If $x^2\equiv y^2\mod n$, does $\gcd(x-y,n)$ divide $n$?

EDIT: I should really be asking if $\gcd(x-y,n)$ is neither $n$ nor $1$, since it will always divide $n$.

I know $n$ must divide $x^2-y^2$, but in my cryptology course we have been using a square factoring algorithm where we look at the prime factorization of numbers with small prime factors in order to find some $x\ne \pm y$ such that $x^2\equiv y^2\mod n$.

  • 2
    The GCD of $x-y$ and $n$ is a common divisor of both. – pancini Nov 29 '23 at 01:49
  • 1
    The greatest common divisor of $n$ and anything is a divisor of $n$. The point of computing $\gcd(x-y,n)$ in cryptology is presumably that you are trying to factor $n$ (or find some proper nontrivial factor of $n$). So if $\gcd(x-y,n)\neq 1$ and $\gcd(x-y,n)\neq n$, then you've found a proper nontrivial factor of $n$. Choosing $x$ and $y$ so $x\not\equiv\pm y\pmod{n}$ ensures you do not get $\gcd(x-y,n)=n$, so you now just hope that you don't get $\gcd(x-y,n)=1$. – Arturo Magidin Nov 29 '23 at 01:50
  • @ArturoMagidin Yes, it was for factoring. And I don't think it's possible that the $\gcd(x-y,n)=1$ but I'm not sure – Cotton Headed Ninnymuggins Nov 29 '23 at 02:07
  • @ArturoMagidin and it looks like you've included that explanation in your answer, thanks – Cotton Headed Ninnymuggins Nov 29 '23 at 02:08
  • 2
    @CottonHeadedNinnymuggins Sure, it's possible. Take $n=25$, $x=13$, $y=12$. Then $x^2=169$, $y^2=144$. Then $x^2-y^2=25$, so $x^2\equiv y^2\pmod{n}$, but $\gcd(x-y,n) = \gcd(13-12,25) = \gcd(1,25) = 1$. But if $n$ divides $x^2-y^2$ and does not divide either $x-y$ nor $x+y$, at least one of $\gcd(n,x-y)$ and $\gcd(n,x+y)$ will be a nontrivial divisor of $n$. – Arturo Magidin Nov 29 '23 at 02:11

1 Answer

The greatest common divisor of two numbers is a divisor of each of those, so $\gcd(n,a)$ is a divisor of $n$ for any number $a$.

The point of what you are doing is the following: you are trying to factor $n$, or at least find a proper nontrivial divisor (that is, a divisor $d$ such that $1\neq d\neq n$).

If $x^2\equiv y^2\pmod{n}$, then $n$ divides $x^2-y^2=(x-y)(x+y)$. If in addition $x\not\equiv y\pmod{n}$ and $x\not\equiv -y\pmod{n}$, then $n$ divides neither $x-y$ nor $x+y$. That means that $\gcd(n,x-y)\neq n$ and $\gcd(n,x+y)\neq n$. If $p$ is a prime factor of $n$, then $p\mid (x-y)(x+y)$, and since $p$ is prime, if it divides a product then it divides one of the factors, so you will have either $p\mid x-y$ or $p\mid x+y$. And that means that $p\mid \gcd(n,x-y)$ or $p\mid \gcd(n,x+y)$. And that will mean that $\gcd(n,x-y)$ (or $\gcd(n,x+y)$) will not equal $1$. So you will "detect" a nontrivial factor of $n$ with either $\gcd(n,x-y)$ or with $\gcd(n,x+y)$, provided that $x^2\equiv y^2\pmod{n}$ and $x\not\equiv \pm y\pmod{n}$. This is the heart of Fermat's factorization method.

Arturo Magidin
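The argument in the answer, carried out in code as an added example (this is not code from the question, the answer, or the comments): given $x^2\equiv y^2\pmod n$, compute both $\gcd(n,x-y)$ and $\gcd(n,x+y)$ and keep whichever is a proper divisor. The function `find_congruent_squares` is a brute-force stand-in for the smooth-number sieving the question mentions; it exists only to produce a pair with $x\not\equiv\pm y\pmod n$ for small constructed moduli. The moduli 77, 91 and the pair (4, 18) are constructed here; (13, 12, 25) is the counterexample from the comments, where $\gcd(x-y,n)=1$ because $x\equiv -y\pmod{25}$.

```python
from math import gcd


def factor_from_congruent_squares(x, y, n):
    """Given x^2 ≡ y^2 (mod n), return a proper nontrivial divisor of n
    obtained from gcd(n, x-y) or gcd(n, x+y), or None if both are trivial.
    The answer's argument guarantees a divisor whenever x ≢ ±y (mod n)."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent mod n")
    for d in (gcd(n, x - y), gcd(n, x + y)):
        if 1 < d < n:
            return d
    return None  # both gcds were 1 or n: the pair was x ≡ ±y (mod n)


def find_congruent_squares(n):
    """Brute-force search (constructed stand-in for the sieving step) for
    0 < y < x < n with x^2 ≡ y^2 (mod n) and x ≢ ±y (mod n).
    Returns None when no such pair exists, e.g. when n is prime."""
    for x in range(2, n):
        for y in range(1, x):
            if (x * x - y * y) % n == 0 and (x - y) % n and (x + y) % n:
                return x, y
    return None


def factor_by_congruent_squares(n):
    """Combine the search and the gcd step; None means no pair was found."""
    pair = find_congruent_squares(n)
    if pair is None:
        return None
    x, y = pair
    return factor_from_congruent_squares(x, y, n)


if __name__ == "__main__":
    # Constructed pair for n = 77: 18^2 - 4^2 = 308 = 4 * 77, and 18 ≢ ±4 (mod 77).
    print(factor_from_congruent_squares(4, 18, 77))    # 7 (gcd(77, 14))
    # Counterexample from the comments: gcd(25, 1) = 1 and gcd(25, 25) = 25.
    print(factor_from_congruent_squares(13, 12, 25))   # None
    print(factor_by_congruent_squares(91))             # 7 or 13
    print(factor_by_congruent_squares(13))             # None: 13 is prime
```

Note that the search excludes pairs with $x\equiv\pm y$ up front; without that exclusion the gcd step can return only the trivial divisors $1$ and $n$, which is exactly the situation the comments describe.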