Cubic Sieve Congruence of the Discrete Logarithm Problem, and Fractional Part Sequences

Transcription

1 Cubic Sieve Congruence of the Discrete Logarithm Problem, and Fractional Part Sequences Srinivas Vivek University of Luxembourg, Luxembourg C. E. Veni Madhavan Deartment of Comuter Science and Automation, Indian Institute of Science, Bangalore, India Abstract The Cubic Sieve Method for solving the Discrete Logarithm Problem in rime elds requires a nontrivial solution to the Cubic Sieve Congruence (CSC) x 3 y 2 z (mod ), where is a given rime number. A nontrivial solution must also satisfy x 3 y 2 z and 1 x, y, z < α, where α is a given real number such that 1 < α 1. The CSC roblem is to nd an ecient 3 2 algorithm to obtain a nontrivial solution to CSC. CSC can be arametrized as x v 2 z (mod ) and y v 3 z (mod ). In this aer, we give a deterministic olynomial-time (O(ln 3 ) bitoerations) algorithm to determine, for a given v, a nontrivial solution to CSC, if one exists. Previously it took Õ(α ) time in the worst case to determine this. We relate the CSC roblem to the ga roblem of fractional art sequences, where we need to determine the non-negative integers N satisfying the fractional art inequality {θn} < φ (θ and φ are given real numbers). The corresondence between the CSC roblem and the ga roblem is that determining the arameter z in the former roblem corresonds to determining N in the latter roblem. We also show in the α = 1 case of CSC that for a certain class of rimes the CSC roblem can be solved 2 ( ) ( ) deterministically in Õ 1 3 time comared to the revious best of Õ 2 1. It is emirically observed that about one out of three rimes is covered by the above class. Key words: comutational number theory, crytanalysis, Diohantine equation, discrete logarithm roblem, fractional art sequence 1991 MSC: [2010] 11D79, 11Y16, 11Y50 Prerint submitted to Journal of Symbolic Comutation October 18, 2013

2 1. Introduction The Cubic Sieve is a variant of the Index Calculus Method for the Discrete Logarithm Problem (DLP) in elds of rime order Coersmith et al. (1986); Das (1999); Das and Veni Madhavan (2005); Lenstra and Lenstra Jr. (1990); Menezes et al. (1997); Schirokauer et al. (1996). It was rst roosed in Coersmith et al. (1986). Working of the cubic sieve method requires a nontrivial solution (in ositive integers) to a Diohantine equation called the Cubic Sieve Congruence (CSC, for short) x 3 y 2 z (mod ), where is a given rime number. A nontrivial solution to CSC must satisfy x 3 y 2 z (mod ), x 3 y 2 z, 1 x, y, z < α, (1) where α is a given real number that satises 1 3 < α 1 2. Henceforth the above equation will be referred to as CSC (1). Note that CSC (1) cannot be satised if 1 x, y, z 1 3. When x, y, and z are of the order O( α ), then the heuristic exected running time of [ the cubic sieve is L γ = 1 2, c = 2α ] ( = ex (c + o(1)) (ln ) γ (ln ln ) 1 γ), where ln denotes the natural logarithm of. Hence smaller values of α lead to faster running times. It is imortant to note that this estimate of the running time of cubic sieve does not take into account the time required for nding a nontrivial solution to CSC. Therefore, an imortant oen roblem concerning the cubic sieve method is to develo an ecient algorithm to determine a nontrivial solution to CSC, given and α. We shall refer to this roblem as the CSC roblem. The Number Field Sieve is the current best algorithm for DLP in rime elds with the ) 1 ] 3. Hence the cubic sieve method is mostly [ 1 heuristic exected running time of L 3, ( 64 9 of theoretical interest to crytograhy. Aart from the crytograhic connection, the CSC roblem is a challenging roblem in comutational number theory and is interesting in its own right. Some attemts to solve this roblem have been made in Das (1999); Das and Veni Madhavan (2005); Maitra et al. (2009). Recently, the arametrization x v 2 z (mod ) and y v 3 z (mod ) (Equation (2)) was introduced by Maitra et. al. Maitra et al. (2009). In this aer, we make further rogress towards nding an ecient algorithm for the CSC roblem by showing that we can determine in deterministic olynomial time whether a solution to CSC (Equation (2)) exists for a given v (1 v < ). If one exists, we show that we can also comute it eciently. Previously, the only way to determine this was to check all the values of z from 1 to α. We were able to accomlish this by relating the above roblem to the ga roblem of fractional art sequences Slater (1950, 1967). As a consequence, we show in the α = 1 2 case of CSC (1) that for rimes "close" to i ɛ (integer i, ( real ) ɛ [3, 4]), a solution to CSC exists and ( it ) can be comuted deterministically in Õ 1 3 time 1, while the revious best is Õ 1 2. Interestingly, we Abstract of this work aeared in the third Worksho on Mathematical Crytology (WMC 2012) held at CIEM-Castro Urdiales, Sain, on 9-11 July Corresonding Author. Postal address: University of Luxembourg, FSTC, 6 rue Richard Coudenhove- Kalergi, L-1359 Luxembourg. Tel: Fax: addresses: srinivasvivek.venkatesh@uni.lu (Srinivas Vivek), cevm@csa.iisc.ernet.in (C. E. Veni Madhavan). 1 The running times of the algorithms related to the CSC roblem reect the total number of bit oerations required. In order to avoid cluttering the running time exressions with logarithmic factors, we often use the soft-oh notation Õ Cormen et al. (2001,. 59). The imlicit logarithmic factor is ln 3. 2

3 Algorithm 1 Solving CSC (1) given, α and δ (δ > 0). (1) For x 1 to 1 3 +δ (a) For y 1 to 1 3 +δ (i) z x 3 y 2 (mod ) (ii) If (x, y, z) satises CSC (1), then Return (x, y, z). have emirically observed that about one-third of all the rimes are covered by the above class. The rest of the aer is organized as follows. In Section 2, we briey discuss the revious results on the CSC roblem. In Section 3, we generalize a heuristic algorithm described in Maitra et al. (2009) for the α = 1 2 case of CSC to a generic α ( 1 3 < α 2) 1. Later in that section, we make some remarks on the non-alicability of the LLL and other lattice basis reduction algorithms for solving the CSC roblem. Previous results on the distribution of the non-negative integers N satisfying the fractional art inequality {θn} < φ (rational θ, real φ are given) is resented in Section 4, and we shall also see there how to eciently comute the least such N. In Section 5, we will extend the results of Section } 4 to eciently determine the least common N satisfying both {θn} < φ and {ˆθN < ˆφ (both θ and ˆθ are rational), when certain conditions on θ, ˆθ, φ, ˆφ and N are satised. As a consequence we shall see how, given any v, we can eciently determine a solution to CSC. The existence of solutions for rimes close to i ɛ, and consequently lesser time to comute them, is resented in Section 6. We nally conclude in Section Previous Work Let R, Z and N denote, resectively, the set of real numbers, the set of integers and the set of ositive integers. Throughout this aer, the variable reresents a rime number, α R, 1 3 < α 1 2, and by n (mod ) (for n Z) we mean the least non-negative remainder obtained on dividing n by. The symbols, and { } denote the oor, ceiling and fractional art, resectively, of a real value. When rimes are close to (but less than) erfect cubes, then we can directly get the solution x = 1 3, y = 1 and z = x 3, satisfying CSC (1). Since this method will not work for many rimes, we need a systematic aroach. The simlest algorithm to comute a solution to CSC (1) is to vary x and y from 1 to α, and check if (x, y) satises CSC (1). Clearly, the worst-case running time of this algorithm is Õ( 2α). The rst non-trivial (heuristic) algorithm for the CSC roblem is due to Das (1999); Das and Veni Madhavan (2005). It is based on a heuristic estimate that the number of solutions to CSC (1) is aroximately 3α 1. An evidence for the estimate is obtained by observing that the robability of z x 3 y 2 (mod ) being less than α is α 1 Maitra et al. (2009). Interestingly, the question of non-emtiness of the solution set of CSC (1) for all but nitely many rimes is still oen. We now obtain Algorithm 1 for the CSC roblem. In Algorithm 1, δ > 0 must be suciently large to ensure that ) there are enough solutions. Clearly, the running time of Algorithm 1 is ( Õ 2 3 +o(1) when δ = o(1). Note ) that the x, y and z we get as a solution are of magnitude O ( 1 3 +o(1) and are indeendent 3

4 Algorithm 2 Solving CSC (2) given and α. (1) For v 1 to 1 (a) For z 1 to α 1 (i) x v 2 z (mod ), y v 3 z (mod ) (ii) If (v, z) satises CSC (2), then (A) Return (x, y, z). of α. By assuming that the solutions of CSC (1) are uniform randomly distributed in the range 1 x, y < 1 3 +δ, and consequently the robability that a randomly selected ) ( air (x, y) (1 x, y < δ satises CSC (1) being 3 3 +δ ) 1 = 2 ( 1 3 +δ ) ( 1 3 +δ) 1, we get the ( (heuristic) exected running time of Algorithm 1 to be Õ 1 ( 1 +δ)) ) 3 = ( Õ 2 3 o(1). However, note that even when we give a value of x for which there is a solution to CSC (1), we cannot eciently determine a corresonding value of y, and vice-versa. This serves as the motivation for us to study the (v, z)-arametrization of CSC introduced in Maitra et al. (2009). The next major attemt at solving the CSC roblem was by Maitra et al. (2009). They arametrized x 3 y 2 z (mod ) as ( y ) 2 x x z v2 (mod ) x v 2 z (mod ), y v 3 z (mod ). Hence CSC (1) can be equivalently written as x v 2 z (mod ), y v 3 z (mod ), x 3 y 2 z, 1 x, y, z < α, 1 v <. (2) We refer to the above equation as CSC (2). Based on CSC (2), we obtain Algorithm 2. The worst-case running time of Algorithm 2 is Õ( 1+α) and the (heuristic) exected running time is Õ( 2 2α). Note that the worstcase and the exected running time of Algorithm 2 is worse than that of Algorithm 1. Throughout Maitra et al. (2009), only the α = 1 2 case is dealt. It is shown for v < 1 2 that we can otimize the inner loo of Algorithm 2. This is made ossible by exloiting the roerties of solutions to CSC (2) (α = 1 2 ). As a consequence they show that the solutions can be eciently comuted for those rimes close to (but less than) the fourth owers. In the next section, we generalize the otimized version of Algorithm 2 in Maitra et al. (2009) (for the α = 1 2 case) to a general α ( 1 3 < α 1 2). Hence, in order to avoid reetition, we refrain from further describing the results of Maitra et al. (2009). More details on the ecient comutation of solutions for rimes close to fourth owers can be found in Section Heuristic Algorithm and Some Remarks In this section and in Sections 4 and 5, α can take any real value such that 1 3 < α 1 2. Throughout the remainder of the aer, we will work with the (v, z)-arametrization given by CSC (2). The results resented in this section follow in a straightforward manner from those corresonding to the case of α = 1 2 in Maitra et al. (2009). 4

5 Algorithm 3 Solving CSC (2) such that v < α, given and α. (1) For v 1 α to α 1 v (a) For j 1 to 2 1 α (i) z j v 2 (ii) x v 2 z (mod ) (iii) If (x < α v ), then Return (x, y vx, z). Proosition 1. If x, y, z, v < α, x v 2 z (mod ) and y v 3 z (mod ), then the condition x 3 y 2 z is equivalent to x v 2 z. Proof. The condition v, x < α imlies that vx <. Since y v 3 z vx (mod ), we have y = vx. Therefore, x 3 y 2 z x 3 (vx) 2 z x v 2 z x < v 2 z. We now obtain the following corollaries from Proosition 1 and its roof. Corollary 2. If 1 v 1 α 2 or α v 1 α, then corresonding to v there exists no solution to CSC (2). Proof. If 1 v 1 α, then y vx (mod ) imlies that y = vx. If α v 1 α, then y α. Hence there can be no solution. If α > 1 1 α 3 and 1 v 2, then from Proosition 1, we have x 3 = y 2 z and hence there can exist no solution to CSC (2). Note that when α = 1 2, then α = 1 α = 1 2. Corollary 3. Corresonding to v < α if there exists a solution to CSC (2), then x < α v. Using the above results, we obtain Algorithm 3 for solving CSC (2) for those rimes which have a solution for v < α. An examle of a rime for which there is no solution to CSC (2) for v < α ( 1 3 < α 1 2 ) is 101. The ste 1.(a).i of Algorithm 3 is an otimized version of the corresonding ste 1.(a) of Algorithm 2. The inner loo of Algorithm 2 corresonds to the arithmetic rogression v 2 z (varying z for a xed v). Hence between any two multiles of, we need to consider only the rst term of the rogression. The exression z j v in Algorithm 3 recisely 2 corresonds to these terms. The uer bound on the index j is obtained by observing that j v 2 α. The fact that v 2 (1 < v < α ) and that j 1 ensures that v 2 z >. Since v 2 < 2α v, in the worst case, there are exactly 2 iterations of the inner 1 α for-loo corresonding to j. Hence the running time of Algorithm 3 is Õ 1 α ( ) v 2 3α = Õ = Õ( 4α 1). 1 α v= 1 α 2 1 α When α < 1 2, this algorithm is asymtotically faster than the Õ( 2α) -algorithm we obtain when z is incremented only by 1 at a time. This algorithm runs in olynomial time for those rimes which have a solution to CSC (2) for v 1 α 2. It is shown in the 5

6 α = 1 2 case that there are innitely many rimes which have a solution for v 1 4 Maitra et al. (2009). The (heuristic) exected running time of Algorithm 3 is the same as its worst-case running time. This is because the exected number of solutions for v < α is 4α 2, which is at most 1 for α 1 2. Note that these running times are worse comared to that of Algorithm 1. In the inner loo of Algorithm 3, we were trying to determine { a z (z} < α ),( for) a given v (v < α ), such that v 2 z (mod ) < α v, or equivalently v 2 (mod ) z < 1 α v. Using revious results on the ga roblem of fractional art sequences, we shall see in the next section that such a (least) z can be comuted deterministically in olynomial time, and hence the running time of Algorithm 3 can be reduced to Õ(α ). The fact that not all rimes have a solution to CSC (2) corresonding to v < α, and that the range ( 1 α ) 2, α shrinks to zero length as α 1 3 (for a xed ), rovides us a motivation to ursue the following { roblem. } To nd a common { z (z < } α ) simultaneously satisfying the two inequalities v 2 (mod ) z < α and v 3 (mod ) z < α, and also satisfying the condition x 3 y 2 z. In Section 5, we rovide a deterministic olynomial-time algorithm to this roblem by extending the results for the single inequality case, thereby reducing the worst-case running time of Algorithm 2 to Õ() and the exected running time of Algorithm 2 to Õ( 2 3α) Lattice Basis Reduction: Remarks { v 2 (mod ) } The roblem of nding a common z (z < α ) satisfying both z < α } and z < α can be restated as nding airs (c, d) and (ĉ, d) such that { v 3 (mod ) 1 c, ĉ, d < α, c d r (mod ) and ĉ d ˆr (mod ), where r = v 2 (mod ), ˆr = v 3 (mod ) and d = z. Note that all the (c, d) (no restriction on the values of c and d) satisfying c d r (mod ) form a two dimensional lattice. Similarly, the (ĉ, ˆd) satisfying ĉ ˆd ˆr (mod ) form another lattice. Hence we are looking for a short vector on each of the two lattices such that both the vectors have the same value in the second coordinate (d = ˆd). The LLL or other lattice basis reduction algorithms do not seem to be of much use in our case, though the shortest vector roblem in two dimensions can be exactly solved in deterministic olynomial time (Lenstra Jr., 2008; Micciancio and Goldwasser, 2002). The roblem seems to lie in the fact that the condition x 3 y 2 z in CSC (2) does not have a geometric analogue unlike the rest of the conditions, as seen in the revious aragrah. Let us try to examine this issue in the case of v = 1 in CSC (2). When v = 1, we have r = ˆr = 1 and the lattices c d r (mod ) and ĉ ˆd ˆr (mod ) are now identical to Z Z. But the shortest ossible air of vectors (c = 1, d = 1) and (ĉ = 1, ˆd = 1) fail to satisfy the condition x 3 y 2 z. Also, no other air of (exonentially many) short vectors in Z Z can satisfy CSC (2) because when v = 1, then x = y = z and hence x 3 = y 2 z. In fact, as we have seen in Corollary 2, there are no solutions to CSC (2) corresonding to 1 v 1 α 2 and α v 1 α. However if v is suciently large, then we may be able to heuristically argue that the condition x 3 y 2 z holds with a high robability. But our goal is to obtain a deterministic olynomial time method to determine whether there exists a solution to CSC (2) for a given value of v. Hence trying to comute short lattice vectors until the condition x 3 y 2 z is satised does not seem to work in our case. 6

7 4. Solving a Fractional Part Inequality In the revious section, we saw that the Algorithm 3 would } considerably ( ) seed u if we could eciently determine a z such that z α. Let us consider a { v 2 (mod ) < 1 more general roblem of determining an N (for a given θ and φ) such that {θn} < φ, where θ, φ R, 0 < θ, φ < 1, N N {0}. (3) The restrictions on θ and φ will not lead to any loss of generality because 0 {θn} < 1 and {(m + θ)n} = {θn} m Z. The roblem of determining the gas between the successive N satisfying (3) is known as the ga roblem Slater (1967). The distribution of the N satisfying (3) was rst studied in Slater (1950). It is shown, for both rational and irrational θ, that the successive N satisfying (3) is searated by gas of at most three dierent lengths, one being the sum of the other two. A related roblem is the ste roblem Slater (1967). The roblem is to determine the stes into which the interval [0, 1] is artitioned when the values {1θ}, {2θ},..., {Nθ} are arranged in the ascending order. A result analogous to that of the ga roblem is alicable to the ste roblem. For more details on this and other related roblems, we refer the reader to Drobot (1987); Fraenkel and Holzman (1995); Halton (1965); Slater (1964, 1967). When θ is irrational, the sequence Nθ (N 0) is uniformly distributed modulo 1 Graham et al. (1994,. 87). Throughout the rest of the aer, we shall conne ourselves to the case of θ being rational. Let θ = r q, r, q N, r < q and gcd(r, q) = 1. Solving the inequality {θn} < φ for N is equivalent to solving rn (mod q) < T, where T = φq. Henceforth, let φ be of the form φ = T q, where 0 < T < q. Note that the inequality rn (mod q) < T has exactly T solutions for 0 N < q. Also note that the sequence of fractional arts {Nθ} is eriodic with eriod q. From these observations, let us rewrite (3) as follows {θn} < φ, where θ = r q, φ = T, 1 r, T < q, gcd(r, q) = 1, (4) q r, T, q N, and N N {0}. The following reliminary continued fraction formulae will be useful in further discussions. Many of these can be found, for instance, in Hensley (2006,. 6). Let θ be as dened in (4). Let the simle continued fraction exansion of θ be θ = r q = [0; a 1, a 2,..., a n ], where a i N, a n > 1. (5) The s th convergent to θ is r s = [0; a 1, a 2,..., a s ], q s where gcd(r s, q s ) = 1, 1 s n, (6) r 0 = 0 and q 0 = 1. Let q s be the simle continuant of a 1, a 2,..., a s, then it satises q s = a s q s 1 + q s 2 where 1 s n, q 0 = 1, q 1 = 0. (7) Note that r s is the simle continuant of a 2, a 3,..., a s (2 s n, r 1 = 1, r 0 = 0), r n = r and q n = q. Let Q s be the simle continuant of a n, a n 1,..., a n s+1 (1 s n, Q 0 = 1, Q 1 = 0). Particular values of Q i are Q n = q n = q, Q n 1 = r n = r and Q 1 = a n. The Q i satisfy v 7

8 Q n s+1 = a s Q n s + Q n s 1 (1 s n), (8) q s Q n s + q s 1 Q n s 1 = q (0 s n), (9) Q n s = ( 1) s 1 (r q s 1 q r s 1 ) (1 s n + 1). (10) Let A s be the s th comlete quotient of θ, where 1 = [0; a s, a s+1,..., a n ] = Q n s (1 s n). (11) A s Q n s+1 Remark 4. Most of the results in this section can be found in Slater (1950, Part 1) and the rest can be easily derived from it. There are only a few notational changes we have made when using their results. The variables x, i (1 i n), Z, Z 0 and α in Slater (1950, Part 1) have been relaced by, resectively, θ, r i (1 i n), T, T 0 and γ. For the sake of comleteness, we have collected the required results in this section. We often refer to Lemma 5, Theorems 6 and 9, Corollaries 7, 8 and 10, and Equations (5) - (13) mentioned here. The ideas of this section are needed in the next section. The T given in (4) can be uniquely reresented as T = T 0 (s, b) + c, as dened by Lemma 5. Lemma 5. Any T N, 0 < T < q, may be exressed uniquely as T = T 0 + c, (12) where T 0 = T 0 (s, b) = (b + 1) Q n s + Q n s 1, (13) with b = 0, 1,..., a s 1 if s = 2, 3,..., n, with b = 0, 1,..., a 1 2 if s = 1, and c = 0, 1,..., Q n s 1. Whenever we write T 0 or T 0 (s, b) (or, T 0, T 0, ˆT 0 and ˆT 0), we always refer to the secial numbers of (13). Unless the arameters s (ŝ or s ) and b (ˆb or b ) are exlicitly maniulated, say as in T 0 (s, b + 1), by writing T 0 (s, b) = T 0, we always mean that s and b are as uniquely determined according to (13). Theorem 6 below describes all the N that satisfy (4) for T 0. By writing (4) for (θ, T 0 ), we mean that θ = θ and T = T 0 in (4). If the value of θ is clear from the context, then we will simly write (4) for T 0. Theorem 6. The non-negative N satisfying (4) for T 0 (s, b) are N(γ, β) = γ q s 1 + β (q s b q s 1 ) where, if s is even, β = γ = 0, or β = 1, 2, 3,... with γ { (β 1) B s, (β 1) B s + 1,..., β B s }, where, if s is odd, β = 0, 1, 2,... and B s = b + 1 A s+1, dene B n = b. with γ { β B s, β B s + 1,..., (β + 1) B s }, 8

9 Algorithm 4 Given θ (r, q) and T, to comute the least ositive N satisfying (4) for T. (1) Determine T 0(s, b ) (the least value satisfying (13) such that T 0 T ) using Lemma 5. (2) Comute, using Theorem 6, the rst two ositive values of N, say N 1 and N 2 (N 1 < N 2 ), satisfying (4) for T 0. (3) If N 1 satises (4) for T, then Return N 1, else Return N 2. From the above theorem it follows that in the case of (4) for T 0, there are only two ga-lengths searating the successive N satisfying (4) for T 0 (excet when T 0 = 1). We also obtain Corollaries 7 and 8 from Theorem 6. Corollary 7. The successive N satisfying (4) for T 0 (s, b) are searated by only two ga-lengths q s 1 and q s b q s 1, and the number of gas for 0 N q are T 0 Q n s and Q n s, resectively. The larger ga-length is q s b q s 1 while the smaller one is q s 1. Note that T 0 Q n s = 0 only when T 0 = 1. It is easy to see that for any value of θ in (4), T = 1 is always a secial number of (13). When T 0 (s, b) > 1, then B s > 0. Corollary 8. When 1 < T 0 < q, the ga-lengths in Corollary 7 are dierent. If s is even, then the rst ga is the larger ga (q s b q s 1 ), followed by B s smaller gas (q s 1 ). If s is odd, then the rst B s gas are the smaller gas, followed by one larger ga. Theorem 9 below is a generic version of Theorem 6 which is valid for any value of T (0 < T < q). Theorem 9 is known in the literature as Slater's three-ga theorem Fraenkel and Holzman (1995). Corollary 10 follows from Theorem 9. Theorem 9. Let T = T 0 (s, b) + c be the reresentation determined by (12). The N satisfying (4) for T are searated by only three ga-lengths q s 1, q s b q s 1 and q s (b + 1) q s 1. The number of these gas, for 0 N q, are T Q n s, Q n s c and c, resectively. The largest ga-length is q s b q s 1, which is the same as the larger galength corresonding to (4) for T 0. The other two gas of ga-lengths q s (b + 1) q s 1 and q s 1 are obtained by slitting the larger ga corresonding to (4) for T 0. Corollary 10. Let T = T 0 (s, b) + c (by (12)), and T 0(s, b ) be the least value satisfying (13) such that T 0 T. If N 1 and N 2 are two consecutive values satisfying (4) for T 0, then N 1 or N 2 (or both) satisfy (4) for T 0, and hence also satisfy (4) for T. Corollary 10 suggests that in order to comute the least ositive N satisfying (4), then it suces to comute the rst two ositive N satisfying (4) for T 0. These two values of N are in turn comuted using Theorem 6. Using this idea we now obtain Algorithm 4. Proosition 11. The running time of Algorithm 4 is O ( ln 3 q ) bit-oerations. This follows from the fact that the extended Euclidean algorithm terminates in O(ln q) stes and requires O ( ln 3 q ) bit-oerations when run on the inuts r and q. Hence the length of the continued fraction exansion of θ is O(ln q). The continuants q s and Q s (1 s n) can be comuted with O ( ln 3 q ) bit-oerations, and so are each of the stes in Algorithm 4. 9

10 Using Algorithm 4, we can signicantly seed u Algorithm 3. We can relace the inner loo of Algorithm 3 by a call to Algorithm 4 with θ = v2 (mod ) (r = v 2 (mod ), q = ) and T = α v. We must also erform a check whether the returned value, say z, satises z < α. The worst-case and the exected running time of Algorithm 3 is now reduced to Õ(α ) from Õ( 4α 1). 5. Solving Simultaneous Fractional Part Inequalities In the revious section, we saw how to eciently comute the least ositive N satisfying {θn} < φ, when θ is a rational number. The Algorithm 2 for the CSC roblem suggests us to solve a generalization of the above roblem. More recisely, we need to eciently } determine the least ositive N simultaneously satisfying both {θn} < φ and {ˆθN < ˆφ, for rational θ and ˆθ (θ, ˆθ, φ and ˆφ are given). The roblem of exlicitly determining such an N has not been addressed before. A related existential } result is that the successive (non-negative) N satisfying both {θn} < φ and {ˆθN < ˆφ are searated by nitely many gas (θ, ˆθ are either rational or irrational). It is easy to show this result for θ and ˆθ both being rational. For more details on this and other related results refer to Fraenkel and Holzman (1995); Slater (1964). As assumed in the revious section, θ and ˆθ will always denote rational numbers in the interval (0, 1). Consider the two inequalities (the rst same as (4)) and {θn} < φ, where θ = r q, φ = T, 1 r, T < q, gcd(r, q) = 1, (14) q {ˆθN } < ˆφ, where ˆθ = ˆr ˆq, ˆφ = ˆT ˆq, 1 ˆr, ˆT < ˆq, gcd(ˆr, ˆq) = 1, (15) r, T, q, ˆr, ˆT, ˆq N (given), and N N {0} (to be determined). A straightforward algorithm to comute the least ositive N satisfying both (14) and (15) is to successively comute the N satisfying one of (14) or (15) (using Corollary 10 and Theorem 6), until the other inequality is also satised. This aroach is not ecient as can be seen from the examle where q = ˆq = (rime > 2), r = 1, ˆr = 1 and T = ˆT = In this case there is no common (nontrivial) solution to (14) and (15), but this algorithm will still check +1 2 values of N which are less than. Designing a olynomial-time algorithm for the generic case of (14) and (15) aears hard. Fortunately, when we aly the restrictions T q 1 2, ˆT ˆq 1 2, and N < (min(q, ˆq)) 1 2, then we can come u with a deterministic olynomial-time algorithm to comute the least ositive common N satisfying both (14) and (15). It is easy to guess that the above restrictions are tailor-made for those corresonding to the roblem of determining a z (z < α ), for a given v (1 v < ), such that (v, z) satises CSC (2). In order to simlify the descrition of the algorithm, throughout the rest of the section, we shall only consider the instance of (14) and (15) corresonding to CSC (2). The algorithm for the generic case (with the above mentioned restrictions) can be easily derived from Algorithm 5. 10

11 In the case of CSC (2) (given rime ( 3), v (1 v < ), and α ( 1 3 < α 1 2 )), the equations (14) and (15) become {θz} < φ, where θ = r, φ = T, r = v2 (mod ), T = α, (16) and } {ˆθZ < ˆφ, ˆr where ˆθ =, ˆT ˆφ =, ˆr = v3 (mod ), ˆT = α, (17) where Z N {0} (to be determined). Note that gcd(r, ) = gcd(ˆr, ) = 1. In (16) and (17), we have relaced N with Z to remind us that we are working in the case of CSC (2). Note that if we require a value of Z satisfying both (16) and (17) to also satisfy CSC (2), then the following two conditions must also be satised and 1 Z < α, (18) x 3 y 2 z, where x v 2 Z (mod ), y v 3 Z (mod ), z = Z. (19) Let θ, T, ˆθ and ˆT be as in (16) and (17). Let T = α = T 0 (s, b) + c (20) and ˆT = α = ˆT 0 (ŝ, ˆb) + ĉ (21) be the reresentation of T and ˆT, determined by (12), corresonding to (16) and (17), resectively. Denote the largest ga-length corresonding to (16) and (17) by g max and ĝ max, resectively. From Theorem 9, the exact values of g max and ĝ max are, resectively, q s b q s 1 and ˆqŝ ˆb ˆqŝ 1. We now have the following lemma. Lemma 12. g max, ĝ max α 1. Proof. First, we rove the lemma for g max. Since T = α and (16) has exactly T gas for 0 Z, we need α g max. Therefore, g max. Using the fact that g max is an integer, we get g max for ĝ max. α 1 2 α 1. Similarly the result follows Using Theorem 9 (alied to (16)), Lemma 12, and Corollary 8 (alied to (14) for (θ, T 0 )), we see that when s (in (20)) is even, the rst ga corresonding to (16) is the ga of length q s b q s 1 (= g max ) or q s (b + 1) q s 1 (= g max q s 1 ). (It cannot be q s 1, by Corollary 8 (alied to (14) for (θ, T 0(s, b + 1)))). Hence there can be at most two values of Z < α which satisfy (16). Note that there can be exactly two values of Z < α only when g max = α 1 and the rst (larger) ga of (14) for (θ, T 0 ) has slit. Similarly when ŝ (in (21)) is even, there can be at most two values of Z < α which satisfy (17). Hence when s (or ŝ) is even, we just need to check if g max q s 1 and g max (or, ĝ max ˆqŝ 1 and ĝ max ) satisfy (16)-(19). In these (three) cases, we can comute the smallest Z satisfying (16)-(19) in olynomial time. Let both s and ŝ be odd. Using Theorem 9 (alied to (16)), Lemma 12, and Corollary 8 (alied to (14) for (θ, T 0 )), we see that the rst B s gas corresonding to (16) are of

12 length q s 1, and then followed by a ga of length g max, or a ga of length q s 1 followed by a ga of length g max q s 1. In the case of (17), the rst ˆBŝ gas are of length ˆqŝ 1, and then followed by a ga of length ĝ max, or a ga of length ˆqŝ 1 followed by a ga of length ĝ max ˆqŝ 1. Let M = min( B s q s 1, ˆBŝ ˆqŝ 1 ) and F = lcm(q s 1, ˆqŝ 1 ). (22) In the range [0, M] there is only one tye of ga-length in (16) as well as (17). Now there are two ossibilities for M. If M α 1, then there are exactly α 1 F values ( of Z < α satisfying ) both (16) and (17). The corresonding values of Z are j F 1 j. Note that when F > α 1, there are no solutions. The α 1 F other ossibility is that M < α 1. The values of Z u to M (1 M < α 1) satisfying both (16) and (17) are j F ( 1 j ) M F. Again, if M < F, then there are no solutions u to M. Let h = q s 1 or h = ˆqŝ 1 according as M = B s q s 1 or not. Since g max, ĝ max α 1 (Lemma 12) and M, F 1, we have M +g max, M +ĝ max α. Therefore the only ossibility of another solution is Z = M + h. Hence, even in the case of both s and ŝ being odd, we can nd a Z < α, if one exists, satisfying both (16) and (17). Since we even require that the Z must satisfy (19), then we need to check all the solutions u to α 1. When there are exonentially many solutions, as in the case of v = 1, then we might end u checking all the solutions but none satisfying (19). This roblem can be overcome with the hel of the following theorem, which shows that it suces to check the satisability of (19) for Z = F. Theorem 13. Let s (in (20)) and ŝ (in (21)) ( be both odd, and M, ) F be as in (22). Consider the common solutions Z j = j F 1 j min(m, α 1) F satisfying (16), (17) and (18). Either all the Z j satisfy (19) or none of them satises (19). Proof. Let min(m, α 1) F 1, so that there exists at least one common solution. Let x j v 2 Z j (mod ), y j v 3 Z j (mod ) and z j = Z j. Therefore x j j x 1 (mod ), y j j y 1 (mod ) and z j = j z 1. Since j, x 1, y 1, z 1 α 1 < 1 2, we get x j = j x 1, y j = j y 1 and z j = j z 1. Hence x 3 j y2 j z j if and only if x 3 1 y1z 2 1. Using the above ideas, we obtain Algorithm 5. It determines, for a given v, the least Z (say z) satisfying (16) to (19), i.e. determines the least z such that (v, z) satises CSC (2), if any exists. The following roosition follows easily from Proosition 11. Proosition 14. The running time of Algorithm 5 is O ( ln 3 ) bit-oerations. We have imlemented Algorithm 5 in PARI/GP on an Intel Pentium-4 single core rocessor running Ubuntu Linux On exerimenting (for the α = 1 2 case of CSC (2)) with 10 randomly chosen 1024-bit rimes and 100 randomly chosen v for each value of, we got the average running time of Algorithm 5 to be 0.02 seconds. Using Algorithm 5, we can reduce the worst-case running time of Algorithm 2 to Õ( 1) from Õ( 1+α), and the exected running time of Algorithm 2 reduces to Õ( 2 3α) from 12

13 Algorithm 5 Given v (1 v < ) ( 3), to determine the least ositive z, if any, such that (v, z) satises CSC (2). (1) Determine the reresentations T = α = T 0 (s, b) + c and ˆT = α = ˆT 0 (ŝ, ˆb) + ĉ by alying Lemma 5 for (16) and for (17), resectively. (2) If s (or ŝ) is even, and if z q s (b+1) q s 1 or else z q s b q s 1 (or ˆqŝ (ˆb+1) ˆqŝ 1 or else ˆqŝ ˆb ˆqŝ 1 ) satises CSC (2) for the given v, then Return z. (3) Else (s, ŝ - both odd) (a) If B s q s 1 ˆBŝ ˆqŝ 1, then M B s q s 1 and h q s 1, else M ˆBŝ ˆqŝ 1 and h ˆqŝ 1. (b) F lcm(q s 1, ˆqŝ 1 ) (c) If z F satises CSC (2) for the given v, then Return z. (d) If M < α 1 and if z M + h satises CSC (2) for the given v, then Return z. Õ ( 2 2α). Note that, for the α = 1 2 case, the imroved worst-case running time of Algorithm 2 equals that of the current best deterministic algorithm (Algorithm 1), and similarly the imroved exected running time of Algorithm 2 matches the current best exected running time (Algorithm 1). In order to make Algorithm 2 even more ecient, we need to be able to redict a small range of values of v in which we are guaranteed a solution. This roblem aears to be hard and currently we are even unable to determine whether corresonding to v = i+1 a solution to CSC (2) exists, given that v = i has no solutions. Nevertheless, it is imortant to ursue research in this direction since we are now required to analyze the distribution of solutions of CSC (2) with resect to only one arameter v, unlike two arameters x and y in the case of CSC (1). The converse roblem of determining various rimes which have a solution to CSC (2) for a given value of v (say i) is useful to identify classes of rimes for which we can nd a solution eciently. This roblem is addressed in the next section. 6. Existence of Solutions to CSC It is shown in Maitra et al. (2009) that for the rimes satisfying (i 1) 2 i 2 i + 1 < < (i 1) 2 i 2, there exists a solution to CSC (2) (α = 1 2 ) and a corresonding (v, z) air is ( v = i, z = (i 1) 2). Using the rime number theorem, we see ( that ) the (exected) n number of rimes less than n satisfying the above inequality is Θ 1 2 ln n. Hence rimes ( ) close to the fourth owers have a solution for v 1 4 v > 1 4 and using Algorithm 3 (α = 1 2 ) the solution can be eciently comuted. It is easy to see that the above result is based on the following lemma. Lemma 15. If 0 < a 2 b < 2 1 a (2) (α = 1 2 ). and 1 a, b < 1 2, then (v = a, z = b) satises CSC 13

14 Note that the number of rimes for which the trile (x = 1 3 ( ), y = 1, z = x 3 ) satises CSC (1) (α = 1 2 ) is Θ n 5 6. ln n Let us try to generalize the above result that rimes close to (but less than) the fourth owers have a solution for v 1 4, to determine those rimes which have a solution to CSC (2) (α = 1 2 ) for a given v = i, and that v 1 ɛ (ɛ R, 3 ɛ 4). Throughout this section we will restrict ourselves only to the case α = 1 2 of CSC (2). Let i N, i 6, ɛ R and 3 ɛ 4. Let v = i in CSC (2). Dene z = i ɛ 2, hence v 2 z i ɛ. If we choose such that (i 1) ɛ < < v 2 z i ɛ and v 2 z < 2 1 v, then by Lemma 15 we have (v, z) satisfying CSC (2) for such a, and also v 1 ɛ. The restriction (i 1) ɛ < i ɛ ensures that the rimes are in disjoint intervals as i varies for a xed ɛ. Since v 2 z = i 2 i ɛ 2 = i ɛ { i ɛ 2} i 2 i ɛ and 0 { i ɛ 2} i 2 < i 2, we require ɛ 3, and the restriction ɛ 4 follows from Algorithm 3 (α = 1 2 ). Note that when i 6, we have i ɛ < 2 (i 1) ɛ and hence v 2 z (mod ) = v 2 z. We need to nd those rimes which satisfy the conditions and (i 1) ɛ < < i 2 i ɛ 2 (23) i 2 i ɛ 2 < 1 2 i. (24) The inequality in (24) is quadratic and it can be solved for (this is the reason for requiring α = 1 2 ). On solving (24) for, and then requiring that it also satises (23), we get the solution set { P ɛ, i = rimes ( ) i2 i ɛ 2 4 i4 i ɛ i 2 < < i 2 i ɛ 2 }. Proosition 16. The rimes P ɛ, i have (v = i, z = i ɛ 2 ) satisfying CSC (2) (α = 1 2 ), and v 1 ɛ. Since ( by P ɛ, i is Θ ( 4 i 4 i ɛ 2 1 ) 2 i i ɛ 2 2 1, the number of rimes less than n (for a xed ɛ) covered ). Note that v 1 ɛ, but not really v ɛ, as belongs to an interval n 1 2 ln n (of length v ɛ 2 1 ) whose right end is the multile of v 2 nearest to (and less than or equal to) v ɛ. We still say that is close to v ɛ v since ɛ v ɛ (v 1) 0 as v. ɛ For a given i, the set P ɛ, i can be better ictured by considering the interval 3 ɛ 4 [ i 3, i 4], dividing it into sub-intervals of length i 2, i.e. intervals of the form ( i 3 +(j 1) i 2, i 3 +j i 2 ) for 1 j i 2 i, and then considering in each sub-interval all the rimes in the right most sub-sub-interval of length i + j 1. It is easy to see that the cardinality ( ) of P ɛ, i is Θ. This aroach gives us a fairly accurate algorithm to comute 3 ɛ 4 i 3 ln i the cardinality of ɛ, ip ɛ, i. When l 3, we have l 3 < (l+1) 3 < l 4 and hence any real number k 27 can be written in the form l ɛ (for some 3 ɛ 4 and l N) and the number of such reresentations of 14

15 Table 1. Secic values of count(n). n count(n) π(n) count(n) π(n) ( ) ( ) k is Θ k 1 3 k 1 4 = Θ k 1 3. These ideas suggest that ɛ, i can ossibly cover a large ɛ, ip roortion of rimes. Because the sets P ɛ,i have too much overla, calculating the exact roortion of these rimes seems to be challenging. Let count(n) denote the number of rimes less than or equal to n which are also in ɛ, ip ɛ, i. It is emirically observed u to one billion that about one in three rimes belongs to ɛ, ip ɛ, i. Table 1 gives the value of count(n) for some values of n. The values of count(n) listed in Table 1 deviate only marginally from the actual values because of the oating-oint aroximations in their comutations. The function π(n) denotes the total number of rimes less than or equal to n. From Proosition 16, we conclude that for rimes P ɛ, i there is a solution to CSC (2) (α = 1 2 ) corresonding to v, where 1 4 < v < 1 3 ( + 1, ) and using Algorithm 2 along with Algorithm 5, we can determine a solution in ( ) Õ 1 3 time. It can be easily shown that for these rimes the Algorithm 3 takes Õ 1 2 time in the worst case, the revious best running time. Using an aroach similar to the one in this section, we may be able to identify more classes of rimes for which a solution to CSC (2) can be comuted more eciently. 7. Conclusion We have shown that we can determine in deterministic olynomial time whether a solution to CSC (2) exists for a given v (1 v < ), and we can also comute it eciently, if one exists. An imortant research direction is to analyze the distribution of solutions with resect to the arameter v and use the analysis to guess a value of v close to the one which has a solution. We have also shown that the rimes close to i ɛ (integer i, real ɛ [3, 4]) have a solution to CSC (2) (α = 1 2 ). Determining a recise estimate of the roortion of rimes covered by this characterization needs to be addressed. Extending this analysis of the distribution of solutions to a general α ( 1 3 < α 1 2 ) also needs to be done. Determining whether a solution to CSC (2) exists for a given z (1 z < α ) leads to interesting questions on fractional art sequences such as eciently nding a common N simultaneously satisfying both { θn 2} < φ and { θn 3} < φ. 15

16 Acknowledgements We would like to thank Mr. Puttabasavaiah for heling us obtain the aers Slater (1950, 1967). Many thanks to Prof. John H. Halton for mailing his aer Halton (1965), and also to Srikanth Pai for useful initial discussions. References Coersmith, D., Odlzyko, A. M., Schroeel, R., Discrete logarithms in GF (). Algorithmica 1 (1), 115. Cormen, T. H., Leiserson, C. E., Rivest, R. L., Stein, C., Introduction to algorithms. The MIT ress. Das, A., Galois Field comutations: Imlementation of a library and a study of the discrete logarithm roblem. Ph.D. thesis, Indian Institute of Science, Bangalore. Das, A., Veni Madhavan, C. E., On the cubic sieve method for comuting discrete logarithms over rime elds. International Journal of Comuter Mathematics 82 (12), Drobot, V., Gas in the sequence n 2 ϑ (mod 1). International Journal of Mathematics and Mathematical Sciences 10 (1), Fraenkel, A. S., Holzman, R., Ga roblems for integer art and fractional art sequences. Journal of Number Theory 50 (1), Graham, R. L., Knuth, D. E., Patashnik, O., Concrete Mathematics: a foundation for comuter science. Addison-Wesley Reading, MA. Halton, J. H., The distribution of the sequence {nξ} (n = 0, 1, 2,...). In: Proceedings of the Cambridge Philosohical Society. Vol Hensley, D., Continued Fractions. World Scientic Pub Co Inc. Lenstra, A. K., Lenstra Jr., H. W., Handbook of Theoretical Comuter Science. MIT Press/Elsevier, Amsterdam, Ch. Algorithms in Number Theory, Lenstra Jr., H. W., Algorithmic Number Theory: Lattices, Number Fields, Curves and Crytograhy. Cambridge Univ Press, Ch. Lattices, Maitra, S., Rao, Y. V. S., Stanica, P., Gangoadhyay, S., Nontrivial solutions to the cubic sieve congruence roblem: x 3 y 2 z mod. Comutación y Sistemas 12 (3), Menezes, A. J., Van Oorschot, P. C., Vanstone, S. A., Handbook of Alied Crytograhy. CRC. Micciancio, D., Goldwasser, S., Comlexity of lattice roblems: a crytograhic ersective. Vol Sringer Netherlands. Schirokauer, O., Weber, D., Denny, T., Discrete logarithms: the eectiveness of the index calculus method. In: Proceedings of the Algorithmic Number Theory Symosium II. Sringer, Slater, N. B., The distribution of the integers N for which {θn} < φ. In: Proceedings of the Cambridge Philosohical Society. Vol Slater, N. B., Distribution roblems and hysical alications. Comositio Math 16, Slater, N. B., Gas and stes for the sequence nθ mod 1. In: Proceedings of the Cambridge Philosohical Society. Vol