
Choosing Numbers for the Properties of Their Squares
Michael de Mare
Computer Science Department
SUNY Institute of Technology
Abstract
This paper investigates the properties of certain numbers modulus
a composite whose quadratic residues can be predicted. A structure
is presented that allows minimums to be taken over the set of these
numbers.
1 Introduction
An interesting question in number theory is whether you can put a bound on
the quadratic residue of a number based on some other property. Our results
indicate that, for

n
2
numbers you can. The numbers we work with are the ceilings of multiples of the square root of n, $\lceil k\sqrt{n} \rceil$. A simple bound on the square of this number is $2k\sqrt{n}$.
The next question is whether we can compute $\lceil k\sqrt{n} \rceil^2$ without computing the square, i.e., whether there is another formula for computing this value. The answer is yes, and it is based on a function with predictable properties. We call this the Delta-function.
2 Notation
Convention 1 $Z$ is the set of integers. $Z_k$ is the set of integers formed by modulus $k$. $Z_k^*$ is the group formed using modulus $k$, i.e. $Z_k$ with all numbers divisible by factors of $k$ removed. A discussion of group theory is beyond the scope of this paper.[1][2]
(C) Copyright 2004 SUNY Institute of Technology
This technical report was written in the course of research for a thesis.
Convention 2 $i, j, k \in Z$. We use these variables when we wish to denote integers in this paper. These values are generally understood to either hold any integer, or to be counters through a range of integers.
Convention 3 We use $x, y \in \mathbb{R}$ together to define Cartesian coordinates or separately as real numbers. In this paper, when Cartesian coordinates are used $x \in Z$, $y \in \mathbb{R}$. x and y are used as variables in this paper. x by itself is used as an unknown or a function input, while when used together, they represent Cartesian coordinates for a point on a plane.
Convention 4 $n \in Z^+$ is the positive integer we want to factor.
Convention 5 $\lceil x \rceil \in Z$, $x \in \mathbb{R}$ is the ceiling function. $\lfloor x \rfloor$ is the floor function. These are used to find the minimum integer $i$ such that $x \le i$ and the maximum integer $j$ such that $x \ge j$ respectively.
Convention 6 $f(x) = O(g(x))$ if there exists constants $c > 0$ and $X$ such that $f(x) \le c\,g(x)$ for all $x \ge X$.[1] [2]
Convention 7 $(a, b)$ is the set of all numbers $a < x < b$. $[a, b]$ is the set of all numbers $a \le x \le b$. [3]
Convention 8 A point is defined as a pair of numbers x, y written (x, y).
Convention 9 In this paper z for some $z \in \mathbb{R}$ means the change in z. We use the variable to signify a difference.
Convention 10 When we indicate (mod n), we are invoking the modulus function, which means that we use the remainder after division by n.
Convention 11 We define the slope s to be the slope of a line, calculated from two points as follows. $s = \frac{y_2 - y_1}{x_2 - x_1}$
Convention 12 $\phi(n)$ is the size of the group formed by n. This is the number to compute modulus of when dealing with exponents in $Z_n^*$ and given $\phi(n)$ it is trivial to factor n. [1][2]
Convention 13 D is the vector of lengths along the X axis of lines. Its members are denoted $d_0, d_1, \ldots$
Convention 14 D is the vector of offsets on the X axis of lines. Its members are denoted $v_0, v_1, \ldots$
Convention 15 Q is an integer vector of divisors for the clipping function. C is an integer vector of offsets for the clipping function.
3 The Delta-Function
The key insight is that there exists a correlation between the square of the number immediately following the multiple of the root and the small real value which is the difference between the multiple of the root and the root itself. This relationship allows us to select numbers based on the properties of their squares without computing the square itself. If there is a structure in the value of this difference, which we shall show later that there is, then we have a structure for choosing the squares.
First let us define this difference so that we have something to work with.
Definition 1 $\delta_n(i)$
We will define a function called the delta function:
$\delta_n(i) = (\lceil i\sqrt{n} \rceil - i\sqrt{n})$
Now we need to show that there is a relationship between $\delta_n(i)$ and $\lceil i\sqrt{n} \rceil^2$. We will prove this by induction. In the proof we also find a scaling factor that allows us to efficiently compare the squares against one another without actually computing them.
Theorem 1 Proportionality of $\delta_n(i)$ to $\lceil i\sqrt{n} \rceil^2 \pmod{n}$
$\delta_n(i)$ increases as $(\lceil i\sqrt{n} \rceil \bmod n)^2$ increases.
Pf: For our base step we have the case $\delta_n(i) = (\lceil i\sqrt{n} \rceil - i\sqrt{n}) = 0$. This is trivially true if $i = 0$ or n is a perfect square.
$\lceil i\sqrt{n} \rceil^2 = (i\sqrt{n})^2 = i^2 n = 0 \bmod n$
Inductive step: Keep n constant, let i vary. For = i

n|i

n. We assume
that for each

< resulting in an increase of one then

must equal zero, so


the change in the square is 1. Then consider how varies if i

n|
2
mod n is
one larger. If this is not a relevant quadratic residue, we can consider the next
relevant quadratic residue and scale appropriately. We then use the binomial
theorem [4] on
2
+2i

n = 1 to compute = i

n +

(i

n)
2
+ 1 This
is a small positive number, so has increased. The alternative root can not
be true, as [0, 1) and the difference would be too large. Since is defined
by i, it trivially covers all i <

n Z.//
The underlying idea of this proof is to carve up the space between zero and one into tiny pieces and show that if we move to the next piece, the square increases by one. The proof shows the size of the tiny pieces. This makes $\delta_n(i)$ a discrete value and allows us to map it to the square mod n.
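The relationship between the delta function and the square can be checked numerically. The following is an added example, not code from the paper: it computes ceil(i*sqrt(n)) exactly with integer arithmetic and verifies that ceil(i*sqrt(n))^2 - i^2*n equals delta*(2*i*sqrt(n) + delta), which is why a small delta gives a small square. The toy modulus N and all function names are assumptions made for the illustration.

```python
from decimal import Decimal, getcontext
from math import isqrt

getcontext().prec = 80  # enough digits that delta is not lost to rounding

# Constructed toy modulus (assumption for this example): 10007 * 10009
N = 100160063

def ceil_mult_sqrt(i, n):
    """Exact ceil(i*sqrt(n)), computed as ceil(sqrt(i*i*n)) in integers."""
    m = i * i * n
    r = isqrt(m)
    return r if r * r == m else r + 1

def delta(i, n):
    """delta_n(i) = ceil(i*sqrt(n)) - i*sqrt(n), a real in [0, 1)."""
    return Decimal(ceil_mult_sqrt(i, n)) - i * Decimal(n).sqrt()

def excess(i, n):
    """ceil(i*sqrt(n))^2 - i^2*n; equals the residue mod n whenever it is < n."""
    return ceil_mult_sqrt(i, n) ** 2 - i * i * n

def residue(i, n):
    """ceil(i*sqrt(n))^2 mod n."""
    return ceil_mult_sqrt(i, n) ** 2 % n

def identity_holds(i, n):
    """Check excess = delta*(2*i*sqrt(n) + delta) and excess < 2*i*sqrt(n) + 1."""
    d, root = delta(i, n), Decimal(n).sqrt()
    predicted = d * (2 * i * root + d)
    close = abs(predicted - excess(i, n)) < Decimal("1e-40")
    return close and 0 <= d < 1 and excess(i, n) < 2 * i * root + 1

def rank_by_delta(n, limit):
    """Candidates i in 1..limit ordered by delta_n(i), smallest first."""
    return sorted(range(1, limit + 1), key=lambda i: delta(i, n))

if __name__ == "__main__":
    # Show the five candidates with the smallest delta and their residues.
    for i in rank_by_delta(N, 20)[:5]:
        print(i, delta(i, N), residue(i, N))
```
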
The real function we are trying to optimize:
$\lceil i\sqrt{n} \rceil^2$
is very regular and periodic, as we can see in a graph of it for RSA576 (below). This helps us understand why we can minimize the delta function by finding a set of periods.
[Figure: (ceil(i*sqrt(n)))^2 mod n for n=RSA576]
4 First Order Properties
The delta-function expresses a line. Actually, since the line goes to zero every time it intercepts a one (or vice-versa), it represents a series of parallel
lines. We demonstrate this by showing that there
Theorem 2 ns :
n
(i) Z > 2,
n
(i1),
n
(i)y
n
(i1) = s
n
(i)+1

n
(i1) = s if s > 0 else
n
(i)1
n
(i1) = s where
n
(j) = j

n|j

n
and s [1, 1].
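Pf. Let $\delta_n(k) = \lceil k\sqrt{n} \rceil - k\sqrt{n}$. $\delta_n(k) - \delta_n(k-1) = \lceil (k)\sqrt{n} \rceil - (k)\sqrt{n} - \lceil (k-1)\sqrt{n} \rceil + (k-1)\sqrt{n}$. This is $\lceil (k)\sqrt{n} \rceil - \lceil (k-1)\sqrt{n} \rceil - \sqrt{n}$.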
= k

n| k

n k

n| (k 1)

n = k

n| (k 1)

n| +(k
1)

n| (k 1)

n or k

n| (k 1)

n| + k

n| (k 1)

n 1.
This is

n

n| or

n

n| + 1 which is a constant function of



n,
which is constant. Therefore
n
(k)
n
(k1) is constant except where zero is
intersected between $k-1$, $k$, in these cases one needs to be added or subtracted depending on the direction of the slope. Furthermore, $s \in [-1, 1]$ because the difference between the ceiling of a number and a number can not exceed one.//
What this proof shows is that there is a constant slope, except at the discontinuous points where $\delta_n(i)$ intercept zero or one. This means that we are dealing with a sequence of parallel lines. Later, in the algorithm, we will be interested in the lowest value for these lines for which k is an integer. We can show that this will make another sequence of parallel lines.
The proof further shows that the slope is in [0, 1]. This is because the
proof finds the slope to be

n

n| or

n

n| + 1. We get the +1
because we are adding two numbers in [0,1] and the sum may exceed one but will never exceed two. Therefore the lines will have more than one point in them and be usable.
Here is an example of the delta function on the RSA-576 challenge number.
[Figure: First order delta function for RSA-576]
Theorem 3 Derived Lines
The minimum point of each line such that $\delta_n(i)$ is an integer forms another set of parallel lines.
Pf: The horizontal length of the lines remains constant and the slope remains constant. Therefore the change in $\delta_n(i)$ is a constant. Now we expand the horizontal length to cover a line segment. The vertical distance will still be a constant therefore the new slope is a constant. //
These meta parallel lines will wrap around at a value less than one. This value can be computed by first finding two points on the line, and computing the slope. Then we find a point on the next line and determine that line by the point slope method. Finally we compute the line between a point on each line and compute what x would have to be to make y zero and take the absolute value as the distance the line travels on x. The maximum y can be computed from this and the slope.
Now we have a relationship that allows us to predict the value of $\delta_n(i)$. We will be able to use this relationship to select out a large group of i with small values of $\delta_n(i)$. This gives us a shot at either finding a perfect square or a collision. This is because $\lceil i\sqrt{n} \rceil^2$ will be a small number which improves our odds. We will deal with just how much the odds are improved in the analysis of the algorithm.
There are really two sets of lines, we want to take the lines whose slope
has the lesser absolute value, as you can see in the graph of the derived lines
for RSA-576. This is why you will see algorithms which need to compute the
slope choosing among two of them based on the absolute value.
[Figure: Second Order lines function for RSA-576]
[Figure: Third Order lines function for RSA-576]
5 nth Order Properties
What is interesting, for the purpose of choosing good candidates to be the other root of perfect squares, are values of i such that $\delta_n(i)$ are local minimums. For any set of values of i, o, such that the function $f : o \to [0, 1)$, $f(x) = \delta_n(x)$ that forms a series of parallel lines that wraps at zero and a fixed value of $\delta_n(x)$ we can find the set o

, which is the set composed


of the least value in o for each line, in other words, o

is the set of local


minimums in o.
Theorem 4 If o has the property of forming these parallel lines, then so
will o

.
Pf: (o, f(o)) has a constant slope. Since x is constant and $\delta_n(x)$ is a multiplication of x by a constant, y is constant. Therefore o

has a constant
slope.//
Since it would be prohibitively expensive to store all the values of o or o

,
we compute, given the first point on o

and the length of the x component of


the lines values on o

. If we want to compute the jth value on o

, we simply
multiply j by the length and add the first point T. We can see by Theorem
4 that o

will have the same property as o.


6 Minimums
Now we have a structure for the delta function that allows us to minimize it. Using this we can find minimum values for $\lceil k\sqrt{n} \rceil^2$. The next question is, what is the minimum going to be on average. This is a very important question, because if the minimum was O(log n) then it would be possible to factor n by looking for perfect squares, which are common among small numbers. Unfortunately, the minimum is not small enough to factor.
Consider the single point $\lceil \sqrt{n} \rceil^2$. The maximum value for this is going to be $2\sqrt{n}$, so the average value for the point is $\sqrt{n}$. Since this is a single point, the average value is also the average minimum.
Consider the set of points k 1 . . .
4

n. The average minimum is going


to be:

1
2

n
4

n
4

n
=

n
As k gets larger, so does $2k\sqrt{n}$, so we can safely assume that we are not going to find a smaller average minimum greater than the one for
4

n which
is

n.
7 Conclusions and Open Problems
This shows a structure in $Z_n^*$ that may be useful in predicting some properties but is probably not sufficient for factoring. Open problems include computing
the average minimum from k 1 . . .
sqrtn
2
. Study is also required on higher
roots. It would be surprising, but not completely unexpected if a way of
exploiting this other than trying to get a perfect square were found.
You might note that we might find a way of exploiting the structure by the following line of reasoning, and this is an important open problem.
We write
x

n|
2
= (x(x))
2
We can compute x
2
thus we can compute (x)
2
by dividing out the x
2
component.
(x

n| + z)
2
= x

n + z|
2
= (x(x) + z)
2
= (x(x))
2
+ 2zx(x) + z
2
Using this, we can calculate (x)(mod n) =
(x

n| + z)
2
(x

n|)
2
z
2
2xz
(mod n)

n|
2
x
2
=

n|
x

2
= (x)(mod n)
The consequence of this is that x, z Z
n
[x > 0, z > 0:
(x

n| + z)
2
(x

n|)
2
z
2
2xz
=
x

n|
x
(mod n)
(x) =
x

n|
x
(mod n)
x
2

n
2
+ 2x

n(x) + (x)
2
= x(x)(mod n)
2x

n = (x 1)(x)
2
(mod n)

n =
(x 1)(x)
2
2x
(mod n)
It should be impossible to represent $\sqrt{n} \bmod n$ because it is a root of zero. However, if we overlook that for a minute.
x

n| = x(

n + (x))(mod n)
=
(x
2
x)(x)
2
2x
+ x(x)(mod n)
=
(x 1)(x)
2
2
+ x(x)(mod n)
= (x)

(x 1)(x)
2
+ x

(mod n)
For x = 1:x

n| = (1) mod(n). This is true. We need to verify for


$x > 1$. Unfortunately, we don't get a fixed value for $\sqrt{n}$ since non-zero roots of n are not defined mod n. Instead we have a different $\sqrt{n}$ for each x.
Now we get the equation:
2(x)
2

(x 1)(x)
2
+ x

+ (x)
2
= x

n|
2
mod(n)
References
[1] Eric Bach and Jeffrey Shallit. Algorithmic Number Theory, Volume 1: Efficient Algorithms. MIT Press, Cambridge, Mass., 1997.
[2] Neal Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, 1987.
[3] Jerrold E. Marsden. Elementary Classical Analysis. W.H. Freeman and
Company, 1974.
[4] Gilbert Strang. Calculus. Wellesley-Cambridge Press, 1991.