7
$\begingroup$

Given quadratic diophantine equation $x^2+dy^2=m$ where $d,m> 0$ and $d$ is square-free, Cornacchia's algorithm: https://en.wikipedia.org/wiki/Cornacchia%27s_algorithm, solves the problem in polynomial time by firstly finding a square root $s$ of $-d$ modulo $m$, i.e solve $s^2\equiv -d \mod m$ and then performing a gcd-like step until some certain condition is satisfied. If the condition is not satisfied, we try another square root of $-d$ until we find a solution or exhaust all square roots and in this case no primitive solution exists.

The problem with this approach is that we have might have to try all $2^{\omega(m)}$ square roots until we find a solution, and if $m$ has "too many" prime factors the running time becomes exponential in $\log m$ (as $\omega(m)=O( \frac{\log m}{\log\log m})$).

Lets say we have the factorization of $m$ so we can extract square roots of $-d\pmod m$ easily. Is there a way to circumvent the issue of going through all square roots whem $m$ is highly composite? Its worthy to note that I’m also interested in the quantum setting. And I was honestly looking at how one can reduce this problem to an instance of the hidden subgroup problem which can be solved in quantum polynomial-time. I know Grover’s algorithm provides a quadratic speedup, but that’s still not good enough. Would really appreciate any assistance on that!

Improve this question
$\endgroup$
2
  • 3
    $\begingroup$ Simultaneously cross-posted on cstheory.stackexchange.com/questions/55024/… . Please, do not do that. $\endgroup$ Commented Jan 23 at 9:48
  • $\begingroup$ Ahh apologies! I did delete the other one , I wasn’t really aware of that.. $\endgroup$ Commented Jan 23 at 12:35

3 Answers 3

Reset to default
2
$\begingroup$

You might be interested in an extremely recent arXiv preprint by M. Mamah, titled "Enhanced Algorithms for the Representation of integers by Binary Quadratic forms: Reduction to Subset Sum" (arXiv preprint 2502.11402).

The author is interested in solving $x^2+dy^2=m$ efficiently when the factorization of $m$ is given. The author reduces this to the subset sum problem. Quoting from the abstract,

Leveraging this reduction, we propose multiple algorithms that solve this problem, given the factorization of $m$, based on different cases depending on d and $m$. Particularly, one of our algorithms finds a solution in polynomial time when $d=\mathrm{polylog}(m)$, while the other achieves a quadratic speedup over Cornacchia's algorithm in the generic case.

Improve this answer
$\endgroup$
1
  • 1
    $\begingroup$ Heh, I guess I should have written an article about my answer :). I don't understand why it says that it can't use the algorithm by Howgrave-Graham and Joux though, even if it is only heuristic. $\endgroup$ Commented Mar 14 at 17:38
3
$\begingroup$

Note that if $x^2+dy^2=m$ and $w^2+dv^2=n$, then $(xw-dyv)^2+d(wy+xv)^2=mn$ as can be seen from looking at the arithmetic of $\mathbb{Z}[\sqrt(d)]$. Now using a bit of algebraic number theory in class number one it's enough to work with prime factors.

In high class numbers life is more complicated (thank you Kenta for pointing this out) and sadly most of the time the class number is bigger.

Improve this answer
$\endgroup$
3
  • 1
    $\begingroup$ What do you mean "the existence of a solution comes down to the existence solution for each prime power factor"? For example $x^2+5y^2=6$ has a solution but $x^2+5y^2=2$ and $x^2+5y^2=3$ do not. $\endgroup$ Commented Jan 24 at 7:35
  • 2
    $\begingroup$ @WatsonLadd your answer doesn’t really solve the problem unless we are in class number 1, then yeah. But as pointed out by KENTA SUZUKI in general this can’t be really done.. $\endgroup$ Commented Jan 24 at 12:29
  • $\begingroup$ Ah yes, I had forgotten class number greater than 1. $\endgroup$ Commented Jan 24 at 16:13
2
$\begingroup$

We can do the following when the class number is not 1.

Compute the class group $C$ of $K = \mathbb{Q}(\sqrt{-d})$. You can compute this class group by generating a relation matrix with smooth numbers. See here for example. Suppose for simplicity that $C$ is cyclic and has $[I_g]$ as its generator. This computation also gives us the class number $h = \#C$.

Now, for each prime $p$ dividing $m$, compute a root $\sqrt{-d} \mod p$ and use this to construct an ideal $I_p$ of norm $p$ in $K$. Find an equivalent ideal $J_p$ in the class of $I_p$ of smooth norm (smooth in the sense that the largest prime is smaller than the biggest prime used in the relation matrix). Using the relation matrix, we can now find an integer $k$ such that $[I_g^{k}] = [I_p]$. This all takes sub-exponential time in $\log(|d|)$ (heuristically, I think).

Suppose $p_1, \dots, p_r$ are the primes dividing $m$. We now have to choose $e_1, \dots e_r \in \{-1,1\}$ such that $e_1k_1 + \dots + e_rk_r = 0 \bmod h$. Because then $[I_{p_1}^{e_1} \cdots I_{p_r}^{e_r}] = [I_g^{e_1k_1 + \dots + e_rk_r}] = [1]$. The $e_i$ now tell you if you have to use $\sqrt{-d} \bmod p$ or $-\sqrt{-d} \bmod p$ as your choice of square root.

Finding these $e_i$ is almost a partition problem, the only difference is that we work mod $h$. You can work around this by first trying to solve it as a normal partition problem over the integers, and if that's unsuccessful, then add $h$ to your list of numbers, and if still unsuccessful add $2h$ instead, etc. Within $r$ tries this will work, which is not too bad.

The main bottleneck is actually solving these partition problems. In general this is NP-hard, but there are algorithms which are faster than $\mathcal{O}(2^r)$, namely about$\mathcal{O}(2^{r/3})$, or if your $r$ is significanly less than $\log_2(h)$, then a lattice method can most likely find the $e_i$'s.

If C is not cyclic, then you can still find a basis for $C = [G_1] \bigoplus \dots \bigoplus [G_s]$. Then you have to solve $e_1k_1 + \dots + e_rk_r = 0 \bmod \text{order}(G_i)$ for each basis component $G_i$ simultaneously.

As a side note: deciding if an equation $x^2 = a \bmod m$ has a solution $0 < x < y$ for a given bound $y$ is NP-hard, as proven here.

Improve this answer
$\endgroup$

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.