We address the problem of finding a nontrivial divisor of a composite integer when it has a prime divisor in an interval. We show that this problem can be solved in time of the square root of the interval length with a similar amount of storage, by presenting two algorithms; one is probabilistic and the other is its derandomized version. is, the square root of the interval length, even though it is a natural requirement to design such an algorithm. In this paper, we present two algorithms, one

more »

... s probabilistic and the other is its deterministic version, for achieving birthday complexity in finding a divisor in an interval. The proposed algorithms can find a nontrivial divisor of a composite integer N when it has a prime divisor in an interval, at around the time of the square root of the interval length with a similar amount of storage. As a result, using the proposed deterministic algorithm, we can check the existence of prime divisors in the interval, and if they exist, we can find all such prime divisors, by recursively applying the proposed deterministic algorithm at most log N times, in combination with a primality test such as [1] and a procedure to check that an integer belongs to the interval. Our algorithms basically work by solving the discrete logarithm problem over (Z/nZ) * , where n is an unknown divisor of the target composite integer N . To solve this problem efficiently, we adapt a multipoint evaluation method of univariate polynomials, as that of Pollard [15], who used it to give a deterministic time algorithm for finding divisors less than some integers. At the heart of the deterministic argument is the distribution of smooth numbers, that is, to take small integers to generate a large subgroup of (Z/N Z) * . We note that this approach was originally used for devising a deterministic primality test under some condition by Konyagin and Pomerance [9] . Compared to previous algorithms to find a divisor in an interval, the proposed algorithms are more efficient for some parameters. The complexity of Coppersmith's method depends on not only the interval length but also the relative size of the divisor for the target composite number N . In contrast, the proposed algorithms mainly depend on the interval length. This difference leads to a situation where our algorithms are better than Coppersmith's method. As log N becomes larger or log(β − α) gets closer to log α, our algorithms become more efficient than Coppersmith's method. For example, roughly speaking, when logN = 4 , log α = , log(β − α) = 2 /3, the proposed algorithms run in O(2 /3 ) time , whereas Coppersmith's method runs in O(2 5 /12 ) time, which is less efficient. Compared to Pollard's algorithm [15] , the proposed algorithms are better for the case that β − α is significantly smaller than β. We also note that by combining our techniques in Section 5 and Pollard's technique in [15, Section 2] one can obtain another deterministic algorithm suitable to the interval case, but it is not as efficient as our solution. The detailed explanation can be found in Section 5.5. In fact, one may consider applying Pollard's kangaroo method [17] to find a factor in an interval. Pollard's kangaroo method solves the discrete logarithm problem by finding a collision between two sequences which are generated by iteratively applying a function f to two distinct starting points. The main reason why this method works is that a collision between these two sequences is always preserved after applying f . However, this method as well as Pollard's rho method for the discrete logarithm [17] uses an iteration function f which does not satisfy that f (x mod p) = f (x) mod p. Such an iteration function does not preserve a collision modulo p after its applications, and so cannot be used for integer factorization. The remainder of this paper is organized as follows. In Section 2, we introduce notation and a theorem about smooth integers necessary for devising our deterministic algorithm. We start to present our algorithms by giving Lemma 3.1 in Licensed to AMS. License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use COMPUTING PRIME DIVISORS IN AN INTERVAL