Upload
backdrag-sirius-vargas
View
218
Download
0
Embed Size (px)
Citation preview
8/17/2019 COmputing and Combinatoria
1/489
8/17/2019 COmputing and Combinatoria
2/489
8/17/2019 COmputing and Combinatoria
3/489
3 Berlin Heidelberg New York Barcelona Hong Kong London MilanParisSingaporeTokyo
8/17/2019 COmputing and Combinatoria
4/489
Ding-Zhu Du Peter Eades Vladimir Estivill-Castro
Xuemin Lin Arun Sharma (Eds.)
Computingand Combinatorics
6th Annual International Conference, COCOON 2000Sydney, Australia, July 26-28, 2000Proceedings
13
8/17/2019 COmputing and Combinatoria
5/489
Series Editors
Gerhard Goos, Karlsruhe University, GermanyJuris Hartmanis, Cornell University, NY, USAJan van Leeuwen, Utrecht University, The Netherlands
Volume Editors
Ding-Zhu DuUniversity of Minnesota, Department of Computer Science and EngineeringMinneapolis, MN 55455, USAE-mail: [email protected]
Peter EadesVladimir Estivill-CastroUniversity of NewcastleDepartment of Computer Science and Software Engineering
Callaghan, NSW 2308, AustraliaE-mail: {eades,vlad}@cs.newcastle.edu.au
Xuemin LinArun SharmaThe University of New South WalesSchool of Computer Science and EngineeringSydney, NSW 2052, AustraliaE-mail: {lxue,arun}@cse.unsw.edu.au
Cataloging-in-Publication Data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Computing and combinatorics : 6th annual international conference ;proceedings / COCOON 2000, Sydney, Australia, July 26 - 28, 2000.D.-Z. Du . . . (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ;Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo : Springer, 2000
(Lecture notes in computer science ; Vol. 1858)ISBN 3-540-67787-9
CR Subject Classification (1998): F.2, G.2.1-2, I.3.5, C.2.3-4, E.1
ISSN 0302-9743ISBN 3-540-67787-9 Springer-Verlag Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material isconcerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publicationor parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,in its current version, and permission for use must always be obtained from Springer-Verlag. Violations areliable for prosecution under the German Copyright Law.
Springer-Verlag Berlin Heidelberg New York a member of BertelsmannSpringer Science+Business Media GmbH© Springer-Verlag Berlin Heidelberg 2000Printed in Germany
Typesetting: Camera-ready by author, data conversion by Boller MediendesignPrinted on acid-free paper SPIN: 10722191 06/3142 5 4 3 2 1 0
8/17/2019 COmputing and Combinatoria
6/489
Preface
The papers in this volume were selected for presentation at the 6th AnnualInternational Computing and Combinatorics Conference (COCOON2000), inSydney, Australia from July 26 - 28, 2000. The topics cover many areas in the-oretical computer science and combinatorial optimization.
There were 81 high quality papers submitted to COCOON 2000. Each paperwas reviewed by at least three program committee members, and the 44 paperswere selected. It is expected that most of them will appear in a more completeform in scientific journals. In addition to the selected papers, the volume also
contains the papers from two invited keynote speeches by Christos Papadim-itriou and Richard Brent.
This year the Hao Wang Award was given to honor the paper judged by theprogram committee to have the greatest merit. The recipient is “ApproximatingUniform Triangular Meshes in Polygons” by Franz Aurenhammer, Naoki Katoh,Hiromichi Kojima, Makoto Ohsaki, and Yinfeng Xu. The first Best Young Re-searcher paper award was given to William Duckworth for his paper “MaximumInduced Matchings of Random Cubic Graphs”.
We wish to thank all who have made this meeting possible: the authors forsubmitting papers, the program committee members and the external referees,sponsors, the local organizers, ACM SIGACT for handling electronic submis-sions, Springer-Verlag for their support, and Debbie Hatherell for her assistance.
July 2000 Ding-Zhu DuPeter EadesXuemin Lin
Sponsoring Institutions
University of New South WalesUniversity of Newcastle
University of SydneyComputer Science Association of Australasia
8/17/2019 COmputing and Combinatoria
7/489
Conference Organization
Program Committee Co-chairs
Ding-Zhu Du (University of Minnesota, USA)Peter Eades (University of Sydney, Australia)Xuemin Lin (University of New South Wales, Australia)
Program Committee
David Avis (McGill, Canada)Jianer Chen (Texas A&M, USA)Francis Chin (Hong Kong U., Hong Kong)Vladimir Estivill-Castro (Newcastle, Australia),George Havas (UQ, Australia)Hiroshi Imai (Tokyo, Japan)Tao Jiang (UC Riverside, USA)Michael Juenger (Cologne, Germany)Richard Karp (UC Berkeley, USA)
D. T. Lee (Academia Sinica, Taiwan)Bernard Mans (Macquarie U., Australia)Brendan McKay (ANU, Australia)Maurice Nivat (Université de Paris VII, France)Takeshi Tokuyama (Tohoku, Japan)Roberto Tamassia (Brown, USA)Jie Wang (UNC Greensboro, USA)Shmuel Zaks (Technion, Israel)Louxin Zhang (NUS, Singapore)
Shuzhong Zhang (CUHK, Hong Kong)Binhai Zhu (City U. Hong Kong, Hong Kong)
Organizing Committee
Vladimir Estivill-Castro (Conference Co-chair, University of Newcastle)Arun Sharma (Conference Co-chair, University of New South Wales)
Hai-Xin Lu (University of New South Wales)
8/17/2019 COmputing and Combinatoria
8/489
VIII Conference Organization
Referees
Kazuyuki AmanoJoffroy Beauquier
Francois BertaultChristoph BuchheimS.W. ChengL. DevroyeMatthias Elf Stanley FungYehuda HassinSeokhee HongTsan-Sheng Hsu
Wen-Lian HsuMing-Tat KoJoachim KupkeThierry LecroqWeifa LiangFrauke LiersChi-Jen LuHsueh-I Lu
Marcus OswaldAndrzej Pelc
David PelegStephane PerennesZ.P. QinBruce ReedMaurice RojasJames L. SchwingRinovia M.G. SimanjuntakSlaminRinovia Simanjuntak
Peter TischerDa-Wei WangJohn WatorusMartin Wolff Yinfeng XuDing Feng YeHong Zhu
8/17/2019 COmputing and Combinatoria
9/489
Table of Contents
Invited Talks
Theoretical Problems Related to the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Christos H. Papadimitriou
Recent Progress and Prospects for Integer Factorisation Algorithms . . . . . . 3
Richard P. Brent
Hao Wang Award Paper
Approximating Uniform Triangular Meshes in Polygons . . . . . . . . . . . . . . . . . 23
Franz Aurenhammer, Naoki Katoh, Hiromichi Kojima, Makoto Ohsaki,
Yinfeng Xu
The Best Young Researcher Paper
Maximum Induced Matchings of Random Cubic Graphs . . . . . . . . . . . . . . . . 34
William Duckworth, Nicholas C. Wormald, Michele Zito
Computational Geometry 1
A Duality between Small-Face Problems in Arrangements of Lines and
Heilbronn-Type Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Gill Barequet
On Local Transformation of Polygons with Visibility Properties . . . . . . . . . 54
Carmen Hernando, Michael E. Houle, Ferran Hurtado
Graph Drawing
Embedding Problems for Paths with Direction Constrained Edges . . . . . . . . 64
Giuseppe Di Battista, Giuseppe Liotta, Anna Lubiw, Sue Whitesides
Characterization of Level Non-planar Graphs by Minimal Patterns . . . . . . . 74
Patrick Healy, Ago Kuusik, Sebastian Leipert
Rectangular Drawings of Plane Graphs Without Designated Corners . . . . . 85
Md. Saidur Rahman, Shin-ichi Nakano, Takao Nishizeki
Computing Optimal Embeddings for Planar Graphs . . . . . . . . . . . . . . . . . . . . 95
Petra Mutzel, René Weiskircher
8/17/2019 COmputing and Combinatoria
10/489
X Table of Contents
Graph Theory and Algorithms 1
Approximation Algorithms for Independent Sets in Map Graphs . . . . . . . . . 105
Zhi-Zhong Chen
Hierarchical Topological Inference on Planar Disc Maps . . . . . . . . . . . . . . . . . 115
Zhi-Zhong Chen, Xin He
Efficient Algorithms for the Minimum Connected Domination on
Trapezoid Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Yaw-Ling Lin, Fang Rong Hsu, Yin-Te Tsai
Complexity, Discrete Mathematics, and Number Theory
Parameterized Complexity of Finding Subgraphs with Hereditary
Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Subhash Khot, Venkatesh Raman
Some Results on Tries with Adaptive Branching . . . . . . . . . . . . . . . . . . . . . . . 148
Yuriy A. Reznik
Optimal Coding with One Asymmetric Error: Below the Sphere Packing
Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Ferdinando Cicalese, Daniele Mundici
Closure Properties of Real Number Classes under Limits and Computable
Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Xizhong Zheng
Graph Theory and Algorithms 2
A Characterization of Graphs with Vertex Cover Six . . . . . . . . . . . . . . . . . . . 180
Michael J. Dinneen, Liu Xiong
On the Monotonicity of Minimum Diameter with Respect to Order andMaximum Out-Degree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Mirka Miller, Slamin
Online Algorithms
Online Independent Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Magn´ us M. Halld´ orsson, Kazuo Iwama, Shuichi Miyazaki,
Shiro Taketomi
Two-Dimensional On-Line Bin Packing Problem with Rotatable Items . . . 210Satoshi Fujita, Takeshi Hada
Better Bounds on the Accommodating Ratio for the Seat Reservation
Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Eric Bach, Joan Boyar, Tao Jiang, Kim S. Larsen, Guo-Hui Lin
8/17/2019 COmputing and Combinatoria
11/489
Table of Contents XI
Ordinal On-Line Scheduling on Two Uniform Machines . . . . . . . . . . . . . . . . . 232
Zhiyi Tan, Yong He
Parallel and Distributed Computing
Agents, Distributed Algorithms, and Stabilization . . . . . . . . . . . . . . . . . . . . . . 242
Sukumar Ghosh
A Fast Sorting Algorithm and Its Generalization on Broadcast
Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Shyue-Horng Shiau, Chang-Biau Yang
Efficient List Ranking Algorithms on Reconfigurable Mesh . . . . . . . . . . . . . . 262
Sung-Ryul Kim, Kunsoo Park
Computational Geometry 2
Tripods Do Not Pack Densely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Alexandre Tiskin
An Efficient k Nearest Neighbor Searching Algorithm for a Query Line . . . 281
Subhas C. Nandy
Tetrahedralization of Two Nested Convex Polyhedra . . . . . . . . . . . . . . . . . . . 291Cao An Wang, Boting Yang
Efficient Algorithms for Two-Center Problems for a Convex Polygon . . . . . 299
Sung Kwon Kim, Chan-Su Shin
Combinatorial Optimization
On Computation of Arbitrage for Markets with Friction . . . . . . . . . . . . . . . . 310
Xiaotie Deng, Zhongfei Li, Shouyang Wang
On Some Optimization Problems in Obnoxious Facility Location . . . . . . . . . 320
Zhongping Qin, Yinfeng Xu, Binhai Zhu
Generating Necklaces and Strings with Forbidden Substrings . . . . . . . . . . . . 330
Frank Ruskey, Joe Sawada
Optimal Labelling of Point Features in the Slider Model . . . . . . . . . . . . . . . . 340
Gunnar W. Klau, Petra Mutzel
Data Structures and Computational Biology
Mappings for Conflict-Free Access of Paths in Elementary Data
Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Alan A. Bertossi, M. Cristina Pinotti
8/17/2019 COmputing and Combinatoria
12/489
XII Table of Contents
Theory of Trinomial Heaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Tadao Takaoka
Polyhedral Aspects of the Consecutive Ones Problem . . . . . . . . . . . . . . . . . . . 373
Marcus Oswald, Gerhard Reinelt The Complexity of Physical Mapping with Strict Chimerism . . . . . . . . . . . . 383
Stephan Weis, R¨ udiger Reischuk
Learning and Cryptography
Logical Analysis of Data with Decomposable Structures . . . . . . . . . . . . . . . . . 396
Hirotaka Ono, Kazuhisa Makino, Toshihide Ibaraki
Learning from Approximate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Shirley Cheung H.C.
A Combinatorial Approach to Asymmetric Traitor Tracing . . . . . . . . . . . . . . 416
Reihaneh Safavi-Naini, Yejing Wang
Removing Complexity Assumptions from Concurrent Zero-Knowledge
Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Giovanni Di Crescenzo
Automata and Quantum ComputingOne-Way Probabilistic Reversible and Quantum One-Counter Automata . . 436
Tomohiro Yamasaki, Hirotada Kobayashi, Yuuki Tokunaga,
Hiroshi Imai
Similarity Enrichment in Image Compression through Weighted Finite
Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Zhuhan Jiang, Bruce Litow, Olivier de Vel
On the Power of Input-Synchronized Alternating Finite Automata . . . . . . .
457Hiroaki Yamamoto
Ordered Quantum Branching Programs Are More Powerful than Ordered
Probabilistic Branching Programs under a Bounded-Width Restriction . . . . 467
Masaki Nakanishi, Kiyoharu Hamaguchi, Toshinobu Kashiwabara
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
8/17/2019 COmputing and Combinatoria
13/489
Theoretical Problems Related to the Internet
(Extended Abstract)
Christos H. Papadimitriou
University of California, Berkeley, USA,
http://www.cs.berkeley.edu/∼christos/
The Internet has arguably superseded the computer as the most complex co-hesive artifact (if you can call it that), and is, quite predictably, the source of
a new generation of foundational problems for Theoretical Computer Science.These new theoretical challenges emanate from several novel aspects of the In-ternet: (a) Its unprecedented size, diversity, and availability as an informationrepository; (b) its novel nature as a computer system that intertwines a multi-tude of economic interests in varying degrees of competition; and (c) its historyas a shared resource architecture that emerged in a remarkably ad hoc yet glori-ously successful manner. In this talk I will survey some recent research (done incollaboration with Joan Feigenbaum, Dick Karp, Elias Koutsoupias, and ScottShenker, see [1,2]) on problems of the two latter kinds. See [3,5] for examples of
theoretical work along the first axis.To a large extent, the Internet owes its remarkable ascent to the surprising
empirical success of TCP’s congestion control protocol [4]. A flow between twopoints strives to determine the correct transmission rate by trying higher andhigher rates, in a linearly increasing function. As links shared by several flowsreach their capacity, one or more packets may be lost, and, in response, thecorresponding flow halves its transmission rate. The fantastic empirical successof this crude mechanism raises important, and at times theoretically interesting,questions related to novel search algorithms (the process clearly contains a novel
variant of binary search), on-line algorithms (when the true capacity that aflow can use changes in an unknown and, in a worst case, adversarial fashion),and algorithmic game theory (why is it that flows seem to be unwilling, orunmotivated, to move away from TCP?).
In a situation in which the same piece of information is multicast to millionsof individuals, it is of interest to determine the price that each recipient must payin return. The information in question is of different value to each individual,and this value is known only to this individual. The participants must engagein a mechanism , that is to say, a distributed protocol whereby they determine
the individuals who will actually receive the information, and the price each willpay. Economists over the past fourty years have studied such situations aris-ing in auctions, welfare economics, and pricing of public goods, and have comeup with clever mechanisms —solutions that satisfy various sets of desiderata
Research partially supported by the National Science Foundation.
D.-Z. Du et al. (Eds.): COCOON 2000, LNCS 1858, pp. 1–2, 2000.c Springer-Verlag Berlin Heidelberg 2000
8/17/2019 COmputing and Combinatoria
14/489
2 Christos H. Papadimitriou
(“axioms”)— or ingenious proofs that satisfying other sets of desiderata is im-possible. In the context of the Internet, however, an important computationaldesideratum emerges: The protocol should be efficient, with respect to the totalnumber of messages sent. It turns out that this novel condition changes the sit-
uation dramatically, and carves out a new set of pricing mechanisms that areappropriate and feasible.
References
1. Joan Feigenbaum, Christos H. Papadimitriou, Scott Shenker, “Sharing the Cost of
Multicast Transmissions,” Proc. 2000 STOC.
2. Richard M. Karp, Elias Koutsoupias, Christos H. Papadimitriou, Scott Shenker,
“Optimization Problems in Congestion Control,” manuscript, April 2000.
3. Jon Kleinberg, “Authoritative sources in a hyperlinked environment,” Proc. ACM-SIAM Symposium on Discrete Algorithms , 1998.
4. Van Jacobson “Congestion Avoidance and Control,” in ACM SigComm Proceedings ,
pp 314-329, 1988.
5. Christos H. Papadimitriou, Prabhakar Raghavan, Hisao Tamaki, Santosh Vempala,
“Latent Semantic Indexing: A Probabilistic Analysis,” Proc. 1998 PODS , to appear
in the special issue of JCSS .
8/17/2019 COmputing and Combinatoria
15/489
Recent Progress and Prospects for IntegerFactorisation Algorithms
Richard P. Brent
Oxford University Computing Laboratory,Wolfson Building, Parks Road,
Oxford OX1 3QD, [email protected]
http://www.comlab.ox.ac.uk/
Abstract. The integer factorisation and discrete logarithm problemsare of practical importance because of the widespread use of public keycryptosystems whose security depends on the presumed difficulty of solv-ing these problems. This paper considers primarily the integer factorisa-tion problem. In recent years the limits of the best integer factorisationalgorithms have been extended greatly, due in part to Moore’s law and inpart to algorithmic improvements. It is now routine to factor 100-decimaldigit numbers, and feasible to factor numbers of 155 decimal digits (512bits). We outline several integer factorisation algorithms, consider theirsuitability for implementation on parallel machines, and give examplesof their current capabilities. In particular, we consider the problem of parallel solution of the large, sparse linear systems which arise with theMPQS and NFS methods.
1 Introduction
There is no known deterministic or randomised polynomial-time1 algorithm forfinding a factor of a given composite integer N . This empirical fact is of great
interest because the most popular algorithm for public-key cryptography, theRSA algorithm [54], would be insecure if a fast integer factorisation algorithmcould be implemented.
In this paper we survey some of the most successful integer factorisationalgorithms. Since there are already several excellent surveys emphasising thenumber-theoretic basis of the algorithms, we concentrate on the computationalaspects.
This paper can be regarded as an update of [8], which was written justbefore the factorisation of the 512-bit number RSA155. Thus, to avoid duplica-
tion, we refer to [8] for primality testing, multiple-precision arithmetic, the useof factorisation and discrete logarithms in public-key cryptography, and somefactorisation algorithms of historical interest.
1 For a polynomial-time algorithm the expected running time should be a polynomialin the length of the input, i.e. O((logN )c) for some constant c.
D.-Z. Du et al. (Eds.): COCOON 2000, LNCS 1858, pp. 3–22, 2000.c Springer-Verlag Berlin Heidelberg 2000
8/17/2019 COmputing and Combinatoria
16/489
4 Richard P. Brent
1.1 Randomised Algorithms
All but the most trivial algorithms discussed below are randomised algorithms ,i.e. at some point they involve pseudo-random choices. Thus, the running times
are expected rather than worst case . Also, in most cases the expected runningtimes are conjectured, not rigorously proved.
1.2 Parallel Algorithms
When designing parallel algorithms we hope that an algorithm which requirestime T 1 on a computer with one processor can be implemented to run in timeT P
∼ T 1/P on a computer with P independent processors. This is not always
the case, since it may be impossible to use all P processors effectively. However,it is true for many integer factorisation algorithms, provided P is not too large.
The speedup of a parallel algorithm is S = T 1/T P . We aim for a linearspeedup, i.e. S = Θ(P ).
1.3 Quantum Algorithms
In 1994 Shor [57,58] showed that it is possible to factor in polynomial expected
time on a quantum computer [20,21]. However, despite the best efforts of severalresearch groups, such a computer has not yet been built, and it remains unclearwhether it will ever be feasible to build one. Thus, in this paper we restrict ourattention to algorithms which run on classical (serial or parallel) computers. Thereader interested in quantum computers could start by reading [50,60].
1.4 Moore’s Law
Moore’s “law” [44,56] predicts that circuit densities will double every 18 monthsor so. Of course, Moore’s law is not a theorem, and must eventually fail, but ithas been surprisingly accurate for many years. As long as Moore’s law continuesto apply and results in correspondingly more powerful parallel computers, we ex-pect to get a steady improvement in the capabilities of factorisation algorithms,without any algorithmic improvements. Historically, improvements over the pastthirty years have been due both to Moore’s law and to the development of newalgorithms (e.g. ECM, MPQS, NFS).
2 Integer Factorisation Algorithms
There are many algorithms for finding a nontrivial factor f of a composite inte-ger N . The most useful algorithms fall into one of two classes –
8/17/2019 COmputing and Combinatoria
17/489
Recent Progress and Prospects for Integer Factorisation Algorithms 5
A. The run time depends mainly on the size of N, and is not strongly dependenton the size of f . Examples are –
• Lehman’s algorithm [28], which has worst-case run time O(N 1/3).
• The Continued Fraction algorithm [39] and the Multiple PolynomialQuadratic Sieve (MPQS) algorithm [46,59], which under plausible as-sumptions have expected run time O(exp(
√ c ln N ln ln N )), where c is a
constant (depending on details of the algorithm). For MPQS, c ≈ 1.• The Number Field Sieve (NFS) algorithm [29,30], which under plausi-
ble assumptions has expected run time O(exp(c(ln N )1/3(lnln N )2/3)),where c is a constant (depending on details of the algorithm and on theform of N ).
B. The run time depends mainly on the size of f, the factor found. (We can
assume that f ≤ N 1/2.) Examples are –• The trial division algorithm, which has run time O(f · (log N )2).• Pollard’s “rho” algorithm [45], which under plausible assumptions has
expected run time O(f 1/2 · (log N )2).• Lenstra’s Elliptic Curve (ECM) algorithm [34], which under plausible as-
sumptions has expected run time O(exp(√
c ln f ln ln f )·(log N )2), wherec ≈ 2 is a constant.
In these examples, the time bounds are for a sequential machine, and the term
(log N )2 is a generous allowance for the cost of performing arithmetic operationson numbers which are O(N 2). If N is very large, then fast integer multiplicationalgorithms [19,24] can be used to reduce the (log N )2 term.
Our survey of integer factorisation algorithms is necessarily cursory. For moreinformation the reader is referred to [8,35,48,53].
3 Lenstra’s Elliptic Curve Algorithm
Lenstra’s elliptic curve method/algorithm (abbreviated ECM) was discoveredby H. W. Lenstra, Jr. about 1985 (see [34]). It is the best known algorithmin class B. To save space, we refer to [7,8,34] and the references there for adescription of ECM, and merely give some examples of its successes here.
3.1 ECM Examples
1. In 1995 we completed the factorisation of the 309-decimal digit (1025-bit)
Fermat number F 10 = 2210 + 1. In fact
F 10 = 45592577 · 6487031809 ·4659775785220018543264560743076778192897 · p252
where 46597 · · ·92897 is a 40-digit prime and p252 = 13043 · · ·24577 is a252-digit prime. The computation, which is described in detail in [7], took
8/17/2019 COmputing and Combinatoria
18/489
6 Richard P. Brent
about 240 Mips-years. (A Mips-year is the computation performed by ahypothetical machine performing 106 instructions per second for one year,i.e. about 3.15× 1013 instructions. Is is a convenient measure but should notbe taken too seriously.)
2. The largest factor known to have been found by ECM is the 54-digit factor
484061254276878368125726870789180231995964870094916937
of (643 − 1)42 + 1, found by Nik Lygeros and Michel Mizony with PaulZimmermann’s GMP-ECM program [63] in December 1999 (for more detailssee [9]).
3.2 Parallel/Distributed Implementation of ECM
ECM consists of a number of independent pseudo-random trials, each of whichcan be performed on a separate processor. So long as the expected number of trials is much larger than the number P of processors available, linear speedupis possible by performing P trials in parallel. In fact, if T 1 is the expected runtime on one processor, then the expected run time on a MIMD parallel machinewith P processors is
T P = T 1/P + O(T 1/2+
1 ) (1)
3.3 ECM Factoring Records
1990 1992 1994 1996 1998 2000 2002
38
40
42
44
46
48
50
52
54 D
Figure 1: Size of factor found by ECM versus year
8/17/2019 COmputing and Combinatoria
19/489
Recent Progress and Prospects for Integer Factorisation Algorithms 7
Figure 1 shows the size D (in decimal digits) of the largest factor found byECM against the year it was done, from 1991 (40D) to 1999 (54D) (historicaldata from [9]).
3.4 Extrapolation of ECM Records
1990 1992 1994 1996 1998 2000 2002
6.0
6.2
6.4
6.6
6.8
7.0
7.2
7.4
7.6 √
D
Figure 2:√ D versus year Y for ECM
Let D be the number of decimal digits in the largest factor found by ECM upto a given date. From the theoretical time bound for ECM, assuming Moore’slaw, we expect
√ D to be roughly a linear function of calendar year (in fact√
D ln D should be linear, but given the other uncertainties we have assumed forsimplicity that
√ ln D is roughly a constant). Figure 2 shows
√ D versus year Y .
The straight line shown in the Figure 2 is
√ D = Y
−1932.3
9.3 or equivalently Y = 9.3√ D + 1932.3 ,and extrapolation gives D = 60 in the year Y = 2004 and D = 70 in the yearY = 2010.
8/17/2019 COmputing and Combinatoria
20/489
8 Richard P. Brent
4 Quadratic Sieve Algorithms
Quadratic sieve algorithms belong to a wide class of algorithms which try to findtwo integers x and y such that x
=
±y (mod N ) but
x2 = y2 (mod N ) . (2)
Once such x and y are found, then GCD (x − y, N ) is a nontrivial factor of N .One way to find x and y satisfying (2) is to find a set of relations of the form
u2i = v2i wi (mod N ), (3)
where the wi have all their prime factors in a moderately small set of primes(called the factor base ). Each relation (3) gives a colunm in a matrix R whoserows correspond to the primes in the factor base. Once enough columns have beengenerated, we can use Gaussian elimination in GF(2) to find a linear dependency(mod 2) between a set of columns of R. Multiplying the corresponding relationsnow gives an expression of the form (2). With probability at least 1/2, we havex = ±y mod N so a nontrivial factor of N will be found. If not, we need toobtain a different linear dependency and try again.
In quadratic sieve algorithms the numbers wi are the values of one (or more)quadratic polynomials with integer coefficients. This makes it easy to factor thew
i by sieving . For details of the process, we refer to [11,32,35,46,49,52,59].
The best quadratic sieve algorithm (MPQS) can, under plausible assump-tions, factor a number N in time Θ(exp(c(ln N ln ln N )1/2)), where c ∼ 1. Theconstants involved are such that MPQS is usually faster than ECM if N is theproduct of two primes which both exceed N 1/3. This is because the inner loopof MPQS involves only single-precision operations.
Use of “partial relations”, i.e. incompletely factored wi, in MPQS gives asignificant performance improvement [2]. In the “one large prime” (P-MPQS)variation wi is allowed to have one prime factor exceeding m (but not too muchlarger than m). In the “two large prime” (PP-MPQS) variation w
i can have two
prime factors exceeding m – this gives a further performance improvement atthe expense of higher storage requirements [33].
4.1 Parallel/Distributed Implementation of MPQS
The sieving stage of MPQS is ideally suited to parallel implementation. Differentprocessors may use different polynomials, or sieve over different intervals withthe same polynomial. Thus, there is a linear speedup so long as the number of
processors is not much larger than the size of the factor base. The computa-tion requires very little communication between processors. Each processor cangenerate relations and forward them to some central collection point. This wasdemonstrated by A. K. Lenstra and M. S. Manasse [32], who distributed theirprogram and collected relations via electronic mail. The processors were scat-tered around the world – anyone with access to electronic mail and a C compiler
8/17/2019 COmputing and Combinatoria
21/489
Recent Progress and Prospects for Integer Factorisation Algorithms 9
could volunteer to contribute2. The final stage of MPQS – Gaussian eliminationto combine the relations – is not so easily distributed. We discuss this in §7below.
4.2 MPQS Examples
MPQS has been used to obtain many impressive factorisations [10,32,52,59].At the time of writing (April 2000), the largest number factored by MPQS isthe 129-digit “RSA Challenge” [54] number RSA129. It was factored in 1994by Atkins et al [1]. The relations formed a sparse matrix with 569466 columns,which was reduced to a dense matrix with 188614 columns; a dependency wasthen found on a MasPar MP-1. It is certainly feasible to factor larger numbersby MPQS, but for numbers of more than about 110 decimal digits GNFS is
faster [22]. For example, it is estimated in [16] that to factor RSA129 by MPQSrequired 5000 Mips-years, but to factor the slightly larger number RSA130 byGNFS required only 1000 Mips-years [18].
5 The Special Number Field Sieve (SNFS)
The number field sieve (NFS) algorithm was developed from the special number field sieve (SNFS), which we describe in this section. The general number field sieve (GNFS or simply NFS) is described in
§6.
Most of our numerical examples have involved numbers of the form
ae ± b , (4)for small a and b, although the ECM and MPQS factorisation algorithms do nottake advantage of this special form.
The special number field sieve (SNFS) is a relatively new algorithm whichdoes take advantage of the special form (4). In concept it is similar to thequadratic sieve algorithm, but it works over an algebraic number field defined
by a, e and b. We refer the interested reader to Lenstra et al [29,30] for details,and merely give an example to show the power of the algorithm.
5.1 SNFS Examples
Consider the 155-decimal digit number
F 9 = N = 229 + 1
as a candidate for factoring by SNFS. Note that 8N = m5
+ 8, where m = 2103
.We may work in the number field Q(α), where α satisfies
α5 + 8 = 0,
2 This idea of using machines on the Internet as a “free” supercomputer has beenadopted by several other computation-intensive projects
8/17/2019 COmputing and Combinatoria
22/489
10 Richard P. Brent
and in the ring of integers of Q(α). Because
m5 + 8 = 0 (mod N ),
the mapping φ : α
→m mod N is a ring homomorphism from Z [α] to Z/NZ .
The idea is to search for pairs of small coprime integers u and v such that boththe algebraic integer u + αv and the (rational) integer u + mv can be factored.(The factor base now includes prime ideals and units as well as rational primes.)Because
φ(u + αv) = (u + mv) (mod N ),
each such pair gives a relation analogous to (3).The prime ideal factorisation of u +αv can be obtained from the factorisation
of the norm u5−8v5 of u+αv. Thus, we have to factor simultaneously two integersu + mv and
|u5
−8v5
|. Note that, for moderate u and v, both these integers are
much smaller than N , in fact they are O(N 1/d), where d = 5 is the degree of the algebraic number field. (The optimal choice of d is discussed in §6.)
Using these and related ideas, Lenstra et al [31] factored F 9 in June 1990,obtaining
F 9 = 2424833 · 7455602825647884208337395736200454918783366342657 · p99,where p99 is an 99-digit prime, and the 7-digit factor was already known(although SNFS was unable to take advantage of this). The collection of re-lations took less than two months on a network of several hundred workstations.A sparse system of about 200,000 relations was reduced to a dense matrix withabout 72,000 rows. Using Gaussian elimination, dependencies (mod 2) betweenthe columns were found in three hours on a Connection Machine. These depen-dencies implied equations of the form x2 = y2 mod F 9. The second such equationwas nontrivial and gave the desired factorisation of F 9.
More recently, considerably larger numbers have been factored by SNFS,for example, the 211-digit number 10211 − 1 was factored early in 1999 by acollaboration called “The Cabal” [13].
6 The General Number Field Sieve (GNFS)
The general number field sieve (GNFS or just NFS) is a logical extension of thespecial number field sieve (SNFS). When using SNFS to factor an integer N , werequire two polynomials f (x) and g(x) with a common root m mod N but nocommon root over the field of complex numbers. If N has the special form (4)then it is usually easy to write down suitable polynomials with small coefficients,as illustrated by the two examples given in §5. If N has no special form, but is
just some given composite number, we can also find f (x) and g(x), but they nolonger have small coefficients.
Suppose that g(x) has degree d > 1 and f (x) is linear3. d is chosen empir-ically, but it is known from theoretical considerations that the optimum value
3 This is not necessary. For example, Montgomery found a clever way of choosing twoquadratic polynomials.
8/17/2019 COmputing and Combinatoria
23/489
Recent Progress and Prospects for Integer Factorisation Algorithms 11
is
d ∼
3 ln N
lnln N
1/3.
We choose m = N 1/(d+1) and write
N =d
j=0
ajmj
where the aj are “base m digits”. Then, defining
f (x) = x − m, g(x) =d
j=0
ajxj ,
it is clear that f (x) and g(x) have a common root m mod N . This method of polynomial selection is called the “base m” method.
In principle, we can proceed as in SNFS, but many difficulties arise because of the large coefficients of g(x). For details, we refer the reader to [36,37,41,47,48,62].Suffice it to say that the difficulties can be overcome and the method works! Dueto the constant factors involved it is slower than MPQS for numbers of less than
about 110 decimal digits, but faster than MPQS for sufficiently large numbers,as anticipated from the theoretical run times given in §2.
Some of the difficulties which had to be overcome to turn GNFS into apractical algorithm are:
1. Polynomial selection. The “base m” method is not very good. Peter Mont-gomery and Brian Murphy [40,41,42] have shown how a very considerableimprovement (by a factor of more than ten for number of 140–155 digits)
can be obtained.2. Linear algebra. After sieving a very large, sparse linear system over GF(2)is obtained, and we want to find dependencies amongst the columns. It isnot practical to do this by structured Gaussian elimination [25, §5] becausethe “fill in” is too large. Odlyzko [43,17] and Montgomery [37] showed thatthe Lanczos method [26] could be adapted for this purpose. (This is non-trivial because a nonzero vector x over GF(2) can be orthogonal to itself,i.e. xT x = 0.) To take advantage of bit-parallel operations, Montgomery’sprogram works with blocks of size dependent on the wordlength (e.g. 64).
3. Square roots. The final stage of GNFS involves finding the square root of a (very large) product of algebraic numbers4. Once again, Montgomery [36]found a way to do this.
4 An idea of Adleman, using quadratic characters, is essential to ensure that the desiredsquare root exists with high probability.
8/17/2019 COmputing and Combinatoria
24/489
12 Richard P. Brent
6.1 RSA155
At the time of writing, the largest number factored by GNFS is the 155-digitRSA Challenge number RSA155. It was split into the product of two 78-digit
primes on 22 August, 1999, by a team coordinated from CWI, Amsterdam. Fordetails see [51]. To summarise: the amount of computer time required to find thefactors was about 8000 Mips-years. The two polynomials used were
f (x) = x − 39123079721168000771313449081
and
g(x) = +119377138320x5
−80168937284997582x4−66269852234118574445x3+11816848430079521880356852x2
+7459661580071786443919743056x
−40679843542362159361913708405064 .
The polynomial g(x) was chosen to have a good combination of two proper-
ties: being unusually small over the sieving region and having unusually manyroots modulo small primes (and prime powers). The effect of the second prop-erty alone makes g(x) as effective at generating relations as a polynomial chosenat random for an integer of 137 decimal digits (so in effect we have removedat least 18 digits from RSA155 by judicious polynomial selection). The polyno-mial selection took approximately 100 Mips-years or about 1.25% of the totalfactorisation time. For details of the polynomial selection, see Brian Murphy’sthesis [41].
The total amount of CPU time spent on sieving was 8000 Mips-years on
assorted machines (calendar time 3.7 months). The resulting matrix had about6.7 × 106 rows and weight (number of nonzeros) about 4.2 × 108 (about 62nonzeros per row). Using Montgomery’s block Lanczos program, it took almost224 CPU-hours and 2 GB of memory on a Cray C916 to find 64 dependencies.Calendar time for this was 9.5 days.
Table 1. RSA130, RSA140 and RSA155 factorisations
RSA130 RSA140 RSA155Total CPU time in Mips-years 1000 2000 8000Matrix rows 3.5 × 106 4.7 × 106 6.7 × 106Total nonzeros 1.4 × 108 1.5 × 108 4.2 × 108Nonzeros per row 39 32 62Matrix solution time (on Cray C90/C916) 68 hours 100 hours 224 hours
8/17/2019 COmputing and Combinatoria
25/489
Recent Progress and Prospects for Integer Factorisation Algorithms 13
Table 1 gives some statistics on the RSA130, RSA140 and RSA155 factori-sations. The Mips-year times given are only rough estimates. Extrapolation of these figures is risky, since various algorithmic improvements were incorporatedin the later factorisations and the scope for further improvements is unclear.
7 Parallel Linear Algebra
At present, the main obstacle to a fully parallel and scalable implementationof GNFS (and, to a lesser extent, MPQS) is the linear algebra. Montgomery’sblock Lanczos program runs on a single processor and requires enough memoryto store the sparse matrix (about five bytes per nonzero element). It is possibleto distribute the block Lanczos solution over several processors of a parallel
machine, but the communication/computation ratio is high [38].Similar remarks apply to some of the best algorithms for the integer discretelogarithm problem. The main difference is that the linear algebra has to beperformed over a (possibly large) finite field rather than over GF(2).
In this Section we present some preliminary ideas on how to implement thelinear algebra phase of GNFS (and MPQS) in parallel on a network of relativelysmall machines. This work is still in progress and it is too early to give definitiveresults.
7.1 Assumptions
Suppose that a collection of P machines is available. It will be convenient toassume that P = q 2 is a perfect square. For example, the machines might be400 Mhz PCs with 256 MByte of memory each, and P = 16 or P = 64.
We assume that the machines are connected on a reasonably high-speednetwork. For example, this might be multiple 100Mb/sec Ethernets or somehigher-speed proprietary network. Although not essential, it is desirable for thephysical network topology to be a q × q grid or torus. Thus, we assume thata processor P i,j in row i can communicate with another processor P i,j in thesame row or broadcast to all processors P i,∗ in the same row without interferencefrom communication being performed in other rows. (Similarly for columns.)The reason why this topology is desirable is that it matches the communicationpatterns necessary in the linear algebra: see for example [4,5,6].
To simplify the description, we assume that the standard Lanczos algorithmis used. In practice, a block version of Lanczos [37] would be used, both to takeadvantage of word-length Boolean operations and to overcome the technicalproblem that uT u can vanish for u = 0 when we are working over a finite field.The overall communication costs are nearly the same for blocked and unblockedLanczos, although blocking reduces startup costs.
If R is the matrix of relations, with one relation per column, then R is a large,sparse matrix over GF(2) with slightly more columns than rows. (Warning: inthe literature, the transposed matrix is often considered, i.e. rows and columnsare often interchanged.) We aim to find a nontrivial dependency , i.e. a nonzero
8/17/2019 COmputing and Combinatoria
26/489
14 Richard P. Brent
vector x such that Rx = 0. If we choose b = Ry for some random y, and solveRx = b, then x − y is a dependency (possibly trivial, if x = y). Thus, in thedescription below we consider solving a linear system Rx = b.
The Lanczos algorithm over the real field works for a positive-definite sym-
metric matrix. In our case, R is not symmetric (or even square). Hence we applyLanczos to the normal equations
RT Rx = RT b
rather than directly to Rx = b. We do not need to compute the matrix A = RT R,because we can compute Ax as RT (Rx). To compute RT z, it is best to thinkof computing (zT R)T because the elements of R will be scattered across theprocessors and we do not want to double the storage requirements by storing
RT
as well as R.The details of the Lanczos iteration are not important for the descriptionbelow. It is sufficient to know that the Lanczos recurrence has the form
wi+1 = Awi − ci,iwi − ci,i−1wi−1where the multipliers ci,i and ci,i−1 can be computed using inner products of known vectors. Thus, the main work involved in one iteration is the computationof Awi = R
T (Rwi). In general, if R has n columns, then wi is a dense n-vector.The Lanczos process terminates with a solution after n + O(1) iterations [37].
7.2 Sparse Matrix-Vector Multiplication
The matrix of relations R is sparse and almost square. Suppose that R has ncolumns, m ≈ n rows, and ρn nonzeros, i.e. ρ nonzeros per column. Considerthe computation of Rw, where w is a dense n-vector. The number of multiplica-tions involved in the computation of Rw is ρn. (Thus, the number of operationsinvolved in the complete Lanczos process is of order ρn2 n3.)
For simplicity assume that q = √ P divides n, and the matrix R is distributedacross the q × q array of processors using a “scattered” data distribution tobalance the load and storage requirements [5]. Within each processor P i,j asparse matrix representation will be used to store the relevant part Ri,j of R.Thus the local storage of requirement is O(ρn/q 2 + n/q ).
After each processor computes its local matrix-vector product with aboutρn/q 2 multiplications, it is necessary to sum the partial results (n/q -vectors) ineach row to obtain n/q components of the product Rw. This can be done inseveral ways, e.g. by a systolic computation, by using a binary tree, or by each
processor broadcasting its n/q -vector to other processors in its row and summingthe vectors received from them to obtain n/q components of the product Rw.If broadcasting is used then the results are in place to start the computation of RT (Rw). If an inner product is required then communication along columns of the processor array is necessary to transpose the dense n-vector (each diagonalprocessor P i,i broadcasts its n/q elements along its column).
8/17/2019 COmputing and Combinatoria
27/489
Recent Progress and Prospects for Integer Factorisation Algorithms 15
We see that, overall, each Lanczos iteration requires computationO(ρn/q 2 + n) on each processor, and communication of O(n) bits along eachrow/column of the processor array. Depending on details of the communicationhardware, the time for communication might be O((n/q )log q ) (if the binary tree
method is used) or even O(n/q +q ) (if a systolic method is used with pipelining).In the following discussion we assume that the communication time is propor-tional to the number of bits communicated along each row or column, i.e. O(n)per iteration (not the total number of bits communicated per iteration, which isO(nq )).
The overall time for n iterations is
T P ≈ αρn2/P + βn2 , (5)
where the constants α and β depend on the computation and communicationspeeds respectively. (We have omitted the communication “startup” cost sincethis is typically much less than βn2.)
Since the time on a single processor is T 1 ≈ αρn2, the efficiency E P is
E P = T 1P T P
≈ αραρ + βP
and the condition for E P ≥ 1/2 is
αρ ≥ βP .
Typically β/α is large (50 to several hundred) because communication be-tween processors is much slower than computation on a processor. The numberof nonzeros per column, ρ, is typically in the range 30 to 100. Thus, we can notexpect high efficiency.
Fortunately, high efficiency is not crucial. The essential requirements arethat the (distributed) matrix R fits in the local memories of the processors, andthat the time for the linear algebra does not dominate the overall factorisationtime. Because sieving typically takes much longer than linear algebra on a singleprocessor, we have considerable leeway.
For example, consider the factorisation of RSA155 (see Table 1 above). Wehave n ≈ 6.7 × 106, ρ ≈ 62. Thus n2 ≈ 4.5 × 1013. If the communications speedalong each row/column is a few hundred Mb/sec then we expect β to be a smallmultiple of 10−8 seconds. Thus βn2 might be (very roughly) 106 seconds or say 12days. The sieving takes 8000 Mips-years or 20 processor-years if each processorruns at 400 Mips. With P processors this is 20/P years, to be compared with12/365 years for communication. Thus,
sieving time
communication time ≈ 600
P
and the sieving time dominates unless P > 600. For larger problems we expectthe sieving time to grow at least as fast as n2.
8/17/2019 COmputing and Combinatoria
28/489
16 Richard P. Brent
For more typical factorisations performed by MPQS rather than GNFS, thesituation is better. For example, using Arjen Lenstra’s implementation of PP-MPQS in the Magma package, we factored a 102-decimal digit composite c102 (afactor of 14213 − 1) on a 4 × 250 Mhz Sun multiprocessor. The sieving time was11.5 days or about 32 Mips-years. After combining partial relations the matrix Rhad about n = 73000 columns. Thus n2 ≈ 5.3× 109. At 100 Mb/sec it takes lessthan one minute to communicate n2 bits. Thus, although the current Magmaimplementation performs the block Lanczos method on only one processor, thereis no reason why it could not be performed on a network of small machines (e.g. a“Beowulf” cluster) and the communication time on such a network would onlybe a few minutes.
7.3 Reducing Communication Time
If our assumption of a grid/torus topology is not satisfied, then the communi-cation times estimated above may have to be multiplied by a factor of orderq =
√ P . In order to reduce the communication time (without buying better
hardware) it may be worthwhile to perform some steps of Gaussian eliminationbefore switching to Lanczos.
If there are k relations whose largest prime is p, we can perform Gaussianelimination to eliminate this large prime and one of the k relations. (The workcan be done on a single processor if the relations are hashed and stored on pro-
cessors according to the largest prime occurring in them.) Before the eliminationwe expect each of the k relations to contain about ρ nonzeros; after the elim-ination each of the remaining k − 1 relations will have about ρ − 1 additionalnonzeros (assuming no “cancellation”).
From (5), the time for Lanczos is about
T = n(αz/P + βn) ,
where z = ρn is the weight (number of nonzeros) of the matrix R. The effect of eliminating one relation is n
→ n = n
−1, z
→ z = z + (ρ
−1)(k
−1)−
ρ,T → T = n(αz/P + βn) . After some algebra we see that T < T if
k < 2βP
αρ + 3 .
For typical values of β/α ≈ 100 and ρ ≈ 50 this gives the condition k
8/17/2019 COmputing and Combinatoria
29/489
Recent Progress and Prospects for Integer Factorisation Algorithms 17
to go much further, there is an “explosion”, the matrix becomes dense, and theadvantage of the Lanczos method over Gaussian elimination is lost. (It would benice to have a theoretical explanation of this behaviour.)
8 Historical Factoring Records
1960 1970 1980 1990 2000 2010
0
20
40
60
80100
120
140
160 D
Figure 3: Size of “general” number factored versus year
Figure 3 shows the size D (in decimal digits) of the largest “general” numberfactored against the year it was done, from 1964 (20D) to April 2000 (155D)(historical data from [41,44,55]).
8.1 Curve Fitting and Extrapolation
Let D be the number of decimal digits in the largest “general” number fac-tored by a given date. From the theoretical time bound for GNFS, assumingMoore’s law, we expect D1/3 to be roughly a linear function of calendar year (infact D1/3(ln D)2/3 should be linear, but given the other uncertainties we haveassumed for simplicity that (ln D)2/3 is roughly a constant). Figure 4 shows D1/3
versus year Y .
The straight line shown in the Figure 4 is
D1/3 = Y − 1928.6
13.24 or equivalently Y = 13.24D1/3 + 1928.6 ,
and extrapolation, for what it is worth, gives D = 309 (i.e. 1024 bits) in the yearY = 2018.
8/17/2019 COmputing and Combinatoria
30/489
18 Richard P. Brent
1960 1970 1980 1990 2000 2010
2.0
2.5
3.0
3.5
4.0
4.5
5.0
5.5
6.0
6.5 D1/3
Figure 4: D1/3 versus year Y
9 Summary and Conclusions
We have sketched some algorithms for integer factorisation. The most importantare ECM, MPQS and NFS. As well as their inherent interest and applicabilityto other areas of mathematics, advances in public key cryptography have lentthem practical importance.
Despite much progress in the development of efficient algorithms, our knowl-edge of the complexity of factorisation is inadequate. We would like to find apolynomial time factorisation algorithm or else prove that one does not exist.
Until a polynomial time algorithm is found or a quantum computer capableof running Shor’s algorithm [57,58] is built, large factorisations will remain aninteresting challenge.
A survey similar to this one was written in 1990 (see [3]). Comparing theexamples there we see that significant progress has been made. This is partlydue to Moore’s law, partly due to the use of many machines on the Internet,and partly due to improvements in algorithms (especially GNFS). The largestnumber factored by MPQS at the time of writing [3] had 111 decimal digits.According to [16], RSA110 was factored in 1992 (by MPQS). In 1996 GNFS was
used to factor RSA130; in August 1999, RSA155 also fell to GNFS. Progressseems to be accelerating. This is due in large part to algorithmic improvementswhich seem unlikely to be repeated. On the other hand, it is very hard to antic-ipate algorithmic improvements!
8/17/2019 COmputing and Combinatoria
31/489
Recent Progress and Prospects for Integer Factorisation Algorithms 19
From the predicted run time for GNFS, we would expect RSA155 to take6.5 times as long as RSA1405. On the other hand, Moore’s law predicts thatcircuit densities will double every 18 months or so. Thus, as long as Moore’s lawcontinues to apply and results in correspondingly more powerful parallel com-
puters, we expect to get three to four decimal digits per year improvement in thecapabilities of GNFS, without any algorithmic improvements. The extrapolationfrom historical figures is more optimistic: it predicts 6–7 decimal digits per yearin the near future.
Similar arguments apply to ECM, for which we expect slightly more thanone decimal digit per year in the size of factor found [9].
Although we did not discuss them here, the best algorithms for the inte-ger discrete logarithm problem are analogous to NFS, requiring the solution of large, sparse linear systems over finite fields, and similar remarks apply to such
algorithms.Regarding cryptographic consequences, we can say that 512-bit RSA keys
are already insecure. 1024-bit RSA keys should remain secure for at least fifteenyears, barring the unexpected (but unpredictable) discovery of a completelynew algorithm which is better than GNFS, or the development of a practicalquantum computer. In the long term, public key algorithms based on the discretelogarithm problem for elliptic curves appear to be a promising alternative to RSAor algorithms based on the integer discrete logarithm problem.
Acknowledgements
Thanks are due to Peter Montgomery, Brian Murphy, Andrew Odlyzko, JohnPollard, Herman te Riele, Sam Wagstaff, Jr. and Paul Zimmermann for theirassistance.
References
1. D. Atkins, M. Graff, A. K. Lenstra and P. C. Leyland, The magic words aresqueamish ossifrage, Advances in Cryptology: Proc. Asiacrypt’94, LNCS 917,Springer-Verlag, Berlin, 1995, 263–277.
2. H. Boender and H. J. J. te Riele, Factoring integers with large prime variations of the quadratic sieve, Experimental Mathematics, 5 (1996), 257–273.
3. R. P. Brent, Vector and parallel algorithms for integer factorisation, Proceed-ings Third Australian Supercomputer Conference University of Melbourne, Decem-ber 1990, 12 pp. http://www.comlab.ox.ac.uk/oucl/work/richard.brent/pub/pub122.html .
4. R. P. Brent, The LINPACK benchmark on the AP 1000, Proceedings of Fron-tiers ’92 (McLean, Virginia, October 1992), IEEE Press, 1992, 128-135. http://www.comlab.ox.ac.uk/oucl/work/richard.brent/pub/pub130.html
5 It actually took only about 4.0 times as long, thanks to algorithmic improvementssuch as better polynomial selection.
8/17/2019 COmputing and Combinatoria
32/489
20 Richard P. Brent
5. R. P. Brent, Parallel algorithms in linear algebra, Algorithms and Architec-tures: Proc. Second NEC Research Symposium held at Tsukuba, Japan, Au-gust 1991 (edited by T. Ishiguro), SIAM, Philadelphia, 1993, 54-72. http://www.comlab.ox.ac.uk/oucl/work/richard.brent/pub/pub128.html
6. R. P. Brent and P. E. Strazdins, Implementation of the BLAS level 3 and Lin-pack benchmark on the AP 1000, Fujitsu Scientific and Technical Journal 29, 1(March 1993), 61-70. http://www.comlab.ox.ac.uk/oucl/work/richard.brent/pub/pub136.html
7. R. P. Brent, Factorization of the tenth Fermat number, Math. Comp. 68 (1999),429-451. Preliminary version available as Factorization of the tenth and eleventh Fermat numbers, Technical Report TR-CS-96-02, CSL, ANU, Feb. 1996, 25pp.http://www.comlab.ox.ac.uk/oucl/work/richard.brent/pub/pub161.html .
8. R. P. Brent, Some parallel algorithms for integer factorisation Proc. Europar’99 ,Toulouse, Sept. 1999. LNCS 1685, Springer-Verlag, Berlin, 1–22.
9. R. P. Brent, Large factors found by ECM, Oxford University Computing Lab-oratory, March 2000. ftp://ftp.comlab.ox.ac.uk/pub/Documents/techpapers/Richard.Brent/champs.txt .
10. J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman and S. S. Wagstaff, Jr.,Factorisations of bn ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 up to high powers , AmericanMathematical Society, Providence, Rhode Island, second edition, 1988. Updatesavailable from http://www/cs/purdue.edu/homes/ssw/cun/index.html .
11. T. R. Caron and R. D. Silverman, Parallel implementation of the quadratic sieve,J. Supercomputing 1 (1988), 273–290.
12. S. Cavallar, B. Dodson, A. K. Lenstra, P. Leyland, W. Lioen, P. L. Montgomery,B. Murphy, H. te Riele and P. Zimmermann, Factorization of RSA-140 using the number field sieve , announced 4 February 1999. Available from ftp://ftp.cwi.nl/pub/herman/NFSrecords/RSA-140 .
13. S. Cavallar, B. Dodson, A. K. Lenstra, P. Leyland, W. Lioen, P. L. Montgomery,H. te Riele and P. Zimmermann, 211-digit SNFS factorization , announced 25 April1999. Available from ftp://ftp.cwi.nl/pub/herman/NFSrecords/SNFS-211 .
14. D. V. and G. V. Chudnovsky, Sequences of numbers generated by addition informal groups and new primality and factorization tests, Adv. in Appl. Math. 7(1986), 385–434.
15. H. Cohen, A Course in Computational Algebraic Number Theory , Springer-Verlag,Berlin, 1993.
16. S. Contini, The factorization of RSA-140, RSA Laboratories Bulletin 10, 8 (March1999). Available from http://www.rsa.com/rsalabs/html/bulletins.html .
17. D. Coppersmith, A. Odlyzko and R. Schroeppel, Discrete logarithms in GF( p),Algorithmica 1 (1986), 1–15.
18. J. Cowie, B. Dodson, R. M. Elkenbracht-Huizing, A. K. Lenstra, P. L. Montgomeryand J. Zayer, A world wide number field sieve factoring record: on to 512 bits,Advances in Cryptology: Proc. Asiacrypt’96 , LNCS 1163, Springer-Verlag, Berlin,1996, 382–394.
19. R. Crandall and B. Fagin, Discrete weighted transforms and large-integer arith-metic, Math. Comp. 62 (1994), 305–324.
20. D. Deutsch, Quantum theory, the Church-Turing principle and the universal quan-tum computer, Proc. Roy. Soc. London, Ser. A 400 (1985), 97–117.
21. D. Deutsch, Quantum computational networks, Proc. Roy. Soc. London, Ser. A425 (1989), 73–90.
8/17/2019 COmputing and Combinatoria
33/489
Recent Progress and Prospects for Integer Factorisation Algorithms 21
22. M. Elkenbracht-Huizing, A multiple polynomial general number field sieve Algo-rithmic Number Theory – ANTS III , LNCS 1443, Springer-Verlag, Berlin, 1998,99–114.
23. K. F. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory ,
Springer-Verlag, Berlin, 1982.24. D. E. Knuth, The Art of Computer Programming , Vol. 2, Addison Wesley, thirdedition, 1997.
25. B. A. LaMacchia and A. M. Odlyzko, Solving large sparse systems over finite fields,Advances in Cryptology, CRYPTO ’90 (A. J. Menezes and S. A. Vanstone, eds.),LNCS 537, Springer-Verlag, Berlin, 109–133.
26. C. Lanczos, Solution of systems of linear equations by minimized iterations, J. Res.Nat. Bureau of Standards 49 (1952), 33–53.
27. S. Lang, Elliptic Curves – Diophantine Analysis , Springer-Verlag, Berlin, 1978.28. R. S. Lehman, Factoring large integers, Math. Comp. 28 (1974), 637–646.
29. A. K. Lenstra and H. W. Lenstra, Jr. (editors), The development of the numberfield sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.
30. A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse and J. M. Pollard, The number field sieve , Proc. 22nd Annual ACM Conference on Theory of Computing, Balti-more, Maryland, May 1990, 564–572.
31. A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse, and J. M. Pollard, The factor-ization of the ninth Fermat number, Math. Comp. 61 (1993), 319–349.
32. A. K. Lenstra and M. S. Manasse, Factoring by electronic mail, Proc. Eurocrypt ’89 , LNCS 434, Springer-Verlag, Berlin, 1990, 355–371.
33. A. K. Lenstra and M. S. Manasse, Factoring with two large primes, Math. Comp.
63 (1994), 785–798.34. H. W. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics
(2) 126 (1987), 649–673.35. P. L. Montgomery, A survey of modern integer factorization algorithms, CWI Quar-
terly 7 (1994), 337–366. ftp://ftp.cwi.nl/pub/pmontgom/cwisurvey.psl.Z .36. P. L. Montgomery, Square roots of products of algebraic numbers, Mathematics of
Computation 1943 – 1993, Proc. Symp. Appl. Math. 48 (1994), 567–571.37. P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2),
Advances in Cryptology: Proc. Eurocrypt’95 , LNCS 921, Springer-Verlag, Berlin,1995, 106–120. ftp://ftp.cwi.nl/pub/pmontgom/BlockLanczos.psa4.gz .
38. P. L. Montgomery, Parallel block Lanczos , Microsoft Research, Redmond, USA,17 January 2000 (transparencies of a talk presented at RSA 2000).
39. M. A. Morrison and J. Brillhart, A method of factorisation and the factorisationof F 7, Math. Comp. 29 (1975), 183–205.
40. B. A. Murphy, Modelling the yield of number field sieve polynomials, Algorithmic Number Theory – ANTS III , LNCS 1443, Springer-Verlag, Berlin, 1998, 137–150.
41. B. A. Murphy, Polynomial selection for the number field sieve integer factorisation algorithm , Ph. D. thesis, Australian National University, July 1999.
42. B. A. Murphy and R. P. Brent, On quadratic polynomials for the number fieldsieve, Australian Computer Science Communications 20 (1998), 199–213. http://www.comlab.ox.ac.uk/oucl/work/richard.brent/pub/pub178.html .
43. A. M. Odlyzko, Discrete logarithms in finite fields and their cryptographic signif-icance, Advances in Cryptology: Proc. Eurocrypt ’84, LNCS 209, Springer-Verlag,Berlin, 1985, 224–314.
44. A. M. Odlyzko, The future of integer factorization, CryptoBytes 1, 2 (1995), 5–12.Available from http://www.rsa.com/rsalabs/pubs/cryptobytes .
8/17/2019 COmputing and Combinatoria
34/489
22 Richard P. Brent
45. J. M. Pollard, A Monte Carlo method for factorisation, BIT 15 (1975), 331–334.46. C. Pomerance, The quadratic sieve factoring algorithm, Advances in Cryptology,
Proc. Eurocrypt ’84, LNCS 209, Springer-Verlag, Berlin, 1985, 169–182.47. C. Pomerance, The number field sieve, Proceedings of Symposia in Applied Math-
ematics 48
, Amer. Math. Soc., Providence, Rhode Island, 1994, 465–480.48. C. Pomerance, A tale of two sieves, Notices Amer. Math. Soc. 43 (1996), 1473–1485.
49. C. Pomerance, J. W. Smith and R. Tuler, A pipeline architecture for factoring largeintegers with the quadratic sieve algorithm, SIAM J. on Computing 17 (1988),387–403.
50. J. Preskill, Lecture Notes for Physics 229: Quantum Information and Com-putation , California Institute of Technology, Los Angeles, Sept. 1998. http://www.theory.caltech.edu/people/preskill/ph229/ .
51. H. te Riele et al , Factorization of a 512-bits RSA key using the number field sieve ,
announcement of 26 August 1999, http://www.loria.fr/~zimmerma/records/RSA155 .
52. H. J. J. te Riele, W. Lioen and D. Winter, Factoring with the quadratic sieve onlarge vector computers, Belgian J. Comp. Appl. Math. 27 (1989), 267–278.
53. H. Riesel, Prime numbers and computer methods for factorization, 2nd edition,Birkhäuser, Boston, 1994.
54. R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signaturesand public-key cryptosystems, Comm. ACM 21 (1978), 120–126.
55. RSA Laboratories, Information on the RSA challenge, http://www.rsa.com/rsalabs/html/challenges.html .
56. R. S. Schaller, Moore’s law: past, present and future, IEEE Spectrum 34, 6 (June1997), 52–59.
57. P. W. Shor, Algorithms for quantum computation: discrete logarithms and factor-ing, Proc. 35th Annual Symposium on Foundations of Computer Science, IEEEComputer Society Press, Los Alamitos, California, 1994, 124–134. CMP 98:06
58. P. W. Shor, Polynomial time algorithms for prime factorization and discrete loga-rithms on a quantum computer, SIAM J. Computing 26 (1997), 1484–1509.
59. R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987),329–339.
60. U. Vazirani, Introduction to special section on quantum computation, SIAM J.
Computing 26 (1997), 1409–1410.61. D. H. Wiedemann, Solving sparse linear equations over finite fields, IEEE Trans.
Inform. Theory 32 (1986), 54–62.62. J. Zayer, Faktorisieren mit dem Number Field Sieve , Ph. D. thesis, Universität des
Saarlandes, 1995.63. P. Zimmermann, The ECMNET Project , http://www.loria.fr/~zimmerma/
records/ecmnet.html.
8/17/2019 COmputing and Combinatoria
35/489
Approximating Uniform Triangular Meshes in
Polygons
Franz Aurenhammer1, Naoki Katoh2 and Hiromichi Kojima2, Makoto Ohsaki2,and Yinfeng Xu3
1 Institute for Theoretical Computer Science, Graz University of TechnologyKlosterwiesgasse 32/2, A-8010 Graz, Austria,
[email protected] Department of Architecture and Architectural Systems, Kyoto University
Yoshida-Honmachi, Sakyo-ku, Kyoto, 606-8501 Japan{naoki,kojima,ohsaki}@is-mj.archi.kyoto-u.ac.jp3
School of Management, Xi’an Jiaotong UniversityXi’an, 710049 P.R.China,[email protected]
1 Introduction
Given a convex polygon P in the plane and a positive integer n, we considerthe problem of generating a length-uniform triangular mesh for the interior of
P using n Steiner points. More specifically, we want to find both a set S n of npoints inside P , and a triangulation of P using S n, with respect to the followingminimization criteria: (1) ratio of the maximum edge length to the minimumone, (2) maximum edge length, and (3) maximum triangle perimeter.
These problems can be formalized as follows: Let V be the set of vertices of P . For an n-point set S n interior to P let T (S n) denote the set of all possibletriangulations of S n ∪ V . Further, let l(e) denote the (Euclidean) length of edgee, and let peri(∆) be the perimeter of triangle ∆.
Problem 1 minS n⊂P minT ∈T (S n) maxe,f ∈T l(e)l(f )
Problem 2 minS n⊂P minT ∈T (S n) maxe∈T l(e)
Problem 3 minS n⊂P minT ∈T (S n) max∆∈T peri(∆)
Finding an optimal solution for any of the three problems seems to be diffi-cult, in view of the NP-completeness of packing problems in the plane, see e.g.Johnson [10], or in view of the intrinsic complexity of Heilbronn’s triangle prob-lem, see [14]. For the case of a fixed point set, minimizing the maximum edge
length is known to be solvable in O(n2
) time; see Edelsbrunner and Tan [7].Nooshin et al. [12] developed a potential-based heuristic method for Problem 2,but did not give a theoretical guarantee for the obtained solution.
In this paper, we offer an O(n2 log n) heuristic capable of producing con-stant approximations for any of the three problems stated above. Respectiveapproximation factors of 6, 4
√ 3, and 6
√ 3 are proven, provided n is reasonably
D.-Z. Du et al. (Eds.): COCOON 2000, LNCS 1858, pp. 23–33, 2000.c Springer-Verlag Berlin Heidelberg 2000
8/17/2019 COmputing and Combinatoria
36/489
24 Franz Aurenhammer et al.
large. Our experiments reveal a much better behaviour, concerning the qualityas well as the runtime. With minor modifications, our method works for arbi-trary polygons (with possible holes), and yields the same approximation resultfor Problem 1. Concerning Problems 2 and 3, the approximation factors above
can be guaranteed for a restricted class of non-convex polygons.We first develop a heuristic we called canonical Voronoi insertion which
approximately solves a certain extreme packing problem for point sets within P .The method is similar to the one used in Gonzalez [9] and Feder and Greene [8]developed for clustering problems. We then show how to modify the heuristic,in order to produce a set of n points whose Delaunay triangulation within P constitutes a constant approximation for the problems stated above. Note thatthe solution we construct is neccessarily a triangulation of constant vertex degree.
Generating triangular meshes is one of the fundamental problems in compu-
tational geometry, and has been extensively studied; see e.g. the survey articleby Bern and Eppstein [3]. Main fields of applications are finite element meth-ods and computer aided design. In finite element methods, for example, it isdesirable to generate triangulations that do not have too large or too small an-gles. Along this direction, various algorithms have been reported [4,11,6,2,5,15].Restricting angles means bounding the edge length ratio for the individual trian-gles, but not necessarily for a triangulation in global, which might be desirablein some applications. That is, the produced triangulation need not be uniformconcerning, e.g., the edge length ratio of its triangles. Chew [6] and Melisseratos
and Souvaine [11] construct uniform triangular meshes in the weaker sense thatonly upper bounds on the triangle size are required. To the knowledge of theauthors, the problems dealt with in this paper have not been studied in the fieldof computational geometry. The mesh refinement algorithms in Chew [6] and inRuppert [15] are similar in spirit to our Voronoi insertion method, but do notproceed in a canonical way and aim at different optimality criteria.
A particular application of length-uniform triangulation arises in designingstructures such as plane trusses with triangular units, where it is required to de-termine the shape from aesthetic points of view under the constraints concerning
stress and nodal displacement. The plane truss can be viewed as a triangulationof points in the plane by regarding truss members and nodes as edges and points,respectively. When focusing on the shape, edge lengths should be as equal as pos-sible from the viewpoint of design, mechanics and manufacturing; see [12,13]. Insuch applications, the locations of the points are usually not fixed, but can beviewed as decision variables. In view of this application field, it is quite naturalto consider Problems 1, 2, and 3.
The following notation will be used throughout. For two points x and y inthe plane, let l(x, y) denote their Euclidean distance. The minimum (non-zero)
distance between two point sets X and Y is defined as l(X, Y ) = min{l(x, y) |x ∈ X, y ∈ Y, x = y}. When X is a singleton set {x} we simply write l(X, Y ) asl(x, Y ). Note that l(X, X ) defines the minimum interpoint distance among thepoint set X .
8/17/2019 COmputing and Combinatoria
37/489
Approximating Uniform Triangular Meshes in Polygons 25
2 Canonical Voronoi Insertion and Extreme Packing
In this section, we consider the following extreme packing problem . Let P be a(closed) convex polygon with vertex set V .
Maximize l(V ∪ S n, V ∪ S n)subject to a set S n of n points within P .
We shall give a 2-approximation algorithm for this problem using canonical Voronoi insertion . In Section 3 we then show that the point set S n produced bythis algorithm, as well as the Delaunay triangulation induced by S n within P ,can be modified to give an approximate solution for the three problems addressedin Section 1.
The algorithm determines the location of the point set S n in a greedy manner.Namely, starting with an empty set S , it repeatedly places a new point inside P at the position which is farthest from the set V ∪ S . The idea of the algorithmoriginates with Gonzalez [9] and Feder and Greene [8], and was developed forapproximating minimax k-clusterings. Comparable insertion strategies are alsoused for mesh generation in Chew [6] and in Ruppert [15], there called Delaunay refinement . Their strategies aim at different quality measures, however, andinsertion does not take place in a canonical manner.
The algorithm uses the Voronoi diagram of the current point set to selectthe next point to be inserted. We assume familiarity with the basic propertiesof a Voronoi diagram and its dual, the Delaunay triangulation, and refer to thesurvey paper [1].
Algorithm INSERT
Step 1: Initialize S := ∅.Step 2: Compute the Voronoi diagram Vor(V ∪ S ) of V ∪ S .Step 3: Find the set B of intersection points between edges of Vor(V ∪ S ) andthe boundary of P . Among the points in B and the vertices of Vor(V ∪S ) insideP , choose the point u which maximizes l(u, V
∪S ).
Step 4: Put S := S ∪ {u} and return to Step 2 if |S | < n.Let pj and S j , respectively, denote the point chosen in Step 3 and the set
obtained in Step 4 at the j-th iteration of the algorithm. For an arbitrary pointx ∈ P define the weight of x with respect to S j as wj(x) = l(x, S j ∪ V ). That is,wj(x) is the radius of the largest circle centered at x which does not enclose anypoint from S j ∪ V . By definition of a Voronoi diagram, the point pj maximizeswj−1(x) over all x ∈ P . Let
dn = l(S n ∪
V, S n ∪
V ) (1)
be the minimum interpoint distance realized by S n ∪ V . Furthermore, denote byS ∗n the optimal solution for the extreme packing problem for P and let d
∗n denote
the corresponding objective value. The following approximation result might beof interest in its own right. Its proof is an adaptation of techniques in [9,8] andcontains observations that will be used in our further analysis.
8/17/2019 COmputing and Combinatoria
38/489
26 Franz Aurenhammer et al.
Theorem 1. The solution S n obtained by Algorithm INSERT is a 2-approxi-mation of the extreme packing problem for P . That is, dn ≥ d∗n/2.
Proof. We claim that pn realizes the minimum (non-zero) distance from S n to
S n ∪ V . Equivalently, the claim iswn−1( pn) = l(S n, S n ∪ V ). (2)
To see this, assume that the minimum distance is realized by points pk and pj different from pn. Let pk be inserted after pj by the algorithm. Then weget wk−1( pk) ≤ l( pk, pj) < l( pn, S n−1 ∪ V ) = wn−1( pn). On the other hand,the sequence of weights chosen by the algorithm must be non-increasing. Moreexactly, wk−1( pk) ≥ wk−1( pn) ≥ wn−1( pn). This is a contradiction.
The observations dn = min{l(S n, S n ∪ V ), l(V, V )} and l(V, V ) ≥ d∗n ≥ dnnow imply dn = min{wn−1( pn), d∗n} by (2). But pn maximizes wn−1(x) for allx ∈ P . So the lemma below (whose proof is omitted) completes the argument.
Lemma 1. For any set S ⊂ P of n − 1 points there exists a point x ∈ P with l(x, S ∪ V ) ≥ d∗n/2.
3 Delaunay Triangulation of Bounded Edge Ratio
Our aim is to show that Algorithm INSERT is capable of producing a pointset appropriate for Problems 1, 2, and 3. To this end, we first investigate theDelaunay triangulation DT(S n ∪ V ) of S n ∪ V . This triangulation is implicitlyconstructed by the algorithm, as being the dual structure of Vor(S n ∪ V ). How-ever, DT(S n ∪ V ) need not exhibit good edge length properties. We thereforeprescribe the placement of the first k inserted points, and show that AlgorithmINSERT completes them to a set of n points whose Delaunay triangulation has
its edge lengths controlled by the minimum interpoint distance dn for S n ∪ V .3.1 Triangle types. For 1 ≤ j ≤ n, consider the triangulation DT(S j ∪ V ).Let us classify a triangles ∆ of DT(S j ∪ V ) as either critical or non-critical ,depending on whether the Voronoi vertex dual to ∆ (i.e., the circumcenter of ∆) lies outside of the polygon P or not. Whereas edges of critical triangles canbe arbitrarily long, edge lengths are bounded in non-critical triangles.
Lemma 2. No edge e of a non-critical triangle ∆ of DT( S j ∪ V ) is longer than 2 · wj−1( pj).Proof. Let e = ( p, q ) and denote with x the Voronoi vertex dual to ∆. As xlies inside of P , we get l(x, p) = l(x, q ) = wj−1(x) ≤ wj−1( pj), by the choice of point pj in Step 3 of Algorithm INSERT. The triangle inequality now impliesl( p, q ) ≤ 2 · wj−1( pj).
8/17/2019 COmputing and Combinatoria
39/489
Approximating Uniform Triangular Meshes in Polygons 27
We make an observation on critical triangles. Consider some edge e of DT(S j∪V )on the boundary of P . Edge e cuts off some part of the diagram Vor(S j ∪ V )that is outside of P . If that part contains Voronoi vertices then we define thecritical region , R(e), for e as the union of all the (critical) triangles that are dual
to these vertices. Notice that each critical triangle of DT(S j ∪ V ) belongs to aunique critical region.
Lemma 3. No edge f of a critical triangle in R(e) is longer than l(e).
Proof. Let p be an endpoint of f . Then the region of p in Vor(S j ∪ V ) intersectse. Let x be a point in this region but outside of P . There is a circle around xthat encloses p but does not enclose any endpoint of e. Within P , this circle iscompletely covered by the circle C with diameter e. This implies that p lies in C .As the distance between any two points in C is at most l(e), we get l(f )
≤ l(e).
Let us further distinguish between interior triangles and non-interior ones, theformer type having no two endpoints on the boundary of P . The shortest edgeof an interior triangle can be bounded as follows.
Lemma 4. Each edge e of an interior triangle ∆ of DT( S j ∪ V ) has a length of at least wj−1( pj).
Proof. We have l(e) ≥ l(S j, S j ∪ V ), because ∆ has no two endpoints on P ’sboundary. But from (2) we know l(S j , S j ∪ V ) = wj−1( pj).3.2 Edge length bounds. We are now ready to show how a triangulationwith edge lengths related to dn can be computed. First, Algorithm INSERT is runon P , in order to compute the value dn. We assume than n is chosen sufficientlylarge to assure dn ≤ l(V, V )/2. This assumption is not unnatural as the shortestedge of the desired triangulation cannot be longer than the shortest edge of P .After having dn available, k points p1, . . . , p
k are placed on the boundary of P ,
with consecutive distances between 2 · dn and 3 · dn, and such that l(V , V ) ≥dn holds, for V
= V ∪ {
p1, . . . , pk
}. Notice that such a placement is always
possible. Finally, n−k additional points pk+1, . . . , pn are produced by re-runningAlgorithm INSERT after this placement.
For 1 ≤ j ≤ n, let S j = { p1, . . . , pj}. Define w(x) = l(x, S n ∪ V ) for a pointx ∈ P . The value of w( pn) will turn out to be crucial for analyzing the edgelength behavior of the triangulation DT(S n ∪ V ). The lemma below asserts thatw( pn) is small if n exceeds twice the number k of prescribed points.
Lemma 5. Suppose n ≥ 2k. Then w( pn) ≤ 3 · dn.
Proof. The point set S n produced by Algorithm INSERT in the first run is largeenough to ensure dn < l(V, V ). So we get dn = wn−1( pn) from (2). As point pnmaximizes wn−1(x) for all x ∈ P , the n + |V | circles centered at the points inS n ∪ V and with radii dn completely cover the polygon P . Let dn = 1 for themoment. Then
A(P ) ≤ π(n + |V |) − A (3)
8/17/2019 COmputing and Combinatoria
40/489
28 Franz Aurenhammer et al.
where A(P ) is the area of P , and A denotes the area outside of P which iscovered by the circles centered at V .
Assume now w( pn) > 3 ·dn. Draw a circle with radius 32 dn around each pointin S n \ S k. Since w( pn) = l(S n \ S k, S n ∪ V ) by (2), these circles are pairwisedisjoint. By the same reason, and because boundary distances defined by V =V ∪S k are at most 3·dn, these circles all lie completely inside P . Obviously, thesecircles are also disjoint from the |V | circles of radius dn centered at V . Finally,the latter circles are pairwise disjoint, since dn ≤ l(V, V )/2. Consequently,
A(P ) ≥ 94
π(n − k) + A (4)
where A denotes the area inside of P which is covered by the circles centered atV . Combining (3) and (4), and observing A + A = π
· |V
| now implies n
8/17/2019 COmputing and Combinatoria
41/489
Approximating Uniform Triangular Meshes in Polygons 29
Case 2: w( pn) ≥ dn. The upper bound 2 ·w( pn) for non-critical triangles nowgives l(e) ≤ 6 ·dn, due to Lemmas 5 and 6. The lower bound for interior trianglesbecomes l(e) ≥ w( pn) ≥ dn. The remaining two bounds are the same as in theformer case.
3.3 Computational issues. The time complexity of computing the trian-gulation T + is dominated by Steps 2 and 3 of Algorithm INSERT. In the veryfirst iteration of the algorithm, both steps can be accomplished in O(|V | log |V |)time. In each further iteration j we update the current Voronoi diagram underthe insertion of a new point pj in Step 2, as well as a set of weights for theVoronoi vertices and relevant polygon boundary points in Step 3.
Since we already know the location of the new point pj in the current Voronoidiagram, the region of pj can be integrated in time proportional to the degree
of pj in the corresponding Delaunay triangulation, deg( pj). We then need tocalculate, insert, and delete O(deg( pj)) weights, and then select the largest onein the next iteration. This gives a runtime of O(deg( pj) · log n) per iteration.
The following lemma bounds the number of constructed triangles, of a certaintype. Let us call a triangle good if it is both interior and non-critical.
Lemma 7. The insertion of each point pj creates only a constant number of good triangles.
Proof. Consider the endpoints of all good triangles incident to pj in DT(S j ∪V ), and let X be the set of all such endpoints interior to P . Then l(X, X ) ≥
l(S j , S j) ≥ wj−1( pj), due to (2). On the other hand, b