Solving the Pell Equation

H. W. Lenstra Jr.
182 NOTICES OF THE AMS VOLUME 49, NUMBER 2
Pells Equation
The Pell equation is the equation
x
2
= dy
2
+ 1,
to be solved in positive integers x, y for a given
nonzero integer d. For example, for d = 5 one can
take x = 9, y = 4. We shall always assume that d is
positive but not a square, since otherwise there are
clearly no solutions.
The English mathematician John Pell (1610
1685) has nothing to do with the equation. Euler
(17071783) mistakenly attributed to Pell a solu-
tion method that had in fact been found by another
English mathematician, William Brouncker
(16201684), in response to a challenge by Fermat
(16011665); but attempts to change the termi-
nology introduced by Euler have always proved
futile.
Pells equation has an extraordinarily rich history,
to which Weils book [13] is the best guide; see also
[3, Chap. XII]. Brounckers method is in substance
identical to a method that was known to Indian
mathematicians at least six centuries earlier. As
we shall see, the equation also occurred in Greek
mathematics, but no convincing evidence that the
Greeks could solve the equation has ever emerged.
A particularly lucid exposition of the Indian
or English method of solving the Pell equation is
found in Eulers Algebra [4, Abschn. 2, Cap. 7].
Modern textbooks usually give a formulation in
terms of continued fractions, which is also due to
Euler (see for example [9, Chap. 7]). Euler, as well
as his Indian and English predecessors, appears to
take it for granted that the method always produces
a solution. That is true, but it is not obviousall
that is obvious is that if there is a solution, the
method will find one. Fermat was probably in pos-
session of a proof that there is a solution for every
d (see [13, Chap. II, XIII]), and the first to publish
such a proof was Lagrange (17361813) in 1768 (see
Figure 1).
One may rewrite Pells equation as
(x + y
_
d ) (x y
_
d ) = 1,
so that finding a solution comes down to finding
a nontrivial unit of the ring Z[

d] of norm 1; here
the norm Z[

d]

= {1} between unit

groups multiplies each unit by its conjugate, and
the units 1 of Z[

d] are considered trivial. This

reformulation implies that once one knows a so-
lution to Pells equation, one can find infinitely
many. More precisely, if the solutions are ordered
by magnitude, then the nth solution x
n
, y
n
can be
expressed in terms of the first one, x
1
, y
1
, by
x
n
+ y
n
_
d = (x
1
+ y
1
_
d )
n
.
Accordingly, the first solution x
1
, y
1
is called the
fundamental solution to the Pell equation, and
solving the Pell equation means finding x
1
, y
1
for
given d. By abuse of language, we shall also refer
to x + y

d instead of the pair x, y as a solution to

H. W. Lenstra Jr. is professor of mathematics at the Uni-
versity of California, Berkeley, and at the Mathematisch
Instituut, Universiteit Leiden, The Netherlands. His e-mail
addresses are: [email protected] and hwl@math.
leidenuniv.nl.
FEBRUARY 2002 NOTICES OF THE AMS 183
Pells equation and call x
1
+ y
1

d the fundamen-
tal solution.
One may view the solvability of Pells equation
as a special case of Dirichlets unit theorem from
algebraic number theory, which describes the
structure of the group of units of a general ring of
algebraic integers; for the ring Z[

d], it is the prod-

uct of {1} and an infinite cyclic group.
As an example, consider d = 14. One has
_
14 = 3 +
1
1 +
1
2 +
1
1 +
1
3 +
_
14
,
so the continued fraction expansion of 3 +

14 is
purely periodic with period length 4. Truncating the
expansion at the end of the first period, one finds
that the fraction
3 +
1
1 +
1
2 +
1
1
1
=
15
4
is a fair approximation to

14. The numerator

and denominator of this fraction yield the funda-
mental solution x
1
= 15, y
1
= 4; indeed one has
15
2
= 14 4
2
+ 1. Furthermore, one computes
(15 + 4

14)
2
= 449 + 120

14, so x
2
= 449, y
2
=
120; and so on. One finds:
n x
n
y
n
1 15 4
2 449 120
3 13455 3596
4 403201 107760
5 12082575 3229204
6 362074049 96768360
The shape of the table reflects the exponential
growth of x
n
and y
n
with n.
For general d, the continued fraction expansion
of [

d] +

d is again purely periodic, and the period

displays a symmetry similar to the one visible for
d = 14. If the period length is even, one proceeds as
above; if the period length is odd, one truncates at
the end of the second period.
The cattle problem
An interesting example of the Pell equation, both
from a computational and from a historical per-
spective, is furnished by the cattle problem of
Archimedes (287212 B.C.). A manuscript con-
taining this problem was discovered by Lessing
(17291781) in the Wolffenbttel library, and
published by him in 1773 (see Figure 2). It is now
generally credited to Archimedes (see [5, 13]). In
twenty-two Greek elegiac distichs, the problem
asks for the number of white, black, dappled, and
brown bulls and cows belonging to the Sun god,
subject to several arithmetical restrictions. A ver-
sion in English heroic couplets, taken from [1], is
shown in Figure 3. In modern mathematical nota-
tion the problem is no less elegant. Writing x, y,
z, t for the numbers of white, black, dappled, and
brown bulls, respectively, one reads in lines 816
the restrictions
Figures 1 and 2.
Title pages of two
publications from
1773. The first (far
left) contains
Lagranges proof of
the solvability of
Pells equation,
already written and
submitted in 1768.
The second
contains Lessings
discovery of the
cattle problem of
Archimedes.
184 NOTICES OF THE AMS VOLUME 49, NUMBER 2
x = (
1
2
+
1
3
)y + t,
y = (
1
4
+
1
5
)z + t,
z = (
1
6
+
1
7
)x + t.
Next, for the numbers x

, y

, z

, t

of cows of the
same respective colors, the poet requires in lines
1726
x

= (
1
3
+
1
4
)(y + y

),
y

= (
1
4
+
1
5
)(z + z

),
z

= (
1
5
+
1
6
)(t + t

),
t

= (
1
6
+
1
7
)(x + x

).
Whoever can solve the problem thus far is called
merely competent by Archimedes; to win the prize
for supreme wisdom, one should also meet the
conditions formulated in lines 3340 that x + y be
a square and that z + t be a triangular number.
The first part of the problem is just linear algebra,
and there is indeed a solution in positive integers.
The general solution to the first three equations is
given by (x, y, z, t) = m (2226, 1602, 1580, 891),
where m is a positive integer. The next four equa-
tions turn out to be solvable if and only if mis divisible
by 4657; with m= 4657 k one has (x

, y

, z

, t

)
= k (7206360, 4893246, 3515820, 5439213) .
The true challenge is now to choose k such that
x + y = 4657 3828 k is a square and z + t
= 46572471 k is a triangular number. From the
prime factorization 4657 3828 = 2
2
3 11
29 4657 one sees that the first condition is equiv-
alent to k = al
2
, where a = 3 11 29 4657 and l
is an integer. Since z + t is a triangular number if
and only if 8(z + t) + 1 is a square, we are led to the
equation h
2
= 8(z + t) +1= 8 4657 2471 al
2
+1,
which is the Pell equation h
2
= dl
2
+ 1 for
d = 2 3 7 11 29 353 (2 4657)
2
= 410286423278424.
Thus, by Lagranges theorem, the cattle problem
admits infinitely many solutions.
In 1867 the otherwise unknown German math-
ematician C. F. Meyer set out to solve the equation
by the continued fraction method [3, p. 344]. After
240 steps in the continued fraction expansion for

d he had still not detected the period, and he gave

up. He may have been a little impatient; it was
later discovered that the period length equals
203254. The first to solve the cattle problem in a
satisfactory way was A. Amthor in 1880 (see [6]).
Amthor did not directly apply the continued frac-
tion method; what he did do we shall discuss below.
Nor did he spell out the decimal digits of the
fundamental solution to the Pell equation or the
corresponding solution of the cattle problem. He
did show that, in the smallest solution to the
cattle problem, the total number of cattle is given
by a number of 206545 digits; of the four leading
digits 7766 that he gave, the fourth was wrong,
due to the use of insufficiently precise logarithms.
Figure 3. Problem that Archimedes conceived in verse and
posed to the specialists at Alexandria in a letter to
Eratosthenes of Cyrene.
The Sun god's cattle, friend, apply thy care
to count their number, hast thou wisdom's share.
They grazed of old on the Thrinacian floor
of Sic'ly's island, herded into four,
colour by colour: one herd white as cream,
the next in coats glowing with ebon gleam,
brown-skinned the third, and stained with spots the last.
Each herd saw bulls in power unsurpassed,
in ratios these: count half the ebon-hued,
add one third more, then all the brown include;
thus, friend, canst thou the white bulls' number tell.
The ebon did the brown exceed as well,
now by a fourth and fifth part of the stained.
To know the spottedall bulls that remained
reckon again the brown bulls, and unite
these with a sixth and seventh of the white.
Among the cows, the tale of silver-haired
was, when with bulls and cows of black compared,
exactly one in three plus one in four.
The black cows counted one in four once more,
plus now a fifth, of the bespeckled breed
when, bulls withal, they wandered out to feed.
The speckled cows tallied a fifth and sixth
of all the brown-haired, males and females mixed.
Lastly, the brown cows numbered half a third
and one in seven of the silver herd.
Tell'st thou unfailingly how many head
the Sun possessed, o friend, both bulls well-fed
and cows of ev'ry colourno-one will
deny that thou hast numbers' art and skill,
though not yet dost thou rank among the wise.
But come! also the foll'wing recognise.
Whene'er the Sun god's white bulls joined the black,
their multitude would gather in a pack
of equal length and breadth, and squarely throng
Thrinacia's territory broad and long.
But when the brown bulls mingled with the flecked,
in rows growing from one would they collect,
forming a perfect triangle, with ne'er
a diff'rent-coloured bull, and none to spare.
Friend, canst thou analyse this in thy mind,
and of these masses all the measures find,
go forth in glory! be assured all deem
thy wisdom in this discipline supreme!
FEBRUARY 2002 NOTICES OF THE AMS 185
The full number occupies forty-seven pages of
computer printout, reproduced in reduced size on
twelve pages of the Journal of Recreational Math-
ematics [8]. In abbreviated form, it reads
77602714. . . 237983357. . . 55081800,
each of the six dots representing 34420 omitted
digits.
Several nineteenth century German scholars
were worried that so many bulls and cows might
not fit on the island of Sicily, contradicting lines 3
and 4 of the poem; but, as Lessing remarked, the
Sun god, to whom the cattle belonged, will have
coped with it.
The story of the cattle problem demonstrates
that the continued fraction method is not the last
word on the Pell equation.
Efficiency
We are interested in the efficiency of solution meth-
ods for the Pell equation. Thus, how much time does
a given algorithm for solving the Pell equation
take? Here time is to be measured in a realistic way,
which reflects, for example, that large positive in-
tegers are more time-consuming to operate with
than small ones; technically, one counts bit oper-
ations. The input to the algorithm is d, and the run-
ning time estimates are accordingly expressed as
functions of d. If one supposes that d is specified
in binary or in decimal, then the length of the input
is approximately proportional to log d. An algo-
rithm is said to run in polynomial time if there is
a positive real number c
0
such that for all d the run-
ning time is at most (1 + log d)
c
0
, in other words, if
the time that it takes the algorithm to solve the Pell
equation is not much greater than the time re-
quired to write down the equation.
How fast is the continued fraction method? Can
the Pell equation be solved in polynomial time? The
central quantity that one needs to consider in order
to answer such questions is the regulator R
d
, which
is defined by
R
d
= log(x
1
+ y
1
_
d ),
where x
1
+ y
1

d denotes, as before, the funda-

mental solution to Pells equation. The regulator
coincides with what in algebraic number theory
would be called the regulator of the kernel of
the norm map Z[

d]

. From x
1
y
1

d =
1/(x
1
+ y
1

d ) one deduces that 0 < x

1
y
1

d
< 1/(2

d ), and combining this with x

1
+ y
1

d
= e
R
d
, one finds that
e
R
d
2
< x
1
<
e
R
d
2
+
1
4

d
,
e
R
d
2

d

1
4d
< y
1
<
e
R
d
2

d
.
This shows that R
d
is very close to log(2x
1
) and to
log(2y
1

d ). That is, if x
1
and y
1
are to be repre-
sented in binary or in decimal, then R
d
is approx-
imately proportional to the length of the output of
any algorithm solving the Pell equation. Since the
time required for spelling out the output is a lower
bound for the total running time, we may con-
clude: there exists c
1
such that any algorithm for
solving the Pell equation takes time at least c
1
R
d
.
Here c
1
denotes, just as do c
2
, c
3
, below, a pos-
itive real number that does not depend on d.
The continued fraction method almost meets
this lower bound. Let l be the period length of the
continued fraction expansion of [

d] +

d if that
length is even and twice that length if it is odd. Then
one has
log 2
2
l < R
d
<
log(4d)
2
l
(see [7, eq. (11.4)]); so R
d
and l are approximately
proportional. Using this, one estimates easily that
the time taken by a straightforward implementa-
tion of the continued fraction method is at most
R
2
d
(1 + log d)
c
2
for suitable c
2
; and a more refined
implementation, which depends on the fast Fourier
transform, reduces this to R
d
(1 + log d)
c
3
for suit-
able c
3
. We conclude that the latter version of the
continued fraction method is optimal, apart from
a logarithmic factor.
In view of these results it is natural to ask how
the regulator grows as a function of d. It turns out
that it fluctuates wildly. One has
log(2
_
d ) < R
d
<
_
d (log(4d) + 2),
the lower bound because of the inequality
y
1
< e
R
d
/(2

d ) above and the upper bound by a

theorem of Hua. The gap between the two bounds
is very large, but it cannot be helped: if d ranges
over numbers of the form k
2
1, for which one has
x
1
= k and y
1
= 1, then R
d
log(2

d ) tends to 0;
and one can show that there exist an infinite set D
of ds and a constant c
4
such that all d D have
R
d
= c
4

d. In fact, if d
0
, d
1
are integers greater
than 1 and d
0
is not a square, then there exists
a positive integer m= m(d
0
, d
1
) such that D =
{d
0
d
2n
1
: n Z, n m} has this property for some
c
4
= c
4
(d
0
, d
1
) .
It is believed that for most d the upper bound
is closer to the truth. More precisely, a folklore con-
jecture asserts that there is a set D of nonsquare
positive integers that has density 1 in the sense that
lim
x
#{d D : d x}/x = 1, and that satisfies
lim
dD
log R
d
log

d
= 1.
This conjecture, however, is wide open. The same
is true for the much weaker conjecture that
186 NOTICES OF THE AMS VOLUME 49, NUMBER 2
limsup
d
(log R
d
)/ log

d, with d ranging over the

squarefree integers > 1, is positive.
If the folklore conjecture is true, then for most
d the factor R
d
entering the running time is about

d, which is an exponential function of the length

log d of the input.
Combining the results above, one concludes
that the continued fraction method takes time at
most

d (1 + log d)
c
5
; that conjecturally it is ex-
ponentially slow for most values of d; and that any
method for solving the Pell equation that spells out
x
1
and y
1
in full is exponentially slow for infinitely
many d, and will therefore fail to run in polyno-
mial time.
If we want to improve upon the continued frac-
tion method, then we need a way of representing
x
1
and y
1
that is more compact than the decimal
or binary notation.
Amthors solution
Amthors solution to the cattle problem depended
on the observation that the number d =
410286423278424 can be written as
(2 4657)
2
d

, where d

= 4729494 is squarefree.
Hence, if x, y solves the Pell equation for d, then
x, 2 4657 y solves the Pell equation for d

and
will therefore for some n be equal to the nth so-
lution x

n
, y

n
(say) of that equation:
x + 2 4657 y
_
d

= (x

1
+ y

1
_
d

)
n
.
This reduces the cattle problem to two easier
problems: first, solving the Pell equation for d

; and
second, finding the least value of n for which y

n
is
divisible by 2 4657.
Since d

is much smaller than d, Amthor could

use the continued fraction algorithm for d

. In a
computation that could be summarized in three
pages (see [6]), he found the period length to be 92
and x

1
+ y

to be given by
In order to save space, one can write
u =
_
300426607914281713365
_
609
+ 84129507677858393258
_
7766
_
2
.
This is derived from the identity x + y

d =
_
_
(x 1)/2 +
_
(x + 1)/2
_
2
, which holds whenever
x
2
= dy
2
+ 1. The regulator is found to be R
d

.
=
102.101583.
In order to determine the least feasible value for
n, Amthor developed a little theory, which one
would nowadays cast in the language of finite fields
and rings. Using that p = 4657 is a prime number
for which the Legendre symbol
_
d

p
_
equals 1, he
deduced from his theory that the least value for n
divides p + 1 = 4658; had he been a little more care-
ful, he would have found that it must divide
(p + 1)/2 = 2329 = 17 137. In any case, trying a
few divisors, one discovers that the least value
for n is actually equal to 2329. One has R
d
=
2329 R
d

.
= 237794.586710.
The conclusion is that the fundamental solution
to the Pell equation for d itself is given by
x
1
+ y
1

d = u
2329
, with u as just defined. Amthor
failed to put everything together, but I did this for
the convenience of the reader in Figure 4: for the
first time in history, all infinitely many solutions to
the cattle problem are displayed in a handy little
table! It does, naturally, not contain the full decimal
expansion of any of the numbers asked for, but what
it does contain should be considered more enlight-
ening. For example, it enables the reader not only
to verify easily that the total number of cattle in
the smallest solution has 206545 decimal digits
and equals 77602714. . . 55081800, but also to dis-
cover that the number of dappled bulls in the
1494195300th solution equals 111111. . . 000000,
a number of 308619694367813 digits. (Finding the
middle digits is probably much harder.) Archimedes
had an interest in the representation of large
numbers, and there is little doubt that the solution
in Figure 4 would have pleased and satisfied him.
Power products
Suppose one wishes to solve the Pell equation
x
2
= dy
2
+ 1 for a given value of d. From Amthors
approach to the cattle problem we learn that for
two reasons it may be wise to find the smallest
divisor d

of d for which d/d

is a square: it
saves time when performing the continued fraction
algorithm, and it saves both time and space when
expressing the final answer. There is no known
algorithm for finding d

from d that is essentially

faster than factoring d. In addition, if we want
to determine which power of the fundamental
solution for d

yields the fundamental solution

for dthat is, the number n from the previous
sectionwe also need to know the prime factor-
ization of
_
d/d

, as well as the prime factorization

of p
_
d

p
_
for each prime p dividing
_
d/d

. Thus,
if one wants to solve the Pell equation, one may as
well start by factoring d. Known factoring algo-
rithms may not be very fast for large d, but for most
values of d they are still expected to be orders of
magnitudes faster than any known method for
solving the Pell equation.
Let it now be assumed that d is squarefree, and
write x
1
+ y
1

d for the fundamental solution of the

Pell equation, which is a unit of Z[

d]. Then
x
1
+ y
1

d may still be a proper power in the field

Q(

d ) of fractions of Z[

d]. For example, the least

d with y
1
> 6 is d = 13, for which one has x
1
= 649,
y
1
= 180, and
u = 109931986732829734979866232821433543901088049
+ 50549485234315033074477819735540408986340
_
d

.
FEBRUARY 2002 NOTICES OF THE AMS 187
649 + 180
_
13 =
_
3 +

13
2
_
6
.
Also in the case d = 109, which Fermat posed as a
challenge problem in 1657, the fundamental solu-
tion is a sixth power:
158070671986249 + 15140424455100
_
109
=
_
261 + 25

109
2
_
6
.
However, this is as far as it goes: it is an elemen-
tary exercise in algebraic number theory to show
that if n is a positive integer for which x
1
+ y
1

d
has an nth root in Q(

d ), then n = 1, 2, 3, or 6, the
case n = 2 being possible only for d 1, 2, or
5 mod 8, and the cases n = 3 and 6 only for
d 5 mod 8. Thus, for large squarefree d one can-
not expect to save much space by writing x
1
+ y
1

d
as a power. This is also true when one allows the
root to lie in a composite of quadratic fields, as we
did for the cattle problem.
Let d again be an arbitrary positive integer that
is not a square. Instead of powers, we consider
power products in Q(

d ), that is, expressions of

the form
t

i=1
(a
i
+ b
i
_
d )
n
i
where t is a nonnegative integer, a
i
, b
i
, n
i
are
integers, n
i
= 0, and for each i at least one of a
i
and b
i
is nonzero. We define the length of such an
expression to be
t
_
i=1
_
log |n
i
| + log(|a
i
| + |b
i
|
_
d )
_
.
This is roughly proportional to the amount of bits
needed to specify the numbers a
i
, b
i
, and n
i
. Each
power product represents a nonzero element of
Q(

d ), and that element can be expressed uniquely

as (a + b

d )/c, with a, b, c Z, gcd(a, b, c) = 1,

c > 0. However, the number of bits of a, b, c will
typically grow linearly with the exponents |n
i
|
themselves rather than with their logarithms. So one
avoids using the latter representation and works
directly with the power products instead.
Several fundamental issues are raised by the
representation of elements as power products. For
example, can we recognize whether two power
products represent the same element of Q(

d ) by
means of a polynomial time algorithm? Here poly-
nomial time means, as before, that the run time
is bounded by a polynomial function of the length
of the input, which in this case equals the sum of
the lengths of the two given power products. Sim-
ilarly, can we decide in polynomial time whether a
given power product represents an element of the
form a + b

d with a, b Z, that is, an element of

Z[

d]? If it does, can we decide whether one has

a
2
db
2
= 1 and a, b > 0, so that we have a solu-
tion to Pells equation, and can we compute the
residue classes of a and b modulo a given positive
integer m, all in polynomial time?
All questions just raised have affirmative an-
swers, even in the context of general algebraic
number fields. Algorithms proving this were ex-
hibited recently by Guoqiang Ge. In particular, one
can efficiently decide whether a given power prod-
uct represents a solution to Pells equation, and if
it does, one can efficiently compute any desired
number of least significant decimal digits of that
solution; taking the logarithm of the power prod-
uct, one can do the same for the leading digits, and
for the number of decimal digits, except possibly
in the probably very rare cases that a or b is ex-
cessively close to a power of 10. There is no known
polynomial time algorithm for deciding whether a
given power product represents the fundamental
solution to Pells equation.
Figure 4.
188 NOTICES OF THE AMS VOLUME 49, NUMBER 2
Infrastructure
Suppose now that, given d, we are not asking for
the fundamental solution x
1
+ y
1

d to Pells
equation, but for a power product in Q(

d ) that
represents it. The following theorem summarizes
essentially all that is rigorously known about the
smallest length of such a power product and about
algorithms for finding one.
Theorem. There are positive real numbers c
6
and
c
7
with the following properties.
(a) For each positive integer d that is not a square
there exists a power product that represents the
fundamental solution to Pells equation and that
has length at most c
6
(log d)
2
.
(b) The problem of computing a power product
representing the fundamental solution to Pells equa-
tion is polynomial time equivalent to the problem
of computing an integer

R
d
with |R
d

R
d
| < 1.
(c) There is an algorithm that given d computes
a power product representing the fundamental
sol uti on to Pel l s equati on i n ti me at most
R
1/2
d
(1 + log d)
c
7
.
Part (a) of the theorem, which is taken from [2],
implies that the question we are asking does
admit a brief answer, so that there is no obvious
obstruction to the existence of a polynomial time
algorithm for finding such an answer.
Part (b), which is not formulated too rigorously,
asserts the existence of two polynomial time
algorithms. The first takes as input a power
product

i
(a
i
+ b
i

d )
n
i
representing the funda-
mental solution to the Pell equation and gives as
output an integer approximation to the regulator.
There is no surprise here, one just uses the formula
R
d
=

i
n
i
log |a
i
+ b
i

d| and applies a polynomial

time algorithm for approximating logarithms. The
second algorithm takes as input the number d as
well as an integer approximation

R
d
to R
d
, and
it computes a power product representing the
fundamental solution to Pells equation. Since the
algorithm runs in polynomial time, the length of
the output is polynomially bounded, and this is in
fact the way part (a) of the theorem is proved.
The key notion underlying the second algorithm
is that of infrastructure, a word coined by
Shanks (see [11]) to describe a certain multiplica-
tive structure that he detected within the period of
the continued fraction expansion of

d. It was
subsequently shown (see [7]) that this period can
be embedded in a circle group of circumfer-
ence R
d
, the embedding preserving the cyclical
structure. In the modern terminology of Arakelov
theory, one may describe that circle group as the
kernel of the natural map Pic
0
Z[

d] PicZ[

d]
from the group of metrized line bundles of
degree 0 on the arithmetic curve corresponding
to Z[

d] to the usual class group of invertible

ideals. By means of Gausss reduced binary qua-
dratic forms one can do explicit computations in
Pic
0
Z[

d] and in its circle subgroup. For a fuller

explanation of these notions and their algorithmic
use we refer to the literature [2, 7, 10, 11, 14].
The equivalence stated in part (b) of the theo-
rem has an interesting feature that is not com-
monly encountered in the context of equivalences.
Namely, one may achieve an improvement by going
back-and-forth. Thus, starting from a power prod-
uct representing the fundamental solution, one
can first use it to compute

R
d
and next use

R
d
to
find a second power product, possibly of smaller
length than the initial one. And conversely, start-
ing from any rough approximation to R
d
, one can
compute a power product and use it to compute
R
d
to any desired accuracy.
The algorithm referred to in part (c) is the
fastest rigorously proven algorithm for computing
a power product as desired. Its run time is roughly
the square root of the run time of the continued
fraction algorithm. It again makes use of the
infrastructure just discussed, combining it with
a search technique that is known as the baby
stepgiant step method. The power product com-
ing out of the algorithm may not have a very small
length, but one can easily do something about this
by using the algorithms of part (b). Our estimates
for R
d
show that the run time is at most
d
1/4
(1 + log d)
c
8
for some c
8
; here the exponent
1/4 can be improved to 1/5 if one is willing to
assume certain generalized Riemann hypotheses
(see [10]). Recent work of Buchmann and Vollmer
shows that part (c) is valid with c
7
= 1 + for all
> 0 and all d exceeding a bound depending on .
Mathematically the infrastructure methods have
great interest. Algorithmically one conjectures that
something faster is available. But as we shall see,
the final victory may belong to the infrastructure.
Smooth numbers
The algorithms for solving Pells equation that we
saw so far have an exponential run time as a func-
tion of log d. One prefers to have an algorithm
whose run time is polynomial in log d. The method
that we shall now discuss is believed to have a run
time that is halfway between exponential and
polynomial. Like many subexponential algorithms
in number theory, it makes use of smooth numbers,
that is, nonzero integers that up to sign are built
up from small prime factors. Smooth numbers
have been used with great success in the design of
algorithms for factoring integers and for comput-
ing discrete logarithms in multiplicative groups of
rings. Here we shall see how they can be used for
the solution of Pells equation as well.
Instead of giving a formal description, we illus-
trate the algorithm on the case d = 4729494 =
FEBRUARY 2002 NOTICES OF THE AMS 189
2 3 7 11 29 353 derived from the cattle
problem. The computation is less laborious and
more entertaining than the expansion of

d in a
continued fraction performed by Amthor. We shall
explain the method on an intuitive level only; read-
ers desirous to see its formal justification should
acquaint themselves with the basic theorems of
algebraic number theory.
The smooth numbers that the algorithm operates
with are not ordinary integers, but elements of the
ring Z[

d], with d as just chosen. There is a natural

way of extending the notion of smoothness to such
numbers. Namely, for = a + b

d Q(

d ), with
a, b Q, write

= a b

d. Then

yields an
automorphism of the field Q() and the ring Z[],
and the norm map N: Q(

d ) Q defined by
N() =

= a
2
db
2
respects multiplication. It is
now natural to expect that an element of Z[

d] is
smooth if and only if

is smooth; so one may as

well pass to their product N(), which is an ordinary
integer, and define to be smooth if |N()| is built
up from prime numbers that lie below a certain
bound. The size of this bound depends on the cir-
cumstances; in the present computation we choose
it empirically.
The first step in the algorithm is to find a good
supply of smooth numbers a + b

d in Z[

d], or,
equivalently, pairs of integers a, b for which
a
2
db
2
is smooth. One does this by trying b = 1,
2, 3, in succession, and trying integers a in the
neighborhood of b

d; then |a
2
db
2
| is fairly
small, which increases its chance to be smooth. For
example, with b = 1 one finds for a near
b

d
.
= 2174.74 the following smooth values of
a
2
d:
2156
2
d = 2 7 11 17 31,
2162
2
d = 2 5
3
13 17,
2175
2
d = 3 13 29,
2178
2
d = 2 3 5 11 43,
2184
2
d = 2 3 7 31
2
,
2187
2
d = 3 5
2
23 31.
For b = 2, 3, 4, one finds, restricting to values of a
that are coprime to b:
4329
2
2
2
d = 3 5 17
2
41,
4341
2
2
2
d = 3 5 17
3
,
4351
2
2
2
d = 5
2
23
2
,
4363
2
2
2
d = 13
2
17 41,
4389
2
2
2
d = 3 5 7 11 13 23,
4399
2
2
2
d = 5
2
13 31 43,
6514
2
3
2
d = 2 5
3
13 41,
6524
2
3
2
d = 2 5 7 41,
6538
2
3
2
d = 2 7 13 23 43,
8699
2
4
2
d = 17 41.
The prime numbers occurring in these sixteen fac-
torizations are the small prime factors 2, 3, 7, 11,
29 of d, as well as the prime numbers p 43 with
_
d
p
_
= 1. It is only the latter primes that matter, and
there are seven of them: 5, 13, 17, 23, 31, 41, and
43. It is important that the number of smooth ex-
pressions a
2
db
2
exceeds the number of those
primes, which is indeed the case: 16 > 7. If one
uses only the prime numbers up to 31 and the
eight factorizations that do not contain 41 or 43,
there is still a good margin: 8 > 5. Thus, one
decides to work with the smoothness bound 31.
The next step is to write down the prime ideal
factorizations of the eight numbers (a + b

d )/
(a b

d ) . Consider, for example, the case a =

2162, b = 1. Since 2162
2
d contains a factor 13,
the element 2162 +

d has a prime ideal factor of

norm 13, and from 2162 4 mod 13 one sees that
this is the prime ideal p
13
= (13, 4 +

d ); it is the
kernel of the ring homomorphism Z[

d] Z/13Z
sending

d to 4 (mod 13). The conjugate prime

ideal q
13
= (13, 4

d ) then occurs in 2162

d.
Likewise, 2162 +

d is divisible by the cube of

the prime ideal p
5
= (5, 2 +

d ) and by p
17
=
(17, 3 +

d ), and 2162

d by q
3
5
q
17
, where q
5
=
(5, 2

d ) and q
17
= (17, 3

d ) . Finally, 2162
+

d has the prime ideal factor (2,

d ) , but since
2 divides d, this prime ideal equals its own conju-
gate, so it cancels when one divides 2162 +

d by
its conjugate. Altogether one finds the prime ideal
factorization
_
(2162 +
_
d )/(2162
_
d )
_
= (p
5
/q
5
)
3
(p
13
/q
13
) (p
17
/q
17
).
As a second example, consider a = 4351, b = 2.
We have 4351
2
2
2
d = 5
2
23
2
, and from
4351/2 2 mod 5 one sees that 4351 + 2

d
belongs to q
5
rather than p
5
. Similarly,
4351/2 2 mod 23 implies that it belongs to
p
23
= (23, 2 +

d ). Writing q
23
= (23, 2

d ) , one
obtains
_
(4351 + 2
_
d )/(4351 2
_
d )
_
= (p
5
/q
5
)
2
(p
23
/q
23
)
2
.
Doing this for all eight pairs a, b, one arrives at
the table in Figure 5. The first row lists the prime
numbers p we are using. The first column lists the
eight expressions = a + b

d. In the th row
and the pth column, one finds the exponent of
190 NOTICES OF THE AMS VOLUME 49, NUMBER 2
p
p
/q
p
in the prime ideal factorization of /

;
here p
p
, q
p
are as above, with p
31
= (31, 14 +

d )
and q
31
= (31, 14

d ). Thus, each gives rise to

an exponent vector that belongs to Z
5
.
The third step in the algorithm is finding linear
relations with integer coefficients between the eight
exponent vectors. The set of such relations forms
a free abelian group of rank 3, which is 8 minus
the rank of the 8 5 matrix formed by the eight
vectors. A set of three independent generators for
the relation group is given by the last three columns
of Figure 5; in general, one can find such a set by
applying techniques of linear algebra over Z.
In the final step of the algorithm one inspects
the relations one by one. Consider for example the
first relation. It expresses that the sum of the ex-
ponent vectors corresponding to 2156 +

d and
2162 +

d equals the sum of the exponent vectors

for 2187 +

d and 4389 + 2

d. In other words, if
we put
=
(2156 +

d ) (2162 +

d )
(2187 +

d ) (4389 + 2

d )
,
then the element = /

has all exponents in its

prime ideal factorization equal to 0. This is the
same as saying that is a unit x + y

d of the ring
Z[

d]; also, the norm

= x
2
dy
2
of this unit
equals N()/N(

) = 1, so we obtain an integral
solution to Pells equation x
2
dy
2
= 1, except
that it is uncertain whether x and y are positive.
We can write = /

=
2
/N() , where the prime
factorization of N() is available from the factor-
izations of a
2
db
2
that we started with; one finds
in this manner the following two power product
representations of :
=
(2156 +

d ) (2162 +

d )
(2156

d ) (2162

d )

(2187

d ) (4389 2

d )
(2187 +

d ) (4389 + 2

d )
=
3
2
23
2
(2156 +

d )
2
(2162 +

d )
2
2
2
17
2
(2187 +

d )
2
(4389 + 2

d )
2
.
In the second representation, is visibly a square,
or, equivalently, N() is a square; this is a bad
sign, since it is certain to happen when = 1, in
which case one has Q, N() =
2
, x = 1, and
y = 0. That is indeed what occurs here. (Likewise,
it would have been a bad sign if were visibly d
times a square; this is certain to happen if = 1.)
In the present case, the numbers are small enough
that one can directly verify that = 1. For larger
power products, one can decide whether equals
1 by computing log || to a suitable precision
and proving that the logarithm of a positive unit
of Z[

d] cannot be close to 0 without being equal

to 0.
Thus, the first relation disappointingly gives
rise to a trivial solution to the Pell equation. The
reader may check that the unit
29
2
(4351 + 2

d )
2
(4389 + 2

d )
4
5
4
7
2
11
2
23
4
(2175 +

d )
4
obtained from the second relation is also equal
to 1. The third relation yields the unit
=
2
4
5
14
(2175 +

d )
18
(2184 +

d )
10
3
27
7
5
29
9
31
20

(2187 +

d )
20
(4341 + 2

d )
6
(2162 +

d )
18
(4351 + 2

d )
10
.
Since this is not visibly a square, we can be certain
that it is not 1. Since it is positive, it is not 1
either. So is of the form x + y

d, where x, y Z
satisfy x
2
dy
2
= 1 and y = 0; thus, |x| , |y| solve
Pells equation. From the power product, one com-
putes the logarithm of the unit to be
about 102.101583. This implies that
> 1, so that is the largest of the
four numbers ,

= 1/, , and

;
in other words, x + y

d is the largest of
the four numbers x y

d, which is
equivalent to x and y being positive. In
general one can achieve this by first re-
placing by if is negative and next
by

if < 1.
We conclude that the power product
defining does represent a solution to
Pells equation. The next question is
whether it is the fundamental solution.
In the present case we can easily con-
firm this, since from Amthors compu-
tation we know that R
d
.
= 102.101583, Figure 5.
FEBRUARY 2002 NOTICES OF THE AMS 191
and the logarithm of any nonfundamental solution
would be at least 2 R
d
. Therefore, is equal to
the solution u found by Amthor, and it is indeed
fundamental. In particular, the numbers
log
.
= 102.101583 and log u
.
= 102.101583 are
exactly equal, not just to a precision of six decimals.
The power product representation we found
for is a little more compact than the standard
representation we gave for u. Indeed, its length, as
defined earlier, is about 93.099810, as compared
to R
d
.
= 102.101583 for u. The power product
(2175 +

d )
18
(2184 +

d )
10
(2187 +

d )
20
(2175

d )
18
(2184

d )
10
(2187

d )
20

(4341 + 2

d )
6
(2162

d )
18
(4351 2

d )
10
(4341 2

d )
6
(2162 +

d )
18
(4351 + 2

d )
10
,
which also represents u, has length about
125.337907.
Performance
The smooth numbers method for solving Pells
equation exemplified in the previous section can
be extended to any value of d. There is unfortu-
nately not much one can currently prove either
about the run time or about the correctness of the
method. Regarding the run time, however, one can
make a reasonable conjecture.
For x > e, write
L(x) = exp
__
(log x) log log x
_
.
The conjecture is that, for some positive real
number c
9
and all d > 2, the smooth numbers
method runs in time at most L(d)
c
9
. This is, at a
doubly logarithmic level, the exact average of
x
c
9
= exp(c
9
log x) and (log x)
c
9
= exp(c
9
log log x) ;
so conjecturally, the run time of the smooth
numbers method is in a sense halfway between
exponential time and polynomial time.
The main ingredient of the heuristic reasoning
leading to the conjecture is the following proven
theorem: for fixed positive real numbers c, c

, and
x , the probability for a random positive
integer x
c

(drawn from a uniform distribution)

to have all its prime factors L(x)
c
equals
1/L(x)
c

/(2c)+o(1)
. This theorem explains the
importance of the function L in the analysis of
algorithms depending on smooth numbers.
Other ingredients of the heuristic run time
analysis are the belief that the expressions
a
2
db
2
that one hopes to be smooth are so
with the same probability as if they were
random numbers, and the belief that the units
produced by the algorithm have a substantial
probability of being different from 1. These
beliefs appear to be borne out in practice.
Probably one can take c
9
= 3/

8 + in the
conjecture just formulated, for any > 0 and all
d exceeding a bound depending on ; one has
3/

8
.
= 1.06066. One of the bottlenecks is the
time spent on solving a large sparse linear system
over Z. If one is very optimistic about developing
a better algorithm for doing this, it may be possi-
ble to achieve 1 instead of 3/

8.
The smooth numbers method needs to be sup-
plemented with an additional technique if one
wishes to be reasonably confident that the unit it
produces is the fundamental solution to Pells
equation. We forgo a discussion of this technique,
since there is no satisfactory method for testing
whether it achieves its purpose. More precisely,
there is currently no known way of verifying in
subexponential time that a solution to the Pell
equation that is given by means of a power prod-
uct is the fundamental one. The most promising
technique for doing this employs the analytic class
number formula, but its effectiveness depends on
the truth of the generalized Riemann hypothesis.
The latter hypothesis, abbreviated GRH, asserts
that there does not exist an algebraic number field
whose associated zeta function has a complex zero
with real part greater than
1
2
. The GRH can also be
used to corroborate the heuristic run time analy-
sis, albeit in a probabilistic setting. This leads to
the following theorem.
Theorem. There is a probabilistic algorithm that for
some positive real number c
10
has the following
properties.
(a) Given any positive integer d that is not a
square, the algorithm computes a positive integer
R that differs by less than 1 from some positive in-
teger multiple m R
d
of R
d
.
(b) If the GRH is true, then (a) is valid with m= 1.
(c) If the GRH is true, then for each d > 2 the ex-
pected run time of the algorithm is at most L(d)
c
10
.
The algorithm referred to in the theorem is prob-
abilistic in the sense that it employs a random
number generator; every time the random number
generator is called, it draws, in unit time, a random
bit from the uniform distribution, independently
of previously drawn bits. The run time and the
output of a probabilistic algorithm depend not
only on the input, but also on the random bits that
are drawn; so given the input, they may be viewed
as random variables. In the current case, the ex-
pectation of the run time for fixed d is considered
in part (c) of the theorem, and (a) and (b) describe
what we know about the output. In particular, the
algorithm always terminates, and if GRH is true,
then it is guaranteed to compute an integer ap-
proximation to the regulator.
The theorem just stated represents the efforts
of several people, an up-to-date list of references
being given by Ulrich Vollmer [12]. According to a
recent unpublished result of Ulrich Vollmer, one
192 NOTICES OF THE AMS VOLUME 49, NUMBER 2
may take c
10
= 3/

8 + for any > 0 and all d ex-

ceeding a bound depending on ; this improves the
value

2 + found in [12].
The last word on algorithms for solving Pells
equation has not been spoken yet. Very recently,
Sean Hallgren exhibited a quantum algorithmthat
computes, in polynomial time, a power product rep-
resenting the fundamental solution. His algorithm
depends on infrastructure, but not on smooth num-
bers. For practical purposes, the smooth numbers
method will remain preferable until quantum com-
puters become available.
Acknowledgements
This paper was written while I held the 20002001
HP-MSRI Visiting Research Professorship. I thank
Sean Hallgren, Mike Jacobson Jr., and Ulrich Vollmer
for answering my questions, John Voight for
writing a first draft, Bart de Smit for numerical as-
sistance, and the Universiteitsbibliotheek Leiden for
providing Figure 1. A special word of thanks is
due to Hugh Williams, whose version [14] of the
same story contains many details omitted in mine.
Bibliographic note
The present paper will, with additional references,
also appear in Algorithmic number theory, the
proceedings of an introductory workshop held at
MSRI (Berkeley) in August 2000, to be published by
Cambridge University Press. Readers interested in
acquainting themselves with number theoretic
algorithms are encouraged to consult those pro-
ceedings. An extensive and up-to-date bibliography
on the Pell equation and on methods for solving it
can be found in Hugh Williamss paper [14].
References
[1] ARCHIMEDES, The cattle problem, in English verse
by S. J. P. Hillion & H. W. Lenstra Jr., Mercator,
Santpoort, 1999.
[2] J. BUCHMANN, C. THIEL, H. C. WILLIAMS, Short represen-
tation of quadratic integers, Computational Algebra
and Number Theory (Sydney, 1992), Math. Appl.,
vol. 325, Kluwer, Dordrecht, pp. 159185.
[3] L. E. DICKSON, History of the theory of numbers, vol.
II, Diophantine analysis, Carnegie Institution of Wash-
ington, Washington, 1920.
[4] L. EULER, Vollstndige Anleitung zur Algebra, Zweyter
Theil, Kays. Acad. der Wissenschaften, St. Peters-
burg, 1770; Opera mathematica, ser. I, vol. 1, B. G.
Teubner, Leipzig, 1911. English translation: Elements
of Algebra, Springer, New York, 1984.
[5] P. M. FRASER, Ptolemaic Alexandria, Oxford University
Press, Oxford, 1972.
[6] B. KRUMBIEGEL, A. AMTHOR, Das Problema Bovinum des
Archimedes, Historisch-literarische Abteilung der
Zeitschrift fr Mathematik und Physik 25 (1880),
121136, 153171.
[7] H. W. LENSTRA JR., On the calculation of regulators and
class numbers of quadratic fields, J. Armitage (ed.),
Journes Arithmtiques 1980, London Math. Soc.
Lecture Note Ser. 56, Cambridge University Press,
Cambridge, 1982, pp. 123150.
[8] H. L. NELSON, A solution to Archimedes cattle prob-
lem, J. Recreational Math. 13 (3) (198081), 162176.
[9] I. NIVEN, H. S. ZUCKERMAN, H. L. MONTGOMERY, An Intro-
duction to the Theory of Numbers, 5th ed., John Wiley
& Sons, New York, 1991.
[10] R. J. SCHOOF, Quadratic fields and factorization, H. W.
Lenstra Jr., R. Tijdeman (eds.), Computational Meth-
ods in Number Theory, Part II, Math. Centre Tracts
155, Math. Centrum, Amsterdam, 1982, pp. 235286.
[11] D. SHANKS, The infrastructure of a real quadratic field
and its applications, Proceedings of the Number The-
ory Conference (Univ. Colorado, Boulder, Colo., 1972),
Univ. Colorado, Boulder, pp. 217224.
[12] U. VOLLMER, Asymptotically fast discrete logarithms
in quadratic number fields, W. Bosma (ed.), Algo-
rithmic Number Theory (ANTS-IV), Lecture Notes
in Comput. Sci. 1838, Springer, Berlin, 2000, pp.
581594.
[13] A. WEIL, Number Theory, an Approach through His-
tory, Birkhuser, Boston, 1984.
[14] H. C. WILLIAMS, Solving the Pell equation, Proc. Mil-
lennial Conference on Number Theory, A. K. Peters,
to appear.
About the Cover
This months cover is what the graphics expert
Edward Tufte would likely call a confection. It
tries very hard to portray all of the cattle and all
of the digits involved in the minimal solution to
Archimedes cattle problem described in Hen-
drik Lenstras article. It also illustrates a well
known geometrical version of the algorithm for
constructing a continued fraction expansion (in
this case, of the ratio of dimensions of the image
itself).
The picture of the animals has been extracted
from a famous painting by the seventeenth cen-
tury artist Paulus Potter entitled (in translation
from the original Dutch) Four cows in a
meadow, even though the cows seem to be
steers. It is reproduced here by permission of the
Rijksmuseum in Amsterdam, where the original
is located.
The 206,545 digits to be displayed down to
subatomic level were supplied by Lenstra and Bart
de Smit.
Bill Casselman ([email protected])