Prime Numbers

Be that as it may, the large-prime variation does give us something that we did not have before. By allowing sieve reports of numbers that are close to the threshold for B-smoothness, but not quite there, we can discover numbers that have one slightly larger prime. In fact, if a number has all the primes up to B removed from its prime factorization, and the resulting number is smaller than B2, but larger than 1, then the resulting number must be a prime. It is this idea that is at work in the large-prime variation. Our sieve is not perfect, since we are using approximate logarithms and perhaps not sieving with small primes (see Section 3.2.5), but the added grayness does not matter much in the mass of numbers being considered. Some numbers with a large prime factor that might have been reported are possibly passed over, and some numbers are reported that should not have been, but neither problem is of great consequence.

So if we can obtain these numbers with a large prime factor for free, how then can we process them in the linear algebra stage of the algorithm? In fact, we should not view the numbers with a large prime as having longer exponent vectors, since this could cause our matrix to be too large. There is a very cheap way to process these large prime reports. Simply sort them on the value of the large prime factor. If any large prime appears just once in the sorted list, then this number cannot possibly be used to make a square for us, so it is discarded. Say we have k reports with the same large prime: x2i − n = yiP , for i = 1, 2, . . . , k. Then

(x1xi)2 ≡ y1yiP 2 (mod n), for i = 2, . . . , k.

So when k ≥ 2 we can use the exponent vectors for the k − 1 numbers y1yi, since the contribution of P 2 to the exponent vector, once it is reduced mod 2, is 0. That is, duplicate large primes lead to exponent vectors on the primes up to B. Since it is very fast to sort a list, the creation of these new exponent vectors is like a gift from heaven.

There is one penalty to using these new exponent vectors, though it has not proved to be a big one. The exponent vector for a y1yi as above is usually not as sparse as an exponent vector for a fully smooth report. Thus, the matrix techniques that take advantage of sparseness are somewhat hobbled. Again, this penalty is not severe, and every important implementation of the QS method uses the large-prime variation.

One might wonder how likely it is to have a pair of large primes matching. That is, when we sort our list, could it be that there are very few matches, and that almost everything is discarded because it appears just once? The birthday paradox from probability theory suggests that matches will not be uncommon, once one has plenty of large prime reports. In fact the experience that factorers have is that the importance of the large prime reports is nil near the beginning of the run, because there are very few matches, but as the data set gets larger, the e ect of the birthday paradox begins, and the matches for the large primes blossom and become a significant source of rows for the final matrix.

It is noticed in practice, and this is supported too by theory, that the larger the large prime, the less likely for it to be matched up. Thus, most practitioners eschew the larger range for large primes, perhaps keeping only those in the interval (B, 20B] or (B, 100B].

Various people have suggested over the years that if one large prime is good, perhaps two large primes are better. This idea has been developed in [Lenstra and Manasse 1994], and they do, in fact, find better performance for larger factorizations if they use two large primes. The landmark factorization of the RSA129 challenge number mentioned in Section 1.1.2 was factored using this double large-prime variation.

There are various complications for the double large-prime variation that are not present in the single large-prime variation discussed above. If an integer in the interval (1, B2] has all prime factors exceeding B, then it must be prime: This is the fundamental observation used in the single large-prime variation. What if an integer in (B2, B3] has no prime factor ≤ B? Then either it is a prime, or it is the product of two primes each exceeding B. In essence, the double large prime variation allows for reports where the unfactored portion is as large as B3. If this unfactored portion m exceeds B2, a cheap pseudoprimality test is applied, say checking whether 2m−1 ≡ 1 (mod m); see Section 3.4.1. If m satisfies the congruence, it is discarded, since then it is likely to be prime, and also too large to be matched with another large prime. If m is proved composite by the congruence, it is then factored, say by the Pollard rho method; see Section 5.2.1. This will then allow reports that are B-smooth, except for two prime factors larger than B (and not much larger).

As one can see, this already requires much more work than the single largeprime variation. But there is more to come. One must search the reported numbers with a single large prime or two large primes for cycles; that is, subsets whose product is B-smooth, except for larger primes that all appear to even exponents. For example, say we have the reports y1P1, y2P2, y3P1P2, where y1, y2, y3 are B-smooth and P1, P2 are primes exceeding B (so we are describing here a cycle consisting of two single large prime reports and one double large prime report). The product of these three reports is y1y2y3P12P22, whose exponent vector modulo 2 is the same as that for the B-smooth number y1y2y3. Of course, there can be more complicated cycles than this, some even involving only double large-prime factorizations (though that kind will be infrequent). It is not as simple as before, to search through our data set for these cycles. For one, the data set is much larger than before and there is a possibility of being swamped with data. These problems are discussed in [Lenstra and Manasse 1994]. They find that with larger numbers they gain a more than twofold speed-up using the double large-prime variation. However, they also admit that they use a value of B that is perhaps smaller than others would choose. It would be interesting to see an experiment that allows for variations of all parameters involved to see which combination is the best for numbers of various sizes.

And what, then, of three large primes? One can appreciate that the added di culties with two large primes increase still further. It may be worth it, but it seems likely that instead, using a larger B would be more profitable.

6.1.5Multiple polynomials

√

In the basic QS method we let x run over integers near n, searching for values

size of x − n, since smaller numbers are more likely to be smooth than larger

numbers. But for x near to √n, we have x2 − n ≈ 2 (x − √n) √n, and so as x

√

marches away from n, so, too, do the numbers x2 − n, and at a steady and rapid rate. There is thus built into the basic QS method a certain diminishing return as one runs the algorithm, with perhaps a healthy yield rate for smooth reports at the beginning of the sieve, but this rate declining perceptibly as one continues to sieve.

The multiple polynomial variation of the QS method allows one to get around this problem by using a family of polynomials rather than just the one polynomial x2 − n. Di erent versions of using multiple polynomials have been suggested independently by Davis, Holdridge, and Montgomery; see [Pomerance 1985]. The Montgomery method is slightly better and is the way we currently use the QS algorithm. Basically, what Montgomery does

If we have a value of a that is a square times a B-smooth number and a value of x for which f (x) is B-smooth, then the exponent vector for af (x), once it is reduced modulo 2, gives us a row for our matrix. Moreover, the possible odd primes p that can divide f (x) (and do not divide n) are those with np = 1, namely the same primes that we are using in the basic QS algorithm. (It is somewhat important to have the set of primes occurring not depend on the polynomial used, since otherwise, we will have more columns for our matrix, and thus need more rows to generate a dependency.)

We are requiring that the triple a, b, c satisfy b2 − ac = n and that a be a B-smooth number times a square. However, the reason we are using the polynomial f (x) is that its values might be small, and so more likely to be smooth. What conditions should we put on a, b, c to have small values for f (x) = ax2 + 2bx + c? Well, this depends on how long an interval we sieve on for the given polynomial. Let us decide beforehand that we will only sieve the polynomial for arguments x running in an interval of length 2M . Also, by (6.2), we can agree to take the coe cient b so that it satisfies |b| ≤ 12 a (assuming a is positive). That is, we are ensuring our interval of length 2M

and the least value is at x = 0, being there about −n/a. Let us set the absolute

values of these two expressions approximately equal to each other, giving the

√

approximate equation a2M 2 ≈ 2n, so that a ≈ 2n/M .

So we have saved a factor 2 2 in size. But we have saved much more than that. In the basic QS method the values continue to grow, we cannot stop at a preset value M . But when we use a family of polynomials, we can continually change. Roughly, using the analysis of Section 6.1.1, we can choose M = B = L(n)1/2 when we use multiple polynomials, but must choose M = B2 = L(n) when we use only one polynomial. So the numbers that “would be smooth” using multiple polynomials are smaller on average by a factor B. A heuristic analysis

shows that using multiple polynomials speeds up the quadratic sieve method

√

by roughly a factor 12 ln n ln ln n. When n is about 100 digits, this gives a savings of about a factor 17; that is, QS with multiple polynomials runs about 17 times as fast as the basic QS method. (This “thought experiment” has not been numerically verified, though there can be no doubt that using multiple polynomials is considerably faster in practice.)

However, there is one last requirement for the leading coe cient a: We

for b, then we can ensure that |b| ≤ a/2, and we can let c = (b − n)/a. Note that the methods of Section 2.3.2 will allow us to solve the congruence provided that we choose a such that a is odd, we know the prime factorization of a, and for each prime p|a, we have np = 1. One e ective way to do this is

to take various primes p ≈ (2n)1/4/M 1/2, with np = 1, and choose a = p2. Then such values of a meet all the criteria we have set for them:

The congruence b2 ≡ n (mod a) has two solutions, if we take a = p2 as above. However, the two solutions lead to equivalent polynomials, so we use only one of the solutions, say the one with 0 < b < 12 a.

6.1.6Self initialization

In Section 6.1.5 we learned that it is good to change polynomials frequently. The question is, how frequently? One constraint, already implicitly discussed, is that the length, 2M , of the interval on which we sieve a polynomial should be at least B, the bound for the moduli with which we sieve. If this is the only constraint, then a reasonable choice might then be to take M with 2M = B.

For numbers in the range of 50 to 150 digits, typical choices for B are in the range 104 to 107, approximately. It turns out that sieving is so fast an operation, that if we changed polynomials every time we sieved B numbers, the overhead in making the change would be so time-consuming that overall e ciency would su er. This overhead is principally to solve the initialization problem. That is, given a, b, c as in Section 6.1.5, for each odd prime p ≤ B with np = 1, we have to solve the congruence

ax2 + 2bx + c ≡ 0 (mod p)

for the two roots r(p) mod p and s(p) mod p (we assume here that p does not divide an). Thus, we have

where

t(p)2 ≡ n (mod p).

For each polynomial, we can use the exact same residue t(p) each time when we come to finding r(p), s(p). So the principal work in using (6.3) is in computing a−1 mod p for each p (say by Algorithm 2.1.4) and the two mod p multiplications. If there are many primes p for which this needs to be done, it is enough work that we do not want to do it too frequently.

The idea of self initialization is to amortize the work in (6.3) over several polynomials with the same value of a. For each value of a, we choose b such that b2 ≡ n (mod a) and 0 < b < a/2; see Section 6.1.5. For each such b we can write down a polynomial ax2 + 2bx + c to use in QS, by letting c = (b2 − n)/a. The number of choices for b for a given value of a is 2k−1, where a has k distinct prime factors (assuming that a is odd, and for each prime p|a we have np = 1). So, choosing a as the square of a prime, as suggested in Section 6.1.5, gives exactly 1 choice for b. Suppose instead we choose a as the product of 10 di erent primes p. Then there are 512 = 29 choices for b corresponding to the given a, and so the a−1 (mod p) computations need only be done once and then used for all 512 of the polynomials. Moreover, if none of the 10 primes used in a exceeds B, then it is not necessary to have them squared in a, their elimination is already built into the matrix step anyway.

There can be more savings with self initialization if one is willing to do some additional precomputation and store some files. For example, if one computes and stores the list of all 2t(p)a−1 mod p for all the primes p with which we sieve, then the computation to get r(p), s(p) in (6.3) can be done with a single multiplication rather than 2. Namely, multiply −b + t(p) by the stored value a−1 mod p and reduce mod p. This gives r(p). Subtracting the stored value 2t(p)a−1 mod p and adding p if necessary, we get s(p).

It is even possible to eliminate the one multiplication remaining, by traversing the di erent solutions b using a Gray code; see Exercise 6.7. In fact, the Chinese remainder theorem, see Section 2.1.3, gives the di erent solutions b in the form B1 ± B2 ± · · · ± Bk. (If a = p1p2 · · · pk, then Bi satisfies

276 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

Bi2 ≡ n (mod pi) and Bi ≡ 0 (mod a/pi).) If we traverse the 2k−1 numbers B1 ± B2 ± . . . ± Bk using a Gray code and precompute the lists 2Bia−1 mod p for all p with which we sieve, then we can move from the sieving coordinates for one polynomial to the next doing merely some low-precision adds and subtracts for each p. One can get by with storing only the most frequently used files 2Bia−1 mod a if space is at a premium. For example, storing this file only for i = k, which is in action every second step in the Gray code, we have initialization being very cheap half the time, and done with a single modular multiplication for each p (and a few adds and subtracts) the other half of the time.

The idea for self initialization was briefly sketched in [Pomerance et al. 1988] and more fully described in [Alford and Pomerance 1995] and [Peralta 1993]. In [Contini 1997] it is shown through some experiments that self initialization gives about a twofold speedup over standard implementations of QS using multiple polynomials.

6.1.7Zhang’s special quadratic sieve

What makes the quadratic sieve fast is that we have a polynomial progression of small quadratic residues. That they are quadratic residues renders them useful for obtaining congruent squares that can split n. That they form a polynomial progression (that is, consecutive values of a polynomial) makes it easy to discover smooth values, namely, via a sieve. And of course, that they are small makes them more likely to be smooth than random residues modulo n. One possible way to improve this method is to find a polynomial progression of even smaller quadratic residues. Recently, M. Zhang has found such a way, but only for special values of n, [Zhang 1998]. We call his method the special quadratic sieve, or SQS.

Suppose the number n we are trying to factor (which is odd, composite, and not a power) can be represented as

where m, a2, a1, a0 are integers, m ≈ n1/3. Actually, every number n can be represented in this way; just choose m = n1/3!, let a1 = a2 = 0, and let a0 = n − m3. We shall see below, though, that the representation (6.4) will be useful only when the ai’s are all small in absolute value, and so we are considering only special values of n.

Let b0, b1, b2 be integer variables, and let

where

c2 = (a22 − a1)b22 − 2a2b1b2 + b21 + 2b0b2,

c1 = (a1a2 − a0)b22 − 2a1b1b2 + 2b0b1,

c0 = a0a2b22 − 2a0b1b2 + b20.

Since b0, b1, b2 are free variables, perhaps they can be chosen so that they are small integers and that c2 = 0. Indeed, they can. Let

b2 = 2, b1 = 2b, b0 = a1 − a22 + 2a2b − b2,

where b is an arbitrary integer. With these choices of b0, b1, b2 we have

The proposal is to let b run through small numbers, use a sieve to search for smooth values of y(b), and then use a matrix of exponent vectors to find a subset of the congruences (6.6) to construct two congruent squares mod n that then may be tried for factoring n. If a0, a1, a2, and b are all O(n ), where 0 ≤ < 1/3, and m = O n1/3 , then y(b) = O(n1/3+3 ). The complexity analysis of Section 6.1.1 gives a heuristic running time of

√

L(n) 2/3+6 +o(1),

where L(n) is defined in (6.1). If is small enough, this estimate beats the heuristic complexity of QS.

It may also be profitable to generalize (6.4) to

an = m3 + a2m2 + a1m + a0.

The number a does not appear in the expressions for x(b), y(b), but it does a ect the size of the number m, which is now about (an)1/3.

For example, consider the number 2601 − 1. We have the two prime factors 3607 and 64863527, but the resulting number n0 when these primes are divided into 2601 − 1 is a composite of 170 decimal digits for which we know no factor.

We have

22 · 3607 · 64863527n0 = 2603 − 22 = 2201 3 − 4,

so that we may take a0 = −4, a1 = a2 = 0, m = 2201. These assignments give the congruence (6.6) with

x(b) = 2m2 + 2bm − b2, y(b) = (16 − 4b3)m + 32b + b4, m = 2201.

As the number b grows in absolute value, y(b) is dominated by the term −4b3m. It is not unreasonable to expect that b will grow as large as 240, in which case the size of |y(b)| will be near 2323. This does not compare favorably with the quadratic sieve with multiple polynomials, where the size of the numbers we sieve for smooths would be about 220√n ≈ 2301. (This assumes a sieving interval of about 220 per polynomial.)

However, we can also use multiple polynomials with the special quadratic sieve. For example, for the above number n0, take b0 = −2u2, b1 = 2uv, b2 = v2. This then implies that we may take

x(u, v) = v2m2 + 2uvm − 2u2, y(u, v) = (4v4 − 8u3v)m + 16uv3 + 4u4,

and let u, v range over small, coprime integers. (It is important to take u, v coprime, since otherwise, we shall get redundant relations.) If u, v are allowed to range over numbers with absolute value up to 220, we get about the same

2 , a savings over the ordinary quadratic sieve. (There is a small additional savings, since we may actually consider the pair n−2 1 x(u, v), 14 y(u, v).)

It is perhaps not clear why the introduction of u, v may be considered as “multiple polynomials.” The idea is that we may fix one of these letters, and sieve over the other. Each choice of the first letter gives a new polynomial in the second letter.

The assumption in the above analysis of a sieve of length 240 is probably on the small side for a number the size of n0. A larger sieve length will make SQS look poorer in comparison with ordinary QS.

It is not clear whether the special quadratic sieve, as described above, will be a useful factoring algorithm (as of this writing, it has not actually been tried out in significant settings). If the number n is not too large, the growth of the coe cient of m in y(b) or y(u, v) will dominate and make the comparison with the ordinary quadratic sieve poor. If the number n is somewhat larger, so that the special quadratic sieve starts to look better, as in the above example, there is actually another algorithm that may come into play and again majorize the special quadratic sieve. This is the number field sieve, something we shall discuss in the next section.

6.2Number field sieve

We have encountered some of the inventive ideas of J. Pollard in Chapter 5. In 1988 (see [Lenstra and Lenstra 1993]) Pollard suggested a factoring method that was very well suited for numbers, such as Fermat numbers, that are close to a high power. Before long, this method had been generalized so that it could be used for general composites. Today, the number field sieve (NFS) stands as the asymptotically fastest heuristic factoring algorithm we know for “worst-case” composite numbers.

6.2.1Basic NFS: Strategy

The quadratic sieve factorization method is fast because it produces small quadratic residues modulo the number we are trying to factor, and because we can use a sieve to quickly recognize which of these quadratic residues are smooth. The QS method would be faster still if the quadratic residues it produces could be arranged to be smaller, since then they would be more likely to be smooth, and so we would not have to sift through as many of them. An interesting thought in this regard is that it is not necessary that they be quadratic residues, only small! We have a technique through linear algebra of multiplying subsets of smooth numbers so as to obtain squares. In the quadratic sieve, we had only to worry about one side of the congruence, since the other side was already a square. In the number field sieve we use the linear algebra method on both sides of the key congruence.

However, our congruences will not start with two integers being congruent mod n. Rather, they will start with pairs θ, φ(θ), where θ lies in a particular algebraic number ring, and φ is a homomorphism from the ring to Zn. (These concepts will be described concretely, in a moment.) Suppose we have k such pairs θ1, φ(θ1), . . . , θk, φ(θk), such that the product θ1 · · · θk is a square in the number ring, say γ2, and there is an integer square, say v2, such that φ(θ1) · · · φ(θk) ≡ v2 (mod n). Then if φ(γ) ≡ u (mod n) for an integer u, we have

u2 ≡ φ(γ)2 ≡ φ(γ2) ≡ φ(θ1 · · · θk) ≡ φ(θ1) · · · φ(θk) ≡ v2 (mod n).

That is, stripping away all of the interior expressions, we have the congruence u2 ≡ v2 (mod n), and so could try to factor n via gcd(u − v, n).

The above ideas constitute the strategy of NFS. We now discuss the basic setup that introduces the number ring and the homomorphism φ. Suppose we are trying to factor the number n, which is odd, composite, and not a power.

Let

f (x) = xd + cd−1xd−1 + · · · + c0

be an irreducible polynomial in Z[x], and let α be a complex number that is a root of f . We do not need to numerically approximate α; we just use the symbol “α” to stand for one of the roots of f . Our number ring will be Z[α]. This is computationally thought of as the set of ordered d-tuples (a0, a1, . . . , ad−1) of integers, where we “picture” such a d-tuple as the element a0 + a1α + · · · ad−1αd−1. We add two such expressions coordinatewise, and we multiply via the normal polynomial product, but then reduce to a d-tuple via the identity f (α) = 0. Another, equivalent way of thinking of the number ring Z[α] is to realize it as Z[x]/(f (x)), that is, involving polynomial arithmetic modulo f (x).

The connection to the number n we are factoring comes via an integer m with the property that

f (m) ≡ 0 (mod n).

We do need to know what the integer m is. We remark that there is a very simple method of coming up with an acceptable choice of f (x) and

m. Choose the degree d for our polynomial. (We will later give a heuristic argument on how to choose d so as to minimize the running time to factor n. Experimentally, for numbers of around 130 digits, the choice d = 5 is acceptable.) Let m = n1/d!, and write n in base m, so that

n = md + cd−1md−1 + · · · + c0,

where each cj [0, m−1]. (From Exercise 6.8 we have that if 1.5(d/ ln 2)d < n, then n < 2md, so the md-coe cient is indeed 1, as in the above display.) So the polynomial f (x) falls right out of the base-m expansion of n: We have f (x) = xd +cd−1xd−1 +· · ·+c0. This polynomial is self-evidently monic. But it may not be irreducible. Actually, this is an excellent situation in which to find ourselves, since if we have the nontrivial factorization f (x) = g(x)h(x) in Z[x], then the integer factorization n = g(m)h(m) is also nontrivial; see [Brillhart et al. 1981] and Exercises 6.9 and 6.10. Since polynomial factorization is relatively easy, see [Lenstra et al. 1982], [Cohen 2000, p. 139], one should factor f into irreducibles in Z[x]. If the factorization is nontrivial, one has a nontrivial factorization of n. If f is irreducible, we may continue with NFS.

The homomorphism φ from Z[α] to Zn is defined by φ(α) being the residue class m (mod n). That is, φ first sends a0 +a1α+· · ·+ad−1αd−1 to the integer a0 + a1m + · · · + ad−1md−1, and then reduces this integer mod n. It will be interesting to think of φ in this “two step” way, since we will also be dealing with the integer a0 + a1m + · · · + ad−1md−1 before it is reduced.

The elements θ in the ring Z[α] that we will consider will all be of the form a − bα, where a, b Z, with gcd(a, b) = 1. Thus, we are looking for a set S of coprime integer pairs (a, b) such that

(a − bα) = γ2, for some γ Z[α],

(a,b) S

(a − bm) = v2, for some v Z.

(a,b) S

Then, if u is an integer such that φ(γ) ≡ u (mod n), then, as above, u2 ≡ v2 (mod n), and we may try to factor n via gcd(u − v, n). (The pairs (a, b) in S are assumed to be coprime so as to avoid trivial redundancies.)

6.2.2Basic NFS: Exponent vectors

How, then, are we supposed to find the set S of pairs (a, b)? The method resembles what we do in the quadratic sieve. There we have a single variable that runs over an interval. We use a sieve to detect smooth values of the given polynomial, and associate exponent vectors to these smooth values, using linear algebra to find a subset of them with product being a square. With NFS, we have two variables a, b. As with the special quadratic sieve (see Section 6.1.7), we can fix the first variable, and sieve over the other, then change to the next value of the first variable, sieve on the other, and so on.