Prime Numbers

is conjectured that it is su cient to choose k = 3 lg n (with the k primes qj chosen as the least possible). Probably a somewhat smaller value of k would also su ce, but this aspect is not a time bottleneck for the algorithm.

We use the pairs qj , sj to augment our exponent vectors with k additional

entries. If a−bsj = 1, the entry corresponding to qj , sj in the exponent vector

qj

for a − bα is 0. If the Legendre symbol is −1, the entry is 1. (This allows the translation from the multiplicative group {1, −1} of order 2 to the additive group Z2 of order 2.) These augmented exponent vectors turn out now to be not only necessary, but also su cient (in practice) for constructing squares.

6.2.5Basic NFS: Square roots

Suppose we have overcome all the obstructions of the last section, and we now have a set S of coprime integer pairs such that f (α)2 (a,b) S (a − bα) = γ2 for γ Z[α], and (a,b) S (a − bm) = v2 for v Z. We then are nearly done, for if u is an integer with φ(γ) ≡ u (mod n), then u2 ≡ (f (m)v)2 (mod n), and we may attempt to factor n via gcd(u − f (m)v, n).

However, a problem remains. The methods of the above sections allow us to find the set S with the above properties, but they do not say how we might go about finding the square roots γ and v. That is, we have squares, one in Z[α], the other in Z, and we wish to find their square roots.

The problem for v is simple, and can be done in the same way as in QS. From the exponent vectors, we can deduce easily the prime factorization of v2, and from this, we can deduce even more easily the prime factorization of v. We actually do not need to know the integer v; rather, we need to know only its residue modulo n. For each prime power divisor of v, compute its residue mod n by a fast modular powering algorithm, say Algorithm 2.1.5. Then multiply these residues together in Zn, finally getting v (mod n).

The more di cult, and more interesting, problem is the computation of γ. If γ is expressed as a0 + a1α + · · · + ad−1αd−1, then an integer u that works is a0 + a1m + · · · + ad−1md−1. Since again we are interested only in the residue u (mod n), it means that we are interested only in the residues aj (mod n). This is good, since the integers a0, . . . , ad−1 might well be very large, with perhaps about as many digits as the square root of the number of steps for the rest of the algorithm! One would not want to do much arithmetic with such huge numbers. Even if one computed only the algebraic integer γ2, and did not worry about finding the square root γ, one would have to use the fast multiplication methods of Chapter 8.8 in order to keep the computation within the time bound of Section 6.2.3. And this does not even begin to touch how one would take the square root.

If we are in the special case where Z[α] = I and this ring is a unique factorization domain, we can use a method similar to the one sketched above for computing v (mod n). But in the general case, our ring may be far from being a UFD.

number n that is not a power. This algorithm attempts to find a nontrivial factorization of n.

Attempt to factor f (x) into irreducible polynomials in Z[x] using the factoring algorithm in [Lenstra et al. 1982] or a variant such as [Cohen 2000, p. 139];

If f (x) has the nontrivial factorization g(x)h(x), return the (also nontrivial)

for(prime p ≤ B) compute the set

R(p) = {r [0, p − 1] : f (r) ≡ 0 (mod p)}; k = 3 lg n ;

Compute the first k primes q1, . . . , qk > B such that R(qj ) contains some element sj with f (sj ) ≡0 (mod qj ), storing the k pairs (qj , sj );

B = p≤B #R(p);

V = 1 + π(B) + B + k;

M= B;

2.[The sieve]

Use a sieve to find a set S of coprime integer pairs (a, b) with 0 < |a|, b ≤ M , and F (a, b)G(a, b) being B-smooth, until #S > V , or failing this, increase M and try again, or goto [Setup] and increase B;

3.[The matrix]

//We shall build a V × #S binary matrix, one row per (a, b) pair.

//We shall compute v(a−bα), the binary exponent vector for a−bα having V bits (coordinates) as follows:

Set the first bit of v to 1 if G(a, b) < 0, else set this bit to 0;

//The next π(B) bits depend on the primes p ≤ B: Define pγ as the power of p in the prime factorization of |G(a, b)|.

Set the bit for p to 1 if γ is odd, else set this bit to 0;

// The next B bits are to correspond to the pairs p, r where p is a prime not exceeding B and r R(p). We use the notation vp,r(a − bα) defined prior to Lemma 6.2.1.

Set the bit for p, r to 1 if vp,r(a − bα) is odd, else set it to 0; // Next, the last k bits correspond to the pairs qj , sj .

Set the bit for qj , sj to 1 if a−bsj is −1, else set it to 0;

qj

If the divisor of n that is reported in Algorithm 6.2.5 is trivial, one has the option of finding more linear dependencies in the matrix and trying again. If we run out of linear dependencies, one again has the option to sieve further to find more rows for the matrix, and so have more linear dependencies.

6.2.7NFS: Further considerations

As with the basic quadratic sieve, there are many “bells and whistles” that may be added to the number field sieve to make it an even better factorization method. In this section we shall briefly discuss some of these improvements.

Free relations

Suppose p is a prime in the “factor base,” that is, p ≤ B. Our exponent vectors have a coordinate corresponding to p as a possible prime factor of a − bm, and #R(p) further coordinates corresponding to integers r R(p). (Recall that R(p) is the set of residues r (mod p) with f (r) ≡ 0 (mod p).) On average, #R(p) is 1, but it can be as low as 0 (in the case that f (x) has no roots (mod p), or it can be as high as d, the degree of f (x) (in the case that f (x) splits into d distinct linear factors (mod p)). In this latter case, we have that the product of the prime ideals (p, α − r) in the full ring of algebraic integers in Q[α] is (p).

Suppose p is a prime with p ≤ B, and R(p) has d members. Let us throw into our matrix an extra row vector v(p), which has 1’s in the coordinates corresponding to p and to each pair p, r where r R(p). Also, in the final field of k coordinates corresponding to the quadratic characters modulo qj

in the precomputations, and not in the sieving stage. Now, when we find a subset of rows that sum to the zero vector mod 2, we have that the subset corresponds to a set S of coprime pairs a, b and a set F of free relations. Let w be the product of the primes p corresponding to the free relations in F .

Then it should be that

a,b)

Then if φ(γ) = u, we have u2 ≡ v2 (mod n), as before.

The advantage of free relations is that the more of them there are, the fewer relations need be uncovered in the time-consuming sieve stage. Also, the vectors v(p) are sparser than a typical exponent vector v(a, b), so including free relations allows the matrix stage to run faster.

So, how many free relations do we expect to find? A free relation corresponds to a prime p that splits completely in the algebraic number field Q(α). Let g be the order of the splitting field of f (x); that is, the Galois closure of Q(α) in the complex numbers. It follows from the Chebotarev density theorem that the number of primes p up to a bound X that split completely in Q(α) is asymptotically g1 π(X), as X → ∞. That is, on average, 1 out of every g prime numbers corresponds to a free relation. Assuming that our factor base bound B is large enough so that the asymptotics are beginning to take over (this is yet another heuristic, but reasonable, assumption), we thus should expect about g1 π(B) free relations. Now, the order g of the splitting field could be as small as d, the degree of f (x), or as high as d!. Obviously, the smaller g is, the more free relations we should expect. Unfortunately, the generic case is g = d!. That is, for most irreducible polynomials f (x) in Z[x] of degree d, the order of the splitting field of f (x) is d!. So, for example, if d = 5, we should expect only about 1201 π(B) free relations, if we choose our polynomial f (x) according to the scheme in Step [Setup] in Algorithm 6.2.5. Since our vectors have about 2π(B) coordinates, the free relations in this case would only reduce the sieving time by less than one-half of 1 per cent. But still, it is free, so to speak, and every little bit helps.

Free relations can help considerably more in the case of special polynomials f (x) with small splitting fields. For example, in the factorization of the ninth Fermat number F9, the polynomial f (x) = x5 + 8 was used. The order of the splitting field here is 20, so free relations allowed the sieving time to be reduced by about 2.5%.

Partial relations

As in the quadratic sieve method, sieving in the number field sieve not only reveals those pairs a, b where both of the numbers N (a − bα) = F (a, b) = bdf (a/b) and a − bm are B-smooth, but also pairs a, b where one or both of these numbers are a B-smooth number times one somewhat larger prime. If we allow relations that have such large primes, at most one each for N (a − bα) and a − bm, we then have a data structure not unlike the quadratic sieve with the double large-prime variation; see Section 6.1.4. It has also been suggested that reports can be used with N (a − bα) having two large primes and a − bm

is a square in Q(α), and if S has an even number of pairs, then

is a square in Z[cdα], say γ2. Finding the integral coe cients (modulo n) of γ with respect to the basis 1, cdα, . . . , (cdα)d−1 then allows us as before to get two congruent squares modulo n, and so gives us a chance to factor

n. (Note that if F (x, y) = ydf (x/y) is the homogenized form of f (x), then F (cdx, cd) = cdF (cdx), and so Fx(cdα, cd) = cdF (cdα). We thus may use Fx(cdα, cd) in place of F (cdα) in the above, if we wish.) So, using a nonmonic

polynomial poses no great complications. To ensure that the cardinality of the set S is even, we can enlarge all of our exponent vectors by one additional coordinate, which is always set to be 1.

The above argument assumes that the coe cient cd is coprime to n. However, it is a simple matter to check that cd and n are coprime. And, since cd is smaller than n in all the cases that would be considered, a nontrivial gcd would lead to a nontrivial splitting of n. For further details on how to use nonmonic polynomials, and also how to use homogeneous polynomials, [Buhler et al. 1993, Section 12].

There have been some exciting developments in polynomial selection, developments that were very important in the record 155-digit factorization of the famous RSA challenge number in late 1999. It turns out that a good polynomial makes so much di erence that it is worthwhile to spend a considerable amount of resources searching through polynomial choices. For details on the latest strategies see [Murphy 1998, 1999].

Polynomial pairs

The description of NFS given in the sections above actually involves two polynomials, though we have emphasized only the single polynomial f (x) for which we have an integer m with f (m) ≡ 0 (mod n). It is more precisely the homogenized form of f that we considered, namely F (x, y) = ydf (x/y), where d is the degree of f (x). The second polynomial is the rather trivial

However, it is not necessary for the degree of g(x) to be 1. Suppose we have two distinct, irreducible (not necessarily monic) polynomials f (x), g(x) Z[x], and an integer m with f (m) ≡ g(m) ≡ 0 (mod n). Let α be a root of f (x) in C and let β be a root of g(x) in C. Assuming that the leading coe cient c of f (x) and C of g(x) are coprime to n, we have homomorphisms φ : Z[cα] → Zn and ψ : Z[Cβ] → Zn, where φ(cα) ≡ cm (mod n) and ψ(Cβ) ≡ Cm (mod n).

Suppose, too, that we have a set S consisting of an even number of coprime integer pairs a, b and elements γ Z[α] and β Z[β] with

298 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

If S has 2k elements, and φ(γ) ≡ v (mod n), ψ(δ) ≡ w (mod n), then

CkGx(Cm, C)v 2 ≡ ckFx(cm, c)w 2 (mod n),

and so we may attempt to factor n via gcd(CkGx(Cm, C)u−ckFx(cm, c)v, n). One may wonder why it is advantageous to use two polynomials of degree higher than 1. The answer is a bit subtle. Though the first-order desirable quality for the numbers that we sieve for smooth values is their size, there is a second-order quality that also has some significance. If a number near x is given to us as a product of two numbers near x1/2, then it is more likely to be smooth than if it is a random number near x that is not necessarily such a product. If it is y-smoothness we are interested in and u = ln x/ ln y, then this second-order e ect may be quantified as about 2u. That is, a number near x given as a product of two random numbers near x1/2 is about 2u times as likely to be y-smooth than is a random number near x. If we have two polynomials in the number field sieve with the same degree and with coe cients of the same magnitude, then their respective homogeneous forms have values that are of the same magnitude. It is the product of the two homogeneous forms that we

are sieving for smooth values, so this 2u philosophy seems to be relevant. However, in the “ordinary” NFS as described in Algorithm 6.2.5, we

are also looking for the product of two numbers to be smooth: One is the homogeneous form F (a, b), and the other is the linear form a − bm. They do not have roughly equal magnitude. In fact, using the parameters suggested, F (a, b) is about the 3/4 power of the product, and a − bm is about the 1/4 power of the product. Such numbers also have an enhanced probability of being y-smooth, namely, 4/33/4 u.

So, using two polynomials of the same degree d ≈ 12 (3 ln n/ ln ln n)1/3, and with coe cients bounded by about n1/2d, we get an increased probability of

The trouble, though, with using dual polynomials is finding them. Other than an exhaustive search, perhaps augmented with fast lattice techniques, no one has suggested a good way of finding such polynomials. For example, take the case of d = 3. We do not know any good method when given a large integer n of coming up with two distinct, irreducible, degree 3 polynomials f (x), g(x), with coe cients bounded by n1/6, say, and an integer m, perhaps very large, such that f (m) ≡ g(m) ≡ 0 (mod n). A counting argument suggests that such polynomials should exist with coe cients even somewhat smaller, say bounded by about n1/8.

Special number field sieve (SNFS)

Counting arguments show that for most numbers n, we cannot do very much better in finding polynomials than the simple-minded strategy of Algorithm 6.2.5. However, there are many numbers for which much better

polynomials do exist, and if we can find such polynomials, then the complexity of NFS is significantly lowered. The special number field sieve (SNFS) refers to the cases of NFS where we are able to find extraordinarily good polynomials.

The SNFS has principally been used to factor many Cunningham numbers (these are numbers of the form bk ± 1 for b = 2, 3, 5, 6, 7, 10, 11, 12, see [Brillhart et al. 1988]). We have already mentioned the factorization of the ninth Fermat number, F9 = 2512 + 1, by [Lenstra et al. 1993a]. They used the polynomial f (x) = x5 + 8 and the integer m = 2103, so that f (m) = 8F9 ≡ 0 (mod F9). Even though we already knew the factor 2424833 of F9 (found by A. E. Western in 1903), this was ignored. That is, the pretty nature of F9 itself was used; the number F9/2424833 is not so pretty!

What makes a polynomial extraordinary is that it has very small coe cients. If we have a number n = bk ± 1, we can create a polynomial as follows. Say we wish the degree of f (x) to be 5. Write k = 5l + r, where r is the remainder when 5 is divided into k. Then b5−rn = b5(l+1) ± b5−r. Thus, we may use the polynomial f (x) = x5 ± b5−r, and choose m = bl+1. When k is large, the coe cients of f (x) are very small in comparison to n.

A small advantage of a polynomial of the form xd + c is that the order of the Galois group is a divisor of dϕ(d), rather than having the generic value d! for degree-d polynomials. Recall that the usefulness of free relations is proportional to the reciprocal of the order of the Galois group. Thus, free relations are more useful with special polynomials of the form xd + c than in the general case.

Sometimes a fair amount of ingenuity can go into the choosing of special polynomials. Take the case of 10193 − 1, factored in 1996 by M. ElkenbrachtHuizing and P. Montgomery. They might have used the polynomial x5 − 100 and m = 1039, as suggested by the above discussion, or perhaps 10x6 − 1 and m = 1032. However, the factorization still would have been a formidable. The number 10193 − 1 was already partially factored. There is the obvious factor 9, but we also knew the factors

773, 39373, 561470969, 639701219449517, 4274417556076113498947,

26409540111952717487908689681403.

After dividing these known factors into 10193 − 1, the resulting number n was still composite and had 108 digits. It would have been feasible to use either the quadratic sieve or the general NFS on n, but it seemed a shame not to use n’s pretty ancestry. Namely, we know that 10 has a small multiplicative

(mod n). However, m is too large to profitably use the linear polynomial x−m. Instead, Elkenbracht-Huizing and Montgomery searched for a quadratic polynomial g(x) with relatively small coe cients and with g(m) ≡ 0 (mod n). This was done by considering the lattice of integer triples (A, B, C) with Am2 + Bm + C ≡ 0 (mod n). The task is to find a short vector in this

lattice. Using techniques to find such short vectors, they came up with a choice for A, B, C all at most 36 digits long. They then used both f (x) and g(x) = Ax2 + Bx + C to complete the factorization of n, finding that n is the product of two primes, the smaller being

447798287131284928051408304965265782892174953181087929.

Many polynomials

It is not hard to come up with many polynomials that may be used in NFS. For example, choose the degree d, let m = 1n1/(d+1)2, write n in base m, getting n = cdnd + · · · + c0, let f (x) = cdxd + · · · + c0, and let fj (x) = f (x) + jx − mj for various small integers j. Or one could look at the family fj,k(x) = f (x) + kx2 − (mk − j)x − mj for various small integers k, j. Each of these polynomials evaluated at m is n.

One might use such a family to search for a particularly favorable polynomial, such as one where there is a tendency for many small primes to have multiple roots. Such a polynomial may have its homogeneous form being smooth more frequently than a polynomial where the small primes do not have this tendency.

But can all of the polynomials be used together? There is an obvious hindrance to doing this. Each time a new polynomial is introduced, the factor base must be extended to take into account the ways primes split for this polynomial. That is, each polynomial used must have its own field of coordinates in the exponent vectors, so that introducing more polynomials makes for longer vectors.

In [Coppersmith 1993] a way is found to (theoretically) get around this problem. He uses a large factor base for the linear form a − bm and small factor bases for the various polynomials used. Specifically, if the primes up to B are used for the linear form, and k polynomials are used, then we use primes only up to B/k for each of these polynomials. Further, we consider only pairs a, b where both a − bm is B-smooth and the homogeneous form of one of the polynomials is (B/k)-smooth. After B relations are collected, we (most likely) have more than enough to create congruent squares.

Coppersmith suggests first sieving over the linear form a − bm for B- smooth numbers, and then individually checking at the homogeneous form of each polynomial used to see if the value at a, b is B/k-smooth. This check can be quickly done using the elliptic curve method (see Section 7.4). The elliptic curve method (ECM) used as a smoothness test is not as e cient in practice as sieving. However, if one wanted to use ECM in QS or NFS instead of sieving, the overall heuristic complexity would remain unchanged, the only di erence coming in the o(1) expression. In Coppersmith’s variant of NFS he cannot e ciently use sieving to check his homogeneous polynomials for smoothness, since the pairs a, b that he checks for are irregularly spaced, being those where a − bm has passed a smoothness test. (One might actually sieve over the letter j in the family fj (x) suggested above, but this will not be a long enough array to make the sieve economical.) Nevertheless, using ECM as a smoothness test