General number field sieve
Posted on: August 20, 2011
Number fields
Suppose f is an n-degree polynomial over Q (the rational numbers), and r is a complex root of f. Then, f(r) = 0, which can be rearranged to express rn as a linear combination of powers of r less than n. This equation can be used to reduce away any powers of r n. For example, if f(x) = x2 + 1 and r is the imaginary unit i, then i2 + 1=0, or i2 = 1. This allows us to define the complex product:
(a+bi)(c+di) = ac + (ad+bc)i + (bd)i2 = (ac - bd) + (ad+bc)i.
In general, this leads directly to the algebraic number field Q[r], which can be defined as the set of real numbers given by:
an-1rn-1 + ... + a1r1 + a0r0, where a0,...,an-1 in Q.
The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of r n as described above, yielding a value in the same form. To ensure that this field is actually n-dimensional and does not collapse to an even smaller field, it is sufficient that f is an irreducible polynomial. Similarly, one may define the number field ring Z[r] as the subset of Q[r] where a0,...,an-1 are restricted to be integers.
Method
We choose two polynomials f(x) and g(x) of small degrees d and e, which have integer coefficients, which are irreducible over the rationals, and which, when interpreted mod n, have a common integer root m. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree d for a polynomial, consider the expansion of n in base m (allowing digits between and m) for a number of different m of order n1/d, and pick f(x) as the polynomial with the smallest coefficients and g(x) as x m.
We consider the number field rings Z[r1] and Z[r2], where r1 and r2 are complex roots of the polynomials f and g. Since f is of degree d with integer coefficients, if a and b are integers, then so will be bdf(a/b), which we call r. Similarly, s = beg(a/b) is an integer. We seek to find integer values of a and b that simultaneously make r and s smooth relative to the chosen basis of primes. If a and b are small, then r and s will be small too, about the size of m, and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving; to get acceptable yields, it is necessary to use a large factor base.
Having enough such pairs, using Gaussian elimination, we can get products of certain r and of the corresponding s to be squares at the same time. We need a slightly stronger conditionhat they are norms of squares in our number fields, but we can get that condition by this method too. Each r is a norm of a r1b and hence we get that the product of the corresponding factors a r1b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1])t will typically be represented as an irrational algebraic number. Similarly, we get that the product of the factors a r2b is a square in Z[r2], with a "square root" which we can also compute.
Since m is a root of both f and g mod n, there are homomorphisms from the rings Z[r1] and Z[r2] to the ring Z/nZ (the integers mod n), which map r1 and r2 to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now the product of the factors a mb mod n can be obtained as a square in two waysne for each homomorphism. Thus, we get two numbers x and y, with x2 y2 divisible by n and again with probability at least one half we get a factor of n by finding the greatest common divisor of n and x y.
Improving polynomial choice
The choice of polynomial can dramatically affect the time to complete the remainder of the algorithm. The method of choosing polynomials based on the expansion of n in base m shown above is suboptimal in many practical situations, leading to the development of better methods.
One such method was suggested by Murphy and Brent; they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.
The best reported results were achieved by the method of Thorsten Kleinjung, which allows g(x) = ax + b, and searches over a composed of small prime factors congruent to 1 modulo 2d and over leading coefficients of f which are divisible by 60.
Implementations
Until 2007, the gold-standard implementation was a suite of software developed and distributed by CWI in the Netherlands, which was available only under a relatively restrictive license. In 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is public-domain. msieve, however, can only run on a single SMP computer, whilst CWI's implementation can be distributed among several nodes in a cluster with a sufficiently fast interconnect.
Polynomial selection is normally performed by GPL software written by Kleinjung, or by msieve, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.
NFSNet
NFS@Home
GGNFS
pGNFS
factor by gnfs
msieve, which contains excellent final-processing code, a good implementation of the polynomial selection which is very good for smaller numbers, and an implementation of the line sieve.
kmGNFS
References
^ Pomerance, Carl (December 1996), "A Tale of Two Sieves" (PDF), Notices of the AMS 43 (12): 14731485, http://www.ams.org/notices/199612/pomerance.pdf
^ B. Murphy and R. P. Brent. "On quadratic polynomials for the number field sieve". Australian Computer Science Communications 20 (1998), pp. 199213.
^ Franke, Jens (2006) (PDF), On RSA 200 and larger projects, http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf
^ Kleinjung, Thorsten (October 2006). "On polynomial selection for the general number field sieve" (PDF). Mathematics of Computation 75 (256): 20372047. doi:10.1090/S0025-5718-06-01870-9. http://www.ams.org/mcom/2006-75-256/S0025-5718-06-01870-9/S0025-5718-06-01870-9.pdf. Retrieved 2007-12-13.
Arjen K. Lenstra and H. W. Lenstra, Jr. (eds.). "The development of the number field sieve". Lecture Notes in Math. (1993) 1554. Springer-Verlag.
Richard Crandall and Carl Pomerance. Prime Numbers: A Computational Perspective (2001). 2nd edition, Springer. ISBN 0-387-25282-7. Section 6.2: Number field sieve, pp. 278301.
v d e
Number-theoretic algorithms
Primality tests
AKS APR BallieSW ECPP Elliptic curve Pocklington Fermat Lucas Lucasehmer Lucasehmeriesel Proth's theorem Ppin's Solovaytrassen Millerabin Trial division
Sieving algorithms
Sieve of Atkin Sieve of Eratosthenes Sieve of Sundaram Wheel factorization
Integer factorization algorithms
CFRAC Dixon's ECM Euler's Pollard's rho p 1 p + 1 QS GNFS SNFS rational sieve Fermat's Shanks' square forms Trial division Shor's
Multiplication algorithms
Ancient Egyptian multiplication Karatsuba algorithm Toomook multiplication Schnhagetrassen algorithm Frer's algorithm
Discrete logarithm algorithms
Baby-step giant-step Pollard rho Pollard kangaroo Pohligellman Index calculus Function field sieve
GCD algorithms
Binary GCD Euclidean Extended Euclidean
Other algorithms
Aryabhata Chakravala Cipolla integer relation algorithm integer square root Modular exponentiation Pocklington Schoof's Tonellihanks
Italics indicate that algorithm is for numbers of special forms; bold indicates deterministic algorithm for primality tests.
Categories: Integer factorization algorithms
Suppose f is an n-degree polynomial over Q (the rational numbers), and r is a complex root of f. Then, f(r) = 0, which can be rearranged to express rn as a linear combination of powers of r less than n. This equation can be used to reduce away any powers of r n. For example, if f(x) = x2 + 1 and r is the imaginary unit i, then i2 + 1=0, or i2 = 1. This allows us to define the complex product:
(a+bi)(c+di) = ac + (ad+bc)i + (bd)i2 = (ac - bd) + (ad+bc)i.
In general, this leads directly to the algebraic number field Q[r], which can be defined as the set of real numbers given by:
an-1rn-1 + ... + a1r1 + a0r0, where a0,...,an-1 in Q.
The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of r n as described above, yielding a value in the same form. To ensure that this field is actually n-dimensional and does not collapse to an even smaller field, it is sufficient that f is an irreducible polynomial. Similarly, one may define the number field ring Z[r] as the subset of Q[r] where a0,...,an-1 are restricted to be integers.
Method
We choose two polynomials f(x) and g(x) of small degrees d and e, which have integer coefficients, which are irreducible over the rationals, and which, when interpreted mod n, have a common integer root m. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree d for a polynomial, consider the expansion of n in base m (allowing digits between and m) for a number of different m of order n1/d, and pick f(x) as the polynomial with the smallest coefficients and g(x) as x m.
We consider the number field rings Z[r1] and Z[r2], where r1 and r2 are complex roots of the polynomials f and g. Since f is of degree d with integer coefficients, if a and b are integers, then so will be bdf(a/b), which we call r. Similarly, s = beg(a/b) is an integer. We seek to find integer values of a and b that simultaneously make r and s smooth relative to the chosen basis of primes. If a and b are small, then r and s will be small too, about the size of m, and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving; to get acceptable yields, it is necessary to use a large factor base.
Having enough such pairs, using Gaussian elimination, we can get products of certain r and of the corresponding s to be squares at the same time. We need a slightly stronger conditionhat they are norms of squares in our number fields, but we can get that condition by this method too. Each r is a norm of a r1b and hence we get that the product of the corresponding factors a r1b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1])t will typically be represented as an irrational algebraic number. Similarly, we get that the product of the factors a r2b is a square in Z[r2], with a "square root" which we can also compute.
Improving polynomial choice
The choice of polynomial can dramatically affect the time to complete the remainder of the algorithm. The method of choosing polynomials based on the expansion of n in base m shown above is suboptimal in many practical situations, leading to the development of better methods.
One such method was suggested by Murphy and Brent; they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.
The best reported results were achieved by the method of Thorsten Kleinjung, which allows g(x) = ax + b, and searches over a composed of small prime factors congruent to 1 modulo 2d and over leading coefficients of f which are divisible by 60.
Implementations
Until 2007, the gold-standard implementation was a suite of software developed and distributed by CWI in the Netherlands, which was available only under a relatively restrictive license. In 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is public-domain. msieve, however, can only run on a single SMP computer, whilst CWI's implementation can be distributed among several nodes in a cluster with a sufficiently fast interconnect.
Polynomial selection is normally performed by GPL software written by Kleinjung, or by msieve, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.
NFSNet
NFS@Home
GGNFS
pGNFS
factor by gnfs
msieve, which contains excellent final-processing code, a good implementation of the polynomial selection which is very good for smaller numbers, and an implementation of the line sieve.
kmGNFS
References
^ Pomerance, Carl (December 1996), "A Tale of Two Sieves" (PDF), Notices of the AMS 43 (12): 14731485, http://www.ams.org/notices/199612/pomerance.pdf
^ B. Murphy and R. P. Brent. "On quadratic polynomials for the number field sieve". Australian Computer Science Communications 20 (1998), pp. 199213.
^ Franke, Jens (2006) (PDF), On RSA 200 and larger projects, http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf
^ Kleinjung, Thorsten (October 2006). "On polynomial selection for the general number field sieve" (PDF). Mathematics of Computation 75 (256): 20372047. doi:10.1090/S0025-5718-06-01870-9. http://www.ams.org/mcom/2006-75-256/S0025-5718-06-01870-9/S0025-5718-06-01870-9.pdf. Retrieved 2007-12-13.
Arjen K. Lenstra and H. W. Lenstra, Jr. (eds.). "The development of the number field sieve". Lecture Notes in Math. (1993) 1554. Springer-Verlag.
Richard Crandall and Carl Pomerance. Prime Numbers: A Computational Perspective (2001). 2nd edition, Springer. ISBN 0-387-25282-7. Section 6.2: Number field sieve, pp. 278301.
v d e
Number-theoretic algorithms
Primality tests
AKS APR BallieSW ECPP Elliptic curve Pocklington Fermat Lucas Lucasehmer Lucasehmeriesel Proth's theorem Ppin's Solovaytrassen Millerabin Trial division
Sieving algorithms
Sieve of Atkin Sieve of Eratosthenes Sieve of Sundaram Wheel factorization
Integer factorization algorithms
CFRAC Dixon's ECM Euler's Pollard's rho p 1 p + 1 QS GNFS SNFS rational sieve Fermat's Shanks' square forms Trial division Shor's
Multiplication algorithms
Ancient Egyptian multiplication Karatsuba algorithm Toomook multiplication Schnhagetrassen algorithm Frer's algorithm
Discrete logarithm algorithms
Baby-step giant-step Pollard rho Pollard kangaroo Pohligellman Index calculus Function field sieve
GCD algorithms
Binary GCD Euclidean Extended Euclidean
Other algorithms
Aryabhata Chakravala Cipolla integer relation algorithm integer square root Modular exponentiation Pocklington Schoof's Tonellihanks
Italics indicate that algorithm is for numbers of special forms; bold indicates deterministic algorithm for primality tests.
Categories: Integer factorization algorithms
Article Wall
Let everyone know your opinion on this article by writing a review!