General number field sieve

From Free net encyclopedia

In mathematics, the general number field sieve is the most efficient algorithm known for factoring integers larger than 100 digits. It uses

<math>O\left(\exp\left(\left(\begin{matrix}\frac{64}{9}\end{matrix} n\right)^{1\over3} (\log n)^{2\over3}\right)\right)</math>

steps to factor an integer with n decimal digits (see Big O notation). It is a generalization of the special number field sieve: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number (apart from prime powers, but this is a minor issue). When the term number field sieve is used without qualification, it refers to the general number field sieve.

The principle of the number field sieve (both special and general) can be understood as an extension of the simpler rational sieve. When using the rational sieve to factor a large number n, it is necessary to search for smooth numbers (i.e. numbers with small prime factors) of order n; the rarity of these causes the rational sieve to be impractical. The general number field sieve, on the other hand, only requires a search for smooth numbers of order n1/d, where d is some integer greater than one. Since larger numbers are far less likely to be smooth than smaller numbers, this is the key to the efficiency of the number field sieve. But in order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.

[edit]

Method

We choose two irreducible polynomials f(x) and g(x) with common root m mod n; they will be of order of m, while having small degrees d and e of our polynomials. The best way to choose the polynomials has not been proven, but usually it is done by picking a degree d for a polynomial and considering expansion of n in basis m where m is of order n1/d. The point is to get coefficients of f and g as small as possible. Currently the best way is described by Murphy and Brent [1].

Now, we consider number field rings Z[r1] and Z[r2] where r1 and r2 are roots of polynomials f and g, and look for values a and b such that r = bd·f(a/b) and s = be·g(a/b) are smooth relative to the chosen basis of primes. If a and b are small, r and s will be too (but at least of order of m), and we have a better chance for them to be smooth at the same time.

Having enough such pairs, using Gaussian elimination, we can get products of certain r and of corresponding s to be squares at the same time. We need a slightly stronger condition — that they are norms of squares in our number fields, but we can get that condition by this method too. Each r is a norm of a- r1*b and hence we get that product of corresponding factors a- r1*b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1]) — it will typically be represented as a nonrational algebraic number. Similarly, we get that product of factors a- r2*b is a square in Z[r2], with a "square root" which we can also compute.

Since m is root of both f and g mod n, there are homomorphisms from the rings Z[r1] and Z[r2] to the ring Z/nZ, which map r1 and r2 to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now product of factors a-m*b mod n we can get as a square in two ways - one for each homomorphism. Thus, we get two numbers x and y, with x2-y2 divisible by n and again with probability at least one half we get a factor of n by finding greatest common divisor of n and x-y.

The second-best-known algorithm for integer factorization is the Lenstra elliptic curve factorization method. It is better than the general number field sieve when factors are of small size, as it works by finding smooth values of order of the smallest prime divisor of n, and its running time depends on the size of this divisor.

[edit]

Implementations

[edit]

References

  • [1] Murphy, B.; Brent, R. P., On quadratic polynomials for the number field sieve. Australian Computer Science Communications 20 (1998), pp. 199-213. [1]
  • Lenstra, Arjen K.; Lenstra, H.W., Jr. (Eds.) (1993). The development of the number field sieve. Lecture Notes in Math. 1554. Springer-Verlag.
  • Pomerance, Carl (1996). A Tale of Two Sieves. Notices of the AMS 1996, 1473–1485.
  • Template:Cite book Section 6.2: Number field sieve, pp.244–267.de:Zahlkörpersieb

fr:Algorithme de factorisation par crible sur les corps de nombres généralisé zh:普通数域筛选法

Retrieved from "http://www.netipedia.com/index.php/General_number_field_sieve"