General number field sieve

In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than 100 digits. Heuristically, its complexity for factoring an integer n (consisting of log₂ n bits) is of the form

$\exp\left( \left(\sqrt[3]{\frac{64}{9}} + o(1)\right)(\log n)^{\frac{1}{3}}(\log \log n)^{\frac{2}{3}}\right) =L_n\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]$

(in L-notation).^[1] It is a generalization of the special number field sieve: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number apart from prime powers (which are trivial to factor by taking roots). When the term number field sieve (NFS) is used without qualification, it refers to the general number field sieve.

The principle of the number field sieve (both special and general) can be understood as an improvement to the simpler rational sieve or quadratic sieve. When using such algorithms to factor a large number n, it is necessary to search for smooth numbers (i.e. numbers with small prime factors) of order n^1/2. The size of these values is exponential in the size of n (see below). The general number field sieve, on the other hand, manages to search for smooth numbers that are subexponential in the size of n. Since these numbers are smaller, they are more likely to be smooth than the numbers inspected in previous algorithms. This is the key to the efficiency of the number field sieve. In order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.

Note that log₂ n is the number of bits in the binary representation of n, that is the size of the input to the algorithm, so any element of the order n^c for a constant c is exponential in log n. The running time of the number field sieve is super-polynomial but sub-exponential in the size of the input.

Number fields

Main article: Number field

Suppose f is an n-degree polynomial over Q (the rational numbers), and r is a complex root of f. Then, f(r) = 0, which can be rearranged to express rⁿ as a linear combination of powers of r less than n. This equation can be used to reduce away any powers of r ≥ n. For example, if f(x) = x² + 1 and r is the imaginary unit i, then i² + 1=0, or i² = −1. This allows us to define the complex product:

(a+bi)(c+di) = ac + (ad+bc)i + (bd)i² = (ac − bd) + (ad+bc)i.

In general, this leads directly to the algebraic number field Q[r], which can be defined as the set of real numbers given by:

a_n−1rⁿ⁻¹ + ... + a₁r¹ + a₀r⁰, where a₀,...,a_n−1 in Q.

The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of r ≥ n as described above, yielding a value in the same form. To ensure that this field is actually n-dimensional and does not collapse to an even smaller field, it is sufficient that f is an irreducible polynomial. Similarly, one may define the number field ring Z[r] as the subset of Q[r] where a₀,...,a_n−1 are restricted to be integers.

Method

Two polynomials f(x) and g(x) of small degrees d and e are chosen, which have integer coefficients, which are irreducible over the rationals, and which, when interpreted mod n, have a common integer root m. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree d for a polynomial, consider the expansion of n in base m (allowing digits between −m and m) for a number of different m of order n^1/d, and pick f(x) as the polynomial with the smallest coefficients and g(x) as x − m.

Consider the number field rings Z[r₁] and Z[r₂], where r₁ and r₂ are roots of the polynomials f and g. Since f is of degree d with integer coefficients, if a and b are integers, then so will be b^d·f(a/b), which we call r. Similarly, s = b^e·g(a/b) is an integer. The goal is to find integer values of a and b that simultaneously make r and s smooth relative to the chosen basis of primes. If a and b are small, then r and s will be small too, about the size of m, and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving; to get acceptable yields, it is necessary to use a large factor base.

Having enough such pairs, using Gaussian elimination, one can get products of certain r and of the corresponding s to be squares at the same time. A slightly stronger condition is needed—that they are norms of squares in our number fields, but that condition can be achieved by this method too. Each r is a norm of a − r₁b and hence that the product of the corresponding factors a − r₁b is a square in Z[r₁], with a "square root" which can be determined (as a product of known factors in Z[r₁])—it will typically be represented as an irrational algebraic number. Similarly, the product of the factors a − r₂b is a square in Z[r₂], with a "square root" which also can be computed. It should be remarked that the use of Gaussian elimination does not give the optimal run time of the algorithm. Instead, sparse matrix solving algorithms such as Block Lanczos or Block Wiedemann are used.

Since m is a root of both f and g mod n, there are homomorphisms from the rings Z[r₁] and Z[r₂] to the ring Z/nZ (the integers mod n), which map r₁ and r₂ to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now the product of the factors a − mb mod n can be obtained as a square in two ways—one for each homomorphism. Thus, one can find two numbers x and y, with x² − y² divisible by n and again with probability at least one half we get a factor of n by finding the greatest common divisor of n and x − y.

Improving polynomial choice

The choice of polynomial can dramatically affect the time to complete the remainder of the algorithm. The method of choosing polynomials based on the expansion of n in base m shown above is suboptimal in many practical situations, leading to the development of better methods.

One such method was suggested by Murphy and Brent;^[2] they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.

The best reported results^[3] were achieved by the method of Thorsten Kleinjung,^[4] which allows g(x) = ax + b, and searches over a composed of small prime factors congruent to 1 modulo 2d and over leading coefficients of f which are divisible by 60.

Implementations

Some implementations focus on a certain smaller class of numbers. These are known as special number field sieve techniques, such as used in the Cunningham project. A project called NFSNET ran from 2002^[5] through at least 2007. It used volunteer distributed computing on the Internet.^[6] Paul Leyland of the United Kingdom and Richard Wackerbarth of Texas were involved.^[7]

Until 2007, the gold-standard implementation was a suite of software developed and distributed by CWI in the Netherlands, which was available only under a relatively restrictive license. In 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is public-domain. Both implementations feature the ability to be distributed among several nodes in a cluster with a sufficiently fast interconnect.

Polynomial selection is normally performed by GPL software written by Kleinjung, or by msieve, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.

• NFS@Home
• GGNFS
• pGNFS
• factor by gnfs
• CADO-NFS
• msieve, which contains excellent final-processing code, a good implementation of the polynomial selection which is very good for smaller numbers, and an implementation of the line sieve.
• kmGNFS

See also

• Special number field sieve

References

1. ^ Pomerance, Carl (December 1996). "A Tale of Two Sieves" (PDF). Notices of the AMS 43 (12): pp. 1473–1485. http://www.ams.org/notices/199612/pomerance.pdf 
2. ^ B. Murphy and R. P. Brent. "On quadratic polynomials for the number field sieve". Australian Computer Science Communications 20 (1998), pp. 199–213. [1]
3. ^ Franke, Jens (2006) (PDF), On RSA 200 and larger projects, http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf 
4. ^ Kleinjung, Thorsten (October 2006). "On polynomial selection for the general number field sieve" (PDF). Mathematics of Computation 75 (256): 2037–2047. doi:10.1090/S0025-5718-06-01870-9. http://www.ams.org/mcom/2006-75-256/S0025-5718-06-01870-9/S0025-5718-06-01870-9.pdf. Retrieved 2007-12-13. 
5. ^ Paul Leyland (December 12, 2003). "NFSNET: the first year". Presentation at EIDMA-CWI Workshop on Factoring Large Numbers. http://homepages.cwi.nl/~herman/Leyland.ppt. Retrieved August 9, 2011. 
6. ^ "Welcome to NFSNET". April 23, 2007. Archived from the original on October 22, 2007. http://web.archive.org/web/20071022032617/http://www.nfsnet.org/. Retrieved August 9, 2011. 
7. ^ "About NFSNET". Archived from the original on May 9, 2008. http://web.archive.org/web/20080509131653/http://www.nfsnet.org/aboutus.html. Retrieved August 9, 2011. 

• Arjen K. Lenstra and H. W. Lenstra, Jr. (eds.). "The development of the number field sieve". Lecture Notes in Math. (1993) 1554. Springer-Verlag.
• Richard Crandall and Carl Pomerance. Prime Numbers: A Computational Perspective (2001). 2nd edition, Springer. ISBN 0-387-25282-7. Section 6.2: Number field sieve, pp. 278–301.