General number field sieve
Encyclopedia
In number theory
, the general number field sieve (GNFS) is the most efficient
classical algorithm
known for factoring integers
larger than 100 digits. Heuristic
ally, its complexity
for factoring an integer n (consisting of log2 n bits) is of the form
(in L-notation
). It is a generalization of the special number field sieve
: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number apart from prime power
s (which are trivial to factor by taking roots). When the term number field sieve (NFS) is used without qualification, it refers to the general number field sieve.
The principle of the number field sieve (both special and general) can be understood as an improvement to the simpler rational sieve
or quadratic sieve
. When using such algorithms to factor a large number n, it is necessary to search for smooth number
s (i.e. numbers with small prime factors) of order n1/2. The size of these values is exponential in the size of n (see below). The general number field sieve, on the other hand, manages to search for smooth numbers that are subexponential in the size of n. Since these numbers are smaller, they are more likely to be smooth than the numbers inspected in previous algorithms. This is the key to the efficiency of the number field sieve. In order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.
Note that log2 n is the number of bits in the binary representation of n, that is the size of the input to the algorithm, so any element of the order nc for a constant c is exponential in log n. The running time of the number field sieve is super-polynomial but sub-exponential in the size of the input.
In general, this leads directly to the algebraic number field
Q[r], which can be defined as the set of real numbers given by:
The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of r ≥ n as described above, yielding a value in the same form. To ensure that this field is actually n-dimensional and does not collapse to an even smaller field, it is sufficient that f is an irreducible polynomial
. Similarly, one may define the number field ring Z[r] as the subset of Q[r] where a0,...,an−1 are restricted to be integers.
s f(x) and g(x) of small degrees
d and e are chosen, which have integer coefficients, which are irreducible
over the rationals
, and which, when interpreted mod n
, have a common integer root m. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree d for a polynomial, consider the expansion of n in base m
(allowing digits between −m and m) for a number of different m of order n1/d, and pick f(x) as the polynomial with the smallest coefficients and g(x) as x − m.
Consider the number field rings Z[r1] and Z[r2], where r1 and r2 are roots of the polynomials f and g. Since f is of degree d with integer coefficients, if a and b are integers, then so will be bd·f(a/b), which we call r. Similarly, s = be·g(a/b) is an integer. The goal is to find integer values of a and b that simultaneously make r and s smooth
relative to the chosen basis of primes. If a and b are small, then r and s will be small too, about the size of m, and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving
; to get acceptable yields, it is necessary to use a large factor base.
Having enough such pairs, using Gaussian elimination
, one can get products of certain r and of the corresponding s to be squares at the same time. A slightly stronger condition is needed—that they are norms
of squares in our number fields, but that condition can be achieved by this method too. Each r is a norm of a − r1b and hence that the product of the corresponding factors a − r1b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1])—it will typically be represented as an irrational algebraic number
. Similarly, the product of the factors a − r2b is a square in Z[r2], with a "square root" which also can be computed. It should be remarked that the use of Gaussian elimination does not give the optimal run time of the algorithm. Instead, sparse matrix solving algorithms such as Block Lanczos
or Block Wiedemann
are used.
Since m is a root of both f and g mod n, there are homomorphism
s from the rings Z[r1] and Z[r2] to the ring Z/nZ (the integers mod n
), which map r1 and r2 to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now the product of the factors a − mb mod n can be obtained as a square in two ways—one for each homomorphism. Thus, one can find two numbers x and y, with x2 − y2 divisible by n and again with probability at least one half we get a factor of n by finding the greatest common divisor
of n and x − y.
One such method was suggested by Murphy and Brent; they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.
The best reported results were achieved by the method of Thorsten Kleinjung, which allows g(x) = ax + b, and searches over a composed of small prime factors congruent to 1 modulo 2d and over leading coefficients of f which are divisible by 60.
techniques, such as used in the Cunningham project
.
A project called NFSNET ran from 2002 through at least 2007. It used volunteer distributed computing on the Internet
.
Paul Leyland
of the United Kingdom
and Richard Wackerbarth of Texas were involved.
Until 2007, the gold-standard implementation was a suite of software developed and distributed by CWI in the Netherlands, which was available only under a relatively restrictive license. In 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is public-domain. Both implementations feature the ability to be distributed among several nodes in a cluster with a sufficiently fast interconnect.
Polynomial selection is normally performed by GPL software written by Kleinjung, or by msieve, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.
Number theory
Number theory is a branch of pure mathematics devoted primarily to the study of the integers. Number theorists study prime numbers as well...
, the general number field sieve (GNFS) is the most efficient
Algorithmic efficiency
In computer science, efficiency is used to describe properties of an algorithm relating to how much of various types of resources it consumes. Algorithmic efficiency can be thought of as analogous to engineering productivity for a repeating or continuous process, where the goal is to reduce...
classical algorithm
Algorithm
In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning...
known for factoring integers
Integer factorization
In number theory, integer factorization or prime factorization is the decomposition of a composite number into smaller non-trivial divisors, which when multiplied together equal the original integer....
larger than 100 digits. Heuristic
Heuristic
Heuristic refers to experience-based techniques for problem solving, learning, and discovery. Heuristic methods are used to speed up the process of finding a satisfactory solution, where an exhaustive search is impractical...
ally, its complexity
Computational complexity theory
Computational complexity theory is a branch of the theory of computation in theoretical computer science and mathematics that focuses on classifying computational problems according to their inherent difficulty, and relating those classes to each other...
for factoring an integer n (consisting of log2 n bits) is of the form
(in L-notation
L-notation
L-notation is an asymptotic notation analogous to big-O notation, denoted as L_n[\alpha,c] for a bound variable n tending to infinity. Like big-O notation, it is usually used to roughly convey the computational complexity of a particular algorithm....
). It is a generalization of the special number field sieve
Special number field sieve
In number theory, a branch of mathematics, the special number field sieve is a special-purpose integer factorization algorithm. The general number field sieve was derived from it....
: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number apart from prime power
Prime power
In mathematics, a prime power is a positive integer power of a prime number.For example: 5=51, 9=32 and 16=24 are prime powers, while6=2×3, 15=3×5 and 36=62=22×32 are not...
s (which are trivial to factor by taking roots). When the term number field sieve (NFS) is used without qualification, it refers to the general number field sieve.
The principle of the number field sieve (both special and general) can be understood as an improvement to the simpler rational sieve
Rational sieve
In mathematics, the rational sieve is a general algorithm for factoring integers into prime factors. It is essentially a special case of the general number field sieve, and while it is far less efficient than the general algorithm, it is conceptually far simpler...
or quadratic sieve
Quadratic sieve
The quadratic sieve algorithm is a modern integer factorization algorithm and, in practice, the second fastest method known . It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve...
. When using such algorithms to factor a large number n, it is necessary to search for smooth number
Smooth number
In number theory, a smooth number is an integer which factors completely into small prime numbers. The term seems to have been coined by Leonard Adleman. Smooth numbers are especially important in cryptography relying on factorization.-Definition:...
s (i.e. numbers with small prime factors) of order n1/2. The size of these values is exponential in the size of n (see below). The general number field sieve, on the other hand, manages to search for smooth numbers that are subexponential in the size of n. Since these numbers are smaller, they are more likely to be smooth than the numbers inspected in previous algorithms. This is the key to the efficiency of the number field sieve. In order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.
Note that log2 n is the number of bits in the binary representation of n, that is the size of the input to the algorithm, so any element of the order nc for a constant c is exponential in log n. The running time of the number field sieve is super-polynomial but sub-exponential in the size of the input.
Number fields
Suppose f is an n-degree polynomial over Q (the rational numbers), and r is a complex root of f. Then, f(r) = 0, which can be rearranged to express rn as a linear combination of powers of r less than n. This equation can be used to reduce away any powers of r ≥ n. For example, if f(x) = x2 + 1 and r is the imaginary unit i, then i2 + 1=0, or i2 = −1. This allows us to define the complex product:(c+di) = ac + (ad+bc)i + (bd)i2 = (ac − bd) + (ad+bc)i.In general, this leads directly to the algebraic number field
Algebraic number field
In mathematics, an algebraic number field F is a finite field extension of the field of rational numbers Q...
Q[r], which can be defined as the set of real numbers given by:
- an−1rn−1 + ... + a1r1 + a0r0, where a0,...,an−1 in Q.
The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of r ≥ n as described above, yielding a value in the same form. To ensure that this field is actually n-dimensional and does not collapse to an even smaller field, it is sufficient that f is an irreducible polynomial
Irreducible polynomial
In mathematics, the adjective irreducible means that an object cannot be expressed as the product of two or more non-trivial factors in a given set. See also factorization....
. Similarly, one may define the number field ring Z[r] as the subset of Q[r] where a0,...,an−1 are restricted to be integers.
Method
Two polynomialPolynomial
In mathematics, a polynomial is an expression of finite length constructed from variables and constants, using only the operations of addition, subtraction, multiplication, and non-negative integer exponents...
s f(x) and g(x) of small degrees
Degree of a polynomial
The degree of a polynomial represents the highest degree of a polynominal's terms , should the polynomial be expressed in canonical form . The degree of an individual term is the sum of the exponents acting on the term's variables...
d and e are chosen, which have integer coefficients, which are irreducible
Irreducible polynomial
In mathematics, the adjective irreducible means that an object cannot be expressed as the product of two or more non-trivial factors in a given set. See also factorization....
over the rationals
Rational number
In mathematics, a rational number is any number that can be expressed as the quotient or fraction a/b of two integers, with the denominator b not equal to zero. Since b may be equal to 1, every integer is a rational number...
, and which, when interpreted mod n
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
, have a common integer root m. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree d for a polynomial, consider the expansion of n in base m
Radix
In mathematical numeral systems, the base or radix for the simplest case is the number of unique digits, including zero, that a positional numeral system uses to represent numbers. For example, for the decimal system the radix is ten, because it uses the ten digits from 0 through 9.In any numeral...
(allowing digits between −m and m) for a number of different m of order n1/d, and pick f(x) as the polynomial with the smallest coefficients and g(x) as x − m.
Consider the number field rings Z[r1] and Z[r2], where r1 and r2 are roots of the polynomials f and g. Since f is of degree d with integer coefficients, if a and b are integers, then so will be bd·f(a/b), which we call r. Similarly, s = be·g(a/b) is an integer. The goal is to find integer values of a and b that simultaneously make r and s smooth
Smooth number
In number theory, a smooth number is an integer which factors completely into small prime numbers. The term seems to have been coined by Leonard Adleman. Smooth numbers are especially important in cryptography relying on factorization.-Definition:...
relative to the chosen basis of primes. If a and b are small, then r and s will be small too, about the size of m, and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving
Lattice sieving
Lattice sieving is a technique for finding smooth values of a bivariate polynomial f over a large region. It is almost exclusively used in conjunction with the number field sieve...
; to get acceptable yields, it is necessary to use a large factor base.
Having enough such pairs, using Gaussian elimination
Gaussian elimination
In linear algebra, Gaussian elimination is an algorithm for solving systems of linear equations. It can also be used to find the rank of a matrix, to calculate the determinant of a matrix, and to calculate the inverse of an invertible square matrix...
, one can get products of certain r and of the corresponding s to be squares at the same time. A slightly stronger condition is needed—that they are norms
Field norm
In mathematics, the norm is a mapping defined in field theory, to map elements of a larger field into a smaller one.-Formal definitions:1. Let K be a field and L a finite extension of K...
of squares in our number fields, but that condition can be achieved by this method too. Each r is a norm of a − r1b and hence that the product of the corresponding factors a − r1b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1])—it will typically be represented as an irrational algebraic number
Algebraic number
In mathematics, an algebraic number is a number that is a root of a non-zero polynomial in one variable with rational coefficients. Numbers such as π that are not algebraic are said to be transcendental; almost all real numbers are transcendental...
. Similarly, the product of the factors a − r2b is a square in Z[r2], with a "square root" which also can be computed. It should be remarked that the use of Gaussian elimination does not give the optimal run time of the algorithm. Instead, sparse matrix solving algorithms such as Block Lanczos
Block Lanczos algorithm for nullspace of a matrix over a finite field
The block Lanczos algorithm for nullspace of a matrix over a finite field is a procedure for finding the nullspace of a matrix using only multiplication of the matrix by long, thin matrices...
or Block Wiedemann
Block Wiedemann algorithm
The block Wiedemann algorithm for computing kernel vectors of a matrix over a finite field is a generalisation of an algorithm due to Don Coppersmith.- Coppersmith's algorithm :...
are used.
Since m is a root of both f and g mod n, there are homomorphism
Homomorphism
In abstract algebra, a homomorphism is a structure-preserving map between two algebraic structures . The word homomorphism comes from the Greek language: ὁμός meaning "same" and μορφή meaning "shape".- Definition :The definition of homomorphism depends on the type of algebraic structure under...
s from the rings Z[r1] and Z[r2] to the ring Z/nZ (the integers mod n
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
), which map r1 and r2 to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now the product of the factors a − mb mod n can be obtained as a square in two ways—one for each homomorphism. Thus, one can find two numbers x and y, with x2 − y2 divisible by n and again with probability at least one half we get a factor of n by finding the greatest common divisor
Greatest common divisor
In mathematics, the greatest common divisor , also known as the greatest common factor , or highest common factor , of two or more non-zero integers, is the largest positive integer that divides the numbers without a remainder.For example, the GCD of 8 and 12 is 4.This notion can be extended to...
of n and x − y.
Improving polynomial choice
The choice of polynomial can dramatically affect the time to complete the remainder of the algorithm. The method of choosing polynomials based on the expansion of n in base m shown above is suboptimal in many practical situations, leading to the development of better methods.One such method was suggested by Murphy and Brent; they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.
The best reported results were achieved by the method of Thorsten Kleinjung, which allows g(x) = ax + b, and searches over a composed of small prime factors congruent to 1 modulo 2d and over leading coefficients of f which are divisible by 60.
Implementations
Some implementations focus on a certain smaller class of numbers. These are known as special number field sieveSpecial number field sieve
In number theory, a branch of mathematics, the special number field sieve is a special-purpose integer factorization algorithm. The general number field sieve was derived from it....
techniques, such as used in the Cunningham project
Cunningham project
The Cunningham project aims to find factors of large numbers of the formb^n \pm 1for b = 2, 3, 5, 6, 7, 10, 11, 12 and large exponents n. The project is named after Allan Joseph Champneys Cunningham, who published the first version of the table together with Herbert J. Woodall in 1925...
.
A project called NFSNET ran from 2002 through at least 2007. It used volunteer distributed computing on the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
.
Paul Leyland
Paul Leyland
Paul Leyland is a British number theorist who has studied integer factorization and primality testing.He has contributed to the factorization of RSA-129, RSA-140, and RSA-155, as well as potential factorial primes as large as 400! + 1. He has also studied Cunningham numbers, Cullen numbers, Woodall...
of the United Kingdom
United Kingdom
The United Kingdom of Great Britain and Northern IrelandIn the United Kingdom and Dependencies, other languages have been officially recognised as legitimate autochthonous languages under the European Charter for Regional or Minority Languages...
and Richard Wackerbarth of Texas were involved.
Until 2007, the gold-standard implementation was a suite of software developed and distributed by CWI in the Netherlands, which was available only under a relatively restrictive license. In 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is public-domain. Both implementations feature the ability to be distributed among several nodes in a cluster with a sufficiently fast interconnect.
Polynomial selection is normally performed by GPL software written by Kleinjung, or by msieve, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.