All Topics  
General number field sieve

 

 
   Email Print
   Bookmark   Link
 

 

General number field sieve
 
 
  Topics General number field sieve Topic Home

In mathematics
Mathematics

Mathematics is the study of quantity, structure, space, change, and related topics of pattern and form. Mathematicians seek out patterns whether found in numbers, space, natural science, computers, imaginary abstractions, or elsewhere....
, the general number field sieve (GNFS) is the most efficient
Algorithmic efficiency

In computer science, efficiency is used to describe properties of an algorithm relating to how much of various types of resources it consumes. The two most frequently encountered are...
 classical algorithm
Algorithm

In mathematics, computing, linguistics and related subjects, an algorithm is a sequence of finite instructions, often used for calculation and data processing....
 known for factoring integers
Integer factorization

In number theory, integer factorization is the breaking down of a composite number into smaller non-trivial divisors, which when multiplied together equal the original integer....
 larger than 100 digits. Heuristic
Heuristic

Heuristic is an adjective for methods that help in problem solving, in turn leading to learning and discovery. These methods in most cases employ experimentation and trial-and-error techniques....
ally, its complexity
Computational complexity theory

Computational complexity theory, as a branch of the theory of computation in computer science, investigates the problems related to the Computational resource required for the execution of algorithms , and the inherent difficulty in providing efficient algorithms for specific computational problems....
 for factoring an integer n (consisting of log n bits) is of the form

(in O
Big O notation

In mathematics, big O notation describes the asymptotic analysis of a function when the argument tends towards a particular value or infinity, usually in terms of simpler functions....
 and L
L-notation

L-notation is an asymptotic analysis notation analogous to big-O notation, denoted as for a bound variable limit . Like big-O notation, it is usually used to roughly convey the computational complexity of a particular algorithm....
 notations) for a constant which depends on the complexity measure and on the variant of the algorithm. It is a generalization of the special number field sieve
Special number field sieve

The special number field sieve is a special-purpose integer factorization algorithm. The general number field sieve was derived from it.The special number field sieve is efficient for integers of the form re ± s, where r and s are small ....
: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number (apart from prime power
Prime power

In mathematics, a prime power is a positive integer exponentiation of a prime number.For example: 5=51, 9=32 and 16=24 are prime powers, while...
s, but this is a minor issue).






Discussion
Ask a question about 'General number field sieve'
Start a new discussion about 'General number field sieve'
Answer questions from other users
Full Discussion Forum



Encyclopedia


In mathematics
Mathematics

Mathematics is the study of quantity, structure, space, change, and related topics of pattern and form. Mathematicians seek out patterns whether found in numbers, space, natural science, computers, imaginary abstractions, or elsewhere....
, the general number field sieve (GNFS) is the most efficient
Algorithmic efficiency

In computer science, efficiency is used to describe properties of an algorithm relating to how much of various types of resources it consumes. The two most frequently encountered are...
 classical algorithm
Algorithm

In mathematics, computing, linguistics and related subjects, an algorithm is a sequence of finite instructions, often used for calculation and data processing....
 known for factoring integers
Integer factorization

In number theory, integer factorization is the breaking down of a composite number into smaller non-trivial divisors, which when multiplied together equal the original integer....
 larger than 100 digits. Heuristic
Heuristic

Heuristic is an adjective for methods that help in problem solving, in turn leading to learning and discovery. These methods in most cases employ experimentation and trial-and-error techniques....
ally, its complexity
Computational complexity theory

Computational complexity theory, as a branch of the theory of computation in computer science, investigates the problems related to the Computational resource required for the execution of algorithms , and the inherent difficulty in providing efficient algorithms for specific computational problems....
 for factoring an integer n (consisting of log n bits) is of the form

(in O
Big O notation

In mathematics, big O notation describes the asymptotic analysis of a function when the argument tends towards a particular value or infinity, usually in terms of simpler functions....
 and L
L-notation

L-notation is an asymptotic analysis notation analogous to big-O notation, denoted as for a bound variable limit . Like big-O notation, it is usually used to roughly convey the computational complexity of a particular algorithm....
 notations) for a constant which depends on the complexity measure and on the variant of the algorithm. It is a generalization of the special number field sieve
Special number field sieve

The special number field sieve is a special-purpose integer factorization algorithm. The general number field sieve was derived from it.The special number field sieve is efficient for integers of the form re ± s, where r and s are small ....
: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number (apart from prime power
Prime power

In mathematics, a prime power is a positive integer exponentiation of a prime number.For example: 5=51, 9=32 and 16=24 are prime powers, while...
s, but this is a minor issue). When the term number field sieve (NFS) is used without qualification, it refers to the general number field sieve.

The principle of the number field sieve (both special and general) can be understood as an extension of the simpler rational sieve
Rational sieve

In mathematics, the rational sieve is a general algorithm for integer factorization. It is essentially a special case of the general number field sieve, and while it is far less algorithmic efficiency than the general algorithm, it is conceptually far simpler....
. When using the rational sieve to factor a large number n, it is necessary to search for smooth number
Smooth number

In number theory, a negative and positive numbers integer is called B-smooth if none of its prime factors are greater than B. For example, 1,620 has prime factorization 22 ? 34 ? 5; therefore 1,620 is 5-smooth since none of its prime factors are greater than 5....
s (i.e. numbers with small prime factors) of order n; the rarity of these causes the rational sieve to be impractical. The general number field sieve, on the other hand, only requires a search for smooth numbers of order n1/d, where d is some integer greater than one. Since larger numbers are far less likely to be smooth than smaller numbers, this is the key to the efficiency of the number field sieve. But in order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.

Note that log n is the number of digits in the binary representation of n, that is the size of the input to the algorithm. The (worst-case) running time is therefore super-polynomial in the size of the input. It is an important open problem whether factorization can be done in reasonable time — polynomial time
Polynomial time

In computational complexity theory, polynomial time refers to the computation time of a problem where the run time, , is no greater than a polynomial function of the problem size, n....
 — on a classical computer. On a quantum computer
Quantum computer

A quantum computer is a device for computation that makes direct use of quantum mechanical phenomena, such as quantum superposition and quantum entanglement, to perform operations on data....
, factorization is a tractable problem using Shor's algorithm
Shor's algorithm

Shor's algorithm, first introduced by mathematician Peter Shor, is a quantum computer algorithm for integer factorization. On a quantum computer, to factor an integer , Shor's algorithm takes polynomial time in , specifically , demonstrating that integer factorization is in the complexity class BQP....
.

Method

We choose two polynomial
Polynomial

In mathematics, a polynomial is an expression constructed from variables and constants, using the operations of addition, subtraction, multiplication, and constant non-negative whole number exponents....
s f(x) and g(x) of small degrees
Degree of a polynomial

When a polynomial is expressed as a sum or difference of term s , the exponent of the term with the highest exponent is the degree of the polynomial....
 d and e, which have integer coefficients, which are irreducible
Irreducible polynomial

In mathematics, the adjective irreducible means that an object cannot be expressed as a product of at least two non-trivial factors in a given set....
 over the rationals
Rational number

In mathematics, a rational number is a number which can be expressed as a quotient of two integers. Non-integer rational numbers are usually written as the vulgar fraction , where b is not 0 ....
, and which, when interpreted mod n
Modular arithmetic

In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value — the modulus....
, have a common root
Root (mathematics)

In mathematics, a root of a complex-valued Function is a member of the Domain of such that vanishes at , that is,In other words, a "root" of a function is a value for that produces a result of zero ....
 m. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree d for a polynomial, consider the expansion of n in base m
Radix

In numeral system, the base or radix is usually the number of unique Numerical digit, including zero, that a Positional notation numeral system uses to represent numbers....
 (allowing digits between −m and m) for a number of different m of order n1/d, and pick f(x) as the polynomial with the smallest coefficients and g(x) as x − m.

A better method was suggested by Murphy and Brent ; they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.

The best reported results were achieved by the method of Thorsten Kleinjung , which allows g(x) = ax + b, and searches over a composed of small prime factors congruent to 1 modulo 2d and over leading coefficients of f which are divisible by 60.

Now, we consider the number field rings Z[r1] and Z[r2], where r1 and r2 are roots of the polynomials f and g, and look for values a and b such that r = bd·f(a/b) and s = be·g(a/b) are smooth relative to the chosen basis of primes. If a and b are small, then r and s will be too (but at least of order of m), and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving
Lattice sieving

Lattice sieving is a technique for finding smooth number values of a bivariate polynomial over a large region. It is almost exclusively used in connection with the number field sieve....
; to get acceptable yields, it is necessary to use a large factor base.

Having enough such pairs, using Gaussian elimination
Gaussian elimination

In linear algebra, Gaussian elimination is an efficient algorithm for solving system of linear equations, finding the Rank of a matrix , and calculating the inverse of an invertible matrix....
, we can get products of certain r and of the corresponding s to be squares at the same time. We need a slightly stronger condition—that they are norms
Field norm

In mathematics, the norm is a mapping defined in field theory , to map elements of a larger field into a smaller one....
 of squares in our number fields, but we can get that condition by this method too. Each r is a norm of a- r1 b and hence we get that the product of the corresponding factors a- r1 b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1])—it will typically be represented as an irrational algebraic number
Algebraic number

In mathematics, an algebraic number is a complex number that is a root of a non-zero polynomial in one variable with rational number coefficients....
. Similarly, we get that the product of the factors a- r2 b is a square in Z[r2], with a "square root" which we can also compute.

Since m is a root of both f and g mod n, there are homomorphism
Homomorphism

In abstract algebra, a homomorphism is a structure-preserving map between two algebraic structures . The word homomorphism comes from the Greek language: ???? meaning "same" and ???f? meaning "shape"....
s from the rings Z[r1] and Z[r2] to the ring Z/nZ, which map r1 and r2 to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now the product of the factors a − mb mod n can be obtained as a square in two ways—one for each homomorphism. Thus, we get two numbers x and y, with x2 − y2 divisible by n and again with probability at least one half we get a factor of n by finding the greatest common divisor
Greatest common divisor

In mathematics, the greatest common divisor , sometimes known as the greatest common factor or highest common factor , of two non-zero integers, is the largest positive integer that divisor both numbers without remainder....
 of n and x − y.

Implementations


Most implementations are split three ways: polynomial selection, sieving, and final processing. A working implementation of GNFS is a reasonable master's thesis, and a few such theses have been written, but full production-scale implementations are rather more work.

The gold-standard implementation until 2007 was a suite of software developed and distributed by CWI
National Research Institute for Mathematics and Computer Science

The National Research Institute for Mathematics and Computer Science is one of the leading European research centers in the field of mathematics and theoretical computer science....
 in the Netherlands, which was available only under a relatively restrictive license; in 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is public-domain. msieve, however, can only run on a single SMP
Symmetric multiprocessing

In computing, symmetric multiprocessing or SMP involves a multiprocessor computer-architecture where two or more identical processors can connect to a single shared main memory....
 computer, whilst CWI's implementation can be distributed among several nodes in a cluster with a sufficiently fast interconnect.

Polynomial selection is normally performed by GPL software written by Kleinjung, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.

  • NFSNet
    NFSNet

    NFSNet is a distributed computing project that integer factorizations very, very large numbers that have hundreds of digits, particularly those from the Cunningham project....
  • .
  • [https://sourceforge.net/projects/factor-by-gnfs/ factor by gnfs]
  • , which contains excellent final-processing code, and implementations of the polynomial selection and sieving parts.