On Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve

Transcription

1 On onlinear Polynomial Selection and Geometric Progression (mod ) for umber Field Sieve amhun Koo, Gooc Hwa Jo, and Soonhak Kwon komaton@skku.edu, achimheasal@nate.com, shkwon@skku.edu Det. of Mathematics, Sungkyunkwan University, Suwon, S. Korea Abstract The general number field sieve (GFS) is asymtotically the fastest known factoring algorithm. One of the most imortant stes of GFS is to select a good olynomial air. A standard way of olynomial selection (being used in factoring RSA challenge numbers) is to select a nonlinear olynomial for algebraic sieving and a linear olynomial for rational sieving. There is another method called a nonlinear method which selects two olynomials of the same degree greater than one. In this aer, we generalize Montgomery s method [7] using small geometric rogression (GP) (mod ) to construct a air of nonlinear olynomials. We introduce GP of length d + k with 1 k d 1 and show that we can construct olynomials of degree d having common root (mod ), where the number of such olynomials and the size of the coefficients can be recisely determined. Keywords : olynomial selection, number field sieve, geometric rogression, LLL algorithm 1 Introduction The number field sieve (FS) [6, 11] is asymtotically the fastest known algorithm to factor a large comosite integer. One of the most exciting news on this toic is the factorization of RSA-768 by the collaboration of Kleinjung and many other researchers [3] using the technique of the general number field sieve (GFS). Almost all of the factored RSA numbers with 100 digit size or more were tackled by using FS algorithm so far. Recently the olynomial selection ste of FS is being studied widely since a good olynomial air greatly reduces the entire running time of FS algorithm. Among several olynomial selection methods for FS being roosed so far, the base-m method is one of the most standard ones. Murhy [9] roosed an imrovement of the base-m method by refining the notion of olynomial yield. Murhy s method focuses on root roerty, which is a measurement of the efficiency of olynomial air having roots modulo small rimes. Kleinjung [2] roosed an imrovement of Murhy s method to nonmonic linear olynomial. Both Murhy s and Kleinjung s methods were used on factorization of many RSA challenge numbers. We call all these olynomial selection methods linear method since it selects a nonlinear olynomial for algebraic sieving and a linear olynomial for rational sieving. A nonlinear method refers the method of choosing two nonlinear olynomials (of degree 2) having a common zero (mod ). Several researchers focus on nonlinear olynomial selection methods. Montgomery [7] showed that one can find two nonlinear olynomials of degree d and size O( 1/2d ) having common root (mod ) if and only if one can find a geometric rogression 1

2 (GP) (mod ) of length 2d 1 and size O( 1 1/d ). Montgomery succeeded in finding such GP (mod ) when d = 2 but the case d 3 is still unresolved. The quadratic method (d = 2) is not cometitive to linear method when the integer is over 120 digits [9]. Prest and Zimmermann [12], and also Williams [13] roosed other nonlinear olynomial selection methods using GP (mod ) of length d + 1, however these methods roduce olynomials which have larger coefficients than the otimal bound O( 1/2d ) exected from Montgomery s method. In this aer, we roose a olynomial selection method using a GP of length d + k with 1 k d 1 which generalizes Montgomery s method of GP with length 2d 1 (i.e., k = d 1). atural imlication of our result is that one can generate olynomials with different degrees l d for all 2 < d < l having common root (mod ) from a GP of fixed length l. We also introduce a method of finding a GP of (d + 1)-term with size O( 1 1/d ) and show that the roosed method has flexibility than the usual base-m method. GP with length d + 2 and size O( 1 1/d ) is difficult to find in general but we show that such GP can be found under certain conditions. We aly the result to GP of size O( 2/3 ) to construct cubic olynomials having common roots (mod ). The remaining art of this aer is organized as follows. We exlain the existing olynomial selection methods in section 2. We introduce an extension of Montgomery s GP method and state generalized olynomial selection method given GP of arbitrary length in section 3. We exlain the method of constructing a GP of length d + 1 and d + 2, and give exlicit examles in section 4. Finally we give conclusive remarks in section 5. 2 Existing Polynomial Selection Methods 2.1 Linear olynomial selection method Base-m method Let 1/(d+1) < m 1/d and let = d i=0 a im i (0 a i < m) be the base m-exansion of. Then f(x) = a d x d + a d 1 x d a 0, g(x) = x m are two olynomials having common root m (mod ). There are other imrovements to reduce the size of coefficients of f with the roerty f(m) 0 (mod ) being reserved. For examle, if a i > m/2 then the substitution a i a i m and a i+1 a i+1 + 1, makes a i < m/2 for every i. For more detail, refer [6, 9] Murhy s method Murhy s method [9] is an imrovement of the base-m method to generate skewed olynomials having good root roerty using rotations and translations. For given olynomial air (f(x), g(x)) with common root m (mod ), rotation by r(x) refers another olynomial air (f(x)+r(x)g(x), g(x)). Also translation by t refers a olynomial air (f(x t), g(x t)) having common root m + t (mod ). The root roerty measures the smoothness of given olynomial, i.e. it tells how many roots the olynomial has modulo small rimes. To measure the root roerty of a olynomial 2

3 f, one defines α(f) = (1 q ) log 1 B where B is the given bound and q is the number of root of f(x) 0 (mod ). Sufficiently many zeros of f (mod ) imlies that one has negative α(f) with larger absolute value. Similarly one can also define α value for a bivariate homogeneous olynomial F (x, y) with f(x) = F (x, 1). In this case, rojective roots dividing the leading coefficient a d of f should be also considered. That is, if the leading coefficient of f has many small rime factors, then f may have a good root roerty. Therefore one may we select m with a d m d < (a d + 1)m d with a d having many small rime factors. By using the techniques of translation and rotation, one may generate skewed olynomials having good root roerties. In Murhy s method, rotation by linear olynomial r(x) was used. Rotation by nonlinear olynomials using the Chinese remainder theorem was roosed in [15] Kleinjung s method Kleinjung [2] roosed an imrovement of Murhy s method to nonmonic linear g. The method first selects a ositive integer a d which has many small rime factors. ext, one chooses an integer such that a d x d (mod ) is solvable. ow let m be a solution of a d x d (mod ) close to m = (/a d ) 1/d. Then there is an exression with a d 1 < da d m m = a d m d + a d 1 m d a 1 m d 1 + a 0 d, + and a i < m + for i = 0,, d 2 (see Lemma 2.1 of [2]). Thus f(x) = a d x d + a d 1 x d a 0, g(x) = x m is a olynomial air having common root 1 m (mod ), where a d 1 and a d 2 can be bounded in terms of a d, and m. Considering lenty of triles (a d,, m), Kleinjung found olynomial airs with nonmonic g having better yields than that of Murhy s method. This method was used for the factorization of RSA-768 [3]. 2.2 onlinear olynomial selection method Montgomery s method Montgomery [7] roosed a nonlinear method which finds two olynomials of the same degree d using a small GP (mod ). If there exists a GP (mod ) of length 2d 1 with c i = O( 1 1/d ) written in vector notation as c = [c 0, c 1,, c 2d 2 ], which is not a linear recurrence of order d 1 over Q, then by looking at the two dimensional sublattice of Z d+1 which is orthogonal to d 1 vectors in Z d+1 sanned by [c 0, c 1,, c d ], [c 1, c 2,, c d+1 ],, [c d 2, c d 1,, c 2d 2 ], one can construct two olynomials f 1 (x) = a d x d + a d 1 x d a 0 and f 2 (x) = b d x d + b d 1 x d b 0 of degree d with common root r (mod ), where r is the geometric ratio of GP c and the coefficients of f 1 and f 2 are of O( 1/2d ). At this moment, it is still an oen roblem whether one can find such GP (mod ) with length 2d 1 and size c i = O( 1 1/d ) for general d. However, when d = 2, Montgomery 3

4 resented a GP (mod ) satisfying the above conditions. That is, letting be a rime satisfying (i) < ( ), (ii) = 1, Montgomery finds a solution c 1 of x 2 (mod ) with c 1 /2, and thus [c 0, c 1, c 2 ] = [, c 1, (c 2 1 )/] (1) is a desired GP (mod ) with ratio r 1 c 1 (mod ). It seems difficult to extend the idea of Montgomery to general d 3. A ositive answer for the case d = 3 would imly that we may relace the sieving olynomial air (f(x), l(x)) with linear l(x) and deg f = 5, 6 by two cubic olynomials. For details, refer [9] The method of Prest and Zimmermann According to Montgomery s idea, we need a GP (mod ) with length 2d 1 and size O( 1 1/d ) to generate two olynomials of degree d with common root (mod ) and coefficients of O( 1/2d ). In the case that we have only (d + 1)-term of GP, we may still generate two olynomials of degree d with common root (mod ). Williams [13] showed that a GP of length 4 (i.e., d = 3) of size O( 2/3 ) gives two cubic olynomials having common root (mod ) with coefficients O( 2/9 ). Therefore the resultant of two olynomials is O( 4/3 ), while O() is the otimal resultant size exected from two olynomials with coefficients O( 1/2d ). Prest and Zimmermann [12] considered the case of arbitrary degree to generate skewed olynomials. Choosing a GP of the form [1, m,, m d 1, m d ] with m near 1/d, and alying LLL algorithm [5] on the lattice sanned by the column vectors of the following matrix m m d 1 m d s s d s d where s is the skewness arameter, they get two short vectors of the form a 0 a 1 s.. a d s d Thus the olynomials a a d x d have m as a common root (mod ). 2 They showed that, by selecting s = O( d(d 2 d+2) ), the skewed olynomials have medium coefficients of size 2 2d+2 O( d 2(d 2 2d+2) d 3 d 2 +2d ) and resultant of size O( d 2 d+2 ). When d = 3, this method gives two cubic olynomials whose resultant is of O( 5/4 ) and medium coefficients of O( 5/24 ). 3 Polynomial Selections from GP of Length d + k To find a air of nonlinear sieving olynomials, Montgomery [7] considers GP (mod ) c = [c 0, c 1,, c 2d 2 ] with length 2d 1 and size c i = O( 1 1/d ). On the other hand, Prest and 4

5 Zimmermann [12] consider c = [c 0, c 1,, c d ] with length d + 1 and size c i = O( 1 1/d ). Finding GP (mod ) with length d + 1 and size c i = O( 1 1/d ) is easy because, if one choose c 0 = 1/d + j for small j and c i c i 0 (mod ), then one gets c i = O( 1 1/d ). However it is not clear how one can find a GP (mod ) with bounded size for general length d + k c = [c 0, c 1,, c d+k 1 ]. The most desirable case is k = d 1 so that we have a GP of length 2d 1 and can find two indeendent olynomials of degree d having common root (mod ). It should be mentioned that finding GP even in the cases k = 2, 3,, d 2 satisfying suitable size roerty is suosed to be a difficult roblem. Moreover, for given GP of length d + k, we may find more than two olynomials having common roots (mod ), and the size of the coefficients of such olynomials will be determined by the size of c. Our aim is to generalize the idea of Montgomery to the case of GP c (mod ) of arbitrary length d + k and also to rovide an unified aroach for the olynomials of degree d having common roots (mod ) arising from a GP c of variable length such as d + 1 [12] and 2d 1 [7]. Moreover we will clarify the relations between the olynomials of different degree d having common root (mod ) for given GP c of fixed length. For examle, we will show that, for given 5-term GP of size O( 2/3 ), we can generate 2 cubic olynomials and 4 olynomials of degree 4, all having coefficients of size O( 1/6 ) and the same common root (mod ). To summarize the raised questions; How many indeendent olynomials we may generate for given GP of fixed length? What are the ossible degrees of such olynomials? How the size of the coefficients of such olynomials is related to the size of the given GP? We will answer all the questions in the following theorem below. For given olynomial f(x) = ai x i, let us define the norm of f as f = a 2 i. Theorem 1. Let d and k be integers with d 2 and 1 k d 1. Suose that c = [c 0, c 1,, c d+k 1 ] is a GP (mod ) with length d + k such that the k vectors [c 0,, c d ], [c 1,, c d+1 ],, [c k 1,, c d+k 1 ] Z d+1 are linearly indeendent over Q. Then we may generate d k + 1 olynomials f i of degree at most d having common root r (mod ) with r the ratio of the GP and satisfying ( ) c k f 1 f 2 f d k+1 = O. (2) k 1 Proof. Let Λ be the lattice in Z d+1 sanned by the following k indeendent vectors v 0 = [c 0,, c d ], v 1 = [c 1,, c d+1 ],, v k 1 = [c k 1,, c d+k 1 ], (3) obtained from d + 1 consecutive terms of c. Define Ω to be the lattice in Z d+k+1 sanned by the column vectors of the following (d + k + 1) (d + 1) matrix Kc 0 Kc 1 Kc d, (4) Kc 1 Kc 2 Kc d Kc k 1 Kc k Kc d+k 1 5

6 where K is a constant. Then Theorem 4 of [10] says that, if { x 1,, x d+1 } is an LLLreduced basis of Ω and if one chooses K sufficiently large (i.e., if K > 2 d+(d k)2 vol(λ)), then { x 1,, x d k+1 } is an LLL-reduced basis for Λ, where x i Z d+1 is the vector obtained by taking the first (d + 1)-terms of x i and Λ is the orthogonal lattice of Λ. Therefore x i = (a 0, a 1,, a d ) Λ satisfies 0 = a 0 c 0 + a 1 c a d c d a 0 + a 1 r + a 2 r 2 + a d r d (mod ) where r c 1 0 c 1 (mod ), which imlies that x i corresonds to a olynomial f i(x) = a 0 + a 1 x + + a d x d with degree at most d. Hence we may consider {f 1, f 2,, f d k+1 } is a basis for Λ over Q of dimension d + 1 k. A standard result of LLL-reduced basis says that vol(λ ) d k+1 f i 2 d(d 1) 4 vol(λ ), where vol(λ ) = vol(λ) with Λ = san Q (Λ) Z d+1. Therefore, to estimate the size of f i, we need to estimate the volume of Λ. Observe that y Z d+1 is orthogonal to the vectors v 0, v 1,, v k 1 defined in (3) if and only if it is orthogonal to the lattice Λ sanned by v 0, v 1 r v 0, v 2 r v 1,, v k 1 r v k 2, where r is the geometric ratio of GP c. Since vol(λ ) = vol((λ ) ) = vol(λ ) vol(λ ), to estimate the volume of Λ, we need to comute vol(λ ) = det(a T A) where A is the k k matrix with each column written as v 0, v 1 r v 0, v 2 r v 1,, v k 1 r v k 2, ow v 0 v 1 r v 0 ( ) det(a T A) = Ṇ v 1 r v 0 v k 1 r v k 2 v 0. v k 1 r v k 2 v 0 v 0 v 0 v 1 r v 0 v 0 v k 1 r v k 2 v 1 r v 0 v 1 r v 0 v 0 v 1 r v 0 v 1 r v 0 v k 1 r v k 2 = v k 1 r v k 2 v k 1 r v k 2 v 0 v 1 r v 0 v k 1 r v k 2 v k 1 r v k 2 v 0 v 0 v 0 ( v 1 r v 0 ) v 0 ( v k 1 r v k 2 ) = 1 ( v 1 r v 0 ) v 0 ( v 1 r v 0 ) ( v 1 r v 0 ) ( v 1 r v 0 ) ( v k 1 r v k 2 ) 2(k 1) ( v k 1 r v k 2 ) v 0 ( v k 1 r v k 2 ) ( v 1 r v 0 ) ( v k 1 r v k 2 ) ( v k 1 r v k 2 ) = 1 2(k 1) det(bt B), where B is the matrix with each column vector written as v 0, v 1 r v 0, v 2 r v 1,, v k 1 r v k 2. Since the base change matrix between the following two bases for Q d+1, { v 0, v 1, v 2,, v k 1 }, { v 0, v 1 r v 0, v 2 r v 1,, v k 1 r v k 2 }, 6

7 is triangular and having 1 in all diagonal entries (in articular unimodular), they san the same lattice and thus we get det(b T B) = det(( v i v j )) = O( c 2k ). Consequently one gets ( ) c vol(λ ) vol(λ k ) = O which comletes the roof. k 1 Corollary 1. With the same conditions in Theorem 1, suose that k vectors [c 0, c 1,, c d 1 ], [c 1, c 2,, c d ],, [c k 1, c k,, c k+d 2 ] of consecutive d terms are linearly indeendent over Q. Then we( get at least one olynomial of degree d having r as a zero (mod ). Moreover if ( ) all f i are O c k 1/(d k+1) ), then we may choose all such olynomials having degree d. k 1 Proof. On the contrary, assume that all f i found in Theorem 1 have degree < d. This haens when the basis vectors x 1,, x d k+1 for Λ have last coordinate 0 (i.e., x i = (a 0, a 1,, a d 1, 0) ). Then we may view { x 1,, x d k+1 } Zd which sans (d k + 1)- dimensional orthogonal subsace to k indeendent vectors [c i, c i+1,, c i+d 1 ] (0 i k 1) in Z d, which is absurd. For the second assertion, let f {f 1, f 2,, f d k+1 } be a olynomial of degree d. Then for any f i with deg f i < d, we may relace f i by f i ( + f so that the resulting ( ) olynomial has common root r (mod ) and the coefficients are of O c k 1/(d k+1) ). k 1 One can also think of the converse of Theorem 1 and it can be hrased as follows. Theorem 2. Suose 1 k d 1 and j = d 1 k + 1. Assume that there exist degree d olynomials g 1 (x),, g j (x) Z[x] having common root r (mod ) such that g 1,, g j are linearly indeendent over Q. Then one can find GP c = [c 0,, c d+k 1 ] (mod ) of length d + k and c = O( g d+k 1 ) where g = max g i. Proof. The condition j = d 1 k + 1 imlies (j 1)k < d + k 1 jk. One may consider (2d + 2k 1) (d + k) matrix I d+k KG 1 M =., (5) KG j 1 KG j where I d+k is the identity matrix of dimension d + k and KG i (1 i j 1) is k (d + k) submatrix sanned by the k row vectors in Z d+k d+1 k 1 d+1 k 2 k 1 d+1 {}}{{}}{{}}{{}}{{}}{{}}{ [ Kg i, 0,, 0], [0, Kg i, 0,, 0],, [ 0,, 0, Kg i ]. The submatrix KG j is defined similarly but the number of cyclic shifts (i.e., the number of rows) is d + k 1 (j 1)k. ow as in the case of the matrix in (4), one may think of LLL reduced basis of d + k column vectors of M. Theorem 4 in [10] again says that, if K is sufficiently large, we have one dimensional orthogonal lattice c = [c 0, c 1,, c d+k 1 ] Z d+k to the lattice of dimension d + k 1 sanned by the row vectors of KG 1,, KG j. Since [1, r, r 2,, r d+k 1 ] is also orthogonal to all the row vectors of KG 1,, KG j (mod ), one finds that c and [1, r, r 2,, r d+k 1 ] sans the same sace (mod ), and therefore the ratio of c (mod ) is r. Finally the volume of the lattice c is bounded by the volume of the lattice sanned by the d + k 1 row vectors of KG 1,, KG j and is of O( g d+k 1 ). 7

8 Remark 1. From Theorem 1 and 2, it is natural to exect j d k+1. Indeed, if j > d k+1, then from d k + 2 j < d+2k 1 k, we get (k 1)d < k 2 1 = (k 1)(k + 1) and thus d < k + 1 which is a contradiction. The following corollary shows that, for given GP of fixed length l, one can obtain several olynomials with similar size having common root (mod ) for various degrees d with l 2 < d < l, which imlies the size of the coefficients deends on the length of GP not on the degree. Corollary 2. Let c be a GP (mod ) of l-term of size O( ϵ l 1 l+1 ) with d < l < 2d and 0 < ϵ < l+1 l 1. Then we may generate 2d l + 1 olynomials f i with degree at most d such that 2d l+1 Proof. From Theorem 1, by letting l = d + k, f i = O( ϵ 2d l+1 l+1 (ϵ 1)(l d 1) ). ( ) c l d f 1 f 2 f 2d l+1 = O l d 1 ( = O = O ϵ (l d)(l 1) = O ϵ (l 1) l+1 (l d) ϵ(l d 1) ϵ(l d 1) l d 1 l+1 ϵ(l d 1) (ϵ 1)(l d 1) ) ( ϵ 2d l+1 l+1 (ϵ 1)(l d 1)). Remark 2. Letting ϵ = 1, one has 2d l+1 f i = O( 2d l+1 l+1 ). Moreover, if all f i have roughly the same size, we get f i = O( 1 l+1 ). For examle, if l = 2d 1, we get two olynomials of degree at most d of size O( 1 2d ) as exected in [7, 9]. The condition f i = O( 1 l+1 ) imlies that the size of fi does not deend on the the degree l 2 < d < l for fixed l. For examle, if we have a 5-term GP of O( 2/3 ), then we may generate 2 olynomials of degree 3 for (d, k) = (3, 2), and also 4 olynomials of degree 4 for (d, k) = (4, 1), where all the coefficients are of O( 1/6 ). Corollary 3. With the same conditions in Theorem 1, suose that r 2d+2 1 is relatively rime to. Let h(x) Z[x] be a olynomial of degree at most d such that h(r) 0 (mod ). Then there exist integers s 1, s 2,, s d k+1 such that h(x) d k+1 s i f i (x) (mod ). Proof. For any olynomial f(x) = d i=0 a ix i of degree at most d, define a vector f = [a 0,, a d ] in Z d+1. Since Q d+1 is sanned by the basis vectors, f 1, f 2,, f d k+1, v 0, v 1,, v k 1 where v i are defined in (3), we have d k+1 k 1 h = s ifi + t j v j j=0 8

9 for some s i, t j in Q. ow letting r = [1, r,, r d ] and noticing the ratio of the GP c = [c 0,, c d+k 1 ] (mod ) is r, we get v j = [c j, c j+1,, c d+j ] c j r (mod ). Therefore 0 h(r) h r s i f i (r) + t j ( v j r) t j c j ( r r) t j c j (1 + r 2 + r r 2d ) r2d+2 1 r 2 1 tj c j (mod ). Since r 2d+2 1 is relatively rime to, we get k 1 j=0 t jc j 0 (mod ). Consequently d k+1 h = d k+1 k 1 s ifi + t j v j j=0 k 1 s ifi + r( j=0 t j c j ) d k+1 k 1 s ifi + t j c j r d k+1 s i fi j=0 (mod ). 4 Constructing GP (mod ) 4.1 GP (mod ) with Length d + 1 As is mentioned in Section 2.1.1, one finds such GP by the base-m method with m = d + j for small j so that the base-m exansion of, = d i=0 a im i, gives a olynomial f(x) = d i=0 a ix i with f(m) 0 (mod ) and coefficients a i = O( 1 d ). On the other hand, Theorem 1 says that we can find d such olynomials of degree d with coefficients O( d 1 d 2 ) having m as a common zero (mod ). It should be mentioned that d olynomials in Theorem 1 are obtained via LLL algorithm [5] not from the base-m method. Also since there are d olynomials, we have much freedom in maniulating those olynomials via rotations and translations to find otimal olynomials having good root roerty. By extending the idea of GP in (1) of Montgomery, we may generate GP (mod ) with length d + 1 as follows. Proosition 1. Suose is a rime such that (i) < 1/d, (ii) x d (mod ) is solvable. Let r be a solution of x d (mod ) with r 1/d 2. Then c = [c 0, c 1, c 2,, c d ] = [ ] d 1, d 2 r,, r d 1, rd (6) is a (d + 1)-term GP (mod ) of size O( 1 1/d ) with geometric ratio r 1 (mod ). Remark 3. Heuristic argument tells that, for randomly chosen rime with 1 (mod d), the robability that is a d-th ower residue (mod ) is 1 d. Therefore we may generate lenty of and r satisfying the conditions of the Proosition 1. 9

10 Remark 4. Letting = 1, we get c = [1, r, r 2,, r d ] which is exactly the base-m method. Thus the roosed method is a generalization of the base-m method and has more flexibility. ote that in the roosition need not necessarily be a rime as long as the solutions of x d (mod ) are efficiently comutable. One ossible direction of this idea is to think of the solutions of x d (mod i ) using Chinese Remainder Theorem from the solutions of x d (mod i ). Remark 5. Another generalization of the Proosition 1 is using k in lace of, where k is small and a roduct of small rimes. Therefore if r is a solution of x d k (mod ), then the GP [ ] c = d 1, d 2 r,, r d 1, rd k (7) roduces olynomials f i (x) such that f i ( 1 r) 0 (mod k), which imlies that f i (x) 0 (mod q) has a solution for all rimes q dividing k. In this way, one may find olynomials with good root roerties. (See Examle 2.) Alying LLL algorithm on the (d + 2) (d + 1) matrix in (4) with the GP in (6) or (7) gives d olynomials of degree d with coefficients size O( (d 1)/d2 ) under the assumtion of Corollary 1. All generated olynomials have 1 r as a common root (mod ) and the linear olynomial x r also has 1 r (mod ) as a root. We can also imrove this method to select skewed olynomials following [12]. For given skewness s and GP c, alying LLL algorithm on the column vectors of s (8) 0 0 s d Kc 0 Kc 1 Kc d gives d skewed olynomials. Examle 1. Let = C59 = and d = 3 as in [12]. We choose rime = near 1/3. Then x 3 0 (mod ) has solution r = Running LLL algorithm with the GP c = [ 2, r, r 2, r3 ] gives 3 olynomials of degree 3 having common root 1 r (mod ): f 1 (x) = x x x , f 2 (x) = x x x , f 3 (x) = x x x Since l(x) = x r has the common root 1 r (mod ) also, using the Corollary 3, we may exress l(x) as a linear combination l(x) f 1 (x) f 2 (x) f 3 (x) (mod ). Examle 2. Let, d be the same as in Examle 1. We choose rime = near 1/6. Then x (mod ) has solution r = Let s = 10

11 be the skewness arameter. Running LLL algorithm on the matrix (8) with c = [ 2, r, r 2, r3 210 ] gives 3 skewed olynomials of degree 3 having common root 1 r (mod ): f 1 (x) = 115x x x , f 2 (x) = 100x x x , f 3 (x) = x x x The above olynomials have α(f 1 ) = 1.50, α(f 2 ) = 1.96, α(f 3 ) = 0.09, of which two olynomials f 1 and f 2 have better α-values than α(f) = 0.41, α(g) = 0.65 in age 9 of [12], where f(x) = 42044x x x , g(x) = x x x Moreover our resultant Res(f 1, f 2 ) = = is just 64-digits while Res(f, g) = 1.22 in [12] is of 73 digits. Our resultant is 9-digits less than [12] and only 5-digits more than. Since we may try many ossible candidates of, r and k satisfying r d k (mod ), it is a more flexible method than that of the base-m method, so it is exected to get olynomials of better yields when combined with other techniques. 4.2 GP (mod ) with Length d + 2 We introduce a form of (d + 2)-term GP (mod ) of size O( 1 1/d ) which imroves a GP introduced in Proosition 1. Proosition 2. With the same conditions in Proosition 1, assume further 1/d = O() and suose that dr d 1 x rd (mod ) (9) has a solution t with t = O(1). Then we can find a GP (mod ) with length d + 2 and size O( 1 1/d ). Proof. Write r = r + t where t is a solution of (9). By Hensel s Lemma, r is a solution of x d (mod 2 ) with r 1/d = O(). Therefore the first d + 1 terms of the following GP [ c = [c 0, c 1,, c d 1, c d, c d+1 ] = d 1, d 2 r,, r d 1, r d, r (r d ] ) 2. (10) are of O( 1 1/d ), i.e., c 0, c 1,, c d = O( 1 1/d ). Also the assumtion 1/d = O() imlies r = O(). Therefore r = r + t = O(1) and we get c d+1 = c d r = O( 1 1/d ). Remark 6. An equivalent condition of Proosition 2 is that there exists a rime with 1/d such that x d (mod 2 ) has a solution r with r. ext corollary shows that the GP introduced above gives olynomials with secial roerties. Corollary 4. Let f(x) = a d x d + a d 1 x d a 1 x + a 0 be a olynomial of degree d obtained by alying (d + 2)-term GP in (10). Then we get a d 1 = 0. 11

12 Proof. From the orthogonality condition we obtain two equations [a 0, a 1,, a d ] [c 0,, c d 1, c d ], [c 1,, c d, c d+1 ], c 0a c d 1 a d 1 + c d a d = 0, c 1a c d a d 1 + c d+1 a d = 0. By cancelling a d from the above two equations, 0 = (c 1c d c 0c d+1 )a (c d 1 c d c d 2 c d+1 )a d 2 + (c 2 d = (c 2 d c d+1 c d 1 )a d 2 d 1 + (c i+1c d c i c d+1 )a i i=0 = (c 2 d c d+1 c d 1 )a d 2 d 1 + (c i+1c d c i i=0 Since c d+1 c d 1 c 2 d 0, we have a d 1 = 0. c d+1 c d 1 )a d 1 r c d )a i = (c 2 d c d+1 c d 1 )a d 1 Therefore if we can find a GP introduced in (10), then we may generate olynomials whose second highest coefficient is zero. It may give some ossible advantage in FS algorithms. In articular, when d = 3, we can generate 2 cubic olynomials of coefficients size O( 1/6 ) with coefficient of x 2 zero. Unfortunately, for large, it is not easy to find such and r. Examle 3. Let = = q 1 q 2 with q 1 = and q 2 = Letting m = 1/3, m 10 < < m, and t < 10, we find 3 tules [, r, t] satisfying the condition of Proosition 2 (i.e., r 3 (mod 2 ) with r ) : [, r, t] = [ , , 2], [ , , 8], [ , , 0] Using the last examle with = , r = r = and t = 0, we get a 5-term GP (mod ) as c = [ 2, r, r 2, r 3, r (r 3 ) ]. With this GP as an inut, running LLL 2 algorithm on the lattice in (4) roduces 2 cubic olynomials 47x x , 88x x , for the case d = 3, k = 2. If we let d = 4, k = 1, then we obtain 4 olynomials of degree 4 as follows: 3685x x x x 5409, 9189x x x x 3028, 1643x 4 477x x x , 710x 4 212x x x All 6 generated olynomials have a common root 1 r (mod ). Therefore we obtain 1 olynomial air of degree (3,3), 8 olynomial airs of degree (3,4), 6 olynomial airs of degree (4,4). 12

13 Remark 7. Similarly as in Section 4.1, we may extend the idea in Proosition 2 to more general case when x d k (mod 2 ) with small k has a solution r so that [ d 1, d 2 r,, r d 1, r d k, r (r d ] k) 2 (11) is a (d + 2)-term GP (mod ) of O( 1 1/d ). Examle 4. Let be the same with Examle 3. Let = , then r = is a solution of x 3 10 (mod 2 ). From the 5-term GP [ 2, r, r 2, r 3, r (r 3 ) ], we get 2 2 cubic olynomials 34x x , 37x x for d = 3, k = 2, and we get 4 olynomials of degree x x x x , 6175x x x x 2696, 10797x x x x 4718, 71x x x x 3412, where all 6 olynomials have common root 1 r (mod ). Using x d k (mod 2 ) for many small k increases the robability that the equation is solvable. In ractice, the GP in (11) is much easier to find than the GP with k = 1. For instance, in Examle 3 with k = 1, there are 3 airs (, r ) such that r 3 (mod 2 ) with r 10 and m 10 < < m. If we extend our search range to 1 k 10, then have 27 of (, r ) such that r 3 k (mod 2 ) with r 10 and m 10 < < m, which is not so cost effective because we get less than three times of (, r ) even if we increased the range of k ten times. On the other hand, reducing the search range of from m 10 < < m to m 10 < < 19m 100 roduces 9 airs of (, r ) with 1 k 10. That is, we still find more GP by reducing the range of and increasing the range of k, which seems more effective since we consider congruence equations (mod 2 ) for smaller values of. Table 1 show a small numerical data for the number of the air (r, ) satisfying r 3 k (mod 2 ) for all which is a roduct of two rimes q 1 q 2 with 10 4 < q 1, q 2 < ote that each air (r, ) corresonds to a GP of length 5 which is either the form of (10) or (11). This result suggests that 5-term GP (10) and (11) exist with high robability, even though the number of GP is relatively small for each. Moreover it says that one is more likely to find solution of x 3 k (mod 2 ) by increasing the range of k rather than that of. It should be mentioned that it also saves the time for the following reason. If we increase the range of k from k = 1 to 1 k 10, the number of equations x 3 k (mod 2 ) we need to consider is increased by the factor of 10. However if we increase the range of from m 10 < < m to m 10 < < 10m, the number of equations x3 k (mod 2 ) we need to consider is increased by the factor of π( m)/π( 9 10m) 11 but the catch in this case is that we have to solve the congruence equation x 3 k (mod 2 ) for ten times larger size of which inevitably slow down the imlementation time on PARI-GP, as is shown in the table. 5 Conclusions We have resented a method of constructing olynomials of degree d for all l 2 < d < l having common roots (mod ) given GP (mod ) of fixed length l. We also give the estimation of the 13

14 k = 1 k = 1 1 k 10 m 10 < < m m 10 < < 10m m 10 < < 19m 100 Average number of (r, ) with r 5 for each The number of such that 89.79% 98.04% 99.91% x 3 k (mod 2 ) has a solution r 5 Average number of (r, ) with r 10 for each The number of such that 97.75% 99.85% 100% x 3 k (mod 2 ) has a solution r 10 PARI-GP time estimation on 2 days 18 days 2days Intel U GHz CPU lato Table 1: Existence of GP (10) and (11) size of the coefficients of the obtained olynomials in terms of the size of each terms of given GP, which generalizes Montgomery s method. We showed that the GP of length d + 1 can be constructed in more flexible way than the usual base-m method and we find corresonding olynomials of various degrees having common root (mod ). We also stated the conditions when secial GP of length d + 2 exists. Acknowledgements. The authors would like to thank Peter L. Montgomery for his helful suggestions regarding a few questions related to this aer. References [1] J. Gower, Rotations and translations of number field sieve olynomials, Proceeding of Asiacryt 2003, LCS 2894, , [2] T. Kleinjung, On olynomial selection for the general number field sieve, Mathematics of Comutation 75, , [3] T. Kleinjung, K. Aoki, J. Franke, A. Lenstra, E. Thome, J. Bos, P. Gaudry, A. Krua, P. Montgomery, D. Osvik, H. te Riele, A. Timofeev, P. Zimmermann, Factorization of a 768-bit RSA modulus, Proceeding of Cryto 2010, LCS 6223, , [4] S. Cavallar, B. Dodson, A. K. Lenstra, W. Lioen, P. L. Montgomery, B. Murhy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, Paul Leyland, J. Marchand,F. Morain, A. Muffett, Chris and Craig Putnam, and P. Zimmermann, Factorization of a 512-Bit RSA modulus, Proceeding of Eurocryt 2000, LCS 1807,. 1 18,2000. [5] A. K. Lenstra, H. W. Lenstra, Jr, and L. Lovász, Factoring olynomials with rational coefficients, Mathematische Ann., 261, , [6] A. K. Lenstra, and H. K. Lenstra, Jr, The Develoment of the umber Field Sieve, LM 1554, Sringer, [7] P. Montgomery, Small geometric rogressions modulo n, Unublished note of 2 ages, December 1993, revised 1995 and available through corresondence [8] P. Montgomery, Polynomial selection for number field sieve, resentation slide, available at [9] B. Murhy, Polynomial Selection for the umber Field Sieve Integer Factorisation Algorithm, PhD thesis, Australian ational University, July

15 [10] P. guyen, and J. Stern, Merkle-Hellman revisited: A crytoanalysis of the Qu-Vanstone crytosystem based on grou factorizations, Proceeding of Cryto 1997, LCS 1294, , [11] R. Crandall, and C. Pomerance, Prime umbers: A Comutational Persective 2ed, Sringer, [12] T. Prest, and P. Zimmermann, on-linear olynomial selection for the number field sieve, available at htt://hal.archives-ouvertes.fr/docs/00/54/04/83/ PDF/olyselect.df [13] R. S. Williams, Cubic Polynomials in the umber Field Sieve, MSc Thesis, Texas Tech University, [14] M. Elkenbracht-Huizing, A multile olynomial general number field sieve, Proceeding of Algorithmic umber Theory 1996, LCS 1122, , [15] K. Aoki, J. Franke, T. Kleinjung, A. K. Lenstra, and D. A. Osvik, A Kilobit secial number field sieve factorization, Proceeding of Asiacryt 2007, LCS 4833,. 1 12, [16] RSA challenge. available at htt:// 15