ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

Transcription

1 MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages S (6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE KLEIJUG Abstract. The general number field sieve (GFS) is the asymtotically fastest algorithm for factoring large integers. Its runtime deends on a good choice of a olynomial air. In this article we resent an imrovement of the olynomial selection method of Montgomery and Murhy which has been used in recent GFS records. 1. The olynomial selection method of Montgomery and Murhy In this section we briefly discuss the roblem of olynomial selection for GFS. We also sketch the olynomial selection method of Montgomery and Murhy. The first ste in GFS (see [3]) for factoring an integer consists in the choice of two corime olynomials f 1 and f 2 sharing a common root modulo. If we denote the corresonding homogenized olynomials by F 1,res.F 2, the next (and most time consuming) ste in GFS consists in finding many airs (a, b) Z 2 of corime integers for which both values F i (a, b), i =1, 2, are roducts of rimes below some smoothness bounds B i, i =1, 2 (we will refer to these airs as sieve reorts). This is usually done by a sieving rocedure which identifies (most of) these airs in some region A Z 2. In the case of line sieving A is of the form [ A, A] [1,B] Z 2 for some A and B. For lattice sieving the form of this region is more comlicated, but we could use a rectangle as above as an aroximation. The sieving region A and the smoothness bounds B i, i =1, 2, are chosen such that one finds aroximately π(b 1 )+π(b 2 ) sieve reorts (π(x) denotes the number of rimes below x). The time sent for sieving mainly deends on the size of the region A, i.e., 2AB. So we are left with two roblems for the olynomial selection hase: how to find such olynomial airs and, having found more than one, how to select a olynomial air which minimizes sieving time. Both roblems are addressed in several articles ([4], [5], [6]). We give a short descrition of the results of these articles. Let ρ(x) be Dickman s function which roughly is the robability that the largest rime factor of a natural number n is at most n 1 x. A first aroximation for the number of sieve reorts is given by 6 π 2 A ( log(f1 (x, y)) ρ log(b 1 ) ) ρ ( log(f2 (x, y)) log(b 2 ) ) dxdy Received by the editor December 22, 24 and, in revised form, June 22, Mathematics Subject Classification. Primary 11Y5, 11Y16. Key words and hrases. Integer factorization, GFS, olynomial selection. 237 c 26 American Mathematical Society Reverts to ublic domain 28 years from ublication

2 238 THORSTE KLEIJUG (the factor 6 π takes the robability of two integers being corime into account). 2 This aroximation can be refined by considering the number of roots of F i, i =1, 2, modulo small rimes. Let r(f, ) be the number of linear factors of the homogeneous olynomial F modulo and let α i = small ( 1 r(f i,) +1 ) log() 1. Then a better aroximation for the number of sieve reorts is given by 6 ( log(f1 (x, y)) + α ) ( 1 log(f2 (x, y)) + α ) 2 π 2 ρ ρ dxdy. A log(b 1 ) log(b 2 ) Since this exression is difficult to comute, one needs simler aroximations. ote that we only need a method to rank several olynomial airs, since we are only interested in finding the best one. We now assume that f 2 is of degree one (which imlies that α 2 does not deend on f 2 )andthatlog(f 2 (x, y)) does not vary much over the sieving region (this will be the case for the olynomials in the algorithm below). Then the term ρ((log(f 2 (x, y)) + α 2 )/ log(b 2 )) can be omitted so that the integrand only deends on f 1. A further simlification consists in considering α ( ) 2 log F1 2 (x, y)dxdy. A Here the contribution from the left summand α 1 is called root roerty and the contribution from the right summand is called size roerty. ote that we want to minimize this exression, whereas we want to maximize the reviously given aroximations. Before outlining the algorithm of Montgomery and Murhy, we have to discuss some methods to imrove the quality of a given olynomial air. From a corime olynomial air (f 1,f 2 ) sharing a common root modulo, we can roduce other airs by two methods: (1) we can translate it by an integer t getting the air ( f 1, f 2 )where f i (x+t) = f i (x), or (2) we can add a Z[x]-multile of one olynomial to the other. Translation reserves the value of α 1, whilst the second method may change it. Another method to otimize the quality is to change the shae of the sieving region A (without changing the area of A). A rectangle of given areeends only on the ratio s = A B which we will call the skewness of the sieving region. Changing the skewness also reserves α 1. We now sketch the algorithm of Montgomery and Murhy. Let the number, adegreed, and a bound,max for the leading coefficient be given, and set =. Then execute the following stes: Choose the next good (good means that has some small rime divisors). If a [ d >,max ] terminate the algorithm. d Set m = and determine the next two coefficients 1, 2 of the base-m-exansion of. If 2 is not sufficiently small, go to the first ste. Determine the comlete base-m-exansion of which gives an initial f 1 and set f 2 = x m. Otimize this air as exlained above by changing the skewness, translating, and adding multiles of f 2 to f 1. If the coefficients of f 1 are too big, go to the first ste.

3 POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE 239 Using a sieve identify those f 1 +cf 2 which have good root roerties, where c is a olynomial of small degree with bounded coefficients, and outut these airs (f 1 + cf 2,f 2 ). Go to the first ste. This algorithm oututs a lot of olynomial airs which can be ranked as described above. In the next sections we will describe an imrovement of the first two stes of the algorithm above. The otimization ste and the sieving ste will not be affected. 2. onmonic linear olynomials In this section we consider a substitute for the base-m-exansion in the case of a nonmonic olynomial f 2. Denote the linear olynomial by f 2 (x) =x m and assume that and m are corime. We want to find a olynomial f 1 = d i= a ix i of degree d such that f 1 ( m ) d = holds, and the coefficients of f 1 should be as small as ossible. As in the method described above we assume that the leading coefficient is given. If the congruence (2.1) m d (mod ) does not hold, no olynomial f 1 satisfying f 1 ( m ) d = exists. Lemma 2.1. Let, d,,, and m be given such that m d (mod ) holds. Define m := d and assume m m. Then there exists a olynomial f 1 (x) = d i= a ix i satisfying f 1 ( m ) d =, m m 1 <+ d,and a i <+ m for i d 2. Proof. Let r d = and choose successively for i = d 1,..., r i = r i+1 a i+1 m i+1 and a i = r i m + δ i i with δ i <such that r i a i m i (mod ) holds. Then the r i satisfy = m d + + a i+1 m i+1 d i 1 + r i d i or i r i = a j m j i j for i =,...,d. j= So we will get a olynomial satisfying the first roerty. The second roerty follows from r d 1 = 1 m d = (md m d ) < (m m)dmd 1 and the definition of 1. For showing the last roerty we use r i 1 = 1 r i a i m i = 1 δ im i <m i and the definition of a i.

4 24 THORSTE KLEIJUG The lemma above allows us to extend the first art of the Montgomery-Murhy olynomial selection algorithm to nonmonic linear olynomials. We choose and, solve the congruence (2.1), and, for each solution m, we comute the (first 3 coefficients of the) olynomial f 1 examining it more closely if 2 is sufficiently small. After that we go to the next air (,). This will not seed u the algorithm, in fact it will slow it down a bit since the olynomial exansion is now more exensive. But we have an overwhelming number of triles (,,m) at our disosal so that we can imose further restrictions on them in order to seed u the olynomial exansion. This will be done in the next section. 3. The imrovement We begin with iscussion of measuring the size of the olynomial f 1. We will work with the su-norm of olynomials which is defined as follows: Definition 3.1. Let f(x) = d i= a ix i R[x] be a olynomial of degree d and s a ositive real number (skewness). We define su(f,s) =max a i s i d 2 i and su(f) =min su(f,s). s> The (An) s for which the minimum is attained will be called otimal skewness. Remark 3.2. We can also define the L 2 -norm by 1 1 ( ( sx ) ( ys ) d ) 2dxdy su(f,s) = f L 2 y and su(f) =min su (f,s). L 2 s> L 2 This seems to give better estimates for the size roerties of a olynomial, but we do not know how to use it in the following algorithm. We can at least bound the quotient of the two norms by constants (for fixed degree d). From now on we assume d 4. This is reasonable since at the crossover oint of MPQS and GFS degree 4 olynomials are otimal. It is also ossible to carry over the algorithm below (with some modifications) to the case d =3andeven d = 2. For the case d = 4, see also Remark 3.8. Below we will resent an algorithm for finding olynomials whose first three coefficients, 1, 2 are below some bounds,max, 1,max,res. 2,max. It is ossible to use these three bounds as inut for the algorithm. However, in ractice the following aroach seems to be referable. Let M< d+1 be a bound on the su-norm of the olynomials we want to find. as above. We will allow a and a 1 to be of size For a given let m = d m. For an uer bound on the skewness we immediately get s ( M ) 2 d.togeta lower bound we assume that in the olynomial exansion of Lemma 2.1 the worst

5 POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE 241 case haens for the first coefficient, namely a 1 = m. With this assumtion we obtain ( ) 2 ( ) 2 m d 2 M d (3.1) s min = s smax = M for the otimal skewness. This immediately yields the bound ( ) M 2d 2 1 d 3 for. We also get the bounds a i Ms d 2 i min =: a i,max for d 2 i < d, and a i Ms d 2 i max =: a i,max for i< d 2 which deend on. We now assume that m is chosen near m and that 1,max and m holds. Then the olynomial exansion of Lemma 2.1 imlies that the coefficient 1 is of order and so is within the bounds. The other coefficients are of size m, soa 1 and a are also within the bounds. Our task is to get the coefficients 2,...,a 2 sufficiently small. In the following we will show how to quickly estimate the size of 2. We now choose = l i=1 i,where i 1(mod d) are (small) rimes, (, )= 1, and 1,max. This choice imlies that the equation x d (mod ) has either no solution or d l solutions. In the latter case these can be written as (3.2) x µ = l x i,µi, i=1 where µ = (µ 1,...,µ l ) with µ i {1,...,d}, x i,µi <, x i,µi, and {x i,j mod i j =1,...,d} are the d solutions of x d (mod i ). Remark 3.3. From each of these d l solutions x µ we will construct a olynomial air via Lemma 2.1. The corresonding variables will get an additional subscrit µ (e.g., 1 becomes 1,µ ). We will reresent some of these variables in a form such as (3.2), since in this form the d l variables on the left-hand side are linear combinations of the ld variables on the right-hand side. Let m be the smallest integer bigger than m and divisible by and let { m + x i,j, i =1, (3.3) m i,j = x i,j, i > 1. Then m µ = l i=1 m i,µ i = m + x µ are d l solutions of x d (mod ) near m. Lemma 3.4. otations as above. There exist integers e i,j <where 1 i l and 1 j d (see formula (3.6)) such that l (3.4) 1,µ = satisfies i=1 e i,µi (3.5) 1,µ m d 1 µ m d µ (mod ). Hence 1,µ canbeusedintheexansionof for the air (, m µ ). i

6 242 THORSTE KLEIJUG Proof. First note that given 1,µ modulo for all µ by equation (3.5), it is sufficient to solve (3.4) modulo since we can reduce the e i,j modulo to satisfy e i,j <. ote also that the e i,j are not uniquely determined, since we can add a constant to all e i,j, i fixed, 1 j l (reducing modulo if necessary) and subtract the same constant from all e i,j, i fixed, 1 j l. Fix a 1 i l, andletµ =(µ 1,...,µ l ), µ =(µ 1,...,µ l )withµ j = µ j for j i. We will show that 1,µ 1,µ mod does not deend on µ j for j i, but only on µ i and µ i. This allows us to set (3.6) e 1,1 1,(j,1,...,1) (mod ), e i,1 = for i>1and e i,j 1,(1,...,1,j,1,...,1) 1,(1,...,1) (mod ) for i>1,j >1 (in the last line j aears at the ith lace). Because of the indeendence these e i,j satisfy (3.4). Let µ =( µ 1,..., µ l )and µ =( µ 1,..., µ l) be another air with µ j = µ j for j i and µ i = µ i, µ i = µ i (omitting or adding a means that everything outside the ith lace remains constant; a means that the ith lace stays constant). We have to rove (3.7) 1,µ 1,µ 1, µ 1, µ (mod k ), 1 k l. We now multily (3.5) by 1 m µ mod and get 1,µ 1 a m d µ dm µ (mod ). For k i we have m µ m µ = x µ x µ = x i,µi x i,µ i (mod k ), whence we get 1,µ 1,µ m m d µ m d µ µ m dm d 1 µ x i,µ i i,µ i µ i i d x i,µ i i,µ i i i (mod ), i roving (3.7) for k i. For showing it modulo i we note that m µ m µ (mod i ) and get (as above) 1,µ 1, µ m m d µ m d µ µ d(m µ m µ ) and analogously for 1,µ 1, µ. Therefore (mod i ) 1,µ 1,µ 1, µ + 1, µ d(m µ m µ m µ + m µ ) which comletes the roof. (mod i ), ow we consider the next coefficient in the olynomial exansion corresonding to m µ, and want to estimate its size. We use the aroximation m µ m because m is much bigger than and m µ differs from m by at most l. Since we are

7 POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE 243 free to add multiles of (x m µ )x d 2 to the olynomial exansion, we want that is very near to an integer. An aroximation of this quantity is given by 2,µ m 2,µ m r d 2,µ m d 1 = m d µ 1,µ m d 1 µ 2 m d 1 m d d(m µ m )m d 1 1,µ m d 1 2 m d 1 = m d 2 m d 1 + d(m µ m ) 1,µ 2. The transition from the first to the second line is done by using the binomial exansions of (m +(m µ m )) a, a = d, d 1, and omitting all monomials in the numeratorforwhichtheowerofm is less than d 1. Definition 3.5. Let f = m d 2 m d 1 and for 1 i l, 1 j d, f i,j = dx i,j 2 e i,j. With this definition the aroximation above becomes 2,µ l f + f i,µi. m TheerrormadeisO( dl2 (d +) m ). We now resent an algorithm which, given an integer and egree d 4, roduces a list of olynomial airs (f 1,f 2 )withacommonrootmodulo such that the first three coefficients of f 1 are small. Algorithm 3.6. Inut: a number, adegreed 4off 1, a bound M for the su-norm of f 1 (or alternatively three bounds,max, 1,max and 2,max for the first three coefficients), a bound l on the minimal number of rime factors of, and a bound b for these rime factors. (1) Set P = {r 1(modd) r rime, r and r< b } and set =. ( ) M (2) Increase and terminate the algorithm if it exceeds,max = 2d 2 1 d 3. Otherwise set Q( )={r P (mod r) is th ower modulo r}. Also comute aroximately m = d, 1,max = M 2 m and 2,max = ( ) M 2d 6 1 d 2. m d 4 (3) For all subsets P of at least l elements of Q( ) such that = r P r 1,max holds, execute the following three stes: (a) Comute x i,j, m i,j,ande i,j as in (3.2), (3.3), and (3.6), resectively. (b) Finally comute f and f i,j as in Definition 3.5. (c) Set ɛ = 2,max m and find those vectors µ for which l f + f i,µi mod Z [ ɛ, ɛ] i=1 i=1

8 244 THORSTE KLEIJUG holds and outut the corresonding olynomial air. This can be done by setting l =[ l 2 ], comuting the two lists f + l i=1 f i,µ i mod Z and l i=l +1 f i,µ i mod Z, sorting these two lists, and checking each element of the second list to see whether it is in an ɛ-neighbourhood of an element of the first list. Go to ste (2). Remark 3.7. In one ass of stes 3(a) (c) we check d l olynomial airs in time O(d l 2 log d) resulting in a runtime of O(d l 2 log d) er checked olynomial air. So we try to choose l as large as ossible. Remark 3.8. For smaller numbers (less than 15 digits, say) a olynomial air of degree (4,1), i.e., d = 4, will be suerior to one of degree (5,1). In this case the following modification roduces better olynomial airs. We no longer require that a 1 is of size m which will restrict the degree of the olynomial c in the root sieve to, i.e., we search among f 1 + c f 2, c Z, c small for olynomials having good root roerties. Then the bounds (3.1) will be relaced by m M s min = M s s max = a 4 giving ( ) 1 ) 1 M 8 3 M 11 6 a 4, a3 (, and a2 M. The outut of the algorithm above consists of olynomials such that all coefficients with the ossible excetion of a 1 are small enough. We then check whether a 1 also lies within the bounds (for a suitable skewness). We now describe some variants of the algorithm above: (1) Instead of considering every we may only consider those which are divisible by a roduct of some small rimes (6, say). This increases the root roerties of the olynomial f 1 by adding rojective roots modulo these small rimes. On the other hand it reduces the number of available leading coefficients which may force us to decrease the number l of rime factors in which in turn slows down ste 3(c) of the algorithm. Alternatively it is also ossible to identify good using a sieve. (2) For degree d = 5 and smaller l a large art of time is sent in the initialization of ste 3(a). By also considering roducts of the form = i=1 i, l where is a number (not necessarily rime) such that x d (mod ) has exactly one solution, we can decrease the ercentage of the initialization cost. For a set P we first roceed as in arts 3(a) (c) of the algorithm (this corresonds to = 1). Then we do these stes with other values of such that 1,max holds. For these values we can reuse some of the comutations done for =1. (3) For very large the number of admissible values for is huge. We may decrease the su-norm bound M, thereby shrinking the admissible -interval, but we risk getting no olynomial satisfying this reduced su-norm bound. So we can only restrict the search interval by selecting some of the. Since we want to have the number l of different rime factors of as large as ossible (for very large ste 3(c) dominates the runtime), we reverse

9 POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE 245 the roles of and in the following way: select l rimes out of P whose roduct is smaller than 1,max.ow must be congruent to times th ower modulo each of the l rimes dividing, and it has to satisfy a restriction on its size. So we get another knasack roblem whose solutions give airs (,). We may include informations modulo 6 into the knasack roblem to get only those which are divisible by 6. As in the revious variant we may also use an auxiliary factor, but since the initialization costs are not a roblem, it is robably better to increase l. 4. Simle heuristic analysis In this section we want to examine which quality we can exect using a given amount of time. This will only be a rough analysis not involving the root sieve and assuming that the number of examined olynomials is not too big. As above let be the integer to be factored, d 4 the degree of the algebraic olynomial f 1 = d i= a ix i,andm a bound on its su-norm. We want to search for olynomials whose su-norm is less than M. Furthermore let b< d 1 2 be an integer. Using the algorithm described above we search for olynomials such that there exists a skewness s 1 such that the following holds: (4.1) a i Ms d 2 i d for b i d and Ms d 2 b. Since the coefficients a,...,a b 1 will be of size d, these conditions imly that the de-skewed su-norm is at most M. The second condition imlies that we can doa(b + 1)-dimensional root sieve, i.e., using a sieve over olynomials c Z[x] of degree b with small coefficients, we search for olynomials f 1 + cf 2 having good root roerties. In the revious section we only considered the case b =1. For a olynomial exansion we have by Lemma max(, )and a i d for i = d 2,...,. Therefore we get the restriction Ms 1 d 2. Then the average number W of olynomials we have to check in order to find one olynomial satisfying (4.1) is W = d 2 i=b+1 max 1, d Ms d 2 i. These checks consist of a quick check of the size of 2 and for the d 3 d W = max 1, i=b+1 Ms d 2 i survivors of this a slower check of the sizes of the remaining coefficients. Choosing as a roduct of l rimes, this can be done in time O( W )+O(W ). This is d 2 l minimal if is as large as ossible, so we assume from now on that = Ms d 2. If we substitute this and multily out, we get W = M s z,wherez and W = M s z,wherez forb 1. In order to minimize the work we choose d s as small as ossible for b>, i.e., = Ms d 2 b, since a smaller s imlies a

10 246 THORSTE KLEIJUG larger bound on and therefore a larger l. In this case the second argument in the roducts above is always the maximum and we get W = ( ) (d 2 b)(d 1 b) d(d 1 2b) M d+1 or d(d 1 2b) d+1 W (d+1)(d 2 b)(d 1 b). M = 1 We now assume that the O( W )-term dominates the O(W )-term. By checking one d 2 l olynomial we obtain M = 1 d+1 as exected. If we want to imrove this by a factor f we have to check f (d+1)(d 2 b)(d 1 b) d(d 1 2b) olynomials on average. For small values of d and b this exonent is tabulated in the following table: b d We note that this function takes the same values for b =andb =1,namely (d+1)(d 2) d. So in these cases the amount of work for finding a olynomial with small su-norm is equal, but for b = 1 we have a larger root sieve and can exect better root roerties (always neglecting the O(W )-term). 5. Exerimental results This algorithm has been used for the olynomial selection stage of the factorization of many numbers. The largest number whose factorization has been comleted and where a number of similar size has been factored using the original Montgomery-Murhy method is a comosite 143-digit factor of We used the following arameters: a 5 ranged over all multiles of 6 between 1 and ca , was comosed of 7 rimes 1 (mod 5) less than 1 and an auxiliary factor less than This took aroximately 3 days on four 233 MHz Pentiums. Comared with the olynomial air used for the factorization of the (slightly smaller) 143-digit comosite 92! + 1 which has been generated by the original Montgomery-Murhy method, the yield has been increased by 4%. We also have done a short search for the 512-bit RSA challenge number factored in August 1999 ([1]). In this exeriment was comosed of 7 rimes 1(mod5) and an auxiliary factor. The range for the leading coefficient a 5 was [1, 2], a 5 being a multile of 6. Only for those olynomials whose de-skewed su-norm was less than a root sieve was erformed. The best olynomial air found was f 1 = x x x 3 and x x f 2 = x

11 POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE 247 This olynomial air has a yield aroximately 32% higher than that of the olynomial air used for the factorization. The time sent for the search was less than 9 hours on a 1 GHz Pentium. For the 576-bit RSA challenge number factored in December 23 ([2]), the algorithm resented in this article was intensely used. The best olynomial air we found was f 1 = x x x 3 and x x f 2 = x , and it was used for the factorization. References 1. S. Cavallar, W. M. Lioen, H. J. J. teriele, B. Dodson, A. K. Lenstra, P. L. Montgomery, B. Murhy et al., Factorization of a 512-bit RSA modulus, Reort MAS-R7, CWI. 2. J. Franke, T. Kleinjung et al., RSA-576, announcement, 23. htt:// 3. A. K. Lenstra and H. W. Lenstra, Jr. (eds.), The Develoment of the umber Field Sieve, Lecture otes in Math. 1554, Sringer, MR B. A. Murhy and R. P. Brent, On Quadratic Polynomials for the umber Field Sieve, Comuting Theory 98, ACSC 2(3) (1998), MR (2i:11189) 5. B. A. Murhy, Modelling the Yield of umber Field Sieve Polynomials, Algorithmic umber Theory - ATS III, LCS 1443 (1998), MR (21d:1129) 6. B. A. Murhy, Polynomial selection for the umber Field Sieve Integer Factorisation Algorithm, Ph.D. thesis, The Australian ational University, Deartment of Mathematics, University of Bonn, Beringstrasse 1, Bonn, Germany address: thor@math.uni-bonn.de