General number field sieve
|
|
In mathematics, the general number field sieve is the most efficient algorithm known for factoring integers. It uses
- <math>O\left\{\exp\left[\left({64\over9}\log n\right)^{1\over3} (\log \log n)^{2\over3}\right]\right\}<math>
steps to factor integer n (see Big O notation). It is derived from the special number field sieve. When the term number field sieve is used without qualification, it refers to the general number field sieve.
Method
We choose two irreducible polynomials f(x) and g(x) with common root m mod n; they will be of order of m, while having small degrees d and e of our polynomials. It is not known what is the best way to choose the polynomials, but usually it is done by picking a degree d for a polynomial and considering expansion of n in basis m where m is of order n1/d. The point is to get coefficients of f and g as small as possible.
Now, we consider number field rings Z[r1] and Z[r2] where r1 and r2 are roots of polynomials f and g, and look for values a and b such that r = bd·f(a/b) and s = be·g(a/b) are smooth relative to the chosen basis of primes. If a and b are small, r and s will be too (but at least of order of m), and we have a better chance for them to be smooth at the same time.
Having enough such pairs, using Gaussian elimination, we can get products of certain r and of corresponding s to be squares at the same time. We need a slightly stronger condition — that they are norms of squares in our number fields, but we can get that condition by this method too. Each r is a norm of a- r1*b and hence we get that product of corresponding factors a- r1*b is a square in Z[r1], with a "square root" which can be determined (as a product of known factors in Z[r1]) — it will typically be represented as a nonrational algebraic number. Similarly, we get that product of factors a- r2*b is a square in Z[r2], with a "square root" which we can also compute.
Since m is root of both f and g mod n, there are homomorphisms from the rings Z[r1] and Z[r2] to the ring Z/nZ, which map r1 and r2 to m, and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now product of factors a-m*b mod n we can get as a square in two ways - one for each homomorphism. Thus, we get two numbers x and y, with x2-y2 divisible by n and again with probability at least one half we get a factor of n by finding greatest common divisor of n and x-y
The second-best-known algorithm for integer factorization is the Lenstra elliptic curve factorization method. It is better than the general number field sieve when factors are of small size, as it works by finding smooth values of order of the smallest prime divisor of n, and its running time depends on the size of this divisor.
References
- Lenstra, Arjen K.; Lenstra, H.W. Jr. (Eds.) (1993). The development of the number field sieve. Lecture Notes in Math. 1554. Springer-Verlag.
- Pomerance, Carl (1996). A Tale of Two Sieves (http://www.ams.org/notices/199612/pomerance.pdf). Notices of the AMS 1996, 1473–1485.de:Zahlkörpersieb
fr:Algorithme de factorisation par crible sur les corps de nombres généralisé zh:普通数域筛选法