
  1. NONLINEAR POLYNOMIALS FOR NFS FACTORISATION
     Nicholas Coxon

  2. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $f_1$ and $f_2$ produce many smooth values in the sieve stage.

  3. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $f_1$ and $f_2$ produce many smooth values in the sieve stage.
     Very roughly speaking, smoothness probabilities are correlated with
     · Coefficient size,
     · Number of real roots,
     · Roots modulo small primes.
     See [Brent, Montgomery & Murphy ≈ 1997] for more details.

  4. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $f_1$ and $f_2$ produce many smooth values in the sieve stage.
     Very roughly speaking, smoothness probabilities are correlated with
     · Coefficient size (size properties),
     · Number of real roots (size properties),
     · Roots modulo small primes.
     See [Brent, Montgomery & Murphy ≈ 1997] for more details.

  6. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $f_1$ and $f_2$ produce many smooth values in the sieve stage.
     Quantifying size properties: If $f = \sum_{i=0}^{d} a_i x^i y^{d-i}$ has degree $d$, define its $s$-skewed 2-norm to be
     $$\|f\|_{2,s} = \left( s^{-d} \cdot \sum_{i=0}^{d} \left| a_i s^i \right|^2 \right)^{1/2} \quad \text{for } s > 0.$$
     We want $|a_d|$ to be small and $|a_{d-1}|, |a_{d-2}|, \ldots, |a_0|$ to grow at most geometrically with ratio $s$.
     The skew of $f$ is the $s$ that minimises $\|f\|_{2,s}$.

  7. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $\|f_1\|_{2,s}$ and $\|f_2\|_{2,s}$ are small for some large $s > 0$.

  8. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $\|f_1\|_{2,s}$ and $\|f_2\|_{2,s}$ are small for some large $s > 0$.
     Quantifying root properties: For homogeneous $f \in \mathbb{Z}[x, y]$, define
     $$\alpha(f, B) = \sum_{p \le B} \left( 1 - \sigma(f, p) \, \frac{p}{p+1} \right) \frac{\log p}{p - 1},$$
     where $\sigma(f, p) := \#\{ (r_1 : r_2) \in \mathbb{P}^1(\mathbb{F}_p) \mid f(r_1, r_2) \equiv 0 \pmod{p} \}$.

  9. The problem
     Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
     · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
     · $f_1$ and $f_2$ are distinct and irreducible,
     · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
     · $\|f_1\|_{2,s}$ and $\|f_2\|_{2,s}$ are small for some large $s > 0$.
     Quantifying root properties: For homogeneous $f \in \mathbb{Z}[x, y]$, define
     $$\alpha(f, B) = \sum_{p \le B} \left( 1 - \sigma(f, p) \, \frac{p}{p+1} \right) \frac{\log p}{p - 1}.$$
     [Brent & Murphy 1997]: $f(a, b)$ behaves like $f(a, b) \cdot e^{\alpha(f, B)}$ w.r.t. $B$-smoothness.

  10. The problem
      Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
      · $\deg f_1 + \deg f_2 = \delta$, where $\delta = \delta(N)$ ($\in \{6, 7\}$ in practice),
      · $f_1$ and $f_2$ are distinct and irreducible,
      · $\exists\, m_1, m_2 \in \mathbb{Z} \setminus \{0\}$ such that $f_1(m_1, m_2) \equiv f_2(m_1, m_2) \equiv 0 \pmod{N}$,
      · $\|f_1\|_{2,s}$ and $\|f_2\|_{2,s}$ are small for some large $s > 0$,
      · $\alpha(f_1, B)$ and $\alpha(f_2, B)$ are small (negative), where $B$ is the smoothness bound.

  11. Room for improvement
      [Crandall and Pomerance 2001]:
      · In the sieve stage, smooth values $f_1(a, b) \cdot f_2(a, b)$ are found.
      · As these values are a product of two integers, they are more likely to be smooth than a random integer of the same size that is not necessarily a product of two integers.
      · This effect is maximised when $f_1$ and $f_2$ produce values that are of the same magnitude.
      Current best methods generate polynomials with $\deg f_1 \ge 5$ and $\deg f_2 = 1$. Thus, they produce values that are not of the same magnitude.
      Better smoothness probabilities could be obtained by using two nonlinear polynomials with $\deg f_1 \approx \deg f_2$.

  12. The resultant bound
      [Montgomery?]: Suppose that $f_1, f_2 \in \mathbb{Z}[x, y]$ are non-constant coprime polynomials with a common root modulo $N$. Then
      $$N \le \|f_1\|_{2,s}^{\deg f_2} \cdot \|f_2\|_{2,s}^{\deg f_1} \quad \text{for all } s > 0.$$
      · Obtained by bounding $|\mathrm{Res}(f_1, f_2)|$ above and below.
      · Small degrees used in NFS imply there must be large coefficients.
      · Current best methods give $f_1$ and $f_2$ with $\|f_1\|_{2,s}^{\deg f_2} \|f_2\|_{2,s}^{\deg f_1} = O(N)$.
      · [Prest & Zimmermann 2010] give heuristic evidence that for each $N$ there exist pairs of NFS polynomials such that $\deg f_1 = \deg f_2 = d$ and $\|f_i\|_{2,s} = O\left(N^{1/(2d)}\right)$ for $i = 1, 2$.

  13. This talk
      Given an integer $N$ that we want to factor with the number field sieve, find two homogeneous polynomials $f_1, f_2 \in \mathbb{Z}[x, y]$ such that
      · $\deg f_1 = \deg f_2 = d$, where $d = \delta(N)/2$;
      · $f_1$ and $f_2$ are distinct and irreducible;
      · $f_1$ and $f_2$ have a common root modulo $N$; and
      · $\|f_1\|_{2,s} \cdot \|f_2\|_{2,s} = O(N^{1/d})$ for some large $s > 0$.
      · $\alpha(f_1, B)$ and $\alpha(f_2, B)$ are small.

  14. PART I: MONTGOMERY-TYPE ALGORITHMS

  15. Lattices
      A lattice is a subgroup $L \subset \mathbb{R}^n$ of the form $L = b_1 \mathbb{Z} + \ldots + b_k \mathbb{Z}$, where $b_1, \ldots, b_k \in \mathbb{R}^n$ are linearly independent.
      Key invariants:
      · $k$: the dimension of $L$
      · $\det L := \left( \det (b_i \cdot b_j)_{1 \le i, j \le k} \right)^{1/2}$: the determinant of $L$
      [Lenstra, Lenstra & Lovász 1982]: Given $b_1, \ldots, b_k \in \mathbb{Z}^n$, there exists an algorithm (now called LLL-reduction) that can be used to compute $a_1, a_2 \in L$ such that
      $$\|a_1\|_2 \le 2^{(k-1)/4} \det(L)^{1/k} \quad \text{and} \quad \|a_2\|_2 \le 2^{k/4} \det(L)^{1/(k-1)}$$
      in time polynomial in $k$, $n$ and $\max_{1 \le i \le k} \log \|b_i\|_2$.

  16. Geometric progressions
      [Montgomery 1993] introduced a method for constructing NFS polynomials with small coefficients which relies on construction of modular geometric progressions.
      Definition. A vector $[c_0, c_1, \ldots, c_{\ell-1}] \in \mathbb{Z}^{\ell}$ is called a geometric progression (GP) of length $\ell$ and ratio $r$ modulo $N$ if
      $$c_i \equiv c_0 r^i \pmod{N} \quad \text{and} \quad \gcd(c_i, N) = 1 \quad \text{for } i = 0, \ldots, \ell - 1.$$
      Length $d+1$ GPs are special: If $[c_0, c_1, \ldots, c_d]$ is a length $d + 1$ GP with ratio $m_1/m_2$ modulo $N$, then a vector $(a_0, a_1, \ldots, a_d) \in \mathbb{Z}^{d+1}$ satisfies
      $$\sum_{j=0}^{d} a_j c_j \equiv 0 \pmod{N}$$
      iff the polynomial $f = \sum_{i=0}^{d} a_i x^i y^{d-i}$ satisfies $f(m_1, m_2) \equiv 0 \pmod{N}$.

  17. GPs → Polynomials
      Suppose we have $1 \le k \le d - 1$ linearly independent length $d + 1$ GPs
      $$c_1 = [c_{1,0}, \ldots, c_{1,d}], \quad c_2 = [c_{2,0}, \ldots, c_{2,d}], \quad \ldots, \quad c_k = [c_{k,0}, \ldots, c_{k,d}]$$
      that have the same ratio $m_1/m_2$ modulo $N$. Then any vector $(a_0, \ldots, a_d) \in \mathbb{Z}^{d+1}$ satisfying
      $$\sum_{j=0}^{d} a_j c_{i,j} = 0 \quad \text{for } i = 1, \ldots, k$$
      gives rise to a polynomial $f = \sum_{i=0}^{d} a_i x^i y^{d-i}$ with $f(m_1, m_2) \equiv 0 \pmod{N}$.
      Moreover, if $s^{-d/2} (a_0, a_1 s, \ldots, a_d s^d)$ is a short vector, then $\|f\|_{2,s}$ is small.
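
The construction on slides 16 and 17, worked through for the smallest case $d = 2$, $k = 1$, as an added Python example (not code from the talk): it builds a length-3 GP with ratio $m_1/m_2$ modulo $N$, takes the lattice of integer vectors orthogonal to it, and Lagrange-reduces that rank-2 lattice to obtain two quadratics with the common root. `N`, `M1`, `M2` and all function names are constructed for illustration; the GP is the naive one $c_j = m_1^j m_2^{d-j} \bmod N$, so the norms are not optimised, and the skew is fixed at $s = 1$.

```python
from math import gcd, sqrt

# Constructed sample values (assumptions): modulus and common root (m1 : m2).
N, M1, M2 = 1000003 * 1000033, 123456789, 1009

def dot(p, q):
    return sum(x * y for x, y in zip(p, q))

def skewed_norm(a, s=1.0):
    """s-skewed 2-norm of f = sum a[i] x^i y^(d-i)."""
    return sqrt(sum((ai * s**i) ** 2 for i, ai in enumerate(a)) / s ** (len(a) - 1))

def gp(m1, m2, d, n):
    """Length d+1 GP with ratio m1/m2 mod n: c_j = m1^j * m2^(d-j) mod n."""
    return [pow(m1, j, n) * pow(m2, d - j, n) % n for j in range(d + 1)]

def egcd(a, b):
    """Return (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b, u0, v0, u1, v1 = b, a - q * b, u1, v1, u0 - q * u1, v0 - q * v1
    return a, u0, v0

def kernel_basis(c):
    """Basis of {a in Z^3 : a . c = 0}, the case d = 2, k = 1."""
    g, u, v = egcd(c[0], c[1])
    h = gcd(g, c[2])
    return [c[1] // g, -c[0] // g, 0], [-u * c[2] // h, -v * c[2] // h, g // h]

def lagrange_reduce(u, v):
    """Lagrange (Gauss) reduction of a rank-2 integer lattice basis."""
    while True:
        if dot(u, u) > dot(v, v):
            u, v = v, u
        q = (2 * dot(u, v) + dot(u, u)) // (2 * dot(u, u))  # round(u.v / u.u)
        if q == 0:
            return u, v
        v = [y - q * x for x, y in zip(u, v)]

def resultant(f, g):
    """Resultant of two binary quadratics given as [a0, a1, a2]."""
    return ((f[2] * g[0] - f[0] * g[2]) ** 2
            - (f[2] * g[1] - f[1] * g[2]) * (f[1] * g[0] - f[0] * g[1]))

def two_quadratics(n=N, m1=M1, m2=M2):
    return lagrange_reduce(*kernel_basis(gp(m1, m2, 2, n)))

if __name__ == "__main__":
    print(two_quadratics())
```

For these inputs the resultant of the two quadratics is a nonzero multiple of $N$, so the pair can also be checked against the resultant bound of slide 12 at $s = 1$.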
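
The root property $\alpha(f, B)$ defined on slides 8 to 10, computed directly from its definition, as an added Python example (not code from the talk). Polynomials are coefficient lists `[a_0, ..., a_d]` for $f = \sum a_i x^i y^{d-i}$; the function names and the sample polynomials are constructed for illustration, and trial division is used for the primes because smoothness bounds in the demo are small.

```python
from math import log

def primes_up_to(b):
    """Primes p <= b by trial division."""
    return [p for p in range(2, b + 1)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def sigma(a, p):
    """Number of roots (r1 : r2) in P^1(F_p) of f = sum a[i] x^i y^(d-i)."""
    # Affine points (r : 1): f(r, 1) = sum a[i] r^i.
    affine = sum(1 for r in range(p)
                 if sum(ai * pow(r, i, p) for i, ai in enumerate(a)) % p == 0)
    # Point at infinity (1 : 0): f(1, 0) is the coefficient of x^d.
    at_infinity = 1 if a[-1] % p == 0 else 0
    return affine + at_infinity

def alpha(a, b):
    """alpha(f, B) = sum over p <= B of (1 - sigma(f,p) * p/(p+1)) * log(p)/(p-1)."""
    return sum((1 - sigma(a, p) * p / (p + 1)) * log(p) / (p - 1)
               for p in primes_up_to(b))

# Constructed sample polynomials (assumptions, chosen only to contrast root counts):
FEW_ROOTS = [1, 0, 1]        # x^2 + y^2: no roots modulo primes p = 3 (mod 4)
MANY_ROOTS = [0, -1, 0, 1]   # x^3 - x*y^2 = x(x - y)(x + y): roots modulo every p

if __name__ == "__main__":
    for name, f in (("few roots", FEW_ROOTS), ("many roots", MANY_ROOTS)):
        print(name, round(alpha(f, 100), 4))
```

More roots modulo small primes push $\alpha$ further below zero, which is the direction slide 10 asks for.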
