NFSNet

In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than . Heuristically, its complexity for factoring an integer (consisting of bits) is of the form

:
\begin
& \exp\left(\left((64/9)^+o(1)\right)\left(\log n\right)^ \left(\log\log n\right)^\right) \\ pt= & L_n\left /3,(64/9)^\right\end

in O and L-notations. It is a generalization of the special number field sieve: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number apart from prime powers (which are trivial to factor by taking roots).

The principle of the number field sieve (both special and general) can be understood as an improvement to the simpler rational sieve or quadratic sieve. When using such algorithms to factor a large number , it is necessary to search for smooth numbers (i.e. numbers with small prime factors) of order . The size of these values is exponential in the size of (see below). The general number field sieve, on the other hand, manages to search for smooth numbers that are subexponential in the size of . Since these numbers are smaller, they are more likely to be smooth than the numbers inspected in previous algorithms. This is the key to the efficiency of the number field sieve. In order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.

The size of the input to the algorithm is or the number of bits in the binary representation of . Any element of the order for a constant is exponential in . The running time of the number field sieve is super-polynomial but sub-exponential in the size of the input.

Number fields

Suppose is a -degree polynomial over $\mathbb Q$ (the rational numbers), and is a complex root of . Then, , which can be rearranged to express as a linear combination of powers of less than . This equation can be used to reduce away any powers of with exponent . For example, if and is the imaginary unit , then , or . This allows us to define the complex product:
:
\begin
(a+bi)(c+di) & = ac + (ad+bc)i + (bd)i^2 \\ pt& = (ac - bd) + (ad+bc)i.
\end

In general, this leads directly to the algebraic number field \mathbb Q /math>, which can be defined as the set of complex numbers given by:

:$a_r^ + \cdots + a_1 r^1 + a_0 r^0, \text a_0,\ldots,a_ \in \mathbb Q.$

The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of with exponent as described above, yielding a value in the same form. To ensure that this field is actually -dimensional and does not collapse to an even smaller field, it is sufficient that is an irreducible polynomial over the rationals. Similarly, one may define the ring of integers $\mathbb O_$ as the subset of \mathbb Q /math> which are roots of monic polynomials with integer coefficients. In some cases, this ring of integers is equivalent to the ring \mathbb Z . However, there are many exceptions.

Method

Two polynomials ''f''(''x'') and ''g''(''x'') of small degrees ''d'' and ''e'' are chosen, which have integer coefficients, which are irreducible over the rationals, and which, when interpreted mod ''n'', have a common integer root ''m''. An optimal strategy for choosing these polynomials is not known; one simple method is to pick a degree ''d'' for a polynomial, consider the expansion of ''n'' in base ''m'' (allowing digits between −''m'' and ''m'') for a number of different ''m'' of order ''n''^1/''d'', and pick ''f''(''x'') as the polynomial with the smallest coefficients and ''g''(''x'') as ''x'' − ''m''.

Consider the number field rings Z 'r''₁and Z 'r''₂ where ''r''₁ and ''r''₂ are roots of the polynomials ''f'' and ''g''. Since ''f'' is of degree ''d'' with integer coefficients, if ''a'' and ''b'' are integers, then so will be ''b''^''d''·''f''(''a''/''b''), which we call ''r''. Similarly, ''s'' = ''b''^''e''·''g''(''a''/''b'') is an integer. The goal is to find integer values of ''a'' and ''b'' that simultaneously make ''r'' and ''s'' smooth relative to the chosen basis of primes. If ''a'' and ''b'' are small, then ''r'' and ''s'' will be small too, about the size of ''m'', and we have a better chance for them to be smooth at the same time. The current best-known approach for this search is lattice sieving; to get acceptable yields, it is necessary to use a large factor base.

Having enough such pairs, using Gaussian elimination, one can get products of certain ''r'' and of the corresponding ''s'' to be squares at the same time. A slightly stronger condition is needed—that they are norms of squares in our number fields, but that condition can be achieved by this method too. Each ''r'' is a norm of ''a'' − ''r''₁''b'' and hence that the product of the corresponding factors ''a'' − ''r''₁''b'' is a square in Z 'r''₁ with a "square root" which can be determined (as a product of known factors in Z 'r''₁—it will typically be represented as an irrational algebraic number. Similarly, the product of the factors ''a'' − ''r''₂''b'' is a square in Z 'r''₂ with a "square root" which also can be computed. It should be remarked that the use of Gaussian elimination does not give the optimal run time of the algorithm. Instead, sparse matrix solving algorithms such as Block Lanczos or Block Wiedemann are used.

Since ''m'' is a root of both ''f'' and ''g'' mod ''n'', there are homomorphisms from the rings Z 'r''₁and Z 'r''₂to the ring Z/''n''Z (the integers modulo ''n''), which map ''r''₁ and ''r''₂ to ''m'', and these homomorphisms will map each "square root" (typically not represented as a rational number) into its integer representative. Now the product of the factors ''a'' − ''mb'' mod ''n'' can be obtained as a square in two ways—one for each homomorphism. Thus, one can find two numbers ''x'' and ''y'', with ''x''² − ''y''² divisible by ''n'' and again with probability at least one half we get a factor of ''n'' by finding the greatest common divisor of ''n'' and ''x'' − ''y''.

Improving polynomial choice

The choice of polynomial can dramatically affect the time to complete the remainder of the algorithm. The method of choosing polynomials based on the expansion of in base shown above is suboptimal in many practical situations, leading to the development of better methods.

One such method was suggested by Murphy and Brent; they introduce a two-part score for polynomials, based on the presence of roots modulo small primes and on the average value that the polynomial takes over the sieving area.

The best reported results were achieved by the method of Thorsten Kleinjung, which allows , and searches over composed of small prime factors congruent to 1 modulo 2 and over leading coefficients of which are divisible by 60.

Implementations

Some implementations focus on a certain smaller class of numbers. These are known as special number field sieve techniques, such as used in the Cunningham project.
A project called NFSNET ran from 2002 through at least 2007. It used volunteer distributed computing on the Internet.
Paul Leyland of the United Kingdom and Richard Wackerbarth of Texas were involved.

Until 2007, the gold-standard implementation was a suite of software developed and distributed by CWI in the Netherlands, which was available only under a relatively restrictive license. In 2007, Jason Papadopoulos developed a faster implementation of final processing as part of msieve, which is in the public domain. Both implementations feature the ability to be distributed among several nodes in a cluster with a sufficiently fast interconnect.

Polynomial selection is normally performed by GPL software written by Kleinjung, or by msieve, and lattice sieving by GPL software written by Franke and Kleinjung; these are distributed in GGNFS.

NFS@Home

GGNFS

factor by gnfs

CADO-NFS

msieve
(which contains final-processing code, a polynomial selection optimized for smaller numbers and an implementation of the line sieve)

kmGNFS

See also

* Special number field sieve

Notes

References

* Arjen K. Lenstra and H. W. Lenstra, Jr. (eds.). "The development of the number field sieve". Lecture Notes in Math. (1993) 1554. Springer-Verlag.
* Richard Crandall and Carl Pomerance. Prime Numbers: A Computational Perspective (2001). 2nd edition, Springer. . Section 6.2: Number field sieve, pp. 278–301.

* Matthew E. Briggs: An Introduction to the General Number Field Sieve, 1998
{{Number theoretic algorithms

Integer factorization algorithms