Contents

Special number field sieve

Heuristically, its complexity for factoring an integer ${\displaystyle n}$ is of the form:^[1]

${\displaystyle \exp \left(\left(1+o($1)\right)\left({\tfrac {32}{9}}\log n\right)^{1/3}\left(\log \log n\right)^{2/3}\right)=L_{n}\left[1/3,(32/9)^{1/3}\right]}

inO and L-notations.

The SNFS has been used extensively by NFSNet (a volunteer distributed computing effort), NFS@Home and others to factorise numbers of the Cunningham project; for some time the records for integer factorization have been numbers factored by SNFS.

The SNFS is based on an idea similar to the much simpler rational sieve; in particular, readers may find it helpful to read about the rational sieve first, before tackling the SNFS.

The SNFS works as follows. Let n be the integer we want to factor. As in the rational sieve, the SNFS can be broken into two steps:

• First, find a large number of multiplicative relations among a factor base of elements of Z/nZ, such that the number of multiplicative relations is larger than the number of elements in the factor base.
• Second, multiply together subsets of these relations in such a way that all the exponents are even, resulting in congruences of the form a²≡b² (mod n). These in turn immediately lead to factorizations of n: n=gcd(a+b,n)×gcd(a-b,n). If done right, it is almost certain that at least one such factorization will be nontrivial.

The second step is identical to the case of the rational sieve, and is a straightforward linear algebra problem. The first step, however, is done in a different, more efficient way than the rational sieve, by utilizing number fields.

Let n be the integer we want to factor. We pick an irreducible polynomial f with integer coefficients, and an integer m such that f(m)≡0 (mod n) (we will explain how they are chosen in the next section). Let α be a rootoff; we can then form the ring Z[α]. There is a unique ring homomorphism φ from Z[α] to Z/nZ that maps αtom. For simplicity, we'll assume that Z[α] is a unique factorization domain; the algorithm can be modified to work when it isn't, but then there are some additional complications.

Next, we set up two parallel factor bases, one in Z[α] and one in Z. The one in Z[α] consists of all the prime ideals in Z[α] whose norm is bounded by a chosen value ${\displaystyle N_{\max }}$. The factor base in Z, as in the rational sieve case, consists of all prime integers up to some other bound.

We then search for relatively prime pairs of integers (a,b) such that:

• a+bmissmooth with respect to the factor base in Z (i.e., it is a product of elements in the factor base).
• a+bα is smooth with respect to the factor base in Z[α]; given how we chose the factor base, this is equivalent to the norm of a+bα being divisible only by primes less than ${\displaystyle N_{\max }}$.

These pairs are found through a sieving process, analogous to the Sieve of Eratosthenes; this motivates the name "Number Field Sieve".

For each such pair, we can apply the ring homomorphism φ to the factorization of a+bα, and we can apply the canonical ring homomorphism from ZtoZ/nZ to the factorization of a+bm. Setting these equal gives a multiplicative relation among elements of a bigger factor base in Z/nZ, and if we find enough pairs we can proceed to combine the relations and factor n, as described above.

Not every number is an appropriate choice for the SNFS: one needs to know in advance a polynomial f of appropriate degree (the optimal degree is conjectured to be ${\displaystyle \left(3{\frac {\log N}{\log \log N}}\right)^{\frac {1}{3}}}$, which is 4, 5, or 6 for the sizes of N currently feasible to factorise) with small coefficients, and a value x such that ${\displaystyle f($x)\equiv 0{\pmod {N}}} where N is the number to factorise. There is an extra condition: x must satisfy ${\displaystyle ax+b\equiv 0{\pmod {N}}}$ for a and b no bigger than ${\displaystyle N^{1/d}}$.

One set of numbers for which such polynomials exist are the ${\displaystyle a^{b}\pm 1}$ numbers from the Cunningham tables; for example, when NFSNET factored ⁠${\displaystyle 3^{479}+1}$⁠, they used the polynomial ⁠${\displaystyle x^{6}+3}$⁠ with ⁠${\displaystyle x=3^{80}}$⁠, since ⁠${\displaystyle (3^{80})^{6}+3=3^{480}+3}$⁠, and ${\displaystyle 3^{480}+3\equiv 0{\pmod {3^{479}+1}}}$.

Numbers defined by linear recurrences, such as the Fibonacci and Lucas numbers, also have SNFS polynomials, but these are a little more difficult to construct. For example, ${\displaystyle F_{709}}$ has polynomial ${\displaystyle n^{5}+10n^{3}+10n^{2}+10n+3}$, and the value of x satisfies ${\displaystyle F_{142}x-F_{141}=0}$.^[2]

If one already knows some factors of a large number compatible with SNFS, then one could do the SNFS calculation modulo the remaining part; for the NFSNET example above, ⁠${\displaystyle 3^{479}+1=(2^{2}\times 158071\times 7167757\times 7759574882776161031)}$⁠ times a 197-digit composite number (the small factors were found by ECM), and the SNFS was performed modulo the 197-digit number. The number of relations required by SNFS still depends on the size of the large number, but the individual calculations are quicker modulo the smaller number.

This algorithm, as mentioned above, is very efficient for numbers of the form r^e±s, for r and s relatively small. It is also efficient for any integers which can be represented as a polynomial with small coefficients. This includes integers of the more general form ar^e±bs^f, and also for many integers whose binary representation has low Hamming weight. The reason for this is as follows: The Number Field Sieve performs sieving in two different fields. The first field is usually the rationals. The second is a higher degree field. The efficiency of the algorithm strongly depends on the norms of certain elements in these fields. When an integer can be represented as a polynomial with small coefficients, the norms that arise are much smaller than those that arise when an integer is represented by a general polynomial. The reason is that a general polynomial will have much larger coefficients, and the norms will be correspondingly larger. The algorithm attempts to factor these norms over a fixed set of prime numbers. When the norms are smaller, these numbers are more likely to factor.

• General number field sieve

• Byrnes, Steven (May 18, 2005), "The Number Field Sieve" (PDF), Math 129
• Lenstra, A. K.; Lenstra, H. W. Jr.; Manasse, M. S. & Pollard, J. M. (1993), "The Factorization of the Ninth Fermat Number", Mathematics of Computation, 61 (203): 319–349, Bibcode:1993MaCom..61..319L, doi:10.1090/S0025-5718-1993-1182953-4, hdl:1887/2150
• Lenstra, A. K.; Lenstra, H. W. Jr., eds. (1993), The Development of the Number Field Sieve, Lecture Notes in Mathematics, vol. 1554, New York: Springer-Verlag, ISBN 978-3-540-57013-4
• Silverman, Robert D. (2007), "Optimal Parameterization of SNFS", Journal of Mathematical Cryptology, 1 (2): 105–124, CiteSeerX 10.1.1.12.2975, doi:10.1515/JMC.2007.007, S2CID 16236028