Download Smooth Numbers and the Quadratic Sieve: Factoring Large Numbers and more Study notes Number Theory in PDF only on Docsity!
Algorithmic Number TheoryMSRI Publications Volume 44 , 2008
Smooth numbers and the quadratic sieve
CARL POMERANCE
ABSTRACT. This article gives a gentle introduction to factoring large integers via the quadratic sieve algorithm. The conjectured complexity is worked out in some detail.
When faced with a large number n to factor, what do you do first? You might say, “Look at the last digit,” with the idea of cheaply pulling out possible factors of 2 and 5. Sure, and more generally, you can test for divisibility cheaply by all of the very small primes. So it may as well be assumed that the number n has no small prime factors, say below log n. Since it is also cheap to test for probable primeness, say through the strong probable prime test, and then actually prove primality as in [Schoof 2008] in the case that you become convinced n is prime, it also may as well be assumed that the number n is composite. Trial division is a factoring method (and in the extreme, a primality test) that involves sequentially trying n for divisibility by the consecutive primes. This method was invoked above for the removal of the small prime factors of n. The only thing stopping us from continuing beyond the somewhat arbitrary cut off of log n is the enormous time that would be spent if the smallest prime factor of n is fairly large. For example, if n were a modulus being used in the RSA cryptosystem, then as current protocols dictate, n would be the product of two primes of the same order of magnitude. In this case, factoring n by trial division would take roughly n^1 =^2 steps. This already is an enormous calculation if n has thirty decimal digits, and for numbers only slightly longer, the calculation is not possible at this time by the human race and all of their computers.
Difference of squares. We have long known however that trial division is not the only game in town for factoring. Take the number 8051 for example. This number is composite and not divisible by any prime up to its logarithm. One can see instantly (if one looks) that it is 8100 � 49 , that is,
8051 D 902 � 72 :
69
70 CARL POMERANCE
Thus, we can use algebra to factor 8051 as a difference of squares. It is. 90 � 7 / �. 90 C 7 /, or 83 � 97. Every odd composite can be factored as a difference of squares (an easy exercise), so why don’t we use this method instead of trial division? Let us try again on the number n D 1649. Again, 1649 is composite, but not divisible by any prime up to its logarithm. What worked with 8051 was to take the first square above 8051 , namely 902 , and then notice that 902 � 8051 D 49 , where 49 is recognized as a square. It would seem in general that one could walk through the sequence x^2 � n with x D dn^1 =^2 e; dn^1 =^2 e C 1 ; : : : , looking for squares. With n D 1649 we have
412 � n D 32 ; 422 � n D 115 ; 432 � n D 200 ;
and so on, with no squares in immediate sight. Despite this failure, the three equations (1) may in fact be already used to factor n. Note that while neither 32 nor 200 is a square, their product is a square: 6400 D 802. Thus, since
412 � 32 .mod n/; 432 � 200 .mod n/;
we have 412 � 432 � 802 .mod n/, that is,
. 41 � 43 /^2 � 802 .mod n/:. 2 / We have found a solution to a^2 � b^2 .mod n/. Is this interesting? There are surely plenty of uninteresting pairs a; b with a^2 � b^2 .mod n/. Namely, take any value of a and let b D ˙a. Have we exhausted all solutions with this enumeration? Well no, since factoring n as a difference of squares would give a pair a; b with b ¤ ˙a. Further, any pair a; b with
a^2 � b^2 .mod n/; b 6 � ˙a .mod n/. 3 /
must lead to a nontrivial factorization of n, via gcd.a � b; n/. Indeed, (3) im- plies that n divides .a � b/.a C b/, but divides neither factor, so both gcd.a � b; n/; gcd.a C b; n/ must be nontrivial factors of n. Moreover, gcd’s are simple to compute via Euclid’s algorithm of replacing the larger member of gcd.u; v/ by its residue modulo the smaller member, until one member reaches 0. Finally, if n has at least two different odd prime factors, then it turns out that at least half of the solutions to a^2 � b^2 .mod n/ with ab coprime to n also have b 6 � ˙a .mod n/, that is, (3) is satisfied. The proof: For an odd prime power pu, the congruence y^2 � 1 .mod pu/ has exactly 2 solutions, so since n is divisible by
72 CARL POMERANCE
how do we find the subsequence? The answers to these questions involve smooth numbers. A number m is smooth if all of its prime factors are small. Specifically, we say m is B-smooth if all of its prime factors are � B. The first observation is that if a number in our sequence is not smooth, then it is unlikely it will be used in a subsequence with product a square. Indeed, if the number m is divisible by the large prime p, then if m is to be used in the square subsequence, then there necessarily must be at least one other term m^0 in the subsequence which also is divisible by p. (This other term m^0 may be m itself, that is, perhaps p^2 jm.) But given that p is large, multiples of p will be few and far between, and finding this mate for m will not be easy. So, say we agree to choose some cut off B, and discard any number from the sequence that is not B-smooth. Let us look at the numbers that are not discarded, these B-smooth numbers. The following lemma is crucial.
LEMMA. If m 1 ; m 2 ; : : : ; mk are positive B-smooth integers, and if k > �.B/ .where �.B/ denotes the number of primes in the interval Œ 1 ; B/, then some non-empty subsequence of .mi / has product a square.
PROOF. For a B-smooth number m, look at its exponent vector v.m/. This is a simple concept. If m has the prime factorization
m D
�.YB/
iD 1
pv i i;
where pi is the ith prime number and each exponent vi is a nonnegative integer, then v.m/ D .v 1 ; v 2 ; : : : ; v�.B//. Then a subsequence mi 1 ; : : : ; mit has product a square if and only if v.mi 1 / C : : : C v.mit / has all even entries. That is, if and only if this sum of vectors is the 0-vector mod 2. Now the vector space F �. 2 B/, where F 2 is the finite field with 2 elements, has dimension �.B/. And we have k > �.B/ vectors. So this sequence of vectors is linearly dependent in this vector space. However, a linear dependency when the field of scalars is F (^2) is exactly the same as a subsequence sum being the 0-vector. �
This proof suggests an answer to our algorithmic question of how to find the subsequence. The proof uses linear algebra, and this subject is rife with algo- rithms. Actually, there is really only one algorithm that is taught in beginning linear algebra classes, namely Gaussian reduction of a matrix, and then there are many, many applications of this one technique. Well, now we have another application. With a collection of smooth numbers, form their exponent vectors, reduce these modulo 2, and then use Gaussian reduction to find a nonempty subsequence with sum the 0-vector modulo 2.
SMOOTH NUMBERS AND THE QUADRATIC SIEVE 73
In particular, we shall find the concept of an exponent vector very useful in the sequel. Note that knowledge of the complete exponent vector of a number m is essentially equivalent to knowledge of the complete prime factorization of m. Also note that though in the proof of the lemma we wrote out exponent vectors in traditional vector notation, doing so in general may itself be an exponentially huge problem, even if we “know” what the vector is. Luckily, exponent vectors are sparse creatures with most entries being zero, so that one can work with them modulo 2 in a more compact notation that merely indicates where the odd entries are.
A proto-algorithm. So now we have a proto-algorithm. We are given a number n which is composite, has no prime factors up to its logarithm, and is not a power. We insist that n not be a power in order to ensure that n is divisible by at least two different odd primes. It is easy to check if a number is a power by taking roots via Newton’s method, and for close calls to integers, exponentiating that integer to see if n is a power of it. Our goal is to find a nontrivial factorization of n.
- Choose a parameter B, and examine the numbers x^2 �n for B-smooth values, where x runs through the integers starting at dn^1 =^2 e.
- When you have more than �.B/ numbers x with x^2 � n being B-smooth, form the exponent vectors of these B-smooth numbers, and use linear algebra to find a subsequence x^21 �n; : : : ; x^2 t �n which has product a square, say A^2.
- From the exponent vectors of the numbers xi^2 � n, we can produce the prime factorization of A, and thus find the least nonnegative residue of A mod- ulo n, call it a. Find too the least nonnegative residue of the product x 1 : : : xt modulo n, call it b.
- We have a^2 � b^2 .mod n/. If a 6 � ˙b .mod n/, then compute gcd.a�b; n/. Otherwise, return to step 1, find additional smooth values of x^2 �n, find a new linear dependency in step 2, and attempt once again to assemble congruent squares to factor n.
There are clearly a few gaps in this proto-algorithm. One is a specification of the number B. Another is a fuller description of how one examines a number for B- smoothness, namely how one recognizes a B-smooth number when presented with one.
Recognizing smooth numbers. Let us look at the second gap first, namely the recognition of B-smooth numbers. Trial division is a candidate for a good method, even though it is very slow as a worst-case factorization algorithm. The point is that B-smooth numbers are very far from the worst-case of trial division, in fact they approach the best case. There are fewer than B primes up to B, so
SMOOTH NUMBERS AND THE QUADRATIC SIEVE 75
find the remaining places in this residue class by adding 7’s sequentially to the location number, and similarly for the 5 (mod 7) residue class. One has a similar result for higher powers of p and also for the special case p D 2. As with the sieve of Eratosthenes above, the number of steps we will spend per polynomial value is proportional to just log log B. That is, it takes about as much time to tell if a value is smooth as it does just to look at the value, as long as we amortize the time over many members of the polynomial sequence. So this is how we recognize B-smooth values of x^2 � n: we use a quadratic sieve.
An optimization problem. Next, in our proto-algorithm, there should be some guidance on the choice of the parameter B. Of course, we would like to choose B optimally, that is, we should choose a value of B which minimizes the time spent to factor n. This optimization problem must balance two principal forces. On the one hand, if B is chosen very small, then we do not have to find very many B-smooths in the sieve, and the matrix we will be dealing with will be small. But numbers that are B-smooth with a very small value of B are very sparsely distributed among the natural numbers, and so we may have to traverse a very long sequence of x values to get even one B-smooth value of x^2 � n, much less the requisite number of them. On the other hand, if B is chosen large, then B-smooth numbers are fairly common, and perhaps we will not have such a hard time finding them in the polynomial sequence x^2 � n. But, we will need to find a great many of them for large B, and the matrix we will be dealing with will be large. So, the optimization problem must balance these conflicting forces. To solve this problem, we should have a measure of the likelihood that a value x^2 � n is B-smooth. This in fact is a very hard problem in analytic number theory, one that is essentially unsolved in the interesting ranges. However, the number n we are trying to factor may not be up on the latest research results! That is, perhaps we should be more concerned with what is true rather than what is provable, at least for the design of a practical algorithm. This is where heuristics enter the fray. Let us assume that a polynomial value is just as likely to be smooth as a random number of the same magnitude. This assumption has been roughly borne out in practice with the quadratic sieve algorithm, as well as other factorization methods such as the number field sieve; see the survey [Stevenhagen 2008]. What is the order of magnitude of our polynomial values? If x runs in the interval
Œn^1 =^2 ; n^1 =^2 C n";
where 0 < " < 1 = 2 , then the numbers x^2 � n are all smaller than approximately 2n^1 =^2 C". Let X be this bound, and let us ask for the chance that a random number up to X is B-smooth.
76 CARL POMERANCE
An analytic tidbit. In analytic number theory we use the notation .X; B/ for the counting function of the B-smooth numbers in the interval Π1 ; X . That is,
.X; B/ D #fm W 1 � m � X; m is B-smoothg:
Let us try our hand at estimating this function in the special case that B D X 1 =^2. We can do this by an inclusion-exclusion, with a single exclusion, since no number up to X is divisible by two primes > X 1 =^2. Thus,
.X; X 1 =^2 / D bX c �
X
X 1 =^2 <p�X
bX=pc;
where p runs over primes in the stated interval. This identity uses the fact that there are exactly bX=pc multiples of p in the interval Œ 1 ; X . And the multiples of p are definitely not x^1 =^2 -smooth, so must be excluded. By removing the floor functions in the above display, we create an error bounded by �.X /, so that the prime number theorem implies that
.X; X 1 =^2 / D X
X
X 1 =^2 <p�X
1 =p
C O.X= log X /:
We now use a theorem of Mertens stating that we have X
p�t
1 =p D log log t C C C O. 1 = log t/;. 4 /
for a particular constant C. This theorem predates the prime number theorem, but can also be derived from it. Using (4) we obtain X
X 1 =^2 <p�X
1 =p D
X
p�X
1 =p �
X
p�X 1 =^2
1 =p
D log log X � log log.X 1 =^2 / C O
1 = log.X 1 =^2 /
D log 2 C O. 1 = log X /:
We thus have
.X; X 1 =^2 / D. 1 � log 2 /X C O.X= log X /;
so that .X; X 1 =^2 / X 1 � log 2 as X! 1:
For example, about 30% of all numbers have no prime factors above their square root. It may seem surprising that such a large proportion of numbers can be built out of so few primes.
78 CARL POMERANCE
and B D exp
. 2 �^1 =^2 C o. 1 //.log X log log X /^1 =^2
This calculation allows us not only to find the key parameter B, but also to estimate the running time. With B given by (7), we have
X 1 =uuu^ D exp
. 21 =^2 C o. 1 //.log X log log X /^1 =^2
and so this expression stands as the number of steps to find the requisite number of B-smooth values. Recall that X D 2n^1 =^2 C"^ in our proto-algorithm, so that the expression in (8) is of the form no.^1 /. That is, we do not need to take " as fixed in the expression for X ; it may tend to 0 slowly. Letting X D n^1 =^2 Co.^1 /, we get B D exp
. 1 = 2 C o. 1 //.log n log log n/^1 =^2
X 1 =uuu^ D exp
. 1 C o. 1 //.log n log log n/^1 =^2
where the second expression is the number of steps to do the sieving to find the requisite number of B-smooth polynomial values.
A general principle, a moral, and three bullets. The heuristic analysis above is instructive in that it can serve, in an almost intact manner, for many factoring algorithms. What may change is the number X , which is the bound on the auxiliary numbers that are examined for smoothness. In the quadratic sieve algorithm, we have X just a little above n^1 =^2. In the number field sieve, this bound on auxiliary numbers is much smaller, it is of the form no.^1 /. Smaller numbers are much more likely to be smooth than larger numbers, and this gen- eral principle “explains” the asymptotic superiority of the number field sieve over the quadratic sieve; see [Stevenhagen 2008]. Our story has a moral. Smooth numbers are not an artifact, they were forced upon us once we decided to combine auxiliary numbers to make a square. In fact for random numbers this is a theorem of mine: the bound in (8), of X 1 =uuu for the depth of the search for random auxiliary numbers below X to form a square, is tight. So the heuristic passage to B-smooth numbers is justified — one is unlikely to be able to assemble a square from random numbers below X in fewer choices than the bound in (8), even if one does not restrict to B-smooth numbers with B the bound in (7). There are several important points about smooth numbers that make them indispensable in many number-theoretic algorithms:
� Smooth numbers have a simple multiplicative structure. � Smooth numbers are easy to recognize. � Smooth numbers are surprisingly numerous.
See [Granville 2008] in this volume for much more about smooth numbers.
SMOOTH NUMBERS AND THE QUADRATIC SIEVE 79
Gaussian reduction. If Gaussian reduction is used on the final matrix, our com- plexity bound is ruined. In fact, our matrix will be about B�B, and the bound for the number of steps to reduce such a matrix is about B^3. With B given as in (8), the time for the matrix step is then about exp.. 3 = 2 C o. 1 //.log n log log n/^1 =^2 /, which then would be the dominant step in the algorithm, and would indicate that perhaps a smaller value of B than in (8) would be in order. There are several thoughts about the matrix issue. First, Gaussian reduction, though it may be the only trick in the beginning undergraduate linear algebra book, is not the only trick we have. There are in fact fast asymptotic meth- ods, that are practical as well. I refer to the Wiedemann coordinate recurrence method, the Lanczos method, etc. These reduce the complexity to the shape B^2 Co.^1 /, and so the total asymptotic, heuristic complexity of the quadratic sieve becomes, as first intimated above, exp.. 1 C o. 1 //.log n log log n/^1 =^2 /. Also, Gaussian reduction is not quite as expensive as its complexity estimate indicates. In practice, the matrix starts out as quite sparse, and so for awhile fill-in can be avoided. And, the arithmetic in the matrix is binary, so a programmer may exploit this, using say a 32-bit word size in the computer, and so process 32 matrix entries at once. The matrix poses another problem as well, and that is the space that is needed to store it and process it. This space problem is mitigated by using a sparse encoding of the matrix, namely a list of where the 1’s are in the matrix. This sparse encoding might be used at the start until the matrix can be cut down to size somewhat. In practice, people have found that it pays to slightly deoptimize B on the low side. This in essence is a concession to the matrix problem, both to the space required and the time required. While sieving can easily be distributed to many unextraordinary processors, no one knows how to do this efficiently with the matrix, and so this final step might well hog the memory and time of a large expensive computer.
Conclusion. The quadratic sieve is a deterministic factoring algorithm with conjectured complexity
exp.. 1 C o. 1 //.log n log log n/^1 =^2 /:
It is currently the algorithm of choice for “hard” composites with about 20 to 120 digits. (By “hard” I mean that the number does not have a small prime factor that could be discovered by trial division or the elliptic curve method, nor does the number succumb easily to other special methods such as the p � 1 factoring method or the special number field sieve.) For larger numbers, the number field sieve moves to the front, but this “viability border” between the quadratic sieve and the number field sieve is not very well defined, and shifts as new computer
SMOOTH NUMBERS AND THE QUADRATIC SIEVE 81
CARL POMERANCE DEPARTMENT OF MATHEMATICS DARTMOUTH COLLEGE HANOVER, NH 03755- (603) 646- carl.pomerance@dartmouth.edu
