Jeremie Detrey — Factoring integers with CADO-NFS 3 / 22
Factorization algorithms (III)
▶ Find all prime factors of an integer N:
  • QS (Quadratic Sieve) [Pomerance, 1981] and
    MPQS (Multiple Polynomial QS) [Silverman, 1987] in
    $O\left(\exp\left(\sqrt{\log N \,\log\log N}\right)\right)$
  • SNFS (Special Number Field Sieve) [Lenstra, Lenstra, Manasse, & Pollard, 1990]:
    $O\left(\exp\left(\sqrt[3]{\tfrac{32}{9}}\,(\log N)^{1/3}\,(\log\log N)^{2/3}\right)\right)$
  • (G)NFS (General Number Field Sieve) [Buhler, Lenstra, & Pomerance, 1993]:
    $O\left(\exp\left(\sqrt[3]{\tfrac{64}{9}}\,(\log N)^{1/3}\,(\log\log N)^{2/3}\right)\right)$
Jeremie Detrey — Factoring integers with CADO-NFS 4 / 22
Current factorization records
▶ ECM (small- to medium-size factors):
  • 2013: found an 83-digit factor of $7^{337} + 1$ (285 digits)
▶ SNFS (numbers of a special form):
  • 1990: factorization of $F_9 = 2^{2^9} + 1$ (155 digits) in ∼ 340 CPU-years
  • . . .
  • 2011–12: fact. of $2^{1061} - 1$ (320 digits) in ∼ 335 CPU-years
  • 2010–14: fact. of 17 numbers of the form $2^n - 1$ for 1007 ≤ n ≤ 1199 (304–361 digits) in ∼ 7500 core-years
▶ GNFS (general numbers, esp. RSA moduli):
  • 1996: fact. of RSA-130 (130 digits) in ∼ 17 CPU-years
  • . . .
  • 2007–09: fact. of RSA-768 (232 digits) in ∼ 2000 core-years
▶ Quantum computer:
  • 2012: fact. of 56153 (a whopping 5 digits!)
Jeremie Detrey — Factoring integers with CADO-NFS 5 / 22
Free (as in free speech) factorization software
▶ p − 1, p + 1, and ECM:
  • GMP-ECM [Zimmermann et al.]: http://ecm.gforge.inria.fr/
▶ QS and MPQS:
  • YAFU [Buhrow]: http://yafu.sourceforge.net/
▶ SNFS and GNFS:
  • NFS@home [Childers]: http://escatter11.fullerton.edu/nfs/
  • Msieve [Papadopoulos]: http://www.boo.net/~jasonp/qs.html
  • CADO-NFS: http://cado-nfs.gforge.inria.fr/
Jeremie Detrey — Factoring integers with CADO-NFS 6 / 22
The Number Field Sieve
▶ Based on Fermat's factoring method (congruence of squares):
  • Find two integers x and y such that $x^2 \equiv y^2 \pmod N$
  • With good probability, $\gcd(x \pm y, N)$ gives a non-trivial factor of N
▶ Obtain such equalities through two number fields
  • $f_1$ and $f_2 \in \mathbb{Z}[X]$ two polynomials, irreducible and coprime over $\mathbb{Q}$
  • $\alpha_i$ root of $f_i$: $\mathbb{Q}(\alpha_i)$ is an algebraic number field
  • $f_1$ and $f_2$ chosen such that they have a common root m in $\mathbb{Z}/N\mathbb{Z}$

Commutative diagram of the slide, written out:
  Top: $\Gamma(X) \in \mathbb{Z}[X]$
  Left arrow $X \mapsto \alpha_1$ (i.e. $X \mapsto X \bmod f_1$, $\mathbb{Z}[X]/(f_1(X)) \cong \mathbb{Z}[\alpha_1]$):
    $\gamma_1(\alpha_1)^2 \overset{?}{=} \Gamma(\alpha_1) \in \mathbb{Z}[\alpha_1] \subset \mathcal{O}_{\mathbb{Q}(\alpha_1)}$
  Right arrow $X \mapsto \alpha_2$:
    $\mathcal{O}_{\mathbb{Q}(\alpha_2)} \supset \mathbb{Z}[\alpha_2] \ni \Gamma(\alpha_2) \overset{?}{=} \gamma_2(\alpha_2)^2$
  Bottom arrows $\alpha_1 \mapsto m \bmod N$ and $\alpha_2 \mapsto m \bmod N$, both into $\mathbb{Z}/N\mathbb{Z}$:
    $\Rightarrow \gamma_1(m)^2 \equiv \gamma_2(m)^2 \pmod N$
Jeremie Detrey — Factoring integers with CADO-NFS 8 / 22
The Number Field Sieve
▶ How can one find such a polynomial $\Gamma(X)$?
▶ For all pairs of coprime integers $(a, b) \in [-A, A] \times \,]0, A]$:
  • Consider the polynomial $a - bX$ in the diagram
  • Try to factor each $a - b\alpha_i$ into a product of primes ≤ bound $B_i$
  • Such a pair is called a relation: add (a, b) to R (set of relations)

Diagram of the slide, written out:
  Top: $a - bX \in \mathbb{Z}[X]$
  Left arrow $X \mapsto \alpha_1$:  $\prod_j p_{1,j}^{e_{1,j}} = a - b\alpha_1 \in \mathbb{Z}[\alpha_1]$
  Right arrow $X \mapsto \alpha_2$:  $\mathbb{Z}[\alpha_2] \ni a - b\alpha_2 = \prod_j p_{2,j}^{e_{2,j}}$
  Bottom arrows $\alpha_1 \mapsto m \bmod N$ and $\alpha_2 \mapsto m \bmod N$, both into $\mathbb{Z}/N\mathbb{Z}$
Jeremie Detrey — Factoring integers with CADO-NFS 9 / 22
The Number Field Sieve
▶ Once enough relations have been collected, find a subset $S \subset R$ such that $\prod_{(a,b) \in S} (a - b\alpha_i)$ is a square in $\mathbb{Z}[\alpha_i]$, for both $i \in \{1, 2\}$
▶ Tantamount to finding a vector of the left kernel of the matrix over $\mathbb{F}_2$ formed by the exponents of the primes in the relations
Jeremie Detrey — Factoring integers with CADO-NFS 10 / 22
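The congruence-of-squares idea and the F2 left-kernel step above, as an added worked example (not code from these slides or from CADO-NFS). It runs the rational side only, i.e. Dixon's method rather than the full NFS: residues x^2 mod N that are smooth over a factor base are the relations, the left kernel of the exponent matrix over F2 picks a subset S whose product is a perfect square, and gcd(x − y, N) splits N. The toy modulus N = 1649 = 17 · 97 and the smoothness bound 30 are constructed for the example; the number fields, characters and algebraic square root are omitted.

```python
"""Congruence of squares driven by an F2 left kernel (rational side only).

Added illustration, not code from the slides or from CADO-NFS.  Toy modulus
N = 1649 = 17 * 97 and bound 30 are constructed for the example.
"""
from math import gcd, isqrt


def primes_up_to(bound):
    """Factor base: all primes <= bound (sieve of Eratosthenes)."""
    flags = [True] * (bound + 1)
    flags[0] = flags[1] = False
    for p in range(2, isqrt(bound) + 1):
        if flags[p]:
            for q in range(p * p, bound + 1, p):
                flags[q] = False
    return [p for p, f in enumerate(flags) if f]


def smooth_exponents(n, factor_base):
    """Exponent vector of n over factor_base, or None if n is not smooth."""
    exps = []
    for p in factor_base:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        exps.append(e)
    return exps if n == 1 else None


def collect_relations(N, factor_base, wanted):
    """Scan x = ceil(sqrt(N)), ceil(sqrt(N)) + 1, ... and keep every x whose
    residue x^2 mod N is smooth over the factor base: one relation per x."""
    rels = []
    x = isqrt(N) + 1
    while len(rels) < wanted:
        q = x * x % N
        exps = smooth_exponents(q, factor_base) if q else None
        if exps is not None:
            rels.append((x, exps))
        x += 1
    return rels


def left_kernel_f2(rows):
    """Left kernel over F2 of the matrix whose rows are exponent vectors
    (reduced mod 2).  Each row is packed into an int; a tag int records which
    original rows were XORed into it, so a row reduced to zero yields one
    kernel vector: its tag, with bit i set iff row i is in the dependency."""
    pivots = {}  # pivot bit position -> (row bits, tag)
    kernel = []
    for i, row in enumerate(rows):
        bits = sum(1 << j for j, e in enumerate(row) if e % 2)
        tag = 1 << i
        while bits:
            top = bits.bit_length() - 1
            if top not in pivots:
                pivots[top] = (bits, tag)
                break
            pbits, ptag = pivots[top]
            bits ^= pbits
            tag ^= ptag
        else:  # row reduced to zero: the tag is a dependency
            kernel.append(tag)
    return kernel


def factor_by_congruence(N, bound, extra=1):
    """Return a non-trivial factorization (p, q) of N, or None if every
    dependency gave x = +/-y mod N (then collect more relations)."""
    fb = primes_up_to(bound)
    rels = collect_relations(N, fb, len(fb) + extra)
    for tag in left_kernel_f2([exps for _, exps in rels]):
        chosen = [rels[i] for i in range(len(rels)) if tag >> i & 1]
        x, total = 1, [0] * len(fb)
        for xi, exps in chosen:
            x = x * xi % N
            total = [t + e for t, e in zip(total, exps)]
        y = 1
        for p, t in zip(fb, total):
            y = y * pow(p, t // 2, N) % N  # every t is even inside a dependency
        assert (x * x - y * y) % N == 0  # the congruence of squares holds
        for g in (gcd(x - y, N), gcd(x + y, N)):
            if 1 < g < N:
                return (g, N // g)
    return None


if __name__ == "__main__":
    print(factor_by_congruence(1649, 30))  # -> (17, 97)
```

With bound 30 the factor base has 10 primes, so 11 relations are collected; the first dependency found is {41, 43} (41^2 ≡ 2^5 and 43^2 ≡ 2^3·5^2 mod 1649), giving x = 41·43 ≡ 114, y = 2^4·5 = 80 and gcd(114 − 80, 1649) = 17. In the NFS the same kernel computation runs on exponent vectors of prime ideals from both number fields, which is what makes the square root step non-trivial.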
The Number Field Sieve
▶ Slight problem: no unique factorization of numbers in $\mathbb{Z}[\alpha_i]$ or $\mathcal{O}_{\mathbb{Q}(\alpha_i)}$
▶ However, $\mathcal{O}_{\mathbb{Q}(\alpha_i)}$ is a Dedekind domain: unique factorization of ideals into products of prime ideals
  • Prime ideals $\mathfrak{p}$ of $\mathbb{Z}[\alpha_i]$ given by integers (p, r) such that p is prime and $f_i(r) \equiv 0 \pmod p$
  • $\mathfrak{p}^e$ "divides" $\langle a - b\alpha_i \rangle$ iff $a - br \equiv 0 \pmod p$ and $p^e \mid N_i(a - b\alpha_i)$, where $N_i(a - b\alpha_i) = f_i(a/b)\, b^{\deg f_i}$ is called the norm of $a - b\alpha_i$

Diagram of the slide, written out (the factorizations into primes from the previous slide are crossed out and replaced by factorizations into prime ideals, up to units $u_i$):
  Top: $a - bX \in \mathbb{Z}[X]$
  Left arrow $X \mapsto \alpha_1$:  ~~$\prod_j p_{1,j}^{e_{1,j}} = a - b\alpha_1$~~, instead $\langle a - b\alpha_1 \rangle \subset \mathbb{Z}[\alpha_1]$ with $a - b\alpha_1 = u_1 \prod_j \mathfrak{p}_{1,j}^{e_{1,j}}$
  Right arrow $X \mapsto \alpha_2$:  ~~$a - b\alpha_2 = \prod_j p_{2,j}^{e_{2,j}}$~~, instead $\mathbb{Z}[\alpha_2] \supset \langle a - b\alpha_2 \rangle$ with $a - b\alpha_2 = u_2 \prod_j \mathfrak{p}_{2,j}^{e_{2,j}}$
  Bottom arrows $\alpha_1 \mapsto m \bmod N$ and $\alpha_2 \mapsto m \bmod N$, both into $\mathbb{Z}/N\mathbb{Z}$
Jeremie Detrey — Factoring integers with CADO-NFS 11 / 22
The Number Field Sieve
▶ Let's recap!
  • Sieving domain: coprime pairs (a, b) in $[-A, A] \times \,]0, A]$
  • Factor base $\mathcal{B}_i$: prime ideals $\mathfrak{p} = (p, r)$ of $\mathbb{Z}[\alpha_i]$ with $p \le B_i$
▶ For each (a, b) pair in the sieving domain:
  • Compute the norms $N_i(a - b\alpha_i) = f_i(a/b)\, b^{\deg f_i}$
  • Check if $N_i(a - b\alpha_i)$ is $B_i$-smooth (all its prime factors are ≤ $B_i$)
  • If both norms are smooth, then (a, b) is a relation
▶ We need more relations than elements of the factor bases:
  $\#R > \#\mathcal{B}_1 + \#\mathcal{B}_2$
Jeremie Detrey — Factoring integers with CADO-NFS 12 / 22
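The relation-collection recipe of the last three slides (factor bases of prime ideals (p, r), norms $b^{\deg f_i} f_i(a/b)$, and the "(p, r) divides ⟨a − bα_i⟩" test), as an added worked example that is not code from the slides or from CADO-NFS. The toy instance is constructed here: N = 1649, m = 41, f1 = X^2 − 32 (so f1(41) = 1649 ≡ 0 mod N) and the rational side f2 = X − 41, with both smoothness bounds set to 30 and A = 60. The linear algebra, characters and square-root steps are not included; the sign of the norm is dropped (a real implementation keeps it as an extra column).

```python
"""Toy NFS relation collection: prime-ideal factor bases, norms and smoothness.

Added illustration, not CADO-NFS code.  Instance constructed for the example:
N = 1649 = 17 * 97, m = 41, f1 = X^2 - 32, f2 = X - 41 (common root m mod N).
"""
from math import gcd

N = 1649
M = 41
F1 = [-32, 0, 1]  # X^2 - 32, coefficients low -> high; f1(41) = 1649 = N
F2 = [-41, 1]     # X - 41, the "rational" side; f2(41) = 0


def small_primes(bound):
    """Primes <= bound by trial division (fine for toy bounds)."""
    return [p for p in range(2, bound + 1)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def poly_eval(f, x):
    return sum(c * x ** i for i, c in enumerate(f))


def factor_base(f, bound):
    """Prime ideals of Z[alpha] as pairs (p, r): p prime <= bound, f(r) = 0 mod p.
    f is monic in this example, so there are no projective roots to add."""
    return [(p, r) for p in small_primes(bound)
            for r in range(p) if poly_eval(f, r) % p == 0]


def norm(f, a, b):
    """N(a - b*alpha) = b^deg(f) * f(a/b), computed exactly in Z."""
    d = len(f) - 1
    return sum(c * a ** i * b ** (d - i) for i, c in enumerate(f))


def ideal_factorization(f, fb, a, b):
    """Exponents of the prime ideals of fb in <a - b*alpha>, or None if the
    norm is not smooth over fb.  (p, r)^e divides <a - b*alpha> iff
    a - b*r = 0 (mod p) and p^e | N(a - b*alpha).  For coprime (a, b) and
    monic f at most one root r per p can match, so the whole p-part of the
    norm belongs to that single ideal."""
    n = abs(norm(f, a, b))
    if n == 0:
        return None
    exps = {}
    for p, r in fb:
        if (a - b * r) % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            exps[(p, r)] = e
    return exps if n == 1 else None


def collect_relations(A, bound1, bound2):
    """Scan the sieving domain [-A, A] x ]0, A] for coprime (a, b) whose two
    norms are both smooth.  Returns (relations, fb1, fb2); each relation is
    (a, b, ideal exponents on side 1, ideal exponents on side 2)."""
    fb1, fb2 = factor_base(F1, bound1), factor_base(F2, bound2)
    rels = []
    for b in range(1, A + 1):
        for a in range(-A, A + 1):
            if gcd(a, b) != 1:
                continue
            e1 = ideal_factorization(F1, fb1, a, b)
            if e1 is None:
                continue  # cheap side first: skip before computing the other norm
            e2 = ideal_factorization(F2, fb2, a, b)
            if e2 is not None:
                rels.append((a, b, e1, e2))
    return rels, fb1, fb2


if __name__ == "__main__":
    rels, fb1, fb2 = collect_relations(60, 30, 30)
    print(f"#B1 = {len(fb1)}, #B2 = {len(fb2)}, #R = {len(rels)}")
    print("enough relations (#R > #B1 + #B2):", len(rels) > len(fb1) + len(fb2))
    for a, b, e1, e2 in rels[:5]:
        print(f"(a, b) = ({a}, {b}): N1 = {norm(F1, a, b)}, N2 = {norm(F2, a, b)}")
```

On this instance the algebraic factor base is {(2,0), (7,2), (7,5), (17,7), (17,10), (23,3), (23,20)}: 3, 5, 11, 13, 19 and 29 contribute nothing because 32 is not a square modulo them. The pair (a, b) = (40, 1) is a relation with N1 = 1568 = 2^5 · 7^2 and N2 = −1, and the (p, r) test attributes the 7^2 to the ideal (7, 5), not (7, 2), because 40 ≡ 5 (mod 7); that attribution is exactly the information the exponent matrix over F2 needs per column. A real sieve (CADO-NFS's las) finds the same (a, b) by sieving rather than by trial-dividing every pair.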
The Number Field Sieve
① Polynomial selection: find suitable polynomials $f_1$ and $f_2$
② Factor base generation: build factor bases $\mathcal{B}_1$ and $\mathcal{B}_2$
③ Relation collection (a.k.a. sieving): build set of relations R
④ Filtering: build and simplify matrix from relations
⑤ Linear algebra: find vector of left kernel of the matrix over $\mathbb{F}_2$
⑥ Characters: deal with number-field-related technicalities (e.g., units)
⑦ Square root: compute elements $\gamma_1 \in \mathbb{Z}[\alpha_1]$ and $\gamma_2 \in \mathbb{Z}[\alpha_2]$ such that $\gamma_1(m)^2 \equiv \gamma_2(m)^2 \pmod N$
⑧ Profit!
Jeremie Detrey — Factoring integers with CADO-NFS 13 / 22
Back to CADO-NFS
▸ Each step is handled by a specific binary/script
▸ cadofactor.py: Python script to run the whole factorization
  → All NFS parameters in a single parameter file
▸ factor.sh: Bash script for simple factorizations
1. Polynomial selection: polyselect/polyselect2l
2. Factor base generation: sieve/makefb
3. Relation collection: sieve/{freerel,las}
4. Filtering: filter/{dup1,dup2,purge,merge,replay}
5. Linear algebra: linalg/bwc/bwc.pl
6. Characters: linalg/characters
7. Square root: sqrt/sqrt
[Figure: the steps above are driven either by the Python script plus a parameter file (scripts/cadofactor/cadofactor.py) or by the Bash script factor.sh]
Jeremie Detrey — Factoring integers with CADO-NFS 14 / 22
Let’s play!
▸ Requirements:
• GNU/Linux (or Mac OS X + Xcode)
• GCC 4.4 or later
• GMP 5 or later
• GNU Make and CMake 2.6.3 or later
• Python 3.2 or later
• SQLite 3, including Python bindings
• GNU Wget or cURL
• GNU Gzip
• GNU Bash
Jeremie Detrey — Factoring integers with CADO-NFS 15 / 22
Let’s play!
▸ Go and download CADO-NFS 2.1.1 from
  http://cado-nfs.gforge.inria.fr/
▸ Un-tar:
  $ tar xzvf cado-nfs-2.1.1.tar.gz
  $ cd cado-nfs-2.1.1
▸ Optional: tweak the build configuration (esp. for Mac OS X):
  $ cp local.sh.example local.sh
  $ vi local.sh
▸ Build:
  $ make
Jeremie Detrey — Factoring integers with CADO-NFS 16 / 22
  • f1 and f2 are irreducible and coprime over Q
  • they have a common root m ∈ Z/NZ:
    f1(m) ≡ 0 (mod N) and f2(m) ≡ 0 (mod N)
▸ In practice:
  • Take a linear polynomial for f2: this is called the "rational side"
  • Take a degree-d polynomial for f1, with d ∈ {4, 5, 6}: this is called the "algebraic side"
    f1(X) = f_{1,d} X^d + f_{1,d−1} X^{d−1} + ··· + f_{1,1} X + f_{1,0}
▸ Look for a polynomial f1 of degree d:
  • such that the norms N1(a − bα1) = f1(a/b)·b^d are as small as possible for the pairs (a, b) in the sieving domain
  • which has many roots modulo small primes
Jeremie Detrey — Factoring integers with CADO-NFS 18 / 22
Diving into details – Polynomial selection
▸ Two main steps:
  • Size optimization: find polynomials with small norm
  • Root optimization: translate/rotate the candidates so that they have many roots modulo small primes
▸ CADO-NFS parameters (tasks.polyselect.*):
  • degree: degree d of the polynomial f1
  • admin (default: 0): minimum value for the leading coefficient f_{1,d}
  • admax: maximum value for the leading coefficient f_{1,d}
  • incr (default: 60): force f_{1,d} to be a multiple of this smooth number
  • nrkeep: how many candidates to keep after the first step
  • adrange: split the search interval for f_{1,d} into ranges of this size
    → easy parallelization
▸ Best polynomial stored in:
  〈name〉.polyselect2.poly
Jeremie Detrey — Factoring integers with CADO-NFS 19 / 22
Diving into details – Relation collection
▸ For each (a, b) pair in the sieving domain:
  • Compute the norms Ni(a − bαi) = fi(a/b)·b^{di}, where di = deg fi
  • Check whether Ni(a − bαi) is Bi-smooth (all its prime factors are ≤ Bi)
  • If both norms are smooth, then (a, b) is a relation
▸ Special-q sieving:
  • Fix a prime ideal q = (q, ρ) of Z[α1]
  • The set of (a, b) pairs such that q divides 〈a − bα1〉 is a Euclidean lattice of Z^2
  • Compute a basis (u, v) of this lattice
  • Enumerate the lattice elements as pairs (a, b) = i·u + j·v with (i, j) ∈ [−I, I] × ]0, I]
  • One independent subtask for each special-q
    → easy parallelization
Jeremie Detrey — Factoring integers with CADO-NFS 20 / 22
Diving into details – Relation collection
▸ Example from c59:
  • Polynomials:
    f1(X) = 60·X^4 + 164823·X^3 + 2561101187·X^2 − 4872316534587·X − 9288039622841198
    f2(X) = 4827001309·X − 192616011406041
  • Special-q: (q, ρ) = (200003, 74941)
  • Sieving position: (a, b) = (−876877, 31)
▸ Is (a, b) a relation? Factor its norms:
  • Remove the small factors by sieving techniques (up to a bound B'i)
  • Co-factor the remaining parts only if they are not too large
    N1(a − bα1) = 34039772577219966371130285
    N2(a − bα2) = −10203782780419264
Jeremie Detrey — Factoring integers with CADO-NFS 21 / 22
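The following Python is an added example (not code from the slides or from CADO-NFS) that reproduces the c59 sieving position above: it evaluates both norms exactly, checks that (a, b) lies on the special-q lattice and recovers its (i, j) coordinates from a Lagrange-reduced basis, then strips the small primes the way the sieve would and reports the cofactor. The Lagrange reduction is a plain textbook implementation rather than what las does, and the smoothness bounds handed to check_pair are constructed, not the c59 parameters.

```python
# Polynomial pair of the c59 example from the slides, coefficients low degree first.
F1 = [-9288039622841198, -4872316534587, 2561101187, 164823, 60]  # algebraic side
F2 = [-192616011406041, 4827001309]                                # rational side
Q, RHO = 200003, 74941   # special-q (q, rho) from the slides
A, B = -876877, 31       # sieving position (a, b) from the slides

def norm(f, a, b):
    """N(a - b*alpha) = f(a/b) * b^deg(f), evaluated exactly over the integers."""
    d = len(f) - 1
    return sum(c * a**i * b**(d - i) for i, c in enumerate(f))

def in_special_q_lattice(a, b, q, rho):
    """(q, rho) divides <a - b*alpha_1> exactly when a ≡ rho*b (mod q)."""
    return (a - rho * b) % q == 0

def reduced_basis(q, rho):
    """Lagrange-reduce the basis (q,0), (rho,1) of {(a,b) : a ≡ rho*b (mod q)}."""
    u, v = (q, 0), (rho, 1)
    while True:
        if u[0]**2 + u[1]**2 < v[0]**2 + v[1]**2:
            u, v = v, u                       # keep v as the shorter vector
        nn, dot = v[0]**2 + v[1]**2, u[0]*v[0] + u[1]*v[1]
        k = (2*dot + nn) // (2*nn)            # round(dot / nn) without floats
        if k == 0:
            return u, v
        u = (u[0] - k*v[0], u[1] - k*v[1])

def lattice_coords(a, b, u, v):
    """Solve (a, b) = i*u + j*v (Cramer's rule); None if (a, b) is off the lattice."""
    det = u[0]*v[1] - u[1]*v[0]               # equals ±q
    i_num, j_num = a*v[1] - b*v[0], u[0]*b - u[1]*a
    if i_num % det or j_num % det:
        return None
    return i_num // det, j_num // det

def trial_divide(n, bound):
    """Strip the primes <= bound from |n| (the sieve's job); return (factors, cofactor)."""
    n, factors, p = abs(n), {}, 2
    while p <= bound and p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if 1 < n <= bound:                        # what is left is itself a prime <= bound
        factors[n], n = factors.get(n, 0) + 1, 1
    return factors, n

def check_pair(a, b, sieve_bounds, cofactor_bounds):
    """Per side: small factors, cofactor, and whether the cofactor is worth factoring
    further.  Both bound tuples are constructed here, not the c59 parameters."""
    out = []
    for f, sb, cb in zip((F1, F2), sieve_bounds, cofactor_bounds):
        factors, cof = trial_divide(norm(f, a, b), sb)
        out.append((factors, cof, cof <= cb))
    return out
```

Running check_pair on (A, B) shows the norms from the slide being split into sieved-out small primes and a cofactor; the special-q itself (200003) stays in the algebraic cofactor because it is above the sieving bound.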