
Factorization of integers: the quadratic sieve and the number field sieve


Adriana Moya

June 1, 2017

Abstract
A brief summary.

1 Introduction

2 The quadratic sieve


Suppose we are presented with a natural number $N$, which we know to be composite and would like to factor. The basic idea of the quadratic sieve algorithm is to find a solution of the congruence

\[ x^2 \equiv y^2 \pmod N. \tag{2.1} \]

If such a pair $x, y$ is found, then the greatest common divisor $d = \gcd(x - y, N)$ is computed by Euclid's algorithm. Of course, this factor can be a trivial divisor, but the probability that this factor is nontrivial is $1/2$. This is because if $p, q$ are different primes dividing $N$, then the probability that $p$ and $q$ both divide $x - y$ or both divide $x + y$ is $1/2$. That is, with probability $1/2$, $\gcd(x - y, N)$ is divisible by $p$ and not $q$ or by $q$ and not $p$, and so is a nontrivial factor of $N$.
To find a prime factorization of $N$, we can either iterate the method on the composite factors of $N$ or we can use the congruence (2.1) again to produce different factorizations of $N$ and so deduce $N$'s prime factorization.

2.1 The basic quadratic sieve algorithm

To solve (2.1) we consider the polynomial

\[ Q(a) = \left(\lfloor \sqrt{N} \rfloor + a\right)^2 - N. \tag{2.2} \]

The reason why this polynomial is used is that if $a$ is an integer, then

\[ \left(\lfloor \sqrt{N} \rfloor + a\right)^2 \equiv Q(a) \pmod N. \]

Suppose we could find a set of distinct integers $a_1, \dots, a_k$ such that $Q(a_1) \cdots Q(a_k)$ is a square; then for

\[ x = \left(\lfloor \sqrt{N} \rfloor + a_1\right) \cdots \left(\lfloor \sqrt{N} \rfloor + a_k\right), \qquad y^2 = Q(a_1) \cdots Q(a_k), \]

we would have
\[ x^2 \equiv y^2 \pmod N, \]
and we would have found a solution of (2.1). Thus, we've reduced the problem of factoring $N$ to finding sets $a_1, \dots, a_k$ of distinct integers with $Q(a_1) \cdots Q(a_k)$ a square.
We need an efficient way to determine our $a_i$, and to get a product of the $Q(a_i)$ to be a square. We need to factor each of the $Q(a_i)$ to check if the exponents of the prime factors of the product are even. To do so, we will search for integers $a$ such that the primes in the factorization of $Q(a)$ are small, and then impose that the sum of the exponents of every prime is even.
Focusing on the first item, we consider a bound $B$ and only concentrate on the values that factor completely with the primes smaller than that bound, in other words, the values which are $B$-smooth. To make $Q(a)$ small, we need to select $a$ close to $0$, so we set a bound $M$ and only consider values of $a$ over the sieving interval $[-M, M]$. We will discuss later how to take the bounds $B$ and $M$. Heuristics suggest we choose $B = L(N)^{1/2}$.
Now, let $a$ be in the sieving interval; then if some prime $p$ divides $Q(a)$,
\[ \left(\lfloor \sqrt{N} \rfloor + a\right)^2 \equiv N \pmod p. \]

So the primes in our factor base must be primes such that the Legendre symbol
\[ \left(\frac{N}{p}\right) = 1. \]

The sieving procedure works with the prime factors and prime powers of the elements we want to sieve, so if $p^k$ is a prime factor of $Q(a)$, then $p$ is also a prime factor of $Q(a + p)$. Indeed, since $Q$ is a polynomial with integer coefficients, if $a \equiv b \pmod{p^k}$, then $Q(a) \equiv Q(b) \pmod{p^k}$. To find the set of $a$'s where $p^k$ is a divisor of $Q(a)$, we need only to solve the quadratic congruence

\[ Q(a) \equiv 0 \pmod{p^k}, \tag{2.3} \]

and it is equivalent to solve

\[ x^2 \equiv N \pmod{p^k} \]

and take $a \equiv x - \lfloor \sqrt{N} \rfloor \pmod{p^k}$.
We see that if $p > 2$ (not being a factor of $N$) then $x^2 \equiv N \pmod{p^k}$ has two distinct solutions $x_1, x_2$ in $\mathbb{Z}_{p^k}$ and we set $a_1, a_2 \equiv x_1, x_2 - \lfloor \sqrt{N} \rfloor$. If $p = 2$ and $k \ge 3$, then $x^2 \equiv N \pmod{2^k}$ has four solutions if and only if $N \equiv 1 \pmod 8$. If $p = 2$ and $k = 2$ the congruence only has one solution when $N \equiv 1 \pmod 4$ and it is $x = 1$. Finally, if $p = 2$ and $k = 1$ we take $x = 1$ for all $N$.
For each $a$ in our sieving interval, we compute $\lfloor \log_2 Q(a) \rfloor$ and store these in locations indexed by $a$. Then for each of our prime powers $p^k$ we subtract $\lfloor \log_2 p \rfloor$ from the number in location $a$ if and only if $a \equiv a_1$ or $a_2 \pmod{p^k}$ (the special case of $p = 2$ is different so it has to be done before). After this sieving procedure, the numbers in the array, which had been initialized with the values $\lfloor \log_2 Q(a) \rfloor$, have been changed. We have subtracted $\lfloor \log_2 p \rfloor$ for each $p^k$ which is a divisor of $Q(a)$, and this for every one of the first $B$ primes with $\left(\frac{N}{p}\right) = 1$. Thus the residual number at location $a$ should be close to $0$ if $Q(a)$ is $B$-smooth.
Now, we have a set $a_1, \dots, a_k$ of integers satisfying that the prime decomposition of $Q(a_j)$ is of the form
\[ Q(a_j) = \prod_{i=1}^{K} p_i^{e_{ij}}, \qquad p_i \le B. \]

For each $j$, $1 \le j \le k$, consider the vector

\[ v(a_j) = (e_{1j}, \dots, e_{Kj}) \pmod 2. \]

We want a solution of the congruence

\[ v(a_1) + v(a_2) + \dots + v(a_k) \equiv (0, \dots, 0) \pmod 2, \]

because then the exponents of the primes in $Q(a_1) \cdots Q(a_k)$ will be even and it will be a square.
There are several ways to obtain a solution of that congruence; for example we can put all the vectors $v(a_i)$ on the columns of a matrix $M$, and then solve

\[ Mx \equiv 0 \pmod 2, \qquad x = (x_1, \dots, x_k). \]

To assure that this congruence has a solution, we need to find at least as many $a_i$ as there are primes in the factor base. So if $K$ is the number of primes in the factor base, with $K + 1$ values of $a$ in the sieving procedure we can find the set of $a_i$'s and we are done.
As we have seen, this leads immediately to a solution of the congruence (2.1) and a chance of factoring $N$.
How large should we choose the bound $B$? If we choose $B$ small, we have the advantage that we do not need many $B$-smooth residues to find a subset product that is a square. But the problem is that if $B$ is too small, we may not find any $B$-smooth numbers. So $B$ should be large enough that the $B$-smooth numbers are arriving with sufficient frequency. It turns out that this optimum value for the size of the factor base is

\[ B = \sqrt{L(N)}, \qquad \text{where } L(N) = e^{\sqrt{\log N \log \log N}}. \]

The optimum size of the factor base turns out to be the cube of this bound.
Some notes about the running time of the algorithm. With this optimum bound, the sieving time should be roughly three times the matrix reduction time. So this step runs in less than $O(B^3)$ time. Put this all together and we have an asymptotic running time for the QS of
\[ O\!\left(L(N)^{1 + o(1)}\right). \]

2.2 The Algorithm

We have explained the quadratic sieve algorithm. Let's put all the ideas together and write down the algorithm.

Algorithm 2.1. Input: Composite number $N$.

Output: Factorization of $N$.

1. Initialize:

   $B = \lfloor e^{\sqrt{\log N \log \log N}} \rfloor$.
   Check that $N$ is not a multiple of some prime $p \le B$.
   Find the primes $p \le B$ such that $\left(\frac{N}{p}\right) = 1$.

2. Sieve:

   List $\log_2 |Q(a)|$ for $a = -\lfloor \sqrt{N} \rfloor + 1$ to $a = \lfloor \sqrt{N} \rfloor$.
   Sieve the sequence for $p$ in the factor base.
   Write the pairs $(a, Q(a))$ in a set $S$ for all $Q(a)$ $B$-smooth.

3. Linear algebra:

   Prime factorization of $Q(a)$ for $(a, Q(a)) \in S$.
   Matrix $M$ of exponents of the factorization reduced mod 2.
   Solution of $Mx \equiv 0 \pmod 2$, and take the $a_i$ s.t. $x_i = 1$.

4. End:

   $X = (a_1 + \lfloor \sqrt{N} \rfloor) \cdots (a_k + \lfloor \sqrt{N} \rfloor) \pmod N$.
   $Y = \sqrt{Q(a_1) \cdots Q(a_k)} \pmod N$.
   $d = \gcd(X - Y, N)$.
   Return $d$.

We can find the algorithm implemented in Mathematica at the end of this work.
Some comments about the algorithm:

(1) At the beginning of the section we saw that if $(x, y)$ is a solution of the congruence (2.1) then the probability that $\gcd(x - y, N)$ is a nontrivial factor of $N$ is $1/2$. So in step 4 of the algorithm we can get $d = 1$ or $d = N$ with probability $1/2$. In this case, we compute another $X$ and $Y$ from another solution of the linear system $Mx \equiv 0 \pmod 2$ in step 3. We said before that for this system to have a solution it is sufficient that the number of elements in the set $S$ is at least the number of primes in the factor base plus 1. But now, if we want the system to have more than one solution, we have to find more $B$-smooth numbers to put in the set $S$. For example, if $K$ is the number of primes in the factor base and we sieve until there are $K + 11$ $B$-smooth numbers, then there will be at least 10 solutions of the system and so 10 different pairs $(X, Y)$ in step 4. The probability that all of them give a trivial factor is smaller than 1 over 1000.

(2) What happens if the input is a prime number? The algorithm works correctly but in step 4 we will always get $d = N$. So if we try the 10 possible solutions we've mentioned before and all of them give trivial factors of $N$, we can conclude that $N$ is prime.

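As an added example (Python; not the Mathematica implementation the paper refers to), the following code carries Algorithm 2.1 through end to end, including the extra relations of comment (1): a factor base of primes with $(N/p) = 1$, a logarithmic sieve over prime powers $p^k$ (roots mod $p$ by brute force, lifted to $p^k$ with Hensel's lemma; the prime 2 is sieved once, as a special case), trial-division confirmation of the candidates, Gaussian elimination over $\mathbb{F}_2$, and the final gcd. The function and parameter names are the example's own; the default bound $B$ is the heuristic of step 1 and the default $M$ is an assumption (the interval is capped at $|a| < \sqrt{N}$ as in step 2).

```python
from math import isqrt, gcd, log, log2, exp

def primes_upto(b):
    """Primes p <= b by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (b + 1)
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(b) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, b + 1, i)))
    return [i for i, f in enumerate(flags) if f]

def hensel_lift(roots, n, p, pk):
    """Lift the roots of x^2 = n (mod pk) to roots mod p*pk, for odd p not
    dividing n: x <- x - (x^2 - n) * (2x)^-1 (mod p*pk)."""
    pk *= p
    return [(x - (x * x - n) * pow(2 * x, -1, pk)) % pk for x in roots]

def smooth_exponents(v, base):
    """Exponent vector of v over [-1] + base, or None if |v| is not B-smooth."""
    exps = [1 if v < 0 else 0]
    v = abs(v)
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def dependencies_mod2(vectors):
    """Gaussian elimination over GF(2). Each vector is a bitmask of the odd
    exponents of one relation; returns bitmasks over the relation indices
    whose vectors sum to zero mod 2 (one for every dependent relation)."""
    pivots = {}                  # leading bit -> (reduced row, relations used)
    deps = []
    for idx, row in enumerate(vectors):
        combo = 1 << idx
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (row, combo)
                break
            prow, pcombo = pivots[lead]
            row ^= prow
            combo ^= pcombo
        else:
            deps.append(combo)   # the row vanished: this subset has even exponents
    return deps

def quadratic_sieve(N, B=None, M=None, extra=10):
    """Algorithm 2.1 for an odd composite N, with the extra relations of
    comment (1). Returns a nontrivial factor, or None if every dependency
    gave a trivial gcd."""
    s = isqrt(N)
    if s * s == N:
        return s
    if B is None:                # the heuristic bound of step 1
        B = int(exp((log(N) * log(log(N))) ** 0.5))
    if M is None:                # assumption: 20B, but keep |a| < sqrt(N)
        M = min(20 * B, s - 1)
    # Step 1: factor base = 2 and the primes p <= B with (N/p) = 1.
    base = []
    for p in primes_upto(B):
        if N % p == 0:
            return p
        if p == 2 or pow(N, (p - 1) // 2, p) == 1:
            base.append(p)
    # Step 2: sieve log2|Q(a)|, Q(a) = (s + a)^2 - N, over a in [-M, M].
    Q = lambda a: (s + a) ** 2 - N
    resid = [log2(abs(Q(a))) for a in range(-M, M + 1)]
    max_q = max(abs(Q(-M)), abs(Q(M)))
    for p in base:
        if p == 2:               # special case: subtract log2(2) = 1 once
            for a in range(-M, M + 1):
                if Q(a) % 2 == 0:
                    resid[a + M] -= 1
            continue
        roots, pk = [x for x in range(p) if (x * x - N) % p == 0], p
        while pk <= max_q:       # every prime power p^k up to max|Q(a)|
            for x in roots:
                first = -M + (x - s + M) % pk   # a = x - floor(sqrt N) (mod p^k)
                for a in range(first, M + 1, pk):
                    resid[a + M] -= log2(p)
            roots, pk = hensel_lift(roots, N, p, pk), pk * p
    # Step 3: a small residual marks a candidate; confirm it by trial
    # division and stop once K + 1 + extra relations are in hand.
    relations = []
    for a in range(-M, M + 1):
        if resid[a + M] < log2(B):
            e = smooth_exponents(Q(a), base)
            if e is not None:
                relations.append((a, e))
                if len(relations) >= len(base) + 1 + extra:
                    break
    masks = [sum(1 << i for i, v in enumerate(e) if v % 2) for _, e in relations]
    # Step 4: each dependency gives X^2 = Y^2 (mod N); try gcd(X - Y, N).
    for dep in dependencies_mod2(masks):
        X, exps = 1, [0] * (len(base) + 1)
        for i, (a, e) in enumerate(relations):
            if dep >> i & 1:
                X = X * (s + a) % N
                exps = [u + v for u, v in zip(exps, e)]
        Y = 1
        for p, e in zip([-1] + base, exps):
            Y = Y * pow(p, e // 2, N) % N
        d = gcd(X - Y, N)
        if 1 < d < N:
            return d
    return None
```

Because $-1$ is carried as the first entry of every exponent vector, negative values of $Q(a)$ on the left half of the interval are handled like any other prime; the threshold `log2(B)` on the residual is deliberately loose, since prime powers of 2 are not sieved and the trial division in step 3 rejects any false candidate.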
2.3 The Multiple Polynomial Quadratic Sieve algorithm

There is an improvement to the quadratic sieve that uses other polynomials instead of $Q(x)$ in the algorithm. The idea of the Multiple Polynomial Quadratic Sieve is to use several polynomials $Q$ so that the size of $Q(a)$ can be kept as small as possible. The idea is due to Peter Montgomery.
The quadratic polynomials are all of the form $Q(x) = Ax^2 + 2Bx + C$ with $A > 0$, $B^2 - AC > 0$ and such that $N \mid B^2 - AC$. This gives a congruence similar to the one before since

\[ AQ(x) = (Ax)^2 + 2ABx + AC = (Ax + B)^2 - (B^2 - AC) \equiv (Ax + B)^2 \pmod N. \]

Suppose that our sieving interval is $[-M, M]$. We wish to optimize $M$ and the value of $Q(x)$ over this interval, so it is therefore natural to center the interval at the minimum of the function $Q$, i.e. to sieve in the interval

\[ I = [-B/A - M, \; -B/A + M]. \]

To minimize the absolute value of $Q(x)$ observe that for $x \in I$ we have $Q(-B/A) \le Q(x) \le Q(-B/A + M)$, therefore we ask that $Q(-B/A) \approx -Q(-B/A + M)$, which is equivalent to

\[ A^2 M^2 \approx 2(B^2 - AC) \iff A \approx \frac{\sqrt{2(B^2 - AC)}}{M}. \]

Since we want this to be as small as possible, we will choose $A$, $B$ and $C$ such that $B^2 - AC = N$ itself, and the maximum of $|Q(x)|$ will then be

\[ \max |Q(x)| \approx \frac{B^2 - AC}{A} \approx M \sqrt{N/2}. \]

Observe that the values $Q(x)$ are of the same order of magnitude as the values of our initial polynomial, but we now add the freedom to switch polynomials as soon as the size becomes too large.
To summarize, we first choose an appropriate sieving length $M$. Then we choose $A$ close to $\sqrt{2N}/M$ such that $A$ is prime and $\left(\frac{N}{A}\right) = 1$. Then we find the solution of $B^2 \equiv N \pmod A$ and finally we set $C = (B^2 - N)/A$.
A heuristic analysis shows that using multiple polynomials speeds up the quadratic sieve method by roughly a factor $\frac{1}{2}\sqrt{\log N \log \log N}$.
There is actually another algorithm that may come into play and again improve on the quadratic sieve. This is the number field sieve, which we shall discuss in the next section.

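The polynomial selection just summarized, as an added example in Python (not the paper's code): the prime $A$ near $\sqrt{2N}/M$ with $(N/A) = 1$, the root $B$ of $B^2 \equiv N \pmod A$ (found by brute force here; a Tonelli-Shanks routine would be used for a large $A$), $C = (B^2 - N)/A$, and a check of the identity $AQ(x) = (Ax + B)^2 - N$ and of the size of $|Q(x)|$ over the interval centred at $-B/A$. The function names are the example's own; the comparison value `M * sqrt(N/2)` is the bound derived above.

```python
from math import isqrt

def is_prime(n):
    """Trial division; adequate for the sizes in this example."""
    if n < 2:
        return False
    return all(n % q for q in range(2, isqrt(n) + 1))

def mpqs_polynomial(N, M):
    """One Montgomery polynomial for N and half-interval M: the smallest prime
    A >= floor(sqrt(2N))/M with (N/A) = 1, the least B with B^2 = N (mod A),
    and C = (B^2 - N)/A, so that B^2 - A*C = N."""
    A = max(3, isqrt(2 * N) // M) | 1          # start at an odd candidate
    while not (is_prime(A) and pow(N, (A - 1) // 2, A) == 1):
        A += 2
    B = next(b for b in range(A) if (b * b - N) % A == 0)
    C = (B * B - N) // A                        # exact, since A | B^2 - N
    return A, B, C

def q_value(A, B, C, x):
    """Q(x) = A x^2 + 2 B x + C."""
    return A * x * x + 2 * B * x + C

def sieve_interval(A, B, M):
    """Integer points of [-B/A - M, -B/A + M], centred on the minimum of Q."""
    centre = -B // A
    return range(centre - M, centre + M + 1)

def check_polynomial(N, M):
    """Returns (A, B, C, max |Q(x)| over the interval, M*sqrt(N/2)), after
    verifying A*Q(x) = (A x + B)^2 - N at every x of the interval, which is
    what makes each Q(x) usable as a quadratic residue modulo N."""
    A, B, C = mpqs_polynomial(N, M)
    assert B * B - A * C == N
    worst = 0
    for x in sieve_interval(A, B, M):
        q = q_value(A, B, C, x)
        assert A * q == (A * x + B) ** 2 - N
        worst = max(worst, abs(q))
    return A, B, C, worst, M * (N / 2) ** 0.5
```

For the small $N = 260101$ of Section 3.2.5 and $M = 30$ this gives $A = 37$, $B = 18$, $C = -7021$; $A$ lands well above $\sqrt{2N}/M \approx 24$ because the next usable prime is far away at this size, so $\max|Q(x)|$ exceeds $M\sqrt{N/2}$ by a factor of about $2.5$, an effect that disappears for the $N$ the method is meant for.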
3 The Number Field Sieve


Today, the number field sieve (NFS) stands as the asymptotically fastest heuristic factoring algorithm we know for worst-case composite numbers.
The QS method would be faster still if the quadratic residues could be arranged to be smaller. An interesting thought in this regard is that it is not necessary that they be quadratic residues, only small! So, the basic idea is the same as in the quadratic sieve: by a sieving process we look for congruences modulo $N$ by working over a factor base, and then we do a Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$ to obtain a congruence of squares, hence hopefully a factorization of $N$. However, the congruences here will not be modulo $N$; they will be between pairs $\alpha, \varphi(\alpha)$ where $\alpha$ lies in a particular algebraic number ring.

3.1 The Number Field Sieve

We choose a number field $K = \mathbb{Q}(\theta)$ for some algebraic integer $\theta$, let $f(X) \in \mathbb{Z}[X]$ be the minimal monic polynomial of $\theta$, and let $d$ be the degree of $K$. Assume that we know an integer $m$ such that $f(m) \equiv 0 \pmod N$. Then we can define a ring homomorphism $\varphi$ from $\mathbb{Z}[\theta]$ to $\mathbb{Z}/N\mathbb{Z}$ by setting

\[ \varphi(\theta) = m \pmod N. \]

This homomorphism can be extended to the ring of integers of $K$, $\mathbb{Z}_K$, in the following way. Let $f = [\mathbb{Z}_K : \mathbb{Z}[\theta]]$ be the index of $\mathbb{Z}[\theta]$ in $\mathbb{Z}_K$. We may assume that $\gcd(f, N) = 1$, otherwise we have found a non-trivial factor of $N$. Hence $f$ is invertible modulo $N$, and if $u \in \mathbb{Z}$ is an inverse of $f$ modulo $N$, for all $\alpha \in \mathbb{Z}_K$ we can set
\[ \varphi(\alpha) = u\,\varphi(f\alpha) \]
since $f\alpha \in \mathbb{Z}[\theta]$.
Suppose we can find integers $a$ and $b$ such that $a + bm$ is a square in $\mathbb{Z}$, say $x^2$, and also such that $a + b\theta$ is a square in $\mathbb{Z}_K$, say $\beta^2$. We set $\varphi(\beta) \equiv y \pmod N$ and then,

\[ x^2 = a + bm = a + b\varphi(\theta) \equiv \varphi(a + b\theta) \equiv \varphi(\beta^2) \equiv \varphi(\beta)^2 \equiv y^2 \pmod N. \]

That is, we have found a pair of squares that are congruent mod $N$ and we may attempt to factor $N$ by computing $\gcd(x - y, N)$.
The above ideas constitute the strategy of NFS. We now discuss the basic setup that introduces the number ring and the homomorphism $\varphi$. Suppose we are trying to factor the number $N$, which is odd, composite, and not a power. Choose the degree $d$ of our polynomial. (We will later give a heuristic argument on how to choose $d$ so as to minimize the running time to factor $N$.) Let $m = \lfloor N^{1/d} \rfloor$, and write $N$ in base $m$ so that

\[ N = m^d + c_{d-1} m^{d-1} + \dots + c_0, \]

where each $c_j \in [0, m - 1]$. So we choose the polynomial $f(x)$ to be the base-$m$ expansion of $N$,
\[ f(x) = x^d + c_{d-1} x^{d-1} + \dots + c_0. \]
Then observe that $f(m) \equiv 0 \pmod N$. Let $\theta$ be an algebraic number that is a root of $f$. Our number ring will be $\mathbb{Z}[\theta]$. This is computationally thought of as the set of ordered $d$-tuples $(a_0, a_1, \dots, a_{d-1})$ of integers where the $a_i$'s are the coefficients of an element of $\mathbb{Z}[\theta]$ in the basis $\{1, \theta, \dots, \theta^{d-1}\}$. This polynomial may not be irreducible. Actually, this is an excellent situation in which to find ourselves, since if we have the nontrivial factorization $f(x) = g(x)h(x)$ in $\mathbb{Z}[x]$, then the integer factorization $N = g(m)h(m)$ is also nontrivial and then one has a factorization of $N$. If it is irreducible, we may continue with NFS and search for pairs $a, b \in \mathbb{Z}$ such that
\[ \prod (a + b\theta) = \beta^2, \quad \text{for some } \beta \in \mathbb{Z}[\theta], \]
\[ \prod (a + bm) = x^2, \quad \text{for some } x \in \mathbb{Z}. \]
This scenario will be promising only if we can find integers $a$ and $b$ that satisfy the conditions above. If the ring is a unique factorization domain, and if we know a basis for the units, then we could create exponent vectors for the algebraic integers $a + b\theta$ for all the small prime ideals of $\mathbb{Z}_K$ and repeat the method we used in the QS. That is, sieve for smooth integers of the form $a + bm$ and $a + b\theta$, and find a set of them such that when multiplied together they become a square of integers (for the $a + bm$) and a square of elements in $\mathbb{Z}[\theta]$ (for the $a + b\theta$).
This is the basic distinction between the general number field sieve and the special one (for the second one we know the units, class number, generators of small prime ideals, etc.).
We will start with the simplest case of NFS.

3.2 The Special NFS when h(K) = 1

In this subsection we will assume that the class number of the number field is 1, and then we will go into the details concerning the different parts of the algorithm. We will discuss how the factor base is constructed, how the sieving is performed, and how to find the square roots of an element in $\mathbb{Z}[\theta]$.
Recall that the class number of a number field is the order of the ideal class group $\mathrm{Cl}(\mathbb{Z}_K)$. So if the class number of $K$ is 1, then its ring of integers is a principal ideal domain.
In this section we will assume that $K$ has class number 1 and we know its prime ideals, say $\mathfrak{p}_i$. Since $\mathbb{Z}_K$ has class number equal to 1, we can put $\mathfrak{p}_i = g_i \mathbb{Z}_K$. Before we begin to see how to find the pairs $(a, b)$ let's give a rigorous definition of what it is to be $B$-smooth in $\mathbb{Z}_K$. Let $\alpha \in \mathbb{Z}_K$, and write
\[ \alpha \mathbb{Z}_K = \prod_i \mathfrak{p}_i^{v_i}, \]

where we assume that for all $i$, $v_i > 0$. We will say that $\alpha$ is $B$-smooth if $N_{K|\mathbb{Q}}(\alpha)$ is $B$-smooth, or in other words....
Consider $G$ the set of generators for the prime ideals $\mathfrak{p}$ above a prime $p \le B$, and $U$ the set of generators of the group of units of $K$. Then we can write $\alpha$ as
\[ \alpha = \prod_{u \in U} u^{\varepsilon_u} \prod_{g \in G} g^{\varepsilon_g}. \]

And if $\varphi(\alpha)$ is also $B$-smooth, then we have

\[ \varphi(\alpha) = \prod_{p \le B} p^{v_p}, \]

hence the congruence

\[ \prod_{u \in U} \varphi(u)^{\varepsilon_u} \prod_{g \in G} \varphi(g)^{\varepsilon_g} \equiv \prod_{p \le B} p^{v_p} \pmod N. \]

3.2.1 Sieve

The factor base is to consist of three parts; the first part is all the prime numbers up to $B$. The second and the third parts of the factor base are to consist of the set $G$ of generators for the prime ideals above the primes up to $B$, and a set $U$ of generators for the group of units. The pairs $(a, b)$ we are looking for need to satisfy these three conditions to be smooth.

1. $\gcd(a, b) = 1$.

2. $|a + bm|$ is $B$-smooth.

3. $a + b\theta$ is $B$-smooth.

By sieving on small primes, eliminate pairs $(a, b)$ divisible by a small prime. Then sieve for the elements $|a + bm|$ to be $B$-smooth using essentially the same sieving procedure as the one that we have described for the quadratic sieve. To sieve for $a + b\theta$ to be smooth, we need to study when a prime $p$ divides $N(a + b\theta)$.

Definition 3.1. If $\mathfrak{p}$ is a prime ideal above $p$, we call inertial degree, and we denote by $f_{\mathfrak{p}}$, the dimension of the $\mathbb{F}_p$-vector space $\mathbb{Z}_K/\mathfrak{p}$, that is
\[ f_{\mathfrak{p}} = \dim_{\mathbb{F}_p}(\mathbb{Z}_K/\mathfrak{p}). \]

Note that we have $N(\mathfrak{p}) = |\mathbb{Z}_K/\mathfrak{p}| = |\mathbb{F}_p|^{\dim_{\mathbb{F}_p}(\mathbb{Z}_K/\mathfrak{p})} = |\mathbb{F}_p|^{f_{\mathfrak{p}}} = p^{f_{\mathfrak{p}}}$.

Lemma 3.2. If $a$ and $b$ are coprime integers, then any prime ideal $\mathfrak{p}$ which divides $a + b\theta$ either divides the index $d = [\mathbb{Z}_K : \mathbb{Z}[\theta]]$ or is of degree 1.
3 THE NUMBER FIELD SIEVE 10

Proof. Let $p$ be the prime number below $\mathfrak{p}$, and suppose $p \mid b$; then $a \in \mathfrak{p} \cap \mathbb{Z}$, hence $p \mid a$, which is a contradiction since $a$ and $b$ are coprime. So $p \nmid b$. Now assume that $p \nmid d$, and let $b^{-1}$ be an inverse of $b$ modulo $p$ and $u$ be an inverse of $d$ modulo $p$. We have
\[ \theta \equiv -ab^{-1} \pmod{\mathfrak{p}}. \]
Hence, if $x \in \mathbb{Z}_K$, $dx \in \mathbb{Z}[\theta]$, so there exists a polynomial $P \in \mathbb{Z}[X]$ such that $x \equiv uP(-ab^{-1}) \pmod{\mathfrak{p}}$. So any element of $\mathbb{Z}_K$ is congruent to some integer modulo $\mathfrak{p}$, hence to an element of the set $\{0, 1, \dots, p - 1\}$; thus $\mathfrak{p}$ is a first degree prime ideal.

Prime ideals of degree 1 dividing a prime number $p$ and not dividing the index correspond to linear factors of $f(x)$ modulo $p$, i.e. roots of $f(x)$ in $\mathbb{F}_p$. This follows from the next result.

Lemma 3.3. Let $p$, $f$ and $\mathbb{Z}[\theta]$ be as above. If $f(c) \equiv 0 \pmod p$ then $I = (p, \theta - c)$ is a first degree prime ideal.

Proof. We want the homomorphism

\[ \psi : \mathbb{Z}[\theta]/I \to \mathbb{Z}/p\mathbb{Z}, \qquad \theta \mapsto c, \qquad z \mapsto z \pmod p \text{ for } z \in \mathbb{Z}, \]

to be an isomorphism. First, let $y \in \mathbb{Z}/p\mathbb{Z}$. We know that $1 \in \mathbb{Z}[\theta]/I$ and since $\psi$ is a homomorphism, $\psi(1) = 1$. Then $\psi(y) = \psi(1 \cdot y) = y\,\psi(1) = y$ and so $\psi$ is surjective.
Again let $x \in \mathbb{Z}[\theta]/I$ but assume $\psi(x) = 0$. Since $x$ is of the form $a_0 + a_1\theta + a_2\theta^2 + \dots + a_n\theta^n$, $a_i \in \mathbb{Z}$, if we take the element

\[ x_0 = a_0 + a_1 c + a_2 c^2 + \dots + a_n c^n \in \mathbb{Z}[\theta]/I \]

and we add and subtract it from $x$, we see that

\[ x = x - x_0 + x_0 = k_1 p + k_2 (\theta - c) \]

for some $k_1, k_2 \in \mathbb{Z}[\theta]$, so $x$ is an element of $I$, and we conclude that $\psi$ is injective.

Theorem 3.4. Let $K$, $f$ and $d$ be as above. For any prime $p$ not dividing $d$ one can obtain the prime decomposition of $p\mathbb{Z}_K$ as follows. Let
\[ f(x) \equiv \prod_{i=1}^{g} f_i(x)^{e_i} \pmod p \]
be the decomposition of $f$ into irreducible factors in $\mathbb{F}_p[x]$. Then

\[ p\mathbb{Z}_K = \prod_{i=1}^{g} \mathfrak{p}_i^{e_i}, \]

where $\mathfrak{p}_i = (p, f_i(\theta))$ and the residual index $d_i$ is equal to the degree of $f_i$.

If $p$ does not divide $d$, for any root $c_p \in \{0, 1, \dots, p - 1\}$ of $f(x)$ modulo $p$, we thus have the corresponding prime ideal of degree 1 above $p$, generated over $\mathbb{Z}_K$ by $(p, \theta - c_p)$. Since the extension is assumed to be a PID and since the norm is multiplicative, this implies that the factorization of numbers of the form $a + b\theta$ with $(a, b) = 1$ corresponds to the factorization of the norm of $a + b\theta$; then $a + b\theta \in \mathfrak{p}$ if and only if $p \mid a + bc_p$. Moreover, if $p \mid a + bc_p$, the $\mathfrak{p}$-adic valuation of $\alpha$ is equal to the $p$-adic valuation of $N(\alpha)$, which is simple to compute.
For $p$ dividing $d$, we can use a basis of $\mathfrak{p}$ with respect to $\theta$, where we may assume that $\theta$ is primitive. The basis will then be of the form

\[ (p, \; y\theta - c_p, \; \theta_2, \dots, \theta_{d-1}), \]

where $c_p$ and $y$ are integers with $y \mid p$ and the $\theta_i$ are polynomials of degree exactly $i$ in $\theta$. It is clear that $a + b\theta \in \mathfrak{p}$ if and only if $y \mid b$ and $a \equiv -bc_p/y \pmod p$. Observe that $p \mid b$ is impossible since, as before, it would imply $p \mid a$, hence $a$ and $b$ would not be coprime. It follows that $y = 1$, hence $a + b\theta \in \mathfrak{p}$ if and only if $a \equiv -bc_p \pmod p$, i.e. $p \mid a + bc_p$. Furthermore, $\theta - c_p \in \mathfrak{p}$ clearly implies that $f(c_p) \equiv 0 \pmod p$. The condition is therefore exactly the same as in the case $p \nmid d$.
Finally, in the sieving procedure we will compute once and for all the roots $c_p$ of the polynomial $f(x)$ modulo each prime $p \le B$, and sieve the elements $a + c_p b$ for $p \mid a + c_p b$, for every root $c_p$.

3.2.2 Matrix of exponent vectors

The second step of this algorithm, as in the quadratic sieve, is to find the factorization of every element we've obtained in the sieve. For the factorization of $a + bm$ in $\mathbb{Z}$ we do as always, but the factorization of $a + b\theta$ in $\mathbb{Z}_K$ is obtained as follows. For the primes $p \mid d$, there can be more than one prime ideal that corresponds to the same $c_p$; this is because the norm does not distinguish between the different ideals, as they have the same norm $p$. The easiest way to get around this is to not use those primes. (There is also an algorithm that can compute the $\mathfrak{p}$-adic valuations in this case, but it is not necessary.) So we focus on the primes such that $p \nmid d$. For these primes there is only one prime ideal $\mathfrak{p}$ above $p$ that corresponds to a given $c_p$. If we let $d'$ be the degree of $\mathfrak{p}$, the $\mathfrak{p}$-adic valuation of $a + b\theta$ is $v_p$, where $v_p$ is the $p$-adic valuation of $N(a + b\theta)$.
Once enough relations have been found it is straightforward to put the exponent vectors into a matrix reduced modulo 2 and find a subset of pairs $(a_i, b_i)$ such that
\[ \prod_i (a_i + b_i m) \text{ is a square in } \mathbb{Z}, \]
\[ \prod_i (a_i + b_i \theta) \text{ is a square in } \mathbb{Z}_K. \]

A method that can be used to find them is for example Gaussian elimination, but there are different algorithms that are more effective. For the current record factorization by the special number field sieve, $2^{1039} + 1$, the block Wiedemann algorithm (D. H. Wiedemann, Solving sparse linear equations over finite fields, IEEE Transactions on Information Theory 32(1):54-62, 1986) was used to find the right combination.

3.2.3 Square roots

When all the right combinations from the sieving and linear algebra steps have been found, one is left with a set $S$ satisfying that there exist $x \in \mathbb{Z}$ and $\beta \in \mathbb{Z}_K$ such that
\[ x^2 = \prod_{(a,b) \in S} (a + bm) \in \mathbb{Z}, \]
\[ \beta^2 = \prod_{(a,b) \in S} (a + b\theta) \in \mathbb{Z}_K. \]

With the homomorphism $\varphi$ from $\mathbb{Z}[\theta]$ to $\mathbb{Z}/N\mathbb{Z}$ as before, we have the congruence
\[ x^2 \equiv \prod_{(a,b) \in S} (a + bm) \equiv \prod_{(a,b) \in S} \varphi(a + b\theta) \equiv \varphi(\beta^2) \equiv \varphi(\beta)^2 \pmod N. \]

The square root of $\prod_{(a,b) \in S} (a + bm)$ can be computed as in the quadratic sieve. For the square root of the product of the elements in the number field we represent each element $a + b\theta$, $(a, b) \in S$, by its factors in $G$ and $U$. Then we sum all the exponents and take half of them, as
\[ \beta = \prod_{u \in U} u^{\frac{1}{2} e_u} \prod_{g \in G} g^{\frac{1}{2} e_g}. \]

Finally, applying $\varphi$ to $\beta$ we obtain $y = \varphi(\beta)$ and $x^2 \equiv y^2 \pmod N$.

3.2.4 Complexity

In the same way as for the quadratic sieve there has not yet come a rigorous proof of the actual running time of the special number field sieve. The heuristic asymptotic complexity for the running time of NFS is
\[ O\!\left(\exp\left(C \sqrt[3]{\log N \log \log N}\right)\right). \]

And the optimal choice for $d$ that minimizes the running time is
\[ d = \left( \frac{(3 + O(1)) \log N}{2 \log \log N} \right)^{1/3}. \]

3.2.5 Example

Given a large composite integer $N = r^e - s$, where $r$ and $s$ are small, start by finding a monic polynomial $f$ such that we can find $m \in \mathbb{Z}$ with $f(m) \equiv 0 \pmod N$. With the special form of $N$, this polynomial can be constructed in the following way: decide the degree $d$ and let $k = \lceil e/d \rceil$. Then put $t = s\,r^{kd - e}$ and

\[ f(x) = x^d - t, \qquad m = r^k. \]

It is clear that $f(m) = r^{kd - e} N$ is a small multiple of $N$. Since typically $d = 5$ and $s\,r^{kd - e}$ is small, $K$ is a simple field, i.e. it will not be difficult to find generators for ideals of small norm.
We summarize the algorithm by factoring the integer $N = 260101 = 510^2 + 1$. We choose $d = 2$, hence $k = \frac{2}{2} = 1$, $m = 510$ and $t = -510^{2 - 2} = -1$. So the polynomial we will work on is
\[ f(x) = x^2 + 1, \]
thus $K = \mathbb{Q}(i)$, which happens to be a field with class number equal to 1. The ring of integers of $\mathbb{Q}(i)$ is the ring of Gaussian integers $\mathbb{Z}[i]$, and the norm is $N(a + bi) = a^2 + b^2$. The homomorphism is

\[ \varphi : \mathbb{Z}[i] \to \mathbb{Z}/N\mathbb{Z}, \qquad i \mapsto 510. \]

We choose the factor bases with limit $B = 40$ and for the ideals we chose the first degree prime ideals with norm less than $B' = 55$. We found generators for all the first degree prime ideals, looking for the $c_p$ such that $f(c_p) \equiv 0 \pmod p$. The primes that are not in the table are the ones for which the polynomial $f$ does not factorize into a linear factor modulo $p$, and so they do not give any first degree prime ideal. The generators of the ideals are represented in the table with the corresponding pair $(p, c_p)$.

  (p, c_p)    Generator
  (2, 1)      1 + i
  (5, 2)      1 + 2i
  (13, 5)     3 + 2i
  (17, 4)     1 + 4i
  (29, 12)    5 + 2i
  (37, 6)     1 + 6i
  (41, 9)     5 + 4i
  (53, 23)    7 + 2i
We sieved with the values $-200 \le a \le 200$ and $1 \le b \le 54$. First we sieve to get $a + bm$ $B$-smooth and second we sieve to get the ideals $(a + bi)$ $B'$-smooth. To be sure that among the elements we find there is a product that gives a square, we need 12 from the factor base, 8 more from the ideals, and 2 more from the units. So we need 23 pairs $(a, b)$. After doing Gaussian elimination on the exponent vectors, the following set $S$ of pairs gives a square when multiplied together.

  (a, b)       a + bm   Factors            N(a + bi)   Factors     Ideal factorization
  (34, 19)     9724     2^2 11 13 17       1517        37 41       (-1)(i)(1 + 6i)(5 + 4i)
  (-70, 1)     440      2^3 5 11           4901        13^2 29     (i)(3 + 2i)^2 (5 + 2i)
  (-4, 1)      506      2 11 23            17          17          (i)(1 + 4i)
  (-2, 5)      2548     2^2 7^2 13         29          29          (i)(5 + 2i)
  (3, 1)       513      3^3 19             10          2 5         (-1)(i)(1 + i)(1 + 2i)
  (-5, 7)      3565     5 23 31            74          2 37        (1 + i)(1 + 6i)
  (3, 2)       1023     3 11 31            13          13          (3 + 2i)
  (-59, 2)     961      31^2               3485        5 17 41     (1 + 2i)(1 + 4i)(5 + 4i)
  (-102, 23)   11628    2^2 3^2 17 19      10933       13 29^2     (i)(3 + 2i)(5 + 2i)^2

This gives us the following squares in $\mathbb{Z}$ and $\mathbb{Z}[i]$:
\[ \prod_{(a,b) \in S} (a + bm) = \left(2^5 \cdot 3^3 \cdot 5 \cdot 7 \cdot 11^2 \cdot 13 \cdot 17 \cdot 19 \cdot 23 \cdot 31^2\right)^2 = 339597320942880^2, \]
\[ \prod_{(a,b) \in S} (a + bi) = \left(i^3 (-1)(1 + i)(1 + 2i)(3 + 2i)^2 (1 + 4i)(5 + 2i)^2 (1 + 6i)(5 + 4i)\right)^2 = (156017 - 110961i)^2. \]

Finally, the $x$ and $y$ we are looking for are
\[ x = 339597320942880 \pmod{260101} = 151328, \]
\[ y = \varphi(\beta) = \varphi(156017 - 110961i) = 156017 - 110961 \cdot 510 \pmod{260101} = 7824. \]
This gives us the results we wanted by using the Euclidean algorithm,
\[ \gcd(260101, 151328 + 7824) = 29, \qquad \gcd(260101, 151328 - 7824) = 8969. \]
And $8969 \cdot 29 = 260101$ is the decomposition in prime factors of $260101$.

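The computation of this subsection, redone in Python as an added example (the code is not the paper's; the constants $N$, $m$, $f(x) = x^2 + 1$, $B = 40$, $B' = 55$, the generator table and the nine pairs of $S$ are taken from the text). It recomputes the roots $c_p$ used to build the table of first-degree prime ideals (Section 3.2.1), factors each $a + bm$ over the rational primes and each $a + bi$ over the units $-1, i$ and the listed generators by exact division in $\mathbb{Z}[i]$, halves the summed exponents to obtain $\beta$ as in Section 3.2.3, applies $\varphi$, and takes the gcds. Function names are the example's own.

```python
from math import gcd

N, m = 260101, 510                    # N = 510^2 + 1, f(x) = x^2 + 1, phi(i) = m
B, B_ALG = 40, 55                     # rational bound B and ideal-norm bound B'
# the set S of the paper's table (constructed input from the text)
PAIRS = [(34, 19), (-70, 1), (-4, 1), (-2, 5), (3, 1), (-5, 7), (3, 2), (-59, 2), (-102, 23)]
# generators of the first-degree prime ideals (p, i - c_p), as listed in the paper
GENS = {2: (1, 1), 5: (1, 2), 13: (3, 2), 17: (1, 4), 29: (5, 2), 37: (1, 6), 41: (5, 4), 53: (7, 2)}
UNITS = [(-1, 0), (0, 1)]             # -1 and i generate the units of Z[i]

def primes_upto(b):
    return [p for p in range(2, b + 1) if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def roots_of_f_mod(p):
    """c in [0, p) with f(c) = c^2 + 1 = 0 (mod p); each gives a degree-1 prime above p."""
    return [c for c in range(p) if (c * c + 1) % p == 0]

def first_degree_primes(bound):
    """{p: roots c_p} for the primes p <= bound at which f has a linear factor."""
    return {p: roots_of_f_mod(p) for p in primes_upto(bound) if roots_of_f_mod(p)}

def gmul(u, v):
    """Product of Gaussian integers given as (re, im) pairs."""
    return (u[0] * v[0] - u[1] * v[1], u[0] * v[1] + u[1] * v[0])

def gdiv(z, g):
    """Exact quotient z / g in Z[i], computed as z * conj(g) / N(g); None if g does not divide z."""
    n = g[0] ** 2 + g[1] ** 2
    re, im = gmul(z, (g[0], -g[1]))
    return (re // n, im // n) if re % n == 0 and im % n == 0 else None

def rational_exponents(v, primes):
    """Exponent vector of v over [-1] + primes, or None if |v| is not smooth."""
    exps = [1 if v < 0 else 0]
    v = abs(v)
    for p in primes:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def algebraic_exponents(z):
    """Exponents of z = a + bi over (-1, i) followed by the generators in GENS.
    Each generator is divided out as often as possible; what remains must be a
    unit, otherwise z is not smooth over this factor base and None is returned."""
    exps = []
    for g in GENS.values():
        e = 0
        while (q := gdiv(z, g)) is not None:
            z, e = q, e + 1
        exps.append(e)
    unit_exps = {(1, 0): [0, 0], (-1, 0): [1, 0], (0, 1): [0, 1], (0, -1): [1, 1]}
    return unit_exps[z] + exps if z in unit_exps else None

def congruence_of_squares():
    """x and y = phi(beta) with x^2 = y^2 (mod N), built from the pairs in S."""
    primes = primes_upto(B)
    rat = [rational_exponents(a + b * m, primes) for a, b in PAIRS]
    alg = [algebraic_exponents((a, b)) for a, b in PAIRS]
    assert None not in rat and None not in alg             # every pair is smooth
    rat_sum = [sum(col) for col in zip(*rat)]
    alg_sum = [sum(col) for col in zip(*alg)]
    assert all(e % 2 == 0 for e in rat_sum + alg_sum)      # both products are squares
    x = 1
    for p, e in zip([-1] + primes, rat_sum):               # x = prod p^(e/2) mod N
        x = x * pow(p, e // 2, N) % N
    beta = (1, 0)
    for g, e in zip(UNITS + list(GENS.values()), alg_sum):  # beta = prod u^(e/2) g^(e/2)
        for _ in range(e // 2):
            beta = gmul(beta, g)
    y = (beta[0] + beta[1] * m) % N                         # y = phi(beta), i -> m
    return x, y

def factors_from(x, y):
    """The two gcds of the congruence of squares, sorted."""
    return sorted({gcd(x - y, N), gcd(x + y, N)})
```

The exponent halving fixes $\beta$ only up to sign, so the code may return $y \equiv -7824$ rather than $7824$; both give the same pair of gcds, $29$ and $8969$. The roots $c_p$ computed by `first_degree_primes(55)` reproduce the table exactly: the primes $\equiv 3 \pmod 4$ below $55$ have no root and so contribute no first-degree ideal.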
3.3 The Special Number Field Sieve when h(K) > 1

In this subsection we explain what modifications should be made to the above method in the case that $\mathbb{Z}_K$ is not a PID.
In this case we do not try to find generators of the prime ideals, but we look as before for algebraic integers with small coordinates in an integral basis, having very smooth norm. Let $\mathfrak{p}_1, \dots, \mathfrak{p}_r$ be the prime ideals of norm less than or equal to a certain bound $B$. We construct the $B$-smooth elements by looking for algebraic integers $a_i$ such that
\[ a_i \mathbb{Z}_K = \mathfrak{p}_1^{k_{1,i}} \cdots \mathfrak{p}_i^{k_{i,i}}. \]
More precisely, we first look for an algebraic integer $a_1$ whose decomposition gives $a_1 \mathbb{Z}_K = \mathfrak{p}_1^{k_{1,1}}$ and take $k_{1,1}$ equal to the order of $\mathfrak{p}_1$ in $\mathrm{Cl}(K)$. Then we look for another algebraic integer $a_2$ such that $a_2 \mathbb{Z}_K = \mathfrak{p}_1^{k_{1,2}} \mathfrak{p}_2^{k_{2,2}}$, where $k_{2,2}$ is the order of $\mathfrak{p}_2$ in $\mathrm{Cl}(K)/\mathfrak{p}_1$. We proceed in this way for each $\mathfrak{p}_i$ of norm less than or equal to $B$.
We can now replace the set $G$ of generators of the $\mathfrak{p}_i$ which was used in the case $h(K) = 1$ by the set of numbers $a_i$ in the following way.
We consider the matrix $M$ whose rows correspond to the prime ideals $\mathfrak{p}_i$ and whose columns correspond to the numbers $a_i$. Note that this matrix is upper triangular. Assume that $\alpha$ is $B$-smooth and that $\alpha \mathbb{Z}_K = \prod_i \mathfrak{p}_i^{v_i}$. Let $V$ be the column vector whose components are the $v_i$, and consider the components $\lambda_j$ of the vector $M^{-1} V$, that is

\[ \begin{aligned}
k_{1,1}\lambda_1 + k_{1,2}\lambda_2 + \dots + k_{1,r}\lambda_r &= v_1, \\
k_{2,2}\lambda_2 + \dots + k_{2,r}\lambda_r &= v_2, \\
&\;\;\vdots \\
k_{r,r}\lambda_r &= v_r.
\end{aligned} \]

Then observe that
\[ \alpha \mathbb{Z}_K = \prod_i \mathfrak{p}_i^{v_i} = \mathfrak{p}_1^{k_{1,1}\lambda_1} \cdots \mathfrak{p}_1^{k_{1,r}\lambda_r}\, \mathfrak{p}_2^{k_{2,2}\lambda_2} \cdots \mathfrak{p}_2^{k_{2,r}\lambda_r} \cdots \mathfrak{p}_r^{k_{r,r}\lambda_r} \]
\[ = \mathfrak{p}_1^{k_{1,1}\lambda_1} \left(\mathfrak{p}_1^{k_{1,2}} \mathfrak{p}_2^{k_{2,2}}\right)^{\lambda_2} \cdots \left(\mathfrak{p}_1^{k_{1,r}} \cdots \mathfrak{p}_r^{k_{r,r}}\right)^{\lambda_r} = a_1^{\lambda_1} a_2^{\lambda_2} \cdots a_r^{\lambda_r} \mathbb{Z}_K = \prod_j a_j^{\lambda_j} \mathbb{Z}_K. \]

Hence $\alpha = u \prod_j a_j^{\lambda_j}$ where $u$ is a unit, and we can proceed as in the algorithm above.

3.4 General Number Field Sieve

The general NFS is in practice the same algorithm as the special number field sieve, but when using a general $N$ there are several problems that arise through the steps of the algorithm. The first problem is that we can't assume anymore that $K$ is a simple field. Hence it is out of the question to compute explicit generators for prime ideals of small norm, a system of fundamental units, etc.
So we proceed as before, but instead of keeping relations between elements we keep relations between the prime ideals themselves.
As usual, in our factor base we take the prime ideals of degree 1 whose norm is less than or equal to $B$ and the prime ideals of norm less than or equal to $B$ which divide the index of the extension $K|\mathbb{Q}$. If the index is difficult to compute, we can use instead the prime ideals above primes $p \le B$ such that $p^2$ divides the discriminant of the polynomial $f$.
Using the same argument as in the SNFS, we can find pairs $(a, b)$ such that the integers $a + bm$ and $N(a + b\theta)$ are $B$-smooth and conclude that then the algebraic integer $a + b\theta$ is also $B$-smooth. The problem begins when we try to find a square element in this set of $B$-smooth algebraic integers. This is because the condition that the norm of $a + b\theta$ is a square in $\mathbb{Z}$ is not sufficient to make $a + b\theta$ a square in $\mathbb{Z}_K$. For example, if we were in $\mathbb{Z}[i]$ and consider the elements $(2 + i)$ and $(-1 + 2i)$, then
\[ (2 + i)(-1 + 2i) = i(2 + i)^2 \text{ is not a square in } \mathbb{Z}[i], \]
but $N((2 + i)(-1 + 2i)) = (4 + 1)(1 + 4) = 25$ is a square in $\mathbb{Z}$. The problem comes from the fact that the ring $\mathbb{Z}[\theta]$ may not be the full ring $\mathbb{Z}_K$ of integers in $\mathbb{Q}(\theta)$. Thus, even if $\sum_{(a,b) \in S} v(a + b\theta) \pmod 2$ is the zero vector, we may not have $\prod_{(a,b) \in S} (a + b\theta)\mathbb{Z}_K$ being the square of an ideal in $\mathbb{Z}_K$. Even if it is the square of an ideal $I$ in $\mathbb{Z}_K$, it may be that $\mathbb{Z}_K$ is not a principal ideal domain, so $I$ may not be principal. Fortunately, this difficulty can easily be overcome by using a trick due to L. Adleman (see Adleman).

3.4.1 Find square elements

Let us say that a non-zero algebraic number $y \in K$ is singular if $y\mathbb{Z}_K$ is the square of a fractional ideal. Let $S$ be the multiplicative group of singular numbers. If $U(K)$ is the group of units of $K$ (footnote 1), it is easy to check that we have an exact sequence

\[ 1 \to U(K)/U(K)^2 \to S/K^2 \to \mathrm{Cl}(K)[2] \to 1 \]

(footnote 2).

Footnote 1: A unit of a number field is an algebraic integer $x$ such that $1/x$ is in the ring of integers of $K$.
Footnote 2: The class group $\mathrm{Cl}(K)$ is the set of equivalence classes of fractional ideals, where $I$ and $J$ are equivalent if there exists $\alpha \in K$ such that $I = \alpha J$.

This exact sequence can be considered as an exact sequence of vector spaces over
F2 = Z/2Z. Let (r1 , r2 ) be the signature of K, i.e. r1 is the number of embeddings
of K whose image lie in R and 2r2 is the number of complex embeddings, so that
r1 + 2r2 = d. Then, using Dirichlets Theorem that says that U (K) is a finitely
generated abelian group of rank r1 + r2 1, and the parity of the number of roots
of unity in K, it is clear that

dimF2 U (K)/U (K)2 = r1 + r2 .

Morover, for any finite abelian group G, the exact sequence

1 G[2] G G G/G2 1.

where the map from G to G is squaring, shows that |G[2]| = |G/G2 | hence

dimF2 G[2] = rk2 (G)

where the 2-rank rk2 (G) of G is by definition equal to dimF2 G/G2 . Puting all this
together, we obtain

dimF2 (S/K 2 ) = r1 + r2 + rk2 (Cl(K)).

Hence, if we obtain more than $e = r_1 + r_2 + \mathrm{rk}_2(Cl(K))$ singular numbers which are
algebraic integers, a suitable multiplicative combination with exponents $0$ or $1$
will give an element of $\mathbb{Z}_K \cap K^{*2}$, i.e. a square in $\mathbb{Z}_K$ (an algebraic integer
which is the square of an element of $K$ is the square of an algebraic integer, since $\mathbb{Z}_K$ is
integrally closed).
Since in practice it is not possible to compute the number $\mathrm{rk}_2(Cl(K))$, we
wait until a suitable combination yields a square; if we do not obtain
a square, this simply means that our guess for $e$ is not large enough.

To find a combination of algebraic integers that gives a square, we choose a number
$r$ of prime ideals $\mathfrak{p}$ which do not belong to our factor base. A reasonable choice is
$r = 3e$, where $e = r_1 + r_2 + \mathrm{rk}_2(Cl(K))$ can be replaced by a suitable upper bound.
For example, we can choose for $\mathfrak{p}$ ideals of degree 1 above primes $p$ which are larger
than $B$, i.e. $\mathfrak{p} = (p, \theta - c_p)$ with $c_p$ a root of the defining polynomial modulo $p$.
Then the idea is to compute the generalized Legendre symbol $\left(\frac{a + b\theta}{\mathfrak{p}}\right)$,
defined for $x \in \mathbb{Z}_K \setminus \mathfrak{p}$ by

$$x^{(N(\mathfrak{p})-1)/2} \equiv \left(\frac{x}{\mathfrak{p}}\right) \pmod{\mathfrak{p}},$$

with values $\pm 1$; it is multiplicative in $x$ and equal to $1$ whenever $x$ is a square in
$\mathbb{Z}_K$ prime to $\mathfrak{p}$, so a product of $a + b\theta$ whose symbol is $-1$ at some $\mathfrak{p}$ is certainly not a square.
Each relation will be stored as a vector over $\mathbb{Z}/2\mathbb{Z}$ with $|E| + |P| + r$ components,
where $E$ is the set of prime ideals in our factor base and the last $r$ components record
whether each of the $r$ symbols equals $-1$. As soon as we have more
relations than components, by Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$ we can find an
algebraic number $x$ which is a singular integer and which is a quadratic residue
modulo our $r$ extra prime ideals. It follows that the element $x$ is quite likely a square.
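The following Python code is an added example, not part of the original text, showing how the
character columns are built and used. It works on a constructed toy field $K = \mathbb{Q}(\theta)$ with
$\theta^2 + 5 = 0$ (class number 2, so singular non-squares exist), with the prime-ideal exponent
vectors of the four relations $2$, $3$, $1 + \theta$, $1 - \theta$ written down by hand, the rational
side ($|P|$ columns) omitted, and the character primes taken as the first six degree-1 primes above 5.
The symbol at $\mathfrak{p} = (q, \theta - c_q)$ is evaluated as $\left(\frac{a + bc_q}{q}\right)$, as
in Exercise 4.3 below. Without the character columns the elimination reports $2$ alone and
$3(1+\theta)(1-\theta) = 18$ as "squares" (their ideals are squares); with them only the genuine
square $2 \cdot 3 \cdot (1+\theta)(1-\theta) = 36$ survives.

```python
"""Adleman's quadratic characters for the NFS, on a toy field (added example)."""
from typing import Dict, List, Sequence, Set, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small character primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def poly_eval(f: Sequence[int], c: int, q: int) -> int:
    """Evaluate f (coefficients low degree first) at c modulo q (Horner)."""
    acc = 0
    for coeff in reversed(f):
        acc = (acc * c + coeff) % q
    return acc


def legendre(x: int, q: int) -> int:
    """Legendre symbol (x/q) for an odd prime q, by Euler's criterion."""
    x %= q
    if x == 0:
        return 0
    return 1 if pow(x, (q - 1) // 2, q) == 1 else -1


def degree_one_primes(f: Sequence[int], bound: int, r: int) -> List[Tuple[int, int]]:
    """The first r degree-1 prime ideals (q, theta - c_q) with q > bound prime,
    found by looking for roots c_q of f modulo q."""
    found: List[Tuple[int, int]] = []
    q = bound + 1
    while len(found) < r:
        if is_prime(q):
            for c in range(q):
                if poly_eval(f, c, q) == 0:
                    found.append((q, c))
                    if len(found) == r:
                        break
        q += 1
    return found


def character_bits(a: int, b: int, chars: Sequence[Tuple[int, int]]) -> List[int]:
    """Extra Z/2Z coordinates of a + b*theta: bit 1 iff ((a + b*c_q)/q) = -1.
    theta = c_q modulo the ideal, so the symbol reduces to an ordinary Legendre symbol."""
    bits = []
    for q, c in chars:
        s = legendre(a + b * c, q)
        if s == 0:  # q divides a + b*theta: useless as a character, pick another prime
            raise ValueError(f"{q} divides the element; choose another character prime")
        bits.append(0 if s == 1 else 1)
    return bits


def gf2_dependencies(rows: Sequence[Sequence[int]]) -> List[Set[int]]:
    """Gaussian elimination over Z/2Z on bit vectors; returns the index sets of rows
    summing to zero, i.e. the subsets of relations whose product is a candidate square."""
    pivots: Dict[int, Tuple[int, int]] = {}  # leading column -> (reduced vector, row mask)
    deps: List[Set[int]] = []
    for i, row in enumerate(rows):
        vec = sum(bit << j for j, bit in enumerate(row))
        combo = 1 << i
        while vec:
            col = vec.bit_length() - 1
            if col not in pivots:
                pivots[col] = (vec, combo)
                break
            pvec, pcombo = pivots[col]
            vec ^= pvec
            combo ^= pcombo
        else:  # reduced to zero: the rows recorded in `combo` are dependent
            deps.append({k for k in range(len(rows)) if combo >> k & 1})
    return deps


# Constructed toy instance: K = Q(theta), theta^2 + 5 = 0.
F = [5, 0, 1]                                   # X^2 + 5, low degree first
# Algebraic factor base E: p2 = (2, theta - 1), p3 = (3, theta - 2), p3' = (3, theta - 1).
# Relations a + b*theta with their hand-computed prime-ideal exponent vectors over E.
RELATIONS = [(2, 0), (3, 0), (1, 1), (1, -1)]   # 2, 3, 1 + theta, 1 - theta
EXPONENTS = [[2, 0, 0], [0, 1, 1], [1, 1, 0], [1, 0, 1]]
EXPONENTS_MOD2 = [[e % 2 for e in row] for row in EXPONENTS]
CHAR_BOUND, R = 5, 6                            # character primes q > 5, six of them
CHARACTERS = degree_one_primes(F, CHAR_BOUND, R)


def square_candidates() -> List[Set[int]]:
    """Dependencies of the matrix [exponents mod 2 | character bits]."""
    rows = [EXPONENTS_MOD2[i] + character_bits(a, b, CHARACTERS)
            for i, (a, b) in enumerate(RELATIONS)]
    return gf2_dependencies(rows)


if __name__ == "__main__":
    print("character primes:", CHARACTERS)
    print("ideal-only dependencies:", gf2_dependencies(EXPONENTS_MOD2))
    print("with characters:", square_candidates())
```

The element $-4 + 2\theta = (1 + \theta)^2$ has all character bits zero, as a square must, while
$2$ is caught by the prime $29$, where $(2/29) = -1$. In a real run the exponent vectors come from
the sieve and the number of character columns is chosen as $r = 3e$ as above.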

3.4.2 Square roots

One of the most difficult problems of the general number field sieve, and one that
remains delicate in practice, is the problem of finding an algorithm to compute a square root $y$ of $x$.
We still have the exponent vectors for our numbers $a + b\theta$ whose product is the square
$x$. But unless we are working in a unique factorization domain it is not so
easy to use them. A brute-force method is to multiply out the huge product and
somehow take its square root.
An algorithm that solves this problem is the following.

Algorithm 3.5. 1. If $A(X)$ is the minimal polynomial of $x$, factor $A(X^2)$ in
$\mathbb{Z}[X]$. If $A(X^2)$ is irreducible, then $x$ is not a square and we terminate the
algorithm. Otherwise, let $A(X^2) = (-1)^d S(X)S(-X)$ for some $S \in \mathbb{Z}[X]$ monic
of degree $t = d$ (the sign only serves to make $S$ monic when $d$ is odd; see Exercise 4.5).

2. Let $S(X) = (X^2 - x)Q(X) + R(X)$ be the Euclidean division of $S(X)$ by
$X^2 - x$ in $K[X]$.

3. Write $R(X) = aX + b$ with $a$ and $b$ in $K$. Then the output is $y = -b/a$.

Indeed, if $y^2 = x$ then $A(y^2) = 0$, so one of $\pm y$ is a root of $S(X)$ as well as of
$X^2 - x$, hence of $R(X)$, which gives $\pm y = -b/a$; either sign is a square root of $x$.

Unfortunately, in our case, simply computing the polynomial $A(X)$ is already not
easy, and factoring $A(X^2)$ will be even more difficult, although it will be a polynomial
of degree 10, for example, with coefficients having several hundred thousand
digits.
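As an added example (not from the original text), the following Python code carries out steps 2
and 3 of Algorithm 3.5 with exact rational arithmetic in a general $K = \mathbb{Q}(\theta)$, $\theta$
a root of a monic irreducible $f \in \mathbb{Z}[X]$. Step 1, the factorization of $A(X^2)$ in
$\mathbb{Z}[X]$, is not implemented: the factor $S$ is supplied as constructed input and only the
identity $A(X^2) = (-1)^d S(X)S(-X)$ is checked. The worked instance is $K = \mathbb{Q}(\theta)$ with
$\theta^2 + 5 = 0$ and $x = -4 + 2\theta = (1 + \theta)^2$, whose minimal polynomial is
$A(X) = X^2 + 8X + 36$, so that $A(X^2) = (X^2 + 2X + 6)(X^2 - 2X + 6)$.

```python
"""Steps 2 and 3 of Algorithm 3.5 in K = Q(theta), with exact rational arithmetic
(added example; the factorization of step 1 is supplied, not computed)."""
from fractions import Fraction
from typing import List, Sequence, Tuple

Poly = List[Fraction]   # polynomial over Q, coefficients low degree first
Elt = List[Fraction]    # element of K as coordinates on 1, theta, ..., theta^(d-1)


def ptrim(p: Poly) -> Poly:
    """Drop leading zero coefficients in place, so that len(p) - 1 is the degree."""
    while p and p[-1] == 0:
        p.pop()
    return p


def padd(p: Poly, q: Poly) -> Poly:
    n = max(len(p), len(q))
    return ptrim([(p[i] if i < len(p) else Fraction(0)) + (q[i] if i < len(q) else Fraction(0))
                  for i in range(n)])


def pmul(p: Poly, q: Poly) -> Poly:
    if not p or not q:
        return []
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return ptrim(out)


def pdivmod(p: Poly, q: Poly) -> Tuple[Poly, Poly]:
    """Euclidean division p = quo * q + rem in Q[X] (q trimmed and nonzero)."""
    p = ptrim([Fraction(c) for c in p])
    quo = [Fraction(0)] * max(len(p) - len(q) + 1, 0)
    while p and len(p) >= len(q):
        coef, shift = p[-1] / q[-1], len(p) - len(q)
        quo[shift] = coef
        for i, b in enumerate(q):
            p[shift + i] -= coef * b   # the leading term cancels exactly
        ptrim(p)
    return ptrim(quo), p


class NumberField:
    """K = Q(theta), theta a root of the monic irreducible integer polynomial f."""

    def __init__(self, f: Sequence[int]):
        self.f = [Fraction(c) for c in f]
        self.d = len(f) - 1

    def elt(self, *coords) -> Elt:
        v = [Fraction(c) for c in coords]
        return v + [Fraction(0)] * (self.d - len(v))

    def add(self, x: Elt, y: Elt) -> Elt:
        return [a + b for a, b in zip(x, y)]

    def neg(self, x: Elt) -> Elt:
        return [-a for a in x]

    def mul(self, x: Elt, y: Elt) -> Elt:
        return self.elt(*pdivmod(pmul(x, y), self.f)[1])   # multiply, then reduce modulo f

    def inv(self, x: Elt) -> Elt:
        """Extended Euclid in Q[X]: s*x + t*f = g with g a nonzero constant (f irreducible)."""
        r0, r1 = list(self.f), ptrim(list(x))
        if not r1:
            raise ZeroDivisionError("inverse of 0 in K")
        s0, s1 = [], [Fraction(1)]            # invariant: s_i * x = r_i (mod f)
        while r1:
            q, r = pdivmod(r0, r1)
            r0, r1 = r1, r
            s0, s1 = s1, padd(s0, [-c for c in pmul(q, s1)])
        g = r0[0]
        return self.elt(*pdivmod([c / g for c in s0], self.f)[1])


def check_step1(A: Sequence[int], S: Sequence[int]) -> bool:
    """Verify A(X^2) = (-1)^d S(X) S(-X) in Z[X] (the sign makes S monic for odd d)."""
    d = len(A) - 1
    a_x2 = ptrim([Fraction(A[i // 2]) if i % 2 == 0 else Fraction(0) for i in range(2 * d + 1)])
    s = [Fraction(c) for c in S]
    s_neg = [c * (-1) ** i for i, c in enumerate(s)]
    return a_x2 == [(-1) ** d * c for c in pmul(s, s_neg)]


def sqrt_step(K: NumberField, S: Sequence[int], x: Elt) -> Elt:
    """Steps 2 and 3: reduce S(X) modulo X^2 - x in K[X] to R(X) = aX + b; return y = -b/a."""
    coeffs = [K.elt(c) for c in S]
    for i in range(len(coeffs) - 1, 1, -1):   # X^i = x * X^(i-2) modulo X^2 - x
        coeffs[i - 2] = K.add(coeffs[i - 2], K.mul(coeffs[i], x))
    a, b = coeffs[1], coeffs[0]
    return K.neg(K.mul(b, K.inv(a)))


# Constructed instance: K = Q(theta), theta^2 + 5 = 0, x = -4 + 2 theta = (1 + theta)^2,
# A(X) = X^2 + 8X + 36 the minimal polynomial of x, S(X) = X^2 + 2X + 6.
K = NumberField([5, 0, 1])
X_ELT = K.elt(-4, 2)
A_MIN, S_FACTOR = [36, 8, 1], [6, 2, 1]

if __name__ == "__main__":
    assert check_step1(A_MIN, S_FACTOR)
    y = sqrt_step(K, S_FACTOR, X_ELT)
    print("y =", y, " y^2 == x:", K.mul(y, y) == X_ELT)
```

The output is $y = -1 - \theta$, and $y^2 = -4 + 2\theta = x$ as required. The cost that matters in
the real algorithm is entirely in step 1, which this example sidesteps.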
A new idea that H. W. Lenstra has suggested is to look for $y$ of the form $y = \prod (a + b\theta)$,
with $(a, b)$ coprime and $a + b\theta$ smooth, but not necessarily $a + bm$. This has
the advantage that many more pairs $(a, b)$ are available, and also leads to a linear
system over $\mathbb{Z}/2\mathbb{Z}$.

4 Exercises
Exercise 4.1. Show that the problem of computing a square root modulo an arbitrary
integer $N$ is probabilistically polynomial time equivalent to the problem of
factoring $N$ in the following sense: if we have an algorithm for one of the problems,
then we can solve the other in probabilistic polynomial time.

For composite $N$ it is well known that a square root of a number $a$ modulo $N$
can efficiently be extracted if the factorization of $N$ is known. One simply computes
the square roots of $a$ modulo the prime-power factors of $N$ and combines the results
via the Chinese Remainder Theorem.

Conversely, pick a random $x$ mod $N$ coprime to $N$ (otherwise $\gcd(x, N)$ is already a
nontrivial factor) and use the square-root algorithm to compute some $y$ with $y^2 \equiv x^2 \pmod N$. Then

$$x^2 \equiv y^2 \pmod N, \qquad (4.1)$$

and we saw in the introduction of the factorization methods that if $x$ and $y$ satisfy
(4.1), then the probability that $\gcd(x - y, N)$ is nontrivial is at least $1/2$ (exactly $1/2$
when $N$ has two distinct prime factors). The point is that the algorithm only sees $x^2$, so
it cannot tell which of the square roots we hold, and $y \not\equiv \pm x$ happens with that probability. So the procedure
is simply to iterate this argument until we get a nontrivial factor of $N$, and then
recurse on the factors found.
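Both directions of the reduction, as an added example in Python (not from the original text). The
modulus is $N = pq$ with $p, q \equiv 3 \pmod 4$, so that a square root modulo $p$ is simply
$a^{(p+1)/4}$ and the oracle side needs no general Tonelli-Shanks; the oracle is constructed from
the known factorization and returns one of the four roots at random, which is all the
factoring side assumes about it. The sample primes are the Mersenne primes $2^{127} - 1$ and
$2^{89} - 1$, both $\equiv 3 \pmod 4$. The prime-power case of the exercise is not handled here.

```python
"""Square roots modulo N versus factoring N (added example for Exercise 4.1)."""
import random
from math import gcd
from typing import Callable, Optional, Tuple


def crt2(rp: int, p: int, rq: int, q: int) -> int:
    """The x modulo pq with x = rp (mod p) and x = rq (mod q), for coprime p and q."""
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)


def sqrt_mod_prime(a: int, p: int) -> int:
    """A square root of a modulo a prime p = 3 (mod 4): a^((p+1)/4), by Euler's criterion."""
    assert p % 4 == 3, "this shortcut needs p = 3 (mod 4)"
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a quadratic residue modulo p")
    return r


def make_sqrt_oracle(p: int, q: int, rng: random.Random) -> Callable[[int], int]:
    """Direction 1: knowing N = pq, square roots modulo N are easy. Take a root
    modulo p and modulo q and glue them with the CRT; which of the four roots comes
    back is chosen at random, which is all the factoring side may assume."""
    def oracle(a: int) -> int:
        rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
        if rng.random() < 0.5:
            rp = p - rp
        if rng.random() < 0.5:
            rq = q - rq
        return crt2(rp, p, rq, q)
    return oracle


def factor_with_sqrt_oracle(n: int, sqrt_oracle: Callable[[int], int],
                            rng: random.Random, max_tries: int = 128) -> Optional[Tuple[int, int]]:
    """Direction 2: pick a random x and ask for a root y of x^2 mod n. The oracle only
    sees x^2, so with probability 1/2 it returns y != +-x, i.e. congruence (4.1) with
    gcd(x - y, n) a nontrivial factor, because n | (x - y)(x + y) but divides neither."""
    for _ in range(max_tries):
        x = rng.randrange(2, n - 1)
        g = gcd(x, n)
        if g != 1:                            # x already shares a factor with n
            return (min(g, n // g), max(g, n // g))
        y = sqrt_oracle(x * x % n)
        if y % n not in (x, n - x):
            g = gcd(x - y, n)
            return (min(g, n // g), max(g, n // g))
    return None                               # probability 2^-max_tries


# Constructed moduli: the Mersenne primes M127 and M89, both = 3 (mod 4).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q


def demo(seed: int = 2017) -> Tuple[bool, Optional[Tuple[int, int]]]:
    """Build the oracle from the known factorization, sanity-check it on a known square,
    then factor N using nothing but the oracle."""
    rng = random.Random(seed)
    oracle = make_sqrt_oracle(P, Q, rng)
    a = 12345 ** 2 % N
    return oracle(a) ** 2 % N == a, factor_with_sqrt_oracle(N, oracle, rng)


if __name__ == "__main__":
    print(demo())
```

This is the argument behind Rabin-style schemes, where the ability to take square roots modulo
the public modulus is equivalent to factoring it; an implementation that returns a root of an
attacker-chosen square therefore leaks the private key after a couple of queries.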

Exercise 4.2. In the multiple polynomial version of the quadratic sieve factoring
algorithm, we have $AQ(x) \equiv y^2 \pmod N$ for some integer $y$, and not $Q(x)$ itself. Then
why do we take into account in the explanation the maximum of $|Q(x)|$ and not of
$|AQ(x)|$?

This is because we choose $A$ to be a square and $B$-smooth, so its contribution to the
exponent vectors is known in advance and even. To make the product of the $AQ(x)$
a square modulo $N$ we only have to sieve the polynomial $Q(x)$, and later put
the prime exponents of the $Q(x)$ in a matrix and do Gaussian elimination to make the product of the $Q(x)$
a square. The maximum of $|Q(x)|$ is what matters for the sieve procedure, since it bounds
the size of the values that have to be $B$-smooth.

Exercise 4.3. Let $\mathfrak{p} = (p, \theta - c_p)$ be a prime ideal of degree 1 in $\mathbb{Z}_K$, where $K = \mathbb{Q}(\theta)$.
If $x = a + b\theta \in \mathbb{Z}_K$, show that $\left(\frac{x}{\mathfrak{p}}\right) = \left(\frac{a + bc_p}{p}\right)$,
where $\left(\frac{x}{\mathfrak{p}}\right)$ is defined in Exercise 19 of Chapter 4.

Recall the definition of the generalized Legendre symbol:

$$x^{(N(\mathfrak{p})-1)/2} \equiv \left(\frac{x}{\mathfrak{p}}\right) \pmod{\mathfrak{p}}.$$

Note that if $\mathfrak{p}$ is a degree one prime ideal,

$$N(\mathfrak{p}) = |\mathbb{Z}_K/\mathfrak{p}| = p.$$

Hence, since $\theta \equiv c_p \pmod{\mathfrak{p}}$, we have $a + b\theta \equiv a + bc_p \pmod{\mathfrak{p}}$ and therefore

$$(a + b\theta)^{(N(\mathfrak{p})-1)/2} \equiv (a + bc_p)^{(p-1)/2} \pmod{\mathfrak{p}}.$$

The right-hand side is an integer congruent to $\left(\frac{a + bc_p}{p}\right)$ modulo $p$ by Euler's
criterion, and since $\mathbb{Z}_K/\mathfrak{p} \cong \mathbb{Z}/p\mathbb{Z}$, the two symbols (both equal to $\pm 1$) coincide.

Exercise 4.4. Prove that, as claimed in the text, if $S$ is the group of singular
numbers, the following sequence is exact:

$$1 \to U(K)/U(K)^2 \to S/K^{*2} \to Cl(K)[2] \to 1,$$

where $Cl(K)[2]$ is the subgroup of elements of $Cl(K)$ whose square is equal to the
identity.

Let $u \in U(K)$; then it is clear that $u$ is singular since

$$u\mathbb{Z}_K = \mathbb{Z}_K = (\mathbb{Z}_K)^2.$$

Consider the inclusion followed by reduction modulo $K^{*2}$,

$$\varphi : U(K) \to S/K^{*2},$$

and observe that $\ker \varphi = U(K)^2$ because $U(K) \cap K^{*2} = U(K)^2$: if a unit is $z^2$ with
$z \in K^*$, then $z$ is an algebraic integer whose inverse is also one, so $z \in U(K)$. So the first part
of the exact sequence is done. Now consider the map

$$\psi : S/K^{*2} \to Cl(K)[2], \qquad y \mapsto [I],$$

where $I$ is the fractional ideal with $y\mathbb{Z}_K = I^2$, which exists since $y$ is singular. It is clear
that for any singular algebraic number $y$ the class of $I$ lies in $Cl(K)[2]$, because
the square of $I$ is the principal ideal generated by $y$, so its class in
$Cl(K)$ is the identity. To see that the map is well defined, consider $y_1, y_2 \in S$
such that $y_1 \equiv y_2 \pmod{K^{*2}}$, i.e. $y_1 = z^2 y_2$ for some $z \in K^*$. If
$y_1\mathbb{Z}_K = I_1^2$ and $y_2\mathbb{Z}_K = I_2^2$, then

$$I_1^2 = (z\mathbb{Z}_K)^2 I_2^2,$$

and since fractional ideals factor uniquely into prime ideals, $I_1 = (z\mathbb{Z}_K) I_2$.
So $I_1$ and $I_2$ differ by a principal ideal and have the same class in $Cl(K)$.

To see that the map $\psi$ is surjective, consider a class in $Cl(K)[2]$ represented by an ideal $I$.
Its square is trivial in $Cl(K)$, so there exists some $y \in K^*$ such that $I^2 = y\mathbb{Z}_K$. Thus
$y$ is singular and the image of $y$ under $\psi$ is the class of $I$.

The last part of the exact sequence is to prove that the kernel of the map $\psi$ is
the image of the map $\varphi$.
First, let $u \in U(K)$; it is clear that

$$u\mathbb{Z}_K = \mathbb{Z}_K = (\mathbb{Z}_K)^2$$

and $\mathbb{Z}_K$ is a principal ideal, so the image of $u$ under $\varphi$ is in $\ker \psi$. Conversely,
let $y \in S$ be such that $\psi(y)$ is the identity class. Then the ideal
$I$ with $y\mathbb{Z}_K = I^2$ is principal, so there exists some $z \in K^*$ such that
$I = z\mathbb{Z}_K$. Hence

$$y\mathbb{Z}_K = z^2\mathbb{Z}_K,$$

so $u = y/z^2$ generates the unit ideal $\mathbb{Z}_K$, i.e. $u$ and $1/u$ are both algebraic integers, and
$u \in U(K)$. Thus $y = u z^2 \equiv u \pmod{K^{*2}}$ lies in the image of $\varphi$.

Exercise 4.5. Let $A(X)$ be an irreducible monic polynomial of degree $d$ in $\mathbb{Z}[X]$.

(a) Show that either $A(X^2)$ is irreducible in $\mathbb{Z}[X]$, or there exists an irreducible
monic polynomial $S \in \mathbb{Z}[X]$ such that $A(X^2) = (-1)^d S(X)S(-X)$ (the sign only
serves to make $S$ monic; for even $d$ it is simply $A(X^2) = S(X)S(-X)$).

(b) Prove the validity of Algorithm 3.5.

(a) Suppose $A(X^2)$ is not irreducible in $\mathbb{Z}[X]$, so there exists some irreducible monic polynomial
$S(X) \in \mathbb{Z}[X]$ of degree $r < 2d$ such that $S(X)$ divides $A(X^2)$. Then all the
roots $a_1, \dots, a_r$ of the polynomial $S(X)$ are also roots of $A(X^2)$. Hence the
opposites of these roots are also roots of $A(X^2)$ because

$$A(a_i^2) = 0 \implies A((-a_i)^2) = 0.$$

Note that the $a_i$ cannot be zero, because if so $A(0) = 0$ and $A(X)$ would not
be irreducible. The monic polynomial with roots $-a_1, \dots, -a_r$ is $(-1)^r S(-X)$; it is again
irreducible in $\mathbb{Z}[X]$ and divides $A(X^2)$. Since $A$ is irreducible over $\mathbb{Q}$ it is separable,
and as $A(0) \neq 0$ the polynomial $A(X^2)$ is separable too. Two monic irreducible divisors of a
squarefree polynomial are either equal or coprime. If $S(X) = (-1)^r S(-X)$, then $S$ is even or odd,
i.e. $S(X) = T(X^2)$ or $S(X) = X\,T(X^2)$ with $T \in \mathbb{Z}[X]$; the second case is excluded by
$A(0) \neq 0$, and in the first case $T$ would be a nontrivial factor of $A$ of degree $r/2 < d$, a
contradiction. Hence the two divisors are coprime and the product $S(X)S(-X)$
divides $A(X^2)$. Note that

$$S(X)S(-X) \in \mathbb{Z}[X^2],$$

say $S(X)S(-X) = (-1)^r T(X^2)$ with $T \in \mathbb{Z}[X]$ monic of degree $r$. Since $T(X^2)$ divides $A(X^2)$,
the polynomial $T(X)$ divides $A(X)$ (if $A = TQ' + R'$ with $\deg R' < \deg T$, then $R'(X^2)$ is the
remainder of $A(X^2)$ modulo $T(X^2)$, which is zero). Since $A(X)$ is irreducible and $T$ is monic of
positive degree, $T = A$, hence $r = d$ and

$$A(X^2) = T(X^2) = (-1)^d S(X)S(-X).$$

(b) ff

Exercise 4.6. For any finite abelian group $G$ and $n \geq 1$ show that

$$G[n] \cong G/G^n$$

(although this isomorphism is not canonical in general).
