Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download A Montgomery-like Square Root for the Number Field
Document related concepts
Approximations of π wikipedia , lookup
List of important publications in mathematics wikipedia , lookup
Vincent's theorem wikipedia , lookup
Elementary mathematics wikipedia , lookup
Quadratic reciprocity wikipedia , lookup
Fundamental theorem of algebra wikipedia , lookup
List of prime numbers wikipedia , lookup
Proofs of Fermat's little theorem wikipedia , lookup
Factorization of polynomials over finite fields wikipedia , lookup
Transcript
Algorithmic Number Theory { Proceedings of ANTS-III
(June 21{25, 1998, Portland, Oregon, USA)
J. Buhler (Ed.), vol. 1423 of Lecture Notes in Computer Science, pages 151{168
c Springer-Verlag (http://www.springer.de/comp/lncs/index.html)
A Montgomery-like Square Root for the
Number Field Sieve
Phong Nguyen
[email protected]
http://www.dmi.ens.fr/~pnguyen/
Ecole Normale Superieure
Laboratoire d'Informatique
45, rue d'Ulm
F - 75230 Paris Cedex 05
Abstract. The Number Field Sieve (NFS) is the asymptotically fastest
factoring algorithm known. It had spectacular successes in factoring numbers of a special form. Then the method was adapted for general numbers, and recently applied to the RSA-130 number [6], setting a new
world record in factorization. The NFS has undergone several modications since its appearance. One of these modications concerns the last
stage: the computation of the square root of a huge algebraic number
given as a product of hundreds of thousands of small ones. This problem was not satisfactorily solved until the appearance of an algorithm by
Peter Montgomery. Unfortunately, Montgomery only published a preliminary version of his algorithm [15], while a description of his own
implementation can be found in [7]. In this paper, we present a variant
of the algorithm, compare it with the original algorithm, and discuss its
complexity.
1 Introduction
The number eld sieve [8] is the most powerful known factoring method. It was
rst introduced in 1988 by John Pollard [17] to factor numbers of form x3 + k.
Then it was modied to handle numbers of the form re ? s for small positive
r and jsj: this was successfully applied to the Fermat number F9 = 2512 + 1
(see [11]). This version of the algorithm is now called the special number eld
sieve (SNFS) [10], in contrast with the general number eld sieve (GNFS) [3]
which
integers.
n in heuristic time
can handle 1arbitrary
GNFS factors1=integers
=
3
2=3
3
exp (cg + o(1)) ln n ln ln n with cg = (64=9) 1:9.
Let n be the composite integer we wish to factor. We assume that n is not a
prime power. Let Zn denote the ring Z=nZ. Like many factoring algorithms, the
number eld sieve attempts to nd pairs (x; y) 2 Z2n such that x2 y2 (mod n).
For such a pair, gcd(x ? y; n) is a nontrivial factor of n with a probability
of
P
d
1
j
at least 2 . The NFS rst selects a primitive polynomial f (X ) = j=0 cj X 2
Z[X ] irreducible over Z, and an integer m with f (m) 0 (mod n). Denote by
F (X; Y ) = Y df (X=Y ) in Z[X; Y ] the homogenous form of f . Let 2 C be a
2
root of f , and K = Q () be the corresponding number eld. There is a natural
ring homomorphism from Z[] to Zn induced by () m (mod n). We will
do as if mapped the whole K . If ever ( ) is not dened for some 2 K , then
we have found an integer not invertible in Zn, and thus, a factor N of n which
should not be trivial. If n0 = n=N is prime, the factorization is over, and if not,
we replace n by n0 , and by 0 induced by 0 () m (mod n0 ).
By means of sieving, the
several integer pairs (ai ; bi ) and a nite
Q NFS nds
? bi ) and Qi2S (aiQ? bi m) are squares in K
nonempty set S such that i2S (ai?Q
and in Z, respectively. We have i2S (ai ? bi ) i2S (ai ? bi m) (mod n);
therefore
13 2s
3
2 0s
Y
Y
4 @ (ai ? bi)A5 4 (ai ? bi m)5
2
i2S
2
i2S
(mod n)
after extracting the square roots, which gives rise to a suitable pair (x; y). The
NFS does
root of the
Q not specify how to evaluate these square roots. The square
prime
factorizainteger i2S (ai ? bi m) mod n can be found using the known
Q
tions of each ai ? bi m. But extracting the square root of i2S (aiQ? bi ) is much
more complicated and is the subject of this paper. We note = i2S (ai ? bi ):
The following facts should be stressed:
{ the cardinality jS j is large, roughly equal to the square root of the run time
of the number eld sieve. It is over 106 for n larger than 100 digits.
{ the integers ai; bi are coprime, and t in a computer word.
{ the prime factorization of each F (ai ; bi) is known.
{ for every prime number p dividing cd or some F (ai; bi ), we know the set R(p)
consisting of roots of f modulo p, together with 1 if p divides cd .
The remainder of the paper is organized as follows. In Section 2, we review
former methods to solve the square root problem, one of these is used in the
last stage of the algorithm. Section 3 presents a few denitions and results. In
Section 4, we describe the square root algorithm, which is a variant of Montgomery's original algorithm, and point out their dierences and similarities. We
discuss its complexity in Section 5. Finally, we make some remarks about the
implementation in Section 6, and the appendix includes the missing proofs.
2 Former methods
UFD method. If is an algebraic integer and the ring Z[] is a unique factorization domain (UFD), then each ai ? bi can be factored into primes and units,
and so can be , which allows us to extract a square root of . Unfortunately,
the ring Z[] is not necessarily a UFD for the arbitrary number elds GNFS encounters. And even though Z[] is a UFD, computing a system of fundamental
units is not an obvious task (see [4]). The method was nevertheless applied with
success to the factorization of F9 [11].
3
Brute-force method. One factorizes the polynomial P (X ) = X ? over
K [X ].
2
To do so, one has to explicitly write the algebraic number , for instance
by expanding the product: one thus gets the (rational) coecients of as a
polynomial of degree at most d ? 1 in . But there are two serious obstructions:
the coecients that one keeps track of during the development of the product
have O(jS j) digits. Hence, the single computation of the coecients of can
dominate the cost of the whole NFS. And even if we are able to compute , it
remains to factorize P (X ).
One can overcome the rst obstruction by working with integers instead of
rationals: let f^(X ) be the monic polynomial F (X; cd ), and ^ be the algebraic
integer cd which is a root of f^. If is a square in K then 0 = c2ddjSj=2e f^0 (^)2 is a square in Z[^], where f^0 denotes the formal derivative of f^. It has integral
coecients as a polynomial of degree at most d?1 in ^, and these can be obtained
with the Chinese Remainder Theorem, using several inert primes (that is, f is
irreducible modulo this prime) if there exist inert primes (which is generally
true). This avoids computations with very large numbers. However, one still has
to factorize the polynomial Q(X ) = X 2 ? 0 ; whose coecients remain huge, so
the second obstruction holds. Furthermore, a large number of primes is required
for the Chinese Remainder Theorem, due to the size of the coecients.
Couveignes's method. This method overcomes the second obstruction. If f
has odd degree d, Couveignes [5] remarks that one is able to distinguish
the two
p
square roots of any square in K , by specifying its norm. Let 0 be the square
root with positive
norm. Since the prime factorization of N ( 0 ) is known, the
p
0
integer
any prime q. If q is inert
p N ( ) can be eciently computed modulo (mod
q). From the Chinese
then 0 (mod q) can be computed after expanding 0 p
Remainder Theorem, one recovers the coecients of 0 2 Z[^]. One can show
that the complexity of the algorithm is at best O(M (jS j) ln jS j), where M (jS j)
is the time required to multiply two jS j-bit integers. The algorithm appears to
be impractical for the sets S now in use, and it requires an odd degree.
Montgomery's strategy [15, 14, 7] can be viewed as a mix of UFD and bruteforce methods. It bears some resemblance to the square root algorithm sketched
in [3] (pages 75-76). It works for all values of d, and does not make any particular
assumption (apart from the existence of inert primes) about the number eld.
3 Algebraic preliminaries
Our number eld is K = Q () = Q (^ ), where is an algebraic number and
^ = cd is an algebraic integer. Let O be its ring of integers, and I be the abelian
group of fractional ideals of O. For x1 ; : : : ; xm 2 K , we note < x1 ; : : : ; xm >
the element of I generated by x1 ; : : : ; xm . For every prime ideal p, we denote
by vp the p-adic valuation that maps I to Z. We dene the
Q numerator and
denominator of I 2 I to be the integral ideals numer(I ) = vp (I )>0 pvp (I ) and
Q
denom(I ) = vp (I )<0 p?vp (I ) . We denote the norm of an ideal I by N (I ), and
4
Q
the norm of an algebraic number x 2 K by NK (x) = 1id i (x), i denoting
the d distinct embeddings of K in C . We dene the complexity of I 2 I to be
C (I ) = N (numer(I ))N (denom(I )); and we say that I is simpler than J when
C (I ) C (J ). We say that a fractional ideal I is a square ifpthere exists
J2I
such that J 2 = I . Such a J is unique and will be denoted I . If pv11 : : : pvmm is
the prime ideal factorization
I is a square if and only if every vi is
p of I vthen:
=
2
1
even; if I is a square, then I = p1 : : : pvmm =2 ; if x is a square in K , then so is
<x> in I . We follow the notations of [3] and recall some results. Let R be an
order in O. By a \prime of R" we mean a non-zero prime ideal of R. We denote
by flp;R : K ! Zgp the unique collection (where p ranges over the set of all
primes of R) of group homomorphisms such that:
{ lp;R(x) 0 for all x 2 R; x 6= 0;
{ if x is a non-zero element of R, then lp;R(x) > 0 if and only if x 2 p;
{ for
Y eachlpx;R(2x) K one has lp;R(x) = 0 for all but nitely many p, and
N (p)
= jNK (x)j; where p ranges over the set of all primes of R.
p
lp;O (x) coincide with vpP
( < x > ). Let i = cd d?1?i + cd?1 d?2?i + + ci+1 .
?2 i Z is an order of O, which is in fact Z[] \ Z[?1].
We know that A = Z + id=0
Its discriminant (A) is equal to (f ) and we have:
(d?1)(d?2)
2
[
(Z[^]) = c(dd?1)(d?2)(A);
[O : Z[^]] = cd
O : A]:
Recall that for any prime number p, R(p) is dened as the set consisting of roots
of f modulo p, together with 1 if p divides cd. Note that this R(p) is denoted
R0 (p) in [3]. The pairs consisting of a prime number p and an element r 2 R(p)
are in bijective correspondence with the rst degree primes p of A:
{ if r 6= 1 then p is the intersection of A and the kernel of the ring homomorphism p;r : Z[] ! Fp that sends to r.
{ if r = 1 then p is the intersection of A and the kernel of the ring homomorphism p;1 : Z[?1] ! Fp that sends ?1 to 0.
Let p be a prime number, r an element of R(p) and a, b be coprime integers. If
a br (mod p) and r 6= 1, or if b 0 (mod p) and r = 1, we dene ep;r (a; b) =
vp (F (a; b)) where vp denotes the ordinary pQ-adic valuation. Otherwise, we set
ep;r (a; b) = 0. We have NK (a ? b) = c1d p;r pep;r (a;b) ; the product ranging
over all pairs p, r with p prime and r 2 R(p). Furthermore, for any coprime
integers a, b and any rst degree prime p of A corresponding to a pair p, r 2 R(p),
we have:
e (a; b)
1
lp;A (a ? b) = ep;r (a; b) ? v (c ) ifif rr 6=
=1
p;r
p d
Theorem 1. Let a and b be coprime integers, and p be a prime number. Let p
be a prime ideal of O above p such that vp ( <a ? b> ) 6= 0. If p does not divide
[O : A] then:
5
1. For every r 2 R(p), there is a unique prime ideal pr of O that lies over the
rst degree prime ideal qr of A corresponding to the pair p, r. pr is a rst
degree prime ideal, given by pr = <p; 0 ? p;r (0 ); : : : ; d?2 ? p;r (d?2 ) > :
Furthermore, we have vpr ( <a ? b> ) = lqr ;A (a ? b).
2. There is at most one nite r 2 R(p) such that ep;r (a; b) 6= 0:
3. If p does not divide cd, such a nite r exists and p = pr .
4. If p divides cd, then either p is p1 , or pr for r nite.
5. p divides F (a; b) or cd .
Proof. Let r 2 R(p) and qr be the rst degree prime ideal of A corresponding to
the pair p,r. Since
P p does not divide [O : A], we have from [3] (Proposition 7.3,
pages 65-66): pr jqr f (pr =qr ) = 1; where pr ranges over all primes of O lying
over qr and f denotes the residual degree. This proves that pr is unique and is
a rst degree prime ideal. From [3] (Proposition 7.2, page 65), we also have:
lqr ;A (a ? b) =
X
p0 jqr
f (p0 =qr )lp0 ;O (a ? b) = lpr ;O (a ? b):
Hence, vpr (a ? b) = lqr ;A (a ? b). Moreover, we know a Z-basis for any ideal
qr of A, namely (p; 0 ? p;r (0 ); : : : ; d?2 ? p;r (d?2 )): Since pr lies over qr ,
this Z-basis is a system of O-generators for pr . We therefore proved 1. From the
denition of i , one sees that i = ci ?1 + ci?1?2 + + c0 ?i?1 ; which proves
that p;1 (i ) = 0. This simplies the formula when r = 1. One obtains 2 from
the denition of ep;r . Denote by q the intersection of p and A. q is a prime of
A and p lies over q. We have lq;A (a ? b) 6= 0 since vp (a ? b) 6= 0. From [3]
(page 89), this proves that q is a rst degree prime ideal of A. Hence, there exists
r 2 R(p) such that q = qr . From 1, this proves that p = pr . This r is nite or
innite, and if r is nite, it is the r of 2. This proves 3 and 4. From the formula
expressing lq;A (a ? b) in terms of ep;r (a; b), we obtain 5.
ut
4 The square root algorithm
We
that we want to compute a square root of the algebraic number =
Q recall
(
a
?
i2S i bi ): The algorithm is split as follows:
1. Transform in order to make < > simpler. The running time of the rest
of the algorithm
heuristically depends on C ( < > ).
p
2. Compute < > from the prime ideal factorization of < > given by the
prime factorization
of each
F (ai ; bi ).
p
p
3. Approximate from < > : using lattice reductions, construct a sequence of algebraic
Q integers 1; : : : ; L in O and signs s1; : : : ; sL in f1g
such that = L`=1 `?2s` is a \small" algebraic integer. Qcan be thought
as the square of the \guessing-error" inpthe approximation L`=1 `s` of p .
4. Since is a square, so is . Compute using brute-force method. One is
able to explicitly write because is a \small" algebraic integer.
6
We thus obtain p as a product of algebraic integers with exponents 1:
L
p = p Y
s` :
`=1
`
This enables to compute (p ) without explicitly calculating p , and hopefully
some factors of n.
Although formalized dierently, Montgomery's algorithm uses the same strategy. Only the steps change. We use another heuristic approach in Step 1, which
seems to be more eective in practice. We use a new process in Step 2, derived
from Section 3. Montgomery used a process which was as ecient, but only
heuristic. Step 3 is the core of the algorithm. We modied this step by using the
integral basis in a systematic manner, instead of the power basis. This simplies
the algorithm and the proofs. Heuristically, this should also improve the performances. We postpone the computation of the error in Step 4, while Montgomery
included it in Step 3, by updating the computations during the approximation.
This decreases the running-time because it is easier to estimate the necessary
computations when Step 3 is over, and sometimes, Step 4 can be avoided (when
the approximation is already perfect, which can be checked without additional
computations). The new algorithm might be more suited to analysis, but like
Montgomery's algorithm, its complexity has yet to be determined, even though
they both display signicantly better performances than former methods.
4.1 Computing in the number eld
The ring of integers. During the whole algorithm, we need to work with
ideals and algebraic integers. We rst have to compute an integral basis of O.
In general, this is a hopeless task (see [13, 2] for a survey), but for the number
elds NFS encounters (small degree and large discriminant), this can be done
by the so-called round algorithms [16, 4]. Given an order R and several primes
pi , any round algorithm will enlarge this order for all these primes so that the
new order Rb is pi -maximal for every pi . If we take for the pi all the primes
p such that p2 divides (R), then Rb = O. To determine all these primes, a
partial factorization of (R) suces, that is a factorization of the form df 2
where d is squarefree and f is factorized. Theoretically, a partial factorization is
as hard to nd as a complete factorization and unfortunately, the discriminant
is sometimes much larger than the number n we wish to factor. However, if one
takes a \random" large number, and one removes all \small" prime factors from
it (by trial division or by elliptic curves [12]), then in practice the result is quite
likely to be squarefree. Furthermore, even in the case Rb 6= O, it will be true
that Rb has almost all of the good properties of O for all ideals that we are likely
to encounter in practice, like the fact that every ideal is a product of prime
ideals. This is because every order satises these properties for all ideals that
are coprime to the index of the order in O. Hence, we can now assume that an
integral basis (!1 ; : : : ; !d) of O has been computed.
7
Algebraic numbers and ideals. From this integral basis we can represent
any algebraic number of K as a vector of Q d : thisPis the integral representation.
If x 2 K we dene x = [x1 ; : : : ; xd ]t where x = di=1 xi !i and xi 2 Q . We can
also represent any algebraic number as a polynomial of degree at most d ? 1 in
: this is the power representation. When dealing with algebraic integers, the
integral representation is preferable. We will represent any integral ideal I by
an integral matrix (with respect to (!1 ; : : : ; !d)) from a Z-basis or a system of
O-generators. In the case of Z-basis, we use the Hermite normal form (HNF) of
the square matrix for eciency reasons. We refer to [4] for algorithms concerning
algebraic numbers and ideals.
4.2 Simplifying the principal ideal
Q
If is p
a square
in K , then so is any 0 = i2pS (ai ? bi p)ei ; when ei = 1. Since
Q
p
(ai ? bi ); we can recover from 0 but actually, we only
= 0
ei =?1
look for a square identity. Fortunately:
2 s
3
3 2s
Y
Y
4( (ai ? bi)ei )5 4 (ai ? bim)ei 5
2
i2S
2
(mod n)
i2S
p
This replaces the computation of p by the computation of 0 . By cleverly
selecting the ei , C ( < 0 > ) will be much smaller than C ( < > ): this is because
many <ai ? bi > share the same prime ideals, since many NK (ai ? bi ) share
the same primes (as a consequence of sieving). We now address the optimization
problem of selecting the ei so that C ( < 0 > ) is small. Given a distribution of
ei , the complexity of < 0 > can be computed by the following formula (which
comes from the known \factorization" of each ai ? bi into primes of A):
Y jPi2S eiep;r ai;bi j Y jPi2S ei ep;1 ai;bi ?vp cd j
p
p
:
(
p;r6=1
)
[
pjcd
(
)
(
)]
The simplest method is a random strategy which selects randomly ei = 1.
Another method is a greedy strategy (used in [7]): at every step, select ei = 1
according to the best complexity (whether we put ai ? bi in the numerator
or in the denominator). This behaves better than the random strategy. But the
best method so far in practice is based on simulated annealing [18], a well-known
probabilistic solution method in the eld of combinatorial optimization. Here,
the conguration space is E = f?1; +1gjSj, and the energy function U maps any
e = (e1 ; : : : ; ejS j ) 2 E to ln C ( < > ) where corresponds to e. For any e 2
E , we dene its neighbourhood V (e) = f(e1; : : : ; ei?1 ; ?ei ; ei+1 ; : : : ; ejSj) j i =
1; : : : ; jS jg. We try to minimize U by the following algorithm, which performances
depend on three parameters i ; f (initial and nal temperatures) and :
{ select randomly e 2 E and set ? i .
{ choose randomly f 2 V (e) and set ? U (f ) ? U (e). If > 0, set
p ? exp(?=), otherwise set p ? 1. Then set e ? f with probability
p, and ? .
8
{ repeat previous step if > f .
Although this method behaves better in practice than previous methods, theoretical estimates can hardly be given.
4.3 Ideal square root
Q
From now on, we forget
about the initial and set = i2S (ai ? bi )ei :
p
We wish to obtain as a product of ideals with exponents lying in Z (this
ideal is too large to be represented as a single matrix). This
Q can be done by
factoring into prime ideals the fractional ideal < > = < i2S (ai ? bi )ei > .
We simplify the problem to the factorization of any linear expression < ai ?
bi > with coprime ai ; bi . Such a factorization could be obtained by general
ideal factorization algorithms (see [4]) but this would be too slow if we had to
use these algorithms jS j times. Fortunately, we can do much of the work by
ourself using the known factorization of each F (ai ; bi ) = f (ai =bi )bdi , as shown in
the previous section. We say that a prime number p is exceptional if p divides
the index = [O : A]. Otherwise, we say that p is normal. Naturally, a prime
ideal of O is said to be exceptional (resp. normal) if it lies above an exceptional
(resp. normal) prime. If m is the number of prime factors of , there are at most
md exceptional prime ideals. We compute all the exceptional prime ideals (for
example, by decomposing all the exceptional primes in O using the BuchmannLenstra algorithm described in [4]), along with some constants allowing us to
compute eciently any valuation at these primes. From Theorem 1, we get the
prime ideal factorization of < a ? b > as follows: for every prime number p
dividing cd or such that there exists a nite r 2 R(p) satisfying ep;r (a; b) 6= 0,
{ if p is exceptional, compute the valuation of <a ? b> at all the exceptional
ideals lying above p.
{ otherwise, p is normal. If there is a nite r 2 R(p) such that ep;r (a; b) 6= 0
(r is then unique), pick the prime ideal pr with exponent ep;r (a; b) where
= <p; 0 ? p;r (0 ); : : : ; d?2 ? p;r (d?2) > :
If 1 2 R(p), also pick the prime ideal p1 with exponent ep;1 (a; b) ? vp (cd )
where p1 = <p; 0; : : : ; d?2 > :
We thus decompose < > pas a product of ideals where every exponent is
necessarily even, which gives < > . Montgomery used a dierent ideal factorization process (see [7, 14]) by introducing a special ideal, but its correctness is
not proved.
pr
4.4 Square root approximation
We now use the ideal square root p < > to approximate p . Since p < >
is a huge ideal, we will get an approximation through an iterative process, by
selecting a small part of the ideal at each step: this small part will be alternatively
9
taken in the numerator and denominator. To lift an integral ideal to an algebraic
integer, we use lattice reduction techniques. We associate several variables at
each step `:
{ an algebraic number `. It canp be considered as the square of the error in
the current approximation of .
{ a sign s` in f?1; +1g, indicating whether we take something in the denominator or in the numerator of the huge original ideal.
{ a fractional ideal G`, which is an approximation to p <` > . p
{ an integral ideal H` of bounded norm. It dierentiates G` from <` > .
{ an algebraic integer `.
{ an integral ideal I` of bounded norm.
Q
We initialize these variables by: 1 = = i2S (ai ? bi )ei , G1 = p < > ,
H1 = < 1 > , s1 = 1 if NK ( ) 1 and ?1 otherwise. Each step of the approximation makes `+1 in some sense smaller than ` , and G`+1 simpler than G` .
After enough steps, G` is reduced to the unit ideal < 1 > , and ` becomes an
algebraic integer suciently small that its integral representation can be determined explicitly (using Chinese Remainders) and a square root constructed
using brute-force method. At the start of step `, we need to know the following:
{ approximations to the jj (`)j for 1 j d, giving an approximation to
jNK (` )j.
{ prime ideal factorization of G`.
{ Hermite normal form of H`.
{ value of s`.
For ` = 1, these information are obtained from the initial values of the variables.
Each step ` consists of:
1. Select an integral ideal I` of almost xed norm, by multiplying H` with
another integral ideal dividing the numerator (resp. the denominator) of G`
if s` = 1 (resp. s` = ?1). Compute its Hermite normal form.
2. Pick some \nice" ` in I` using lattice reductions.
3. Dene:
`+1 = ` `?2s` ; G`+1 =
I ?s`
`
H`
G` ; H`+1 = <I` > ; s`+1 = ?s` :
`
This allows to easily update necessary information:
{ compute the jj (` )j's to approximate the jj (`+1 )j's.
{ the selection of I` is actually made in order to obtain the prime ideal
factorization of G`+1 simply by updating the exponents of the prime
ideal factorization of G` .
{ H`+1 and s`+1 are directly computed.
4. Store s` and the integral representation of ` .
We now explain the meaning of the dierent
then we detail the rst
hQ`?1 svariables,
i2
Q
L
two parts. By induction on `, = ` L=1 L : In other words, `L?=11 LsL is
the approximation of p at step `. Each ` is a square and G` = H`s` p <` > :
Notice that C (G`+1 ) = N (I`1=H` ) C (G` ):
10
Ideal selection. We try to select an I` with norm as close as possible to a
constant LLLmax, set at the beginning of the iterative process, to be explained
later on. To do so, we adopt a greedy strategy. Since we know the prime ideal
factorization of G` , we can sort all the prime ideals (according to their norm)
appearing in this factorization. We start with I` = H` , and we keep multiplying
I` by the possibly largest prime ideal power in such manner that N (I` ) is less
than LLLmax. In practice, this strategy behaves well because most of our prime
ideals lie over small primes. At the same time, when we pick a prime ideal power
to multiply with I` , we update its exponent in the prime ideal factorization of
G` so that we obtain the prime ideal factorization of G`+1 . At the end of the
approximation, when C (G` ) is small, we nd an I` of small norm (not close to
LLLmax) such that HI`` equals the whole numerator or the whole denominator
of G` .
Integer selection. We look for a nice element ` in the integral ideal I` , that
is to say, an algebraic integer that looks like the ideal. For us, \looking like" will
mainly mean \with norm almost alike". This really means something since the
norm of any element is a multiple of the norm of the integral ideal. So we select
` in order to make N ( < ` > =I` ) as small as possible, which is the same as
nding a short element in a given ideal. Fortunately an ideal is also a lattice, and
there exists a famous polynomial-time algorithm for lattice reduction: LLL [9, 4].
We will use two features of the LLL-algorithm: computation of an LLL-reduced
basis, and computation of a short vector (with respect to the Euclidean norm,
not to the norm in a number eld). First, we reduce the basis of I` given by its
HNF. In other words, we reduce the matrix of the integral representations (with
respect to (!1 ; : : : ; !d )) of the elements of the basis. We do so because the HNF
matrix is triangular, therefore not well-balanced: by applying an LLL reduction,
coecients are smaller and better spread.
Assume the obtained reduced basis is (v(j) )dj=1 . We specify a constant c > 0
by
s
LLL
K (` )js`
max
cd = N (I ) jNj
(K )j :
`
Let j = jj (`c)js`=2 for 1 j d. We dene a linear transformation that maps
P
any v = di=1 vi !i 2 I` to v = [v1 ; : : : ; vd ; 1 1 (v); : : : ; d d (v)]t : This is when
K is totally real. If f has complex roots: for any complex conjugate pairs i and
p
i , we replacepi (v) and i (v) in the denition of by respectively, <(i (v)) 2
and =(i (v)) 2. In Montgomery's implementation, the Z-basis (v(j) )dj=1 is expressed with respect to the power basis instead of the integral basis, which does
not seem to be more attractive. From (v(j) )dj=1 , we form a 2d d real matrix
with the corresponding (
v(j) )dj=1 .
Proposition 2. This matrix satises:
1. The determinant of the image of the rst d coordinates is in absolute value
equal to N (I` ).
11
2. The determinant of the image of the last d coordinates is in absolute value
equal to LLLmax.
Proof. The image of the rst d coordinates is the matrix representation of a Zbasis of I` with respect to a Z-basis of O. Hence, its determinant is in absolute
value equal to [O : I` ], proving 1. For 2, we assume that K is totally real:
otherwise, the determinant is unchanged by multilinearity. In absolute value,
the determinant of the image of the last d coordinates of (
v(j) )dj=1 is equal to
q
d
j(v ; : : : ; v d )j jN (c )js` = ;
K `
(1)
( )
2
where denotes the discriminant of d elements of K . Since the v(j) form a Z-basis
of I` , this discriminant is N (I` )2 (!1 ; : : : ; !d), where (!1 ; : : : ; !d )p= (K ).
The initial determinant is thus in absolute value cd jNK (` )j?s` =2 N (I` ) j(K )j ,
and we conclude from the denition of c.
ut
We apply a second LLL reduction to this matrix. In practice, we apply a
LLL reduction to this matrix rounded to an integral matrix (notice that the
upper d d matrix has integral entries) as integer arithmetic is often preferable.
We initialize LLLmax to the maximal value where the LLL-reduction algorithm
supposedly performs well. The previous proposition ensures us that both LLL
reductions perform well. We choose for ` the algebraic integer dened by the
rst d coordinates of the rst column of the matrix output by the second LLL
reduction. We use the following result to prove that the approximation stage
terminates.
Theorem 3. There exists a computable constant C depending only on K such
that the second LLL reduction outputs an algebraic integer ` with
jNK (` )j C N (I` );
where C is independent of N (I` ), LLLmax and c. In particular, N (H` ) C:
The proof, quite technical, is left in the appendix.
End of the approximation. We stop the iterative process when
C (G` ) =
1. This pnecessarily happens if LLLmax C . Indeed, if numer(p < > ) and
denom( < > ) have close norms, then at every step `, N (I` =H` ) is close to
LLLmax=C , which gives C (G` ) (C=LLLmax)`p? C (G ): So the number of steps
to obtain C (G` ) = 1 is roughly logarithmic in C ( < > ). More precisely, one can
show that if LLLmax=Cpis greater than the largest prime appearing in C ( < > ),
then at most 2dlog C ( < > )e steps are necessary to make C (G` ) equal to 1.
Once C (G` ) = 1, we perform one more iteration if s` = +1, in which I` is
equalpto H` . We can now assume that C (GL) = 1 with sL = ?1. This implies
that <L > = HL and therefore, L is an algebraic integer of norm N (HL )
bounded by C . This does not prove that L has a small integral representation:
if the coecients of L are small, then we can bound NK (L ), but the converse
1
1
2
+1
2
2
is false (for instance, L might be a power of a unit).
12
Proposition 4. There exists a computable
P constant C 0 depending only on K
such that for every algebraic number = dj=1 j !j 2 K , each ji j is bounded by
C0
sX
id
ji ()j :
2
1
Proof. Let be the injective Q -linear transformation that maps any x 2 K to
[1 (x); : : : ; d (x)]t . Since (K ) and K both are Q -vector spaces of nite dimension, there exists k?1 k 2 R such that for all x 2 K : kxk k?1 k:k(x)k;
where we consider the \Euclidean" norms induced on K by the integral basis (!1 ; : : : ; !d ), and on (K ) by the canonical basis of C d . The matrix A =
(i (!j ))1i;jd represents . A can be computed, and so can be its inverse A?1 .
This gives an upper bound to k?1 k, which we note C 0 .
ut
With Lemma 5 (see the appendix), this proves that bounding the embeddings
is the same as bounding the coecients. But the linear transformation is
precisely chosen to reduce the embeddings: the last d coordinates reduce the
sum of inverses of the embeddings of `+1 . This is not a proof, but it somehow
explains why one obtains in practice a \small" algebraic integer.
4.5 Computing the error
We wish to compute the last algebraic integer = L of norm at most C 2 . We
have a product formula for , of which we know every term. The partial products
are too large to use directly this formula, but since we only deal with integers, we
can use the Chinese Remainder Theorem if we choose good primes. A prime p is
a good prime if it is inert (f is irreducible modulo p) and if p does not divide any
of the NK (` )=N (I` ). For such a p, the integral representation of (mod p) can
be computed. This computation is not expensive if p is not too large. In general,
it is easy to nd good primes. We rst nd inert primes. In some very particular
cases, inert primes do not even exist, but in general, there are a lot of inert
primes (see [3]). Then we select among these primes those who do not divide
any of the NK (` )=N (I` ). Most of these primes will satisfy this assumption. If
we selected several good primes p1 ; : : : ; pN , and if the coecients of are all
bounded by the product p1 : : : pN , then we obtain these coecients from the
coecients of modulo each pi . In practice, a few good primes suce. Then
we can factorize X 2p? Qover K [X ] in a reasonable time. The initial square root
follows since p = L`=1 `s` : Actually, we only need (p ), so we compute
all the (` ) to avoid excessively large numbers. We thus obtain a square identity
and hopefully, some factors of n.
5 Complexity analysis
We discuss the complexity of each stage of the algorithm, with respect to the
growth of jS j. We assume that f is independent of jS j, which implies that all
13
ai , bi and F (ai ; bi ) can be bounded independently of jS j. Recall that during the
sieving, all ep;r (a; b) are computed.
Simplication of < > : even if the simulated annealing method is used, one
can easily show that this stage takes at most O(jS j) time.
Ideal square root: The only expensive operations are the decomposition of
exceptional primes and the computation of valuations at these primes. The decomposition of exceptional primes is done once for all, independently of jS j. Any
valuation can be eciently computed, and takes time independent of jS j. Since
exceptional prime numbers appear at most O(jS j) times, this stage takes at most
O(jS j) time.
Square root approximation: We showed that the number of required steps
was O(ln C ( < > )). Since all the F (ai ; bi ) are bounded, ln C ( < > ) is O(jS j).
Unfortunately, we cannot say much about the complexity of each step, although
each step takes very little time in practice. This is because we cannot bound
independently of jS j all the entries of the 2d d matrix that is LLL reduced.
Indeed, we can bound the entries of the upper d d square matrix, but not the
entries of the lower one, as we are unable to prove that the embeddings of the
algebraic number ` get better. However, since we perform LLL reductions on
matrices with very small dimension, it is likely that these reductions take very
little time, unless the entries are extremely large. This is why in practice the
approximation takes at most O(jS j) time.
Computing the error: If we can bound the number and the size of necessary
good primes independently of jS j, then this stage takes at most O(jS j) time.
Unfortunately, we are unable to do this, because we cannot bound the embeddings of the last algebraic integer , as seen previously. In practice however, these
embeddings are small.
One sees that it is dicult to prove anything on the complexity of the algorithm. The same holds for Montgomery's algorithm. In practice, the algorithm
behaves as if it had linear time in jS j (which is not too surprising), but we are
unable to prove it at the moment. pWe lack a proof mainly because we pdo not
know any particular expression for . For instance, we do not know if can
be expressed as a product with exponents 1 of algebraic integers with bounded
integral representation.
6 Implementation
We make some remarks about the implementation:
1. Since the number of ideals appearing in p < > is huge, we use a hash-table
and represent any normal prime ideal by its corresponding (p; r) pair. Exceptional prime ideals require more place, but there are very few exceptional
primes.
2. It is only during the approximation process (namely, to obtain the Hermite
normal form of I` ) that one needs to compute a system of O-generators for
normal prime ideals. Such a computation is however very fast.
14
3. To avoid overows,
we do not compute jj (` )j, c and j but their logarithms.
P
One checks that dj=1 ln jj (` )j = ln jNK (` )j if one is in doubt about the
precision.
4. To choose the constant LLLmax, one can compute the C constant from the
formulas given in the proof of Theorem 3, but one can also perform some
LLL reductions to obtain the practical value of C . Notice that when one
knows C and LLLmax, one can estimate the number of iterations.
5. To know how many good primes are sucient to compute the last algebraic
integer, one can compute the C 0 constant as shown in the proof of Proposition 4, which gives a bound for the coecients of the integral representation.
6. The last algebraic integer is often a small root of unity. This is because the
last ideal I` is principal, and we know an approximation to the embeddings
of one of its generators. This generator has unusual short norm in the corresponding lattice, therefore it is no surprise that the LLL algorithm nds this
generator, making H`+1 equal to < 1 > . In the latter case, the last algebraic
integer is often equal to 1: one should try to bypass the computation of
the error and apply directly to nd some factors of n.
The algorithm has been implemented using version 1.39 of the PARI library [1]
developed by Henri Cohen et al. In December, 1996, it completed the factorization of the 100-digit cofactor of 17186 + 1, using the quadratic polynomials
5633687910X 2 ? 4024812630168572920172347X +482977515620225815833203056197828591062 and
?77869128383X 2 ? 2888634446047190834964717X + 346636133525639208946167278118238554489.
Each dependency had about 1.5 million relations. It took the square root code
about 10 hours to do both square roots on a 75Mhz Sparc 20.
7 Conclusion
We presented an algorithm suitable for implementation to solve the square root
problem of the number eld sieve. This algorithm is a variant of Montgomery's
square root. We modied the square root approximation process by using an
integral basis instead of the power basis: this allows to work with integers instead
of rationals, and to search the algebraic integer ` in the whole ideal I` , not in
some of its submodules. We introduced the simulated annealing method in the
ideal simplication process. From results of [3], we proposed an ecient ideal
square root process and proved its validity. We postponed the computation of the
error to avoid useless computations. The present running time of the algorithm
is negligible compared to other stages of the number eld sieve. In practice, the
algorithm behaves as if it had linear complexity, but one should note that this
is only heuristic as few things are proved about the complexity. It is an open
problem to determine precisely the complexity of the algorithm.
Acknowledgements. I am particularly grateful to both Arjen and Hendrik
Lenstra for many explanations about the number eld sieve. I wish to thank
Jean-Marc Couveignes and Peter Montgomery for enlightening discussions. I
also thank Philippe Hoogvorst for his helpful comments, and for carrying out
experiments.
15
A Proof of Theorem 3
This theorem is related to the classical result of the geometry of numbers which
states that for any integral ideal I , there exists an algebraic integer 2 I such
that jNK ()j M(K )N (I ) where M(K ) denotes the Minkowski constant of
K . It relies on Minkowski's convex body theorem which can be viewed as a
generalization of the pigeon-hole principle. Following an idea of Montgomery
[14], we use the pigeon-hole principle to estimate precisely each component of ` .
The only thing we need to know about LLL-reduced bases is that if (b1 ; : : : ; bd )
is an LLL-reduced basis of a lattice , then
det() Yd
kbi k 2d d?
(
= det()
(1)
1) 4
i=1
kb1 k 2(d?1)=2kxk if x 2 ; x 6= 0
(2)
where det denotes the lattice determinant and k:k denotes the Euclidean norm.
In the following, we will use the notation
k:k even for vectors with dierent
P
d
numberqof coordinates. Here, if x = i=1 xi !i is an algebraic number of K , then
kxk = Pdi=1 x2i . We will use the notation (x)i to denote the i-th coordinate
of x. From now on (all along the proof), we assume that K is totally real to
simplify the denition of , but a similar reasoning applies to other cases with
a dierent choice of constants.
Lemma 5. There exists a computable constant C depending only on K such
that for every x 2 K , and for any integer j = 1; : : : ; d:
1
jj (x)j C kxk
j(
x)d j j j C kxk
(3)
(4)
1
+
1
P
P
Proof. We have x = di=1 xi !i where xi 2 Q . Therefore j (x) = di=1 xi j (!i ).
Using triangle inequality and Cauchy-Schwarz, we obtain:
jj (x)j d
X
i=1
v
u
d
uX
jxi jjj (!i )j t jxi j
where C1 = max1jd
denition of .
i=1
2
v
u
d
uX
t jj (!i )j kxkC ;
2
1
i=1
qPd
i jj (!i )j . This proves (3), which implies (4) by
=1
2
ut
Lemma 6. There exists two computable constants C and C depending only
2
3
on K such that for any integral ideal I` , there exists a real M and an algebraic
16
integer z 2 I` ; z 6= 0 satisfying:
M d C2
Y
j 2J
j
(5)
kzk M N (I` ) =d
8j 2 J j kzk M N (I` ) =d
k
z k C M N (I` ) =d
(6)
(7)
(8)
1
1
1
3
where J = fj = 1; : : : ; d = j > 1g.
Proof. Let C2 = 2d(d?1)=4dd 2d+1. Since 2d(d?1)=4dd
Y
Y
dj e < C j by dej 2J
j 2J
Y
dY
d
2
nition of J , there exists M > 0 such that 2d(d?1)=4d
dj e < M C2 j :
j 2J
j 2J
= (n1 ; : : : ; nd ) 2 N d such that each ni
This M satises (5). The number of n
satises ni kv(i) k Md N (I` )1=d is at least
Yd M N (I`) =d Yd M N (I` ) =d
d
e
1
1
i=1
dkv i
( )
k
dkv i
( )
i=1
k
M d by (1) > Y d e:
j
d
d
d 2 (d?1)=4
j 2J
(i)
k c is a positive integer less than j . By the pigeonFor such an n, bj MnNi dk(Iv` )1=d
hole principle, there therefore exists two distinct n = (n1 ; : : : ; nd) and n0 =
(n01 ; : : : ; n0d) both in N d such that for all i = 1; : : : ; d:
P
ni kv(i) k Md N (I` )1=d
n0i kv(i) k Md N (I` )1=d
(i)
0 (i)
8j 2 J bj MniNdk(vI )1k=d c = bj MniNdk(vI )1k=d c
`
`
(9)
(10)
(11)
Dene z = di=1 (ni ? n0i )v(i) . Then z 2 I` ; z 6= 0 and by (9) and (10), we have
for all i = 1; : : : ; d:
jni ? n0i j:kv i k Md N (I` ) =d :
( )
1
This proves (6) by triangle inequality . Furthermore, for all j 2 J and for all
i = 1; : : : ; d, the quantity j jni ? n0i j:kv(i) k is equal to
M N (I )1=d ni dkv(i) k ? n0i dkv(i) k ;
d ` j M N (I` )1=d j M N (I` )1=d 17
which is, by (11), less than Md N (I` )1=d . This proves (7) by triangle inequality.
Finally:
k
z k =
2
d
X
j =1
j(
z )j j +
2
kzk +
2
X
d
X
j =1
j(
z )d j j
+
j C1 kzk2 +
X
2
j C1 kzk2 by (4)
j 2J
0 j62J
1
h
i
X
X
@1 + C 1 + C 1A M N (I` ) =d
1
1
j 62J
1
j 2J
2
p
by (6), (7) and the denition of J . This proves (8) with C3 = 1 + dC1 .
ut
Now, if is the algebraic integer output by the second LLL reduction, (2) implies
that k
k2 2d?1k
z k2. Since kk k
k, (8) implies that
kk 2 d? = C M N (I` ) =d :
(
1) 2
1
3
Q
Q
Q
Moreover, jNK ()j = dj=1 jj ()j = j2J jj ()j) j62J jj ()j : On the
one hand, by (3):
Y
j 62J
h
jj ()j (C kk)d?jJ j 2 d? = C C M N (I` ) =d
1
(
1) 2
1
1
3
id?jJ j
:
Qj2J j d+j j
Qj2J j , where by the arithmetic-
Q
On the other hand, j2J jj ()j =
geometric mean inequality:
(
)
0
1jJ j
X
j(
)d j j @ j(
)d j j A (k
k )jJ j (2d? k
z k )jJ j
j 2J
j 2J
i
h d? =
=d jJ j
Y
+
2
+
2
(
1) 2
2
2
C3 M N (I` )1
We collect these two inequalities:
d?jJ j
h
1
by (8).
id?jJ j
jNK ()j QC 2 d? = C M N (I` ) =d
j 2J j
d
Q ; C ) 2d d? = C dM dN (I` )
max(1
1
1
(
1) 2
(
3
1
jJ j
+
1) 2
3
j 2J j
max(1; C1d )2d(d?1)=2C3d C2 N (I` ) by (5).
This completes the proof with C = 2d(d?1)=2 max(1; C1d )C2 C3d :
2
18
References
1. Batut, C., Bernardi, D., Cohen, H., and Olivier, M. Pari-gp computer
package. Can be obtained by ftp at megrez.math.u-bordeaux.fr.
2. Buchmann, J. A., and Lenstra, Jr., H. W. Approximating rings of integers in
number elds. J. Theor. Nombres Bordeaux 6, 2 (1994), 221{260.
3. Buhler, J. P., Lenstra, H. W., and Pomerance, C. Factoring integers with
the number eld sieve. pages 50-94 in [8].
4. Cohen, H. A course in computational algebraic number theory. Springer, 1993.
5. Couveignes, J.-M. Computing a square root for the number eld sieve. pages
95-102 in [8].
6. Cowie, J., Dodson, B., Elkenbracht-Huizing, R. M., Lenstra, A. K.,
Montgomery, P. L., and Zayer, J. A world wide number eld sieve factoring record: On to 512 bits. In Proceedings of ASIACRYPT'96 (1996), vol. 1163 of
Lecture Notes in Computer Science, Springer-Verlag, pp. 382{394.
7. Elkenbracht-Huizing, M. An implementation of the number eld sieve. Experimental Mathematics 5, 3 (1996), 231{253.
8. Lenstra, A. K., and Lenstra, Jr., H. W. The development of the Number
Field Sieve, vol. 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.
9. Lenstra, A. K., Lenstra, Jr., H. W., and Lovasz, L. Factoring polynomials
with rational coecients. Math. Ann. 261 (1982), 515{534.
10. Lenstra, A. K., Lenstra, Jr., H. W., Manasse, M. S., and Pollard, J. M.
The number eld sieve. pages 11-42 in [8].
11. Lenstra, A. K., Lenstra, Jr., H. W., Manasse, M. S., and Pollard, J. M.
The factorization of the ninth fermat number. Math. Comp. 61 (1993), 319{349.
12. Lenstra, Jr., H. W. Factoring integers with elliptic curves. Ann. of Math. 126
(1987), 649{673.
13. Lenstra, Jr., H. W. Algorithms in algebraic number theory. Bull. Amer. Math.
Soc. 26 (1992), 211{244.
14. Montgomery, P. L. Square roots of products of algebraic numbers. Draft of
June, 1995. Available at ftp://ftp.cwi.nl/pub/pmontgom/sqrt.ps.gz.
15. Montgomery, P. L. Square roots of products of algebraic numbers. In Mathematics of Computation 1943-1993: a Half-Century of Computational Mathematics (1994), W. Gautschi, Ed., Proceedings of Symposia in Applied Mathematics,
American Mathematical Society, pp. 567{571.
16. Pohst, M., and Zassenhaus, H. Algorithmic algebraic number theory. Cambridge
University Press, 1989.
17. Pollard, J. M. Factoring with cubic integers. pages 4-11 in [8].
18. Reeves, C. R. Modern Heuristic Techniques for Combinatorial Problems. Blackwell Scientic Publications, 1993.
