Root optimization of polynomials in the number field sieve

The general number field sieve (GNFS) is the most efficient algorithm known for factoring large integers. It consists of several stages, the first one being polynomial selection. The quality of the chosen polynomials in polynomial selection can be modelled in terms of size and root properties. In this paper, we describe some algorithms for selecting polynomials with very good root properties. 1. The general number field sieve The general number field sieve [14] is the most efficient algorithm known for factoring large integers. It consists of several stages including polynomial selection, sieving, filtering, linear algebra and finding square roots. Let n be the integer to be factored. The number field sieve starts by choosing two irreducible and coprime polynomials f(x) and g(x) over Z which share a common root m modulo n. In practice, the notations F (x, y) and G(x, y) for the homogenized polynomials corresponding to f and g are often used. We want to find many coprime pairs (a, b) ∈ Z such that the polynomial values F (a, b) and G(a, b) are simultaneously smooth with respect to some upper bound B. An integer is smooth with respect to bound B (or B-smooth) if none of its prime factors are larger than B. Lattice sieving [19] and line sieving [6] are commonly used to identify such pairs (a, b). The running time of sieving depends on the quality of the chosen polynomials in polynomial selection, hence many polynomial pairs will be generated and optimized in order to produce a best one. This paper discusses algorithms for root optimization in polynomial selection in the number field sieve. We mainly focus on polynomial selection with two polynomials, one of which is a linear polynomial. 2. Polynomial selection For large integers, most polynomial selection methods [6, 11, 12, 16, 17] use a linear polynomial for g(x) and a quintic or sextic polynomial for f(x). Let f(x) = ∑d i=0 cix i and g(x) = m2x−m1. The standard method to generate such polynomial pairs is to expand n in base-(m1,m2) so n = ∑d i=0 cim i 1m d−i 2 . The running time of sieving depends on the smoothness of the polynomial values |F (a, b)| and |G(a, b)|. Let Ψ(x, x) be the number of x-smooth integers below x for some u. The Dickman-de Bruijn function ρ(u) [9] is often used to estimate Received by the editor June 14, 2013 and in revised form, October 30, 2013 and December 7, 2013. 2010 Mathematics Subject Classification. Primary 11Y05, 11Y16. c ©2015 American Mathematical Society