
October, 2006 Higher-Degree Polynomials

Peter L. Montgomery, Microsoft Research and CWI

Abstract

• The Number Field Sieve is asymptotically the fastest algorithm for factoring a large integer N with no small prime factors, such as an RSA modulus. An early step in the algorithm selects two polynomials with a common root modulo N and “small” coefficients. We know ways to select two polynomials when one is linear, but that choice causes one polynomial norm to be much larger than the other. This talk says what is known about higher-degree selections, esp. a search for two cubic polynomials.

Searching for Higher-Degree Polynomials for the General Number Field Sieve

Peter L. Montgomery, Microsoft Research, USA, and CWI

October, 2006


Number Field Sieve (NFS)

• Asymptotically best known algorithm for factoring large integers with no small prime factors.

• Also best known algorithm for discrete logarithms modulo large primes.


SNFS and GNFS

• Special Number Field Sieve (SNFS)
  – Number being factored has nice algebraic form.
  – Record 6^353 − 1 (274 digits, 2006).

• General Number Field Sieve (GNFS)
  – No known nice algebraic form.
  – Record RSA200 (200 digits, 2005).


NFS Stages – Part I

• Input: Composite integer N, no small factors.

• Polynomial selection
  – Find polynomials f1, f2 with common root m modulo N.
  – Homogeneous form: F_k(a, b) = b^deg(f_k) f_k(a/b).

• Sieving
  – Find many integer pairs (a_i, b_i) where both homogeneous polynomial values |F_k(a_i, b_i)| are smooth (k = 1, 2).
    • Normalized so gcd(a_i, b_i) = 1 and b_i > 0.
    • Called relations.
  – Need one relation per prime ideal in your factor bases.


NFS Stages – Part II

• Matrix construction and linear algebra
  – Let α_k be a (complex) root of f_k.
  – Find nonempty set S of indices such that ∏_{j∈S} (a_j − b_j α_k) is a square in Q(α_k), for each k.
    • Each a_j − b_j α_k has smooth norm.
  – Find square roots in Q(α_k).
  – Apply homomorphisms mapping each α_k to m mod N.
  – Get integer congruence A^2 ≡ B^2 (mod N). Hope GCD(A + B, N) is nontrivial factor of N.


NFS with Two Polynomials

• Given N, which we want to factor.

• Also input desired degrees d1, d2.

• Find irreducible polynomials f1, f2 of degrees d1, d2 with common root m modulo N (but not in C).

• resultant(f1, f2) will be a nonzero multiple of N, preferably a small multiple.

• Determinant formula for resultant gives lower bound on coefficient sizes in f1, f2.


Sample SNFS Polynomial Selection

• N = (2^512 + 1)/2424833 (148 digits).

• 9th Fermat number made SNFS famous.

• Guess to use degrees 5 and 1.

• Common root m = 2^103.

• f1(X) = X − m and f2(X) = X^5 + 8.

• Resultant = ±(m^5 + 8) or 19e6 N.

• Homogeneous F1(a, b) = a − mb, and F2(a, b) = a^5 + 8b^5.


Norm Sizes

• Assume we sieve 2e12 points, in rectangle |a| ≤ 1e6 and 0 < b ≤ 1e6.

• Approximate homogeneous sizes a − 1e31 b and a^5 + 8b^5.

• Norm bounds approx 1e37 and 9e30.

• Smaller norms more likely to be smooth.
  – Both norms must be smooth.


Alternate Choices for 2512 + 1

• Degree 4, m = 2^128 ≈ 3e38. f2(X) = X^4 + 1.
  – a − mb and a^4 + b^4.
  – Bounds 3e44 and 2e24.

• Degree 6, m = 2^85 ≈ 4e25. f2(X) = 4X^6 + 1.
  – a − mb and 4a^6 + b^6.
  – Bounds 4e31 and 5e36.

• Degree 5 bounds were 1e37 and 9e30.

• Close call between degrees 5 and 6.
  – 1990 technology needed monic polynomials.


Roots Modulo Small Primes

• X^4 + 1
  – One root modulo 2, four modulo 17.

• X^5 + 8
  – One root modulo each of 2, 3, 5, 7, 13, 17, 19, 23.

• 4X^6 + 1
  – Projective root modulo 2.
  – Two roots modulo each of 5, 17.

• This quintic norm has more prime divisors < 25 than the other norms, on average.


Resultant Lower Bounds on Coefficient Sizes

• Assume f_k has degree d_k, coefficient bound B_k (k = 1, 2).

• Determinant formula for resultant(f1, f2) has d2 rows with coefficients of f1 and d1 rows with coefficients of f2.

• Need B1^d2 B2^d1 ≥ N (approx).

• If rectangular sieving region is 2A × A, we want both B_k A^d_k small, about same size.


Base-m Method

• Set m ≈ N^(1/(d+1)) if degree d wanted.

• Write N = a0 + a1 m + ... + ad m^d in base m.

• Each ai is O(m), possibly negative.
  – f1(X) = X − m.
  – f2(X) = a0 + a1 X + ... + ad X^d.
  – Let rectangular sieving region be 2A × A.
    • |a| ≤ A and 0 < b ≤ A.
    • Norm bounds mA and (d+1) m A^d.
    • Norms too far apart (ratio (d+1) A^(d−1)).


Rating Polynomials

• Heuristics to increase density of smooth norms:
  – Try to make norm small on average.
    • Prefer real roots, so norm is near zero on parts of sieving region.
  – Try to have many roots modulo small primes and prime powers.
    • For example, X^2 + 7 is divisible by 8 whenever it is even.

• Brian Murphy (ANTS, 1998) confirmed that these properties improve yield when using two quadratic polynomials.


Improved Base-m

• Assume degrees d and 1 wanted, with d ≥ 4.

• Looking for f(m) = N where (if d = 5) f(X) = a5 X^5 + a4 X^4 + a3 X^3 + a2 X^2 + a1 X + a0.

• Pick leading coefficient a_d.
  – Prefer many small prime divisors.

• Set m = round((N/a_d)^(1/d)).

• Fill in initial a_0 to a_{d−1} using arithmetic mod m. Usually |a_{d−1}| ≤ d a_d / 2.

• Reject unless |a_{d−2}| << m.


Skewed Sieving Region

• Let f0 be the initial f, with “small” a_d to a_{d−2} and f0(m) = N.

• Suppose the rectangular sieving region of area 2A^2 is |a| ≤ Ar and 0 < b ≤ A/r.
  – If r = 1, norm bound is about a_0 A^d or m A^d.
  – If r >> 1, big terms are a_{d−3} (Ar)^(d−3) (A/r)^3 and a_{d−2} (Ar)^(d−2) (A/r)^2 and a_d (Ar)^d.
  – Assuming first and last dominate, equate them
    • r = (a_{d−3} / a_d)^(1/6) or (m / a_d)^(1/6).
  – New norm bound a_{d−3} (Ar)^(d−3) (A/r)^3 is about m A^d r^(d−6).
  – When d = 5, this is factor of r improvement over r = 1.
    • Linear X − m norm improves slightly too.


Improved Modular Properties

• Try f(X) = f0(X) + C(X) (X − m).
  – C(X) of degree d−4 to be determined.
  – a_d to a_{d−2} not affected.
  – a_{d−3} to a_0 grow, but little effect on norm bound if C has small coefficients.

• f(m) = f0(m) = N.

• Sieve to find C(X) for which f has good modular properties.

• Used for RSA140 and RSA155 (1999).
  – Brian Murphy’s PhD thesis.


Two Quadratic Polynomials

• Suppose m is common root (mod N) of fk = ak X^2 + bk X + ck (k = 1, 2).
  – Assume O(N^(1/4)) coefficients, coprime in Q[X].
  – [m^2, m, 1] orthogonal to both [ak, bk, ck] (mod N).

• Let v = cross product of [ak, bk, ck] over Z.
  – Coefficients of v are O(N^(1/2)), not all zero.
  – v is multiple of [m^2, m, 1] (mod N).
  – v is a geometric progression mod N.
  – Not a GP over Z if fk are irreducible.

• Polynomials → Geometric progression mod N.


GP → Quadratic Polynomials

• Let R = [r2, r1, r0] = O(N^(1/2)) be geometric progression mod N, but not over Z.

• Look at 2-D lattice in Z^3 where R · v = 0.
  – Smallest basis vectors [ak, bk, ck] have typical size O(|R|^(1/2)) = O(N^(1/4)).
  – Resulting polynomials ak X^2 + bk X + ck have common root r2/r1 ≡ r1/r0 mod N.


Constructing 3-term GP modulo N

• Choose prime q < N^(1/2) for which N is a quadratic residue.

• Find x0 near N^(1/2) with x0^2 ≡ N (mod q).

• Return [q, x0, (x0^2 − N)/q].

• Different q lead to different GP and different pairs of quadratics.

• Used for 3^367 − 1 c105 in 1993-94.


Two Quadratics for N = 2005

• Guess q = 23. 2^2 ≡ 2005 mod 23.

• GP (23, 44, −3) since 44^2 ≡ −3 · 23.

• Ratio 44/23 ≡ −3/44 ≡ 1048 mod 2005.

• [23, 44, −3] orthogonal to [−1, 1, 7] and [6, −3, 2].

• 7X^2 + X − 1 and 2X^2 − 3X + 6 share root 1048 mod 2005.


More than two Quadratics

• If f and g are two same-size quadratics with a common root, merge them with f ± g.

• Try ℓ quadratics, where ℓ ≥ 2, shared factor base bound.
  – Changes to rest of NFS straightforward.
  – ℓ(ℓ − 1)/2 chances per (a, b) for two norms to be smooth.
  – Need to produce ℓ/2 times as many smooth relations.
  – Sieve 1/(ℓ − 1) times as many points (hence smaller norms).
  – Sieving takes ℓ/2 times as long per (a, b).
  – Estimate ℓ/(2(ℓ − 1)) as much time as two quadratics.
  – Average ℓ/2 − 1 + 2^(−ℓ) free ideals per prime.

• Hard to find more than two quadratics with excellent modular properties, so the ℓ(ℓ − 1)/2 above is unrealistic.


Two Cubics → Five-term GP

• Suppose m is common root (mod N) of fk = ak X^3 + bk X^2 + ck X + dk (k = 1, 2).
  – By resultant bound, O(N^(1/6)) coefficients is smallest we can hope for.

• Find vector v orthogonal over Z to both [ak, bk, ck, dk, 0] and both [0, ak, bk, ck, dk].
  – Simple determinant formula for v.
  – Components of v will be O(N^(2/3)).
  – Multiple of [m^4, m^3, m^2, m, 1] mod N.


Five-term GP →Two Cubics

• Let R = [r4, r3, r2, r1, r0] = O(N^(2/3)) be 5-term GP mod N, but not over Z. Ratio s = r1/r0 mod N.

• Must avoid 2nd-order linear recurrence.

• Look at 2-D lattice in Z^4 orthogonal to both R′ = [r3, r2, r1, r0] and ([r4, r3, r2, r1] − s R′) / N.
  – Smallest basis vectors [ak, bk, ck, dk] have typical size O((|R|^2/N)^(1/2)) = O(N^(1/6)).
  – Resulting polynomials have common root s mod N.

• For two degree-d polynomials, with O(N^(1/(2d))) coefficients, need 2d−1 terms of size O(N^(1−1/d)).


Desire a five-term GP mod N

• Exhaustive search finds many O(N^(2/3)) solutions when N ≈ 1e8.

• Example:
  – [109, 151, 154, 11, 144] ratio 14 = 154/11 mod 2005.
  – Largest entry 154 vs. 2005^(2/3) ≈ 159.0.
  – X^3 − 4X^2 + 3X + 3 and 3X^3 − X^2 − X − 2 share root 14 mod 2005.

• Avoid (1st or) 2nd order linear recurrence.
  – Example: [39, 22, −39, −22, 39] mod 2005 = 39^2 + 22^2.
  – X^3 + X and X^2 + 1 share a quadratic factor.

• Don’t know how to find quickly when N is large.
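The two toy constructions for N = 2005 (the quadratics from the three-term GP with q = 23, and the cubics from the five-term GP just above) can be reproduced end to end. The Python below is an added example, not code from the slides: it builds the three-term GP as on the GP-construction slide and then recovers the polynomials by searching a small box for the two shortest integer vectors orthogonal to every window of the GP, which generalizes to a (2d−1)-term GP giving two degree-d polynomials. The function names and the brute-force search are assumptions of this example; the GP is listed from g_0 upward, so the five-term GP appears reversed relative to the slide.

```python
# Added example, not from Montgomery's slides: turn a (2d-1)-term geometric
# progression (GP) mod N into two degree-d polynomials sharing a root mod N.
# The lattice step is a brute-force search over a small box, so it only
# works for toy moduli such as the slides' N = 2005 (all values constructed).
from itertools import product
from math import gcd, isqrt

def three_term_gp(n, q):
    """Slide 20: [q, x0, (x0^2 - n)/q] with x0 near sqrt(n), x0^2 = n (mod q).
    Requires n to be a quadratic residue modulo the prime q."""
    s = isqrt(n)
    roots = [x for x in range(q) if (x * x - n) % q == 0]
    cands = [s - (s - r) % q + k * q for r in roots for k in (0, 1)]
    x0 = min(cands, key=lambda x: abs(x * x - n))          # closest to sqrt(n)
    return [q, x0, (x0 * x0 - n) // q]

def gp_ratio(gp, n):
    """Common ratio s with gp[i+1] = s*gp[i] (mod n); gp[0] must be a unit."""
    return gp[1] * pow(gp[0], -1, n) % n

def proportional(u, v):
    k = range(len(u))
    return all(u[i] * v[j] == u[j] * v[i] for i in k for j in k)

def gp_to_polys(gp, n, box):
    """Slides 19 and 24: if g_0..g_{2d-2} has ratio s, an integer vector u
    orthogonal to every window (g_j, ..., g_{j+d}) gives sum(u_i s^i) = 0
    (mod n), so sum(u_i X^i) has root s.  Return the two shortest
    independent such u (coefficient lists, index = power of X)."""
    d = (len(gp) + 1) // 2
    windows = [gp[j:j + d + 1] for j in range(d - 1)]
    shorts = [u for u in product(range(-box, box + 1), repeat=d + 1)
              if gcd(*u) == 1                                 # primitive, nonzero
              and all(sum(a * b for a, b in zip(u, w)) == 0 for w in windows)]
    shorts.sort(key=lambda u: sum(x * x for x in u))
    v1 = shorts[0]
    v2 = next(u for u in shorts if not proportional(u, v1))
    return [list(v1), list(v2)]

def eval_poly(coeffs, x, n):
    """Evaluate sum(coeffs[i] X^i) at X = x modulo n."""
    return sum(c * pow(x, i, n) for i, c in enumerate(coeffs)) % n

if __name__ == "__main__":
    gp2 = three_term_gp(2005, 23)              # [23, 44, -3] as on slide 21
    print(gp2, gp_ratio(gp2, 2005), gp_to_polys(gp2, 2005, 10))   # ratio 1048
    gp3 = [144, 11, 154, 151, 109]             # slide 25's GP, listed g_0 upward
    print(gp_ratio(gp3, 2005), gp_to_polys(gp3, 2005, 5))         # ratio 14
```

The quadratics come out as 2X^2 − 3X + 6 and 7X^2 + X − 1 and the cubics as 3X^3 − X^2 − X − 2 and X^3 − 4X^2 + 3X + 3 (each up to sign), matching the slides.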


Can we use Matrix Inverse?

• Matrix inverse is O(N^(1/3)) / N:

  (109 151 154)   (−11  10  11)
  (151 154  11) · ( 10   4 −11) = 2005 I_3
  (154  11 144)   ( 11 −11   3)

• Entries in second are bilinear forms evaluated at coefficients of f1 and f2:

  (a1b2 − b1a2   a1c2 − c1a2                  a1d2 − d1a2)
  (a1c2 − c1a2   a1d2 + b1c2 − c1b2 − d1a2    b1d2 − d1b2)
  (a1d2 − d1a2   b1d2 − d1b2                  c1d2 − d1c2)

  – Related to coefficients of [f1(X) f2(Y) − f2(X) f1(Y)] / (X − Y).

• Second matrix O(N^(1/3)), symmetric, determinant ±N.

• First has constant backwards diagonals.


O(1) Cubic and O(N1/3) Quadratic for Prime N

• Choose irreducible cubic f1 with known linear factor X − mod N and O(1) coefficients.
  – One of X^3 − (2, 3, 6, 12) will work.

• Find quadratic f2 with O(N^(1/3)) coefficients and root modulo N.

• Can use LLL to choose f2.

• Follow construction of GP from two O(N^(1/6)) cubics. Output satisfies 2nd order recurrence.

• N is prime in discrete logarithm problem.


Sizes when Factoring c200

• Assume 2e18 points sieved.

• Two quadratics.
  – Coefficients 1e50. Norms 3e68.

• Two cubics.
  – Coefficients 2e33. Norms 8e60.

• Two degree 4.
  – Coefficients 1e25. Norms 5e61.

• Degree 3 or 4 appears best if we use equal degrees.


c200 Sizes for Original Base-m

• Assume degree d = 5. Sieving area 2e18.

• m = (c200)^(1/6) = 2e33.

• Coefficients (except leading) 1e33.

• Norms (d+2)(1e33)(1e9)^d = 7e78 and m(1e9) = 2e42.

• Norm bounds far apart, compared to equal degrees.


c200 Sizes for Modified Base-m

• Assume degree d = 5. Sieving area 2e18.

• Assume a5 ≈ 1e10 and m = (1e200/a5)^(1/5) ≈ 1e38.

• Assume we can find a3 small enough.

• r ≈ (m/a5)^(1/6) ≈ 5e4.

• Bounds (1e18)^(1/2) r = 5e13 on a and 2e4 on b.

• a5 (5e13)^5 and m (5e13)^2 (2e4)^3 both 2e78.
  – Norm bound around 1e79 (six summands).

• Linear bound (2e4)(1e38) = 2e42.

• Little different than original base m.
  – But improved modular properties.


Non-monic Linear Polynomial – Part I

• Start with N, d, ad.

• Instead of finding f0 with f0(m) = N, find a P for which the congruence ad M^d ≡ N (mod P) has many solutions M.
  – P is product of primes, each ≡ 1 (mod d) with N/ad a d-th residue.
  – Size of M chosen so |M − (N/ad)^(1/d)| ≤ P/2.


Non-monic Linear Polynomial – Part II

• For each such M, where ad M^d ≡ N (mod P), find polynomial f0(X) = Σ_{j=0}^{d} aj X^j ∈ Z[X] with N = P^d f0(M/P).

• As earlier, reject unless coefficient of X^(d−2) is small.
  – Can perform this test quickly when same P is reused.

• f2(X) = f0(X) + C(X)(PX − M) for some C(X).

• f2(X) and f1(X) = PX − M share root m = M/P mod N.

• Due to Thorsten Kleinjung, Math. Comp., Oct. 2006.
  – Used for RSA576 (2003) and RSA200 (2005).


RSA200 polynomials

• Found by Kleinjung et al.

• f1(X) = 374029011720 X^5 + 2711065637795630118 X^4 + 19400071943177513865892714 X^3 − 33803470609202413094680462360399 X^2 − 120887311888241287002580512992469303610 X + 38767203000799321189782959529938771195170960

• M = 37570227807001155896638712233675454511

• P = 12722245648421103686881 = 11 · 31 · 61 · 71 · 191 · 331 · 461 · 521 · 691 · 821


Norm Sizes for RSA200

• a5 ≈ 2^3 · 3^5 · 5 · 7 · 13 · 422861 ≈ 4e11.

• r ≈ 1800.

• Linear PX − M ≈ 1e22 X − 4e37.

• On rectangle |a| < 1.8e12 and 0 < b < 5.6e5, of area 2e18, norm bounds about 1e74 (quintic) and 2e43 (linear).

• Quintic much smaller than predicted.