Abstract
• The Number Field Sieve is asymptotically the fastest known algorithm for factoring a large integer N with no small prime factors, such as an RSA modulus. An early step in the algorithm selects two polynomials with a common root modulo N. This talk will present some techniques for choosing the polynomials when N has no nice algebraic form.
May 29, 2008 GNFS polynomials Peter L. Montgomery Microsoft Research, USA
Polynomial Selection for the General Number Field Sieve
Peter L. Montgomery
Microsoft Research, USA
May 29, 2008
Number Field Sieve (NFS)
• Asymptotically best known algorithm for factoring large integers with no small prime factors.
• Also best known algorithm for discrete logarithms modulo large primes.
SNFS and GNFS
• Special Number Field Sieve (SNFS)
  – Number being factored has nice algebraic form.
  – Record (2^1039 − 1)/5080711 (307 digits, 2007).
• General Number Field Sieve (GNFS)
  – No known nice algebraic form.
  – Record RSA 200 (200 digits, 2005).
NFS Stages – Part I
• Input: Composite integer N, no small factors.
• Polynomial selection
  – Find f_1, f_2 in Z[X] with common root m modulo N.
  – Homogeneous form: F_k(a, b) = b^deg(f_k) · f_k(a/b).
• Sieving
  – Find many integer pairs (a_i, b_i) where both homogeneous polynomial values |F_k(a_i, b_i)| are smooth (k = 1, 2).
    • Normalized so gcd(a_i, b_i) = 1 and b_i > 0.
    • Called relations.
  – Need one relation per prime in your factor bases.
NFS Stages – Part II
• Matrix construction and linear algebra
  – Let α_k be a (complex) root of f_k.
  – Find nonempty set S of indices such that ∏_{j∈S} (a_j − b_j α_k) is a square in Q(α_k), for each k.
    • Each a_j − b_j α_k has smooth norm.
  – Find square roots in Q(α_k).
  – Apply homomorphisms mapping each α_k to m mod N.
  – Get integer congruence A^2 ≡ B^2 (mod N). Hope gcd(A + B, N) is a nontrivial factor of N.
Finding Two Polynomials for NFS
• Given N, which we want to factor.
• Also input desired degrees d_1, d_2.
• Find irreducible polynomials f_1, f_2 of degrees d_1, d_2 with common root m modulo N (but not in C).
• resultant(f_1, f_2) will be a nonzero multiple of N, preferably a small multiple.
• Determinant formula for resultant gives lower bound on coefficient sizes in f_1, f_2.
Sample SNFS Polynomial Selection
• N = (2^512 + 1)/2424833 (148 digits). 9th Fermat number made SNFS famous (1990).
• Guess to use degrees 5 and 1. Common root m = 2^103.
• f_1(X) = X − m and f_2(X) = X^5 + 8.
• Resultant = ±(m^5 + 8), or about 19e6 N.
• Homogeneous F_1(a, b) = a − mb, and F_2(a, b) = a^5 + 8b^5.
Norm Sizes
• Assume we sieve 2e12 points, in rectangle |a| ≤ 1e6 and 0 < b ≤ 1e6.
• Approximate homogeneous sizes a − 1e31·b and a^5 + 8b^5.
• Norm bounds approx 1e37 and 9e30.
• Smaller norms more likely to be smooth.
  – Both norms must be smooth.
Alternate Choices for 2^512 + 1
• Degree 4, m = 2^128 ≈ 3e38. f_2(X) = X^4 + 1.
  – a − mb and a^4 + b^4.
  – Bounds 3e44 and 2e24.
• Degree 6, m = 2^85 ≈ 4e25. f_2(X) = 4X^6 + 1.
  – a − mb and 4a^6 + b^6.
  – Bounds 4e31 and 5e36.
• Degree 5 bounds were 1e37 and 9e30.
• Close call between degrees 5 and 6.
  – 1990 technology needed monic polynomials.
Roots Modulo Small Primes
• X^4 + 1
  – One root modulo 2, four modulo 17.
• X^5 + 8
  – One root modulo each of 2, 3, 5, 7, 13, 17, 19, 23.
• 4X^6 + 1
  – Projective root modulo 2.
  – Two roots modulo each of 5, 17.
• This quintic norm has more prime divisors < 25 than the other norms, on average.
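The following Python program is an added worked example, not part of the slides: it checks the F9 polynomial pair from the preceding slides (that m = 2^103 is a common root mod N and that resultant(X − m, X^5 + 8) is a small multiple of N), evaluates the homogeneous norm bounds on the 1e6 × 1e6 rectangle, and counts the roots of X^4 + 1, X^5 + 8 and 4X^6 + 1 modulo the small primes listed above. The function names and the brute-force root search are this example's own.

```python
# Added example (not from the slides). Checks the degree-5 SNFS pair for the ninth
# Fermat number, bounds the homogeneous norms on the slides' sieving rectangle and
# counts roots of the three candidate algebraic polynomials modulo small primes.
# Polynomials are lists of integer coefficients, coeffs[i] being the coefficient of X^i.

def poly_eval(coeffs, x, mod=None):
    """Horner evaluation, optionally modulo `mod`."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
        if mod is not None:
            acc %= mod
    return acc

def norm_bound(coeffs, A, B):
    """Triangle-inequality bound for |F(a, b)| = |b^d f(a/b)| over |a| <= A, 0 < b <= B."""
    d = len(coeffs) - 1
    return sum(abs(c) * A**i * B**(d - i) for i, c in enumerate(coeffs))

def affine_roots(coeffs, p):
    """Residues x mod p with f(x) = 0 (mod p); brute force is fine for tiny p."""
    return [x for x in range(p) if poly_eval(coeffs, x, p) == 0]

def has_projective_root(coeffs, p):
    """F(a, b) with p | b vanishes mod p exactly when p divides the leading coefficient."""
    return coeffs[-1] % p == 0

# Data from the slides: N = F9 / 2424833, m = 2^103, f1 = X - m, f2 = X^5 + 8.
N = (2**512 + 1) // 2424833
M = 2**103
F1 = [-M, 1]
F2 = [8, 0, 0, 0, 0, 1]
CANDIDATES = {"X^4+1": [1, 0, 0, 0, 1], "X^5+8": F2, "4X^6+1": [1, 0, 0, 0, 0, 0, 4]}

def resultant_over_n():
    """resultant(X - m, f2) = +-f2(m); it must be a multiple of N. Returns f2(m) / N."""
    res = poly_eval(F2, M)
    if res % N:
        raise ValueError("m is not a common root modulo N")
    return res // N

def norm_bounds(A=10**6, B=10**6):
    """Bounds for |F1| and |F2| on the 2e12-point rectangle from the slides."""
    return norm_bound(F1, A, B), norm_bound(F2, A, B)

def root_table(primes=(2, 3, 5, 7, 11, 13, 17, 19, 23)):
    """{name: {p: (number of affine roots, projective root?)}} for each candidate."""
    return {name: {p: (len(affine_roots(f, p)), has_projective_root(f, p)) for p in primes}
            for name, f in CANDIDATES.items()}

if __name__ == "__main__":
    print("resultant / N =", resultant_over_n())          # 8 * 2424833
    print("norm bounds ~ %.1e and %.1e" % norm_bounds())
    for name, row in root_table().items():
        print(name, {p: n for p, (n, _) in row.items()})
```

The resultant comes out as exactly 8·2424833 times N, which is the "19e6 N" of the slide, and the root table reproduces the counts quoted above (including zero roots of X^5 + 8 modulo 11, which is why 11 is absent from the list).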
Lower Bounds on Sizes
• Assume f_k has degree d_k, coefficient bound B_k (k = 1, 2).
• Determinant formula for resultant(f_1, f_2) has d_2 rows with coefficients of f_1 and d_1 rows with coefficients of f_2.
• Need B_1^(d_2) · B_2^(d_1) ≥ N (approx).
• If rectangular sieving region is 2A × A, want both B_k A^(d_k) small, about same size.
Base-m Method for GNFS
• Set m ≈ N^(1/(d+1)) if degrees d and 1 wanted.
• Write N = a_0 + a_1 m + ... + a_d m^d in base m.
• Each a_i is O(m), possibly negative.
  – f_1(X) = X − m.
  – f_2(X) = a_0 + a_1 X + ... + a_d X^d.
  – Let rectangular sieving region be 2A × A.
    • |a| ≤ A and 0 < b ≤ A.
    • Norm bounds m·A and (d+1)·m·A^d.
    • Norms too far apart.
Rating Polynomials
• Heuristics to increase density of smooth norms:
  – Try to make norm small on average.
    • Prefer real roots, so norm is near zero on parts of sieving region.
  – Try to have many roots modulo small primes and prime powers.
    • For example, X^2 + 7 is divisible by 8 whenever it is even.
• Brian Murphy (ANTS, 1998) confirmed that these properties improve yield when using two quadratic polynomials.
Improved Base-m
• Assume degree d ≥ 4 and linear wanted.
• Looking for f(m) = N where (if d = 5) f(X) = a_5 X^5 + a_4 X^4 + a_3 X^3 + a_2 X^2 + a_1 X + a_0.
• Pick leading coefficient a_d.
  – Prefer many small prime divisors.
• Set m = round((N/a_d)^(1/d)).
• Fill in initial a_(d−1) to a_0. Usually |a_(d−1)| ≤ d·a_d/2.
• Reject unless |a_(d−2)| << m.
Skewed Sieving Region
• Let f_0 be the initial f, with small a_d to a_(d−2) and f_0(m) = N.
• Suppose the rectangular sieving region of area 2A^2 is |a| ≤ Ar and 0 < b ≤ A/r.
  – If r = 1, norm bound is about a_0 A^d or m A^d.
  – If r >> 1, big terms are a_(d−3) (Ar)^(d−3) (A/r)^3 and a_(d−2) (Ar)^(d−2) (A/r)^2 and a_d (Ar)^d.
  – Assuming first and last dominate, equate them:
    • r = (a_(d−3)/a_d)^(1/6) or (m/a_d)^(1/6).
  – New norm bound a_(d−3) (Ar)^(d−3) (A/r)^3 is about m A^d r^(d−6).
  – When d = 5, this is a factor of r improvement over r = 1.
• Linear X − m norm improves slightly too.
Improved Modular Properties
• Try f(X) = f_0(X) + C(X)(X − m).
  – C(X) of degree d − 4 to be determined.
  – a_d to a_(d−2) not affected.
  – a_(d−3) to a_0 grow, but little effect on norm bound if C has small coefficients.
• f(m) = f_0(m) = N.
• Sieve to find C(X) for which f has good modular properties.
• Used for RSA 140 and RSA 155 (1999).
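The Python program below is an added worked example, not code from the slides, covering the four preceding slides in one place: the original base-m expansion, the improved base-m search (smooth leading coefficient a_d, m = round((N/a_d)^(1/d)), a_(d−1) absorbing the remainder, rejection when a_(d−2) is not small), the skewness r = (a_(d−3)/a_d)^(1/6) with the skewed norm bound, and the f_0 + C(X)(X − m) adjustment that leaves f(m) = N and a_d to a_(d−2) untouched. N is a constructed 50-digit integer (leading digits of pi), not a challenge number; the concrete rejection threshold |a_(d−2)|·r^2 < m, the step 60 for a_d and all function names are this example's own choices.

```python
# Added example (not from the slides): original base-m, improved base-m with a smooth
# leading coefficient and the "reject unless a_{d-2} is small" test, the skewness
# r = (a_{d-3} / a_d)^(1/6), and the f_0 + C(X)(X - m) adjustment.
# N_EXAMPLE is a constructed 50-digit integer (digits of pi), not a challenge number.

N_EXAMPLE = 31415926535897932384626433832795028841971693993751

def poly_eval(f, x):
    """Horner evaluation; f[i] is the coefficient of X^i (exact integers)."""
    acc = 0
    for c in reversed(f):
        acc = acc * x + c
    return acc

def iroot(n, d):
    """floor(n^(1/d)) for n >= 0, by integer Newton iteration from an upper bound."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + d - 1) // d)
    while True:
        y = ((d - 1) * x + n // x**(d - 1)) // d
        if y >= x:
            return x
        x = y

def balanced_digits(n, m, k):
    """n = a_0 + a_1 m + ... + a_{k-1} m^{k-1} + rest * m^k with every |a_i| <= m/2."""
    digits = []
    for _ in range(k):
        a = n % m
        if a > m // 2:
            a -= m
        digits.append(a)
        n = (n - a) // m
    return digits, n

def base_m(N, d):
    """Original method: m = floor(N^(1/(d+1))), all coefficients O(m). Returns (f, m)."""
    m = iroot(N, d + 1)
    low, top = balanced_digits(N, m, d)
    return low + [top], m

def skewness(f):
    """r = (|a_{d-3}| / a_d)^(1/6), the skew that balances the a_{d-3} and a_d terms."""
    d = len(f) - 1
    return (max(abs(f[d - 3]), 1) / f[d]) ** (1 / 6)

def improved_base_m(N, d, step=60, max_tries=100000):
    """Try a_d = step, 2 step, ... (step = 2^2 * 3 * 5 keeps a_d smooth). m is the integer
    nearest (N/a_d)^(1/d), a_{d-1} absorbs the remainder, lower coefficients are balanced
    base-m digits. 'a_{d-2} small' is read here as |a_{d-2}| r^2 < m (with r > 1), which
    keeps the a_{d-2} term below the leading term of the skewed norm bound."""
    for k in range(1, max_tries + 1):
        ad = step * k
        m = iroot(N // ad, d)
        if abs(N - ad * (m + 1)**d) < abs(N - ad * m**d):
            m += 1
        low, top = balanced_digits(N - ad * m**d, m, d - 1)
        f = low + [top, ad]
        r = skewness(f)
        if r > 1 and abs(f[d - 2]) * r * r < m:
            return f, m
    raise ValueError("no acceptable leading coefficient found")

def norm_bound(f, A, r=1.0):
    """Bound on |F(a, b)| over |a| <= A r, 0 < b <= A / r (area 2 A^2), as a float."""
    d = len(f) - 1
    return sum(abs(c) * (A * r)**i * (A / r)**(d - i) for i, c in enumerate(f))

def adjust(f, m, C):
    """f + C(X) (X - m): same value at m; only the lowest deg(C) + 2 coefficients change."""
    g = list(f)
    for i, c in enumerate(C):
        g[i] -= c * m
        g[i + 1] += c
    return g

if __name__ == "__main__":
    d, A = 5, 1e10                     # degree and A = sqrt(area / 2) as on the c200 slides
    f0, m0 = base_m(N_EXAMPLE, d)
    print("base-m: f(m) == N:", poly_eval(f0, m0) == N_EXAMPLE, " bound %.2e" % norm_bound(f0, A))
    f, m = improved_base_m(N_EXAMPLE, d)
    r = skewness(f)
    print("improved: a_5 = %d, m = %d, r = %.1f" % (f[d], m, r))
    print("bound r=1: %.2e   skewed: %.2e" % (norm_bound(f, A), norm_bound(f, A, r)))
    g = adjust(f, m, [-7, 3])          # C(X) = 3X - 7, a constructed choice
    print("after C(X)(X - m): f(m) == N:", poly_eval(g, m) == N_EXAMPLE,
          " a_3..a_5 unchanged:", g[d - 2:] == f[d - 2:])
```

Everything is exact integer arithmetic except the skew and the norm bounds, which are only size estimates. The search loop stops at the first a_d whose expansion passes the a_(d−2) test; in a real selection the candidates would be rated further by the root properties of the previous slide.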
Non-monic Linear Polynomial
• Start with N, d, a_d.
• Instead of finding f_0 with f_0(m) = N, find a P for which the congruence a_d m^d ≡ N (mod P) has many solutions m.
  – P product of primes ≡ 1 (mod d) with N/a_d a d-th residue.
• For each such m, find f_0(X) with N = P^d f_0(m/P).
• As earlier, reject unless coefficient of X^(d−2) is small.
  – Can perform this step quickly when same P is reused.
• f_2(X) = f_0(X) + C(X)(PX − m) for some C(X).
• f_2(X) and f_1(X) = PX − m share root m/P mod N.
• Due to Thorsten Kleinjung.
  – Used for RSA 576 (2003) and RSA 200 (2005).
Two Quadratic Polynomials
• Suppose m is common root (mod N) of f_k = a_k X^2 + b_k X + c_k (k = 1, 2).
  – Assume O(N^(1/4)) coefficients, coprime over Q.
  – [m^2, m, 1] orthogonal to both [a_k, b_k, c_k] (mod N).
• Let v = cross product of [a_1, b_1, c_1] and [a_2, b_2, c_2] over Z.
  – Coefficients of v are O(N^(1/2)), not all zero.
  – v is multiple of [m^2, m, 1] (mod N).
  – v is a geometric progression mod N. Not a GP over Z if f_k are irreducible (m not a root).
• Polynomials → Geometric progression mod N.
GP to Quadratic Polynomials
• Let R = [r_2, r_1, r_0] = O(N^(1/2)) be geometric progression mod N, but not over Z.
• Look at 2-D lattice in Z^3 where R·v = 0.
  – Smallest basis vectors [a_k, b_k, c_k] have typical size O(|R|^(1/2)) = O(N^(1/4)).
  – Resulting polynomials have common root r_2/r_1 ≡ r_1/r_0 mod N.
Constructing 3-term GP modulo N
• Choose prime q slightly below N^(1/2) for which N is a quadratic residue.
• Find x_0 near N^(1/2) with x_0^2 ≡ N (mod q).
• Return [q, x_0, (x_0^2 − N)/q].
• Different q lead to different GP and different pairs of quadratics.
• Used for 3,367− c105 in 1993–94.
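An added worked example, not from the slides, carrying the last three slides through end to end: build the 3-term GP [q, x_0, (x_0^2 − N)/q] for a prime q just below N^(1/2) with N a quadratic residue, then compute a basis of the rank-2 lattice {v ∈ Z^3 : R·v = 0} and Lagrange-Gauss reduce it to get two quadratics of size about N^(1/4) with common root r_1/r_0 mod N. N = 2005 is the slides' own small modulus (used on the five-term GP slides); the Tonelli-Shanks square root, the kernel-basis construction and all function names are this example's own. The common root is taken as r_1 · r_0^(−1) mod N, so r_0 must be coprime to N.

```python
# Added example (not from the slides): 3-term GP mod N from a prime q below sqrt(N),
# then two quadratics with a common root mod N from the lattice orthogonal to the GP.
from math import gcd, isqrt

def is_prime(n):
    return n > 1 and all(n % p for p in range(2, isqrt(n) + 1))

def is_quadratic_residue(n, p):
    return pow(n % p, (p - 1) // 2, p) == 1

def sqrt_mod_prime(n, p):
    """A square root of the residue n modulo an odd prime p (Tonelli-Shanks)."""
    n %= p
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:       # any quadratic non-residue
        z += 1
    c, r, t, m = pow(z, q, p), pow(n, (q + 1) // 2, p), pow(n, q, p), s
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        r, c, t, m = r * b % p, b * b % p, t * b * b % p, i
    return r

def three_term_gp(N):
    """[q, x0, (x0^2 - N)/q]: largest prime q < sqrt(N) with N a residue mod q, and x0 the
    square root of N mod q nearest to sqrt(N).  Ratio x0/q mod N."""
    s = isqrt(N)
    q = s - 1
    while not (is_prime(q) and is_quadratic_residue(N, q)):
        q -= 1
    x = sqrt_mod_prime(N, q)
    cands = [rt + q * k for rt in (x, q - x) for k in ((s - rt) // q, (s - rt) // q + 1)]
    x0 = min(cands, key=lambda v: abs(v - s))
    return [q, x0, (x0 * x0 - N) // q]

def ext_gcd(a, b):
    """(g, s, t) with s a + t b = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0

def kernel_basis(R):
    """Basis of the rank-2 lattice {v in Z^3 : R . v = 0} for R = [r2, r1, r0]."""
    r2, r1, r0 = R
    g, s, t = ext_gcd(r1, r0)
    u = [0, r0 // g, -(r1 // g)]                 # kills r1, r0 with first entry 0
    h = gcd(r2, g)
    w = [g // h, -(r2 // h) * s, -(r2 // h) * t]  # smallest possible first entry
    return u, w

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def gauss_reduce(b1, b2):
    """Lagrange-Gauss reduction of a rank-2 lattice (works in any ambient dimension)."""
    while True:
        if dot(b1, b1) > dot(b2, b2):
            b1, b2 = b2, b1
        nn = dot(b1, b1)
        mu = (2 * dot(b1, b2) + nn) // (2 * nn)  # nearest integer to b1.b2 / b1.b1
        if mu == 0:
            return b1, b2
        b2 = [y - mu * x for x, y in zip(b1, b2)]

def normalize(v):
    """f and -f are the same polynomial: make the first nonzero entry positive."""
    lead = next((x for x in v if x), 1)
    return v if lead > 0 else [-x for x in v]

def eval_mod(coeffs, x, mod):
    """coeffs = [a, b, c] for a X^2 + b X + c, as on the slides."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % mod
    return acc

def two_quadratics(N):
    """(R, f1, f2, m): the GP, the two reduced quadratics and their common root r1/r0 mod N."""
    R = three_term_gp(N)
    b1, b2 = gauss_reduce(*kernel_basis(R))
    m = R[1] * pow(R[2], -1, N) % N           # assumes gcd(r0, N) = 1
    return R, normalize(b1), normalize(b2), m

if __name__ == "__main__":
    R, f1, f2, m = two_quadratics(2005)
    print("GP mod 2005:", R, " common root:", m)
    print("quadratics:", f1, f2, " values at m mod N:", eval_mod(f1, m, 2005), eval_mod(f2, m, 2005))
```

For N = 2005 the construction picks q = 41 (43 is prime but 2005 is a non-residue modulo 43), x_0 = 59, and returns R = [41, 59, 36]; the reduced lattice gives 2X^2 − 2X + 1 and 15X^2 + 3X − 22, both vanishing at 1394 modulo 2005, with coefficients of the predicted size N^(1/4) ≈ 6.7.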
More than Two Polynomials
• If f and g are same-size quadratics with a common root, merge them with f ± g.
• Use four (say) polynomials.
  – Changes to rest of NFS straightforward.
  – Need to produce twice as many relations.
  – Six chances per (a, b) for two norms to be smooth. Sieve 2/6 as many points (hence smaller norms). Sieving takes twice as long per (a, b). Estimated time 2/3 as long as two quadratics.
• Hard to find four quadratics which meet the smoothness heuristics, so the 6 above is unrealistic.
Two Cubics → Five-term GP
• Suppose m is common root (mod N) of f_k = a_k X^3 + b_k X^2 + c_k X + d_k (k = 1, 2).
  – By resultant bound, O(N^(1/6)) coefficients is best we can get.
• Find vector v orthogonal over Z to both [a_k, b_k, c_k, d_k, 0] and both [0, a_k, b_k, c_k, d_k].
  – Simple determinant formula for v.
  – Components of v will be O(N^(2/3)).
  – Multiple of [m^4, m^3, m^2, m, 1] mod N.
Five-term GP → Two Cubics
• Let R = [r_4, r_3, r_2, r_1, r_0] = O(N^(2/3)) be 5-term GP mod N, but not over Z. Ratio s = r_1/r_0 mod N.
• Also must avoid 2nd-order linear recurrence.
• Look at 2-D lattice in Z^4 orthogonal to R′ = [r_3, r_2, r_1, r_0] and ([r_4, r_3, r_2, r_1] − s R′)/N.
  – Smallest basis vectors [a_k, b_k, c_k, d_k] have typical size O((|R|^2/N)^(1/2)) = O(N^(1/6)).
  – Resulting polynomials have common root s mod N.
• For two degree-d polynomials with O(N^(1/(2d))) coefficients, need 2d − 1 terms of size O(N^(1 − 1/d)).
Need a Five-term GP mod N
• Exhaustive search finds many O(N^(2/3)) solutions when N ≈ 1e8.
• Example:
  – [109, 151, 154, 11, 144], ratio 14 = 154/11 mod 2005.
  – Largest entry 154 vs. 2005^(2/3) ≈ 159.0.
  – X^3 − 4X^2 + 3X + 3 and 3X^3 − X^2 − X − 2 share root 14 mod 2005.
• Avoid (1st or) 2nd order linear recurrence.
  – Example: [39, 22, −39, −22, 39] mod 2005 = 39^2 + 22^2.
  – X^3 + X and X^2 + 1 share a quadratic factor.
• Don't know how to find quickly when N is large.
A Construction for Prime N
• Choose irreducible cubic f_1 with O(1) coefficients and a known linear factor modulo N (a known root mod N).
  – One of X^3 − 2, X^3 − 3, X^3 − 6, X^3 − 12 will work.
• Find quadratic f_2 with O(N^(1/3)) coefficients and root modulo N.
• Follow construction of GP from two O(N^(1/6)) cubics (one with a leading zero).
• N is prime in discrete logarithm problem.
Can we use Matrix Inverse?
• Matrix inverse scaled to have integer entries:
  (109 151 154)   (−11  10  11)
  (151 154  11) × ( 10   4 −11) = 2005 I_3
  (154  11 144)   ( 11 −11   3)
• Entries in second are bilinear forms evaluated at coefficients of f_1 and f_2, hence O(N^(1/3)):
  (a_1 b_2 − b_1 a_2   a_1 c_2 − c_1 a_2                       a_1 d_2 − d_1 a_2)
  (a_1 c_2 − c_1 a_2   a_1 d_2 + b_1 c_2 − c_1 b_2 − d_1 a_2   b_1 d_2 − d_1 b_2)
  (a_1 d_2 − d_1 a_2   b_1 d_2 − d_1 b_2                       c_1 d_2 − d_1 c_2)
• Second matrix symmetric, determinant ±N.
• First has constant backwards diagonals.
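An added worked example, not from the slides, that reproduces the cubic slides numerically: starting from the two cubics X^3 − 4X^2 + 3X + 3 and 3X^3 − X^2 − X − 2 it derives the five-term GP by the determinant formula (the generalized cross product of the four vectors [a_k, b_k, c_k, d_k, 0] and [0, a_k, b_k, c_k, d_k]), checks that the result is a GP mod 2005 and a multiple of [m^4, m^3, m^2, m, 1] with m = 14, then forms the Hankel matrix with constant backwards diagonals, scales its inverse to integer entries and compares it with the bilinear-form matrix above. The determinant, adjugate and matrix routines are this example's own.

```python
# Added example (not from the slides): two cubics -> five-term GP by the determinant
# formula, and the scaled matrix inverse of the GP's Hankel matrix as bilinear forms.
N = 2005
F1 = [1, -4, 3, 3]        # X^3 - 4X^2 + 3X + 3, from the slides
F2 = [3, -1, -1, -2]      # 3X^3 - X^2 - X - 2, from the slides

def det(M):
    """Laplace expansion along the first row; fine for the tiny matrices used here."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1)**j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def eval_mod(coeffs, x, mod):
    """coeffs listed from the X^3 coefficient down to the constant term."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % mod
    return acc

def gp_from_cubics(f, g):
    """v orthogonal over Z to [a,b,c,d,0] and [0,a,b,c,d] for both cubics:
    v_i = (-1)^i det(4x4 matrix with column i removed)."""
    rows = [f + [0], [0] + f, g + [0], [0] + g]
    return [(-1)**i * det([row[:i] + row[i + 1:] for row in rows]) for i in range(5)]

def is_gp_mod(R, mod):
    return all((R[i + 1]**2 - R[i] * R[i + 2]) % mod == 0 for i in range(len(R) - 2))

def hankel(R):
    """3x3 matrix with constant backwards diagonals built from the 5-term GP."""
    r4, r3, r2, r1, r0 = R
    return [[r4, r3, r2], [r3, r2, r1], [r2, r1, r0]]

def adjugate(M):
    n = len(M)
    minor = lambda i, j: [r[:j] + r[j + 1:] for k, r in enumerate(M) if k != i]
    return [[(-1)**(i + j) * det(minor(j, i)) for j in range(n)] for i in range(n)]

def scaled_inverse(H, mod):
    """mod * H^{-1} = mod * adj(H) / det(H), required to be an integer matrix."""
    d = det(H)
    out = []
    for row in adjugate(H):
        if any((x * mod) % d for x in row):
            raise ValueError("scaled inverse is not integral")
        out.append([x * mod // d for x in row])
    return out

def bilinear_forms(f, g):
    """The symmetric matrix of bilinear forms from the slide, f = [a1,b1,c1,d1], g = [a2,b2,c2,d2]."""
    a1, b1, c1, d1 = f
    a2, b2, c2, d2 = g
    return [[a1*b2 - b1*a2, a1*c2 - c1*a2, a1*d2 - d1*a2],
            [a1*c2 - c1*a2, a1*d2 + b1*c2 - c1*b2 - d1*a2, b1*d2 - d1*b2],
            [a1*d2 - d1*a2, b1*d2 - d1*b2, c1*d2 - d1*c2]]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

if __name__ == "__main__":
    R = gp_from_cubics(F1, F2)
    print("GP:", R, " GP mod N:", is_gp_mod(R, N), " m = 14 is root of both:",
          eval_mod(F1, 14, N) == 0 and eval_mod(F2, 14, N) == 0)
    H = hankel(R)
    B = scaled_inverse(H, N)
    print("N * H^-1 =", B, " det =", det(B))
    print("equals bilinear forms (f2, f1):", bilinear_forms(F2, F1) == B)
```

The determinant formula returns exactly [109, 151, 154, 11, 144], and N·H^(−1) is the second matrix of the slide; the bilinear forms reproduce it with the cubics taken in the order (f_2, f_1), the other order giving its negative, which is the ± in "determinant ±N".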
Sizes when Factoring a c200
• Assume 2e20 points sieved.
• Two quadratics.
  – Coefficients 1e50. Norms 1e70.
• Two cubics.
  – Coefficients 2e33. Norms 2e63.
• Two degree 4.
  – Coefficients 1e25. Norms 2e65.
• Degree 3 or 4 appears best.
c200 Sizes for Original Base-m
• Assume degree d = 5. Sieving area 2e20.
• m = (c200)^(1/6) = 2e33.
• Coefficients (except leading) 1e33.
• Norms (d+2)(1e33)(1e10)^d = 7e83 and m(1e10) = 2e43.
• Norms too far apart, compared to equal degrees.
c200 Sizes for Modified Base-m
• Assume degree d = 5. Sieving area 2e20.
• Assume a_5 ≈ 1e10 and m = (1e200/a_5)^(1/5) ≈ 1e38.
• Assume we can find a_3 small enough.
• r ≈ (m/a_5)^(1/6) ≈ 5e4 (skewness).
  – Bounds 5e14 on a and 2e5 on b.
  – a_5 (5e14)^5 and m (5e14)^2 (2e5)^3 both 2e83.
  – Norm bound around 1e84 (six summands).
• Linear bound (2e5)(1e38) = 2e43.
• Little different than original base-m.
  – But improved modular properties.
Norm Sizes for RSA 200
• Quintic chosen by Kleinjung's program.
• P = 11·31·61·71·191·331·461·521·691·821.
• Linear PX − m ≈ 1e22 X − 4e37.
• a_5 = 2^3·3^5·5·7·13·422861 ≈ 4e11.
• r ≈ 1600.
• On region of area 2e20, norm bounds about 1e79 (quintic) and 2e44 (linear).
- Slides: 31