Special Number Field Sieve

In number theory, a branch of mathematics, the special number field sieve (SNFS) is a special-purpose integer factorization algorithm. The general number field sieve (GNFS) was derived from it.

The special number field sieve is efficient for integers of the form ''r''^''e'' ± ''s'', where ''r'' and ''s'' are small (for instance Mersenne numbers).

Heuristically, its complexity for factoring an integer $n$ is of the form:

:\exp\left(\left(1+o(1)\right)\left(\tfrac\log n\right)^\left(\log\log n\right)^\right)=L_n\left /3,(32/9)^\right/math>

in O and L-notations.

The SNFS has been used extensively by NFSNet (a volunteer distributed computing effort)
NFS@Home
and others to factorise numbers of the Cunningham project; for some time the records for integer factorization have been numbers factored by SNFS.

Overview of method

The SNFS is based on an idea similar to the much simpler rational sieve; in particular, readers may find it helpful to read about the rational sieve first, before tackling the SNFS.

The SNFS works as follows. Let ''n'' be the integer we want to factor. As in the rational sieve, the SNFS can be broken into two steps:
*First, find a large number of multiplicative relations among a ''factor base'' of elements of Z/''n''Z, such that the number of multiplicative relations is larger than the number of elements in the factor base.
*Second, multiply together subsets of these relations in such a way that all the exponents are even, resulting in congruences of the form ''a''²≡''b''² (mod ''n''). These in turn immediately lead to factorizations of ''n'': ''n''= gcd(''a''+''b'',''n'')×gcd(''a''-''b'',''n''). If done right, it is almost certain that at least one such factorization will be nontrivial.

The second step is identical to the case of the rational sieve, and is a straightforward linear algebra problem. The first step, however, is done in a different, more efficient way than the rational sieve, by utilizing number fields.

Details of method

Let ''n'' be the integer we want to factor. We pick an irreducible polynomial ''f'' with integer coefficients, and an integer ''m'' such that ''f''(''m'')≡0 (mod ''n'') (we will explain how they are chosen in the next section). Let ''α'' be a root of ''f''; we can then form the ring Z alpha; There is a unique ring homomorphism φ from Z 'α''to Z/nZ that maps ''α'' to ''m''. For simplicity, we'll assume that Z 'α''is a unique factorization domain; the algorithm can be modified to work when it isn't, but then there are some additional complications.

Next, we set up two parallel ''factor bases'', one in Z 'α''and one in Z. The one in Z 'α''consists of all the prime ideals in Z 'α''whose norm is bounded by a chosen value $N_$. The factor base in Z, as in the rational sieve case, consists of all prime integers up to some other bound.

We then search for relatively prime pairs of integers (''a'',''b'') such that:
*''a''+''bm'' is smooth with respect to the factor base in Z (i.e., it is a product of elements in the factor base).
*''a''+''bα'' is smooth with respect to the factor base in Z 'α'' given how we chose the factor base, this is equivalent to the norm of ''a''+''bα'' being divisible only by primes less than $N_$.

These pairs are found through a sieving process, analogous to the Sieve of Eratosthenes; this motivates the name "Number Field Sieve".

For each such pair, we can apply the ring homomorphism φ to the factorization of ''a''+''bα'', and we can apply the canonical ring homomorphism from Z to Z/nZ to the factorization of ''a''+''bm''. Setting these equal gives a multiplicative relation among elements of a bigger factor base in Z/nZ, and if we find enough pairs we can proceed to combine the relations and factor ''n'', as described above.

Choice of parameters

Not every number is an appropriate choice for the SNFS: you need to know in advance a polynomial ''f'' of appropriate degree (the optimal degree is conjectured to be $\left(3 \frac\right) ^\frac$, which is 4, 5, or 6 for the sizes of N currently feasible to factorise) with small coefficients, and a value ''x'' such that $f(x) \equiv 0 \pmod N$ where N is the number to factorise. There is an extra condition: ''x'' must satisfy $ax+b \equiv 0 \pmod N$ for a and b no bigger than $N^$.

One set of numbers for which such polynomials exist are the $a^b \pm 1$ numbers from the Cunningham tables; for example, when NFSNET factored , they used the polynomial with , since , and $3^+3 \equiv 0 \pmod$.

Numbers defined by linear recurrences, such as the Fibonacci and Lucas numbers, also have SNFS polynomials, but these are a little more difficult to construct. For example, $F_$ has polynomial $n^5 + 10n^3 + 10n^2 + 10n + 3$, and the value of ''x'' satisfies $F_ x - F_ = 0$.

If you already know some factors of a large SNFS-number, you can do the SNFS calculation modulo the remaining part; for the NFSNET example above, times a 197-digit composite number (the small factors were removed by ECM), and the SNFS was performed modulo the 197-digit number. The number of relations required by SNFS still depends on the size of the large number, but the individual calculations are quicker modulo the smaller number.

Limitations of algorithm

This algorithm, as mentioned above, is very efficient for numbers of the form ''r''^''e''±''s'', for ''r'' and ''s'' relatively small. It is also efficient for any integers which can be represented as a polynomial with small coefficients. This includes integers of the more general form ''ar''^''e''±''bs''^''f'', and also for many integers whose binary representation has low Hamming weight. The reason for this is as follows: The Number Field Sieve performs sieving in two different fields.
The first field is usually the rationals. The second is a higher degree field. The efficiency of the algorithm strongly depends on the norms of certain elements in these fields. When an integer can be represented as a polynomial with small coefficients, the norms that arise are much smaller than those that arise when an integer is represented by a general polynomial. The reason is that a general polynomial will have much larger coefficients, and the norms will be correspondingly larger. The algorithm attempts to factor these norms over a fixed set of prime numbers. When the
norms are smaller, these numbers are more likely to factor.

See also

* General number field sieve

References

Further reading

*
*
*
*

{{number theoretic algorithms
Integer factorization algorithms