General number field sieve

In mathematics,general number field sieve ismost efficient algorithm knownfactoring integers. It uses O(exp( ((64/9) n)^1/3 (log n)^2/3 )) stepsfactor integer n.

Itan improvementolder sieving method which factors n by finding numbers k_i such that r_i=k_i²-n factor completely overfixed set (called basis)small primes. Then, having enough such r_i - whichcalled smooth relative tochosen basisprimes, using Gauss elimination methodlinear algebra we can choose exponents c_i equal0 or 1 such that productr_i^c_i issquare, say x². Onother hand, ifproductk_i^c_iy, then x²-y²divisible by nwith probability at least one half we getfactorn by finding greatest common divisornx-y. In this method,idea waschoose k_i close tosquare rootn - then r_iofordermagnitudesquare rootn toothereenough smooth values there.

The general number field sieve''' works as follows:

• We choose two irreducible polynomials f(x)g(x)common root m mod n - itnot known what isbest waychoosepolynomials, but usually itdone by pickingdegree d forpolynomialconsidering expansionnbasis m where m isorder n^1/d. The point isget coefficientsfg as small as possible -will beorderm, while having small degrees deour polynomials.

• Now, we consider number field rings Z[r1]Z[r2] where r1r2rootspolynomials fg,lookvalues ab such that r=b^d*f(a/b)s=b^e*g(a/b)smooth relative tochosen basisprimes. If absmall, rs will be too (but at leastorderm),we havebetter chancethembe smooth atsame time.

• Having enough such pairs, using Gauss elimination method we can get productscertain r andcorresponding sbe squares atsame time. We needslightly stronger condition - that theynormssquaresour number fields, but we can get that condition by this method too. Each r isnorma- r1*bhence we get that productcorresponding factors a- r1*b issquareZ[r1], with"square root" which can be determined (asproductknown factorsZ[r1]) -will typically be represented asnonrational algebraic number. Similary we get that productfactors a- r2*b issquareZ[r2], with"square root" which we can also compute.

• Since mrootboth fg mod n, therehomomorphisms fromrings Z[r1]Z[r2] toring Z/nZ, which map r1r2m,these homomorphisms will map each "square root" (typically not represented asrational number) into its integer representative. Now productfactors a-m*b mod n we can get assquaretwo ways - oneeach homomorphism. Thus, we get two numbers xy,x²-y² divisible by nagainprobability at least one half we getfactorn by finding greatest common divisornx-y

The second-best-known algorithminteger factorization isLenstra elliptic curve factorization method. Itbetter thangeneral number field sieve when factorsof small size, asworks by finding smooth valuesorder ofsmallest prime divisorn,its running time depends onsizethis divisor.