Prime Numbers

6.1 The quadratic sieve factorization method 273
And what, then, of three large primes? One can appreciate that the added
difficulties with two large primes increase still further. It may be worth it, but
it seems likely that instead, using a larger B would be more profitable.
6.1.5 Multiple polynomials
In the basic QS method we let x run over integers near √ n, searching for values
x 2 − n that are B-smooth. The reason we take x near √ n is to minimize the
size of x 2 − n, since smaller numbers are more likely to be smooth than larger
numbers. But for x near to √ n,wehavex 2 − n ≈ 2(x − √ n) √ n,andsoasx
marches away from √ n, so, too, do the numbers x 2 − n, and at a steady and
rapid rate. There is thus built into the basic QS method a certain diminishing
return as one runs the algorithm, with perhaps a healthy yield rate for smooth
reports at the beginning of the sieve, but this rate declining perceptibly as
one continues to sieve.
The multiple polynomial variation of the QS method allows one to get
around this problem by using a family of polynomials rather than just the
one polynomial x 2 − n. Different versions of using multiple polynomials have
been suggested independently by Davis, Holdridge, and Montgomery; see
[Pomerance 1985]. The Montgomery method is slightly better and is the
way we currently use the QS algorithm. Basically, what Montgomery does
is replace the variable x with a wisely chosen linear function in x.
Suppose a, b, c are integers with b 2 − ac = n. Consider the quadratic
polynomial f(x) =ax 2 +2bx + c. Then
so that
af(x) =a 2 x 2 +2abx + ac =(ax + b) 2 − n, (6.2)
(ax + b) 2 ≡ af(x) (modn).
If we have a value of a that is a square times a B-smooth number and a value
of x for which f(x) isB-smooth, then the exponent vector for af(x), once it is
reduced modulo 2, gives us a row for our matrix. Moreover, the possible odd
primes p that can divide f(x) (and do not divide n) are those with p
=1,
n
namely the same primes that we are using in the basic QS algorithm. (It is
somewhat important to have the set of primes occurring not depend on the
polynomial used, since otherwise, we will have more columns for our matrix,
and thus need more rows to generate a dependency.)
We are requiring that the triple a, b, c satisfy b2 − ac = n and that a be
a B-smooth number times a square. However, the reason we are using the
polynomial f(x) is that its values might be small, and so more likely to be
smooth. What conditions should we put on a, b, c to have small values for
f(x) =ax2 +2bx + c? Well, this depends on how long an interval we sieve
on for the given polynomial. Let us decide beforehand that we will only sieve
the polynomial for arguments x running in an interval of length 2M. Also,
by (6.2), we can agree to take the coefficient b so that it satisfies |b| ≤ 1
2a (assuming a is positive). That is, we are ensuring our interval of length 2M