Prime Numbers

274 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
for x to be precisely the interval [−M,M]. Note that the largest value of f(x)
on this interval is at the endpoints, where the value is about (a 2 M 2 − n)/a,
and the least value is at x = 0, being there about −n/a. Let us set the absolute
values of these two expressions approximately equal to each other, giving the
approximate equation a 2 M 2 ≈ 2n, sothata ≈ √ 2n/M.
If a satisfies this approximate equality, then the absolute value of f(x) on
the interval [−M,M] is bounded by (M/ √ 2) √ n. This should be compared
with the original polynomial x 2 − n used in the basic QS method. On the
interval [ √ n − M, √ n + M], the values are bounded by approximately 2M √ n.
So we have saved a factor 2 √ 2 in size. But we have saved much more than that.
In the basic QS method the values continue to grow, we cannot stop at a preset
value M. But when we use a family of polynomials, we can continually change.
Roughly, using the analysis of Section 6.1.1, we can choose M = B = L(n) 1/2
when we use multiple polynomials, but must choose M = B 2 = L(n) when
we use only one polynomial. So the numbers that “would be smooth” using
multiple polynomials are smaller on average by a factor B. A heuristic analysis
shows that using multiple polynomials speeds up the quadratic sieve method
by roughly a factor 1
√
ln n ln ln n. Whennis about 100 digits, this gives a
2
savings of about a factor 17; that is, QS with multiple polynomials runs about
17 times as fast as the basic QS method. (This “thought experiment” has not
been numerically verified, though there can be no doubt that using multiple
polynomials is considerably faster in practice.)
However, there is one last requirement for the leading coefficient a: We
need to find values of b, c to go along with it. If we can solve b2 ≡ n (mod a)
for b, then we can ensure that |b| ≤a/2, and we can let c =(b2− n)/a.
Note that the methods of Section 2.3.2 will allow us to solve the congruence
provided that we choose a such that a is odd, we know the prime factorization
of a, and for each prime p|a, wehave
n
p = 1. One effective way to do this is
to take various primes p ≈ (2n) 1/4 /M 1/2 ,with
n
2
p =1,andchoosea = p .
Then such values of a meet all the criteria we have set for them:
(1) We have a equal to a square times a B-smooth number.
(2) We have a ≈ √ 2n/M.
(3) We can efficiently solve b 2 ≡ n (mod a) forb.
The congruence b 2 ≡ n (mod a) has two solutions, if we take a = p 2 as
above. However, the two solutions lead to equivalent polynomials, so we use
only one of the solutions, say the one with 0