Prime Numbers

288 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
One can see that “at infinity,” NFS is far superior (heuristically) than QS.
The low complexity estimate should motivate us to forge on and solve the
remaining technical problems in connection with the algorithm.
If we could come up with a polynomial with smaller coefficients, the
complexity estimate would be smaller. In particular, if the polynomial f(x)
has coefficients that are bounded by nɛ/d √ , then the above analysis gives the
(2+2ɛ)/d+o(1) complexity L(n)
for fixed d; and for d →∞as n →∞,itis
exp (32(1 + ɛ)/9) 1/3 + o(1) (ln n) 1/3 (ln ln n) 2/3 . The case ɛ = o(1) is the
“special” number field sieve; see Section 6.2.7.
6.2.4 Basic NFS: Obstructions
After this interlude into complexity theory, we return to the strategy of NFS.
We are looking for some easily checkable condition for the product of (a − bα)
for (a, b) ∈Sto be a square in Z[α]. Lemma 6.2.1 goes a long way to meet
this condition, but there are several “obstructions” that remain. Suppose that
(6.7) holds. Let β =
(a,b)∈S (a − bα).
(1) If the ring Z[α] is equal to I (the ring of all algebraic integers in Q(α)),
then we at least have the ideal (β) inI being the square of some ideal J.
ButitmaynotbethatZ[α] =I. Soitmaynotbethat(β) inI is the
square of an ideal in I.
(2) Even if (β) =J 2 for some ideal J in I, itmaynotbethatJ is a principal
ideal.
(3) Even if (β) =(γ) 2 for some γ ∈I,itmaynotbethatβ = γ 2 .
(4) Even if β = γ 2 for some γ ∈I,itmaynotbethatγ ∈ Z[α].
Though these four obstructions appear forbidding, we shall see that two simple
devices can be used to overcome all four. We begin with the last of the four.
The following lemma is of interest here.
Lemma 6.2.3. Let f(x) be a monic irreducible polynomial in Z[x], withroot
α in the complex numbers. Let I be the ring of algebraic integers in Q(α), and
let β ∈I. Then f ′ (α)β ∈ Z[α].
Proof. Our proof follows an argument in [Weiss 1963, Sections 3–7]. Let
β0,β1,...,βd−1 be the coefficients of the polynomial f(x)/(x − α). That is,
f(x)/(x − α) = d−1
j=0 βjx j . From Proposition 3-7-12 in [Weiss 1963], a result
attributed to Euler, we have β0/f ′ (α),...,βd−1/f ′ (α) abasisforQ(α) over
Q, each βj ∈ Z[α], and the trace of α k βj/f ′ (α) is1ifj = k, and 0 otherwise.
(See Section 6.2.2 for the definition of trace. From this definition it is easy to
see that the trace operation is Q-linear, it takes values in Q, and on elements
of I it takes values in Z.) Let β ∈I. There are rationals s0,...,sd−1 such
that β = d−1
j=0 sjβj/f ′ (α). Then the trace of βα k is sk for k =0,...,d− 1.
So each sk ∈ Z. Thus,f ′ (α)β = d−1
j=0 sjβj is in Z[α]. ✷