Prime Numbers

6.2 Number field sieve 291
is conjectured that it is sufficient to choose k = ⌊3lgn⌋ (with the k primes qj
chosen as the least possible). Probably a somewhat smaller value of k would
also suffice, but this aspect is not a time bottleneck for the algorithm.
We use the pairs qj,sj to augment our exponent vectors with k additional
entries. If a−bsj
= 1, the entry corresponding to qj,sj in the exponent vector
qj
for a − bα is 0. If the Legendre symbol is −1, the entry is 1. (This allows the
translation from the multiplicative group {1, −1} of order 2 to the additive
group Z2 of order 2.) These augmented exponent vectors turn out now to be
not only necessary, but also sufficient (in practice) for constructing squares.
6.2.5 Basic NFS: Square roots
Suppose we have overcome all the obstructions of the last section, and we now
have a set S of coprime integer pairs such that f ′ 2 (α) (a,b)∈S (a − bα) =γ2
for γ ∈ Z[α], and
(a,b)∈S (a − bm) =v2 for v ∈ Z. We then are nearly done,
for if u is an integer with φ(γ) ≡ u (mod n), then u 2 ≡ (f ′ (m)v) 2 (mod n),
and we may attempt to factor n via gcd(u − f ′ (m)v, n).
However, a problem remains. The methods of the above sections allow us
to find the set S with the above properties, but they do not say how we might
go about finding the square roots γ and v. That is, we have squares, one in
Z[α], the other in Z, and we wish to find their square roots.
The problem for v is simple, and can be done in the same way as in QS.
From the exponent vectors, we can deduce easily the prime factorization of
v 2 , and from this, we can deduce even more easily the prime factorization of
v. We actually do not need to know the integer v; rather, we need to know
only its residue modulo n. For each prime power divisor of v, compute its
residue mod n by a fast modular powering algorithm, say Algorithm 2.1.5.
Then multiply these residues together in Zn, finally getting v (mod n).
The more difficult, and more interesting, problem is the computation of γ.
If γ is expressed as a0 + a1α + ···+ ad−1α d−1 ,thenanintegeru that works is
a0 + a1m + ···+ ad−1m d−1 . Since again we are interested only in the residue
u (mod n), it means that we are interested only in the residues aj (mod n).
This is good, since the integers a0,...,ad−1 might well be very large, with
perhaps about as many digits as the square root of the number of steps for
the rest of the algorithm! One would not want to do much arithmetic with
such huge numbers. Even if one computed only the algebraic integer γ 2 ,and
did not worry about finding the square root γ, one would have to use the
fast multiplication methods of Chapter 8.8 in order to keep the computation
within the time bound of Section 6.2.3. And this does not even begin to touch
how one would take the square root.
If we are in the special case where Z[α] =I and this ring is a unique
factorization domain, we can use a method similar to the one sketched above
for computing v (mod n). But in the general case, our ring may be far from
being a UFD.