Prime Numbers

292 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
One method, suggested in [Buhler et al. 1993], begins by finding a prime p
such that f(x) is irreducible modulo p. Then we solve for γ (mod p) (that is,
for the coefficients of γ modulo p). We do this as a computation in the finite
field Zp[x]/(f(x)); see Section 2.2.2. The square root computation can follow
along the lines of Algorithm 2.3.8; see Exercise 2.16. So this is a start, since
we can actually find the residues a0 (mod p),...,ad−1 (mod p) fairly easily.
Why not do this for other primes p, and then glue using the Chinese remainder
theorem? There is a seemingly trivial problem with this overall approach. For
each prime p for which we do this, there are two square roots, and we don’t
know how to choose the signs in the gluing. We could try every possibility,
but if we use k primes, only 2 of the 2 k possibilities work. We may choose one
of the solutions for one of the primes p, and then get it down to 2 k−1 choices
for the other primes, but this is small comfort if k is large.
Thereareatleasttwopossiblewaystoovercomethisproblemofchoosing
the right signs. The method suggested in [Buhler et al. 1993] is not to use
Chinese remaindering with different primes, but rather to use Hensel lifting
to get solutions modulo higher and higher powers of the same fixed prime p;
see Algorithm 2.3.11. When the power of p exceeds a bound for the coefficients
aj, it means we have found them. This is simpler than using the polynomial
factorization methods of [Lenstra 1983], but at the top of the Hensel game
when we have our largest prime powers, we are doing arithmetic with huge
integers, and to keep the complexity bound under control we must use fast
subroutines as in Chapter 8.8.
Another strategy, suggested in [Couveignes 1993], allows Chinese remaindering,
but it works only for the case d odd. In this case, the norm of −1 is−1,
so that we can set off right from the beginning and insist that we are looking
for the choice for γ with positive norm. Since the prime factorization of N(γ)
is known from the exponent vectors, we may compute N(γ) (modp), where p
is as above, a prime modulo which f(x) is irreducible. When we compute γp
that satisfies γ 2 p ≡ γ 2 (mod p), we choose γp or −γp accordingtowhichhas
norm congruent to N(γ) (modp). This, then, allows a correct choice of signs
for each prime p used. This idea does not seem to generalize to even degrees d.
As it turns out there is a heuristic approach for finding square roots that
seems to work very well in practice, making this step of the algorithm not
of great consequence for the overall running time. The method uses some of
the ideas above, as well as some others. For details, see [Montgomery 1994],
[Nguyen 1998].
6.2.6 Basic NFS: Summary algorithm
We now sum up the preceding sections by giving a reasonably concise
description of the NFS. Due to the relative intricacy of the algorithm, we have
chosen to use a fair amount of English description in the following display.