Prime Numbers

6.2 Number field sieve 295
Then it should be that
wf ′
2
(α)
(a,b)∈S
wf ′
2
(m)
(a,b)∈S
(a − bα) =γ 2 , for some γ ∈ Z[α],
(a − bm) =v 2 , for some v ∈ Z.
Then if φ(γ) =u, wehaveu 2 ≡ v 2 (mod n), as before.
The advantage of free relations is that the more of them there are, the
fewer relations need be uncovered in the time-consuming sieve stage. Also, the
vectors v(p) are sparser than a typical exponent vector v(a, b), so including
free relations allows the matrix stage to run faster.
So, how many free relations do we expect to find? A free relation
corresponds to a prime p that splits completely in the algebraic number field
Q(α). Let g be the order of the splitting field of f(x); that is, the Galois
closure of Q(α) in the complex numbers. It follows from the Chebotarev
density theorem that the number of primes p up to a bound X that split
completely in Q(α) is asymptotically 1
g π(X), as X →∞. That is, on average,
1 out of every g prime numbers corresponds to a free relation. Assuming that
our factor base bound B is large enough so that the asymptotics are beginning
to take over (this is yet another heuristic, but reasonable, assumption), we thus
should expect about 1
g π(B) free relations. Now, the order g of the splitting
field could be as small as d, the degree of f(x), or as high as d!. Obviously,
the smaller g is, the more free relations we should expect. Unfortunately, the
generic case is g = d!. That is, for most irreducible polynomials f(x) inZ[x]
of degree d, the order of the splitting field of f(x) isd!. So, for example, if
1
d = 5, we should expect only about 120π(B) free relations, if we choose our
polynomial f(x) according to the scheme in Step [Setup] in Algorithm 6.2.5.
Since our vectors have about 2π(B) coordinates, the free relations in this case
would only reduce the sieving time by less than one-half of 1 per cent. But
still, it is free, so to speak, and every little bit helps.
Free relations can help considerably more in the case of special polynomials
f(x) with small splitting fields. For example, in the factorization of the ninth
Fermat number F9, the polynomial f(x) =x5 + 8 was used. The order of
the splitting field here is 20, so free relations allowed the sieving time to be
reduced by about 2.5%.
Partial relations
As in the quadratic sieve method, sieving in the number field sieve not
only reveals those pairs a, b where both of the numbers N(a−bα) =F (a, b) =
b d f(a/b) anda − bm are B-smooth, but also pairs a, b where one or both of
these numbers are a B-smooth number times one somewhat larger prime. If
we allow relations that have such large primes, at most one each for N(a−bα)
and a − bm, we then have a data structure not unlike the quadratic sieve with
the double large-prime variation; see Section 6.1.4. It has also been suggested
that reports can be used with N(a − bα) having two large primes and a − bm