Prime Numbers

6.2 Number field sieve 297
is a square in Q(α), and if S has an even number of pairs, then
F ′ 2
(cdα)
(acd − bcdα)
(a,b)∈S
is a square in Z[cdα], say γ 2 . Finding the integral coefficients (modulo n)
of γ with respect to the basis 1,cdα,...,(cdα) d−1 then allows us as before
to get two congruent squares modulo n, and so gives us a chance to factor
n. (Note that if F (x, y) =y d f(x/y) is the homogenized form of f(x), then
F (cdx, cd) =cdF (cdx), and so Fx(cdα, cd) =cdF ′ (cdα). We thus may use
Fx(cdα, cd) inplaceofF ′ (cdα) in the above, if we wish.) So, using a nonmonic
polynomial poses no great complications. To ensure that the cardinality of the
set S is even, we can enlarge all of our exponent vectors by one additional
coordinate, which is always set to be 1.
The above argument assumes that the coefficient cd is coprime to n.
However, it is a simple matter to check that cd and n are coprime. And, since
cd is smaller than n in all the cases that would be considered, a nontrivial
gcd would lead to a nontrivial splitting of n. For further details on how to
use nonmonic polynomials, and also how to use homogeneous polynomials,
[Buhler et al. 1993, Section 12].
There have been some exciting developments in polynomial selection,
developments that were very important in the record 155-digit factorization
of the famous RSA challenge number in late 1999. It turns out that a
good polynomial makes so much difference that it is worthwhile to spend
a considerable amount of resources searching through polynomial choices. For
details on the latest strategies see [Murphy 1998, 1999].
Polynomial pairs
The description of NFS given in the sections above actually involves two
polynomials, though we have emphasized only the single polynomial f(x) for
whichwehaveanintegerm with f(m) ≡ 0(modn). It is more precisely
the homogenized form of f that we considered, namely F (x, y) =y d f(x/y),
where d isthedegreeoff(x). The second polynomial is the rather trivial
g(x) = x − m. Its homogenized form is G(x, y) = yg(x/y) = x − my.
The numbers that we sieve looking for smooth values are the values of
F (x, y)G(x, y) in a box near the origin.
However, it is not necessary for the degree of g(x) to be 1. Suppose we have
two distinct, irreducible (not necessarily monic) polynomials f(x),g(x) ∈ Z[x],
andanintegerm with f(m) ≡ g(m) ≡ 0(modn). Let α be a root of f(x) in
C and let β be a root of g(x) inC. Assuming that the leading coefficient c of
f(x) andC of g(x) arecoprimeton, we have homomorphisms φ : Z[cα] → Zn
and ψ : Z[Cβ] → Zn, whereφ(cα) ≡ cm (mod n) andψ(Cβ) ≡ Cm (mod n).
Suppose, too, that we have a set S consisting of an even number of coprime
integer pairs a, b and elements γ ∈ Z[α] andβ ∈ Z[β] with
2
Fx(cα, c)
(a,b)∈S
(ac − bcα) =γ 2
2
, Gx(Cβ,C)
(a,b)∈S
(aC − bCβ) =δ 2 .