Prime Numbers

6.2 Number field sieve 299
polynomials do exist, and if we can find such polynomials, then the complexity
of NFS is significantly lowered. The special number field sieve (SNFS) refers to
the cases of NFS where we are able to find extraordinarily good polynomials.
The SNFS has principally been used to factor many Cunningham numbers
(these are numbers of the form b k ± 1 for b = 2, 3, 5, 6, 7, 10, 11, 12, see
[Brillhart et al. 1988]). We have already mentioned the factorization of the
ninth Fermat number, F9 =2 512 + 1, by [Lenstra et al. 1993a]. They used the
polynomial f(x) =x 5 + 8 and the integer m =2 103 ,sothatf(m) =8F9 ≡ 0
(mod F9). Even though we already knew the factor 2424833 of F9 (found by
A. E. Western in 1903), this was ignored. That is, the pretty nature of F9
itself was used; the number F9/2424833 is not so pretty!
What makes a polynomial extraordinary is that it has very small
coefficients. If we have a number n = b k ± 1, we can create a polynomial
as follows. Say we wish the degree of f(x) tobe5.Writek =5l + r, wherer
is the remainder when 5 is divided into k. Thenb 5−r n = b 5(l+1) ± b 5−r .Thus,
we may use the polynomial f(x) =x 5 ± b 5−r ,andchoosem = b l+1 .Whenk
is large, the coefficients of f(x) are very small in comparison to n.
A small advantage of a polynomial of the form x d + c is that the order of
the Galois group is a divisor of dϕ(d), rather than having the generic value
d! for degree-d polynomials. Recall that the usefulness of free relations is
proportional to the reciprocal of the order of the Galois group. Thus, free
relations are more useful with special polynomials of the form x d + c than in
the general case.
Sometimes a fair amount of ingenuity can go into the choosing of special
polynomials. Take the case of 10 193 − 1, factored in 1996 by M. Elkenbracht-
Huizing and P. Montgomery. They might have used the polynomial x 5 − 100
and m =10 39 , as suggested by the above discussion, or perhaps 10x 6 − 1and
m =10 32 . However, the factorization still would have been a formidable. The
number 10 193 − 1 was already partially factored. There is the obvious factor
9, but we also knew the factors
773, 39373, 561470969, 639701219449517, 4274417556076113498947,
26409540111952717487908689681403.
After dividing these known factors into 10 193 − 1, the resulting number n was
still composite and had 108 digits. It would have been feasible to use either
the quadratic sieve or the general NFS on n, but it seemed a shame not to
use n’s pretty ancestry. Namely, we know that 10 has a small multiplicative
order modulo n. This leads us to the congruence 10 64 3 ≡ 10 −1 (mod n),
and to the congruence 6 · 10 64 3 ≡ 6 3 · 10 −1 ≡ 108 · 5 −1 (mod n). Thus,
for the polynomial f(x) =5x 3 − 108 and m =6· 10 64 ,wehavef(m) ≡ 0
(mod n). However, m is too large to profitably use the linear polynomial
x−m. Instead, Elkenbracht-Huizing and Montgomery searched for a quadratic
polynomial g(x) with relatively small coefficients and with g(m) ≡ 0(modn).
This was done by considering the lattice of integer triples (A, B, C) with
Am 2 + Bm + C ≡ 0(modn). The task is to find a short vector in this