In and About the Quadratic Sieve

Understanding the Quadratic Sieve

Shamir’s new hardware proposal includes a brief description of the quadratic sieve algorithm which was, for a while, the fastest known way to factor numbers. I have some comments on Shamir’s hardware but here I want to elaborate the algorithm itself.

Most of what I know is from Shamir’s brief description. Other information on the web that I have found about the algorithm is even briefer. For now however, you may find Åsbrink & Brynielsson’s description better.

There are several senses of understanding the algorithm: After I came to think that I could write the program several questions remain which puzzle me:

I could not predict its performance
Are there composites which it cannot factor?
Can one find such composites?
Why don’t obvious improvements work?
How to choose the size of the factor base
How to adapt the algorithm to other kinds of hardware.

We explore some of these here.

The scheme to factor n is to solve the equation y² = z² (mod n) non trivially. The trivial solutions are where y = z (mod n) or y = −z (mod n). This is why non trivial solutions factor n.

It is easy and sometimes useful when thinking about arithmetic modulo n to imagine that there are only n integers. Such notions confuse the arguments here and confused me for a while. I will use C’s notation “y%n” to denote the positive remainder of dividing y by n. Shamir denotes this by “y (mod n)” but that is at odds with some mathematical conventions that seem to designate an equivalence class by such notation.

We choose a factor base of small primes. Indeed we choose the set of all of the primes less than some number, perhaps a hundred thousand primes each less than several million. We will need to find many numbers y_i such that y_i²%n is a product of our small primes. If we can find more y_i’s than there are members of our factor base then we shall see that we win!

Here is how to find the y_i’s.
Here is how we solve y² = z² (mod n) by knowing enough y_i’s .

Notes

We are concerned with two sets of numbers here: Q = {y² + kn | y ∊ Z & k ∊ Z} (where Z is the set of integers) and P = (products of our small primes), and in particular R = P∩Q. We look for many members of R but always being careful to know values of y and k that will produce that member. R is closed under multiplication because both P and Q are.

A promising introduction to the number field sieve.