JDetrey Tutorial

ARITH 22, Lyon, France — June 25, 2015
Factoring integers with

CADO-NFS
Jérémie Detrey
CARAMEL team, LORIA
INRIA Nancy – Grand Est, France
Jeremie.Detrey@loria.fr
CARAMEL
/* */ C,A,
/* */ R,a,
/* */ M,E,
L,i=
5,e,
d[5],Q[999 ]={0};main(N ){for
(;i--;e=scanf("%" "d",d+i));for(A =*d;
++i<A ;++Q[ i*i% A],R= i[Q]?
R:i); for(;i --;) for(M =A;M
--;N +=!M*Q [E%A ],e+= Q[(A
+E*E- R*L* L%A) %A]) for(
E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L)
%A,E=C%A+a --[d]);printf ("%d"
"\n",
(e+N*
N)/2
/* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);}
Why factor?
I Cryptography:
• Integer factorization is a (supposedly) difficult problem, but
integer multiplication is not
• E.g., basis for the security of the
RSA public-key cryptosystem:
→ private key: large primes p and q
→ public key: N = p · q
• Key length recommendations
• Break weak instances of RSA (short keys)
Jérémie Detrey — Factoring integers with CADO-NFS 1 / 22

Why factor?
I Cryptography:
I Number theory:
• Cunningham tables: factorizations
X of b n ± 1
• Aliquot sequences: sn+1 = d − sn
• etc. d|sn

Why factor?
I Cryptography:
I Number theory:
• Cunningham tables: factorizations
X of b n ± 1
• Aliquot sequences: sn+1 = d − sn
• etc. d|sn
I For fun ,
Factorization algorithms (I)
I Find small- to medium-size prime factors p of an integer N:


• Trial division: O(p)


• Trial division: O(p) = O (exp (log p))
→ complexity exponential in log p


• ρ method [Pollard, 1975]:
√
O( p)



√ 1
O( p) = O exp log p
2



√ 1
O( p) = O exp log p
2
• p − 1 [Pollard, 1974] and p + 1 [Williams, 1982]



√ 1
O( p) = O exp log p
2
• p − 1 [Pollard, 1974] and p + 1 [Williams, 1982]
• ECM (Elliptic Curve Method) [Lenstra, 1987]:
p
O exp 2 log p log log p
→ subexponential complexity!

Factorization algorithms (II)
I Find all prime factors of an integer N:


• SQUFOF (SQUare FOrms Factorization) [Shanks, ca. 1975]:
√

4 1
O( N) = O exp log N
4
→ complexity exponential in log N


• SQUFOF (SQUare FOrms Factorization) [Shanks, ca. 1975]:
√

4 1
O( N) = O exp log N
4
→ complexity exponential in log N
• CFRAC (Continued FRACtions) [Morrison & Brillhart, 1975]:
p
O exp 2 log N log log N
→ subexponential complexity!

Factorization algorithms (III)
• QS (Quadratic Sieve) [Pomerance, 1981] and
MPQS (Multiple Polynomial QS) [Silverman, 1987] in
p
O exp log N log log N

p
• SNFS (Special Number Field Sieve)

[Lenstra, Lenstra, Manasse, & Pollard, 1990]:
r !!
3 32
O exp (log N)1/3 (log log N)2/3
9

p
• SNFS (Special Number Field Sieve)

[Lenstra, Lenstra, Manasse, & Pollard, 1990]:
r !!
3 32
9
• (G)NFS (General Number Field Sieve)

[Buhler, Lenstra, & Pomerance, 1993]:
r !!
3 64
9

Current factorization records
I ECM (small- to medium-size factors):
• 2013: found 83-digit-factor of 7337 + 1 (285 digits)

I SNFS (numbers of a special form):
9
• 1990: factorization of F9 = 22 + 1 (155 digits) in ∼ 340 CPU-years
• ...
• 2011–12: fact. of 21061 − 1 (320 digits) in ∼ 335 CPU-years
• 2010–14: fact. of 17 numbers of the form 2n − 1 for
1007 ≤ n ≤ 1199 (304–361 digits) in ∼ 7500 core-years

9
• ...
I GNFS (general numbers, esp. RSA moduli):
• 1996: fact. of RSA-130 (130 digits) in ∼ 17 CPU-years
• ...
• 2007–09: fact. of RSA-768 (232 digits) in ∼ 2000 core-years

9
• ...
I GNFS (general numbers, esp. RSA moduli):
• 1996: fact. of RSA-130 (130 digits) in ∼ 17 CPU-years
• ...
• 2007–09: fact. of RSA-768 (232 digits) in ∼ 2000 core-years
I Quantum computer:
• 2012: fact. of 56153 (a whopping 5 digits!)
Free (as in free speech) factorization software
I p − 1, p + 1, and ECM:
• GMP-ECM [Zimmermann et al.]:
http://ecm.gforge.inria.fr/

I p − 1, p + 1, and ECM:
I QS and MPQS:
• YAFU [Buhrow]:
http://yafu.sourceforge.net/

I p − 1, p + 1, and ECM:
I QS and MPQS:
• YAFU [Buhrow]:
http://yafu.sourceforge.net/
I SNFS and GNFS:

• NFS@home [Childers]:
http://escatter11.fullerton.edu/nfs/
• Msieve [Papadopoulos]:
http://www.boo.net/~jasonp/qs.html
• CADO-NFS:
http://cado-nfs.gforge.inria.fr/
CADO-NFS
I Mostly developed in the CARAMEL team in Nancy, France, with
several regular external contributors:
• Shi Bai (AriC team, LIP, Lyon, France)
• Cyril Bouvier (CARAMEL)
• Alain Filbois (Inria Nancy – Grand Est, France)
• Pierrick Gaudry (CARAMEL)
• Laurent Imbert (ECO team, LIRMM, Montpellier, France)
• Alexander Kruppa (CARAMEL)
• François Morain (GRACE team, LIX, Saclay, France)
• Emmanuel Thomé (CARAMEL)
• Paul Zimmermann (CARAMEL)

CADO-NFS
I Started in 2007, last release (2.1.1) in 2014, still under heavy
development (10k commits, almost 300k lines of code)

CADO-NFS
I Support for integer factorization (GNFS and SNFS), but also discrete
logarithm in finite fields (FFS, NFS-DL, NFS-HD)

CADO-NFS
I Support for integer factorization (GNFS and SNFS), but also discrete
logarithm in finite fields (FFS, NFS-DL, NFS-HD)
I Website: http://cado-nfs.gforge.inria.fr/
The Number Field Sieve
I Based on Fermat’s factoring method (congruence of squares):
• Find two integers x and y such that x 2 ≡ y 2 (mod N)
• With good probability, gcd(x ± y , N) gives a non-trivial factor of N

I Obtain such equalities through two number fields

Z[X ]

• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q
Z[X ]

Z[X ]
X 7→ X mod f1
Z[X ]/(f1(X ))

• αi root of fi : Q(αi ) is an algebraic number field
Z[X ]
X 7→ α1
Z[α1] ⊂ OQ(α1)

Z[X ]
X 7→ α1 X 7→ α2
Z[α1] OQ(α2) ⊃ Z[α2]

• f1 and f2 chosen such that they have a common root m in Z/N Z
Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]

Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
α1 7→ m mod N α2 7→ m mod N
Z/N Z
Γ(X ) ∈ Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
Z/N Z
Γ(X ) ∈ Z[X ]
X 7→ α1 X 7→ α2
Γ(α1) ∈ Z[α1] Z[α2] 3 Γ(α2)
Z/N Z
Γ(X ) ∈ Z[X ]
X 7→ α1 X 7→ α2
γ1(α1)2 = Γ(α1) ∈ Z[α1] Z[α2] 3 Γ(α2) =? γ2(α2)2

?
Z/N Z
Γ(X ) ∈ Z[X ]
X 7→ α1 X 7→ α2
γ1(α1)2 = Γ(α1) ∈ Z[α1] Z[α2] 3 Γ(α2) =? γ2(α2)2

?
Z/N Z
⇒ γ1(m)2 ≡ γ2(m)2 mod N
I How can one find such a polynomial Γ(X )?

Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
Z/N Z

I For all pairs of coprime integers (a, b) ∈ [−A, A]×]0, A]:
Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
Z/N Z


• Consider the polynomial a − bX in the diagram
Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
Z/N Z


a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
Z/N Z


a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2
Z/N Z


• Try to factor each a − bαi into a product of primes ≤ bound Bi
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2
Z/N Z


a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
= a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2 =

Y e Y e
p1,j1,j p2,j2,j
j j
Z/N Z


• Such a pair is called a relation: add (a, b) to R (set of relations)
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
= a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2 =

Y e Y e
p1,j1,j p2,j2,j
j j
Z/N Z

I Once enough relations were collected, find subset S ⊂ R such that
(a − bαi ) is a square in Z[αi ], for both i ∈ {1, 2}

Y
(a,b)∈S


Y
(a,b)∈S
I Example:


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3
2
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p2,1 p2,2 p2,3


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3
2
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p2,1 p2,2 p2,3


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3
2
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p2,1 p2,2 p2,3
4 4 4 4 6 2
Y Y
(ai − bi α1 ) = p1,1 p1,2 p1,3 (ai − bi α2 ) = p2,1 p2,2 p2,3
i∈{1,2,4} i∈{1,2,4}


Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3
2
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p2,1 p2,2 p2,3
4 4 4 4 6 2
Y Y
(ai − bi α1 ) = p1,1 p1,2 p1,3 (ai − bi α2 ) = p2,1 p2,2 p2,3
i∈{1,2,4} i∈{1,2,4}
I Tantamount to finding a vector of the left-kernel of the matrix over F2

formed by the exponents of the primes in the relations

Y
(a,b)∈S
I Example:
2 2 4
(a1, b1) : a1 − b1α1 = p1,1 p1,2 p1,3 a1 − b1α2 = p2,1 p2,2
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3
2
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p2,1 p2,2 p2,3


Y
(a,b)∈S
I Example:
(a1, b1) : a1 − b1α1 ≡ ( 2 1 2 ) a1 − b1α2 ≡ ( 1 4 0 )
3
(a2, b2) : a2 − b2α1 = p1,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
2 3
(a3, b3) : a3 − b3α1 = p1,1 p1,2 p1,3 a3 − b3α2 = p2,2 p2,3
2
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p2,1 p2,2 p2,3


Y
(a,b)∈S
I Example:
(a1, b1) : a1 − b1α1 ≡ ( 2 1 2 ) a1 − b1α2 ≡ ( 1 4 0 )
(a2, b2) : a2 − b2α1 ≡ ( 0 3 1 ) a2 − b2α2 ≡ ( 1 1 1 )
(a3, b3) : a3 − b3α1 ≡ ( 1 2 1 ) a3 − b3α2 ≡ ( 0 1 3 )
(a4, b4) : a4 − b4α1 ≡ ( 2 0 1 ) a4 − b4α2 ≡ ( 2 1 1 )


Y
(a,b)∈S
I Example:
(a1, b1) : a1 − b1α1 ≡ ( 0 1 0 ) a1 − b1α2 ≡ ( 1 0 0 )
(a2, b2) : a2 − b2α1 ≡ ( 0 1 1 ) a2 − b2α2 ≡ ( 1 1 1 )
(a3, b3) : a3 − b3α1 ≡ ( 1 0 1 ) a3 − b3α2 ≡ ( 0 1 1 )
(a4, b4) : a4 − b4α1 ≡ ( 0 0 1 ) a4 − b4α2 ≡ ( 0 1 1 )


Y
(a,b)∈S
I Example:
(a1, b1) : a1 − b1α1 ≡ ( 0 1 0 ) a1 − b1α2 ≡ ( 1 0 0 )
(a2, b2) : a2 − b2α1 ≡ ( 0 1 1 ) a2 − b2α2 ≡ ( 1 1 1 )
(a3, b3) : a3 − b3α1 ≡ ( 1 0 1 ) a3 − b3α2 ≡ ( 0 1 1 )
(a4, b4) : a4 − b4α1 ≡ ( 0 0 1 ) a4 − b4α2 ≡ ( 0 1 1 )
Y Y
(ai − bi α1 ) ≡ ( 0 0 0 ) (ai − bi α2 ) ≡ ( 0 0 0 )
i∈{1,2,4} i∈{1,2,4}

a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
= a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2 =

Y e Y e
p1,j1,j p2,j2,j
j j
Z/N Z
I Slight problem: no unique factorization of numbers in Z[αi ] or OQ(αi )
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
×Y
j
e
p1,j1,j = a − bα1 ∈ Z[α1]
×
Z[α2] 3 a − bα2 =
Y
j
e
p2,j2,j
Z/N Z
I However, OQ(αi ) is a Dedekind domain: unique factorization of ideals
into products of prime ideals
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
Z[α1] Z[α2]
Z/N Z
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
ha − bα1i ⊂ Z[α1] Z[α2] ⊃ ha − bα2i
Z/N Z
• Prime ideals p of Z[αi ] given by integers (p, r ) such that p is prime
and fi (r ) ≡ 0 (mod p)
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
Z/N Z
• pe ”divides” ha − bαi i iff. a − br ≡ 0 (mod p) and p e |Ni (a − bαi ),
where Ni (a − bαi ) = fi (a/b)b deg fi is called the norm of a − bαi
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
Z/N Z
• pe ”divides” ha − bαi i iff. a − br ≡ 0 (mod p) and p e |Ni (a − bαi ),
where Ni (a − bαi ) = fi (a/b)b deg fi is called the norm of a − bαi
a − bX ∈ Z[X ]
X 7→ α1 X 7→ α2
= ha − bα1i ⊂ Z[α1] Z[α2] ⊃ ha − bα2i = u2

Y e Y e
u1 p1,j1,j p2,j2,j
j j
Z/N Z
I Let’s recap!

I Let’s recap!
• Sieving domain: coprime pairs (a, b) in [−A, A]×]0, A]

I Let’s recap!
• Factor base Bi : prime ideals p = (p, r ) of Z[αi ] with p ≤ Bi

I Let’s recap!
I For each (a, b) pair in the sieving domain:

I Let’s recap!

• Compute the norms Ni (a − bαi ) = fi (a/b)b i

I Let’s recap!

• Check if Ni (a − bαi ) is Bi -smooth (all its prime factors are ≤ Bi )

I Let’s recap!

• If both norms are smooth, then (a, b) is a relation

I Let’s recap!

I We need more relations than elements of the factor bases:
#R > #B1 + #B2

Ê Relation collection (a.k.a. sieving): build set of relations R

Ë Linear algebra: find vector of left-kernel of the matrix over F2

Ë Linear algebra: find vector of left-kernel of the matrix over F2
Ì Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

that γ1(m)2 ≡ γ2(m)2 (mod N)

Ê Polynomial selection: find suitable polynomials f1 and f2
Ë Relation collection (a.k.a. sieving): build set of relations R
Ì Linear algebra: find vector of left-kernel of the matrix over F2
Í Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such


Ë Factor base generation: build factors bases B1 and B2
Ì Relation collection (a.k.a. sieving): build set of relations R
Í Linear algebra: find vector of left-kernel of the matrix over F2
Î Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such


Í Filtering: build and simplify matrix from relations
Î Linear algebra: find vector of left-kernel of the matrix over F2
Ï Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such



Ï Characters: deal with number-field-related technicalities (e.g., units)
Ð Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such



Ï Characters: deal with number-field-related technicalities (e.g., units)
Ð Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

Ñ Profit!

Back to CADO-NFS
I Each step is handled by a specific binary/script
Ê Polynomial selection polyselect/polyselect2l
Ë Factor base generation sieve/makefb
Ì Relation collection sieve/{freerel,las}
Í Filtering filter/{dup1,dup2,purge,merge,replay}
Î Linear algebra linalg/bwc/bwc.pl
Ï Characters linalg/characters
Ð Square root sqrt/sqrt

Back to CADO-NFS
I cadofactor.py: Python script to run whole factorization
→ All NFS parameters in a single parameter file
Ê Polynomial selection
scripts/cadofactor/cadofactor.py
polyselect/polyselect2l
Python script + parameter file

Back to CADO-NFS
I cadofactor.py: Python script to run whole factorization
→ All NFS parameters in a single parameter file
I factor.sh: Bash script for simple factorizations
Ê Polynomial selection
factor.sh
scripts/cadofactor/cadofactor.py
polyselect/polyselect2l
Python script + parameter file

Bash script

Let’s play!
I Requirements:
• GNU/Linux (or Mac OS X + Xcode)
• GCC 4.4 or later
• GMP 5 or later
• GNU Make and CMake 2.6.3 or later
• Python 3.2 or later
• SQLite 3, including Python bindings
• GNU Wget or cURL
• GNU Gzip
• GNU Bash

Let’s play!
I Go and download CADO-NFS 2.1.1 from

Let’s play!
I Un-tar:
$ tar xzvf cado-nfs-2.1.1.tar.gz
$ cd cado-nfs-2.1.1

Let’s play!
I Un-tar:
$ cd cado-nfs-2.1.1
I Optional: tweak build configuration (esp. for Mac OS X):

$ cp local.sh.example local.sh
$ vi local.sh

Let’s play!
I Un-tar:
$ cd cado-nfs-2.1.1
I Optional: tweak build configuration (esp. for Mac OS X):

$ cp local.sh.example local.sh
$ vi local.sh
I Build:
$ make

A toy factorization
I Let’s factor this 59-digit composite integer:
c59 = 90377629292003121684002147101760858109247336549001090677693
(you can just copy-paste it from
http://www.loria.fr/~detreyje/cado-nfs.txt)

A toy factorization
c59 = 90377629292003121684002147101760858109247336549001090677693
I Run:
$ export CADO DEBUG=1
$ mkdir /tmp/c59
$ t=/tmp/c59 ./factor.sh 903. . . 693 -t 2

A toy factorization
c59 = 90377629292003121684002147101760858109247336549001090677693
I Run:
$ export CADO DEBUG=1
$ mkdir /tmp/c59
$ t=/tmp/c59 ./factor.sh 903. . . 693 -t 2
I Get factors!
...
Info:Complete Factorization: . . .
588120598053661 260938498861057
760926063870977 773951836515617
OK

Diving into details – Polynomial selection
I Find polynomials f1 and f2 ∈ Z[X ] such that
• f1 and f2 are irreducible and coprime over Q
• they have a common root m ∈ Z/N Z:
f1(m) ≡ 0 (mod N) and f2(m) ≡ 0 (mod N)


I In practice:
• Take a linear polynomial for f2: this is called the ”rational side”
• Take a degree-d polynomial for f1, with d ∈ {4, 5, 6}: this is called
the ”algebraic side”
f1(X ) = f1,d X d + f1,d−1X d−1 + · · · + f1,1X + f1,0


I In practice:
• Take a linear polynomial for f2: this is called the ”rational side”
• Take a degree-d polynomial for f1, with d ∈ {4, 5, 6}: this is called
the ”algebraic side”
f1(X ) = f1,d X d + f1,d−1X d−1 + · · · + f1,1X + f1,0

I Look for a polynomial f1 of degree d :
• such that norms N1(a − bα1) = f1(a/b)b d are as small as possible
for pairs (a, b) in the sieving domain
• which has many roots modulo small primes
I Two main steps:
• Size optimization: find polynomials with small norm
• Root optimization: translate/rotate candidates so that they have
many roots modulo small primes

I Two main steps:
I CADO-NFS parameters (tasks.polyselect.*):
• degree: degree d of polynomial f1
• admin (0): minimum value for leading coefficient f1,d
• admax: maximum value for leading coefficient f1,d
• incr (60): force f1,d to be a multiple of this smooth number
• nrkeep: how many candidates to keep after first step

I Two main steps:
• adrange: split search interval for f1,d into ranges of this size
→ easy parallelization

I Two main steps:
• adrange: split search interval for f1,d into ranges of this size
I Best polynomial stored in:
hnamei.polyselect2.poly

Diving into details – Relation collection



I Special-q sieving:


• Fix a prime ideal q = (q, ρ) of Z[α1]


• The set of (a, b) pairs such that q divides ha − bαi i is a Euclidean
lattice of Z2


lattice of Z2
• Compute basis (u, v) of this lattice


lattice of Z2
• Enumerate lattice elements as pairs (a, b) = iu + jv with
(i, j) ∈ [−I , I ]×]0, I ]


lattice of Z2
• Enumerate lattice elements as pairs (a, b) = iu + jv with
(i, j) ∈ [−I , I ]×]0, I ]
• One independent subtask for each special-q

I Example from c59:

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)

• Sieving position: (a, b) = (−876877, 31)

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)

I Is (a, b) a relation? Factor its norms

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 170196309941450710095 · q

N2(a − bα2) = −10203782780419264

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)


• Remove small factors by sieving techniques (up to bound Bi0)
N1(a − bα1) = 170196309941450710095 · q

N2(a − bα2) = −10203782780419264

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)


N1(a − bα1) = 32 · 5 · 43 · 53 · 59 · 61 · 151 · 3053757221 · q

N2(a − bα2) = −26 · 67 · 311 · 617 · 709 · 17491

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)


• Co-factor remaining parts only if not too large
N1(a − bα1) = 32 · 5 · 43 · 53 · 59 · 61 · 151 · 3053757221 · q
N2(a − bα2) = −26 · 67 · 311 · 617 · 709 · 17491

I Example from c59:
• Polynomials:
f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2
− 4872316534587 · X − 9288039622841198
f2(X ) = 4827001309 · X − 192616011406041
• Special-q: (q, ρ) = (200003, 74941)


• Co-factor remaining parts only if not too large
N1(a − bα1) = 32 · 5 · 43 · 53 · 59 · 61 · 151 · 22447 · 136043 · q
N2(a − bα2) = −26 · 67 · 311 · 617 · 709 · 17491

I General parameters (tasks.*)

• alim / rlim: the maximum norm of sieved primes (Bi0)
• lpba / lpbr: the so-called large prime bound, in bits (log2 Bi )
• I: bounds on sieving domain


I Sieving parameters (tasks.sieve.*)

• mfba / mfbr: co-factorization threshold, in bits
• qmin: first special-q to sieve
• rels wanted: number of relations to collect


I Sieving parameters (tasks.sieve.*)

• mfba / mfbr: co-factorization threshold, in bits
• qmin: first special-q to sieve
• rels wanted: number of relations to collect
• qrange: number of special-q’s to sieve per subtask

Thank you for your attention
Happy factoring!

JDetrey Tutorial

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

JDetrey Tutorial

Enviado por

Direitos autorais:

Formatos disponíveis

ARITH 22, Lyon, France — June 25, 2015

Factoring integers with

Jérémie Detrey — Factoring integers with CADO-NFS 1 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 1 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find small- to medium-size prime factors p of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 2 / 22

I Find all prime factors of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 3 / 22

I Find all prime factors of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 3 / 22

I Find all prime factors of an integer N:

Jérémie Detrey — Factoring integers with CADO-NFS 3 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 4 / 22

• SNFS (Special Number Field Sieve)

Jérémie Detrey — Factoring integers with CADO-NFS 4 / 22

• SNFS (Special Number Field Sieve)

• (G)NFS (General Number Field Sieve)

Jérémie Detrey — Factoring integers with CADO-NFS 4 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 5 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 5 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 5 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 6 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 6 / 22

I SNFS and GNFS:

Jérémie Detrey — Factoring integers with CADO-NFS 7 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 7 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 7 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Z[α1] OQ(α2) ⊃ Z[α2]

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 8 / 22

Γ(α1) ∈ Z[α1] Z[α2] 3 Γ(α2)

γ1(α1)2 = Γ(α1) ∈ Z[α1] Z[α2] 3 Γ(α2) =? γ2(α2)2

γ1(α1)2 = Γ(α1) ∈ Z[α1] Z[α2] 3 Γ(α2) =? γ2(α2)2

Jérémie Detrey — Factoring integers with CADO-NFS 9 / 22

Jérémie Detrey — Factoring integers with CADO-NFS 9 / 22

I For all pairs of coprime integers (a, b) ∈ [−A, A]×]0, A]:

Jérémie Detrey — Factoring integers with CADO-NFS 9 / 22

I For all pairs of coprime integers (a, b) ∈ [−A, A]×]0, A]:

Jérémie Detrey — Factoring integers with CADO-NFS 9 / 22

I For all pairs of coprime integers (a, b) ∈ [−A, A]×]0, A]:

Jérémie Detrey — Factoring integers with CADO-NFS 9 / 22

I For all pairs of coprime integers (a, b) ∈ [−A, A]×]0, A]:

a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2

Jérémie Detrey — Factoring integers with CADO-NFS 9 / 22

I For all pairs of coprime integers (a, b) ∈ [−A, A]×]0, A]:

a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2