Factoring integers with CADO-NFS
Transcript of Factoring integers with CADO-NFS
ARITH 22, Lyon, France — June 25, 2015
Factoring integers with CADO-NFS
Jérémie Detrey, CARAMEL team, LORIA
INRIA Nancy – Grand Est, France
/* */ C,A,/* */ R,a,/* */ M,E,
L,i=5,e,
d[5],Q[999 ]={0};main(N ){for(;i--;e=scanf("%" "d",d+i));for(A =*d;++i<A ;++Q[ i*i% A],R= i[Q]?R:i); for(;i --;) for(M =A;M--;N +=!M*Q [E%A ],e+= Q[(A+E*E- R*L* L%A) %A]) for(E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L)
%A,E=C%A+a --[d]);printf ("%d""\n",(e+N*N)/2
/* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);}
CARAMEL
Why factor?
▶ Cryptography:
  • Integer factorization is a (supposedly) difficult problem, but integer multiplication is not
  • E.g., basis for the security of the RSA public-key cryptosystem:
    → private key: large primes p and q
    → public key: N = p · q
  • Key length recommendations
  • Break weak instances of RSA (short keys)
▶ Number theory:
  • Cunningham tables: factorizations of $b^n \pm 1$
  • Aliquot sequences: $s_{n+1} = \Big(\sum_{d \mid s_n} d\Big) - s_n$
  • etc.
▶ For fun
Jeremie Detrey — Factoring integers with CADO-NFS 1 / 22
Factorization algorithms (I)
▶ Find small- to medium-size prime factors p of an integer N:
  • Trial division: $O(p) = O(\exp(\log p))$
    → complexity exponential in log p
  • ρ method [Pollard, 1975]: $O(\sqrt{p}) = O\big(\exp(\tfrac{1}{2}\log p)\big)$
  • p − 1 [Pollard, 1974] and p + 1 [Williams, 1982]
  • ECM (Elliptic Curve Method) [Lenstra, 1987]: $O\big(\exp(\sqrt{2 \log p \,\log\log p})\big)$
    → subexponential complexity!
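Added example (mine; not from the talk and not CADO-NFS code): the "small factor" methods of this slide in plain Python, trial division, Pollard's p − 1 (stage 1 only) and Pollard's ρ, plus a driver that escalates through them the way a factoring front-end does before falling back to a sieve. The moduli it is run on are constructed for the example: 8051 = 83 · 97 (the textbook ρ case, with x ↦ x² + 1 from x₀ = 2) and 2311 · 1000003, where 2311 − 1 = 2 · 3 · 5 · 7 · 11 is smooth so that p − 1 finds it with B1 = 100. ECM is not implemented: it is p − 1 with the multiplicative group replaced by a random elliptic-curve group, which is what lets it retry with a fresh group when one fails.

```python
# Added example: the "small factor" methods of this slide in plain Python.
# Not from the talk and not CADO-NFS code; the sample moduli used in the
# tests (8051 = 83 * 97 and 2311 * 1000003) are constructed for the example.
from math import gcd, isqrt


def primes_up_to(bound):
    """Sieve of Eratosthenes: all primes <= bound."""
    if bound < 2:
        return []
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = b"\x00" * len(range(i * i, bound + 1, i))
    return [p for p, is_prime in enumerate(sieve) if is_prime]


def trial_division(n, bound):
    """O(p) per prime: strip every prime factor p <= bound from n.
    Returns (list of factors found, remaining cofactor)."""
    factors = []
    for p in primes_up_to(bound):
        while n % p == 0:
            factors.append(p)
            n //= p
    return factors, n


def pollard_pm1(n, B1):
    """Pollard's p - 1, stage 1.  Computes a^E mod n where E is the product
    of all prime powers <= B1.  If some prime p | n has p - 1 B1-smooth then
    (p - 1) | E, so a^E = 1 (mod p) and p | gcd(a^E - 1, n).
    Returns a proper factor, or None when the gcd is 1 or n (the latter
    happens when p - 1 is smooth for *every* prime p | n: retry with a
    smaller B1 or another base)."""
    a = 2
    for q in primes_up_to(B1):
        q_pow = q
        while q_pow * q <= B1:        # largest power of q not exceeding B1
            q_pow *= q
        a = pow(a, q_pow, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


def pollard_rho(n, c=1, x0=2, max_iter=10**6):
    """Pollard's rho with Floyd cycle detection on x -> x^2 + c (mod n).
    Modulo an unknown prime p | n the sequence repeats after O(sqrt(p))
    steps, and a collision mod p (but not mod n) shows up as
    1 < gcd(x - y, n) < n.  Returns a factor or None."""
    if n % 2 == 0:
        return 2
    f = lambda v: (v * v + c) % n
    x = y = x0
    for _ in range(max_iter):
        x = f(x)            # tortoise: one step
        y = f(f(y))         # hare: two steps
        d = gcd(abs(x - y), n)
        if d == n:
            return None     # collided mod every factor at once: retry with another c
        if d > 1:
            return d
    return None


def find_small_factor(n, trial_bound=1000, B1=100):
    """Escalate the way a factoring front-end does: trial division first,
    then p - 1, then rho with a few different constants c.
    Returns one non-trivial factor of n, or None if everything gave up
    (e.g. n is prime or its factors are too large for these methods)."""
    factors, cofactor = trial_division(n, trial_bound)
    if factors:
        return factors[0]
    d = pollard_pm1(cofactor, B1)
    if d is not None:
        return d
    for c in (1, 2, 3):
        d = pollard_rho(cofactor, c=c)
        if d is not None:
            return d
    return None
```

Note the failure mode of p − 1 on 8051: both 82 = 2 · 41 and 96 = 2⁵ · 3 are 100-smooth, so a^E ≡ 1 modulo both primes, gcd(a^E − 1, n) = n, and the routine returns None; the remedy is a smaller B1 or another base, and the driver simply falls through to ρ, which splits 8051 in three iterations.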
Factorization algorithms (II)
▶ Find all prime factors of an integer N:
  • SQUFOF (SQUare FOrms Factorization) [Shanks, ca. 1975]: $O(\sqrt[4]{N}) = O\big(\exp(\tfrac{1}{4}\log N)\big)$
    → complexity exponential in log N
  • CFRAC (Continued FRACtions) [Morrison & Brillhart, 1975]: $O\big(\exp(\sqrt{2 \log N \,\log\log N})\big)$
    → subexponential complexity!
Factorization algorithms (III)
▶ Find all prime factors of an integer N:
  • QS (Quadratic Sieve) [Pomerance, 1981] and MPQS (Multiple Polynomial QS) [Silverman, 1987] in $O\big(\exp(\sqrt{\log N \,\log\log N})\big)$
  • SNFS (Special Number Field Sieve) [Lenstra, Lenstra, Manasse, & Pollard, 1990]: $O\Big(\exp\big(\sqrt[3]{32/9}\,(\log N)^{1/3} (\log\log N)^{2/3}\big)\Big)$
  • (G)NFS (General Number Field Sieve) [Buhler, Lenstra, & Pomerance, 1993]: $O\Big(\exp\big(\sqrt[3]{64/9}\,(\log N)^{1/3} (\log\log N)^{2/3}\big)\Big)$
Current factorization records
▶ ECM (small- to medium-size factors):
  • 2013: found an 83-digit factor of $7^{337} + 1$ (285 digits)
▶ SNFS (numbers of a special form):
  • 1990: factorization of $F_9 = 2^{2^9} + 1$ (155 digits) in ∼ 340 CPU-years
  • . . .
  • 2011–12: fact. of $2^{1061} - 1$ (320 digits) in ∼ 335 CPU-years
  • 2010–14: fact. of 17 numbers of the form $2^n - 1$ for 1007 ≤ n ≤ 1199 (304–361 digits) in ∼ 7500 core-years
▶ GNFS (general numbers, esp. RSA moduli):
  • 1996: fact. of RSA-130 (130 digits) in ∼ 17 CPU-years
  • . . .
  • 2007–09: fact. of RSA-768 (232 digits) in ∼ 2000 core-years
▶ Quantum computer:
  • 2012: fact. of 56153 (a whopping 5 digits!)
Free (as in free speech) factorization software
▶ p − 1, p + 1, and ECM:
  • GMP-ECM [Zimmermann et al.]: http://ecm.gforge.inria.fr/
▶ QS and MPQS:
  • YAFU [Buhrow]: http://yafu.sourceforge.net/
▶ SNFS and GNFS:
  • NFS@home [Childers]: http://escatter11.fullerton.edu/nfs/
  • Msieve [Papadopoulos]: http://www.boo.net/~jasonp/qs.html
  • CADO-NFS: http://cado-nfs.gforge.inria.fr/
CADO-NFS
▶ Mostly developed in the CARAMEL team in Nancy, France, with several regular external contributors:
  • Shi Bai (AriC team, LIP, Lyon, France)
  • Cyril Bouvier (CARAMEL)
  • Alain Filbois (Inria Nancy – Grand Est, France)
  • Pierrick Gaudry (CARAMEL)
  • Laurent Imbert (ECO team, LIRMM, Montpellier, France)
  • Alexander Kruppa (CARAMEL)
  • François Morain (GRACE team, LIX, Saclay, France)
  • Emmanuel Thomé (CARAMEL)
  • Paul Zimmermann (CARAMEL)
▶ Started in 2007, last release (2.1.1) in 2014, still under heavy development (10k commits, almost 300k lines of code)
▶ Support for integer factorization (GNFS and SNFS), but also discrete logarithm in finite fields (FFS, NFS-DL, NFS-HD)
▶ Website: http://cado-nfs.gforge.inria.fr/
The Number Field Sieve
▶ Based on Fermat's factoring method (congruence of squares):
  • Find two integers x and y such that $x^2 \equiv y^2 \pmod N$
  • With good probability, $\gcd(x \pm y, N)$ gives a non-trivial factor of N
▶ Obtain such equalities through two number fields
  • $f_1$ and $f_2 \in \mathbb{Z}[X]$ two polynomials, irreducible and coprime over $\mathbb{Q}$
  • $\alpha_i$ root of $f_i$: $\mathbb{Q}(\alpha_i)$ is an algebraic number field
  • $f_1$ and $f_2$ chosen such that they have a common root m in $\mathbb{Z}/N\mathbb{Z}$
▶ Diagram:
  • Start from $\Gamma(X) \in \mathbb{Z}[X]$ (reduced to $\mathbb{Z}[X]/(f_1(X))$ by $X \mapsto X \bmod f_1$)
  • $X \mapsto \alpha_1$: $\Gamma(\alpha_1) \in \mathbb{Z}[\alpha_1] \subset \mathcal{O}_{\mathbb{Q}(\alpha_1)}$, and we want $\gamma_1(\alpha_1)^2 \overset{?}{=} \Gamma(\alpha_1)$
  • $X \mapsto \alpha_2$: $\Gamma(\alpha_2) \in \mathbb{Z}[\alpha_2] \subset \mathcal{O}_{\mathbb{Q}(\alpha_2)}$, and we want $\Gamma(\alpha_2) \overset{?}{=} \gamma_2(\alpha_2)^2$
  • Both sides map to $\mathbb{Z}/N\mathbb{Z}$ through $\alpha_1 \mapsto m \bmod N$ and $\alpha_2 \mapsto m \bmod N$
  ⇒ $\gamma_1(m)^2 \equiv \gamma_2(m)^2 \pmod N$
The Number Field Sieve
▶ How can one find such a polynomial Γ(X)?
▶ For all pairs of coprime integers $(a, b) \in [-A, A] \times\, ]0, A]$:
  • Consider the polynomial a − bX in the diagram
  • Try to factor each $a - b\alpha_i$ into a product of primes ≤ bound $B_i$
  • Such a pair is called a relation: add (a, b) to R (set of relations)
▶ Diagram:
  • $a - bX \in \mathbb{Z}[X]$
  • $X \mapsto \alpha_1$: $a - b\alpha_1 \in \mathbb{Z}[\alpha_1]$, with $a - b\alpha_1 = \prod_j p_{1,j}^{e_{1,j}}$
  • $X \mapsto \alpha_2$: $a - b\alpha_2 \in \mathbb{Z}[\alpha_2]$, with $a - b\alpha_2 = \prod_j p_{2,j}^{e_{2,j}}$
  • Both sides map to $\mathbb{Z}/N\mathbb{Z}$ through $\alpha_1 \mapsto m \bmod N$ and $\alpha_2 \mapsto m \bmod N$
The Number Field Sieve
▶ Once enough relations have been collected, find a subset S ⊂ R such that $\prod_{(a,b) \in S} (a - b\alpha_i)$ is a square in $\mathbb{Z}[\alpha_i]$, for both i ∈ {1, 2}
▶ Example:
  $(a_1, b_1)$: $a_1 - b_1\alpha_1 = p_{1,1}^2\, p_{1,2}\, p_{1,3}^2$, $\quad a_1 - b_1\alpha_2 = p_{2,1}\, p_{2,2}^4$
  $(a_2, b_2)$: $a_2 - b_2\alpha_1 = p_{1,2}^3\, p_{1,3}$, $\quad a_2 - b_2\alpha_2 = p_{2,1}\, p_{2,2}\, p_{2,3}$
  $(a_3, b_3)$: $a_3 - b_3\alpha_1 = p_{1,1}\, p_{1,2}^2\, p_{1,3}$, $\quad a_3 - b_3\alpha_2 = p_{2,2}\, p_{2,3}^3$
  $(a_4, b_4)$: $a_4 - b_4\alpha_1 = p_{1,1}^2\, p_{1,3}$, $\quad a_4 - b_4\alpha_2 = p_{2,1}^2\, p_{2,2}\, p_{2,3}$
  $\prod_{i \in \{1,2,4\}} (a_i - b_i\alpha_1) = p_{1,1}^4\, p_{1,2}^4\, p_{1,3}^4$
  $\prod_{i \in \{1,2,4\}} (a_i - b_i\alpha_2) = p_{2,1}^4\, p_{2,2}^6\, p_{2,3}^2$
▶ Tantamount to finding a vector of the left kernel of the matrix over $\mathbb{F}_2$ formed by the exponents of the primes in the relations
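Added example (mine; not from the talk and not CADO-NFS code) covering the three NFS slides above: relations become the rows of an exponent matrix, a vector of its left kernel over $\mathbb{F}_2$ selects a subset whose product has only even exponents (a square), and gcd(x − y, N) is the Fermat step. It first runs the kernel computation on the four relations of the example above and recovers the subset {1, 2, 4}. It then drives the same routine inside a one-sided stand-in for the whole pipeline, Dixon's random-squares method (relations are x with x² mod N smooth over a factor base, i.e. the rational side of the diagram with no second number field), so there is no polynomial selection, no sieving and no algebraic square root; the linear algebra has the same shape as in NFS. The moduli 8051 = 83 · 97 and 2311 · 1000003 are constructed inputs.

```python
# Added example: the combine step of the NFS slides (exponent matrix over F2,
# left kernel, square root, gcd).  Not from the talk and not CADO-NFS code.
# One-sided toy: relations are x with x^2 mod N smooth over a factor base
# (Dixon's random-squares method), so there is no sieving and no algebraic
# side; the linear algebra is the same shape as in NFS.  Inputs are constructed.
from math import gcd, isqrt
import random

# The four relations of the slide as exponent vectors over the six primes
# (p_{1,1}, p_{1,2}, p_{1,3}, p_{2,1}, p_{2,2}, p_{2,3}); one row per relation.
SLIDE10_RELATIONS = [
    [2, 1, 2, 1, 4, 0],   # (a1, b1)
    [0, 3, 1, 1, 1, 1],   # (a2, b2)
    [1, 2, 1, 0, 1, 3],   # (a3, b3)
    [2, 0, 1, 2, 1, 1],   # (a4, b4)
]


def left_kernel_gf2(matrix):
    """Basis of the left kernel over F2 of the matrix whose rows are the given
    exponent vectors.  Each result is a list of row indices whose rows sum to
    zero mod 2, i.e. a subset of relations whose product has only even
    exponents.  Rows are packed into ints (bit j = column j) and carry a
    history mask of which original rows they combine, so a row that reduces
    to zero yields a kernel vector directly (Gaussian elimination on [M | I])."""
    pivots = {}                     # leading column -> (bits, history)
    kernel = []
    for i, vec in enumerate(matrix):
        bits = sum(1 << j for j, e in enumerate(vec) if e & 1)
        hist = 1 << i
        while bits:
            col = bits.bit_length() - 1
            if col not in pivots:
                pivots[col] = (bits, hist)
                break
            pbits, phist = pivots[col]
            bits ^= pbits
            hist ^= phist
        else:                       # reduced to zero: a dependency
            kernel.append([r for r in range(len(matrix)) if hist >> r & 1])
    return kernel


def combined_exponents(matrix, subset):
    """Exponents of the product of the selected relations (all even when the
    subset is a kernel vector)."""
    return [sum(matrix[i][j] for i in subset) for j in range(len(matrix[0]))]


def smooth_exponents(v, factor_base):
    """Factor v over the factor base; None if a cofactor > 1 is left."""
    exps = []
    for p in factor_base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def dixon_factor(N, fb_bound=100, seed=1, max_tries=200_000):
    """Relation collection -> linear algebra -> square root -> gcd, one-sided.
    Returns a proper factor of N, or None if max_tries random x are used up."""
    fb = [p for p in range(2, fb_bound + 1)
          if all(p % q for q in range(2, isqrt(p) + 1))]
    rng = random.Random(seed)           # fixed seed: reproducible relation stream
    relations = []                      # (x, exponent vector of x^2 mod N)
    for _ in range(max_tries):
        x = rng.randrange(isqrt(N) + 1, N)
        exps = smooth_exponents(x * x % N, fb)
        if exps is None:
            continue
        relations.append((x, exps))
        if len(relations) <= len(fb):
            continue                    # more rows than columns => a dependency exists
        matrix = [e for _, e in relations]
        for subset in left_kernel_gf2(matrix):
            X = 1
            for i in subset:
                X = X * relations[i][0] % N
            Y = 1                       # square root of the product: halve every exponent
            for p, e in zip(fb, combined_exponents(matrix, subset)):
                Y = Y * pow(p, e // 2, N) % N
            assert (X * X - Y * Y) % N == 0     # the congruence of squares
            d = gcd(X - Y, N)
            if 1 < d < N:               # X != +-Y (mod N): a non-trivial split
                return d
    return None
```

The left-kernel routine is all that "linear algebra" means on the slide: with more relations than factor-base primes a dependency must exist, and each one gives a congruence of squares that splits N with probability about 1/2 (X ≡ ±Y mod N is the bad case, which the gcd check detects, so the loop simply moves on to the next kernel vector). In a real NFS run the matrix has millions of rows and is handled by block Wiedemann or block Lanczos rather than dense elimination, and the square root on the algebraic side is a separate, non-trivial step.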
The Number Field Sieve
I Once enough relations were collected, find subset S ⊂ R such that∏(a,b)∈S
(a − bαi) is a square in Z[αi ], for both i ∈ {1, 2}
I Example:
(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p
42,2
(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p
32,3
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}
(ai − biα1) = p41,1 p41,2 p
41,3
∏i∈{1,2,4}
(ai − biα2) = p42,1 p62,2 p
22,3
I Tantamount to finding a vector of the left-kernel of the matrix over F2
formed by the exponents of the primes in the relations
Jeremie Detrey — Factoring integers with CADO-NFS 10 / 22
The Number Field Sieve
I Once enough relations were collected, find subset S ⊂ R such that∏(a,b)∈S
(a − bαi) is a square in Z[αi ], for both i ∈ {1, 2}
I Example:
(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p
42,2
(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3
(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p
32,3
(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}
(ai − biα1) = p41,1 p41,2 p
41,3
∏i∈{1,2,4}
(ai − biα2) = p42,1 p62,2 p
22,3
I Tantamount to finding a vector of the left-kernel of the matrix over F2
formed by the exponents of the primes in the relations
Jeremie Detrey — Factoring integers with CADO-NFS 10 / 22
The Number Field Sieve
I Once enough relations were collected, find subset S ⊂ R such that ∏_{(a,b)∈S} (a − bαi) is a square in Z[αi], for both i ∈ {1, 2}
I Example, with each relation written as its vector of prime exponents (for p_{i,1}, p_{i,2}, p_{i,3}):
(a1, b1) : a1 − b1α1 ≡ ( 2 1 2 )   a1 − b1α2 ≡ ( 1 4 0 )
(a2, b2) : a2 − b2α1 ≡ ( 0 3 1 )   a2 − b2α2 ≡ ( 1 1 1 )
(a3, b3) : a3 − b3α1 ≡ ( 1 2 1 )   a3 − b3α2 ≡ ( 0 1 3 )
(a4, b4) : a4 − b4α1 ≡ ( 2 0 1 )   a4 − b4α2 ≡ ( 2 1 1 )
Reducing the exponents mod 2:
(a1, b1) : a1 − b1α1 ≡ ( 0 1 0 )   a1 − b1α2 ≡ ( 1 0 0 )
(a2, b2) : a2 − b2α1 ≡ ( 0 1 1 )   a2 − b2α2 ≡ ( 1 1 1 )
(a3, b3) : a3 − b3α1 ≡ ( 1 0 1 )   a3 − b3α2 ≡ ( 0 1 1 )
(a4, b4) : a4 − b4α1 ≡ ( 0 0 1 )   a4 − b4α2 ≡ ( 0 1 1 )
∏_{i∈{1,2,4}} (ai − biα1) ≡ ( 0 0 0 )   ∏_{i∈{1,2,4}} (ai − biα2) ≡ ( 0 0 0 )
I Tantamount to finding a vector of the left-kernel of the matrix over F2 formed by the exponents of the primes in the relations
Jeremie Detrey — Factoring integers with CADO-NFS 10 / 22
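The left-kernel computation the slide describes, as an added example (my code, not from the talk or from CADO-NFS): Gaussian elimination over F2 on the four relations above recovers S = {1, 2, 4}, and the combined exponents are then checked to be all even, i.e. both products are squares.

```python
# Added example: left kernel over F2 of the exponent matrix of a set of
# relations, i.e. the subset S of relations whose product is a square on
# both sides. Not part of the talk or of CADO-NFS; toy-sized on purpose.

# Exponent vectors of the four relations on the slide, transcribed from the
# factorizations shown there: three primes on side 1, three on side 2.
#              p1,1 p1,2 p1,3   p2,1 p2,2 p2,3
RELATIONS = [
    [2, 1, 2,   1, 4, 0],   # (a1, b1)
    [0, 3, 1,   1, 1, 1],   # (a2, b2)
    [1, 2, 1,   0, 1, 3],   # (a3, b3)
    [2, 0, 1,   2, 1, 1],   # (a4, b4)
]


def left_kernel_gf2(rows):
    """Return a basis of the left kernel over F2 of the matrix whose rows are
    the given exponent vectors: each element is a set of row indices whose
    exponent vectors sum to the zero vector modulo 2.

    Rows are packed into Python ints (bit j = exponent of prime j mod 2) and
    eliminated one at a time; a second int records which original rows were
    XORed together, so a row that reduces to zero yields a kernel vector."""
    pivots = {}          # lowest set bit -> (reduced row, combination tag)
    kernel = []
    for i, row in enumerate(rows):
        vec = 0
        for j, e in enumerate(row):
            if e & 1:
                vec |= 1 << j
        tag = 1 << i
        while vec:
            low = vec & -vec              # lowest set bit of vec
            if low not in pivots:
                pivots[low] = (vec, tag)  # new pivot: this row is independent
                break
            pvec, ptag = pivots[low]
            vec ^= pvec
            tag ^= ptag
        if vec == 0:                      # dependency found: a kernel vector
            kernel.append({k for k in range(len(rows)) if tag >> k & 1})
    return kernel


def combined_exponents(rows, subset):
    """Exponent vector of prod_{k in subset} (a_k - b_k alpha_i), both sides."""
    return [sum(rows[k][j] for k in subset) for j in range(len(rows[0]))]


def is_square_on_both_sides(rows, subset):
    """The product is a square in Z[alpha_1] and Z[alpha_2] (up to the unit and
    obstruction issues the later 'characters' step handles) iff every
    combined exponent is even."""
    return all(e % 2 == 0 for e in combined_exponents(rows, subset))


if __name__ == "__main__":
    for s in left_kernel_gf2(RELATIONS):
        print("S =", sorted(k + 1 for k in s), "->", combined_exponents(RELATIONS, s))
```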
The Number Field Sieve
I Slight problem: no unique factorization of numbers in Z[αi] or O_Q(αi)
I However, O_Q(αi) is a Dedekind domain: unique factorization of ideals into products of prime ideals
• Prime ideals p of Z[αi] given by integers (p, r) such that p is prime and fi(r) ≡ 0 (mod p)
• p^e "divides" 〈a − bαi〉 iff a − br ≡ 0 (mod p) and p^e | Ni(a − bαi), where Ni(a − bαi) = fi(a/b) b^{deg fi} is called the norm of a − bαi
Diagram on the slide: a − bX ∈ Z[X] is mapped to a − bα1 ∈ Z[α1] (X ↦ α1) and to a − bα2 ∈ Z[α2] (X ↦ α2), and both are mapped to Z/NZ (α1 ↦ m mod N, α2 ↦ m mod N). On each side the element-level factorization a − bαi = ui ∏j p_{i,j}^{e_{i,j}} is crossed out (no unique factorization of elements), whereas the ideal factorization 〈a − bαi〉 = ∏j p_{i,j}^{e_{i,j}} into prime ideals always holds.
Jeremie Detrey — Factoring integers with CADO-NFS 11 / 22
The Number Field Sieve
I Let’s recap!
• Sieving domain: coprime pairs (a, b) in [−A, A] × ]0, A]
• Factor base Bi: prime ideals p = (p, r) of Z[αi] with p ≤ Bi
I For each (a, b) pair in the sieving domain:
• Compute the norms Ni(a − bαi) = fi(a/b) b^{di}, where di = deg fi
• Check if Ni(a − bαi) is Bi-smooth (all its prime factors are ≤ Bi)
• If both norms are smooth, then (a, b) is a relation
I We need more relations than elements of the factor bases: #R > #B1 + #B2
Jeremie Detrey — Factoring integers with CADO-NFS 12 / 22
The Number Field Sieve
① Polynomial selection: find suitable polynomials f1 and f2
② Factor base generation: build factor bases B1 and B2
③ Relation collection (a.k.a. sieving): build set of relations R
④ Filtering: build and simplify matrix from relations
⑤ Linear algebra: find vector of left-kernel of the matrix over F2
⑥ Characters: deal with number-field-related technicalities (e.g., units)
⑦ Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such that γ1(m)^2 ≡ γ2(m)^2 (mod N)
⑧ Profit!
Jeremie Detrey — Factoring integers with CADO-NFS 13 / 22
Back to CADO-NFS
I Each step is handled by a specific binary/script
I cadofactor.py: Python script to run whole factorization
→ All NFS parameters in a single parameter file
I factor.sh: Bash script for simple factorizations
① Polynomial selection: polyselect/polyselect2l
② Factor base generation: sieve/makefb
③ Relation collection: sieve/{freerel,las}
④ Filtering: filter/{dup1,dup2,purge,merge,replay}
⑤ Linear algebra: linalg/bwc/bwc.pl
⑥ Characters: linalg/characters
⑦ Square root: sqrt/sqrt
(Bracket labels on the slide: "Python script + parameter file" for scripts/cadofactor/cadofactor.py, "Bash script" for factor.sh)
Jeremie Detrey — Factoring integers with CADO-NFS 14 / 22
Let’s play!
I Requirements:
• GNU/Linux (or Mac OS X + Xcode)
• GCC 4.4 or later
• GMP 5 or later
• GNU Make and CMake 2.6.3 or later
• Python 3.2 or later
• SQLite 3, including Python bindings
• GNU Wget or cURL
• GNU Gzip
• GNU Bash
Jeremie Detrey — Factoring integers with CADO-NFS 15 / 22
Let’s play!
I Go and download CADO-NFS 2.1.1 from
http://cado-nfs.gforge.inria.fr/
I Un-tar:
$ tar xzvf cado-nfs-2.1.1.tar.gz
$ cd cado-nfs-2.1.1
I Optional: tweak build configuration (esp. for Mac OS X):
$ cp local.sh.example local.sh
$ vi local.sh
I Build:
$ make
Jeremie Detrey — Factoring integers with CADO-NFS 16 / 22
A toy factorization
I Let’s factor this 59-digit composite integer:
c59 = 90377629292003121684002147101760858109247336549001090677693
(you can just copy-paste it from http://www.loria.fr/~detreyje/cado-nfs.txt)
I Run:
$ export CADO_DEBUG=1
$ mkdir /tmp/c59
$ t=/tmp/c59 ./factor.sh 903...693 -t 2
I Get factors!
...
Info:Complete Factorization: ...
588120598053661 260938498861057
760926063870977 773951836515617
OK
Jeremie Detrey — Factoring integers with CADO-NFS 17 / 22
Diving into details – Polynomial selection
I Find polynomials f1 and f2 ∈ Z[X] such that
• f1 and f2 are irreducible and coprime over Q
• they have a common root m ∈ Z/NZ: f1(m) ≡ 0 (mod N) and f2(m) ≡ 0 (mod N)
I In practice:
• Take a linear polynomial for f2: this is called the "rational side"
• Take a degree-d polynomial for f1, with d ∈ {4, 5, 6}: this is called the "algebraic side"
f1(X) = f_{1,d} X^d + f_{1,d−1} X^{d−1} + ··· + f_{1,1} X + f_{1,0}
I Look for a polynomial f1 of degree d:
• such that norms N1(a − bα1) = f1(a/b) b^d are as small as possible for pairs (a, b) in the sieving domain
• which has many roots modulo small primes
Jeremie Detrey — Factoring integers with CADO-NFS 18 / 22
Diving into details – Polynomial selection
I Two main steps:
• Size optimization: find polynomials with small norm
• Root optimization: translate/rotate candidates so that they have many roots modulo small primes
I CADO-NFS parameters (tasks.polyselect.*):
• degree: degree d of polynomial f1
• admin (0): minimum value for leading coefficient f_{1,d}
• admax: maximum value for leading coefficient f_{1,d}
• incr (60): force f_{1,d} to be a multiple of this smooth number
• nrkeep: how many candidates to keep after first step
• adrange: split search interval for f_{1,d} into ranges of this size → easy parallelization
I Best polynomial stored in: 〈name〉.polyselect2.poly
Jeremie Detrey — Factoring integers with CADO-NFS 19 / 22
Diving into details – Relation collection
I For each (a, b) pair in the sieving domain:
• Compute the norms Ni(a − bαi) = fi(a/b) b^{di}, where di = deg fi
• Check if Ni(a − bαi) is Bi-smooth (all its prime factors are ≤ Bi)
• If both norms are smooth, then (a, b) is a relation
I Special-q sieving:
• Fix a prime ideal q = (q, ρ) of Z[α1]
• The set of (a, b) pairs such that q divides 〈a − bα1〉 is a Euclidean lattice of Z^2
• Compute basis (u, v) of this lattice
• Enumerate lattice elements as pairs (a, b) = iu + jv with (i, j) ∈ [−I, I] × ]0, I]
• One independent subtask for each special-q → easy parallelization
Jeremie Detrey — Factoring integers with CADO-NFS 20 / 22
Diving into details – Relation collection
I Example from c59:
• Polynomials:
$f_1(X) = 60 X^4 + 164823 X^3 + 2561101187 X^2 - 4872316534587 X - 9288039622841198$
$f_2(X) = 4827001309 X - 192616011406041$
• Special-q: $(q, \rho) = (200003, 74941)$
• Sieving position: $(a, b) = (-876877, 31)$
I Is $(a, b)$ a relation? Factor its norms
• Remove small factors by sieving techniques (up to bound $B'_i$)
• Co-factor remaining parts only if not too large
$N_1(a - b\alpha_1) = 34039772577219966371130285$
$N_2(a - b\alpha_2) = -10203782780419264$
The special-q is known to divide the side-1 norm, so it is taken out first:
$N_1(a - b\alpha_1) = 170196309941450710095 \cdot q$
After the sieve has removed the primes below $B'_1$ and $B'_2$:
$N_1(a - b\alpha_1) = 3^2 \cdot 5 \cdot 43 \cdot 53 \cdot 59 \cdot 61 \cdot 151 \cdot 3053757221 \cdot q$
$N_2(a - b\alpha_2) = -2^6 \cdot 67 \cdot 311 \cdot 617 \cdot 709 \cdot 17491$
After co-factorization of the remaining part $3053757221 = 22447 \cdot 136043$:
$N_1(a - b\alpha_1) = 3^2 \cdot 5 \cdot 43 \cdot 53 \cdot 59 \cdot 61 \cdot 151 \cdot 22447 \cdot 136043 \cdot q$
$N_2(a - b\alpha_2) = -2^6 \cdot 67 \cdot 311 \cdot 617 \cdot 709 \cdot 17491$
Every prime that remains is at most $q$ itself, which lies below the large prime bounds, so $(a, b)$ is a relation.
Jeremie Detrey — Factoring integers with CADO-NFS 21 / 22
Diving into details – Relation collection
I General parameters (tasks.*)
• alim / rlim: the maximum norm of sieved primes (the sieve bounds $B'_i$)
• lpba / lpbr: the so-called large prime bound, in bits ($\log_2 B_i$)
• I: bounds on sieving domain
I Sieving parameters (tasks.sieve.*)
• mfba / mfbr: co-factorization threshold (maximum cofactor size), in bits
• qmin: first special-q to sieve
• rels_wanted: number of relations to collect
• qrange: number of special-q's to sieve per subtask
Jeremie Detrey — Factoring integers with CADO-NFS 22 / 22
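The special-q procedure of slide 20, the c59 numbers of slide 21 and the parameters of slide 22, carried through end to end as an added example (this is illustration code, not part of the talk and not CADO-NFS code). It builds the special-q lattice for $(q, \rho) = (200003, 74941)$, reduces its basis with plain Gauss reduction (a stand-in for whatever reduction CADO-NFS uses), recovers the $(i, j)$ coordinates of the sieving position $(-876877, 31)$, computes both norms from the two polynomials, strips the primes below the sieve bound by trial division (standing in for the sieve), and then cofactorizes with Miller-Rabin plus Pollard rho. The constants `SIEVE_BOUND`, `LPB_BITS` and `MFB_BITS` play the roles of alim/rlim, lpba/lpbr and mfba/mfbr, but their values ($2^{14}$, 18 and 36 bits) are assumptions chosen so that the intermediate stages of the slide are reproduced; they are not the talk's c59 parameters.

```python
"""Check the c59 sieving position from the slides: special-q lattice and (i, j),
both norms, sieve stage (trial division here) and cofactorization. Added example."""
from math import gcd

F1 = [-9288039622841198, -4872316534587, 2561101187, 164823, 60]  # f1, low degree first
F2 = [-192616011406041, 4827001309]                                # f2
Q, RHO, A, B = 200003, 74941, -876877, 31  # special-q (q, rho) and sieving position
SIEVE_BOUND, LPB_BITS, MFB_BITS = 1 << 14, 18, 36  # assumed alim|rlim, lpba|lpbr, mfba|mfbr

def norm(f, a, b):
    """N(a - b*alpha) = b^deg(f) * f(a/b), in exact integer arithmetic."""
    d = len(f) - 1
    return sum(c * a ** k * b ** (d - k) for k, c in enumerate(f))

def eval_mod(f, x, p):
    """f(x) mod p; rho must be a root of f1 modulo q for (q, rho) to be a prime ideal."""
    return sum(c * pow(x, k, p) for k, c in enumerate(f)) % p

def specialq_basis(q, rho):
    """Gauss-reduced basis (u, v) of {(a, b): a = rho*b mod q}, generated by (q, 0) and
    (rho, 1); b-coordinates made >= 0, u the shorter (stand-in for CADO-NFS's reduction)."""
    dot = lambda x, y: x[0] * y[0] + x[1] * y[1]
    u, v = (q, 0), (rho % q, 1)
    while True:
        if dot(u, u) < dot(v, v):
            u, v = v, u
        m = (2 * dot(u, v) + dot(v, v)) // (2 * dot(v, v))  # round(<u,v> / <v,v>)
        if m == 0:
            return tuple((-w[0], -w[1]) if w[1] < 0 else w for w in (v, u))
        u = (u[0] - m * v[0], u[1] - m * v[1])

def lattice_coords(u, v, a, b):
    """(i, j) with (a, b) = i*u + j*v, or None when (a, b) is not a lattice point."""
    det = u[0] * v[1] - u[1] * v[0]  # equals +-q
    i, ri = divmod(a * v[1] - b * v[0], det)
    j, rj = divmod(u[0] * b - u[1] * a, det)
    return (i, j) if ri == 0 and rj == 0 else None

def is_prime(n):
    """Deterministic Miller-Rabin (valid for n < 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def pollard_rho(n):
    """A non-trivial factor of an odd composite n (Floyd cycle finding)."""
    for c in range(1, 1000):
        x, y, d = 2, 2, 1
        while d == 1:
            x = (x * x + c) % n
            y = (((y * y + c) % n) ** 2 + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ArithmeticError("rho failed")

def factor_cofactor(c):
    if c == 1 or is_prime(c):
        return [] if c == 1 else [c]
    d = pollard_rho(c)
    return sorted(factor_cofactor(d) + factor_cofactor(c // d))

def factor_norm(n, known=()):
    """Sieve stage, then cofactorization: sorted primes, or None if this side rejects (a, b)."""
    n, primes = abs(n), []
    for p in list(known) + list(range(2, SIEVE_BOUND + 1)):
        while n % p == 0:                      # trial division stands in for the sieve
            primes.append(p)
            n //= p
    if set(known) - set(primes) or n.bit_length() > MFB_BITS:  # q must divide; cofactor <= 2^mfb
        return None
    rest = factor_cofactor(n)
    if any(p >= 1 << LPB_BITS for p in rest):  # a prime above the large prime bound
        return None
    return sorted(primes + rest)

def check_relation(a, b, q, rho):
    """((i, j), side-1 primes, side-2 primes) if (a, b) is a relation, else None."""
    coords = lattice_coords(*specialq_basis(q, rho), a, b)
    if coords is None or gcd(a, b) != 1 or eval_mod(F1, rho, q) != 0:
        return None
    s1, s2 = factor_norm(norm(F1, a, b), known=(q,)), factor_norm(norm(F2, a, b))
    return None if s1 is None or s2 is None else (coords, s1, s2)
```

`check_relation(A, B, Q, RHO)` returns the lattice coordinates $(i, j) = (-35, 1837)$ together with the two prime lists of the slide; `factor_norm` applied to the side-1 norm alone goes through exactly the slide's stages (the special-q comes out first, the sieve bound leaves $3053757221$ as the cofactor, and Pollard rho splits it into $22447 \cdot 136043$). The two rejection points in `factor_norm` are where mfba/mfbr and lpba/lpbr bite: a cofactor wider than the mfb threshold is never factored, and a cofactor that factors but contains a prime at or above $2^{\mathrm{lpb}}$ is discarded even though it was cheap to split.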