SNFS polynomial selection

For the SNFS factorization you need two polynomials with small coefficients and a common root modulo N, the number to be factored. Typically one polynomial is of degree 4, 5 or 6 (the algebraic side) and the other one is linear (the rational side).

Cyclotomic numbers

For cyclotomic numbers, there are four standard operations you can perform on the number to derive suitable polynomials:

1. Multiplying by a constant
2. Increasing or decreasing a power
3. Dividing out algebraic factors
4. halving the degree of a symmetric polynomial

1. Suppose you want to factor a number of the form ${\displaystyle a^{59}-1}$ for a given a with a quintic (a degree 5 polynomial). You can multiply N by a and get ${\displaystyle aN=a^{60}-a}$, which you can express as ${\displaystyle x^5-a}$ with root ${\displaystyle m=a^{12}}$. For example, the smallest ${\displaystyle a^{59}-1}$ number currently not completely factored is ${\displaystyle {208}^{59}-1}$, the polynomials would be ${\displaystyle x^5-208}$ on the algrebraic side and ${\displaystyle x-6557827967253220516257857536}$ on the rational side. Multiplying N by a constant increases the SNFS difficulty of the factorisation.

2. If you want to factor ${\displaystyle a^{61}-1}$, you can rewrite the power as ${\displaystyle a\cdot a^{60}}$ and get ${\displaystyle a\cdot a^{60}-1}$, or ${\displaystyle a{x}^5-1}$, again with root ${\displaystyle m=a^{12}}$. Thus, your polynomials are, for example for ${\displaystyle N={208}^{61}-1}$, ${\displaystyle 208x^5-1}$ and ${\displaystyle x-6557827967253220516257857536}$.

You can use both methods to get the exponent a multiple of the degree you want to use, choose the one that minimises the largest coefficient of the algebraic polynomial.

You can also combine both methods if the base is composite. If you want to factor, say, ${\displaystyle {10}^{113}-1}$ with a quintic, you could use ${\displaystyle 1000x^5-1}$ (difficulty 113) or ${\displaystyle x^5-100}$ (difficulty 115) by the method of 1. or 2. alone.

But you can also first multiply N by ${\displaystyle 5^2}$ to get ${\displaystyle 25N=2^{113}\cdot 5^{115}-25}$, then rewrite as ${\displaystyle 8(2^{110}{5}^{115})-25}$, or ${\displaystyle 8x^5-25}$, with root ${\displaystyle m=2^{22}\cdot 5^{23}}$ (difficulty ~114). So your polynomials are ${\displaystyle 8x^5-25}$ and ${\displaystyle x-50000000000000000000000}$. The advantage is that the largest coefficient in the algebraic poly is now only 25 instead of 100 and you still have a low difficulty.

3. If your exponent is divisible by 3, 5 or 7, you can divide out an algebraic factor and immediately get a polynomial of suitable degree and small coefficients.

• ${\displaystyle (a^{3k}-1)/(a^k-1)=a^{2k}+a^k+1}$ which can be converted to a quadratic ${\displaystyle x^2+x+1}$ with root ${\displaystyle a^k}$. However, a quadratic has too small degree, the coefficients on the rational side would become huge. Instead, if k is odd, we write ${\displaystyle a^2\cdot a^{2(k-1)}+a\cdot a^{k-1}+1}$ and can convert to a quartic in ${\displaystyle a^{(k-1)/2}}$. If you want a sextic, tweak the exponents accordingly by 2., perhaps multiplying by a power of a (as in 1.) to get small coefficients.
• ${\displaystyle (a^{5k}-1)/(a^k-1)=a^{4k}+a^{3k}+a^{2k}+a^k+1}$, which is a useable quartic in ${\displaystyle a^k}$.
• ${\displaystyle (a^{7k}-1)/(a^k-1)=a^{6k}+a^{5k}+a^{4k}+a^{3k}+a^{2k}+a^k+1}$, which is a useable sextic in ${\displaystyle a^k}$.

4. For ${\displaystyle a^{11k}-1}$ and ${\displaystyle a^{13k}-1}$ you'd get degrees 10 and 12, respectively - too large. But the resulting polynomial is symmetric: (for the sake of less typing, let ${\displaystyle b=a^k}$)

${\displaystyle (b^{11}-1)/(b-1)=b^{10}+b^9+b^8+b^7+b^6+b^5+b^4+b^3+b^2+b+1}$

We can multiply this by ${\displaystyle b^{-5}}$:

${\displaystyle b^5+b^4+b^3+b^2+b+1+b^{-1}+b^{-2}+b^{-3}+b^{-4}+b^{-5}}$

and regroup

${\displaystyle b^5+b^{-5}+b^4+b^{-4}+b^3+b^{-3}+b^2+b^{-2}+b+b^{-1}+1}$ (1)

Now we'd like to replace ${\displaystyle b^5+b^{-5}}$ by, say, ${\displaystyle (b+b^{-1}{)}^5}$, but that gives us more terms than just ${\displaystyle b^5+b^{-5}}$ due to the binomial theorem: ${\displaystyle (b+b^{-1}{)}^5=b^5+5b^3+10b+10b^{-1}+5b^{-3}+b^{-5}}$, and we have ${\displaystyle b^5+b^{-5}=(b+b^{-1}{)}^5-5b^3-10b-10b^{-1}-5b^{-3}}$.

Fortunately, those extra terms are again of the form ${\displaystyle c(b^n+b^{-n})}$ and can be combined with the other summands of (1):

${\displaystyle ((b+b^{-1}{)}^5-5b^3-10b-10b^{-1}-5b^{-3})+b^4+b^{-4}+b^3+b^{-3}+b^2+b^{-2}+b+b^{-1}+1=::(b+b^{-1}{)}^5+b^4+b^{-4}-4(b^3+b^{-3})+b^2+b^{-2}-9(b+b^{-1})+1}$

Handle the term ${\displaystyle b^4+b^{-4}}$ the same way, etc.

In the end, you'll have a polynomial

${\displaystyle c_5(b+b^{-1}{)}^5+c_4(b+b^{-1}{)}^4+c_3(b+b^{-1}{)}^3+c_2(b+b^{-1}{)}^2+c_1(b+b^{-1})+c_0}$.

Thus, you can use the quintic ${\displaystyle c_5{x}^5+c_4{x}^4+c_3{x}^3+c_2{x}^2+c_{1}x+c_0}$ with root ${\displaystyle b+1/b}$.

The siever input file wants the root as an integer, so you have to do a modular inversion: in Pari/GP, use Mod(b+1/b,N)

where you assigned N=(cofactor of ${\displaystyle a^{11k}-1}$), b=(value of ${\displaystyle a^k}$) before. The result will be printed as

Mod(M,N)

where the value in place of M is the desired root.

The linear poly will be ${\displaystyle x-(b+b^{-1})}$. Using ${\displaystyle x-M}$ directly is no good as M is about as large as N itself, so the linear polynomial would have a far too large coefficient. Instead, multiply the polynomial by b:

${\displaystyle g(x)=bx-(b^2+1)}$

Now the coefficients b and ${\displaystyle (b^2+1)}$ are small enough.

The method for getting the coefficients of the algebraic polynomial above shows why we should do a change of variable to ${\displaystyle b+b^{-1}}$, but it is a tedious way of actually getting the coefficients. It is easier to just set up a polynomial

${\displaystyle f(x)=a_5{x}^5+a_4{x}^4+a_3{x}^3+a_2{x}^2+a_{1}x+a_0}$,

and writing the difference

f(b+1/b)*b^5 - (b^11-1)/(b-1)

in Pari/GP (with b as a variable, not the value of ${\displaystyle a^k}$). This yields

${\displaystyle (a_5-1)b^{10}+(a_4-1)b^9+\dots +(a_4-1)b+(a_5-1)}$

and we want the difference to be zero, so we can immediately set

${\displaystyle a_5=1}$

${\displaystyle a_4=1}$

Evaluating the difference again yields

${\displaystyle (a_3+4)b^8+(a_2+3)b^7+...+(a_2+3)b^3+(a_3+4)b^2}$

so we set

${\displaystyle a_3=-4}$

${\displaystyle a_2=-3}$

Now the difference is

${\displaystyle (a_1-3)b^6+(a_0-1)b^5+(a_1-3)b^4}$

so we set

${\displaystyle a_1=3}$

${\displaystyle a_0=1}$

This produces the polynomials

${\displaystyle f(x)=x^5+x^4-4x^3-3x^2+3x+1}$

${\displaystyle g(x)=bx-(b^2+1)}$

with common root ${\displaystyle M=b+1/b(\mathrm{mod}N)}$ and ${\displaystyle b=a^k}$.

Similarly for numbers of the form ${\displaystyle a^{13k}-1}$.

See also

• SNFS polynomial generation calculator