Self-initializing quadratic sieve

The self-initializing quadratic sieve (SIQS) is a factorization method based on the multiple polynomial quadratic sieve (MPQS).

Introduction

Let N be the number to be factored. This number must not be a perfect power. If somehow we find two integers X and Y such that ${\displaystyle X^2\equiv Y^2(\mathrm{mod}N)}$ and ${\displaystyle X\not\equiv \pm Y(\mathrm{mod}N)}$, then ${\displaystyle gcd(X+Y,N)}$ will reveal a proper factor of N.

In order to find these values X and Y the method finds relations which have the form ${\displaystyle t^2\equiv u(\mathrm{mod}N)}$ where u is the product of small prime numbers. The set of these primes is the factor base. These relations will be found using sieving as will be explained below.

The relations found are combined using multiplications. The left hand side will always be a square because is a product of squares, so the goal is to have a square at the right hand side. A number is a square when all its prime factors appear an even number of times.

For example: let the number to factor be N = 1817 and we have found the following relations with factor base = {2, 7, 13}:

${\displaystyle {45}^2\equiv 2^4\ast 7^0\ast {13}^1}$

${\displaystyle {123}^2\equiv 2^{10}\ast 7^0\ast {13}^1}$

Both relations have non-square RHS, since the exponent of 13 is not even. But multiplying them we get:

${\displaystyle {84}^2\equiv 2^{14}\ast {13}^2}$

${\displaystyle {84}^2\equiv (2^7\ast 13{)}^2}$

Since ${\displaystyle 2^7\ast 13\equiv 1664}$ we get the factor ${\displaystyle gcd(84+1664,1817)=23}$.

Which relations have to multiplied to find a square in the RHS is a linear algebra problem.

Sieving

We will sieve in the interval [-M, +M] using several polynomials ${\displaystyle g_{a,b}(x)=(ax+b{)}^2-N}$ where ${\displaystyle b^2-n=ac}$ so ${\displaystyle g_{a,b}(x)=a(a{x}^2+bx+c)}$ with different values of ${\displaystyle a}$ and ${\displaystyle b}$. The advantage here is that we know the factorization of ${\displaystyle a}$, so the other factor is small compared to ${\displaystyle N}$, thus increasing the probability that all its prime factors are included in the factor base. Using the notation of the previous section, ${\displaystyle t^2\equiv u(\mathrm{mod}N)}$ where ${\displaystyle t=ax+b}$ and ${\displaystyle u=g_{a,b}(x)}$.

The advantage of this method versus MPQS is that once the first polynomial to sieve is generated, a lot of polynomials using the same value of the coefficient ${\displaystyle a}$ can be quickly generated using the information used for the first one. This speeds a lot the sieving.

Generating the factor base

In order to determine the factor base, we have to notice that it includes all the possible factors of ${\displaystyle g_{a,b}(x)}$. Since ${\displaystyle g_{a,b}(x)=t^2-N}$, we get that ${\displaystyle 0\equiv t^2-N}$ or ${\displaystyle t^2\equiv N}$ modulo any prime of the factor base. This means that about half of the primes cannot be in the factor base because ${\displaystyle N}$ cannot be a quadratic residue modulo that prime. Notice that the content of this paragraph does not depend on the particular values of ${\displaystyle a}$ or ${\displaystyle b}$, so the factor base can be computed at the beginning of SIQS. The upper bound for the factor base is determined from experimentation, for example:

• Factoring a 60 digit number: F = 60000
• Factoring a 70 digit number: F = 350000
• Factoring a 80 digit number: F = 900000

The next step consists in computing the modular square roots of ${\displaystyle N}$ modulo the different primes in the factor base and computing the logarithms in base 2 of the different primes rounded to the nearest integer, storing these values in the arrays ${\displaystyle \mathrm{tsqrt}}$ and ${\displaystyle \mathrm{tlog}}$.

Generating the first polynomial

Now we compute a value of ${\displaystyle a}$ as the product of several primes ${\displaystyle q_1}$, ${\displaystyle q_2}$, ${\displaystyle q_3}$, ..., ${\displaystyle q_j}$, of the factor base, such that:

• Their product is about ${\displaystyle \sqrt{2N}/M}$.
• Each factor is on the range 2000 to 4000.
• When selecting the primes of the factor base for the second and further values of the coefficient ${\displaystyle a}$, there must be at least two different primes from previous selections.

The last two considerations reduce the probability of finding duplicate relations, i.e., relations that can be deduced from the others, that would be discarded by the linear algebra operations, thus increasing the computation time.

If the factors are very large, we will run out of polynomials too quickly and we have to select another value of the coefficient ${\displaystyle a}$ which is an expensive process.

Now for each value of the index ${\displaystyle i}$ such that ${\displaystyle 1\le i\le j}$ perform the following:

• Compute ${\displaystyle \gamma =\mathrm{tsqrt}[q_i]\ast (a/q_i{)}^{-1}mod{q}_i}$ where ${\displaystyle a/q_i(\mathrm{mod}{q}_i)}$ is computed by multiplying ${\displaystyle q_1\ast q_2\ast ...\ast q_n(\mathrm{mod}{q}_i)}$ excluding ${\displaystyle q_i}$ from the factors.
• If ${\displaystyle \gamma >q_i/2}$ then replace ${\displaystyle \gamma }$ with ${\displaystyle q_i-\gamma }$.
• Let ${\displaystyle B[i]=(a/q_i)\gamma }$ using multiple precision. This means that this array holds multiple precision integers.

Let ${\displaystyle b=B[1]+B[2]+...+B[j]}$ and ${\displaystyle g_{a,b}(x)=(ax+b{)}^2-N}$. Then initialize the sieve array to zeros.

For each prime ${\displaystyle p}$ not in the list ${\displaystyle q_i}$ of factors of the coefficient ${\displaystyle a}$:

• Compute ${\displaystyle \mathrm{ainv}}$ as the inverse of ${\displaystyle a}$ modulo ${\displaystyle p}$. This can be computed using single precision, provided that ${\displaystyle p^2}$ fits in a computer word.
• For each value of the index ${\displaystyle i}$ such that ${\displaystyle 1\le i\le j}$ compute ${\displaystyle \mathrm{Bainv}2[i,p]=2B[i]\mathrm{ainv}modp}$.
• Compute the first solution as ${\displaystyle \mathrm{soln}1=\mathrm{ainv}\ast (\mathrm{tsqrt}[p]-b)modp}$ and add ${\displaystyle \mathrm{tlog}[p]}$ to all locations ${\displaystyle \mathrm{soln}1+k\ast p}$ of the sieve array.
• Compute the second solution as ${\displaystyle \mathrm{soln}2=\mathrm{ainv}\ast (-\mathrm{tsqrt}[p]-b)modp}$ and add ${\displaystyle \mathrm{tlog}[p]}$ to all locations ${\displaystyle \mathrm{soln}2+k\ast p}$ of the sieve array.

Obtaining relations

Walk through the sieve array. For each element greater than about ${\displaystyle \log (2x\sqrt{N})}$ minus a small error term (because the logarithms are rounded and we do not sieve with powers of prime numbers), perform a trial division of ${\displaystyle g_{a,b}(x)/a}$ by the elements of the factor base. If all prime factors are less than or equal to F, save the relation. If there are enough relations (generally about 5% more relations than elements of the factor base), perform the linear algebra stage. Otherwise more relations must be collected. When the sieve stage is exhausted, change polynomial.

Changing polynomial

Suppose we generated polynomial number i and we want to generate polynomial number i+1 where ${\displaystyle 1\le i\le 2^{j-1}-1}$ where j is the number of prime factors of the coefficient a. If ${\displaystyle i=2^{j-1}-1}$, go to the Generating the first polynomial subsection.

Let v be the number of bits set to zero at the right of the number 2i when written in binary.

If the bit immediately at the left of the rightmost "1" when the number i written in binary is zero, let e = 1, otherwise let e = -1.

Let ${\displaystyle b=b+e\ast B_v}$ and ${\displaystyle g_{a.b}(x)=(ax+b{)}^2-N}$.

Initialize the sieve array to zeros.

For each prime ${\displaystyle p}$ in the factor base that does not divide the coefficient ${\displaystyle a}$:

• Compute ${\displaystyle \mathrm{soln}1[p]=\mathrm{soln}1[p]+e\ast Bainv2[v,p]modp}$ and add ${\displaystyle \mathrm{tlog}[p]}$ to all locations ${\displaystyle \mathrm{soln}1+k\ast p}$ of the sieve array.
• Compute ${\displaystyle \mathrm{soln}2[p]=\mathrm{soln}2[p]+e\ast Bainv2[v,p]modp}$ and add ${\displaystyle \mathrm{tlog}[p]}$ to all locations ${\displaystyle \mathrm{soln}1+k\ast p}$ of the sieve array.

Then go to the Obtaining relations subsection.

Large prime variation

A variation that makes the sieving about twice as fast but requiring more memory, named PSIQS, consists in selecting a large prime bound (about 64 F). If after the trial division by the primes in the factor base the quotient is less than the large prime bound, we collect this partial relation in a different location than full relations (when the final quotient is 1). If the large prime found is the same than the large prime found in a previous partial relation, we can combine them:nnLet ${\displaystyle t^2\equiv u\ast p(\mathrm{mod}N)}$ and ${\displaystyle r^2\equiv v\ast p(\mathrm{mod}N)}$ be two partial relations with the same large prime ${\displaystyle p}$. Then a full relation will be:

${\displaystyle {\left(\frac{t\ast r}{p}\right)}^2\equiv u\ast v(\mathrm{mod}N)}$.

This full relation can be stored with the other full relations found. At the beginning of PSIQS the number of full relations found in this way will be small, but it increases as the algorithm progresses, and then there will be more relations found from partial relations than without large primes.

Complexity

The theoretical time and space complexity of the quadratic sieve is O(exp(sqrt(log n log log n))) where n is an integer. The constant e is usually used as the base of the logarithm.

External links

• Factoring Integers with the Self-Initializing Quadratic Sieve by Scott Contini (PDF).
• Factorization using the Elliptic Curve Method by Dario Alpern. This Web application performs PSIQS and includes source code.
• A Tale of Two Sieves by Carl Pomerance. Excellent introduction to the Quadratic Sieve and the Number Field Sieve.
• Msieve - SIQS with single and double large prime variation source code (in C language) and Windows executable by Jason Papadopoulos. This is the fastest SIQS version available.
• Quadratic_sieve
• MathWorld article on the quadratic sieve