quadratic sieve

Algorithm

To factor a number $n$ using the quadratic sieve, one seekstwo numbers $x$ and $y$ which are not congruent modulo $n$ with $x$ not congruent to $-y$ modulo $n$ buthave $x^{2}\\equiv y^{2}\\pmod{n}$ . If two such numbers are found,one can then say that $(x+y)(x-y)\\equiv 0\\pmod{n}$ . Then, $x+y$ and $x-y$ must have non-trivial factors in common with $n$ .

The quadratic sieve method of factoring depends upon being ableto create a set of numbers whose factorization can be expressedas a product of pre-chosen primes. These factorizations arerecorded as vectors of the exponents. Once enough vectors arecollected to form a set which contains a linear dependence,this linear dependence is exploited to find two squares whichare equivalent modulo $n$ .

To accomplish this, the quadratic sieve method uses a set ofprime numbers called a factor base. Then, it searches fornumbers which can be factored entirely within that factor base.If there are $k$ prime numbers in the factor base, then eachnumber which can be factored within the factor base is storedas a $k$ -dimensional vector where the $i$ -th component of thevector for $y$ gives the exponent of the $i$ -th prime from thefactor base in the factorization of $y$ . For example, if thefactor base were $\\left\\{2,3,5,7,11,13\\right\\}$ , thenthe number $y=2^{3}\\cdot 3^{2}\\cdot 11^{5}$ would be stored as thevector $\\left<3,2,0,0,5,0\\right>$ .

Once $k+1$ of these vectors have been collected, there must bea linear dependence among them. The $k+1$ vectors are takenmodulo $2$ to form vectors in $\\mathbb{Z}_{2}^{k}$ . The linear dependenceamong them is used to find a combination of the vectors whichsum up to the zero vector in $\\mathbb{Z}_{2}^{k}$ . Summing these vectorsis equivalent to multiplying the $y$ ’s to which they correspond.And, the zero vector in $\\mathbb{Z}_{2}^{k}$ signals a perfect square.

To factor $n$ , chose a factor base $\\mathbf{B}=\\left\\{p_{1},p_{2},\\ldots,p_{k}\\right\\}$ such that $2\\in\\mathbf{B}$ and for each oddprime $p_{j}$ in $\\mathbf{B}$ , $n$ is a quadratic residue of $p_{j}$ . Now,start picking $x_{i}$ near $\\sqrt{n}$ and calculate $y_{i}=x_{i}^{2}-n$ . Clearly $y_{i}\\equiv x_{i}^{2}\\pmod{n}$ . If $y_{i}$ can becompletely factored by numbers in $\\mathbf{B}$ , then it is called $\\mathbf{B}$ -smooth. If it is not $\\mathbf{B}$ -smooth, then discard $x_{i}$ and $y_{i}$ and move on to a new choice of $x_{i}$ . If it is $\\mathbf{B}$ -smooth,then store $x_{i}$ , $y_{i}$ , and the vector of its exponents forthe primes in $\\mathbf{B}$ . Also, record a copy of the exponent vectorwith each component taken modulo $2$ .

Once $k+1$ vectors have been recorded, there must be a lineardependence among them. Using the copies of the exponent vectorsthat were taken modulo $2$ , determine which ones can be addedtogether to form the zero vector. Multiply together the $x_{i}$ that correspond to those chosen vectors—call this $x$ . Also,add together the original vectors that correspond to the chosenvectors to form a new vector $\\vec{v}$ . Every component ofthis vector will be even. Divide each element of $\\vec{v}$ by $2$ . Form $y=\\prod_{i=1}^{k}p_{i}^{v_{i}}$ .

Because each $y_{i}\\equiv x_{i}^{2}\\pmod{n}$ , $x^{2}\\equiv y^{2}\\pmod{n}$ . If $x\\equiv y\\pmod{n}$ , then find some more $\\mathbf{B}$ -smoothnumbers and try again. If $x$ is not congruent to $y$ modulo $n$ , then $(x+y)$ and $(x-y)$ are factors of $n$ .

Example

Consider the number $n=16843009$ The integer nearest itssquare root is $4104$ . Given the factor base

\\mathbf{B}=\\left\\{2,3,5,7,13\\right\\}

, the first few $\\mathbf{B}$ -smooth valuesof $y_{i}=f(x_{i})=x_{i}^{2}-n$ are:

Using $x_{0}=4241$ and $x_{1}=4497$ , one obtains:

y_{0}=1143072=2^{5}\\cdot 3^{6}\\cdot 5^{0}\\cdot 7^{2}\\cdot 13^{0}

y_{1}=3380000=2^{5}\\cdot 3^{0}\\cdot 5^{4}\\cdot 7^{0}\\cdot 13^{2}

Which results in:

x=4241\\cdot 4497=19071777

y=2^{5}\\cdot 3^{3}\\cdot 5^{2}\\cdot 7^{1}\\cdot 13^{1}=1965600

From there:

\\gcd(x-y,n)=257

\\gcd(x+y,n)=65537

It may not be completely obvious why we required that $n$ be a quadratic residue of each $p_{i}$ in thefactor base $\\mathbf{B}$ . One mightintuitively think that we actually want the $p_{i}$ tobe quadratic residues of $n$ instead. But, that isnot the case.

We are trying to express $n$ as:

(x+y)(x-y)=x^{2}-y^{2}=n

where

y=\\prod_{i=1}^{k}p_{i}^{v_{i}}

Because we end up squaring $y$ , there is no reasonthat the $p_{i}$ would need to be quadratic residuesof $n$ .

So, why do we require that $n$ be a quadratic residueof each $p_{i}$ ? We can rewrite the $x^{2}-y^{2}=n$ as:

x^{2}-\\prod_{i=1}^{k}p_{i}^{2v_{i}}=n

If we take that expression modulo $p_{i}$ for any $p_{i}$ for which the corresponding $v_{i}$ is non-zero, we areleft with:

x^{2}\\equiv n\\pmod{p_{i}}

Thus, in order for $p_{i}$ to show up in a usefulsolution, $n$ must be a quadratic residue of $p_{i}$ .We would be wasting time and space to employ otherprimes in our factoring and linear combinations.