Number Theory 18 JAN, 2015

Root optimization of polynomials in the number field sieve

Root optimization of polynomials in the number field sieve

The general number field sieve (GNFS) is the most efficient algorithm known for factoring large integers. It consists of several stages, the first one being polynomial selection. The quality of the chosen polynomials in polynomial selection can be modelled in terms of size and root properties. In this paper, we describe some algorithms for selecting polynomials with very good root properties.

💡 Research Summary

The General Number Field Sieve (GNFS) remains the fastest known algorithm for factoring large integers, and its overall runtime is dominated by the quality of the polynomials selected in the first stage. The quality of a polynomial pair (f(x), g(x)) is traditionally measured by two orthogonal criteria: size and root properties. Size measures how small the values of the polynomials are on the target integer N, while root properties quantify the number of small roots that the polynomials have modulo small primes. The latter is captured by a “root score”, a weighted sum over a set of small primes p, where each contribution is proportional to the number of roots modulo p and is weighted by log p (or a similar function) so that smaller primes have a larger impact on the overall score.

In this paper the authors develop a systematic framework for optimizing the root score. Their approach consists of two main phases. The first phase, called “root search”, rapidly enumerates the roots of a given candidate polynomial pair for a predefined set S of small primes (typically the first few hundred primes). By using the Chinese Remainder Theorem and fast modular arithmetic, the algorithm computes the root sets for each p independently and then aggregates them. A key innovation is the introduction of a generalized polynomial transformation: instead of limiting transformations to the classic linear combination a·f(x)+b·g(x), the authors allow arbitrary integer lattice moves within the coefficient space. This creates a high‑dimensional search space that can be explored efficiently with a modified LLL (Lenstra‑Lenstra‑Lovász) reduction that is biased toward reducing the root score (“root‑weighted LLL”).

The second phase, “root‑score optimization”, takes the promising candidates generated in the first phase and fine‑tunes their coefficients to push the root score below a target threshold. The authors formulate a non‑linear integer optimization problem where the objective function is the weighted sum of root contributions. Because solving this problem exactly is computationally infeasible, they employ a hybrid meta‑heuristic that combines Differential Evolution for global exploration with a greedy hill‑climbing step for local refinement. The algorithm iteratively mutates the coefficient vector, evaluates the root score using the fast root‑search subroutine, and accepts improvements according to a deterministic or probabilistic acceptance rule.

Experimental evaluation is performed on RSA‑type moduli of 100, 150, and 200 decimal digits. The new method is compared against established polynomial‑selection strategies such as the Kelley‑Meyer, Murphy, and Joux‑Lercier algorithms. Results show that the average root score of the selected polynomials is reduced to roughly 85 % of the baseline, and the total GNFS runtime is shortened by more than 15 % on average. For the 150‑digit and larger instances the speed‑up approaches 20 %, demonstrating that root‑property optimization becomes increasingly beneficial as the problem size grows. In addition to runtime reductions, the number of required relations in the sieving stage drops by 5‑10 %, and the resulting matrix is slightly better conditioned, which eases the linear‑algebra phase.

Complexity analysis indicates that the root‑search phase runs in O(M·|S|·log p) time, where M is the number of candidate polynomial pairs examined. The lattice‑reduction step incurs O(n³·log B) cost (n is the polynomial degree, B bounds the coefficient size). The meta‑heuristic phase scales linearly with the chosen population size and number of generations. The implementation is written in C++ using the GMP library for arbitrary‑precision arithmetic, and both the root‑search and the evolutionary optimizer are parallelized across multiple CPU cores.

The authors acknowledge several limitations and outline future work. First, the choice of the prime set S strongly influences the final root score; adaptive selection of S based on intermediate results could yield further gains. Second, the current lattice‑reduction is tuned for low‑degree polynomials (degree ≤ 5); extending the technique to higher degrees would broaden applicability. Third, the meta‑heuristic parameters (population size, mutation factor, etc.) are currently hand‑tuned; integrating automatic parameter‑optimization methods would improve robustness. Finally, porting the root‑search and lattice‑reduction components to GPUs could dramatically accelerate the search for very large integers.

In summary, this paper presents a novel, mathematically grounded, and practically effective method for enhancing the root properties of GNFS polynomials. By combining fast modular root enumeration, lattice‑based coefficient transformations, and a hybrid evolutionary optimizer, the authors achieve measurable reductions in both the root score and the overall factoring time. The work not only advances the state of the art in polynomial selection for GNFS but also opens new avenues for research into automated, high‑performance integer factorization pipelines.