sign in sign up
<<
Home , Arjen Lenstra, Carl Pomerance, Delicate prime, Quadratic sieve, Sieve of Eratosthenes, Trial division

pomerance.qxp 5/7/98 9:16 AM Page 1473

A Tale of Two Sieves

(This paper is dedicated to the memory of my friend and teacher, Paul Erdos)

t is the best of times for the game of fac- was largely ignored, since it was considered triv- toring large into their prime fac- ial. After all, it was doable in principle, so what tors. In 1970 it was barely possible to fac- else was there to discuss? A few researchers ig- tor “hard” 20-digit numbers. In 1980, in nored the fashions of the time and continued to the heyday of the Brillhart-Morrison con- try to find fast ways to factor. To these few it Itinued fraction factoring , factoring of was a basic and fundamental problem, one that 50-digit numbers was becoming commonplace. should not be shunted to the side. In 1990 my own factoring algo- But times change. In the last few decades we rithm had doubled the length of the numbers have seen the advent of accessible and fast com- that could be factored, the record having 116 dig- puting power, and we have seen the rise of cryp- its. tographic systems that base their security on our By 1994 the quadratic sieve had factored the supposed inability to factor quickly (and on famous 129-digit RSA challenge that other number theoretic problems). Today there had been estimated in Martin Gardner’s 1976 Sci- are many people interested in factoring, recog- entific American column to be safe for 40 nizing it not only as a benchmark for the secu- quadrillion years (though other estimates around rity of cryptographic systems, but for comput- then were more modest). But the quadratic sieve ing itself. In 1984 the Association for Computing is no longer the champion. It was replaced by Machinery presented a plaque to the Institute for Pollard’s number field sieve in the spring of Electrical and Electronics Engineers (IEEE) on 1996, when that method successfully split a the occasion of the IEEE centennial. It was in- 130-digit RSA challenge number in about 15% of scribed with the prime of the num- the time the quadratic sieve would have taken. ber 2251 1 that was completed that year with − In this article we shall briefly meet these fac- the quadratic sieve. The president of the ACM torization —these two sieves—and made the following remarks: some of the many people who helped to de- velop them. About 300 years ago the French In the middle part of this century, computa- mathematician Mersenne speculated tional issues seemed to be out of fashion. In most that 2251 1 was a composite, that − books the problem of factoring big numbers is, a factorable number. About 100 years ago it was proved to be fac- torable, but even 20 years ago the Carl Pomerance is research professor of computational load to factor the at the University of Georgia, Athens, GA. His e-mail ad- number was considered insur- dress is [email protected]. mountable. Indeed, using conven- Supported in part by National Science Foundation grant tional machines and traditional number DMS-9206784. search algorithms, the search time

DECEMBER 1996 NOTICES OF THE AMS 1473 pomerance.qxp 5/7/98 9:16 AM Page 1474

was estimated to be about 1020 years. I had wasted too much time, and I missed the The number was factored in Febru- problem. ary of this year at Sandia on a Cray So can you find the clever way? If you wish computer in 32 hours, a world to think about this for a moment, delay reading record. We’ve come a long way in the next paragraph. computing, and to commemorate IEEE’s contribution to computing we Fermat and Kraitchik The trick is to write 8051 as 8100 49, which have inscribed the five factors of the − is 902 72, so we may use algebra, namely, fac- Mersenne composite on a plaque. − Happy Birthday, IEEE. toring a difference of squares, to factor 8051. It is 83 97. Factoring big numbers is a strange kind of Does× this always work? In fact, every odd mathematics that closely resembles the experi- composite can be factored as a difference of 2 mental sciences, where nature has the last and squares: just use the identity ab = 1 (a + b) 1 2 2 definitive word. If some method to factor n runs (a b) . Trying to find a pair of squares − 2 − for awhile and ends with the statement “d is a which work is, in fact, a factorization method of factor of n”, then this assertion may be easily Fermat. Just like , which has some checked; that is, the have the last and very easy cases (such as when there is a small definitive word. One can thus get by quite nicely prime factor), so too does the difference-of- without proving a theorem that a method works squares method have easy cases. For example, in general. But, as with the experimental sci- if n = ab where a and b are very close to √n, ences, both rigorous and heuristic analyses can as in the case of n = 8051, it is easy to find the be valuable in understanding the subject and two squares. But in its worst cases, the differ- moving it forward. And, as with the experimen- ence-of-squares method can be far worse than tal sciences, there is sometimes a tension be- trial division. It is worse in another way too. tween pure and applied practitioners. It is held With trial division, most numbers fall into the by some that the theoretical study of factoring easy case; namely, most numbers have a small is a freeloader at the table (or as factor. But with the difference-of-squares once colorfully put it, paraphrasing Siegel, “a pig method, only a small fraction of numbers have in the rose garden”), enjoying undeserved at- a near their square root, so the method tention by vapidly giving various algorithms la- works well on only a small fraction of possible bels, be they “”, “exponential”, “ran- inputs. (Though trial division allows one to begin dom”, etc., and offering little or nothing in return a factorization for most inputs, finishing with a to those hard workers who would seriously com- complete factorization is usually far more dif- pute. There is an element of truth to this view. ficult. Most numbers resist this, even when a But as we shall see, theory played a significant combination of trial division and difference-of- role in the development of the title’s two sieves. squares is used.) In the 1920s Maurice Kraitchik came up with A Contest Problem an interesting enhancement of Fermat’s differ- But let us begin at the beginning, at least my be- ence-of-squares technique, and it is this en- ginning. When I give talks on factoring, I often hancement that is at the basis of most modern repeat an incident that happened to me long factoring algorithms. (The idea had roots in the ago in high school. I was involved in a math con- work of Gauss and Seelhoff, but it was Kraitchik test, and one of the problems was to factor the who brought it out of the shadows, introducing number 8051. A time limit of five minutes was it to a new generation in a new century. For given. It is not that we were not allowed to use more on the early history of factoring, see [23].) pocket calculators; they did not exist in 1960, Instead of trying to find integers u and v with around when this event occurred! Well, I was u2 v2 equal to n, Kraitchik reasoned that it − fairly good at , and I was sure I could might suffice to find u and v with u2 v2 equal − trial divide up to the square root of 8051 (about to a multiple of n, that is, u2 v2 mod n. Such ≡ 90) in the time allowed. But on any test, espe- a congruence can have uninteresting solutions, cially a contest, many students try to get into the those where u v mod n, and interesting so- ≡± mind of the person who made it up. Surely they lutions, where u v mod n. In fact, if n is odd 6≡ ± would not give a problem where the only rea- and divisible by at least two different primes, sonable approach was to try possible then at least half of the solutions to frantically until one was found. There must be u2 v2 mod n, with uv coprime to n, are of the ≡ a clever alternate route to the answer. So I spent interesting variety. And for an interesting solu- a couple of minutes looking for the clever way, tion u, v, the greatest common factor of u v − but grew worried that I was wasting too much and n, denoted (u v,n), must be a nontrivial − time. I then belatedly started trial division, but factor of n. Indeed, n divides u2 v2 = −

1474 NOTICES OF THE AMS VOLUME 43, NUMBER 12 pomerance.qxp 5/7/98 9:16 AM Page 1475

(u v)(u + v) but divides neither factor. So n Lehmer and R. E. Powers suggested replacing − must be somehow split between u v and u + v. Kraitchik’s function Q(x)=x2 n with another − − As an aside, it should be remarked that find- that is derived from the continued-fraction ex- ing the (a, b) of two pansion of √n. given numbers a and b is a very easy task. If If ai/bi is the i-th continued fraction con- 0 he can tell that the entists standing at a blackboard filled with ar- product of these four numbers is 210 34 54 72 , a square! Thus he has cane notation, and one points to a particularly × × × u2 v2 mod n, where delicate juncture and says to the other that at ≡ this point a miracle occurs. Is it a miracle that u =46 47 49 51 311 mod 2041, we were able to find the numbers 75, 168, 360, · · · ≡ v =25 32 52 7 1416 mod 2041. and 560 in Kraitchik’s sequence with product a · · · ≡ square? Why should we expect to find such a sub- He is now nearly done, since sequence, and, if it exists, how can we find it ef- 311 1416 mod 2041. Using Euclid’s algo- 6≡ ± ficiently? rithm to compute the greatest common factor A systematic strategy for finding a subse- (1416 311, 2041), he finds that this is 13, and − quence of a given sequence with product a square so 2041 = 13 157. × was found by John Brillhart and Michael Morri- Continued Fractions son, and, surprisingly, it is at heart only (see [16]). Every positive m has The essence of Kraitchik’s method is to “play” with the sequence x2 n as x runs through in- an exponent vector v(m) that is based on the − tegers near √n to find a subsequence with prod- prime factorization of m. Let pi denote the i-th vi uct a square. If the square root of this square is prime, and say m = pi . (The product is over v and the product of the corresponding x val- all primes, but only Qfinitely many of the expo- ues is u, then u2 v2 mod n, and there is now nents vi are nonzero.) Then v(m) is the vector ≡ a hope that this congruence is “interesting”, (v1,v2,...). For example, leaving off the infinite namely, that u v mod n. In 1931 D. H. string of zeros after the fourth place, we have 6≡ ±

DECEMBER 1996 NOTICES OF THE AMS 1475 pomerance.qxp 5/7/98 9:16 AM Page 1476

v(75) = (0, 1, 2, 0), are not negative. However, we can put an extra v(168) = (3, 1, 0, 1), coordinate in each exponent vector, one that is v(360) = (3, 2, 1, 0), 0 for positive numbers and 1 for negative num- bers. (It is as if we are including the “prime” 1 − v(560) = (4, 0, 1, 1). in the factor base.) So allowing the auxiliary For our purposes the exponent vectors give too numbers to be negative just increases the di- much information. We are interested only in mension of the problem by 1. squares, and since a positive integer m is a For example, let us consider again the num- square if and only if every entry of v(m) is even, ber 2041 and try to factor it via Kraitchik’s poly- we should be reducing exponents modulo 2. nomial, but now allowing negative values. So with Q(x)=x2 2041 and the factor base 2, 3, Since v takes products to sums, we are looking − for numbers such that the sum of their exponent and 5, we have vectors is the zero vector mod 2. The mod 2 re- Q(43) = 192 = 26 3 (1, 0, 1, 0) − − · ↔ ductions of the above exponent vectors are Q(44) = 105 − v(75) (0, 1, 0, 0) mod 2, Q(45) = 16 = 24 (1, 0, 0, 0) ≡ − − 2 ↔ v(168) (1, 1, 0, 1) mod 2, Q(46) = 75 = 3 5 (0, 0, 1, 0), ≡ · ↔ v(360) (1, 0, 1, 0) mod 2, where the first coordinates correspond to the ex- ≡ ponent on 1. So, using the smaller factor base v(560) (0, 0, 1, 1) mod 2. − ≡ of 2, 3, and 5 but allowing also negatives, we are Note that their sum is the zero vector! Thus the especially lucky, since the three vectors assem- product of 75, 168, 360, and 560 is a square. bled so far are dependent. This leads to the con- To systematize this procedure, Brillhart and gruence (43 45 46)2 ( 192)( 16) (75) mod · 2 · 2≡ − − Morrison suggest that we choose some number 2041, or 1247 480 mod 2041. This again ≡ B and look only at those numbers in the se- gives us the divisor 13 of 2041, since (1247 480, 2041) = 13. quence that completely factor over the first B − primes. So in the case above, we have B =4. As Does the final greatest common divisor step soon as B +1 such numbers have been assem- always lead to a nontrivial factorization? No it bled, we have B +1vectors in the B-dimensional does not. The reader is invited to try still another B assemblage of a square in connection with 2041. vector space F2 . By linear algebra they must be linearly dependent. But what is a linear depen- This one involves Q(x) for x =41, 45, and 49 and gives rise to the congruence dence relation over the field F2? Since the only 6012 14402 mod 2041. In our earlier termi- scalars are 0 and 1, a linear dependence relation ≡ is simply a subset sum equaling the 0-vector. And nology, this congruence is uninteresting, since 601 1440 mod 2041. And sure enough, the we have many algorithms from linear algebra ≡− greatest common divisor (601 1440, 2041) is that can help us find this dependency. − Note that we were a little lucky here, since we the quite uninteresting divisor 1. were able to find the dependency with just four Smooth Numbers and the Stirrings of vectors rather than the five vectors needed in the Complexity Theory worst case. Brillhart and Morrison call the primes With the advent of the RSA public key cryp- tosystem in the late 1970s, it became particularly p1,p2,...,pB the “factor base”. (To be more pre- important to try to predict just how hard fac- cise, they discard those primes pj for which n toring is. Not only should we know the state of is not congruent to a square, since such primes the art at present, we would like to predict just will never divide a number Q in the continued- i what it would take to factor larger numbers be- fraction method nor a number Q(x) in Kraitchik’s yond what is feasible now. In particular, it seems method.) How is B to be chosen? If it is chosen empirically that dollar for dollar computers dou- small, then we do not need to assemble too ble their speed and capacity every one and a half many numbers before we can stop. But if it is cho- to two years. Assuming this and no new factor- sen too small, the likelihood of finding a num- ing algorithms, what will be the state of the art ber in the sequence that completely factors over in ten years? the first B primes will be so minuscule that it It is to this type of question that complexity will be difficult to find even one number. Thus theory is well suited. So how then might one an- somewhere there is a happy balance, and with alyze factoring via Kraitchik’s polynomial or the factoring 2041 via Kraitchik’s method, the happy Lehmer-Powers continued fraction? Richard balance turned out to be B =4. Schroeppel, in unpublished correspondence in Some of the auxiliary numbers may be nega- the late 1970s, suggested a way. Essentially, he tive. How do we handle their exponent vectors? begins by thinking of the numbers Qi in the con- Clearly we cannot ignore the sign, since squares tinued-fraction method or the numbers Q(x) in

1476 NOTICES OF THE AMS VOLUME 43, NUMBER 12 pomerance.qxp 5/7/98 9:16 AM Page 1477

Kraitchik’s method as “random”. If you are pre- assemble the congruent squares we may be very sented with a stream of truly random numbers unlucky and only come up with uninteresting so- below a particular bound X, how long should you lutions which do not help in the factorization. expect to wait before you find some subset with Again assuming randomness, we do not expect product a square? inordinately long strings of bad luck, and this Call a number Y-smooth if it has no prime fac- heuristic again supports the conjecture. tor exceeding Y. (Thus a number which com- As mentioned, this complexity argument was pletely factors over the primes up to pB is pB- first made by Richard Schroeppel in unpublished smooth.) What is the probability that a random work in the late 1970s. (He assumed the result positive integer up to X is Y-smooth? It is mentioned above from [4], even though at that (X,Y)/[X] (X,Y)/X, where (X,Y) is the time it was not a theorem or even really a con- ≈ number of Y-smooth numbers in the interval jecture.) Armed with the tools to study com- [1,X]. Thus the expected number of random plexity, he used them during this time to come numbers that must be examined to find just up with a new method that came to be known one that is Y-smooth is the reciprocal of this as the linear sieve. It was the forerunner of the probability, namely, X/(X,Y). But we must quadratic sieve and also its inspiration. find about π(Y ) such Y-smooth numbers, where π(Y ) denotes the number of primes up to Y. So Using Complexity to Come Up With a the expected number of random numbers that Better Algorithm: The Quadratic Sieve must be examined is about π(Y )X/(X,Y). And The above complexity sketch shows a place how much work does it take to examine a num- where we might gain some improvement. It is the ber to see if it is Y-smooth? If one uses trial di- time we are taking to recognize auxiliary num- vision for this task, it takes about π(Y ) steps. bers that factor completely with the primes up So the expected number of steps is to Y = pB, that is, the Y-smooth numbers. In the 2 π(Y ) X/(X,Y). argument we assumed this is about π(Y ) steps, It is now a job for analytic to where π(Y ) is the number of primes up to Y. The choose Y as a function of X so as to minimize probability that a number is Y-smooth is, ac- 2 the expression π(Y ) X/(X,Y). In fact, in the cording to the notation above, (X,Y)/[X]. As late 1970s the tools did not quite exist to make you might expect and as is easily checked in this estimation accurately. practice, when Y is a reasonable size and X is This was remedied in a paper in 1983 (see [4]), very large, this probability is very, very small. So though preprints of this paper were around for one after the other, the auxiliary numbers pop several years before then. So what is the mini- up, and we have to invest all this time in each mum? It occurs when Y is about one, only to find out almost always that the 1 exp( 2 log X log log X) and the minimum value number is not Y-smooth and is thus a number is aboutp exp(2 log X log log X). But what are “X” that we will discard. 1 and “Y” anyway?p The number X is an estimate It occurred to me early in 1981 that one might for the typical auxiliary number the algorithm use something akin to the sieve of produces. In the continued-fraction method, X to quickly recognize the smooth values of can be taken as 2√n. With Kraitchik’s polyno- Kraitchik’s quadratic polynomial Q(x)=x2 n. 1/2+ε − mial, X is a little larger: it is n . And the num- The is the well-known de- ber Y is an estimate for pB, the largest prime in vice for finding all the primes in an initial interval the factor base. of the natural numbers. One circles the first Thus factoring n, either via the Lehmer-Pow- prime 2 and then crosses off every second num- ers continued fraction or via the Kraitchik poly- ber, namely, 4, 6, 8, etc. The next unmarked nomial, should take about exp( 2 log n log log n) number is 3. It is circled, and we then cross off steps. This is not a theorem; itp is a conjecture. every third number. And so on. After reaching The conjecture is supported by the above heuris- the square root of the upper limit of the sieve, tic argument which assumes that the auxiliary one can stop the procedure and circle every re- numbers generated by the continued fraction of maining unmarked number. The circled numbers √n or by Kraitchik’s quadratic polynomial are are the primes; the crossed-off numbers the “random” as far as the property of being composites. Y-smooth goes. This has not been proved. In ad- It should be noted that the sieve of Eratos- dition, getting many auxiliary numbers that are thenes does more than find primes. Some Y-smooth may not be sufficient for factoring n, crossed-off numbers are crossed off many times. since each time we use linear algebra over to F2 For example, 30 is crossed off three times, as is 42, since these numbers have three prime fac- 1Actually, this is a question that has perplexed many tors. Thus we can quickly scan the array look- a student in elementary algebra, not to mention many ing for numbers that are crossed off a lot and a philosopher of mathematics. so quickly find the numbers which have many

DECEMBER 1996 NOTICES OF THE AMS 1477 pomerance.qxp 5/7/98 9:16 AM Page 1478

prime factors. And clearly there is a correlation Implementations and Enhancements between having many prime factors and having In fact, I was very lucky that the quadratic sieve all small prime factors. turned out to be a competitive algorithm. More But we can do better than have a correlation. often than not, when one invents algorithms By dividing by the prime, instead of crossing off, solely via complexity arguments and thought numbers like 30 and 42 get transformed to the experiments, the result is likely to be too awk- number 1 at the end of the sieve, since they are ward to be a competitive method. In addition, completely factored by the primes used in the even if the basic idea is sound, there well could sieve. So instead of sieving with the primes up be important enhancements waiting to be dis- to the square root of the upper bound of the covered by the people who actually try the thing sieve, say we only sieve with the primes up to out. This in fact happened with the quadratic Y. And instead of crossing a number off, we di- sieve. vide it by the prime. At the end of the sieve any The first person to try out the quadratic sieve number that has been changed to the number 1 method on a big number was Joseph Gerver (see is Y-smooth. But not every Y-smooth is caught [9]). Using the task as an opportunity to learn pro- in this sieve. For example, 60 gets divided by its gramming, he successfully factored a 47-digit num- prime factors and is changed to the number 2. ber from the Cunningham project. This project, The problem is higher powers of the primes up begun early in this century by Lt.-Col. Allan J. Cun- to Y. We can rectify this by also sieving by these ningham and H. J. Woodall, consists of factor- higher powers and dividing hits by the under- ing into primes the numbers bn 1 for b up to ± lying prime. Then the residual 1’s at the end 12 (and not a power) and n up to high numbers correspond exactly to the Y-smooth numbers in (see [3]). Gerver’s number was a factor of the interval. 3225 1. − The time for doing this is unbelievably fast Actually I had a hard time getting people to compared with trial dividing each candidate try out the quadratic sieve. Many Cunningham number to see if it is Y-smooth. If the length of project factorers seemed satisfied with the con- the interval is N, the number of steps is only tinued-fraction method, and they thought that about N log log Y, or about log log Y steps on the larger values of Kraitchik’s polynomial Q(x), average per candidate. compared with the numbers Qi in the contin- So we can quickly recognize Y-smooth num- ued-fraction method, was too great a handicap bers in an initial interval. But can we use this idea for the fledgling quadratic sieve method. But at to recognize Y-smooth values of the quadratic a conference in Winnipeg in the fall of 1982, I polynomial Q(x)=x2 n? What it takes for a convinced Gus Simmons and Tony Warnock of − sieve to work is that for each modulus m in the Sandia Laboratories to give it a try on their Cray sieve, the multiples of the number m appear in computer. regular places in the array. So take a prime p, Jim Davis and Diane Holdridge were assigned for example, and ask, For which values of x do the task of coding up the quadratic sieve on the we have Q(x) divisible by p? This is not a diffi- Sandia Cray. Not only did they succeed, but they cult problem. If n (the number being factored) quickly began setting records. And Davis found is a nonzero square modulo p, then there are two an important enhancement that mitigated the residue classes a and b mod p such that handicap mentioned above. He found a way of Q(x) 0 mod p if and only if x a or b mod switching to other quadratic after ≡ ≡ p. If n is not a square modulo p, then Q(x) is values of the first one, Q(x)=x2 n, grew un- − never divisible by p and no further computations comfortably large. Though this idea did not sub- with p need be done. stantially change the complexity estimate, it So essentially the same idea can be used, and made the method much more practical. Their we can recognize the Y-smooth values of Q(x) success not only made the cover of the Math- in about log log Y steps per candidate value. ematical Intelligencer (the volume 6, number 3 What does the complexity argument give us? cover in 1984 had on it a Cray computer and the The time to factor n is now about factorization of the number consisting of 71 exp( log n log log n); namely, the factor √2 in ones), but there was even a short article in Time the exponentp is missing. Is this a big deal? You magazine, complete with a photo of Simmons. bet. This lower complexity and other friendly fea- It was ironic that shortly before the Sandia tures of the method allowed a twofold increase team began this project, another Sandia team had in the length of the numbers that could be fac- designed and manufactured an RSA chip for tored (compared with the continued-fraction public key , whose security was method discussed above). And so was born the based on our inability to factor numbers of quadratic sieve method as a complexity argu- about 100 digits. Clearly this was not safe ment and with no numerical experiments. enough, and the chip had to be scrapped.

1478 NOTICES OF THE AMS VOLUME 43, NUMBER 12 pomerance.qxp 5/7/98 9:16 AM Page 1479

Around this time Peter Montgomery inde- pendently came up with another, slightly better way of changing polynomials, and we now use his method rather than that of Davis. One great advantage of the quadratic sieve method over the continued-fraction method is that with the quadratic sieve it is especially easy to distribute the task of factoring to many com- puters. For example, using multiple polynomi- als, each computer can be given its own set of quadratic polynomials to sieve. At first, the great- est successes of the quadratic sieve came from supercomputers, such as the Cray XMP at San- dia Laboratories. But with the proliferation of low-cost workstations and PCs and the natural way that the quadratic sieve can be distributed, the records passed on to those who organized distributed attacks on target numbers. Robert Silverman was the first to factor a number using many computers. Later, Red Al- ford and I used over 100 very primitive, non- networked PCs to factor a couple of 100-digit Photograph courtesy of the Computer Museum, Boston, MA. numbers (see [2]). But we did not set a record, because while we were tooling up, Arjen Lenstra Modern model of the Lehmer Bicycle Chain Sieve constructed and Mark Manasse [12] took the ultimate step in by Robert Canepa and currently in storage at the Computer distributing the problem. They put the quadratic Museum, 300 Congress Street, Boston, MA 02210. sieve on the Internet, soliciting computer time from people all over the world. It was via such number fields. His original idea was not for any a shared effort that the 129-digit RSA challenge large composite, but for certain “pretty” com- number was eventually factored in 1994. This posites that had the property that they were project, led by Derek Atkins, Michael Graff, Paul close to powers and had certain other nice prop- Leyland, and Lenstra, took about eight months erties as well. He illustrated the idea with a fac- 27 of real time and involved over 1017 elementary torization of the number 2 +1, the seventh Fer- steps. mat number. It is interesting that this number The quadratic sieve is ultimately a very sim- was the first major success of the continued-frac- ple algorithm, and this is one of its strengths. tion factoring method, almost twenty years ear- Due to its simplicity one might think that it lier. could be possible to design a special-purpose I must admit that at first I was not too keen computer solely dedicated to factoring big num- on Pollard’s method, since it seemed to be ap- bers. Jeff Smith and Sam Wagstaff at the Uni- plicable to only a few numbers. However, some versity of Georgia had built a special-purpose people were taking it seriously, one being Hen- processor to implement the continued-fraction drik Lenstra. He improved some details in the al- method. Dubbed the “Georgia Cracker”, it had gorithm and, along with his brother Arjen and some limited success but was overshadowed by Mark Manasse, set about using the method to fac- quadratic sieve factorizations on conventional tor several large numbers from the Cunning- computers. Smith, Randy Tuler, and I (see [21]) ham project. After a few successes (most notably thought we might build a special-purpose qua- a 138-digit number) and after Brian LaMacchia dratic sieve processor. “Quasimodo”, for Qua- and Andrew Odlyzko had made some inroads in dratic Sieve Motor, was built but never func- dealing with the large, sparse matrices that come up in the method, the Lenstras and Manasse set tioned properly. The point later became moot 29 due to the exponential spread of low-cost, high- their eyes on a real prize, 2 +1, the ninth Fer- mat number.2 Clearly it was beyond the range of quality computers. the quadratic sieve. Hendrik Lenstra’s own el- The Dawn of the Number Field Sieve liptic curve method, which he discovered early Taking his inspiration from a algorithm of Don Coppersmith, Andrew Odlyzko, 2This number had already been suggested in Pollard’s and Richard Schroeppel [6] that used quadratic original note as a worthy goal. It was known to be com- number fields, John Pollard in 1988 circulated posite—in fact, we already knew a 7-digit prime factor— a letter to several people outlining an idea of his but the remaining 148-digit cofactor was still compos- for factoring certain big numbers via algebraic ite, with no factor known.

DECEMBER 1996 NOTICES OF THE AMS 1479 pomerance.qxp 5/7/98 9:16 AM Page 1480

in 1985 and which is especially good at splitting the ring Z[α] consisting of all polynomial ex- numbers which have a relatively small prime pressions in α with integer coefficients. Since factor (say, “only” 30 or so digits) had so far not f (α)=0 and f (m) 0 mod n, by substituting ≡ been of help in factoring it. The Lenstras and the residue m mod n for each occurrence of α Manasse succeeded in getting the prime factor- we have a natural map φ from Z[α] to Z/(nZ). 9 ization of 22 +1 in the spring of 1990. This Our conditions on f, α, and m ensure that φ is sensational achievement announced to the world well defined. And not only this, φ is a ring ho- that Pollard’s number field sieve had arrived. momorphism. But what of general numbers? In the summer Suppose now that is a finite set of coprime S of 1989 I was to give a talk at the meeting of the integer pairs a, b with two properties. The h i Canadian Number Theory Association in Van- first is that the product of the algebraic integers couver. It was to be a survey talk on factoring, a αb for all pairs a, b in is a square in − h i S and I figured it would be a good idea to mention Z[α], say, γ2. The second property for is that S Pollard’s new method. On the plane on the way the product of all the numbers a mb for pairs − to the meeting I did a complexity analysis of the a, b in is a square in Z, say, v2. Since γ may h i S method as to how it would work for general be written as a polynomial expression in α, we numbers, assuming myriad technical difficul- may replace each occurrence of α with the in- ties did not exist and that it was possible to run teger m, coming up with an integer u with it for general numbers. I was astounded. The φ(γ) u mod n. Then ≡ complexity for this algorithm-that-did-not-yet- 1/3 u2 φ(γ)2 = φ(γ2)=φ (a αb) exist was of the shape exp(c(log n)   2/3 ≡ − (log log n) ). The key difference over the com- a,bY S  h i∈  plexity of the quadratic sieve was that the most = φ(a αb) important quantity in the exponent, the power − a,bY S of log n, had its exponent reduced from 1/2 to h i∈ (a mb)=v2 mod n. 1/3. If reducing the constant in the exponent had ≡ − a,b such a profound impact in passing from the And we knowh Yi∈ Swhat to do with u and v. Just as continued-fraction method to the quadratic sieve, Kraitchik showed us seventy years ago, we hope think what reducing the exponent in the expo- that we have an interesting congruence, that is, nent might accomplish. Clearly this method de- u v mod n, and if so, we take the greatest served some serious thought! common6≡ ± divisor (u v,n) to get a nontrivial I do not wish to give the impression that with factor of n. − this complexity analysis I had single-handedly Where is the set of pairs a, b supposed found a way to apply the number field sieve to to come from? For atS least the secondh i property general composites. Far from it. I merely had a is supposed to have, namely, that the prod- shrouded glimpse of exciting possibilities for the uctS of the numbers a mb is a square, it is future. That these possibilities were ever realized clear we might again use− exponent vectors and was mostly due to Joe Buhler, Hendrik Lenstra, a sieve. Here there are two variables a and b in- and others. In addition, some months earlier stead of just the one variable in Q(x) in the qua- Lenstra had done a complexity analysis for Pol- dratic sieve. So we view this as a parametrized lard’s method applied to special numbers, and family of linear polynomials. We can fix b and he too arrived at the expression exp(c(log n)1/3 let a run over an interval, then change to the next (log log n)2/3). My own analysis was based on b and repeat. some optimistic algebraic assumptions and on But is to have a second property too: for arguments about what might be expected to the sameS pairs a, b , the product of a αb is h i − hold, via averaging arguments, for a general a square in Z[α]. It was Pollard’s thought that if number. we were in the nice situation that Z[α] is the full The starting point of Pollard’s method to fac- ring of algebraic integers in Q(α), if the ring is tor n is to come up with a monic polynomial f (x) a unique factorization domain, and if we know over the integers that is irreducible and an in- a basis for the units, then we could equally well teger m such that f (m) 0 mod n. The polyno- create exponent vectors for the algebraic inte- ≡ mial should have “moderate” degree d, meaning gers a αb and essentially repeat the same al- that if n has between 100 and 200 digits, then gorithm.− To arrange for both properties of to d should be 5 or 6. For a number such as the hold simultaneously, well, this would just involveS 9 ninth , n =22 +1, it is easy to longer exponent vectors having coordinates for come up with such a polynomial. Note that all the small prime numbers, for the sign of 515 5 8n =2 +8. So let f (x)=x +8, and let a αb, for all the “small” primes in Z[α], and m =2103. for− each unit in the unit basis. Of what possible use could such a polynomial But how are we supposed to do this for a be? Let α be a complex root of f (x), and consider general number n? In fact, how do we even

1480 NOTICES OF THE AMS VOLUME 43, NUMBER 12 pomerance.qxp 5/7/98 9:16 AM Page 1481

achieve the first step of finding the polynomial uct of various algebraic integers a αb is a − f (x) and the integer m with f (m) 0 mod n? square of an algebraic integer, then so too is the ≡ And if we could find it, why should we expect corresponding product of norms a square of an that Z[α] has all of the nice properties to make integer. Note too that we know how to find a set Pollard’s plan work? of pairs a, b with the product of N(a αb) a h i − square. This could be done by using a sieve to The Number Field Sieve Evolves discover Y-smooth values of N(a αb) and then − There is at the least a very simple device to get combine them via exponent vector algebra over started, that is, to find f (x) and m. The trick is F2. to find f (x) last. First, one decides on the degree But having the product of the numbers d of f. Next, one lets m be the integer part of N(a αb) be a square, while a necessary con- n1/d . Now write n in the base m, so that − dition for the product of the a αb to be a n = md + c md 1 + + c , where the base − d 1 − 0 square, is far from sufficient. The principal rea- m “digits” −c satisfy ···0 c (2d)d, i i son for this is that the norm map takes various then the leading “digit” ≤c is 1.) The polynomial d prime ideals to the same thing in , and so the f (x) is now staring us in the face; it is Z d d 1 norm can easily be a square without the argu- x + cd 1x − + + c0. So we have a monic polynomial− f (x),··· but is it irreducible? ment being a square. For example, the two de- gree one primes in Z[i], 2+i and 2 i, have There are many strategies for factoring prim- − norm 5. Their product is 5, which has norm itive polynomials over Z into irreducible factors. 25 = 52, but (2 + i)(2 i)=5is squarefree. (Note In fact, we have the celebrated polynomial-time − algorithm of Arjen Lenstra, Hendrik Lenstra, that if we are working in the ring of all algebraic and Lászlo Lovász for factoring primitive poly- integers in Q(α), then all of the prime ideal fac- nomials in [x] (the running time is bounded by tors of a αb for a and b are Z − a fixed power of the sum of the degree and the degree one; namely, their norms are rational number of digits in the coefficients). So suppose primes.) For each prime p let Rp be the set of we are unlucky and the above procedure leads solutions to f (x) 0 mod p. When we come ≡ to a reducible polynomial f (x), say, across a pair a, b with p dividing N(a αb), h i − f (x)=g(x)h(x). Then n = f (m)=g(m)h(m), and then some prime ideal above p divides a αb. − from a result of John Brillhart, Michael Filaseta, And we can tell which one, since a/b will be con- and Andrew Odlyzko this factorization of n is gruent modulo p to one of the members of Rp, nontrivial. But our goal is to find a nontrivial fac- and this will serve to distinguish the various torization of n, so this is hardly unlucky at all! prime ideals above p. Thus we can arrange for Since almost all polynomials are irreducible, it our exponent vectors to have #Rp coordinates is much more likely that the construction will for each prime p and so keep track of the prime let us get started with the number field sieve, ideal factorization of a αb. Note that #Rp d, − ≤ and we will not be able to factor n immediately. the degree of f (x). There was still the main problem of how one So we have gotten over the principal hurdle, might get around the fact that there is no rea- but there are still many obstructions. We are son to expect the ring [α] to have any nice prop- Z supposed to be working in the ring [α], and this erties at all. By 1990 Joe Buhler, Hendrik Lenstra, Z may not be the full ring of algebraic integers. In and I had worked out the remaining difficulties fact, this ring may not be a Dedekind domain, and, incorporating a very practical idea of Len so we may not even have factorization into prime Adleman [1], which simplified some of our constructions,3 published a description of the ideals. And even if we have factorization into general number field sieve in [11]. prime ideals, the above paragraph merely as- Here is a brief summary of what we did. The sures us that the principal ideal generated by the product of the algebraic integers a αb is the norm N(a αb) (over Q ) of a αb is easily − worked out− to be bdf (a/b). This −is the homog- square of some ideal, not necessarily the square enized version of f. We define a αb to be of a principal ideal. And even if it is the square Y-smooth if N(a αb) is Y-smooth.− Since the of a principal ideal, it may not be a square of an norm is multiplicative,− it follows that if the prod- algebraic integer, because of units. (For example, the ideal generated by 9 is the square of an − 3 ideal in Z, but 9 is not a square.) And even if Though Adleman’s ideas did not change our theoret- − ical complexity estimates for the running time, the sim- the product of the numbers a αb is a square − plicities they introduced removed most remaining ob- stacles to making the method competitive in practice 4It is a theorem that if f is a monic irreducible poly- with the quadratic sieve. It is interesting that Adleman nomial over Z with a complex root α and if γ is in the himself, like most others around 1990, continued to ring of integers of Q(α), then f 0(α)γ is in Z[α]. So if think of the general number field sieve as purely a γ2 is a square in the ring of integers of Q(α), then 2 2 speculative method. f 0(α) γ is a square in Z[α].

DECEMBER 1996 NOTICES OF THE AMS 1481 pomerance.qxp 5/7/98 9:16 AM Page 1482

of an algebraic integer, how do we know it is the tity in a factorization method such as the qua- square of an element of Z[α]? dratic sieve or the number field sieve is what I The last obstruction is rather easily handled was calling “X” earlier. It is an estimate for the 2 4 by using f 0(α) as a multiplier, but the other ob- size of the auxiliary numbers that we are hop- structions seem difficult. However, there is a ing to combine into a square. Knowing X gives simple and ingenious idea of Len Adleman [1] you the complexity; it is about that in one fell swoop overcomes them all. The exp( 2 log X log log X). In the quadratic sieve point is that even though we are being faced with 1/2+ε we havep X about n . But in the number field some nasty obstructions, they form, modulo sieve, we may choose the polynomial f (x) and squares, an F2-vector space of fairly small di- the integer m in such a way that mension. So the first thought just might be to (a mb)N(a αb) (the numbers that we hope − − ignore the problem. But the dimension is not that to find smooth) is bounded by a value of X of small. Adleman suggested randomly choosing 2/3 1/3 the form exp(c0(log n) (log log n) ). Thus the some quadratic characters and using their val- number of digits of the auxiliary numbers that ues at the numbers a αb to augment the ex- − we sieve over for smooth values is about the 2/3 ponent vectors. (There is one fixed choice of the power of the number of digits of n, as opposed random quadratic characters made at the start.) to the quadratic sieve where the auxiliary num- So we are arranging for a product of numbers bers have more than half the number of digits a αb to not only be a square up to the “ob- − of n. That is why the number field sieve is struction space” but also highly likely actually asymptotically so fast in comparison. to be a square. For example, consider the above I mentioned earlier that the heuristic run- problem with 9 not being a square. If some- − ning time for the number field sieve to factor n how we cannot “see” the problem with the sign is of the form exp(c(log n)1/3(log log n)2/3), but but it sure looks like a square to us because we I did not reveal what “c” is. There are actually know that for each prime p the exponent on p three values of c depending on which version in the prime factorization of 9 is even, we − of the number field sieve is used. The “special” might still detect the problem. Here is how: Con- number field sieve, more akin to Pollard’s orig- sider a quadratic character evaluated at 9, in − inal method and well suited to factoring num- this case the Legendre symbol ( 9/p), which is 9 − bers like 22 +1which are near high powers, has 1 if 9 is a square mod p and 1 if 9 is not − − − c = (32/9)1/3 1.523. The “general” number a square mod p. Say we try this with p =7. It is ≈ field sieve is the method I sketched in this paper easy to compute this symbol, and it turns out and is for use on any odd that to be 1. So 9 is not a square mod 7, and so − − is not a power. It has c = (64/9)1/3 1.923. Fi- it cannot be a square in Z. If 9 is a square mod ≈ − nally, Don Coppersmith [5] proposed a version some prime p, however, this does not guaran- of the general number field sieve in which many tee it is a square in Z. For example, if we had tried this with 5 instead of 7, then 9 would still polynomials are used. The value of “c” for this − method is 1 (92 + 26√13)1/3 1.902 . This be looking like a square. Adleman’s idea is to 3 ≈ evaluate smooth values of a αb at the qua- stands as the champion worst-case factoring − dratic characters that were chosen and use the method asymptotically. It had been thought that linear algebra to create an element with two Coppersmith’s idea is completely impractical, but properties: its (unaugmented) exponent vector [8] considers whether the idea of using several has all even entries, and its value at each char- polynomials may have some practical merit. acter is 1. This algebraic integer is highly likely, The State of the Art in a heuristic sense, to be a square. If it is not a square, we can continue to use linear algebra over In April 1996 a large team (see [7]) finished the factorization of a 130-digit RSA challenge num- F2 to create another candidate. To be sure, there are still difficulties. One of ber using the general number field sieve. Thus these is the “square root problem”. If you have the gauntlet has finally been passed from the the prime factorizations of various rational in- quadratic sieve, which had enjoyed champion tegers and their product is a square, you can eas- status since 1983 for the largest “hard” number ily find the square root of the square via its factored. Though the real time was about the prime factorization. But in Z[α] the problem same as with the quadratic sieve factorization does not seem so transparent. Nevertheless, of the 129-digit challenge number two years ear- there are devices for solving this too, though it lier, it was estimated that the new factorization still remains as a computationally interesting took only about 15% of the computer time. This step in the algorithm. The interested reader discrepancy was due to fewer computers being should consult [15]. used on the project and some “down time” while Perhaps it is not clear why the number field code for the final stages of the algorithm was sieve is a good factoring algorithm. A key quan- being written.

1482 NOTICES OF THE AMS VOLUME 43, NUMBER 12 pomerance.qxp 5/7/98 9:16 AM Page 1483

The First Twenty Fermat Numbers

2m m known factorization of Fm =2 +1 03 15 217 3 257 4 65537 5 641 P7 · 6 274177 P14 · 7 59649589127497217 P22 · 8 1238926361552897 P62 · 9 2424833 7455602825647884208337395736200454918783366342657 P99 · · 10 45592577 6487031809 4659775785220018543264560743076778192897 P252 · · · 11 319489 974849 167988556341760475137 3560841906445833920513 P564 · · · · 12 114689 26017793 63766529 190274191361 1256132134125569 C1187 · · · · · 13 2710954639361 2663848877152141313 3603109844542291969 319546020820551643220672513 C2391 · · · · 14 C4933 15 1214251009 2327042503868417 C9840 · · 16 825753601 C19720 · 17 31065037602817 C39444 · 18 13631489 C78906 · 19 70525124609 646730219521 C157804 · ·

In the table, the notation P k means a of k decimal digits, while the notation C k means a composite number of k decimal digits for which we know no nontrivial factorization. The history of the factorization of Fermat numbers is a microcosm of the history of factoring. Fermat himself 2m knew about F0 through F4, and he conjectured that all of the remaining numbers in the sequence 2 +1are prime. However, Euler found the factorization of F5. It is not too hard to find this factorization, if one uses the result, es- m+2 sentially due to Fermat, that for p to be a prime factor of Fm it is necessary that p 1 mod 2 , when m is at least ≡ 2. Thus the prime factors of F5 are all 1 mod 128, and the first such prime, which is not a smaller Fermat number, is 641. It is via this idea that F6 was factored (by Landry in 1880) and that “small” prime factors of many other Fer- mat numbers have been found, including more than 80 beyond this table. The Fermat number F7 was the first success of the Brillhart-Morrison continued fraction factoring method. Brent and Pollard used an adaptation of Pollard’s “rho” method to factor F8. As discussed in the main article, F9 was fac- tored by the number field sieve. The Fermat numbers F10 and F11 were factored by Brent using Lenstra’s method. We know that F14,F20 and F22 are composite, but we do not know any prime factors of these numbers. That they (F 1)/2 are composite was discovered via Pepin’s criterion: Fm is prime if and only if 3 m 1 mod Fm. The smallest − ≡− Fermat number for which we do not know if it is prime or composite is F24. It is now thought by many number the- orists that every Fermat number after F4 is composite. Fermat numbers are connected with an ancient problem of Euclid: for which n is it possible to construct a regu- lar n-gon with straightedge and compass? Gauss showed that a regular n-gon is constructible if and only if n 3and the largest odd factor of n is a product of distinct, prime Fermat numbers. Gauss’s theorem, discovered at ≥the age of 19, followed him to his death: a regular 17-gon is etched on his gravestone.

So where is the crossover between the qua- much memory a computer has. The quadratic dratic sieve and the number field sieve? The an- sieve is as well, but not to such a large degree. swer to this depends somewhat on whom you There is much that was not said in this brief talk to. One thing everyone agrees on: for smaller survey. An important omission is a discussion numbers—say, less than 100 digits—the qua- of the algorithms and complexity of the linear algebra part of the quadratic sieve and the num- dratic sieve is better, and for larger numbers— ber field sieve. At the beginning we used Gauss- say, more than 130 digits—the number field ian elimination, as Brillhart and Morrison did with sieve is better. One reason a question like this the continued-fraction method. But the size of does not have an easy answer is that the issue the problem has kept increasing. Nowadays a fac- is highly dependent on fine points in the pro- tor base of size one million is in the ballpark for gramming and on the kind of computers used. record factorizations. Clearly, a linear algebra For example, as reported in [7], the performance problem that is one million by one million is not of the number field sieve is sensitive to how a trifling matter. There is interesting new work

DECEMBER 1996 NOTICES OF THE AMS 1483 pomerance.qxp 5/7/98 9:16 AM Page 1484

on this that involves adapting iterative methods 18, 19, 20]. In addition, I am currently writing a for dealing with sparse matrices over the real book with Richard Crandall, PRIMES: A compu- numbers to sparse matrices over F2. For a recent tational perspective, that should be out sometime reference, see [14]. in 1997. Several variations on the basic idea of the I hope I have been able to communicate some number field sieve show some promise. One can of the ideas and excitement behind the devel- replace the linear expression a mb used in opment of the quadratic sieve and the number − the number field sieve with bkg(a/b), where field sieve. This development saw an interplay g(x) is an irreducible polynomial over Z of de- between theoretical complexity estimates and gree k with g(m) 0 mod n. That is, we use two good programming intuition. And neither could ≡ polynomials f (x),g(x) with a common root m have gotten us to where we are now without the mod n (the original scenario has us take other. g(x)=x m). It is a subject of current research − to come up with good strategies for choosing Acknowledgments polynomials. Another variation on the usual This article is based on a lecture of the same title number field sieve is to replace the polynomial given as part of the Pitcher Lecture Series at f (x) with a family of polynomials along the lines Lehigh University, April 30–May 2, 1996. I grate- suggested by Coppersmith. For a description of fully acknowledge their support and encour- the number field sieve incorporating both of agement for the writing of this article. I also these ideas, see [8]. thank the Notices editorial staff, especially Susan The discrete logarithm problem (given a cyclic Landau, for their encouragement. I am grateful group with generator g and an element h in the to the following individuals for their critical x group, find an integer x with g = h) is also of comments: Joe Buhler, Scott Contini, Richard keen interest in cryptography. As mentioned, Crandall, Bruce Dodson, , Hen- Pollard’s original idea for the number field sieve drik Lenstra, Kevin McCurley, Andrew Odlyzko, was born out of a discrete logarithm algorithm. David Pomerance, Richard Schroeppel, John Sel- We have come full circle, since Dan Gordon, fridge, and Hugh Williams. Oliver Schirokauer, and Len Adleman have all given variations of the number field sieve that References can be used to compute discrete logarithms in [1] L. M. Adelman, Factoring numbers using singu- multiplicative groups of finite fields. For a recent lar integers, Proc. 23rd Annual ACM Sympos. The- survey, see [22]. ory of Computing (STOC), 1991, pp. 64–71. I have said nothing on the subject of primal- [2] W. R. Alford and C. Pomerance, Implementing ity testing. It is generally much easier to recog- the self initializing quadratic sieve on a distributed nize that a number is composite than to factor network, Number Theoretic and Algebraic Meth- it. When we use complicated and time-consum- ods in Computer Science, Proc. Internat. Moscow ing factorization methods on a number, we al- Conf., June–July 1993 (A. J. van der Poorten, I. Sh- ready know from other tests that it is an odd parlinski, and H. G. Zimmer, eds.), World Scien- composite and it is not a power. tific, 1995, pp. 163–174. I have given scant mention of Hendrik [3] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman, and S. S. Wagstaff Jr., Factor- Lenstra’s elliptic curve factorization method. izations of bn 1, b =2, 3, 5, 6, 7, 10, 11, 12, This algorithm is much superior to both the up to high powers± , second ed., vol. 22, Contemp. quadratic sieve and the number field sieve for Math., Amer. Math. Soc., Providence, RI, 1988. all but a thin set of composites, the so-called [4] E. R. Canfield, P. Erdös, and C. Pomerance, On “hard” numbers, for which we reserve the sieve a problem of Oppenheim concerning “Factorisa- methods. tio Numerorum”, J. Number Theory 17 (1983), There is also a rigorous side to factoring, 1–28. where researchers try to dispense with heuris- [5] D. Coppersmith, Modifications to the number field tics and prove theorems about factorization al- sieve, J. Cryptology 6 (1993), 169–180. gorithms. So far we have had much more suc- [6] D. Coppersmith, A. M. Odlyzko, and R. Schroep- cess proving theorems about probabilistic pel, Discrete logarithms in GF(p), Algorithmica methods than deterministic methods. We do not 1 (1986), 1–15. seem close to proving that various practical [7] J. Cowie, B. Dodson, R. Marije Elkenbracht- Huizing, A. K. Lenstra, P. L. Montgomery, and methods, such as the quadratic sieve and the J. Zayer, A world wide number field sieve factor- number field sieve, actually work as advertised. ing record: On to 512 bits, Advances in Cryptol- It is fortunate that the numbers we are trying to ogy—Asiacrypt ‘96, to appear. factor have not been informed of this lack of [8] M. Elkenbracht-Huizing, A multiple polynomial proof! general number field sieve, Algorithmic Number For further reading I suggest several of the ref- Theory, Second Intern. Sympos., ANTS-II, to ap- erences already mentioned and also [10, 13, 17, pear.

1484 NOTICES OF THE AMS VOLUME 43, NUMBER 12 pomerance.qxp 5/7/98 9:16 AM Page 1485

[9] J. Gerver, Factoring large numbers with a qua- dratic sieve, Math. Comp. 41 (1983), 287–294. [10] A. K. Lenstra, Integer factoring, preprint. [11] A. K. Lenstra and H. W. Lenstra Jr. (eds.), The development of the number field sieve, Lecture Notes in Math. vol. 1554, Springer-Verlag, Berlin and Heidelberg, 1993. [12] A. K. Lenstra and M. S. Manasse, Factoring by elec- tronic mail, Advances in Cryptology—Eurocrypt ‘89 (J.-J. Quisquater and J. Vandewalle, eds.), Springer-Verlag, Berlin and Heidelberg, 1990, pp. 355–371. [13] H. W. Lenstra Jr., Elliptic curves and number the- oretic algorithms, Proc. Internat. Congr. Math., Berkeley, CA, 1986, vol. 1 (A. M. Gleason, ed.), Amer. Math. Soc., Providence, RI, 1987, pp. 99–120. [14] P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Advances in Cryptology—Eurocrypt ‘95 (L. C. Guillou and J.-J. Quisquater, eds.), Springer-Verlag, Berlin and Hei- delberg, 1995, pp. 106–120. [15] ———, Square roots of products of algebraic inte- gers, Mathematics of Computation 1943–1993, Fifty Years of Computational Mathematics (W. Gautschi, ed.), Proc. Sympos. Appl. Math. vol. 48, Amer. Math. Soc., Providence, RI, 1994, pp. 567–571. [16] M. A. Morrison and J. Brillhart, A method of fac- torization and the factorization of F7, Math. Comp. 29 (1975), 183–205. [17] A. M. Odlyzko, The future of , CryptoBytes (The technical newsletter of RSA Lab- oratories) 1, no. 2 (1995), 5–12. [18] C. Pomerance (ed.), Cryptology and computa- tional number theory, Proc. Sympos. Appl. Math. vol. 42, Amer. Math. Soc., Providence, RI, 1990. [19] ———, The number field sieve, Mathematics of Computation 1943–1993, Fifty Years of Compu- tational Mathematics (W. Gautschi, ed.), Proc. Sym- pos. Appl. Math. vol. 48, Amer. Math. Soc., Prov- idence, RI, 1994, pp. 465–480. [20] ———, On the role of smooth numbers in number theoretic algorithms, Proc. Internat. Congr. Math., Zürich, Switzerland, 1994, vol. 1 (S. D. Chatterji, ed.), Birkhaüser-Verlag, Basel, 1995, pp. 411–422. [21] C. Pomerance, J. W. Smith, and R. Tuler, A pipe- line architecture for factoring large integers with the quadratic sieve algorithm, SIAM J. Comput. 17 (1988), 387–403. [22] O. Schirokauer, D. Weber, and T. Denny, Discrete logarithms: The effectiveness of the index calcu- lus method, Algorithmic Number Theory, Second Intern. Sympos., ANTS-II, to appear. [23] H. C. Williams and J. O. Shallit, Factoring inte- gers before computers, Mathematics of Compu- tation 1943–1993, Fifty Years of Computational Mathematics (W. Gautschi, ed.), Proc. Sympos. Appl. Math. 48, Amer. Math. Soc., Providence, RI, 1994, pp. 481–531.

DECEMBER 1996 NOTICES OF THE AMS 1485