A Tale of Two Sieves
Carl Pomerance

Notices of the AMS, December 1996, Volume 43, Number 12

(This paper is dedicated to the memory of my friend and teacher, Paul Erdős.)

It is the best of times for the game of factoring large numbers into their prime factors. In 1970 it was barely possible to factor "hard" 20-digit numbers. In 1980, in the heyday of the Brillhart-Morrison continued fraction factoring algorithm, factoring of 50-digit numbers was becoming commonplace. In 1990 my own quadratic sieve factoring algorithm had doubled the length of the numbers that could be factored, the record having 116 digits.

By 1994 the quadratic sieve had factored the famous 129-digit RSA challenge number that had been estimated in Martin Gardner's 1976 Scientific American column to be safe for 40 quadrillion years (though other estimates around then were more modest). But the quadratic sieve is no longer the champion. It was replaced by Pollard's number field sieve in the spring of 1996, when that method successfully split a 130-digit RSA challenge number in about 15% of the time the quadratic sieve would have taken.

In this article we shall briefly meet these factorization algorithms, these two sieves, and some of the many people who helped to develop them.

In the middle part of this century, computational issues seemed to be out of fashion. In most books the problem of factoring big numbers was largely ignored, since it was considered trivial. After all, it was doable in principle, so what else was there to discuss? A few researchers ignored the fashions of the time and continued to try to find fast ways to factor. To these few it was a basic and fundamental problem, one that should not be shunted to the side.

But times change. In the last few decades we have seen the advent of accessible and fast computing power, and we have seen the rise of cryptographic systems that base their security on our supposed inability to factor quickly (and on other number theoretic problems). Today there are many people interested in factoring, recognizing it not only as a benchmark for the security of cryptographic systems, but for computing itself. In 1984 the Association for Computing Machinery presented a plaque to the Institute of Electrical and Electronics Engineers (IEEE) on the occasion of the IEEE centennial. It was inscribed with the prime factorization of the number $2^{251} - 1$ that was completed that year with the quadratic sieve. The president of the ACM made the following remarks:

    About 300 years ago the French mathematician Mersenne speculated that $2^{251} - 1$ was a composite, that is, a factorable number. About 100 years ago it was proved to be factorable, but even 20 years ago the computational load to factor the number was considered insurmountable. Indeed, using conventional machines and traditional search algorithms, the search time was estimated to be about $10^{20}$ years. The number was factored in February of this year at Sandia on a Cray computer in 32 hours, a world record. We've come a long way in computing, and to commemorate IEEE's contribution to computing we have inscribed the five factors of the Mersenne composite on a plaque. Happy Birthday, IEEE.

Factoring big numbers is a strange kind of mathematics that closely resembles the experimental sciences, where nature has the last and definitive word. If some method to factor $n$ runs for a while and ends with the statement "$d$ is a factor of $n$", then this assertion may be easily checked; that is, the integers have the last and definitive word. One can thus get by quite nicely without proving a theorem that a method works in general. But, as with the experimental sciences, both rigorous and heuristic analyses can be valuable in understanding the subject and moving it forward. And, as with the experimental sciences, there is sometimes a tension between pure and applied practitioners. It is held by some that the theoretical study of factoring is a freeloader at the table (or as Hendrik Lenstra once colorfully put it, paraphrasing Siegel, "a pig in the rose garden"), enjoying undeserved attention by vapidly giving various algorithms labels, be they "polynomial", "exponential", "random", etc., and offering little or nothing in return to those hard workers who would seriously compute. There is an element of truth to this view. But as we shall see, theory played a significant role in the development of the title's two sieves.

A Contest Problem

But let us begin at the beginning, at least my beginning. When I give talks on factoring, I often repeat an incident that happened to me long ago in high school. I was involved in a math contest, and one of the problems was to factor the number 8051. A time limit of five minutes was given. It is not that we were not allowed to use pocket calculators; they did not exist in 1960, around when this event occurred! Well, I was fairly good at arithmetic, and I was sure I could trial divide up to the square root of 8051 (about 90) in the time allowed. But on any test, especially a contest, many students try to get into the mind of the person who made it up. Surely they would not give a problem where the only reasonable approach was to try possible divisors frantically until one was found. There must be a clever alternate route to the answer. So I spent a couple of minutes looking for the clever way, but grew worried that I was wasting too much time. I then belatedly started trial division, but I had wasted too much time, and I missed the problem.

So can you find the clever way? If you wish to think about this for a moment, delay reading the next paragraph.

Fermat and Kraitchik

The trick is to write 8051 as $8100 - 49$, which is $90^2 - 7^2$, so we may use algebra, namely, factoring a difference of squares, to factor 8051. It is $83 \times 97$.

Does this always work? In fact, every odd composite can be factored as a difference of squares: just use the identity $ab = \left(\tfrac{1}{2}(a + b)\right)^2 - \left(\tfrac{1}{2}(a - b)\right)^2$. Trying to find a pair of squares which work is, in fact, a factorization method of Fermat. Just like trial division, which has some very easy cases (such as when there is a small prime factor), so too does the difference-of-squares method have easy cases. For example, if $n = ab$ where $a$ and $b$ are very close to $\sqrt{n}$, as in the case of $n = 8051$, it is easy to find the two squares. But in its worst cases, the difference-of-squares method can be far worse than trial division. It is worse in another way too. With trial division, most numbers fall into the easy case; namely, most numbers have a small factor. But with the difference-of-squares method, only a small fraction of numbers have a divisor near their square root, so the method works well on only a small fraction of possible inputs. (Though trial division allows one to begin a factorization for most inputs, finishing with a complete factorization is usually far more difficult. Most numbers resist this, even when a combination of trial division and difference-of-squares is used.)

In the 1920s Maurice Kraitchik came up with an interesting enhancement of Fermat's difference-of-squares technique, and it is this enhancement that is at the basis of most modern factoring algorithms. (The idea had roots in the work of Gauss and Seelhoff, but it was Kraitchik who brought it out of the shadows, introducing it to a new generation in a new century. For more on the early history of factoring, see [23].) Instead of trying to find integers $u$ and $v$ with $u^2 - v^2$ equal to $n$, Kraitchik reasoned that it might suffice to find $u$ and $v$ with $u^2 - v^2$ equal to a multiple of $n$, that is, $u^2 \equiv v^2 \pmod n$. Such a congruence can have uninteresting solutions, those where $u \equiv \pm v \pmod n$, and interesting solutions, where $u \not\equiv \pm v \pmod n$. In fact, if $n$ is odd and divisible by at least two different primes, then at least half of the solutions to $u^2 \equiv v^2 \pmod n$, with $uv$ coprime to $n$, are of the interesting variety. And for an interesting solution $u, v$, the greatest common factor of $u - v$ and $n$, denoted $(u - v, n)$, must be a nontrivial factor of $n$. Indeed, $n$ divides $u^2 - v^2 = (u - v)(u + v)$ but divides neither factor. So $n$ must be somehow split between $u - v$ and $u + v$. As an aside, it should be remarked that finding the greatest common divisor $(a, b)$ of two

[…]

Lehmer and R. E. Powers suggested replacing Kraitchik's function $Q(x) = x^2 - n$ with another that is derived from the continued-fraction expansion of $\sqrt{n}$.

Carl Pomerance is research professor of mathematics at the University of Georgia, Athens, GA. His e-mail address is [email protected]. Supported in part by National Science Foundation grant number DMS-9206784.
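The difference-of-squares method of the Fermat and Kraitchik section, as an added example in Python (this is not code from the article): Fermat's method returning the two factors together with the number of values of $a$ it had to try, beside a trial-division counter, so the easy case (8051, whose factors straddle $\sqrt{n}$) can be compared with a bad case. The second input, $6009 = 3 \times 2003$, is constructed here for illustration; trial division finds its factor 3 at once, while Fermat's walk has to climb all the way to $a = (3 + 2003)/2$.

```python
from math import isqrt
from typing import Optional, Tuple


def squares_from_factors(a: int, b: int) -> Tuple[int, int]:
    """The identity ab = ((a+b)/2)^2 - ((a-b)/2)^2 for two odd factors a, b.

    Returns (u, v) with u^2 - v^2 == a * b.
    """
    if a % 2 == 0 or b % 2 == 0:
        raise ValueError("both factors must be odd for the halves to be integers")
    return (a + b) // 2, abs(a - b) // 2


def fermat_factor(n: int, max_steps: Optional[int] = None):
    """Fermat's method: try a = ceil(sqrt(n)), a+1, ... until a^2 - n is a square b^2.

    Then n = (a - b)(a + b).  Returns (a - b, a + b, steps), where steps counts
    the values of a tried, or None if max_steps runs out first.  For a prime n
    the walk only ends at a = (n + 1)/2, b = (n - 1)/2, the trivial split 1 * n.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("Fermat's method needs an odd n > 1")
    a = isqrt(n)
    if a * a < n:
        a += 1
    steps = 0
    while max_steps is None or steps < max_steps:
        steps += 1
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b, steps
        a += 1
    return None


def trial_division_first_factor(n: int) -> Tuple[int, int]:
    """Smallest prime factor of n by trial division, with the number of candidates tried."""
    if n % 2 == 0:
        return 2, 1
    d, steps = 3, 1          # step 1 was the test for 2
    while d * d <= n:
        steps += 1
        if n % d == 0:
            return d, steps
        d += 2
    return n, steps          # no divisor up to sqrt(n): n is prime


if __name__ == "__main__":
    # 8051 = 83 * 97: both factors are within 7 of sqrt(8051) ~ 89.7, so Fermat
    # succeeds on the very first a = 90 (8100 - 8051 = 49 = 7^2), while trial
    # division has to test every odd candidate up to 83.
    print(fermat_factor(8051), trial_division_first_factor(8051))
    # 6009 = 3 * 2003 (constructed): trial division stops at its second candidate,
    # Fermat needs 926 values of a before reaching a = 1003, b = 1000.
    print(fermat_factor(6009), trial_division_first_factor(6009))
    print(squares_from_factors(83, 97))
```

The step counts are the whole point: the same method is one step on 8051 and nearly a thousand on a number of the same size with an unbalanced split, which is the "far worse than trial division" case in the text.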
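Kraitchik's observation, as an added example in Python (not the article's code): a routine that turns a congruence $u^2 \equiv v^2 \pmod n$ into the factor $(u - v, n)$ and reports when the solution is an uninteresting one, plus a brute-force count over all solutions with $uv$ coprime to $n$ that confirms the "at least half" claim for 8051 and for two small constructed cases, $105 = 3 \cdot 5 \cdot 7$ and the prime power $9$. The search for a nontrivial square root of 1 is a brute-force stand-in chosen here for illustration; producing such congruences efficiently is what the sieves in the rest of the article are about.

```python
from math import gcd
from typing import Optional, Tuple


def split_from_congruence(n: int, u: int, v: int) -> Optional[int]:
    """Given u^2 ≡ v^2 (mod n), return the factor (u - v, n) of n.

    Returns None when the solution is uninteresting, i.e. u ≡ ±v (mod n):
    the gcd is then 1 or n and nothing is learned about n.
    """
    if (u * u - v * v) % n != 0:
        raise ValueError("u^2 and v^2 are not congruent mod n")
    d = gcd(u - v, n)
    return d if 1 < d < n else None


def count_solutions(n: int) -> Tuple[int, int]:
    """Count pairs (u, v) in [1, n) with uv coprime to n and u^2 ≡ v^2 (mod n).

    Returns (interesting, total); the interesting pairs have u ≢ ±v (mod n).
    Brute force, so keep n in the low thousands.
    """
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    roots = {}                       # square mod n -> units having that square
    for x in units:
        roots.setdefault(x * x % n, []).append(x)
    total = interesting = 0
    for v in units:
        for u in roots[v * v % n]:
            total += 1
            if u != v and u != n - v:
                interesting += 1
    return interesting, total


def smallest_nontrivial_root_of_unity(n: int) -> Optional[int]:
    """Least u in [2, n-2] with u^2 ≡ 1 (mod n); brute force, for illustration only.

    For odd n such a u exists exactly when n has at least two distinct prime
    factors, and (u - 1, n) then splits n.
    """
    for u in range(2, n - 1):
        if u * u % n == 1:
            return u
    return None


if __name__ == "__main__":
    n = 8051
    u = smallest_nontrivial_root_of_unity(n)        # 1163, since 1163^2 = 168 * 8051 + 1
    print(u, split_from_congruence(n, u, 1), gcd(u + 1, n))   # 83 from u - 1, 97 from u + 1
    print(split_from_congruence(n, 90, 7))          # Fermat's pair is itself interesting: 83
    print(split_from_congruence(n, n - 1, 1))       # u ≡ -v (mod n): None
    for m in (8051, 105, 9):                        # 83*97, 3*5*7 and 3^2 (constructed cases)
        print(m, count_solutions(m))                # interesting/total = 1/2, 3/4, 0
```

The counts come out at exactly one half for $8051$ (two primes), three quarters for $105$ (three primes), and zero for $9$, which is why the text requires $n$ to be divisible by at least two different primes: the fraction of interesting solutions is $1 - 2/2^k$ for $k$ distinct odd prime factors.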
