The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second-fastest method known (after the general number field sieve). It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.[1]
The algorithm attempts to set up a congruence of squares modulo n (the integer to be factorized), which often leads to a factorization of n. The algorithm works in two phases: the data collection phase, where it collects information that may lead to a congruence of squares; and the data processing phase, where it puts all the data it has collected into a matrix and solves it to obtain a congruence of squares. The data collection phase can be easily parallelized to many processors, but the data processing phase requires large amounts of memory, and is difficult to parallelize efficiently over many nodes or if the processing nodes do not each have enough memory to store the whole matrix. The block Wiedemann algorithm can be used in the case of a few systems each capable of holding the matrix.
The naive approach to finding a congruence of squares is to pick a random number, square it, divide by n and hope the least non-negative remainder is a perfect square. For example,
802\equiv441=212\pmod{5959}
The quadratic sieve is a modification of Dixon's factorization method. The general running time required for the quadratic sieve (to factor an integer n) is conjectured to be
e(1
To factorize the integer n, Fermat's method entails a search for a single number a,, such that the remainder of a2 divided by n is a square. But these a are hard to find. The quadratic sieve consists of computing the remainder of a2/n for several a, then finding a subset of these whose product is a square. This will yield a congruence of squares.
For example, consider attempting to factor the number 1649. We have:
412\equiv32,422\equiv115,432\equiv200\pmod{1649}
32,115,200
32 ⋅ 200=802
1142\equiv802\pmod{1649}.
1142-802=(114+80) ⋅ (114-80)=194 ⋅ 34=k ⋅ 1649
k
1649=\gcd(194,1649) ⋅ \gcd(34,1649)=97 ⋅ 17
So the problem has now been reduced to: given a set of integers, find a subset whose product is a square. By the fundamental theorem of arithmetic, any positive integer can be written uniquely as a product of prime powers. We do this in a vector format; for example, the prime-power factorization of 504 is 23325071, it is therefore represented by the exponent vector (3,2,0,1). Multiplying two integers then corresponds to adding their exponent vectors. A number is a square when its exponent vector is even in every coordinate. For example, the vectors (3,2,0,1) + (1,0,0,1) = (4,2,0,2), so (504)(14) is a square. Searching for a square requires knowledge only of the parity of the numbers in the vectors, so it is sufficient to compute these vectors mod 2: (1,0,0,1) + (1,0,0,1) = (0,0,0,0).So given a set of (0,1)-vectors, we need to find a subset which adds to the zero vector mod 2.
Z/2Z
To summarize, the basic quadratic sieve algorithm has these main steps:
(a+b)(a-b)\equiv0\pmodn
The remainder of this article explains details and extensions of this basic algorithm.
The quadratic sieve attempts to find pairs of integers x and y(x) (where y(x) is a function of x) satisfying a much weaker condition than x2 ≡ y2 (mod n). It selects a set of primes called the factor base, and attempts to find x such that the least absolute remainder of y(x) = x2 mod n factorizes completely over the factor base. Such y values are said to be smooth with respect to the factor base.
The factorization of a value of y(x) that splits over the factor base, together with the value of x, is known as a relation. The quadratic sieve speeds up the process of finding relations by taking x close to the square root of n. This ensures that y(x) will be smaller, and thus have a greater chance of being smooth.
y(x)=\left(\left\lceil\sqrt{n}\right\rceil+x\right)2-n\hbox{(where}x\hbox{isasmallinteger)}
y(x) ≈ 2x\left\lceil\sqrt{n}\right\rceil
This implies that y is on the order of 2x[{{radic|''n''}}]. However, it also implies that y grows linearly with x times the square root of n.
Another way to increase the chance of smoothness is by simply increasing the size of the factor base. However, it is necessary to find at least one smooth relation more than the number of primes in the factor base, to ensure the existence of a linear dependency.
Even if for some relation y(x) is not smooth, it may be possible to merge two of these partial relations to form a full one, if the two ys are products of the same prime(s) outside the factor base. [Note that this is equivalent to extending the factor base.] For example, if the factor base is and n = 91, there are partial relations:
{212\equiv71 ⋅ 11\pmod{91}}
{292\equiv21 ⋅ 11\pmod{91}}
Multiply these together:
{(21 ⋅ 29)2\equiv21 ⋅ 71 ⋅ 112\pmod{91}}
and multiply both sides by (11-1)2 modulo 91. 11-1 modulo 91 is 58, so:
(58 ⋅ 21 ⋅ 29)2\equiv21 ⋅ 71\pmod{91}
142\equiv21 ⋅ 71\pmod{91}
producing a full relation. Such a full relation (obtained by combining partial relations) is called a cycle. Sometimes, forming a cycle from two partial relations leads directly to a congruence of squares, but rarely.
f(x)=x2-n
\begin{align} f(x)&=x2-n\\ f(x+kp)&=(x+kp)2-n\\ &=x2+2xkp+(kp)2-n\\ &=f(x)+2xkp+(kp)2\equivf(x)\pmod{p} \end{align}
Thus solving f(x) ≡ 0 (mod p) for x generates a whole sequence of numbers y for which y=f(x), all of which are divisible by p. This is finding a square root modulo a prime, for which there exist efficient algorithms, such as the Shanks - Tonelli algorithm. (This is where the quadratic sieve gets its name: y is a quadratic polynomial in x, and the sieving process works like the Sieve of Eratosthenes.)
The sieve starts by setting every entry in a large array A[] of bytes to zero. For each p, solve the quadratic equation mod p to get two roots α and β, and then add an approximation to log(p) to every entry for which y(x) = 0 mod p ... that is, A[''kp'' + ''α''] and A[''kp'' + ''β'']. It is also necessary to solve the quadratic equation modulo small powers of p in order to recognise numbers divisible by small powers of a factor-base prime.
At the end of the factor base, any A[] containing a value above a threshold of roughly log(x2−n) will correspond to a value of y(x) which splits over the factor base. The information about exactly which primes divide y(x) has been lost, but it has only small factors, and there are many good algorithms for factoring a number known to have only small factors, such as trial division by small primes, SQUFOF, Pollard rho, and ECM, which are usually used in some combination.
There are many y(x) values that work, so the factorization process at the end doesn't have to be entirely reliable; often the processes misbehave on say 5% of inputs, requiring a small amount of extra sieving.
This example will demonstrate standard quadratic sieve without logarithm optimizations or prime powers. Let the number to be factored N = 15347, therefore the ceiling of the square root of N is 124. Since N is small, the basic polynomial is enough: y(x) = (x + 124)2 − 15347.
Since N is small, only four primes are necessary. The first four primes p for which 15347 has a square root mod p are 2, 17, 23, and 29 (in other words, 15347 is a quadratic residue modulo each of these primes). These primes will be the basis for sieving.
Now we construct our sieve
VX
Y(X)=(X+\lceil\sqrt{N}\rceil)2-N=(X+124)2-15347
\begin{align}V&=\begin{bmatrix}Y(0)&Y(1)&Y(2)&Y(3)&Y(4)&Y(5)& … &Y(99)\end{bmatrix}\\ &=\begin{bmatrix}29&278&529&782&1037&1294& … &34382\end{bmatrix}\end{align}
The next step is to perform the sieve. For each p in our factor base
\lbrace2,17,23,29\rbrace
Y(X)\equiv(X+\lceil\sqrt{N}\rceil)2-N\equiv0\pmod{p}
to find the entries in the array V which are divisible by p.
For
p=2
(X+124)2-15347\equiv0\pmod{2}
X\equiv\sqrt{15347}-124\equiv1\pmod{2}
Thus, starting at X=1 and incrementing by 2, each entry will be divisible by 2. Dividing each of those entries by 2 yields
V=\begin{bmatrix}29&139&529&391&1037&647& … &17191\end{bmatrix}
Similarly for the remaining primes p in
\lbrace17,23,29\rbrace
X\equiv\sqrt{15347}-124\pmod{p}
\begin{align} X&\equiv\sqrt{15347}-124&\equiv8-124&\equiv3\pmod{17}\\ &&\equiv9-124&\equiv4\pmod{17}\\ X&\equiv\sqrt{15347}-124&\equiv11-124&\equiv2\pmod{23}\\ &&\equiv12-124&\equiv3\pmod{23}\\ X&\equiv\sqrt{15347}-124&\equiv8-124&\equiv0\pmod{29}\\ &&\equiv21-124&\equiv13\pmod{29}\\ \end{align}
Each equation
X\equiva\pmod{p}
Vx
V=\begin{bmatrix}1&139&23&1&61&647& … &17191\end{bmatrix}
Any entry of V that equals 1 corresponds to a smooth number. Since
V0
V3
V71
| X + 124 | Y | factors | |
|---|---|---|---|
| 124 | 29 | 20 • 170 • 230 • 291 | |
| 127 | 782 | 21 • 171 • 231 • 290 | |
| 195 | 22678 | 21 • 171 • 231 • 291 |
Since smooth numbers Y have been found with the property
Y\equivZ2\pmod{N}
Writing the exponents of the product of a subset of the equations
\begin{align} 29&=20 ⋅ 170 ⋅ 230 ⋅ 291\\ 782&=21 ⋅ 171 ⋅ 231 ⋅ 290\ 22678&=21 ⋅ 171 ⋅ 231 ⋅ 291\\ \end{align}
as a matrix
\pmod{2}
S ⋅ \begin{bmatrix}0&0&0&1\ 1&1&1&0\ 1&1&1&1\end{bmatrix}\equiv\begin{bmatrix}0&0&0&0\end{bmatrix}\pmod{2}
A solution to the equation is given by the left null space, simply
S=\begin{bmatrix}1&1&1\end{bmatrix}
Thus the product of all three equations yields a square (mod N).
29 ⋅ 782 ⋅ 22678=226782
1242 ⋅ 1272 ⋅ 1952=30708602
So the algorithm found
226782\equiv30708602\pmod{15347}
Testing the result yields GCD(3070860 - 22678, 15347) = 103, a nontrivial factor of 15347, the other being 149.
This demonstration should also serve to show that the quadratic sieve is only appropriate when n is large. For a number as small as 15347, this algorithm is overkill. Trial division or Pollard rho could have found a factor with much less computation.
In practice, many different polynomials are used for y so that when y(x) starts to become large, resulting in poor density of smooth y, this growth can be reset by switching polynomials. As usual, we choose y(x) to be a square modulo n, but now with the form
B
B2=n\pmodA
B2-n=AC
C
y(x)=A ⋅ (Ax2+2Bx+C)
(Ax2+2Bx+C)
This approach, called Multiple Polynomial Quadratic Sieve (MPQS), is ideally suited for parallelization, since each processor involved in the factorization can be given n, the factor base and a collection of polynomials, and it will have no need to communicate with the central processor until it has finished sieving with its polynomials.
If, after dividing by all the factors less than A, the remaining part of the number (the cofactor) is less than A2, then this cofactor must be prime. In effect, it can be added to the factor base, by sorting the list of relations into order by cofactor. If y(a) = 7*11*23*137 and y(b) = 3*5*7*137, then y(a)y(b) = 3*5*11*23 * 72 * 1372. This works by reducing the threshold of entries in the sieving array above which a full factorization is performed.
Reducing the threshold even further, and using an effective process for factoring y(x) values into products of even relatively large primes - ECM is superb for this - can find relations with most of their factors in the factor base, but with two or even three larger primes. Cycle finding then allows combining a set of relations sharing several primes into a single relation.
To illustrate typical parameter choices for a realistic example on a real implementation including the multiple polynomial and large prime optimizations, the tool msieve was run on a 267-bit semiprime, producing the following parameters:
Until the discovery of the number field sieve (NFS), QS was the asymptotically fastest known general-purpose factoring algorithm. Now, Lenstra elliptic curve factorization has the same asymptotic running time as QS (in the case where n has exactly two prime factors of equal size), but in practice, QS is faster since it uses single-precision operations instead of the multi-precision operations used by the elliptic curve method.
On April 2, 1994, the factorization of RSA-129 was completed using QS. It was a 129-digit number, the product of two large primes, one of 64 digits and the other of 65 digits. The factor base for this factorization contained 524339 primes. The data collection phase took 5000 MIPS-years, done in distributed fashion over the Internet. The data collected totaled 2GB. The data processing phase took 45 hours on Bellcore's (now Telcordia Technologies) MasPar (massively parallel) supercomputer. This was the largest published factorization by a general-purpose algorithm, until NFS was used to factor RSA-130, completed April 10, 1996. All RSA numbers factored since then have been factored using NFS.
The current QS factorization record is the 140-digit (463-bit) RSA-140, which was factored by Patrick Konsor in June 2020 using approximately 6,000 core hours over 6 days.[3]