QuadSieveEx.mws

Quadratic Sieve Examples

© Mike May, S. J., 2002, maymk@slu.edu

>   

In the context of RSA, factoring the product of a pair of prime numbers is an important problem.  One of the current methods of solving this problem is with a quadratic sieve.  It is a difficult enough process that we would like to look at an example in detail.

We would like to look at using a quadratic sieve to factor a product of two primes.  We start with an n that is a product of two primes.

Example 1, n = 9091*3271

>    isprime(3271);
isprime(9091);
n := 9091*3271;

true

true

n := 29736661

We want to look at numbers whose squares that will be a product of small primes mod n.  For our example we will consider a prime to be small if it is less than 20.  We will also cheat a bit on checking if a number is a product of small primes.  Instead we will check if it divides the tenth power of the product of small primes.

>    smallprime := 2*3*5*7*11*13*17*19;

smallprime := 9699690

To find numbers whose square is a product of small primes we look for numbers whose square is small mod n.  We find candidates by taking the square root of n*i and rounding up.  If the result is a factor of (smallprime)^10, we factor it and store the result.

>    for i from 1 to 100 do
   t1 := ceil(sqrt(n*i)):
   t2 := t1^2 mod n:
   t3 := irem(smallprime^10, t2):
   if (t3 = 0) then print(i, t1, t2, ifactors(t2)) fi;
end do:

11, 18086, 125, [1, [[5, 3]]]

31, 30362, 14553, [1, [[3, 3], [7, 2], [11, 1]]]

44, 36172, 500, [1, [[2, 2], [5, 3]]]

99, 54258, 1125, [1, [[3, 2], [5, 3]]]

A line of output lists the i from the square root of n*i, the value m this rounds up to, the square mod n, and the prime factors with multiplicity of  M=m^2mod n.  We look for products of m's where the product of the M's is a perfect square.  The rows corresponding to 11 and 14 work.  They tell us that (18086*36172)^2 = (2*5^3)^2 mod n.  This means n divides (18086*36172-2*5^3)(18086*36172+2*5^3).  Hopefully one of the factors of n divides each of these factors.

>    igcd(18086*36172-2*5^3,n);

29736661

Unfortunately, that is not true so we need to try more numbers to get more relations.

>    for i from 1 to 400 do
   t1 := ceil(sqrt(n*i)):
   t2 := t1^2 mod n:
   t3 := irem(smallprime^10, t2):
   if (t3 = 0) then print(i, t1, t2, ifactors(t2)) fi;
end do:

11, 18086, 125, [1, [[5, 3]]]

31, 30362, 14553, [1, [[3, 3], [7, 2], [11, 1]]]

44, 36172, 500, [1, [[2, 2], [5, 3]]]

99, 54258, 1125, [1, [[3, 2], [5, 3]]]

124, 60724, 58212, [1, [[2, 2], [3, 3], [7, 2], [11, 1]]]

125, 60968, 14399, [1, [[7, 1], [11, 2], [17, 1]]]

176, 72344, 2000, [1, [[2, 4], [5, 3]]]

225, 81797, 484, [1, [[2, 2], [11, 2]]]

275, 90430, 3125, [1, [[5, 5]]]

278, 90922, 18326, [1, [[2, 1], [7, 2], [11, 1], [17, 1]]]

279, 91086, 130977, [1, [[3, 5], [7, 2], [11, 1]]]

349, 101873, 13440, [1, [[2, 7], [3, 1], [5, 1], [7, 1]]]

396, 108516, 4500, [1, [[2, 2], [3, 2], [5, 3]]]

397, 108653, 19992, [1, [[2, 3], [3, 1], [7, 2], [17, 1]]]

We can look at the product of the rows corresponding to 31, 278,  and 396, or rows 11 and 275, or row 225 all by itself.

>    igcd(30362*90922*108653-2^2*3^2*7^3*11*17,n);
igcd(18086*90430-5^4,n);
igcd(81797-22,n);

3271

29736661

3271

Two of these three sets of relations yield a prime factorization of n.

Example 2: n= 3701*3571

>    p := 3701;
q := 3571;
n := p*q;

p := 3701

q := 3571

n := 13216271

>    smallprime := 2*3*5*7*11*13*17*19;

smallprime := 9699690

>    for i from 1 to 400 do
t1 := ceil(sqrt(n*i)):
t2 := t1^2 mod n:
t3 := irem(smallprime^10, t2):
if (t3 = 0) then print(i, t1, t2, ifactors(t2)) fi;
od:

1, 3636, 4225, [1, [[5, 2], [13, 2]]]

7, 9619, 11264, [1, [[2, 10], [11, 1]]]

23, 17435, 4992, [1, [[2, 7], [3, 1], [13, 1]]]

26, 18538, 34398, [1, [[2, 1], [3, 3], [7, 2], [13, 1]]]

55, 26961, 616, [1, [[2, 3], [7, 1], [11, 1]]]

87, 33909, 4704, [1, [[2, 5], [3, 1], [7, 2]]]

92, 34870, 19968, [1, [[2, 9], [3, 1], [13, 1]]]

140, 43015, 12285, [1, [[3, 3], [5, 1], [7, 1], [13, 1]]]

159, 45841, 10192, [1, [[2, 4], [7, 2], [13, 1]]]

207, 52305, 44928, [1, [[2, 7], [3, 3], [13, 1]]]

220, 53922, 2464, [1, [[2, 5], [7, 1], [11, 1]]]

348, 67818, 18816, [1, [[2, 7], [3, 1], [7, 2]]]

354, 68400, 66, [1, [[2, 1], [3, 1], [11, 1]]]

389, 71702, 47385, [1, [[3, 6], [5, 1], [13, 1]]]

391, 71886, 35035, [1, [[5, 1], [7, 2], [11, 1], [13, 1]]]

This gives several possibilities

>    #92,207
igcd(52305*34870-2^8*3^2*13,n);

13216271

>    #87, 348
igcd(33909*67818-2^6*3*7^2,n);

13216271

>    #87, 92, 159
igcd(33909*34870*45841-2^9*3*7^2*13,n);

3701

This finally gives the factorization we need.

>   

>