We start with one of the oldest sieving methods: Sieve of Eratosthenes

Algorithm:
1. create a list L = [2,3,4,...n]
2. start with p = 2
3. add p to prime list P
4. remove multiples of p from L
5. pick p = smallest number in L
6. repeat steps 3-5 until no numbers are left

Example:

- L = [2,3,4,5,6,7,8,9,10,11,12], P = [ ]
- L = [~~2~~,3,~~4~~,5,~~6~~,7,~~8~~,9,~~10~~,11,~~12~~], P = [ 2 ]
- L = [~~2~~,~~3~~,~~4~~,5,~~6~~,7,~~8~~,~~9~~,~~10~~,11,~~12~~], P = [ 2,3 ]
- L = [~~2~~,~~3~~,~~4~~,~~5~~,~~6~~,7,~~8~~,~~9~~,~~10~~,11,~~12~~], P = [ 2,3,5 ]
- L = [~~2~~,~~3~~,~~4~~,~~5~~,~~6~~,~~7~~,~~8~~,~~9~~,~~10~~,11,~~12~~], P = [ 2,3,5,7 ]
- L = [~~2~~,~~3~~,~~4~~,~~5~~,~~6~~,~~7~~,~~8~~,~~9~~,~~10~~,~~11~~,~~12~~], P = [ 2,3,5,7,11 ]

In [2]:
#Code
N = 12

L = [*range(2,N + 1)]
P_lst = []
while L:
    x = L.pop(0)
    P_lst.append(x)
    L = [i for i in L if i % x != 0]
    print("p = ", x,", L = ",L)
print("P_lst = ", P_lst)

p =  2 , L =  [3, 5, 7, 9, 11]
p =  3 , L =  [5, 7, 11]
p =  5 , L =  [7, 11]
p =  7 , L =  [11]
p =  11 , L =  []
P_lst =  [2, 3, 5, 7, 11]


In [None]:
# Warm-up exercise: Implement this to factor a number N
# Hint: high school factoring

Naive quadratic sieve (Fermat factoring)

Goal: factor N
Idea: use congruence of squares

We hope to find $x \not = y$ such that
$$
x^2 \equiv y^2 \pmod{N} \implies gcd(x + y, N) \not = 1 \text{ or } gcd( x - y,N) \not = 1
$$



In [3]:
# Example

N = 323

for x in range(1,323//2):
    print((x,x^2 % N, factor(x^2 % N)))

(1, 1, 1)
(2, 4, 2^2)
(3, 9, 3^2)
(4, 16, 2^4)
(5, 25, 5^2)
(6, 36, 2^2 * 3^2)
(7, 49, 7^2)
(8, 64, 2^6)
(9, 81, 3^4)
(10, 100, 2^2 * 5^2)
(11, 121, 11^2)
(12, 144, 2^4 * 3^2)
(13, 169, 13^2)
(14, 196, 2^2 * 7^2)
(15, 225, 3^2 * 5^2)
(16, 256, 2^8)
(17, 289, 17^2)
(18, 1, 1)
(19, 38, 2 * 19)
(20, 77, 7 * 11)
(21, 118, 2 * 59)
(22, 161, 7 * 23)
(23, 206, 2 * 103)
(24, 253, 11 * 23)
(25, 302, 2 * 151)
(26, 30, 2 * 3 * 5)
(27, 83, 83)
(28, 138, 2 * 3 * 23)
(29, 195, 3 * 5 * 13)
(30, 254, 2 * 127)
(31, 315, 3^2 * 5 * 7)
(32, 55, 5 * 11)
(33, 120, 2^3 * 3 * 5)
(34, 187, 11 * 17)
(35, 256, 2^8)
(36, 4, 2^2)
(37, 77, 7 * 11)
(38, 152, 2^3 * 19)
(39, 229, 229)
(40, 308, 2^2 * 7 * 11)
(41, 66, 2 * 3 * 11)
(42, 149, 149)
(43, 234, 2 * 3^2 * 13)
(44, 321, 3 * 107)
(45, 87, 3 * 29)
(46, 178, 2 * 89)
(47, 271, 271)
(48, 43, 43)
(49, 140, 2^2 * 5 * 7)
(50, 239, 239)
(51, 17, 17)
(52, 120, 2^3 * 3 * 5)
(53, 225, 3^2 * 5^2)
(54, 9, 3^2)
(55, 118, 2 * 59)
(56, 229, 229)
(57, 19, 19)
(58, 134, 2 * 67)
(

In [4]:
# pick x = 10, y = 143
assert(143^2 % N == 10^2 % N)

print(gcd(143-10,N), gcd(143 + 10,N))

19 17


In [5]:
N/19,N/ 17

(17, 19)

In [42]:
N == 19*17

True

Some potential improvements:

- only need to compute $x^2 \pmod{N}$ from $1, \ldots, \lfloor N/2 \rfloor + 1$
- the first instance of a collision $x^2 \equiv y^2 \pmod{N}$ may be enough
- baby step giant step
- $x \not = \pm y$

Sub-problem: it  might not be easy to find collision between congruence of squares

Fix using partial relations:
- compute $a = x^2 \pmod{N}$
- factor $a \pmod{N}$
- find another $b = x'^2 \pmod{N}$ such that its product with a $\pmod{N}$ is a square

In [6]:
# Example

factor(82^2 % N), factor(92^2 % N), factor((82^2 % N)* (92^2 % N) % N)

# prime indices = (2,3,5,7,11,...) = (2,3,5,7,11)

# exponent vector

# 82^2 : (3,1,0,0,1)
# 92^2 : (1,1,0,0,1)

# (82*92)^2 : (4,2,0,0,2) even

# (82*92)^2 == 2^4 * 3^2 * 11^2 = (2^2 * 3 * 11)^2

(2^3 * 3 * 11, 2 * 3 * 11, 5 * 61)

In [8]:
(82*92)^2 % N == 5*61

True

In [56]:
gcd(82*92 - 5*61,N),gcd(82*92 + 5*61,N)

(19, 1)

Question: when do we stop, e.g., how many primes factor are we considering?

Answer: We consider primes $p < B$ where $B$ is called the smoothness bound

We say x is B-smooth if all prime factors of x are < B

- 45 = 3^2 * 5 , this is 10-smooth

Quadratic sieve

Algorithm:

- Choose a smoothness bound $B$ (there's some formula that can determine this wrt N)
- find numbers $b_i$ such that $b_i \equiv a_i^2 \pmod{N}$ is $B$-smooth (i.e., all prime factors of $b_i$ are $< B$)
- compute their factorisation $\pmod{N}$
- find exponent vectors (linear algebra over $\mathbf{F}_2$ ) such that product of some $b_i$'s is a square
- compute $gcd( a + b,N), gcd(a-b,N)$. If trivial factors, restart with different $a,b$


In [None]:
# Guided exercise (Implementing the quadratic sieve to factor N)

N = 191207

In [12]:
log(log(191207)).n()

2.49824331066437

From [Pomerance '08](https://math.dartmouth.edu/~carlp/PDF/qs08.pdf), the smoothness bound $B$ is given by the formula $$ B = exp((1/2 + o(1))((log(N)loglog(N))^{1/2} ) $$

You can think of o(1) approaching 0 as $N \rightarrow \infty$

In [None]:
# (a) find a smoothness bound B and find primes up to B (e.g., using Eratosthenes)

In [None]:
# (b) find numbers a_i^2 (mod N) that are B-smooth
# Remark: the key here is to check (a_i^2 % N) % p for p < B. Do not use factor(a_i^2 % N)

# Example: 
# 45 = 3^2 * 5 is 20-smooth since the prime factors 3,5 < 20  
# 92920 = 2^3 * 5 * 23 * 101 is not 20-smooth since we do not allow prime factors beyond 20

In [None]:
# (b') find the factorisations mod N of such numbers (trial division for example)

In [None]:
# (c) Find an exponent vector, i.e., find a vector v such that v*M = 0 over F_2

# Remark: 
# - this corresponds to finding a square (mod N)
# - M is the matrix with columns = prime indices, rows = exponents of a_i^2 mod N

# Example: 
# r_1 = 2*3*11^2 = (1,1,0,0,2)
# r_2 = 5*7      = (0,0,1,1,0)
# M = [1,1,0,0,2]
#     [0,0,1,1,0]

F = GF(2)

In [None]:
# (d) Factor N

There are a lot of improvements over the years:

- theoretical estimates for $B$-smooth numbers: Canfield-Erdős-Pomerance Theorem

- sometimes, $x^2 \pmod{N}$ has size close to $N$. Then, factoring this number $\pmod{N}$ will become difficult. [Wikipedia](https://en.wikipedia.org/wiki/Quadratic_sieve#How_QS_optimizes_finding_congruences) suggests using the following function for small inputs $x$: 

$$ f(x) = (\lceil \sqrt{N} \rceil + x)^2  - N$$

- we used trial division to check for $B$-smoothness, but there is an implementation which uses an array $T[i]$ to keep track of how many primes $ < B$ divide $f(i)$ by comparing the two quantities $T[i] "=" \sum_{p<B, p |f(i)} log(p)$ and $log |f(i)|$

- there are also tricks/techniques for linear algebra over $\mathbf{F}_2$ if we are dealing with large + sparse matrices (e.g., [block Wiedemann](https://en.wikipedia.org/wiki/Block_Wiedemann_algorithm))

- by considering functions that can replace $f(x)$ above, we are led to one of the improvements of QS: multiple polynomial quadratic sieve (MPQS) - allows parallelisation

- number field sieve...

In [13]:
M = MatrixSpace(GF(2),10^2,10^6,sparse = True)

In [14]:
M

Full MatrixSpace of 100 by 1000000 sparse matrices over Finite Field of size 2