By Briggs M.

The General Number Field Sieve (GNFS) is the fastest known method for factoring "large" integers, where large is generally taken to mean over 110 digits. This makes it the best algorithm for attempting to unscramble keys in the RSA [2, Chapter 4] public-key cryptography system, one of the most prevalent methods for transmitting and receiving secret data. In fact, GNFS was used recently to factor a 130-digit "challenge" number published by RSA, the largest number of cryptographic significance ever factored.

**Example text**

Fortunately this problem is addressed by a solution to another problem that crops up when adapting the Lanczos method for use in GNFS, outlined below. 3, the goal is to find a dependency among the columns of the matrix $B$, which amounts to finding a non-trivial vector $x$ such that $B \cdot x = 0$. 4 is the zero vector in this case. 4 is the trivial vector $x = 0$. 4 can fail with binary vectors. 4 is adapted to a “block” scheme that works with subspaces of vectors instead of individual vectors. First, the matrix $A$ is formed as $A = B^T B$ as alluded to earlier.

Experimentation and experience [8] have dictated that for factoring an integer with more than 110 digits, the degree $d$ be set to 5. For integers between 50 and 80 digits a value of 3 for $d$ is used. 6, early implementations of GNFS restricted $d$ to an odd integer. In this case, $d = 5$ is usually substituted for $d = 4$. Having selected a value for $d$, the choice of $f(x)$ and $m$ is usually made simultaneously. First $m$ is chosen with $m \approx n^{1/d}$ and such that the quotient of $n$ divided by $m^d$ is exactly one. A “base-m” expansion [5, Section 3] of $n$ then gives $n = m^d + a_{d-1}m^{d-1} + \cdots + a_1 m + a_0$ with coefficients $0 \le a_i < m$ for $0 \le i < d$.
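The base-m selection described above, as an added Python example (not code from the original text). The function names and the sample value n = 45113 are constructed for illustration, and the degree d is passed in by the caller rather than derived from the digit count.

```python
def integer_root(n, d):
    """Largest integer m with m**d <= n, found by binary search (no floats)."""
    lo, hi = 1, 1 << (n.bit_length() // d + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** d <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def base_m_polynomial(n, d, m=None):
    """Return (m, [a_0, ..., a_d]) with n = sum(a_i * m**i) and a_d = 1."""
    if m is None:
        m = integer_root(n, d)  # m close to n^(1/d)
    # The expansion is monic only if the quotient of n by m^d is exactly one.
    if m < 2 or n // m ** d != 1:
        raise ValueError("quotient of n by m^d is not one; pick another m or d")
    coeffs, rest = [], n
    for _ in range(d + 1):  # peel off base-m digits, lowest first
        rest, a = divmod(rest, m)
        coeffs.append(a)
    assert rest == 0 and coeffs[d] == 1
    return m, coeffs


def evaluate(coeffs, x):
    """Horner evaluation of f(x) = a_d*x^d + ... + a_1*x + a_0."""
    acc = 0
    for a in reversed(coeffs):
        acc = acc * x + a
    return acc


if __name__ == "__main__":
    n = 45113  # constructed sample value, far below real GNFS sizes
    for m in (None, 31):  # default m, then a hand-picked m near n^(1/3)
        m_used, coeffs = base_m_polynomial(n, 3, m)
        print(m_used, coeffs, evaluate(coeffs, m_used) == n)
```

When the quotient test fails, as it does for very small n with a high degree, the function raises instead of returning a non-monic polynomial.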

1) i=0 Proof. 3] from abstract algebra that the non-zero elements of a field form a group under multiplication. In this case, that means the $p - 1$ non-zero elements of $\mathbb{Z}/p\mathbb{Z}$ form a finite group of order $p - 1$ under multiplication. Then for any $0 < a < p$ it follows that $a^{p-1} \equiv 1 \pmod{p}$ and therefore $a^p \equiv a \pmod{p}$ for all $a$ with $0 \le a < p$. Rearranging the last congruence yields $a^p - a \equiv 0 \pmod{p}$ and therefore $a$ is seen to be a root of $x^p - x \pmod{p}$ for $0 \le a < p$. This determines $p$ roots for $x^p - x \pmod{p}$.

