20180211, 17:47  #1 
"Tilman Neumann"
Jan 2016
Germany
1FB_{16} Posts 
QS polynomials
Hi,
reading http://www.karlin.mff.cuni.cz/~krypt.../main_file.pdf let me investigate using the polynomial Q2(x) = (2ax + b)^2  kN instead of the usual Q(x) = (ax + b)^2  kN for SIQS. Regarding performance, I found that the output of the KnuthSchroeppel algorithm is decisive: If it finds some k with kN == 1 (mod 8) then Q2(x) is faster; otherwise Q(x) is the better choice. The difference in each case may be about 510%. Are there more papers looking at Q2(x)? Is or was anybody else using case distinctions on kN (mod 8) that improve SIQS (or maybe MPQS) performance? 
20180212, 01:25  #2 
Tribal Bullet
Oct 2004
3×7×13^{2} Posts 
Every prime factor that is in the A value of a chosen QA polynomial yields one sieving root, whereas primes in the factor base always have two sieving roots. So sieving will be faster if the factors of A are not very small.
That's separate from the choice of multiplier k. Some implementations force kN==1 mod 8 but ultimately the factor base will have many primes, and luck of the draw could point to a different as better. My small SIQS code here sorts the choice of multipliers by the value of kN mod {8,3,5} to reduce the number of multipliers to try while still maximizing the chance of picking an optimal one. 
20180212, 05:53  #3  
"Tilman Neumann"
Jan 2016
Germany
3·13^{2} Posts 
Hi Jason,
Quote:
Maybe you didn't spot the little subtlety with the 2 in Q2(x) = (2ax+b)^2  kN ? The point here is that under certain conditions, Q2(x) is divisible by 4a "by design", while Q(x) = (ax+b)^2  kN is only divisible by a. Although the aparameter of Q2(x) must be chosen 1 bit smaller than in Q(x) to get polynomial values in the same bounds, the part of polynomial values that must be checked for smoothness, Q2(x)/(4a) vs. Q(x)/a, is one bit smaller in Q2(x). Furthermore Q2 has 2 bit more that can be removed very fast in trial division / resieving. The conditions that guarantee that Q2(x) is divisible by 4a are: * we need k with kN == 1 (mod 8) * the bparameter must be odd We can still use Q2(x) if these conditions are not met, but then its "12 bit advantage" is gone. My performance test result was that Q2(x) is indeed faster than Q(x) if and only if the KnuthSchroeppel algorithm (following Pomerance "The Quadratic Sieve Factoring Algorithm") gives us some k with kN == 1 (mod 8). If the KnuthSchroeppel algorithm gives us some k with kN == 3, 5, 7 (mod 8), then using Q2(x) will be slower, no matter if we use that k or the "best" k with kN == 1 (mod 8). 

20180212, 10:35  #4  
Just call me Henry
"David"
Sep 2007
Liverpool (GMT/BST)
176F_{16} Posts 
Quote:


20180212, 16:28  #5  
"Tilman Neumann"
Jan 2016
Germany
3·13^{2} Posts 
Quote:
On average, using Q2(x) is faster than Q(x) if the KnuthSchroeppel algorithm (following Pomerance "The Quadratic Sieve Factoring Algorithm") gives us some k with kN == 1 (mod 8). If the KnuthSchroeppel algorithm gives us some k with kN == 3, 5, 7 (mod 8), then using Q2(x) will usually be slower, (no matter if we use that k or the "best" k with kN == 1 (mod 8). ) 

20180212, 16:30  #6 
"Tilman Neumann"
Jan 2016
Germany
3·13^{2} Posts 

20210803, 21:21  #7 
"Ben"
Feb 2007
2^{2}·919 Posts 
I finally got around to implementing Q2(x) polynomials and tuning the KS multiplier selection and I'm quite happy with the results.
As one test case I generated 100 random rsa semiprimes. Of the 100, 85 used kN==1 mod 8 and were about 10% faster on average. Rarely (3 times out of 100) it seems to be a little overzealous trying to get kN == 1 mod 8 and will pick a slightly worse multiplier for 45% slowdown or so. But overall, quite an improvement in my view. Many thanks Till! 
20210804, 12:11  #8 
Nov 2005
2^{3}·13 Posts 
When we only pick odd numbers on the left by taking
q(x) = (2x+b)^2  k*n We can expect a factor of 4 on the right i.e. q(x) = 0 mod 4, as long as k*n is odd. But kn = 1 mod 8 gives an extra factor 2 if b is odd (2x+b)^2  k*n = (2x+b)^2  1 = 4x^2 + 4bx + b^2  1 = 4x^2 + 4bx (mod 8) Since b^2 = 1 mod 8 for odd b And such (2x+b)^2  k*n = 4x^2 + 4bx = 4x (x + b) (mod 8) Since either x or x+b are even we know (2x+b)^2  k*n = 0 mod 8 I remember that when playing with the QS in some cases of k and n q(x) has many 2 in its prime factors. There also was a kind of a structure in it, which works nicely with sieving. But for some n there is no k to get many 2's on the right side. I was not able to come up with some approach using this nice feature. Last fiddled with by ThiloHarich on 20210804 at 12:42 
20210804, 13:57  #9  
"Tilman Neumann"
Jan 2016
Germany
773_{8} Posts 
Quote:
Yes, it does not work on all numbers but on most of them. Your results look similar to mine. I estimated the "benalty" for kN == 1 (mod 8) from a scatter plot of f(k1)f(k*) vs. runtime(k1)runtime(k*), where k1 is the best k with kN == 1 (mod 8) and k* is the best k with kN == 3, 5, 7 (mod 8). Do you still get convincing kN == 2 (mod 8) ? That looked like a 5050 case to me, so I still do not consider them. Last fiddled with by Till on 20210804 at 13:58 Reason: parentheses 

20210804, 14:26  #10  
"Ben"
Feb 2007
111001011100_{2} Posts 
Quote:
1) a C60 where the k=2, kn==2 mod 8 case was 15% faster than kn==1 mod 8 (with k=1) 2) a C78 where the k=2, kn==6 mod 8 case was 5% slower than kn==1 mod 8 (with k=203) In any case the k=2 multiplier is rarely used. Both of the above examples were the only ones out of 100 samples at those sizes. 

20210804, 15:17  #11 
"Tilman Neumann"
Jan 2016
Germany
3·13^{2} Posts 

Thread Tools  
Similar Threads  
Thread  Thread Starter  Forum  Replies  Last Post 
GCD of Polynomials over a finite field for NFS  paul0  Programming  6  20150116 15:12 
SNFS polynomials.  chris2be8  FactorDB  1  20120310 16:49 
orthogonal polynomials  yemsy  Aliquot Sequences  1  20110217 10:25 
SNFS polynomials for k*b^n+1  mdettweiler  Factoring  15  20100114 21:13 
Polynomials and Probability  Orgasmic Troll  Puzzles  4  20030916 16:23 