Integer factorization via Selmer group of a number field and HT90

Question

There is the following nice new method to produce a polynomial with 'small' coefficients with a given constraint on the discriminant, using lattice reduction.

We are given $n \in \mathbb{Z}$ and we construct $f \in \mathbb{Z}[x]$ of degree $d$ with $n \vert \Delta(f)$, the discriminant of $f$, such that the coefficients of $f$ are of size $O(n^{2/(d+1)})$.

I will outline the lattice in the case $d = 4$, the method easily generalizes to other $d$.

Choose $0 < m < n$ at random and construct the lattice

$L_m = \begin{bmatrix} n & 0 & m^2 & 2m^3 & 3m^4 \\ 0 & n & -2m & -3m^2 & -4m^3 \\ 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{bmatrix}$

and reduce it with e.g. LLL. The columns will give the coefficients of a quartic polynomial $f$ with $n \vert \Delta(f)$, which has a good chance of being irreducible. You can see why this works by considering that $n \vert \Delta(f)$ if $n \vert \text{Res}(f,f')$ and notice that e.g. for $f = x^2 -2mx + m^2$, we have both $f(m) = 0$ and $f'(m) = 0$.

Such polynomials are not necessarily optimal (smallest $L^\infty$ norm), unless we are very lucky with the choice of $m$. An optimal polynomial (going by the formula for discriminant) has coefficients of size $O(n^{2/(2d-2)})$, this method gives $O(n^{2/(d+1)})$, so it is not 'too bad'.

The algorithm for computing a basis for the units/class group of a number field $K$, due to J.Buchmann in the general case, uses index calculus and has subexponential complexity. It was shown by J.F.Biasse and others that the algorithm can be improved if we can find a 'nice' defining polynomial for $K$ (the benefit comes from smaller norms/resultants which makes finding relations in the unit/class groups easier). The above algorithm gives such a polynomial (although not necessarily totally optimal).

For a given $n$, which we would like to factor, fix a degree $d$ and choose a polynomial $f$ using the above idea, which defines $K$. It means we have a better chance than usual to compute its unit/class group.

Let $p$ be a small prime. Let $S$ be the set of primes of bad reduction for $K$, together with $p$. It usual to define the $p$-Selmer group $K(S,p)$ of the $S$-integers of $K$ to equal the subgroup of $K^\times/(K^\times)^p$ having valuation at all $\mathfrak{p} \notin S$ equal to zero modulo $p$.

Let $S_{partial}$ be a subset of $S$ containing those primes which we can quickly find using existing factorization algorithms. We assume we can't find the factors of $n$, but perhaps some of the other prime factors of $\Delta(f)$.

Let $Z = K(S_{partial},p)$, a subgroup of $K(S,p)$ (note that the $p$-Selmer group is a finite group with a multiplicative basis, in fact it has the structure of an $\mathbb{F}_p$-vector space).

There is a mysterious paper of Paul Kirchner ('NFS factorization: new hopes' which can be found on ResearchGate) which describes a way to factor the relative discriminant of an extension of number fields $L/K$ using technology such as Hilbert's Theorem 90, and computing unit/class groups. It works by finding an ambiguous ideal $\mathfrak{a} \in \mathcal{O}_L$, i.e. for an automorphism $\sigma$ of $L$, such that $\sigma(\mathfrak{a}) = \mathfrak{a}$, which are known to correspond to the factors of the discriminant (in this case the relative discriminant).

There is a chance to compute such an ideal using linear algebra on the $p$-Selmer group $L(S,p)$.

To explain the repeated use of 'computing the unit/class groups', the $p$-Selmer group of $K$ is at least not too mysterious in its construction - once you have the roots of unity of $K$, generators for the unit group, and generators $\alpha$ for ideals above the primes in $S$, i.e. $\alpha\mathcal{O}_K = \mathfrak{p}^h$, for $\mathfrak{p}$ above the primes in $S$ and $h$ the class number of $\mathcal{O}_K$, you have a basis for the entire $p$-Selmer group.

What was missing before was the ability to construct a number field $K$ with a given discriminant and also have some chance of computing its unit/class groups.

What is still missing is the requisite automorphism $\sigma$ and extension $L$ of $K$. However this can be constructed easily by taking a quadratic extension $L = K(\sqrt{q})$ for some small prime factor $q$ of $\Delta(f)$ (which we should require), this will be galois and we will get an automorphism for free.

Kirchner's paper seems to require also the units of $L$, not just those of $K$. There may be a way to get by with relative quantities (e.g. in Cohen's Advanced Topics in Computational Number Theory we are told about relative class groups, there might be an analogue for relative units which is less costly than computing in the absolute number field).

My reason for posting this is that hopefully an expert can comment on the feasibility of this as a new factoring idea, so that is the question. It is not optimal (if it even works as described) because we don't get the optimum polynomials for a given discriminant $n$, but maybe this also could be improved.

The main weak point so far may be that we are trying to make do with $K(S_{partial},p)$ as opposed to $K(S,p)$, i.e. we only have a subgroup of the full $p$-Selmer group. But it is not clear that we always strictly need the full group - e.g. there could be many more elements of $K(S,p)$ than divisors of the discriminant.

Edit: Although the above gives the main points of a new factoring idea, the question is fairly vague. So I will modify this to ask a better question.

We are trying to factor $n \in \mathbb{Z}$. Assume we can compute a polynomial $f$ with coefficients bounded by $O(n^{2/(d+1)})$. Then define $K$ using the above lattice algorithm. Here is another variation on constructing $L$. Let $g = f(1/x+x)x^d$. Then $g$ is of degree $2d$, with coefficients also bounded by $O(n^{2/(d+1)})$, and is palindromic, therefore $L = K[x]/(g)$ has an automorphism $\sigma$.

Here is the improved question: Assuming that computing unit group/class group of both $K$ and $L$ is all that is required for the algorithm to work (i.e. we assume with this we can compute $\mathfrak{a}$ such that $\sigma(\mathfrak{a}) = \mathfrak{a}$ and factor $n$), what is the complexity in $L$-notation?

We have that $d$ is a parameter that needs to be tuned, and for an integer $n$, the complexity of a subexponential algorithm in $L$-notation is

$L_n(\alpha,c) = \text{exp}((c + o(1))(\log{n})^\alpha(\log{\log{n}})^{1-\alpha})$.

A natural follow-up question is, suppose we could find optimal polynomials defining $K$ with coefficients bounded by $O(n^{1/(2d-2)})$, what is the complexity?

Answer 1

This is an interesting approach, and I certainly don't know enough about Selmer groups to answer your question if everything works. However, I can say something about how this algorithm would perform versus the number field sieve (if it al works). Btw, that paper by Paul Kirchner definitely sounds interesting, I will take a look at it later.

Now, the number field sieve (NFS) generates two polynomials $f_1,f_2$ with a common root $m$ mod $n$, with coefficients of size roughly $\mathcal{O}(n^{1/(d+1)})$, using a similar technique as you described above (actually, the coefficient sized are skewed towards to lower order terms, i.e. the constant coefficient is a bit bigger than the leading coefficient).

Now, the NFS succeeds if it finds enough inputs $(x,y)$ such that $f_1(x/y) \cdot y^{\deg(f_1)}$ and $f_2(x/y) \cdot y^{\deg(f_2)}$ are both smooth. These numbers will be of the order of $\mathcal{O}(n^{1/(d+1)})$.

In your algorithm, you have to compute the unit group of a number field defined by a polynomial that has coefficients of size $\mathcal{O}(n^{2/(d+1)})$. This calculation is essentially the same as in the NFS algorithm, so here we are hoping that integers of the order of $\mathcal{O}(n^{2/(d+1)})$ are smooth.

Now the question becomes which one is harder to do? The NFS uses smaller numbers, but it does require that both numbers are smooth at the same time. It turns out that (unless there is good reason for increased smoothness in your approach) the NFS will end faster.

This can be roughly seen by looking at the $u^{-u}$ approximation of the Dickman function. Let $N = n^{1/(d+1)}$ and fix some smoothness bound $B$. Then you need to try about $\log_B(N)^{2\log_B(N)}$ numbers in the NFS before you find one relation. On the other hand, in your case it would take about $(2\log_B(N))^{2\log_B(N)}$ numbers, which unfortunately is more. This additional factor $2^{2\log_B(N)}$ isn't even that big I guess, since $B$ is quite large (for example $\log(B) = (8/9)^{1/3} \log(N)^{1/3} \log(\log(N))^{2/3}$ can be used). So the complexity would be somewhat close to the complexity of the NFS.

If you would be able to get a better complexity bound on the coefficients in your approach, say $\mathcal{O}(n^{1.5/(d+1)})$ (I don't see how, but please let me know if you find a way!), then it would quicly beat the NFS, in terms of complexity at least (there are many many tricks that are used in practice which make the algorithm a lot faster). You could look at this article if you would want to compute the complexity more precisely.