In mathematics, the rational sieve is a general algorithm for factoring integers into prime factors. It is a special case of the general number field sieve. While it is less efficient than the general algorithm, it is conceptually simpler. It serves as a helpful first step in understanding how the general number field sieve works.
Suppose we are trying to factor the composite number n. We choose a bound B, and identify the factor base (which we will call P), the set of all primes less than or equal to B. Next, we search for positive integers z and n such that both z and z+n are B-smooth - i.e. all of their prime factors are in P. We can therefore write, for suitable exponents
ai
| z=\prod | |
| pi\inP |
| ai | |
| p | |
| i |
and likewise, for suitable
bi
| z+n=\prod | |
| pi\inP |
| bi | |
| p | |
| i |
But
z
z+n
n
| \prod | |
| pi\inP |
| ai | |
| p | |
| i |
\equiv
| \prod | |
| pi\inP |
| bi | |
| p | |
| i |
\pmodn
(where the ai and bi are nonnegative integers.)
When we have generated enough of these relations (it's generally sufficient that the number of relations be a few more than the size of P), we can use the methods of linear algebra to multiply together these various relations in such a way that the exponents of the primes are all even. This will give us a congruence of squares of the form a2≡b2 (mod n), which can be turned into a factorization of n = gcd(a-b,n)×gcd(a+b,n). This factorization might turn out to be trivial (i.e. n=n×1), in which case we have to try again with a different combination of relations; but with luck we will get a nontrivial pair of factors of n, and the algorithm will terminate.
We will factor the integer n = 187 using the rational sieve. We'll arbitrarily try the value B=7, giving the factor base P = . The first step is to test n for divisibility by each of the members of P; clearly if n is divisible by one of these primes, then we are finished already. However, 187 is not divisible by 2, 3, 5, or 7. Next, we search for suitable values of z; the first few are 2, 5, 9, and 56. The four suitable values of z give four multiplicative relations (mod 187):
There are now several essentially different ways to combine these and end up with even exponents. For example,
Alternatively, equation is in the proper form already:
Like the general number field sieve, the rational sieve cannot factor numbers of the form pm, where p is a prime and m is an integer. This is not a huge problem, though—such numbers are statistically rare, and moreover there is a simple and fast process to check whether a given number is of this form. Probably the most elegant method is to check whether
\lfloorn\rfloorb=n
1<b\lelog2(n)
The biggest problem is finding a sufficient number of z such that both z and z+n are B-smooth. For any given B, the proportion of numbers that are B-smooth decreases rapidly with the size of the number. So if n is large (say, a hundred digits), it will be difficult or impossible to find enough z for the algorithm to work. The advantage of the general number field sieve is that one only needs to search for smooth numbers of order n1/d for some positive integer d (typically 3 or 5), rather than of order n as required here.