On p153 of Hoffstein Pipher & Silverman's book "Intro. to Mathematical Cryptography", the list of numbers:
$$F(a),F(a+1),F(a+2),...,F(b)$$
is stated. Where $N$ is number to be factored, $F(T)=T^2 - N$, and $a=\lfloor{\sqrt{N}}\rfloor+1$
How does one calculate what $b$ should be? I.e. how do we know when to stop generating values for $F(T)$?
I suspect from reading "tale of two sieves" by Pomerance and from results found via google that it may be something to do with $\pi(B)$, where $B$ is approx $L(N)^{1/\sqrt{N}}$, and $\pi$ is the prime counting function. However I haven't found anything definitive to me.
It is my understanding that you compute this sequence to find smooth numbers with respect to your factor base. So you compute it until you have found one distinct smooth number for each member of your factor base, at which point the linear algebra step(s) takes over.
Now of course this begs the question "how big should my factor base be". The optimal choice I could (quickly) find (Handbook of Applied Crypto PDF) says that it should be about $L_{n}[\frac12,\frac12]=O(\exp((\frac12+o(1))\cdot \sqrt{\ln n}\sqrt{\ln\ln n}))$. If you want real-life values, I suggest you look at
msievewhich ha a multiple polynomial QS variant implementation (which is more realistic for practical applications anyways). In the linked array, the first entry defines the bit size and the second one the size of the factorbase. So e.g. for a 64-bit prime, they use 100 elements, for 200 bit 3000 elements and for 298 bits 60000 elements.