I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k
|
|
- Derick Clarke
- 5 years ago
- Views:
Transcription
1 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 MPRI Cours I. Introduction ECOLE POLYTECHNIQUE F. Morain Lecture IIb: Introduction to integer factorization 2009/11/30 I. Introduction. II. Finding small factors of integers. Input: an integer N; Output: N = k i=1 pα i i with p i (proven) prime. Major impact: estimate the security of RSA cryptosystems. Also: primitive for a lot of number theory problems. How do we test and compare algorithms? Cunningham project, RSA Security (partitions, RSA keys) though abandoned? III. Pollard s p 1 method. IV. ECM. F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours / ( )/9 200 CFRAC: QS: ( ) SNFS: RSA GNFS: F 9 p(11887) 140 RSA-129 RSA , 104+ RSA-130 RSA-120 2, 1450M F QS: SNFS: GNFS: ( )/9 ( ) 41 1 RSA-140 RSA , , 1642M RSA-200 RSA-160 RSA-576 RSA , 353
2 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 More figures for RSA-dd What is the factorization of a random number? dd who when time 100 Manasse & A. K. Lenstra MIPS-year 110 AKL 1992 one month on 5/8 of a MasPar 16K 120 AKL, Dodson, Denny, MIPS-year Manasse, Lioen, te Riele 129 Atkins, Graff, AKL, MIPS-year Leyland + INTERNET 130 Dodson, Montgomery, MIPS-year Elkenbracht-Huizing, AKL, WWW, Fante, Leyland, Weber, Zayer 140 te Riele, Cavallar, Lioen, MIPS-year Montgomery, Dodson, AKL, Leyland, Murphy, Zimmermann 155 CABAL MIPS-year 200 Franke et al. 05/ years 2.2GHz Opteron N = N 1 N 2 N r with N i prime, N i N i+1. Prop. r log 2 N; r = log log N. Size of the factors: D k = lim N + log N k / log N exists and On average k D k N 1 N 0.62, N 2 N 0.21, N 3 N an integer has one large factor, a medium size one and a bunch of small ones. F. Morain École polytechnique MPRI cours /26 A crucial species: smooth numbers Def. A B-smooth number N has all its prime factors B. Main interest: all relation collecting algorithms (Quadratic sieve, index calculus, etc.). de Bruijn s function: ψ(x, y) = Card{N x, p N p y}. Main theorem: (Canfield, Erdős, Pomerance) For all ε > 0, uniformly in y (log x) 1+ε, when x x ψ(x, y) =, u = log x/ log y. uu(1+o(1)) A useful function: ( ) L(x) = exp log x log log x. Prop. For all α > 0, β > 0, when x ψ(x α, L(x) β ) = x α L(x) α 2β +o(1). F. Morain École polytechnique MPRI cours /26 II. Finding small factors of integers Pb. Let P = {p 1, p 2,...,p m } be a finite set of primes, X = {x 1, x 2,...,x n } a finite sequence of integers. For x in X, define the P-smooth part of x F(x) = p e. p P p e x How can we compute all F(x) rapidly? Basic case: P B = {2, 3,...,B}; X = {x 1 }. Rem. building P B is a classical exercise (Eratosthenes sieve); B = 2 32 is not a problem (store (p i+1 p i )/2 as a char).
3 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 A) Trial division Algorithm: divide all x s by all p s. Claims: Multiplication of two n-bit integers (resp. degree n polynomials over a ring R) can be realized in O(M int (n)) (resp. O(M pol (n))) bit-operations (resp. operations in R) with traditional (resp. best) value of n 2 (resp. n log n log log n). Quotient and remainder of a(x) of degree n + m by b(x) of degree n can be done using O(M pol (m) + M pol (n) + n) operations over R. A 2n-bit integer divided by a n-bit one takes O(M int (n)). Basic case: lg P B = p B lg p = O(B lg B) and TD costs O(B 1+o(1) (lg X)) (if all x i have the same size). B) Product trees Algorithm: Franke/Kleinjung/FM/Wirth improved by Bernstein 1. [Product tree] Compute z = p 1 p m. 2. [Remainder tree] Compute z mod x 1,..., z mod x n. z mod (x 1 x 2 x 3 x 4 ) z mod (x 1 x 2 ) z mod (x 3 x 4 ) z mod x 1 z mod x 2 z mod x 3 z mod x 4 F. Morain École polytechnique MPRI cours /26 Product trees (cont d) 3. [explode valuation] For each k {1,...,n}, compute y k = z 2e mod x k with e s.t. 2 2e x k ; print gcd(x k, y k ). F. Morain École polytechnique MPRI cours /26 Validity and analysis Imagine all p i s have the same size β. Product tree: 2M(β) + M(2β). M(2β) 2M(β) Naive case: p 1 p }{{} 2 +(p 1 p 2 )p 3 +(p 1 p 2 p 3 )p 4 6M(β). }{{}}{{} M(β) M(2β,β) M(3β,β) Comparison: 4M(β) vs. M(2β)? Equal if M(β) = β 2, product tree better if M(β) = β a, a < 2. General principle: only the last step counts. Validity: let y k = z 2e mod x k. Suppose p x k. Then ν p (x k ) 2 e, since 2 ν p ν 2 2e. Therefore ν p (y k ) 2 e ν and the gcd will contain the right valuation. Analysis: given b = total number of bits in P and X, O((lg b)m int (b) = O(b(lg b) 2+o(1) ). Step 1: O(log mm int (b)). Step 2: O(log nm int (b)). Step 3: O(b k (lg b)m int (b k )) since e O(lg b); overall cost is obtained via P bk = O(b). Rem. If more information is needed, use Bernstein for b(lg b) 3+o(1). See Bernstein s web page.
4 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 C) Pollard s ρ (again!) Prop. Let f : E E, #E = m; X n+1 = f(x n ) with X 0 E. The functional digraph of X is: X 0 X 1 X 2 X µ X µ 1 X µ+1 X µ+λ 1 Fact. There exists a unique e > 0 (epact) s.t. µ e < λ + µ and X 2e = X e. On average, e = O( m). Floyd s algorithm: X <- X0; Y <- X0; e <- 0; repeat X <- f(x); Y <- f(f(y)); e <- e+1; until X = Y; Application to the factorization of N Idea: suppose p N and we have a random f mod N s.t. f mod p is random. function f(x, N) return (x 2 + 1) mod N; end. function rho(n) 1. [initialization] x:=1; y:=1; g:=1; 2. [loop] while (g = 1) do x:=f(x, N); y:=f(f(y, N), N); g:=gcd(x-y, N); endwhile; 3. return g; F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 D) Pollard Strassen Conjecture. RHO finds p N using O( p) iterations. Thm. (Bach, 1991) Proba finding p N after k iterations is at least when p goes to infinity. In practice: ( k 2) p + O(p 3/2 ) Trick: compute gcd( i (x 2i x i ), N). Choosing f : some choices are bad, as x x 2 et x x 2 2. Tables exist for given f s. Improvements: reducing the number of evaluation of f, see Brent, Montgomery. Input: B N. Output: smallest p B dividing N if any. 0. Let C = B. 1. Compute f(x) = 1 j C (X + j) Z/NZ[X]. 2. Compute all g i = f(ic) Z/NZ for 0 i < C. 3. if gcd(g i, N) = 1 for all i then return FAILURE else set k = min i {gcd(g i, N) > 1}. 4. return min d {kc + 1 d kc + c, d N}. Validity: p N and p f(ic) for some 0 i < C if and only if p divides some number in {ic + 1,...,iC + C}.
5 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 Analysis III. Pollard s p 1 method Step 1: product tree again, hence O(M pol (C) log C) additions and multiplications in Z/NZ. Step 2: multipoint evaluation O(M pol (C) log C), same as remainder tree, since f(a) = f(x) mod (X a). Step 3: C gcd s for a cost of O(CM int (log N) log log N). Step 4: O(CM int (log N)). Total: O(M pol (B 0.5 )M int (log N)(log B + log log N)). Deterministic. Rem. Bostant/Gaudry/Schost got rid of the log B term. Idea: assume p N and a is prime to p. Then (p a p 1 1 and p N) p gcd(a p 1 1, N). Same if some R is known s.t. p 1 R and we compute gcd((a R mod N) 1, N). How do we find R? Only reasonable hope is that p 1 B! for some (small) B. In other words, p is B-smooth. Algorithm: R = p α B 1 p α = lcm(2,...,b 1 ). Rem. (usual trick) we compute gcd( k ((ar k 1) mod N), N). F. Morain École polytechnique MPRI cours /26 Second phase: the classical one F. Morain École polytechnique MPRI cours /26 Second phase: faster Let b = a R mod N and gcd(b, N) = 1. Hyp. p 1 = Qs with Q R and s prime, B 1 < s B 2. Test: is gcd(b s 1, N) > 1 for some s. Let s j denote the j-th prime. In practice all s j+1 s j are small (Cramer s conjecture implies s j+1 s j (log B 2 ) 2 ). Precompute c δ b δ mod N for all possible δ (small); Compute next value with one multiplication b s j+1 = b s j c sj+1 s j mod N. Cost: O((log B 2 ) 2 ) + O(log s 1 ) + (π(b 2 ) π(b 1 )) multiplications +(π(b 2 ) π(b 1 )) gcd s. When B 2 B 1, π(b 2 ) dominates. Rem. We need a table of all primes < B 2 ; memory is O(B 2 ). Select w B 2, v 1 = B 1 /w, v 2 = B 2 /w. Write our prime s as s = vw u, with 0 u < w, v 1 v v 2. One has gcd(b s 1, N) > 1 iff gcd(b wv b u, N) > Precompute b u mod N for all 0 u < w. 2. Precompute all(b w ) v for all v 1 v v For all u and all v evaluate gcd(b vw b u, N). Number of multiplications is w + (v 2 v 1 ) + O(log 2 w) = O( B 2 ), memory is also O( B 2 ). Number of gcd is still π(b 2 ) π(b 1 ). Record. Zimmermann (58 dd of , 2005).
6 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 Second phase: faster Algorithm: 1. Compute h(x) = 0 u<w (X bu ) Z/NZ[X] 2. Evaluate all h((b w ) v ) for all v 1 v v Evaluate all gcd(h(b wv ), N). Analysis: Step 1: O((log w)m pol (w)) operations (using a product tree). Step 2: O((log w)m int (log N)) for b w ; v 2 v 1 for (b w ) v ; multi-point evaluation on w points takes O((log w)m pol (w)). Rem. Evaluating h(x) along a geometric progression of length w takes O(w log w) operations (see Montgomery-Silverman). Total cost: O((log w)m pol (w)) = O(B 0.5+o(1) 2 ). Trick: use gcd(u, w) = 1 and w = F. Morain École polytechnique MPRI cours /26 Just the beginning of the story Continuing p 1 with the birthday paradox Consider B = b mod p. By hypothesis, #B = s. If we draw s elements at random in B, then we have a collision (birthday paradox). Algorithm: build (b i ) with b 0 = b, and { b 2 b i+1 = i mod N with proba 1/2 b 2 i b mod N with proba 1/2. We gather r s values and compute where r i=1 j i(b i b j ) = Disc(P(X)) = i P(X) = r (X b i ). i=1 use fast polynomial operations again. P (b i ) Rem. This idea can be reused in many factoring algorithms. F. Morain École polytechnique MPRI cours /26 IV. ECM Rem. Over a ring, the addition law must be defined with some care, due to singular points (see Lenstra for a rigorous presentation). Prototype of the Φ k factoring methods: Williams s p + 1 method, Bach + Shallit. Quadratic forms. ECM. E N = { (x, y), y 2 x 3 + ax + b mod N } { O N }, s.t. gcd(4a b 2, N) = 1. A point is an element of E N. Note for all prime p N, E p is actually an elliptic curve. Pseudo-addition: given two points P and Q, returns either a point R s.t. P p Q p = R p for all p N; or a divisor d of N.
7 ECM: Pollard s p 1 on a curve Algorithm: find (E, P = (x 0, y 0 )) s.t. y 2 0 x3 0 + ax 0 + b mod N; compute [R]P on E until the pseudo-addition returns a factor of N. all variants of p 1 works, except the FFT 2nd phase. An example: Computing [3]Q = [3!]P: E N : y 2 x 3 + x + 1 mod 143, P = (0, 1) Q = [2]P = (36, 124) [2]Q = (127, 71). λ = (124 71) (36 127) 1 mod 143. ECM: analysis ECM works when there exists E N s.t. E p has a smooth cardinality. Varying E makes #E vary we can use a lot of them. Rationale: #E p should behave as a random number p. Conjecture (Lenstra) Let L(x) = exp ( log x log log x ). Using L(p) 1/ 2 curves, we can find p N with O(L(p) 2 ) operations on curves. In practice: very very efficient for p , record of p with 67 decimal digits. Many tricks known: fast elliptic group laws (even Edwards); forcing a torsion subgroup is also possible. But gcd(36 127, 143) = gcd(52, 143) = 13. F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26
1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation
1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationInteger factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein
Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness D. J. Bernstein The Q sieve factors by combining enough -smooth congruences ( + ). Enough log. Plausible conjecture:
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 11: Introduction to Number Theory Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline What we ve covered so far: symmetric
More informationHOW TO FIND SMOOTH PARTS OF INTEGERS. 1. Introduction. usually negligible Smooth part of x. usually negligible Is x smooth?
Draft. Aimed at Math. Comp. I m rewriting [8] in light of this. HOW TO FIND SMOOTH PARTS OF INTEGERS DANIEL J. BERNSTEIN Abstract. Let P be a finite set of primes, and let S be a finite sequence of positive
More informationECE297:11 Lecture 12
ECE297:11 Lecture 12 RSA Genesis, operation & security Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob 1 Trap-door one-way
More informationRSA Cryptosystem and Factorization
RSA Cryptosystem and Factorization D. J. Guan Department of Computer Science National Sun Yat Sen University Kaoshiung, Taiwan 80424 R. O. C. guan@cse.nsysu.edu.tw August 25, 2003 RSA Cryptosystem was
More informationEncyclopedia of Information Security Entries related to integer factoring
Encyclopedia of Information Security Entries related to integer factoring Arjen K. Lenstra arjen.lenstra@citigroup.com Version: 0.1 August 30, 2007 Birthday paradox The birthday paradox refers to the fact
More informationThe Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright
The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic...... 3 2.2
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationGood algebraic reading. MPRI Cours III. Integer factorization NFS. A) Definitions and properties
F. Morain École polytechnique MPRI cours -1 007-008 3/45 F. Morain École polytechnique MPRI cours -1 007-008 4/45 ECOLE POLYTECHNIQUE MPRI Cours -1 F. Morain III. Integer factorization NFS 007/10/01 I.
More informationcse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications
cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications casting out 3s Theorem: A positive integer n is divisible by 3 if and only if the sum of its decimal digits is divisible
More informationFully Deterministic ECM
Fully Deterministic ECM Iram Chelli LORIA (CNRS) - CACAO Supervisor: P. Zimmermann September 23, 2009 Introduction The Elliptic Curve Method (ECM) is currently the best-known general-purpose factorization
More informationECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA
ECM at Work Joppe W. Bos 1 and Thorsten Kleinjung 2 1 Microsoft Research, Redmond, USA 2 Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland 1 / 18 Security assessment of public-key cryptography
More informationFactoring integers, Producing primes and the RSA cryptosystem. December 14, 2005
Factoring integers, Producing primes and the RSA cryptosystem December 14, 2005 RSA cryptosystem University of Kathmandu, December 14, 2005 1 RSA 2048 = 25195908475657893494027183240048398571429282126204
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationUncertainty can be Better than Certainty:
Abstract Uncertainty can be Better than Certainty: Some Algorithms for Primality Testing Richard P. Brent Australian National University For many years mathematicians and computer scientists have searched
More informationFactoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.
Factoring Algorithms Pollard s p 1 Method This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Input: n (to factor) and a limit B Output: a proper factor of
More informationChallenges in Solving Large Sparse Linear Systems over Finite Fields
Abstract Challenges in Solving Large Sparse Linear Systems over Finite Fields Richard P. Brent 23 September 2005 This talk outlines how very large, sparse linear systems arise in the solution of problems
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationFactoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).
18.310 lecture notes April 22, 2015 Factoring Lecturer: Michel Goemans We ve seen that it s possible to efficiently check whether an integer n is prime or not. What about factoring a number? If this could
More informationcse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications
cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications n-bit unsigned integer representation Represent integer x as sum of powers of 2: If x = n 1 i=0 b i 2 i where each b i
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder
More informationRSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More information2 Richard P. Brent public-key cryptography, the RSA algorithm [75], would be insecure if a fast integer factorisation algorithm could be implemented [
Some Parallel Algorithms for Integer Factorisation Richard P. Brent Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford OX1 3QD, UK rpb@comlab.ox.ac.uk http://www.comlab.ox.ac.uk/
More informationIMPROVEMENTS TO THE GENERAL NUMBER FIELD SIEVE FOR DISCRETE LOGARITHMS IN PRIME FIELDS.
IMPROVEMENTS TO THE GENERAL NUMBER FIELD SIEVE FOR DISCRETE LOGARITHMS IN PRIME FIELDS. A COMPARISON WITH THE GAUSSIAN INTEGER METHOD. ANTOINE JOUX AND REYNALD LERCIER Abstract. In this paper, we describe
More informationThe RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay
The RSA Cryptosystem: Factoring the public modulus Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives
More informationComputing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.
Computing Discrete Logarithms Many cryptosystems could be broken if we could compute discrete logarithms quickly. The first discrete logarithm algorithms below apply in any group. They are about the best
More informationSMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance
SMOOTH NUMBERS AND THE QUADRATIC SIEVE Carl Pomerance When faced with a large number n to factor, what do you do first? You might say Look at the last digit, with the idea of cheaply pulling out possible
More informationDiscrete Math, Fourteenth Problem Set (July 18)
Discrete Math, Fourteenth Problem Set (July 18) REU 2003 Instructor: László Babai Scribe: Ivona Bezakova 0.1 Repeated Squaring For the primality test we need to compute a X 1 (mod X). There are two problems
More informationRemainders. We learned how to multiply and divide in elementary
Remainders We learned how to multiply and divide in elementary school. As adults we perform division mostly by pressing the key on a calculator. This key supplies the quotient. In numerical analysis and
More informationInstructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test
Introduction to Algorithms (CS 482) Cornell University Instructor: Bobby Kleinberg Lecture Notes, 25 April 2008 The Miller-Rabin Randomized Primality Test 1 Introduction Primality testing is an important
More informationFactorization of Integers Notes for talks given at London South Bank University 20 February, 19 March, 2008 Tony Forbes
Factorization of Integers Notes for talks given at London South Bank University 20 February, 19 March, 2008 Tony Forbes ADF37A version 1.7A THE PROBLEM Given a positive integer N, find a positive integer
More informationCorollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1
4. Primality testing 4.1. Introduction. Factorisation is concerned with the problem of developing efficient algorithms to express a given positive integer n > 1 as a product of powers of distinct primes.
More informationPrimality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant
CS265/CME309, Fall 2018. Instructor: Gregory Valiant Primality Testing [These notes may not be distributed outside this class without the permission of Gregory Valiant.] 1 Introduction Prime numbers are
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation
More informationDistinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago
Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable
More informationHyperelliptic curves
1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic
More informationElliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.
Elliptic Curves Cryptography and factorization Part VIII Elliptic curves cryptography and factorization Cryptography based on manipulation of points of so called elliptic curves is getting momentum and
More informationCSE 521: Design and Analysis of Algorithms I
CSE 521: Design and Analysis of Algorithms I Randomized Algorithms: Primality Testing Paul Beame 1 Randomized Algorithms QuickSelect and Quicksort Algorithms random choices make them fast and simple but
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationDistinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago
Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable
More informationOn the factorization of RSA-120. T. Denny 1, B. Dodson 2, A. K. Lenstra 3, M. S. Manasse 4
On the factorization of RSA-120 T. Denny 1, B. Dodson 2, A. K. Lenstra 3, M. S. Manasse 4 1 Lehrstuhl Prof. Buchmann, Fachbereich Informatik, Universitat des Saarlandes, Postfach 1150, 66041 Saarbrucken,
More informationPostmodern Primality Proving
Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 1 / 29 Postmodern Primality Proving Preda Mihăilescu Mathematical Institute, University of Göttingen, Germany June
More informationCounting points on hyperelliptic curves
University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationSome mysteries of multiplication, and how to generate random factored integers
Some mysteries of multiplication, and how to generate random factored integers Richard P. Brent Australian National University 6 February 2015 joint work with Carl Pomerance Presented at Hong Kong Baptist
More informationEfficiency of RSA Key Factorization by Open-Source Libraries and Distributed System Architecture
Baltic J. Modern Computing, Vol. 5 (2017), No. 3, 269-274\ http://dx.doi.org/10.22364/bjmc.2017.5.3.02 Efficiency of RSA Key Factorization by Open-Source Libraries and Distributed System Architecture Edgar
More informationCERIAS Tech Report
CERIAS Tech Report 2006-43 ELLIPTIC CURVE FACTORING METHOD VIA FFTS WITH DIVISION POLYNOMIALS by Zhihong Li Center for Education and Research in Information Assurance and Security, Purdue University, West
More informationD. J. Bernstein University of Illinois at Chicago
Algorithms for primes D. J. Bernstein University of Illinois at Chicago Some literature: Recognizing primes: 1982 Atkin Larson On a primality test of Solovay and Strassen ; 1995 Atkin Intelligent primality
More information5: The Integers (An introduction to Number Theory)
c Oksana Shatalov, Spring 2017 1 5: The Integers (An introduction to Number Theory) The Well Ordering Principle: Every nonempty subset on Z + has a smallest element; that is, if S is a nonempty subset
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationpart 2: detecting smoothness part 3: the number-field sieve
Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness Integer factorization, part 3: the number-field sieve D. J. Bernstein Problem: Factor 611. The Q sieve forms
More informationChapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives
More informationECE 646 Lecture 9. RSA: Genesis, operation & security
ECE 646 Lecture 9 RSA: Genesis, operation & security Required Reading (1) W. Stallings, "Cryptography and Network-Security," Chapter 8.1 Prime Numbers Chapter 8.2 Fermat's and Euler's Theorems Chapter
More informationAlgorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm
Alex Sundling Algorithms Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm Shanks Square Forms Created by Daniel Shanks as an improvement on Fermat s factorization
More informationFFT extension for algebraic-group factorization algorithms
FFT extension for algebraic-group factorization algorithms Richard P. Brent, Alexander Kruppa, and Paul Zimmermann Australian National University, Canberra, Australia Technische Universität München, München,
More informationInteger Factorization Methods
Integer Factorization Methods Christopher Koch CSE489-01 Algorithms in CS & IT New Mexico Institute of Mining and Technology May 9, 2014 Contents List of Theorems and Definitions List of Algorithms List
More informationParametrizations for Families of ECM-Friendly Curves
Parametrizations for Families of ECM-Friendly Curves Thorsten Kleinjung Arjen K. Lenstra Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC École Polytechnique Fédérale de Lausanne, EPFL IC
More informationInteger Factoring Utilizing PC Cluster
Integer Factoring Utilizing PC Cluster Kazumaro Aoki maro at isl ntt co jp c NTT p.1/47 Contents Background Integer Factoring Algorithms World Records On 1024-bit GNFS My Experiences c NTT p.2/47 Integer
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationFactorization of RSA 140 Using the Number Field Sieve
Factorization of RSA 140 Using the Number Field Sieve Stefania Cavallar 3,BruceDodson 5,ArjenLenstra 1,PaulLeyland 6,Walter Lioen 3, Peter L. Montgomery 7, Brian Murphy 2, Herman te Riele 3, and Paul Zimmermann
More informationA Beginner s Guide To The General Number Field Sieve
1 A Beginner s Guide To The General Number Field Sieve Michael Case Oregon State University, ECE 575 case@engr.orst.edu Abstract RSA is a very popular public key cryptosystem. This algorithm is known to
More informationThe attack of the RSA Subgroup Assumption
The attack of the RSA Subgroup Assumption Jiang Weng 1,2, Yunqi Dou 1,2, and Chuangui Ma 1,2 1 Zhengzhou Information Science and Technology Institute,Zhengzhou 450002, China 2 State Key Laboratory of Mathematical
More informationTheoretical Cryptography, Lecture 13
Theoretical Cryptography, Lecture 13 Instructor: Manuel Blum Scribe: Ryan Williams March 1, 2006 1 Today Proof that Z p has a generator Overview of Integer Factoring Discrete Logarithm and Quadratic Residues
More informationFinite Fields and Elliptic Curves in Cryptography
Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem
More informationElliptic Curve Method for Integer Factorization on Parallel Architectures
EDIC RESEARCH PROPOSAL 1 Elliptic Curve Method for Integer Factorization on Parallel Architectures Andrea Miele I&C, EPFL Abstract The elliptic curve method (ECM) for integer factorization is an algorithm
More informationCS250: Discrete Math for Computer Science
CS250: Discrete Math for Computer Science L6: Euclid s Algorithm & Multiplicative Inverses Mod m Greatest Common Divisors, GCD If d a and d b then d is a common divisor of a and b. 1, 2, 3, and 6 are common
More informationAnother Generalization of Wiener s Attack on RSA
Another Generalization of Wiener s Attack on RSA Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France BP 586, 4032 Caen Cedex, France http://www.math.unicaen.fr/~nitaj
More informationRSA Implementation. Oregon State University
RSA Implementation Çetin Kaya Koç Oregon State University 1 Contents: Exponentiation heuristics Multiplication algorithms Computation of GCD and Inverse Chinese remainder algorithm Primality testing 2
More informationMATH 361: NUMBER THEORY FOURTH LECTURE
MATH 361: NUMBER THEORY FOURTH LECTURE 1. Introduction Everybody knows that three hours after 10:00, the time is 1:00. That is, everybody is familiar with modular arithmetic, the usual arithmetic of the
More informationElliptic Curves Spring 2013 Lecture #4 02/14/2013
18.783 Elliptic Curves Spring 2013 Lecture #4 02/14/2013 4.1 Complexity of finite field arithmetic The table below summarizes the costs of various arithmetic operations. integers Z finite field F q addition/subtraction
More informationInteger Factorization and Computing Discrete Logarithms in Maple
Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradord, Michael Monagan, Colin Percival anbradfo@sfu.ca, mmonagan@cecm.sfu.ca, cperciva@irmacs.sfu.ca Department of Mathematics,
More informationCS483 Design and Analysis of Algorithms
CS483 Design and Analysis of Algorithms Lectures 2-3 Algorithms with Numbers Instructor: Fei Li lifei@cs.gmu.edu with subject: CS483 Office hours: STII, Room 443, Friday 4:00pm - 6:00pm or by appointments
More informationPARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES
PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES ALEXANDRE GÉLIN, THORSTEN KLEINJUNG, AND ARJEN K. LENSTRA Abstract. We provide a new family of elliptic curves that results in a one to two percent
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationIndustrial Strength Factorization. Lawren Smithline Cornell University
Industrial Strength Factorization Lawren Smithline Cornell University lawren@math.cornell.edu http://www.math.cornell.edu/~lawren Industrial Strength Factorization Given an integer N, determine the prime
More informationWhat is The Continued Fraction Factoring Method
What is The Continued Fraction Factoring Method? Slide /7 What is The Continued Fraction Factoring Method Sohail Farhangi June 208 What is The Continued Fraction Factoring Method? Slide 2/7 Why is Factoring
More informationElementary factoring algorithms
Math 5330 Spring 018 Elementary factoring algorithms The RSA cryptosystem is founded on the idea that, in general, factoring is hard. Where as with Fermat s Little Theorem and some related ideas, one can
More informationImplementation of ECM Using FPGA devices. ECE646 Dr. Kris Gaj Mohammed Khaleeluddin Hoang Le Ramakrishna Bachimanchi
Implementation of ECM Using FPGA devices ECE646 Dr. Kris Gaj Mohammed Khaleeluddin Hoang Le Ramakrishna Bachimanchi Introduction Why factor numbers? Security of RSA relies on difficulty to factor large
More informationModular polynomials and isogeny volcanoes
Modular polynomials and isogeny volcanoes Andrew V. Sutherland February 3, 010 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Modular polynomials and isogeny volcanoes 1 of 9 Isogenies An isogeny
More informationLecture notes: Algorithms for integers, polynomials (Thorsten Theobald)
Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationThe next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.
CS 70 Discrete Mathematics for CS Fall 2003 Wagner Lecture 10 The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.
More information1 Maintaining a Dictionary
15-451/651: Design & Analysis of Algorithms February 1, 2016 Lecture #7: Hashing last changed: January 29, 2016 Hashing is a great practical tool, with an interesting and subtle theory too. In addition
More informationCryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage
Cryptosystem Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage f(m). The receiver computes f 1 (f(m)). Advantage: Cannot
More informationSieve-based factoring algorithms
Sieve-based factoring algorithms From bicycle chains to number fields Eran Tromer tromer@wisdom.weizmann.ac.il Weizmann Institute of Science Sieve-based factoring p.1/23 Factoring by square root extraction
More informationExercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.
Exercises Exercises 1. Determine whether each of these integers is prime. a) 21 b) 29 c) 71 d) 97 e) 111 f) 143 2. Determine whether each of these integers is prime. a) 19 b) 27 c) 93 d) 101 e) 107 f)
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationA Few Primality Testing Algorithms
A Few Primality Testing Algorithms Donald Brower April 2, 2006 0.1 Introduction These notes will cover a few primality testing algorithms. There are many such, some prove that a number is prime, others
More informationPRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur
PRIMES is in P Manindra Agrawal NUS Singapore / IIT Kanpur The Problem Given number n, test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n) c for some constant
More informationMathematics for Cryptography
Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1
More informationPrimality testing: then and now
Seventy-five years of Mathematics of Computation ICERM, November 1 3, 2018 Primality testing: then and now Carl Pomerance Dartmouth College, Emeritus University of Georgia, Emeritus In 1801, Carl Friedrich
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationDixon s Factorization method
Dixon s Factorization method Nikithkumarreddy yellu December 2015 1 Contents 1 Introduction 3 2 History 3 3 Method 4 3.1 Factor-base.............................. 4 3.2 B-smooth...............................
More information