I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k

Size: px

Start display at page:

Download "I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k"

Derick Clarke
5 years ago
Views:

1 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 MPRI Cours I. Introduction ECOLE POLYTECHNIQUE F. Morain Lecture IIb: Introduction to integer factorization 2009/11/30 I. Introduction. II. Finding small factors of integers. Input: an integer N; Output: N = k i=1 pα i i with p i (proven) prime. Major impact: estimate the security of RSA cryptosystems. Also: primitive for a lot of number theory problems. How do we test and compare algorithms? Cunningham project, RSA Security (partitions, RSA keys) though abandoned? III. Pollard s p 1 method. IV. ECM. F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours / ( )/9 200 CFRAC: QS: ( ) SNFS: RSA GNFS: F 9 p(11887) 140 RSA-129 RSA , 104+ RSA-130 RSA-120 2, 1450M F QS: SNFS: GNFS: ( )/9 ( ) 41 1 RSA-140 RSA , , 1642M RSA-200 RSA-160 RSA-576 RSA , 353

2 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 More figures for RSA-dd What is the factorization of a random number? dd who when time 100 Manasse & A. K. Lenstra MIPS-year 110 AKL 1992 one month on 5/8 of a MasPar 16K 120 AKL, Dodson, Denny, MIPS-year Manasse, Lioen, te Riele 129 Atkins, Graff, AKL, MIPS-year Leyland + INTERNET 130 Dodson, Montgomery, MIPS-year Elkenbracht-Huizing, AKL, WWW, Fante, Leyland, Weber, Zayer 140 te Riele, Cavallar, Lioen, MIPS-year Montgomery, Dodson, AKL, Leyland, Murphy, Zimmermann 155 CABAL MIPS-year 200 Franke et al. 05/ years 2.2GHz Opteron N = N 1 N 2 N r with N i prime, N i N i+1. Prop. r log 2 N; r = log log N. Size of the factors: D k = lim N + log N k / log N exists and On average k D k N 1 N 0.62, N 2 N 0.21, N 3 N an integer has one large factor, a medium size one and a bunch of small ones. F. Morain École polytechnique MPRI cours /26 A crucial species: smooth numbers Def. A B-smooth number N has all its prime factors B. Main interest: all relation collecting algorithms (Quadratic sieve, index calculus, etc.). de Bruijn s function: ψ(x, y) = Card{N x, p N p y}. Main theorem: (Canfield, Erdős, Pomerance) For all ε > 0, uniformly in y (log x) 1+ε, when x x ψ(x, y) =, u = log x/ log y. uu(1+o(1)) A useful function: ( ) L(x) = exp log x log log x. Prop. For all α > 0, β > 0, when x ψ(x α, L(x) β ) = x α L(x) α 2β +o(1). F. Morain École polytechnique MPRI cours /26 II. Finding small factors of integers Pb. Let P = {p 1, p 2,...,p m } be a finite set of primes, X = {x 1, x 2,...,x n } a finite sequence of integers. For x in X, define the P-smooth part of x F(x) = p e. p P p e x How can we compute all F(x) rapidly? Basic case: P B = {2, 3,...,B}; X = {x 1 }. Rem. building P B is a classical exercise (Eratosthenes sieve); B = 2 32 is not a problem (store (p i+1 p i )/2 as a char).

3 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 A) Trial division Algorithm: divide all x s by all p s. Claims: Multiplication of two n-bit integers (resp. degree n polynomials over a ring R) can be realized in O(M int (n)) (resp. O(M pol (n))) bit-operations (resp. operations in R) with traditional (resp. best) value of n 2 (resp. n log n log log n). Quotient and remainder of a(x) of degree n + m by b(x) of degree n can be done using O(M pol (m) + M pol (n) + n) operations over R. A 2n-bit integer divided by a n-bit one takes O(M int (n)). Basic case: lg P B = p B lg p = O(B lg B) and TD costs O(B 1+o(1) (lg X)) (if all x i have the same size). B) Product trees Algorithm: Franke/Kleinjung/FM/Wirth improved by Bernstein 1. [Product tree] Compute z = p 1 p m. 2. [Remainder tree] Compute z mod x 1,..., z mod x n. z mod (x 1 x 2 x 3 x 4 ) z mod (x 1 x 2 ) z mod (x 3 x 4 ) z mod x 1 z mod x 2 z mod x 3 z mod x 4 F. Morain École polytechnique MPRI cours /26 Product trees (cont d) 3. [explode valuation] For each k {1,...,n}, compute y k = z 2e mod x k with e s.t. 2 2e x k ; print gcd(x k, y k ). F. Morain École polytechnique MPRI cours /26 Validity and analysis Imagine all p i s have the same size β. Product tree: 2M(β) + M(2β). M(2β) 2M(β) Naive case: p 1 p }{{} 2 +(p 1 p 2 )p 3 +(p 1 p 2 p 3 )p 4 6M(β). }{{}}{{} M(β) M(2β,β) M(3β,β) Comparison: 4M(β) vs. M(2β)? Equal if M(β) = β 2, product tree better if M(β) = β a, a < 2. General principle: only the last step counts. Validity: let y k = z 2e mod x k. Suppose p x k. Then ν p (x k ) 2 e, since 2 ν p ν 2 2e. Therefore ν p (y k ) 2 e ν and the gcd will contain the right valuation. Analysis: given b = total number of bits in P and X, O((lg b)m int (b) = O(b(lg b) 2+o(1) ). Step 1: O(log mm int (b)). Step 2: O(log nm int (b)). Step 3: O(b k (lg b)m int (b k )) since e O(lg b); overall cost is obtained via P bk = O(b). Rem. If more information is needed, use Bernstein for b(lg b) 3+o(1). See Bernstein s web page.

4 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 C) Pollard s ρ (again!) Prop. Let f : E E, #E = m; X n+1 = f(x n ) with X 0 E. The functional digraph of X is: X 0 X 1 X 2 X µ X µ 1 X µ+1 X µ+λ 1 Fact. There exists a unique e > 0 (epact) s.t. µ e < λ + µ and X 2e = X e. On average, e = O( m). Floyd s algorithm: X <- X0; Y <- X0; e <- 0; repeat X <- f(x); Y <- f(f(y)); e <- e+1; until X = Y; Application to the factorization of N Idea: suppose p N and we have a random f mod N s.t. f mod p is random. function f(x, N) return (x 2 + 1) mod N; end. function rho(n) 1. [initialization] x:=1; y:=1; g:=1; 2. [loop] while (g = 1) do x:=f(x, N); y:=f(f(y, N), N); g:=gcd(x-y, N); endwhile; 3. return g; F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 D) Pollard Strassen Conjecture. RHO finds p N using O( p) iterations. Thm. (Bach, 1991) Proba finding p N after k iterations is at least when p goes to infinity. In practice: ( k 2) p + O(p 3/2 ) Trick: compute gcd( i (x 2i x i ), N). Choosing f : some choices are bad, as x x 2 et x x 2 2. Tables exist for given f s. Improvements: reducing the number of evaluation of f, see Brent, Montgomery. Input: B N. Output: smallest p B dividing N if any. 0. Let C = B. 1. Compute f(x) = 1 j C (X + j) Z/NZ[X]. 2. Compute all g i = f(ic) Z/NZ for 0 i < C. 3. if gcd(g i, N) = 1 for all i then return FAILURE else set k = min i {gcd(g i, N) > 1}. 4. return min d {kc + 1 d kc + c, d N}. Validity: p N and p f(ic) for some 0 i < C if and only if p divides some number in {ic + 1,...,iC + C}.

5 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 Analysis III. Pollard s p 1 method Step 1: product tree again, hence O(M pol (C) log C) additions and multiplications in Z/NZ. Step 2: multipoint evaluation O(M pol (C) log C), same as remainder tree, since f(a) = f(x) mod (X a). Step 3: C gcd s for a cost of O(CM int (log N) log log N). Step 4: O(CM int (log N)). Total: O(M pol (B 0.5 )M int (log N)(log B + log log N)). Deterministic. Rem. Bostant/Gaudry/Schost got rid of the log B term. Idea: assume p N and a is prime to p. Then (p a p 1 1 and p N) p gcd(a p 1 1, N). Same if some R is known s.t. p 1 R and we compute gcd((a R mod N) 1, N). How do we find R? Only reasonable hope is that p 1 B! for some (small) B. In other words, p is B-smooth. Algorithm: R = p α B 1 p α = lcm(2,...,b 1 ). Rem. (usual trick) we compute gcd( k ((ar k 1) mod N), N). F. Morain École polytechnique MPRI cours /26 Second phase: the classical one F. Morain École polytechnique MPRI cours /26 Second phase: faster Let b = a R mod N and gcd(b, N) = 1. Hyp. p 1 = Qs with Q R and s prime, B 1 < s B 2. Test: is gcd(b s 1, N) > 1 for some s. Let s j denote the j-th prime. In practice all s j+1 s j are small (Cramer s conjecture implies s j+1 s j (log B 2 ) 2 ). Precompute c δ b δ mod N for all possible δ (small); Compute next value with one multiplication b s j+1 = b s j c sj+1 s j mod N. Cost: O((log B 2 ) 2 ) + O(log s 1 ) + (π(b 2 ) π(b 1 )) multiplications +(π(b 2 ) π(b 1 )) gcd s. When B 2 B 1, π(b 2 ) dominates. Rem. We need a table of all primes < B 2 ; memory is O(B 2 ). Select w B 2, v 1 = B 1 /w, v 2 = B 2 /w. Write our prime s as s = vw u, with 0 u < w, v 1 v v 2. One has gcd(b s 1, N) > 1 iff gcd(b wv b u, N) > Precompute b u mod N for all 0 u < w. 2. Precompute all(b w ) v for all v 1 v v For all u and all v evaluate gcd(b vw b u, N). Number of multiplications is w + (v 2 v 1 ) + O(log 2 w) = O( B 2 ), memory is also O( B 2 ). Number of gcd is still π(b 2 ) π(b 1 ). Record. Zimmermann (58 dd of , 2005).

6 F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26 Second phase: faster Algorithm: 1. Compute h(x) = 0 u<w (X bu ) Z/NZ[X] 2. Evaluate all h((b w ) v ) for all v 1 v v Evaluate all gcd(h(b wv ), N). Analysis: Step 1: O((log w)m pol (w)) operations (using a product tree). Step 2: O((log w)m int (log N)) for b w ; v 2 v 1 for (b w ) v ; multi-point evaluation on w points takes O((log w)m pol (w)). Rem. Evaluating h(x) along a geometric progression of length w takes O(w log w) operations (see Montgomery-Silverman). Total cost: O((log w)m pol (w)) = O(B 0.5+o(1) 2 ). Trick: use gcd(u, w) = 1 and w = F. Morain École polytechnique MPRI cours /26 Just the beginning of the story Continuing p 1 with the birthday paradox Consider B = b mod p. By hypothesis, #B = s. If we draw s elements at random in B, then we have a collision (birthday paradox). Algorithm: build (b i ) with b 0 = b, and { b 2 b i+1 = i mod N with proba 1/2 b 2 i b mod N with proba 1/2. We gather r s values and compute where r i=1 j i(b i b j ) = Disc(P(X)) = i P(X) = r (X b i ). i=1 use fast polynomial operations again. P (b i ) Rem. This idea can be reused in many factoring algorithms. F. Morain École polytechnique MPRI cours /26 IV. ECM Rem. Over a ring, the addition law must be defined with some care, due to singular points (see Lenstra for a rigorous presentation). Prototype of the Φ k factoring methods: Williams s p + 1 method, Bach + Shallit. Quadratic forms. ECM. E N = { (x, y), y 2 x 3 + ax + b mod N } { O N }, s.t. gcd(4a b 2, N) = 1. A point is an element of E N. Note for all prime p N, E p is actually an elliptic curve. Pseudo-addition: given two points P and Q, returns either a point R s.t. P p Q p = R p for all p N; or a divisor d of N.

7 ECM: Pollard s p 1 on a curve Algorithm: find (E, P = (x 0, y 0 )) s.t. y 2 0 x3 0 + ax 0 + b mod N; compute [R]P on E until the pseudo-addition returns a factor of N. all variants of p 1 works, except the FFT 2nd phase. An example: Computing [3]Q = [3!]P: E N : y 2 x 3 + x + 1 mod 143, P = (0, 1) Q = [2]P = (36, 124) [2]Q = (127, 71). λ = (124 71) (36 127) 1 mod 143. ECM: analysis ECM works when there exists E N s.t. E p has a smooth cardinality. Varying E makes #E vary we can use a lot of them. Rationale: #E p should behave as a random number p. Conjecture (Lenstra) Let L(x) = exp ( log x log log x ). Using L(p) 1/ 2 curves, we can find p N with O(L(p) 2 ) operations on curves. In practice: very very efficient for p , record of p with 67 decimal digits. Many tricks known: fast elliptic group laws (even Edwards); forcing a torsion subgroup is also possible. But gcd(36 127, 143) = gcd(52, 143) = 13. F. Morain École polytechnique MPRI cours /26 F. Morain École polytechnique MPRI cours /26

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational