Integer Factorization using lattices

Transcription

1 Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010

2 Plan Introduction

3 Plan Introduction Outline of the algorithm

4 Plan Introduction Outline of the algorithm The search for relations

5 Plan Introduction Outline of the algorithm The search for relations Termination considerations

6 Plan Introduction Outline of the algorithm The search for relations Termination considerations Conclusions

7 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions

8 The Integer Factorization Problem Given a composite integer N, compute a proper divisor.

9 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3.

10 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975).

11 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975). Hence, it is unlikely to be NP-complete.

12 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975). Hence, it is unlikely to be NP-complete. Practical intractability is at the base of the RSA public key cryptosystem.

13 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975). Hence, it is unlikely to be NP-complete. Practical intractability is at the base of the RSA public key cryptosystem. Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.

14 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations.

15 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in 1993.

16 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in In the beginning, completely theoretical.

17 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in In the beginning, completely theoretical. First working implementation : Ritter and Rössner, bit integer factored in 3 hours. Highly optimized enumeration.

18 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in In the beginning, completely theoretical. First working implementation : Ritter and Rössner, bit integer factored in 3 hours. Highly optimized enumeration. Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes.

19 Preliminary goals Improve the results of the original paper to make them effective.

20 Preliminary goals Improve the results of the original paper to make them effective. Understand the complexity of the algorithm.

21 Preliminary goals Improve the results of the original paper to make them effective. Understand the complexity of the algorithm. Implement an optimized version, à priori aimed at fixed-size integers.

22 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions

23 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N.

24 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N).

25 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N).

26 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N). Definition An integer is B-smooth when all of its prime factors are B.

27 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N). Definition An integer is B-smooth when all of its prime factors are B. 100 is 5-smooth since 100 =

28 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N). Definition An integer is B-smooth when all of its prime factors are B. 100 is 5-smooth since 100 = All integers B are B-smooth.

29 Factorization algorithm principle Given an integer N to be factored, do the following:

30 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,....

31 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,.... Find d + 2 solutions of u = v + kn where k Z, and u, v are p d -smooth.

32 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,.... Find d + 2 solutions of u = v + kn where k Z, and u, v are p d -smooth.

33 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,.... Find d + 2 solutions of u = v + kn where k Z, and u, v are p d -smooth.write the identities in the following form d j=0 p a i,j j d j=0 p b i,j j mod N i 1, d + 2. These last equalities are called relations.

34 Factorization algorithm principle Define the exponent vectors a i = (a i,0,..., a i,d ), b i = (b i,0,..., b i,d ), and compute a vector c = (c 1,..., c d+2 ) {0, 1} d+2 such that d+2 c i (a i + b i ) = 0 mod 2. i=1

35 Factorization algorithm principle Define the exponent vectors a i = (a i,0,..., a i,d ), b i = (b i,0,..., b i,d ), and compute a vector c = (c 1,..., c d+2 ) {0, 1} d+2 such that d+2 c i (a i + b i ) = 0 mod 2. Define and y = x = d j=0 i=1 d j=0 P d+2 i=1 p c i (a i,j +b i,j )/2 j mod N, P d+2 i=1 p c i a i,j j = d j=0 p P d+2 i=1 c i b i,j j mod N.

36 Factorization algorithm principle Define the exponent vectors a i = (a i,0,..., a i,d ), b i = (b i,0,..., b i,d ), and compute a vector c = (c 1,..., c d+2 ) {0, 1} d+2 such that d+2 c i (a i + b i ) = 0 mod 2. Define and y = x = d j=0 i=1 d j=0 P d+2 i=1 p c i (a i,j +b i,j )/2 j mod N, P d+2 i=1 p c i a i,j j = d j=0 P d+2 i=1 p c i b i,j j mod N. If x y mod N then return gcd(x + y, N). Else, restart with another vector c. If there are not more of them, fail.

37 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions

38 Finding relations The core of the algorithm is the search for relations.

39 Finding relations The core of the algorithm is the search for relations. We will see that lattices help in this search.

40 Finding relations The core of the algorithm is the search for relations. We will see that lattices help in this search. Restate the equation we want to solve as u kn = v, for u, v p d -smooth and k Z.

41 Finding relations The core of the algorithm is the search for relations. We will see that lattices help in this search. Restate the equation we want to solve as u kn = v, for u, v p d -smooth and k Z. We can forget the constraint of p d -smoothness on v by solving for u p d -smooth and k Z. u kn p d

42 Finding relations This kind of equation can be solved by working on the exponents u kn = e ln u e ln kn, trying to make ln u ln kn as small as possible, without increasing ln u and ln k too much.

43 Finding relations This kind of equation can be solved by working on the exponents u kn = e ln u e ln kn, trying to make ln u ln kn as small as possible, without increasing ln u and ln k too much. Schnorr codes a (u, k) pair in a vector z = (z 1,..., z d ) Z d, from which one recovers u and k by letting u = p z i i and k = p z i i. z i >0 z i <0

44 Finding relations With this notation, ln u = z i ln p i and ln k = z i ln p i. z i >0 z i <0

45 Finding relations With this notation, ln u = z i >0 z i ln p i and ln k = z i <0 z i ln p i. We want the two quantities ln u ln kn = ln u + ln k = d z i ln p i ln N i=1 d z i ln p i. i=1 to be small.

46 Finding relations With this notation, ln u = z i >0 z i ln p i and ln k = z i <0 z i ln p i. We want the two quantities ln u ln kn = ln u + ln k = d z i ln p i ln N i=1 d z i ln p i. i=1 to be small. This is where lattices enter the scene.

47 Schnorr s approach to factorization The Prime Number Lattice Define the Prime Number Basis and the target vector by p ln p S p = p 0 0 ln p d and t =. 0. C ln p 1 C ln p d C ln N

48 Schnorr s approach to factorization The Prime Number Lattice Define the Prime Number Basis and the target vector by p ln p S p = p 0 0 ln p d and t =. 0. C ln p 1 C ln p d C ln N Let z Z d be a coordinate vector. We have z p 1 ln p 1 S p z t =. p z d ln p d C(. d i=1 z p i ln pi ln N)

49 Schnorr s approach to factorization Computing a relation using lattices. The norm is given by d p d S p z t p p = z i p ln p i + C p z i ln p i ln N. i=1 i=1

50 Schnorr s approach to factorization Computing a relation using lattices. The norm is given by d d S p z t p p = z i p ln p i + C p z i ln p i ln N i=1 By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves: i=1 p.

51 Schnorr s approach to factorization Computing a relation using lattices. The norm is given by d d S p z t p p = z i p ln p i + C p z i ln p i ln N i=1 By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves: Theorem Let C 3. Then, for any nonzero integer vector z such that i=1 S 1 z t 1 2 ln C + 2 ln p d ln N, p. we have u kn p d.

52 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation.

53 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations.

54 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations. Why not trying to solve the inequality for γ 1? u kn γ p d

55 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations. Why not trying to solve the inequality for γ 1? u kn γ p d Adleman used an approach similar to that of Schnorr, but where the search was of short vectors rather than close vectors.

56 Adleman s approach to factorization The Prime Number Lattice of Adleman includes the previously called target vector : p ln p A p = p 0 0 ln p d 0. C ln p 1 C ln p d C ln N

57 Adleman s approach to factorization The Prime Number Lattice of Adleman includes the previously called target vector : p ln p A p = p 0 0 ln p d 0. C ln p 1 C ln p d C ln N We have, for z Z d+1, A p z = z 1 p ln p 1. z p ( d ln p d d ) C i=1 z i ln p i + z d+1 ln N.

58 Adleman s approach to factorization The norm is given by A p z p p = d d z i p ln p i + C p z i ln p i + z d+1 ln N p. i=1 i=1

59 Adleman s approach to factorization The norm is given by A p z p p = d d z i p ln p i + C p z i ln p i + z d+1 ln N p. i=1 i=1 Theorem Let C 3 and z Z d+1, with δ = z d+1 and z d+1 0. Then, if for γ N \ {0} A 1 z 1 2 ln C + 2 ln p d (C(γ δ) + δ) ln N, then u kn γ p d.

60 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions

61 Are there enough relations? We gave a sufficient condition for a vector to give a relation.

62 Are there enough relations? We gave a sufficient condition for a vector to give a relation. Are there at least d + 2 of these vectors?

63 Are there enough relations? We gave a sufficient condition for a vector to give a relation. Are there at least d + 2 of these vectors? Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters p d = (ln N) α C = N c with c > 1 and α > (2c 1)/(c 1) constants, there are at least N ɛ+o(1) solution vectors, ɛ ɛ(α, c) > 0.

64 Are there enough relations? We gave a sufficient condition for a vector to give a relation. Are there at least d + 2 of these vectors? Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters p d = (ln N) α C = N c with c > 1 and α > (2c 1)/(c 1) constants, there are at least N ɛ+o(1) solution vectors, ɛ ɛ(α, c) > 0. The analysis of the algorithm is not rigorous by now.

65 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:

66 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem.

67 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths.

68 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths. Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:

69 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths. Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools: Analytic and Probabilistic Number Theory.

70 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths. Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools: Analytic and Probabilistic Number Theory. Independence hypotheses on arithmetic properties.

71 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions

72 Open problem Prove a lemma like the following, for the Euclidean norm :

73 Open problem Prove a lemma like the following, for the Euclidean norm : Lemma Let C 3. Then, for any integer vector z such that S 1 z t 1 ε, we have u kn exp ( ε 2) N C.

74 Conclusions The algorithm works in practice.

75 Conclusions The algorithm works in practice. The CVP formulation (Schnorr s) allows precomputations. Potentially useful for doing many factorizations in a row.

76 Conclusions The algorithm works in practice. The CVP formulation (Schnorr s) allows precomputations. Potentially useful for doing many factorizations in a row. Enumeration versus sampling: we need to have good estimates on the number of relations, in order to choose.

77 Conclusions We provided an effective version of Schnorr s criterion for detecting relations.

78 Conclusions We provided an effective version of Schnorr s criterion for detecting relations. This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski s theorem can provide a completely deterministic proof for the validity of the algorithm.

79 Conclusions We provided an effective version of Schnorr s criterion for detecting relations. This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski s theorem can provide a completely deterministic proof for the validity of the algorithm. To do : perform extensive experimentations, and maybe probabilistic modelling.

80 Bibliography BMM De Weger. Solving exponential diophantine equations using lattice basis reduction algorithms. Journal of Number Theory, 26( ):31, Daniele Micciancio and Shafi Goldwasser. Complexity of Lattice Problems: a cryptographic perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, Massachusetts, March Claus Peter Schnorr. Factoring integers and computing discrete logarithms via diophantine approximation. In Jin-Yi Cai, editor, Advances in Computational Complexity Theory, volume 13 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pages AMS, 1993.