Integer Factorization using lattices
|
|
- Meredith Brown
- 6 years ago
- Views:
Transcription
1 Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010
2 Plan Introduction
3 Plan Introduction Outline of the algorithm
4 Plan Introduction Outline of the algorithm The search for relations
5 Plan Introduction Outline of the algorithm The search for relations Termination considerations
6 Plan Introduction Outline of the algorithm The search for relations Termination considerations Conclusions
7 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions
8 The Integer Factorization Problem Given a composite integer N, compute a proper divisor.
9 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3.
10 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975).
11 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975). Hence, it is unlikely to be NP-complete.
12 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975). Hence, it is unlikely to be NP-complete. Practical intractability is at the base of the RSA public key cryptosystem.
13 The Integer Factorization Problem Given a composite integer N, compute a proper divisor. Example: given N = 6, return 2 or 3. The decisional problem belongs to NP conp (Pratt, 1975). Hence, it is unlikely to be NP-complete. Practical intractability is at the base of the RSA public key cryptosystem. Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.
14 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations.
15 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in 1993.
16 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in In the beginning, completely theoretical.
17 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in In the beginning, completely theoretical. First working implementation : Ritter and Rössner, bit integer factored in 3 hours. Highly optimized enumeration.
18 Integer Factorization with Lattice Reduction De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. Schnorr seems to be the first which applied this to integer factorization, in In the beginning, completely theoretical. First working implementation : Ritter and Rössner, bit integer factored in 3 hours. Highly optimized enumeration. Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes.
19 Preliminary goals Improve the results of the original paper to make them effective.
20 Preliminary goals Improve the results of the original paper to make them effective. Understand the complexity of the algorithm.
21 Preliminary goals Improve the results of the original paper to make them effective. Understand the complexity of the algorithm. Implement an optimized version, à priori aimed at fixed-size integers.
22 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions
23 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N.
24 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N).
25 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N).
26 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N). Definition An integer is B-smooth when all of its prime factors are B.
27 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N). Definition An integer is B-smooth when all of its prime factors are B. 100 is 5-smooth since 100 =
28 Philosophy of the algorithm Congruence of squares method As in many factorization methods, we want to find integers x, y Z, x ±y such that x 2 y 2 mod N. Then, whenever x ±y mod N, we can factor N by computing gcd(x ± y, N). Definition An integer is B-smooth when all of its prime factors are B. 100 is 5-smooth since 100 = All integers B are B-smooth.
29 Factorization algorithm principle Given an integer N to be factored, do the following:
30 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,....
31 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,.... Find d + 2 solutions of u = v + kn where k Z, and u, v are p d -smooth.
32 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,.... Find d + 2 solutions of u = v + kn where k Z, and u, v are p d -smooth.
33 Factorization algorithm principle Given an integer N to be factored, do the following: Fix d 1 and build the factor base {p 0,..., p d }, where p 0 = 1, p 1 = 2, p 2 = 3, p 3 = 5,.... Find d + 2 solutions of u = v + kn where k Z, and u, v are p d -smooth.write the identities in the following form d j=0 p a i,j j d j=0 p b i,j j mod N i 1, d + 2. These last equalities are called relations.
34 Factorization algorithm principle Define the exponent vectors a i = (a i,0,..., a i,d ), b i = (b i,0,..., b i,d ), and compute a vector c = (c 1,..., c d+2 ) {0, 1} d+2 such that d+2 c i (a i + b i ) = 0 mod 2. i=1
35 Factorization algorithm principle Define the exponent vectors a i = (a i,0,..., a i,d ), b i = (b i,0,..., b i,d ), and compute a vector c = (c 1,..., c d+2 ) {0, 1} d+2 such that d+2 c i (a i + b i ) = 0 mod 2. Define and y = x = d j=0 i=1 d j=0 P d+2 i=1 p c i (a i,j +b i,j )/2 j mod N, P d+2 i=1 p c i a i,j j = d j=0 p P d+2 i=1 c i b i,j j mod N.
36 Factorization algorithm principle Define the exponent vectors a i = (a i,0,..., a i,d ), b i = (b i,0,..., b i,d ), and compute a vector c = (c 1,..., c d+2 ) {0, 1} d+2 such that d+2 c i (a i + b i ) = 0 mod 2. Define and y = x = d j=0 i=1 d j=0 P d+2 i=1 p c i (a i,j +b i,j )/2 j mod N, P d+2 i=1 p c i a i,j j = d j=0 P d+2 i=1 p c i b i,j j mod N. If x y mod N then return gcd(x + y, N). Else, restart with another vector c. If there are not more of them, fail.
37 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions
38 Finding relations The core of the algorithm is the search for relations.
39 Finding relations The core of the algorithm is the search for relations. We will see that lattices help in this search.
40 Finding relations The core of the algorithm is the search for relations. We will see that lattices help in this search. Restate the equation we want to solve as u kn = v, for u, v p d -smooth and k Z.
41 Finding relations The core of the algorithm is the search for relations. We will see that lattices help in this search. Restate the equation we want to solve as u kn = v, for u, v p d -smooth and k Z. We can forget the constraint of p d -smoothness on v by solving for u p d -smooth and k Z. u kn p d
42 Finding relations This kind of equation can be solved by working on the exponents u kn = e ln u e ln kn, trying to make ln u ln kn as small as possible, without increasing ln u and ln k too much.
43 Finding relations This kind of equation can be solved by working on the exponents u kn = e ln u e ln kn, trying to make ln u ln kn as small as possible, without increasing ln u and ln k too much. Schnorr codes a (u, k) pair in a vector z = (z 1,..., z d ) Z d, from which one recovers u and k by letting u = p z i i and k = p z i i. z i >0 z i <0
44 Finding relations With this notation, ln u = z i ln p i and ln k = z i ln p i. z i >0 z i <0
45 Finding relations With this notation, ln u = z i >0 z i ln p i and ln k = z i <0 z i ln p i. We want the two quantities ln u ln kn = ln u + ln k = d z i ln p i ln N i=1 d z i ln p i. i=1 to be small.
46 Finding relations With this notation, ln u = z i >0 z i ln p i and ln k = z i <0 z i ln p i. We want the two quantities ln u ln kn = ln u + ln k = d z i ln p i ln N i=1 d z i ln p i. i=1 to be small. This is where lattices enter the scene.
47 Schnorr s approach to factorization The Prime Number Lattice Define the Prime Number Basis and the target vector by p ln p S p = p 0 0 ln p d and t =. 0. C ln p 1 C ln p d C ln N
48 Schnorr s approach to factorization The Prime Number Lattice Define the Prime Number Basis and the target vector by p ln p S p = p 0 0 ln p d and t =. 0. C ln p 1 C ln p d C ln N Let z Z d be a coordinate vector. We have z p 1 ln p 1 S p z t =. p z d ln p d C(. d i=1 z p i ln pi ln N)
49 Schnorr s approach to factorization Computing a relation using lattices. The norm is given by d p d S p z t p p = z i p ln p i + C p z i ln p i ln N. i=1 i=1
50 Schnorr s approach to factorization Computing a relation using lattices. The norm is given by d d S p z t p p = z i p ln p i + C p z i ln p i ln N i=1 By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves: i=1 p.
51 Schnorr s approach to factorization Computing a relation using lattices. The norm is given by d d S p z t p p = z i p ln p i + C p z i ln p i ln N i=1 By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves: Theorem Let C 3. Then, for any nonzero integer vector z such that i=1 S 1 z t 1 2 ln C + 2 ln p d ln N, p. we have u kn p d.
52 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation.
53 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations.
54 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations. Why not trying to solve the inequality for γ 1? u kn γ p d
55 Schnorr s approach to factorization We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations. Why not trying to solve the inequality for γ 1? u kn γ p d Adleman used an approach similar to that of Schnorr, but where the search was of short vectors rather than close vectors.
56 Adleman s approach to factorization The Prime Number Lattice of Adleman includes the previously called target vector : p ln p A p = p 0 0 ln p d 0. C ln p 1 C ln p d C ln N
57 Adleman s approach to factorization The Prime Number Lattice of Adleman includes the previously called target vector : p ln p A p = p 0 0 ln p d 0. C ln p 1 C ln p d C ln N We have, for z Z d+1, A p z = z 1 p ln p 1. z p ( d ln p d d ) C i=1 z i ln p i + z d+1 ln N.
58 Adleman s approach to factorization The norm is given by A p z p p = d d z i p ln p i + C p z i ln p i + z d+1 ln N p. i=1 i=1
59 Adleman s approach to factorization The norm is given by A p z p p = d d z i p ln p i + C p z i ln p i + z d+1 ln N p. i=1 i=1 Theorem Let C 3 and z Z d+1, with δ = z d+1 and z d+1 0. Then, if for γ N \ {0} A 1 z 1 2 ln C + 2 ln p d (C(γ δ) + δ) ln N, then u kn γ p d.
60 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions
61 Are there enough relations? We gave a sufficient condition for a vector to give a relation.
62 Are there enough relations? We gave a sufficient condition for a vector to give a relation. Are there at least d + 2 of these vectors?
63 Are there enough relations? We gave a sufficient condition for a vector to give a relation. Are there at least d + 2 of these vectors? Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters p d = (ln N) α C = N c with c > 1 and α > (2c 1)/(c 1) constants, there are at least N ɛ+o(1) solution vectors, ɛ ɛ(α, c) > 0.
64 Are there enough relations? We gave a sufficient condition for a vector to give a relation. Are there at least d + 2 of these vectors? Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters p d = (ln N) α C = N c with c > 1 and α > (2c 1)/(c 1) constants, there are at least N ɛ+o(1) solution vectors, ɛ ɛ(α, c) > 0. The analysis of the algorithm is not rigorous by now.
65 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:
66 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem.
67 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths.
68 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths. Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:
69 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths. Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools: Analytic and Probabilistic Number Theory.
70 A lower bound for the number of relations Two approaches by now: Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: Minkowski s Theorem. Gaussian heuristic and the Gram-Schmidt lengths. Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools: Analytic and Probabilistic Number Theory. Independence hypotheses on arithmetic properties.
71 Outline Introduction Outline of the algorithm The search for relations Termination considerations Conclusions
72 Open problem Prove a lemma like the following, for the Euclidean norm :
73 Open problem Prove a lemma like the following, for the Euclidean norm : Lemma Let C 3. Then, for any integer vector z such that S 1 z t 1 ε, we have u kn exp ( ε 2) N C.
74 Conclusions The algorithm works in practice.
75 Conclusions The algorithm works in practice. The CVP formulation (Schnorr s) allows precomputations. Potentially useful for doing many factorizations in a row.
76 Conclusions The algorithm works in practice. The CVP formulation (Schnorr s) allows precomputations. Potentially useful for doing many factorizations in a row. Enumeration versus sampling: we need to have good estimates on the number of relations, in order to choose.
77 Conclusions We provided an effective version of Schnorr s criterion for detecting relations.
78 Conclusions We provided an effective version of Schnorr s criterion for detecting relations. This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski s theorem can provide a completely deterministic proof for the validity of the algorithm.
79 Conclusions We provided an effective version of Schnorr s criterion for detecting relations. This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski s theorem can provide a completely deterministic proof for the validity of the algorithm. To do : perform extensive experimentations, and maybe probabilistic modelling.
80 Bibliography BMM De Weger. Solving exponential diophantine equations using lattice basis reduction algorithms. Journal of Number Theory, 26( ):31, Daniele Micciancio and Shafi Goldwasser. Complexity of Lattice Problems: a cryptographic perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, Massachusetts, March Claus Peter Schnorr. Factoring integers and computing discrete logarithms via diophantine approximation. In Jin-Yi Cai, editor, Advances in Computational Complexity Theory, volume 13 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pages AMS, 1993.
Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.
Factoring Algorithms Pollard s p 1 Method This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Input: n (to factor) and a limit B Output: a proper factor of
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationCOMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationPILLAI S CONJECTURE REVISITED
PILLAI S COJECTURE REVISITED MICHAEL A. BEETT Abstract. We prove a generalization of an old conjecture of Pillai now a theorem of Stroeker and Tijdeman) to the effect that the Diophantine equation 3 x
More informationNumber Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.
CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L06, Steve/Courses/2011/S2/CSS322/Lectures/number.tex,
More informationChapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationInstructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test
Introduction to Algorithms (CS 482) Cornell University Instructor: Bobby Kleinberg Lecture Notes, 25 April 2008 The Miller-Rabin Randomized Primality Test 1 Introduction Primality testing is an important
More informationCSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all
More informationHardness of the Covering Radius Problem on Lattices
Hardness of the Covering Radius Problem on Lattices Ishay Haviv Oded Regev June 6, 2006 Abstract We provide the first hardness result for the Covering Radius Problem on lattices (CRP). Namely, we show
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationMODIFIED RSA IN THE DOMAIN OF GAUSSIAN INTEGERS
MODIFIED RSA IN THE DOMAIN OF GAUSSIAN INTEGERS A. N. El-Kassar Ramzi Haraty Y. A. Awad Department of Division of Computer Department of Mathematics Science Mathematics Mathematics Beirut Arab Lebanese
More informationBALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS
BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationconp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.
1 conp and good characterizations In these lecture notes we discuss a complexity class called conp and its relationship to P and NP. This discussion will lead to an interesting notion of good characterizations
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationDixon s Factorization method
Dixon s Factorization method Nikithkumarreddy yellu December 2015 1 Contents 1 Introduction 3 2 History 3 3 Method 4 3.1 Factor-base.............................. 4 3.2 B-smooth...............................
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms
More information1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation
1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational
More informationA Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science
More informationQuantum algorithms for computing short discrete logarithms and factoring RSA integers
Quantum algorithms for computing short discrete logarithms and factoring RSA integers Martin Ekerå, Johan Håstad February, 07 Abstract In this paper we generalize the quantum algorithm for computing short
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationCryptanalysis of the Quadratic Generator
Cryptanalysis of the Quadratic Generator Domingo Gomez, Jaime Gutierrez, Alvar Ibeas Faculty of Sciences, University of Cantabria, Santander E 39071, Spain jaime.gutierrez@unican.es Abstract. Let p be
More informationEncryption: The RSA Public Key Cipher
Encryption: The RSA Public Key Cipher Michael Brockway March 5, 2018 Overview Transport-layer security employs an asymmetric public cryptosystem to allow two parties (usually a client application and a
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationA Note on Quadratic Residuosity and UP
A Note on Quadratic Residuosity and UP Jin-Yi Cai a, Robert A. Threlfall b a Computer Sciences Department, University of Wisconsin, 1210 West Dayton St, Madison, WI 53706, USA b B & C Group International,
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationImplicit Factoring with Shared Most Significant and Middle Bits
Implicit Factoring with Shared Most Significant and Middle Bits Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault UPMC, Université Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project-team
More informationLecture Examples of problems which have randomized algorithms
6.841 Advanced Complexity Theory March 9, 2009 Lecture 10 Lecturer: Madhu Sudan Scribe: Asilata Bapat Meeting to talk about final projects on Wednesday, 11 March 2009, from 5pm to 7pm. Location: TBA. Includes
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationLecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.
Lecture # 12 Lecturer: Prof. Allan Borodin Scribe: Yeleiny Bonilla Agenda: I. Finish discussion of Vector Program Relaxation for Max-Cut problem. II. Briefly discuss same approach for Max-2-Sat. III. The
More informationCryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press
AN INTRODUCTION TO Number Theory with Cryptography James S Kraft Gilman School Baltimore, Maryland, USA Lawrence C Washington University of Maryland College Park, Maryland, USA CRC Press Taylor & Francis
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationSieving for Shortest Vectors in Ideal Lattices:
Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective Joppe W. Bos Microsoft Research LACAL@RISC Seminar on Cryptologic Algorithms CWI, Amsterdam, Netherlands Joint work with Michael
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 15 2018 Review Hash functions Collision resistance Merkle-Damgaard
More informationOn the Security of Multi-prime RSA
On the Security of Multi-prime RSA M. Jason Hinek David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G, Canada mjhinek@alumni.uwaterloo.ca June 3, 2006 Abstract.
More informationPrimitive sets in a lattice
Primitive sets in a lattice Spyros. S. Magliveras Department of Mathematical Sciences Florida Atlantic University Boca Raton, FL 33431, U.S.A spyros@fau.unl.edu Tran van Trung Institute for Experimental
More informationComputing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.
Computing Discrete Logarithms Many cryptosystems could be broken if we could compute discrete logarithms quickly. The first discrete logarithm algorithms below apply in any group. They are about the best
More informationShor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015
Shor s Algorithm Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015 Integer factorization n = p q (where p, q are prime numbers) is a cryptographic one-way function Classical algorithm with best
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationPrimitive Sets of a Lattice and a Generalization of Euclidean Algorithm
Primitive Sets of a Lattice and a Generalization of Euclidean Algorithm Spyros. S. Magliveras Center for Cryptology and Information Security Department of Mathematical Sciences Florida Atlantic University
More informationSome Lattice Attacks on DSA and ECDSA
Some Lattice Attacks on DSA and ECDSA Dimitrios Poulakis Department of Mathematics, Aristotle University of Thessaloniki, Thessaloniki 54124, Greece, email:poulakis@math.auth.gr November 10, 2010 Abstract
More information. In particular if a b then N(
Gaussian Integers II Let us summarise what we now about Gaussian integers so far: If a, b Z[ i], then N( ab) N( a) N( b). In particular if a b then N( a ) N( b). Let z Z[i]. If N( z ) is an integer prime,
More informationNotes on Systems of Linear Congruences
MATH 324 Summer 2012 Elementary Number Theory Notes on Systems of Linear Congruences In this note we will discuss systems of linear congruences where the moduli are all different. Definition. Given the
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationComplexity Analysis of a Fast Modular Multiexponentiation Algorithm
Complexity Analysis of a Fast Modular Multiexponentiation Algorithm Haimin Jin 1,, Duncan S. Wong, Yinlong Xu 1 1 Department of Computer Science University of Science and Technology of China China jhm113@mail.ustc.edu.cn,
More informationand the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that
Sampling short lattice vectors and the closest lattice vector problem Miklos Ajtai Ravi Kumar D. Sivakumar IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120. fajtai, ravi, sivag@almaden.ibm.com
More informationNew Practical Algorithms for the Approximate Shortest Lattice Vector
New Practical Algorithms for the Approximate Shortest Lattice Vector Claus Peter Schnorr Fachbereiche Mathemati/Informati, Universität Franfurt, PSF 493, D-60054 Franfurt am Main, Germany. schnorr@cs.uni-franfurt.de
More informationPrimality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant
CS265/CME309, Fall 2018. Instructor: Gregory Valiant Primality Testing [These notes may not be distributed outside this class without the permission of Gregory Valiant.] 1 Introduction Prime numbers are
More informationMAT246H1S - Concepts In Abstract Mathematics. Solutions to Term Test 1 - February 1, 2018
MAT246H1S - Concepts In Abstract Mathematics Solutions to Term Test 1 - February 1, 2018 Time allotted: 110 minutes. Aids permitted: None. Comments: Statements of Definitions, Principles or Theorems should
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationEstimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation
Estimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation Yoshitatsu Matsuda 1, Tadanori Teruya, and Kenji Kashiwabara 1 1 Department of General Systems Studies, Graduate
More informationLARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).
LARGE PRIME NUMBERS 1. Fast Modular Exponentiation Given positive integers a, e, and n, the following algorithm quickly computes the reduced power a e % n. (Here x % n denotes the element of {0,, n 1}
More informationFully Deterministic ECM
Fully Deterministic ECM Iram Chelli LORIA (CNRS) - CACAO Supervisor: P. Zimmermann September 23, 2009 Introduction The Elliptic Curve Method (ECM) is currently the best-known general-purpose factorization
More informationLecture notes: Algorithms for integers, polynomials (Thorsten Theobald)
Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationAlgorithms (II) Yu Yu. Shanghai Jiaotong University
Algorithms (II) Yu Yu Shanghai Jiaotong University Chapter 1. Algorithms with Numbers Two seemingly similar problems Factoring: Given a number N, express it as a product of its prime factors. Primality:
More informationChapter 9 Factorisation and Discrete Logarithms Using a Factor Base
Chapter 9 Factorisation and Discrete Logarithms Using a Factor Base February 15, 2010 9 The two intractable problems which are at the heart of public key cryptosystems, are the infeasibility of factorising
More informationA Lattice-Based Public-Key Cryptosystem
A Lattice-Based Public-Key Cryptosystem Jin-Yi Cai and Thomas W. Cusick 1 Department of Computer Science State University of New York at Buffalo, Buffalo, NY 1460 cai@cs.buffalo.edu Department of Mathematics
More informationRéduction de réseau et cryptologie.
Réduction de réseau et cryptologie Séminaire CCA Nicolas Gama Ensicaen 8 janvier 2010 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier 2010 1 / 54 Outline 1 Example of lattice problems
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationA new security notion for asymmetric encryption Draft #12
A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationNUMBER THEORY AND CODES. Álvaro Pelayo WUSTL
NUMBER THEORY AND CODES Álvaro Pelayo WUSTL Talk Goal To develop codes of the sort can tell the world how to put messages in code (public key cryptography) only you can decode them Structure of Talk Part
More informationChapter 2 (Part 3): The Fundamentals: Algorithms, the Integers & Matrices. Integers & Algorithms (2.5)
CSE 54 Discrete Mathematics & Chapter 2 (Part 3): The Fundamentals: Algorithms, the Integers & Matrices Integers & Algorithms (Section 2.5) by Kenneth H. Rosen, Discrete Mathematics & its Applications,
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationLocally Dense Codes. Daniele Micciancio. August 26, 2013
Electronic Colloquium on Computational Complexity, Report No. 115 (2013) Locally Dense Codes Daniele Micciancio August 26, 2013 Abstract The Minimum Distance Problem (MDP), i.e., the computational task
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationFrom the shortest vector problem to the dihedral hidden subgroup problem
From the shortest vector problem to the dihedral hidden subgroup problem Curtis Bright University of Waterloo December 8, 2011 1 / 19 Reduction Roughly, problem A reduces to problem B means there is a
More informationICS141: Discrete Mathematics for Computer Science I
ICS141: Discrete Mathematics for Computer Science I Dept. Information & Computer Sci., Jan Stelovsky based on slides by Dr. Baek and Dr. Still Originals by Dr. M. P. Frank and Dr. J.L. Gross Provided by
More informationAlgorithms CMSC Homework set #1 due January 14, 2015
Algorithms CMSC-27200 http://alg15.cs.uchicago.edu Homework set #1 due January 14, 2015 Read the homework instructions on the website. The instructions that follow here are only an incomplete summary.
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationCONTINUED FRACTIONS, PELL S EQUATION, AND TRANSCENDENTAL NUMBERS
CONTINUED FRACTIONS, PELL S EQUATION, AND TRANSCENDENTAL NUMBERS JEREMY BOOHER Continued fractions usually get short-changed at PROMYS, but they are interesting in their own right and useful in other areas
More informationPrimality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA
Primality testing: variations on a theme of Lucas Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA In 1801, Carl Friedrich Gauss wrote: The problem of distinguishing prime numbers from composite
More informationSMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance
SMOOTH NUMBERS AND THE QUADRATIC SIEVE Carl Pomerance When faced with a large number n to factor, what do you do first? You might say Look at the last digit, with the idea of cheaply pulling out possible
More informationcse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications
cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications n-bit unsigned integer representation Represent integer x as sum of powers of 2: If x = n 1 i=0 b i 2 i where each b i
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationDiscrete mathematics I - Number theory
Discrete mathematics I - Number theory Emil Vatai (based on hungarian slides by László Mérai) 1 January 31, 2018 1 Financed from the financial support ELTE won from the Higher Education
More informationA Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations
A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations James A. Muir School of Computer Science Carleton University, Ottawa, Canada http://www.scs.carleton.ca/ jamuir 23 October
More informationAddition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?
Ch - Algorithms with numbers Addition Basic arithmetic Addition ultiplication Division odular arithmetic factoring is hard Primality testing 53+35=88 Cost? (n number of bits) O(n) ultiplication al-khwārizmī
More informationFERMAT S TEST KEITH CONRAD
FERMAT S TEST KEITH CONRAD 1. Introduction Fermat s little theorem says for prime p that a p 1 1 mod p for all a 0 mod p. A naive extension of this to a composite modulus n 2 would be: for all a 0 mod
More informationa the relation arb is defined if and only if = 2 k, k
DISCRETE MATHEMATICS Past Paper Questions in Number Theory 1. Prove that 3k + 2 and 5k + 3, k are relatively prime. (Total 6 marks) 2. (a) Given that the integers m and n are such that 3 (m 2 + n 2 ),
More informationLecture 11: Number Theoretic Assumptions
CS 6903 Modern Cryptography April 24, 2008 Lecture 11: Number Theoretic Assumptions Instructor: Nitesh Saxena Scribe: Robert W.H. Fisher 1 General 1.1 Administrative Homework 3 now posted on course website.
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More information