Algorithms for factoring

Transcription

1 CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of ts ractcal alcatons n crytorahy The securty of some of the most romnent crytosystems n Publc key crytograhy such as RSA rely on the assumton that factorsaton s hard However dffculty of factorsaton of ntegers has not been roven and hence there has been a lot of work done n comng u wth fast algorthms for factorsaton Here we wll talk about a few such factorsaton algorthms whch take lesser oeratons than the brute force algorthm to comute factors:- Pollard s -1 algorthm Pollard s rho algorthm Quadratc Seve algorthm The Fermat s Lttle Theorem s at the core of these algorthms Theorem 1 Fermat s Lttle Theorem : Let be a rme number and a Z be relatvely rme to then a 1 1(mod) We wll be consderng factorsaton of ntegers of tye N = q where and q are rme numbers and < q 1 Pollard s -1 Algorthm 11 The Man Idea: Let us consder an nteger m st ( 1) m but (q 1) m Now choose an x N ZN unformly randomly and comute y = (x m N 1)mod N Then accordng to the Chnese Remander Theorem we can fnd x Z and x q Zq such that we have, y (x, x q ) m (1, 1) = (x m 1 mod, x m q 1 mod q) Usng the fact that ( 1) m and the Fermat s Lttle Theorem we get, y = (0, x m q 1 mod q) If x m q 1 mod q then we can see that y but q y Ths n turn nles that gcd(y, N) = So by smly dong one gcd comutaton we can obtan the rme factor of N However 9-1

2 there are two roblems we stll need to deal wth 1) How to select m, 2) Once we have selected m st ( 1) m but (q 1) m, wll x m q 1 mod q hold wth hgh robablty? Lets address the second queston frst We wll show that ndeed f ( 1) m but (q 1) m, then x m q 1 mod q holds wth hgh robablty 12 The Algorthm works!(wth hgh robablty): If ( 1) m and (q 1) m then as long as x q s a generator of Z q, from Prooston 2 we can see that x m q 1 mod q Prooston 2 Let G be a fnte grou, and g G an element of G of order Then for any nteger x, we have g x = g [x mod ] Now all we need to do s analyse the robablty that x q s a generator of Z q Snce Z q s a cyclc grou from Theorem 3, the number of generator elements would be ϕ(q 1) snce q 1 s the order of ths grou Theorem 3 Let G be a cyclc grou of order q > 1 wth generator g generators of G, and these are exactly gven by {g x x Zq } There are ϕ(q) Also as x N was chosen unformly random from ZN and as the chnese remander theorem gves us a bjecton from ZN to Z Zq we can say that x q s also unformly dstrbuted n Zq Thus robablty that x q s a generator element s ϕ(q 1) q 1 = Ω(1/ log q) = Ω(1/n), from Theorem 4 Here n s the length of q Theorem 4 For N 3 for length n, we have N ϕ(n) < 2n Now by chosng multle values of x we can boost ths robablty Now let us look at how to select an m such that ( 1) m but (q 1) m 13 Selectng arorate m: One ossble soluton s to select m = k for some k where denotes the t h rme Here n s the length of Then notce that n/ log s the maxmum ower can have to ossbly dvde 1 If 1 can be wrtten as k =1 e, where e 0 then ( 1) m On the other hand f q 1 has any rme factor greater than k then (q 1) m Increasng the value of k would make comutng m more exensve and ths would make the algorthm mractcal Thus for the Pollard s -1 algorthm to work effcently t s mortant that -1 have only small rme factors We wll look at another algorthm namely Pollard s Rho Algorthm whch removes ths assumton 2 Pollard s Rho Algorthm =1 n/ log Ths algorthm can be used to comute factors of any arbtrary nteger N = q In ths aroach we fnd two dsctnct elements x, x Z N such that x mod = x mod We call such a ar a good ar It s clear that for such a good ar gcd(x x, N) = So comutng the gcd gves a non-trval rme factor However the catch s how can we come u wth 9-2

3 such a good ar? Suose we choose k elements x (1),, x (k) chosen unformly at random from ZN, where k = 2n/2 = O( ) Accordng to the chnese remander theorem these can be wrtten as (x (1), x (1) q ),, (x (k), x q (k) ) Here we can see that x () s unformly dstrbuted n Z Thus accordng to the brthday bound we can say that wth hgh robablty there exst dstnct, j such that x () = x (j) Thus wth hgh robablty we can obtan a good ar x (), x (j) Now let us analyse the tme comlexty of such a scheme For generatng k unform elements of Z N the tme comlexty wll be O(N 1/4 ) Testng all ars n order to dentfy a good ar wll take tme O(N 1/2 ) Thus as we can see ths s no better than the tral dvson Small sace brthday attack: Pollard s dea was to use a technque very smlar to the small sace brthday attack Frst we come u wth a sequence x (1), x (2), by lettng each value be a functon of the revous one Thus we fx some functon F : ZN Z N and chose a unformly random x(0) ZN and then comute the sequence x (1), x (2), by settng x () = F (x ( 1) ) Ths F must have the roerty that f x = x mod then F (x) = F (x ) mod Thus once equvalence modulo occurs, t erssts Also choose F to be random functon In the t h ste of the alogrthm we comute x = x () and x = x (2) and comute gcd(x x, N), f we get a non-trval gcd we are done else contnue to the next ste Now as F s a random functon, we know that are unformly dstrbuted over Z thus we exect a reeat wth robablty 1/2 n the frst k = 2 n/2 terms of the sequence We show that f there s a reeat n the frst k terms of the sequence then ths algorthm fnds a reeat n atmost k teratons x () Clam 5 Let x (1),, x (k) be a sequence of values wth x () = F (x ( 1) ) If x (I) = x (J) wth 1 I < J q, then there s a t < J such that x (t) = x (2t) Proof The sequence x (I), x (I+1), reeat wth erod T gven by J I Let t be the smallest multle of T greater than I We have t < J snce the sequence I, I+1,, I+T 1 = J 1 has atleast one multle of T Snce t I and t s a multle of T we have x (t) = x (2t) Thus usng the above clam our algorthm wll detect a non-trval gcd and hence the rme factor wth hgh robablty usng only O(k) = O( ) = O(N 1/4 ) oeratons Ths s much better than the tral dvson method 3 Quadratc Seve algorthm Defnton 1 Quadratc Resdue : An element z Z N s a quadratc resdue modulo N f x Z N such that x2 = z mod N Defnton 2 B-smooth : For some bound B, an nteger s sad to be B-smooth f all ts rme factors are less than or equal to B Lemma 6 Gven x, y such that x 2 = y 2 mod N but, x ±y mod N A non-trval factor of N can be comuted 9-3

4 Proof Gven x 2 = y 2 mod N mles 0 = x 2 y 2 = (x + y)(x y) mod N Ths n turn mles that, N dvdes (x + y)(x y) but, x ±y mod N So, N dvdes nether (x + y) nor (x y) Thus, t should be the case that gcd((x y), N) s one of the rme factor of N ( same thng follows for gcd((x + y), N) ) Ths algorthm tres to fnd such x, y such that x 2 = y 2 mod N and, x ±y mod N and tres to obtan a rme factor usng above lemma So, n ths algorthm a sequence of values of the form q 1 = x 2 1 mod N, q 2 = x 2 2 mod N, are roduced and a subset of those values are chosen whose roduct gves a square over the ntegers Followng stes are used for ths 1 choose a bound B, search for B-smooth ntegers of the form q = x 2 mod N and factor them Ths factorng would be easy f bound B s small so, {x } are chosen as x = N + 1, N + 2, N + 3, Due to ths we got q = x 2 mod N = x 2 N, whch s small so, q s more lkely to be B-smooth Now we can wrte the followng equatons, q 1 = x 2 1modN = b =a e 1, (1) q l = x 2 l modn = b =a e l, (2) { 1, 2,, k } are rme numbers less than or equal to bound B 2 fndng some subset S of {q } whose roduct s a square multlng subset S of {q } we get, z = q j = =1 e j, (3) here, z can be a square only f exonent of each s even so, such a subset s to be found whose exonent vectors sum to 0-vector modulo 2 3 such subset can be found easly usng Lner Algebra Reducng the exonents n all equatons (1)-(2) modulo 2, a 0/1 matrx can be obtaned lke- [e 1,1 mod2] [e 1,2 mod2] [e 1,k mod2] [e l,1 mod2] [e l,2 mod2] [e l,k mod2] If l = k + 1, then the matrx has more number of rows as comared to columns and there would exst a non-emty subset S of rows that sum to 0-vector modulo 2, whch can be obtaned usng lnear algebra 9-4

5 4 now, equaton (3) can be wrtten as, z = q j = =1 ( e j, = =1 ( j,) e /2 ) 2 (4) because { e j,} sums to 0-vector modulo 2, e, t s even Also we can wrte, z = q j = ( ) 2 x 2 j = x j modn (5) Thus, from equatons (4) and (5) we have obtaned two dstnct square roots of z or we can say x 2 = y 2 mod N and, x ±y mod N Now, above lemma can be used to obtan a rme factor of N Also, by takng l > k + 1 many subsets S wth requred roerty can be obtaned and tred to factor N Runnng tme : If a large value of bound B s chosen then more numbers of form q = x 2 modn can be obtaned as B-smooth but at the same tme t would also ncrease the dffculty n fndng the factors of those numbers that would n turn ncrease the sze of 0/1 matrx makng the lnear-algebrac ste slower Thus, consderng an otmal value of B the tme taken s gven by 2 O( logn loglogn), whch s sub-exonental n length of N Ths algorthm was fastest untl 1990s and stll s a choce for numbers u to 300 bts long 9-5