Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

Transcription

1 Polynomial Selection Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

2 Contents Brief summary of polynomial selection (no root sieve) Motivation (lattice sieving, monic algebraic polynomial) General case (reduction to monic algebraic polynomial) Some results

3 Brief summary of polynomial selection Given N Z Find co-prime polynomials f, g Z[x] with common zero modulo N Degrees and coefficients as small as possible

4 Brief summary of polynomial selection Given N Z Find co-prime polynomials f, g Z[x] with common zero modulo N Degrees and coefficients as small as possible Restriction to deg(f) = d, deg(g) = 1 Easy: coefficients of size N 1 d+1 : Choose m = [N 1 d+1 ] + 1, set g = x m, f = d N = d a i m i is the base-m-expansion of N. i=0 i=0 a i x i where

5 Skewness: Change sieving area from A a A, 0 < b A to A s a A s, 0 < b A s for some s (skewness) want to minimise max( a i s i d 2 ) (f = d a i x i ) i=0

6 Skewness: Change sieving area from A a A, 0 < b A into A s a A s, 0 < b A s for some s (skewness) want to minimise max( a i s i d 2 ) (f = d i=0 a i x i ) ( ) Choose a d smaller than N 1 1 d d+1, choose m near N a d a d 1 roughly of size a d, small enough ( d Remaining coefficients of size ok for a 0, a 1 (perhaps also for a 2 ) ) 1 N a d Coefficients a d 2,..., a 3 (, a 2 ) too big biggest problem a d 2

7 Motivation Lattice sieving for 768 bit numbers: e.g.: factor base bounds (for f), (for g) ca. 67 million factor base elements gnfs-lasievei16e needs 20 byte per factor base element: prime ideal (p, x r): 4 byte for p and 4 byte for r two vectors in special q lattice: 2 4 byte current location in special q lattice: 4 byte could reduce this: use 1 byte for storing differences of p 17 byte handle larger p in a different way 15 or 16 byte How can we reduce this further?

8 If skewness were equal to size of sieving area: form of sieving area: A a A, b = 1 (one line)

9 If skewness were equal to size of sieving area: form of sieving area: A a A, b = 1 (one line) Storage requirements for lattice siever (12 byte per factor base element): prime ideal (p, x r): 4 byte for p and 4 byte for r current location in special q lattice: 4 byte We can recalculate r from last location in special q lattice 8 byte store 1 byte differences of primes 5 byte Reduced storage for factor base from 1GB (or 1.3GB) to 350MB How can we find such polynomials?

10 Polynomials with large skewness Example: 768-bit integer N, size of sieving area 2 64 skewness, f = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0, g = lx m N = a 4 m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4

11 Polynomials with large skewness Example: 768-bit integer N, size of sieving area 2 64 skewness, f = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0, g = lx m N = a 4 m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 coefficient a 4 a 3 a 2 a 1 a 0 l m bit size values of polynomials: ca. 256 bit and 192 bit seems too be slightly worse than current degree 6 polynomials

12 Polynomials with large skewness Example: 768-bit integer N, size of sieving area 2 64 skewness, f = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0, g = lx m N = a 4 m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 coefficient a 4 a 3 a 2 a 1 a 0 l m bit size values of polynomials: ca. 256 bit and 192 bit seems too be slightly worse than current degree 6 polynomials Check: = expect to find 2 64 such polynomial pairs How can we find such polynomial pairs (with cost 2 64 )?

13 f = x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0, g = lx m N = m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4

14 f = x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0, g = lx m N = m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 translation can assume a 3 {0, 1, 2, 3}

15 f = x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0, g = lx m N = m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 translation can assume a 3 {0, 1, 2, 3} Restrict to a 3 = 0, assume l m 2 64 : f = x 4 + a 2 x 2 + a 1 x + a 0, g = lx m: N = m 4 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 = m 4 + l 2 R a 2 R m 2 New problem: to find l, m such that l 2 N m 4 and N m4 l 2 m 2 is small

16 General problem: N, d and bound B given, find l, m such that l 2 N m d and N md < B l 2 m d 2

17 General problem: N, d and bound B given, find l, m such that l 2 N m d and N md < B l 2 m d 2 Set m 0 = d N, m = m 0 + i, i [ M, M] N m d <dmm d 1 0 want i, l such that l 2 N (m 0 + i) d and dmm 0 l 2 < B

18 General problem: N, d and bound B given, find l, m such that l 2 N m d and N md < B l 2 m d 2 Set m 0 = d N, m = m 0 + i, i [ M, M] N m d <dmm d 1 0 want i, l such that l 2 N (m 0 + i) d and dmm 0 l 2 < B Set l = p 1 p 2, p i P primes, P = [P, 2P ] 1. generate pairs (p, i) such that p 2 N (m 0 + i) d 2. sort pairs w. r. t. second entry 3. for each collision, i. e., pairs (p 1, i), (p 2, i) with p 1 p 2 : output l = p 1 p 2, m = m 0 + i result: a d 2 N md l 2 m d 2 < dm P 4 m 0

19 Analysis m 0 = d N, m = m 0 + i, i [ M, M] l = p 1 p 2, p i P primes, P = [P, 2P ] number of pairs M P log P, number of collisions M 4P 2 (log P ) 2

20 Analysis m 0 = d N, m = m 0 + i, i [ M, M] l = p 1 p 2, p i P primes, P = [P, 2P ] number of pairs M P log P cost O( M log M P log P + P log P ), number of collisions M 4P 2 (log P ) 2 result: a d 2 < dm P 4 m 0

21 Analysis m 0 = d N, m = m 0 + i, i [ M, M] l = p 1 p 2, p i P primes, P = [P, 2P ] number of pairs M P log P cost O( M log M P log P + P log P ), number of collisions M 4P 2 (log P ) 2 result: a d 2 < dm P 4 m 0 for 768 bit example choose M = 2 90, P = 2 39 : 1 collision, dm P 4 m , cost 2 46 pairs

22 Analysis m 0 = d N, m = m 0 + i, i [ M, M] l = p 1 p 2, p i P primes, P = [P, 2P ] number of pairs M P log P cost O( M log M P log P + P log P ), number of collisions M 4P 2 (log P ) 2 result: a d 2 < dm P 4 m 0 for 768 bit example choose M = 2 90, P = 2 39 : 1 collision, dm P 4 m , cost 2 46 pairs choosing M = P 2 : cost per collision O(P (log P ) 2 ), result a d 2 < d P 2 m 0

23 Asymptotic considerations degree d = ( ) 1 3 log N 3 log log N, sieving area L( 1 3, ) skewness product of coefficient ranges of algebraic polynomial = L(1, 7 8 ) cannot find such polynomial pairs Remark: polynomial pairs of degree d and d 1 would be ok

24 General situation Find l, m such that and N = a d m d + a d 1 lm d 1 + l 2 R R m d 2 ( a d 2 ) is sufficiently small.

25 General situation Find l, m such that and N = a d m d + a d 1 lm d 1 + l 2 R R m d 2 ( a d 2 ) is sufficiently small. Reduction to a d = 1, a d 1 = 0 (translation x x a d 1 da d ): ( d d a d 1 d N = (da d m+a d 1 l) d +l 2 d d a d 1 d R (da d m) d 2 (d 2) a 2 d 1... )

26 General situation Find l, m such that and N = a d m d + a d 1 lm d 1 + l 2 R R m d 2 ( a d 2 ) is sufficiently small. Reduction to a d = 1, a d 1 = 0 (translation x x a d 1 da d ): ( d d a d 1 d N = (da d m+a d 1 l) d +l 2 d d a d 1 d R (da d m) d 2 (d 2) a 2 d 1... or Ñ = m d + l 2 R where Ñ = d d a d 1 d N, m = da d m + a d 1 l )

27 General situation Find l, m such that and N = a d m d + a d 1 lm d 1 + l 2 R R m d 2 ( a d 2 ) is sufficiently small. Reduction to a d = 1, a d 1 = 0 (translation x x a d 1 da d ): ( d d a d 1 d N = (da d m+a d 1 l) d +l 2 d d a d 1 d R (da d m) d 2 (d 2) a 2 d 1... or Ñ = m d + l 2 R where Ñ = d d a d 1 d N, m = da d m + a d 1 l 1. find l, m as above 2. m = da d m + a d 1 l: find m, 0 a d 1 < da d (gcd(l, da d ) = 1) ) Result: a d 2 R d 2 a d m d 2 < dm m 0 d 2 a d P 4 M P 4 m 0

28 Some tricks Replace l = p 1 p 2 by l = cp, c C, p P e. g.: C = [P 1, P 2 ], P = {p [P 2, P 3 ] p prime} for some P 1 < P 2 < P 3 1. generate pairs (c, i), c C 2. generate pairs (p, j), p P 3. search for collisions between c-pairs and p-pairs, and for collisions within p-pairs many alternative approaches, e. g.: arbitrary C, P, remove multiples of primes of P from C C = {c [P 1, P 2 ] p c p 1 (mod 4)}, P = {c [P 1, P 2 ] p c p 3 (mod 4)}...

29 Special q Choose q, 0 s < q 2 such that q 2 N (m 0 + s) d Search for l with l 2 N (m 0 + s + iq 2 ) d as above and set l = l q analysis remains the same, only l is increased by q Advantage: Initialisation costs drop, since expensive root calculation of N x d modulo p (resp. c) can be used for many q Even better: can do inversion modulo p 2 for many q simultaneously cost drops to a few modular additions + multiplications per generated pair

30 Some results number sieving time pol. sel. time improvement RSA a 4 d, 4 d, 4 d 0.84, 0.8, 0.84 RSA a 15 d 0.87 RSA a 10 d 0.77 (?) improvement = time for new pol. pair / time for old pol. pair RSA512: comparison with best polynomial pair found by old method RSA576, RSA640: comparison with polynomial pairs used in factorisation