Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Size: px

Start display at page:

Download "Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago"

Justin Houston
5 years ago
Views:

1 The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago

2 Prelude: finding denominators in R. Easily compute digits given Can we work backwards: find given digits ? 2-dim integer-relation finding ; 2-dim lattice-basis reduction ; half-gcd computation ; etc. Yes, via continued fractions.

3 Compute successively ( ) ; ( ) ; ( ) 37428; ( ) 4; (4 ) 25; (25 2) 2 2. Evidently is very close to the continued fraction =

4 Can obtain Ý-digit numerator and Ý-digit denominator from 2Ý digits of quotient. Ý(lg Ý) Ç() bit operations using fast multiplication, fast continued fractions. Analogous polynomial algorithms find two Ý-coefficient polynomials from 2Ý coefficients of their power-series quotient. Ý(lg Ý) Ç() coefficient operations using fast algorithms.

5 Linear algebra Ý Ý matrix Å over F 2 specifies linear map F Ý 2 FÝ 2. e.g. Å = ¼ specifies (Ú Ú 2 Ú 3 Ú 4 ) (Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 ). ½

6 Subroutine in Q sieve etc., combining smooth congruences to form a square: Find linear dependency = find nonzero kernel element = find nonzero nullspace element : find nonzero Ú ¾ F Ý 2 with ÅÚ =. e.g. previous Å(Ú Ú 2 Ú 3 Ú 4 ) is only if (Ú Ú 2 Ú 3 Ú 4 ) =, so can t find linear dependency.

7 Solve linear equations : given Û ¾ F Ý 2, find some Ú ¾ F Ý 2 with ÅÚ = Û. e.g. given Û = ( ) and Å = ¼ ½ : find (Ú Ú 2 Ú 3 Ú 4 ) with (Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 ) = Û.

8 We have fast methods to solve linear equations. Easily apply those methods to find linear dependencies, if any dependencies exist. Choose uniform random Ö ¾ F Ý 2 ; compute Û = ÅÖ; use linear-equation solver to find Ú with ÅÚ = Û. This produces uniform random kernel element, namely Ú Ö. Try again if Ú = Ö.

9 Elimination solves linear equations using Ç(Ý 3 ) bit operations. Series denominators solve linear equations using Ý 2+Ó() bit operations if the equations are sparse. Sparse : can evaluate Ú ÅÚ using Ý +Ó() bit operations. Certainly true in Q sieve with usual choices of Ý.

10 Series denominators ¼ ½ e.g. Given Û = Å = ¼ Have magic equation and ½ : Û + Å 3 Û + Å 4 Û = implying Û = ÅÚ for Ú = Å 2 Û Å 3 Û. How did I find magic equation? First explore its consequences.

11 Consider the power series Ë = Û+(ÅÛ)Ø+(Å 2 Û)Ø 2 + = ¼ ½ + ¼ ½ Ø + ¼ ½ Ø 2 + ¼ ½ Ø 3 + ¼ ½ Ø 4 + ¼ ½ Ø 5 + ¼ ½ Ø 6 + ¼ ½ Ø 7 + in F 4 2 [[Ø]].

12 Ë is rational: Ë( + Ø + Ø 4 ) = ¼ ½ Ø 2 + ¼ ¼ ½ Ø 3. ½ + ¼ ½ Ø + For Ò 4, coefficient of Ø Ò in ( È Å ÛØ )( + Ø + Ø 4 ) is Å Ò Û + Å Ò Û + Å Ò 4 Û = Å Ò 4 (Å 4 Û + Å 3 Û + Û) = by magic equation.

13 Squeeze Ë by projecting from F 4 2 [[Ø]] to F 2[[Ø]]. e.g. Define Ö = ( ). ÖË = ÖÛ + ÖÅÛØ + ÖÅ 2 ÛØ 2 + = Ø+Ø 5 +Ø 6 +Ø 7 +Ø 8 +Ø +. Have ÖË( + Ø + Ø 4 ) = Ø + Ø 2. Similar for every Ö : F 4 2 F 2. The series ÖË ¾ F 2 [[Ø]] is rational, specifically a poly of degree 4 divided by + Ø + Ø 4. Can use continued fractions to quickly find denominator +Ø+Ø 4, and thus to find magic equation.

14 In general, given Û ¾ F Ý 2 and Å : F Ý 2 FÝ 2, find magic equation as follows. Pick Ö : F Ý 2 F 2. Compute first 2Ý terms of series ÖÛ + ÖÅÛØ + ÖÅ 2 ÛØ 2 + in F 2 [[Ø]]. Use continued fractions to find denominator of series. Repeat for a few random Ö s, compute lcm of denominators. With very high probability obtain denominator of series Û + ÅÛØ + Å 2 ÛØ 2 +.

15 If final denominator is Ô Ø Ý + Ô Ø Ý + + Ô Ý Ø then Ô Û + Ô ÅÛ + + Ô Ý Å Ý Û =. If Ô = then Û = ÅÚ where Ú = Ô Û Ô Ý Å Ý Û. If Ô = then use slightly more complicated algorithm to solve linear equation. But still easy to find linear dependency. Overall there are Ç(Ý) applications of Å. Total Ý 2+Ó() bit operations if Å is sparse.

16 Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists parameters, is Ä 9+Ó() where Ä = exp((log Ò) 3 (log log Ò) 23 ). What are theorists parameters? Choose degree with (log Ò) 3 (log log Ò) 3 ¾ 4 + Ó().

17 Choose integer Ñ Ò. Write Ò as Ñ + Ñ + + Ñ + with each below Ò (+Ó()). Choose with some randomness in case there are bad s. Test smoothness of Ñ for all coprime pairs ( ) with Ä 95+Ó(), using primes Ä 95+Ó(). Ä 9+Ó() pairs. Conjecturally Ä 65+Ó() smooth values of Ñ.

18 Use Ä 2+Ó() number fields. For each ( ) with smooth Ñ, test smoothness of «and and so on, using primes Ä 82+Ó(). Ä 77+Ó() tests. Each () Ñ 286+Ó(). Conjecturally Ä 95+Ó() smooth congruences. Ä 95+Ó() components in the exponent vectors.

19 Three sizes of numbers here: (log Ò) 3 (log log Ò) 23 bits: Ý,,. (log Ò) 23 (log log Ò) 3 bits: Ñ, Ñ, (). log Ò bits: Ò. Unavoidably 3 in exponent: usual smoothness optimization forces (log Ý) 2 log Ñ; balancing norms with Ñ forces log Ý log Ñ; and log Ñ log Ò.

20 The number-field sieve is asymptotically much faster than the quadratic sieve and the elliptic-curve method. Also works well in practice. Latest record: NFS found two prime factors of RSA-2 challenge, using 5 8 Opteron cycles.

21 Batch NFS The number-field sieve used Ä 9+Ó() bit operations finding smooth Ñ; only Ä 77+Ó() bit operations finding smooth (). Many Ò s can share one Ñ; Ä 9+Ó() bit operations to find squares for all Ò s. Oops, linear algebra hurts; fix by reducing Ý. But still end up factoring batch in much less time than factoring each Ò separately.

22 Polynomial selection Many choices of NFS polynomial. Which choices are best? Consider, e.g., poly degree = 5. Select integer Ñ ¾ [Ò 6 Ò 5 ]; find integers 5 4 with Ò = 5 Ñ Ñ ; for various integers inspect ( Ñ)( ). Practically every choice of Ñ will succeed in factoring Ò. For speed want smallest possible ( Ñ)( ).

23 e.g. Ò = : Can choose Ñ =, 5 = 34, 4 = 59, 3 = 265, 2 = 358, = 979, = 323. NFS succeeds in factoring Ò by inspecting congruences ( )( ) for various integer pairs ( ). But NFS succeeds more quickly using Ñ = 37, inspecting ( 37)( ).

24 Consider, e.g., 2 45 possible choices of Ñ. Quickly identify, e.g., 2 25 attractive candidates. Will choose one Ñ later. If ËÊ and Ë Ê then ( Ñ)( ) (Ñ Ë)Ê 6 where (Ñ Ë) = (ÑË +Ë)( 5 Ë Ë 5 ). Attractive Ñ Ë: small (Ñ Ë).

25 Choosing one typical Ñ Ò 6 produces (Ñ ) Ò 26. Question: How much time do we need to save factor of to find Ñ Ë with (Ñ Ë) Ò 26? This has as much impact as chopping 3 lg bits out of Ò. Searching for good values of Ñ takes noticeable fraction of total time of optimized NFS. (If not, consider more Ñ s!) End up with rather large.

26 Conjectured time 75+Ó() : Enumerate many possibilities for Ñ near 25 Ò 6. Have 5 25 Ò could be as large as 25 Ò 6. Hope that they are smaller, on scale of 25 Ò 6, so (Ñ ) Ò 26. Conjecturally this happens within roughly 75 trials.

27 Conjectured time 6+Ó() : Skip through Ñ s with small 4. Say Ò = 5 Ñ Ñ Choose integer Write Ò in base Ñ + : Ò = 5 (Ñ + ) 5 + ( )(Ñ + ) 4 +. Now degree-4 coefficient is on same scale as 5. Hope for small 3 2.

28 Conjectured time 45+Ó() : Increase Ë. Enumerate many possibilities for Ñ near Ò 6. Have 5 5 Ò could be as large as Ò 6. Force small 4. Hope for 3 on scale of 2 Ò 6, 2 on scale of 5 Ò 6. Then (Ñ 75 ) Ò 26.

29 Conjectured time 35+Ó() : Partly control 3. Say Ò = 5 Ñ Ñ Choose integer and integer Ñ5 5. Find all short vectors in lattice generated by (Ñ ), ( Ñ ), ( Ñ ), ( Ñ).

30 Hope for Ú below with ( ) + ( )Ú + ( 5 2 )Ú 2 below Ñ 3 modulo Ñ. Write Ò in base Ñ + + Ú. Obtain degree-5 coefficient on scale of 5 Ò 6 ; degree-4 coefficient on scale of 4 Ò 6 ; degree-3 coefficient on scale of 2 Ò 6. Hope for good degree 2.

31 After selecting attractive Ñ s, how to identify best (Ñ Ý)? Could check smoothness of some congruences for each Ñ to estimate smoothness chance. But this is expensive: smooth congruences are rare; need quite a few of them before estimate is reliable. Want something faster, to test more (Ñ Ý) s.

32 Quickly and accurately estimate number of small congruences by numerically approximating a superelliptic integral. Quickly and accurately estimate congruence smoothness chance by approximating distribution of a Dirichlet series. So can estimate cost of finding more smooth congruences than exponent-vector length. In practice: Fewer required. Open: Estimate how many.

33 Given À Ñ 5 : How many congruences survive initial selection of small congruences? Consider integer pairs ( ) with Z + Z = Z and. How many congruences ( Ñ)( ) are in [ À À]? bound is quite crude. Can instead enumerate s, count s for each.

34 Faster: Numerically approximate the area of ( ) ¾ R R : ¾ [ À À]. Number of qualifying pairs is extremely close to (3 2 )À 26 Ê ½ ½ Ü((Ü)2 ) 6 where (Ü) = (Ü Ñ)( 5 Ü ). Evaluate superelliptic integral by standard techniques: partition, use series expansions.

35 What is chance that a uniform random integer in [ À] is, e.g., -smooth? Define Ë as the set of -smooth integers Ò. The Dirichlet series for Ë is È [Ò ¾ Ë]Ü lg Ò = ( + Ü lg 2 + Ü 2 lg 2 + Ü 3 lg 2 + ) ( + Ü lg 3 + Ü 2 lg 3 + Ü 3 lg 3 + ) ( + Ü lg 5 + Ü 2 lg 5 + Ü 3 lg 5 + ) ( + Ü lg Ü 2 lg ).

36 Replace primes with slightly larger real numbers 2 = 8, 3 = 2, 5 = 7,, = 45. Replace each 2 3 in Ë with 2 3, obtaining multiset Ë. The Dirichlet series for Ë is È [Ò ¾ Ë]Ü lg Ò = ( + Ü lg 2 + Ü 2 lg 2 + Ü 3 lg 2 + ) ( + Ü lg 3 + Ü 2 lg 3 + Ü 3 lg 3 + ) ( + Ü lg 5 + Ü 2 lg 5 + Ü 3 lg 5 + ) ( + Ü lg Ü 2 lg ).

37 This is simply a power series Ý + Ý + = ( + Ý 8 + Ý Ý ) ( + Ý 2 + Ý Ý ) ( + Ý 7 + Ý Ý ) ( + Ý 45 + Ý ) in the variable Ý = Ü lg. Compute series mod (e.g.) Ý 29 ; i.e., compute 299. Ë has elements , so Ë has at least that many elements 2 4.

38 Can modify Dirichlet series to modify notion of smoothness. Use + Ü lg instead of ( + Ü lg Ü 2 lg ) to throw away Ò s having more than one factor Multiply Ý Ý 299 by Ü lg Ü lg to allow Ò s that are -smooth integers 2 4 times one prime in [ 6 9 ].

39 Number-field smoothness: replace + Ü lg Ô + Ü 2 lg Ô + with + Ü lg Æ(È) + Ü 2 lg Æ(È) + where È is ideal, Æ is norm. In all of these situations, can compute an upper bound on number of smooth values to check tightness of lower bound. If looser than desired, move closer to. Achieve any desired accuracy.

40 Smoothness chance for «in Q(«) is, conjecturally, very close to smoothness chance for ideals of the same size. Same for ( Ñ «) in Q Q(«). Integrate size distribution of ( Ñ)( «) against smoothness distribution of ideals.

part 2: detecting smoothness part 3: the number-field sieve

part 2: detecting smoothness part 3: the number-field sieve Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness Integer factorization, part 3: the number-field sieve D. J. Bernstein Problem: Factor 611. The Q sieve forms