Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Similar documents
Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

Dixon s Factorization method

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

CPSC 467b: Cryptography and Computer Security

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 11 - Basic Number Theory.

COMP4109 : Applied Cryptography

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

CPSC 467b: Cryptography and Computer Security

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

CSE 521: Design and Analysis of Algorithms I

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Sieve-based factoring algorithms

CPSC 467b: Cryptography and Computer Security

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 3

ENHANCING THE PERFORMANCE OF FACTORING ALGORITHMS

CPSC 467: Cryptography and Computer Security

Number Theory. Modular Arithmetic

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Experience in Factoring Large Integers Using Quadratic Sieve

RSA Cryptosystem and Factorization

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Discrete Logarithm Problem

CPSC 467: Cryptography and Computer Security

Congruence of Integers

Elementary factoring algorithms

Lecture 6: Cryptanalysis of public-key algorithms.,

Relations. Binary Relation. Let A and B be sets. A (binary) relation from A to B is a subset of A B. Notation. Let R A B be a relation from A to B.

Lecture Notes. Advanced Discrete Structures COT S

Lecture 14: Hardness Assumptions

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

Chapter 9 Basic Number Theory for Public Key Cryptography. WANG YANG

CPSC 467b: Cryptography and Computer Security

1 2 3 style total. Circle the correct answer; no explanation is required. Each problem in this section counts 5 points.

CS 6260 Some number theory

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Number Theory Alex X. Liu & Haipeng Dai

Applied Cryptography and Computer Security CSE 664 Spring 2018

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

MATH 115, SUMMER 2012 LECTURE 4 THURSDAY, JUNE 21ST

Homework #2 solutions Due: June 15, 2012

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

LECTURE NOTES IN CRYPTOGRAPHY

Theoretical Cryptography, Lecture 13

part 2: detecting smoothness part 3: the number-field sieve

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Ma/CS 6a Class 2: Congruences

Basic Algorithms in Number Theory

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Discrete Math, Fourteenth Problem Set (July 18)

10 Public Key Cryptography : RSA

MATH 3240Q Introduction to Number Theory Homework 5

Introduction to Cryptology. Lecture 20

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Elliptic curves: Theory and Applications. Day 3: Counting points.

Cryptography IV: Asymmetric Ciphers

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

3.2 Solving linear congruences. v3

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CHAPTER 3. Congruences. Congruence: definitions and properties

Integer Factorization using lattices

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

One can use elliptic curves to factor integers, although probably not RSA moduli.

Number Theory Homework.

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

1. multiplication is commutative and associative;

Exercise Sheet Cryptography 1, 2011

SMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance

Ma/CS 6a Class 2: Congruences

Number Theory and Algebra: A Brief Introduction

Discrete Logarithms. Let s begin by recalling the definitions and a theorem. Let m be a given modulus. Then the finite set

Part V. Chapter 19. Congruence of integers

Number Theory. Introduction

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Fully Deterministic ECM

Introduction to Information Security

ICS141: Discrete Mathematics for Computer Science I

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Chapter 8. Introduction to Number Theory

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Transcription:

Factoring Algorithms Pollard s p 1 Method This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Input: n (to factor) and a limit B Output: a proper factor of n or "fail" a = 2 for (i = 2 to B) { a = a^i mod n if ( ( g = gcd(a - 1, n) ) > 1) { print "g divides n" stop } } print "fail" 1

Note that at the end of the i-th iteration of the loop we have a 2 i! (mod n), so a 2 i! (mod p) if p divides n. When i is large enough so that p 1 divides i!, say, i! = (p 1)m for some m, we will have a 2 i! (2 p 1 ) m 1 m 1 (mod p), by Fermat s little theorem, so p divides a 1. If p also divides n, then p divides g = gcd(a 1, n). Occasionally, Pollard s p 1 method has a spectacular success, but it is unlikely to factor an RSA public modulus n. However, when generating a large prime p for RSA one should factor p 1 and be sure it contains a large prime factor. (A prime factor q of p 1 is large if no adversary can do q operations.) 2

Quadratic Sieve Method Recall this theorem: Theorem. If n = pq is the product of two distinct primes, and if x 2 y 2 (mod n), but x ±y (mod n), then gcd(x + y, n) = p or q. Proof: We are given that n divides (x+y)(x y) but not (x+y) or (x y). Hence, one of p, q must divide (x + y) and the other must divide (x y). In fact, if n has more than two prime factors and the congruence conditions of the theorem hold, then gcd(x+y, n) and gcd(x y, n) will be proper factors of n even if they are not prime. The conditions fail to lead to a proper factor of n only in case n is a power of a prime. 3

The quadratic sieve algorithm tries to factor n simply by finding x and y with x 2 y 2 (mod n), ignoring the conditions x ±y (mod n). (It just hopes for the best. Usually, it finds several such pairs x, y. Each pair succeeds in factoring n with probability at least 1/2.) 4

Definition. An integer k is a square if there exists an integer x so that k = x 2. The quadratic sieve method tries to factor n by finding two congruent squares modulo n. How can one recognize a square? Multiple choice question: Which of these numbers is a square? a. 21 b. 23 c. 25 d. 27 e. 29 5

Which of these numbers is a square? a. 431641 b. 431643 c. 431645 d. 431647 e. 431649 This is harder. 6

Suppose I give you the prime factorizations of the numbers. Which of these numbers is a square? a. 431641 = 7 2 23 383 b. 431643 = 3 143881 c. 431645 = 5 131 659 d. 431647 = 17 25391 e. 431649 = 3 4 73 2 Theorem. If n = k i=1 p e i i is the prime factorization of n into the product of powers of distinct primes, then n is square if and only if all exponents e i are even numbers. 7

The quadratic sieve factoring algorithm finds congruences x 2 y 2 (mod n) as follows. Generate many relations j 2 m (mod n), where m is small and therefore easy to factor. Factor the numbers m and match their prime factors to form a product of some ms in which each prime occurs as a factor an even number of times, so it is a square. Let y 2 be the product of these ms. Let x be the product of the js in the relations used to make y 2. Then x 2 is the product of the j 2 s, which is congruent to the the product of the ms. This product is y 2 by the choice of relations. 8

Example. Let us factor n = 1649. Note that n 40.6, so the numbers 41 2 mod n, 42 2 mod n,..., will be fairly small compared to n. We have 41 2 1681 32 = 2 5 (mod 1649), 42 2 1764 115 = 5 23 (mod 1649), 43 2 1849 200 = 2 3 5 2 (mod 1649). Now 32 200 = 2 8 5 2 = 80 2 is a square. Therefore, (41 43) 2 80 2 (mod 1649). Note that 41 43 = 1763 114 (mod 1649) and that 114 ±80 (mod 1649). We get the factors of 1649 from gcd(114 80, 1649) = 17 and gcd(114 + 80, 1649) = 97, so 1649 = 17 97. 9

In a real application of the quadratic sieve there may be millions of relations j 2 m (mod n) with m factored. How can we efficiently match the prime factors of the ms to make each prime occur an even number of times? Answer: Use linear algebra over the field F 2 with 2 elements. Let p 1, p 2,..., p b be all of the prime numbers that occur as factors of any of the ms. If m = b i=1 p e i i, where each exponent e i 0, associate m to the vector v(m) = (e 1, e 2,..., e b ). Multiplying ms corresponds to adding their associated vectors. If S {1, 2,..., r}, where r is the total number of relations, then i S m i is a square if and only if i S v(m i ) has all even coordinates. 10

Reduce the exponent vectors v(m) modulo 2 and think of them as vectors in the b-dimensional vector space F b 2 over F 2 = {0, 1}. Linear combinations of distinct vectors v(m) correspond to subset sums. Finding a nonempty subset of integers whose product is a square is reduced to finding a linear dependency among the vectors v(m). We know from linear algebra that if we have more vectors than the dimension b of the vector space (r > b), then there will be linear dependencies among the vectors. Also from linear algebra we have efficient algorithms, such as matrix reduction, for finding linear dependencies. Row reduction over F 2 is especially efficient because adding (or subtracting) two rows is the same as finding their exclusive-or. 11

The analysis of the quadratic sieve algorithm shows that its time complexity to factor n is about bit operations. e (ln n)(ln ln n) To understand what this means, consider e (ln n)(ln ln n) e (ln n)(ln n) = e ln n = n and e (ln n)(ln ln n) e (ln ln n)(ln ln n) = e ln ln n = ln n. Thus, e (ln n)(ln ln n) n ε for any ε > 0 and e (ln n)(ln ln n) (ln n) c for any constant c > 0. That is, the time complexity is subexponential but not polynomial time. 12

Discrete Logarithms via Index Calculus There is a faster way to solve a x b (mod p) using a method similar to the integer factoring algorithm QS. It is called the index calculus method. If a x b (mod p), then we write x = Log a (b). Note that Log a (b) is an integer determined modulo p 1 because of Fermat s theorem: a p 1 1 (mod p). Log a (b) is called the discrete logarithm of b to base a. (The modulus p is usually supressed.) 13

Choose a factor base of primes p 1,..., p k, usually all primes B. Perform the following precomputation which depends on a and p but not on b. For many random values of x, try to factor a x mod p using the primes in the factor base. Save at least k + 20 of the factored residues: a x j k i=1 or equivalently p e ij i (mod p) for 1 j k + 20, x j k i=1 e ij Log a p i (mod p 1) for 1 j k+20. 14

Use linear algebra to solve for the Log a p i. When b is given, perform the following main computation to find Log a b. Try many random values for s until one is found for which ba s mod p can be factored using only the primes in the factor base. Write it as or ba s k i=1 p c i i (mod p) (Log a b) + s k i=1 c i Log a p i (mod p 1). Substitute the values of Log a p i found in the precomputation to get Log a b. 15

Using arguments like those for the running time of the quadratic sieve factoring algorithms, one can prove that the precomputation takes time ( ) exp 2 log p log log p, while the main computation takes time ( ) exp log p log log p. 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback