Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Similar documents
Integer factorization, part 1: the Q sieve. D. J. Bernstein

part 2: detecting smoothness part 3: the number-field sieve

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

Fully Deterministic ECM

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Discrete Structures Lecture Primes and Greatest Common Divisor

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Post-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

Integers and Division

Elementary factoring algorithms

Homework #2 solutions Due: June 15, 2012

Lecture 6: Cryptanalysis of public-key algorithms.,

I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k

CS March 17, 2009

Another Attempt to Sieve With Small Chips Part II: Norm Factorization

4 Number Theory and Cryptography

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Arithmetic, Algebra, Number Theory

Dixon s Factorization method

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Number theory (Chapter 4)

Speedy Maths. David McQuillan

Edwards Curves and the ECM Factorisation Method

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Number Theory and Divisibility

3 The fundamentals: Algorithms, the integers, and matrices

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Number Theory. Number Theory. 6.1 Number Theory

Wilson s Theorem and Fermat s Little Theorem

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

The set of integers will be denoted by Z = {, -3, -2, -1, 0, 1, 2, 3, 4, }

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

University of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?

Blankits and Covers Finding Cover with an Arbitrarily Large Lowest Modulus

Signatures and DLP. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Chapter 3 Basic Number Theory

4 Powers of an Element; Cyclic Groups

Discrete Logarithm Problem

The numbers 1, 2, 3, are called the counting numbers or natural numbers. The study of the properties of counting numbers is called number theory.

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Divisibility of Natural Numbers

Number Theory. Zachary Friggstad. Programming Club Meeting

CRYPTOGRAPHIC COMPUTING

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology.

Commutative Rings and Fields

A group of figures, representing a number, is called a numeral. Numbers are divided into the following types.

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Experience in Factoring Large Integers Using Quadratic Sieve

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Computational Number Theory. Adam O Neill Based on

MTH 346: The Chinese Remainder Theorem

7.2 Applications of Euler s and Fermat s Theorem.

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

MATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions

MATH 3240Q Introduction to Number Theory Homework 4

HOW TO FIND SMOOTH PARTS OF INTEGERS. 1. Introduction. usually negligible Smooth part of x. usually negligible Is x smooth?

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Signature: (In Ink) UNIVERSITY OF MANITOBA TEST 1 SOLUTIONS COURSE: MATH 2170 DATE & TIME: February 11, 2019, 16:30 17:15

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Applied Cryptography and Computer Security CSE 664 Spring 2017

Remainders. We learned how to multiply and divide in elementary

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

Discrete Math, Fourteenth Problem Set (July 18)

CPSC 467: Cryptography and Computer Security

Number Tree LCM HCF Divisibility Rules Power cycle Remainder Theorem Remainder of powers a n b n Last and Second last digit Power of Exponents Euler s

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

D. J. Bernstein University of Illinois at Chicago

4. Congruence Classes

Computer Architecture 10. Residue Number Systems

Integer Factorization and Computing Discrete Logarithms in Maple

CSE 521: Design and Analysis of Algorithms I

Notes on Systems of Linear Congruences

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

COMP4109 : Applied Cryptography

Senior Math Circles Cryptography and Number Theory Week 2

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

Part V. Chapter 19. Congruence of integers

Advanced Implementations of Tables: Balanced Search Trees and Hashing

8 Primes and Modular Arithmetic

Week 1 Factor & Remainder Past Paper Questions - SOLUTIONS

ENHANCING THE PERFORMANCE OF FACTORING ALGORITHMS

Factorization & Primality Testing

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

M381 Number Theory 2004 Page 1

5 + 9(10) + 3(100) + 0(1000) + 2(10000) =

Introduction to Information Security

Algorithms and Networking for Computer Games

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

MATH 4400 SOLUTIONS TO SOME EXERCISES. 1. Chapter 1

CS1802 Week 11: Algorithms, Sums, Series, Induction

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Transcription:

Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness D. J. Bernstein

The Q sieve factors by combining enough -smooth congruences ( + ). Enough log. Plausible conjecture: if exp 1 2 + (1) log log log then 2+ (1) congruences have enough smooth congruences. Linear sieve, quadratic sieve, number-field sieve: similar.

How to figure out which congruences are smooth? Could use trial division: For each congruence, remove factors of 2, remove factors of 3, remove factors of 5, etc.; use all primes. 3+ (1) bit operations: 1+ (1) for each congruence. Want something faster!

( Textbook answer: Sieving. Generate in order of, then sort in order of, all pairs ( ) with in range and ( + ) Z. Pairs for one are ( ), (2 ), (3 ), etc. and ( mod ) ) etc. (lg ) (1) bit operations for each congruence.

Do record-setting factorizations use the textbook answer? No! Sieving has two big problems. First problem: Sieving needs large range, 1+ (1) consecutive values. Limits number of sublattices, so limits smoothness chance. Can eliminate this problem using remainder trees.

Given 1 2 together having, (lg ) (1) bits: Can compute 1 2 with (lg ) (1) operations. Actually compute product tree of 1 2 Root: 1 2 Left subtree if 2: product tree of 1 Right subtree if 2: product tree of. 2. 2 +1..

e.g. tree for 23 29 84 15 58 19: 23 667 926142840 56028 29 84 15 Obtain each level of tree with 16530 870 19 58 (lg ) (1) operations by multiplying lower-level pairs. Use FFT-based multiplication.

Remainder tree of 1 2 has one node mod for each node in product tree of 1 2. e.g. remainder tree of 223092870 23 29 84 15 58 19: 223092870 45402 3990 46 42 510 0 0 17 0 46

Use product tree to compute product of primes. Use remainder tree to compute mod 1 mod 2. Now 1 is -smooth iff 2 mod 1 = 0 for minimal 0 with 2 2 1. Similarly 2 etc. Total (lg ) (1) operations if 1 2 together have (lg ) (1) bits.

Second problem with sieving, not fixed by remainder trees: Need 1+ (1) bits of storage. Real machines don t have much fast memory: it s expensive. Effect is not visible for small computations on single serial CPUs, but becomes critical in huge parallel computations. How to quickly find primes above size of fast memory?

The rho method Define 0 = 0, +1 = 2 + 11. Every prime 2 20 divides = ( 1 2)( 2 4)( 3 ( 3575 7150). Also many larger primes. 6) Can compute gcd using 2 14 multiplications mod, very little memory. Compare to 2 16 divisions for trial division up to 2 20.

More generally: Choose. Compute gcd where = ( 1 2)( 2 4) ( 2 ). How big does have to be for all primes to divide? Plausible conjecture: 1 2+ (1) ; so 1 2+ (1) mults mod. Reason: Consider first collision in 1 mod 2 mod. If mod = mod then mod = 2 mod for ( )Z [ ] [ ].

1 1)Z The method Have built an integer divisible by all primes. Less costly way to do this? First attempt: Define 1 = 2 ( ) 1 where ( ) = lcm 1 2 3. If ( ) ( then 1 Z. Can tweak to find more s: e.g., could instead use product of 2 ( ) 1 and 2 ( ) 1 for all primes [ + 1 log ]; could replace ( ) by ( ) 2.

e.g. = 20: ( ) = 2 4 3 2 5 7 11 13 17 19 = 232792560. 1 = 2 ( ) 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 53, 61, 67, 71, 73, 79, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199, etc. Compute 1 with 34 mults.

1 As : (1 44 + (1)) multiplications to compute 1. Dividing ( ) is stronger than -smoothness but not much. Plausible conjecture: if exp 1 2 + (1) log log log then with chance 1 divides ( ) 1+ (1) for uniform random prime. So method finds some primes at surprisingly high speed. What about the other primes?

The + 1 method Second attempt: Define 0 = 2, 1 = 10, 2 = 2 2, 2 +1 = +1 1. Define 2 = ( ) 2. Point of formulas: = in Z[ ] ( + 2 10 If ( ) ( + 1)Z + 1). and 10 2 4 non-square in F then ] 2 + 1) F [ ( 10 is a field so 2 Z.

e.g. = 20, ( ) = 232792560: 2 = ( ) 2 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 37, 41, 43, 53, 59, 67, 71, 73, 79, 83, 89, 97, 103, 109, 113, 131, 151, 179, 181, 191, 211, 227, 233, 239, 241, 251, 271, 307, 313, 331, 337, 373, 409, 419, 439, 457, 467, 547, 569, 571, 587, 593, 647, 659, 673, 677, 683, 727, 857, 859, 881, 911, 937, 967, 971, etc.

The elliptic-curve method Fix 6 10 14 18. Define 1 = 2, 1 = 1, 2 = 2 ( 2 ) 2, 2 + + 2 ), 2 = 4 ( 2 +1 = 4( +1 +1) 2, 2 +1 = 8( +1 +1) 2. Define = ( ). Have now supplemented 1 2 with 6, 10, 14, etc. Variability of is important.

2 Point of formulas: If ( 2 4)(4 + 10) Z then th multiple of (2 1) on the elliptic curve (4 + 10) 2 = 3 + over F is ( ). 2 + If ( 2 4)(4 + 10) Z and ( ) (order of (2 1))Z then Z. Order of elliptic-curve group depends on but is always in [ + 1 + 1 + 2 ].

Consider smallest such that product of for first choices of is divisible by every. Plausible conjecture: exp 1 2 + (1) log log log. Computing this product takes 12 2 mults; i.e. exp (2 + (1))log log log.

Early aborts Neverending supply of congruences initial selection Smallest congruences Partial factorizations using primes 1 2 early abort Smallest unfactored parts Partial factorizations using primes final abort Smooth congruences

Say we use trial division. Time 1 2+ (1) for 1 2. Time 1+ (1) for. Say we choose smallest so that each congruence has chance 1 2+ (1) 1+ (1) of surviving early abort. Fact: A has chance -smooth congruence 1 4+ (1) of surviving early abort. Have reduced trial-division time by factor 1 2+ (1). Have reduced identify-a-smooth time by factor 1 4+ (1).

More generally, can abort at 1, 2, etc. to reduce trial-division time by factor 1 1 + (1). This reduces identify-a-smooth time by factor (1 1 ) 2+ (1). Generalize beyond trial division to sieving, remainder trees, trial division, rho, ECM. Use many aborts to combine many methods into one grand unified method for smoothness detection.

Are all primes small? Instead of using these methods to find smooth congruences, can apply them directly to. Worst case: is product of two primes. Take. Number of mults mod in elliptic-curve method: exp (2 + (1))log log log = exp (1 + (1))log log log.

Faster than Q sieve. Comparable to quadratic sieve, using much less memory. Slower than number-field sieve for sufficiently large. One elliptic-curve computation found a prime 2 219 in 3 10 12 Opteron cycles. Fairly lucky in retrospect.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback