Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Similar documents
part 2: detecting smoothness part 3: the number-field sieve

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

There are four irrational roots with approximate values of

Math 109 HW 9 Solutions

Dixon s Factorization method

Discrete Logarithm Problem

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

EAD 115. Numerical Solution of Engineering and Scientific Problems. David M. Rocke Department of Applied Science

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Elementary factoring algorithms

Fully Deterministic ECM

Addition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven

Arithmetic, Algebra, Number Theory

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

F O R SOCI AL WORK RESE ARCH

Integers and Division

SMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance

Block vs. Stream cipher

Computational algebraic number theory tackles lattice-based cryptography

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

Math 101 Study Session Spring 2016 Test 4 Chapter 10, Chapter 11 Chapter 12 Section 1, and Chapter 12 Section 2

Number theory (Chapter 4)

Another Attempt to Sieve With Small Chips Part II: Norm Factorization

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Lecture 6: Cryptanalysis of public-key algorithms.,


Lecture Notes. Advanced Discrete Structures COT S

CPSC 467b: Cryptography and Computer Security

The tangent FFT. D. J. Bernstein University of Illinois at Chicago

COMP4109 : Applied Cryptography

UNIQUE FJORDS AND THE ROYAL CAPITALS UNIQUE FJORDS & THE NORTH CAPE & UNIQUE NORTHERN CAPITALS

Self-Testing Polynomial Functions Efficiently and over Rational Domains

What is The Continued Fraction Factoring Method

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

Modular polynomials and isogeny volcanoes

2. Limits at Infinity

Introduction to Arithmetic Geometry Fall 2013 Lecture #2 09/10/2013

3.4. ZEROS OF POLYNOMIAL FUNCTIONS

D. J. Bernstein University of Illinois at Chicago

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Lab 2 Iterative methods and eigenvalue problems. Introduction. Iterative solution of the soap film problem. Beräkningsvetenskap II/NV2, HT (6)

Industrial Strength Factorization. Lawren Smithline Cornell University

Some Facts from Number Theory

Discrete Math, Fourteenth Problem Set (July 18)

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University

Topics in Computer Mathematics

MATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

4 Number Theory and Cryptography

1 Overview and revision

Homework #2 solutions Due: June 15, 2012

Slide 1 / 69. Slide 2 / 69. Slide 3 / 69. Whole Numbers. Table of Contents. Prime and Composite Numbers

Basic Equation Solving Strategies

Shor s Prime Factorization Algorithm

Computational algebraic number theory tackles lattice-based cryptography

Math 131 notes. Jason Riedy. 6 October, Linear Diophantine equations : Likely delayed 6

Basic elements of number theory

Basic elements of number theory

Computing modular polynomials with the Chinese Remainder Theorem

With Question/Answer Animations. Chapter 4

Chapter 3: Polynomial and Rational Functions

CMSC Discrete Mathematics SOLUTIONS TO SECOND MIDTERM EXAM November, 2005

3 The fundamentals: Algorithms, the integers, and matrices

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Overview of Computer Algebra

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

CHAPTER 1 REAL NUMBERS KEY POINTS

Applications of Discrete Mathematics to the Analysis of Algorithms

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Discrete Structures Lecture Primes and Greatest Common Divisor

AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS

Factorization & Primality Testing

A Number Theorist s Perspective on Dynamical Systems

The number field sieve in the medium prime case

(x 1 +x 2 )(x 1 x 2 )+(x 2 +x 3 )(x 2 x 3 )+(x 3 +x 1 )(x 3 x 1 ).

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

CONTINUED FRACTIONS, PELL S EQUATION, AND TRANSCENDENTAL NUMBERS

Equations in Quadratic Form

The Completion of a Metric Space

RSA Implementation. Oregon State University

MAT 243 Test 2 SOLUTIONS, FORM A

CDM. Recurrences and Fibonacci

MA094 Part 2 - Beginning Algebra Summary

Bjorn Poonen. MSRI Introductory Workshop on Rational and Integral Points on Higher-dimensional Varieties. January 17, 2006

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Part 2 - Beginning Algebra Summary

Transcription:

The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago

Prelude: finding denominators 87366 22322444 in R. Easily compute digits 22322444 given 87 366. Can we work backwards: find 87 366 given digits 22322444? 2-dim integer-relation finding ; 2-dim lattice-basis reduction ; half-gcd computation ; etc. Yes, via continued fractions.

Compute successively (22322444 2) 4358823; (4358823 4) 326923; (326923 3) 37428; (37428 3) 4; (4 ) 25; (25 2) 2 2. Evidently 22322444 is very close to the continued fraction 2 + 4 + 3+ 3+ + 2+ 2 = 87 366.

Can obtain Ý-digit numerator and Ý-digit denominator from 2Ý digits of quotient. Ý(lg Ý) Ç() bit operations using fast multiplication, fast continued fractions. Analogous polynomial algorithms find two Ý-coefficient polynomials from 2Ý coefficients of their power-series quotient. Ý(lg Ý) Ç() coefficient operations using fast algorithms.

Linear algebra Ý Ý matrix Å over F 2 specifies linear map F Ý 2 FÝ 2. e.g. Å = ¼ specifies (Ú Ú 2 Ú 3 Ú 4 ) (Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 ). ½

Subroutine in Q sieve etc., combining smooth congruences to form a square: Find linear dependency = find nonzero kernel element = find nonzero nullspace element : find nonzero Ú ¾ F Ý 2 with ÅÚ =. e.g. previous Å(Ú Ú 2 Ú 3 Ú 4 ) is only if (Ú Ú 2 Ú 3 Ú 4 ) =, so can t find linear dependency.

Solve linear equations : given Û ¾ F Ý 2, find some Ú ¾ F Ý 2 with ÅÚ = Û. e.g. given Û = ( ) and Å = ¼ ½ : find (Ú Ú 2 Ú 3 Ú 4 ) with (Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 Ú + Ú 2 + Ú 3 + Ú 4 ) = Û.

We have fast methods to solve linear equations. Easily apply those methods to find linear dependencies, if any dependencies exist. Choose uniform random Ö ¾ F Ý 2 ; compute Û = ÅÖ; use linear-equation solver to find Ú with ÅÚ = Û. This produces uniform random kernel element, namely Ú Ö. Try again if Ú = Ö.

Elimination solves linear equations using Ç(Ý 3 ) bit operations. Series denominators solve linear equations using Ý 2+Ó() bit operations if the equations are sparse. Sparse : can evaluate Ú ÅÚ using Ý +Ó() bit operations. Certainly true in Q sieve with usual choices of Ý.

Series denominators ¼ ½ e.g. Given Û = Å = ¼ Have magic equation and ½ : Û + Å 3 Û + Å 4 Û = implying Û = ÅÚ for Ú = Å 2 Û Å 3 Û. How did I find magic equation? First explore its consequences.

Consider the power series Ë = Û+(ÅÛ)Ø+(Å 2 Û)Ø 2 + = ¼ ½ + ¼ ½ Ø + ¼ ½ Ø 2 + ¼ ½ Ø 3 + ¼ ½ Ø 4 + ¼ ½ Ø 5 + ¼ ½ Ø 6 + ¼ ½ Ø 7 + in F 4 2 [[Ø]].

Ë is rational: Ë( + Ø + Ø 4 ) = ¼ ½ Ø 2 + ¼ ¼ ½ Ø 3. ½ + ¼ ½ Ø + For Ò 4, coefficient of Ø Ò in ( È Å ÛØ )( + Ø + Ø 4 ) is Å Ò Û + Å Ò Û + Å Ò 4 Û = Å Ò 4 (Å 4 Û + Å 3 Û + Û) = by magic equation.

Squeeze Ë by projecting from F 4 2 [[Ø]] to F 2[[Ø]]. e.g. Define Ö = ( ). ÖË = ÖÛ + ÖÅÛØ + ÖÅ 2 ÛØ 2 + = Ø+Ø 5 +Ø 6 +Ø 7 +Ø 8 +Ø +. Have ÖË( + Ø + Ø 4 ) = Ø + Ø 2. Similar for every Ö : F 4 2 F 2. The series ÖË ¾ F 2 [[Ø]] is rational, specifically a poly of degree 4 divided by + Ø + Ø 4. Can use continued fractions to quickly find denominator +Ø+Ø 4, and thus to find magic equation.

In general, given Û ¾ F Ý 2 and Å : F Ý 2 FÝ 2, find magic equation as follows. Pick Ö : F Ý 2 F 2. Compute first 2Ý terms of series ÖÛ + ÖÅÛØ + ÖÅ 2 ÛØ 2 + in F 2 [[Ø]]. Use continued fractions to find denominator of series. Repeat for a few random Ö s, compute lcm of denominators. With very high probability obtain denominator of series Û + ÅÛØ + Å 2 ÛØ 2 +.

If final denominator is Ô Ø Ý + Ô Ø Ý + + Ô Ý Ø then Ô Û + Ô ÅÛ + + Ô Ý Å Ý Û =. If Ô = then Û = ÅÚ where Ú = Ô Û Ô Ý Å Ý Û. If Ô = then use slightly more complicated algorithm to solve linear equation. But still easy to find linear dependency. Overall there are Ç(Ý) applications of Å. Total Ý 2+Ó() bit operations if Å is sparse.

Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists parameters, is Ä 9+Ó() where Ä = exp((log Ò) 3 (log log Ò) 23 ). What are theorists parameters? Choose degree with (log Ò) 3 (log log Ò) 3 ¾ 4 + Ó().

Choose integer Ñ Ò. Write Ò as Ñ + Ñ + + Ñ + with each below Ò (+Ó()). Choose with some randomness in case there are bad s. Test smoothness of Ñ for all coprime pairs ( ) with Ä 95+Ó(), using primes Ä 95+Ó(). Ä 9+Ó() pairs. Conjecturally Ä 65+Ó() smooth values of Ñ.

Use Ä 2+Ó() number fields. For each ( ) with smooth Ñ, test smoothness of «and and so on, using primes Ä 82+Ó(). Ä 77+Ó() tests. Each () Ñ 286+Ó(). Conjecturally Ä 95+Ó() smooth congruences. Ä 95+Ó() components in the exponent vectors.

Three sizes of numbers here: (log Ò) 3 (log log Ò) 23 bits: Ý,,. (log Ò) 23 (log log Ò) 3 bits: Ñ, Ñ, (). log Ò bits: Ò. Unavoidably 3 in exponent: usual smoothness optimization forces (log Ý) 2 log Ñ; balancing norms with Ñ forces log Ý log Ñ; and log Ñ log Ò.

The number-field sieve is asymptotically much faster than the quadratic sieve and the elliptic-curve method. Also works well in practice. Latest record: NFS found two prime factors 2 332 of RSA-2 challenge, using 5 8 Opteron cycles.

Batch NFS The number-field sieve used Ä 9+Ó() bit operations finding smooth Ñ; only Ä 77+Ó() bit operations finding smooth (). Many Ò s can share one Ñ; Ä 9+Ó() bit operations to find squares for all Ò s. Oops, linear algebra hurts; fix by reducing Ý. But still end up factoring batch in much less time than factoring each Ò separately.

Polynomial selection Many choices of NFS polynomial. Which choices are best? Consider, e.g., poly degree = 5. Select integer Ñ ¾ [Ò 6 Ò 5 ]; find integers 5 4 with Ò = 5 Ñ 5 + 4 Ñ 4 + + ; for various integers inspect ( Ñ)( 5 5 + 4 4 + + 5 ). Practically every choice of Ñ will succeed in factoring Ò. For speed want smallest possible ( Ñ)( 5 5 + 4 4 + + 5 ).

e.g. Ò = 3459265358979323: Can choose Ñ =, 5 = 34, 4 = 59, 3 = 265, 2 = 358, = 979, = 323. NFS succeeds in factoring Ò by inspecting congruences ( )(34 5 + + 323 5 ) for various integer pairs ( ). But NFS succeeds more quickly using Ñ = 37, inspecting ( 37)(65 5 + 3 4 + 38 3 2 + 377 2 3 + 27 4 + 33 5 ).

Consider, e.g., 2 45 possible choices of Ñ. Quickly identify, e.g., 2 25 attractive candidates. Will choose one Ñ later. If ËÊ and Ë Ê then ( Ñ)(5 5 + + 5 ) (Ñ Ë)Ê 6 where (Ñ Ë) = (ÑË +Ë)( 5 Ë 5 + + Ë 5 ). Attractive Ñ Ë: small (Ñ Ë).

Choosing one typical Ñ Ò 6 produces (Ñ ) Ò 26. Question: How much time do we need to save factor of to find Ñ Ë with (Ñ Ë) Ò 26? This has as much impact as chopping 3 lg bits out of Ò. Searching for good values of Ñ takes noticeable fraction of total time of optimized NFS. (If not, consider more Ñ s!) End up with rather large.

Conjectured time 75+Ó() : Enumerate many possibilities for Ñ near 25 Ò 6. Have 5 25 Ò 6. 4 3 2 could be as large as 25 Ò 6. Hope that they are smaller, on scale of 25 Ò 6, so (Ñ ) Ò 26. Conjecturally this happens within roughly 75 trials.

Conjectured time 6+Ó() : Skip through Ñ s with small 4. Say Ò = 5 Ñ 5 + 4 Ñ 4 + +. Choose integer 4 5 5. Write Ò in base Ñ + : Ò = 5 (Ñ + ) 5 + ( 4 5 5 )(Ñ + ) 4 +. Now degree-4 coefficient is on same scale as 5. Hope for small 3 2.

Conjectured time 45+Ó() : Increase Ë. Enumerate many possibilities for Ñ near Ò 6. Have 5 5 Ò 6. 4 3 2 could be as large as Ò 6. Force small 4. Hope for 3 on scale of 2 Ò 6, 2 on scale of 5 Ò 6. Then (Ñ 75 ) Ò 26.

Conjectured time 35+Ó() : Partly control 3. Say Ò = 5 Ñ 5 + 4 Ñ 4 + +. Choose integer 4 5 5 and integer Ñ5 5. Find all short vectors in lattice generated by (Ñ 3 5 2 4 4 + 3 ), ( Ñ 4 2 5 4 4 ), ( Ñ 5 5 2 ), ( Ñ).

Hope for Ú below with ( 5 2 4 4 + 3 ) + (2 5 4 4 )Ú + ( 5 2 )Ú 2 below Ñ 3 modulo Ñ. Write Ò in base Ñ + + Ú. Obtain degree-5 coefficient on scale of 5 Ò 6 ; degree-4 coefficient on scale of 4 Ò 6 ; degree-3 coefficient on scale of 2 Ò 6. Hope for good degree 2.

After selecting attractive Ñ s, how to identify best (Ñ Ý)? Could check smoothness of some congruences for each Ñ to estimate smoothness chance. But this is expensive: smooth congruences are rare; need quite a few of them before estimate is reliable. Want something faster, to test more (Ñ Ý) s.

Quickly and accurately estimate number of small congruences by numerically approximating a superelliptic integral. Quickly and accurately estimate congruence smoothness chance by approximating distribution of a Dirichlet series. So can estimate cost of finding more smooth congruences than exponent-vector length. In practice: Fewer required. Open: Estimate how many.

Given À Ñ 5 : How many congruences survive initial selection of small congruences? Consider integer pairs ( ) with Z + Z = Z and. How many congruences ( Ñ)( 5 5 + + 5 ) are in [ À À]? bound is quite crude. Can instead enumerate s, count s for each.

Faster: Numerically approximate the area of ( ) ¾ R R : ¾ [ À À]. Number of qualifying pairs is extremely close to (3 2 )À 26 Ê ½ ½ Ü((Ü)2 ) 6 where (Ü) = (Ü Ñ)( 5 Ü 5 + + ). Evaluate superelliptic integral by standard techniques: partition, use series expansions.

What is chance that a uniform random integer in [ À] is, e.g., -smooth? Define Ë as the set of -smooth integers Ò. The Dirichlet series for Ë is È [Ò ¾ Ë]Ü lg Ò = ( + Ü lg 2 + Ü 2 lg 2 + Ü 3 lg 2 + ) ( + Ü lg 3 + Ü 2 lg 3 + Ü 3 lg 3 + ) ( + Ü lg 5 + Ü 2 lg 5 + Ü 3 lg 5 + ) ( + Ü lg 999983 + Ü 2 lg 999983 + ).

Replace primes 2 3 5 999983 with slightly larger real numbers 2 = 8, 3 = 2, 5 = 7,, 999983 = 45. Replace each 2 3 in Ë with 2 3, obtaining multiset Ë. The Dirichlet series for Ë is È [Ò ¾ Ë]Ü lg Ò = ( + Ü lg 2 + Ü 2 lg 2 + Ü 3 lg 2 + ) ( + Ü lg 3 + Ü 2 lg 3 + Ü 3 lg 3 + ) ( + Ü lg 5 + Ü 2 lg 5 + Ü 3 lg 5 + ) ( + Ü lg 999983 + Ü 2 lg 999983 + ).

This is simply a power series Ý + Ý + = ( + Ý 8 + Ý 2 8 + Ý 3 8 + ) ( + Ý 2 + Ý 2 2 + Ý 3 2 + ) ( + Ý 7 + Ý 2 7 + Ý 3 7 + ) ( + Ý 45 + Ý 2 45 + ) in the variable Ý = Ü lg. Compute series mod (e.g.) Ý 29 ; i.e., compute 299. Ë has + + 299 elements 299 2 4, so Ë has at least that many elements 2 4.

Can modify Dirichlet series to modify notion of smoothness. Use + Ü lg 999983 instead of ( + Ü lg 999983 + Ü 2 lg 999983 + ) to throw away Ò s having more than one factor 999983. Multiply Ý + + 299 Ý 299 by Ü lg 3 + + Ü lg 999999937 to allow Ò s that are -smooth integers 2 4 times one prime in [ 6 9 ].

Number-field smoothness: replace + Ü lg Ô + Ü 2 lg Ô + with + Ü lg Æ(È) + Ü 2 lg Æ(È) + where È is ideal, Æ is norm. In all of these situations, can compute an upper bound on number of smooth values to check tightness of lower bound. If looser than desired, move closer to. Achieve any desired accuracy.

Smoothness chance for «in Q(«) is, conjecturally, very close to smoothness chance for ideals of the same size. Same for ( Ñ «) in Q Q(«). Integrate size distribution of ( Ñ)( «) against smoothness distribution of ideals.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback