Industrial Strength Factorization. Lawren Smithline Cornell University

Similar documents
Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

God may not play dice with the universe, but something strange is going on with the prime numbers.

Running time predictions for square products, and large prime variations. Ernie Croot, Andrew Granville, Robin Pemantle, & Prasad Tetali

Primes. Rational, Gaussian, Industrial Strength, etc. Robert Campbell 11/29/2010 1

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Number Theory Marathon. Mario Ynocente Castro, National University of Engineering, Peru

Number Theory Marathon. Mario Ynocente Castro, National University of Engineering, Peru

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

ECEN 5022 Cryptography

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Dixon s Factorization method

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Here is another characterization of prime numbers.

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

Sieve-based factoring algorithms

Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

Integer factorization, part 1: the Q sieve. D. J. Bernstein

SMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

1. Algebra 1.7. Prime numbers

Algorithms (II) Yu Yu. Shanghai Jiaotong University

A Few Primality Testing Algorithms

Great Theoretical Ideas in Computer Science

CSE 521: Design and Analysis of Algorithms I

Primes and Factorization

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

RSA Cryptosystem and Factorization

Discrete Math, Fourteenth Problem Set (July 18)

PRACTICE PROBLEMS: SET 1

MATH 145 Algebra, Solutions to Assignment 4

Prime Numbers and Irrational Numbers

7.2 Applications of Euler s and Fermat s Theorem.

Riemann s Zeta Function and the Prime Number Theorem

Basic Algorithms in Number Theory

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Introduction: Pythagorean Triplets

Advanced Algorithms and Complexity Course Project Report

Factorization & Primality Testing

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Theoretical Cryptography, Lectures 18-20

Applied Cryptography and Computer Security CSE 664 Spring 2017

Lecture 11 - Basic Number Theory.

Solutions to Practice Final

Kim Bowman and Zach Cochran Clemson University and University of Georgia

Lecture 1: Introduction to Public key cryptography

A Guide to Arithmetic

Lecture 14: Hardness Assumptions

not to be republished NCERT REAL NUMBERS CHAPTER 1 (A) Main Concepts and Results

Elementary factoring algorithms

COMP4109 : Applied Cryptography

Arithmetic, Algebra, Number Theory

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Chapter 1. Introduction to prime number theory. 1.1 The Prime Number Theorem

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology.

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

7. Prime Numbers Part VI of PJE

NORTHWESTERN UNIVERSITY Thrusday, Oct 6th, 2011 ANSWERS FALL 2011 NU PUTNAM SELECTION TEST

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

Lecture 6: Cryptanalysis of public-key algorithms.,

WORKSHEET ON NUMBERS, MATH 215 FALL. We start our study of numbers with the integers: N = {1, 2, 3,...}

Some Own Problems In Number Theory

Theorem 1.1 (Prime Number Theorem, Hadamard, de la Vallée Poussin, 1896). let π(x) denote the number of primes x. Then x as x. log x.

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Chapter 1. Introduction to prime number theory. 1.1 The Prime Number Theorem

Cryptography IV: Asymmetric Ciphers

Winter Camp 2009 Number Theory Tips and Tricks

Wednesday, February 21. Today we will begin Course Notes Chapter 5 (Number Theory).

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

What is The Continued Fraction Factoring Method

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Number Theory. Zachary Friggstad. Programming Club Meeting

MA094 Part 2 - Beginning Algebra Summary

Part 2 - Beginning Algebra Summary

Discrete Logarithms. Let s begin by recalling the definitions and a theorem. Let m be a given modulus. Then the finite set

The 98th Mathematics Colloquium Prague November 8, Random number theory. Carl Pomerance, Dartmouth College

CSC 373: Algorithm Design and Analysis Lecture 30

Improving Lenstra s Elliptic Curve Method

1. multiplication is commutative and associative;

MATHEMATICS 6180, SPRING 2017 SOME MOTIVATIONAL PROBLEMS IN NUMBER THEORY. p k

Summary Slides for MATH 342 June 25, 2018

FERMAT S TEST KEITH CONRAD

On prime factors of subset sums

AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS

that if a b (mod m) and c d (mod m), then ac bd (mod m) soyou aren't allowed to use this fact!) A5. (a) Show that a perfect square must leave a remain

MATH CSE20 Homework 5 Due Monday November 4

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

. As the binomial coefficients are integers we have that. 2 n(n 1).

One-to-one functions and onto functions

Basic elements of number theory

Basic elements of number theory

Transcription:

Industrial Strength Factorization Lawren Smithline Cornell University lawren@math.cornell.edu http://www.math.cornell.edu/~lawren

Industrial Strength Factorization Given an integer N, determine the prime divisors of N. Definition. An integer p is prime means: 1/p is not an integer, and for integers a, b, if p ab, then p a or p b.

Industrial Strength Factorization Application: break certain public key cryprography. Metaproblem I: How much does it cost to factor a d digit number N? Metaproblem II: Given d, design a strategy for picking N which maximizes the cost to factor. Metaproblem III: Given a determined adversary who has solved Metaproblem II and who picks N, how much does it cost to factor N?

Fast and Slow Definition (for today) A fast algorithm is one which runs in polynomial time in the length of its input. Example. Multiplication of two numbers N 1 and N 2 each with at most d digits. about 2d 2 operations, depending how you count. 1 3 7 3 7 4 9 2 1 2 1 9 7 + 3 5 0 6 9

Fast and Slow Fast examples: Let N be a d digit integer. Write N on the board: O(d). For a < N, compute Na: O(d 2 ). For a < N, compute GCD(N, a): O(d 3 ).

Fast and Slow What is slow? Factor an odd integer N by trial division. Example N = 209. try 3 try 5 try 7 try 9 try 11!

Fast and Slow To factor N with d digits by trial division, we may have to go up to N, which has about d/2 digits. Slow example: O( N) = O(exp(d/2)). For d = 150, at speed of 10 9 trials / second, trial division potentially takes 10 66 seconds. One year is π 10 7 seconds. π = 10. π 10 58 years is a long time.

Trial Division Trial division is great for finding small factors. The adversary picks N with exactly two prime divisors, both large. What if we magically knew prime numbers? We wouldn t have to try 9 or 77. Definition. π(x) is the number of primes between 1 and x. Now check only π( N) things.

Trial Division Definition. π(x) is the number of primes between 1 and x. Chebyshev s Theorem π(x) > x/2 log x. Prime Number Theorem (1896) π(x) x/ log x. conjectured by Gauss, proved by Hadamard and de la Vallée-Poussin. Conclusion. O(π( N)) is still slow. Fun fact: p prime s<p s+100 e 100.

Summary of Fast and Slow Definition. L N [v, λ] is O(exp(λ(log N) v (log log N) 1 v )). L N [v] includes L N [v, λ] for every λ. L N [1] is slow. e.g. trial division. L N [0] is fast, e.g. GCD(N, a). Avoid embarrassment! Check whether N is composite. Answering Is N composite? is L[0]. New result in 02. Previous best was O((log N) c log log log N ).

Analytical Estimate Let Ψ(x, y) be number of integers between 1 and x with all prime divisors less than y. Theorem For u sufficiently large and x > 1, Ψ(x, x 1/u ) > x/u u(1+o(1)). Lemma (Canfield-Erdős-Pomerance) There is a constant c such that for u > c and all x > 1, if u > (log x) 3/8, then Ψ(x, x 1/u ) > x/u 3u.

Analytical Estimate Lemma (Canfield-Erdős-Pomerance) There is a constant c such that for u > c and all x > 1, if u > (log x) 3/8, then Ψ(x, x 1/u ) > x/u 3u. Proof. If x < u 3u, trivial. Suppose x u 3u c 3c c 3. By Chebyshev, π(x 1/u ) > ux 1/u /2 log x. Let m = u ; u = m + θ. Let π (y) = max(1, π(y)).

Analytical Estimate Lemma (Canfield-Erdős-Pomerance) There is a constant c such that for u > c and all x > 1, if u > (log x) 3/8, then Ψ(x, x 1/u ) > x/u 3u. Proof (continued). Claim. (2 log x) m+1 < u 3u : (2 log x) m+1 < (2 log x) u+1. For u > 3 and u log 3/8 x, (2 log x) u+1 (u 3 ) u.

Analytical Estimate Lemma (Canfield-Erdős-Pomerance) There is a constant c such that for u > c and all x > 1, if u > (log x) 3/8, then Ψ(x, x 1/u ) > x/u 3u. Proof (concluded). Ψ(x, x 1/u ) > π(x 1/u ) m π (x θ/u )/(m + 1)! > (ux1/u ) m x θ/u 2u m log m+1 x = x/(2 log x) m+1 > x/u 3u. Exeunt Canfield, Erdős, and Pomerance. Enter Fermat.

Fermat s Method Quick... factor 3599. 3599 = 60 2 1 2. If x 2 y 2 (N), compute GCD(x y, N). 50% chance to get a factor of N, because (x y)(x + y) 0 (N). 3599 = 59 61.

Fermat s Method Fermat s method: for each x = 1, 2,..., check whether N + x 2 is a square. The adversary chooses N = pq with prime factors far away from N. p N 1/e will do. Now, Fermat s method is O( N), which is slow. Let s use another idea of Fermat.

Fermat s Method (This isn t the other useful Fermat idea.) Factor 64027. Yes, x 3 + y 3 = (x + y)(x 2 xy + y 2 ). But cubes are rarer than squares.

Pollard s p 1 Method Fermat s Little Theorem If p is prime and a Z, and GCD(a, p) = 1, then a p 1 1 (p). Given N, if a kind oracle would tell us p 1 for p dividing N, then a p 1 1 0 (p). Therefore, GCD(a p 1 1, N) is p or N. Pollard s method finds m such that (p 1) m. Thus, GCD(a m 1, N) is p or N.

Pollard s p 1 Method Let m j = LCM(1, 2,..., j). Given N = pq, for large enough j, p 1 divides m j. So: a m j 1 (p). Maybe a m j 1 (q). Then GCD(a m j 1, N) = p. Here s an example for N = 20701.

Pollard s p 1 Method for N = 20701 Pick a = 2. (If GCD(a, N), that s an instant win.) Let m j = LCM(1, 2,..., j). Let X j = 2 m j reduced modulo N. Let F j = GCD(X j 1, N). So N = 127 163. j m j X j F j 2 2 4 1 3 6 64 1 4 12 4096 1 5 60 6493 1 6 60 6493 1 7 420 17273 127 8 840 13717 127 9 2520 6986 127 Next: another example.

Pollard s p 1 Method for N = 5029 j m j X j F j 2 2 4 1 3 6 64 1 4 12 4096 1 5 60 1156 1 6 60 6493 1 7 420 4153 1 8 840 2968 1 9 2520 625 1 11 4920 1 13 4327 1 16 4991 1 17 850 1 19 2077 1 Better luck with the next method!

Pollard s p 1 Method Performance Pollard s method finds factors p such that prime power factors of p 1 are all small. Typical size of largest prime power factor of p 1 is p 1 1/e N 1/e 1/e2. So: Pollard s method is slow against a smart adversary.

Pollard s p 1 Method Performance The adversary already chooses: N = pq, the product of exactly two primes, p, q are not small. p, q are not too close to N (p N 1/e ) Now add: p 1, q 1 each have at least some large prime power factor.

Rational Sieve Method Given N, let s solve x 2 y 2 (N). Method: Find lots of integers a such that a and N + a have only small prime factors. Pick a subset of the a s such that i a i /(N + a i ) = s 2 /t 2. Conclude: For x = s, y = t, x 2 y 2 (N). GCD(x y, N) has even odds to be a prime divisor of N.

Rational Sieve Vocabulary Given N, we pick B, the smoothness bound. We treat a prime p less than B as small. An integer a is B-smooth means every prime p dividing a is less than B. The set B of small primes is the factor base. A pair (a, N + a) of smooth numbers is a relation or smooth relation. Here is an example with N = 5029, B = 20.

Rational Sieve for N = 5029 Factor N = 5029. Factor base B = {2, 3, 5, 7, 11, 13, 17, 19}. a a + N 2 3 5 7 11 13 17 19 A 11 5040 0 0 1 1 1 0 0 0 B 20 5049 0 1 1 0 1 0 1 0 C 25 5054 1 0 0 1 0 0 0 0 D 91 5120 0 0 1 1 0 1 0 0 E 119 5148 0 0 0 1 1 1 1 0 F 171 5200 0 0 0 0 0 1 0 1 G 196 5225 0 0 0 0 1 0 0 1 H 221 5250 1 1 1 1 0 1 1 0 I 275 5304 1 1 0 0 1 1 1 0 Eliminate 19 with F + G replacing F, G. Eliminate 2 and 3 with B + C + H and H + I replacing B, C, H, I.

Eliminate 19 with F + G. Eliminate 2 and 3 with B + C + H and H + I. 5 7 11 13 17 A 1 1 1 0 0 D 1 1 0 1 0 E 0 1 1 1 1 F + G 0 0 1 1 0 B + C + H 0 0 1 1 0 H + I 1 1 1 0 0 Only row E has 17, so strike it. Relations: A + H + I A + D + F + G B + C + F + G + H 5 7 11 13 H + I 1 1 1 0 A 1 1 1 0 D 1 1 0 1 F + G 0 0 1 1 B + C + H 0 0 1 1

Rational Sieve for N = 5029 Assembling relations: a a + N 2 3 5 7 11 13 17 19 A 11 5040 0 0 1 1 1 0 0 0 H 221 5250 1 1 1 1 0 1 1 0 I 275 5304 1 1 0 0 1 1 1 0 Now compute over Z, not mod 2: a/(a + N) 2 3 5 7 11 13 17 19 A 11/5040 4 2 1 1 1 0 0 0 H 221/5250 1 1 3 1 0 1 1 0 I 275/5304 3 1 2 0 1 1 1 0 A + H + I 8 4 2 2 2 0 0 0 11 2 (2 4 3 2 5 7) 2 For x = 11, y = 5040, x 2 y 2 (N). Alas, N = y x.

Rational Sieve for N = 5029 Assembling relations: a a + N 2 3 5 7 11 13 17 19 A 11 5040 0 0 1 1 1 0 0 0 D 91 5120 0 0 1 1 0 1 0 0 F 171 5200 0 0 0 0 0 1 0 1 G 196 5225 0 0 0 0 1 0 0 1 Now compute over Z, not mod 2: a/(a + N) 2 3 5 7 11 13 17 19 A 11/5040 4 2 1 1 1 0 0 0 D 91/5120 10 0 1 1 0 1 0 0 F 171/5200 4 2 2 0 0 1 0 1 G 196/5225 2 0 2 2 1 0 0 1 total 16 0 6 2 0 0 0 0 For x = 7, y = 2 8 5 3 = 32000, x 2 y 2 (N). Hooray! GCD(N, 32007) = 47.

Rational Sieve Performance How common are smooth numbers? From a random sample of integers of size L[v, λ], the fraction of L[w, µ] smooth ones is: Ψ(L[v, λ], L[w, µ])/l[v, λ]. The expected sample size to find one L[w, µ] smooth ones is: L[v, λ]/ψ(l[v, λ], L[w, µ]) = L[v w, (v w)λ/µ]. The expected sample size to find L[w, µ] smooth ones is: L[w, µ]l[v w, (v w)λ/µ].

Rational Sieve Performance We choose a small prime bound B of size L[w, µ]. Factor base B has size L[w, µ]. Search for smooth pairs a, N + a; a is B-smooth. N + a has size L[1, 1]. Search region size: L[1 w, (1 w)/µ]l[w, µ]. Linear algebra problem: L[w, µ] 2 = L[w, 2µ].

Rational Sieve Performance Search region size: L[1 w, (1 w)/µ]l[w, µ]. Minimize max(w, 1 w): w = 1/2. Search region size is: L[1/2, µ + 1/2µ]. Minimum at µ = 2/2. Search region size is: L[1/2, 2]. Linear algebra is also L[1/2, 2].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback