Algorithms for factoring


CSA E0 235: Cryptography, April 9, 2015
Instructor: Arpita Patra
Submitted by: Jay Oza, Niranjan Singh

Introduction

Factorisation of large integers has been a widely studied topic, mainly because of its practical applications in cryptography. The security of some of the most prominent public-key cryptosystems, such as RSA, relies on the assumption that factorisation is hard. However, the hardness of integer factorisation has not been proven, and a lot of work has gone into finding fast factoring algorithms. Here we discuss a few factoring algorithms that take fewer operations than the brute-force (trial division) algorithm:

- Pollard's $p-1$ algorithm
- Pollard's rho algorithm
- Quadratic Sieve algorithm

Fermat's Little Theorem, recalled next, is used in the analysis of these algorithms.

Theorem 1 (Fermat's Little Theorem). Let $p$ be a prime and $a \in \mathbb{Z}$ be relatively prime to $p$. Then $a^{p-1} \equiv 1 \pmod p$.

Throughout we consider the factorisation of integers of the form $N = pq$, where $p$ and $q$ are primes and $p < q$.

1 Pollard's $p-1$ Algorithm

1.1 The Main Idea

Consider an integer $m$ such that $(p-1) \mid m$ but $(q-1) \nmid m$. Choose $x \in \mathbb{Z}_N^*$ uniformly at random and compute $y = (x^m - 1) \bmod N$. By the Chinese Remainder Theorem we can write $x \leftrightarrow (x_p, x_q)$ with $x_p \in \mathbb{Z}_p^*$ and $x_q \in \mathbb{Z}_q^*$, and then
$$y \leftrightarrow (x_p, x_q)^m - (1, 1) = (x_p^m - 1 \bmod p,\; x_q^m - 1 \bmod q).$$
Since $(p-1) \mid m$, Fermat's Little Theorem gives $x_p^m = 1 \bmod p$, so
$$y \leftrightarrow (0,\; x_q^m - 1 \bmod q).$$
If $x_q^m \neq 1 \bmod q$, then $p \mid y$ but $q \nmid y$, which implies $\gcd(y, N) = p$. So with a single gcd computation we obtain a prime factor of $N$. Two problems remain: (1) how to select $m$, and (2) once $m$ has been selected with $(p-1) \mid m$ and $(q-1) \nmid m$, does $x_q^m \neq 1 \bmod q$ hold with high probability? We address the second question first.

1.2 The Algorithm Works (with High Probability)

Suppose $(p-1) \mid m$ and $(q-1) \nmid m$. As long as $x_q$ is a generator of $\mathbb{Z}_q^*$, Proposition 2 shows that $x_q^m \neq 1 \bmod q$: the order of $x_q$ is $q-1$, so $x_q^m = x_q^{[m \bmod (q-1)]}$, which equals $1$ only if $m \bmod (q-1) = 0$. (In fact it suffices that the order of $x_q$ does not divide $m$; a generator is just the easiest case to analyse.)

Proposition 2. Let $G$ be a finite group and $g \in G$ an element of order $i$. Then for any integer $x$ we have $g^x = g^{[x \bmod i]}$.

It remains to analyse the probability that $x_q$ is a generator of $\mathbb{Z}_q^*$. Since $\mathbb{Z}_q^*$ is a cyclic group of order $q-1$, Theorem 3 tells us that the number of generators is $\phi(q-1)$.

Theorem 3. Let $G$ be a cyclic group of order $q > 1$ with generator $g$. There are $\phi(q)$ generators of $G$, and these are exactly $\{g^x : x \in \mathbb{Z}_q^*\}$.

Since $x$ was chosen uniformly from $\mathbb{Z}_N^*$ and the Chinese Remainder Theorem gives a bijection between $\mathbb{Z}_N^*$ and $\mathbb{Z}_p^* \times \mathbb{Z}_q^*$, the component $x_q$ is uniformly distributed in $\mathbb{Z}_q^*$. Thus, by Theorem 4,
$$\Pr[x_q \text{ is a generator}] = \frac{\phi(q-1)}{q-1} = \Omega(1/\log q) = \Omega(1/n),$$
where $n$ is the length of $q$.

Theorem 4. For $N \ge 3$ of length $n$, we have $N/\phi(N) < 2n$.

By choosing multiple values of $x$ we can boost this probability. Now let us look at how to select an $m$ such that $(p-1) \mid m$ but $(q-1) \nmid m$.

1.3 Selecting an Appropriate $m$

One possible solution is to select
$$m = \prod_{i=1}^{k} p_i^{\lfloor n / \log p_i \rfloor},$$
where $p_i$ denotes the $i$-th prime and $n$ is the length of $N$ (an upper bound on the length of $p$). Note that $\lfloor n / \log p_i \rfloor$ is the maximum power of $p_i$ that can possibly divide $p-1$. If $p-1$ can be written as $\prod_{i=1}^{k} p_i^{e_i}$ with $e_i \ge 0$, then $(p-1) \mid m$. On the other hand, if $q-1$ has any prime factor greater than $p_k$, then $(q-1) \nmid m$. Increasing $k$ makes computing $m$ (and the exponentiation $x^m \bmod N$) more expensive, and for large $k$ the algorithm becomes impractical. Thus, for Pollard's $p-1$ algorithm to work efficiently it is important that $p-1$ have only small prime factors. We next look at another algorithm, Pollard's rho algorithm, which removes this assumption.
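To make Section 1 concrete, here is an added Python implementation of Pollard's $p-1$ algorithm as described above; it is example code written for these notes, not code from the lecture. It parameterises $m$ by the smoothness bound $B$ (the primes $p_1, \dots, p_k \le B$) and uses for each $p_i$ the largest exponent $e$ with $p_i^e \le N$, which is what $\lfloor n / \log p_i \rfloor$ approximates. The two sample moduli are constructed for the example: $N = 2311 \cdot 2027$, where $2310 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$ is $11$-smooth but $2026 = 2 \cdot 1013$ is not, so one trial with $B = 11$ yields $2311$; and $N' = 2027 \cdot 1019$, where both $p-1$ and $q-1$ have a large prime factor and the same trial returns the useless $\gcd = 1$.

```python
import math
import random


def primes_up_to(B):
    """Primes p <= B by trial division (fine for the small B used here)."""
    return [p for p in range(2, B + 1) if all(p % d for d in range(2, math.isqrt(p) + 1))]


def smooth_exponent(N, B):
    """m = prod_{p_i <= B} p_i^{e_i} with e_i the largest exponent such that
    p_i^{e_i} <= N (Section 1.3).  Any B-smooth p-1 then divides m."""
    m = 1
    for p in primes_up_to(B):
        e = 1
        while p ** (e + 1) <= N:
            e += 1
        m *= p ** e
    return m


def p_minus_1_step(N, m, x):
    """One trial of Section 1.1 for a unit x: gcd(x^m - 1, N).
    A value strictly between 1 and N is a factor.  1 means the trial failed
    (x_q^m == 1 mod q, or m missed a prime factor of p-1); N means x^m == 1
    modulo both primes."""
    return math.gcd((pow(x, m, N) - 1) % N, N)


def pollard_p_minus_1(N, B, trials=20, seed=0):
    """Repeat the trial for several random x (Section 1.2: each trial succeeds
    with probability Omega(1/n) when p-1 is B-smooth and q-1 is not).
    Returns a non-trivial factor of N, or None if every trial failed."""
    m = smooth_exponent(N, B)
    rng = random.Random(seed)  # fixed seed only to make the example reproducible
    for _ in range(trials):
        x = rng.randrange(2, N - 1)
        g = math.gcd(x, N)
        if g == 1:  # x is a unit, as the analysis assumes
            g = p_minus_1_step(N, m, x)
        # otherwise x shared a factor with N and g already is that factor
        if 1 < g < N:
            return g
    return None


# Constructed sample moduli for this example (not from the notes).
N_SMOOTH = 2311 * 2027   # 2311 - 1 = 2*3*5*7*11 (11-smooth), 2027 - 1 = 2*1013
N_ROUGH = 2027 * 1019    # 2027 - 1 = 2*1013, 1019 - 1 = 2*509: no smooth p-1

if __name__ == "__main__":
    print("B=11, smooth p-1:", pollard_p_minus_1(N_SMOOTH, B=11))
    print("B=11, rough p-1: ", pollard_p_minus_1(N_ROUGH, B=11))
```

The deterministic single-step check with $x = 2$ is the one to reason about: modulo $2311$, $2^m = 1$ because $2310 \mid m$; modulo $2027$ the order of $2$ is $1013$ or $2026$, neither of which divides $m$, so $2^m \neq 1$ and the gcd is exactly $2311$. For $N'$ the same argument applies modulo both primes, so the gcd is $1$ no matter how many random $x$ are tried, which is the failure mode Pollard's rho method removes.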
2 Pollard's Rho Algorithm

This algorithm can be used to compute the factors of any integer $N = pq$, with no smoothness assumption on $p-1$. In this approach we look for two distinct elements $x, x' \in \mathbb{Z}_N$ such that $x \bmod p = x' \bmod p$; we call such a pair a good pair. For a good pair, $x - x'$ is divisible by $p$ but not by $N$ (since $x \neq x'$ in $\mathbb{Z}_N$), so $\gcd(x - x', N) = p$, and computing the gcd gives a non-trivial prime factor. The catch is: how can we come up with such a good pair?

Suppose we choose $k$ elements $x^{(1)}, \dots, x^{(k)}$ uniformly at random from $\mathbb{Z}_N^*$, where $k = 2^{n/2} = O(\sqrt p)$ and $n$ is the length of $p$. By the Chinese Remainder Theorem these can be written as $(x_p^{(1)}, x_q^{(1)}), \dots, (x_p^{(k)}, x_q^{(k)})$, and each $x_p^{(i)}$ is uniformly distributed in $\mathbb{Z}_p^*$. By the birthday bound, with high probability there exist distinct $i, j$ with $x_p^{(i)} = x_p^{(j)}$, i.e. with high probability $x^{(i)}, x^{(j)}$ is a good pair.

Now consider the time complexity of this scheme. Generating $k$ uniform elements of $\mathbb{Z}_N^*$ takes time $O(k) = O(\sqrt p) = O(N^{1/4})$ (using $p < \sqrt N$), but testing all pairs in order to identify a good pair takes time $O(k^2) = O(N^{1/2})$, which is no better than trial division.

Small-space birthday attack: Pollard's idea was to use a technique very similar to the small-space birthday attack. We build a sequence $x^{(1)}, x^{(2)}, \dots$ in which each value is a function of the previous one: fix some function $F : \mathbb{Z}_N^* \to \mathbb{Z}_N^*$, choose $x^{(0)} \in \mathbb{Z}_N^*$ uniformly at random, and set $x^{(i)} = F(x^{(i-1)})$. $F$ must have the property that if $x = x' \bmod p$ then $F(x) = F(x') \bmod p$; thus once equivalence modulo $p$ occurs, it persists. We also choose $F$ to behave like a random function. In the $i$-th step of the algorithm we compute $x = x^{(i)}$ and $x' = x^{(2i)}$ and then $\gcd(x - x', N)$; if the gcd is non-trivial we are done, otherwise we continue to the next step. Since $F$ behaves like a random function, the values $x_p^{(i)}$ are (heuristically) uniformly distributed over $\mathbb{Z}_p^*$, so we expect a repeat modulo $p$ with probability $1/2$ within the first $k = 2^{n/2}$ terms of the sequence. We now show that if there is a repeat within the first $k$ terms of the sequence, the algorithm detects it within at most $k$ iterations.

Claim 5. Let $x^{(1)}, \dots, x^{(k)}$ be a sequence of values with $x^{(i)} = F(x^{(i-1)})$. If $x^{(I)} = x^{(J)}$ with $1 \le I < J \le k$, then there is a $t < J$ such that $x^{(t)} = x^{(2t)}$.

Proof. The sequence $x^{(I)}, x^{(I+1)}, \dots$ repeats with period $T = J - I$. Let $t$ be the smallest multiple of $T$ with $t \ge I$. We have $t < J$, since the $T$ consecutive integers $I, I+1, \dots, I+T-1 = J-1$ contain at least one multiple of $T$. Since $t \ge I$ and $2t - t = t$ is a multiple of $T$, we have $x^{(t)} = x^{(2t)}$.

The claim applies verbatim to the sequence reduced modulo $p$, because $F$ respects congruence modulo $p$. Thus, using the above claim, the algorithm detects a non-trivial gcd, and hence a prime factor, with high probability using only $O(k) = O(\sqrt p) = O(N^{1/4})$ iterations, each consisting of a few evaluations of $F$ and one gcd, and constant space. This is much better than trial division.
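The following Python implementation of Pollard's rho algorithm (Section 2) is an added example, not code from the notes. It instantiates $F$ as $F(x) = x^2 + c \bmod N$, a polynomial, so that $x = x' \bmod p$ implies $F(x) = F(x') \bmod p$ as required; this is the standard choice but it is an assumption beyond what the notes specify. The loop is exactly the step described above: advance $x^{(i)}$ by one application of $F$ and $x^{(2i)}$ by two, then compute $\gcd(x^{(i)} - x^{(2i)}, N)$, which by Claim 5 catches the first repeat modulo $p$. If that gcd is $N$ itself, the sequences collided modulo $p$ and modulo $q$ in the same step, so the function restarts with the next $c$. The sample moduli are constructed for the example; $8051 = 83 \cdot 97$ is small enough that the first three gcd values can be checked by hand, and $2027 \cdot 1019$ is the case where neither $p-1$ nor $q-1$ is smooth, so Pollard's $p-1$ method is useless.

```python
import math


def pollard_rho(N, x0=2, max_iter=1_000_000):
    """Pollard's rho with Floyd cycle finding (Section 2).

    F(x) = x^2 + c mod N is the pseudo-random map (an assumption; the notes
    only require F to respect congruence mod p).  Each iteration computes
    x^(i) and x^(2i) and gcd(x^(i) - x^(2i), N).  Returns a non-trivial
    factor of N, or None if every c in the range failed."""
    if N % 2 == 0:
        return 2
    for c in range(1, 100):
        x = y = x0
        for _ in range(max_iter):
            x = (x * x + c) % N            # x^(i)
            y = (y * y + c) % N
            y = (y * y + c) % N            # x^(2i)
            g = math.gcd(abs(x - y), N)
            if g == N:
                break                      # repeat mod p and mod q in the same step: change c
            if g > 1:
                return g                   # good pair found: g is p or q
    return None


def rho_trace(N, c=1, x0=2, steps=10):
    """Return the first `steps` triples (x^(i), x^(2i), gcd) of one rho run,
    i.e. the sequence of gcd computations the notes describe."""
    x = y = x0
    out = []
    for _ in range(steps):
        x = (x * x + c) % N
        y = (y * y + c) % N
        y = (y * y + c) % N
        out.append((x, y, math.gcd(abs(x - y), N)))
    return out


if __name__ == "__main__":
    for x_i, x_2i, g in rho_trace(8051, steps=3):   # 8051 = 83 * 97
        print(x_i, x_2i, g)
    print(pollard_rho(8051))
    print(pollard_rho(2027 * 1019))                  # p-1 method fails here, rho does not
```

For $N = 8051$ the trace is $(5, 26, 1)$, $(26, 7474, 1)$, $(677, 871, 97)$: the third step already has $677 = 871 \bmod 97$, a good pair, and the gcd of their difference $194 = 2 \cdot 97$ with $N$ is $97$. Note that the work per iteration is three modular multiplications and one gcd regardless of $N$, and no table of earlier values is stored, which is the small-space property the notes rely on.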

3 Quadratic Sieve Algorithm

Definition 1 (Quadratic Residue). An element $z \in \mathbb{Z}_N^*$ is a quadratic residue modulo $N$ if there exists $x \in \mathbb{Z}_N^*$ such that $x^2 = z \bmod N$.

Definition 2 ($B$-smooth). For some bound $B$, an integer is said to be $B$-smooth if all its prime factors are less than or equal to $B$.

Lemma 6. Given $x, y$ such that $x^2 = y^2 \bmod N$ but $x \neq \pm y \bmod N$, a non-trivial factor of $N$ can be computed.

Proof. $x^2 = y^2 \bmod N$ implies $0 = x^2 - y^2 = (x+y)(x-y) \bmod N$, i.e. $N$ divides $(x+y)(x-y)$. Since $x \neq \pm y \bmod N$, $N$ divides neither $(x+y)$ nor $(x-y)$. Hence $\gcd(x-y, N)$ is a non-trivial divisor of $N$; for $N = pq$ it is one of the prime factors of $N$ (the same holds for $\gcd(x+y, N)$).

The algorithm tries to find $x, y$ with $x^2 = y^2 \bmod N$ and $x \neq \pm y \bmod N$ and then obtains a prime factor using the above lemma. It produces a sequence of values $q_1 = x_1^2 \bmod N,\; q_2 = x_2^2 \bmod N, \dots$ and chooses a subset of them whose product is a square over the integers. The following steps are used.

1. Choose a bound $B$ and search for $B$-smooth integers of the form $q_i = x_i^2 \bmod N$, factoring each of them. Factoring is easy if $B$ is small, so the $x_i$ are chosen as $x_i = \lfloor\sqrt N\rfloor + 1,\; \lfloor\sqrt N\rfloor + 2,\; \lfloor\sqrt N\rfloor + 3, \dots$; then $q_i = x_i^2 \bmod N = x_i^2 - N$ is small and therefore more likely to be $B$-smooth. With $p_1, \dots, p_k$ the primes less than or equal to $B$, we can write the equations
$$q_1 = x_1^2 \bmod N = \prod_{i=1}^{k} p_i^{e_{1,i}}, \qquad (1)$$
$$\vdots$$
$$q_l = x_l^2 \bmod N = \prod_{i=1}^{k} p_i^{e_{l,i}}. \qquad (2)$$

2. Find some subset $S$ of $\{q_j\}$ whose product is a square. Multiplying the $q_j$ in $S$ we get
$$z = \prod_{j \in S} q_j = \prod_{i=1}^{k} p_i^{\sum_{j \in S} e_{j,i}}. \qquad (3)$$
Here $z$ is a square only if the exponent of each $p_i$ is even, so we need a subset $S$ whose exponent vectors sum to the $0$-vector modulo 2.

3. Such a subset can be found easily using linear algebra. Reducing the exponents in equations (1) to (2) modulo 2, we obtain the $0/1$ matrix
$$\begin{pmatrix} e_{1,1} \bmod 2 & e_{1,2} \bmod 2 & \cdots & e_{1,k} \bmod 2 \\ \vdots & \vdots & & \vdots \\ e_{l,1} \bmod 2 & e_{l,2} \bmod 2 & \cdots & e_{l,k} \bmod 2 \end{pmatrix}.$$
If $l = k+1$, the matrix has more rows than columns, so the rows are linearly dependent over $\mathbb{Z}_2$ and there exists a non-empty subset $S$ of rows that sums to the $0$-vector modulo 2; it can be found by Gaussian elimination over $\mathbb{Z}_2$.

4. Now equation (3) can be written as
$$z = \prod_{j \in S} q_j = \prod_{i=1}^{k} p_i^{\sum_{j \in S} e_{j,i}} = \Big(\prod_{i=1}^{k} p_i^{(\sum_{j \in S} e_{j,i})/2}\Big)^2, \qquad (4)$$
because each exponent $\sum_{j \in S} e_{j,i}$ is even. Also,
$$z = \prod_{j \in S} q_j = \prod_{j \in S} x_j^2 = \Big(\prod_{j \in S} x_j\Big)^2 \bmod N. \qquad (5)$$
Thus from equations (4) and (5) we have two square roots of $z$ modulo $N$, namely $x = \prod_{j \in S} x_j \bmod N$ and $y = \prod_{i=1}^{k} p_i^{(\sum_{j \in S} e_{j,i})/2} \bmod N$, with $x^2 = y^2 \bmod N$. If moreover $x \neq \pm y \bmod N$, the above lemma yields a prime factor of $N$. This is not guaranteed for a particular $S$ (for $N = pq$, $z$ has four square roots modulo $N$, and a random pair satisfies $x \neq \pm y$ with probability about $1/2$), which is why one takes $l > k+1$: then many subsets $S$ with the required property exist, and each of them can be tried in turn until one factors $N$.

Running time: If a large bound $B$ is chosen, more numbers of the form $q_i = x_i^2 \bmod N$ are $B$-smooth, but at the same time it becomes harder to factor those numbers, and the larger $0/1$ matrix makes the linear-algebra step slower. With an optimal choice of $B$ the running time is $2^{O(\sqrt{\log N \log\log N})}$, which is sub-exponential in the length of $N$. This algorithm was the fastest known until the 1990s and is still a method of choice for numbers up to about 300 bits long.
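As an added example (not from the notes), the following Python code carries out steps 1 to 4 for small $N$: it walks $x = \lfloor\sqrt N\rfloor + 1, \lfloor\sqrt N\rfloor + 2, \dots$, keeps the $B$-smooth values $q = x^2 - N$ together with their exponent vectors, and performs the linear algebra of step 3 online, i.e. each new exponent vector is reduced modulo 2 against the pivot rows collected so far and, as soon as one reduces to zero, the subset $S$ it is made of is tried via step 4 and Lemma 6. By the pigeonhole argument of step 3 a dependency appears no later than the $(k+1)$-th relation, and when a dependency gives $x = \pm y \bmod N$ the code simply keeps collecting relations, which is the "take $l > k+1$" remark above. It uses trial division rather than sieving to test smoothness, so it is only meant for toy sizes; the sample moduli $1649 = 17 \cdot 97$ and $15347 = 103 \cdot 149$ are constructed for the example.

```python
import math


def primes_up_to(B):
    """The factor base p_1, ..., p_k: all primes <= B (trial division is fine here)."""
    return [p for p in range(2, B + 1) if all(p % d for d in range(2, math.isqrt(p) + 1))]


def smooth_exponents(q, primes):
    """Step 1: exponent vector (e_1, ..., e_k) of q over the factor base,
    or None if q is not B-smooth."""
    exps = []
    for p in primes:
        e = 0
        while q % p == 0:
            q //= p
            e += 1
        exps.append(e)
    return exps if q == 1 else None


def square_roots_from_subset(N, S, xs, exps, primes):
    """Step 4: x = prod_{j in S} x_j mod N and y = prod_i p_i^{(sum_j e_{j,i})/2} mod N,
    which satisfy x^2 = y^2 mod N because every exponent sum over S is even."""
    x = 1
    for j in S:
        x = x * xs[j] % N
    y = 1
    for i, p in enumerate(primes):
        total = sum(exps[j][i] for j in S)
        assert total % 2 == 0, "subset S is not a dependency"
        y = y * pow(p, total // 2, N) % N
    assert (x * x - y * y) % N == 0
    return x, y


def quadratic_sieve(N, B):
    """Steps 1-4 for N = pq.  Returns a non-trivial factor of N, or None if
    x reaches N without success (only plausible for a far too small B)."""
    primes = primes_up_to(B)
    xs, exps = [], []      # relation j:  x_j^2 - N = prod_i p_i^{e_{j,i}}
    pivots = {}            # leading bit -> (reduced row, bitmask of relations combined in it)
    x = math.isqrt(N) + 1
    while x < N:
        e = smooth_exponents(x * x - N, primes)        # q = x^2 mod N = x^2 - N
        if e is not None:
            j = len(xs)
            xs.append(x)
            exps.append(e)
            # Step 3, online: the row is the exponent vector mod 2 as a bitmask
            # over the k columns; comb records which original rows were XORed in.
            row = sum(1 << i for i, ei in enumerate(e) if ei % 2 == 1)
            comb = 1 << j
            while row:
                lead = row.bit_length() - 1
                if lead not in pivots:
                    pivots[lead] = (row, comb)
                    break
                prow, pcomb = pivots[lead]
                row ^= prow
                comb ^= pcomb
            if row == 0:                               # the rows in comb sum to 0 mod 2
                S = [i for i in range(len(xs)) if comb >> i & 1]
                a, b = square_roots_from_subset(N, S, xs, exps, primes)
                g = math.gcd(a - b, N)                 # Lemma 6
                if 1 < g < N:
                    return g
                # a = +-b mod N: a useless dependency, keep collecting relations
        x += 1
    return None


if __name__ == "__main__":
    print(quadratic_sieve(1649, B=30))    # 1649 = 17 * 97
    print(quadratic_sieve(15347, B=30))   # 15347 = 103 * 149
```

For $N = 1649$ with $B = 30$ the relations are $41^2 - N = 32 = 2^5$, $42^2 - N = 115 = 5 \cdot 23$ and $43^2 - N = 200 = 2^3 \cdot 5^2$; the third row reduces to zero against the first, giving $S = \{41, 43\}$, $z = 32 \cdot 200 = 80^2$, $x = 41 \cdot 43 \bmod N = 114$, $y = 80$, and $\gcd(114 - 80, 1649) = 17$. For $N = 15347$ the second relation $126^2 - N = 529 = 23^2$ is already a square on its own, so $x = 126$, $y = 23$ and $\gcd(103, 15347) = 103$.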