Integer factorization, part 1: the Q sieve. D. J. Bernstein

Similar documents
Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

part 2: detecting smoothness part 3: the number-field sieve

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

Dixon s Factorization method

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Computational algebraic number theory tackles lattice-based cryptography

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

8 Primes and Modular Arithmetic

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Discrete Structures Lecture Primes and Greatest Common Divisor

Computational algebraic number theory tackles lattice-based cryptography

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Sieve-based factoring algorithms

PRACTICE PROBLEMS: SET 1

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Commutative Rings and Fields

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Discrete Math, Fourteenth Problem Set (July 18)

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Math 109 HW 9 Solutions

Topics in Computer Mathematics

Lecture 6: Cryptanalysis of public-key algorithms.,

Homework #2 solutions Due: June 15, 2012

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

CPSC 467b: Cryptography and Computer Security

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

SMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance

Fall 2017 Test II review problems

1 Overview and revision

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

Math 3 Variable Manipulation Part 3 Polynomials A

CPSC 467b: Cryptography and Computer Security

Euler s ϕ function. Carl Pomerance Dartmouth College

(x 1 +x 2 )(x 1 x 2 )+(x 2 +x 3 )(x 2 x 3 )+(x 3 +x 1 )(x 3 x 1 ).

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Kim Bowman and Zach Cochran Clemson University and University of Georgia

Discrete Logarithm Problem

Quadratic Equations Part I

OBTAINING SQUARES FROM THE PRODUCTS OF NON-SQUARE INTEGERS

Elementary Properties of the Integers

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

LP03 Chapter 5. A prime number is a natural number greater that 1 that has only itself and 1 as factors. 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

CHAPTER 1 REAL NUMBERS KEY POINTS

Another Attempt to Sieve With Small Chips Part II: Norm Factorization

Fully Deterministic ECM

Evaluate and Graph Polynomial Functions

AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS

Math 131 notes. Jason Riedy. 6 October, Linear Diophantine equations : Likely delayed 6

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

3 Polynomial and Rational Functions

Equidivisible consecutive integers

Counting Perfect Polynomials

The Euclidean Algorithm and Multiplicative Inverses

Table of Contents. 2013, Pearson Education, Inc.

Blankits and Covers Finding Cover with an Arbitrarily Large Lowest Modulus

Math-3. Lesson 3-1 Finding Zeroes of NOT nice 3rd Degree Polynomials

4 Number Theory and Cryptography

Lecture 11: Number Theoretic Assumptions

Disproof MAT231. Fall Transition to Higher Mathematics. MAT231 (Transition to Higher Math) Disproof Fall / 16

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology.

Industrial Strength Factorization. Lawren Smithline Cornell University

Non-generic attacks on elliptic curve DLPs

Some Facts from Number Theory

ANALYZING THE QUADRATIC SIEVE ALGORITHM

CHAPTER 3. Congruences. Congruence: definitions and properties

Factorization & Primality Testing

SPEEDING FERMAT S FACTORING METHOD

HMMT February 2018 February 10, 2018

Integers and Division

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

Numerical Methods. Equations and Partial Fractions. Jaesung Lee

Discrete Math. Instructor: Mike Picollelli. Day 10

Number theory (Chapter 4)

CPSC 467b: Cryptography and Computer Security

HOMEWORK 4 SOLUTIONS TO SELECTED PROBLEMS

Math 75 Mini-Mod Due Dates Spring 2016

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Old and new algorithms for computing Bernoulli numbers

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

3 The fundamentals: Algorithms, the integers, and matrices

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Arithmetic. Integers: Any positive or negative whole number including zero

3.4. ZEROS OF POLYNOMIAL FUNCTIONS

Definition For a set F, a polynomial over F with variable x is of the form

ORDERS OF UNITS IN MODULAR ARITHMETIC

1 Rabin Squaring Function and the Factoring Assumption

Possible Group Structures of Elliptic Curves over Finite Fields

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

Unit 2-1: Factoring and Solving Quadratics. 0. I can add, subtract and multiply polynomial expressions

Transcription:

Integer factorization, part 1: the Q sieve D. J. Bernstein

Sieving small integers 0 using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 etc.

Sieving and 611 + for small using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 61 3 3 613 614 615 3 5 616 7 617 618 3 619 60 5 61 3 3 3 6 63 7 64 3 65 5 5 5 5 66 67 3 68 69 630 3 3 5 7 631 etc.

Have complete factorization of the congruences (611 + ) for some s. 14 65 = 1 3 0 5 4 7 1. 64 675 = 6 3 3 5 7 0. 75 686 = 1 3 1 5 7 3. 14 64 75 65 675 686 = 8 3 4 5 8 7 4 = ( 4 3 5 4 7 ). gcd 611 14 64 75 = 47. 611 = 47 13. 4 3 5 4 7

Why did this find a factor of 611? Was it just blind luck: gcd 611 random = 47? No. By construction divides where = 14 64 75 and = 4 3 5 4 7. So each prime 7 dividing divides either or +. Not terribly surprising (but not guaranteed in advance!) that one prime divided and the other divided +.

Why did the first three completely factored congruences have square product? Was it just blind luck? Yes. The exponent vectors (1 0 4 1) (6 3 0) (1 1 3) happened to have sum 0 mod. But we didn t need this luck! Given long sequence of vectors, quickly find nonempty subsequence with sum 0 mod.

This is linear algebra over F. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for = 671: 1( + 1) = 5 3 1 5 0 7 1 ; 4( + 4) = 3 3 5 7 0 ; 15( + 15) = 1 3 1 5 1 7 3 ; 49( + 49) = 4 3 5 1 7 ; 64( + 64) = 6 3 1 5 1 7. F -kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1( + 1)15( + 15)49( + 49) is a square.

Plausible conjecture: Q sieve can separate the odd prime divisors of any, not just 611. Given and parameter : 1. Try to completely factor ( + ) for 1 3 into products of primes.. Look for nonempty set of s with ( + ) completely factored and with ( + ) square. 3. Compute gcd where = and = ( + ).

How large does have to be for this to find a square? Let s aim for number of completely factored congruences to exceed length of each vector, guaranteeing a square. (This is somewhat pessimistic; smaller numbers usually work.) Vector length log. Will there be log completely factored congruences out of congruences?

What s chance of random ( + ) being -smooth, i.e., completely factored into primes? Consider, e.g., = 1 10. Uniform random integer in [1 ] has -smoothness chance 0 306; uniform random integer in [1 ] has chance 77 10 11. Plausible conjecture: -smoothness chance of ( + ) is 8 5 10 1. Find 8 5 10 1 fully factored congruences.

If 340 and = 1 10 then 8 5 10 1 3 log, and approximations seem fairly close, so conjecturally the Q sieve will find a square. Find many independent squares with negligible extra effort. If gcd turns out to be 1, try the next square. Conjecturally always works: splits odd into prime-power factors.

How about 1 for larger? Uniform random integer in [1 ] has 1 -smoothness chance roughly. Plausible conjecture: Q sieve succeeds with = 1 for all (1+ (1)) ; here (1) is as.

How about letting grow with? Given, try sequence of s in geometric progression until Q sieve works; e.g., increasing powers of. Plausible conjecture: final exp 1 + (1) log log log, ( + (1))log log log. Cost of Q sieve is a power of, hence subexponential in.

More generally, if exp 1 + (1) log log log, conjectured is 1 + (1). -smoothness chance Find enough smooth congruences by changing the range of s: replace with +1+ (1) = exp ( +1) + (1) log log log. Increasing past 1 increases number of s but reduces linear-algebra cost. So linear algebra never dominates when is chosen properly.

Improving smoothness chances Smoothness chance of ( + ) degrades as grows. Smaller for than for. Crude analysis: ( + ) grows. if ; if. More careful analysis: + doesn t degrade, but is always smooth for, only 30% chance for. Can we select congruences to avoid this degradation?

( ( ( ( Choose, square of large prime. Choose a -sublattice of s: arithmetic progression of s where divides each ( + ). e.g. progression mod ), 3 mod ), mod ), etc. Check smoothness of generalized congruence ( + ) for s in this sublattice. e.g. check whether ( + ) are smooth for = Try many large s. Rare for s to overlap. mod ) etc.

e.g. = 3141596535897933: Original Q sieve: + 1 3141596535897934 3141596535897935 3 3141596535897936 Use 997 -sublattice, 80458 + 994009Z: ( + ) 997 80458 31605737309 1796467 31605737310 790476 31605737311

( ( Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply of generalized congruences ( mod )) + mod ) between 0 and. More careful analysis: Sublattices are even better than that! For 1 have ( + ) 1 so smoothness chance is roughly ) ) = ( (, times larger than before.

1 Even larger improvements from changing polynomial ( + ). Quadratic sieve (QS) uses with ; have + (1), much smaller than. MPQS improves (1) using sublattices: ( But still 1. ). Number-field sieve (NFS) achieves (1).

Fast linear algebra Given matrix over F specifying linear : F F. Solving linear equations : given F, find some F with =. Using an algorithm for that: Choose uniform random F ; compute = ; use algorithm to find with =. This produces uniform random kernel element, namely.

Elimination solves linear equations using ( 3 ) bit operations. Series denominators solve linear equations using + (1) bit operations if the equations are sparse. Sparse : can evaluate using 1+ (1) bit operations. Certainly true in Q sieve with usual choices of.

What s the denominators method? Consider nontrivial relation + + 0 + 1 = 0. I ll assume so = 1 = where 0 = 1 for simplicity, = 1. Consider series in F [[ ]]: + ( ) + ( ) +. Multiplying series by poly + 1 1 + + 0 0 in F [ ] produces poly in F [ ] of degree.

Save time by projecting from F [[ ]] to F [[ ]]. Choose linear : F F. Series ( ) + ( ) + has denominator dividing 0 + 1 1 + + 0. Compute denominator of series from first terms of series via continued fractions. Repeat for three random s, compute lcm of denominators. Obtain 0 1 with probability close to 1.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback