A Comparison Of Integer Factoring Algorithms. Keyur Anilkumar Kanabar

Transcription

1 A Comparison Of Integer Factoring Algorithms Keyur Anilkumar Kanabar Batchelor of Science in Computer Science with Honours The University of Bath May 2007

2 This dissertation may be made available for consultation within the University Library and may be photocopied or lent to other libraries for the purposes of consultation. Signed:

3 A Comparison Of Integer Factoring Algorithms Submitted by: Keyur Anilkumar Kanabar COPYRIGHT Attention is drawn to the fact that copyright of this dissertation rests with its author. The Intellectual Property Rights of the products produced as part of the project belong to the University of Bath (see This copy of the dissertation has been supplied on condition that anyone who consults it is understood to recognise that its copyright rests with its author and that no quotation from the dissertation and no information derived from it may be published without the prior written consent of the author. Declaration This dissertation is submitted to the University of Bath in accordance with the requirements of the degree of Batchelor of Science in the Department of Computer Science. No portion of the work in this dissertation has been submitted in support of an application for any other degree or qualification of this or any other university or institution of learning. Except where specifcally acknowledged, it is the work of the author. Signed:

4 Abstract The problem of integer factorisation has been investigated for a number of centuries by mathematicians. In recent years the use of public key cryptosystems has increased the amount of research taking place in this field. In this report we will focus closely on five factoring algorithms: Trial Division, Fermat s Algorithm, Pollard ρ, Pollard p 1 and Lenstra s Elliptic Curve Method. We will investigate these algorithms, their running times and compare their performance. The report will also discusses how integer factorisation it paving the way for advances in Computer Science.

5 Contents 1 Introduction Background The Problem Planning Mathematical Introduction Greatest Common Divisor Modular Arithmetic Primes and Mersenne Primes Prime Numbers Mersenne Primes Pseudoprimes and Primality Testing Big O Notation Smoothness Integer Factorisation and RSA Introduction to RSA Algorithm Applying Factorisation to RSA Keys Literature Review Introduction Trial Division Algorithm Fermat s Algorithm Pollard ρ Algorithm Pollard p 1 Algorithm Elliptic Curve Method Conclusion Requirements Functional Requirements Non-functional Requirements System Requirements Hardware Requirements Software Requirements ii

6 CONTENTS iii 5 Design Trial Division Fermat s Algorithm Pollard ρ Method Pollard p 1 Method Elliptic Curve Method Testing Timing Algorithms Algorithms using Smoothness Bounds Results & Analysis Trial Division Results Trial Division Results Using 2 Nearby Factors Trial Division Results Using 3 Nearby Factors Trial Division Results Using 3 Arbitrary Factors All Trial Division Results Fermat s Algorithm Results Pollard ρ Results Pollard ρ Results Using 2 Nearby Factors Pollard ρ Results Using 3 Nearby Factors Pollard ρ Results Using 3 Arbitrary Primes All Pollard ρ Results Pollard p 1 Results Pollard p 1 Results Using 2 Nearby Factors Pollard p 1 Results Using 3 Nearby Factors Pollard p 1 Results Using 3 Arbitrary Factors All Pollard p 1 Results Elliptic Curve Method (ECM) Results ECM Results Using 2 Nearby Factors ECM Results Using 3 Nearby Factors ECM Results Using 3 Arbitrary Factors All ECM Results Comparing All Factoring Algorithms Summary Conclusions Introduction Critique Achievements Future Advances Summary A Test Data & Results Tables 57

7 CONTENTS iv B Code 64 C User Documentation 65 C.1 Trial Division C.2 Fermat s Algorithm C.3 Pollard ρ Algorithm C.4 Pollard p 1 Algorithm C.5 Elliptic Curve Method Algorithm D Gantt Chart 67 Bibliography 68

8 List of Figures 3.1 An Elliptic Curve B 1 values used for the Elliptic Curve Method Trial Division with data From Table A Trial Division with data From Table A Trial Division with data From Table A Trial Division with data From Table A.1, A.2 & A Fermat s Algorithms with Data From Table A Pollard ρ using data from Table A Pollard ρ using data from Table A Pollard ρ using data from Table A Pollard ρ with data From Table A.1, A.2 & A Pollard p 1 with data from Table A Pollard p 1 with data from Table A Pollard p 1 with data from Table A Pollard p 1 with data From Table A.1, A.2 & A Elliptic Curve Method using data from Table A Elliptic Curve Method using data from Table A Elliptic Curve Method using data from Table A Elliptic Curve Method with data From Table A.1, A.2 & A Comparing all algorithms using data from Table A Comparing all algorithms using data from Table A Comparing all algorithms using data from Table A v

9 List of Tables A.1 2 Nearby Factor. 1% difference between factors A.2 3 Nearby Primes. 1% difference between factors A.3 3 Arbitrary Factors A.4 Results generated using Table A A.5 Results generated using Table A A.6 Results generated using Table A vi

10 Acknowledgements I would first like to thank Dr Russell Bradford, whose guidance and support over the duration of this dissertation has been invaluable. I would also like to thank my family, for their unrivalled support throughout all that I do. vii

11 Chapter 1 Introduction 1.1 Background Number theory is probably one of the oldest branches of pure mathematics. One of the most important results in number theory is the Fundamental Theorem of Arithmetic. This theorem states: That every natural number greater than 1 can be written as a unique product of prime numbers Prime numbers can thus be considered the building blocks of the natural numbers. Integer factorisation is an area of number theory which takes composite numbers and breaks them down into their constituent prime factors. Gauss identified primality testing and integer factorisation as the two most fundamental problems in his Disquisitiones Arithmeticae (Gauss 1801) and they have been the prime subject of many mathematicians work ever since. In the past decades the rapid growth and use of WAN s 1 especially the Internet has had far reaching effects. The breath of human knowledge is now available to anyone with basic computer literacy. With this newly found ability to access information is a need for mechanisms to store and transmit data securely began to emerge. Cryptosystems were developed to meet this demand, the most notable being RSA (Rivest, Shamir & Adelman 1977). These cryptosystems were based on number theory. The strength of the RSA cryptosystems was based on the notion that the multiplication of two large prime numbers (so-called semiprimes) is much easier than factoring the resulting product. When the numbers are very large, no efficient integer factorization algorithm is publicly known (Brent 2000a); a recent effort which factored a 193 digit number (RSA-640) (Labs 2005) took approximately GHz- Opteron-CPU years according to the submitters and over five months of 1 Wide Area Networks i.e Intranets 1

12 CHAPTER 1. INTRODUCTION 2 calendar time. The presumed difficulty of this problem is at the heart of certain cryptography algorithms. Many areas of Mathematics and Computer Science have been brought to bear on the problem, including elliptic curves, algebraic number theory, and quantum computing. 1.2 The Problem Deterministic algorithms are algorithms which are guaranteed to find a solution if we let them run long enough. On the contrary, nondeterministic algorithms may never terminate. The most usual distinction, however, deals with the run-time of the algorithm. The running time of recent algorithms depends on the size of the input number N, whereas older algorithms depended on the size of the factor f which they find. The aim of this report is to study and implement these deterministic and nondeterministic factoring algorithms: Trial Division Algorithm Fermat s Algorithm Pollard ρ Method Pollard p 1 Method Elliptic Curve Method (ECM) and study their running time based on the lengths and number of factors found within the integers inputted. The investigation in this report will aim to compare and comment how these algorithms performed against one another with a given set of data. As opposed to hypothesise on the performance and expected behaviour of the algorithms. 1.3 Planning The success of any research or software project depends upon the amount of time and consideration taken when planning how the allotted time should be spent. Appendix D contains a Gantt chart that was developed at the outset of this project. Every effort was taken to ensure that the time spent on each task was allocated correctly. I will endeavour to follow the plan stated in Appendix D as closely as possible.

13 Chapter 2 Mathematical Introduction Though the intended audience for this report are academics and/or students who have some prior knowledge in this particular field, it would be presumptuous to assume that all the readers are familiar with the range of mathematical tools and techniques used in integer factorisation. This chapter will briefly cover these tools and techniques. 2.1 Greatest Common Divisor The greatest common divisor (GCD) is sometimes referred to as the the greatest common factor or the highest common factor. In this report we will use the term greatest common divisor. If u and v are both non-zero integers, we say that their greatest common divisor or gcd(u, v), is the largest integer that divides both numbers without a remainder. Two numbers are called coprime or relatively prime if their greatest common divisor equals 1. The most most efficient method for calculating the great common divisor is the Euclidean Algorithm. Recall the the division algorithm states that for two integers n and m (assume we may write m = nq + r, where q is called the quotient and r is called the remainder and satisfies the condition r < n). The Euclidean algorithm states: to find the greatest common divisor between n and m, divide m by n. If the remainder is zero, then m is a multiple of n and we are done, the least common multiple being n. If not, divide the divisor (n) by the remainder. Continue this process, dividing the last divisor by the last remainder, until the remainder is zero. The last non-zero remainder is then the greatest common divisor of the integers m and n. 3

14 CHAPTER 2. MATHEMATICAL INTRODUCTION Modular Arithmetic Modular arithmetic is the arithmetic of congruences, sometimes referred to as clock arithmetic. Addition, subtraction and multiplication work like in regular arithmetics, but there is no division. The notation used for expressions involving modular arithmetic is: x = y (mod m) Which reads as x is equivalent to y, modulo m. x is the integer remainder of dividing y by m. For example, 7 = 23 (mod 8) and 4 = 13 (mod 9). The following statement is a basic principle of modular arithmetic: a + kp = a (mod p) 2.3 Primes and Mersenne Primes Prime Numbers A prime number (or a prime) is a natural number that has exactly two (distinct) natural number divisors, which are 1 and the prime number itself. The first question that arises is whether or not the list of primes is finite. If it were then it would be possible to list all the primes and anyone wishing to determine whether an integer were prime could simply look it up. Euclid determined that there are an infinite number of primes (Ribenboim 2004). The proof can be easily obtained from a number of mathematical texts or the Internet. The almost random distribution of prime numbers within N make locating and verifying the primality of an integer increasingly difficult as the size of the number increases. Euler once commented Mathematicians have tried in vain to this day to discover some order in the sequence of prime numbers, and we have reason to believe that it is a mystery into which the mind will never penetrate (Havil 2003) The Sieve of Eratosthenes is a straightforward way to compute the list of all prime numbers up to a given integer limit n (Rev. Samuel Horsley 1772). To find all primes less than or equal to n, we list all the integers from 2 to n. We then proceed to work down the list. The first integer 2, must be prime. We cross off all multiples of 2 which are larger than 2. The first integer after 2 which has not been crossed is 3 - this is obviously prime. We cross off all multiples of 3 which are larger than 3. We continue down the list in this manner. When we have found a new prime, we cross off all multiples of that new prime which are larger than the prime itself and then move to the next integer which has not been crossed off and which must again be prime. One of the work savers that Eratosthenes discovered was that we do not need to continue this all the way up to n. Once we have found a prime larger

15 CHAPTER 2. MATHEMATICAL INTRODUCTION 5 than the square root of n, all of the remaining integers which have not been crossed off must be prime. If any of them were composite then they would have to have a factor less than or equal to their square root. If n = a b then a n or b n The Sieve of Eratosthenes was superceded by the Sieve of Atkin. This sieve was a much faster and more modern algorithm than the Sieve of Eratosthenes. The Sieve of Atkin was developed by A. O. L. Atkin and Daniel J. Bernstein. (Atkin & Bernstein 1999) Mersenne Primes A Mersenne prime is a number that has the form: M n = 2 n 1 which is prime. In order for M n to be prime, n must itself be prime. This is true since for composite n with factors r and s, n = rs. Therefore, 2 n 1 can be written as 2 (rs) 1, which is a binomial number that always has a factor (2 r 1). The first few examples of Mersenne primes are 3, 7, 31, 127, 8191, corresponding to n = 2, 3, 5, 7, 13, 17 Mersenne primes were first studied because of the remarkable properties that every Mersenne prime corresponds to exactly one perfect number Pseudoprimes and Primality Testing A pseudoprime is an integer which shares a property common to all prime numbers but is not actually prime. Pseudoprimes are classified according to which property they satisfy (Rivest 1991). The most significant class of pseudoprimes are derived from Fermat s little theorem and appropriately referred to as Fermat pseudoprimes. This theorem simply states that if p is prime and a is coprime to p, then a p 1 1 is divisible by p. If a number x is not prime, a is coprime to x and x divides a x 1 1, then x is called a pseudoprime to base a. A number x that is a pseudoprime for all values of a that are coprime to x is called a Carmichael number 2. The smallest Fermat pseudoprime for the base 2 is 341. It is not a prime, since it equals 11 31, but it satisfies Fermat s little theorem: 2341= 2(mod 341). The rarity of such pseudoprimes has important practical implications. For example, public-key cryptography algorithms such as RSA require the 1 A perfect number is a positive integer is said to be perfect if it is the sum of its proper divisors (those positive divisors strictly less than itself) 2 A Carmichael number is an odd composite number n which satisfies Fermat s little theorem

16 CHAPTER 2. MATHEMATICAL INTRODUCTION 6 ability to quickly find large primes. The usual algorithm to generate prime numbers is to generate random odd numbers and test them for primality. However, deterministic primality tests are slow. If the user is willing to tolerate a very small chance that the number found is not a prime number but a pseudoprime, it is possible to use the much faster and simpler Fermat primality test. Another approach is to use more refined notions of pseudoprimality, e.g. strong pseudoprimes or Euler-Jacobi (Guy 1994) pseudoprimes, for which there are no analogues of Carmichael numbers. This leads to probabilistic algorithms such as the Solovay-Strassen primality test and the Miller-Rabin primality test, which produce what are known as industrialgrade primes (Loudon 1999). Industrial-grade primes are integers for which primality has not been certified (i.e. rigorously proven), but have undergone a test such as the Miller-Rabin test which has positive, but impossibly low, probability of failure (Hurd 2003). 2.5 Big O Notation The function f(x) is O(g(x)) as x if and only if there are positive real constants c, k such that for every x >k, 0 f(n) cg(n). When Big O notation is applied to the running time or storage requirements of an algorithm, one may write simply O(g(x)), and it is assumed that x. If multiple variables are present, the variable which goes to infinity is indicated. As part of the definition of O(g(x)), all possible executions of the algorithms must be considered as x. 2.6 Smoothness We say that a positive integer is B-smooth if all its prime factors n are n B. An integer is said to be smooth with respect to S, where S is some set of integers, if it can be completely factored using the elements of S. We often simply use the term smooth, in which case the bound B or the set S is clear from the context. 2.7 Integer Factorisation and RSA As discussed earlier the vast increase of research into integer factorisation has come about due to the widespread use of computer based cryptosystems. Due to modern implementations of these cryptosystems (RSA in particular) we rarely get to see the underlying mechanics of how data is encrypted and decrypted. Hence, sometimes we fail to see the obvious relationship between cryptosystems, the mathematics involved and where integer factorisation comes into all this. In this chapter we will briefly look at the most commonly

17 CHAPTER 2. MATHEMATICAL INTRODUCTION 7 used cryptosystem - RSA. We will also look at how integer factorisation can (usually with small RSA key lengths) crack an encrypted RSA message Introduction to RSA Algorithm In 1978, the first general-purpose public-key algorithm RSA was created by Ron Rivest, Adi Shamir, and Leonard Adleman (Rivest et al. 1977). RSA is an incredibly simple algorithm that can be easily understood, implemented, and analyzed by someone with basic knowledge of number theory. It is well suited for encryption, digital signatures, and authentication. Before one can use RSA, a key-pair must be generated 3. To generate the keys, first find two large prime numbers p and q of approximately equal size. The modulus for the keys is defined as N = pq The user then must select an encryption exponent e that is relatively prime to φ(n) = (p 1)(q 1). The decryption exponent d is defined as d e 1 (modφ(n)) The public key now consists of e, N and the private key is d, N. If we wish to encrypt a plaintext message block m (with m < N ) we use the following method: c m e (mod N ) c is now referred to as the ciphertext. To decrypt the ciphertext back to plaintext is done using the following technique: We can verify this result m c d (mod N ) c d (m e ) d (mod N ) (m ed ) (mod N ) (m 1+kφ(N) ) (mod N ) m.(m φ(n) ) k (mod N ) m.1 (mod N ) We have assumed that both m and N are relatively prime. If they re not then we need to use Carmichael s λ function (Erdos, Pomerance & Schmutz 1991)in the place of Euler s φ function. 3 A public key can be distributed freely and a private key is to be kept secret by the key pair owner.

18 CHAPTER 2. MATHEMATICAL INTRODUCTION Applying Factorisation to RSA Keys The simplicity of the RSA algorithm is one of its major strengths. Let us assume we wish to intercept an encrypted message and return it back into plaintext. We have access to the public key 4 as well as the encrypted message. Using the value of N that is apart of the public key we can use a factoring algorithm to derive the value of of p and q. Once we have these two values we can the use the Euler function to generate a new decryption exponent e. We have now essentially created another private key which we can use to view the encrypted message m. 4 Assumption is made that reader understands the basics of asymmetric cryptography. If not please read Sun s introduction to public key cryptography

19 Chapter 3 Literature Review 3.1 Introduction Number theorists have been studying the problem of integer factorisation for hundreds of years. Some of the most brilliant mathematicians have spent their careers investigating this area. One such mathematician was C.F. Gauss who once wrote (Gauss 1801): The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length Further, the dignity of the science itself seems to require solution of a problem so elegant and so celebrated. This problem has mostly remained in the domain of mathematics until recently. As information has become more readily available in an age where data can be transferred across vast public networks, security has become of paramount importance. Cryptosystems have been developed to address this problem. The very fact that large integers are difficult to factorise is the cornerstone of many modern cryptosystems. One such example is the RSA public key cryptosystem. As cryptosystems have become more widely adopted both mathematicians and computer scientists have become more interested in their actual strength. Commercial organisations such as RSA Laboratories have issued public competitions with cash prizes (Labs 2005). One purpose of this contest is to track the state of the art in factoring. Advances and studies into large integer factorisation will ultimately lead to more secure and robust cryptosystems. 9

20 CHAPTER 3. LITERATURE REVIEW 10 The following sections in this literature review will look at how a broad range of factoring algorithms will be integrated into the proposed integer factorisation system. 3.2 Trial Division Algorithm The trial division algorithm is the simplest of the factoring algorithms. It is a suitable algorithm to begin the investigation of integer factoring algorithms. This algorithm attempts to factorise a composite integer N using a brute force approach. The trial division algorithm attempts to divide N by every prime number up to and including the N. If a number p is found which evenly divides into N, then p is a prime factor of N. Trial division method guarantees to find the factors of N since it checks all the possible prime factors. If the algorithm is unable to find a factor of N then it proves that N is a prime it self. An alternative (and slower) technique of the trial division method is known. Instead of attempting to divide N by prime numbers it attempts to divide it by every integer up to and including N. The trial division algorithm is reasonably efficient (hence computationally feasible) for small numbers. One might use trial division to factorise numbers with factors of 7 or 8 digits. After that it gradually becomes inefficient, and cannot compete with the stronger algorithms (Flannery, Flannery & Flannery 2000). According to (Brent 1999) the complexity of the trial division algorithm is: O(f log N ) 2 ) where f is the size of the factor to be found. The time taken by the algorithm to find factors increases exponentially as f increases. 3.3 Fermat s Algorithm Fermat s algorithm can be viewed as a modern factoring algorithm (Uhl n.d.). Though the algorithm is not widely used today, it is implemented when the number to be factored has two factors which are relatively close to the square root of the number. The Continued Fractions and Quadratic Sieve algorithms are based on the key principles on Fermat s Algorithm (Morrison & Brillhart 1975). Fermat s algorithm works in the following way. Let us begin with a number N which we wish to factorise. Suppose that N can be written as the difference of two squares, such as: N = x 2 y 2

21 CHAPTER 3. LITERATURE REVIEW 11 then, N = (x y)(x + y) we have succeeded in breaking N into two smaller factors. Fermat s algorithm works in a different director to the Trial Division algorithm. With the Trial Division algorithm we begin by looking for a small factor and then working our way up to the N. With Fermat s algorithm we being by looking at the factors close to the N and begin working down. Let us begin with a positive integer N which is to be factored. We search for integers x and y such that x 2 y 2 = N. We begin with x equal to the smallest integer greater than or equal to the N and try increasing y until x 2 y 2 either equals or is less than N. In the first case we are done, in the second we increase x by one and iterate. We continue this until we have success. We could also set t to x 2 y 2 N, then we have success when t = 0. The next aspect of Fermat s Algorithm that we ll be looking at is the complexity of it. Let us suppose that N = a b, with a < b. Factorisation will be achieved when x = (a + b) / 2. Since the starting value of x is N, and b = N/a, the factorisation will take approximately 1 2 (a + N a ) N = ( N a) 2 2a cycles. If the two factors of N are very close, i.e. if a = k N, with 0 <k <1, then the number of cycles required in order to obtain the factorisation is (1 k) 2 2k N This complexity is of the order O(cN 1 2 ). However, the value of k can be very small, and thus making this algorithm impractical. For instance, let us consider an ordinary case where a N 1 3 and b N 2 3. In such a case, the number of cycles necessary will be ( N 3 N) N = ( 3 N) 2 ( 6 N 1) N 1 2 N 2 3 which is considerably higher than O(N 1 2 ). Therefore this algorithm is only practical when the factors a and b are almost equal to each other. 3.4 Pollard ρ Algorithm The Pollard ρ algorithm was developed in 1975, by a British mathematician John Pollard (Pollard 1975). This factoring algorithm is sometimes referred to as the Pollard Monte Carlo factorisation method due to its pseudo-random

22 CHAPTER 3. LITERATURE REVIEW 12 nature. This algorithm becomes inefficient if all the prime factors are large (larger than ) (Bressoud 1989).It s usually used to find moderately sized factors, around 10 5 to Richard P. Brent later refined the algorithm in a paper published in 1980 (Brent 1980). This refinement was claimed to improve the algorithm developed by Pollard by some 24%. It did this by using a different method of cycle detection that was considerably quicker than Floyd s original Rho algorithm (Floyd 1967). Let N the composite number we wish to factorise and d be an unknown nontrivial divisor of N. Let f(x) be a simple irreducible polynomial in x. Generally we would use x 2 +1 or something similar. Starting with an integer x 0, we create a sequence from the recursive definition: Let: x i = f(x i 1 )modn y i = x i mod d Since x i f(x i 1 ) (mod N ), y i is congruent to f(y i 1 ) modulo d. There are only a finite number of congruence classes, modulo d (namely d of them) and so eventually we will have y i = y j, for some pair (i, j). But once that happens, we will keep cycling and for all positive t: y i+t = y j+t The sequence begins to look like a circle with the tail - like the Greek letter ρ. It was because of this the algorithm was given lends its name that. If y i equals y j, then x i x j (mod d) and so d divides x i x j. There is a very good chance that x i and x j are not equal, and if this is the case then gcd(n, x i x j ) is a non-trivial divisor of N. The problem we face now is that since we do not know d, we do not know the values of the y i s and so we do not know when y i equals y j. There are in fact infinitely many pairs i, j for which y i and y j are equal. If the length of the cycle is c, then once we are off the tail, and (i, j) pair for which

23 CHAPTER 3. LITERATURE REVIEW 13 c divides j 1 will work. We find some systematic way of choosing a lot of pairs (i, j) and for each pair compute gcd(n, x i x j ). In order to avoid storing many values of the x i s we look at the differences, expressed in general as: x 2 n 1 x j, 2 n+1 2 n 1 j 2 n+1 1 The important factor here is the difference between the coordinates, which decrease by one each time. We keep moving the smaller coordinates up to guarantee we get of the tail. 3.5 Pollard p 1 Algorithm The pollard p 1 algorithm was developed by J.M. Pollard in 1974 (Pollard 1974). It is a special-purpose algorithm; this means that it is only suitable for integers with specific types of factors. The algorithm (Bressoud 1989) is loosely based on Fermat s little theorem: If p is prime, and a 0 mod p then a p 1 1 (mod p) Let us supposed that the integer we wish to find the factors of N, and that one of the prime factors is p. We also assume that p 1 divides Q. Using Fermat s little theorem, and assuming that (p 1) Q we can derive the following: a Q 1 (mod p) thus, p divides a Q -1. We apply the GCD (greatest common divisor)operator to N and a Q -1 to derive p or some other non-trivial divisor of N. We now wish to find a Q such that (p 1) Q, we also have to remember that we do not have a value for p. This problem can be approached using two different techniques. The first, and probably easier of the two is to set Q = max! (mod N ). This value can be computed quickly: a max! = (... (((a 1 ) 2 ) 3 ) 4...)max This method is quick because of the fact that exponential modulo N is a fast operation. a can be any number, so long as its relatively prime to N. The second, and faster technique for finding Q is to set Q = p 1 p 2 p 3... p k where p i is a prime number less that the limited specified. In some cases we may wish to add multiples of small primes to Q so we can ensure that we

24 CHAPTER 3. LITERATURE REVIEW 14 don t miss any factors of N. Doing this will reduce the number of exponentials required by a factor of eight. This algorithm does have some problems as well. It is possible that we may find the GCD to be equal to N, in which case we change the base to something else. There may also be scenarios where the algorithm may not terminate if p 1 has only large prime factors. It has been proven that the largest prime factor of an arbitrary integer N usually falls around the 0.63 power of that integer. For example if we set max value in the algorithm to 10,000 then it will usually find any prime factors that are less than two million. This algorithm is similar to the other Pollard algorithm and hence is most efficient finding factors similar to the ones found by the Pollard ρ algorithm. 3.6 Elliptic Curve Method The Elliptic Curve Method (ECM) is sometimes referred to as Lenstra Elliptic Curve Method (Lenstra 1987). This method implements elliptic curves to find factors of an integer. To understand this method it is necessary to study elliptic curves. Elliptic curves are equations of the form: y 2 = x 3 + ax + b where a and b are constants chosen so that 4a b 0 These curves have an unusual property that if a non-vertical line intersects it at two points, then it will have a third point of intersection. A tangent to the curve is considered to have two points of interaction at the point of tangency (Atkin & Morain 1993). A graph showing an elliptic curve can be seen on Fig 3.1 If we know the two points (x 1, y 1 ) and (x 2, y 2 ) of the intersection, we can compute the slope (λ) of the line, as well as the third point of intersection in the following way: λ = { 3x 2 1 +a 2y if x 1 = x 2 otherwise y 1 y 2 x 1 x 2 x 3 = λ 2 x 1 x 2 (mod n) y 3 = λ(x 3 x 1 ) + y 1 (mod n)

25 CHAPTER 3. LITERATURE REVIEW 15 Figure 3.1: An Elliptic Curve If we wish to use elliptic curves to perform factorisation we need to make the set of points on an elliptic curve into a group. We begin this operation by defining the following binary operation. We assume that the elliptic curve has two rational points on the curve (x 1, y 1 ) and (x 2, y 2 ) (x 1, y 1 ). The binary operation is: (x 1, y 1 ) (x 2, y 2 ) = (x 3, y 3 ), where x 3 and y 3 were defined earlier. We must note that the new point is not the third point of the intersection, but it is defined as a reflection on the x-axis. It is still, however, on the same elliptic curve. We now have a set and a binary operation. We proceed by defining the identity element of our group as follows: (x, y) (x, y) = (x, y) (x, y) = The point can be thought of as a point infinitely far north so that every vertical line passes thought it. One of the interesting facts about this definition is that now every straight line, which intersects the curve at two points, also intersects at a third. The notation E(a, b) denotes the group of rational points on the curve y 2 = x 3 + ax + b, where 4a b 0, together with the point. Also, with (x i, x j ) we denote (x i, x j )#i, where: (x i, x j )#i = (x 1, y 1 ) (x 1, y 1 ) (x 1, y 1 ) } {{ } itimes

26 CHAPTER 3. LITERATURE REVIEW 16 All the points previously discussed still apply to elliptic curves modulo n. If x 1 x 2 (mod n) and y 1 y 2 (mod n) then: (x 1, y 1 ) (x 2, y 2 ) = Let us set s to be the inverse of x 1 x 2. We define the following: { (3x 2 λ = 1 + a) s if x 1 x 2 (mod n) (y 1 y 2 ) s otherwise x 3 = λ 2 x 1 x 2 (mod n) y 3 = λ(x 3 x 1 ) + y 1 (mod n) We can also define the binary operation as: (x 1, y 1 ) (x 2, y 2 ) (x 3, y 3 ) (mod n) we will also define (x i, y j ) mod n as: (x i, y j ) (x 1, y 1 )#i(mod n) The expression E(a, b)/n will indicate the elliptic group modulo n who has element pair (x, y) of non-negative integers less than n and satisfying the expression y 2 = x 3 + ax + b together with the point. If we are going to be able to implement factorisation techniques and primality tests using the arithmetic of elliptic curves, we need a fast way of computing (x, y)#i. Given the first coordinate of (x 1, y 1 ), we can compute the first coordinate of (x 2, y 2 ) as follows: x 2 = (x2 a) 2 8bx 4(x 3 +ax+b) Thus, give the first coordinates of (x, y)#i, we can compute the coordinates of (x, y)#2i using the above expression. To extend this (x, y)#2i + 1 with the following expression: x 2i+1 = (a x ix i+1 ) 2 4b(x i +x i+1 ) x 1 (x i x i+1 ) 2 We can avoid rational numbers and restrict our attention to integers if we introduce a third coordinate and write: x = X Y, y = Y Z

27 CHAPTER 3. LITERATURE REVIEW 17 where X, Y and Z are integers. An additional feature of using such notation is that the identity element now has the explicit representation (0, Y, 0) where Y can be any integer. If we have the following relationship (X i, Y i, Z i ) = (X, Y, Z) #i. We can then adjust our previous expression to obtain the following computational rules: X 2i = (X i 2 az i 2 ) 2 8bX i Z i 3 Z 2i = 4Z i (X i 3 + ax i Z i 2 + bz i 3 ) X 2i+1 = Z[(X i Xi + 1 az i Z i+1 ) 2 4bZ i Z i+1 (X i Z i+1 + X i+1 Z i )] Z 2i+1 = X 1 (X i+1 Z i X i Z i+1 ) 2 While we shall not need the value for Y i, it is worth noting that, up to sign Y i can be recovered from the value of X i and Z i. The following procedure for factoring integers by the means of elliptic curves is essentially due to A.K. Lenstra and H.W. Lenstra Jr. Let N be a composite number relatively prime to 6. In practice, N is known to have no small prime factors. We randomly choose a parameter a for our elliptic curve and a point (x, y) on the curve, 0 x, y N We must note that the values of a, x and y uniquely determine b: We verify that: b y 2 x 3 ax(mod n) gcd(4a b 2, N) = 1 if not then we have probably found a factor of N. Converting (X, Y, Z), our initial triple is (x, y, 1). If p is prime dividing N and E(a, b)/p divides k!, then (X, Y, Z)#k! = ( (((X, Y, Z)#1)#2)#3 )#k will be the identity in E(a, b)/p, which means that p will divide Z k!. If k is not too large, there is a very good chance that gcd(z k!, N) is a non-trivial divisor of N. The Elliptic Curve Method is used when the use of trial division becomes impossible. The largest factor that has been found using Elliptic Curve

28 CHAPTER 3. LITERATURE REVIEW 18 Method is the 66-digit factor n was found by B. Dodson on Apr. 6, (Zimmermann n.d.) The Elliptic Curve Method is inefficient for factoring smaller composite numbers. If RSA system were implemented with 512-bit keys and the three-factor variation, the smallest prime would be less that 66-digit, so Elliptic Curve method could be used to break the system. 3.7 Conclusion Having concluded a large amount of research in my chosen topic I feel that I now a solid grounding in this field of research. It has also clarified the direction that I wish to take my project in. These algorithms have been well research and implemented in a number of computer languages. My supervisor and I have decided that there should be another application, which has the ability to analyse the incoming number to be factorised. This application would then select the factoring algorithm that would be most appropriate to factorise it. As discussed earlier, these algorithms have been designed to operate on numbers of a certain size - the proposed application will remove this uncertainty of which algorithm to select. After searching through a wide range of material I have been unable to find any documentation or applications, which discuss or implement the idea I ve proposed. The proposed application could probably be used in the academic environment as a teaching tool to undergraduates to demonstrate the way different integer factoring algorithms operate.

29 Chapter 4 Requirements In this chapter we will outline the requirements and specifications required for implementing this project. Every attempt will be made to ensure that the requirements made here to be accurate and thorough. But there is a likelyhood that they could change as the project passes through the various stages of development. 4.1 Functional Requirements In this section we will look at the basic functionality that will be required of the software. 1.1 Should be able to accept input as an integer N. 1.2 Inputted integers maybe larger than the programming language is able to accept. We must use a arbitrary precision arithmetic library so that the limit of integer size is limited only by the system memory. 1.3 The function should be able to perform mathematical functions with the chosen arbitrary precision library. 1.4 Display the computational time taken (in seconds) to complete a factorisation & verify the results given are correct. 1.5 Users should be able to interact with the application via a command prompt interface 1.6 Users should have the ability to terminate the application at any point. 4.2 Non-functional Requirements In this section we will look at the criteria that can be used to judge the operation of a system, rather than specific behaviors. 19

30 CHAPTER 4. REQUIREMENTS Implement the following algorithms: Trial Division Algorithm Fermat s Algorithm Pollard s ρ Method Pollards s p 1 Method Elliptic Curve Method 2.2 The study should corroborate current literature and studies and offer further insight keeping the results relevant to the problem. 2.3 Implementation should not deviate from findings in Literature Review. 4.3 System Requirements This section will briefly look at the hardware and software requirements of the project Hardware Requirements The software is being developed on a machine with a Windows XP environment and Intel Pentium M 1.73GHz Processor. Hence the software should be able to run on any machine that is able to run the Windows XP operating system Software Requirements The two main consideration to be focused upon is the programming language that is going to be used and the arbitrary precision library used to allow us to deal with large integers. Programming Language Selection The nature of this project specifically focuses on the efficiency of how well the algorithm runs based on a given input by the user. Though there are a vast number of programming language available to us we have to focus on our key requirements from the programming langauge: 1. A language that is reasonably close to the machine. Hence functionality should be available to give direct access to system resources such as main memory. 2. A number of arbitrary precision library which interface with the language should be freely available.

31 CHAPTER 4. REQUIREMENTS Available on a number of different operating platforms i.e Unix, Windows, Mac OS. 4. Relatively easy to learn with a number of books and online resources available to aid development. 5. Programming tools are resources freely available. 6. Object orientated & other high level functionality is not required. Another important factor (apart from the ones described above) is that the chosen programming language should be familiar to myself. Due to time constraints it would be difficult to implement quite complex algorithms in a language which I am unfamiliar with. Based on all these factors the ANSI C programming is the most obvious choice. In this project I will be using the GNU C compiler 1. The motivation for using this language was it met the requirements described above. Arbitrary Precision Library Almost as important as the choice of programming language is the choice of which arbitrary precision library we are going to use. Due to the large size of integers we will be dealing with, the native types found in the C language such as int,float,long would not be large enough for our purposes. It is for this reason we use arbitrary precision libraries to allow us to use and perform arithmetic functions on large integers. The requirements for the library are as follows: 1. The library should be designed to perform as fast as possible 2. Easy to learn and should integrate without much difficulty with the C programming language. 3. Should be able to represent integers, rational numbers and floating point numbers. 4. Have a rich set of functions. 5. Well documented and freely available. Though a number of such libraries are available for the C language I have decided to use the GNU GMP library. Not only does it fulfill the requirement made above but it one of the larger big number libraries, hence there are a vast number of tutorials and guides available. Some of the large factorisation attempts also utilise this library as well e.g. GMP-ECM which can be found at 1 Documentation can be found at GNU C homepage

32 Chapter 5 Design Having reviewed the mathematics and the underlying concepts behind each of the algorithms we must now look at the task of implementing them. The success of any software project is firmly grounded on the how well the application is designed. Though every attempt will be made to follow the design laid out at this stage it may become apparent that certain design decision may hinder the efficiency of an algorithm implementation. This section will not deal with the actual implementation of the algorithms into C programming language. Also it will not explain all the functions and operations used within the GNU GMP library. If you are interested in this then the source code (see Appendix B) provided is fully commented and provides sufficient explanation. One function within the GMP library that is of particular importance is int mpz probab prime p (mpz t n, int reps). This function determines whether or not n is prime. Like any primality test it cannot guarantee the value passed in is prime. The function begins by performing some trial divisions, then some Miller-Rabin probabilistic primality tests. Miller-Rabin and similar tests can be more properly called compositeness tests. Numbers which fail are known to be composite but those which pass might be prime or might be composite. Only a few composites pass, hence those which pass are considered probably prime. The primary use of this function within the implemented factoring algorithms is to determine whether or not the value passed in by the user is prime. There is a deep philosophical difference between the approach of the Trial Division algorithm and Fermat s algorithm and Pollard ρ and Pollard p 1. The first two factorisation algorithms systematically search for factors (referred to as deterministic algorithms). Due to their analytical nature, they are quite straightforward to analyse. The Pollard ρ and Pollard p 1 are referred to probabilistic algorithms. These algorithms introduce randomness into the process. Due to this we can no longer be certain of finding a factor of a given size within a fixed 22

33 CHAPTER 5. DESIGN 23 amount of time. The trade-off for this probabilistic nature is that we gain the chance to determine the factors in much less time than compared to a deterministic algorithm would take. With probabilistic algorithms we cannot simply factor 20 to 30 digit numbers, much less 80 to 100 digit numbers, with deterministic methods. There maybe occasions when we maybe be misfortunate when determining factors of a composite number. The Pollard ρ and Pollard p 1 may not turn up any prime divisors that might be because there are no prime prime divisors in the appropriate interval or it may be down to bad luck! To overcome this we must find techniques that will increase the likelihood of finding factors. With the Pollard ρ we could replace the function used to generate the sequence: x Rather than develop the pseudocode from the material covered in the literature review (chapter 3) it was decided to use the pseudocode from published sources. The sources used were Handbook of Applied Cryptography (Menezes, van Oorschot & Vanston 1996) and Factorization & Primality Testing (Bressoud 1989). The reason for taking this step was to ensure that the algorithms being implemented are as close as possible to their mathematical version. Using published pseudocodes would ensure this. 5.1 Trial Division Due to the relative simplicity of the trial division algorithm there will be very little to comment upon the implementation. Below is the pseudocode of the implementation. Algorithm 1 Trial Division Algorithm Require: An integer N 0. bound N iter = 2 while N>1 AND iter < bound do if (N MOD iter) == 0 then N = N / iter PRINT iter else iter = iter + 1 end if end while The only attempt that has been made to optimise the algorithm is to ensure that that maximum value of the iter variable is the N. The source code is fully commented and can be studied for further detail on how the algorithm operates.

34 CHAPTER 5. DESIGN Fermat s Algorithm This section briefly looks at the pseudocode for the Fermat s Algorithm. Algorithm 2 Fermat s Algorithm Require: An integer N 0. for x to N do ysqr = x x N if issqaure(ysqr) then y = ysqr s = (x y) t = (x + y) if s<>1 & s<>n then return s, t end if end if end for Here the issquare(z) function is true if z is a square number and false otherwise. This algorithm does have a small flaw. This flaw is also experienced by the trial division algorithm where it will prove primality in the worst case.

35 CHAPTER 5. DESIGN Pollard ρ Method Algorithm 3 Pollard ρ Method Require: An integer N 0. a 2 b 2 for i = 1, 2, do a a mod N b b mod N Compute d = gcd(a b, N) if 1<d<N then return d and terminate end if if d = N then Terminate algorithm with failure end if end for This algorithm is probabilistic in its nature. This means that we have to be prepared for occasions were no results are produced. 5.4 Pollard p 1 Method Algorithm 4 Pollard p 1 Method Require: An integer N 0. Select smoothness bound B Select random integer a, 2 a N 1, and compute d = gcd(a, N). If d 2 return d. for Each prime q B do l = lnn lnq a a ql mod N Compute d = gcd(a 1, N) if d = 1 or d = N then terminate algorithm with failure. end if Otherwise return d end for This algorithm requires a smoothness bound to be inputted by the user. Smoothness is discussed in chapter 2. The smoothness variable could have an effect on the time taken to find factors using this algorithm. This will be discussed further in chapter 7 (Results & Analysis).

36 CHAPTER 5. DESIGN Elliptic Curve Method Algorithm 5 Elliptic Curve Method Require: An integer N 0, integer bound B 1 Select a random elliptic curve E a,b mod n and point P 0 = x 0 : y 0 : z 0 on it. Compute Q = Π Π B1 Π logb 1/logπ P 0 for Π prime, B 1 Π do (x Π : y Π : z Π ) g gcd(n, Z P i ) if g 1 then return g end if end for return FAIL. Like the previous algorithm this factorisation method also features a smoothness bound. The bound (B 1 ) used for this algorithm were not selected at random. Published sources have listed B 1 values for given lengths of composite numbers. Again this will be discussed in chapter 7 (Results & Analysis).

37 Chapter 6 Testing This chapter will focus on the steps and methods taken to test the algorithms described in the previous chapters. Our main focus is to study how much CPU time is taken by a given algorithm to factorise an integer. 6.1 Timing Algorithms Finding the amount of CPU time taken by the algorithm to work is a relatively straight forward process with the C programming language. Below is a code snippet of the code required to calculate the time time taken. #i n c l u d e <time. h> c l o c k t s t a r t, end ; double cpu time used ; Listing 6.1: CPU Time Code s t a r t = c l o c k ( ) ;... / Do the work. / end = c l o c k ( ) ; cpu time used = ( ( double ) ( end s t a r t ) ) / CLOCKS PER SEC; Obviously we then need to print the cpu time used variable to the console. The only limitation of using this code is that it can only measure execution time to a 1000 th of a second. Therefore any times that are outputted as 0 seconds could also mean that the execution took place quicker than the timing period. Times quicker than a thousandth of a second can be considered as negligible for the purposes of our investigation. When performing tests on these algorithms we will be looking for 2 main results. Firstly we will want to ensure that the output produced by the algorithm were actually the prime factors of the integer entered. We then 27

38 CHAPTER 6. TESTING 28 want to obtain the time taken for the algorithm to generate the results. Of course the code used for timing the algorithm takes time to execute as well. But for our investigation this execution time can be ignored. Testing was carried out using a black box 1 method. Black box testing allows scrutiny over the functionality important to the study, which is the input and the output. To check whether or not the algorithms were performing factorisation we simply checked within the main flow of the program. It was for this reason that external test modules were not required. Whilst developing these algorithms, numerous tests were carried out to ensure that the results being generated were the actual prime factors of the integer entered into the algorithm. One the main tools that assisted in this was a web based application Factorization using ECM 2. This web application was only used to ensure the validity of the output and not the processing time taken. Documentation is available on the website which demonstrates the result produced by the web application are reliable. The tests took the form of simple programs consisting of specific inputs allowing monitoring of the output. One of the most important considerations when testing, is the selection of the data that will be used to generate our results. During the development and implementation of these algorithms numerous tests were carried out to test the functionality of each implementation. It became clear that the type of composite integer used can greatly effect the amount of time taken for a algorithm to find its prime factors. As well as the actual length of the composite number to be factored, other influences are the number of prime factors that the composite number consists of and the distance the prime factors are from one another. Based on this it only seems logical to ensure the test data overcomes the differences described so that we have a consistent set of data from which we can draw valid conclusions. Therefore it was decided to use composite numbers with only two prime factors. The two prime factors also had be to be relatively close to one another - in our case there was only a 1% difference between the two. The second round of testing will contain integers with three prime factors. Again, these factors will have a difference of 1%. The final set of test data will have integers with 3 factors, but these factors will be selected at random. These tests should allow us to study the general behaviour of these algorithm implementation and should give us sufficient insight to allow us to draw relevant conclusions. An acknowledgment of a website must be made that assisted in the generation of the prime factors used in Table A.1, A.2 & A.3. The website What are the Next Ten Prime Numbers can be found at (http : 1 A software testing technique whereby the internal workings of the item being tested are not known by the tester. 2 Further information can be found at Factorization using the Elliptic Curve Method page

39 CHAPTER 6. TESTING 29 // jrm/next t en p rimes.html). 6.2 Algorithms using Smoothness Bounds As mentioned in chapter 5 the Elliptic Curve Method uses a smoothness bound. Figure 6.1: B 1 values used for the Elliptic Curve Method The data used to generate the graph (Fig 6.1) can be found on the following website (http : // M). The smoothness value used in the Pollard p 1 were a constant value of 100. A constant value was used as I was unable to find a source with suggested value for the smoothness bound. A considerable amount of time would have been required to find the optimal values to use with the Pollard p 1 method.

40 Chapter 7 Results & Analysis The results were obtained from a machine with the following specification: Intel Pentium M Ghz 1 GB RAM Operating System: Microsoft Windows XP (Service Pack 2) Development Environment: Bloodshed Dev-C++ ver C Compiler: MinGW (bundled with Dev-C++ ver ) Every effort was taken to ensure that the machine the tests were being performed upon was running a minimum number of processes. Also, none of the algorithms were altered in any way during the collation of the results. The result tables found in Appendix A are slightly different from one another. Table A.1 shows that we tested the algorithms with composite numbers ranging from 8 digits to 34 digits. 8 digits was used as a stating point as smaller integer lengths did not produce any useful results. Other tests were also commenced from 8 digits for consistency. Unlike the other two tables Table A.1 ends at 34 digits. It ended at this value as one or more of the algorithms produced results for this lengths. Larger integers were used but did not produce results within a reasonable amount of time. The tables A.4 to A.6 list the time (in seconds) taken to factorise the given integer. The enteries in these tables that contain a - symbol signify that either the algorithm failed to find the factors or it took far too long to produce a results (usually greater than 30 minutes). The graphs on the following pages were created using Microsoft Excel The graphs of results are plotted with the number of digits in the composite number on the x-axis against CPU Time in seconds on the y-axis. Data used to generate these graphs can be found in Appendix A. 30

41 CHAPTER 7. RESULTS & ANALYSIS Trial Division Results The graphs in the following sections was generated using the data that can be found in Appendix A Trial Division Results Using 2 Nearby Factors Figure 7.1: Trial Division with data From Table A.1 The results in the graph above were generated using the data that can be found in Table A.1 in Appendix A. The two prime factors used to generate the composite number had a difference of 1% or less. The graph clearly shows that as the number of digits in the composite increase the time taken to find the factors increase at an almost exponential rate. The results also confirms that trial division is cost effective for relatively small composite numbers (5-10 digits). It also demonstrates the concept of the deterministic nature of the trial division algorithm - that factors can be obtained as long as we are prepared to wait. There is one result on the graph that appear to be abnormal. This is for composite numbers containing 17 digits. The reason for this would be the two prime factors were quite close to the prime factors that made up the 16

42 CHAPTER 7. RESULTS & ANALYSIS 32 digit composite number. Despite this result its still quite clear to see the overall trend Trial Division Results Using 3 Nearby Factors Figure 7.2: Trial Division with data From Table A.2 The results in the graph above were generated using the data that can be found in Table A.2 in Appendix A. The three prime factors used to generate the composite number had a difference of 1% or less. The graph in Fig 7.2 displays similar properties displayed in the graph in Fig 7.1. There is a point on both graphs were the time to factorise begins to rise at an almost exponential rate. With Fig 7.2 though this rapid increase in time happens when there are more digits in the composite number. A probable reason for this type of behaviour could be attributed towards a greater number of factors that make up the composite number(3 as opposed to 2). Hence, the composite number itself will obviously be larger because there are more similarly sized factors than with a composite number using the same size factors but only composed of two factors. This behaviour also agrees with the running time discussed in the Literature Review (chapter 3).

43 CHAPTER 7. RESULTS & ANALYSIS Trial Division Results Using 3 Arbitrary Factors Figure 7.3: Trial Division with data From Table A.3 The three prime factors used to generate the composite numbers were arbitrarily chosen. The results in Fig 7.3 are very similar to the results shown in Fig 7.2. Despite the factors are not within a certain distance to one another the size of the factors themselves are similar since they produce a composite number of the same size used to generate the results in Fig 7.2. Again we see that after a certain point the time required to factorise a composite begins to increase greatly. This feature is common with trial division - that after a certain point (dependant on the make-up of composite) it does become computationally expensive to use this algorithm.

44 CHAPTER 7. RESULTS & ANALYSIS All Trial Division Results Figure 7.4: Trial Division with data From Table A.1, A.2 & A.3 The graph in Fig 7.4 has combined all the results obtained from the tests carried out on the Trial Division algorithm. It is very clear to see that the algorithm performed similarly up to 15 digits in the composite number. After this point the results begin to diverge quite quickly. Comparing the three sets of results its clear that using a composite number consisting of 3 nearby factors is more computationally expensive. No plausible explanation can be given as to why this type of behaviour has emerged.

45 CHAPTER 7. RESULTS & ANALYSIS Fermat s Algorithm Results Figure 7.5: Fermat s Algorithms with Data From Table A.1 Fermat s Algorithm is the only algorithm able to deal with composite numbers that contain two factors. It is for this reason that it was only tested with data from Table A.1 in Appendix A. The results produced by the Fermat s algorithm is similar to the results obtained from the Trial Division algorithm. There is a slight anomaly with the results at the 27 th & 28 th results. Having investigated this I am unable to explain this result. The results have performed according to the running time described in the Literature Review.

46 CHAPTER 7. RESULTS & ANALYSIS Pollard ρ Results The graphs in the following sections was generated using the data that can be found in Appendix A Pollard ρ Results Using 2 Nearby Factors Figure 7.6: Pollard ρ using data from Table A.1 The results in the graph above were generated using the data that can be found in Table A.1 in Appendix A. The two prime factors used to generate the composite number had a difference of 1% or less. One observation that can be made is the graph appears to be similar to the Trial Division graphs, the only major difference being is the trend line is further down the x axis. Hence the Pollard ρ method is able to factorise larger composite numbers quicker than the trial division and is able to find the factors of larger composite numbers. With the test data used the Pollard ρ method would start to become expensive after the composite number had exceeded 40 digits.

47 CHAPTER 7. RESULTS & ANALYSIS Pollard ρ Results Using 3 Nearby Factors Figure 7.7: Pollard ρ using data from Table A.2 The results in the graphs above were generated using the data that can be found in Table A.2 in Appendix A. The graph in Fig 7.7 is of a similar shape to the one found in Fig 7.6. There are a few a few results which do not follow the general trend. These could be due to the pseudo random nature of the algorithm. Alterations could have been made to the parameters passed in to try and alter the time take to factorise those composite numbers.

48 CHAPTER 7. RESULTS & ANALYSIS Pollard ρ Results Using 3 Arbitrary Primes Figure 7.8: Pollard ρ using data from Table A.3 Again the graph in Fig 7.8 is similar to the graphs found in Fig 7.6 & Fig 7.7. The only major difference is the time taken to factorise some of the larger composite numbers ( 25 digit) grew very sharply. Overall this algorithm did take short period of time to arrive at the prime factors, the maximum time is less than 0.1 seconds.

49 CHAPTER 7. RESULTS & ANALYSIS All Pollard ρ Results Figure 7.9: Pollard ρ with data From Table A.1, A.2 & A.3 The graph in Fig 7.9 compares all the results generated by the Pollard ρ using the three sets of test data. One observation that is very clear is that the Pollard ρ algorithm is very efficient in factorising numbers with 3 factors. In comparison to the time take for 2 factor results, the 3 factor results could almost be considered negligible. Currently the Pollard ρ algorithm seems to be the most efficient in factorising composite number smaller than 35 digits. One thing we do have to keep in mind is that this algorithm is probabilistic. Therefore we have to bear in mind that the results generated shows that this algorithm is efficient for the data it was provided and should not assume that this is the case for all types of composite numbers (of varying length and number of factors).

50 CHAPTER 7. RESULTS & ANALYSIS Pollard p 1 Results The graphs in the following sections was generated using the data that can be found in Appendix A Pollard p 1 Results Using 2 Nearby Factors Figure 7.10: Pollard p 1 with data from Table A.1 The graph found in Fig 7.10 is similar to the ones seen earlier. They are able to perform factorisations in a relatively quick period of time up to a certain point. After this point the time taken to factorise begins to grow in an exponential manner. In Fig 7.10 we can see the possible characteristics of a pseudo random algorithm. The time taken to factorise an 18 digit composite number is longer than all the following composite numbers up to 21 digits.

51 CHAPTER 7. RESULTS & ANALYSIS Pollard p 1 Results Using 3 Nearby Factors Figure 7.11: Pollard p 1 with data from Table A.2 The graph found in Fig 7.11 displays a very unusual set of results. The best way to understand this graph is to observe its overall pattern. There is an obvious pattern for each group of factors. The timings seem to oscillate, with varying amplitude as the size of the composite number grows. Again, this type of behaviour can be attributed to the pseudo random nature of the Pollard p 1 algorithm. It does seem strange that this type of behaviour was observed with composite numbers consisting of three factors which are positioned within 1% on one another.

52 CHAPTER 7. RESULTS & ANALYSIS Pollard p 1 Results Using 3 Arbitrary Factors Figure 7.12: Pollard p 1 with data from Table A.3 The graph in Fig 7.12 returns back to a pattern that we are more familiar with. There are a couple points along the curve that do not follow the general trend. These can most likely be attributed to the pseudo random nature of the algorithm.

53 CHAPTER 7. RESULTS & ANALYSIS All Pollard p 1 Results Figure 7.13: Pollard p 1 with data From Table A.1, A.2 & A.3 The graph in Fig 7.13 puts the results generated by the Pollard p 1 onto a single graph. The algorithm performed best when given composite numbers composed of three factors located nearby to one another. The curve for 2 Nearby Factor & 3 Arbitrary Factor appear to share some similar characteristics - where on some occasions small composite numbers did take longer to factorise than some of the larger ones.

54 CHAPTER 7. RESULTS & ANALYSIS Elliptic Curve Method (ECM) Results The graphs in the following sections was generated using the data that can be found in Appendix A ECM Results Using 2 Nearby Factors Figure 7.14: Elliptic Curve Method using data from Table A.1 The graph in Fig 7.14 is again of a different characteristic to those seen earlier. The curve appears to peak at 18 digits and the begins to fall back. This kind of behavior is expected from the ECM (as mentioned in the Literature Review). It has been documented that the ECM struggles to factorise smaller integers when compared to the other algorithms discussed in this report.

55 CHAPTER 7. RESULTS & ANALYSIS ECM Results Using 3 Nearby Factors Figure 7.15: Elliptic Curve Method using data from Table A.2 The graph in Fig 7.15 returns back to a pattern we are more familiar with. There is a slight anomaly with the results produced between 25 digits and 20 digits.

56 CHAPTER 7. RESULTS & ANALYSIS ECM Results Using 3 Arbitrary Factors Figure 7.16: Elliptic Curve Method using data from Table A.3 The graph in Fig 7.16 is similar in shape to n Fig The results in these last to graphs seem to contradict the findings in Fig 7.14 that the ECM is able to factorise integers quicker as the size of the composite number grows.

57 CHAPTER 7. RESULTS & ANALYSIS All ECM Results Figure 7.17: Elliptic Curve Method with data From Table A.1, A.2 & A.3 The ECM algorithm seems to perform well when given composite numbers composed of three arbitrary integers. The results for the composite number made up of 2 nearby factors seems to be quite unusual considering that the ECM is the most powerful algorithm that we ll be investigating. We would have assumed that the results would have followed the same pattern as the 2 Nearby Factor curve.

58 CHAPTER 7. RESULTS & ANALYSIS Comparing All Factoring Algorithms This section looks at how the algorithms investigated perform against one another given the same set of data. Obtaining and analysing these results were one of the central motivations of this report. The data used to generate the graphs can be found in Appendix A. Results Using 2 Nearby Factors Figure 7.18: Comparing all algorithms using data from Table A.1 The graph in Fig 7.18 look at how all the algorithms performed against one another. With the given data set the Pollard p 1 seems to perform relatively well compared to the other factoring algorithms. It was expected that that the Elliptic Curve Method would perform well. After peaking at 18 digits it was expected that the times to factor large integers would continue to decrease. Instead the time increased to an extent where the result could not be obtained within a reasonable period of time. The likely reason for this could be due to some problem in the implementation. The Pollard ρ algorithm may have not beaten the other algorithms in terms of time but has shown it is capable of factoring up to 34 digits within a reasonable period

59 CHAPTER 7. RESULTS & ANALYSIS 49 of time. The findings in the literature review did suggest that the Pollard ρ algorithm may struggle after the factors exceed digits. The other algorithms performed as expected.

60 CHAPTER 7. RESULTS & ANALYSIS 50 Results Using 3 Nearby Factors Figure 7.19: Comparing all algorithms using data from Table A.2 It is clear to see that the Pollard ρ algorithm performed the best with the given set of data. One could have assumed that the ECM method would have performed better considering it is one of the more powerful algorithms. Again the Pollard p 1 performed well. With integers containing 3 factors we can see the trial division algorithm beginning to struggle. This comment could also be made about the Elliptic Curve Method results as well. For integers composed of 3 nearby factors the Pollard ρ algorithm seemed to take the least amount of time for the algorithm to obtain the correct factors.

61 CHAPTER 7. RESULTS & ANALYSIS 51 Results Using 3 Arbitrary Factors Figure 7.20: Comparing all algorithms using data from Table A.3 The graph in Fig 7.20 seems to show a behaviour that is expected of the type of factoring algorithms we are using. Unlike previous results the Elliptic Curve Method performed well against the other algorithms. The Pollard p 1 performed poorly considering the results we ve seen previously. Clearly the Pollard ρ algorithm performed excellently considering the type of data we re using. For integers composed of 3 arbitrary factors the Pollard ρ algorithm is least expensive algorithm to run.

62 CHAPTER 7. RESULTS & ANALYSIS Summary Reviewing the results we have seen some clear pattern emerge. Irrespective of which data set we used the trial division method was the most computationally expensive. Realistically this algorithm could only be used in scenarios which require the factoring of small integers. Despite its poor performance, the advantage of the trial division algorithm is the ease of implementation. The Fermat s algorithm performed reasonably well when compared to the other algorithms. It was expected to perform better than trial division - which it did. The Pollard ρ algorithm performed very well across the range of test data sets. It was the least computationally expensive algorithm and also was able to factorise the larger integers in the test data set than expected. The Pollard p 1 algorithm performed well, especially when using the 3 nearby factor data set. The other two set of results showed the Pollard p 1 performing relatively well. Unfortunately it could not handle the larger integers as well as the Pollard ρ algorithm. The results of the Elliptic Curve Method (ECM) are unusual for the algorithm which was expected to perform well. The ECM algorithm did perform well when tested with integers with 3 factors. But it did struggle as the integer sizes started to grow. The results in Appendix A will show that the ECM did not report a time with the largest integers in the test data set. The Literature Review did comment that the ECM may struggle with smaller factors but it was expected to do well with the larger composite numbers, especially since ECM has successfully cracked small RSA keys. The probable reason for this could be due to errors during implementation. Further investigations should have been performed to find any improvements with the ECM when it began posting poor results.

63 Chapter 8 Conclusions 8.1 Introduction In the Introduction (chapter 1) of the project it was stated that this project aimed to study and implement the following algorithms: Trial Division Algorithm Fermat s Algorithm Pollard ρ Method Pollard p 1 Method Elliptic Curve Method (ECM) This chapter aims to assess how well this project has met this aim and covers any suggested future developments. The chapter starts with a critique of the processes undertaken. This discusses the good and bad choices made and what has been learnt from undertaking this project. The next section covers the achievements of the project. It details where the project fits within the field and what the project brings to this field. Finally, the future of the project is discussed, how any unmet requirements can be fulfilled and what development could be undertaken based on this project in the future. 8.2 Critique The project was started by conducting a review of the literature in the field. After studying a few papers it became clear that the level of mathematics involved was unfamiliar and would require some additional study. A couple of books that were particularly useful were Guide to Elliptic Cryptography (Hankerson, Menezes & Vanstone n.d.) and Primality Testing and Integer Factorization in Public-Key Cryptography (Yan 2003). The Internet was also a a useful tool, especially the Wolfram Mathworld site. 53

64 CHAPTER 8. CONCLUSIONS 54 It was clear from the outset that this report would not be contributing to the current research taking place in this field. This was not due to a lack of trying, but down to the sheer size and depth of of research being conducting in integer factorisation. The algorithms currently known are loosely grouped into two camps. The first would most likely contain the more powerful algorithms such as Number Field Sieve (NFS) and the second would contain the algorithms discussed in this report. One of the motivations for integer factorisation was to attack cryptosystems such as RSA. Attempts on RSA could only be realistically attacked with the larger algorithms (Robinson 2003). Hence, any report that would possibly extend on the current research taking place would need to discuss and build upon the larger algorithms. Due to time constraints it was not possible to embark upon studying and possibly implementing the larger factoring algorithms (e.g. Number Field Sieve) (Pomerance 1996) let alone extending upon these larger algorithms. Despite this, this report does provide a good starting point for students wishing to conduct research into this field. The algorithms discussed in this report may not be considered cutting edge but did contribute to the development of the large factoring algorithms (Montgomery 1994). After deciding the algorithms to be investigated, the first source that provided an excellent starting point was a book by Donald Knuth (Knuth 1997). This gave a clear sense of the direction the report would take. Research material was found and studied and compiled into the Literature Review (chapter 3). Unlike traditional software development projects, the requirements for extensive design and analysis was not required. Pseudocode for these algorithms is available available from a number of sources (discussed in chapter 5). An investigation was conducted to study the tools required to implement these algorithms. The findings for this can be found with the Requirements chapter (chapter 4). Having implemented the algorithms the next stage was to begin testing. As discussed in the testing chapter (chapter 5) the tests comprised of three main tests: testing with 2 nearby factors, testing with 3 nearby factor and 3 arbitrary factors. These tests could have been extending to include ones which look at integers of a similar size but are composed of a different number of factors. Also, with the probabilistic algorithms (Pollard ρ, Pollard p 1 and Elliptic Curve Method) tests could have been conducted to investigate which bounds (especially the Pollard p 1 algorithm) would be optimal given an integer type. At the beginning of the project it was discussed that an additional application would be developed. This application would take an input from the user (a large composite integer) and selects the appropriate factoring algorithm to generate a result. The development for this application was abandoned shortly after beginning of the implementation of the five main algorithms. The reasons for the abandonment of this application was mainly due to time constraints. An application of this nature would require a con-

65 CHAPTER 8. CONCLUSIONS 55 siderable amount time to implement. Another reason was the application would not provide any data (that was not already available to us) to contribute to the results. An emphasis was placed on the understanding and obtaining a good set of results for the algorithms already selected. With regards to the plan set out in Appendix D, I managed to stay to track from most of the tasks. Changes occurred due to other commitments such as examinations or social events. 8.3 Achievements The project has successfully implemented the five factoring algorithms we set out in chapter 1. During research undertaken for the literature review (chapter 3) it was determined that this is an area in which there is a great deal of research that has taken place. Despite the large volume of research that has taken place I was unable to find any comprehensive studies aimed at people who are new to the field of research. Hopefully this report meets that need. Every effort was taken to ensure that the code generated for this project could be reused. This would allow students to build upon the research carried out in this report and possibly taking it further. Reusability was done by ensuring that the code was well documented. Steps were also taken to ensure the code was complied to a coding standard. More information can be found in Appendix B. 8.4 Future Advances If the opportunity was given to continue and build upon this project there are a number of directions that could be taken. The most obvious progression would have been to study and implement the larger algorithm such as: Quadratic Sieve Multiple Polynomial Sieve (MPQS) Number Field Sieve (NFS) This would aid the breadth of this study and allow for a top-level view over the integer factorisation problem. Most contemporary research into integer factorisation would primarily focus on the algorithms listed and build upon them. Other advances could be to investigate how the algorithms discussed in this report would perform when implemented using different computer languages and implemented on different hardware platforms. The project could have also been extended to into another exciting research fields such as

66 CHAPTER 8. CONCLUSIONS 56 Grid and Cluster Computing. Research in this area studies how these computationally expensive algorithms can be performed in a relatively cheap distributed environment (Yan, James & Wu 2006). 8.5 Summary Integer factorisation has become an important research field within Computer Science. It has acted as a catalyst for reasearch area such as Quantum Computing, High Performance Processing (Wunderlich 1983) and Parallel Computing (Brent 2000b). This project has provided a valuable insight into a well researched topic within Computer Science. This project serves a solid and comprehensive foundation to students (and possibly academics) wishing to embark upon research into this this exciting area of research. The current set of factoring algorithms pose no serious threat to modern cryptosystems e.g RSA (Odlyzko 1995). But it will be interesting to see how this field continues to grow and challenge the computer security industry.

67 Appendix A Test Data & Results Tables This chapter contains all the data that was used to generate the results in Chapter 7. A couple of tools were used to generate this data. First, was a website 1 that is able to generate the next ten 10 prime numbers after the number inputted by myself. The second tool was a small application developed by myself using C and GNU GMP to allow me to multiple together the large factors to produce the composite numbers. The source code and documentation for this application have been excluded from this report as the application was insignificant and irrelevant to the main objective to the report. 1 John Moyer s What are the Next Ten Prime Numbers? 57

68 APPENDIX A. TEST DATA & RESULTS TABLES 58 Factor 1 Factor 2 Composite N Composite Length digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit Table A.1: 2 Nearby Factor. 1% difference between factors

69 APPENDIX A. TEST DATA & RESULTS TABLES 59 Factor 1 Factor 2 Factor 3 Composite N Composite Length digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit Table A.2: 3 Nearby Primes. 1% difference between factors

70 APPENDIX A. TEST DATA & RESULTS TABLES 60 Factor 1 Factor 2 Factor 3 Composite N Composite Length digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit digit Table A.3: 3 Arbitrary Factors.

71 APPENDIX A. TEST DATA & RESULTS TABLES 61 Digits in Composite Number Trial Algorithm Pollard ρ Pollard p 1 Fermat s Algorithm Elliptic Curve Method 8 digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits Table A.4: Results generated using Table A.1

72 APPENDIX A. TEST DATA & RESULTS TABLES 62 Digits in Composite Number Trial Algorithm Pollard ρ Pollard p 1 Elliptic Curve Method 8 digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits Table A.5: Results generated using Table A.2

73 APPENDIX A. TEST DATA & RESULTS TABLES 63 Digits in Composite Number Trial Algorithm Pollard ρ Pollard p 1 Elliptic Curve Method 8 digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits digits Table A.6: Results generated using Table A.3

74 Appendix B Code Coding standards are important for any piece of software that could potentially be use by others. They promote easily readable code which enable more people to identify extensions and bugs rapidly. This project follows the coding standards set out by GNU Coding Standards and found at 64

75 Appendix C User Documentation This chapter briefly looks at how to use the implemented algorithms. These algorithms were compiled using a pre-compiled GNU GMP library for the Windows platform. To download and for further information please visit ( The source code and executables for this project are available from my homepage ( wb1kak). For further information on the GNU GMP library please visit ( The following instructions assume that the user is using a Windows environment. C.1 Trial Division To run, type the following at the command prompt: (C:\>td composite) where composite is the integer to be factored. C.2 Fermat s Algorithm To run, type the following at the command prompt: (C:\>fermat composite) where composite is the integer to be factored. C.3 Pollard ρ Algorithm To run, type the following at the command prompt: (C:\>rho composite) where composite is the integer to be factored. 65

76 APPENDIX C. USER DOCUMENTATION 66 C.4 Pollard p 1 Algorithm To run, type the following at the command prompt: (C:\>pollard composite b) where composite is the integer to be factored & b is small integer for computation. C.5 Elliptic Curve Method Algorithm To run, type the following at the command prompt: (C:\>ecm composite bound) where composite is the integer to be factored & b is smoothness bound B1. For any queries please [email protected]

77 Appendix D Gantt Chart This chapter contains the Gantt chart used to timetable my time for the duration of this project. This Gantt chart was created using the GanttProject application which can be found at 67

78 Bibliography Atkin, A. & Bernstein, D. (1999), Prime sieves using binary quadratic forms. Atkin, A. & Morain, F. (1993), Finding suitable curves for the elliptic curve method of factorization., Mathematics of Computation (60), Brent, R. P. (1980), An improved monte carlo factorization algorithm., Nordisk Tidskrift for Informationsbehandlung (BIT) 20, Brent, R. P. (1999), Some parallel algorithms for integer factorisation, in European Conference on Parallel Processing, pp Brent, R. P. (2000a), Recent progress and prospects for integer factorisation algorithms, Lecture Notes in Computer Science 1858, 3+. Brent, R. P. (2000b), Recent progress and prospects for integer factorisation algorithms, Lecture Notes in Computer Science 1858, 3+. Bressoud, D. M. (1989), Factorization and Primality Testing, Springer - Verlag. Erdos, P., Pomerance, C. & Schmutz, E. (1991), Carmichael s lambda function, Acta Arithmetica 58, Flannery, S., Flannery, D. & Flannery, D. (2000), In Code: A Mathematical Journey, Profile Books Ltd. Floyd, R. W. (1967), Nondeterministic algorithms, Journal of the ACM 14(4). Gauss, C. F. (1801), Disquisitiones Arithmeticae (English Translation by Arthur A. Clarke), Yale University Press. Guy, R. (1994), Unsolved Problems in Number Theory, Vol. 2, New York: Springer-Verlag. Chapter 12: Pseudoprimes. Euler Pseudoprimes. Strong Pseudoprimes. Hankerson, D., Menezes, A. & Vanstone, S. (n.d.), Guide to Elliptic Curve Cryptography, Springer Professional Computing. 68

79 BIBLIOGRAPHY 69 Havil, J. (2003), Gamma: Exploring Euler s Constant, Princeton University. Hurd, J. (2003), Verification of the Miller-Rabin probabilistic primality test, Journal of Logic and Algebraic Programming 50(1 2), Knuth, D. (1997), Art of Computer Programming, Volume 2: Seminumerical Algorithms (3rd Edition), Vol. 2, Addison-Wesley Professional. Labs, R. (2005), Rsa factoring challenge, node.asp?id=2093. Lenstra, H. W. (1987), Factoring integers with elliptic curves, Annals of Mathematics 2(126). Loudon, K. (1999), Mastering Algorithms with C, O Reilly. Menezes, A., van Oorschot, P. & Vanston, S. A. (1996), Handbook of Applied Cryptography, CRC Press Inc. Montgomery, P. (1994), A survey of modern integer factorization algorithms. Morrison, M. A. & Brillhart, J. (1975), A method of factoring and the factorization of f7, Mathematics. of Computation 29(129), Odlyzko, A. M. (1995), The future of integer facotization, Technical report, AT & T Bell Labs. Pollard, J. M. (1974), Theorems on factorization and primality testing, Proc. Cambridge Phil. Soc 76, Pollard, J. M. (1975), A monte carlo method for factorization., Nordisk Tidskrift for Informationsbehandlung (BIT) 15, Pomerance, C. (1996), A tale of two sieves, Notices of the AMS. Rev. Samuel Horsley, F. R. S. (1772), The sieve of eratosthenes. being an account of his method of finding all the prime numbers, Philosophical Transactions ( ) 62, Ribenboim, P. (2004), The New Book of Prime Number Records, 3rd edn, Springer. Rivest, R. L. (1991), Finding four million large random primes, Lecture Notes in Computer Sciences 537, Rivest, R. L., Shamir, A. & Adelman, L. M. (1977), A method for obtaining digital signatures and public-key cryptosystems, Technical Report MIT/LCS/TM-82.

80 BIBLIOGRAPHY 70 Robinson, S. (2003), Still guarding secrets after years of attacks, rsa earns accolades for its founders, SIAM News 36(5). Uhl, A. (n.d.), Parallel computing in cryptoanalysis: Experiences in a graduate students project - workpackage wp5.1. Wunderlich, M. (1983), Recent advances in the design and implementation of large integer factorization algorithms, Proceedings of the 1983 IEEE Symposium on Security and Privacy p. 67. Yan, S. (2003), Primality Testing and Integer Factorization in Public-Key Cryptography, Kluwer Academic Publishers. Yan, S. Y., James, G. & Wu, G. (2006), Cryptographic and computational challenges in grid computing., in FCS, pp Zimmermann, P. (n.d.), Ecm top 100 table, rsalabs/node.asp?id=2093.