HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS. 1. Thoery and Algorithm



Similar documents
STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to

Faster deterministic integer factorisation

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Factoring Algorithms

Study of algorithms for factoring integers and computing discrete logarithms

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

Factorization Methods: Very Quick Overview

7. Some irreducible polynomials

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Primality - Factorization

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

An Overview of Integer Factoring Algorithms. The Problem

FACTORING SPARSE POLYNOMIALS

Introduction to Finite Fields (cont.)

Factoring & Primality

Short Programs for functions on Curves

EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION

PROBLEM SET 6: POLYNOMIALS

I. Introduction. MPRI Cours Lecture IV: Integer factorization. What is the factorization of a random number? II. Smoothness testing. F.

Factoring Algorithms

The Factor Theorem and a corollary of the Fundamental Theorem of Algebra

Lecture 8: Binary Multiplication & Division

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Smooth numbers and the quadratic sieve

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any.

Factoring Polynomials

THE FUNDAMENTAL THEOREM OF ALGEBRA VIA PROPER MAPS

Quotient Rings and Field Extensions

Grade 7/8 Math Circles Fall 2012 Factors and Primes

On the largest prime factor of x 2 1

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

PROPERTIES OF ELLIPTIC CURVES AND THEIR USE IN FACTORING LARGE NUMBERS

Zeros of Polynomial Functions

Integer Factorization using the Quadratic Sieve

8 Primes and Modular Arithmetic

Factoring Polynomials

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao

Zeros of Polynomial Functions

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

Faster polynomial multiplication via multipoint Kronecker substitution

JUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson

Lecture 13 - Basic Number Theory.

FACTORING. n = fall in the arithmetic sequence

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

11 Ideals Revisiting Z

Homework until Test #2

March 29, S4.4 Theorems about Zeros of Polynomial Functions

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Algebra I Vocabulary Cards

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University

Chapter 4 -- Decimals

Factoring Trinomials: The ac Method

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

Lecture 6: Finite Fields (PART 3) PART 3: Polynomial Arithmetic. Theoretical Underpinnings of Modern Cryptography

63. Graph y 1 2 x and y 2 THE FACTOR THEOREM. The Factor Theorem. Consider the polynomial function. P(x) x 2 2x 15.

How To Factor In Prime Numbers

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

CONTRIBUTIONS TO ZERO SUM PROBLEMS

Basics of Polynomial Theory

The Division Algorithm for Polynomials Handout Monday March 5, 2012

Elementary factoring algorithms

3 1. Note that all cubes solve it; therefore, there are no more

Math Review. for the Quantitative Reasoning Measure of the GRE revised General Test

it is easy to see that α = a

The finite field with 2 elements The simplest finite field is

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

ON THE EMBEDDING OF BIRKHOFF-WITT RINGS IN QUOTIENT FIELDS

Notes on Factoring. MA 206 Kurt Bryan


ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance

Introduction to Programming (in C++) Loops. Jordi Cortadella, Ricard Gavaldà, Fernando Orejas Dept. of Computer Science, UPC

Example. Introduction to Programming (in C++) Loops. The while statement. Write the numbers 1 N. Assume the following specification:

ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM

Runtime and Implementation of Factoring Algorithms: A Comparison

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

Grade 6 Math Circles March 10/11, 2015 Prime Time Solutions

11 Multivariate Polynomials

On the representability of the bi-uniform matroid

SOLVING POLYNOMIAL EQUATIONS

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

PYTHAGOREAN TRIPLES KEITH CONRAD

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Lagrange Interpolation is a method of fitting an equation to a set of points that functions well when there are few points given.

The degree of a polynomial function is equal to the highest exponent found on the independent variables.

a 1 x + a 0 =0. (3) ax 2 + bx + c =0. (4)

Polynomials. Dr. philippe B. laval Kennesaw State University. April 3, 2005

H/wk 13, Solutions to selected problems

Prime Numbers and Irreducible Polynomials

Chapter 3. if 2 a i then location: = i. Page 40

A simple and fast algorithm for computing exponentials of power series

Today s Topics. Primes & Greatest Common Divisors

The cyclotomic polynomials

The Mathematics of the RSA Public-Key Cryptosystem

Transcription:

HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS WENHAN WANG 1. Thoery and Algorithm The idea of the method using hyperelliptic curves to factor integers is similar to the elliptic curve factoring method. However, they are different in some aspect: the algebraic group attached to hyperelliptic curve is its Jacobian J(C), which is the quotient of the group of divisor classes of zero degree Div 0 modulo the group of principal divisors. Therefore the elements of J(C) cannot be properly represented as coordinates, which is the main difference of algorithm for group operations. Usually we represent a divisor class of hyperelliptic curve over a field k by a pair of polynomials u(x), v(x) k[x], which is called the Mumford representation, corresponding to so-called reduced divisor, where u(x) and v(x) should satisfy the following conditions: (1) deg u(x) g; (2) deg v(x) < deg u(x); (3) u(x) has no repeated roots; (4) u v 2 + vb f. The cantor s algorithm shows how to add two divisors and then reduce the sum so that u(x) and v(x) satisfy the above conditions. If k is a field, the cantor s algorithm always give the sum of two divisors and reduce it with no problems. But if we consider hyperelliptic curves over the ring Z/NZ, which is not a field, as we can see later this result in some problems, Cantor s algorithm might fails and using proper algorithm this might give a non-trivial factor of N. If we are working with J(C), where the curve is C : y 2 +h(x)y = f(x) over Z/NZ, then for two reduced divisor (u 1, v 1 ) and (u 2, v 2 ), Cantor s algorithm computes v 1 +v 2 +h in the second step. If the leading coefficient of v 1 +v 2 +h is not invertible, i.e., v 1.leading coeffient().gcd(n) Date: 04-29-2009. Key words and phrases. Hyperelliptic Curve, Integer factorization, Sage. 1

2 WENHAN WANG 1 we may compute the value of v 1.leading coeffient().gcd(n), which might not be invertible in the ring Z/N Z. However, the probability that the leading coefficient of v 1 + v 2 + h is not so large. But we have another chance for factor N: in the reduction part of the Cantor s algorithm, as we iterates the algorithm, at some step the leading coefficient of v will be not invertible, and we may compute the above gcd and get a non-trivial factor. If we set N = pq, where p, q are large odd primes, then we have J(Z/NZ) = J(F p ) J(F q ). The above case happens if in the course of arithmetic the result is a divisor whose image is exactly 0 in the two components: in J(F p ) or in J(F q ). But there may be other conditions that make the above case happen, but I don t know yet. There is a senior thesis[1] by a Japanese undergraduate student (written in English) with the similar idea and similar algorithm states that the factor of N is found by computing the gcd of the leading coefficient of u(x) and N, but I ran the same example is SAGE, and got that the factor is produced by the gcd of N and the leading coefficient of v 1 + v 2 + h, not as the paper by Japanese. So in the algorithm, it is necessary to check also the gcd of leading coefficient of v(x) and N. In the papers[2] written by Lestra, et al., they pointed out that under some reasonable conjectures, the hyperelliptic curve method is less efficient than elliptic curves. The following theorem form there paper illustrates the fact: Theorem 1.1. [2] Under some reasonable hypothesis, the elliptic curve method takes optimal maximal choice of parameters takes at most: L p [ 1 2 + 2o(1)](log n) 2. The hyperelliptic curve method, under the same hypothesis, takes at most L p [ 1 2 + 2o(1)](log n) 2. Although by this theorem we may conclude that the HECM is less fast as ECM, as Lenstra, and et al. pointed out, HECM works well for generating smooth numbers. So I think it is still worthwhile to implement the algorithm for factoring in SAGE.

MATH583E TERM PROJECT I 3 2. Implement in SAGE Several function is defined in sage for the implementation: hecptgen(n): this function generates a point on a certain hyperelliptic curve over the ring Z/NZ. Such a point has small absolute x-coordinate value. This function generates the Mumford representation of a divisor corresponding to the points returned by the old version of hecptgen(n). In this new version of William Stein, he combined hecptgen and hecdivgen, so that hecptgen can directly generate a divisor (class). hecadd(u1,v1,u2,v2,n): this function adds two reduced divisors and return a raw divisor, not reduced. The algorithm is the combination part of the Cantor s algorithm. hecred(u,v,n): this function use the Cantor s reduction algorithm to reduce a divisor class (u, v). For factorization, this algorithm also computes the maximum of the gcd of the leading coefficient of u with N and the gcd of the leading coefficient of v. If the gcd is greater than 1, the function will output the non-trivial factor and break. hecmul(u,v,m,n): this function computes m times (u, v), i.e., add (u, v) by itself and then reduce for m times. factor_hecm(n): this function actually factor N by the hyperelliptic curve method using the idea in section 1. I will then show some examples that HECM works in sage. Example 2.1. In this example, I did exactly the same input in the Japanese paper and ran. However, the gcd of the leading coefficient of u and N is 1, and the output is truncated because the leading coefficient of v has non-trivial gcd with N, as shown in the result. Here is the result using the code of William s version and exactly the same example in [1]: sage: def hecred(u,v,n):... while u.degree()>genus:

4 WENHAN WANG... ur=(f-v*h-v^2)//u... url=ur.leading_coefficient()... g=gcd(url,n)... if g!= 1:... print "Non-trivial factor=",g... raise RuntimeError, g... return u, v, g...... vr=(-h-v)%ur... u=ur... v=vr... print "u=", u... print "v=", v... vl=v.leading_coefficient()... g=gcd(vl,n)... if g!= 1:... print "Non-trivial factor=",g... return u, v, g... return u,v,1 sage: def hecadd(u1,v1,u2,v2,n): sage: # add (u1,v1) and (u2,v2)... d1,e1,e2=xgcd(u1,u2)... d,c1,s3=xgcd(d1,v1+v2+h)... s1=c1*e1... s2=c1*e2... ui=u1*u2//d^2... vi=((s1*u1*v2+s2*u2*v1+s3*(v1*v2+f))//d)%ui... return hecred(ui,vi,n) sage: def hecmul(u,v,m,n): sage: # multiply (u,v) by m... sumu, sumv = u,v... for z in range(m-1):... sumu, sumv, g = hecadd(u,v,sumu,sumv,n)... return sumu,sumv sage: N=77 sage: x=polygen(zmod(n)) sage: f=x^5+3*x+40 sage: h=0 sage: genus=2 sage: u1=x+5%n sage: v1=0*x+1%n sage: u=hecmul(u1,v1,9,n)[0]

sage: v=hecmul(u1,v1,9,n)[1] sage: u,v u= x^2 + 18*x + 18 v= x + 19 u= x^2 + 45*x + 2 v= 72*x + 29 u= x^2 + 33*x + 5 v= 15*x + 76 u= x^2 + 39*x + 42 v= 62*x + 1 u= x^2 + 74*x + 39 v= 71*x + 58 u= x^2 + 50*x + 43 v= 49*x + 76 Non-trivial factor= 7 u= x^2 + 28*x + 48 v= 20*x + 75 u= x^2 + 18*x + 18 v= x + 19 u= x^2 + 45*x + 2 v= 72*x + 29 u= x^2 + 33*x + 5 v= 15*x + 76 u= x^2 + 39*x + 42 v= 62*x + 1 u= x^2 + 74*x + 39 v= 71*x + 58 u= x^2 + 50*x + 43 v= 49*x + 76 Non-trivial factor= 7 u= x^2 + 28*x + 48 v= 20*x + 75 (x^2 + 28*x + 48, 20*x + 75) MATH583E TERM PROJECT I 5 Now we can see before the statement Non-trivial factor= 7, the leading coefficient of v is 49, which has non-trivial gcd with 77, whereas the leading coefficient can always scaled to be 1. Therefore in [1], they did not consider all possible cases. The William s version of source code and several output is printed below. The function hecmul() may be modified by calculating the addition in binary partitions.

6 WENHAN WANG sage: def hecred(u,v,n):... while u.degree()>genus:... ur=(f-v*h-v^2)//u... url=ur.leading_coefficient()... g=gcd(url,n)... if g!= 1:... print "Non-trivial factor=",g... raise RuntimeError, g... return u, v, g...... vr=(-h-v)%ur... u=ur... v=vr... vl=v.leading_coefficient()... g=gcd(vl,n)... if g!= 1:... print "Non-trivial factor=",g... return u, v, g... return u,v,1 sage: def hecadd(u1,v1,u2,v2,n): sage: # add (u1,v1) and (u2,v2)... d1,e1,e2=xgcd(u1,u2)... d,c1,s3=xgcd(d1,v1+v2+h)... s1=c1*e1... s2=c1*e2... ui=u1*u2//d^2... vi=((s1*u1*v2+s2*u2*v1+s3*(v1*v2+f))//d)%ui... return hecred(ui,vi,n) sage: def hecmul(u,v,m,n): sage: # multiply (u,v) by m... sumu, sumv = u,v... for z in range(m-1):... sumu, sumv, g = hecadd(u,v,sumu,sumv,n)... return sumu,sumv sage: def hecptgen(n):... x = polygen(zmod(n))... R = x.parent()... for i in (0..(N-1)//2):... r = Mod(f(i),N)... if r.is_square():

MATH583E TERM PROJECT I 7... return x-i, R(sqrt(r)) sage: f = None sage: x = None sage: def factor_hecm(n):... if is_prime_power(n):... print "N is prime"... return N... global f, x... x = polygen(integers(n))... f = x^5+3*x+40... u, v = hecptgen(n)... j=1... gc=1... ur=u... vr=v... while gc==1:... try:... up=ur... print "up=", up... vp=vr... print "vp=", vp... upc, vpc = hecmul(up,vp,j,n)... print "upc=", upc... print "vpc=", vpc... gc=hecred(up,vp,n)[2]... print "gc=", gc... print "j=",j... print "======"... j+=1... print "j=",j... ur=upc... vr=vpc... except RuntimeError, msg:... return msg[0] sage: a = factor_hecm(77) up= x + 76 vp= 11 upc= x + 76 vpc= 11 gc= 1 j= 1 ======

8 WENHAN WANG j= 2 up= x + 76 vp= 11 upc= x^2 + 75*x + 1 vpc= 53*x + 68 gc= 1 j= 2 ====== j= 3 up= x^2 + 75*x + 1 vp= 53*x + 68 Non-trivial factor= 11 Non-trivial factor= 7 sage: a 7 3. Conclusion The main purpose of this project is to implement HECM in SAGE. The result is that our code can factor a 2 decimal digits composite number somehow effectively. But for larger composite numbers, this algorithm is slow, because (1) the divisor multiplication step is not clever; and the HECM, like ECM, factors a number efficiently if the number of divisor classes on the Jacobian is smooth, otherwise it may take longer time. Another problem of HECM is that for some small numbers or numbers contains power of 2 or 3 could not be factored, like in ECM. There is also some further work to do: (1) use binary algorithm to modify the function hecmul(); (2) if an input number is a prime or a prime power, break the loop somewhere and output the statement: it is prime or prime power, without check before factoring. (3) how to choose a proper curve such that the number of divisor classes in the Jacobian is smooth. References [1] Study on Elliptic Curve and Hyperelliptic Curve Methods for Integer Factorization. Takayuki Yato, 2000-02.

MATH583E TERM PROJECT I 9 [2] A Hyperelliptic Smooth Text. H.W.Lenstra, J.Pila, Carl Pomerance. Phil. Trans. R. Soc. Lond. A Novenber 15, 1993. E-mail address: hans.cryptologiste@gmail.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information