FACTORING

The claim that factorization is harder than primality testing (or primality certification) is not currently substantiated rigorously. As some sort of backward evidence that factoring is hard, this writeup briefly introduces some factoring methods.

1. Futility of Trial Division

Trial division attempts to divide a given integer $n$ by the integers $2$ through $\sqrt{n}$. Either we find a proper factor of $n$, or $n$ is prime. A crude estimate shows the hopelessness of this method for factoring integers large enough to be relevant to public-key cryptology. Suppose that $n \approx 10^{200}$, and either $n$ is prime or $n = pq$ where $p, q \approx 10^{100}$ are primes. Determining whether $n$ is prime or $n = pq$ will take about $10^{100}$ trial divisions. If $10^{12}$ internet hosts each carried out $10^{12}$ trials per second, then since there are fewer than $10^{8}$ seconds per year, even this massively parallel attack would require some $10^{68}$ years. The skeptics may generate ever larger probable primes and then test trial division on them. The process will become hopeless long before 200 digits.

2. The Euler-Fermat Trick

Consider a positive integer of the special form $n = b^e - 1$. For such $n$, if $p$ is a prime divisor of $n$ then either $p \mid b^d - 1$ for some proper divisor $d$ of $e$ (possibly $d = 1$), or $p \equiv 1 \pmod e$. This follows from the fact that if $p \mid n$ then $b$ is an $e$th root of unity in $\mathbb{Z}/p\mathbb{Z}$. In formulas, the argument that $p \mid b^d - 1$ for some divisor $d$ of $e$ (possibly $d = e$) is:

$$p \mid b^e - 1 \implies b^e \equiv 1 \pmod p \implies b^d \equiv 1 \pmod p \text{ for some minimal positive } d,\ d \mid e \implies p \mid b^d - 1 \text{ for the same } d.$$

Now, either $d$ is a proper divisor of $e$, or $d = e$. But if $d = e$ then $e$ is the order of $b$ in $(\mathbb{Z}/p\mathbb{Z})^\times$, a cyclic group of order $p - 1$, and so $e \mid p - 1$, i.e., $p \equiv 1 \pmod e$. Thus the statement in italics is justified. It reduces by a significant constant factor the amount of required trial division to check the primality of $n$.

Similarly, if $p$ is a prime divisor of the Fermat number $n = 2^{2^q} + 1$ then $2$ would be a $2^q$th root of $-1$ in $\mathbb{Z}/p\mathbb{Z}$.
Thus $2$ would be a primitive $2^{q+1}$st root of unity in $\mathbb{Z}/p\mathbb{Z}$, forcing $2^{q+1} \mid p - 1$, i.e., $p \equiv 1 \pmod{2^{q+1}}$. Euler used this idea to show that possible prime factors of the fifth Fermat number $n = 2^{2^5} + 1$ fall in the arithmetic sequence $\{64k + 1\} = \{65, 129, \ldots, 641, \ldots\}$, and in fact $641$ is a factor. The difference between five trial divisions ($641$ is the fifth prime in the arithmetic sequence) and $116$ trial divisions ($641$ is the 116th prime) is significant. Similarly, this method finds a six-digit prime factor of $n = 2^{2^7} + 1$ in $150$ trial divisions. The modern Lucas-Lehmer test is much faster, but it does not actually find a prime factor.

3. Pollard's Rho Method

This method quickly finds relatively small factors $p$ of composite numbers in perhaps $\sqrt{p}$ steps, and it uses very little memory. [Pollard's rho method for discrete logarithms would make a good project topic. See his 1978 paper in Mathematics of Computation.] It is simple to implement, and it demonstrates the surprising power of algorithms that are irremediably probabilistic. Although an obvious heuristic suggests the reasonableness of Pollard's rho, it is difficult to prove that it works as well as it does. [But see the 1991 paper by E. Bach in Information and Computation.]

Here is the method: Given $n$, define a function
$$f : \{0, \ldots, n-1\} \to \{0, \ldots, n-1\}, \qquad f(x) = (x^2 + 2)\ \%\ n.$$
Then
Initialize $x = 2$, $y = f(x)$.
While $\gcd(x - y, n) = 1$, replace $(x, y)$ by $(f(x), f(f(y)))$.
Now $1 < \gcd(x - y, n) \le n$. If $1 < \gcd(x - y, n) < n$ then the gcd is a proper factor of $n$, but if $\gcd(x - y, n) = n$ then the test has failed. When the test fails it can be tried again with a different starting value of $x$, or with a different function $f$. Not only does the test work surprisingly well, but it hardly matters what starting value $x$ or what function $f$ is used. The most compelling explanation of Pollard's rho factorization method is heuristic, and attempts to be more rigorous do not succeed easily. The two critical components of the heuristic explanation are the birthday paradox and Floyd's cycle-detection method.

3.1. The Birthday Paradox and the First Idea of Pollard's Rho.
The number $d$ of draws (with replacement) from $n$ objects required to make the probability of at least one matching pair exceed $1/2$ is essentially $1.2\sqrt{n}$. This is perhaps a surprisingly small number. Indeed, the probability of no match is
$$P_d = \prod_{i=1}^{d-1} \left(1 - \frac{i}{n}\right).$$
So the logarithm of the probability is
$$\log P_d = \sum_{i=1}^{d-1} \log\left(1 - \frac{i}{n}\right) \approx -\sum_{i=1}^{d-1} \frac{i}{n} = -\frac{(d-1)d}{2n} \approx -\frac{d^2}{2n}.$$
So if $d^2 > 2\log 2 \cdot n$ then $\log(P_d) < -\log 2 = \log(1/2)$, i.e., $P_d < 1/2$. Since $P_d$ is complementary to the probability of a match, we are done. And the condition is essentially $d > \sqrt{n}$. (If we want to be more finicky, we can note that a precise estimate of the no-match probability is $\log P_d \le -(d-1)^2/(2n)$, and so a precise condition to make the match probability exceed $1/2$ is $d > \sqrt{2\log 2 \cdot n} + 1$.)
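Pollard's rho exactly as section 3 states it ($f(x) = x^2 + 2\ \%\ n$, $x = 2$, $y = f(x)$, the pair stepping $(x, y) \to (f(x), f(f(y)))$), returning the number of gcd evaluations so the cost can be compared with the $\sqrt{p}$ birthday estimate above. This is an added Python example, not code from the notes; the sample $n$ and the retry loop over the constant in $f$ are my own assumptions.

```python
# Added example (not from the original notes): Pollard's rho with Floyd's
# pairing (x_s, x_{2s}), counting gcd evaluations.  A run that ends with
# gcd == n is the "failed" case of the notes and is retried with another
# constant c in f(x) = x^2 + c, which the notes say hardly matters.
from math import gcd, isqrt


def pollard_rho(n, x0=2, c=2):
    """Return (g, steps) with g = gcd(x - y, n) > 1 at the first step where
    it is not 1.  g == n means the run failed; 1 < g < n is a proper factor."""
    def f(v):
        return (v * v + c) % n

    x = x0
    y = f(x)
    steps = 0
    while True:
        steps += 1
        g = gcd(x - y, n)          # math.gcd tolerates a negative argument
        if g != 1:
            return g, steps
        x, y = f(x), f(f(y))       # x advances one step, y two steps


def rho_with_retries(n, max_tries=10):
    """Retry with constants c = 2, 3, ... until a run returns a proper factor.
    Returns (factor, steps, c) or None if every run ended with gcd == n."""
    for c in range(2, 2 + max_tries):
        g, steps = pollard_rho(n, c=c)
        if g != n:
            return g, steps, c
    return None


if __name__ == "__main__":
    # constructed input: product of a small prime and a much larger one
    n = 1000003 * 1000000007
    factor, steps, c = rho_with_retries(n)
    print(f"factor {factor} found after {steps} gcds (sqrt(p) ~ {isqrt(factor)}), c={c}")
```

The step count printed is on the order of $\sqrt{p}$ for the small factor $p$, far below the $\sqrt{n}$ of trial division.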

Returning to Pollard's rho method, suppose that $n$ has a proper divisor $p$ that is much smaller than $n$. If we have more than $\sqrt{p}$ integers $x_1, \ldots, x_t$, then with probability greater than $1/2$, two of the $x_i$ should agree modulo $p$. Since $p$ is much smaller than $n$, if the sequence $\{x_i\}$ behaves somewhat randomly then two $x_i$-values should agree modulo $p$ long before any two agree modulo $n$. If, say, $x_i \equiv x_j \pmod p$ then $\gcd(x_i - x_j, n)$ will be divisible by $p$. The gcd will be a divisor of $n$ greater than $1$ and probably smaller than $n$. But computing $\gcd(x_i - x_j, n)$ for every pair $\{x_i, x_j\}$ as we go along until we find a match could take roughly $\sqrt{p} \cdot \sqrt{p} = p$ comparisons, which can be as large as $\sqrt{n}$, and this is as bad as trial division. To compute many fewer gcds with confidence of nonetheless finding a match quickly, Pollard's rho method uses a second idea beyond the birthday paradox.

3.2. Floyd's Cycle Detection Method and the Second Idea of Pollard's Rho Method.

Pretend that the function
$$f : \{0, \ldots, n-1\} \to \{0, \ldots, n-1\}, \qquad f(x) = (x^2 + 2)\ \%\ n,$$
is a random map of $\mathbb{Z}/n\mathbb{Z}$ to itself, and define a sequence $x_1 = 2$, $x_i = f(x_{i-1})$ for $i > 1$. Note that if ever $x_j = x_i$ (where $j > i$) then also $x_{j+k} = x_{i+k}$ for all $k \ge 0$. That is, as soon as the sequence reaches its first value that will repeat, it settles into a cycle of length $j - i$, and so the sequence takes the form of the Greek letter $\rho$. Consequently,
$$x_t = x_{t - k(j-i)} \quad \text{whenever } k \ge 1 \text{ and } t - k(j-i) \ge i.$$
Pollard's method compares only pairs of terms $(x_s, y_s) = (x_s, x_{2s})$. That is, it searches for an equality as in the previous display but where $t = 2s$ for some $s$ and where the right subscript is $s$ itself,
$$x_{2s} = x_{2s - k(j-i)} \quad \text{whenever } 2s - k(j-i) = s \ge i.$$
Such an equality will hold under the conditions $s = k(j-i)$ for some $k \ge 1$, $s \ge i$. Since Pollard's rho method compares $x_s$ and $x_{2s}$ for $s = 1, 2, \ldots$, the analysis here proves that it will find a match.

4. Pollard's $p - 1$ Method

Call a positive integer smooth if it is divisible only by small primes.
Pollard's $p - 1$ method finds prime factors $p$ of a given $n$ with the property that $p - 1$ is smooth. (Such primes $p$ are called weak.) More specifically, let $B$ be some bound. Then positive integers of the form
$$m = \prod_{q < B} q^{e_q}$$
are called $B$-smooth. Pollard's $p - 1$ method finds a prime factor $p$ of $n$ such that $p - 1$ is $B$-smooth using $O(B \ln n / \ln B)$ multiplications modulo $n$. But the algorithm can fail. In practice, because the value of $B$ must be kept too small to find all possible factors, the algorithm is used just a little, hoping for luck or for negligence on the part of an adversary. The question of how large we should expect the prime factors of a randomly chosen number to be is not trivial.

Here is the method: Given $n$, known to be composite but not a prime power, and given a smoothness bound $B$, proceed as follows. Choose a random integer $b$, with $2 \le b \le n - 1$. Let $g = \gcd(b, n)$. If $g \ge 2$ then $g$ is a proper factor of $n$, so stop. Otherwise let $p_1, \ldots, p_t$ be the primes that are at most $B$. For $i = 1, \ldots, t$, do the following:
(1) Let $q = p_i$.
(2) Let $l = \lceil \ln n / \ln q \rceil$.
(3) Replace $b$ by $b^{q^l}\ \%\ n$.
(4) Compute $g = \gcd(b - 1, n)$.
(5) If $1 < g < n$ then $g$ is a proper factor of $n$, so stop. If $g = n$ then the algorithm has failed. If $g = 1$ then continue to the next value of $i$.

Why does this work? Suppose that $n$ has a prime factor $p$ such that $p - 1$ is $B$-smooth,
$$p = 1 + \prod_{i=1}^{t} p_i^{e_i}.$$
For any $b$ such that $\gcd(b, n) = 1$, Fermat's Little Theorem says that $b^{p-1} \equiv 1 \pmod p$, i.e.,
$$b^{p_1^{e_1} \cdots p_t^{e_t}} \equiv 1 \pmod p.$$
The calculation
$$\ln n > \ln p > \ln \prod_j p_j^{e_j} = \sum_j e_j \ln p_j \ge e_i \ln p_i$$
shows that the quantity $l_i = \lceil \ln n / \ln p_i \rceil$ is at least $e_i$. Thus $p - 1 = \prod_i p_i^{e_i}$ divides the quantity $T = \prod_i p_i^{l_i}$, and so $b^T \equiv 1 \pmod p$ for any integer $b$ coprime to $p$. That is, $p \mid \gcd(b^T - 1, n)$. The format of the algorithm shows that the bound $B$ serves only to ensure that the algorithm terminates after a while. Instead, one could try successively larger primes until deciding to quit by some criterion such as total time invested.

Example. Factor $54541557732143$. Initialize $b = 3$. The exponent for $2$ is $46$, the exponent for $3$ is $29$, and the exponent for $5$ is $20$. Replace $b$ by $b^{2^{46}}\ \%\ 54541557732143 = 7359375584408$. Since $\gcd(b - 1, n) = 1$, continue. Replace $b$ by $b^{3^{29}}\ \%\ 54541557732143 = 8632659376632$. Since $\gcd(b - 1, n) = 1$, continue. Replace $b$ by $b^{5^{20}}\ \%\ 54541557732143 = 22167690980770$. This time the gcd is $54001$, giving a proper factor. And indeed, $54001$ is $\{2, 3, 5\}$-weak because $54000 = 2^4 \cdot 3^3 \cdot 5^3$ is $\{2, 3, 5\}$-smooth.
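The $p - 1$ algorithm above, run on the notes' own example ($n = 54541557732143$, $b = 3$, primes $2, 3, 5$) and returning a per-stage trace of $(q, l, b, g)$. This is an added Python example, not code from the notes; the exponent $l$ is computed as the least $l$ with $q^l \ge n$, which equals $\lceil \ln n / \ln q \rceil$ while avoiding floating-point rounding, and the sieve helper is my own.

```python
# Added example (not from the original notes): Pollard's p - 1 exactly as the
# notes state it.  Returns the factor found plus a trace of every stage so the
# reader can compare with the worked example (l_2 = 46, l_3 = 29, l_5 = 20).
from math import gcd


def small_primes(bound):
    """Primes up to and including bound, by a simple sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def pollard_p_minus_1(n, bound, b=3):
    """Return (factor, trace).  trace holds (q, l, new_b, g) for each stage run.
    factor is None when the run fails (g == n) or every stage gives g == 1."""
    g = gcd(b, n)
    if g >= 2:                        # lucky: b already shares a factor with n
        return g, []
    trace = []
    for q in small_primes(bound):
        # least l with q**l >= n, i.e. ceil(ln n / ln q), computed in integers
        l, power = 0, 1
        while power < n:
            power *= q
            l += 1
        b = pow(b, power, n)          # b <- b^(q^l) mod n
        g = gcd(b - 1, n)
        trace.append((q, l, b, g))
        if 1 < g < n:
            return g, trace           # proper factor: p - 1 was smooth over the primes so far
        if g == n:
            return None, trace        # failure: every prime factor of n was hit at once
    return None, trace                # no weak prime found below the bound


if __name__ == "__main__":
    n = 54541557732143                # the notes' example
    factor, trace = pollard_p_minus_1(n, 5)
    for q, l, b, g in trace:
        print(f"q={q} l={l} b={b} gcd(b-1,n)={g}")
    print("factor", factor, "cofactor", n // factor)
```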

There is an analogous $p + 1$ method due to Williams in Math. Comp. 39 (1982). More generally, for any cyclotomic polynomial
$$\phi_n(x) = \frac{x^n - 1}{\prod_{d \mid n,\ d < n} \phi_d(x)}$$
there is a $\phi_n(p)$ method. The case $n = 1$ is Pollard's $p - 1$, and the case $n = 2$ is Williams's $p + 1$.