Factoring Algorithms



Similar documents
Factoring. Factoring 1

Primality - Factorization

Integer Factorization using the Quadratic Sieve

Factoring Algorithms

An Overview of Integer Factoring Algorithms. The Problem

Notes on Factoring. MA 206 Kurt Bryan

Computing exponents modulo a number: Repeated squaring

CS 103X: Discrete Structures Homework Assignment 3 Solutions

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

Factoring & Primality

Applications of Fermat s Little Theorem and Congruences

FACTORING. n = fall in the arithmetic sequence

8 Primes and Modular Arithmetic

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

Section 4.2: The Division Algorithm and Greatest Common Divisors

Lecture 13: Factoring Integers

Computer and Network Security

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Elementary factoring algorithms

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

Homework until Test #2

Cryptography and Network Security Chapter 8

GREATEST COMMON DIVISOR

Integer roots of quadratic and cubic polynomials with integer coefficients

Primality Testing and Factorization Methods

Factorization Methods: Very Quick Overview

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Lecture 13 - Basic Number Theory.

Math 319 Problem Set #3 Solution 21 February 2002

Smooth numbers and the quadratic sieve

Elements of Applied Cryptography Public key encryption

Public Key Cryptography: RSA and Lots of Number Theory

Today s Topics. Primes & Greatest Common Divisors

Chapter 3. if 2 a i then location: = i. Page 40

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Faster deterministic integer factorisation

The application of prime numbers to RSA encryption

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Advanced Cryptography

The Quadratic Sieve Factoring Algorithm

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

RSA and Primality Testing

Continued Fractions and the Euclidean Algorithm

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

8 Divisibility and prime numbers

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

On Generalized Fermat Numbers 3 2n +1

RSA Encryption. Tom Davis October 10, 2003

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

SUM OF TWO SQUARES JAHNAVI BHASKAR

Modern Factoring Algorithms

RSA Attacks. By Abdulaziz Alrasheed and Fatima

The Sieve Re-Imagined: Integer Factorization Methods

Algorithms with numbers

Kevin James. MTHSC 412 Section 2.4 Prime Factors and Greatest Comm

Factorization Algorithms for Polynomials over Finite Fields

minimal polyonomial Example

Study of algorithms for factoring integers and computing discrete logarithms

TEXAS A&M UNIVERSITY. Prime Factorization. A History and Discussion. Jason R. Prince. April 4, 2011

The last three chapters introduced three major proof techniques: direct,

Elementary Number Theory

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

Optimization of the MPQS-factoring algorithm on the Cyber 205 and the NEC SX-2

The Mathematics of the RSA Public-Key Cryptosystem

Introduction to Programming (in C++) Loops. Jordi Cortadella, Ricard Gavaldà, Fernando Orejas Dept. of Computer Science, UPC

Example. Introduction to Programming (in C++) Loops. The while statement. Write the numbers 1 N. Assume the following specification:

Number Theory: A Mathemythical Approach. Student Resources. Printed Version

Some Polynomial Theorems. John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA

Some practice problems for midterm 2

CONTINUED FRACTIONS AND FACTORING. Niels Lauritzen

Handout NUMBER THEORY

Factoring a semiprime n by estimating φ(n)

Chapter. Number Theory and Cryptography. Contents

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University

2 Primality and Compositeness Tests

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

SECTION 10-2 Mathematical Induction

MATH 537 (Number Theory) FALL 2016 TENTATIVE SYLLABUS

MATH 22. THE FUNDAMENTAL THEOREM of ARITHMETIC. Lecture R: 10/30/2003

Just the Factors, Ma am

PROBLEM SET 6: POLYNOMIALS

Welcome to Math Video Lessons. Stanley Ocken. Department of Mathematics The City College of New York Fall 2013

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

2 Polynomials over a field

Zero: If P is a polynomial and if c is a number such that P (c) = 0 then c is a zero of P.

Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any.

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Notes on Determinant

The Mean Value Theorem

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

H/wk 13, Solutions to selected problems

k, then n = p2α 1 1 pα k

6. Cholesky factorization

MATH 289 PROBLEM SET 4: NUMBER THEORY

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

The van Hoeij Algorithm for Factoring Polynomials

Transcription:

Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12

Fermat s factoring method Fermat made the observation that if n has two factors that are near one another (and hence near the square root of n) then one can find them by searching the sequence n + y 2 for y = 0, 1, 2, 3,... until finding a perfect square x 2. Then n + y 2 = x 2, so n = x 2 y 2 = (x y)(x + y) is a factorization of n. If n = pq is a product of two primes that are near to one another, this finds the factors fairly quickly. () Factoring Algorithms November 17, 2008 2 / 12

The p 1 method Due to Pollard 1974. Assume that n has a prime factor p such that all the prime factors of p 1 are fairly small, then we can find a nontrivial factor of n by computing b a B! (mod n) for some chosen B. This computation can be done quickly so long as B is not chosen too large. If p 1 has only small prime factors, then for B sufficiently large p 1 will divide B!, so B! = (p 1)k for some integer k. Hence b = a B! = a (p 1)k = (a p 1 ) k 1 k = 1 (mod p) by Fermat s Little Theorem, so p is a factor of b 1 and n. Thus, gcd(b 1, n) will have p as a factor, so by computing gcd(b 1, n) we have found a non-trvial factor of n. () Factoring Algorithms November 17, 2008 3 / 12

The p 1 method The p 1 method works so long as B is big enough so that all the prime factors (with their multiplicity) of p 1 occur in B!, but not so big that computing b a B! (mod n) is prohibitively time consuming. Note that it is well known that the sequence B! of factorials is of exponential growth rate, so no matter how fast your computer, there will be some value of B such that the computation will take more than your lifetime to finish. To emphasize this last point, let s record the first few terms of the sequence n! below: 1, 2, 6, 24, 120, 720, 5040, 40320, 362880, 3628800, 39916800, 479001600, 6227020800,... Obviously it is growing pretty fast. In fact, this sequence eventually grows faster than a n for any given base a. () Factoring Algorithms November 17, 2008 4 / 12

The p 1 method MORAL: In choosing p, q for an RSA system, it is important that both p and q are chosen so that each of p 1 and q 1 has at least one large prime factor. Otherwise, a clever attacker just might get lucky with the p 1 method, factor n, and decode the message. This is easy to do. Choose a large prime p 0 at random, say with 40 or so decimal digits. Now look in the sequence of numbers of the form kp 0 + 1, for k = 10 60 + 1, 10 60 + 2, 10 60 + 3,... until you find some prime p or roughly 100 decimal digits such that p = kp 0 + 1. Then p 1 has a large prime factor, namely p 0, by construction. Repeat the method to find q. It should also be noted that p, q should not be too close together, or else someone might find the factors of n using Fermat s approach. For this reason, it is important to choose p, q to NOT have exactly the same number of decimal digits. () Factoring Algorithms November 17, 2008 5 / 12

Theorem (Basic Principle) Let n be a positive integer. Suppose there exist integers x, y such that x 2 y 2 (modn) but x ±y (mod n). Then gcd(x y, n) gives a non-trivial factor of n. Proof. Set d = gcd(x y, n). Then d is a divisor of n so 1 d n. If d = n then n (x y) so x y (mod n), which is contrary to the hypothesis. If d = 1 then n does not divide x y. But n divides x 2 y 2 = (x y)(x + y) by hypothesis, so n must therefore divide the second factor x + y, by Euclid s Lemma. In other words, x y (mod n), which is again contrary to hypothesis. This shows that 1 < d < n, so d is a nontrivial factor of n. That s what we needed to show. () Factoring Algorithms November 17, 2008 6 / 12

EXAMPLE. Suppose we would like to factor n = 3837523. We observe the following: 9398 2 5 5 19 19095 2 2 2 5 11 13 19 1964 2 3 2 13 3 17078 2 2 6 3 2 11 where all the conguences are mod n. By multiplying these together, we obtain the congruence (9398 19095 1964 17078) 2 (2 4 3 2 5 3 11 13 2 19) 2 which simplifies mod n to give 2230387 2 2586705 2 (mod 3837523). () Factoring Algorithms November 17, 2008 7 / 12

EXAMPLE, CONTINUED. In this case, 2230387 ±2586705 (mod 3837523) so by computing gcd(2230387 2586705, 3837523) = 1093 we find a factor 1093 of n. Then the other factor is n/1093 = 3511, so n = 1093 3511. () Factoring Algorithms November 17, 2008 8 / 12

The idea is to find several relations of the form x 2 i a product of small primes (mod n). If you get enough relations of that form, then some of them can be combined to give a congruence x 2 y 2 (mod n). Sometimes you are unlucky, and x ±y (mod n). If that happens, look for more relations of the indicated type and try again. Eventually, if you happen upon a case where x 2 y 2 (mod n) but x ±y (mod n) then you have factored n. This is how the RSA challenge (Scientific American 1977) was finally cracked in 1994, using a factor base of more than half a million primes and 1600 computers in parallel. The project took 7 months to complete. () Factoring Algorithms November 17, 2008 9 / 12

How does one find numbers x i such that x 2 i a product of small primes (mod n)? (The set of desirable small primes is called the factor base.) Examine numbers of the form [ kn + j] where j is fairly small. Here [r] means the integer part of a real number r. The square of such a number x i will be likely to have only small factors mod n, since its residue mod n is fairly small relative to the size of n. EXAMPLE. For n = 3837523 as before, we get 8077 = [ 17n + 1] and 9398 = [ 23n + 1]. () Factoring Algorithms November 17, 2008 10 / 12

Let {p 1, p 2,..., p t } be a chosen factor base. Find numbers x i such that xi 2 is congruent to a product of primes from the factor base. So we can write x 2 i p e i1 1 pe i2 2 pe it t (mod n) for each i. Here the exponents e ij are non-negative integers. (Some of them might be zero.) The exponents e ij produced above give a matrix with t columns. We want to find rows in that matrix such that the sum of the rows gives a row vector whose entries are all even, since then the product of the corresponding xi 2 will be congruent to the square of a product of primes in the factor base. () Factoring Algorithms November 17, 2008 11 / 12

EXAMPLE. One can find such a matrix for n = 3837523 by repeatedly examining numbers of the form x i = [ kn + j] and factoring these numbers. This gives a matrix of the form 2 3 5 7 11 13 17 19 9398 2 0 0 5 0 0 0 0 1 19095 2 2 0 1 0 1 1 0 1 1964 2 0 2 0 0 0 3 0 0 17078 2 6 2 0 0 1 0 0 0 8077 2 1 0 0 0 0 0 0 1 3397 2 5 0 1 0 0 2 0 0 14262 2 0 0 2 2 0 1 0 0 () Factoring Algorithms November 17, 2008 12 / 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information