I. Introduction. MPRI Cours 2-12-2. Lecture IV: Integer factorization. What is the factorization of a random number? II. Smoothness testing. F.



Similar documents
FACTORING. n = fall in the arithmetic sequence

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Faster deterministic integer factorisation

Factoring & Primality

An Overview of Integer Factoring Algorithms. The Problem

Primality - Factorization

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

Factorization Methods: Very Quick Overview

Factoring. Factoring 1

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

minimal polyonomial Example

Factoring Algorithms

Primality Testing and Factorization Methods

Elementary factoring algorithms

STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to

PROBLEM SET 6: POLYNOMIALS

The Division Algorithm for Polynomials Handout Monday March 5, 2012

Factorization Algorithms for Polynomials over Finite Fields

Winter Camp 2011 Polynomials Alexander Remorov. Polynomials. Alexander Remorov

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Modern Factoring Algorithms

8 Divisibility and prime numbers

Integer Factorization using the Quadratic Sieve

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Today s Topics. Primes & Greatest Common Divisors

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS. 1. Thoery and Algorithm

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Lecture 13: Factoring Integers

The Mixed Binary Euclid Algorithm

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Unique Factorization

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao

How To Factor In Prime Numbers

Introduction to Finite Fields (cont.)

FACTORING SPARSE POLYNOMIALS

8 Primes and Modular Arithmetic

Factoring Algorithms

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Smooth numbers and the quadratic sieve

Factoring Polynomials

H/wk 13, Solutions to selected problems

Lecture 13 - Basic Number Theory.

Prime Numbers and Irreducible Polynomials

The van Hoeij Algorithm for Factoring Polynomials

Quotient Rings and Field Extensions

Computer and Network Security

Public-Key Cryptanalysis 1: Introduction and Factoring

On Generalized Fermat Numbers 3 2n +1

7. Some irreducible polynomials

Runtime and Implementation of Factoring Algorithms: A Comparison

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera.

calculating the result modulo 3, as follows: p(0) = = 1 0,

FPGA and ASIC Implementation of Rho and P-1 Methods of Factoring. Master s Thesis Presentation Ramakrishna Bachimanchi Director: Dr.

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University

Index Calculation Attacks on RSA Signature and Encryption

Cryptography and Network Security Number Theory

The finite field with 2 elements The simplest finite field is

Intermediate Math Circles March 7, 2012 Linear Diophantine Equations II

Chapter Objectives. Chapter 9. Sequential Search. Search Algorithms. Search Algorithms. Binary Search

Integer Factorization

3. Computational Complexity.

Section 4.2: The Division Algorithm and Greatest Common Divisors

Lecture 3: Finding integer solutions to systems of linear equations

The Quadratic Sieve Factoring Algorithm

r + s = i + j (q + t)n; 2 rs = ij (qj + ti)n + qtn.

Optimization of the MPQS-factoring algorithm on the Cyber 205 and the NEC SX-2

Die ganzen zahlen hat Gott gemacht

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

The Sieve Re-Imagined: Integer Factorization Methods

Quantum Algorithms in NMR Experiments. 25 th May 2012 Ling LIN & Michael Loretz

Two Integer Factorization Methods

The cyclotomic polynomials

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

March 29, S4.4 Theorems about Zeros of Polynomial Functions

Elements of Applied Cryptography Public key encryption

Study of algorithms for factoring integers and computing discrete logarithms

Computational Number Theory

A Comparison Of Integer Factoring Algorithms. Keyur Anilkumar Kanabar

Factoring and Discrete Logarithms in Subexponential Time

Equivalence of Polynomial Identity Testing and Deterministic Multivariate Polynomial Factorization

On the number-theoretic functions ν(n) and Ω(n)

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10

2 Primality and Compositeness Tests

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

How To Solve The Prime Factorization Of N With A Polynomials

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

A simple and fast algorithm for computing exponentials of power series

Transcription:

F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 3/22 F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 4/22 MPRI Cours 2-12-2 I. Introduction Input: an integer N; logox F. Morain logocnrs logoinria Output: N = k i=1 pα i i with p i (proven) prime. Lecture IV: Integer factorization Major impact: estimate the security of RSA cryptosystems. Also: primitive for a lot of number theory problems. I. Introduction. II. Smoothness testing. III. Pollard s RHO method. IV. Pollard s p 1 method. 2013/10/14 How do we test and compare algorithms? Cunningham project, RSA Security (partitions, RSA keys) though abandoned? Decimals of π. F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 1/22 What is the factorization of a random number? F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 2/22 II. Smoothness testing N = N 1 N 2 N r with N i prime, N i N i+1. Prop. r log 2 N; r = log log N. Size of the factors: D k = lim N + log N k / log N exists and On average k D k 1 0.62433 2 0.20958 3 0.08832 N 1 N 0.62, N 2 N 0.21, N 3 N 0.09. an integer has one large factor, a medium size one and a bunch of small ones. Def. a B-smooth number has all its prime factors B. B-smooth numbers are the heart of all efficient factorization or discrete logarithm algorithms. De Bruijn s function: ψ(x, y) = #{z x, z is y smooth}. Thm. (Candfield, Erdős, Pomerance) ε > 0, uniformly in y (log x) 1+ε, as x with u = log x/ log y. ψ(x, y) = x u u(1+o(1))

B-smooth numbers (cont d) A) Trial division Prop. Let L(x) = exp ( log x log log x ). For all real α > 0, β > 0, as x ψ(x α, L(x) β x α ) = L(x). α 2β +o(1) Ordinary interpretation: a number x α is L(x) β -smooth with probability ψ(x α, L(x) β ) x α = L(x) α 2β +o(1). Algorithm: divide x X by all p B, say {p 1, p 2,..., p m }, m = π(b) = O(B). Cost: m divisions or p B T(x, p) = O(m lg X lg B). Implementation: use any method to compute and store all primes 2 32 (one char per (p i+1 p i )/2; see Brent). Useful generalization: given x 1, x 2,..., x n X, can we find the B-smooth part of the x i s more rapidly than repeating the above in O(nm lg B lg X)? F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 5/22 B) Product trees Algorithm: Franke/Kleinjung/FM/Wirth improved by Bernstein 1. [Product tree] Compute z = p 1 p m. p 1 p 2 p 3 p 4 p 1 p 2 p 3 p 4 p 1 p 2 p 3 p 4 2. [Remainder tree] Compute z mod x 1,..., z mod x n. z mod (x 1 x 2 x 3 x 4 ) z mod (x 1 x 2 ) z mod (x 3 x 4 ) z mod x 1 z mod x 2 z mod x 3 z mod x 4 3. [explode valuation] For each k {1,..., n}, compute y k = z 2e mod x k with e s.t. 2 2e x k ; print gcd(x k, y k ). F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 7/22 F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 6/22 Validity and analysis Validity: let y k = z 2e mod x k. Suppose p x k. Then ν p (x k ) 2 e, since 2 ν p ν 2 2e. Therefore ν p (y k ) 2 e ν and the gcd will contain the right valuation. Division: If A has r + s digits and B has s digits, then plain division requires D(r + s, s) = O(rs) word operations. In case r s, break into r/s divisions of complexity M(s). Step 1: M((m/2) lg B). Step 2: D(m lg B, n lg X) (m/n)m(n) lg B lg X. Ex. B = 2 32, m 1.9 10 8, X = 2 64. Rem. If space is an issue, do this by blocks. Rem. For more information see Bernstein s web page. F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 8/22

F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 11/22 F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 12/22 III. Pollard s RHO method Epact Prop. Let f : E E, #E = m; X n+1 = f (X n ) with X 0 E. X 0 X 1 X 2 X µ 1 X µ X µ+1 X µ+λ 1 Thm. (Flajolet, Odlyzko, 1990) When m πm λ µ 8 0.627 m. Prop. There exists a unique e > 0 (epact) s.t. µ e < λ + µ and X 2e = X e. It is the smallest non-zero multiple of λ that is µ: if µ = 0, e = λ and if µ > 0, e = µ λ λ. Floyd s algorithm: X <- X0; Y <- X0; e <- 0; repeat X <- f(x); Y <- f(f(y)); e <- e+1; until X = Y; Thm. e π 5 m 288 1.03 m. F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 9/22 Application to the factorization of N F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 10/22 Practice Idea: suppose p N and we have a random f mod N s.t. f mod p is random. function f(x, N) return (x 2 + 1) mod N; end. function rho(n) 1. [initialization] x:=1; y:=1; g:=1; 2. [loop] while (g = 1) do x:=f(x, N); y:=f(f(y, N), N); g:=gcd(x-y, N); endwhile; 3. return g; Choosing f : some choices are bad, as x x 2 et x x 2 2. Tables exist for given f s. Trick: compute gcd( i (x 2i x i ), N), using backtrack whenever needed. Improvements: reducing the number of evaluations of f, the number of comparisons (see Brent, Montgomery). Conjecture. RHO finds p N using O( p) iterations.

F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 15/22 F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 16/22 Theoretical results (1/4) Bach (2/4) Thm. (Bach, 1991) Proba RHO with f (x) = x 2 + 1 finding p N after k iterations is at least ( k 2) when p goes to infinity. Sketch of the proof: define p + O(p 3/2 ) f 0 (X, Y) = X, f i+1 (X, Y) = f 2 i + Y, f 1 (X, Y) = X 2 + Y, f 2 (X, Y) = (X 2 + Y 2 ) + Y,... Divisor of N found by inspecting gcd(f 2i+1 (x, y) f i (x, y), N) for i = 0, 1, 2,.... Prop. (a) deg X (f i ) = 2 i ; (b) f i X 2i mod Y; (c) f i Y 2i 1 + + Y mod X; (d) f i+j (X, Y) = f i (f j (X, Y), Y). (e) f i is absolutely irreducible (Eisentein s criterion). (f) f j f i = fj 1 2 f i 1 2 = (f j 1 + f i 1 )(f j 2 + f i 2 ) (f j i + X)(f j i X). (g) For all k 1 f l+n ± f l f l+kn ± f l. F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 13/22 Bach (3/4) For i < j, ρ i,j is the unique poly in Z[X, Y] s.t. (a) ρ i,j is a monic (in Y) irreducible divisor of f j f i. (b) Let ω i,j denote a primitive (2 j 2 i ) root of unity. Then ρ i,j (ω i,j, 0) = 0. Proof: and and for i 1: f j f i X 2i (X 2j 2 i 1) mod Y, X 2j 2 i 1 = µ 2 j 2 i Φ µ (X). f j f 0 ρ 0,j d j,d j ρ 0,d f j 1 + f i 1 ρ i,j d j i,d j i ρ. i,i+d Conj. we have in fact equalities instead of divisibility., F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 14/22 Bach (4/4) Thm1. f k f l factor over Z[X, Y]. Moreover, they are squarefree. Proof uses projectivization of f. Weil s thm: if f Z[X, Y] is absolutely irreducible of degree d, then N p the number of projective zeroes of f is s.t. ( ) d 1 p. N p (p + 1) 2 2 Thm2. Fix k 1. Choose x and y at random s.t. 0 x, y < p. Then, proba for some i, j < k, i j, f i (x, y) = f j (x, y) mod p is at least ( k ) 2 /p + O(1/p 3/2 ) as p tends to infinity. Proof: same as i < j < k and ρ i,j (x, y) 0 mod p. Use inclusion-exclusion, Weil s inequality and Bézout s theorems. Same result for RHO to find p N.

F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 19/22 F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 20/22 IV. Pollard s p 1 method First phase Idea: assume p N and a is prime to p. Then Invented by Pollard in 1974. Williams: p + 1. Bach and Shallit: Φ k factoring methods. Shanks, Schnorr, Lenstra, etc.: quadratic forms. Lenstra (1985): ECM. Rem. Almost all the ideas invented for the classical p 1 can be transposed to the other methods. (p a p 1 1 and p N) p gcd(a p 1 1, N). Generalization: if R is known s.t. p 1 R, will yield a factor. gcd((a R mod N) 1, N) How do we find R? Only reasonable hope is that p 1 B! for some (small) B. In other words, p 1 is B-smooth. Algorithm: R = p α B 1 p α = lcm(2,..., B 1 ). Rem. (usual trick) we compute gcd( k ((ar k 1) mod N), N). F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 17/22 Second phase: the classical one F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 18/22 Second phase: BSGS Let b = a R mod N and gcd(b, N) = 1. Hyp. p 1 = Qs with Q R and s prime, B 1 < s B 2. Test: is gcd(b s 1, N) > 1 for some s. s j = j-th prime. In practice all s j+1 s j are small (Cramer s conjecture implies s j+1 s j (log B 2 ) 2 ). Precompute c δ b δ mod N for all possible δ (small); Compute next value with one multiplication b s j+1 = b s j c sj+1 s j mod N. Cost: O((log B 2 ) 2 ) + O(log s 1 ) + (π(b 2 ) π(b 1 )) multiplications +(π(b 2 ) π(b 1 )) gcd s. When B 2 B 1, π(b 2 ) dominates. Rem. We need a table of all primes < B 2 ; memory is O(B 2 ). Record. Nohara (66dd of 960 119 1, 2006; see http://www.loria.fr/~zimmerma/records/pminus1.html). Select w B 2, v 1 = B 1 /w, v 2 = B 2 /w. Write our prime s as s = vw u, with 0 u < w, v 1 v v 2. Lem. gcd(b s 1, N) > 1 iff gcd(b wv b u, N) > 1. Algorithm: 1. Precompute b u mod N for all 0 u < w. 2. Precompute all(b w ) v for all v 1 v v 2. 3. For all u and all v evaluate gcd(b vw b u, N). Number of multiplications: w + (v 2 v 1 ) + O(log 2 w) = O( B 2 ) Memory: O( B 2 ). Number of gcd: π(b 2 ) π(b 1 ).

Second phase: using fast polynomial arithmetic Algorithm: 1. Compute h(x) = 0 u<w (X bu ) Z/NZ[X] 2. Evaluate all h((b w ) v ) for all v 1 v v 2. 3. Evaluate all gcd(h(b wv ), N). Analysis: Step 1: O((log w)m pol (w)) operations (using a product tree). Step 2: O((log w)m int (log N)) for b w ; v 2 v 1 for (b w ) v ; multi-point evaluation on w points takes O((log w)m pol (w)). Rem. Evaluating h(x) along a geometric progression of length w takes O(w log w) operations (see Montgomery-Silverman). ( ) Total cost: O((log w)m pol (w)) = O. B 0.5+o(1) 2 Trick: use gcd(u, w) = 1 and w = 2 3 5.... F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 21/22 Second phase: using the birthday paradox Consider B = b mod p ; s := #B. If we draw s elements at random in B, then we have a collision (birthday paradox). Algorithm: build (b i ) with b 0 = b, and { b 2 b i+1 = i mod N with proba 1/2 b 2 i b mod N with proba 1/2. We gather r s values and compute where r i=1 j i (b i b j ) = Disc(P(X)) = i P(X) = r (X b i ). i=1 use fast polynomial operations again. P (b i ) F. Morain École polytechnique MPRI cours 2-12-2 2013-2014 22/22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information