A Note on Integer Factorization Using Lattices


A Note on Integer Factorization Using Lattices. Antonio Vera. Research Report, 2010, 12 p. HAL Id: inria-00467590, https://hal.inria.fr/inria-00467590, submitted on 27 Mar 2010 to HAL, the multi-disciplinary open access archive for the deposit and dissemination of scientific research documents.

A NOTE ON INTEGER FACTORIZATION USING LATTICES

ANTONIO VERA, CNRS/INRIA/NANCY-UNIVERSITÉ

Abstract. We revisit Schnorr's lattice-based integer factorization algorithm, now with an effective point of view. We present effective versions of Theorem 2 of [11], as well as new properties of the Prime Number Lattice bases of Schnorr and Adleman.

Contents
1. Introduction
2. Detecting solutions
2.1. Coding a candidate solution
2.2. Making smoothness probable: the Prime Number Lattice of Adleman
2.3. A similar approach: the Prime Number Lattice of Schnorr
3. Some properties of the Prime Number Lattices
3.1. Volumes of the Prime Number Lattices
3.2. Explicit Gram-Schmidt Orthogonalization
4. Conclusions and perspectives
4.1. Acknowledgements
References
Appendix A. Underlying lemmas
A.1. Lemmas used in section 2
A.2. Lemmas used in section 3

1. Introduction

Let $N > 1$ be a composite integer that we want to factor. The congruence of squares method consists of finding $x, y \in \mathbb{Z}$ such that

(1) $\quad x^2 \equiv y^2 \pmod N \quad \text{with} \quad x \not\equiv \pm y \pmod N,$

and factoring $N$ by computing $\gcd(x+y, N)$. Although this is a heuristic method, it works pretty well in practice, and one can show under reasonable hypotheses (see [3, page 268, remark 5]) that for random $x, y$ satisfying (1), one has $x \not\equiv \pm y \pmod N$ with probability at least $1/2$. This report considers an algorithm based on this philosophy, namely Schnorr's algorithm [11], whose outline is given in figure 1. Call $B$-smooth an integer free of prime factors $> B$, and let $p_i$ be the $i$-th prime number. Fix some $d \geq 1$ and suppose that $N$ is free of prime factors $\leq p_d$. The core computational task of the algorithm consists in finding $d+2$ integer quartets $(u, v, k, \gamma)$, with $u, v$ $p_d$-smooth, $k$ coprime with $N$, and $\gamma \in \mathbb{N} \setminus \{0\}$, solutions of the Diophantine equation

(2) $\quad u = v + kN^\gamma.$

Figure 1. Outline of Schnorr's algorithm.

(1) Receive the input number $N$ to be factored.
(2) Set the dimension $d$ and the constant $C$ of the lattice $S_{d,C}$, and form the extended prime number list $P = \{p_0, p_1, \ldots, p_d\}$, where $p_0 = -1$ and the rest is the usual sequence of the first $d$ prime numbers. Perform trial division of $N$ by the primes of $P$. If $N$ is factored, return the factor.
(3) Using the lattice described in section 2, construct a list of at least $d+2$ pairs $(u_i, k_i) \in \mathbb{N} \times \mathbb{Z}$ such that $u_i$ is $p_d$-smooth with $u_i = \prod_{j=0}^{d} p_j^{a_{i,j}}$, $a_{i,0} = 0$, and $|u_i - k_i N| \leq p_d$.
(4) Factorize $u_i - k_i N$, for $i \in [1, d+2]$, over $P$ to obtain $u_i - k_i N = \prod_{j=0}^{d} p_j^{b_{i,j}}$.
(5) Put $a_i = (a_{i,0}, \ldots, a_{i,d})$ and $b_i = (b_{i,0}, \ldots, b_{i,d})$.
(6) For every nonzero $c = (c_1, \ldots, c_{d+2}) \in \{0,1\}^{d+2}$ solution of $\sum_{i=1}^{d+2} c_i (a_i + b_i) \equiv 0 \pmod 2$ do:
  (a) Put
  $$x = \prod_{j=0}^{d} p_j^{\sum_{i=1}^{d+2} c_i (a_{i,j} + b_{i,j})/2} \bmod N \quad \text{and} \quad y = \prod_{j=0}^{d} p_j^{\sum_{i=1}^{d+2} c_i a_{i,j}} \bmod N.$$
  (b) If $x \not\equiv \pm y \pmod N$ then return $\gcd(x+y, N)$ and stop.

By design, Schnorr's algorithm is only able to find solutions where $k$ is $p_d$-smooth and $\gamma = 1$. Adleman's variant can yield, in principle, solutions with $\gamma > 1$. We look for pairs $(u, k)$ of $p_d$-smooth numbers satisfying the inequality

(3) $\quad |u - kN| \leq p_d,$

and we build solutions out of these pairs by setting $v = u - kN$: the inequality guarantees the $p_d$-smoothness of $v$. This search is lattice-based, and it involves lattice reduction and lattice enumeration algorithms. Although in 1987 de Weger [4] had already applied lattice reduction to the effective resolution of Diophantine equations of the form (2), it was Schnorr who first applied it to factorization, in 1993 [11]. In 1995, Adleman [1] used Schnorr's approach to propose a (not completely proved) reduction from integer factorization to the search of a shortest nonzero vector in a lattice. Schnorr's algorithm was successfully implemented by Ritter and Rössner in 1997 [10]. In this report, we improve a result of [11] by recycling a result of Micciancio [9, Prop. 5.10]. This result may be useful (cf. remark 4) to show the existence of solutions to (2). In addition, we provide explicit computations of the volumes and
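Steps 2 and 4 to 6 of the outline above, carried out end to end in Python as an added example (this is not code from the report, nor the implementation of Ritter and Rössner). The lattice search of step 3 is replaced, as a stated simplification, by a brute-force scan of the integers within $p_d$ of each multiple $kN$, keeping only coprime pairs $(u, k)$ as the coding of section 2 produces; that scan is enough for the small modulus used here. $N = 1147 = 31 \cdot 37$ and $d = 10$ are illustrative choices; everything else (trial division, factoring over $P$ with $p_0 = -1$, the dependency search modulo 2 and the gcd step) follows the outline.

```python
"""Steps 2 and 4-6 of figure 1 (Schnorr's outline) run end to end on a
small composite N.

Added example, not code from the report nor from Ritter and Rossner's
implementation. Assumption: the lattice search of step 3 is replaced by a
brute-force scan of the integers within p_d of each multiple kN, keeping
only coprime pairs (u, k) as the coding (4) produces; N = 1147 = 31 * 37
and d = 10 are illustrative choices.
"""
from math import gcd


def first_primes(d):
    """[p_1, ..., p_d], the first d primes."""
    primes = []
    n = 2
    while len(primes) < d:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def smooth_exponents(m, primes):
    """Exponent vector (e_0, ..., e_d) of m over P = {p_0 = -1} U primes,
    or None when m is not p_d-smooth.  e_0 = 1 exactly when m < 0."""
    if m == 0:
        return None
    exps = [1 if m < 0 else 0]
    m = abs(m)
    for p in primes:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None


def find_pairs(N, primes, count, k_max=100000):
    """Step 3 by brute force (assumption replacing the lattice search):
    pairs (u, k), k = 1, 2, ..., with u p_d-smooth, gcd(u, k) = 1 and
    |u - kN| <= p_d, in order of increasing u."""
    pd = primes[-1]
    pairs = []
    for k in range(1, k_max + 1):
        for u in range(k * N - pd, k * N + pd + 1):
            if gcd(u, k) == 1 and smooth_exponents(u, primes) is not None:
                pairs.append((u, k))
                if len(pairs) == count:
                    return pairs
    raise RuntimeError("not enough smooth pairs below k_max")


def gf2_dependencies(rows):
    """Every 0/1 combination c found by Gaussian elimination over GF(2)
    with sum_i c_i rows[i] = 0 (mod 2); one per non-pivot row."""
    n = len(rows)
    vecs = [sum((r[j] & 1) << j for j in range(len(r))) for r in rows]
    deps = []
    pivots = {}                      # leading bit -> (reduced vector, row set)
    for i in range(n):
        v, used = vecs[i], 1 << i    # invariant: v = XOR of vecs over `used`
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (v, used)
                break
            pv, pu = pivots[lead]
            v ^= pv
            used ^= pu
        else:                        # v reduced to zero: `used` is a dependency
            deps.append([(used >> r) & 1 for r in range(n)])
    return deps


def schnorr_combine(N, d):
    """Return a nontrivial factor of the composite N from d+2 (or more)
    smooth pairs, following steps 2 and 4-6 of the outline."""
    primes = first_primes(d)
    for p in primes:                 # step 2: trial division by P
        if N % p == 0:
            return p
    P = [-1] + primes
    count = d + 2
    while True:
        pairs = find_pairs(N, primes, count)
        a = [smooth_exponents(u, primes) for u, k in pairs]          # steps 4-5
        b = [smooth_exponents(u - k * N, primes) for u, k in pairs]  # |v| <= p_d, so smooth
        rows = [[ai + bi for ai, bi in zip(ra, rb)] for ra, rb in zip(a, b)]
        for c in gf2_dependencies(rows):                             # step 6
            x = y = 1
            for j, p in enumerate(P):
                e = sum(c[i] * (a[i][j] + b[i][j]) for i in range(len(pairs)))
                f = sum(c[i] * a[i][j] for i in range(len(pairs)))
                x = x * pow(p, e // 2, N) % N     # e is even by the dependency
                y = y * pow(p, f, N) % N
            if (x - y) % N and (x + y) % N:      # x != +-y mod N
                return gcd(x + y, N)
        count += d                   # only trivial congruences: collect more pairs


if __name__ == "__main__":
    print(schnorr_combine(1147, 10))   # a factor of 1147, i.e. 31 or 37
```

The coprimality filter in `find_pairs` discards pairs $(mu, mk)$ that are multiples of an earlier pair, since those only repeat the congruence $u \equiv u - kN \pmod N$ already on the list; the first nontrivial dependency with $x \not\equiv \pm y$ yields the factor, and more pairs are gathered whenever every dependency in the current batch is trivial.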

the Gram-Schmidt Orthogonalizations of the involved lattices and lattice bases, respectively.

The road map is the following. First, in section 2, we introduce the lattice framework of Adleman, and we explain how we can solve the Diophantine equation (2) by searching short vectors in Adleman's lattice. Later in the same section, we explain the original approach of Schnorr, by particularizing Adleman's approach. Afterwards, in section 3 we give some properties of the Prime Number Lattices of Schnorr and Adleman. Finally, in section 4, we provide our conclusions and perspectives.

2. Detecting solutions

In this section we present the approaches of Adleman and Schnorr to solving (2) using lattices. We start with the approach of Adleman, which considers a search for short vectors. We show a sufficient condition for solving inequality (3). Then we present the approach of Schnorr, which considers a search for close vectors, and which can be seen as a particular case of Adleman's. We show a corresponding sufficient condition for solving (3).

2.1. Coding a candidate solution. Let $z \in \mathbb{Z}^{d+1}$ be a vector with negative last coordinate. To this vector we associate a candidate solution to (2) in the following way:

(4) $\quad u = \prod_{z_i > 0,\; i \leq d} p_i^{z_i}, \qquad k = \prod_{z_i < 0,\; i \leq d} p_i^{-z_i} \qquad \text{and} \qquad \gamma = -z_{d+1}.$

Note that $u$ and $k$ are coprime. We would like to have candidate solutions providing an actual solution with high probability, that is, we want $v = u - kN^\gamma$ to be probably $p_d$-smooth. Now we will describe a way to find such candidate solutions.

2.2. Making smoothness probable: the Prime Number Lattice of Adleman. Define Adleman's $p$-norm Prime Number Lattice $A_p$ by the columns of the basis matrix

$$A_p = \begin{pmatrix} (\ln p_1)^{1/p} & 0 & \cdots & 0 & 0 \\ 0 & (\ln p_2)^{1/p} & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & (\ln p_d)^{1/p} & 0 \\ C \ln p_1 & C \ln p_2 & \cdots & C \ln p_d & C \ln N \end{pmatrix},$$

where $C > 0$ is an arbitrary constant, which can depend on $N$. The vector $z \in \mathbb{Z}^{d+1}$ satisfies

$$A_p z = \begin{pmatrix} z_1 (\ln p_1)^{1/p} \\ \vdots \\ z_d (\ln p_d)^{1/p} \\ C\left(\sum_{i=1}^{d} z_i \ln p_i + z_{d+1} \ln N\right) \end{pmatrix}$$

and

$$\|A_p z\|_p^p = \sum_{i=1}^{d} |z_i|^p \ln p_i + C^p \left| \sum_{i=1}^{d} z_i \ln p_i + z_{d+1} \ln N \right|^p,$$

and considering that this vector codes a candidate solution, we have

$$\|A_p z\|_p^p = \sum_{i=1}^{d} |z_i|^p \ln p_i + C^p \left| \ln u - \ln(kN^\gamma) \right|^p$$

and hence

$$\|A_1 z\|_1 = \ln u + \ln k + C \left| \ln u - \ln(kN^\gamma) \right|.$$

We have the following theorem in the case of the 1-norm.

Theorem 1. Let $C > 1$ and $z \in \mathbb{Z}^{d+1}$, with $\gamma = -z_{d+1}$ and $z_{d+1} < 0$. Then, whenever

(5) $\quad \|A_1 z\|_1 \leq 2 \ln C + 2\sigma \ln p_d - \gamma \ln N,$

we have $|u - kN^\gamma| \leq p_d^{\sigma}$.

Proof. Just use lemma 1 in the appendix with $\varepsilon = 2 \ln C + 2\sigma \ln p_d - \gamma \ln N$.

Remark 1. The requirement $z_{d+1} < 0$ is just needed to obtain a valid candidate solution. It does not reduce the space of solutions in any way, since a lattice is an additive group: for each vector of nonzero last coordinate, either itself or its opposite will have a strictly negative last coordinate.

Remark 2. When $\sigma = 1$ and $z$ satisfies (5), we necessarily have a solution to the original equation (2). In addition, when $\sigma > 1$ is not too big, we can be quite optimistic about the $p_d$-smoothness of $v = u - kN^\gamma$, and hence about obtaining a solution too.

Remark 3. In order to factor $N$, one will typically search for short vectors $A_1 z$ satisfying (5) for some $\sigma$ not too big, and then reconstruct from $z$ the candidate solution to (2), testing afterwards if it really constitutes a solution. In that case, the solution is stored, until we collect $d+2$ of them.

Remark 4. Together with some extra knowledge on the properties of $\gamma$ for $z$ satisfying (5) (see remark 6), theorem 1 could be useful to prove the existence of solutions to inequality (3) and hence to equation (2), since we have explicit estimates on the length of a short nonzero vector of $A_1$, thanks to Minkowski's theorem for the 1-norm (see Siegel [13, Theorem 14]).

Remark 5. Obtaining an analog of theorem 1 for the Euclidean norm could be very useful, since this norm has better properties and it is the usual norm for lattice algorithms.

2.3. A similar approach: the Prime Number Lattice of Schnorr. The Prime Number Lattice of Schnorr $S_p$ is generated by the columns of the basis matrix

(6) $$S_p = \begin{pmatrix} (\ln p_1)^{1/p} & 0 & \cdots & 0 \\ 0 & (\ln p_2)^{1/p} & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & (\ln p_d)^{1/p} \\ C \ln p_1 & C \ln p_2 & \cdots & C \ln p_d \end{pmatrix}.$$

The vector

(7) $\quad t = (0, \ldots, 0, C \ln N)^T$

is the target vector of a close vector search in $S_p$, which replaces the short vector search of Adleman's approach. Schnorr's algorithm considers vectors $z \in \mathbb{Z}^d$, to which it associates the candidate solution $(u, k, \gamma)$ to (3) with $u$ and $k$ defined

exactly as in (4), and $\gamma = 1$. We have

$$S_p z - t = \begin{pmatrix} z_1 (\ln p_1)^{1/p} \\ \vdots \\ z_d (\ln p_d)^{1/p} \\ C\left(\sum_{i=1}^{d} z_i \ln p_i - \ln N\right) \end{pmatrix}$$

and hence

$$\|S_p z - t\|_p^p = \sum_{i=1}^{d} |z_i|^p \ln p_i + C^p \left| \sum_{i=1}^{d} z_i \ln p_i - \ln N \right|^p.$$

The following theorem is the analog of theorem 1.

Theorem 2. Let $C > 1$ and $z \in \mathbb{Z}^d$. Then, if

(8) $\quad \|S_1 z - t\|_1 \leq 2 \ln C + 2\sigma \ln p_d - \ln N,$

we have $|u - kN| \leq p_d^{\sigma}$.

Proof. Just use lemma 2 with $\varepsilon = 2 \ln C + 2\sigma \ln p_d - \ln N$.

Remark 6. In order to factor $N$, we should look for vectors of $S_1$ close to $t$. The main idea is that vectors satisfying (8) for some $\sigma \geq 1$ not too big are more likely to provide candidate solutions, which in turn will provide solutions to (2). Adleman's approach has the apparent advantage of having a larger search space, hence having a greater potential for finding solutions. In practice, this seems to be a disadvantage, since the solutions to (2) seem to be exactly those coming from Schnorr's approach too. Hence, in Adleman's approach one seems to search for many candidates that do not provide solutions. This could be related to the fact that the target vector $t$ does not belong to the real span of $S_1$: if the component of $t$ in the orthogonal complement of the span of $S_1$ is sufficiently big, any short vector in Adleman's lattice $A_1$ having nonzero last coordinate must have a last coordinate of absolute value equal to 1, hence leading to the same solutions as Schnorr's lattice (see [9, Chapter 4, Lemma 4.1] for a related discussion).

Remark 7. A great algorithmic advantage of the approach of Schnorr over that of Adleman is that the choice of the basis can be essentially independent of the number $N$. For example, this will be the case if $C$ depends only on the size of $N$. This has the very important implication of allowing a precomputation on the basis (for example an HKZ reduction) valid for all numbers of some fixed size.

Remark 8. Proving the existence of solutions to (8) seems harder in this case, since one needs a bound on the covering radius, which is less well understood than the first minimum.

Remark 9. Just as in the case of Adleman, obtaining an analog of theorem 2 for the Euclidean norm could be very useful. First attempts at finding this analog were stopped by involved computations.

3. Some properties of the Prime Number Lattices

We present some useful computations which extend those given by Micciancio and Goldwasser [9, Chapter 5, section 2.3].

3.1. Volumes of the Prime Number Lattices. Here we provide closed forms for the volumes of the $p$-norm Schnorr and Adleman lattices. This generalizes Proposition 5.9 of [9], which considers only $p = 2$.

Remark 10. Recall that the volume of the lattice generated by the columns of a (not necessarily square) basis matrix $B$ of full column rank is $\mathrm{vol}(L(B)) = \sqrt{\det(B^T B)}$, which is exactly $|\det B|$ when $B$ is square.

Theorem 3. The volume of the $p$-norm Adleman lattice $A_p$, whose basis is

$$A_p = \begin{pmatrix} (\ln p_1)^{1/p} & 0 & \cdots & 0 & 0 \\ 0 & (\ln p_2)^{1/p} & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & (\ln p_d)^{1/p} & 0 \\ C \ln p_1 & C \ln p_2 & \cdots & C \ln p_d & C \ln N \end{pmatrix},$$

is given by

$$\mathrm{vol}(A_p) = C \ln N \prod_{i=1}^{d} (\ln p_i)^{1/p}.$$

Furthermore, the volume of the $p$-norm Schnorr lattice $S_p$, whose basis is

$$S_p = \begin{pmatrix} (\ln p_1)^{1/p} & 0 & \cdots & 0 \\ 0 & (\ln p_2)^{1/p} & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & (\ln p_d)^{1/p} \\ C \ln p_1 & C \ln p_2 & \cdots & C \ln p_d \end{pmatrix},$$

is given by

$$\mathrm{vol}(S_p) = \left(1 + C^2 \sum_{i=1}^{d} (\ln p_i)^{2 - 2/p}\right)^{1/2} \prod_{i=1}^{d} (\ln p_i)^{1/p}.$$

Proof. The case of $A_p$ is trivial, as the basis matrix is lower triangular. Let us consider the case of $S_p$. It is easy to see that the volume of $S_p$ is a multilinear function of the columns of $S_p$. Hence, factoring out $(\ln p_i)^{1/p}$, $i \in [1, d]$, from the $i$-th column, we obtain

$$\mathrm{vol}(S_p) = \sqrt{\det(S_p^T S_p)} = \prod_{i=1}^{d} (\ln p_i)^{1/p} \sqrt{\det(\hat S^T \hat S)},$$

where $\hat S$ is of the form (11) (see lemma 3 in the appendix) with $x_i = C (\ln p_i)^{1 - 1/p}$. Lemma 3 implies that

$$\sqrt{\det(\hat S^T \hat S)} = \left(1 + \sum_{i=1}^{d} \left(C (\ln p_i)^{1 - 1/p}\right)^2\right)^{1/2} = \left(1 + C^2 \sum_{i=1}^{d} (\ln p_i)^{2 - 2/p}\right)^{1/2},$$

which concludes the proof.

3.2. Explicit Gram-Schmidt Orthogonalization. Here we give explicit expressions for the coefficients of the Gram-Schmidt Orthogonalization (GSO) of the set $\{b_1, \ldots, b_d, t\}$ of columns of $S_p$, augmented by the target vector $t$ (or, equivalently, of the set of columns of $A_p$).

Theorem 4. Consider the columns $\{b_i\}_{i=1}^{d}$ of Schnorr's Prime Number Lattice basis (6), as well as the target vector $t$ defined in (7). The Gram-Schmidt Orthogonalization of $\{b_1, \ldots, b_d, t\}$ involves the quantities

$$D_j = 1 + C^2 \sum_{i=1}^{j} (\ln p_i)^{2 - 2/p}, \qquad 0 \leq j \leq d \quad (\text{so } D_0 = 1),$$

and is given, for $1 \leq k \leq d$, by

$$b_k^*(i) = \begin{cases} -\dfrac{C^2 \ln p_k\, (\ln p_i)^{1 - 1/p}}{D_{k-1}} & i < k \\[1ex] (\ln p_k)^{1/p} & i = k \\[1ex] 0 & k < i < d+1 \\[1ex] \dfrac{C \ln p_k}{D_{k-1}} & i = d+1 \end{cases}$$

and

$$t^*(i) = \begin{cases} -\dfrac{C^2 \ln N\, (\ln p_i)^{1 - 1/p}}{D_d} & i < d+1 \\[1ex] \dfrac{C \ln N}{D_d} & i = d+1. \end{cases}$$

The corresponding Euclidean norms satisfy

$$\|b_k^*\|_2^2 = (\ln p_k)^{2/p} \frac{D_k}{D_{k-1}}, \qquad \|t^*\|_2^2 = \frac{(C \ln N)^2}{D_d}.$$

Furthermore, the projection $t - t^*$ of $t$ on the span of $\{b_1, \ldots, b_d\}$, which is the effective target vector for the close vector search of Schnorr's algorithm, is given by

$$(t - t^*)(i) = \begin{cases} \dfrac{C^2 \ln N\, (\ln p_i)^{1 - 1/p}}{D_d} & i < d+1 \\[1ex] C \ln N\, \dfrac{D_d - 1}{D_d} & i = d+1. \end{cases}$$

Proof. The matrix having $\{b_1, \ldots, b_d, t\}$ as columns is of the form (12) (see lemma 4 in the appendix) with $x_i = (\ln p_i)^{1/p}$, $y_i = C \ln p_i$ ($1 \leq i \leq d$), and $y_{d+1} = C \ln N$. Hence, using lemma 4, we directly obtain the theorem.

Remark 11. The explicit value of $\|t^*\|_2$ can be used to better understand the search for close vectors of Schnorr's algorithm. This is a consequence of the fact that $t$ does not belong to the span of $\{b_1, \ldots, b_d\}$.

4. Conclusions and perspectives

Using an idea of Micciancio, we presented partial but rigorous results advancing towards an effective reduction from factorization to the search of short (or close) lattice vectors in the Prime Number Lattice of Adleman (or Schnorr, respectively). These results, valid only for the 1-norm, improve over those of Schnorr [11, Theorem 2] by getting rid of asymptotically vanishing terms. Proving similar results for the Euclidean norm may be very useful, since it has much better properties than the 1-norm and it is the natural choice for lattice algorithms.[1]

[1] Although recently, in [12, Theorem 2], Schnorr restated [11, Theorem 2] in the context of the Euclidean norm, this is essentially a generic restatement valid for every $p$-norm, $p \geq 1$, which still involves asymptotic terms.

Furthermore, we provided new properties of the Prime Number Lattices and their usual bases in $p$-norm, $p \geq 1$, extending those of Micciancio [9, Chapter 5, Section 2.3]. These properties could be useful to better understand the close vector search which takes place at the core of Schnorr's algorithm. The next step of this work is to understand the distribution of lattice elements providing solutions to (3) (or even (2)), in order to choose on a well-grounded basis between enumeration algorithms [7, 5] and random sampling algorithms [6, 8], in the context of an effective implementation.

4.1. Acknowledgements. Thanks to Damien Stehlé for regular discussions and encouragement, as well as for many pointers to the relevant literature. Thanks to Guillaume Hanrot for useful discussions.

References

[1] Adleman, L. M. Factoring and lattice reduction. A draft on the reduction of Factoring to the Shortest Vector Problem, 1995.
[2] Brookes, M. The matrix reference manual. http://www.ee.ic.ac.uk/hp/staff/dmb/matrix/proof003.html#detsumi_ab_
[3] Crandall, R., and Pomerance, C. Prime Numbers: A Computational Perspective, 2nd ed. Springer, 2005.
[4] De Weger, B. Solving exponential diophantine equations using lattice basis reduction algorithms. Journal of Number Theory 26 (1987), 325-367.
[5] Fincke, U., and Pohst, M. A procedure for determining algebraic integers of given norm. In EUROCAL (1983), 194-202.
[6] Gentry, C., Peikert, C., and Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In STOC (2008), 197-206.
[7] Kannan, R. Improved algorithms for integer programming and related lattice problems. In STOC (1983), 193-206.
[8] Klein, P. N. Finding the closest lattice vector when it's unusually close. In SODA (2000), 937-941.
[9] Micciancio, D., and Goldwasser, S. Complexity of Lattice Problems: a cryptographic perspective, vol. 671 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, Massachusetts, Mar. 2002.
[10] Ritter, H., and Rössner, C. Factoring via strong lattice reduction algorithms. Tech. rep., Goethe Universität Frankfurt, 1997.
[11] Schnorr, C. P. Factoring integers and computing discrete logarithms via diophantine approximation. In Advances in Computational Complexity Theory, J.-Y. Cai, Ed., vol. 13 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science. AMS, 1993, 171-182.
[12] Schnorr, C. P. Average time fast SVP and CVP algorithms for low density lattices and the factorization of integers. Tech. rep., Goethe Universität Frankfurt, March 2010.
[13] Siegel, C. L. Lectures on the Geometry of Numbers. Springer-Verlag, 1989.

Appendix A. Underlying lemmas

A.1. Lemmas used in section 2. The following two lemmas are elementary generalizations of a result of Micciancio [9, Prop. 5.10].

Lemma 1. Let $C > 1$ and let $z \in \mathbb{Z}^{d+1}$ have negative last coordinate of absolute value $\gamma = -z_{d+1} \geq 1$, satisfying $\|A_1 z\|_1 \leq \varepsilon$. Then we have

$$|u - kN^\gamma| \leq \frac{N^{\gamma/2}}{C} \exp\left(\frac{\varepsilon}{2}\right).$$

Proof. The proof is essentially the same as that of Proposition 5.10 of [9]. We maximize $|u - kN^\gamma|$ subject to the constraint

(9) $\quad \|A_1 z\|_1 \leq \varepsilon.$

Since $\|A_1 z\|_1 = \ln u + \ln k + C|\ln u - \ln(kN^\gamma)|$, the constraint (9) is symmetric in $u$ and $kN^\gamma$, and we can suppose without loss of generality that $u \geq kN^\gamma$. Now, the constraint (9) can be rewritten as

$$(C+1) \ln u - (C-1) \ln k \leq \varepsilon + C\gamma \ln N,$$

which implies

$$u \leq k^{\frac{C-1}{C+1}}\, N^{\frac{C\gamma}{C+1}} \exp\left(\frac{\varepsilon}{C+1}\right).$$

Replacing this maximal value for $u$ in the objective function we get

(10) $$k^{\frac{C-1}{C+1}}\, N^{\frac{C\gamma}{C+1}} \exp\left(\frac{\varepsilon}{C+1}\right) - kN^\gamma.$$

Now, we optimize this last expression as a function of $k$. Differentiating (10) with respect to $k$ we obtain

$$\frac{C-1}{C+1}\, k^{-\frac{2}{C+1}}\, N^{\frac{C\gamma}{C+1}} \exp\left(\frac{\varepsilon}{C+1}\right) - N^\gamma,$$

and hence the maximum is reached at the point

$$k = \left(\frac{C-1}{C+1}\right)^{\frac{C+1}{2}} N^{-\gamma/2} \exp\left(\frac{\varepsilon}{2}\right).$$

The maximum of the original function is hence

$$\left(\frac{C-1}{C+1}\right)^{\frac{C-1}{2}} \frac{2}{C+1}\, N^{\gamma/2} \exp\left(\frac{\varepsilon}{2}\right),$$

and as

$$\left(\frac{C-1}{C+1}\right)^{\frac{C-1}{2}} \frac{2}{C+1} \leq \frac{1}{C}$$

for $C > 1$,[2] we conclude that

$$|u - kN^\gamma| \leq \frac{N^{\gamma/2}}{C} \exp\left(\frac{\varepsilon}{2}\right),$$

as wished.

Lemma 2. Let $C > 1$ and let $z \in \mathbb{Z}^d$ satisfy $\|S_1 z - t\|_1 \leq \varepsilon$. Then

$$|u - kN| \leq \frac{N^{1/2}}{C} \exp\left(\frac{\varepsilon}{2}\right).$$

Proof. Just take $\gamma = 1$ in the proof of lemma 1.

[2] When $x > 1$, the function $f(x) = \left(\frac{x-1}{x+1}\right)^{\frac{x-1}{2}} \frac{2x}{x+1}$ is monotonically decreasing, with $f(1^+) = 1$.

A.2. Lemmas used in section 3. The following are general lemmas, maybe of independent interest. Lemma 4 could find an application in the context of knapsack lattice bases.

Lemma 3. The volume of the lattice $L$ generated by the columns of the matrix

(11) $$B = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \\ x_1 & x_2 & \cdots & x_d \end{pmatrix}$$

satisfies

$$\mathrm{vol}(L) = \sqrt{\det(B^T B)} = \left(1 + \sum_{i=1}^{d} x_i^2\right)^{1/2}.$$

Proof. We use Sylvester's determinant theorem (see for example [2]), which states that for every $A \in \mathbb{R}^{m \times n}$ and $B \in \mathbb{R}^{n \times m}$, $\det(I_m + AB) = \det(I_n + BA)$, where $I_k$ is the $k \times k$ identity matrix. Writing the matrix $B$ by blocks, $B = \begin{pmatrix} I_d \\ x^T \end{pmatrix}$, and computing the associated Gram matrix, we obtain $B^T B = I_d + x x^T$, and hence, using Sylvester's theorem,

$$\mathrm{vol}(L)^2 = \det(B^T B) = \det(I_d + x x^T) = \det(I_1 + x^T x) = 1 + \sum_{i=1}^{d} x_i^2,$$

as wished.

Lemma 4. The Gram-Schmidt Orthogonalization of the columns $\{v_1, \ldots, v_{d+1}\}$ of a nonsingular square matrix

(12) $$\begin{pmatrix} x_1 & 0 & \cdots & 0 & 0 \\ 0 & x_2 & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & x_d & 0 \\ y_1 & y_2 & \cdots & y_d & y_{d+1} \end{pmatrix}$$

can be specified in function of its entries and the quantities

$$K_j = 1 + \sum_{i=1}^{j} \left(\frac{y_i}{x_i}\right)^2, \quad 1 \leq j \leq d, \qquad K_0 = 1,$$

by

(13) $$v_k^*(i) = \begin{cases} -\dfrac{y_k\, y_i}{x_i\, K_{k-1}} & i < k \\[1ex] x_k & i = k \\[1ex] 0 & k < i < d+1 \\[1ex] \dfrac{y_k}{K_{k-1}} & i = d+1 \end{cases}$$

for $k \leq d$, and by the same expression considering only the $i < k$ and $i = d+1$ cases, when $k = d+1$. The Euclidean norms satisfy

(14) $$\|v_k^*\|_2^2 = x_k^2\, \frac{K_k}{K_{k-1}}, \qquad \|v_{d+1}^*\|_2^2 = \frac{y_{d+1}^2}{K_d},$$

and the Gram-Schmidt coefficients are

(15) $$\mu_{k,j} = \frac{\langle v_k, v_j^* \rangle}{\langle v_j^*, v_j^* \rangle} = \frac{y_k\, y_j}{x_j^2\, K_j}, \qquad 1 \leq j < k \leq d+1.$$

Proof. The proof of (13) is carried out by induction. The result is clearly true for $k = 1$. Suppose that it holds for $v_1^*, \ldots, v_{k-1}^*$ for some $k \in [2, d+1]$. Let us show that it still holds for $v_k^*$. First, observe that for $1 \leq j < k \leq d+1$, since $v_k$ vanishes outside coordinates $k$ and $d+1$ and $v_j^*(k) = 0$,

$$\langle v_k, v_j^* \rangle = v_k(d+1)\, v_j^*(d+1) = \frac{y_k\, y_j}{K_{j-1}}$$

and

$$\|v_j^*\|_2^2 = \langle v_j^*, v_j^* \rangle = \sum_{i=1}^{j-1} \left(\frac{y_j\, y_i}{x_i\, K_{j-1}}\right)^2 + x_j^2 + \left(\frac{y_j}{K_{j-1}}\right)^2 = \left(\frac{y_j}{K_{j-1}}\right)^2 \left(1 + \sum_{i=1}^{j-1} \left(\frac{y_i}{x_i}\right)^2\right) + x_j^2 = \frac{y_j^2}{K_{j-1}} + x_j^2 = x_j^2\, \frac{K_{j-1} + (y_j/x_j)^2}{K_{j-1}} = x_j^2\, \frac{K_j}{K_{j-1}},$$

which entails

(16) $$\mu_{k,j} = \frac{\langle v_k, v_j^* \rangle}{\langle v_j^*, v_j^* \rangle} = \frac{y_k\, y_j}{x_j^2\, K_j}.$$

Now, let $i \in [1, k-1]$. By the definition of the Gram-Schmidt process, and using $(y_j/x_j)^2 = K_j - K_{j-1}$, we have

$$v_k^*(i) = v_k(i) - \sum_{j=1}^{k-1} \mu_{k,j}\, v_j^*(i) = 0 - \mu_{k,i}\, v_i^*(i) - \sum_{j=i+1}^{k-1} \mu_{k,j}\, v_j^*(i) = -\frac{y_k\, y_i}{x_i^2\, K_i}\, x_i + \sum_{j=i+1}^{k-1} \frac{y_k\, y_j}{x_j^2\, K_j} \cdot \frac{y_j\, y_i}{x_i\, K_{j-1}}$$

$$= \frac{y_k\, y_i}{x_i} \left(-\frac{1}{K_i} + \sum_{j=i+1}^{k-1} \frac{(y_j/x_j)^2}{K_j\, K_{j-1}}\right) = \frac{y_k\, y_i}{x_i} \left(-\frac{1}{K_i} + \sum_{j=i+1}^{k-1} \left(\frac{1}{K_{j-1}} - \frac{1}{K_j}\right)\right) = \frac{y_k\, y_i}{x_i} \left(-\frac{1}{K_i} + \frac{1}{K_i} - \frac{1}{K_{k-1}}\right) = -\frac{y_k\, y_i}{x_i\, K_{k-1}},$$

as we wanted. Now, when $i = k \leq d$,

$$v_k^*(k) = v_k(k) - \sum_{j=1}^{k-1} \mu_{k,j}\, v_j^*(k) = x_k - \sum_{j=1}^{k-1} \mu_{k,j} \cdot 0 = x_k,$$

as we wanted. When $k < i \leq d$, we have

$$v_k^*(i) = v_k(i) - \sum_{j=1}^{k-1} \mu_{k,j}\, v_j^*(i) = 0 - \sum_{j=1}^{k-1} \mu_{k,j} \cdot 0 = 0,$$

as wished. Finally, when $i = d+1$ we obtain, for every $k \in [2, d+1]$,

$$v_k^*(d+1) = v_k(d+1) - \sum_{j=1}^{k-1} \mu_{k,j}\, v_j^*(d+1) = y_k - \sum_{j=1}^{k-1} \frac{y_k\, y_j}{x_j^2\, K_j} \cdot \frac{y_j}{K_{j-1}} = y_k \left(1 - \sum_{j=1}^{k-1} \frac{(y_j/x_j)^2}{K_j\, K_{j-1}}\right)$$

$$= y_k \left(1 - \sum_{j=1}^{k-1} \left(\frac{1}{K_{j-1}} - \frac{1}{K_j}\right)\right) = y_k \left(1 - \frac{1}{K_0} + \frac{1}{K_{k-1}}\right) = \frac{y_k}{K_{k-1}},$$

since $K_0 = 1$. Hence, (13) is proved, both in the $1 \leq k \leq d$ and the $k = d+1$ cases, as specified in the statement of the lemma. As a consequence of the computations preceding (16), properties (14) and (15) are also proved, except for the Euclidean norm of $v_{d+1}^*$, which is given by

$$\|v_{d+1}^*\|_2^2 = \left(\frac{y_{d+1}}{K_d}\right)^2 \left(1 + \sum_{i=1}^{d} \left(\frac{y_i}{x_i}\right)^2\right) = \frac{y_{d+1}^2}{K_d}.$$

The proof of the lemma is now complete.
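A numerical check of the closed forms of lemma 4, added here as an example and not part of the report. The columns are those of $S_p$ followed by $t$ (equivalently, the columns of $A_p$), instantiated with $x_i = (\ln p_i)^{1/p}$, $y_i = C \ln p_i$ and $y_{d+1} = C \ln N$ exactly as in the proof of theorem 4, so the comparison covers theorem 4 as well; the products of the Gram-Schmidt norms also recover the volumes of theorem 3, since $\prod_{k \leq d} \|b_k^*\|$ is $\mathrm{vol}(S_p)$ and the full product is $\mathrm{vol}(A_p)$. $N = 1147$, $d = 10$, $C = 3$ and $p \in \{1, 2\}$ are illustrative choices.

```python
"""Numerical check of Lemma 4's Gram-Schmidt closed forms and Theorem 3's
volumes on the Prime Number Lattice bases.

Added example, not code from the report. The columns are those of S_p
followed by t (equivalently, the columns of A_p) with x_i = (ln p_i)^(1/p),
y_i = C ln p_i and y_{d+1} = C ln N as in Theorem 4; N, d, C and p are
illustrative choices.
"""
from math import log, sqrt

PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]   # p_1 .. p_10


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def columns(primes, N, C, p):
    """b_1, ..., b_d of S_p (each in R^(d+1)) followed by the target t."""
    d = len(primes)
    cols = []
    for k, pk in enumerate(primes):
        col = [0.0] * (d + 1)
        col[k] = log(pk) ** (1.0 / p)        # x_k on the diagonal
        col[d] = C * log(pk)                 # y_k in the last row
        cols.append(col)
    cols.append([0.0] * d + [C * log(N)])    # t = (0, ..., 0, y_{d+1})
    return cols


def gram_schmidt(vectors):
    """Classical Gram-Schmidt: returns v*_1, ..., v*_{d+1}."""
    stars = []
    for v in vectors:
        w = list(v)
        for s in stars:
            mu = dot(v, s) / dot(s, s)
            w = [wi - mu * si for wi, si in zip(w, s)]
        stars.append(w)
    return stars


def closed_form(primes, N, C, p):
    """Lemma 4 / Theorem 4 formulas for v*_k.  Indices are 0-based here,
    so K[k] is the K_{k-1} of the lemma when k is the 0-based column."""
    d = len(primes)
    x = [log(q) ** (1.0 / p) for q in primes]
    y = [C * log(q) for q in primes] + [C * log(N)]
    K = [1.0]                                # K_0 = 1
    for xi, yi in zip(x, y):
        K.append(K[-1] + (yi / xi) ** 2)     # K_j = 1 + sum_{i<=j} (y_i/x_i)^2
    stars = []
    for k in range(d + 1):
        v = [0.0] * (d + 1)
        for i in range(k):
            v[i] = -y[k] * y[i] / (x[i] * K[k])   # i < k
        if k < d:
            v[k] = x[k]                            # i = k
        v[d] = y[k] / K[k]                         # i = d + 1
        stars.append(v)
    return stars, K, x


def max_error(primes, N, C, p):
    """Largest gap between the numeric GSO and the closed form, including
    the squared norms (14) against the numeric ones."""
    num = gram_schmidt(columns(primes, N, C, p))
    cf, K, x = closed_form(primes, N, C, p)
    d = len(primes)
    err = max(abs(a - b) for u, v in zip(num, cf) for a, b in zip(u, v))
    for k in range(d):
        err = max(err, abs(dot(num[k], num[k]) - x[k] ** 2 * K[k + 1] / K[k]))
    err = max(err, abs(dot(num[d], num[d]) - (C * log(N)) ** 2 / K[d]))
    return err


def volumes(primes, N, C, p):
    """(vol(A_p) from the GSO, vol(A_p) from Theorem 3,
        vol(S_p) from the GSO, vol(S_p) from Theorem 3)."""
    norms = [sqrt(dot(s, s)) for s in gram_schmidt(columns(primes, N, C, p))]
    vol_A = 1.0
    for n in norms:
        vol_A *= n
    vol_S = vol_A / norms[-1]                # drop ||t*||: the b_k alone span S_p
    prod = 1.0
    for q in primes:
        prod *= log(q) ** (1.0 / p)
    vol_A_thm = C * log(N) * prod
    vol_S_thm = sqrt(1 + C ** 2 * sum(log(q) ** (2 - 2.0 / p) for q in primes)) * prod
    return vol_A, vol_A_thm, vol_S, vol_S_thm


if __name__ == "__main__":
    for p in (1, 2):
        print(p, max_error(PRIMES, 1147, 3.0, p), volumes(PRIMES, 1147, 3.0, p))
```

For $p = 1$ every ratio $y_i/x_i$ equals $C$, so $D_j = 1 + jC^2$ and the closed forms reduce to rational multiples of the $\ln p_i$; the $p = 2$ case is the one covered by [9, Prop. 5.9] and exercises the fractional exponents.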