copyright, yogesh malhotra, phd, 2013 special purpose factoring algorithms special purpose factoring...

Copyright, Yogesh Malhotra, PhD, 2013

www.yogeshmalhotra.com

SPECIAL PURPOSE FACTORING ALGORITHMS

Special Purpose Factoring Algorithms• For special class of numbers (M, F), can’t do hard composites • Mersenne primes of form 2n – 1.

• Efficiency depends on unknown factors. • Best for factoring smooth composites with small prime factors. • 1,620 has prime factors 22 × 34 × 5 ⇒ 1,620 is 5-smooth

• Too slow for most factoring jobs.• Would run forever or fail for RSA composites.

Examples• Trial division: Trial divide possible factors, check for zero remainder• Pollard’s p − 1: Based on Fermat’s Little Theorem

• Pollard’s ρ: Monte Carlo method: 8th Fermat number • Elliptic Curve Method (ECM): p − 1 for points on elliptic curve.



GENERAL PURPOSE FACTORING ALGORITHMS

General Purpose Factoring Algorithms• Efficiency depends on size of integer to factor. • Can factor any integer of a given size • in about same time as any integer of that size.

• Suitable for RSA-type hard composites • With no small prime factors.• RSA cryptosystem: Numbers used for modulus

• Do not have any small prime factors, e.g. RSA-768. 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413.

33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489x36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917



GENERAL PURPOSE FACTORING ALGORITHMSCongruent Squares: Underlies CFRAC, QS, NFSLegendre’s Congruence Prime Factors p & q



GENERAL PURPOSE FACTORING ALGORITHMSCONTINUED FRACTIONS (CFRAC), QUADRATIC SIEVE (QS),

NUMBER FIELD SIEVE (NFS)Above 3 GPFAs consist of same 3 basic steps

1. Identify set of relations smooth over some factor base.2. Solve linear equations system to find relations yielding squares.3. Compute GCD of composite and squares found above.

• Same I/O: I composite integer n, O nontrivial factor p of n.• Difference: Find integer pairs satisfying congruence (relation).• CFRAC

• QS

• NFS



NUMBER FIELD SIEVESMOST EFFICIENT FACTORIZATION OF LARGE INTEGERS

• Special Number Field Sieve (SNFS)• Special-purpose: efficient for integers of form re ± s.

• General Number Field Sieve (GNFS or NFS)• Most efficient classical algorithm known (> 100 digits)

• Quadratic Sieve (QS)• Second fastest method known (fastest for < 100 digits)

• Rational Sieve (RS)• Special case of NFS, far less efficient, useless for practice.




• Fastest General Purpose Factoring Algorithm• The Number Field Sieve (NFS) – faster than MPQS• NFS Variant used in recent 232-digit RSA-768 Factoring

“Recent improvements to the Number Field Sieve make the NFS more efficient than MPQS* in factoring numbers larger than about 115 digits, while MPQS is better for small integers… It is now estimated that if the NFS had been used for RSA-129, it would have taken one quarter of the time. Clearly, NFS has overtaken MPQS as the most widely used factoring algorithm.”Source: RSA Laboratories, “What are the best factoring methods in use today?”

*Multiple Polynomial Quadratic Sieve




“The best known algorithm for factoring large numbers is the General Number Field Sieve (GNFS).”

“GNFS consists of a sieving phase that searches a fixed set of prime numbers for candidates that have a particular algebraic relationship, modulo the number to be factored. This is followed by a matrix solving phase that creates a large matrix from the candidate values, then solves it to determine the factors.

“The sieving phase may be done in distributed fashion, on a large number of processors simultaneously. The matrix solving phase requires massive amounts of storage and is typically performed on a large supercomputer.”

Source: RSA Laboratories, “The RSA Factoring Challenge FAQ ”




For large n, NFS asymptotically outperforms QS, RS• RS & QS: find smooth numbers exponential in n• QS operates over integers only ℤ x ℤ• NFS operates over Number Field and Number Ring• over ℤ and ring ℤ[m], i.e., ℤ x ℤ[m]• m is root of polynomial f(x).

• NF is a finite field extension of the field ℚ.• NR is a subring of NF.

• NFS finds smooth numbers sub-exponential in n• Find congruent squares mod n (congruence,

relation)• Non-trivial factors of n



NUMBER FIELD SIEVEOUTLINE OF STEPS IN THE ALGORITHM

1. Polynomial Selection• Find f(x) irreducible over ℤ[x] • with root m modulo n, f(x) ϵ ℤ[x].

2. Finding Factor Bases• Choose size for factor bases and set up: • Rational Factor Base, RFB• Algebraic Factor Base, AFB• Quadratic Character Base, QCB

3. Sieving → Set S of relations (a, b)• Find pairs of integers (a, b) with properties:• gcd(a, b) = 1 a, b are relative primes• a + bm is smooth over RFB• bdeg(f)f(a/b) is smooth over AFB

• Pairs (a, b) with above properties: relation.




4. Solving Linear Equations using Matrix • Filter sieving results: remove duplicates and relations

containing a prime ideal not present in other relations.• Put relations into relation-sets. • Construct very large sparse matrix over GF(2) 2 = pm .• Reduce the matrix resulting in some dependencies• Elements which lead to a square modulo n.

5. Calculating Square Roots in Number Fields• Rational square root, y: y2 = • Algebraic square root, x: x2 = • where = root of f(x)

• p is found by gcd(n, x-y) and gcd(n, x+y).



NUMBER FIELD SIEVE[ALGEBRAIC] NUMBER FIELD

• r is an algebraic number of degree k – 1 if• r root of nonzero polynomial where a ϵ ℚ• r satisfies no similar equation of degree < k – 1

(irreducible)• [Algebraic] Number Field ℚ[r]: all expressions • constructed from r by repeated +, –, ∗, ∕ .

• Finite degree field extension ℚ[r] of the field ℚ• Degree: its dimension as a vector space over ℚ.

• Field – Commutative Ring – Abelian Group – Set (axioms Cl,As,In,Id)

⇒



NUMBER FIELD SIEVE ALGORITHMPOLYNOMIAL SELECTION

Find f(x) irreducible over ℤ[x] • with root m modulo n, f(x) ϵ ℤ[x].

Base-m for desired root set ℤ/ℤn[x]

Polynomial yield

Polynomial Selection Steps• Identify large set of usable polynomials• Remove bad polynomials from set (α heuristics)• Small sieving experiments on remaining polynomials• Choose one with best yield.



NUMBER FIELD SIEVE ALGORITHMFINDING FACTOR BASES

• Factor bases (FB) specify well defined domain of smooth primes for the NFS algorithm consistent with congruence

• Choose FB and set up primes smooth over respective FB: • Rational • Algebraic• Quadratic higher pi’s

• Factor bases specify primes smooth over RFB, AFB, QCB• RFB primes 2, 3, 5 up to empirically known bound (a +

bm).• AFB set of prime ideals in a ring of algebraic integers.• QCB small set of first degree prime ideals not in AFB.



NUMBER FIELD SIEVE ALGORITHMSIEVING → SET S OF RELATIONS (a, b)

• Find usable relations (a, b) with properties:• gcd(a, b) = 1 a, b are relative primes• a + bm is smooth over RFB• bdeg(f)f(a/b) is smooth over AFB

• Optimization of sieving → Biggest efficiency gain• Optimization of memory usage• Reuse arrays, use smallest possible data types

• Rational Sieve a – bm ϵ ℤ vs. Algebraic Sieve • (a, b) passing through both is smooth over RFB and

AFB• Classical Line Sieving vs. Faster Lattice Sieving



NUMBER FIELD SIEVE ALGORITHMSIEVING → SET S OF RELATIONS (a, b)

• Line Sieving• Needs less memory, best for small to medium

primes• Sieve over all (a, b) pairs, one b-value at a time• For each prime (p, r), find all pairs divisible by it.

• Lattice Sieving• Needs more memory, best for large primes• Fix a medium sized prime (q, s) ϵ AFB• Sieve over all (a, b) pairs s.t. |(q, s) • Form lattice of vectors for two such pairs.

• Output: Set of (a, b) pairs that are RFB and AFB smooth.



NUMBER FIELD SIEVE ALGORITHMSOLVING LINEAR EQUATIONS USING MATRIX

• RFB and AFB smooth (a, b) pairs filtered…• Find subset of pairs which yields a square i.e. ….• Elements in its unique factors have even powers.

E.g. of {34, 89, 46, 32, 56, 8, 51, 43, 69} for {34, 46, 51, 69}34· 46· 51· 69 = 5503716 = 22· 32·172· 232 = (2· 3·17· 23)2

• Equivalent to solving a system of linear equations• Solve using a matrix of RFB and AFB smooth (a, b) pairs• Matrix consists of factorization over RFB and AFB• Minimize matrix size: [1 for odd, 0 for even] power• Transform the matrix to reduced echelon form• Use Gaussian Elimination to solve the matrix…

suboptimal…• Block Lanczos or Block Wiedemann for optimal run time.



NUMBER FIELD SIEVE ALGORITHMSOLVING LINEAR EQUATIONS USING MATRIX



NUMBER FIELD SIEVE ALGORITHMCALCULATING SQUARE ROOTS IN NUMBER FIELDS

• Matrix yields one or more products which are squares • can lead to a trivial or non-trivial factors of n.

• We need the square root of the product…• Rational square root, y ϵ ℤ: y2 =

Can avoid computing large number y2

Complete factorization of each in the product.• … and… Most complex part of NFS Algorithm• Algebraic square root, x ϵ ℤ[m]: x2 =

where = root of f(x) ⇔ finding square root of f(x)over extension field.• Montgomery’s method using lattice reduction most

optimal.• p is found by gcd(n, x-y) and gcd(n, x+y).




1. Polynomial Selection• Find f(x) irreducible over ℤ[x] • with root m modulo n, f(x) ϵ ℤ[x].

2. Finding Factor Bases• Choose size for factor bases and set up: • Rational Factor Base, RFB• Algebraic Factor Base, AFB• Quadratic Character Base, QCB

3. Sieving → Set S of relations (a, b)• Find pairs of integers (a, b) with properties:• gcd(a, b) = 1 a, b are relative primes• a + bm is smooth over RFB• bdeg(f)f(a/b) is smooth over AFB

• Pairs (a, b) with above properties: relation.




4. Solving Linear Equations using Matrix • Filter sieving results: remove duplicates and relations

containing a prime ideal not present in other relations.• Put relations into relation-sets. • Construct very large sparse matrix over GF(2) 2 = pm .• Reduce the matrix resulting in some dependencies• Elements which lead to a square modulo n.

5. Calculating Square Roots in Number Fields• Rational square root, y: y2 = • Algebraic square root, x: x2 = • where = root of f(x)

• p is found by gcd(n, x-y) and gcd(n, x+y).

copyright, yogesh malhotra, phd, 2013 special purpose factoring algorithms special purpose factoring...

Documents