and 611 + for small : Integer factorization Sieving 1 612 2 2 - - PowerPoint PPT Presentation

SLIDE 1

Integer factorization

• D. J. Bernstein

Thanks to: University of Illinois at Chicago NSF DMS–0140542 Alfred P. Sloan Foundation Sieving

and 611 + for small :

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc.

SLIDE 2

rization Illinois at Chicago DMS–0140542 Foundation Sieving

and 611 + for small :

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc. Have complete facto

(611 + ) for some

• 14

625 = 2130547

64

675 = 2633527

75

686 = 2131527

14

64 75 625 675

• = 28345874 = (243

gcd 14

64 75 ✁ ✂

= 47. 611 = 47

13.

SLIDE 3

Sieving

and 611 + for small :

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc. Have complete factorization of

(611 + ) for some ’s.

14

625 = 21305471.

64

675 = 26335270.

75

686 = 21315273.

14

64 75 625 675 686

= 28345874 = (24325472)2. gcd 14

64 75 ✁

24325472

✂ 611

= 47. 611 = 47

13.

SLIDE 4

• 611 +

for small :

2 2 3 3 2 3 5 2 2 2 7 2 3 2 2 5 3 3 3 2 7 2 2 2 2 3 5 5 5 5 2 3 2 2 2 3 3 5 7

Have complete factorization of

(611 + ) for some ’s.

14

625 = 21305471.

64

675 = 26335270.

75

686 = 21315273.

14

64 75 625 675 686

= 28345874 = (24325472)2. gcd 14

64 75 ✁

24325472

✂ 611

= 47. 611 = 47

13.

Given

• and parameter
• 1. Use powers of p

sieve

and

• +

fo

• 2. Look for nonempt
• with

(

• +

) completely

and with

✁ (

• +
• 3. Compute gcd

✂ ✂

• where

✂

=

✁

• ✁

✁

SLIDE 5

Have complete factorization of

(611 + ) for some ’s.

14

625 = 21305471.

64

675 = 26335270.

75

686 = 21315273.

14

64 75 625 675 686

= 28345874 = (24325472)2. gcd 14

64 75 ✁

24325472

✂ 611

= 47. 611 = 47

13.

Given

• and parameter

:

• 1. Use powers of primes

to sieve

and

• +

for 1

• 2.
• 2. Look for nonempty set of

’s

with

(

• +

) completely factored

and with

✁ (

• +

) square.

• 3. Compute gcd

✂ ✂

• where

✂

=

✁

• ✁

✁ (

• +

).

SLIDE 6

factorization of

• some

’s.

• 471.
• 270.
• 273.
• 675

686

4325472)2.

• ✁

24325472

✂ 611

• Given
• and parameter

:

• 1. Use powers of primes

to sieve

and

• +

for 1

• 2.
• 2. Look for nonempty set of

’s

with

(

• +

) completely factored

and with

✁ (

• +

) square.

• 3. Compute gcd

✂ ✂

• where

✂

=

✁

• ✁

✁ (

• +

).

This is the Q sieve Same principles: Continued-fraction (Lehmer, Powers, Brillhart, Morrison). Linear sieve (Schro Quadratic sieve (P Number-field sieve (Pollard, Buhler, Lenstra, Pomerance, Adleman).

SLIDE 7

Given

• and parameter

:

• 1. Use powers of primes

to sieve

and

• +

for 1

• 2.
• 2. Look for nonempty set of

’s

with

(

• +

) completely factored

and with

✁ (

• +

) square.

• 3. Compute gcd

✂ ✂

• where

✂

=

✁

• ✁

✁ (

• +

).

This is the Q sieve. Same principles: Continued-fraction method (Lehmer, Powers, Brillhart, Morrison). Linear sieve (Schroeppel). Quadratic sieve (Pomerance). Number-field sieve (Pollard, Buhler, Lenstra, Pomerance, Adleman).

SLIDE 8

• rameter

:

• f primes

to

• for 1
• 2.

nonempty set of

’s

• completely factored

✁

• +

) square. ✂ ✂

• ✂

✁

• ✁

✁ (

• +

).

This is the Q sieve. Same principles: Continued-fraction method (Lehmer, Powers, Brillhart, Morrison). Linear sieve (Schroeppel). Quadratic sieve (Pomerance). Number-field sieve (Pollard, Buhler, Lenstra, Pomerance, Adleman). Sieving speed Handle sieving in sieve

• + 1

✂

• ✂
• sieve
• +

+ 1

✂

• ✂
• sieve
• + 2 + 1

✂

• ✂
• etc.

Sieving

• + 1

✂

• +

✂

• ✂
• using primes

means finding, for

• + 1

✂

• + 2

✂

• ✂
• which

’s divide

SLIDE 9

This is the Q sieve. Same principles: Continued-fraction method (Lehmer, Powers, Brillhart, Morrison). Linear sieve (Schroeppel). Quadratic sieve (Pomerance). Number-field sieve (Pollard, Buhler, Lenstra, Pomerance, Adleman). Sieving speed Handle sieving in pieces: sieve

• + 1

✂

• ✂
• +

; sieve

• +

+ 1

✂

• ✂
• + 2

; sieve

• + 2 + 1

✂

• ✂
• + 3

; etc. Sieving

• + 1

✂

• + 2

✂

• ✂
• +

using primes means finding, for each

• + 1

✂

• + 2

✂

• ✂
• +

, which ’s divide

• +

.

SLIDE 10

sieve. Continued-fraction method ers, rrison). (Schroeppel). (Pomerance). sieve Buhler, Lenstra, Adleman). Sieving speed Handle sieving in pieces: sieve

• + 1

✂

• ✂
• +

; sieve

• +

+ 1

✂

• ✂
• + 2

; sieve

• + 2 + 1

✂

• ✂
• + 3

; etc. Sieving

• + 1

✂

• + 2

✂

• ✂
• +

using primes means finding, for each

• + 1

✂

• + 2

✂

• ✂
• +

, which ’s divide

• +

.

Consider all pairs (

• ✂

where

• +

is a multiple

Easy to generate pairs sorted by second comp (612

✂ 2), (614 ✂ 2), (616 ✂ ✂

(620

✂ 2), (612 ✂ 3), (615 ✂ ✂

(615

✂ 5), (620 ✂ 5), (616 ✂

Sieving means listing sorted by first comp (612

✂ 2), (612 ✂ 3), (614 ✂

(615

✂ 3), (615 ✂ 5), (616 ✂ ✂

(618

✂ 2), (618 ✂ 3), (620 ✂ ✂

SLIDE 11

Sieving speed Handle sieving in pieces: sieve

• + 1

✂

• ✂
• +

; sieve

• +

+ 1

✂

• ✂
• + 2

; sieve

• + 2 + 1

✂

• ✂
• + 3

; etc. Sieving

• + 1

✂

• + 2

✂

• ✂
• +

using primes means finding, for each

• + 1

✂

• + 2

✂

• ✂
• +

, which ’s divide

• +

.

Consider all pairs (

• +
• ✂

) where

• +

is a multiple of

. Easy to generate pairs sorted by second component: (612

✂ 2), (614 ✂ 2), (616 ✂ 2), (618 ✂ 2),

(620

✂ 2), (612 ✂ 3), (615 ✂ 3), (618 ✂ 3),

(615

✂ 5), (620 ✂ 5), (616 ✂ 7).

Sieving means listing pairs sorted by first component: (612

✂ 2), (612 ✂ 3), (614 ✂ 2),

(615

✂ 3), (615 ✂ 5), (616 ✂ 2), (616 ✂ 7),

(618

✂ 2), (618 ✂ 3), (620 ✂ 2), (620 ✂ 5).

SLIDE 12

pieces:

• ✂
• ✂
• +

;

• ✂
• ✂
• + 2

;

• 1

✂

• ✂
• + 3

;

• ✂
• + 2

✂

• ✂
• +

for each

• ✂
• 2

✂

• ✂
• +

,

• +

.

Consider all pairs (

• +
• ✂

) where

• +

is a multiple of

. Easy to generate pairs sorted by second component: (612

✂ 2), (614 ✂ 2), (616 ✂ 2), (618 ✂ 2),

(620

✂ 2), (612 ✂ 3), (615 ✂ 3), (618 ✂ 3),

(615

✂ 5), (620 ✂ 5), (616 ✂ 7).

Sieving means listing pairs sorted by first component: (612

✂ 2), (612 ✂ 3), (614 ✂ 2),

(615

✂ 3), (615 ✂ 5), (616 ✂ 2), (616 ✂ 7),

(618

✂ 2), (618 ✂ 3), (620 ✂ 2), (620 ✂ 5).

There are

1+

(1)

involving

• + 1

✂

• ✂
• ✂
• Sieving
• + 1

✂

• +

✂

• ✂
• takes

1+

(1) seconds

• n RAM costing
• 2-dimensional mesh

is much faster:

✁

• n machine costing
• Can do even better:
• n machine costing
• using “elliptic-curve

SLIDE 13

Consider all pairs (

• +
• ✂

) where

• +

is a multiple of

. Easy to generate pairs sorted by second component: (612

✂ 2), (614 ✂ 2), (616 ✂ 2), (618 ✂ 2),

(620

✂ 2), (612 ✂ 3), (615 ✂ 3), (618 ✂ 3),

(615

✂ 5), (620 ✂ 5), (616 ✂ 7).

Sieving means listing pairs sorted by first component: (612

✂ 2), (612 ✂ 3), (614 ✂ 2),

(615

✂ 3), (615 ✂ 5), (616 ✂ 2), (616 ✂ 7),

(618

✂ 2), (618 ✂ 3), (620 ✂ 2), (620 ✂ 5).

There are

1+

(1) pairs

involving

• + 1

✂

• + 2

✂

• ✂
• +

. Sieving

• + 1

✂

• + 2

✂

• ✂
• +

takes

1+

(1) seconds

• n RAM costing

1+

(1) dollars.

2-dimensional mesh computer is much faster:

✁ 5+ (1) seconds

• n machine costing

1+

(1) dollars.

Can do even better:

(1) seconds

• n machine costing

1+

(1) dollars,

using “elliptic-curve method.”

SLIDE 14

pairs (

• +
• ✂

)

• multiple of

. pairs component:

✂ ✂ 2), (616 ✂ 2), (618 ✂ 2), ✂ ✂ 3), (615 ✂ 3), (618 ✂ 3), ✂ ✂ 5), (616 ✂ 7).

listing pairs component:

✂ ✂ 3), (614 ✂ 2), ✂ ✂ 5), (616 ✂ 2), (616 ✂ 7), ✂ ✂ 3), (620 ✂ 2), (620 ✂ 5).

There are

1+

(1) pairs

involving

• + 1

✂

• + 2

✂

• ✂
• +

. Sieving

• + 1

✂

• + 2

✂

• ✂
• +

takes

1+

(1) seconds

• n RAM costing

1+

(1) dollars.

2-dimensional mesh computer is much faster:

✁ 5+ (1) seconds

• n machine costing

1+

(1) dollars.

Can do even better:

(1) seconds

• n machine costing

1+

(1) dollars,

using “elliptic-curve method.” Square-finding speed Start from factored

• 1(
• +

1) =

• ✁
• 2(
• +

2) =

• ✁
• etc.

Want to find

1

✂

2

✂

• such that

(

1(

• +

1)) 1( 2(

• is a square.

In other words:

• 1

✁ 1( )+ 2 ✁ 2(

• ✂✄✂☎✂

has even exponents.

SLIDE 15

There are

1+

(1) pairs

involving

• + 1

✂

• + 2

✂

• ✂
• +

. Sieving

• + 1

✂

• + 2

✂

• ✂
• +

takes

1+

(1) seconds

• n RAM costing

1+

(1) dollars.

2-dimensional mesh computer is much faster:

✁ 5+ (1) seconds

• n machine costing

1+

(1) dollars.

Can do even better:

(1) seconds

• n machine costing

1+

(1) dollars,

using “elliptic-curve method.” Square-finding speed Start from factored

(

• +

)’s: 1(

• +

1) =

• ✁ 1(

), 2(

• +

2) =

• ✁ 2(

),

etc. Want to find

1

✂

2

✂

• such that

(

1(

• +

1)) 1( 2(

• +

2)) 2

• is a square.

In other words:

• 1

✁ 1( )+ 2 ✁ 2( )+ ✂✄✂☎✂

has even exponents.

SLIDE 16 (1) pairs

• ✂
• + 2

✂

• ✂
• +

.

• ✂
• + 2

✂

• ✂
• +
• seconds

1+

(1) dollars.

mesh computer

✁ 5+ (1) seconds

costing

1+

(1) dollars.

etter:

(1) seconds

costing

1+

(1) dollars,

“elliptic-curve method.” Square-finding speed Start from factored

(

• +

)’s: 1(

• +

1) =

• ✁ 1(

), 2(

• +

2) =

• ✁ 2(

),

etc. Want to find

1

✂

2

✂

• such that

(

1(

• +

1)) 1( 2(

• +

2)) 2

• is a square.

In other words:

• 1

✁ 1( )+ 2 ✁ 2( )+ ✂✄✂☎✂

has even exponents. In other words:

1(

1(2) ✂ 1(3) ✂ 1(5) ✂

• +

2(

2(2) ✂ 2(3) ✂

• ✂
• +
• is even.

e.g. given 14

625 = 2130547

64

675 = 2633527

75

686 = 2131527

find

1

✂

2

✂

3 such 1(1

✂ 0 ✂ 4 ✂ 1) +

2(6

✂ ✂ ✂

+

3(1

✂ 1 ✂ 2 ✂ 3) is even.

SLIDE 17

Square-finding speed Start from factored

(

• +

)’s: 1(

• +

1) =

• ✁ 1(

), 2(

• +

2) =

• ✁ 2(

),

etc. Want to find

1

✂

2

✂

• such that

(

1(

• +

1)) 1( 2(

• +

2)) 2

• is a square.

In other words:

• 1

✁ 1( )+ 2 ✁ 2( )+ ✂✄✂☎✂

has even exponents. In other words:

1(

1(2) ✂ 1(3) ✂ 1(5) ✂

• )

+

2(

2(2) ✂ 2(3) ✂ 2(5) ✂

• )

+

• is even.

e.g. given 14

625 = 21305471,

64

675 = 26335270,

75

686 = 21315273:

find

1

✂

2

✂

3 such that 1(1

✂ 0 ✂ 4 ✂ 1) +

2(6

✂ 3 ✂ 2 ✂ 0)

+

3(1

✂ 1 ✂ 2 ✂ 3) is even.

SLIDE 18

speed red

(

• +

)’s:

• ✁ 1(

),

• ✁ 2(

), ✂

2

✂

• (
• +

2)) 2

• ✁
• ✁

(

)+ ✂✄✂☎✂

• nents.

In other words:

1(

1(2) ✂ 1(3) ✂ 1(5) ✂

• )

+

2(

2(2) ✂ 2(3) ✂ 2(5) ✂

• )

+

• is even.

e.g. given 14

625 = 21305471,

64

675 = 26335270,

75

686 = 21315273:

find

1

✂

2

✂

3 such that 1(1

✂ 0 ✂ 4 ✂ 1) +

2(6

✂ 3 ✂ 2 ✂ 0)

+

3(1

✂ 1 ✂ 2 ✂ 3) is even.

This is linear algeb finding kernel of a

3+

(1) seconds

using Gaussian elimination.

2+

(1) seconds

using Wiedemann’s Again exploit parallelism:

1

✁ 5+ (1) seconds

• n a 2-dimensional

costing

1+

(1) dolla

SLIDE 19

In other words:

1(

1(2) ✂ 1(3) ✂ 1(5) ✂

• )

+

2(

2(2) ✂ 2(3) ✂ 2(5) ✂

• )

+

• is even.

e.g. given 14

625 = 21305471,

64

675 = 26335270,

75

686 = 21315273:

find

1

✂

2

✂

3 such that 1(1

✂ 0 ✂ 4 ✂ 1) +

2(6

✂ 3 ✂ 2 ✂ 0)

+

3(1

✂ 1 ✂ 2 ✂ 3) is even.

This is linear algebra mod 2: finding kernel of a matrix.

3+

(1) seconds

using Gaussian elimination.

2+

(1) seconds

using Wiedemann’s method. Again exploit parallelism:

1

✁ 5+ (1) seconds

• n a 2-dimensional mesh

costing

1+

(1) dollars.

SLIDE 20

• ✂
• ✂

1(5) ✂

• )
• ✂
• (3)

✂ 2(5) ✂

• )
• 471,
• 270,
• 273:

✂ ✂

such that

✂ ✂ ✂

(6

✂ 3 ✂ 2 ✂ 0) ✂ ✂ ✂

is even. This is linear algebra mod 2: finding kernel of a matrix.

3+

(1) seconds

using Gaussian elimination.

2+

(1) seconds

using Wiedemann’s method. Again exploit parallelism:

1

✁ 5+ (1) seconds

• n a 2-dimensional mesh

costing

1+

(1) dollars.

How big is ? Positive integers

✂

have

• ✁

✂

chance

• f completely facto

into primes , where

• = (log

✂ )

Very crude approximation but in right ballpark. (Try numerical exp count products of use fancy analytic

SLIDE 21

This is linear algebra mod 2: finding kernel of a matrix.

3+

(1) seconds

using Gaussian elimination.

2+

(1) seconds

using Wiedemann’s method. Again exploit parallelism:

1

✁ 5+ (1) seconds

• n a 2-dimensional mesh

costing

1+

(1) dollars.

How big is ? Positive integers

✂

have

• ✁

✂

chance

• f completely factoring

into primes , where

• = (log

✂ ) log .

Very crude approximation but in right ballpark. (Try numerical experiments; count products of primes; use fancy analytic theorems.)

SLIDE 22

algebra mod 2: a matrix.

• elimination.
• Wiedemann’s method.

rallelism:

✁

• seconds

2-dimensional mesh

• dollars.

How big is ? Positive integers

✂

have

• ✁

✂

chance

• f completely factoring

into primes , where

• = (log

✂ ) log .

Very crude approximation but in right ballpark. (Try numerical experiments; count products of primes; use fancy analytic theorems.) For log (1 2)

• Positive integers
• have

1 chance

• f completely facto

into primes . Presumably the integers 1(

• + 1)

✂ 2(

• + 2)

✂

• ✂
• have

complete thus produce a squa

• ften factor

.

SLIDE 23

How big is ? Positive integers

✂

have

• ✁

✂

chance

• f completely factoring

into primes , where

• = (log

✂ ) log .

Very crude approximation but in right ballpark. (Try numerical experiments; count products of primes; use fancy analytic theorems.) For log (1 2) log

log log :

Positive integers

2(

• +

2)

have 1 chance

• f completely factoring

into primes . Presumably the integers 1(

• + 1)

✂ 2(

• + 2)

✂

• ✂

2(

• +

2)

have complete factorizations; thus produce a square;

• ften factor

.

SLIDE 24 ✂

• ✁

✂

chance factoring

• ✂ ) log .

roximation ballpark. experiments;

• f primes;

analytic theorems.) For log (1 2) log

log log :

Positive integers

2(

• +

2)

have 1 chance

• f completely factoring

into primes . Presumably the integers 1(

• + 1)

✂ 2(

• + 2)

✂

• ✂

2(

• +

2)

have complete factorizations; thus produce a square;

• ften factor

.

So we believe that Q-sieve price-perfo is

+ (1) power of

exp( log

log log

• for some constant
• Continued-fraction

linear sieve, quadratic smaller power. Use integers around

• Number-field sieve:

exp( 3 (log

)(log log

• Use even smaller integers.

SLIDE 25

For log (1 2) log

log log :

Positive integers

2(

• +

2)

have 1 chance

• f completely factoring

into primes . Presumably the integers 1(

• + 1)

✂ 2(

• + 2)

✂

• ✂

2(

• +

2)

have complete factorizations; thus produce a square;

• ften factor

.

So we believe that Q-sieve price-performance ratio is

+ (1) power of

exp( log

log log ),

for some constant

.

Continued-fraction method, linear sieve, quadratic sieve: smaller power. Use integers around

.

Number-field sieve: power of exp( 3 (log

)(log log )2).

Use even smaller integers.

SLIDE 26

2) log

log log :

2(

• +

2)

chance factoring integers

• ✂
• 2)

✂

• ✂

2(

• +

2)

complete factorizations; square;

• So we believe that

Q-sieve price-performance ratio is

+ (1) power of

exp( log

log log ),

for some constant

.

Continued-fraction method, linear sieve, quadratic sieve: smaller power. Use integers around

.

Number-field sieve: power of exp( 3 (log

)(log log )2).

Use even smaller integers. Discrete logarithms Can use the same to compute given

• “Index-calculus metho

Exponential in log

• to compute discrete

by collisions, kanga Subexponential in

• to use index calculus.

Can cryptanalyze la

SLIDE 27

So we believe that Q-sieve price-performance ratio is

+ (1) power of

exp( log

log log ),

for some constant

.

Continued-fraction method, linear sieve, quadratic sieve: smaller power. Use integers around

.

Number-field sieve: power of exp( 3 (log

)(log log )2).

Use even smaller integers. Discrete logarithms Can use the same techniques to compute given 3

• mod

.

“Index-calculus methods.” Exponential in log

• to compute discrete logarithm

by collisions, kangaroos, etc. Subexponential in log

• to use index calculus.

Can cryptanalyze larger

.

SLIDE 28

that erformance ratio

• er of
• log

),

constant

.

Continued-fraction method, quadratic sieve: round

.

sieve: power of

)(log log )2).

smaller integers. Discrete logarithms Can use the same techniques to compute given 3

• mod

.

“Index-calculus methods.” Exponential in log

• to compute discrete logarithm

by collisions, kangaroos, etc. Subexponential in log

• to use index calculus.

Can cryptanalyze larger

.

Collisions, kangaro work for elliptic curves, so we can cryptanalyze small elliptic curves. We don’t know anything Index calculus doesn’t work for elliptic curves. Diffie-Hellman speed use elliptic curves. Signature-verification still use RSA/Rabin

SLIDE 29

Discrete logarithms Can use the same techniques to compute given 3

• mod

.

“Index-calculus methods.” Exponential in log

• to compute discrete logarithm

by collisions, kangaroos, etc. Subexponential in log

• to use index calculus.

Can cryptanalyze larger

.

Collisions, kangaroos, etc. work for elliptic curves, so we can cryptanalyze small elliptic curves. We don’t know anything better. Index calculus doesn’t work for elliptic curves. Diffie-Hellman speed records use elliptic curves. Signature-verification speed records still use RSA/Rabin variants.