factoring integers by cvp algorithms for the prime number
play

Factoring Integers by CVP Algorithms for the Prime Number Lattice - PowerPoint PPT Presentation

Jan 20, 2024 •232 likes •379 views

Factoring Integers by CVP Algorithms for the Prime Number Lattice Claus P . Schnorr Department of Computer Science and Mathematics Goethe-University Frankfurt Main Quantum Cryptanalysis, Schloss Dagstuhl 1.-6. Oct. 2017 The prime number

  1. Factoring Integers by CVP Algorithms for the Prime Number Lattice Claus P . Schnorr Department of Computer Science and Mathematics Goethe-University Frankfurt Main Quantum Cryptanalysis, Schloss Dagstuhl 1.-6. Oct. 2017

  2. The prime number lattice 2 The prime number lattice L ( B n , c ) with basis B n , c = [ b 1 , ..., b n ] ∈ R ( n + 1 ) × n for factoring large integers N : � 0  ln p 1 0 0    · · · · · ·     .     ... . B n , c = , N c =    .  0 0         � 0 0 ln p n 0     N c ln p 1 N c ln p n N c ln N · · · and target vector N c ∈ R n + 1 and the first n primes p 1 , ..., p n . Consider vectors b = � n i = 1 e i b i ∈ L ( B n , c ) close to N c ; e i ∈ Z . i > 0 p e i i < 0 p − e i We identify b ∼ ( u , v ) for u := � i , v := � . i Then || b − N c || 2 ≥ ln uv + ˆ z 2 b − N c holds for the last coordinate z b − N c = u − vN vN N c ( 1 ± o ( 1 )) of b − N c , using lim n , N →∞ o ( 1 ) = 0 ˆ with equality iff uv is squarefree. We compute b ∈ L ( B n , c ) close to N c with | u − vN | ≤ p 3 n .

  3. The factoring method 3 The factoring method. Find ( u j , v j ) with p n -smooth e ′ u j , | u j − v j N | for j = 1 , ..., n + 1. Hence u j − v j N = ± � n i , j i = 1 p , i e ′ e i , j − e ′ e i , j u j = � n = � n � n i , j i , j i = 1 p i = 0 p mod N , i = 0 p = 1 mod N i i i for p 0 = − 1, e i , j , e ′ i , j ∈ N , e 0 , j = 0. Any solution t 1 , ..., t n + 1 ∈ { 0 , 1 } of the equations � n + 1 j = 1 t j ( e i , j − e ′ i , j ) = 0 mod 2 for i = 0 , ..., n (3.1) 1 � n + 1 j = 1 t j ( e i , j − e ′ i , j ) solves X 2 = 1 mod N by X = � n 2 i = 0 p mod N . i If X � = ± 1 mod N this yields factors gcd ( X ± 1 , N ) / ∈ { 1 , N } of The linear equations (3.1) can be solved within O ( n 3 ) bit N . operations if the vectors ( e 0 , j − e ′ 0 , j , ..., e n , j − e ′ 1 , n ) for j = 1 , ..., n + 1 are linearly independent. This factoring method goes back to Morrison & Brillhart [MB75]. We get � n i = 1 p ie i , j = ± � n e ′ fac-relations i = 0 p i mod N i , j z b − N c ≈ u − vN from vectors b ∈ L ( B n , c ) close to N c . Then ˆ vN N c makes | u − vN | ≤ vN 1 − c || b − N c || / √ n small for c > 1.

  4. Results of Dickman, De Bruijn, Hildebrand 4 Let Ψ( X , y ) denote the number of integers in [ 1 , X ] that are y -smooth. D ICKMAN [1930] shows lim y →∞ Ψ( y z , y ) y − z = ρ ( z ) for any fixed z > 0. ρ ( z ) is the Dickman, De Bruijn ρ - function. It is known that ρ ( z ) = 1 for 0 ≤ z ≤ 1, ρ ( z ) = 1 − ln z for 1 ≤ z ≤ 2 � e ± o ( 1 ) � z = 1 / z z + o ( z ) for z → ∞ ρ ( z ) = (4.1) z ln z H ILDEBRAND [H84] extended (4.1) to a wide finite range of z . For any fixed ε > 0 � ln ( z + 1 ) Ψ( y z , y ) y − z = ρ ( z ) � �� 1 + O (4.2) ln y holds uniformly for 1 ≤ z ≤ y 1 / 2 − ε , y ≥ 2 under the Riemann Hypothesis.

  5. The relevant area of ( u , v , | u − vN | ) 5 The area of p n -smooth triplets ( u , v , | u − vN | ) for large v . Let # N , n ,δ denote the number and REL N , n ,δ the set of such triplets 2 N δ < v ≤ N δ , 1 2 N 1 + δ < u ≤ N 1 + δ . n and 1 such that | u − vN | ≤ p 3 Neglecting for y = p n , y z = N δ , z = δ ln N ln p n the O ( ln ( z + 1 ) ) -term of ln y (4.2), the number of p n -smooth v ∈ [ 1 2 N δ , N δ ] is for z v := δ ln N ln p n , v := z v − ln 2 z ′ ln p n Ψ( N δ , p n ) − Ψ( N δ / 2 , p n ) ≈ N δ � ρ ( z v ) − 1 2 ρ ( z ′ � v ) . Hence random v ∈ R [ 1 2 N δ , N δ ] are p n -smooth with probability close to 2 ( ρ ( z v ) − 1 v )) . Random u ∈ [ 1 2 ρ ( z ′ 2 N 1 + δ , N 1 + δ ] are p n -smooth with probability close to 2 ( ρ ( z u ) − 1 2 ρ ( z ′ u )) for z u := ( 1 + δ ) ln N , z ′ u := z u − ln 2 ln p n . Hence ln p n # N , n ,δ ≈ 4 N δ p 3 � ρ ( z u ) − 1 2 ρ ( z ′ �� ρ ( z v ) − 1 2 ρ ( z ′ � n ρ ( 3 ) u ) v ) (5.1) if p n -smoothness of u , v and | u − vN | are nearly statist. indep.

  6. I: The number of p n -smooth triplets u , v , | u − vN | 6 10 14 10 20 2 100 2 200 2 400 2 800 N ≈ n 48 100 256 1350 7850 41350 p n 223 541 1619 11149 80173 497561 δ 0 . 35 0 . 55 0 . 71 1 . 2 1 . 57 2.1 # N , n ,δ 126 215 392 1608 10131 49591 0 . 8468 1 . 14 1 . 3902 1 . 998 2 . 4478 3 . 029 c ln ( N δ / p 3 n ) − 4 . 9 6 . 4 27 138 401 1132 Table 1 : parameters n , p n , δ, c = δ + 1 − 3 ln p n for factoring N ln N δ of table 1 nearly maximizes # N , n ,δ and n is nearly minimal such that # N , n ,δ clearly surpasses n . We have δ > 3 ln p n ln N . Corollary Let c = δ + 1 − ln p 3 n = N o ( 1 ) and let ln N , p 3 n || b − N c || 2 ≈ ||L ( B n , c ) − N c || 2 for nearly squarefree 2 N δ < v ≤ N δ and ( u , v ) ∼ b ∈ L ( B n , c ) such that 1 n . Then || b − N c || 2 � λ 2 | u − vN | ≤ p 3 1 ( L ) − ln N .

  7. I: Proof of the Corollary 7 z b − N c = u − vN c N c ( 1 ± o ( 1 )) that We get from ˆ vN | u − vN | ≈ vN 1 − c || b − N c || / √ n . 2 N δ < v ≤ N δ if Hence | u − vN | ≤ p 3 n holds for 1 1 + δ − c + ln ( || b − ln N c || / √ n ) / ln N ≤ 3 ln p n ln N where ln ( || b − N c || / √ n ) / ln N = o ( 1 ) . As the run time of the CVP for L ( B n , c ) , N c increases with c we choose for the search of fac-relations u , v , | u − vN | with 2 N δ < v ≤ N δ in practice c ≈ δ + 1 − 3 ln p n / ln N . 1 In fact the p n -smooth ( u , v ) that satisfy | u − vN | ≤ p 3 n and 2 N δ < v ≤ N δ yield b ∈ L ( B n , c ) , b ∼ ( u , v ) with nearly minimal 1 || b − N c || for c ≈ δ + 1 − 3 ln p n ln N .

  8. I: finding n + 1 fac-relations efficiently 8 Iterative increase of c so that vectors b ∈ L ( B n , c ) close to N c yield distinct p n -smooth u , | u − vN | (fac-relations) . The Corollary shows that || b − N c || 2 � λ 2 1 − ln N holds for 2 N δ < v ≤ N δ and n / ln N if b ∼ ( u , v ) and 1 c = δ + 1 − ln p 3 | u − vN | ≤ p 3 n . Such b are particularly close to N c and yield a fac-relation if | u − vN | is p n -smooth which happens with probability ρ ( 3 ) ≈ 0 . 0486. We get distinct fac-relations from c and c ′ ≥ c + ln 2 / ln N . The vectors b ∈ L ( B n , c ) , b ∼ ( u , v ) close to N c satisfy z b − N c | = N c | u − vN | ( 1 ± o ( 1 )) . Then | u − vN | ≤ p 3 n = N o ( 1 ) | ˆ vN implies v ≥ N c − 1 ( 1 − o ( 1 )) for c > 1. Therefore both v and u / N increase proportionate to N c − 1 . Thus v of ( u , v ) ∼ b close to N c satisfies v � N c − 1 and v ′ of ( u ′ , v ′ ) ∼ b ′ close to N c ′ satisfies v ′ � N c ′ − 1 ≥ 2 N c − 1 . Hence Rel N , n ,δ ∩ Rel N , n ,δ ′ ≈ ∅ for δ ′ ≥ δ + ln 2 / ln N . So we iteratively increase δ and c to δ ′ := δ + ln 2 / ln N and c ′ := c + ln 2 / ln N per round so that δ passes the area for which # N , n ,δ of (4.1) is substantial.

  9. I: Decreasing the dimension n of L ( B n , c ) 9 Recall: We identify b = � n i = 1 e i b i ∈ L ( B n , c ) ∼ ( u , v ) where i > 0 p e i i < 0 p − e i u := � i , v := � . i To minimize the time to get about n fac-relations we simply transform a reduced basis of L ( B n , c ) to a reduced basis of L ( B n , c ′ ) by multiplying the last coordiates of the b i of B n , c T and of N c by N c ′ − c .This replaces N c by N c ′ . We do not adjust the success rate ¨ β t to small increases of c . By iteratively increasing c we can in table 1 decrease n = dim L ( B n , c ) = 41350 for N ≈ 2 800 to n = 40000. This decreases # N , n , 2 . 1 from 49591 to 717. So we find about 700 fac-relations by minimizing ||L ( B n , c ) − N c || for c = 2 . 1 − 3 ln p n / ln N . Then we increase c to c + ln 2 / ln N to generate fac-relations in Rel N , n ,δ ′ for δ ′ := δ + ln 2 / ln N .

  10. I: Time for SVP 10 The efficiency of our SVP algorithm for L ( B ) depends on the invariant rd ( L ) := λ 1 γ − 1 / 2 ( det L ) − 1 / n which we call the relative n λ 2 1 = rd ( L ) 2 γ n ( det L ) 2 density of L . ( ) Proposition Let the basis B = QR , R ∈ R n × n of L satisfy � λ 1 � 1 � 2 and GSA and let L have a shortest lattice e π rd ( L ) ≤ � b 1 � 2 n vector b ′ that satisfies SA . Then E NUM with linear pruning finds such b ′ under the volume heuristics in polynomial time. GSA : The basis B = QR , R = [ r i , j ] 1 ≤ i , j ≤ n satisfies r i , j = 0 for i < j and r 2 i , i / r 2 i − 1 , i − 1 = q for 2 ≤ i ≤ n for some q > 0. SA : There is a vector b ′ ∈ L ( B ) such that � b ′ � = λ 1 and � π t ( b ′ ) � 2 � n − t + 1 λ 2 1 for t = 1 , . . . , n . || b || = r 1 , 1 . n Linear pruning means to cut off all stages ( e t , ..., e n ) that i = t e i b i ) || 2 > n − t + 1 satisfy || π t ( � n λ 2 1 . n

Recommend

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Erbil, Kurdistan 0 Factoring integers,..., RSA Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma

749 views • 30 slides
Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

College of Science for Women 0 Factoring integers,..., RSA Lecture in Number Theory College of Science for Women Baghdad University March 31, 2014 Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi

2.06k views • 192 slides
Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding

Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding

Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding which prime numbers multiply together to make the original number. Examples: 27 18 2 9 3 9 3 3 3 3 18=2x3x3 27=3x3x3 greatest common

365 views • 11 slides
Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Eker 1 , 2 Johan Hstad 1 1 KTH Royal Institute of Technology, SE-100 44

728 views • 31 slides
Number Theory Divisibility and Primes Definition. If a and b are integers and there is some

Number Theory Divisibility and Primes Definition. If a and b are integers and there is some

Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c , then we say that b divides a or is a factor or divisor of a and write b | a . Definition (Prime Number). A prime number is

381 views • 24 slides
8. Factoring polynomials over finite fields CS-E4500 Advanced Course on Algorithms Spring 2018

8. Factoring polynomials over finite fields CS-E4500 Advanced Course on Algorithms Spring 2018

8. Factoring polynomials over finite fields CS-E4500 Advanced Course on Algorithms Spring 2018 Peteri Kaski Department of Computer Science Aalto University Lecture schedule Tue 16 Jan: 1. Polynomials and integers Tue 23 Jan: 2. The fast

661 views • 41 slides
Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers on a quantum algorithm. Why is this a big deal? O ( e n 1/3 ( log n )

712 views • 5 slides
Travelling Integers Number of players 2 (or more) Adding and subtracting integers Math

Travelling Integers Number of players 2 (or more) Adding and subtracting integers Math

Travelling Integers Number of players 2 (or more) Adding and subtracting integers Math Concepts Deck of cards with face cards removed Materials Number line (from -25 to 25) Chips/pennies to mark players places on the number

363 views • 18 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides
What is a prime number? What is a prime number? What is a prime number? What is a prime number?

What is a prime number? What is a prime number? What is a prime number? What is a prime number?

What is a prime number? What is a prime number? What is a prime number? What is a prime number? Its a positive integer p with exactly two factors! What is a prime number? What is a prime number? Its a positive integer p with exactly two

1.35k views • 121 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
Structure and randomness in the prime numbers A small selection of results in number theory

Structure and randomness in the prime numbers A small selection of results in number theory

Structure and randomness in the prime numbers A small selection of results in number theory Science colloquium January 17, 2007 Terence Tao (UCLA) 1 Prime numbers A prime number is a natural number larger than 1 which cannot be expressed

629 views • 37 slides
Prime number races Greg Martin University of British Columbia Dartmouth Mathematics Colloquium

Prime number races Greg Martin University of British Columbia Dartmouth Mathematics Colloquium

Chebyshev, pretty pictures, and Dirichlet The prime number theorem Back to primes in arithmetic progressions Prime number races Greg Martin University of British Columbia Dartmouth Mathematics Colloquium May 6, 2010 Prime number races Greg

1.11k views • 83 slides
Number Theory Number Theory is the study of integers and their resulting structures . Why study

Number Theory Number Theory is the study of integers and their resulting structures . Why study

Number Theory Number Theory is the study of integers and their resulting structures . Why study it? 1 History: the first true algortihms were number-theoretic. 2 Analysis: Well learn about new kinds of running times and analyses. 3 Cryptography!

591 views • 10 slides
Number representation A number can be represented in binary in many ways. The most common number

Number representation A number can be represented in binary in many ways. The most common number

Number representation A number can be represented in binary in many ways. The most common number types to be represented are: Integers, positive integers one-complement, two-complement, sign-magnitude Decimal real numbers with a fixed

979 views • 72 slides
Number-Theoretic Algorithms (RSA and related algorithms) Chapter 31, CLRS book p1. Outline

Number-Theoretic Algorithms (RSA and related algorithms) Chapter 31, CLRS book p1. Outline

Number-Theoretic Algorithms (RSA and related algorithms) Chapter 31, CLRS book p1. Outline Modular arithmetic RSA encryption scheme Miller-Rabin algorithm (a probabilistic algorithm) p2. Modular Arithmetic p3. Integers | :

803 views • 48 slides
Number representation A number can be represented in binary in many ways. The most common number

Number representation A number can be represented in binary in many ways. The most common number

Number representation A number can be represented in binary in many ways. The most common number types to be represented are: Integers, positive integers one's complement, two's complement, sign-magnitude Decimal numbers with fixed

1k views • 67 slides
Prime Numbers Prime Numbers Prime number : an integer p&gt;1 that is divisible only by 1 and

Prime Numbers Prime Numbers Prime number : an integer p&gt;1 that is divisible only by 1 and

Prime Numbers Prime Numbers Prime number : an integer p&gt;1 that is divisible only by 1 and itself, ex. 2, 3,5, 7, 11, 13, 17 Composite number : an integer n&gt;1 that is not prime p g p Prime Numbers Fact : there are

472 views • 15 slides
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Two Fast Parallel GCD Algorithms of Many Integers Sidi Mohamed SEDJELMACI Laboratoire

Two Fast Parallel GCD Algorithms of Many Integers Sidi Mohamed SEDJELMACI Laboratoire

Two Fast Parallel GCD Algorithms of Many Integers Sidi Mohamed SEDJELMACI Laboratoire dInformatique Paris Nord, France . ISSAC 2017, Kaiserslautern, 24-28 July 2017 . 1 Motivations GCD of two integers : Used in CAS as a low operation,

701 views • 33 slides
Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of

Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of

Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of mathematics devoted to the study of the integers and their properties. Key ideas in number theory include divisibility and the primality of integers.

1.77k views • 103 slides
Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

HRI, Allahabad, February, 2005 0 RSA cryptosystem Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute Allahabad (UP), INDIA February, 2005 Universit` a Roma Tre HRI, Allahabad, February, 2005 1

1.92k views • 170 slides
Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Slide 1 / 128 Slide 2 / 128 Table of Contents Factors and GCF Factoring out GCF's Polynomials Factoring Trinomials x 2 + bx + c Factoring Using Special Patterns Factoring Trinomials ax 2 + bx + c Factoring 4 Term Polynomials

472 views • 22 slides
Formalizing an Analytic Proof of the Prime Number Theorem Dedicated to Mike Gordon John Harrison

Formalizing an Analytic Proof of the Prime Number Theorem Dedicated to Mike Gordon John Harrison

Formalizing an Analytic Proof of the Prime Number Theorem Dedicated to Mike Gordon John Harrison Intel Corporation TTVSI (Mikefest) Royal Society, London Wed 26th March 2008 (10:00 10:45) 0 What is the prime number theorem? Let ( x )

495 views • 28 slides

More recommend