Predicting NFS time D. J. Bernstein University of Illinois at - PDF document

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS–9600083 NSF DMS–9970409 NSF DMS–0140542 Alfred P. Sloan Foundation NSF ITR–0716498

T as the time Define n . used by NFS to factor T depends on n . T also depends on parameters chosen by NFS user: f , a polynomial y 1 , an initial smoothness bound etc. T also depends on choices of NFS subroutines, choice of NFS hardware, etc. NFS isn’t just one algorithm.

T . Topic of this talk: computing Application #1: NFS parameter selection. n , have many choices Given f ; y 1 ; : : : ). for parameter vector ( T ? Which choice minimizes T and check. Answer: evaluate Can similarly select subroutines. Application #2: Anti-NFS parameter selection. Which key sizes are safe for RSA, pairing-based crypto, etc.?

T . NFS computes exactly But NFS is very slow. Want much faster algorithms T evaluations. to handle many T . We don’t need exactly Can select parameters using T . good approximations to How quickly can we compute something in [0 : 5 T ; 2 T ]? How quickly can we compute something in [0 : 9 T ; 1 : 1 T ]? How quickly can we compute something in [0 : 99 T ; 1 : 01 T ]?

r Easy-to-compute approximation: T � exp 3 n )(log log n ) 2 . 64 9 (log T estimate is conjectured This to be in [ T 1 � � T 1+ � ] for ; theoretician’s NFS parameters, but it’s unacceptably inaccurate. Obviously useless for NFS parameter selection. Often used for anti-NFS parameter selection, following (e.g.) 1996 Leyland–Lenstra– Dodson–Muffett–Wagstaff, but newer papers warn against this.

Expect a speed/accuracy tradeoff: [ T ; T ]: NFS, very slow. [0 : 99 T ; 1 : 01 T ]: Much faster. [0 : 9 T ; 1 : 1 T ]: Faster than that. [ T 1 � � T 1+ � ]: Very fast. ; For parameter selection need reasonable accuracy, high speed. T approximations. Can combine e.g. Feed 2 50 parameter choices to [0 : 5 T ; 2 T ] approximation. Feed best 2 30 parameter choices to [0 : 99 T ; 1 : 01 T ] approximation that is (e.g.) 2 20 times slower.

1. Sizes � � Sample NFS goal: Find x; y ) 2 Z 2 : xy = 611 ( . The Q sieve forms a square ( + 611 d ) as product of ; d ): for several pairs ( � 64(675) � 75(686) 14(625) = 4410000 2 . f 611 ; 14 � 64 � 75 � 4410000 g gcd = 47. = 47 = 13 are prime, 47 and 611 f x g = f� 1 ; � 13 ; � 47 ; � 611 g . so

p p The Q ( 14) sieve forms a square + 25 d )( + 14 d ) as product of ( ; d ): p for several pairs ( � 11 + 3 � 25)( � 11 + 3 p ( 14) � (3 + 25)(3 + p 14) � 16 14) 2 . = (112 Compute u = ( � 11 + 3 � 25) � (3 + 25), v = 112 � 16 � 25, f 611 ; u � v g = 13. gcd

How to find these squares? Traditional approach: H , R with 26 � 14 � R 3 = H . Choose ; d ) Look at all pairs ( � R ; R ] � [0 ; R ] in [ + 25 d )( 2 � 14 d 2 ) with ( 6 = 0 f ; d g = 1. and gcd + 25 d )( 2 � 14 d 2 ) is small: ( � H and H . between Conjecturally, good chance of being smooth. ) square. Many smooths

; d ) � � Find more pairs ( � ( � + 25 d )( 2 � 14 d 2 ) � H with in a less balanced rectangle. (1999 Murphy) ; d ) � � Can do better: set of ( � ( � + 25 d )( 2 � 14 d 2 ) � H with extends far beyond any inscribed f g for each d . rectangle. Find (Silverman, Contini, Lenstra) First tool in predicting NFS time (2004 Bernstein): Can compute, very quickly and accurately, ; d ). the number of pairs (

f 2 Z [ x ], Take any nonconstant < (deg f ) = 2: all real roots order f = ( x + 25)( x 2 � 14). e.g., f ( ; d ) 2 R � R : d > 0 ; Area of f j d deg f ( =d ) j � H g H 2 = deg f is (1 = 2) Q ( f ) where R 1 x ) 2 ) 1 = deg f . Q ( f ) = dx= ( f ( �1 Q ( f ) bounds. Will explain fast Extremely accurate estimate: # f ( ; d ) 2 Z � Z : gcd f ; d g = 1 ; f d > 0 ; j d deg f ( =d ) j � H g H 2 = deg f � (3 =� 2 ) Q ( f ).

Can verify accuracy of estimate ; d ), by finding all integer pairs ( i.e., by solving equations f d deg f ( =d ) = � 1, f f ( d deg =d ) = � 2, : : : f d deg f ( =d ) = � H . Slow but convincing. Another accurate estimate, easier to verify: # f ( ; d ) 2 Z � Z : gcd f ; d g = 1 ; f d > 0 ; j d deg f ( =d ) j � H ; d not very large g H 2 = deg f � (3 =� 2 ) Q ( f ).

To compute Q ( f ), good approximation to and hence good approximation to f d deg f ( =d ): distribution of R s x ) 2 ) 1 = deg f is within dx= ( f ( � s � � � � 2 s 1 � 2 e= deg f � � � 2 = deg f � � � � n n + 1 � 2 e= deg f )4 3(1 i +1 � 2 e= deg f X s 2 q i i + 1 � 2 e= deg f of i 2f 0 ; 2 ; 4 ;::: g e (1 + f ( x ) = x � � � ) in R [[ x ]], if j� � � j � 1 = 4 for x 2 [ � s; s ], � � P P � 2 = deg f j = i . � � � ) q x i 0 � j � n j (

f . Handle constant factors in v � s; v + s ]. Handle intervals [ �1 ; 1 ): Partition ( one interval around each f ; one interval real root of 1 , reversing f ; around e = 0. more intervals with Be careful with roundoff error. This is not the end of the story: f ’s more quickly can handle some by arithmetic-geometric mean.

2. Smoothness Consider a uniform random ; 2 400 ]. integer in [1 What is the chance that the integer is 1000000 -smooth , i.e., � 1000000? factors into primes “Objection: The integers in NFS are not uniform random integers!” True; will generalize later.

Traditional answer: � function is fast. Dickman’s A uniform random integer in u ] has chance [1 ; y � � ( u ) y -smooth. of being u is small then chance/ � ( u ) is If O (log log y = log y ) for y ! 1 . 1 + Flaw #1 in traditional answer: Not a very good approximation. Flaw #2 in traditional answer: Not easy to generalize.

Another traditional answer, trivial to generalize: Check smoothness of many independent uniform random integers. Can accurately estimate p smoothness probability =p integers; after inspecting 10000 � 1%. typical error But this answer is very slow.

Here’s a better answer. (starting point: 1998 Bernstein) S as the set of Define n � 1. 1000000-smooth integers S P [ n The Dirichlet series for n = 2 S ] x lg is x lg 2 + x 2 lg 2 + x 3 lg 2 + � � � ) (1 + x lg 3 + x 2 lg 3 + x 3 lg 3 + � � � ) (1 + x lg 5 + x 2 lg 5 + x 3 lg 5 + � � � ) (1 + � � � x lg 999983 + x 2 lg 999983 + � � � ). (1 +

Replace primes 2 ; 3 ; 5 ; 7 ; : : : ; 999983 with slightly larger real numbers 2 = 1 : 1 8 , 3 = 1 : 1 12 , 5 = 1 : 1 17 , : : : , 999983 = 1 : 1 145 . a 3 b � � � in S with a 3 b Replace each 2 � � � , obtaining multiset S . 2 S P [ n The Dirichlet series for n = 2 S ] x lg is x lg 2 + x 2 lg 2 + x 3 lg 2 + � � � ) (1 + x lg 3 + x 2 lg 3 + x 3 lg 3 + � � � ) (1 + x lg 5 + x 2 lg 5 + x 3 lg 5 + � � � ) (1 + � � � x lg 999983 + x 2 lg 999983 + � � � ). (1 +

This is simply a power series s 0 z 0 + s 1 z 1 + � � � = z 2 � 8 + z 3 � 8 + z 8 + � � � ) (1 + z 2 � 12 + z 3 � 12 + z 12 + � � � ) (1 + z 2 � 17 + z 3 � 17 + z 17 + � � � ) (1 + z 2 � 145 + � � � (1 + z 145 + � � � ) : 1 . z = x lg 1 in the variable z 2910 ; Compute series mod (e.g.) s 0 ; s 1 ; : : : ; s 2909 . i.e., compute S has s 0 + � � � + s 2909 elements � 1 : 1 2909 < 2 400 , so S has s 0 + � � � + s 2909 at least < 2 400 . elements

So have guaranteed lower bound on number of 1000000-smooth integers in [1 ; 2 400 ]. Can compute an upper bound to check looseness of lower bound. If looser than desired, : 1 closer to 1. move 1 Achieve any desired accuracy. 2007 Parsell–Sorenson: Replace big primes with RH bounds, faster to compute.

NFS smoothness is much more complicated than smoothness of uniform random integers. Most obvious issue: NFS doesn’t use all integers in [ � H ; H ]; f ( ; d ) it uses only values f . of a specified polynomial Traditional reaction (1979 Schroeppel, et al.): H by “typical” f value, replace heuristically adjusted for f mod small primes. roots of

Can compute smoothness chance much more accurately. No need for “typical” values. We’ve already computed series s 0 z 0 + s 1 z 1 + � � � + s 2909 z 2909 such that there are � s 0 smooth � 1 : 1 0 , � s 0 + s 1 smooth � 1 : 1 1 , � s 0 + s 1 + s 2 smooth � 1 : 1 2 , . . ., � s 0 + � � � + s 2909 smooth � 1 : 1 2909 . Approximations are very close.

f ( ; d ) values in Number of H 2 = deg f [ � H ; H ] is � (3 =� 2 ) Q ( f ). Q ( f ). We’ve already computed i � 2909, For each j f ( ; d ) j values number of smooth i � 1 i ] is approximately : 1 ; 1 : 1 in [1 1 : 1 2 i= deg f � 1 : 1 2( i � 1) = deg f 3 Q ( f ) s i i i � 1 � 2 1 : 1 � 1 : 1 . Add to see total number of f ( ; d ) values. smooth

Approximation so far f . has ignored roots of � ) Fix: Smoothness chance in Q ( � �d is, conjecturally, very for close to smoothness chance for � �d . ideals of the same size as Dirichlet series for smooth ideals: simply replace p + p + x lg x 2 lg � � � with 1 + P + P + x lg x 2 lg � � � 1 + P is norm of prime ideal. where Same computations as before. Should also be easy to adapt Parsell–Sorenson to ideals.