
Public-key cryptography: Q sieve. Daniel J. Bernstein (slide transcript)

1. Public-key cryptography, Part II: Factorization. Q sieve. Daniel J. Bernstein, Tanja Lange. 15 August 2017.

2. Sieving small integers i > 0 using primes 2, 3, 5, 7:
   i  : prime factors
   1  :
   2  : 2
   3  : 3
   4  : 2 2
   5  : 5
   6  : 2 3
   7  : 7
   8  : 2 2 2
   9  : 3 3
   10 : 2 5
   Sage


  1. 4 5 Why did this find a factor of 611? Why did the first three Was it just blind luck: completely factored congruences gcd { 611 ; random } = 47? have square product? Was it just blind luck? No. Yes. The exponent vectors By construction 611 divides s 2 − t 2 (1 ; 0 ; 4 ; 1) ; (6 ; 3 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) where s = 14 · 64 · 75 happened to have sum 0 mod 2. and t = 2 4 3 2 5 4 7 2 . So each prime > 7 dividing 611 But we didn’t need this luck! divides either s − t or s + t . Given long sequence of vectors, easily find nonempty subsequence Not terribly surprising with sum 0 mod 2. (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t .

  2. 4 5 did this find a factor of 611? Why did the first three This is linea just blind luck: completely factored congruences Guaranteed 611 ; random } = 47? have square product? if number Was it just blind luck? exceeds length Yes. The exponent vectors e.g. for n construction 611 divides s 2 − t 2 (1 ; 0 ; 4 ; 1) ; (6 ; 3 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) 1( n + s = 14 · 64 · 75 happened to have sum 0 mod 2. 4( n + = 2 4 3 2 5 4 7 2 . 15( n + 15) each prime > 7 dividing 611 But we didn’t need this luck! 49( n + 49) either s − t or s + t . Given long sequence of vectors, 64( n + 64) easily find nonempty subsequence terribly surprising with sum 0 mod 2. F 2 -kernel not guaranteed in advance!) gen by (0 one prime divided s − t e.g., 1( n the other divided s + t . is a squa

  3. 4 5 find a factor of 611? Why did the first three This is linear algeb luck: completely factored congruences Guaranteed to find } = 47? have square product? if number of vecto Was it just blind luck? exceeds length of each Yes. The exponent vectors e.g. for n = 671: 611 divides s 2 − t 2 1( n + 1) = 2 5 3 1 (1 ; 0 ; 4 ; 1) ; (6 ; 3 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) 64 · 75 4( n + 4) = 2 2 3 3 happened to have sum 0 mod 2. 2 . 15( n + 15) = 2 1 3 1 7 dividing 611 But we didn’t need this luck! 49( n + 49) = 2 4 3 2 − t or s + t . Given long sequence of vectors, 64( n + 64) = 2 6 3 1 easily find nonempty subsequence rising with sum 0 mod 2. F 2 -kernel of exponent ranteed in advance!) gen by (0 1 0 1 1) divided s − t e.g., 1( n +1)15( n divided s + t . is a square.

  4. 4 5 of 611? Why did the first three This is linear algebra over F 2 completely factored congruences Guaranteed to find subsequence have square product? if number of vectors Was it just blind luck? exceeds length of each vecto Yes. The exponent vectors e.g. for n = 671: divides s 2 − t 2 1( n + 1) = 2 5 3 1 5 0 7 1 ; (1 ; 0 ; 4 ; 1) ; (6 ; 3 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) 4( n + 4) = 2 2 3 3 5 2 7 0 ; happened to have sum 0 mod 2. 15( n + 15) = 2 1 3 1 5 1 7 3 ; dividing 611 But we didn’t need this luck! 49( n + 49) = 2 4 3 2 5 1 7 2 ; t . Given long sequence of vectors, 64( n + 64) = 2 6 3 1 5 1 7 2 . easily find nonempty subsequence with sum 0 mod 2. F 2 -kernel of exponent matrix advance!) gen by (0 1 0 1 1) and (1 0 1 t e.g., 1( n +1)15( n +15)49( n t . is a square.

  5. 5 6 Why did the first three This is linear algebra over F 2 . completely factored congruences Guaranteed to find subsequence have square product? if number of vectors Was it just blind luck? exceeds length of each vector. Yes. The exponent vectors e.g. for n = 671: 1( n + 1) = 2 5 3 1 5 0 7 1 ; (1 ; 0 ; 4 ; 1) ; (6 ; 3 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) 4( n + 4) = 2 2 3 3 5 2 7 0 ; happened to have sum 0 mod 2. 15( n + 15) = 2 1 3 1 5 1 7 3 ; But we didn’t need this luck! 49( n + 49) = 2 4 3 2 5 1 7 2 ; Given long sequence of vectors, 64( n + 64) = 2 6 3 1 5 1 7 2 . easily find nonempty subsequence with sum 0 mod 2. F 2 -kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1( n +1)15( n +15)49( n +49) is a square.

  6. 5 6 did the first three This is linear algebra over F 2 . Plausible completely factored congruences Guaranteed to find subsequence separate square product? if number of vectors of any n just blind luck? exceeds length of each vector. Given n The exponent vectors e.g. for n = 671: Try to completely 1( n + 1) = 2 5 3 1 5 0 7 1 ; ; 1) ; (6 ; 3 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) ˘ for i ∈ 4( n + 4) = 2 2 3 3 5 2 7 0 ; ened to have sum 0 mod 2. into products 15( n + 15) = 2 1 3 1 5 1 7 3 ; e didn’t need this luck! 49( n + 49) = 2 4 3 2 5 1 7 2 ; Look for long sequence of vectors, 64( n + 64) = 2 6 3 1 5 1 7 2 . with i ( n find nonempty subsequence and with sum 0 mod 2. F 2 -kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); Compute e.g., 1( n +1)15( n +15)49( n +49) s = Q i is a square. i ∈ I

  7. 5 6 first three This is linear algebra over F 2 . Plausible conjecture: red congruences Guaranteed to find subsequence separate the odd p duct? if number of vectors of any n , not just luck? exceeds length of each vector. Given n and parameter onent vectors e.g. for n = 671: Try to completely 1( n + 1) = 2 5 3 1 5 0 7 1 ; 2 ; 0) ; (1 ; 1 ; 2 ; 3) ˘ for i ∈ 1 ; 2 ; 3 ; : : : 4( n + 4) = 2 2 3 3 5 2 7 0 ; have sum 0 mod 2. into products of primes 15( n + 15) = 2 1 3 1 5 1 7 3 ; need this luck! 49( n + 49) = 2 4 3 2 5 1 7 2 ; Look for nonempty sequence of vectors, 64( n + 64) = 2 6 3 1 5 1 7 2 . with i ( n + i ) completely nonempty subsequence and with Q i ( n + 2. F 2 -kernel of exponent matrix is i ∈ I gen by (0 1 0 1 1) and (1 0 1 1 0); Compute gcd { n; s e.g., 1( n +1)15( n +15)49( n +49) r s = Q i and t = is a square. i ∈ I

  8. 5 6 This is linear algebra over F 2 . Plausible conjecture: Q sieve congruences Guaranteed to find subsequence separate the odd prime diviso if number of vectors of any n , not just 611. exceeds length of each vector. Given n and parameter y : rs e.g. for n = 671: Try to completely factor i ( n 1( n + 1) = 2 5 3 1 5 0 7 1 ; ; 2 ; 3) 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ for i ∈ 4( n + 4) = 2 2 3 3 5 2 7 0 ; mod 2. into products of primes ≤ y . 15( n + 15) = 2 1 3 1 5 1 7 3 ; luck! 49( n + 49) = 2 4 3 2 5 1 7 2 ; Look for nonempty set I of i vectors, 64( n + 64) = 2 6 3 1 5 1 7 2 . with i ( n + i ) completely facto subsequence and with Q i ( n + i ) square. F 2 -kernel of exponent matrix is i ∈ I gen by (0 1 0 1 1) and (1 0 1 1 0); Compute gcd { n; s − t } where e.g., 1( n +1)15( n +15)49( n +49) r Q s = Q i and t = i ( n + is a square. i ∈ I i ∈ I

  9. 6 7 This is linear algebra over F 2 . Plausible conjecture: Q sieve can Guaranteed to find subsequence separate the odd prime divisors if number of vectors of any n , not just 611. exceeds length of each vector. Given n and parameter y : e.g. for n = 671: Try to completely factor i ( n + i ) 1( n + 1) = 2 5 3 1 5 0 7 1 ; 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ for i ∈ 4( n + 4) = 2 2 3 3 5 2 7 0 ; into products of primes ≤ y . 15( n + 15) = 2 1 3 1 5 1 7 3 ; 49( n + 49) = 2 4 3 2 5 1 7 2 ; Look for nonempty set I of i ’s 64( n + 64) = 2 6 3 1 5 1 7 2 . with i ( n + i ) completely factored and with Q i ( n + i ) square. F 2 -kernel of exponent matrix is i ∈ I gen by (0 1 0 1 1) and (1 0 1 1 0); Compute gcd { n; s − t } where e.g., 1( n +1)15( n +15)49( n +49) r Q s = Q i and t = i ( n + i ). is a square. i ∈ I i ∈ I

  10. 6 7 linear algebra over F 2 . Plausible conjecture: Q sieve can How large ranteed to find subsequence separate the odd prime divisors for this to number of vectors of any n , not just 611. Uniform exceeds length of each vector. has n 1 =u Given n and parameter y : r n = 671: roughly u Try to completely factor i ( n + i ) 1) = 2 5 3 1 5 0 7 1 ; 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ for i ∈ Plausible 4) = 2 2 3 3 5 2 7 0 ; into products of primes ≤ y . Q sieve succe 15) = 2 1 3 1 5 1 7 3 ; with y = 49) = 2 4 3 2 5 1 7 2 ; Look for nonempty set I of i ’s for all n 64) = 2 6 3 1 5 1 7 2 . with i ( n + i ) completely factored here o (1) and with Q i ( n + i ) square. ernel of exponent matrix is i ∈ I (0 1 0 1 1) and (1 0 1 1 0); Compute gcd { n; s − t } where 1( n +1)15( n +15)49( n +49) r Q s = Q i and t = i ( n + i ). square. i ∈ I i ∈ I

  11. 6 7 algebra over F 2 . Plausible conjecture: Q sieve can How large does y have find subsequence separate the odd prime divisors for this to find a squa vectors of any n , not just 611. Uniform random integer of each vector. has n 1 =u -smoothness Given n and parameter y : roughly u − u . 671: Try to completely factor i ( n + i ) 3 1 5 0 7 1 ; 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ for i ∈ Plausible conjecture: 3 3 5 2 7 0 ; into products of primes ≤ y . Q sieve succeeds 3 1 5 1 7 3 ; with y = ⌊ n 1 =u ⌋ 3 2 5 1 7 2 ; Look for nonempty set I of i ’s for all n ≥ u (1+ o (1)) 3 1 5 1 7 2 . with i ( n + i ) completely factored here o (1) is as u → and with Q i ( n + i ) square. onent matrix is i ∈ I 1) and (1 0 1 1 0); Compute gcd { n; s − t } where n +15)49( n +49) r Q s = Q i and t = i ( n + i ). i ∈ I i ∈ I

  12. 6 7 F 2 . Plausible conjecture: Q sieve can How large does y have to be subsequence separate the odd prime divisors for this to find a square? of any n , not just 611. Uniform random integer in [1 vector. has n 1 =u -smoothness chance Given n and parameter y : roughly u − u . Try to completely factor i ( n + i ) 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ for i ∈ Plausible conjecture: into products of primes ≤ y . Q sieve succeeds with y = ⌊ n 1 =u ⌋ Look for nonempty set I of i ’s for all n ≥ u (1+ o (1)) u 2 ; with i ( n + i ) completely factored here o (1) is as u → ∞ . and with Q i ( n + i ) square. matrix is i ∈ I 0 1 1 0); Compute gcd { n; s − t } where 15)49( n +49) r Q s = Q i and t = i ( n + i ). i ∈ I i ∈ I

  13. 7 8 Plausible conjecture: Q sieve can How large does y have to be separate the odd prime divisors for this to find a square? of any n , not just 611. Uniform random integer in [1 ; n ] has n 1 =u -smoothness chance Given n and parameter y : roughly u − u . Try to completely factor i ( n + i ) 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ for i ∈ Plausible conjecture: into products of primes ≤ y . Q sieve succeeds with y = ⌊ n 1 =u ⌋ Look for nonempty set I of i ’s for all n ≥ u (1+ o (1)) u 2 ; with i ( n + i ) completely factored here o (1) is as u → ∞ . and with Q i ( n + i ) square. i ∈ I Compute gcd { n; s − t } where r Q s = Q i and t = i ( n + i ). i ∈ I i ∈ I

  14. 7 8 Plausible conjecture: Q sieve can How large does y have to be More generally q` 1 rate the odd prime divisors for this to find a square? exp 2 n , not just 611. conjectured Uniform random integer in [1 ; n ] is 1 =y c + o has n 1 =u -smoothness chance n and parameter y : roughly u − u . Find enough completely factor i ( n + i ) by changing 1 ; 2 ; 3 ; : : : ; y 2 ¯ ˘ Plausible conjecture: replace y roducts of primes ≤ y . Q sieve succeeds r“ ( with y = ⌊ n 1 =u ⌋ exp for nonempty set I of i ’s for all n ≥ u (1+ o (1)) u 2 ; ( n + i ) completely factored Increasing here o (1) is as u → ∞ . with Q i ( n + i ) square. increases i ∈ I reduces linea Compute gcd { n; s − t } where So linear r Q i and t = i ( n + i ). when y is i ∈ I

  15. 7 8 conjecture: Q sieve can How large does y have to be More generally, if y q` 1 prime divisors for this to find a square? ´ exp 2 c + o (1) log just 611. conjectured y -smo Uniform random integer in [1 ; n ] is 1 =y c + o (1) . has n 1 =u -smoothness chance rameter y : roughly u − u . Find enough smooth completely factor i ( n + i ) by changing the range : : ; y 2 ¯ Plausible conjecture: replace y 2 with y c +1+ primes ≤ y . Q sieve succeeds r“ ( c +1) 2 + o (1) with y = ⌊ n 1 =u ⌋ exp 2 c mpty set I of i ’s for all n ≥ u (1+ o (1)) u 2 ; completely factored Increasing c past 1 here o (1) is as u → ∞ . + i ) square. increases number of reduces linear-algeb n; s − t } where So linear algebra never r Q i ( n + i ). when y is chosen p i ∈ I

  16. 7 8 sieve can How large does y have to be More generally, if y ∈ q` 1 divisors for this to find a square? ´ exp 2 c + o (1) log n log log conjectured y -smoothness chance Uniform random integer in [1 ; n ] is 1 =y c + o (1) . has n 1 =u -smoothness chance roughly u − u . Find enough smooth congruences ( n + i ) by changing the range of i ’s: Plausible conjecture: replace y 2 with y c +1+ o (1) = y . Q sieve succeeds r“ ( c +1) 2 + o (1) ” with y = ⌊ n 1 =u ⌋ exp log n log 2 c of i ’s for all n ≥ u (1+ o (1)) u 2 ; factored Increasing c past 1 here o (1) is as u → ∞ . re. increases number of i ’s but reduces linear-algebra cost. where So linear algebra never domin + i ). when y is chosen properly.

  17. 8 9 How large does y have to be More generally, if y ∈ q` 1 for this to find a square? ´ exp 2 c + o (1) log n log log n , conjectured y -smoothness chance Uniform random integer in [1 ; n ] is 1 =y c + o (1) . has n 1 =u -smoothness chance roughly u − u . Find enough smooth congruences by changing the range of i ’s: Plausible conjecture: replace y 2 with y c +1+ o (1) = Q sieve succeeds r“ ( c +1) 2 + o (1) ” with y = ⌊ n 1 =u ⌋ exp log n log log n . 2 c for all n ≥ u (1+ o (1)) u 2 ; Increasing c past 1 here o (1) is as u → ∞ . increases number of i ’s but reduces linear-algebra cost. So linear algebra never dominates when y is chosen properly.

  18. 8 9 large does y have to be More generally, if y ∈ Improving q` 1 is to find a square? ´ exp 2 c + o (1) log n log log n , Smoothness conjectured y -smoothness chance rm random integer in [1 ; n ] degrades is 1 =y c + o (1) . =u -smoothness chance Smaller fo roughly u − u . Find enough smooth congruences Crude analysis: by changing the range of i ’s: Plausible conjecture: ≈ yn if i replace y 2 with y c +1+ o (1) = ≈ y 2 n if sieve succeeds r“ ( c +1) 2 + o (1) ” = ⌊ n 1 =u ⌋ exp log n log log n . 2 c More careful n ≥ u (1+ o (1)) u 2 ; n + i do Increasing c past 1 (1) is as u → ∞ . i is alwa increases number of i ’s but only 30% reduces linear-algebra cost. So linear algebra never dominates Can we select when y is chosen properly. to avoid

  19. 8 9 y have to be More generally, if y ∈ Improving smoothness q` 1 square? ´ exp 2 c + o (1) log n log log n , Smoothness chance conjectured y -smoothness chance integer in [1 ; n ] degrades as i grows. is 1 =y c + o (1) . Smaller for i ≈ y 2 othness chance Find enough smooth congruences Crude analysis: i ( n by changing the range of i ’s: conjecture: ≈ yn if i ≈ y ; replace y 2 with y c +1+ o (1) = ≈ y 2 n if i ≈ y 2 . eds r“ ( c +1) 2 + o (1) ” ⌋ exp log n log log n . 2 c More careful analysis: (1)) u 2 ; n + i doesn’t degrade, Increasing c past 1 → ∞ . i is always smooth increases number of i ’s but only 30% chance fo reduces linear-algebra cost. So linear algebra never dominates Can we select congruences when y is chosen properly. to avoid this degradation?

  20. 8 9 be More generally, if y ∈ Improving smoothness chances q` 1 ´ exp 2 c + o (1) log n log log n , Smoothness chance of i ( n + conjectured y -smoothness chance [1 ; n ] degrades as i grows. is 1 =y c + o (1) . Smaller for i ≈ y 2 than for i chance Find enough smooth congruences Crude analysis: i ( n + i ) gro by changing the range of i ’s: ≈ yn if i ≈ y ; replace y 2 with y c +1+ o (1) = ≈ y 2 n if i ≈ y 2 . r“ ( c +1) 2 + o (1) ” exp log n log log n . 2 c More careful analysis: n + i doesn’t degrade, but Increasing c past 1 i is always smooth for i ≤ y increases number of i ’s but only 30% chance for i ≈ y 2 . reduces linear-algebra cost. So linear algebra never dominates Can we select congruences when y is chosen properly. to avoid this degradation?

  21. 9 10 More generally, if y ∈ Improving smoothness chances q` 1 ´ exp 2 c + o (1) log n log log n , Smoothness chance of i ( n + i ) conjectured y -smoothness chance degrades as i grows. is 1 =y c + o (1) . Smaller for i ≈ y 2 than for i ≈ y . Find enough smooth congruences Crude analysis: i ( n + i ) grows. by changing the range of i ’s: ≈ yn if i ≈ y ; replace y 2 with y c +1+ o (1) = ≈ y 2 n if i ≈ y 2 . r“ ( c +1) 2 + o (1) ” exp log n log log n . 2 c More careful analysis: n + i doesn’t degrade, but Increasing c past 1 i is always smooth for i ≤ y , increases number of i ’s but only 30% chance for i ≈ y 2 . reduces linear-algebra cost. So linear algebra never dominates Can we select congruences when y is chosen properly. to avoid this degradation?

  22. 9 10 generally, if y ∈ Improving smoothness chances Choose q ` 1 Choose a ´ 2 c + o (1) log n log log n , Smoothness chance of i ( n + i ) arithmetic conjectured y -smoothness chance degrades as i grows. + o (1) . where q Smaller for i ≈ y 2 than for i ≈ y . e.g. progression enough smooth congruences Crude analysis: i ( n + i ) grows. 2 q − ( n mo changing the range of i ’s: ≈ yn if i ≈ y ; etc. replace y 2 with y c +1+ o (1) = ≈ y 2 n if i ≈ y 2 . “ ( c +1) 2 + o (1) Check smo ” log n log log n . 2 c More careful analysis: generalized n + i doesn’t degrade, but for i ’s in Increasing c past 1 i is always smooth for i ≤ y , e.g. check increases number of i ’s but only 30% chance for i ≈ y 2 . smooth fo reduces linear-algebra cost. linear algebra never dominates Can we select congruences Try many y is chosen properly. to avoid this degradation? Rare for

  23. 9 10 if y ∈ Improving smoothness chances Choose q , square of Choose a “ q -sublattice” ´ (1) log n log log n , Smoothness chance of i ( n + i ) arithmetic progression -smoothness chance degrades as i grows. where q divides each Smaller for i ≈ y 2 than for i ≈ y . e.g. progression q smooth congruences Crude analysis: i ( n + i ) grows. 2 q − ( n mod q ), 3 q range of i ’s: ≈ yn if i ≈ y ; etc. y c +1+ o (1) = ≈ y 2 n if i ≈ y 2 . Check smoothness (1) ” log n log log n . More careful analysis: generalized congruence n + i doesn’t degrade, but for i ’s in this sublattice. past 1 i is always smooth for i ≤ y , e.g. check whethe er of i ’s but only 30% chance for i ≈ y 2 . smooth for i = q − r-algebra cost. never dominates Can we select congruences Try many large q ’s. chosen properly. to avoid this degradation? Rare for i ’s to overlap.

  24. 9 10 Improving smoothness chances Choose q , square of large prime. Choose a “ q -sublattice” of i log n , Smoothness chance of i ( n + i ) arithmetic progression of i ’s chance degrades as i grows. where q divides each i ( n + i Smaller for i ≈ y 2 than for i ≈ y . e.g. progression q − ( n mod congruences Crude analysis: i ( n + i ) grows. 2 q − ( n mod q ), 3 q − ( n mod ’s: ≈ yn if i ≈ y ; etc. = ≈ y 2 n if i ≈ y 2 . Check smoothness of log log n . More careful analysis: generalized congruence i ( n + n + i doesn’t degrade, but for i ’s in this sublattice. i is always smooth for i ≤ y , e.g. check whether i; ( n + i ) but only 30% chance for i ≈ y 2 . smooth for i = q − ( n mod q cost. ominates Can we select congruences Try many large q ’s. . to avoid this degradation? Rare for i ’s to overlap.

  25. 10 11 Improving smoothness chances Choose q , square of large prime. Choose a “ q -sublattice” of i ’s: Smoothness chance of i ( n + i ) arithmetic progression of i ’s degrades as i grows. where q divides each i ( n + i ). Smaller for i ≈ y 2 than for i ≈ y . e.g. progression q − ( n mod q ), Crude analysis: i ( n + i ) grows. 2 q − ( n mod q ), 3 q − ( n mod q ), ≈ yn if i ≈ y ; etc. ≈ y 2 n if i ≈ y 2 . Check smoothness of More careful analysis: generalized congruence i ( n + i ) =q n + i doesn’t degrade, but for i ’s in this sublattice. i is always smooth for i ≤ y , e.g. check whether i; ( n + i ) =q are only 30% chance for i ≈ y 2 . smooth for i = q − ( n mod q ) etc. Can we select congruences Try many large q ’s. to avoid this degradation? Rare for i ’s to overlap.

  26. 10 11 roving smoothness chances Choose q , square of large prime. e.g. n = Choose a “ q -sublattice” of i ’s: othness chance of i ( n + i ) Original arithmetic progression of i ’s degrades as i grows. i n where q divides each i ( n + i ). Smaller for i ≈ y 2 than for i ≈ y . 1 314159265358979324 e.g. progression q − ( n mod q ), 2 314159265358979325 analysis: i ( n + i ) grows. 2 q − ( n mod q ), 3 q − ( n mod q ), 3 314159265358979326 if i ≈ y ; etc. if i ≈ y 2 . Use 997 2 Check smoothness of i ∈ 802458 careful analysis: generalized congruence i ( n + i ) =q doesn’t degrade, but for i ’s in this sublattice. ays smooth for i ≤ y , 802458 e.g. check whether i; ( n + i ) =q are 30% chance for i ≈ y 2 . 1796467 smooth for i = q − ( n mod q ) etc. 2790476 e select congruences Try many large q ’s. avoid this degradation? Rare for i ’s to overlap.

  27. 10 11 othness chances Choose q , square of large prime. e.g. n = 314159265358979323: Choose a “ q -sublattice” of i ’s: chance of i ( n + i ) Original Q sieve: arithmetic progression of i ’s grows. i n + i where q divides each i ( n + i ). 2 than for i ≈ y . 1 314159265358979324 e.g. progression q − ( n mod q ), 2 314159265358979325 i ( n + i ) grows. 2 q − ( n mod q ), 3 q − ( n mod q ), 3 314159265358979326 etc. . Use 997 2 -sublattice, Check smoothness of i ∈ 802458 + 994009 analysis: generalized congruence i ( n + i ) =q degrade, but i ( n + for i ’s in this sublattice. oth for i ≤ y , 802458 316052737309 e.g. check whether i; ( n + i ) =q are chance for i ≈ y 2 . 1796467 316052737310 smooth for i = q − ( n mod q ) etc. 2790476 316052737311 congruences Try many large q ’s. degradation? Rare for i ’s to overlap.

  28. 10 11 chances Choose q , square of large prime. e.g. n = 314159265358979323: Choose a “ q -sublattice” of i ’s: + i ) Original Q sieve: arithmetic progression of i ’s i n + i where q divides each i ( n + i ). r i ≈ y . 1 314159265358979324 e.g. progression q − ( n mod q ), 2 314159265358979325 grows. 2 q − ( n mod q ), 3 q − ( n mod q ), 3 314159265358979326 etc. Use 997 2 -sublattice, Check smoothness of i ∈ 802458 + 994009 Z : generalized congruence i ( n + i ) =q ( n + i ) = 997 2 but i for i ’s in this sublattice. y , 802458 316052737309 e.g. check whether i; ( n + i ) =q are 2 . 1796467 316052737310 smooth for i = q − ( n mod q ) etc. 2790476 316052737311 Try many large q ’s. Rare for i ’s to overlap.

  29. 11 12 Choose q , square of large prime. e.g. n = 314159265358979323: Choose a “ q -sublattice” of i ’s: Original Q sieve: arithmetic progression of i ’s i n + i where q divides each i ( n + i ). 1 314159265358979324 e.g. progression q − ( n mod q ), 2 314159265358979325 2 q − ( n mod q ), 3 q − ( n mod q ), 3 314159265358979326 etc. Use 997 2 -sublattice, Check smoothness of i ∈ 802458 + 994009 Z : generalized congruence i ( n + i ) =q ( n + i ) = 997 2 i for i ’s in this sublattice. 802458 316052737309 e.g. check whether i; ( n + i ) =q are 1796467 316052737310 smooth for i = q − ( n mod q ) etc. 2790476 316052737311 Try many large q ’s. Rare for i ’s to overlap.

  30. 11 12 ose q , square of large prime. e.g. n = 314159265358979323: Crude analysis: ose a “ q -sublattice” of i ’s: eliminate Original Q sieve: rithmetic progression of i ’s Have practically i n + i q divides each i ( n + i ). of generalized 1 314159265358979324 rogression q − ( n mod q ), ( q − ( n mo 2 314159265358979325 n mod q ), 3 q − ( n mod q ), between 3 314159265358979326 More careful Use 997 2 -sublattice, smoothness of are even i ∈ 802458 + 994009 Z : generalized congruence i ( n + i ) =q For q ≈ n ( n + i ) = 997 2 i in this sublattice. i ≈ ( n + 802458 316052737309 check whether i; ( n + i ) =q are so smoothness 1796467 316052737310 oth for i = q − ( n mod q ) etc. ( u= 2) − u= 2790476 316052737311 2 u times many large q ’s. for i ’s to overlap.

  31. 11 12 re of large prime. e.g. n = 314159265358979323: Crude analysis: Sublattices -sublattice” of i ’s: eliminate the growth Original Q sieve: rogression of i ’s Have practically unlimited i n + i each i ( n + i ). of generalized congruences 1 314159265358979324 ( q − ( n mod q )) n + q − ( n mod q ), 2 314159265358979325 3 q − ( n mod q ), between 0 and n . 3 314159265358979326 More careful analysis: Use 997 2 -sublattice, othness of are even better than i ∈ 802458 + 994009 Z : congruence i ( n + i ) =q For q ≈ n 1 = 2 have ( n + i ) = 997 2 i sublattice. i ≈ ( n + i ) =q ≈ n 802458 316052737309 her i; ( n + i ) =q are so smoothness chance 1796467 316052737310 − ( n mod q ) etc. ( u= 2) − u= 2 ( u= 2) − u= 2790476 316052737311 2 u times larger than q ’s. overlap.

  32. 11 12 prime. e.g. n = 314159265358979323: Crude analysis: Sublattices of i ’s: eliminate the growth problem. Original Q sieve: ’s Have practically unlimited supply i n + i i ). of generalized congruences 1 314159265358979324 ( q − ( n mod q )) n + q − ( n mod d q ), 2 314159265358979325 q mod q ), between 0 and n . 3 314159265358979326 More careful analysis: Sublattices Use 997 2 -sublattice, are even better than that! i ∈ 802458 + 994009 Z : + i ) =q For q ≈ n 1 = 2 have ( n + i ) = 997 2 i i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 802458 316052737309 i ) =q are so smoothness chance is roughly 1796467 316052737310 d q ) etc. ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u 2790476 316052737311 2 u times larger than before.

  33. 12 13 e.g. n = 314159265358979323: Crude analysis: Sublattices eliminate the growth problem. Original Q sieve: Have practically unlimited supply i n + i of generalized congruences 1 314159265358979324 ( q − ( n mod q )) n + q − ( n mod q ) 2 314159265358979325 q between 0 and n . 3 314159265358979326 More careful analysis: Sublattices Use 997 2 -sublattice, are even better than that! i ∈ 802458 + 994009 Z : For q ≈ n 1 = 2 have ( n + i ) = 997 2 i i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 802458 316052737309 so smoothness chance is roughly 1796467 316052737310 ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 2790476 316052737311 2 u times larger than before.

  34. 12 13 = 314159265358979323: Crude analysis: Sublattices Even larger eliminate the growth problem. from changing Original Q sieve: Have practically unlimited supply “Quadratic n + i of generalized congruences i 2 − n with 314159265358979324 ( q − ( n mod q )) n + q − ( n mod q ) have i 2 − 314159265358979325 q between 0 and n . much smaller 314159265358979326 More careful analysis: Sublattices 997 2 -sublattice, are even better than that! 802458 + 994009 Z : For q ≈ n 1 = 2 have ( n + i ) = 997 2 i i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 802458 316052737309 so smoothness chance is roughly 1796467 316052737310 ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 2790476 316052737311 2 u times larger than before.

  35. 12 13 314159265358979323: Crude analysis: Sublattices Even larger improvements eliminate the growth problem. from changing polynomial sieve: Have practically unlimited supply “Quadratic sieve” i 2 − n with i ≈ √ of generalized congruences 314159265358979324 ( q − ( n mod q )) n + q − ( n mod q ) have i 2 − n ≈ n 1 = 314159265358979325 q between 0 and n . much smaller than 314159265358979326 More careful analysis: Sublattices -sublattice, are even better than that! 994009 Z : For q ≈ n 1 = 2 have + i ) = 997 2 i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 316052737309 so smoothness chance is roughly 316052737310 ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 316052737311 2 u times larger than before.

  36. 12 13 314159265358979323: Crude analysis: Sublattices Even larger improvements eliminate the growth problem. from changing polynomial i ( Have practically unlimited supply “Quadratic sieve” (QS) uses i 2 − n with i ≈ √ n ; of generalized congruences 314159265358979324 ( q − ( n mod q )) n + q − ( n mod q ) have i 2 − n ≈ n 1 = 2+ o (1) , 314159265358979325 q between 0 and n . much smaller than n . 314159265358979326 More careful analysis: Sublattices are even better than that! For q ≈ n 1 = 2 have 2 i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 316052737309 so smoothness chance is roughly 316052737310 ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 316052737311 2 u times larger than before.

  37. 13 14 Crude analysis: Sublattices Even larger improvements eliminate the growth problem. from changing polynomial i ( n + i ). Have practically unlimited supply “Quadratic sieve” (QS) uses i 2 − n with i ≈ √ n ; of generalized congruences ( q − ( n mod q )) n + q − ( n mod q ) have i 2 − n ≈ n 1 = 2+ o (1) , q between 0 and n . much smaller than n . More careful analysis: Sublattices are even better than that! For q ≈ n 1 = 2 have i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 so smoothness chance is roughly ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 2 u times larger than before.

  38. 13 14 Crude analysis: Sublattices Even larger improvements eliminate the growth problem. from changing polynomial i ( n + i ). Have practically unlimited supply “Quadratic sieve” (QS) uses i 2 − n with i ≈ √ n ; of generalized congruences ( q − ( n mod q )) n + q − ( n mod q ) have i 2 − n ≈ n 1 = 2+ o (1) , q between 0 and n . much smaller than n . More careful analysis: Sublattices “MPQS” improves o (1) using sublattices: ( i 2 − n ) =q . are even better than that! For q ≈ n 1 = 2 have But still ≈ n 1 = 2 . i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 so smoothness chance is roughly ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 2 u times larger than before.

  39. 13 14 Crude analysis: Sublattices Even larger improvements eliminate the growth problem. from changing polynomial i ( n + i ). Have practically unlimited supply “Quadratic sieve” (QS) uses i 2 − n with i ≈ √ n ; of generalized congruences ( q − ( n mod q )) n + q − ( n mod q ) have i 2 − n ≈ n 1 = 2+ o (1) , q between 0 and n . much smaller than n . More careful analysis: Sublattices “MPQS” improves o (1) using sublattices: ( i 2 − n ) =q . are even better than that! For q ≈ n 1 = 2 have But still ≈ n 1 = 2 . i ≈ ( n + i ) =q ≈ n 1 = 2 ≈ y u= 2 “Number-field sieve” (NFS) so smoothness chance is roughly achieves n o (1) . ( u= 2) − u= 2 ( u= 2) − u= 2 = 2 u =u u , 2 u times larger than before.

Slide 13. Sublattices (only the end of this slide survives the extraction)
Sublattices eliminate the growth problem. Practically unlimited supply of generalized congruences [...] between 0 and $n$.
Careful analysis: sublattices are even better than that! [...] $i(n+i)/q \approx n^{1/2} \approx y^{u/2}$; smoothness chance is roughly $(u/2)^{-u/2}$, [...] times larger than before.

Slide 14. Even larger improvements
Even larger improvements from changing polynomial $i(n+i)$.
"Quadratic sieve" (QS) uses $i^2 - n$ with $i \approx \sqrt{n}$; have $i^2 - n \approx n^{1/2 + o(1)}$, much smaller than $n$.
"MPQS" improves $o(1)$ using sublattices: $(i^2 - n)/q$. But still $\approx n^{1/2}$.
"Number-field sieve" (NFS) achieves $n^{o(1)}$.

Slide 15. Generalizing beyond Q
The Q sieve is a special case of the number-field sieve.
Recall how the Q sieve factors 611: form a square as product of $i(i + 611j)$ for several pairs $(i, j)$:
$14(625) \cdot 64(675) \cdot 75(686) = 4410000^2$.
$\gcd\{611,\ 14 \cdot 64 \cdot 75 - 4410000\} = 47$.
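The 611 computation of slide 15, carried out end to end as an added Python example (this is not code from the slides or from the authors): it searches $i$ from 1 up to a bound for congruences $i(i+611)$ that are smooth over the slide's primes 2, 3, 5, 7 (the $j = 1$ case of $i(i+611j)$), finds a subset whose exponent vectors sum to zero mod 2 by Gaussian elimination over GF(2), and takes $\gcd\{n, s - t\}$. The names `find_relations`, `gf2_kernel` and `q_sieve`, and the search bound of 100, are choices made for this example.

```python
from math import gcd

# Factor base from the slides: the Q sieve for 611 uses primes 2, 3, 5, 7.
FACTOR_BASE = [2, 3, 5, 7]


def smooth_exponents(x, primes):
    """Exponent vector of x over `primes`, or None if x has a prime factor outside them."""
    vec = []
    for p in primes:
        e = 0
        while x % p == 0:
            x //= p
            e += 1
        vec.append(e)
    return vec if x == 1 else None


def find_relations(n, primes, bound):
    """Congruences i*(i+n) (the j=1 case of i*(i+n*j)) with both factors smooth.

    Returns a list of (i, exponent vector of i*(i+n)).
    """
    rels = []
    for i in range(1, bound + 1):
        a = smooth_exponents(i, primes)
        b = smooth_exponents(i + n, primes)
        if a is not None and b is not None:
            rels.append((i, [ea + eb for ea, eb in zip(a, b)]))
    return rels


def gf2_kernel(rows):
    """Basis of the left kernel of `rows` over GF(2): each element is a bitmask
    of row indices whose summed exponent vector has every coordinate even."""
    pivots = {}      # leading column -> (reduced row, bitmask of original rows)
    kernel = []
    for k, row in enumerate(rows):
        vec = [v & 1 for v in row]
        hist = 1 << k
        for col in range(len(vec)):
            if vec[col] and col in pivots:
                pvec, phist = pivots[col]
                vec = [x ^ y for x, y in zip(vec, pvec)]
                hist ^= phist
        if any(vec):
            pivots[vec.index(1)] = (vec, hist)
        else:
            kernel.append(hist)
    return kernel


def q_sieve(n, primes=FACTOR_BASE, bound=100):
    """Return a nontrivial factor of n found from a square product of
    congruences i*(i+n), or None if no dependency yields one."""
    rels = find_relations(n, primes, bound)
    basis = gf2_kernel([vec for _, vec in rels])
    # Try every nonzero combination of kernel basis vectors (fine for a small basis);
    # a single dependency can give a trivial gcd when s = +-t mod n.
    for mask in range(1, 1 << len(basis)):
        subset = 0
        for b, vec in enumerate(basis):
            if mask >> b & 1:
                subset ^= vec
        if subset == 0:
            continue
        s = 1
        total = [0] * len(primes)
        for k, (i, vec) in enumerate(rels):
            if subset >> k & 1:
                s *= i
                total = [x + y for x, y in zip(total, vec)]
        t = 1
        for p, e in zip(primes, total):
            t *= p ** (e // 2)      # every e is even, so t^2 = product of the i*(i+n)
        g = gcd(n, s - t)
        if 1 < g < n:
            return g
    return None


if __name__ == "__main__":
    print(find_relations(611, FACTOR_BASE, 100))   # [(14, [1, 0, 4, 1]), (64, [6, 3, 2, 0]), (75, [1, 1, 2, 3])]
    print(q_sieve(611))                             # 47
```

With the bound 100 the only smooth congruences are $i = 14, 64, 75$, exactly the three on the slide, so the single kernel vector reproduces $s = 14 \cdot 64 \cdot 75$, $t = 4410000$ and the factor 47.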

Slide 16. The Q(√14) sieve factors 611 as follows:
Form a square as product of $(i + 25j)(i + \sqrt{14}\,j)$ for several pairs $(i, j)$:
$(-11 + 3 \cdot 25)(-11 + 3\sqrt{14}) \cdot (3 + 25)(3 + \sqrt{14}) = (112 - 16\sqrt{14})^2$.
Compute $s = (-11 + 3 \cdot 25) \cdot (3 + 25)$, $t = 112 - 16 \cdot 25$, $\gcd\{611, s - t\} = 13$.

Slide 17. Why does this work?
Answer: Have ring morphism $\mathbf{Z}[\sqrt{14}] \to \mathbf{Z}/611$, $\sqrt{14} \mapsto 25$, since $25^2 = 14$ in $\mathbf{Z}/611$.
Apply ring morphism to square:
$(-11 + 3 \cdot 25)(-11 + 3 \cdot 25) \cdot (3 + 25)(3 + 25) = (112 - 16 \cdot 25)^2$ in $\mathbf{Z}/611$,
i.e. $s^2 = t^2$ in $\mathbf{Z}/611$. Unsurprising to find factor.
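Slides 16 and 17 in code, as an added Python example that is not part of the slide deck: elements of $\mathbf{Z}[\sqrt{14}]$ are pairs `(a, b)` standing for $a + b\sqrt{14}$, `mul` is ring multiplication, and `phi` is the ring morphism $\sqrt{14} \mapsto 25$ into $\mathbf{Z}/611$. The example checks that the product of the slide's four factors is $(112 - 16\sqrt{14})^2$, that `phi` respects multiplication, and that pushing the square through `phi` gives $s^2 = t^2$ in $\mathbf{Z}/611$ and the factor 13. The function names and the pair representation are this example's own.

```python
from math import gcd

D = 14     # work in Z[sqrt(D)]; an element is a pair (a, b) meaning a + b*sqrt(D)
N = 611    # number to factor
M = 25     # image of sqrt(D): M**2 == D in Z/N because 625 = 611 + 14


def mul(x, y):
    """Product of a + b*sqrt(D) and c + e*sqrt(D) in Z[sqrt(D)]."""
    a, b = x
    c, e = y
    return (a * c + D * b * e, a * e + b * c)


def product_of(elems):
    acc = (1, 0)
    for z in elems:
        acc = mul(acc, z)
    return acc


def phi(x):
    """Ring morphism Z[sqrt(D)] -> Z/N sending sqrt(D) to M.
    Well defined because M^2 = D in Z/N."""
    a, b = x
    return (a + b * M) % N


def is_ring_morphism_on(elems):
    """Spot-check phi(xy) = phi(x) phi(y) on every pair drawn from `elems`."""
    return all(phi(mul(x, y)) == phi(x) * phi(y) % N for x in elems for y in elems)


def factor_from_algebraic_square(pairs, root):
    """Given pairs (i, j) whose product of (i + M j)(i + j sqrt(D)) equals root^2
    in Z[sqrt(D)], return (s, t, gcd(N, s - t)) exactly as the slide does."""
    algebraic = [(i, j) for i, j in pairs]        # the factors i + j*sqrt(D)
    rational = 1
    for i, j in pairs:
        rational *= i + M * j                      # the factors i + 25 j
    square = mul((rational, 0), product_of(algebraic))
    if square != mul(root, root):
        raise ValueError("product is not the claimed square")
    s = rational                                   # (-11 + 3*25)(3 + 25) = 1792
    t = root[0] + root[1] * M                      # 112 - 16*25 = -288
    # Why the gcd can work: phi(square) = s^2 and phi(root)^2 = t^2 in Z/N,
    # so s^2 = t^2 mod N even though s and t were computed in different ways.
    assert phi(square) == s * s % N == t * t % N
    return s, t, gcd(N, s - t)


if __name__ == "__main__":
    print(factor_from_algebraic_square([(-11, 3), (3, 1)], (112, -16)))   # (1792, -288, 13)
```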

Slide 18. Generalize from (x² − 14, 25) to (f, m)
Generalize from $(x^2 - 14,\ 25)$ to $(f, m)$ with irred $f \in \mathbf{Z}[x]$, $m \in \mathbf{Z}$, $f(m) \in n\mathbf{Z}$.
Write $d = \deg f$, $f = f_d x^d + \cdots + f_1 x^1 + f_0 x^0$.
Can take $f_d = 1$ for simplicity, but larger $f_d$ allows better parameter selection.
Pick $\alpha \in \mathbf{C}$, root of $f$. Then $f_d\alpha$ is a root of monic $g = f_d^{\,d-1} f(x/f_d) \in \mathbf{Z}[x]$.
$\mathbf{Q}(\alpha) \leftarrow O \leftarrow \mathbf{Z}[f_d\alpha] \to \mathbf{Z}/n$, the last map taking $f_d\alpha \mapsto f_d m$.

Slide 19. Build square in Q(α)
Build square in $\mathbf{Q}(\alpha)$ from congruences $(i - jm)(i - j\alpha)$ with $i\mathbf{Z} + j\mathbf{Z} = \mathbf{Z}$ and $j > 0$.
Could replace $i - jx$ by higher-deg irred in $\mathbf{Z}[x]$; quadratics seem fairly small for some number fields. But let's not bother.
Say we have a square $\prod_{(i,j) \in S} (i - jm)(i - j\alpha)$ in $\mathbf{Q}(\alpha)$; now what?

Slide 20.
$\prod (i - jm)(i - j\alpha)\, f_d^{\,2}$ is a square in $O$, ring of integers of $\mathbf{Q}(\alpha)$.
Multiply by $g'(f_d\alpha)^2$, putting square root into $\mathbf{Z}[f_d\alpha]$: compute $r$ with $r^2 = g'(f_d\alpha)^2 \cdot \prod (i - jm)(i - j\alpha)\, f_d^{\,2}$.
Then apply the ring morphism $\varphi: \mathbf{Z}[f_d\alpha] \to \mathbf{Z}/n$ taking $f_d\alpha$ to $f_d m$. Compute $\gcd\{n,\ \varphi(r) - g'(f_d m) \prod (i - jm)\, f_d\}$.
In $\mathbf{Z}/n$ have $\varphi(r)^2 = g'(f_d m)^2 \prod (i - jm)^2 f_d^{\,2}$.

Slide 21. How to find square product of congruences (i − jm)(i − jα)?
Start with congruences for, e.g., $y^2$ pairs $(i, j)$.
Look for $y$-smooth congruences: $y$-smooth $i - jm$ and $y$-smooth $f_d\,\mathrm{norm}(i - j\alpha) = f_d i^d + \cdots + f_0 j^d = j^d f(i/j)$.
Here "$y$-smooth" means "has no prime divisor $> y$."
Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2.
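Relation collection for a general $(f, m)$ as on slides 19 and 21, as an added Python example (not the authors' code): `norm_form` is the homogenized $j^d f(i/j) = f_d i^d + \cdots + f_0 j^d$, `is_smooth` tests $y$-smoothness by trial division, and `collect_relations` enumerates coprime pairs $(i, j)$ with $j > 0$ and keeps those where both $i - jm$ and $j^d f(i/j)$ are $y$-smooth. Run on the slides' $(x^2 - 14,\ 25,\ 611)$ with $y = 7$ it finds the pairs behind slide 16 (with the sign convention of slide 19). The rational-side `exponent_vector` with a leading sign bit is this example's own convention; exponent vectors for the algebraic side (which need prime ideals), the square root $r$ of slide 20 and the linear algebra are not implemented here.

```python
from math import gcd


def poly_eval(f, x):
    """Evaluate f at integer x; coefficients are listed low to high, f[k] = f_k."""
    return sum(fk * x ** k for k, fk in enumerate(f))


def norm_form(f, i, j):
    """j^d f(i/j) = f_d i^d + f_{d-1} i^{d-1} j + ... + f_0 j^d,
    the slide's f_d * norm(i - j*alpha)."""
    d = len(f) - 1
    return sum(fk * i ** k * j ** (d - k) for k, fk in enumerate(f))


def is_smooth(x, y):
    """True if |x| has no prime divisor > y (the slide's "y-smooth"); 0 is not smooth."""
    x = abs(x)
    if x == 0:
        return False
    p = 2
    while p <= y and x > 1:        # trial division; composite p never divides here
        while x % p == 0:
            x //= p
        p += 1
    return x == 1


def exponent_vector(x, primes):
    """Exponent vector of a smooth integer over `primes`, preceded by a sign bit,
    ready for the linear algebra mod 2 on the rational side i - j*m."""
    vec = [1 if x < 0 else 0]
    x = abs(x)
    for p in primes:
        e = 0
        while x % p == 0:
            x //= p
            e += 1
        vec.append(e)
    if x != 1:
        raise ValueError("not smooth over the given primes")
    return vec


def collect_relations(f, m, n, y, i_bound, j_bound):
    """All coprime (i, j) with |i| <= i_bound, 1 <= j <= j_bound, such that
    i - j*m and j^d f(i/j) are both y-smooth. Returns (i, j, i - j*m, j^d f(i/j))."""
    if poly_eval(f, m) % n != 0:
        raise ValueError("need f(m) = 0 mod n")
    rels = []
    for j in range(1, j_bound + 1):
        for i in range(-i_bound, i_bound + 1):
            if gcd(i, j) != 1:              # i Z + j Z = Z
                continue
            a = i - j * m
            b = norm_form(f, i, j)
            if is_smooth(a, y) and is_smooth(b, y):
                rels.append((i, j, a, b))
    return rels


if __name__ == "__main__":
    # The slides' example: f = x^2 - 14 (listed low to high), m = 25, n = 611.
    for rel in collect_relations([-14, 0, 1], 25, 611, 7, 12, 3):
        print(rel)      # includes (11, 3, -64, -5) and (-3, 1, -28, -5)
```

The two printed relations are the slide's $(-11 + 25 \cdot 3)(-11 + 3\sqrt{14})$ and $(3 + 25)(3 + \sqrt{14})$ written as $(i - jm)(i - j\alpha)$ with $j > 0$; both norms equal $-5$, so their product has square norm, a necessary condition for the algebraic side to be a square.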

Slide 22. Asymptotic cost exponents
Number of bit operations in number-field sieve, with theorists' parameters, is $L^{1.90\ldots + o(1)}$ where $L = \exp\big((\log n)^{1/3} (\log\log n)^{2/3}\big)$.
What are theorists' parameters?
Choose degree $d$ with $d \big/ \big((\log n)^{1/3} (\log\log n)^{-1/3}\big) \in 1.40\ldots + o(1)$.

Slide 23.
Choose integer $m \approx n^{1/d}$. Write $n$ as $m^d + f_{d-1} m^{d-1} + \cdots + f_1 m + f_0$ with each $f_k$ below $n^{(1+o(1))/d}$.
Choose $f$ with some randomness in case there are bad $f$'s.
Test smoothness of $i - jm$ for all coprime pairs $(i, j)$ with $1 \le i, j \le L^{0.95\ldots + o(1)}$, using primes $\le L^{0.95\ldots + o(1)}$.
$L^{1.90\ldots + o(1)}$ pairs. Conjecturally $L^{1.65\ldots + o(1)}$ smooth values of $i - jm$.

Slide 24.
Use $L^{0.12\ldots + o(1)}$ number fields. For each $(i, j)$ with smooth $i - jm$, test smoothness of $i - j\alpha$ and $i - j\beta$ and so on, using primes $\le L^{0.82\ldots + o(1)}$. $L^{1.77\ldots + o(1)}$ tests.
Each $|j^d f(i/j)| \le m^{2.86\ldots + o(1)}$. Conjecturally $L^{0.95\ldots + o(1)}$ smooth congruences. $L^{0.95\ldots + o(1)}$ components in the exponent vectors.

Slide 25. Three sizes of numbers here:
$(\log n)^{1/3} (\log\log n)^{2/3}$ bits: $y$, $i$, $j$.
$(\log n)^{2/3} (\log\log n)^{1/3}$ bits: $m$, $i - jm$, $j^d f(i/j)$.
$\log n$ bits: $n$.
Unavoidably $1/3$ in exponent: usual smoothness optimization forces $(\log y)^2 \approx \log m$; balancing norms with $m$ forces $d \log y \approx \log m$; and $d \log m \approx \log n$.

Slide 26. Batch NFS (only fragments of this slide survive the extraction)
"The number [...] $L^{1.90\ldots + o(1)}$ [...] finding smooth [...] $L^{1.77\ldots + o(1)}$ [...] finding smooth [...] Many $n$'s [...] $L^{1.90\ldots + o(1)}$ [...] to find square [...] Oops, linear [...] fix by reducing [...] But still [...] batch in factoring"
