Factoring bi-primes with Orion Dr. William Macready, Vice-President, Product Development July

confidential 2 Given an n T -bit integer T which is the product of an n p -bit prime p and an n q -bit prime q; find p or q Problem is useful for a number of reasons Potential cryptanalytic applications Source of difficult optimization problems (lots of local minima) where we know the answer Applications:\\factoring bi-primes

confidential 3 Multiplying out the factors long-hand gives a set of equality constraints that the bits of p and q must satisfy Objective function consists in adding the squared constraint violations Applications:\\factoring bi-primes

confidential 4 Number to be factored must be odd Both factors must be odd So we know the ones-place bits are 1 There are n T possible bit lengths {n p, n q } Most significant bit of each factor must be 1 Example:\\factoring 119

confidential 5 Step 1 - Multiplication n T = n 119 =7 possible factor bit lengths –In the worst case, all 7 possible combinations must be tried –in this example we try n p =5 and n q =3 Write factors using x i,y for unknown bits 1 x 3 x 2 x 1 1 & 1 y 1 Write out long multiplication for the factors

confidential 6 Factor 1:1x3x3 x2x2 x1x1 1 Factor 2:1y1 1x3x3 x2x2 x1x1 1 yx3yx3yx2yx2yx1yx1yy 1x3x3 x2x2 x1x Long Multiplication for 119

confidential 7 Step 2 – Derive Equations An equation to be satisfied can be derived from each column Need to introduce new binary variables, z i, for carries For 119, we get a system of 6 equations

confidential 8 Step 3 – Polynomial Time Simplification of Equations Using a polynomial (in n T ) time algorithm, simplify the equations as much as possible –eliminate variables which can easily be inferred to have a certain value –current method is O(n T 3 ), but could do better If goal is the factoring of n T =1,024-bit bi-primes then we need to do more/better polynomial preprocessing to reduce number of variables

confidential 9 System of Equations for 119 x 1 + y=1(1) x 2 + x 1 y + 1=1 + 2z 1 (2) x 3 + x 2 y + x 1 + z 1 =0 + 2z 2 + 4z 3 (3) 1 +x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1 + 2z 5 (5) 1 + z 5 =1(6)

confidential 10 System of Equations for 119 x 1 + y=1(1) x 2 + x 1 y + 1=1 + 2z 1 (2) x 3 + x 2 y + x 1 + z 1 =0 + 2z 2 + 4z 3 (3) 1 +x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1 + 2z 5 (5) 1 + z 5 =1(6)

confidential 11 System of Equations for 119 x 1 + y=1(1) x 2 + x 1 y + 1=1 + 2z 1 (2) x 3 + x 2 y + x 1 + z 1 =0 + 2z 2 + 4z 3 (3) 1 +x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 12 System of Equations for 119 x 1 + y=1 => x 1 y=0(1) x 2 + x 1 y + 1=1 + 2z 1 (2) x 3 + x 2 y + x 1 + z 1 =0 + 2z 2 + 4z 3 (3) 1 +x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 13 System of Equations for 119 x 1 + y=1(1) x 2 + 1=1 + 2z 1 (2) x 3 + x 2 y + x 1 + z 1 =0 + 2z 2 + 4z 3 (3) 1 +x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 14 System of Equations for 119 x 1 + y=1(1) x 2 + 1=1 + 2z 1 (2) x 3 + x 2 y + x 1 + z 1 =0 + 2z 2 + 4z 3 (3) 1 +x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 15 System of Equations for 119 x 1 + y=1(1) x 2 + 1=1(2) x 3 + x 2 y + x 1 =0 + 2z 2 + 4z 3 (3) 1 + x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 16 System of Equations for 119 x 1 + y=1(1) x 2 + 1=1(2) x 3 + x 2 y + x 1 =0 + 2z 2 + 4z 3 (3) 1 + x 3 y + x 2 + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 17 System of Equations for 119 x 1 + y=1(1) 1=1(2) x 3 + x 1 =0 + 2z 2 + 4z 3 (3) 1 + x 3 y + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 18 System of Equations for 119 x 1 + y=1(1) 1=1(2) x 3 + x 1 =0 + 2z 2 + 4z 3 (3) 1 + x 3 y + z 2 =1 + 2z 4 (4) y + x 3 + z 3 + z 4 =1(5) 1=1(6)

confidential 19 System of Equations for 119 x 1 + y=1(1) 1=1(2) x 3 + x 1 =0 + 2z 2 (3) 1 + x 3 y + z 2 =1 + 2z 4 (4) y + x 3 + z 4 =1(5) 1=1(6)

confidential 20 Step 4 – Convert to a Quadratic Optimization Objective After simplification algorithm complete, replace all bi-linear terms (e.g. x 3 y) with new binary variables (w), w is 1 if and only if x 3 and y are both 1. –actually this is done first since it might offer the potential for additional simplification Each new binary variable (w) introduces 3 new binary slack variables: (s 1, s 2, s 3 ) –can get by with only 1 slack variable Can now convert the equations into an energy function.

confidential 21 System of Equations for 119 x 1 + y=1(1) 1=1(2) x 3 + x 1 =0 + 2z 2 (3) 1 + w + z 2 =1 + 2z 4 (4) y + x 3 + z 4 =1(5) 1=1(6)

confidential 22 Energy terms for 119 x 1 + y - 1=0(1) 1 - 1=0(2) x 3 + x 1 -2z 2 =0(3) w + z 2 -2z 4 =0(4) y + x 3 + z 4 - 1=0(5) 1 - 1=0(6)

confidential 23 Quadratic terms for 119 (x 1 + y – 1) 2 =0(1) 0=0(2) (x 3 + x 1 -2z 2 ) 2 =0(3) (w + z 2 -2z 4 ) 2 =0(4) (y + x 3 + z 4 - 1) 2 =0(5) 0=0(6)

confidential 24 Step 5 – Orion To find the factors, all terms must be zero Sum all the terms together in one energy function –Can weight each term differently –This freedom used to tune the quantum mechanical annealing schedule

confidential 25 Energy Function E = μ 1 (x 1 +y–1) 2 + μ 2 (x 3 +x 1 -2z 2 ) 2 + μ 3 (w+z 2 -2z 4 ) 2 + μ 4 (y+x 3 +z 4 -1) 2 + λ 1 (w- x 3 +s 1 ) 2 + λ 2 (w-y+s 2 ) 2 + λ 3 (x 3 +y-w+s 3 -1) 2 We know that ground state has E min = 0 We can be smart in how the Lagrange multipliers are chosen to minimize the number of local minima

confidential 26 Factor Graph for factoring 119

confidential 27 Factoring Algorithm Given: an integer T of n T bits to be factored Determine possible bit sizes of factors For each bit size pair {n p, n q } –Derive factoring equations Number of variables = bit positions of each factor + carry variables –Simplify factoring equations (scaling behaviour) –Result is a set of multi-linear equations to be solved over the Booleans –Map equations to an energy function solved by the hardware map quartic interaction to quadratic –Introduces slack variables (scaling of number of variables) –Minimize energy function (scaling ?) –Read result –Solution factors T? Yes -> done No -> rerun (perhaps modify energy function, e.g. adjust multipliers)

confidential 28 Scaling behaviour

confidential 29 Scaling behaviour – space complexity Space complexity –With limited sophistication in simplifying the factoring equations Number of variables required to factor an n T bit integer is O(n T ) Number of variables required after removal of quartic interactions is O(n T 2 ) –Arises from the pair-wise products –With more intelligence in simplifying the equations can probably do much better Currently do not include the fact that factors are prime in simplification

confidential 30 Scaling behaviour – time complexity Time complexity governed by three separate tasks –Derivation and simplification of multi-linear equations –Orion run time Classical preprocessing is tractable by construction Orion run-time performance unknown

confidential 31 Integer factoring can be addressed as discrete optimization in O(n T 2 ) variables Optimization used to find integer solutions to a multi-linear set of equations –Equations to be solved can probably be simplified without too much effort Method is parallelizable as different bit length of factors can all be tested in parallel Factoring bi-primes:\\conclusions