Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001

Motivation In RSA, the public modulus n=p×q, where p and q are primes (p  q) and private Factoring the public modulus: n => p×q =>  (n)=(p-1)(q-1) => d ≡ e -1 mod  (n) => break RSA

RSA-129 history Factoring 129 decimal digits Solved April 1994 Method: Multiple Polynomial Quadratic Sieve People: used the internet to solicit the help of about 600 volunteers and their computers from around the world Time: eight months

RSA challenge Prize: $20,000 RSA-640(640 bits, 193 decimal digits)

Outline Trial division Pollard p-1 algorithm Pollard Rho  algorithm Dixon ’ s random squares algorithm Main idea: Factor n is hard => calculate gcd(a, n) is easy => How to find a number a that has a non- trivial gcd with n

Trial division If n is composite, it has a prime factor Trial division: divide n by every odd integer up to Is this method practical? : try times (about 428 bits): try times It was solved in 1994 by quadrative sieve method

Pollard p-1 algorithm 1974, make use of Fermat ’ s theorem: x p-1 mod p = 1, gcd(x,p)=1 Target p : which is a prime factor of n (given modulus) (Fermat’s theorem) (p-1) is even => its prime powers are less than B, A constant bound, discuss it later => (p-1) | B! Compute 我們當然不知道 p, 所以藉由此 關係式，由 B! 來估 p 1 2 p-1 ≡1 mod p Since p | n => 2 (a 可由給定 B 後計算得出 )

Pollard p-1 algorithm (cont.) 1 2 p-1 ≡1 mod p 2 Because (p-1) | B! => p | (a-1) We also have p | n => p | d, d = gcd(a-1, n) d is a non-trivial factor of n Step1: compute Step2: compute d = gcd(a-1, n)

Example: Pollard p-1 algorithm n= , B=180 Step 1: compute a= Step 2: compute d = gcd(a-1, n) d= is a factor of n We can verify that =135979x The key to success: a-1=135978=2x3x131x173, the factors < B=180

Issues about Pollard p-1 algorithm Complexity: depend on B Compute Compute gcd If, then it is no faster than trial division ! Drawback: it succeeds if p-1 has small prime factors (implies small B) Improve RSA to resist Pollard p-1 algorithm Find a large prime p 1, such that p=2p 1 +1 is a prime (This implies p-1 has a large prime factor p 1 ) Find a large prime q 1, such that q=2q 1 +1 is a prime Set n=pq

Outline Trial division Pollard p-1 algorithm Pollard Rho  algorithm Dixon’s random squares algorithm

Pollard Rho algorithm: basic idea Let p be the smallest prime divisor of n Suppose there exists two integers, such that and => We can obtain a non-trivial factor of n by gcd Q: How to find such integers ? 0n-1p-1 x x ’

Pollard Rho algorithm: primitive method Try to find a subset, and hope that such x, x’ exist Condition of success: there is a collision in X after mod p We don ’ t know p, so we can ’ t compute We compute for all distinct 0n-1p-1 x x ’ 0n-1p-1 x Birthday paradox: if, there is a 50% probability of at least one collision

Pollard Rho algorithm: Challenge in complexity We must compute for each pair of => gcd computation, we know => If n=pq has two close prime factors, this complexity is close to trial division

Pollard Rho algorithm Goal: reduce gcd computation by novel choice of subset X Generation of subset X Choose f(x): a polynomial Initially choose Generate Example: n=7171, Ex. 1 => 2 => 5 => 26 => 677 => 6557 => => 4903 => 2218 => 219 => 4936 => 4210 => => 375 => 4377 => 4389 => 2016 => 5471 => 88

Pollard Rho algorithm (cont.) Result: the previous subset requires few gcd computations, why? Recall: subset if there exists Thm: Rho(  ) collision structure (after mod p) and => Hint: the subset has well-formed collision structure (collision) x1x1 x2x2 f x3x3 x4x4 … xixi x i+1 … x j-1 … x 2j-i-1 xjxj x j+1 The first collision implies later collision

Pollard Rho algorithm (cont.) Example: n=7171, … Generated subset: n=7171=71x101 (we factor n for demonstration) mod … Repeated collision Fixed period Recall: we don ’ t know p, we find the first collision by gcd computation

Pollard Rho algorithm (cont.) How does the collision structure save gcd computation? x1x1 x2x2 f d=gcd(x 1 - x 2, n) d=1 We found the factor d=1 Implies no period=1 cycles x1x1 x2x2 x3x3 x4x4 d=gcd(x 2 - x 4, n) d=1 Implies no period=2 cycles x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10

Pollard Rho algorithm: proof for Rho structure If then f is a polynomial definition Similarly. p | n Δ

Complexity of Polland Rho algolrithm The expected complexity is Possible failure: the subset X doesn ’ t contain a collision The probability is roughly p/n (small when n is large, because ) Upon failure, simply try another initial x 1 and polynomial function f(x)

Outline Trial division Pollard p-1 algorithm Pollard Rho algorithm Dixon’s random squares algorithm

Fact: if we can find x≡y mod n such that x 2 ≡y 2 mod n then n | (x-y)(x+y) The above implies gcd( x+y,n) and gcd( x-y,n) are non-trivial factor of n Idea: 找到和 n 有最大公因數的數 (x+y and x-y in this case) Ex. => 10 2 ≡ 32 2 mod 77 => gcd(10+32, 77) = 7 is a factor of 77

Dixon ’ s random squares algorithm (cont.) Q: How to find such x and y? Example: n= , we can build a factor base B={2,3,5,7,11,13} ≡ 3×7 mod n ≡ 2×7×13 mod n ≡ 2×3×13 mod n x 2 ≡y 2 mod n x≡y mod n If we can find => ( × × ) 2 ≡ (2×3×7×13) 2 mod n => ≡ mod n Problem1: Generate random squares, talk later Problem2: find a subset of congruences that yield a power of 2 on the right

Problem 2: find a subset of congruences For a factor base B={2,3, …,p b } (b 個由小到大的質數 ) If we can obtain c (>b) congruences: … mod 2 a 1 =(0, 1, 0, 1, 0, 0) [ 前一頁例子 ] a 2 =(1, 0, 0, 1, 0, 1) a 3 =(1, 1, 0, 0, 0, 1) a 1 +a 2 +a 3 (mod 2) = (0, 0, 0, 0, 0, 0) Produce even powers in right hand side => The problem of find a subset of congruence is reduced to find a subset of a vectors such that they are linear dependent. (c>b can guarantee such dependence exists)

Problem 1: random squares Q: How to find z, such that Sol: try for k=1, 2, 3, … Ex. n=1829  z / n 的餘數可由 factor base 內的質數因式分解 (Hint: factor base 內都是小的質數 ) Try z=42, 43 60, 61 74, 7585, 86

Problem 1: random squares (cont.) Set factor base B={-1, 2, 3, 5, 7, 11, 13} mod n (=1829) => Find a subset: => gcd( , 1829) = 59

Issues about random squares Q: How large is the factor base? It is a trade-off: |B| is larger, the more possible that z 2 mod n factors over B However, for larger |B|, we need to find more congruences to find a linear dependent subset