Searching for Higher-Degree Polynomials for the General Number Field Sieve
Peter L. Montgomery, Microsoft Research, USA, and CWI
October 2006

Slide 1: Abstract
The Number Field Sieve is asymptotically the fastest algorithm for factoring a large integer N with no small prime factors, such as an RSA modulus. An early step in the algorithm selects two polynomials with a common root modulo N and "small" coefficients. We know ways to select two polynomials when one is linear, but that choice causes one polynomial norm to be much larger than the other. This talk says what is known about higher-degree selections, especially a search for two cubic polynomials.

Slide 3: Number Field Sieve (NFS)
Asymptotically the best known algorithm for factoring large integers with no small prime factors.
Also the best known algorithm for discrete logarithms modulo large primes.

Slide 4: SNFS and GNFS
Special Number Field Sieve (SNFS)
– Number being factored has a nice algebraic form.
– Record: (number not legible in this transcript) − 1 (274 digits, 2006).
General Number Field Sieve (GNFS)
– No known nice algebraic form.
– Record: RSA200 (200 digits, 2005).

Slide 5: NFS Stages, Part I
Input: composite integer N with no small factors.
Polynomial selection
– Find polynomials f_1, f_2 with a common root m modulo N.
– Homogeneous form: F_k(a, b) = b^deg(f_k) · f_k(a/b).
Sieving
– Find many integer pairs (a_i, b_i) where both homogeneous polynomial values |F_k(a_i, b_i)| are smooth (k = 1, 2). Normalized so that gcd(a_i, b_i) = 1 and b_i > 0. Called relations.
– Need one relation per prime ideal in your factor bases.

Slide 6: NFS Stages, Part II
Matrix construction and linear algebra
– Let α_k be a (complex) root of f_k.
– Find a nonempty set S of indices such that the product over j in S of (a_j − b_j α_k) is a square in Q(α_k), for each k. Each a_j − b_j α_k has smooth norm.
– Find square roots in Q(α_k).
– Apply homomorphisms mapping each α_k to m mod N.
– Get the integer congruence A^2 ≡ B^2 (mod N). Hope gcd(A + B, N) is a nontrivial factor of N.

Slide 7: NFS with Two Polynomials
Given N, which we want to factor. Also input the desired degrees d_1, d_2.
Find irreducible polynomials f_1, f_2 of degrees d_1, d_2 with a common root m modulo N (but no common root in C).
resultant(f_1, f_2) will be a nonzero multiple of N, preferably a small multiple.
The determinant formula for the resultant gives a lower bound on the coefficient sizes in f_1, f_2.

Slide 8: Sample SNFS Polynomial Selection
N = (2^512 + 1)/2424833 (148 digits). The 9th Fermat number made SNFS famous.
Guess to use degrees 5 and 1. Common root m = 2^103.
f_1(X) = X − m and f_2(X) = X^5 + 8.
Resultant = ±(m^5 + 8) = ±8(2^512 + 1) = ±8 · 2424833 · N, about 19e6 · N.
Homogeneous F_1(a, b) = a − mb, and F_2(a, b) = a^5 + 8b^5.

Slide 9: Norm Sizes
Assume we sieve 2e12 points, in the rectangle |a| ≤ 1e6 and 0 < b ≤ 1e6.
Approximate homogeneous sizes a − 1e31 b and a^5 + 8b^5.
Norm bounds approximately 1e37 and 9e30.
Smaller norms are more likely to be smooth.
– Both norms must be smooth.

Slide 10: Alternate Choices
Degree 4, m = 2^128 ≈ 3e38. f_2(X) = X^4 + 1.
– Norms a − mb and a^4 + b^4.
– Bounds 3e44 and 2e24.
Degree 6, m = 2^85 ≈ 4e25. f_2(X) = 4X^6 + 1.
– Norms a − mb and 4a^6 + b^6.
– Bounds 4e31 and 5e36.
Degree 5 bounds were 1e37 and 9e30.
Close call between degrees 5 and 6.
– 1990 technology needed monic polynomials.

Slide 11: Roots Modulo Small Primes
X^4 + 1
– One root modulo 2, four modulo 17.
X^5 + 8
– One root modulo each of 2, 3, 5, 7, 13, 17, 19, 23.
4X^6 + 1
– Projective root modulo 2.
– Two roots modulo each of 5, 17.
This quintic norm has more prime divisors < 25 than the other norms, on average.
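The claims on slides 8 to 11 can be checked with exact integer arithmetic. The following is an added example, not code from the talk; it assumes N = (2^512 + 1)/2424833, the 148-digit cofactor of the 9th Fermat number, and represents a polynomial as its coefficient list with the highest power first (X^5 + 8 is [1, 0, 0, 0, 0, 8]).

```python
# Added example (not from the slides): exact checks of the SNFS choices for
# F9 = 2^512 + 1. Assumes N = (2^512 + 1)/2424833, the 148-digit cofactor of the
# 9th Fermat number. Polynomials are coefficient lists, highest power first.

N_F9 = (2**512 + 1) // 2424833

# (m, f2) for each candidate degree; the linear polynomial is always f1 = X - m
CANDIDATES = {
    4: (2**128, [1, 0, 0, 0, 1]),         # X^4 + 1
    5: (2**103, [1, 0, 0, 0, 0, 8]),      # X^5 + 8
    6: (2**85,  [4, 0, 0, 0, 0, 0, 1]),   # 4X^6 + 1
}

def poly_eval(f, x, mod=None):
    """Horner evaluation of f at x, reduced modulo `mod` if given."""
    acc = 0
    for c in f:
        acc = acc * x + c
        if mod is not None:
            acc %= mod
    return acc

def homogeneous(f, a, b):
    """F(a, b) = b^deg(f) * f(a/b), exactly."""
    d = len(f) - 1
    return sum(c * a ** (d - i) * b ** i for i, c in enumerate(f))

def roots_mod_p(f, p):
    """(affine roots of f mod p, whether f has the projective root mod p).
    The projective root means p divides the leading coefficient, so p | F(a, b) whenever p | b."""
    affine = [x for x in range(p) if poly_eval(f, x, p) == 0]
    return affine, f[0] % p == 0

def norm_bound(f, A, B):
    """Bound on |F(a, b)| over |a| <= A, 0 < b <= B: sum of |coefficient| * A^i * B^(d-i)."""
    d = len(f) - 1
    return sum(abs(c) * A ** (d - i) * B ** i for i, c in enumerate(f))

def resultant_multiple(degree):
    """For f1 = X - m the resultant is +-f2(m); return the integer f2(m)/N."""
    m, f2 = CANDIDATES[degree]
    val = poly_eval(f2, m)
    if val % N_F9:
        raise ValueError("m is not a root of f2 modulo N")
    return val // N_F9

def bounds(degree, A=10**6, B=10**6):
    """(linear norm bound, algebraic norm bound) over the slide's 2e12-point rectangle."""
    m, f2 = CANDIDATES[degree]
    return norm_bound([1, -m], A, B), norm_bound(f2, A, B)

def count_small_prime_roots(f, primes=(2, 3, 5, 7, 11, 13, 17, 19, 23)):
    """Map p -> number of roots (affine, plus one for a projective root) for each small p."""
    counts = {}
    for p in primes:
        affine, projective = roots_mod_p(f, p)
        counts[p] = len(affine) + (1 if projective else 0)
    return counts
```

`resultant_multiple(5)` returns 8 · 2424833 = 19398664, the "19e6" of slide 8, and `count_small_prime_roots` reproduces the root counts of slide 11: the quintic has a root modulo every listed prime except 11, while 4X^6 + 1 has only the projective root modulo 2 and two roots modulo each of 5 and 17.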

Slide 12: Resultant Lower Bounds on Coefficient Sizes
Assume f_k has degree d_k and coefficient bound B_k (k = 1, 2).
The determinant formula for resultant(f_1, f_2) has d_2 rows with coefficients of f_1 and d_1 rows with coefficients of f_2.
Need B_1^(d_2) · B_2^(d_1) ≥ N (approximately).
If the rectangular sieving region is 2A × A, we want both B_k A^(d_k) small, and about the same size.

Slide 13: Base-m Method
Set m ≈ N^(1/(d+1)) if degree d is wanted.
Write N = a_0 + a_1 m + … + a_d m^d in base m. Each a_i is O(m), possibly negative.
– f_1(X) = X − m.
– f_2(X) = a_0 + a_1 X + … + a_d X^d.
– Let the rectangular sieving region be 2A × A: |a| ≤ A and 0 < b ≤ A.
Norm bounds mA and (d+1) m A^d.
Norms too far apart (ratio (d+1) A^(d−1)).

Slide 14: Rating Polynomials
Heuristics to increase the density of smooth norms:
– Try to make the norm small on average. Prefer real roots, so the norm is near zero on parts of the sieving region.
– Try to have many roots modulo small primes and prime powers. For example, X^5 + 8 is divisible by 8 whenever X is even.
Brian Murphy (ANTS, 1998) confirmed that these properties improve yield when using two quadratic polynomials.

Slide 15: Improved Base-m
Assume degrees d and 1 are wanted, with d ≥ 4.
Looking for f(m) = N where (if d = 5) f(X) = a_5 X^5 + a_4 X^4 + a_3 X^3 + a_2 X^2 + a_1 X + a_0.
Pick the leading coefficient a_d.
– Prefer many small prime divisors.
Set m = round((N/a_d)^(1/d)).
Fill in the initial a_0 to a_(d−1) using arithmetic mod m. Usually |a_(d−1)| ≤ d a_d / 2.
Reject unless |a_(d−2)| << m.

Slide 16: Skewed Sieving Region
Let f_0 be the initial f, with "small" a_d to a_(d−2) and f_0(m) = N.
Suppose the rectangular sieving region of area 2A^2 is |a| ≤ Ar and 0 < b ≤ A/r.
– If r = 1, the norm bound is about a_0 A^d or m A^d.
– If r >> 1, the big terms are a_(d−3) (Ar)^(d−3) (A/r)^3, a_(d−2) (Ar)^(d−2) (A/r)^2 and a_d (Ar)^d.
– Assuming the first and last dominate, equating them gives r = (a_(d−3) / a_d)^(1/6), or (m / a_d)^(1/6).
– The new norm bound a_(d−3) (Ar)^(d−3) (A/r)^3 is about m A^d r^(d−6).
– When d = 5, this is a factor of r improvement over r = 1. The linear X − m norm improves slightly too.

Slide 17: Improved Modular Properties
Try f(X) = f_0(X) + C(X) (X − m).
– C(X) of degree d − 4, to be determined.
– a_d to a_(d−2) are not affected.
– a_(d−3) to a_0 grow, but with little effect on the norm bound if C has small coefficients.
f(m) = f_0(m) = N.
Sieve to find C(X) for which f has good modular properties.
Used for RSA140 and RSA155 (1999).
– Brian Murphy's PhD thesis.

Slide 18: Two Quadratic Polynomials
Suppose m is a common root (mod N) of f_k = a_k X^2 + b_k X + c_k (k = 1, 2).
– Assume O(N^(1/4)) coefficients, coprime in Q[X].
– [m^2, m, 1] is orthogonal to both [a_k, b_k, c_k] (mod N).
Let v = cross product of the two [a_k, b_k, c_k] over Z.
– Coefficients of v are O(N^(1/2)), not all zero.
– v is a multiple of [m^2, m, 1] (mod N).
– v is a geometric progression mod N.
– Not a GP over Z if the f_k are irreducible.
Polynomials → geometric progression mod N.

Slide 19: GP → Quadratic Polynomials
Let R = [r_2, r_1, r_0] = O(N^(1/2)) be a geometric progression mod N, but not over Z.
Look at the 2-D lattice in Z^3 where R · v = 0.
– Smallest basis vectors [a_k, b_k, c_k] have typical size O(|R|^(1/2)) = O(N^(1/4)).
– The resulting polynomials a_k X^2 + b_k X + c_k have common root r_2 / r_1 ≡ r_1 / r_0 mod N.

Slide 20: Constructing a 3-term GP modulo N
Choose a prime q < N^(1/2) for which N is a quadratic residue.
Find x_0 near N^(1/2) with x_0^2 ≡ N (mod q).
Return [q, x_0, (x_0^2 − N)/q].
Different q lead to different GPs and different pairs of quadratics.
Used for (number not legible in this transcript) − 1, c105.

Slide 21: Two Quadratics for N = 2005
Guess q = 23. 44^2 ≡ 2005 (mod 23).
GP [23, 44, −3], since 44^2 − 2005 = −3 · 23.
Ratio 44/23 ≡ −3/44 ≡ 1048 (mod 2005).
[23, 44, −3] is orthogonal to [−1, 1, 7] and [6, −3, 2]; since this GP runs in increasing powers of the root, read each vector as [c, b, a].
7X^2 + X − 1 and 2X^2 − 3X + 6 share the root 1048 mod 2005.
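The construction of slides 19 to 21, run end to end on the slide's own N = 2005 and q = 23. This is an added example, not Montgomery's code: it builds the 3-term GP from q, finds an integer basis of the rank-2 lattice orthogonal to it, Gauss-reduces that basis to the two shortest vectors, and reads them off as quadratics. The GP is stored as [r0, r1, r2] in increasing powers of the root, as on slide 21, so a lattice vector [v0, v1, v2] is the quadratic v2·X^2 + v1·X + v0.

```python
# Added example, not Montgomery's code: the three-term-GP construction of slides 19-21,
# run exactly on the slide's N = 2005, q = 23. A GP is stored as [r0, r1, r2] in
# increasing powers of the common root, so a lattice vector [v0, v1, v2] orthogonal to
# it is the quadratic v2*X^2 + v1*X + v0 (the slide lists its vectors the same way).
from math import gcd, isqrt

def egcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b) >= 0."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return (old_r, old_s, old_t) if old_r >= 0 else (-old_r, -old_s, -old_t)

def sqrt_mod_prime(n, p):
    """Tonelli-Shanks: x with x^2 = n (mod p) for an odd prime p, or None for a non-residue."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def gp_from_q(N, q):
    """Slide 20: [q, x0, (x0^2 - N)/q] with x0^2 = N (mod q) and x0 as close to sqrt(N) as possible."""
    if gcd(q, N) != 1:
        raise ValueError("q divides N: that is already a factor")
    root = sqrt_mod_prime(N, q)
    if root is None:
        raise ValueError("N is not a quadratic residue modulo q")
    base, cands = isqrt(N), []
    for rho in (root, (q - root) % q):
        low = base - ((base - rho) % q)       # largest x <= isqrt(N) with x = rho (mod q)
        cands += [low, low + q]
    x0 = min(cands, key=lambda x: abs(x * x - N))
    return [q, x0, (x0 * x0 - N) // q]

def kernel_basis(R):
    """Basis of the rank-2 lattice {v in Z^3 : v . R = 0}: apply unimodular column
    operations to R until it becomes [g, 0, 0]; the last two columns of the
    accumulated transform then span the kernel."""
    r, U = list(R), [[int(i == j) for j in range(3)] for i in range(3)]
    for j in (1, 2):
        g, s, t = egcd(r[0], r[j])
        for row in U:                          # same column operation applied to U
            c0, cj = row[0], row[j]
            row[0], row[j] = s * c0 + t * cj, (-r[j] // g) * c0 + (r[0] // g) * cj
        r[0], r[j] = g, 0
    return [row[1] for row in U], [row[2] for row in U]

def gauss_reduce(b1, b2):
    """Lagrange/Gauss reduction of a 2-dimensional lattice basis (exact integer arithmetic)."""
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    while True:
        if dot(b1, b1) > dot(b2, b2):
            b1, b2 = b2, b1
        d = dot(b1, b1)
        mu = (2 * dot(b1, b2) + d) // (2 * d)  # nearest integer to (b1.b2)/(b1.b1)
        if mu == 0:
            return b1, b2
        b2 = [y - mu * x for x, y in zip(b1, b2)]

def quadratics_from_gp(N, R):
    """Slide 19: the common root r1/r0 mod N and the two shortest quadratics orthogonal to R."""
    r0, r1, _ = R
    m = r1 * pow(r0, -1, N) % N
    polys = [v[::-1] for v in gauss_reduce(*kernel_basis(R))]   # [v2, v1, v0] = [a, b, c]
    for f in polys:
        if sum(c * pow(m, i, N) for i, c in enumerate(reversed(f))) % N:
            raise ArithmeticError("lattice vector is not orthogonal to the GP")
    return m, polys
```

For q = 23 the reduced basis is ±[6, −3, 2] and ±[−1, 1, 7], i.e. the slide's 2X^2 − 3X + 6 and 7X^2 + X − 1 up to sign, both vanishing at 1048 mod 2005. Any other q with N a quadratic residue (q = 11 also works for 2005) gives a different GP and a different pair, which is the point of the last line of slide 20. The `gcd(q, N)` check matters for composite N: a q that divides N is not an error condition but a factor.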

Slide 22: More than Two Quadratics
If f and g are two same-size quadratics with a common root, merge them with f ± g.
Try ℓ quadratics, where ℓ ≥ 2, with a shared factor base bound.
– Changes to the rest of NFS are straightforward.
– ℓ(ℓ − 1)/2 chances per (a, b) for two norms to be smooth.
– Need to produce ℓ/2 times as many smooth relations.
– Sieve 1/(ℓ − 1) times as many points (hence smaller norms).
– Sieving takes ℓ/2 times as long per (a, b).
– Estimate ℓ/(2(ℓ − 1)) as much time as two quadratics.
– Average ℓ/2 − (term not legible in this transcript) free ideals per prime.
Hard to find more than two quadratics with excellent modular properties, so the ℓ(ℓ − 1)/2 above is unrealistic.

Slide 23: Two Cubics → Five-term GP
Suppose m is a common root (mod N) of f_k = a_k X^3 + b_k X^2 + c_k X + d_k (k = 1, 2).
– By the resultant bound, O(N^(1/6)) coefficients is the smallest we can hope for.
Find a vector v orthogonal over Z to both [a_k, b_k, c_k, d_k, 0] and both [0, a_k, b_k, c_k, d_k].
– Simple determinant formula for v.
– Components of v will be O(N^(2/3)).
– Multiple of [m^4, m^3, m^2, m, 1] mod N.

Slide 24: Five-term GP → Two Cubics
Let R = [r_4, r_3, r_2, r_1, r_0] = O(N^(2/3)) be a 5-term GP mod N, but not over Z. Ratio s = r_1 / r_0 mod N.
Must avoid a 2nd-order linear recurrence.
Look at the 2-D lattice in Z^4 orthogonal to both R′ = [r_3, r_2, r_1, r_0] and ([r_4, r_3, r_2, r_1] − s R′) / N.
– Smallest basis vectors [a_k, b_k, c_k, d_k] have typical size O((|R|^2 / N)^(1/2)) = O(N^(1/6)).
– The resulting polynomials have common root s mod N.
For two degree-d polynomials with O(N^(1/(2d))) coefficients, we need 2d − 1 terms of size O(N^(1 − 1/d)).

Slide 25: Desire a Five-term GP mod N
Exhaustive search finds many O(N^(2/3)) solutions when N ≈ 1e8.
Example:
– [109, 151, 154, 11, 144], ratio 14 = 154/11 mod 2005.
– Largest entry 154 vs 2005^(2/3) ≈ 159.
– X^3 − 4X^2 + 3X + 3 and 3X^3 − X^2 − X − 2 share the root 14 mod 2005.
Avoid a (1st or) 2nd order linear recurrence.
– Example: [39, 22, −39, −22, 39] mod 2005, whose ratio s satisfies s^2 ≡ −1 because 22^2 + 39^2 = 2005. X^3 + X and the other cubic obtained share the quadratic factor X^2 + 1.
Don't know how to find one quickly when N is large.

Slide 26: Can We Use the Matrix Inverse?
The matrix inverse is O(N^(1/3)) / N.
For the slide-25 cubics, taking f_1 = 3X^3 − X^2 − X − 2 and f_2 = X^3 − 4X^2 + 3X + 3 in the formula below:

  ( 109  151  154 )   ( −11   10   11 )
  ( 151  154   11 ) · (  10    4  −11 ) = 2005 · I_3
  ( 154   11  144 )   (  11  −11    3 )

Entries in the second matrix are bilinear forms evaluated at the coefficients of f_1 and f_2:

  ( a_1 b_2 − b_1 a_2    a_1 c_2 − c_1 a_2                        a_1 d_2 − d_1 a_2 )
  ( a_1 c_2 − c_1 a_2    a_1 d_2 + b_1 c_2 − c_1 b_2 − d_1 a_2    b_1 d_2 − d_1 b_2 )
  ( a_1 d_2 − d_1 a_2    b_1 d_2 − d_1 b_2                        c_1 d_2 − d_1 c_2 )

– Related to the coefficients of [f_1(X) f_2(Y) − f_2(X) f_1(Y)] / (X − Y).
The second matrix is O(N^(1/3)), symmetric, with determinant ±N. The first has constant backwards diagonals.
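The two cubics of slide 25 and the matrix identity of slide 26, checked exactly. This is an added example, not code from the talk: it computes the 5-term GP from the cubics by the determinant formula of slide 23, builds the matrix of bilinear forms from the coefficients, multiplies it by the Hankel matrix of the GP, and also applies the degeneracy test of slides 24 and 25 (a 5-term sequence satisfies a 2nd-order linear recurrence exactly when its 3×3 Hankel matrix is singular). N = 2005 and the two cubics are the slide's values; the ordering f1 = 3X^3 − X^2 − X − 2, f2 = X^3 − 4X^2 + 3X + 3 is the one that reproduces the displayed matrix.

```python
# Added example, not from the slides: the two cubics of slide 25 and the matrix identity
# of slide 26, checked with exact integer arithmetic for N = 2005. A cubic is the list
# [a, b, c, d] of coefficients of X^3, X^2, X, 1. The order f1 = 3X^3 - X^2 - X - 2,
# f2 = X^3 - 4X^2 + 3X + 3 reproduces the slide's matrix; swapping them negates it.
N = 2005
F1 = [3, -1, -1, -2]
F2 = [1, -4, 3, 3]
ROOT = 14

def det(M):
    """Exact integer determinant by Laplace expansion along the first row."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def root_mod(f, x, n):
    """True if x is a root of f modulo n."""
    acc = 0
    for c in f:
        acc = (acc * x + c) % n
    return acc == 0

def gp_from_cubics(f1, f2):
    """Slide 23: integer vector orthogonal to [a,b,c,d,0] and [0,a,b,c,d] for both cubics,
    computed as the generalized cross product (signed 4x4 minors) and normalized so the
    first entry is positive. It is a multiple of [m^4, m^3, m^2, m, 1] modulo N."""
    rows = [f1 + [0], f2 + [0], [0] + f1, [0] + f2]
    v = [(-1) ** i * det([row[:i] + row[i + 1:] for row in rows]) for i in range(5)]
    return [-x for x in v] if v[0] < 0 else v

def is_gp_mod(v, ratio, n):
    """v[i] = ratio * v[i+1] (mod n) for the slide's ordering [r4, r3, r2, r1, r0]."""
    return all(v[i] == ratio * v[i + 1] % n for i in range(len(v) - 1))

def bezout3(f1, f2):
    """Slide 26: symmetric 3x3 matrix of bilinear forms in the coefficients of f1, f2
    (the coefficient matrix of (f1(X) f2(Y) - f2(X) f1(Y)) / (X - Y))."""
    a1, b1, c1, d1 = f1
    a2, b2, c2, d2 = f2
    return [[a1*b2 - b1*a2, a1*c2 - c1*a2, a1*d2 - d1*a2],
            [a1*c2 - c1*a2, a1*d2 + b1*c2 - c1*b2 - d1*a2, b1*d2 - d1*b2],
            [a1*d2 - d1*a2, b1*d2 - d1*b2, c1*d2 - d1*c2]]

def hankel(v):
    """3x3 matrix with constant backwards diagonals from the 5-term GP [r4, ..., r0]."""
    return [[v[i + j] for j in range(3)] for i in range(3)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(3)) for j in range(3)] for i in range(3)]

def degenerate(v):
    """Slides 24/25: a 5-term sequence satisfies a 2nd-order linear recurrence over Q exactly
    when its Hankel matrix is singular; such a GP yields cubics with a common factor."""
    return det(hankel(v)) == 0

def check_pair(f1, f2):
    """(v, det B, H*B) for the slide's claims: det B = +-N and H*B = N * I_3."""
    v = gp_from_cubics(f1, f2)
    B = bezout3(f1, f2)
    return v, det(B), matmul(hankel(v), B)
```

`check_pair(F1, F2)` returns the GP [109, 151, 154, 11, 144] of slide 25, det B = −2005, and H·B = 2005·I_3; `degenerate([39, 22, −39, −22, 39])` is true while the good GP is not, which is the cheap filter to apply before spending lattice reduction on a candidate GP.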

Slide 27: O(1) Cubic and O(N^(1/3)) Quadratic for Prime N
Choose an irreducible cubic f_1 with a known linear factor X − α mod N and O(1) coefficients.
– One of X^3 − 2, X^3 − 3, X^3 − 6, X^3 − 12 will work.
Find a quadratic f_2 with O(N^(1/3)) coefficients and root α modulo N. Can use LLL to choose f_2.
Follow the construction of a GP from two O(N^(1/6)) cubics. The output satisfies a 2nd-order recurrence.
N is prime in the discrete logarithm problem.

Slide 28: Sizes when Factoring a c200
Assume 2e18 points sieved.
Two quadratics.
– Coefficients 1e50. Norms 3e68.
Two cubics.
– Coefficients 2e33. Norms 8e60.
Two of degree 4.
– Coefficients 1e25. Norms 5e61.
Degree 3 or 4 appears best if we use equal degrees.

Slide 29: c200 Sizes for Original Base-m
Assume degree d = 5. Sieving area 2e18.
m = (c200)^(1/6) = 2e33. Coefficients (except leading) 1e33.
Norms (d+2)(1e33)(1e9)^d = 7e78 and m(1e9) = 2e42.
Norm bounds far apart, compared to equal degrees.

Slide 30: c200 Sizes for Modified Base-m
Assume degree d = 5. Sieving area 2e18.
Assume a_5 ≈ 1e10 and m = (1e200/a_5)^(1/5) ≈ 1e38.
Assume we can find a_3 small enough.
r ≈ (m/a_5)^(1/6) ≈ 5e4. Bounds (1e18)^(1/2) r = 5e13 on a and 2e4 on b.
a_5 (5e13)^5 and m (5e13)^2 (2e4)^3 are both about 2e78.
– Norm bound around 1e79 (six summands).
Linear bound (2e4)(1e38) = 2e42.
Little different from original base-m.
– But improved modular properties.

Slide 31: Non-monic Linear Polynomial, Part I
Start with N, d, a_d.
Instead of finding f_0 with f_0(m) = N, find a P for which the congruence a_d M^d ≡ N (mod P) has many solutions M.
– P is a product of primes, each ≡ 1 (mod d), with N / a_d a d-th power residue.
– Size of M chosen so that |M − (N / a_d)^(1/d)| ≤ P / 2.

Slide 32: Non-monic Linear Polynomial, Part II
For each such M, where a_d M^d ≡ N (mod P), find a polynomial f_0(X) = Σ_{j=0}^{d} a_j X^j in Z[X] with N = P^d f_0(M/P).
As earlier, reject unless the coefficient of X^(d−2) is small.
– This test can be performed quickly when the same P is reused.
f_2(X) = f_0(X) + C(X)(PX − M) for some C(X).
f_2(X) and f_1(X) = PX − M share the root m = M / P mod N.
Due to Thorsten Kleinjung, Math. Comp., Oct. (year not legible in this transcript).
– Used for RSA576 (2003) and RSA200 (2005).
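The expansion N = P^d · f_0(M/P) of slides 31 and 32, with the search over M that keeps the smallest |a_(d−2)|, as an added example (not Kleinjung's or Montgomery's code). With P = 1 the same routine is the improved base-m method of slide 15 (balanced digits, leading coefficient chosen first), and the last two functions apply the skewed-region norm bound of slide 16. The inputs are constructed: N is the product of the Mersenne primes 2^61 − 1 and 2^89 − 1, d = 5, a_d = 60, and the prime budget `limit` is an arbitrary choice; real selections use far larger P and many more M.

```python
# Added example, not Kleinjung's or Montgomery's code: the expansion N = P^d f0(M/P) of
# slides 31-32, with the search over M that keeps the smallest |a_(d-2)|. With P = 1 the
# same code is the improved base-m method of slide 15, and norm_bound/best_skew apply
# the skewed-region bound of slide 16. N (a product of two Mersenne primes), d = 5 and
# a_d = 60 are constructed inputs; the prime budget `limit` is an arbitrary choice.
from itertools import product
from math import gcd

def iroot(n, k):
    """Floor of the k-th root of a positive integer n (integer Newton iteration)."""
    x = 1 << ((n.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y

def primes_upto(limit):
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return [p for p, is_p in enumerate(sieve) if is_p]

def choose_primes(N, d, a_d, count, limit=2000):
    """First `count` primes p = 1 (mod d) for which N/a_d is a d-th power residue mod p,
    so that a_d M^d = N (mod p) has d solutions M; their product is P."""
    picked = []
    for p in primes_upto(limit):
        if p % d == 1 and gcd(a_d * N, p) == 1:
            if pow(N * pow(a_d, -1, p) % p, (p - 1) // d, p) == 1:   # Euler's criterion
                picked.append(p)
                if len(picked) == count:
                    break
    return picked

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli; returns (x, product)."""
    x, mod = 0, 1
    for r, p in zip(residues, moduli):
        x += mod * ((r - x) * pow(mod, -1, p) % p)
        mod *= p
    return x, mod

def solutions_mod_P(N, d, a_d, primes):
    """All M mod P = prod(primes) with a_d M^d = N (mod P): brute force per prime, then CRT."""
    per_prime = [[x for x in range(p) if a_d * pow(x, d, p) % p == N % p] for p in primes]
    return [crt(combo, primes)[0] for combo in product(*per_prime)]

def expand(N, d, a_d, M, P):
    """Coefficients [a_d, ..., a_0] with N = sum_j a_j M^j P^(d-j), i.e. N = P^d f0(M/P).
    Each a_j (0 < j < d) is the integer in the required residue class mod P that is
    closest to the exact quotient, which keeps the coefficients balanced (P = 1: base-m)."""
    coeffs, R = [a_d], N - a_d * M ** d
    for j in range(d - 1, 0, -1):
        if R % P:
            raise ValueError("a_d * M^d must be congruent to N modulo P")
        R //= P
        need = R * pow(M, -j, P) % P if P > 1 else 0       # a_j = R * M^(-j) (mod P)
        low = R // M ** j - ((R // M ** j - need) % P)      # largest candidate <= R / M^j
        a_j = min((low, low + P), key=lambda c: abs(c * M ** j - R))
        coeffs.append(a_j)
        R -= a_j * M ** j
    coeffs.append(R // P)                                   # a_0; R is divisible by P here
    return coeffs

def select(N, d, a_d, primes):
    """Slide 32 in miniature: for every root M of a_d M^d = N (mod P) within P of
    (N/a_d)^(1/d), expand and keep the polynomial with the smallest |a_(d-2)|.
    Returns (P, M, [a_d, ..., a_0]); f1 = P X - M and f0 share the root M/P mod N."""
    P = 1
    for p in primes:
        P *= p
    target, best = iroot(N // a_d, d), None
    for M0 in solutions_mod_P(N, d, a_d, primes):
        low = target - ((target - M0) % P)
        for M in (low, low + P):
            if M <= 0:
                continue
            f0 = expand(N, d, a_d, M, P)
            if best is None or abs(f0[2]) < abs(best[1][2]):
                best = (M, f0)
    return (P, *best)

def norm_bound(f, A, r):
    """Slide 16: sum |a_i| (A r)^i (A / r)^(d - i) over the region |a| <= A r, 0 < b <= A / r."""
    d = len(f) - 1
    return sum(abs(c) * (A * r) ** (d - i) * (A / r) ** i for i, c in enumerate(f))

def best_skew(f, A, lo=1.0, hi=1e6, steps=600):
    """Geometric scan for the skew r minimizing norm_bound; returns (r, bound)."""
    best = (lo, norm_bound(f, A, lo))
    for k in range(1, steps + 1):
        r = lo * (hi / lo) ** (k / steps)
        b = norm_bound(f, A, r)
        if b < best[1]:
            best = (r, b)
    return best
```

`select(N, 5, 60, choose_primes(N, 5, 60, 2))` returns P, M and f_0 with Σ a_j M^j P^(5−j) = N exactly, so f_0 vanishes at M·P^(−1) mod N, the common root with PX − M. Calling `select(N, 5, 60, [])` gives the P = 1 base-m polynomial for comparison. Because every M in a residue class mod P is tested with the same cheap expansion, this is the "same P reused" test of slide 32; the real method sieves over many more M and picks P from far more primes.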

Slide 33: RSA200 Polynomials
Found by Kleinjung et al.
f_1(X): a quintic; its coefficients, and the values of M and P, are not legible in this transcript.

Slide 34: Norm Sizes for RSA200
a_5 ≈ 4e11. r ≈ (value not legible in this transcript).
Linear PX − M ≈ 1e22 X − 4e37.
On the rectangle |a| < 1.8e12 and 0 < b < 5.6e5, of area 2e18, the norm bounds are about 1e74 (quintic) and 2e43 (linear).
Quintic much smaller than predicted.