Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com SPECIAL PURPOSE FACTORING ALGORITHMS Special Purpose Factoring Algorithms For special class of numbers ( M, F ), can’t do hard composites M ersenne primes of form 2 n – 1. Efficiency depends on unknown factors. Best for factoring smooth composites with small prime factors. 1,620 has prime factors 2 2 × 3 4 × 5 ⇒ 1,620 is 5-smooth Too slow for most factoring jobs. Would run forever or fail for RSA composites. Examples Trial division: Trial divide possible factors, check for zero remainder Pollard’s p − 1: Based on Fermat’s Little Theorem Pollard’s ρ : Monte Carlo method: 8 th F ermat number Elliptic Curve Method (ECM): p − 1 for points on elliptic curve.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com GENERAL PURPOSE FACTORING ALGORITHMS General Purpose Factoring Algorithms Efficiency depends on size of integer to factor. Can factor any integer of a given size in about same time as any integer of that size. Suitable for RSA-type hard composites With no small prime factors. RSA cryptosystem: Numbers used for modulus Do not have any small prime factors, e.g. RSA x

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com GENERAL PURPOSE FACTORING ALGORITHMS Congruent Squares: Underlies CFRAC, QS, NFS Legendre’s Congruence Prime Factors p & q

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com GENERAL PURPOSE FACTORING ALGORITHMS CONTINUED FRACTIONS (CFRAC), QUADRATIC SIEVE (QS), NUMBER FIELD SIEVE (NFS) Above 3 GPFAs consist of same 3 basic steps 1.Identify set of relations smooth over some factor base. 2.Solve linear equations system to find relations yielding squares. 3.Compute GCD of composite and squares found above. Same I/O: I composite integer n, O nontrivial factor p of n. Difference: Find integer pairs satisfying congruence (relation). CFRAC QS NFS

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVES MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS Special Number Field Sieve (SNFS) Special-purpose: efficient for integers of form r e ± s. General Number Field Sieve (GNFS or NFS ) Most efficient classical algorithm known (> 100 digits) Quadratic Sieve (QS) Second fastest method known (fastest for < 100 digits) Rational Sieve (RS) Special case of NFS, far less efficient, useless for practice.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVES MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS Fastest General Purpose Factoring Algorithm The Number Field Sieve (NFS) – faster than MPQS NFS Variant used in recent 232-digit RSA-768 Factoring “Recent improvements to the Number Field Sieve make the NFS more efficient than MPQS* in factoring numbers larger than about 115 digits, while MPQS is better for small integers… It is now estimated that if the NFS had been used for RSA-129, it would have taken one quarter of the time. Clearly, NFS has overtaken MPQS as the most widely used factoring algorithm.” Source: RSA Laboratories, “What are the best factoring methods in use today?” *Multiple Polynomial Quadratic Sieve

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVES MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS “The best known algorithm for factoring large numbers is the General Number Field Sieve (GNFS).” “GNFS consists of a sieving phase that searches a fixed set of prime numbers for candidates that have a particular algebraic relationship, modulo the number to be factored. This is followed by a matrix solving phase that creates a large matrix from the candidate values, then solves it to determine the factors. “The sieving phase may be done in distributed fashion, on a large number of processors simultaneously. The matrix solving phase requires massive amounts of storage and is typically performed on a large supercomputer.” Source: RSA Laboratories, “The RSA Factoring Challenge FAQ ”

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVES MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS For large n, NFS asymptotically outperforms QS, RS RS & QS: find smooth numbers exponential in n QS operates over integers only ℤ x ℤ NFS operates over N umber F ield and N umber R ing over ℤ and ring ℤ[m], i.e., ℤ x ℤ[m] m is root of polynomial f(x). NF is a finite field extension of the field ℚ. NR is a subring of NF. NFS finds smooth numbers sub-exponential in n Find congruent squares mod n (congruence, relation) Non-trivial factors of n

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE OUTLINE OF STEPS IN THE ALGORITHM 1.Polynomial Selection Find f(x) irreducible over ℤ [x] with root m modulo n, f(x) ϵ ℤ [x]. 2.Finding Factor Bases Choose size for factor bases and set up: Rational Factor Base, RFB Algebraic Factor Base, AFB Quadratic Character Base, QCB 3.Sieving → Set S of relations (a, b) Find pairs of integers (a, b) with properties: gcd(a, b) = 1 a, b are relative primes a + bm is smooth over RFB b deg(f) f(a/b) is smooth over AFB Pairs (a, b) with above properties: relation.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE OUTLINE OF STEPS IN THE ALGORITHM

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE [ALGEBRAIC] NUMBER FIELD r is an algebraic number of degree k – 1 if r root of nonzero polynomial where a ϵ ℚ r satisfies no similar equation of degree < k – 1 (irreducible) [Algebraic] Number Field ℚ [r]: all expressions constructed from r by repeated +, –, ∗, ∕. Finite degree field extension ℚ [r] of the field ℚ Degree: its dimension as a vector space over ℚ. Field – Commutative Ring – Abelian Group – Set (axioms Cl,As,In,Id) ⇒

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM POLYNOMIAL SELECTION Find f(x) irreducible over ℤ [x] with root m modulo n, f(x) ϵ ℤ [x]. Base-m for desired root set ℤ/ℤ n [ x ] Polynomial yield Polynomial Selection Steps Identify large set of usable polynomials Remove bad polynomials from set ( α heuristics) Small sieving experiments on remaining polynomials Choose one with best yield.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM FINDING FACTOR BASES Factor bases (FB) specify well defined domain of smooth primes for the NFS algorithm consistent with congruence Choose FB and set up primes smooth over respective FB: Rational Algebraic Quadratic higher p i ’s Factor bases specify primes smooth over RFB, AFB, QCB RFB primes 2, 3, 5 up to empirically known bound (a + bm). AFB set of prime ideals in a ring of algebraic integers. QCB small set of first degree prime ideals not in AFB.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM SIEVING → SET S OF RELATIONS (a, b) Find usable relations (a, b) with properties: gcd(a, b) = 1 a, b are relative primes a + bm is smooth over RFB b deg(f) f(a/b) is smooth over AFB Optimization of sieving → Biggest efficiency gain Optimization of memory usage Reuse arrays, use smallest possible data types Rational Sieve a – bm ϵ ℤ vs. Algebraic Sieve (a, b) passing through both is smooth over RFB and AFB Classical Line Sieving vs. Faster Lattice Sieving

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM SIEVING → SET S OF RELATIONS (a, b) Line Sieving Needs less memory, best for small to medium primes Sieve over all (a, b) pairs, one b-value at a time For each prime (p, r), find all pairs divisible by it. Lattice Sieving Needs more memory, best for large primes Fix a medium sized prime (q, s) ϵ AFB Sieve over all (a, b) pairs s.t. |(q, s) Form lattice of vectors for two such pairs. Output: Set of (a, b) pairs that are RFB and AFB smooth.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM SOLVING LINEAR EQUATIONS USING MATRIX RFB and AFB smooth (a, b) pairs filtered… Find subset of pairs which yields a square i.e. …. Elements in its unique factors have even powers. E.g. of {34, 89, 46, 32, 56, 8, 51, 43, 69} for {34, 46, 51, 69} 34· 46· 51· 69 = = 22· 32·172· 232 = (2· 3·17· 23) 2 Equivalent to solving a system of linear equations Solve using a matrix of RFB and AFB smooth (a, b) pairs Matrix consists of factorization over RFB and AFB Minimize matrix size: [1 for odd, 0 for even] power Transform the matrix to reduced echelon form Use Gaussian Elimination to solve the matrix… suboptimal… Block Lanczos or Block Wiedemann for optimal run time.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM SOLVING LINEAR EQUATIONS USING MATRIX

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE ALGORITHM CALCULATING SQUARE ROOTS IN NUMBER FIELDS

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE OUTLINE OF STEPS IN THE ALGORITHM 1.Polynomial Selection Find f(x) irreducible over ℤ [x] with root m modulo n, f(x) ϵ ℤ [x]. 2.Finding Factor Bases Choose size for factor bases and set up: Rational Factor Base, RFB Algebraic Factor Base, AFB Quadratic Character Base, QCB 3.Sieving → Set S of relations (a, b) Find pairs of integers (a, b) with properties: gcd(a, b) = 1 a, b are relative primes a + bm is smooth over RFB b deg(f) f(a/b) is smooth over AFB Pairs (a, b) with above properties: relation.

Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com NUMBER FIELD SIEVE OUTLINE OF STEPS IN THE ALGORITHM