6.4 Factoring.

Slides:



Advertisements
Similar presentations
Integer Factorization By: Josh Tuggle & Kyle Johnson.
Advertisements

Prime recognition and factorization
WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Lecture 8: Primality Testing and Factoring Piotr Faliszewski
COM 5336 Cryptography Lecture 7a Primality Testing
Notation Intro. Number Theory Online Cryptography Course Dan Boneh
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
and Factoring Integers (I)
Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’
Probabilistic Complexity. Probabilistic Algorithms Def: A probabilistic Turing Machine M is a type of non- deterministic TM, where each non-deterministic.
Elementary Number Theory and Methods of Proof. Basic Definitions An integer n is an even number if there exists an integer k such that n = 2k. An integer.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
6/20/2015 5:05 AMNumerical Algorithms1 x x1x
CSE115/ENGR160 Discrete Mathematics 03/17/11 Ming-Hsuan Yang UC Merced 1.
Discrete Log 1 Discrete Log. Discrete Log 2 Discrete Logarithm  Discrete log problem:  Given p, g and g a (mod p), determine a o This would break Diffie-Hellman.
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
and Factoring Integers
Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.
Announcements: 1. Pass in worksheet on using RSA now. 2. DES graded soon 3. Short “pop” quiz on Ch 3 (Thursday at earliest) 4. Term project groups and.
implementations in a functional language
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.
RSA Question 2 Bob thinks that p and q are primes but p isn’t. Then, Bob thinks ©Bob:=(p-1)(q-1) = Á(n). Is this true ? Bob chooses a random e (1 < e
The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.
Topic 18: RSA Implementation and Security
CSE 321 Discrete Structures Winter 2008 Lecture 10 Number Theory: Primality.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
Divisibility October 8, Divisibility If a and b are integers and a  0, then the statement that a divides b means that there is an integer c such.
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright © The McGraw-Hill Companies, Inc. Permission required.
Integers Number Theory = Properties of Integers

May 29, 2008 GNFS polynomials Peter L. Montgomery Microsoft Research, USA 1 Abstract The Number Field Sieve is asymptotically the fastest known algorithm.
The Polynomial Time Algorithm for Testing Primality George T. Gilbert.
October,2006 Higher- Degree Polynomials Peter L. Montgomery Microsoft Research and CWI 1 Abstract The Number Field Sieve is asymptotically the fastest.
Copyright, Yogesh Malhotra, PhD, 2013www.yogeshmalhotra.com SPECIAL PURPOSE FACTORING ALGORITHMS Special Purpose Factoring Algorithms For special class.
Approximation Algorithms Pages ADVANCED TOPICS IN COMPLEXITY THEORY.
Prabhas Chongstitvatana1 Factorizing large integers Finding the unique decomposition of n into a product of prime factors. Factorize(n) if n is prime done.
PRIMES is in P Manindra Agrawal NUS Singapore / IIT Kanpur.
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.
Basic Number Theory Divisibility Let a,b be integers with a≠0. if there exists an integer k such that b=ka, we say a divides b which is denoted by a|b.
SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven.
1 Elliptic curves cryptography CHAPTER 8: Elliptic Curves Cryptography and factorization Cryptography based on manipulation of points of so called elliptic.
CSE 311: Foundations of Computing Fall 2014 Lecture 12: Primes, GCD.
1 Elliptic curves cryptography CHAPTER 8: Elliptic Curves Cryptographyand factorization Cryptography based on manipulation of points of so called elliptic.
Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.
Cryptography and Network Security Chapter 4. Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic.
Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs)
Great Theoretical Ideas in Computer Science for Some.
Application: Algorithms Lecture 20 Section 3.8 Wed, Feb 21, 2007.
A Survey on Factoring Large Numbers ~ 巨大数の因数分解に関する調査 ~ Kanada Lab. M Yoshida Hitoshi.
11 RSA Variants.  Scheme ◦ Select s.t. p and q = 3 mod 4 ◦ n=pq, public key =n, private key =p,q ◦ y= e k (x)=x (x+b) mod n ◦ x=d k (y)=  y mod n.
6.3 Primality Testing. p2. (1) Prime numbers 1. How to generate large prime numbers? (1) Generate as candidate a random odd number n of appropriate size.
Great Theoretical Ideas in Computer Science.
CHAPTER 8: Elliptic Curves Cryptography and factorization
Revision. Cryptography depends on some properties of prime numbers. One of these is that it is rather easy to generate large prime numbers, but much harder.
A Prime Example CS Lecture 20 A positive integer p  2 is prime if the only positive integers that divide p are 1 and p itself. Positive integers.
Public Key Encryption Major topics The RSA scheme was devised in 1978
Numerical Algorithms x x-1 Numerical Algorithms
Public Key Cryptosystems - RSA
RSA Cryptosystem Bits PCs Memory MB ,000 4GB 1,020
Homework 3 As announced: not due today 
Parallel Quadratic Sieve
Analysis of the RSA Encryption Algorithm
Factoring RSA Moduli: Current State of the Art J
Mathematical Background for Cryptography
Presentation transcript:

6.4 Factoring

1. The Pollard’s p-1 algorithm input: an integer n , and a prespecified “bound” B output:factors of n

Why? Suppose p is a prime divisor of n, and suppose that q <= B for every prime power q|(p-1). Then (p-1)|B! At the end of for loop, we have a=2B! mod n Now 2p-1=1 mod p (by Fermat’s little Thm) Since (p-1)|B!, it follows a=2B! =1 mod p and hence p|(a-1). Since we also have p|n, d=gcd(a-1, n) will be a non-trivial divisor of n (unless a=1).

E.g. n=15770708441, B=180 a = 2180! = 11620221425 D = gcd(a-1, n) = 135979 In fact, the complete factorization of n into primes is 15770708441 = 135979 x 115979 The factorization succeeds because 135978 has only “small” prime factors: 135978 = 2 x 3 x 131 x 173

2. The Pollard’s rho algorithm input: an integer n output:factors of n (1) Selecting a “random” function f with integer coefficients , and any Begin with x=x0 and y=y0. (2) Repeat the two calculations until d=gcd(x-y,n)>1. (3) Do the following compare 3.1 If d<n, we have succeeded. 3.2 If d=n, the method is failed. Goto (1). (*) A typical choice of f(x)=x2+1, with a seed x0=2.

Complexity of rho method We expect this method to use the function f at most E.g:n=551, f(x)=x2+1 mod 551 and x0=2. 5 26 126 449 240 1 19

3. Dixon’s random squares algorithm The idea is to locate with if gcd(x+y,n) is a nontrivial factor of n. (Why?) since n|(x-y)(x+y) but neither of x-y or x+y is divisible by n. Eg. n=15, x=2, y=7 (22=72 mod 15) => gcd(2+7,15)=3 is a nontrivial factor of n. Eg. n=77, x=10, y=32 (102=322 mod 77) => gcd(10+32,77)=7 is a nontrivial factor of n.

factor base and pt-smooth A factor base B={p1, p2,…,pt} consisting of the first t primes is selected. If b factors over B, b is said to be pt-smooth. Eg:B={2,3,5}, b=23*56 is 5-smooth; b=23*76 is not 5-smooth. We may include -1 in B to handle the negative b B={p0, p1, p2,…,pt}, with p0=-1.

Algorithm input: a composite integer n and factor base B= {p1, p2,…,pt} output:factors of n (1) Suppose t+1 pairs (ai, bi=ai2 mod n) are obtained, where bi is pt-smooth over B and the factorizations are given by (2) A set S is to be selected so that has only even powers of primes appearing. (3) Let , and do the following compare 3.1 If 3.2 If

Eg :n=10057, t=5, B={2,3,5,7,11} 1 2 231 1018 968 2*509 (discard!) 23*112 25*32*11 105 115 3168 3 4 5 1006 6336 8800 26*32*11 25*52*11 2*32*72 3010 4014 882 6 28*11 4023 2816 If S={4,5,6}, then x=3010*4014*4023 mod n=2748 y=27*3*5*7*11 mod n=7042 Since , we obtain a nontrivial factor gcd(x+y,n)=89, and 10057=89*113. If S={1,5}, then x=105*4014 mod n=9133 and y=22*3*7*11=924. Unfortunately, , and no useful information is obtained.

Eg :n=15770708441, t=6, B={2,3,5,7,11, 13} 83409341562 = 3*7 (mod n) 120449429442 = 2*7*13 (mod n) 27737000112 = 2*3*13 (mod n) (8340934156*12044942944*2773700011)2 = (2*3*7*13)2 (mod n) 95034357852 = 5462 (mod n) gcd(9503435785–546, 15770708441)=115759 to find the factor 115759 of n

Improvements: We may include -1 in B to handle the negative b B={p0, p1, p2,…,pt}, with p0=-1. Define Let ai=z+m and bi= q(z) = ai2 - kn for z=0,1,-1,2,-2, … k=1,2, …

Quadratic sieve algorithm (simple version) input: a composite integer n output:factors of n (1) choose a suitable P and construct a factor base (2) Define (3) Let ai=z+m and bi=q(z)=ai2-n for z=0,1,-1,2,-2,… A set S is to be selected so that has only even powers of primes appearing. (4) Let , and do the following

Eg :n=10057 If S={1}, then x=101 and y= =22*3. -1 1 100 -57 -256 -3*19 -28 24*32 99 101 144 -3 5 97 -648 968 -23*34 23*112 105 If S={1}, then x=101 and y= =22*3. Since , we obtain a nontrivial factor gcd(x+y,n)=113, and 10057=89*113. If S={-1,-3, 5}, then x=99*97*105 and y=27*32*11. Unfortunately, , and no useful information is obtained.

4. Factoring algorithms in practice (Asymptotic running times) 1. Quadratic sieve 2. Elliptic curve (p is the smallest prime factor of n) 3. Number field sieve

The RSA Challenge http://www.rsa.com/rsalabs/node.asp?id=2092 RSA-640 is factored! (11/2/2005) (193 digits) RSA-200 is factored! (5/9/2005) (663 bits) RSA-576 is factored! (12/3/2003) (174 digits) RSA-160 is factored! (1/6/2003) (530 bits) RSA-155 is factored! (8/22/1999) (512 bit) RSA-140 is factored! (2/2/1999)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.