Presentation is loading. Please wait.

Presentation is loading. Please wait.

Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001."— Presentation transcript:

1 Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001

2 Motivation In RSA, the public modulus n=p×q, where p and q are primes (p  q) and private Factoring the public modulus: n => p×q =>  (n)=(p-1)(q-1) => d ≡ e -1 mod  (n) => break RSA

3 RSA-129 history Factoring 129 decimal digits Solved April 1994 Method: Multiple Polynomial Quadratic Sieve People: used the internet to solicit the help of about 600 volunteers and their computers from around the world Time: eight months

4 RSA challenge Prize: $20,000 RSA-640(640 bits, 193 decimal digits) 310741824049004372135075003588856793 003734602284272754572016194882320644 051808150455634682967172328678243791 627283803341547107310850191954852900 733772482278352574238645401469173660 2477652346609

5 Outline Trial division Pollard p-1 algorithm Pollard Rho  algorithm Dixon ’ s random squares algorithm Main idea: Factor n is hard => calculate gcd(a, n) is easy => How to find a number a that has a non- trivial gcd with n

6 Trial division If n is composite, it has a prime factor Trial division: divide n by every odd integer up to Is this method practical? : try times (about 428 bits): try times It was solved in 1994 by quadrative sieve method

7 Pollard p-1 algorithm 1974, make use of Fermat ’ s theorem: x p-1 mod p = 1, gcd(x,p)=1 Target p : which is a prime factor of n (given modulus) (Fermat’s theorem) (p-1) is even => its prime powers are less than B, A constant bound, discuss it later => (p-1) | B! Compute 我們當然不知道 p, 所以藉由此 關係式,由 B! 來估 p 1 2 p-1 ≡1 mod p Since p | n => 2 (a 可由給定 B 後計算得出 )

8 Pollard p-1 algorithm (cont.) 1 2 p-1 ≡1 mod p 2 Because (p-1) | B! => p | (a-1) We also have p | n => p | d, d = gcd(a-1, n) d is a non-trivial factor of n Step1: compute Step2: compute d = gcd(a-1, n)

9 Example: Pollard p-1 algorithm n=15770708441, B=180 Step 1: compute a=11620221425 Step 2: compute d = gcd(a-1, n) d=135979 is a factor of n We can verify that 15770708441=135979x115979 The key to success: a-1=135978=2x3x131x173, the factors < B=180

10 Issues about Pollard p-1 algorithm Complexity: depend on B Compute Compute gcd If, then it is no faster than trial division ! Drawback: it succeeds if p-1 has small prime factors (implies small B) Improve RSA to resist Pollard p-1 algorithm Find a large prime p 1, such that p=2p 1 +1 is a prime (This implies p-1 has a large prime factor p 1 ) Find a large prime q 1, such that q=2q 1 +1 is a prime Set n=pq

11 Outline Trial division Pollard p-1 algorithm Pollard Rho  algorithm Dixon’s random squares algorithm

12 Pollard Rho algorithm: basic idea Let p be the smallest prime divisor of n Suppose there exists two integers, such that and => We can obtain a non-trivial factor of n by gcd Q: How to find such integers ? 0n-1p-1 x x ’

13 Pollard Rho algorithm: primitive method Try to find a subset, and hope that such x, x’ exist Condition of success: there is a collision in X after mod p We don ’ t know p, so we can ’ t compute We compute for all distinct 0n-1p-1 x x ’ 0n-1p-1 x Birthday paradox: if, there is a 50% probability of at least one collision

14 Pollard Rho algorithm: Challenge in complexity We must compute for each pair of => gcd computation, we know => If n=pq has two close prime factors, this complexity is close to trial division

15 Pollard Rho algorithm Goal: reduce gcd computation by novel choice of subset X Generation of subset X Choose f(x): a polynomial Initially choose Generate Example: n=7171, Ex. 1 => 2 => 5 => 26 => 677 => 6557 => 4105 6347 => 4903 => 2218 => 219 => 4936 => 4210 => 4560 4872 => 375 => 4377 => 4389 => 2016 => 5471 => 88

16 Pollard Rho algorithm (cont.) Result: the previous subset requires few gcd computations, why? Recall: subset if there exists Thm: Rho(  ) collision structure (after mod p) and => Hint: the subset has well-formed collision structure (collision) x1x1 x2x2 f x3x3 x4x4 … xixi x i+1 … x j-1 … x 2j-i-1 xjxj x j+1 The first collision implies later collision

17 Pollard Rho algorithm (cont.) Example: n=7171, 1 2 5 26 677 6557 4105 6347 4903 2218 …4389 2016 5471 88 Generated subset: n=7171=71x101 (we factor n for demonstration) mod 71 1 2 5 26 38 25 58 28 4 17 … 58 28 4 17 Repeated collision Fixed period Recall: we don ’ t know p, we find the first collision by gcd computation

18 Pollard Rho algorithm (cont.) How does the collision structure save gcd computation? x1x1 x2x2 f d=gcd(x 1 - x 2, n) d=1 We found the factor d=1 Implies no period=1 cycles x1x1 x2x2 x3x3 x4x4 d=gcd(x 2 - x 4, n) d=1 Implies no period=2 cycles x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10

19 Pollard Rho algorithm: proof for Rho structure If then f is a polynomial definition Similarly. p | n Δ

20 Complexity of Polland Rho algolrithm The expected complexity is Possible failure: the subset X doesn ’ t contain a collision The probability is roughly p/n (small when n is large, because ) Upon failure, simply try another initial x 1 and polynomial function f(x)

21 Outline Trial division Pollard p-1 algorithm Pollard Rho algorithm Dixon’s random squares algorithm

22 Fact: if we can find x≡y mod n such that x 2 ≡y 2 mod n then n | (x-y)(x+y) The above implies gcd( x+y,n) and gcd( x-y,n) are non-trivial factor of n Idea: 找到和 n 有最大公因數的數 (x+y and x-y in this case) Ex. => 10 2 ≡ 32 2 mod 77 => gcd(10+32, 77) = 7 is a factor of 77

23 Dixon ’ s random squares algorithm (cont.) Q: How to find such x and y? Example: n=1577078441, we can build a factor base B={2,3,5,7,11,13} 8340934156 2 ≡ 3×7 mod n 12044942944 2 ≡ 2×7×13 mod n 2773700011 2 ≡ 2×3×13 mod n x 2 ≡y 2 mod n x≡y mod n If we can find => (8340934156×12044942944×2773700011) 2 ≡ (2×3×7×13) 2 mod n => 9503435785 2 ≡ 546 2 mod n Problem1: Generate random squares, talk later Problem2: find a subset of congruences that yield a power of 2 on the right

24 Problem 2: find a subset of congruences For a factor base B={2,3, …,p b } (b 個由小到大的質數 ) If we can obtain c (>b) congruences: … mod 2 a 1 =(0, 1, 0, 1, 0, 0) [ 前一頁例子 ] a 2 =(1, 0, 0, 1, 0, 1) a 3 =(1, 1, 0, 0, 0, 1) a 1 +a 2 +a 3 (mod 2) = (0, 0, 0, 0, 0, 0) Produce even powers in right hand side => The problem of find a subset of congruence is reduced to find a subset of a vectors such that they are linear dependent. (c>b can guarantee such dependence exists)

25 Problem 1: random squares Q: How to find z, such that Sol: try for k=1, 2, 3, … Ex. n=1829  z / n 的餘數可由 factor base 內的質數因式分解 (Hint: factor base 內都是小的質數 ) Try z=42, 43 60, 61 74, 7585, 86

26 Problem 1: random squares (cont.) Set factor base B={-1, 2, 3, 5, 7, 11, 13} mod n (=1829) => Find a subset: => gcd(1459+901, 1829) = 59

27 Issues about random squares Q: How large is the factor base? It is a trade-off: |B| is larger, the more possible that z 2 mod n factors over B However, for larger |B|, we need to find more congruences to find a linear dependent subset

Download ppt "Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001."

Similar presentations

Integer Factorization By: Josh Tuggle & Kyle Johnson.

Integer Factorization By: Josh Tuggle & Kyle Johnson.
Prime recognition and factorization

Prime recognition and factorization
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
Section 4.1: Primes, Factorization, and the Euclidean Algorithm Practice HW (not to hand in) From Barr Text p. 160 # 6, 7, 8, 11, 12, 13.

Section 4.1: Primes, Factorization, and the Euclidean Algorithm Practice HW (not to hand in) From Barr Text p. 160 # 6, 7, 8, 11, 12, 13.
Chapter 8 Introduction To Number Theory. Prime Numbers Prime numbers only have divisors of 1 and Prime numbers only have divisors of 1 and self. self.

Chapter 8 Introduction To Number Theory. Prime Numbers Prime numbers only have divisors of 1 and Prime numbers only have divisors of 1 and self. self.
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Lecture 8: Primality Testing and Factoring Piotr Faliszewski
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
Primality Testing By Ho, Ching Hei Cheung, Wai Kwok.

Primality Testing By Ho, Ching Hei Cheung, Wai Kwok.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Foundations of Network and Computer Security J J ohn Black Lecture #7 Sep 14 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #7 Sep 14 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.

Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
and Factoring Integers (I)

and Factoring Integers (I)
Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.
1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel:03- 5742968, Fax : 886-3-572-3694.

1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

Similar presentations

Ads by Google