Published by Adrian Hubbard. Modified over 9 years ago.
1
Copyright, Yogesh Malhotra, PhD, 2013. www.yogeshmalhotra.com

SPECIAL PURPOSE FACTORING ALGORITHMS

Special Purpose Factoring Algorithms
- For a special class of numbers (M, F); can't do hard composites.
  - Mersenne primes of the form 2^n – 1.
- Efficiency depends on unknown factors.
- Best for factoring smooth composites with small prime factors.
  - 1,620 has prime factors 2^2 × 3^4 × 5 ⇒ 1,620 is 5-smooth.
- Too slow for most factoring jobs. Would run forever or fail for RSA composites.

Examples
- Trial division: trial-divide by possible factors, check for zero remainder.
- Pollard's p − 1: based on Fermat's Little Theorem.
- Pollard's ρ: Monte Carlo method (8th Fermat number).
- Elliptic Curve Method (ECM): p − 1 for points on an elliptic curve.
2
GENERAL PURPOSE FACTORING ALGORITHMS

General Purpose Factoring Algorithms
- Efficiency depends on the size of the integer to factor.
- Can factor any integer of a given size in about the same time as any other integer of that size.
- Suitable for RSA-type hard composites with no small prime factors.
  - RSA cryptosystem: numbers used for the modulus do not have any small prime factors, e.g. RSA-768:
    1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
    = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
    × 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
3
GENERAL PURPOSE FACTORING ALGORITHMS

Congruent Squares: underlies CFRAC, QS, NFS
- Legendre's Congruence
- Prime factors p & q
4
GENERAL PURPOSE FACTORING ALGORITHMS
CONTINUED FRACTIONS (CFRAC), QUADRATIC SIEVE (QS), NUMBER FIELD SIEVE (NFS)

The above 3 GPFAs consist of the same 3 basic steps:
1. Identify a set of relations smooth over some factor base.
2. Solve a system of linear equations to find relations yielding squares.
3. Compute the GCD of the composite and the squares found above.

Same I/O: input is a composite integer n, output is a nontrivial factor p of n.
Difference: how the integer pairs satisfying the congruence (relation) are found: CFRAC, QS, NFS.
5
NUMBER FIELD SIEVES: MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS

- Special Number Field Sieve (SNFS): special-purpose; efficient for integers of the form r^e ± s.
- General Number Field Sieve (GNFS or NFS): most efficient classical algorithm known (> 100 digits).
- Quadratic Sieve (QS): second fastest method known (fastest for < 100 digits).
- Rational Sieve (RS): special case of NFS, far less efficient, useless in practice.
6
NUMBER FIELD SIEVES: MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS

Fastest General Purpose Factoring Algorithm
- The Number Field Sieve (NFS): faster than MPQS.
- NFS variant used in the recent 232-digit RSA-768 factoring.

“Recent improvements to the Number Field Sieve make the NFS more efficient than MPQS* in factoring numbers larger than about 115 digits, while MPQS is better for small integers… It is now estimated that if the NFS had been used for RSA-129, it would have taken one quarter of the time. Clearly, NFS has overtaken MPQS as the most widely used factoring algorithm.”
Source: RSA Laboratories, “What are the best factoring methods in use today?”
*Multiple Polynomial Quadratic Sieve
7
NUMBER FIELD SIEVES: MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS

“The best known algorithm for factoring large numbers is the General Number Field Sieve (GNFS).”

“GNFS consists of a sieving phase that searches a fixed set of prime numbers for candidates that have a particular algebraic relationship, modulo the number to be factored. This is followed by a matrix solving phase that creates a large matrix from the candidate values, then solves it to determine the factors.

“The sieving phase may be done in distributed fashion, on a large number of processors simultaneously. The matrix solving phase requires massive amounts of storage and is typically performed on a large supercomputer.”
Source: RSA Laboratories, “The RSA Factoring Challenge FAQ”
8
NUMBER FIELD SIEVES: MOST EFFICIENT FACTORIZATION OF LARGE INTEGERS

For large n, NFS asymptotically outperforms QS, RS.
- RS & QS: find smooth numbers exponential in n.
  - QS operates over integers only: ℤ × ℤ.
- NFS operates over a Number Field and a Number Ring over ℤ and the ring ℤ[m], i.e., ℤ × ℤ[m].
  - m is a root of the polynomial f(x).
  - NF is a finite field extension of the field ℚ.
  - NR is a subring of NF.
- NFS finds smooth numbers sub-exponential in n.
- Find congruent squares mod n (congruence, relation) → non-trivial factors of n.
9
NUMBER FIELD SIEVE: OUTLINE OF STEPS IN THE ALGORITHM

1. Polynomial Selection
   Find f(x) irreducible over ℤ[x] with root m modulo n, f(x) ∈ ℤ[x].
2. Finding Factor Bases
   Choose size for factor bases and set up:
   - Rational Factor Base, RFB
   - Algebraic Factor Base, AFB
   - Quadratic Character Base, QCB
3. Sieving → Set S of relations (a, b)
   Find pairs of integers (a, b) with properties:
   - gcd(a, b) = 1 (a, b are relatively prime)
   - a + bm is smooth over RFB
   - b^deg(f) · f(a/b) is smooth over AFB
   Pairs (a, b) with the above properties: relations.
10
NUMBER FIELD SIEVE: OUTLINE OF STEPS IN THE ALGORITHM
11
NUMBER FIELD SIEVE: [ALGEBRAIC] NUMBER FIELD

- r is an algebraic number of degree k – 1 if r is a root of a nonzero polynomial with coefficients a ∈ ℚ, and r satisfies no similar equation of degree < k – 1 (irreducible).
- [Algebraic] Number Field ℚ[r]: all expressions constructed from r by repeated +, –, ∗, ∕.
- Finite degree field extension ℚ[r] of the field ℚ.
  - Degree: its dimension as a vector space over ℚ.
- Field – Commutative Ring – Abelian Group – Set (axioms: Cl, As, In, Id)
12
NUMBER FIELD SIEVE ALGORITHM: POLYNOMIAL SELECTION

Find f(x) irreducible over ℤ[x] with root m modulo n, f(x) ∈ ℤ[x].
- Base-m for the desired root; set (ℤ/nℤ)[x]
- Polynomial yield

Polynomial Selection Steps
1. Identify a large set of usable polynomials.
2. Remove bad polynomials from the set (α heuristics).
3. Small sieving experiments on the remaining polynomials.
4. Choose the one with the best yield.
13
NUMBER FIELD SIEVE ALGORITHM: FINDING FACTOR BASES

Factor bases (FB) specify a well-defined domain of smooth primes for the NFS algorithm, consistent with the congruence.
Choose FB and set up primes smooth over the respective FB: Rational, Algebraic, Quadratic (higher p_i's).
Factor bases specify primes smooth over RFB, AFB, QCB:
- RFB: primes 2, 3, 5, … up to an empirically known bound (a + bm).
- AFB: set of prime ideals in a ring of algebraic integers.
- QCB: small set of first degree prime ideals not in AFB.
14
NUMBER FIELD SIEVE ALGORITHM: SIEVING → SET S OF RELATIONS (a, b)

Find usable relations (a, b) with properties:
- gcd(a, b) = 1 (a, b are relatively prime)
- a + bm is smooth over RFB
- b^deg(f) · f(a/b) is smooth over AFB

- Optimization of sieving → biggest efficiency gain.
- Optimization of memory usage: reuse arrays, use the smallest possible data types.
- Rational Sieve (a – bm ∈ ℤ) vs. Algebraic Sieve: an (a, b) passing through both is smooth over RFB and AFB.
- Classical Line Sieving vs. faster Lattice Sieving.
15
NUMBER FIELD SIEVE ALGORITHM: SIEVING → SET S OF RELATIONS (a, b)

Line Sieving
- Needs less memory; best for small to medium primes.
- Sieve over all (a, b) pairs, one b-value at a time.
- For each prime (p, r), find all pairs divisible by it.

Lattice Sieving
- Needs more memory; best for large primes.
- Fix a medium sized prime (q, s) ∈ AFB.
- Sieve over all (a, b) pairs s.t. |(q, s)
- Form a lattice of vectors for two such pairs.

Output: set of (a, b) pairs that are RFB and AFB smooth.
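As an added example (not from the slides), a rational-side line sieve over a + bm as described above: one b-value per line, and for each prime p in the RFB every a with a + bm ≡ 0 (mod p) is hit by stepping through the line in strides of p, dividing out p until only RFB-smooth, coprime survivors remain. m, the RFB and the sieve region are constructed toy values; the brute-force routine exists only to cross-check the sieve.

```python
from math import gcd

def rational_line_sieve(m, rfb, a_range, b_range):
    """Rational sieve a + b*m over the RFB, one b-line at a time.
    Returns {(a, b): a + b*m} for coprime pairs that are fully RFB-smooth."""
    a_lo, a_hi = a_range
    relations = {}
    for b in b_range:                                  # one line (fixed b) at a time
        # cofactor array for the line: |a + b*m| for every a in [a_lo, a_hi)
        row = [abs(a + b * m) for a in range(a_lo, a_hi)]
        for p in rfb:
            # p | a + b*m  <=>  a ≡ -b*m (mod p); locate the first such a in the line
            start = (-b * m - a_lo) % p
            for i in range(start, len(row), p):        # then every p-th entry after it
                while row[i] > 0 and row[i] % p == 0:  # divide out the full power of p
                    row[i] //= p
        for i, cofactor in enumerate(row):
            a = a_lo + i
            # survivor: cofactor 1 means every prime factor was in the RFB;
            # gcd(a, b) = 1 discards duplicates of the same relation
            if cofactor == 1 and gcd(a, b) == 1:
                relations[(a, b)] = a + b * m
    return relations

def is_smooth(x, base):
    """Trial-division smoothness test, used only to cross-check the sieve."""
    x = abs(x)
    for p in base:
        while x % p == 0:
            x //= p
    return x == 1

def brute_force_relations(m, rfb, a_range, b_range):
    """Same output as the sieve, computed pair by pair without sieving."""
    return {(a, b): a + b * m
            for b in b_range for a in range(*a_range)
            if a + b * m != 0 and gcd(a, b) == 1 and is_smooth(a + b * m, rfb)}

if __name__ == "__main__":
    # constructed toy parameters: m = 31, RFB = primes up to 13, a in [-30, 30], b in 1..5
    rels = rational_line_sieve(31, [2, 3, 5, 7, 11, 13], (-30, 31), range(1, 6))
    for (a, b), v in sorted(rels.items()):
        print(f"(a, b) = ({a:3d}, {b}) -> a + b*m = {v}")
```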
16
NUMBER FIELD SIEVE ALGORITHM: SOLVING LINEAR EQUATIONS USING MATRIX

RFB and AFB smooth (a, b) pairs are filtered…
- Find a subset of pairs which yields a square, i.e. … the primes in its unique factorization all have even powers.
- E.g. from {34, 89, 46, 32, 56, 8, 51, 43, 69}, take {34, 46, 51, 69}:
  34 · 46 · 51 · 69 = 5,503,716 = 2² · 3² · 17² · 23² = (2 · 3 · 17 · 23)²
- Equivalent to solving a system of linear equations.
- Solve using a matrix of RFB and AFB smooth (a, b) pairs.
  - Matrix consists of the factorization over RFB and AFB.
  - Minimize matrix size: [1 for odd, 0 for even] power.
  - Transform the matrix to reduced echelon form.
- Use Gaussian Elimination to solve the matrix… suboptimal… Block Lanczos or Block Wiedemann for optimal run time.
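As an added worked example (not from the slides), the set {34, 89, 46, 32, 56, 8, 51, 43, 69} above is filtered for smoothness over an assumed factor base of primes up to 23, its odd/even exponent parities form the 0/1 matrix, and Gaussian elimination over GF(2) yields each subset whose product is a square (the slide's {34, 46, 51, 69} with root 2346 among them). The same routine then drives a toy Dixon-style run of the three GPFA steps from the CFRAC/QS/NFS slide (relations, linear algebra, gcd) on the constructed composite n = 84923; this stands in for the NFS pipeline, not for its number-field machinery.

```python
from math import gcd, isqrt

def factor_over_base(x, base):
    """Exponent vector of x over the factor base, or None if x is not smooth."""
    exps = [0] * len(base)
    for i, p in enumerate(base):
        while x % p == 0:
            x //= p
            exps[i] += 1
    return exps if x == 1 else None

def gf2_dependencies(rows):
    """GF(2) elimination on parity bitmasks; returns index sets whose rows XOR to 0."""
    pivots, deps = {}, []            # pivot bit -> (reduced row, which inputs built it)
    for i, r in enumerate(rows):
        combo = 1 << i               # bitmask of original rows combined into r
        while r:
            hb = r.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = (r, combo)
                break
            pr, pc = pivots[hb]
            r, combo = r ^ pr, combo ^ pc
        if r == 0:                   # r vanished: combo is a dependency
            deps.append([j for j in range(len(rows)) if combo >> j & 1])
    return deps

def square_subsets(values, base):
    """Keep smooth values, build the 1-for-odd/0-for-even matrix, return
    (indices into values, square root of their product) per dependency."""
    smooth = [(i, e) for i, v in enumerate(values) if (e := factor_over_base(v, base)) is not None]
    rows = [sum(1 << k for k, ex in enumerate(e) if ex % 2) for _, e in smooth]
    out = []
    for dep in gf2_dependencies(rows):
        idx = [smooth[j][0] for j in dep]
        prod = 1
        for i in idx:
            prod *= values[i]
        out.append((idx, isqrt(prod)))   # exact: every prime power is even
    return out

def dixon_factor(n, base, span):
    """Toy GPFA: relations x^2 mod n smooth over base -> GF(2) linear algebra
    for a congruent square x^2 ≡ y^2 (mod n) -> gcd(x ± y, n)."""
    xs = list(range(isqrt(n) + 1, isqrt(n) + 1 + span))
    for idx, y in square_subsets([x * x % n for x in xs], base):
        x = 1
        for i in idx:
            x = x * xs[i] % n
        for d in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < d < n:
                return d
    return None
```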
17
NUMBER FIELD SIEVE ALGORITHM: SOLVING LINEAR EQUATIONS USING MATRIX
18
NUMBER FIELD SIEVE ALGORITHM: CALCULATING SQUARE ROOTS IN NUMBER FIELDS
19
NUMBER FIELD SIEVE: OUTLINE OF STEPS IN THE ALGORITHM

1. Polynomial Selection
   Find f(x) irreducible over ℤ[x] with root m modulo n, f(x) ∈ ℤ[x].
2. Finding Factor Bases
   Choose size for factor bases and set up:
   - Rational Factor Base, RFB
   - Algebraic Factor Base, AFB
   - Quadratic Character Base, QCB
3. Sieving → Set S of relations (a, b)
   Find pairs of integers (a, b) with properties:
   - gcd(a, b) = 1 (a, b are relatively prime)
   - a + bm is smooth over RFB
   - b^deg(f) · f(a/b) is smooth over AFB
   Pairs (a, b) with the above properties: relations.
20
NUMBER FIELD SIEVE: OUTLINE OF STEPS IN THE ALGORITHM