Integer Factorization using lattices

Antonio Vera

INRIA Nancy/CARAMEL team/ANR CADO/ANR LAREDA

Workshop Lattice Algorithmics - CIRM - February 2010 Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions

Plan

Introduction The search for “relations”

Termination considerations

Conclusions

Plan

Introduction

Outline of the algorithm Termination considerations

Conclusions

Plan

Introduction

Outline of the algorithm

The search for “relations” Conclusions

Plan

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations Plan

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions Outline

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions I Example: given N = 6, return 2 or 3.

I The decisional problem belongs to NP ∩ coNP (Pratt, 1975).

I Hence, it is unlikely to be NP-complete.

I Practical intractability is at the base of the RSA public key cryptosystem.

I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.

The Integer Factorization Problem

I Given a composite integer N, compute a proper divisor. I The decisional problem belongs to NP ∩ coNP (Pratt, 1975).

I Hence, it is unlikely to be NP-complete.

I Practical intractability is at the base of the RSA public key cryptosystem.

I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.

The Integer Factorization Problem

I Given a composite integer N, compute a proper divisor.

I Example: given N = 6, return 2 or 3. I Hence, it is unlikely to be NP-complete.

I Practical intractability is at the base of the RSA public key cryptosystem.

I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.

The Integer Factorization Problem

I Given a composite integer N, compute a proper divisor.

I Example: given N = 6, return 2 or 3.

I The decisional problem belongs to NP ∩ coNP (Pratt, 1975). I Practical intractability is at the base of the RSA public key cryptosystem.

I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.

The Integer Factorization Problem

I Given a composite integer N, compute a proper divisor.

I Example: given N = 6, return 2 or 3.

I The decisional problem belongs to NP ∩ coNP (Pratt, 1975).

I Hence, it is unlikely to be NP-complete. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009.

The Integer Factorization Problem

I Given a composite integer N, compute a proper divisor.

I Example: given N = 6, return 2 or 3.

I The decisional problem belongs to NP ∩ coNP (Pratt, 1975).

I Hence, it is unlikely to be NP-complete.

I Practical intractability is at the base of the RSA public key cryptosystem. The Integer Factorization Problem

I Given a composite integer N, compute a proper divisor.

I Example: given N = 6, return 2 or 3.

I The decisional problem belongs to NP ∩ coNP (Pratt, 1975).

I Hence, it is unlikely to be NP-complete.

I Practical intractability is at the base of the RSA public key cryptosystem.

I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. I Schnorr seems to be the first which applied this to integer factorization, in 1993.

I In the beginning, completely theoretical.

I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration.

I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes.

Integer Factorization with Lattice Reduction

I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. I In the beginning, completely theoretical.

I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration.

I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes.

Integer Factorization with Lattice Reduction

I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations.

I Schnorr seems to be the first which applied this to integer factorization, in 1993. I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration.

I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes.

Integer Factorization with Lattice Reduction

I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations.

I Schnorr seems to be the first which applied this to integer factorization, in 1993.

I In the beginning, completely theoretical. I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes.

Integer Factorization with Lattice Reduction

I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations.

I Schnorr seems to be the first which applied this to integer factorization, in 1993.

I In the beginning, completely theoretical.

I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration. Integer Factorization with Lattice Reduction

I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations.

I Schnorr seems to be the first which applied this to integer factorization, in 1993.

I In the beginning, completely theoretical.

I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration.

I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes. I Understand the complexity of the algorithm.

I Implement an optimized version, `apriori aimed at fixed-size integers.

Preliminary goals

I Improve the results of the original paper to make them effective. I Implement an optimized version, `apriori aimed at fixed-size integers.

Preliminary goals

I Improve the results of the original paper to make them effective.

I Understand the complexity of the algorithm. Preliminary goals

I Improve the results of the original paper to make them effective.

I Understand the complexity of the algorithm.

I Implement an optimized version, `apriori aimed at fixed-size integers. Outline

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions 2 2 I 100 is 5-smooth since 100 = 2 · 5 .

I All integers ≤ B are B-smooth.

I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y, N).

Definition An integer is B-smooth when all of its prime factors are ≤ B.

Philosophy of the algorithm Congruence of squares method

I As in many factorization methods, we want to find integers x, y ∈ Z, x 6= ±y such that

x2 ≡ y 2 mod N. 2 2 I 100 is 5-smooth since 100 = 2 · 5 .

I All integers ≤ B are B-smooth.

Definition An integer is B-smooth when all of its prime factors are ≤ B.

Philosophy of the algorithm Congruence of squares method

I As in many factorization methods, we want to find integers x, y ∈ Z, x 6= ±y such that

x2 ≡ y 2 mod N.

I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y, N). 2 2 I 100 is 5-smooth since 100 = 2 · 5 .

I All integers ≤ B are B-smooth.

Definition An integer is B-smooth when all of its prime factors are ≤ B.

Philosophy of the algorithm Congruence of squares method

I As in many factorization methods, we want to find integers x, y ∈ Z, x 6= ±y such that

x2 ≡ y 2 mod N.

I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y, N). 2 2 I 100 is 5-smooth since 100 = 2 · 5 .

I All integers ≤ B are B-smooth.

Philosophy of the algorithm Congruence of squares method

I As in many factorization methods, we want to find integers x, y ∈ Z, x 6= ±y such that

x2 ≡ y 2 mod N.

I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y, N).

Definition An integer is B-smooth when all of its prime factors are ≤ B. I All integers ≤ B are B-smooth.

Philosophy of the algorithm Congruence of squares method

I As in many factorization methods, we want to find integers x, y ∈ Z, x 6= ±y such that

x2 ≡ y 2 mod N.

I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y, N).

Definition An integer is B-smooth when all of its prime factors are ≤ B.

2 2 I 100 is 5-smooth since 100 = 2 · 5 . Philosophy of the algorithm Congruence of squares method

I As in many factorization methods, we want to find integers x, y ∈ Z, x 6= ±y such that

x2 ≡ y 2 mod N.

I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y, N).

Definition An integer is B-smooth when all of its prime factors are ≤ B.

2 2 I 100 is 5-smooth since 100 = 2 · 5 .

I All integers ≤ B are B-smooth. I Fix d ≥ 1 and build the factor base

{p0,..., pd }, where p0 = −1, p1 = 2, p2 = 3, p3 = 5,....

I Find d + 2 solutions of

u = v + kN

where k ∈ Z, and u, v are pd -smooth.Write the identities in the following form

d d Y ai,j Y bi,j pj ≡ pj mod N i ∈ 1, d + 2 . j=0 j=0 J K

These last equalities are called relations.

Factorization algorithm principle

Given an integer N to be factored, do the following: Write the identities in the following form

d d Y ai,j Y bi,j pj ≡ pj mod N i ∈ 1, d + 2 . j=0 j=0 J K

These last equalities are called relations.

I Find d + 2 solutions of

u = v + kN

where k ∈ Z, and u, v are pd -smooth.

Factorization algorithm principle

Given an integer N to be factored, do the following:

I Fix d ≥ 1 and build the factor base

{p0,..., pd }, where p0 = −1, p1 = 2, p2 = 3, p3 = 5,.... Write the identities in the following form

d d Y ai,j Y bi,j pj ≡ pj mod N i ∈ 1, d + 2 . j=0 j=0 J K

These last equalities are called relations.

Factorization algorithm principle

Given an integer N to be factored, do the following:

I Fix d ≥ 1 and build the factor base

{p0,..., pd }, where p0 = −1, p1 = 2, p2 = 3, p3 = 5,....

I Find d + 2 solutions of

u = v + kN

where k ∈ Z, and u, v are pd -smooth. Write the identities in the following form

d d Y ai,j Y bi,j pj ≡ pj mod N i ∈ 1, d + 2 . j=0 j=0 J K

These last equalities are called relations.

Factorization algorithm principle

Given an integer N to be factored, do the following:

I Fix d ≥ 1 and build the factor base

{p0,..., pd }, where p0 = −1, p1 = 2, p2 = 3, p3 = 5,....

I Find d + 2 solutions of

u = v + kN

where k ∈ Z, and u, v are pd -smooth. Factorization algorithm principle

Given an integer N to be factored, do the following:

I Fix d ≥ 1 and build the factor base

{p0,..., pd }, where p0 = −1, p1 = 2, p2 = 3, p3 = 5,....

I Find d + 2 solutions of

u = v + kN

where k ∈ Z, and u, v are pd -smooth.Write the identities in the following form

d d Y ai,j Y bi,j pj ≡ pj mod N i ∈ 1, d + 2 . j=0 j=0 J K

These last equalities are called relations. I Define d Pd+2 Y i=1 ci (ai,j +bi,j )/2 x = pj mod N, j=0 and d d Pd+2 Pd+2 Y i=1 ci ai,j Y i=1 ci bi,j y = pj = pj mod N. j=0 j=0

I If x 6= y mod N then return gcd(x + y, N). Else, restart with another vector c. If there are not more of them, fail.

Factorization algorithm principle

I Define the exponent vectors

ai = (ai,0,..., ai,d ), bi = (bi,0,..., bi,d ), d+2 and compute a vector c = (c1,..., cd+2) ∈ {0, 1} such that d+2 X ci (ai + bi ) = 0 mod 2. i=1 I If x 6= y mod N then return gcd(x + y, N). Else, restart with another vector c. If there are not more of them, fail.

Factorization algorithm principle

I Define the exponent vectors

ai = (ai,0,..., ai,d ), bi = (bi,0,..., bi,d ), d+2 and compute a vector c = (c1,..., cd+2) ∈ {0, 1} such that d+2 X ci (ai + bi ) = 0 mod 2. i=1

I Define d Pd+2 Y i=1 ci (ai,j +bi,j )/2 x = pj mod N, j=0 and d d Pd+2 Pd+2 Y i=1 ci ai,j Y i=1 ci bi,j y = pj = pj mod N. j=0 j=0 Factorization algorithm principle

I Define the exponent vectors

ai = (ai,0,..., ai,d ), bi = (bi,0,..., bi,d ), d+2 and compute a vector c = (c1,..., cd+2) ∈ {0, 1} such that d+2 X ci (ai + bi ) = 0 mod 2. i=1

I Define d Pd+2 Y i=1 ci (ai,j +bi,j )/2 x = pj mod N, j=0 and d d Pd+2 Pd+2 Y i=1 ci ai,j Y i=1 ci bi,j y = pj = pj mod N. j=0 j=0

I If x 6= y mod N then return gcd(x + y, N). Else, restart with another vector c. If there are not more of them, fail. Outline

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions I We will see that lattices help in this search.

I Restate the equation we want to solve as

u − kN = v,

for u, v pd -smooth and k ∈ Z. I We can forget the constraint of pd -smoothness on v by solving

|u − kN| ≤ pd

for u pd -smooth and k ∈ Z.

Finding relations

I The core of the algorithm is the search for relations. I Restate the equation we want to solve as

u − kN = v,

for u, v pd -smooth and k ∈ Z. I We can forget the constraint of pd -smoothness on v by solving

|u − kN| ≤ pd

for u pd -smooth and k ∈ Z.

Finding relations

I The core of the algorithm is the search for relations.

I We will see that lattices help in this search. I We can forget the constraint of pd -smoothness on v by solving

|u − kN| ≤ pd

for u pd -smooth and k ∈ Z.

Finding relations

I The core of the algorithm is the search for relations.

I We will see that lattices help in this search.

I Restate the equation we want to solve as

u − kN = v,

for u, v pd -smooth and k ∈ Z. Finding relations

I The core of the algorithm is the search for relations.

I We will see that lattices help in this search.

I Restate the equation we want to solve as

u − kN = v,

for u, v pd -smooth and k ∈ Z. I We can forget the constraint of pd -smoothness on v by solving

|u − kN| ≤ pd

for u pd -smooth and k ∈ Z. I Schnorr codes a (u, k) pair in a vector

d z = (z1,..., zd ) ∈ Z ,

from which one recovers u and k by letting

Y zi Y −zi u = pi and k = pi . zi >0 zi <0

Finding relations

I This kind of equation can be solved by working on the exponents |u − kN| = |eln u − eln kN |, trying to make | ln u − ln kN| as small as possible, without increasing ln u and ln k too much. Finding relations

I This kind of equation can be solved by working on the exponents |u − kN| = |eln u − eln kN |, trying to make | ln u − ln kN| as small as possible, without increasing ln u and ln k too much.

I Schnorr codes a (u, k) pair in a vector

d z = (z1,..., zd ) ∈ Z ,

from which one recovers u and k by letting

Y zi Y −zi u = pi and k = pi . zi >0 zi <0 I We want the two quantities

d X | ln u − ln kN| = zi ln pi − ln N i=1 d X ln u + ln k = |zi | ln pi . i=1 to be small.

I This is where lattices enter the scene.

Finding relations

I With this notation, X X ln u = zi ln pi and ln k = −zi ln pi .

zi >0 zi <0 I This is where lattices enter the scene.

Finding relations

I With this notation, X X ln u = zi ln pi and ln k = −zi ln pi .

zi >0 zi <0

I We want the two quantities

d X | ln u − ln kN| = zi ln pi − ln N i=1 d X ln u + ln k = |zi | ln pi . i=1 to be small. Finding relations

I With this notation, X X ln u = zi ln pi and ln k = −zi ln pi .

zi >0 zi <0

I We want the two quantities

d X | ln u − ln kN| = zi ln pi − ln N i=1 d X ln u + ln k = |zi | ln pi . i=1 to be small.

I This is where lattices enter the scene. d I Let z ∈ Z be a coordinate vector. We have √  p  z1 ln p1 .  .  Spz − t =  √  .  z p ln p   d √ d  Pd p C( i=1 zi ln pi ln N)

Schnorr’s approach to factorization The Prime Number Lattice

I Define the Prime Number Basis and the target vector by √  p    ln p1 0 0 0 . .  0 .. 0   .  Sp =  √  and t =   .  p     0 0 ln pd   0  C ln p1 ··· C ln pd C ln N Schnorr’s approach to factorization The Prime Number Lattice

I Define the Prime Number Basis and the target vector by √  p    ln p1 0 0 0 . .  0 .. 0   .  Sp =  √  and t =   .  p     0 0 ln pd   0  C ln p1 ··· C ln pd C ln N

d I Let z ∈ Z be a coordinate vector. We have √  p  z1 ln p1 .  .  Spz − t =  √  .  z p ln p   d √ d  Pd p C( i=1 zi ln pi ln N) Theorem Let C ≥ 3. Then, for any nonzero integer vector z such that

||S1z − t||1 ≤ 2 ln C + 2 ln pd − ln N,

we have |u − kN| ≤ pd .

I By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves:

Schnorr’s approach to factorization Computing a relation using lattices.

I The norm is given by p d d p X p p X ||Spz − t||p = |zi | ln pi + C zi ln pi − ln N . i=1 i=1 Theorem Let C ≥ 3. Then, for any nonzero integer vector z such that

||S1z − t||1 ≤ 2 ln C + 2 ln pd − ln N,

we have |u − kN| ≤ pd .

Schnorr’s approach to factorization Computing a relation using lattices.

I The norm is given by p d d p X p p X ||Spz − t||p = |zi | ln pi + C zi ln pi − ln N . i=1 i=1

I By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves: Schnorr’s approach to factorization Computing a relation using lattices.

I The norm is given by p d d p X p p X ||Spz − t||p = |zi | ln pi + C zi ln pi − ln N . i=1 i=1

I By recycling a result of Micciancio [2, Prop. 5.10, page 105], one proves: Theorem Let C ≥ 3. Then, for any nonzero integer vector z such that

||S1z − t||1 ≤ 2 ln C + 2 ln pd − ln N,

we have |u − kN| ≤ pd . I Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations.

I Why not trying to solve the inequality

γ |u − kN | ≤ pd

for γ ≥ 1?

I Adleman used an approach similar to that of Schnorr, but where the search was of short vectors rather than close vectors.

Schnorr’s approach to factorization

I We have a polyhedron where every element of the lattice inside this polyhedron yields a relation. I Why not trying to solve the inequality

γ |u − kN | ≤ pd

for γ ≥ 1?

I Adleman used an approach similar to that of Schnorr, but where the search was of short vectors rather than close vectors.

Schnorr’s approach to factorization

I We have a polyhedron where every element of the lattice inside this polyhedron yields a relation.

I Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations. I Adleman used an approach similar to that of Schnorr, but where the search was of short vectors rather than close vectors.

Schnorr’s approach to factorization

I We have a polyhedron where every element of the lattice inside this polyhedron yields a relation.

I Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations.

I Why not trying to solve the inequality

γ |u − kN | ≤ pd

for γ ≥ 1? Schnorr’s approach to factorization

I We have a polyhedron where every element of the lattice inside this polyhedron yields a relation.

I Schnorr shows that for some choice of the parameters this polyhedron is expected to contain an exponential number of relations.

I Why not trying to solve the inequality

γ |u − kN | ≤ pd

for γ ≥ 1?

I Adleman used an approach similar to that of Schnorr, but where the search was of short vectors rather than close vectors. d+1 I We have, for z ∈ Z , √  p  z1 ln p1  .   √.  Apz =  p  .  zd ln pd   Pd   C i=1 zi ln pi + zd+1 ln N

Adleman’s approach to factorization

I The Prime Number Lattice of Adleman includes the previously called target vector : √  p  ln p1 0 0 0 .  0 .. 0 0  Ap =  √  .  p   0 0 ln pd 0  C ln p1 ··· C ln pd C ln N Adleman’s approach to factorization

I The Prime Number Lattice of Adleman includes the previously called target vector : √  p  ln p1 0 0 0 .  0 .. 0 0  Ap =  √  .  p   0 0 ln pd 0  C ln p1 ··· C ln pd C ln N

d+1 I We have, for z ∈ Z , √  p  z1 ln p1  .   √.  Apz =  p  .  zd ln pd   Pd   C i=1 zi ln pi + zd+1 ln N Theorem d+1 Let C ≥ 3 and z ∈ Z , with δ = |zd+1| and zd+1 ≤ 0. Then, if for γ ∈ N \{0}

||A1z||1 ≤ 2 ln C + 2 ln pd − (C(γ − δ) + δ) · ln N,

then γ |u − kN | ≤ pd .

Adleman’s approach to factorization

I The norm is given by

d d p X p p X p ||Apz||p = |zi | ln pi + C | zi ln pi + zd+1 ln N| . i=1 i=1 Adleman’s approach to factorization

I The norm is given by

d d p X p p X p ||Apz||p = |zi | ln pi + C | zi ln pi + zd+1 ln N| . i=1 i=1

Theorem d+1 Let C ≥ 3 and z ∈ Z , with δ = |zd+1| and zd+1 ≤ 0. Then, if for γ ∈ N \{0}

||A1z||1 ≤ 2 ln C + 2 ln pd − (C(γ − δ) + δ) · ln N,

then γ |u − kN | ≤ pd . Outline

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions I Are there at least d + 2 of these vectors?

I Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters α c pd = (ln N) C = N with c > 1 and α > (2c − 1)/(c − 1) constants, there are at least N+o(1) solution vectors,  ≡ (α, c) > 0.

I The analysis of the algorithm is not rigorous by now.

Are there enough relations?

I We gave a sufficient condition for a vector to give a relation. I Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters α c pd = (ln N) C = N with c > 1 and α > (2c − 1)/(c − 1) constants, there are at least N+o(1) solution vectors,  ≡ (α, c) > 0.

I The analysis of the algorithm is not rigorous by now.

Are there enough relations?

I We gave a sufficient condition for a vector to give a relation.

I Are there at least d + 2 of these vectors? I The analysis of the algorithm is not rigorous by now.

Are there enough relations?

I We gave a sufficient condition for a vector to give a relation.

I Are there at least d + 2 of these vectors?

I Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters α c pd = (ln N) C = N with c > 1 and α > (2c − 1)/(c − 1) constants, there are at least N+o(1) solution vectors,  ≡ (α, c) > 0. Are there enough relations?

I We gave a sufficient condition for a vector to give a relation.

I Are there at least d + 2 of these vectors?

I Schnorr shows, making some probabilistic independency and uniform distribution hypotheses, that for the choice of parameters α c pd = (ln N) C = N with c > 1 and α > (2c − 1)/(c − 1) constants, there are at least N+o(1) solution vectors,  ≡ (α, c) > 0.

I The analysis of the algorithm is not rigorous by now. I Analytic and Probabilistic Number Theory. I Independence hypotheses on arithmetic properties.

I Minkowski’s Theorem. I Gaussian heuristic and the Gram-Schmidt lengths.

I Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:

A lower bound for the number of relations

Two approaches by now:

I Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools: I Analytic and Probabilistic Number Theory. I Independence hypotheses on arithmetic properties.

I Gaussian heuristic and the Gram-Schmidt lengths.

I Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:

A lower bound for the number of relations

Two approaches by now:

I Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:

I Minkowski’s Theorem. I Analytic and Probabilistic Number Theory. I Independence hypotheses on arithmetic properties.

I Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:

A lower bound for the number of relations

Two approaches by now:

I Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:

I Minkowski’s Theorem. I Gaussian heuristic and the Gram-Schmidt lengths. I Analytic and Probabilistic Number Theory. I Independence hypotheses on arithmetic properties.

A lower bound for the number of relations

Two approaches by now:

I Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:

I Minkowski’s Theorem. I Gaussian heuristic and the Gram-Schmidt lengths.

I Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools: I Independence hypotheses on arithmetic properties.

A lower bound for the number of relations

Two approaches by now:

I Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:

I Minkowski’s Theorem. I Gaussian heuristic and the Gram-Schmidt lengths.

I Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:

I Analytic and Probabilistic Number Theory. A lower bound for the number of relations

Two approaches by now:

I Geometrical: show that the 1-norm ball of the theorem has at least d + 2 points. Tools:

I Minkowski’s Theorem. I Gaussian heuristic and the Gram-Schmidt lengths.

I Number Theoretic: define a particular set of relations which can be detected by the algorithm and show it has at least d + 2 elements. Tools:

I Analytic and Probabilistic Number Theory. I Independence hypotheses on arithmetic properties. Outline

Introduction

Outline of the algorithm

The search for “relations”

Termination considerations

Conclusions Lemma Let C ≥ 3. Then, for any integer vector z such that

||S1z − t||1 ≤ ε,

we have √ ε N |u − kN| ≤ exp · . 2 C

Open problem

Prove a lemma like the following, for the Euclidean norm : Open problem

Prove a lemma like the following, for the Euclidean norm : Lemma Let C ≥ 3. Then, for any integer vector z such that

||S1z − t||1 ≤ ε,

we have √ ε N |u − kN| ≤ exp · . 2 C I The CVP formulation (Schnorr’s) allows precomputations. Potentially useful for doing many factorizations in a row.

I Enumeration versus sampling: we need to have good estimates on the number of relations, in order to choose.

Conclusions

I The algorithm works in practice. I Enumeration versus sampling: we need to have good estimates on the number of relations, in order to choose.

Conclusions

I The algorithm works in practice.

I The CVP formulation (Schnorr’s) allows precomputations. Potentially useful for doing many factorizations in a row. Conclusions

I The algorithm works in practice.

I The CVP formulation (Schnorr’s) allows precomputations. Potentially useful for doing many factorizations in a row.

I Enumeration versus sampling: we need to have good estimates on the number of relations, in order to choose. I This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski’s theorem can provide a completely deterministic proof for the validity of the algorithm.

I To do : perform extensive experimentations, and maybe probabilistic modelling.

Conclusions

I We provided an effective version of Schnorr’s criterion for detecting relations. I To do : perform extensive experimentations, and maybe probabilistic modelling.

Conclusions

I We provided an effective version of Schnorr’s criterion for detecting relations.

I This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski’s theorem can provide a completely deterministic proof for the validity of the algorithm. Conclusions

I We provided an effective version of Schnorr’s criterion for detecting relations.

I This provides a means of evaluating a lower bound for the number of relations (or at least an estimate). Minkowski’s theorem can provide a completely deterministic proof for the validity of the algorithm.

I To do : perform extensive experimentations, and maybe probabilistic modelling. Bibliography BMM De Weger. Solving exponential diophantine equations using lattice basis reduction algorithms. Journal of Number Theory, 26(325-367):31, 1987. Daniele Micciancio and Shafi Goldwasser. Complexity of Lattice Problems: a cryptographic perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, Massachusetts, March 2002. Claus Peter Schnorr. Factoring integers and computing discrete logarithms via diophantine approximation. In Jin-Yi Cai, editor, Advances in Computational Complexity Theory, volume 13 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pages 171–182. AMS, 1993.