An Application of the LLL Algorithm to Integer Factorization

An application of the LLL algorithm to integer factorization

A Thesis

Presented in Partial Fulﬁllment of the Requirements for the Degree Master of Mathematical Science in the Graduate School of The Ohio State University

Gerwin Pineda, BS

Graduate Program in Mathematical Sciences

The Ohio State University

2018

Master’s Examination Committee:

Ghaith Hiary, Advisor James Cogdell c Copyright by

Gerwin Pineda

2018 Abstract

Solving the shortest vector problem algorithmically gained a boom with the pub- lication of the LLL algorithm in 1982. Many problems can be reformulated as ﬁnding the shortest vector in a lattice, and the LLL can provide very good approximations to their true solutions. One of these problems is the factorization of a large integer given partial information about one of its factors.

Coppersmith describes a novel method to do this in [4], which enables the factorization of a large integer N in polynomial time in log N, provided that (1/4) log2 N of the high order bits of one of the factors of N are given. However, in practice, this might require guessing some of the middle bits of the partially known factor and then apply the Coppersmith separately for each guess. In this thesis, we explore the LLL algorithm and how much information the Coppersmith method needs to factor N in one run. We also study the parameters of the Coppersmith algorithm with the hope of reducing the amount of information needed by it. We provide the Mathematica code for the various computations that we did, as well as instructive examples.

ii Acknowledgments

A big thank you to my adviser Dr. Ghaith Hiary for his advisement and for his careful proofreading of this thesis. Thank you to Dr. James Cogdell for agreeing on to be on my examination committee.

iii Vita

2014 ...... B.S. Mathematics and Computer Sci- ence University of Guam 2016 - present ...... Graduate Teaching Associate, Gradu- ate Research Associate The Ohio State University.

Fields of Study

Major Field: Mathematical Sciences

Specializaition: Computational Sciences

iv Contents

Page

Abstract ...... ii

Acknowledgments ...... iii

Vita...... iv

List of Tables ...... vii

List of Figures ...... viii

1. Introduction ...... 1

1.1 Notation ...... 1 1.2 The Shortest Vector Problem ...... 2 1.2.1 A brief history of the SVP ...... 4 1.2.2 Modern algorithms for ﬁnding approximate solutions to the SVP...... 5

2. The LLL Algorithm ...... 8

2.1 The mechanics of the LLL algorithm ...... 9 2.2 Interpreting a reduced basis ...... 11 2.3 The performance of LLL in practice ...... 13

3. Factoring with the Coppersmith Algorithm ...... 16

3.1 The Coppersmith Algorithm ...... 16 3.1.1 Example of ﬁnding roots with the Coppersmith algorithm . 23 3.2 Factoring large integers with partial information given ...... 24 3.2.1 Binary numbering system for integers ...... 25 3.2.2 Setup for factoring integers with partial information given . 26

v 4. Experiment ...... 30

4.1 Creating large integers ...... 30 4.2 Primary Search ...... 31 4.3 Reﬁning the search ...... 33 4.4 Eﬀects of k ...... 35 4.5 Roots outside of the bounds ...... 37

Appendices 40

A. LLL Implementation in Mathematica ...... 40

B. Numerical Run Through of LLL ...... 43

C. Implementation of the Coppersmith Algorithm in Mathematica . . . . . 49

D. Auxiliary Polynomials and coeﬃcients the example given in Section 3.1.1 53

Bibliography ...... 55

vi List of Tables

Table Page

3.1 ML with d = 2 and k = 1 for the given qij(x, y) generated using q(x, y) = 1 + ax + by + cx2 + dxy + ey2. Each row is composed of the

coeﬃcients of the qij(x, y)’s and is a basis vector for L...... 21

3.2 Converting the decimal number 2153 into binary. The quotients are on the ﬁrst row while the corresponding remainders are on the second row ...... 26

−β α 1/(2−α) γ 4.1 In the table above, γbound is the γ from b(2 v ) c = N for integers of size 514 bits while γfound is the largest γ found for each k in the second search program ...... 38

vii List of Figures

Figure Page

1.1 Examples of lattices in R2 ...... 2

2.1 Lattice Title ...... 12

2.2 Histogram of the position of the shortest reduced basis vector for 1000 randomly chosen 100-dimensional full rank lattices...... 14

2.3 Execution of LLL for a dense matrix, upper triangular matrix, and lower triangular matrix...... 15

4.1 Number of successful runs of the CA for each power of two for k = 0, 1, 2, 3 with |N | = 5000...... 32

4.2 The CA did not succeed in ﬁnding roots of size N 0.2 for k = 0, 1, 2 and of size N 0.19 for k =3...... 34

4.3 Summary of the results. The frequency for k = 0, 1, 2, 3, 4 are shown against the powers of N ...... 35

4.4 Plot of the right hand side of Inequality (3.14) for various k ..... 36

4.5 Plot of the right hand side of Inequality (3.14) for various k and larger integers ...... 37

4.6 Individual histograms for k = 0, 1, 2, 3, 4 ...... 39

viii Chapter 1: Introduction

1.1 Notation

Unless noted otherwise, lowercase boldface Roman letters (e.g a, b, c, . . .) will denote real vectors and lowercase Greek letters (e.g. α, β, γ, . . . ) will denote real scalars. The inner product (dot product) of a and b will be denoted by ha, bi. For

n a = (a1, a2, . . . , an) ∈ R , its Euclidean and maximum norm will be denoted and deﬁned as v u n u X 2 |a|2 = t ai and |a|∞ = max |ai|, 1≤i≤n i=1 respectively. If no subscript is present e.g. |a|, then the norm will be assumed to be

Pd i the Euclidean norm. For polynomials p(x) = i=0 pix of degree d, the preceding norms will be deﬁned as follows

d !1/2 X 2 |p(x)|2 = pi and |p(x)|∞ = max |pi|. 1≤i≤d i=0

We will use the notation [α] to denote the nearest integer to α

1 1.2 The Shortest Vector Problem

n Let b1, b2,..., bm be a set of vectors in R , linearly independent over R. Let L be the space spanned by the integral linear combination of these vectors

( n ) X L = αibi | αi ∈ Z . i=1

L is called a lattice and the vectors bi are called a basis for L. Let us deﬁne the

dimension of L, denoted by dim(L), as the ambient dimension of the bi’s, which is the real dimension of Rn. Thus, dim(L) = n. Let B denote the m × n matrix whose

rows are the vectors b1, b2,..., bm. Then, we can deﬁne the rank of L as the row-

rank of the matrix B and denote it as rank(L). So, rank(L) = m as b1, b1,..., bm

are linearly independent. If rank(L) = dim(L), then L is said to be of full rank. From

here, we assume that our lattices are of full rank (i.e. m = n). The determinant

of L, denoted by det(L), is deﬁned to be the square root of the determinant of the q T Gram matrix formed by the b1, b2,..., bn i.e., det(L) = det(BB ). In particular,

if B is a full rank matrix, then det(L) = |det(B)|. Figure 1.1 shows some examples of

lattices in R2 and the basis vectors that generate them.

b2 b1 b1 b1 b2 b2

(a) (b) (c)

Figure 1.1: Examples of lattices in R2

2 Notice that the ﬁrst two lattices are the same but are generated by two diﬀerent

sets of basis vectors, {(1, 0), (0, 1)} in (a) and {(−1, 0), (1, −1)} in (b). In general, a lattice will have more than one choice of basis. These bases are related to each other by unimodular matrices, which are n × n matrices with integer entries and

determinant of ±1. The inverse of a unimodular matrix will also be unimodular and the set of unimodular matrices form a multiplicative group. .

Any lattice has a non-zero vector x whose norm is smallest, meaning 0 < |x| ≤

|y| ∀y ∈ L. Such a vector exist since L is a discrete group. Note that the norm does not necessarily have to be the Euclidean norm. We will refer to this vector x as the

shortest vector of L, though x need not be unique as there could be multiple non-zero

vectors in L of minimum norm. For example, consider the lattice Z2 = {(x, y) | x, y ∈

Z}, which is the lattice displayed in (a) and (b) of Figure 1.1. There are four shortest vectors in this lattice, namely the vectors {(0, 1), (1, 0), (−1, 0), (0, −1)}.

Finding the shortest vector x in L is referred to as the Shortest Vector Problem or

SVP. The following important result, due to Minkowski [12], gives an upper bound on the size of the shortest vector.

Theorem 1.2.1 (Minkowski). Let L be a n-dimensional lattice of full rank and let

λ(L) denote the Euclidean norm of its shortest non-zero vector. Then we have

√ λ(L) ≤ n det(L)1/n.

The SVP is an important problem of general interest. Many problems in mathematics and computer science can be reformulated in terms of solving the SVP. In lattice-based cryptography, the SVP is used in the security proof of some cryptosystem. It is also used in attacking the RSA cryptosystem. In number theory, it can be

3 used to solve simultaneous Diophantine approximation problems. It can also be used

to solve the problem of factoring large integers with the higher (or lower) bits known

for one of the factors. The latter problem will be the focus of this thesis.

1.2.1 A brief history of the SVP

Let us brieﬂy discuss the history of the SVP. In the late 19th century, mathemati-

cians like Dirichlet [10] considered the shortest vector problem in low dimensions in

the context of their studies of the class group of reduced quadratic forms of a given

discriminant. Expanding on the works of his predecessors, Dirichlet showed in [10] a

new way for ﬁnding a representative of each element in the group of ternary quadratic

forms of a given discriminant. His method relied on the existence of a point P in a

certain lattice space such that P is closest to a pre-chosen ﬁxed point O. This can

be thought of as an instance of the SVP.

For low dimensions like n = 2, ﬁnding P is easy since it can be found by inspec- tion. But as the dimension n increases, it gets harder to represent the lattice under consideration and to ﬁnd the shortest vector visually. For example, consider the following full rank lattice of dimension 3 given by the basis vectors b1 = (16, 3, 4), b2 =

(8, 2, 3), b3 = (9, 1, 1). The shortest vectors for this lattice are

(1, 0, 0), (0, 1, 0), (0, 0, 1), (−1, 0, 0), (0, −1, 0), (0, 0, −1),

0 0 0 since the lattice is also generated by b1 = (1, 0, 0), b2 = (0, 1, 0), b3 = (0, 0, 1). Hence, an eﬃcient algorithm for solving the SVP in high dimensions was needed.

Solving the SVP algorithmically in low dimensions began in the 1800s. In 1801,

Gauss [6] gave an algorithm for solving the SVP for n = 2, which can be regarded as an extension of the Euclidean algorithm. Suppose that a lattice L is generated

4 by vectors b and c with |b| ≤ |c|. The algorithm then ﬁnds an integral multiple αb

of b such that c0 = c − αb is as small as possible in the Euclidean norm. We can

1 take α to be the closest integer to |b|2 hc, bi. This means that αb is approximately

1 0 Projb(c) and are equal if |b|2 hc, bi is an integer. Note, c is almost orthogonal, if not orthogonal, to b. If |c0| < |b|, then we make the following changes

c = b and b = c0 and repeat the process from scratch. If we have |c0| ≥ |b|, the algorithm terminates and b is the shortest vector (see [3] for more details).

For a long time after, no signiﬁcant algorithmic improvements were made in solving the SVP exactly. This was not surprising in light of the 1981 result of Peter van

Emde Boas showing that solving the SVP exactly is NP-Hard in the inﬁnity norm.

Moreover in 1998, Ajtai [1] showed that the exact SVP is NP-hard in the 2-norm using randomized reductions.

1.2.2 Modern algorithms for ﬁnding approximate solutions to the SVP

Though solving SVP exactly is NP-Hard, ﬁnding an approximate solution of the

SVP to within a multiplicative factor of the shortest vector is not. In the 1982,

Lenstra, Lenstra, and Lovász[11] published their famous paper which described an efficient algorithm (see Theorem 2.0.1 in Chapter 2) to find an approximate solution to the SVP using lattice reduction techniques. This algorithm is called LLL after the authors’ initials. Since then, other algorithms that use additional ideas have been created to solve the SVP. We will discuss the LLL algorithm in detail in Chapter 2 and devote the rest of this subsection to survey other algorithms in brief.

5 One of these is an algorithm presented by Schnorr in [15, 16], which is an im- provement on an earlier algorithm found in [9] and is refered to as Block Korkin-

Zolotarev. Schnorr’s algorithm tries to strike a balance between LLL’s eﬃciency and the earlier Hermite-Korkine-Zolotarev’s superior near-orthogonality. Roughly speaking, Schnorr’s algorithm considers blocks of basis vectors. Within the blocks, the vectors are Hermite-Korkine-Zolotarev reduced and then the blocks are lattice reduced using LLL. More detail can be found in [15].

Ajtai et al. gave an example of a “sieve-type” algorithm in [2]. It starts by randomly choosing a set S containing N lattice vectors of length less than R = 2O(n).

The set S is then fed into the main part of the algorithm, called a sieve, which chooses vectors from S to form a subset J such that for any vector v ∈ S, there is a vector u ∈ J satisfying |u − v| ≤ R/2. This set J is in turn used to create a new subset

S0 ⊆ S with |S0| = |S| − |J|. The sieve is applied repeatedly to S0 with R decreasing each time. The algorithm terminates in logarithmically many steps in R when R has reached a certain minimal threshold. If N was large enough, the ﬁnal set S0 should contain the shortest vector.

Another type of SVP solver is given by Micciancio and Voulagaris in [13], which describes an algorithm based on the “Voronoi cell” of the lattice. The (open) Voronoi cell, denoted by V(L), of a lattice L is the set

n V(L) = {x ∈ R | ∀y ∈ L − {0}, |x| < |x − y|}.

Note from the deﬁnition, the vectors in V(L) are closer to the origin than they are to any other vectors in the lattice. In the algorithm, V(L) is described using a minimal

6 set V of vectors called relevant vectors such that

V(L) = ∩v∈V Hv,

n where Hv = {x ∈ R | |x| < |x − v|}. If we know the relevant vectors of L, then the shortest relevant vector is the shortest vector of L [7]. A detailed description on how these relevant vectors are found and how they are used to solve the SVP can be found in [13]

7 Chapter 2: The LLL Algorithm

In this chapter, we will describe and give a pseudocode for the LLL algorithm.

The LLL algorithm started a boom of activity in solving the SVP. The main utility of the LLL algorithm is in ﬁnding a vector that satisﬁes the inequality (2.1) in the following theorem.

n Theorem 2.0.1 (LLL). Let L ⊂ Z be the lattice spanned by b1, b2,..., bn, which are linearly independent over Z (equiv. over R), and let β ∈ R, such that β ≥ 2

2 and |bi| ≤ β for 1 ≤ i ≤ n. Given this basis, the LLL algorithm is able to ﬁnd in polynomial time in n and log β a vector b in L such that

n−1 |b| ≤ 2 2 |x| (2.1) for all x ∈ L, x 6= 0. Furthermore, we have

|b| ≤ 2(n−1)/4 det(L)1/n. (2.2)

Remark 2.1. Note that inequality (2.2) is stronger than what would be obtained from combining inequality (2.1) with Minkowski’s Theorem (Theorem 1.2.1), which gives

n−1 √ 1/n b ≤ 2 2 n det(L)

8 2.1 The mechanics of the LLL algorithm

The notion of a reduced basis is fundamental to the working of the LLL algorithm.

Given a lattice L with a basis {b1, b2,..., bn}, LLL can test if this basis is a reduced

basis for L as follows. LLL starts with applying the Gram–Schmidt orthogonalization

∗ process to the basis vectors. From this we get vectors bi and scalars uij (1 ≤ j < i ≤ n) recursively deﬁned by

i−1 ∗ X ∗ bi = bi − uijbj , (2.3) j=1 ∗ ∗ ∗ µij = bi, bj / bj , bj . (2.4)

If the following inequalities hold,

|µij| ≤ 1/2 for 1 ≤ j < i ≤ n, (2.5)

∗ ∗ 2 3 ∗ 2 b + ui i−1b ≥ b for 1 < i ≤ n, (2.6) i i−1 4 i−1

then the basis {b1, b2,..., bn} is called a reduced basis for L and the LLL algorithm

stops. It was shown in [11] that if {b1, b2,..., bn} is a reduced basis then we have

(n−1)/4 1/n |b1| ≤ 2 det(L) , (2.7)

which is exactly the bound appearing in inequality (2.2). If the basis is not already

∗ reduced, then the LLL algorithm operates on the bi, bi and µi j until the inequalities

(2.5) and (2.6) hold. In the process, the basis vectors b1, b2,..., bn will be modiﬁed

or rearranged if necessary, but will always remain a basis for L.

Remark 2.2. As we will see in Section 2.2, a reduced basis can be understood as a nearly orthogonal basis for L.

9 Algorithm 1 LLL algorithm 1: procedure LLL Algorithm 2: (0): . Step 0: Perform Gram-Schmidt on the basis 3: for i = 1, 2, . . . , n do ∗ 4: bi := bi; 5: for j = 1, 2, . . . , i − 1 do ∗ 6: µij := bi, bj /Bj; ∗ ∗ ∗ 7: bi := bi − uijbj ; ∗ ∗ 8: Bi := hbi , bi i ; 9: k := 2 10: (1): . Step 1: Check if basis is reduced 11: perform (3) for l = k − 1; 3 2 12: if Bk < 4 − µk k−2 Bk−1 then goto (2); 13: perform (3) for l = k − 2, k − 3,..., 1; 14: if k = n then terminate; 15: k := k + 1 16: goto (1); 17: (2): . Step 2: If not, switch and adjust basis 2 18: µ := µk k−1; B := Bk + µ Bk−1; µk k−1 := µBk−1/B; 19: Bk := Bk−1Bk/B; Bk−1 := B; b b 20: k−1 := k ; bk bk−1 21: for j = 1, 2, . . . k − 2 do µ µ 22: k−1 j := k j µkj µk−1 j 23: for i = k + 1, k + 2, . . . n do µ 1 µ 0 1 µ 24: i k−1 := k k−1 i k−1 µik 0 1 1 −µ µik 25: if k > 2 then k := k − 1; 26: goto (1); 27: (3): . Step 3: Mod by 1 if necessary 1 28: if |µkl| > 2 then 29: r := integer nearest to µkl; bk := bk − r bl; 30: for j = 1, 2, . . . , l − 1 do µk j := µk j − rµlj

31: µkl := µkl − r;

10 The pseudocode for LLL is given in Algorithm 1 and a simple implementation in

Mathematica paralleling the structure of the pseudocode is given in Appendix A. In

lines 2–6 of Algorithm 1, algorithm performs the Gram–Schmidt orthogonalization

process, which we will refer to as Step 0. After this step, the LLL only needs the

∗ ∗ ∗ 2 ∗ values of hbi , bi i = |bi | for 1 ≤ i ≤ n and not the vectors bi themselves. These

values are stored in the variables Bi in the pseudocode. From here on, let k denote the index of the current basis vector on which LLL is operating. In lines 10–15, LLL checks if the inequalities (2.5) and (2.6) are satisﬁed, i.e., checks if the current basis is reduced, which we will call Step 1. In lines 17–25, the current basis vector bk is switched with the previous vector bk−1 if inequality (2.6) is not satisﬁed, and the relevant values of µi j’s and Bi’s are updated accordingly. We will call this Step 2.

Lastly, in lines 28–30, the algorithm computes µij mod 1 by subtracting the nearest integer to µi j so as to satisfy inequality (2.5). We will refer to this as Step 3. A numerical example of this process is given in Appendix B.

2.2 Interpreting a reduced basis

If the basis {b1, b2,..., bn} for L is orthogonal, then the shortest nonzero vector in L is simply given by the shortest vector in the basis, which can be easily found.

In general, however, a basis for L is not going to be orthogonal. So, the motivation behind a reduced basis is to try to simultaneously satisfy, as best as we can, two goals: i) {b1, b2,..., bn} is a basis for L, and ii) {b1, b2,..., bn} is orthogonal. In this sense, a reduced basis can be thought of as a “nearly–orthogonal” basis for L.

∗ Recall a basis is reduced if the vectors bi and scalars µij obtained from the Gram– Schmidt orthogonalization satisfy inequalities (2.5) and (2.6). The ﬁrst condition,

11 inequality (2.5), is called the size reduction condition. This condition requires that

∗ ∗ the length of the projection of bi onto bj is at most half the length of bj for 1 ≤ j < i ≤ n. However, this condition alone cannot give us a basis that is nearly orthogonal. Take for example the lattice in Figure 2.1 deﬁned by the basis vectors b1 = (−6, 4), b2 = (2, −2). This lattice satisﬁes the size reduction condition since

Figure 2.1: Lattice Title

∗ hb2, b1i −20 1 |µ21| = ∗ ∗ = ≤ . hb1, b1i 52 2

However, from Figure 2.1, the lattice basis is far from being orthogonal (b1 and b2 are nearly parallel). This situation is avoided by imposing inequality (2.6), which is called the Lov´aszcondition. Note that this inequality can be re–written in the form

3 |b∗|2 ≥ − µ2 |b∗ |2. (2.8) i 4 i i−1 i−1

∗ 3 2 ∗ 2 In our example, |b2| ≈ 0.3076 and 4 − µ21 |b1| ≈ 31.307. So inequality (2.6) is far

from satisﬁed, which is expressing the fact that b1 and b2 are nearly parallel.

12 2.3 The performance of LLL in practice

Inequalities similar to (2.7) are given in [11] and provide upper bounds for the

sizes of the other basis vectors in a reduced basis. But in practice, these upper bounds

seem to be substantial overestimates.

Furthermore, the short vector b1 might not even be the shortest basis vector found by LLL. This is illustrated in Figure 2.2, where we show the distribution of the location of the shortest basis vector in the reduced basis found by LLL. The ﬁgure is based on 1000 randomly chosen full rank lattices of dimension 100. The ﬁgure shows that b1 is typically not the shortest vector in the reduced basis found by LLL.

Also, it does not reveal a clear pattern of the position of the shortest reduced vector.

In our particular experiment, the most common location for the shortest vector is somewhere in position 65 –70. Comparing the size of b1 to the size of the shortest reduced basis vector, the values follow a normal distribution with a mean of 1.185 and standard deviation of 0.1013. This means that on average |b1| is about 1.185 times the norm of the shortest reduced basis vector.

Another observation is that the speed of the LLL algorithm in practice seems highly sensitive to rearrangements of the starting basis vectors. In a small experiment, the LLL algorithm is given two bases for the same full rank lattice of dimension 2 up to 100. These bases are “Upper” and “Lower” in in Figure 2.3. Upper are bases that form an upper triangular matrix and Lower are bases formed from reversing the order of the Upper basis vectors. From the ﬁgure, one can see that the Upper basis took signiﬁcantly longer compared to the Lower basis. For comparison, the execution times for generic lattices with a basis that form a dense matrix are also included as the

13 Figure 2.2: Histogram of the position of the shortest reduced basis vector for 1000 randomly chosen 100-dimensional full rank lattices.

data points denoted by Dense. Note, also, that the LLL algorithm took signiﬁcantly less time with these bases compared to the Upper bases.

One possible explanation for this behavior is the LLL algorithm executes Step 2 more for the Upper bases compared to the Lower or Dense bases. Recall that if the

LLL algorithm executes Step 2 then the current basis vector is switched with the previous one. The algorithm then rechecks that inequalities (2.5) and (2.6) are still satisﬁed after the switched. Hence, the algorithm can terminate earlier if it does not execute Step 2 as much as possible. This was checked when doing the experiment for

Figure 2.3. The results mirrored Figure 2.3. The counts for Step 2 were considerably greater for the Upper bases compared to the Lower and dense bases. Thus, the LLL took longer for the Upper bases due to the number of times it had to perform Step 2.

14 Figure 2.3: Execution of LLL for a dense matrix, upper triangular matrix, and lower triangular matrix.

One question that naturally follows from the observation above is the following: does the longer execution time of the LLL for an Upper basis produce a shorter reduced basis vectors compared to the vectors found using a Lower basis? Most of the time, it turns out that is no diﬀerence in size when comparing the norm of the shortest reduced basis vector found by LLL for an Upper and Lower bases. When there is a diﬀerence, it is usually the case that the Lower basis will produce a shorter vector. In one experiment, the norm of the shortest reduced basis vector that the

LLL found for a Lower basis was 1/8 of the norm of the shortest reduced basis vector found for an Upper basis.

15 Chapter 3: Factoring with the Coppersmith Algorithm

3.1 The Coppersmith Algorithm

An important application of the LLL algorithm is to the Coppersmith algorithm

derived in [4]. The Coppersmith algorithm has been simpliﬁed and clariﬁed by Coron

in [5], which is the version that we closely follow here, but we clarify a several points

and supply explicit examples. The Coppersmith algorithm enables ﬁnding small

integer roots of bivariate integer polynomials eﬃciently, where “small” is measured

relative to the sizes of the polynomial’s coeﬃcients and degree.

Speciﬁcally, suppose we are given a polynomial in two variables

X i j p(x, y) = pijx y , 0≤i,j≤d which is irreducible and of maximum degree d in each variable with a nonzero constant term, i.e., p00 6= 0. Let X and Y denote the desired bounds on the coordinates of the integer roots (x0, y0) of p(x, y) that we wish to find, if they exist. So we want integer pairs (x0, y0) such that |x0| ≤ X, |y0| ≤ Y and p(x0, y0) = 0. As we will see, the choice of X and Y has to satisfy certain inequalities (depending on the sizes of the coefficients of p(x, y) and d) in order for the Coppersmith algorithm to find (x0, y0) efficiently. In addition, we assume that gcd(p00,XY ) = 1. If not, then we can step

16 through prime numbers between X and 2X and between Y and 2Y until we have gcd(p00,XY ) = 1.

The Coppersmith algorithm is able to ﬁnd such roots (x0, y0), |x0| ≤ X and |y0| ≤

Y , if they exist. To do this, auxiliary polynomials qij(x, y) are constructed such that

qij(x0, y0) ≡ 0 mod n for an integer n given in Equation (3.6). Then, the LLL algorithm is used to ﬁnd a linear combination h(x, y) of the qij(x, y) small enough in norm that h(x0, y0) ≡ 0 mod n implies h(x0, y0) = 0. This gives an additional equation satisﬁed by (x0, y0).

Thus (x0, y0) can be found by solving the system ( p(x, y) = 0 (3.1) h(x, y) = 0 which can be done easily (e.g. by well–known numerical methods found in [14]). For example, one could ﬁnd the resultant

Q(x) = resultanty(p(x, y), h(x, y)),

and use root ﬁnding algorithms for one variable to ﬁnd x0 such that Q(x0) = 0 and

|x0| < X. Then for each x0 found, y0 can be found by solving p(x0, y) = 0.

To generate the auxiliary polynomials, we let

W = |p(xX, yY )|∞. (3.2)

Next, we choose an integer k ≥ 0 and let

ω = (d + k + 1)2. (3.3)

The parameter k controls, to some extent, the trade-oﬀ between the speed of the

Coppersmith algorithm and the permissible sizes of X and Y.

17 Next, we deﬁne

u0 ≡ (1 − W ) mod |p00|, 0 ≤ u0 < p00 (3.4)

u = W + u0, (3.5)

n = u(XY )k. (3.6)

Since u0 = 1 − W + mp00 for some integer m, we have

u = W + 1 − W + m p00 = 1 + mp00,

which implies that gcd(p00, u) = 1.

−ω √ Remark 3.1. Any integer u that satisﬁes 2 W ω ≤ u < 2W and gcd(p00, u) = 1 will do. Thus, the choice of u in Equation (3.5) is not unique.

Remark 3.2. Since gcd(p00,XY ) = 1 and gcd(p00, u) = 1, it follows that gcd(p00, n) =

−1 1. In particular, this implies that p00 has an inverse p00 mod n.

Given these parameter choices, the Coppersmith algorithm generates the following

−1 polynomials. Let q(x, y) ≡ p00 p(x, y) mod n, where the coeﬃcients of q(x, y) are integers in [0, n). Let ( xiyjXk−iY k−jq(x, y) for 0 ≤ i, j ≤ k, qij(x, y) = (3.7) xiyjn for (i, j) ∈ [0, d + k]2 \ [0, k]2 ,

−1 where q(x, y) = p00 p(x, y) mod n. Note that if (x0, y0) is a zero of p(x, y), then by construction qij(x0, y0) ≡ 0 mod n for all 0 ≤ i, j ≤ d + k.

Let us identify each polynomial qij(xX, yY ) with the vector of its coeﬃcients. The coeﬃcients are ordered in increasing value of the sum i + j in xiyj, where monomials of the same sum are ordered with i increasing and j decreasing. See Table 3.1 for an example. Now, we consider the lattice L generated by all integer linear combinations

18 of these vectors. The ω × ω matrix ML, whose rows are the coeﬃcient vectors of the

polynomials qij(xX, yY ), is of full rank as it can always be rearranged such that ML

is an upper triangle matrix with nonzero diagonal entries. Therefore, L is a full rank

lattice.

2 2 For example, suppose q(x, y) = 1 + a0x + a1y + a2x + a3xy + a4ey and k = 1.

Then the qij(x, y)’s are

2 q00(x, y) = XY q(x, y) q10(x, y) = xY q(x, y) q01(x, y) = yXq(x, y) q20(x, y) = x n

2 3 2 q11(x, y) = xyq(x, y) q02(x, y) = y n q30(x, y) = x n q21(x, y) = x yn

2 3 3 2 2 q12(x, y) = xy n q03(x, y) = y n q31(x, y) = x yn q22(x, y) = x y

3 3 2 2 3 3 3 q13(x, y) = xy n q32(x, y) = x y n q23(x, y) = x y n q33(x, y) = x y n

The basis of the lattice spanned by these qij(xX, yY ) is given in Table 3.1.

Remark 3.3. The last three rows in Table 3.1 do not get used by the LLL when searching for a short vector as including them can only make the vector constructed by LLL larger in norm. This is a bit wasteful but is done to ensure that ML is a square matrix. This situation arises whenever k < d, but does not if k ≥ d.

Remark 3.4. In practice, it is best to reverse the order of the rows of ML to get a

“lower triangular” matrix as this will speed up the execution of LLL as discussed in

Section 2.3.

The Coppersmith algorithm then employs the LLL algorithm to ﬁnd a short vector in the lattice whose entries correspond to the coeﬃcients of some polynomial

X h(xX, yY ) = hijqij(xX, yY ), hij ∈ Z. 0≤i j≤d+k

19 (This is the same as taking a linear integer combination of the rows of the matrix

ML.) From Theorem 2.0.1, we know that

ω−1 1/ω |h(xX, yY )| < 2 4 det(L) . (3.8)

In addition, h(x0, y0) ≡ 0 mod n by construction. If the right hand side of inequality

√n (3.8) is less than ω . then n |h(xX, yY )| < √ . (3.9) ω

and by Lemma 3.1.1 we have h(x0, y0) = 0.

Lemma 3.1.1 (Howgrave-Graham ). Let h(x, y) be a bivariate polynomial over Z

and a sum of at most ω monomials. If h(x0, y0) = 0 mod n with |x0| ≤ X, |y0| ≤ Y

√n and |h(xX, yY )| < ω , then h(x0, y0) = 0 holds over the integers.

Next, for the system (3.1) to contain two independent equations, h(x, y) cannot

be a multiple of p(x, y). Supposing it is, we can apply Lemma 3 from [5]. Letting

b(x, y), a(x, y), d, and r from the lemma be h(xX, yY ), p(xX, yY ), d+k, and (XY )k,

respectively, we have

−(d+k+1)2 k −ω k |h(xX, yY )| ≥ 2 (XY ) |p(xX, yY )|∞ = 2 (XY ) W, (3.10)

Thus, if we have

|h(xX, yY )| < 2−ω(XY )k W, (3.11)

then h(x, y) cannot be a multiple of p(x, y).

Remark 3.5. Recall p(x, y) was assumed to be irreducible hence it could not have

been a multiple of h(x, y).

20 1 x y x2 xy y2 x3 x2y xy2 y3 x3y x2y2 xy3 x3y2 x2y3 x3y3

2 2 3 2 2 2 3 q00 XY a0X Y a1XY a2X Y a3X Y a4XY 2 2 3 2 2 3 q10 XY a0X Y a1XY a2X Y a3X Y a4XY 2 2 3 2 2 3 q01 XY a0X Y a1Y X a2X Y a3X Y a4XY 2 q20 X n 2 2 3 2 2 3 q11 XY a0X Y a1XY a2X Y a3X Y a4XY 2 q02 Y n 3 q30 X n 2 q21 X Y n 2 q12 XY n 21 3 q03 Y n 3 q31 X Y n 2 2 q22 X Y n 3 q13 XY n 3 2 q32 X Y n 2 3 q23 X Y n 3 3 q33 X Y n

2 2 Table 3.1: ML with d = 2 and k = 1 for the given qij(x, y) generated using q(x, y) = 1 + ax + by + cx + dxy + ey . Each row is composed of the coeﬃcients of the qij(x, y)’s and is a basis vector for L. Now, we have two conditions that h(xX, yY ) must satisfy: inequalities (3.9) and

(3.11). However, we just need to satisfy inequality (3.11) since √ 2−ω ω W (XY )k u(XY )k n 2−ω(XY )kW = √ ≤ √ = √ . (3.12) ω ω ω

Using inequality (3.8), it suﬃces to ensure that the following inequality holds

2(ω−1)/4 det(L)1/ω ≤ 2−ω(XY )kW. (3.13)

To ﬁgure out how to satisfy equation (3.13), we ﬁrst need to calculate det(L).

Recall that the basis vectors of the lattice L can always be ordered in a way such that

ML is an upper triangular matrix in which case the determinant will be given by the

product of the diagonal entries. For qij(xX, yY ) with 0 ≤ i, j ≤ k, each polynomial

will contribute a factor of (XY )k and thus give a total contribution of

Y 2 (XY )k = (XY )k(k+1) 0≤i, j≤k

2 2 to the determinant. For qij(xX, yY ) with (ij) ∈ [0, d + k] \ [0, k] , each polynomial

will contribute a factor of XiY jn and

Y i j (d+k)(d+k+1) − k(k+1) (d+k+1)2−(k+1)2 X Y n = (XY ) 2 2 n (ij)∈[0,d+k]2\[0,k]2 (d+k)(d+k+1) − k(k+1) d(d+2k+2) = (XY ) 2 2 n

Thus we have

(d+k)(d+k+1) − k(k+1) +k(k+1)2 d(d+2k+2) det(L) = (XY ) 2 2 n

(d+k)(d+k+1)+k(k+1) d(d+2k+2) = (XY ) 2 n

Substituting this into the left hand side of inequality (3.13) and using the inequality

on u found in Remark 3.1, inequality (3.13) is satisﬁed if we choose X and Y such

22 that they satisfy

XY < 2−βW α, (3.14) where

2(k + 1)2 α = (3.15) (d + k)(d + k + 1)2 − k(k + 1)2 10 ((d + k + 1)4 + (d + k + 1)2) β = . (3.16) 4 ((d + k)(d + k + 1)2 − k(k + 1)2)

Note that W depends on X and Y , so inequality (3.14) is not easy to simplify so that

X and Y appear on one side.

2 Remark 3.6. Note that as we let k → ∞, then α % 3d and β % ∞ , where % means

2 monotonic increase. So, certainly one should not take k larger than k0 = 3d log2 W as XY < 1 for k > k0.

3.1.1 Example of ﬁnding roots with the Coppersmith algorithm

Suppose we want to ﬁnd the integer roots of the following polynomial

p(x, y) = −1117094850532856 + 2224082069975971x + 1867494539163155y + xy.

We have d = 1. Letting k = 1, X = Y , and applying inequality (3.14), we arrive at the choice of X = 563 as the bound of the integer roots of p(x, y) we want to ﬁnd

(if they exist). By equation (3.2) and (3.6), we have W = 1252158205396471673 and n = 396928654637653242630113. From these, we get

q(x, y) =1 + 384174341316947718918705x

+ 364512155078075124661492y + 157286778454039740735475xy

23 and the auxiliary polynomials qij(x, y)’s, due to being too long, can be found in

Appendix D.

Using these, LLL ﬁnds the following h(x, y)

h(x, y) = −2352274815797138032 − 22160637444346564x + 40923824134845x2

− 5123394981767382y − 28944591634732xy + 40971081537x2y

− 37656489595907y2 + 81486711434xy2 − 24315611x2y2.

= h0q00(x, y) + h1q10(x, y) + h2q01(x, y) + h3q11(x, y) + h4q20(x, y)

+ h5 + q02(x, y) + h6q21(x, y) + h7q12(x, y) + h8q22(x, y),

where the number of digits of the hi’s can be as short as h0 = −7421151014128 or as long as

h3 = −658807333469527029465402777408740671172023085174290047360403418774.

All of the hi’s can be found Appendix D. Solving the system ( p(x, y) = 0 h(x, y) = 0 for the given p(x, y) and the h(x, y) that LLL found, we get (x0, y0) = (464, −552).

Note for our example, we were able to ﬁnd a root within the bounds we gave the

Coppersmith algorithm. However, there are times the algorithm is still able to ﬁnd roots even if they are outside of the bounds given. This is discussed in Section 4.5.

3.2 Factoring large integers with partial information given

The application of the Coppersmith algorithm of interest in this thesis is to the factorization of a large integer N with partial information given as discussed in [4] and [5]. Speciﬁcally, if we know some of the leading digits of one of the factors of N,

24 then we would like to factor N as efficiently as possible. But, first let us review the binary representation of numbers as it is needed when discussing the requirements of the Coppersmith algorithm to find the factors.

3.2.1 Binary numbering system for integers

Recall that in computers, data is represented as bits, strings of 1’s and 0’s. For example, the number 701 can written as 10101111012, where the subscript 2 denotes that the number is written in binary, since

701 = 1 · 29 + 0 · 28 + 1 · 27 + 0 · 26 + 1 · 25 + 1 · 24 + 1 · 23 + 1 · 22 + 0 · 21 + 1 · 20.

In a binary representation, the leftmost bit is called the most signiﬁcant or highest order bit, while the rightmost bit is the called the least signiﬁcant or lowest order bit.

So, the m high (low) order bits of an integer refer to the ﬁrst (last) m bits on the binary representation of the integer.

To convert a decimal number into binary, one can repeatedly divide the number by two until the quotient is 0, recording the remainders along the way, which will be either 0 or 1. The last remainder will be the highest order bit, while the ﬁrst remainder will be the lowest order bit. Thus, the binary representation is obtained from right to left. For example. let us convert the number 2153 into binary. The

Table 3.2 shows the quotients and remainders obtained by repeatedly dividing by two. With the highest order bit being the last remainder, which is always 1, and the lowest order bit the ﬁrst remainder, which is 1 for this example. So, the number 2153 is written in binary as 1000011010012. To ﬁgure out how many bits are needed to represent a decimal number, one can take the logarithm with base 2 then round up to the next integer. For example, log2 2153 ≈ 11.07 and rounding to the next integer

25 2153 1076 538 269 134 67 33 16 8 4 2 1 0 Remainder - 1 0 0 10110000 1 |{z} |{z} lowest order bit highest order bit

Table 3.2: Converting the decimal number 2153 into binary. The quotients are on the ﬁrst row while the corresponding remainders are on the second row

gives 12. This operation is the same as taking the ceiling of log2 2153.

dlog2 2153e = d11.07e = 12.

This means that we need 12 bits to represent 2153 in binary.

3.2.2 Setup for factoring integers with partial information given

We now describe how the Coppersmith algorithm is able to factor a large integer

N. Let N = PQ denote a large integer where P,Q are prime numbers. Without lost

of generality, we may assume that P ≤ Q. We will also assume that P and Q are

roughly the same size, say

Q/2 < P ≤ Q, (3.17)

as this is basically the most diﬃcult case. Note that this implies that the number

of bits of P and Q are equal. Thus, the number of bits of N is twice the number of

bits of P . Given some information about one of the factors, say P , we can use the

Coppersmith algorithm to ﬁnd P and Q.

Fix a small > 0. To be able to factor N, the Coppersmith algorithm requires

1 one to give it the d( 4 + ) log2 Ne of the high order bits of P . Let us denote by P0 the number obtained by padding the given high bits of P on the right with 0’s until

26 1 the total number of bits is half the number of bits of N, which is 2 dlog2 Ne. Let

Q0 = dN/P0e. Thus, we have

N = (P0 + x0)(Q0 + y0),

where x0, y0 denote the portions of P and Q that we do not know. By routine calculations, we have

|y0| = |Q − Q0| ≤ 8(P − P0) (3.18) and

1 1 1 1+ + log2 N−( +) log2 N |x0| = |P − P0| < 2 2 2 4

3/2 1 − log N = 2 2( 4 ) 2 (3.19)

3/2 1 − = 2 N 4 .

Remark 3.7. Note that P0 < P since we padded the given bits by zeros and P is prime. So, Q0 > Q and P0 < Q0. Thus, the root (x0, y0) that we want to find always satisfy x0 > 0 and y0 < 0. On the other hand, the Coppersmith algorithm searches in a symmetrical interval about zero. This might be a bit wasteful as the roots are always on a specific half of the search interval. So one might be able to increase the efficiency (i.e. the rages of the search intervals X and Y ) by centering the search interval about X and Y , so the Coppersmith algorithm searches for roots of the shifted polynomial g(x, y) = f(x − X, y + Y ), where f(x, y) is defined below.

Using this we can form the polynomial

f(x, y) = (P0 + x)(Q0 + y) − N (3.20)

and use the Coppersmith algorithm to try to ﬁnd the integer pair (x0, y0). This polynomial is irreducible in Z[x, y]. If it was not irreducible, then we can write as

27 f(x, y) = (x + c1)(y + c2) for some integer c1, c2. However, if we were to expand this factored form and comparing the coeﬃcients, f(x, y) is not irreducible would imply that P0 and Q0 would both have to divide N. (This cannot happen as P0 < P and

Q0 > Q)

To calculate the bounds X and Y that will satisfy equation (3.14), we will choose

X = Y to make the calculations easier. Doing this, equation (3.14) becomes

X2 < 2−βW α. (3.21)

Recall the deﬁnition of W ,

W = |f(xX, yY )|∞

2 = max{|P0Q0 − N|,P0X,Q0X,X }.

Note that W is usually of size approximately N 3/4. One can simplify the condition

(3.21) at the expense of some loss to get an expression for X. In particular, let v = max{P0,Q0}. Then since vX ≤ W , one can simply replace W by vX in (3.21).

This gives

X2 < 2−β(vX)α (3.22)

⇒ X < (2−βvα)1/(2−α) (3.23)

While this simpliﬁcation causes a loss, it is not too much as vX is of size about

N 3/4, which is approximately the same as the size of W . So, we can choose X = b(2−βvα)1/(2−α)c, which is the maximum allowed by (3.23). Note that with this choice of X, we have that X, |P − P0|, and |Q − Q0| are all bounded roughly by the same

1/4 power of N, which is N . While it is possible for X < max{|P − P0|, |Q − Q0|}, it will only be smaller by a constant factor depending on only, which is of size

28 ≤ 22/2+8. In this case, we can compensate by guessing approximately 2/2 + 8 more leading bits of P and apply the Coppersmith algorithm to each guess separately.

29 Chapter 4: Experiment

In the previous chapter, we described how the Coppersmith algorithm, which shall be referred to as the CA from now on, can be used to factor large integers N = PQ, as long as suﬃcient information about one of the factors is given to the algorithm.

In this chapter, we try to see if the CA can do better than what is guaranteed under the condition of inequality (3.23) and try to relate this to the minimum amount of information it needs to ﬁnd the factors N.

Some of the experiments in this chapter were partly motivated by the very simple algorithm in [8], which is based on simple continued fractions. The algorithm is able to ﬁnd a factor of N in polynomial time in log(N), provided that (1/3) log2 N of the high bits of one of the factors are given. And in special situations, this algorithm can do with as little as (1/4) log2 N of the high bits given. In view of this, it might be reasonable to expect that there are also special situations where the CA can perform much better than typically.

4.1 Creating large integers

For our experiments, the integers N used were products of primes, P and Q, of roughly the same size. The primes are chosen by ﬁrst randomly generating a real

256 number r0 between 1 and 2 and then ﬁnding the next prime to r02 . This implies

30 that P ’s and Q’s are 257 bits long and N’s are 514 bits longs. To avoid the unlikely event of generating the same integer again, new integers are discarded if they match any previously generated integers. The set of generated integers, which we denote by N , along with one of the factors were stored in text ﬁles that can be read by the search programs described below.

4.2 Primary Search

A program was written to try to ﬁnd the maximal c such that if P = P0 + c, and

P0 is given, the CA is able to ﬁnd P . The program does this by letting c be a power of 2 and choosing X = Y to be the largest prime smaller than the rhs of inequality

(3.23). These experiments were done using k = 0, 1, 2, and 3, which corresponds to full rank lattices of dimensions 4, 9, 16, and 25, respectively.

At the start of the search, c was initialized to 1 and changed to the next powers of

1 2 on successive runs of the CA. The search ran until c = 2 log2 N, which corresponds to none of the bits given. For each integer N, if the algorithm is successful in ﬁnding the factors, a value of 1 is recorded for that c If not, 0 was recorded. Thus each N had an vector vN of 1’s and 0’s associated with it denoting the successes and failures

2 1 log N of the CA as c stepped through 1, 2, 2 ,..., 2 2 2 .

After applying this search to all the integers in the set N , the vectors vN were summed up. The results are found in Figure 4.1, where the number of successes are plotted against log2 c, which represents the number of unknown bits of P . Looking at the ﬁgure, the CA succeeded in ﬁnding the root for all of the integers in N until around c = 290 and failed for all of the integers in N when c > 2100. So if the number

31 of unknown bits of P was ≤ 90, the CA always succeeded. And if the number of

unknown bits was > 100, the CA always failed.

(a) k = 0 (b) k = 1

Figure 4.1: Number of successful runs of the CA for each power of two for k = 0, 1, 2, 3 with |N | = 5000.

Next, the search program converted the values of the successful c’s in terms of N.

Specifically, it found γ such that c = N γ. This implies that as γ gets larger, the CA needs less and less information about P to still find P . The γ’s found are given in the histograms in Figure 4.2. Note that the total number frequencies found in each subfigure is larger than N since γ was found for each pair (N, c) such that the CA

32 was successful in finding P using P0 = P − c. From the figure, we can see that γ never passed 0.2, which implies that the CA is able to find roots of the polynomial

1/5 f(x, y) in (3.20) as long as they are of size / N . Theoretically, for the parameters that we used in the experiments, this implies that the CA would be able to ﬁnd P if one gives it more than (3/10) log2 N of the high bits of P . If the algorithm were to be given less, then we would have to guess the middle bits and apply the algorithm

1 for each guess. In theory, the given CA should do with only ( 4 + ) log2 N bits for any > 0 but only if k → ∞.

4.3 Reﬁning the search

Though the CA was unsuccessful in ﬁnding integer roots of f(x, y) of size larger than N 1/5, for some of the k’s, the roots it found were closer to N 1/5 compared to the other k’s. To investigate this, another search program was written to do a more reﬁned search for the maximal γ associated to each N where the CA is successful.

This is akin to zooming in on the right ends of the histograms in Figure 4.2.

For this search program, c was initialized to 2(1/4) log2 N . We can use this initial value since from the ﬁrst search program, we know that the CA fails when the power of 2 is larger than (1/5) log2 N. Through the search, lower powers of 2 are used to adjust the value of c. This adjustment depends on the success of the CA with the current value of c.

If the CA is successful for the current value of c, then c is adjusted by adding a lower power of two. For example, if the current value of c is 2100, then c is changed to 2100 + 299. If the algorithm is not able to ﬁnd the factors, then the last power of 2 added to c is changed to the next lower power of 2. Using the example above. The

33 (a) k = 0 (b) k = 1

Figure 4.2: The CA did not succeed in ﬁnding roots of size N 0.2 for k = 0, 1, 2 and of size N 0.19 for k = 3. .

value of c would be changed from 2100 to 299. The search program terminates once the power of 2 reaches 1. This gives the maximal c that the CA is able to ﬁnd the factors of N, which is converted to N γ. The γ’s are then recorded.

The search program just described was tested with the same k’s as before with the addition of k = 4, which corresponds to full rank lattices of dimension 36. The results are summarized as the histogram in Figure 4.3. From the ﬁgures, one can see

34 that using k = 2, which corresponds to full rank lattices of dimension 16, had the largest γ’s when compared to the other k’s. Also, k = 0 and k = 4 were furthest from

0.2.

Figure 4.3: Summary of the results. The frequency for k = 0, 1, 2, 3, 4 are shown against the powers of N

4.4 Eﬀects of k

As noted before and as Figure 4.3 shows, γ was closer to 0.2 when k = 1, 2, or 3, with k = 2 being the closest. Another ﬁnding to note is that the highest γ was not found using the highest value of k. This suggests that there is an optimal size of lattice, in the sense that it can be used to ﬁnd a larger root.

Using an optimal k allows us to ﬁnd larger roots, which translates to the CA requiring less bits from one of the factors of N. If were to use a less than optimal k,

35 the search interval X is smaller, which is due to the behavior of the powers α and β

2 α in inequality (3.14). Recall α % 3 and β % ∞ as k → ∞. This implies that W approaches a maximum while 2−β will keep on decreasing.

To check if k = 2 is the optimal k for experiment, we can plot the value of the right hand side of inequality (3.23). Recall that this quantity was used when ﬁnding the X to give to the CA. Figure 4.4 shows the values this quantity in log base 2 for various k and d = 1. From the ﬁgure, k = 2 does give the largest search intervals.

Thus, it can ﬁnd larger roots. Figure 4.5 shows the same information as Figure 4.4 but for larger integers than used in the dataset. Note that for integers that are 1024 bits long k = 3 is optimal while k = 4 is optimal for integers that are 2048 bits long.

Figure 4.4: Plot of the right hand side of Inequality (3.14) for various k

36 (a) Integers with 1024 bits (b) Integers with 2048 bits

Figure 4.5: Plot of the right hand side of Inequality (3.14) for various k and larger integers

4.5 Roots outside of the bounds

The CA is able to ﬁnd the roots (x0, y0) of a polynomial f(x, y) such that |x0| ≤ X and |y0| ≤ Y for some bounds X and Y , if they exists. As the bounds used are usually pessimistic, there are times where the CA is also able to ﬁnd the roots even if they are outside of the given bounds. This is observable in the results obtained from the experiments.

Remark 4.1. In the two search programs above, the requirement that the roots found by the CA satisfy the bounds was not enforced due to this phenomenon. The algorithm was allowed to terminate successfully if it was able to ﬁnd the roots even if they are outside the bounds.

Table 4.1 converts some of the bounds from Figure 4.4 to powers of N. Comparing these powers with the ones found in the two search programs, the CA was able to

37 ﬁnd roots larger than the given bounds. For example, when k = 2, the CA found roots of size N 0.194746, which is larger than the N 0.183501 from Table 4.1

k 0 1 2 3 4 γbound 0.151042 0.178809 0.183501 0.179009 0.169034 γfound 0.193007 0.194700 0.194746 0.189175 0.180247

−β α 1/(2−α) γ Table 4.1: In the table above, γbound is the γ from b(2 v ) c = N for integers of size 514 bits while γfound is the largest γ found for each k in the second search program

To see how much larger the maximal roots found by the CA are when compared to the bounds, we can calculate c/X from the results of the second search program above. Figure 4.6 shows the histograms of these calculations. Aside from k = 0, c/X increased as k increased. But this could be due a faster decrease in X than in c for the larger k’s since we know from Figure 4.4 X decreases after k = 2.

38 (a) k = 0 (b) k = 1

(e) k = 4

Figure 4.6: Individual histograms for k = 0, 1, 2, 3, 4

39 Appendix A: LLL Implementation in Mathematica

Below is an implementation of the LLL algorithm in Mathematica as it is given in Algorithm 1. Note the Step 3 block had to be defined first due to how Math- ematica requires modules to be defined before being used. (∗ Implementation of the LLL algorithm. b a s i s − a matrix where the rows are the basis vectors of the lattice ∗) l l l [ b a s i s ] := Module[ { b=basis ,adjust ,n,uij ,Bi,bstar ,r,j,l ,k,i ,u,B} , (∗ declare the variables needed for the module ∗)

n=Length [ b a s i s ] ; u i j=ConstantArray [ 0 , { n , n } ]; Bi=ConstantArray[0 ,n]; bstar=ConstantArray[0 , { n , n } ];

∗ Step 3 : Mod by 1 if necessary ∗) adjust [ k , l ] := Module[ {} , (∗ checking the condition ∗) I f [Abs[uij[[k,l]]] >1/2 , (∗ find the nearest integer to uij ∗) r=Round[uij[[k,l]]];

b[[k]]=b[[k]] − r ∗b [ [ l ] ] ; For [ j =1, j<=l −1, j ++, uij[[k,j]]=uij[[k,j]] − r ∗ uij[[l,j]]]; uij[[k,l]]=uij[[k,l]− r ; ] ; ] ;

(∗ Step 0: Perform Gram−Schmidt orthogonalization ∗)

40 For [ i =1, i<=n , i ++, bstar[[i]]=b[[i ]]; For [ j =1, j<=i −1, j ++, uij[[i,j]]=Dot [b[[i]],bstar[[j]]]/Bi[[j]]; bstar[[ i]]=bstar[[ i]] − u i j [ [ i , j ] ] ∗ bstar[[j]]]; Bi [ [ i ]]=Dot [bstar[[i]],bstar[[i ]]]; ]; k = 2 ;

(∗ Step 1: Check if basis is reduced ∗) Label [condCheck ]; l = k−1; (∗ Check the condition on uij ∗) adjust[k,l ];

(∗ Check the condition on the size of Bi ∗) I f [ Bi [ [ k]] <(3/4 − u i j [ [ k , k −1]]ˆ2)∗ Bi [ [ k − 1 ] ] , Goto [switching ]];

(∗ Adjust other uij ∗) For [ l=k−2, l >0, l −−, adjust[k,l]];

I f [ k==n , Goto [ end ] ] ; (∗ the algorithm terminates ∗) k=k+1; (∗Go check the conditions for the new value of k ∗) Goto [condCheck ];

(∗ Step 2: If not reduced, switch and adjust basis vectors ∗ Label[switching ]; u=u i j [ [ k , k −1]]; B=Bi[[k]]+uˆ2∗Bi [ [ k −1]];

(∗ switch and recalculate Bi’s and uij’s ∗) u i j [ [ k , k−1]]=u∗Bi [ [ k −1]]/B; Bi[[k]]=Bi[[k −1]]∗ Bi[[k]]/B; Bi[[k−1]]=B;

(∗ switch the current and previous basis vectors ∗) b [ [ { k−1,k }]]= b [ [ { k , k − 1 } ]];

(∗ re−calculate uij’s ∗) For [ j =1, j<=k−2, j ++, u i j [ [ { k−1,k } , j ]]= u i j [ [ { k , k−1}, j ] ] ; ] ;

41 For [ i=k+1, i<=n , i ++, u i j [ [ i , { k−1,k }]]= ({{1 , u i j [ [ k , k −1]]} ,{0 ,1}}.{{0 ,1} ,{1 , − u }} ). { u i j [ [ i , k −1]],uij[[i,k]] } ;]; I f [ k>2, k=k − 1 ; ] ;

(∗Go back to check the conditions ∗) Goto [condCheck ];

Label [ end ] ; (∗ return the reduced basis ∗) b ]

42 Appendix B: Numerical Run Through of LLL

In this appendix, we will step through the LLL algorithm as we apply to the following full ranked 3 × 3 upper triangular matrix

71 98 97  0 8 81 0 0 87

where each row represent basis vectors bi of a lattice L.

We start by doing Step 0 which is the Gram-Schmidt orthogonalization process and get the following outputs:         B1 24054 b1 71 98 97     b = 0 8 81   =  84690869   2   B2  24054      b3 0 0 87 2441941056 B3 84690869

8461 2813 96587139 µ = ≈ 0.3517, µ = ≈ 0.3508, µ = ≈ 1.1405 21 24054 31 8018 32 84690869

After Step 0, we let k = 2. Recall that k is used to keep track of the current vector we are working on. We start Step 1 by checking if we need to do Step 3. As

|µ21| ≈ 0.359 < 1/2, Step 3 is not needed.

2 Next, inequality (2.6) is checked in line 12. As B2 > (3/4 − µ21)B1, inequality (2.6) is not satisﬁed and thus the Step 2 block is executed. After executing the block,

43 we get the following updated values         B1 6625 b1 0 8 81     b 71 98 97      2 =   B2 =  84690869/6625  b3 0 0 87     B3 2441941056/84690869

µ21 = 8641/6625, µ31 = 7047/6625, µ32 = −4984752/84690869

From here, we go back to the start of the Step 1 block with k = 2. As |µ21| > 1/2,

Step 3 is performed to reduce µ21 by ﬁnding the nearest integer close to it, which in this case is 1. This will be subtracted from µ21 to satisfy inequality (2.5). Along with this change, we update b2 and get the following changes

b2 = [71 90 16] and µ21 = 2016/6625

Next, we go back to line 12 to check inequality (2.6). Since B2 ≥ (3/4 − µ21)B1, the condition is satisﬁed and there is no need to perform Step 2. Line 13 is not executed as the condition is not met as there is only one vector before b2. Thus we go back to the start of Step 1 but with k = 3.

As |µ32| ≈ 0.0588 < 1/2, Step 3 is not needed. Next, the condition in line 12 is checked, which evaluates to True. Thus Step 2 is done to switch b2 and b3 and update the corresponding µij’s and Bi’s. After the update we have         B1 6625 b1 0 8 81     b 0 0 87      2 =   B2 = 484416/6625 b3 71 90 16     B3 5041

µ21 = 7047/6625, µ31 = 2016/6625, µ32 = −3581/348

As k = 3, line 25 is executed and k is set to 2. Now we go back to the start of Step

1 with k = 2 and check if the new b’s, µ’s, and B’s still satisfy the two conditions.

44 As |µ21| > 1/2, Step 3 is performed, after which we get the following updates

b2 = [0 − 8 6] µ21 = 6625

3 2 Next, we check the condition in line 12. As B2 < ( 4 − µ21)B1, we execute Step 2, switching b1 and b2 and updating the Bi’s and µij’s. After the updates, we have

        B1 100 b1 0 −8 6     b 0 8 81      2 =   B2 = 121104/25 b3 71 90 16     B3 5041

µ21 = 211/50, µ31 = −156/25, µ32 = 167/174

We go back to the start of Step 1 to see if these changes still satisfy (2.5) and

(2.6). Seeing that |µ21| > 1/2, Step 3 is done, giving

b2 = [0 40 57] and µ21 = 11/50

3 2 Next, we go to line 12 and as B2 > ( 4 − µ21)B1, Step 2 is not needed. As before, line 13 is skipped and we restart Step 1 with k = 3.

As |µ32| > 1/2, Step 3 is executed to reduce it and get the following updates

b3 = [71 50 − 41] µ31 = −323/50 µ32 = −7/174

3 2 As B3 > ( 4 − µ32)B2, Step 2 is not needed. Thus we move on to line 13. As l = 1, we check if |µ31| < 1/2 is satisﬁed. Since |µ31| > 1/2, we execute Step 3 to reduce it and get the following

b3 = [71 2 − 5] µ31 = −23/50

45 Next we go back to Step 1 and execute line 14 as k = 3. This terminates the algorithm. We have the following as our ﬁnal quantities         B1 100 b1 0 −8 6     b 0 40 57      2 =   B2 = 121104/25 b3 71 2 −5     B3 5041

µ21 = 11/50, µ31 = −23/50 µ32 = −7/174

Thus the reduced basis for the lattice L is  0 −8 6   0 40 57  71 2 −5

This basis is an example of an Upper basis discussed in Section 2.3. One of the discussions in that section is the comparison of LLL algorithm’s performance when given an Upper basis vs a Lower basis. In the experiments, LLL algorithm terminated earlier when given a Lower basis compared to when it is given an Upper basis. Let us check this and apply the LLL to the following Lower basis

 0 0 87  0 8 81 , 71 98 97 which is obtained by switching rows 1 and 3. This is still a basis for L since we can multiply the Upper basis on the left by the following unimodular matrix

0 0 1 0 1 0 1 0 0 to obtain the Lower basis.

46 As before, we ﬁrst apply the Gram-Schmidt, we get the following         B1 7569 b1 0 0 87     b 0 8 81      2 =   B2 =  64  b3 71 98 97     B3 5041

µ21 = 27/29, µ31 = 97/87 µ32 = 49/4

With k = 2, Step 1 starts with checking if |µ21| < 1/2. As it is not, we execute

Step 3 and get the following

b2 = [0, 8, −6] µ21 = −2/29

3 2 Next, the condition on line 12 is checked. As B2 < ( 4 −µ21)B1, Step 2 is performed.

The vectors b1 and b2 are switched and the µij’s and Bi’s are updated. After this, we get the following         B1 100 b1 0 8 −6     b 0 0 87      2 =   B2 = 121104/25 b3 71 98 97     B3 5041

µ21 = −261/50, µ31 = 101/50 µ32 = 341/174

Now we go back to the start of Step 1 with k = 2. As |µ21| > 1/2, Step 3 is performed and we get the following:

b2 = [0, 40, 57] µ21 = −11/50.

3 2 We go to line 12 in Step 1. As B2 > ( 4 − µ21)B1, Step 2 is not needed. We restart Step 1 with k = 3.

As |µ32| > 1/2, Step 3 is done and the updated quantities are the following

b3 = [71, 18, −17] µ32 = −7/174

47 3 2 After this, we do not do Step 2 since B3 > ( 4 − µ32)B2. Thus, we move to the line

13 and check µ31. As |µ31| > 1/2, Step 3 is performed and get the following

b3 = [71, 2, −5] µ31 = 23/50

After going back to Step 1, line 14 is executed and the algorithm terminates. Thus our reduced basis is

 0 8 −6  0 40 57  71 2 −5

Comparing the number to steps needed to reduce the two basis, we can see that the

LLL algorithm did terminate earlier when given the Lower’ basis compared to when it was given the Upper basis.

48 Appendix C: Implementation of the Coppersmith Algorithm in Mathematica

The variables alpha and beta are deﬁned outside of this function as alpha = α(k, d) and beta = β(k, d), where α and β are from (3.15) and (3.16), respectively. coronCoppersmith2[ fx , X0 , Y0 , nN , k , debug : False ]:= Block [ {p=fx , X=X0 , Y=Y0 , Xp=X0 , Yp=Y0 , p00 , d , variable ,omega, gcdXYp00 ,W, u, n, ainv,q, h, qResultant, x0, y0, rootx, rooty, commonFactor, mL, L1,val, qij, temp, qij2, z, a, len , i, grntdNorm, time0 } , { (∗ create variable which will be used to order the coefficients ∗) v a r i a b l e=Flatten [ Table [ xˆ iy ˆ j , { j ,0 ,1+k } ,{ i ,0 ,1+k } ]]; variable=SortBy[ variable , { Total [ Exponent[#,{x , y }]]&, Exponent[# ,y ] & } ]; d = 1 ; (∗Max[Exponent[f ,x], Exponent[f ,y]]; ∗) commonFactor=Apply [GCD, DeleteCases [ Flatten [ CoefficientList [ p , { x , y } ] ] , 0 ] ] ; p=p/commonFactor ;

I f [ debug==True , Print [ ” f = ”,Expand[ p ] ] ] ; p00=p /.{ x−>0,y−>0};

(∗ Constant term is 0 so P0=P and Q=Q0∗) I f [ p00==0, I f [ debug , Print [ nN, ” f a c t o r s as ” ,p /.{ x−>1,y−>0}, ” and ” ,p /.{ x−>0, y − >1}]];Return [ {True, 0 } , Block ]];

49 (∗ Get correct X and Y∗) gcdXYp00=GCD[X∗Y, p00 ] ; I f [gcdXYp00!=1, {Xp=X; While [Xp| p00, Xp=NextPrime[Xp]]; Yp=Y; While [Yp| p00, Yp=NextPrime[Yp]]; } ];

I f [ Xp>2∗X | | Yp>2∗Y, { I f [ debug , Print [ ”Found no s u i t a b l e X, Y” ] ] ; Return [ { False , −1} ,Block ]; } ];

X=Xp;Y=Yp;

W=Max[Abs[MonomialList[p]/. { x−>X, y−>Y } ]]; I f [ (X Y)>= 2ˆ(− beta )∗Wˆalpha , Return [ { False , −2} ,Block ]]; I f [ debug , Print [ ”X∗Y= ”,X∗Y,”,X: ”,X,”, Y:”,Y]];

omega = (d + k + 1)ˆ2; u = W + (Mod[1−W,Abs[ p00 ] ] ) ; n = u (X Y)ˆ k ; ainv = PowerMod[ p00 , −1 ,n ] ;

I f [ debug , { Print [”Checking: gcd(u,p00)= ”, GCD[ u , p00 ] ] ; Print [ ”W = ” , W, ” , u = ” , u , ” , \nn = ” , n , ” , k = ” , k ] ; } ];

(∗ Create q i j = q (Xx , Yy) ∗) q = PolynomialMod [ ainv p , n ] ; (∗ Create qijs for (i,j) in [0,k]ˆ2 ∗) q i j = Flatten [ Table [ (xˆi yˆj Xˆ(k−i ) Yˆ(k−j ) q ) / . { x−>X x , y−>Y y } , { i , 0 , k } , { j , 0 , k } ]];

(∗ Create qigs for (i,j) in [0,d+k]ˆ2 \ [ 0 , k ]ˆ2 ∗) q i j 2 = DeleteCases [ Flatten [ Table [ I f [ i>k | | j>k, (X x)ˆi (Y y)ˆj n], { i , 0 , (d+k )} , { j , 0 , (d+k ) } ]], Null ];

(∗ Join the qijs ∗) q i j = Join [qij, qij2];

(∗ Optional: Order the qijs to achieve an upper triangular matrix ∗) For [ z=2, z

50 val = Flatten [ Position [ Coefficient [qij [[z;;omega]] , variable[[z]]]/. { x−>0, y−> 0} , ?(#!=0 &)]][[1]]; I f [val!= 1, temp = qij[[val−1+z ] ] ; q i j [ [ val+z −1]]=qij[[z]]; qij[[z]]= temp]];

(∗ Create the matrix mL from the coefficients of the qij ∗) mL = Table [ Flatten [ Table [ I f [i==1, qij[[j]]/. { x−>0,y−>0}, Coefficient [qij[[j]], variable[[i]]]/. { x−>0, y−>0}], { i , 1 , omega } ]], { j , 1 , omega } ];

(∗ Guaranteed Norm of the vector found by LLL∗) grntdNorm = 2ˆ((omega −1)/4) Abs[ Det [mL]]ˆ(1/omega);

time0 = Now; L1 = LatticeReduce [mL] ;

I f [ debug ==True , Print [ MatrixForm [ L1 ] ] ; Print [Now−time0 ] ; ] ; Off [N::”meprec”];

For [ a=1, a<=omega, a++,{ (∗ Search for a vector whose norm is \[LessEqual] grntdNorm ∗) (∗ Skip vectors with norms greater than guaranteed ∗) I f [Norm[ L1 [ [ a ]]] >=grntdNorm , Continue []];

(∗ create h(x,y) ∗) h = L1[[a]].variable; h = h /.{ x−> x/X, y−> y/Y} ;

(∗ Get resultant Q y ( x ) ∗) qResultant = Resultant [ p , h , y ] ; I f [ Length [ Variables [qResultant]] >0 ,{ rootx= x / . Solve [qResultant==0, x, Reals ];

(∗ For each x0 found, solve p(x0,y)=0 for y ∗) I f [ Length [ rootx ] >0 , {x0 = Select [DeleteDuplicates[Round[N[ rootx ] ] ] , (qResultant/.{ x−> #})==0 &]; I f [ debug==True , Print [”resultant = ”, Expand[qResultant]//N]; Print [ ”x0 = ” , x0 ] ] ; len = Length [ x0 ] ;

51 I f [ len >0, For [ i =1, i<=len , i ++, { rooty =y / . Solve [ ( p /.{ x−>x0 [ [ i ]]})==0 , y , Reals ];

I f [ Length [ rooty ] <1 , Break [];]; y0 = Round[ rooty ] ; I f [ Length [ y0]>0 && (p /.{ x−>x0 [ [ i ] ] , y−>y0 [ [ 1 ] ] } ) = = 0 , { (∗Found the roots ∗) Return [ {True , { x0[[i]], y0[[1]] }} , Block ] } ]; } ]; ]; } ]; } ]; } ]; Return [ { False , −3}, Block ] (∗ Found no solutions ∗) } ]

52 Appendix D: Auxiliary Polynomials and coeﬃcients the example given in Section 3.1.1

The auxiliary polynomials qij(x, y)’s are as follows:

q00(x, y) =316969 + 121771356792891601517943005145x

+ 115539053282942394188828457748y

+ 49855032879798522581182775275xy

2 q10(x, y) =563x + 216290154161441565751230915x

+ 205220343308956295184419996xy + 88552456269624374034072425x2y q01(x, y) =563y + 216290154161441565751230915xy

+ 205220343308956295184419996y2 + 88552456269624374034072425xy2

2 q11(x, y) =xy + 384174341316947718918705x y

+ 364512155078075124661492xy2 + 157286778454039740735475x2y2

2 q20(x, y) =396928654637653242630113x

2 q02(x, y) =396928654637653242630113y

2 q21(x, y) =396928654637653242630113x y

2 q12(x, y) =396928654637653242630113xy

2 2 q22(x, y) =396928654637653242630113x y

53 The coeﬃcients hi for the polynomial h(x, y) found:

h0 = −7421151014128 h1 = 1605121896901083535109159457654854755492 h2 = 1522971158866957329233088167000712996974 h3 = −658807333469527029465402777408740671172023085174290047360403418774 h4 = −874646006208763176922030642366378515809295 h5 = −787407662360961605486843496163857208867947 h6 = 637638201307175482947841184304399296236570666665528049470638705939 h7 = 605003640070879982717252742663302918182276962099354421305983571684 h8 = 261058711414805655933240380686478524337286765865994148761239500903.

54 Bibliography

[1] Mikl´osAjtai. The shortest vector problem in l2 is np-hard for randomized reductions (extended abstract). In Proceedings of the Thirtieth Annual ACM Sym- posium on Theory of Computing, STOC ’98, pages 10–19, New York, NY, USA, 1998. ACM.

[2] Mikl´osAjtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the Thirty-third Annual ACM Sympo- sium on Theory of Computing, STOC ’01, pages 601–610, New York, NY, USA, 2001. ACM.

[3] Jin-Yi Cai. Some recent progress on the complexity of lattice problems. Electronic Colloquium on Computational Complexity (ECCC), 6, 1999.

[4] Don Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In Advances in cryptology—EUROCRYPT ’96 (Saragossa, 1996), volume 1070 of Lecture Notes in Comput. Sci., pages 178–189. Springer, Berlin, 1996.

[5] Jean-S´ebastienCoron. Finding small roots of bivariate integer polynomial equations revisited. In Advances in cryptology—EUROCRYPT 2004, volume 3027 of Lecture Notes in Comput. Sci., pages 492–505. Springer, Berlin, 2004.

[6] Carl Friedrich Gauss. Disquisitiones arithmeticae. Translated into English by Arthur A. Clarke, S. J. Yale University Press, New Haven, Conn.-London, 1966.

[7] Guillaume Hanrot, Xavier Pujol, and Damien Stehl´e.Algorithms for the shortest and closest lattice vector problems. In Yeow Meng Chee, Zhenbo Guo, San Ling, Fengjing Shao, Yuansheng Tang, Huaxiong Wang, and Chaoping Xing, editors, Coding and Cryptology, pages 159–190, Berlin, Heidelberg, 2011. Springer Berlin Heidelberg.

[8] G. A. Hiary. A deterministic algorithm for integer factorization. ArXiv e-prints, August 2014.

55 [9] Ravi Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC ’83, pages 193–206, New York, NY, USA, 1983. ACM.

[10] G. Lejeune Dirichlet. Uber¨ die reduction der positiven quadratischen formen mit drei unbestimmten ganzen zahlen. Journal f¨urdie reine und angewandte Mathematik, 40:209–227, 1850.

[11] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lov´asz. Factoring polynomials with rational coeﬃcients. Math. Ann., 261(4):515–534, 1982.

[12] Daniele Micciancio. On the hardness of the shortest vector problem. PhD thesis, Massachusetts Institute of Technology, Cambridge, MA, USA, 1998.

[13] Daniele Micciancio and Panagiotis Voulgaris. A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In Proceedings of the Forty-second ACM Symposium on Theory of Computing, STOC ’10, pages 351–358, New York, NY, USA, 2010. ACM.

[14] William H. Press, Saul A. Teukolsky, William T. Vetterling, and Brian P. Flan- nery. Numerical Recipes 3rd Edition: The Art of Scientiﬁc Computing. Cam- bridge University Press, New York, NY, USA, 3 edition, 2007.

[15] C. P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci., 53(2-3):201–224, August 1987.

[16] C. P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming, 66(1):181– 199, Aug 1994.