Integer Factorization - an Investigation of Methods and Implementation

Josh Boone
Southern Illinois University at Carbondale
Carbondale, IL 62901
April 24, 2007

Abstract

Integer factorization is the breaking down of a composite integer into its prime factors. This unique factorization is then used to analyze the number or, in the case of most cryptographic applications, to break the cryptoscheme. There are many methods of factorization, but we will focus on those based on Fermat's Factorization Method. We will give a proof of correctness of this method, as well as an example. We will discuss Dixon's Factorization Method at length, with an example given to show how it works. Finally, we will give some insight on the Quadratic Sieve method, a factorization algorithm that uses quadratic congruences to reduce the amount of time needed to factor an integer.

1 Introduction

Integer factorization has been a topic of study since the beginning of number theory. The French mathematician Pierre de Fermat (1601-1665) is credited with one of the earliest algorithms, aptly named Fermat's Factorization Method. This method is based on a congruence of squares, which is the backbone of many factorization methods. We will prove the correctness and show the strengths and weaknesses of this algorithm, and discuss the extensions of Fermat's Method that are more efficient: Dixon's Factorization Method and the Quadratic Sieve Method. Before we begin discussion of this and the other methods, we need some results and definitions from elementary number theory.

2 Some Number Theory

All of our methods will rely upon the following important theorem, without which factorization would be unimportant.

Theorem 2.1 (Fundamental Theorem of Arithmetic). Every integer greater than 1 can be written as a unique product of prime numbers.

This rather intuitive result was first proven by Euclid in a more limited form, but was first proven completely by Carl Friedrich Gauss at the age of 21. Here is a simple proof.

proof:

Factorization: Assume that there exists a number that is not a product of primes. By the well-ordering principle, there must be a smallest integer that has this property. Call it $n$. It must be the case that $n > 1$, and that $n$ is composite (since any prime is obviously a product of primes). Then $n = ab$, where $a$ and $b$ are positive integers less than $n$. By the minimality of $n$, it follows that $a$ and $b$ must each be a product of primes. So $n = ab$ must be a product of primes, a contradiction.

Uniqueness: Assume we have two factorizations, $n = p_1 p_2 \cdots p_s = q_1 q_2 \cdots q_t$, where the $p_i$ and $q_i$ are primes and, WLOG, $s \le t$. Also WLOG, we can assume that the primes are written in increasing order, i.e. $p_1 \le p_2 \le \cdots \le p_s$ and $q_1 \le q_2 \le \cdots \le q_t$. We have $p_1 \mid q_1 q_2 \cdots q_t$, so $p_1 = q_k$ for some $k$ $\Rightarrow p_1 \ge q_1$. Similarly, $q_1 \mid p_1 p_2 \cdots p_s$, so $q_1 \ge p_1$. So $p_1 = q_1$. Continuing this algorithm, we end up with $1 = q_{s+1} q_{s+2} \cdots q_t$. Hence each remaining $q_i = 1$, which is impossible for a prime, so there are no remaining factors. So we have $s = t$ and $p_i = q_i$ for each $i$. So, the factorizations are identical.

We will also need some definitions to discuss our algorithms.

Definition 2.2 (Congruence of Squares). Two integers $x$ and $y$, $x \not\equiv \pm y$, satisfy a congruence of squares modulo $n$ if

$$x^2 \equiv y^2 \pmod{n}$$

for some positive integer $n$. Notice that this congruence implies $x^2 - y^2 \equiv 0 \pmod{n}$, i.e. $(x - y)(x + y) \equiv 0 \pmod{n}$.

Definition 2.3 (Quadratic Residue). Let $a$, $m$ be positive integers. We say $a$ is a quadratic residue of $m$ if $\gcd(a, m) = 1$ and $x^2 \equiv a \pmod{m}$ has a solution.

This term will come up when we discuss the Quadratic Sieve Method.

3 The Most Basic Algorithm: Trial Division

Now that we know a little background material, we can discuss some factorization algorithms. We will begin with the most basic of algorithms, trial division.
This algorithm should be familiar, since nearly every student has used it to factor an integer in an algebra class.

Algorithm 3.1 (Trial Division). To factor an integer $n$,

1. For $p$ odd from 2 to $\sqrt{n}$, if $p$ divides $n$, $p$ is a factor of $n$.
2. For each $p$ dividing $n$, while $p^j \mid n$, $j \in \mathbb{Z}^+$, the multiplicity of the factor $p$ equals $j$.

If $n$ has $t$ factors, we get the factorization $n = p_1^{j_1} p_2^{j_2} \cdots p_t^{j_t}$. However, this factorization takes, on average, $\frac{\sqrt{n}}{2}$ steps.[1] So, if $n$ has two factors of similar size (like most cryptographic schemes) this algorithm is certainly computationally infeasible for large $n$.

4 Fermat's Factorization Method

Now, our first algorithm involving the congruence of squares.

Algorithm 4.1 (Fermat's Factorization Method).
INPUT: An odd composite integer $n$.
OUTPUT: Two integers $a$, $b$ such that $n = ab$.

1. $r \leftarrow \lceil \sqrt{n} \rceil$
   $s' \leftarrow r^2 - n$
2. While $s'$ is not a perfect square:
   $r \leftarrow r + 1$
   $s' \leftarrow r^2 - n$
3. If $r = \frac{n+1}{2}$, return 'error: n is prime'
   Otherwise, return $a = r - \sqrt{s'}$, $b = r + \sqrt{s'}$

Example 4.2. Factor $n = 6077$ using Fermat's Method.

$r = \lceil \sqrt{n} \rceil = 78$

$78^2 - 6077 = 7$
$79^2 - 6077 = 164$
$80^2 - 6077 = 323$
$81^2 - 6077 = 484$

Since $484 = 22^2$, we see that $6077 = 81^2 - 22^2$. Hence, $6077 = (81 - 22)(81 + 22) = 59 \cdot 103$.

Of course, this method does not always give the full factorization, just two odd integers that divide $n$. The idea is that this information will lead to an easy analysis of $n$ (or a complete factorization if $n$ is simply a product of two primes). This seems like it would be a perfect algorithm for breaking the RSA modulus, so why is this not the end of our discussion?

5 Efficiency of Fermat's Method

Notice that Fermat's method is very fast if $n = pq$, where $p \approx q \approx \sqrt{n}$. Because of this fact, RSA primes are chosen carefully to not have this property, just as they are chosen to not have very small factors (which are easy to find with trial division). For this reason, Fermat's method is not as efficient for breaking cryptoschemes as it looks at first glance.
In fact, as the distance between $p$ and $\sqrt{n}$ increases, the running time increases faster than exponentially.[2] So, with just a tiny bit of foresight, it is easy to design an RSA modulus that makes Fermat's method computationally infeasible.

However, Fermat's Method is a very important topic of study, since it was the first factoring method to use the congruence of squares as a basis. We will see that two important extensions of Fermat's method are still in use today, one of which is the premier factoring algorithm for numbers with less than 115 decimal digits. For now, let us study Fermat's method in its entirety.

6 Correctness of Fermat's Method

Now we will show that Fermat's method does indeed always find a factor of $n$. Say $n = ab$. We want to show that we will always find those factors, i.e. that either $a$ or $b$ is in the range of our iteration. The proof will also explain why $n$ is prime if $r$ reaches $\frac{n+1}{2}$.

Theorem 6.1 (Correctness of Fermat's Method). For any odd composite integer $n$, Algorithm 4.1 will always find a divisor of $n$.

proof: Let $n = ab$. Then,

$$n = ab = \tfrac{1}{4}(2ab + 2ab) = \tfrac{1}{4}\left((a + b)^2 - (a - b)^2\right) = \left(\tfrac{a+b}{2}\right)^2 - \left(\tfrac{a-b}{2}\right)^2$$

So, if we let $r = \frac{a+b}{2}$ and $s = \frac{a-b}{2}$, we see that $n = r^2 - s^2$.

Note: $r$ and $s$ are integers, because $n$ odd $\Rightarrow$ $a$, $b$ also odd.

We will now show that $r$ is in the range of the iteration, i.e. $\lceil \sqrt{n} \rceil \le r < \frac{n+1}{2}$.

Assume that $r < \sqrt{n}$. Then,

$$n = r^2 - s^2 < (\sqrt{n})^2 - s^2 = n - s^2 \Rightarrow s^2 < 0,$$

an obvious contradiction.

Assume that $r \ge \frac{n+1}{2}$. Then,

$$n = r^2 - s^2 \ge \left(\tfrac{n+1}{2}\right)^2 - s^2$$
$$\Rightarrow s^2 \ge \left(\tfrac{n+1}{2}\right)^2 - n = \left(\tfrac{n^2}{4} + \tfrac{n}{2} + \tfrac{1}{4}\right) - n = \tfrac{n^2}{4} - \tfrac{n}{2} + \tfrac{1}{4} = \left(\tfrac{n-1}{2}\right)^2$$
$$\Rightarrow s \ge \tfrac{n-1}{2}$$

So, $r + s \ge \frac{n+1}{2} + \frac{n-1}{2} = n$. But we know that $n = r^2 - s^2 = (r + s)(r - s)$. So it must be that $r + s = n$, $r - s = 1$. $\Rightarrow$ $n$ is prime, another contradiction.

So it must be that the value $r$ can always be found by Algorithm 4.1, hence the factors $a$ and $b$ are always found.

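Algorithm 4.1 and the efficiency claim of Section 5, as an added example (not code from the paper): a step-counting implementation, the closed-form iteration count that follows from $r = \frac{a+b}{2}$ in Theorem 6.1 when $n$ is a product of two odd primes, and a bounded run used as a key-quality check for primes that sit too close together. The function names, the step budget and the sample moduli are constructed for illustration.

```python
from math import isqrt


def ceil_sqrt(n):
    """Smallest integer r with r*r >= n."""
    r = isqrt(n)
    return r if r * r == n else r + 1


def fermat_factor(n, max_steps=None):
    """Algorithm 4.1 with a step counter.

    Returns (a, b, steps) with a * b == n and a <= b, where steps is the
    number of times r was incremented. a == 1 means the search ran all the
    way to r = (n + 1) / 2, i.e. n is prime. Returns None when max_steps
    increments were not enough to find a square.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    r = ceil_sqrt(n)
    steps = 0
    while True:
        s2 = r * r - n          # s' in the paper's notation
        s = isqrt(s2)
        if s * s == s2:         # s' is a perfect square: n = (r - s)(r + s)
            return r - s, r + s, steps
        if max_steps is not None and steps >= max_steps:
            return None
        r += 1
        steps += 1


def predicted_steps(p, q):
    """Increments needed for n = p*q with p, q odd primes.

    The loop stops at r = (p + q) / 2 (Theorem 6.1), having started at
    ceil(sqrt(n)), so the cost grows with the gap between p and q.
    """
    return (p + q) // 2 - ceil_sqrt(p * q)


def has_close_factors(n, budget):
    """Key-quality check: True if n splits nontrivially within `budget` steps."""
    result = fermat_factor(n, max_steps=budget)
    return result is not None and result[0] != 1


if __name__ == "__main__":
    # Example 4.2 from the text.
    print(fermat_factor(6077))
    # Constructed toy moduli: twin primes versus widely separated primes.
    close = 10007 * 10009
    far = 10007 * 1000000007
    print("close primes:", fermat_factor(close))
    print("predicted steps, far primes:", predicted_steps(10007, 1000000007))
    print("flagged (close):", has_close_factors(close, budget=1000))
    print("flagged (far):  ", has_close_factors(far, budget=1000))
```
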
7 Extension 1 of Fermat's Method - Dixon's Method

Fermat's method is academically interesting, even if it has limited application, because it has extensions that are very useful for factoring integers. John D. Dixon of Carleton University, Ontario, devised this extension of Fermat's method in 1981.[3] Dixon's method uses congruences of squares to find a divisor of $n$. It also uses Gaussian elimination to solve the resulting matrix. We also must prepare a table of primes before we begin, the size of which we will discuss later.

Algorithm 7.1 (Dixon's Factorization Method).
INPUT: A composite integer $n$ to be factored, a set $\{S\}$, called the factor base [3], of all primes less than some integer $S$ called the prime bound, and an integer $R$ called the relation bound.
OUTPUT: An integer $a$ such that $a \mid n$.

1.