DOCSLIB.ORG

3. Integer Factorization and Discrete Logarithms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
3. Integer Factorization and Discrete Logarithms 3. Integer Factorization and Discrete Logarithms Of all the problems in the theory of numbers to which computers have been applied, probably none has been influenced more than of factoring. Hugh C. Williams [260] 3.1 Introduction The integer factorization problem (IFP) is to ¯nd a nontrivial factor f (not necessarily prime) of a composite integer n. That is, + ) Input : n 2 Z>1 (3.1) Output : f such that f j n: Clearly, if there is an algorithm to test whether or not an integer n is a prime, and an algorithm to ¯nd a nontrivial factor f of a composite integer n, then by recursively calling the primality testing algorithm and the integer factorization algorithm, it should be easy to ¯nd the prime factorization of ®1 ®2 ®k n = p1 p2 ¢ ¢ ¢ pk : In this chapter we shall mainly be concerned with the integer factoriza- tion algorithms (the primality testing algorithms have been discussed in the previous chapter). Generally speaking, the most useful factoring algorithms fall into one of the following two main classes (Brent [33]): (A) General purpose factoring algorithms: the running time depends mainly on the size of N, the number to be factored, and is not strongly dependent on the size of the factor p found. Examples are: (1) Lehman's¡ method¢ , which has a rigorous worst-case running time bound O n1=3+² . 210 3. Integer Factorization and Discrete Logarithms (2) Shanks' SQUare FOrm Factorization¡ ¢ method SQUFOF, which has expected running time O n1=4 . ¡ ¢ (3) Shanks' class group method, which has running time O n1=5+² . (4) Continued FRACtion (CFRAC) method, which under plausible as- sumptions has expected running time ³ ³ p ´´ ³ p ´ O exp c log n log log n = O nc log log n= log n ; where c is ap constant (depending on the details of the algorithm); usually c = 2 ¼ 1:414213562. (5) Multiple Polynomial Quadratic Sieve (MPQS), which under plausi- ble assumptions has expected running time ³ ³ p ´´ ³ p ´ O exp c log n log log n = O nc log log n= log n ; where c is a constant (depending on the details of the algorithm); 3 usually c = p ¼ 1:060660172. 2 2 (6) Number Field Sieve (NFS), which under plausible assumptions has the expected running time ³ ³ p p ´´ O exp c 3 log n 3 (log log n)2 ; where c = (64=9)1=3 ¼ 1:922999427 if GNFS (a general version of NFS) is used to factor an arbitrary integer n, whereas c = (32=9)1=3 ¼ 1:526285657 if SNFS (a special version of NFS) is used to factor a special integer n such as n = re § s, where r and s are small, r > 1 and e is large. This is substantially and asymptotically faster than any other currently known factoring method. (B) Special purpose factoring algorithms: The running time depends mainlyp on the size of p (the factor found) of n. (We can assume that p · n.) Examples are: ¡ ¢ (1) Trial division, which has running time O p(log n)2 . (2) Pollard's ½-method (also known as Pollard's \rho" algorithm), which¡ under plausible¢ assumptions has expected running time O p1=2(log n)2 . (3) Lenstra's Elliptic Curve Method (ECM), which under plausible as- sumptions has expected running time ³ ³ p ´ ´ O exp c log p log log p ¢ (log n)2 ; where c ¼ 2 is a constant (depending on the details of the algorithm). 3.1 Introduction 211 ¡ ¢ 2 The term O (log n) is for the cost of¡ performing¢ arithmetic operations 2 on numbers which are O(log n)¡ or O (log¢n) bits long; the second can be theoretically replaced by O (log n)1+² for any ² > 0. Note that there is a quantum factoring algorithm, original proposed by Shor, which can run in polynomial-time O((log n)2+²): However, this quantum algorithm requires to be run on a quantum computer, which is not available at present. In practice, algorithms in both categories are important. It is sometimes very di±cult to say whether one method is better than another, but it is gen- erally worth attempting to ¯nd small factors with algorithms in the second class before using the algorithms in the ¯rst class. That is, we could ¯rst try the trial division algorithm, then use some other method such as NFS. This fact shows that the trial division method is still useful for integer factoriza- tion, even though it is simple. In this chapter we shall introduce some most useful and widely used factoring algorithms. It is interesting to note that integer factorization is related to many other number theoretic problems, that is, if we can ¯nd an algorithm for integer factorization, then with some modi¯cations, this algorithm can always be used for some other problems, such as the discrete logarithms, the quadratic residuosity problem and the square root problem, etc. So, in this chapter, we shall also introduce some of the algorithms for these problems. Problems for Section 3.1 Problem 3.1.1. Explain why general purpose factoring algorithms are slower than special purpose factoring algorithms, or why the special num- bers are easy to factor than general numbers. Problem 3.1.2. Show that addition of two log n bit integers can be per- formed in O(log n) bit operations. Problem 3.1.3. Show that multiplication of two log n bit integers can be performed in O((log n)2) bit operations. Problem 3.1.4. Show that there is an algorithm which can multiply two log n bit integers in O(log n log log n log log log n) = O((log n)1+²) bit operations. Problem 3.1.5. Estimate the bit operations for computing n!. 212 3. Integer Factorization and Discrete Logarithms 3.2 Simple Factoring Methods The simplest factoring algorithm is the trial division method, which tries all the possible divisors of n to obtain its complete prime factorization: n = p1p2 ¢ ¢ ¢ pt; p1 · p2 · ¢ ¢ ¢ · pt: (3.2) The following is the algorithm: Algorithm 3.2.1 (Factoring by trial divisions). This algorithm tries to factor an integer n > 1 using trial divisions by all the possible divisors of n. [1] Input n and set t à 0, k à 2. [2] If n = 1, then go to Step [5]. [3] q à n=k and r à n (mod k). If r 6= 0, go to Step [4]. t à t + 1, pt à k, n à q, go to Step [2]. [4] If q > k, then k à k + 1, and go to Step [3]. t à t + 1; pt à n. [5] Exit: terminate the algorithm. Exercise 3.2.1. Use Algorithm 3.2.1 to factor n = 2759. An immediate improvement of Algorithm 3.2.1 is to make use of an aux- iliary sequence of trial divisors: 2 = d0 < d1 < d2 < d3 < ¢ ¢ ¢ (3.3) p which includes all primes · n (possibly somep composites as well if it is convenient to do so) and at least one value dk ¸ n. The algorithm can be described as follows: Algorithm 3.2.2 (Factoring by Trial Division). This algorithm tries to factor an integer n > 1 using trial divisions by an auxiliary sequence of trial divisors. [1] Input n and set t à 0, k à 0. [2] If n = 1, then go to Step [5]. [3] q à n=dk and r à n (mod dk). If r 6= 0, go to Step [4]. t à t + 1, pt à dk, n à q, go to Step [2]. [4] If q > dk, then k à k + 1, and go to Step [3]. t à t + 1; pt à n. 3.2 Simple Factoring Methods 213 [5] Exit: terminate the algorithm. Exercise 3.2.2. Use Algorithmp 3.2.2 to factor n = 2759; assumep that we have the list L of all primes · b 2759c = 52 and at least one ¸ n, that is, L = f2; 3; 5; 7; 11; 13; 17; 19; 23; 29; 31; 37; 41; 43; 47; 53g. Theorem 3.2.1. Algorithm 3.2.2 requires a running time in p O (max (pt¡1; pt )) : If a primality test between stepsµ [2] and¶ [3] were inserted, the running time pt¡1 would then be in O(pt¡1), or O if one does trial division only by ln pt¡1 primes, where pt¡1 is the second largest prime factor of n. The trial division test is very useful for removing small factors, but it should not be used for factoring completely, except when n is very small, say, for example, n < 108. Now suppose n is any odd integer (if n were even we could repeatedly divide by 2 until an odd integer is obtained). If n = pq, where p · q are 1 1 both odd, then by setting x = 2 (p + q) and y = 2 (q ¡ p) we ¯nd that n = x2 ¡ y2 = (x + y)(x ¡ y), or y2 = x2 ¡ n. The following algorithm tries to ¯nd n = pq using the above idea. Algorithm 3.2.3 (Fermat's factoring algorithm). Givenp an odd integer n > 1, then this algorithm determines the largest factor · n, of n. p [1] Input n and set k à b nc + 1, y à k ¢ k ¡ n, d à 1 p p [2] If b yc = y go to Step [4] else y à y + 2k + d and d à d + 2 p [3] If b yc < n=2 go to Step [2] else print \No Factor Found" and go to Step [5] p p [4] x à n + y, y à y, print x ¡ y and x + y, the nontrivial factors of n [5] Exit: terminate the algorithm.
Load more

Recommended publications
  • Improvements in Computing Discrete Logarithms in Finite Fields
    ISSN (Print): 2476-8316 ISSN (Online): 2635-3490 Dutse Journal of Pure and Applied Sciences (DUJOPAS), Vol. 5 No. 1a June 2019 Improvements in Computing Discrete Logarithms in Finite Fields 1*Ali Maianguwa Shuaibu, 2Sunday Babuba & 3James Andrawus 1, 2,3 Department of Mathematics, Federal University Dutse, Jigawa State Email: [email protected] Abstract The discrete logarithm problem forms the basis of numerous cryptographic systems. The most efficient attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus. In this paper, we examined a non-generic algorithm that uses index calculus. If α is a generator × × for 퐹푝 then the discrete logarithm of 훽 ∈ 퐹푝 with respect to 훼 is also called the index of 훽 (with respect to 훼), whence the term index calculus. This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard 푝 − 1method and the elliptic curve method. In conclusion, we suggest improved elliptic curve as well as hyperelliptic curve cryptography methods as fertile ground for further research. Keywords: Elliptic curve, Index calculus, Multiplicative group, Smooth numbers Introduction 푥 It is known that the logarithm 푙표푔푏 푎 is a number x such that 푏 = 푎, for given numbers a and b. Similarly, in any group G, powers 푏푘 can be defined for all integers 푘, and 푘 the discrete logarithm푙표푔푏 푎 is an integer k such that 푏 = 푎. In number theory,푥 = 푥 푖푛푑푟푎(푚표푑 푚) is read as the index of 푎 to the base r modulo m which is equivalent to 푟 = 푎(푚표푑 푚) if r is the primitive root of m and greatest common divisor, 푔푐푑( 푎, 푚) = 1.
    [Show full text]
  • The Index Calculus Method Using Non-Smooth Polynomials
    MATHEMATICS OF COMPUTATION Volume 70, Number 235, Pages 1253{1264 S 0025-5718(01)01298-4 Article electronically published on March 7, 2001 THE INDEX CALCULUS METHOD USING NON-SMOOTH POLYNOMIALS THEODOULOS GAREFALAKIS AND DANIEL PANARIO Abstract. We study a generalized version of the index calculus method for n the discrete logarithm problem in Fq ,whenq = p , p is a small prime and n !1. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database. 1. Introduction Let G denote a group written multiplicatively and hgi the cyclic subgroup gen- erated by g 2 G.Giveng and y 2hgi,thediscrete logarithm problem for G is to find the smallest integer x such that y = gx.Theintegerx is called the discrete logarithm of y in the base g, and is written x =logg y. The main reason for the intense current interest on the discrete logarithm prob- lem (apart from being interesting on a purely mathematical level) is that the se- curity of many public-key cryptosystems depends on the assumption that finding discrete logarithms is hard, at least for certain groups.
    [Show full text]
  • Index Calculus in the Trace Zero Variety 3
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of − points P E(F n ) whose trace P + ϕ(P )+ ... + ϕn 1(P ) is zero, where ϕ denotes the Frobenius ∈ q homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn Fq. In this paper, we study the hardness of the DLP in the trace zero variety. Our| interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- F∗ cols the embedding degree k is such that the DLP in Tn and in qkn have the same complexity.
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]
  • Bound Estimation for Divisors of RSA Modulus with Small Divisor-Ratio
    International Journal of Network Security, Vol.23, No.3, PP.412-425, May 2021 (DOI: 10.6633/IJNS.202105 23(3).06) 412 Bound Estimation for Divisors of RSA Modulus with Small Divisor-ratio Xingbo Wang (Corresponding author: Xingbo Wang) Department of Mechatronic Engineering, Foshan University Guangdong Engineering Center of Information Security for Intelligent Manufacturing System, China Email: [email protected]; [email protected] (Received Nov. 16, 2019; Revised and Accepted Mar. 8, 2020; First Online Apr. 17, 2021) Abstract make it easier to find the small divisor; articles [2, 10] found out the distribution of an odd integer's square-root Through subtle analysis on relationships among ances- in the T3 tree; articles [11, 15, 17] investigated divisors' tors, symmetric brothers, and the square root of a node distribution of an RSA number, presenting in detail how on the T3 tree, the article puts a method forwards to cal- two divisors distribute on the levels of the T3 tree in terms culate an interval that contains a divisor of a semiprime of their divisor-ratio. whose divisor-ratio is less than 3/2. Concrete mathemat- This paper, following the studies in [11, 15, 17], and ical reasonings to derive the method and programming based on the inequalities proved in [12] as well as the procedure from realizing the calculations are shown in theorems proved in [13, 16], gives in detail a bound esti- detail. Numerical experiments are made by applying the mation to the divisors of an RSA number. The results in method on both ordinary small semiprimes and the RSA this paper are helpful to design algorithm to search the numbers.
    [Show full text]
  • Factorization of RSA-180
    Factorization of RSA-180 S. A. Danilov, I. A. Popovyan Moscow State University, Russia May 9, 2010∗ Abstract We present a brief report on the factorization of RSA-180, currently smallest unfactored RSA number. We show that the numbers of similar size could be factored in a reasonable time at home using open source factoring software running on a few Intel Core i7 PCs. 1 Introduction In 1991 RSA Labs published a list of semiprime numbers of different size and announced a reward for their factorization. The numbers from that list called RSA numbers became a measure of the quality of the factorization tools. We began working on our factorization project on November 2009. We started with the smallest unfactored RSA number for that moment, RSA-170, written in 170 decimal digits. The factorization was finished on 31 December 2009, then we found out that Dominik Bonenberger and Martin Krone [1] were ahead of us for two days and had already presented the RSA-170 prime de- compostion. Meanwhile the new world record in factorization was set [2] – the international team of scientists managed to factor the RSA-768, a 232 decimal digits long RSA number. On January 2010 after a short break we decided to continue the project and took the number RSA-180 = 191147927718986609689229466631454649812986246 276667354864188503638807260703436799058776201 365135161278134258296128109200046702912984568 752800330221777752773957404540495707851421041, the next smallest RSA number with unknown factorization. ∗Revised at 13.04.2010 1 2 Factorization of RSA-180 Our tools for factorization are essentially based on two open source implemen- tations of General Numebr Field Sieve (GNFS) algorithm – the community maintained GGNFS suite [3] and Jason Papadopoulos’s msieve [4].
    [Show full text]
  • Introducing Quaternions to Integer Factorisation
    Journal of Physical Science and Application 5 (2) (2015) 101-107 doi: 10.17265/2159-5348/2015.02.003 D DAVID PUBLISHING Introducing Quaternions to Integer Factorisation HuiKang Tong 4500 Ang Mo Kio Avenue 6, 569843, Singapore Abstract: The key purpose of this paper is to open up the concepts of the sum of four squares and the algebra of quaternions into the attempts of factoring semiprimes, the product of two prime numbers. However, the application of these concepts here has been clumsy, and would be better explored by those with a more rigorous mathematical background. There may be real immediate implications on some RSA numbers that are slightly larger than a perfect square. Key words: Integer factorisation, RSA, quaternions, sum of four squares, euler factorisation method. Nomenclature In Section 3, we extend the Euler factoring method to one using the sum of four squares and the algebra p, q: prime factors n: semiprime pq, the product of two primes of quaternions. We comment on the development of P: quaternion with norm p the mathematics in Section 3.1, and introduce the a, b, c, d: components of a quaternion integral quaternions in Section 3.2, and its relationship 1. Introduction with the sum of four squares in Section 3.3. In Section 3.4, we mention an algorithm to generate the sum of We assume that the reader know the RSA four squares. cryptosystem [1]. Notably, the ability to factorise a In Section 4, we propose the usage of concepts of random and large semiprime n (the product of two the algebra of quaternions into the factorisation of prime numbers p and q) efficiently can completely semiprimes.
    [Show full text]
  • INDEX CALCULUS in the TRACE ZERO VARIETY 1. Introduction
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of n−1 points P 2 E(Fqn ) whose trace P + '(P ) + ::: + ' (P ) is zero, where ' denotes the Frobenius homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn jFq. In this paper, we study the hardness of the DLP in the trace zero variety. Our interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- ∗ cols the embedding degree k is such that the DLP in Tn and in Fqkn have the same complexity.
    [Show full text]
  • The Past, Evolving Present and Future of Discrete Logarithm
    The Past, evolving Present and Future of Discrete Logarithm Antoine Joux, Andrew Odlyzko and Cécile Pierrot Abstract The first practical public key cryptosystem ever published, the Diffie-Hellman key exchange algorithm, relies for its security on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the security of a large variety of other public key systems and protocols. Since the introduction of the Diffie-Hellman key exchange more than three decades ago, there have been substantial algorithmic advances in the computation of discrete logarithms. However, in general the discrete logarithm problem is still considered to be hard. In particular, this is the case for the multiplicative group of finite fields with medium to large characteristic and for the additive group of a general elliptic curve. This paper presents a current survey of the state of the art concerning discrete logarithms and their computation. 1 Introduction 1.1 The Discrete Logarithm Problem Many popular public key cryptosystems are based on discrete exponentiation. If G is a multi- plicative group, such as the group of invertible elements in a finite field or the group of points on an elliptic curve, and g is an element of G, then gx is the discrete exponentiation of base g to the power x. This operation shares basic properties with ordinary exponentiation, for example gx+y = gx · gy. The inverse operation is, given h in G, to determine a value of x, if it exists, such that h = gx. Such a number x is called a discrete logarithm of h to the base g, since it shares many properties with the ordinary logarithm.
    [Show full text]
  • Cover and Decomposition Index Calculus on Elliptic Curves Made Practical
    Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over Fp6 Antoine Joux1 and Vanessa Vitse2 1 DGA and Universit´ede Versailles Saint-Quentin, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles cedex, France [email protected] 2 Universit´ede Versailles Saint-Quentin, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles cedex, France [email protected] Abstract. We present a new \cover and decomposition" attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined 3 over Fp6 . We give a real-size example of discrete logarithm computations on a curve over a 151-bit degree 6 extension field, which would not have been practically attackable using previously known algorithms. Key words: elliptic curve, discrete logarithm, index calculus, Weil descent, decomposition attack 1 Introduction Elliptic curves are used in cryptography to provide groups where the discrete logarithm problem is thought to be difficult. We recall that given a finite group G (written additively) and two elements P; Q 2 G, the discrete logarithm problem (DLP) consists in computing, when it exists, an integer x such that Q = xP . When elliptic curves are used in cryptographic applications, the DLP is usually considered to be as difficult as in a generic group of the same size [31]. As a consequence, for a given security level, the key size is much smaller than for other popular cryptosystems based on factorization or discrete logarithms in finite fields.
    [Show full text]
  • Parallel Strategy to Factorize Fermat Numbers with Implementation in Maple Software
    Journal of Software Parallel Strategy to Factorize Fermat Numbers with Implementation in Maple Software Jianhui Li*, Manlan Liu Foshan Polytechnic, Foshan City, PRC, 528000, China. * Corresponding author. Tel.: +86075787263015; email: [email protected] Manuscript submitted October 08, 2020; accepted December 11, 2020. doi: 10.17706/jsw.16.4.167-173 Abstract: In accordance with the traits of parallel computing, the paper proposes a parallel algorithm to factorize the Fermat numbers through parallelization of a sequential algorithm. The kernel work to parallelize a sequential algorithm is presented by subdividing the computing interval into subintervals that are assigned to the parallel processes to perform the parallel computing. Maple experiments show that the parallelization increases the computational efficiency of factoring the Fermat numbers, especially to the Fermat number with big divisors. Key words: Integer factorization, fermat number, parallel computing, algorithm. 1. Introduction Factorization of big integer has been a hard problem and has been paid attention to in mathematics and cryptography. Any factoring algorithm is both scientifically valuable and practically applicable, as stated in [1]. Historically, factorization of big integer always took huge computing resources and involved in parallel computing. For example, it took half a year and 80 4-cored CPUs of AMD Opteron @ 2.2GHz to factorize RSA768 [2]. Actually, Brent R P began to study the possibility of parallel computing early in 1990 since Pollard Rho algorithm came into being [3]. And then parallel approaches for the elliptic curve method (ECM), continued fraction, quadric sieve (QS) and number field sieve (NFS) were developed respectively [4]-[7]. Now the NFS has been regarded to be the most efficient method.
    [Show full text]
  • RSA, Integer Factorization, Diffie–Hellman, Discrete Logarithm
    RSA, integer factorization, Diffie–Hellman, discrete logarithm computation Aurore Guillevic Inria Nancy, France November 12, 2020 1/71 Aurore Guillevic [email protected] • L1-L2 at Université de Bretagne Sud, Lorient (2005–2007) • L3 Vannes (2007–2008) • M1-M2 maths and cryptography at Université de Rennes 1 (2008–2010) • internship and PhD at Thales Communication, Gennevilliers (92) • post-doc at Inria Saclay (2 years) and Calgary (Canada, 1 year) • researcher in cryptography at Inria Nancy since November 2016 • adjunct assistant professor at Polytechnique (2017–2020) 2/71 Outline Preliminaries RSA, and integer factorization problem Naive methods Quadratic sieve Number Field Sieve Bad randomness: gcd, Coppersmith attacks Diffie-Hellman, and the discrete logarithm problem Generic algorithms of square root complexity Pairings 3/71 Introduction: public-key cryptography Introduced in 1976 (Diffie–Hellman, DH) and 1977 (Rivert–Shamir–Adleman, RSA) Asymmetric means distinct public and private keys • encryption with a public key • decryption with a private key • deducing the private key from the public key is a very hard problem Two hard problems: • Integer factorization (for RSA) • Discrete logarithm computation in a finite group (for Diffie–Hellman) 4/71 Textbooks Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Christof Paar and Jan Pelzl. Understanding Cryptography, a Textbook for Students and Practitioners. Springer, 2010. (Two texbooks [PP10] (Paar and Pelzl) are available at the library at Lorient, code 005.8 PAA). Relvant chapters: 6, 7, 8, and 10. During lockdown, the library is opened: see La BU sur rendez-vous https://www-actus.univ-ubs.fr/fr/index/actualites/scd/ covid-19-la-bu-sur-rdv.html Lecture notes: https://gitlab.inria.fr/guillevi/enseignement/ (Lorient → Master-CSSE.md) 5/71 Textbooks The Handbook is available in PDF for free.
    [Show full text]