Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/ANR CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010 Outline of the algorithm The search for \relations" Termination considerations Conclusions Plan Introduction The search for \relations" Termination considerations Conclusions Plan Introduction Outline of the algorithm Termination considerations Conclusions Plan Introduction Outline of the algorithm The search for \relations" Conclusions Plan Introduction Outline of the algorithm The search for \relations" Termination considerations Plan Introduction Outline of the algorithm The search for \relations" Termination considerations Conclusions Outline Introduction Outline of the algorithm The search for \relations" Termination considerations Conclusions I Example: given N = 6, return 2 or 3. I The decisional problem belongs to NP \ coNP (Pratt, 1975). I Hence, it is unlikely to be NP-complete. I Practical intractability is at the base of the RSA public key cryptosystem. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. The Integer Factorization Problem I Given a composite integer N, compute a proper divisor. I The decisional problem belongs to NP \ coNP (Pratt, 1975). I Hence, it is unlikely to be NP-complete. I Practical intractability is at the base of the RSA public key cryptosystem. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. The Integer Factorization Problem I Given a composite integer N, compute a proper divisor. I Example: given N = 6, return 2 or 3. I Hence, it is unlikely to be NP-complete. I Practical intractability is at the base of the RSA public key cryptosystem. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. The Integer Factorization Problem I Given a composite integer N, compute a proper divisor. I Example: given N = 6, return 2 or 3. I The decisional problem belongs to NP \ coNP (Pratt, 1975). I Practical intractability is at the base of the RSA public key cryptosystem. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. The Integer Factorization Problem I Given a composite integer N, compute a proper divisor. I Example: given N = 6, return 2 or 3. I The decisional problem belongs to NP \ coNP (Pratt, 1975). I Hence, it is unlikely to be NP-complete. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. The Integer Factorization Problem I Given a composite integer N, compute a proper divisor. I Example: given N = 6, return 2 or 3. I The decisional problem belongs to NP \ coNP (Pratt, 1975). I Hence, it is unlikely to be NP-complete. I Practical intractability is at the base of the RSA public key cryptosystem. The Integer Factorization Problem I Given a composite integer N, compute a proper divisor. I Example: given N = 6, return 2 or 3. I The decisional problem belongs to NP \ coNP (Pratt, 1975). I Hence, it is unlikely to be NP-complete. I Practical intractability is at the base of the RSA public key cryptosystem. I Current record for factorization of RSA numbers : RSA 768 (232 decimal digits), in December 2009. I Schnorr seems to be the first which applied this to integer factorization, in 1993. I In the beginning, completely theoretical. I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration. I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes. Integer Factorization with Lattice Reduction I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. I In the beginning, completely theoretical. I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration. I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes. Integer Factorization with Lattice Reduction I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. I Schnorr seems to be the first which applied this to integer factorization, in 1993. I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration. I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes. Integer Factorization with Lattice Reduction I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. I Schnorr seems to be the first which applied this to integer factorization, in 1993. I In the beginning, completely theoretical. I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes. Integer Factorization with Lattice Reduction I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. I Schnorr seems to be the first which applied this to integer factorization, in 1993. I In the beginning, completely theoretical. I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration. Integer Factorization with Lattice Reduction I De Weger (1987) used lattice reduction and enumeration to effectively solve Diophantine equations. I Schnorr seems to be the first which applied this to integer factorization, in 1993. I In the beginning, completely theoretical. I First working implementation : Ritter and R¨ossner,1997. 60-bit integer factored in 3 hours. Highly optimized enumeration. I Personal toy implementation in Magma, using the built-in enumeration routine. 40-bits integer in about 40 minutes. I Understand the complexity of the algorithm. I Implement an optimized version, `apriori aimed at fixed-size integers. Preliminary goals I Improve the results of the original paper to make them effective. I Implement an optimized version, `apriori aimed at fixed-size integers. Preliminary goals I Improve the results of the original paper to make them effective. I Understand the complexity of the algorithm. Preliminary goals I Improve the results of the original paper to make them effective. I Understand the complexity of the algorithm. I Implement an optimized version, `apriori aimed at fixed-size integers. Outline Introduction Outline of the algorithm The search for \relations" Termination considerations Conclusions 2 2 I 100 is 5-smooth since 100 = 2 · 5 . I All integers ≤ B are B-smooth. I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y; N). Definition An integer is B-smooth when all of its prime factors are ≤ B. Philosophy of the algorithm Congruence of squares method I As in many factorization methods, we want to find integers x; y 2 Z, x 6= ±y such that x2 ≡ y 2 mod N: 2 2 I 100 is 5-smooth since 100 = 2 · 5 . I All integers ≤ B are B-smooth. Definition An integer is B-smooth when all of its prime factors are ≤ B. Philosophy of the algorithm Congruence of squares method I As in many factorization methods, we want to find integers x; y 2 Z, x 6= ±y such that x2 ≡ y 2 mod N: I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y; N). 2 2 I 100 is 5-smooth since 100 = 2 · 5 . I All integers ≤ B are B-smooth. Definition An integer is B-smooth when all of its prime factors are ≤ B. Philosophy of the algorithm Congruence of squares method I As in many factorization methods, we want to find integers x; y 2 Z, x 6= ±y such that x2 ≡ y 2 mod N: I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y; N). 2 2 I 100 is 5-smooth since 100 = 2 · 5 . I All integers ≤ B are B-smooth. Philosophy of the algorithm Congruence of squares method I As in many factorization methods, we want to find integers x; y 2 Z, x 6= ±y such that x2 ≡ y 2 mod N: I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y; N). Definition An integer is B-smooth when all of its prime factors are ≤ B. I All integers ≤ B are B-smooth. Philosophy of the algorithm Congruence of squares method I As in many factorization methods, we want to find integers x; y 2 Z, x 6= ±y such that x2 ≡ y 2 mod N: I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y; N). Definition An integer is B-smooth when all of its prime factors are ≤ B. 2 2 I 100 is 5-smooth since 100 = 2 · 5 . Philosophy of the algorithm Congruence of squares method I As in many factorization methods, we want to find integers x; y 2 Z, x 6= ±y such that x2 ≡ y 2 mod N: I Then, whenever x 6≡ ±y mod N, we can factor N by computing gcd(x ± y; N). Definition An integer is B-smooth when all of its prime factors are ≤ B. 2 2 I 100 is 5-smooth since 100 = 2 · 5 . I All integers ≤ B are B-smooth. I Fix d ≥ 1 and build the factor base fp0;:::; pd g; where p0 = −1; p1 = 2; p2 = 3; p3 = 5;:::: I Find d + 2 solutions of u = v + kN where k 2 Z, and u, v are pd -smooth.Write the identities in the following form d d Y ai;j Y bi;j pj ≡ pj mod N i 2 1; d + 2 : j=0 j=0 J K These last equalities are called relations. Factorization algorithm principle Given an integer N to be factored, do the following: Write the identities in the following form d d Y ai;j Y bi;j pj ≡ pj mod N i 2 1; d + 2 : j=0 j=0 J K These last equalities are called relations.