An Application of the LLL Algorithm to Integer Factorization


A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Mathematical Science in the Graduate School of The Ohio State University

By Gerwin Pineda, BS
Graduate Program in Mathematical Sciences
The Ohio State University, 2018

Master's Examination Committee: Ghaith Hiary, Advisor; James Cogdell

© Copyright by Gerwin Pineda 2018

Abstract

Algorithmic work on the shortest vector problem gained momentum with the publication of the LLL algorithm in 1982. Many problems can be reformulated as finding the shortest vector in a lattice, and the LLL algorithm can provide very good approximations to their true solutions. One of these problems is the factorization of a large integer given partial information about one of its factors.

Coppersmith describes a novel method to do this in [4], which enables the factorization of a large integer $N$ in polynomial time in $\log N$, provided that $(1/4)\log_2 N$ of the high order bits of one of the factors of $N$ are given. However, in practice, this might require guessing some of the middle bits of the partially known factor and then applying the Coppersmith method separately for each guess. In this thesis, we explore the LLL algorithm and how much information the Coppersmith method needs to factor $N$ in one run. We also study the parameters of the Coppersmith algorithm with the hope of reducing the amount of information needed by it. We provide the Mathematica code for the various computations that we did, as well as instructive examples.

Acknowledgments

A big thank you to my adviser Dr. Ghaith Hiary for his advisement and for his careful proofreading of this thesis. Thank you to Dr. James Cogdell for agreeing to be on my examination committee.

Vita

2014: B.S. Mathematics and Computer Science, University of Guam
2016 - present: Graduate Teaching Associate, Graduate Research Associate, The Ohio State University

Fields of Study

Major Field: Mathematical Sciences
Specialization: Computational Sciences

Contents

Abstract
Acknowledgments
Vita
List of Tables
List of Figures
1. Introduction
   1.1 Notation
   1.2 The Shortest Vector Problem
       1.2.1 A brief history of the SVP
       1.2.2 Modern algorithms for finding approximate solutions to the SVP
2. The LLL Algorithm
   2.1 The mechanics of the LLL algorithm
   2.2 Interpreting a reduced basis
   2.3 The performance of LLL in practice
3. Factoring with the Coppersmith Algorithm
   3.1 The Coppersmith Algorithm
       3.1.1 Example of finding roots with the Coppersmith algorithm
   3.2 Factoring large integers with partial information given
       3.2.1 Binary numbering system for integers
       3.2.2 Setup for factoring integers with partial information given
4. Experiment
   4.1 Creating large integers
   4.2 Primary Search
   4.3 Refining the search
   4.4 Effects of $k$
   4.5 Roots outside of the bounds
Appendices
   A. LLL Implementation in Mathematica
   B. Numerical Run Through of LLL
   C. Implementation of the Coppersmith Algorithm in Mathematica
   D. Auxiliary Polynomials and coefficients the example given in Section 3.1.1
Bibliography

List of Tables

3.1 $M_L$ with $d = 2$ and $k = 1$ for the given $q_{ij}(x, y)$ generated using $q(x, y) = 1 + ax + by + cx^2 + dxy + ey^2$. Each row is composed of the coefficients of the $q_{ij}(x, y)$'s and is a basis vector for $L$.
3.2 Converting the decimal number 2153 into binary. The quotients are on the first row while the corresponding remainders are on the second row.
4.1 In the table above, $\gamma_{bound}$ is the $\gamma$ from $\lfloor (2^{-\beta} v^{\alpha})^{1/(2-\alpha)} \rfloor = N^{\gamma}$ for integers of size 514 bits while $\gamma_{found}$ is the largest $\gamma$ found for each $k$ in the second search program.

List of Figures

1.1 Examples of lattices in $\mathbb{R}^2$
2.1 Lattice Title
2.2 Histogram of the position of the shortest reduced basis vector for 1000 randomly chosen 100-dimensional full rank lattices.
2.3 Execution of LLL for a dense matrix, upper triangular matrix, and lower triangular matrix.
4.1 Number of successful runs of the CA for each power of two for $k = 0, 1, 2, 3$ with $|N| = 5000$.
4.2 The CA did not succeed in finding roots of size $N^{0.2}$ for $k = 0, 1, 2$ and of size $N^{0.19}$ for $k = 3$.
4.3 Summary of the results. The frequency for $k = 0, 1, 2, 3, 4$ are shown against the powers of $N$.
4.4 Plot of the right hand side of Inequality (3.14) for various $k$
4.5 Plot of the right hand side of Inequality (3.14) for various $k$ and larger integers
4.6 Individual histograms for $k = 0, 1, 2, 3, 4$

Chapter 1: Introduction

1.1 Notation

Unless noted otherwise, lowercase boldface Roman letters (e.g. $\mathbf{a}, \mathbf{b}, \mathbf{c}, \dots$) will denote real vectors and lowercase Greek letters (e.g. $\alpha, \beta, \gamma, \dots$) will denote real scalars. The inner product (dot product) of $\mathbf{a}$ and $\mathbf{b}$ will be denoted by $\langle \mathbf{a}, \mathbf{b} \rangle$. For $\mathbf{a} = (a_1, a_2, \dots, a_n) \in \mathbb{R}^n$, its Euclidean and maximum norm will be denoted and defined as

$$|\mathbf{a}|_2 = \sqrt{\sum_{i=1}^{n} a_i^2} \quad \text{and} \quad |\mathbf{a}|_\infty = \max_{1 \le i \le n} |a_i|,$$

respectively. If no subscript is present, e.g. $|\mathbf{a}|$, then the norm will be assumed to be the Euclidean norm. For polynomials $p(x) = \sum_{i=0}^{d} p_i x^i$ of degree $d$, the preceding norms will be defined as follows:

$$|p(x)|_2 = \left( \sum_{i=0}^{d} p_i^2 \right)^{1/2} \quad \text{and} \quad |p(x)|_\infty = \max_{1 \le i \le d} |p_i|.$$

We will use the notation $[\alpha]$ to denote the nearest integer to $\alpha$.

1.2 The Shortest Vector Problem

Let $\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_m$ be a set of vectors in $\mathbb{R}^n$, linearly independent over $\mathbb{R}$.
Let $L$ be the space spanned by the integral linear combinations of these vectors

$$L = \left\{ \sum_{i=1}^{n} \alpha_i \mathbf{b}_i \;\middle|\; \alpha_i \in \mathbb{Z} \right\}.$$

$L$ is called a lattice and the vectors $\mathbf{b}_i$ are called a basis for $L$. Let us define the dimension of $L$, denoted by $\dim(L)$, as the ambient dimension of the $\mathbf{b}_i$'s, which is the real dimension of $\mathbb{R}^n$. Thus, $\dim(L) = n$. Let $B$ denote the $m \times n$ matrix whose rows are the vectors $\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_m$. Then, we can define the rank of $L$ as the row-rank of the matrix $B$ and denote it as $\mathrm{rank}(L)$. So, $\mathrm{rank}(L) = m$ as $\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_m$ are linearly independent. If $\mathrm{rank}(L) = \dim(L)$, then $L$ is said to be of full rank. From here, we assume that our lattices are of full rank (i.e. $m = n$). The determinant of $L$, denoted by $\det(L)$, is defined to be the square root of the determinant of the Gram matrix formed by the $\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_n$, i.e., $\det(L) = \sqrt{\det(BB^T)}$. In particular, if $B$ is a full rank matrix, then $\det(L) = |\det(B)|$. Figure 1.1 shows some examples of lattices in $\mathbb{R}^2$ and the basis vectors that generate them.

[Figure 1.1: Examples of lattices in $\mathbb{R}^2$, panels (a), (b), (c), each showing basis vectors $\mathbf{b}_1$ and $\mathbf{b}_2$.]

Notice that the first two lattices are the same but are generated by two different sets of basis vectors, $\{(1, 0), (0, 1)\}$ in (a) and $\{(-1, 0), (1, -1)\}$ in (b). In general, a lattice will have more than one choice of basis. These bases are related to each other by unimodular matrices, which are $n \times n$ matrices with integer entries and determinant of $\pm 1$. The inverse of a unimodular matrix will also be unimodular and the set of unimodular matrices forms a multiplicative group.

Any lattice has a non-zero vector $\mathbf{x}$ whose norm is smallest, meaning $0 < |\mathbf{x}| \le |\mathbf{y}| \;\; \forall \mathbf{y} \in L$. Such a vector exists since $L$ is a discrete group. Note that the norm does not necessarily have to be the Euclidean norm. We will refer to this vector $\mathbf{x}$ as the shortest vector of $L$, though $\mathbf{x}$ need not be unique as there could be multiple non-zero vectors in $L$ of minimum norm.
For example, consider the lattice $\mathbb{Z}^2 = \{(x, y) \mid x, y \in \mathbb{Z}\}$, which is the lattice displayed in (a) and (b) of Figure 1.1. There are four shortest vectors in this lattice, namely the vectors $\{(0, 1), (1, 0), (-1, 0), (0, -1)\}$. Finding the shortest vector $\mathbf{x}$ in $L$ is referred to as the Shortest Vector Problem or SVP. The following important result, due to Minkowski [12], gives an upper bound on the size of the shortest vector.

Theorem 1.2.1 (Minkowski). Let $L$ be an $n$-dimensional lattice of full rank and let $\lambda(L)$ denote the Euclidean norm of its shortest non-zero vector. Then we have

$$\lambda(L) \le \sqrt{n} \, \det(L)^{1/n}.$$

The SVP is an important problem of general interest. Many problems in mathematics and computer science can be reformulated in terms of solving the SVP. In lattice-based cryptography, the SVP is used in the security proof of some cryptosystem.
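
The statements of Section 1.2 can be checked numerically for rank-2 integer lattices. The following Python sketch is an added example, not code from the thesis (whose appendices use Mathematica): it tests whether two bases are related by a unimodular matrix, lists all shortest vectors, and checks Minkowski's bound. It goes beyond the text by using Lagrange-Gauss reduction, the two-dimensional precursor of LLL; all function names and the basis `C` are constructed here.

```python
from fractions import Fraction
from itertools import product

def norm2(v):
    return v[0] * v[0] + v[1] * v[1]

def det2(B):
    (a, b), (c, d) = B
    return a * d - b * c

def gram_det(B):
    """det(B B^T); det(L) is its square root (= |det B| at full rank)."""
    g12 = B[0][0] * B[1][0] + B[0][1] * B[1][1]
    return norm2(B[0]) * norm2(B[1]) - g12 * g12

def same_lattice(B1, B2):
    """True iff B2 = U * B1 with U unimodular (integer entries, det +-1)."""
    (a, b), (c, e) = B1
    d = det2(B1)
    inv = [[Fraction(e, d), Fraction(-b, d)], [Fraction(-c, d), Fraction(a, d)]]
    U = [[sum(B2[i][k] * inv[k][j] for k in range(2)) for j in range(2)]
         for i in range(2)]
    return all(u.denominator == 1 for r in U for u in r) and abs(det2(U)) == 1

def lagrange_reduce(b1, b2):
    """Lagrange-Gauss reduction; the first returned vector is a shortest one."""
    if norm2(b1) > norm2(b2):
        b1, b2 = b2, b1
    while True:
        # mu = nearest integer to <b1, b2> / <b1, b1>
        mu = round(Fraction(b1[0] * b2[0] + b1[1] * b2[1], norm2(b1)))
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
        if norm2(b2) >= norm2(b1):
            return b1, b2
        b1, b2 = b2, b1

def shortest_vectors(B):
    """Squared length lambda^2 and all non-zero lattice vectors attaining it."""
    r1, r2 = lagrange_reduce(*B)
    # For a reduced basis every shortest vector has coefficients in {-1, 0, 1}.
    cands = {(x * r1[0] + y * r2[0], x * r1[1] + y * r2[1])
             for x, y in product((-1, 0, 1), repeat=2) if (x, y) != (0, 0)}
    lam2 = min(map(norm2, cands))
    return lam2, sorted(v for v in cands if norm2(v) == lam2)

def minkowski_holds(B):
    """Theorem 1.2.1 for n = 2, squared: lambda^2 <= 2 * det(L)."""
    return shortest_vectors(B)[0] <= 2 * abs(det2(B))

A = [(1, 0), (0, 1)]            # basis (a) of Figure 1.1
B = [(-1, 0), (1, -1)]          # basis (b) of Figure 1.1
C = [(201, 37), (1648, 297)]    # constructed skewed basis, not from the thesis
```

Exact integer and rational arithmetic is used throughout, so the comparisons are not affected by floating-point rounding.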
