Sieve-based factoring algorithms From bicycle chains to number fields Eran Tromer [email protected] Weizmann Institute of Science Sieve-based factoring – p.1/23 Factoring by square root extraction Factoring a composite n can be reduced to computing square roots modulo n. Given a black box p : Pick x Z randomly and compute x2 p y. 2 n ! ! With probability at least 1=2, x2 y2; x y (mod n) ≡ 6≡ and then gcd(x y; n) is a non-trivial factor of n. − Sieve-based factoring – p.2/23 Fermat’s method Special case: n = x2 y2 (difference of squares) − Find x > pn such that x2 n is a square. • − Equivalently (by p ): • x = a + l nm 2 f(a) = a pn n − l m − 2 g(a) = a pn always a square − l m Try a = 0; 1; 2; : : : until you find a such that f(a) is also a square over Z. Compute x = g(a); y = f(a) over Z. • p p Sieve-based factoring – p.3/23 Idea #1: exploit regularity for any prime p is 0 or a quadratic f(a) is a f(a) = residue modulo p: square over Z ) f(a) 0; 1 p 2 f g • f(a) (mod p) has period p. • About half the values in this period are “good” (quadratic residues or 0). • We can easily compute these periods. Sieve-based factoring – p.4/23 Lehmer's bicycle chain sieve [1928] (implementation of Fermat's method) Sieve-based factoring – p.5/23 Lehmer’s movie film sieve [1932] (implementation of Fermat’s method) Choose many small primes and precompute the corre- sponding periods of f(a) . p Scan a = 1; 2; 3; : : : sequentially while keeping track of the index in each period. When all periods are at a “good” value, stop and (hopefully) compute f(a). p Sieve-based factoring – p.6/23 Complexity of Fermat’s method The efficient sieving hardware is nice, but doesn’t change the asymptotic performance. There are only pn squares smaller than n, so for a general n we expect to sieve for about pn steps. This is worse than trial division! Sieve-based factoring – p.7/23 Idea #2: Combine relations [Morrison,Brillhart 1975] 2 2 Let f 0(a) = a mod n ; g0(a) = a . It’s too hard to directly find a > pn such that f 0(a) is a square, so instead find a nonempty set S Z ⊂ such that a S f 0(a) is a square. Then compute x; y such thatQ 2 2 2 f 0(a) = y ; g0(a) = x Y Y a S a S 2 2 Because a : f (a) g (a) (mod n), we get 8 0 ≡ 0 x2 y2 (mod n) ≡ and gcd(x y; n) may be a non-trivial factor of n. − Sieve-based factoring – p.8/23 Idea #2: Combine relations (example) f 0(629) = 102 = 2 3 17 f 0(792) = 33 = 3 11 ! f 0(120) = 1495 = 5 13 23 f 0(105) = 84 = 22 3 7 f 0(52) = 616 = 23 7 11 ! f 0(403) = 145 = 5 29 f 0(201) = 42 = 2 3 7 ! . A square . e xponents because 4 2 0 2 2 f 0(a) = 2 3 5 7 11 are Y ev all a2f792;52;201g en. Sieve-based factoring – p.9/23 Dixon’s algorithm [ 1981] How to find S such that a S f 0(a) is a square? Q 2 Consider only the π(B) primes smaller than a bound B, and search for f 0(a) values that are B-smooth (i.e., factor into primes smaller than B). • Pick random a 1; : : : ; n and check if f 0(a) is B-smooth. If so2, representf it asg a vector of exponents: f (a) = p e1 p e2 p e3 p ek (e ; e ; e ; : : : ; e ) 0 1 2 3 · · · k 7! 1 2 3 k • Find a subset S of these vectors whose sum has even entries: place the vectors as the rows of a matrix A and find v such that vA ~0 (mod 2). ≡ e1 e2 e3 ek a S f 0(a) = p1 p2 p3 pk where ei are all Q 2 · · · even, so it’s a square. Sieve-based factoring – p.10/23 Complexity of Dixon’s algorithm • Let ρ(γ; B) be the probability that a random number around γ is B-smooth. Since f 0(a) is distributed randomly in 0; : : : ; n 1 , each trial finds a relation with probabilityf ρ−(n;gB). ∼ • We need π(B) + 1 relations. Thus, we need roughly π(B)/ρ(n; B) trials. • In each trial we check divisibility by π(B) primes. • Tradeoff: Decrease B relations are rarer (smaller ρ). • ! • Increase B more relations are needed and they are harder! to identify. Also, computing S is harder since the matrix is larger. Sieve-based factoring – p.11/23 Complexity of Dixon’s algorithm (cont.) • Time complexity for optimal choice of B: (c+o(1)) (log n)1=2 (log log n)1=2 e · · • Simple implementation: c = 2 (trial division, Guassian elimination) p • Improved implementation: c = 2 (ECM factorization, Lancos/Wiedemann kernel) • The approach of combining relations works very well, but we can do better. Sieve-based factoring – p.12/23 The Quadratic Sieve [Pomerance] Dixon’s method looks at the values f 0(a); g0(a) for random a. 2 f 0(a) =a mod n n ∼ 2 g0(a) =a Instead look at f(a); g(a) for a = 0; 1; 2; : : : as in Fermat’s method: 2 f(a) = a pn n 2apn − l m − ∼ 2 g(a) = a pn − l m Smaller number are more likely to be smooth! ρ(pn; B) ρ(n; B). Sieve-based factoring – p.13/23 The Quadratic Sieve – remember Lehmer • Task: find many a for which f(a) is B-smooth. We look for a such that p f(a) for many large p: • j log p > T log f(a) X ≈ p : p f(a) j • Each prime p “hits” at arithmetic progressions: a : p f(a) = a : f(a) 0 (modp) f j g f ≡ g = ri + kp : k Z Sif 2 g where ri are the roots modulo p of the polynomial f (there are either 0 or 2; one on average). Sieve-based factoring – p.14/23 The Quadatic Sieve – sieve Sieve-based factoring – p.15/23 The Quadatic Sieve – TWINKLE Sieve-based factoring – p.16/23 The Quadatic Sieve – PC-based Sieve-based factoring – p.17/23 Complexity of the Quadatic Sieve • Conjectured time for optimal choice of B: (c+o(1)) (log n)1=2 (log log n)1=2 e · · with c = 1, compared to c = p2 for Dixon’s algorithm can factor integers that are twice longer. ) • Variants — self initializing multiple polynomial quadratic sieve. • Subexponential time, subexponential space but can practically factor integers up to 400 bits. 1=2 ∼ • Can we decrease the (log n) term in the exponent? Sieve-based factoring – p.18/23 Can we? (log n)1=2 Key observation: the e··· ··· is there essentially because we sieve over numbers of size n1=2, which aren’t very likely to be smooth. ∼ Find a way to sieve over smaller numbers! But we don’t know how to do that with quadratic polynomials... Sieve-based factoring – p.19/23 The Number Field Sieve [Pollard,Lenstra,Lenstra,Manasse,Adleman,Montgomery,. 1988±] As before we have two polynomials f; g that are related modulo n, but now the relation is more subtle: f and g both have a known root m modulo n. f(m) g(m) 0 (mod n) ≡ ≡ Also, suppose f and g are monic and irreducible. Let α be a complex root of f. Consider the ring Z[α] (equivalently, Z[x]=(f(x))). The members of this ring are of the form 2 degf 1 q(α) = q0 + q1α + q2α + q + qdα − . Operations in this ring are done ·modulo· · f(α), simply because f(α) = 0. Similarly define Z[β], where β is a complex root of g. Sieve-based factoring – p.20/23 The Number Field Sieve (cont.) Consider the ring homomorphism φ : Z[α] Zn defined by φ : α m (i.e., replacing all occur! ances of α with m). Like7!wise, : Z[β] Z; : β m. ! 7! Suppose we found a set of integer pairs S Z Z and also q(α) Z[α] and t(β) Z[β] such⊂ that× 2 2 2 Z q(α) = (a;b) S(a bα) over [α] Q 2 − 2 Z t(β) = (a;b) S(a bβ) over [β] Then modn... Q 2 − 2 φ(q(α)) φ (a;b) S(a bα) ≡ Q 2 − (a bm) 2 o ≡ Y − (t(β)) (a;b) S(a bβ) (a;b) S ≡ Q 2 − 2 Sieve-based factoring – p.21/23 The Number Field Sieve Let F (a; b) = bdegf f(a=b). It turns out that Z (a;b) S(a bα) is a square in [α] Q 2 − Z = (a;b) S F (a; b) is a square in ) Q 2 Moreover, the converse “almost” holds. Therefore, we can work as before: find (a; b) pairs such that F (a; b) is B-smooth, compute their exponent vectors and find dependencies. To find pairs, we fix values of b and sieve over a. We do the same for g and Z[β], and find S that satisfies both conditions. Sieve-based factoring – p.22/23 Complexity of the Number Field Sieve • The point: wisely choose f; g so that their values near 0 are small and therefore likely to be smooth.