Old and new deterministic factoring algorithms
James McKee and Richard Pinch
Department of Pure Mathematics and Mathematical Statistics
University of Cambridge, 16 Mill Lane, Cambridge CB2 1SB, England
In recent years, there has been spectacular progress in the practical art of factoring. By contrast, the theoretical problem of finding deterministic algorithms which provably factor composite $n$ has made little, if any, progress since Pollard ([Pol]) and Strassen ([Str]) showed that FFT techniques could be utilised to factor an integer $n$ in $O(n^{1/4+\varepsilon})$ steps. (Here, and in similar estimates, $\varepsilon$ is a positive real number, as small as we please, with the implied constant in the $O$-estimate depending on the choice of $\varepsilon$.) If an extension of the Riemann Hypothesis were to be proved to hold, then class group methods ([Sha], [Sch]) would factor $n$ in $O(n^{1/5+\varepsilon})$ steps. Without using Fourier transforms, the best asymptotic running time of a deterministic factoring algorithm is $O(n^{1/3+\varepsilon})$ steps. Three such algorithms have been published, by R.S. Lehman ([Leh], 1974), H.W. Lenstra ([Len], 1984), and the first author ([McK1], in press). In this paper, two more $O(n^{1/3+\varepsilon})$ factoring algorithms are presented, bringing the total to five.

Although largely of theoretical interest, any new factoring method raises questions about the security of the moduli used in the RSA cryptosystem ([RSA]). Moduli susceptible to attack by any particular method should be avoided. One of the new algorithms presented here does indeed make a new class of RSA moduli vulnerable. The other does not, but it has a feature unique amongst the $O(n^{1/3+\varepsilon})$ algorithms: if $n = pq$ with $p$ and $q$ prime, $p < q$, and a bound $Q$ is known for $q$, then the algorithm runs in $O(Q^{1/2} n^{\varepsilon})$ steps. For numbers $n$ which are a product of two primes both of order $n^{1/2}$, we get an $O(n^{1/4+\varepsilon})$ algorithm, without using Fourier transforms. For convenience, we shall refer to numbers which are a product of two primes of similar size as RSA numbers, since this is the traditional shape for numbers used as RSA moduli. Thus we have a deterministic $O(n^{1/4+\varepsilon})$ algorithm for factoring RSA numbers, without using FFT.

In this paper we shall review briefly the old algorithms mentioned above, and introduce some new ideas.
1. FFT, and factoring by computing discrete logarithms
Using Fourier transforms, a polynomial of degree $d$ over $\mathbb{Z}/n\mathbb{Z}$ can be evaluated at $d$ places in $O(d^{1+\varepsilon})$ steps ([Tur], Corollary 2 to Theorem 4).

If $n$ is composite, then the least prime $p$ dividing $n$ can be written as $p = am + b$, with $m = \lceil n^{1/4} \rceil$, $0 \le a, b < m$. We evaluate $\prod_{0 \le b < m} (mX + b)$ at $X = 0, \ldots, m - 1$ in $O(n^{1/4+\varepsilon})$ steps, and look for $\gcd\bigl(n, \prod_{0 \le b < m} (ma + b)\bigr) > 1$. If we get a gcd equal to $n$, then we backtrack to find $p$. This gives Strassen's $O(n^{1/4+\varepsilon})$ algorithm.

Pollard's approach was to compute discrete logarithms modulo $p$ using baby-step-giant-step techniques. Writing $p - 1 = am + b$, with $m = \lceil n^{1/4} \rceil$, $0 \le a, b < m$, we compute powers of $2^m$ (giant steps) and powers of $2^{-1}$ (baby steps) and look for a match mod $p$. To find this we evaluate the polynomial $\prod_{0 \le b < m} (X - 2^{-b})$ at $X = 2^m, 2^{2m}, \ldots, 2^{(m-1)m}$ in $O(n^{1/4+\varepsilon})$ steps, and look for $\gcd\bigl(n, \prod_{0 \le b < m} (2^{am} - 2^{-b})\bigr) > 1$. Again we may need to backtrack if we get a gcd equal to $n$, but now there is the additional problem that 2 might have the same order modulo all primes dividing $n$. This problem is tackled satisfactorily in [Pol].

The first of our new $O(n^{1/3+\varepsilon})$ algorithms is similar to Pollard's, in that it works by computing a discrete logarithm by the baby-step-giant-step technique. The distinction is that it computes discrete logarithms mod $n$, rather than mod $p$. In this way one avoids the need to use FFT to find a match mod $p$ between two lists defined mod $n$: here we seek a match mod $n$, which can be found simply by sorting. The obvious difficulty with taking discrete logarithms mod $n$ is that the multiplicative group mod $n$ is too large: we would expect to take $O(n^{1/2+\varepsilon})$ steps to find a discrete logarithm by the baby-step-giant-step technique. Here we use a trick. Since we seek an $O(n^{1/3+\varepsilon})$ algorithm, we may suppose (after trial division) that $n = pq$ with $p$ and $q$ primes, $n^{1/3} < p < q$. Then we compute $2^n \equiv 2^{q+p-1} \pmod{n}$. Since $q + p = O(n^{2/3})$, we can compute the base 2 discrete logarithm of $2^n$ mod $n$ in $O(n^{1/3+\varepsilon})$ steps. From this, $q + p$ is determined modulo $b$, the order of 2 in $(\mathbb{Z}/n\mathbb{Z})^{\times}$. If $b > n^{1/3}$, then we can find $q + p$, and hence $p$, in $O(n^{1/3+\varepsilon})$ steps. Otherwise, we must deal with the possibility that 2 has the same small order mod $p$ and mod $q$, and we show how to find an element of sufficiently large order to serve in place of 2, all within $O(n^{1/3+\varepsilon})$ steps.

If we know $n = pq$ with $q < Q$, then the above algorithm can be adapted to run in time $O(Q^{1/2} n^{\varepsilon})$. For RSA numbers we have $Q = O(n^{1/2})$, so that we get a deterministic $O(n^{1/4+\varepsilon})$ factoring algorithm for such numbers, without using Fourier transforms.
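The following Python is an added example, not code from the paper: it carries out the section 1 idea on a constructed toy modulus, namely the baby-step-giant-step search mod $n$ for the base 2 discrete logarithm of $2^n$, the candidates for $p + q - 1$ that the matches yield, and the recovery of $p$ and $q$ from $p + q$ via $x^2 - (p+q)x + n = 0$. Function names and the optional `q_bound` parameter (the paper's $Q$, which shrinks the search to $O(Q^{1/2})$ table entries) are my own choices.

```python
"""Toy illustration of the section 1 idea: the base-2 discrete logarithm of 2^n
mod n reveals p + q - 1, and p + q then gives the factors of n = pq.  Added
example, not code from the paper; the modulus used is built from two small primes."""
from collections import defaultdict
from math import isqrt


def log2_matches(n: int, bound: int) -> list:
    """All e in [0, bound) with 2^e = 2^n (mod n), by baby-step giant-step mod n.
    Baby steps 2^n * 2^(-j), 0 <= j < m, go into a dictionary (the paper's
    "match found by sorting"); giant steps are 2^(i*m); a collision gives
    e = i*m + j.  If the order b of 2 is below the bound, several e appear,
    spaced by b: these are the paper's candidates for p + q - 1 modulo b."""
    target = pow(2, n, n)                    # 2^n = 2^(p+q-1) (mod n) when n = pq
    m = isqrt(bound) + 1                     # m^2 >= bound
    inv2 = pow(2, -1, n)                     # n is odd, so 2 is invertible
    baby, x = defaultdict(list), target
    for j in range(m):
        baby[x].append(j)
        x = x * inv2 % n
    giant, y, found = pow(2, m, n), 1, []
    for i in range(m):
        found.extend(i * m + j for j in baby.get(y, ()) if i * m + j < bound)
        y = y * giant % n
    return sorted(found)


def split_from_sum(n: int, s: int):
    """Solve x^2 - s*x + n = 0; return (p, q), p < q, if s really is p + q."""
    disc = s * s - 4 * n
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if 1 < p < q and p * q == n else None


def factor_via_dlog(n: int, q_bound: int = 0):
    """n = pq with n^(1/3) < p < q (trial division assumed done), so p + q - 1 lies
    below 2 n^(2/3); a known bound Q on q shrinks that to 2Q (the O(Q^(1/2) n^eps) variant)."""
    c = round(n ** (1 / 3)) + 1              # >= n^(1/3) at toy sizes
    bound = 2 * q_bound if q_bound else 2 * c * c
    for e in log2_matches(n, bound):         # candidates for p + q - 1
        got = split_from_sum(n, e + 1)
        if got:
            return got
    return None
```

With the constructed modulus `10007 * 10009` the order of 2 mod $n$ exceeds the search range, so exactly one match is found and it equals $p + q - 1$ directly.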
2. Factoring with class groups
If $n$ is composite and $n \equiv 3 \pmod{4}$, then Shanks's class group method ([Sha]) amounts to a search for a binary quadratic form of discriminant $-n$ not in the principal genus. Without the Riemann hypothesis, we are not aware of how to find such a form in anything better than $O(n^{1/2+\varepsilon})$ steps. If $n \equiv 1 \pmod{4}$, then there is an additional problem arising from what Shanks calls `highly recessive' elements of the class group. A practical means of dealing with these is given in [Sha], and if one assumes the extended Riemann Hypothesis, then there is no difficulty ([Sch]), and the method even becomes $O(n^{1/5+\varepsilon})$.
In an extension of a method of Euler, the first author showed that one could obtain an $O(n^{1/3+\varepsilon})$ factoring algorithm by considering representations of multiples of $n$ by binary quadratic forms ([McK1]). This has the unique feature amongst $O(n^{1/3+\varepsilon})$ factoring algorithms that it requires only $O(n^{1/6})$ trial divisions.

3. Factoring by rational approximations to $q/p$, or $\sqrt{q/p}$

Suppose that $n = pq$ with $p$ and $q$ primes, and $n^{1/3} < p < q$. Lehman ([Leh]) showed that by considering good rational approximations to $q/p$, one can extend Fermat's factoring method to factor $n$ in $O(n^{1/3+\varepsilon})$ steps.

A more practical variant, which uses good rational approximations to $\sqrt{q/p}$, is given in [McK2]. This is not a deterministic algorithm, so is of less relevance here. It has an expected running time of $O(n^{1/4+\varepsilon})$ steps, and shares with Shanks's SQUFOF the advantageous feature of requiring an accuracy of only half the bits of $n$ for most of the computations.

4. Factoring by looking for divisors in residue classes

Lehmer (see [BS]) observed that if $n = pq$ with $p \equiv q \equiv 1 \pmod{k}$, $p < q$, then Fermat's method can be speeded up to run in $O(q/k^2)$ steps. Here $p$ and $q$ need not be prime.

Lenstra ([Len]) discovered a more generally useful method. He showed that if $m > n^{1/3}$, then all prime divisors of $n$ in any given residue class mod $m$ can be found in polynomial time. One easily gets an $O(n^{1/3+\varepsilon})$ factoring algorithm, although the most useful application of Lenstra's result is to certain primality proving methods.

In a similar vein, we show that Lehmer's method can be extended. If $n = pq$ with $p \equiv q \pmod{k}$, $p < q$, then we show that $n$ can be factored in $O(q/k^2)$ steps. Thus, whereas Lehmer's method gained a factor of $k^2$ for one in $k^2$ numbers, this generalisation gains a factor of $k^2$ for one in $k$ numbers. It makes certain RSA moduli vulnerable to attack. Moreover, we show that by taking $k$ of order $n^{1/3}$, and testing $O(n^{1/3})$ different multiples of $n$, we get another $O(n^{1/3+\varepsilon})$ deterministic factoring algorithm.

For factoring RSA numbers $n = pq$, we have a more practical variant, with expected running time $O(n^{1/4+\varepsilon})$ steps, under the assumption that there exist small multipliers, and a $k$ between $n^{1/4}$ and $2n^{1/4}$, such that the corresponding small multiples of $p$ and $q$ are congruent modulo $k$.
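The $k^2$ gain behind section 4, as an added example that is not the paper's code: for odd $k$ dividing $q - p$, $y = (q - p)/2$ is a multiple of $k$, so $x = (p + q)/2$ satisfies $x^2 = n + y^2 \equiv n \pmod{k^2}$, and Fermat's walk over $x$ need only visit the square-root classes of $n$ mod $k^2$ (the paper does not spell this step out; it is supplied here). The toy modulus $1009 \cdot 10007$, for which both $11$ and $409$ divide $q - p$, and the function names are my own constructions; the step counts compare the plain walk with the restricted one.

```python
"""Fermat's method restricted to the residue classes forced by p = q (mod k).
Added example, not the paper's code.  For odd k dividing q - p, y = (q-p)/2 is a
multiple of k, so x = (p+q)/2 satisfies x^2 = n + y^2 = n (mod k^2): only the x in
the square-root classes of n mod k^2 need testing, which is the k^2 speed-up of
section 4.  The toy modulus is 1009 * 10007, where 11 and 409 both divide q - p."""
from math import isqrt


def ceil_sqrt(n: int) -> int:
    x = isqrt(n)
    return x + 1 if x * x < n else x


def fermat(n: int, limit: int):
    """Plain Fermat: x walks up from ceil(sqrt(n)) until x^2 - n is a square.
    Returns ((p, q), steps) or (None, limit) if no split is found in time."""
    x = ceil_sqrt(n)
    for steps in range(1, limit + 1):
        y = isqrt(x * x - n)
        if y * y == x * x - n:
            return (x - y, x + y), steps
        x += 1
    return None, limit


def fermat_mod_k(n: int, k: int, limit: int):
    """Same walk, but x only takes values with x^2 = n (mod k^2)."""
    kk = k * k
    roots = [r for r in range(kk) if (r * r - n) % kk == 0]   # toy O(k^2) scan
    if not roots:
        return None, 0              # p = q (mod k) is impossible for this n
    start = ceil_sqrt(n)
    base, steps = start - start % kk, 0   # block of k^2 containing start
    while steps < limit:
        for r in roots:                   # ascending, so x increases monotonically
            x = base + r
            if x < start:
                continue
            steps += 1
            y = isqrt(x * x - n)
            if y * y == x * x - n:
                return (x - y, x + y), steps
        base += kk
    return None, steps
```

On the toy modulus the plain walk needs 2331 tests, the $k = 11$ walk 40 (two square-root classes per block of $121$), and the $k = 409$ walk a single test, matching the $O(q/k^2)$ count.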
References

[BS] J. Brillhart and J.L. Selfridge, `Some factorizations of $2^n \pm 1$ and related results', Mathematics of Computation 21 (1967), 87–96.

[Leh] R. Sherman Lehman, `Factoring large integers', Mathematics of Computation 28, no. 126 (1974), 637–646.

[Len] H.W. Lenstra, Jr., `Divisors in residue classes', Mathematics of Computation 42, no. 165 (1984), 331–340.

[McK1] J.F. McKee, `Turning Euler's factoring method into a factoring algorithm', Bulletin of the London Mathematical Society, to appear.

[McK2] J.F. McKee, `Interpolating the quadratic sieve', in preparation.

[Pol] J.M. Pollard, `Theorems on factorization and primality testing', Proceedings of the Cambridge Philosophical Society 76 (1974), 521–528.

[RSA] R.L. Rivest, A. Shamir and L. Adleman, `A method for obtaining digital signatures and public-key cryptosystems', Communications of the ACM 21, no. 2 (1978).

[Sch] R.J. Schoof, `Quadratic fields and factorization', in Computational Methods in Number Theory, Part II, edited by H.W. Lenstra, Jr. and R. Tijdeman, Mathematical Centre Tracts 155, Mathematisch Centrum, Amsterdam 1982.

[Sha] D. Shanks, `Class number, a theory of factorization and genera', Proceedings of the Symposium in Pure Mathematics 20, AMS (1971), 415–440.

[Str] V. Strassen, `Einige Resultate über Berechnungskomplexität', Jahresber. Deutsch. Math.-Verein. 78 (1976/77), 1–8.

[Tur] J.W.M. Turk, `Fast arithmetic operations on numbers and polynomials', in Computational Methods in Number Theory, Part I, edited by H.W. Lenstra, Jr. and R. Tijdeman, Mathematical Centre Tracts 154, Mathematisch Centrum, Amsterdam 1982.