![Factoring
Quadratic Sieve
Define quadratic polynomial
Q(x) = (sqrt(N) + x)2
− N
The is the “quadratic” in QS
Use Q(x) to find B-smooth values
o For each x ∈ [−M,M] compute y = Q(x)
o Mod N, we have y = z2
, where z = sqrt(N) + x
o Test y for B-smoothness
o If y is smooth, save mod 2 exponent vector](https://image.slidesharecdn.com/18factoring-150412035528-conversion-gate01/85/factoring-23-320.jpg)
![Factoring
Quadratic Sieve
How to sieve for B-smooth relations
Array: Q(x) for x = −M,−M+1,…, M−1,M
For first prime p in factor base
o Generate all x ∈ [−M,M] for which p divides Q(x)
(as described on previous slide)
o For each, divide by highest power of p
o For each, store power, mod 2, in vector for x
Repeat for all primes in factor base
Numbers reduced to 1 are B-smooth](https://image.slidesharecdn.com/18factoring-150412035528-conversion-gate01/85/factoring-31-320.jpg)
![Factoring
Quadratic Sieve
Linear algebra phase same as Dixon’s
Sieving is the dominant work
Lots of tricks used to speed up sieving
o For example, “logarithms” to avoid division
Multiple Polynomial QS (MPQS)
o Multiple polynomials of form (ax+b)2
− N
o Can then use smaller interval [−M,M]
o Yields much faster parallel implementations](https://image.slidesharecdn.com/18factoring-150412035528-conversion-gate01/85/factoring-32-320.jpg)
factoring
- 2. Factoring Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like “exhaustive search” for RSA Lots of interest/research in factoring What are best factoring methods? o How does RSA “key size” compare to symmetric cipher key size?
- 3. Factoring Factoring Methods Trial division o Obvious method but not practical Dixon’s algorithm o Less obvious and much faster Quadratic sieve o Refinement of Dixon’s algorithm o Best algorithm up to about 110 decimal digits Number field sieve o Best for numbers greater than 100 digits o We only briefly mention this algorithm
- 4. Factoring Trial Division Given N, try to divide N by each of 2,3,5,7,9,11,…,sqrt(N) As soon as a factor found, we are done o So, expected work is about sqrt(N)/2 Improvement: try only prime numbers Work is then on order of π(N) o Where π(N) ≈ N/ln(N) is number of primes up to N
- 5. Factoring Congruence of Squares We want to factor N = pq Suppose we find x,y such that N = x2 − y2 Then N = (x − y)(x + y), have factored N More generally, congruence of squares… Suppose x2 = y2 (mod N) Then x2 − y2 = kN for some k Which implies (x − y)(x + y) = kN
- 6. Factoring Congruence of Squares Suppose x2 = y2 (mod N) Then (x − y)(x + y) = kN Implies (x − y) or (x + y) is factor of N o Or x − y = k and x + y = N (or vice versa) With probability at least 1/2, we obtain a factor of N o If so, gcd(N, x − y) or gcd(N, x + y) factors N o And the gcd is easy to compute
- 7. Factoring Congruence of Squares For example 102 = 32 (mod 91) That is, (10 − 3)(10 + 3) = 91 o Factors of 91 are, in fact, 7 and 13 Also, 342 = 82 (mod 91) o Then 26⋅42 = 0 (mod 91) and we have gcd(26,91) = 13 and gcd(42,91) = 7 In general, gcd is necessary
- 8. Factoring Congruence of Squares Find congruence of squares: x2 = y2 (mod N) and we can likely factor N How to find congruence of squares? Consider, for example, 412 = 32 (mod 1649) and 432 = 200 (mod 1649) Neither 32 nor 200 is a square But 32⋅200 = 6400 = 802 Therefore, (41⋅43)2 = 802 (mod 1649)
- 9. Factoring Congruence of Squares Can combine non-squares to obtain a square, for example 32 = 25 ⋅50 and 200 = 23 ⋅52 And 32⋅200 = 28 ⋅52 = (24 ⋅51 )2 We obtain a perfect square provided each exponent in product is even Only concerned with exponents and only need consider even or odd, i.e., mod 2
- 10. Factoring Congruence of Squares Number has an exponent vector For example, first element of vector is power of 2 and second power of 5 Then And
- 11. Factoring Congruence of Squares Mod 2 exponent vector of product 200⋅32 is all zero, so perfect square Also, this vector is sum (mod 2) of vectors for 200 and 32 Any set of exponent vectors that sum to all-zero, mod 2, gives us a square We need to keep vectors small o Only allow numbers with “small” prime factors
- 12. Factoring Congruence of Squares Choose bound B and primes less than B o This is our factor base o For technical reasons, include “−1” in factor base A number that factors completely over the factor base is B-smooth Smooth relations factor over factor base Restrict our attention to B-smooth relations o Good: Exponent vectors are small o Bad: Harder to find relations
- 13. Factoring Example Want to factor N = 1829 Choose bound B = 13 Choose factor base −1,2,3,5,7,11,13 Look at values in −N/2 to N/2 To be systematic, we choose sqrt(kN) and sqrt(kN) for k = 1,2,3,4 And test each for B-smoothness
- 14. Factoring Example Compute All are B-smooth except 602 and 752
- 16. Factoring Example Find collection of exponent vectors that sum, mod 2, to zero vector Vectors corresponding to 422 , 432 , 612 and 852 work:
- 17. Factoring Example Implies that (42⋅43⋅61⋅85)2 = (2⋅3⋅5⋅ 7⋅13)2 (mod 1829) Simplifies to 14592 = 9012 (mod 1829) Since 1459 − 901 = 558, we find factor of 1829 by gcd(558,1829) = 31 Easily verified 1829 = 59⋅31
- 18. Factoring Example A systematic way to find set of vectors that sum to zero vector… In this example, want x0,x1,…,x5 This is a basic linear algebra problem
- 19. Factoring Linear Algebra Suppose n elements in factor base o Factor base includes “−1” o Then matrix on previous slide has n rows o Seek linearly dependent set of columns Theorem: If matrix has n rows and n + 1 or more columns then a linearly dependent set of columns exists Therefore, if we find n + 1 or more smooth relations, we can solve the linear equations
- 20. Factoring Dixon’s Algorithm 1. To factor N: select bound B and factor base with n−1 primes less than B and “−1” 2. Select r, compute y = r2 (mod N) Number r can be selected at random 3. If y factors completely over factor base, save mod 2 exponent vector 4. Repeat steps 2 and 3 to obtain n+1 vectors 5. Solve linear system and compute gcd
- 21. Factoring Dixon’s Algorithm If factor base is large, easier to find B-smooth relations o But linear algebra problem is harder Relation finding phase parallelizable o Linear algebra part is not Next, quadratic sieve o An improved version of Dixon’s algorithm
- 22. Factoring Quadratic Sieve Quadratic sieve (QS) algorithm o Dixon’s algorithm “on steroids” Finding B-smooth relations beefed up As in Dixon’s algorithm o Choose bound B and factor base of primes less than B o Must find lots of B-smooth relations
- 23. Factoring Quadratic Sieve Define quadratic polynomial Q(x) = (sqrt(N) + x)2 − N The is the “quadratic” in QS Use Q(x) to find B-smooth values o For each x ∈ [−M,M] compute y = Q(x) o Mod N, we have y = z2 , where z = sqrt(N) + x o Test y for B-smoothness o If y is smooth, save mod 2 exponent vector
- 24. Factoring Quadratic Sieve Advantage of QS over Dixon’s is that by using Q(x) we can sieve What is sieving? Glad you asked… First, consider sieve of Eratosthenes o Used to sieve for prime numbers Then modify it for B-smooth numbers
- 25. Factoring Sieve of Eratosthenes To find prime numbers less than M List all numbers 2,3,4,…,M−1 Cross out all numbers with factor of 2, other than 2 Cross out all numbers with factor of 3, other than 3, and so on Number that “fall thru” sieve are prime
- 26. Factoring Sieve of Eratosthenes To find prime numbers less than 31… 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 — — — — ————— — — — — — ⁄ ⁄ ⁄ ⁄ ⁄ ⁄ ⁄ ⁄ ⁄ | | ||| ∩ Find that primes less than 31 are 2,3,5,7,11,13,17,19,23 and 29
- 27. Factoring Sieve of Eratosthenes This sieve gives us primes But also provides info on non-primes For example, 24 marked with “ ” and “ ” so it is divisible by 2 and 3 Note: we only find that 24 is divisible by 2, not by 4 or 8 — ⁄
- 28. Factoring Sieving for Smooth Numbers Instead of crossing out, we divide by the prime (including prime itself) 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 3 2 5 3 7 4 9 5 All 1s represent 7-smooth numbers Some non-1s also 7-smooth o Must divide by highest powers of primes 1 1 1 2 5 1 1 1 1 2
- 29. Factoring Quadratic Sieve QS uses similar sieving strategy as on previous slide o And some computational refinements Suppose p in factor base divides Q(x) o Then p divides Q(x + kp) for all k ≠ 0 (homework) o That is, p divides Q of …,x−2p,x−p,x,x+p,x+2p,… o No need to test these for divisibility by p This observation allows us to sieve
- 30. Factoring Quadratic Sieve One trick to speed up sieving If Q(x) divisible by p, then Q(x) = 0 (mod p) Defn of Q implies (sqrt(N) + x)2 = N (mod p) Square roots of N (mod p), say, sp and p − sp o Let x0 = sp − sqrt(N) and x1 = p − sp − sqrt(N) o Then Q(x0) and Q(x1) divisible by p o Implies Q(x0 + kp) and Q(x1 + kp) divisible by p Efficient algorithm for these square roots
- 31. Factoring Quadratic Sieve How to sieve for B-smooth relations Array: Q(x) for x = −M,−M+1,…, M−1,M For first prime p in factor base o Generate all x ∈ [−M,M] for which p divides Q(x) (as described on previous slide) o For each, divide by highest power of p o For each, store power, mod 2, in vector for x Repeat for all primes in factor base Numbers reduced to 1 are B-smooth
- 32. Factoring Quadratic Sieve Linear algebra phase same as Dixon’s Sieving is the dominant work Lots of tricks used to speed up sieving o For example, “logarithms” to avoid division Multiple Polynomial QS (MPQS) o Multiple polynomials of form (ax+b)2 − N o Can then use smaller interval [−M,M] o Yields much faster parallel implementations
- 33. Factoring Sieving Conclusions QS/MPQS attack has two phases Distributed relation finding phase o Could recruit volunteers on Internet Linear equation solving phase o For big problems, requires a supercomputer Number field sieve better than QS o Requires 2 phases, like QS o Number field sieve uses advanced math
- 34. Factoring Factoring Algorithms Work to factor N = 2x Last column measures “bits” of work Symmetric cipher exhaustive key search: x bit key is x−1 bits of work
- 35. Factoring QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Factoring Algorithms Comparison of work factors QS best to 390 bit N o 117 digits 390-bit N is as secure as 60-bit key
- 36. Factoring Factoring Conclusions Work for factoring is subexponential o Better than exponential time but worse than polynomial time o Exhaustive key search is exponential Factoring is active area of research o Expect to see incremental improvement Next, discrete log algorithms…