
Factoring Algorithms




  1. Factoring Algorithms
  Ref: D. Stinson, Cryptography - Theory and Practice, 2001

  2. Motivation
  • In RSA, the public modulus is n = p×q, where p and q are distinct primes (p ≠ q), and private
  • Factoring the public modulus breaks RSA: n => p×q => φ(n) = (p−1)(q−1) => d ≡ e^(−1) mod φ(n) => break RSA

  3. RSA-129 history
  • Factoring a 129-decimal-digit number
  • Solved April 1994
  • Method: Multiple Polynomial Quadratic Sieve
  • People: the internet was used to solicit the help of about 600 volunteers and their computers from around the world
  • Time: eight months

  4. RSA challenge
  • Prize: $20,000
  • RSA-640 (640 bits, 193 decimal digits):
  3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609

  5. Outline
  • Trial division
  • Pollard p−1 algorithm
  • Pollard Rho (ρ) algorithm
  • Dixon's random squares algorithm
  • Main idea: factoring n directly is hard, but computing gcd(a, n) is easy, so the question becomes how to find a number a that has a non-trivial gcd with n

  6. Trial division
  • If n is composite, it has a prime factor
  • Trial division: divide n by every odd integer up to
  • Is this method practical? : try times; (about 428 bits): try times
  • It was solved in 1994 by the quadratic sieve method

  7. Pollard p−1 algorithm
  • 1974; makes use of Fermat's theorem: x^(p−1) mod p = 1 when gcd(x, p) = 1
  • Target p: a prime factor of n (the given modulus)
  • (Fermat's theorem) 2^(p−1) ≡ 1 mod p   (1)
  • (p−1) is even => suppose its prime powers are all less than B, a constant bound (discussed later) => (p−1) | B!
  • Of course we do not know p, so we use this relation and work with B! instead of p
  • Compute   (a can be computed once B is given)
  • Since p | n =>   (2)

  8. Pollard p−1 algorithm (cont.)
  • 2^(p−1) ≡ 1 mod p   (1)
  • Because (p−1) | B!, (1) and (2) => p | (a−1) => p | d, where d = gcd(a−1, n)
  • We also have p | n, so d is a non-trivial factor of n
  • Step 1: compute a
  • Step 2: compute d = gcd(a−1, n)

  9. Example: Pollard p−1 algorithm
  • n = 15770708441, B = 180
  • Step 1: compute a = 11620221425
  • Step 2: compute d = gcd(a−1, n): d = 135979 is a factor of n
  • We can verify that 15770708441 = 135979 × 115979
  • The key to success: d−1 = 135978 = 2×3×131×173, all prime factors < B = 180

  10. Issues about the Pollard p−1 algorithm
  • Complexity: depends on B
  • Compute a
  • Compute gcd
  • If B is too large, it is no faster than trial division!
  • Drawback: it succeeds only if p−1 has small prime factors (which allows a small B)
  • Improving RSA to resist the Pollard p−1 algorithm:
  • Find a large prime p1 such that p = 2p1 + 1 is also prime (this implies p−1 has a large prime factor p1)
  • Find a large prime q1 such that q = 2q1 + 1 is also prime
  • Set n = pq
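The two steps above, run on the slide's numbers, as an added Python example (not code from the slides or from Stinson's book). It assumes the standard form of step 1, a = 2^(B!) mod n, computed by raising 2 to 2, 3, …, B in turn; the helper names are my own. It also checks the property the slide calls the key to success (the largest prime factor of p−1 must be below B) and shows the safe-prime test behind the countermeasure on slide 10.

```python
from math import gcd


def pollard_p_minus_1(n, B):
    """Pollard p-1 as on slides 7-8 (assumed form a = 2^(B!) mod n, d = gcd(a - 1, n)).
    Returns (a, d); d is a non-trivial factor of n when 1 < d < n."""
    a = 2
    # Raising a to 2, 3, ..., B in turn yields 2^(B!) mod n without ever forming B! itself.
    for j in range(2, B + 1):
        a = pow(a, j, n)
    return a, gcd(a - 1, n)


def largest_prime_factor(m):
    """Largest prime factor of m > 1 by trial division (fine for the small numbers here).
    The method with bound B finds the prime p | n exactly when the prime powers
    dividing p - 1 are at most B, so this is the quantity worth checking."""
    largest = 1
    p = 2
    while p * p <= m:
        while m % p == 0:
            largest = p
            m //= p
        p += 1
    return max(largest, m) if m > 1 else largest


def is_prime(m):
    """Deterministic trial-division primality test (small inputs only)."""
    if m < 2:
        return False
    p = 2
    while p * p <= m:
        if m % p == 0:
            return False
        p += 1
    return True


def is_safe_prime(p):
    """The countermeasure from slide 10: p = 2*p1 + 1 with p1 prime,
    so p - 1 = 2*p1 has a large prime factor and no small bound B works."""
    return is_prime(p) and (p - 1) % 2 == 0 and is_prime((p - 1) // 2)


if __name__ == "__main__":
    n, B = 15770708441, 180                  # the slide's example
    a, d = pollard_p_minus_1(n, B)
    print(a, d, n // d)                      # d = 135979, n // d = 115979
    print(largest_prime_factor(d - 1))       # 173 < B: this is why the run succeeded
    print(largest_prime_factor(n // d - 1))  # 563 > B: the other prime would not be found this way
    print(is_safe_prime(563), is_safe_prime(135979))
```

The second `largest_prime_factor` call explains why d came out as 135979 rather than n: 115979 − 1 = 2 × 103 × 563, and 563 exceeds B = 180, so the other prime does not divide a − 1.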

  11. Outline
  • Trial division
  • Pollard p−1 algorithm
  • Pollard Rho (ρ) algorithm
  • Dixon's random squares algorithm

  12. Pollard Rho algorithm: basic idea
  [Figure: the residues 0 … p−1 and 0 … n−1 on two number lines, with x and x' marked]
  • Let p be the smallest prime divisor of n
  • Suppose there exist two distinct integers x, x' such that x ≡ x' (mod p), i.e. a collision after reduction mod p
  • Then gcd(x − x', n) gives a non-trivial factor of n
  • Q: How to find such integers?

  13. Pollard Rho algorithm: primitive method
  • We do not know p, so we cannot compute x mod p; instead we compute gcd(x − x', n) for all distinct pairs x, x' in X
  • Try to find a subset X and hope that such x, x' exist
  • Condition of success: there is a collision in X after reduction mod p
  • Birthday paradox: if X is large enough, there is a 50% probability of at least one collision

  14. Pollard Rho algorithm: challenge in complexity
  • We must compute a gcd for each pair of elements of X, so the number of gcd computations grows quadratically with |X|
  • If n = pq has two close prime factors, this complexity is close to trial division

  15. Pollard Rho algorithm example
  • Goal: reduce the gcd computation by a novel choice of the subset X
  • Generation of the subset X: choose a polynomial f(x); choose an initial x1; generate x_(i+1) = f(x_i) mod n
  • Example: n = 7171, x1 = 1:
  1 => 2 => 5 => 26 => 677 => 6557 => 4105 => 6347 => 4903 => 2218 => 219 => 4936 => 4210 => 4560 => 4872 => 375 => 4377 => 4389 => 2016 => 5471 => 88

  16. Pollard Rho algorithm (cont.)
  • Result: the previous subset requires few gcd computations. Why?
  • Recall: the subset has a collision if there exist x_i, x_j in it with x_i ≡ x_j (mod p)
  • Thm (Rho (ρ) collision structure, after reduction mod p): if x_i ≡ x_j (mod p) (a collision), then x_(i+1) ≡ x_(j+1) (mod p), and likewise for all later terms
  [Figure: the ρ-shaped sequence x1, x2, x3, x4, …, xi, xi+1, …, xj−1, xj, xj+1, …, x2j−i−1, … generated by f]
  • Hint: the subset has a well-formed collision structure; the first collision implies all later collisions

  17. Pollard Rho algorithm (cont.)
  • Example: n = 7171, generated subset: 1 2 5 26 677 6557 4105 6347 4903 2218 … 4389 2016 5471 88
  • n = 7171 = 71 × 101 (we factor n here only for demonstration)
  • Reduced mod 71 the sequence has a fixed period: 1 2 5 26 38 25 58 28 4 17 … 58 28 4 17 (the collision repeats)
  • Recall: we do not know p; we find the first collision by gcd computation

  18. Pollard Rho algorithm (cont.)
  • How does the collision structure save gcd computation?
  [Figure: the growing sequence x1 x2 … x10 with the gcd test performed at each step]
  • d = gcd(x1 − x2, n); d = 1 implies there are no cycles of period 1
  • d = gcd(x2 − x4, n); d = 1 implies there are no cycles of period 2
  • … continue until d ≠ 1: we have found the factor

  19. Pollard Rho algorithm: proof of the Rho structure
  • f is a polynomial (by definition)
  • If x_i ≡ x_j (mod p), then f(x_i) ≡ f(x_j) (mod p), i.e. x_(i+1) ≡ x_(j+1) (mod p)
  • Similarly for every later term
  • This also holds for the values computed mod n, because p | n: reducing f(x_i) mod n and then mod p gives the same residue as reducing mod p directly  □

  20. Complexity of the Pollard Rho algorithm
  • The expected complexity is
  • Possible failure: the subset X does not contain a collision
  • The probability of failure is roughly p/n (small when n is large, because p, the smallest prime divisor, is at most the square root of n)
  • Upon failure, simply try another initial x1 and polynomial f(x)
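Slides 15 to 20 describe the generated sequence, the collision structure mod p and the gcd test on x_i and x_(2i); here is an added Python example covering all three (not code from the slides). It assumes f(x) = x² + 1, the polynomial that the listed sequence 1, 2, 5, 26, 677, … follows, and x1 = 1. `first_collision_mod` uses the factor 71 only to illustrate the period, exactly as slide 17 does; a real run never knows p, which is what `pollard_rho` shows.

```python
from math import gcd


def f(x, n):
    """The polynomial of the slides' example, f(x) = x^2 + 1 (inferred from the listed values), reduced mod n."""
    return (x * x + 1) % n


def rho_sequence(n, x1, length):
    """First `length` terms x1, x2 = f(x1), x3 = f(x2), ... of the subset X."""
    seq = [x1]
    while len(seq) < length:
        seq.append(f(seq[-1], n))
    return seq


def first_collision_mod(n, x1, p, limit=1000):
    """1-based indices (i, j), i < j, of the first pair with x_i ≡ x_j (mod p).
    For demonstration only: the algorithm itself does not know p."""
    seen = {}
    x = x1
    for i in range(1, limit + 1):
        r = x % p
        if r in seen:
            return seen[r], i
        seen[r] = i
        x = f(x, n)
    return None


def pollard_rho(n, x1=1):
    """Floyd-style Pollard rho as on slide 18: test d = gcd(x_i - x_{2i}, n) for i = 1, 2, ...
    Returns (d, number_of_gcd_computations). d == n means the run failed (no collision
    found before the two cycles coincide); then try another x1 or another f, as slide 20 says."""
    x = x1
    y = f(x1, n)          # y advances two steps per iteration, so after i steps it holds x_{2i}
    gcd_count = 1
    d = gcd(x - y, n)
    while d == 1:
        x = f(x, n)
        y = f(f(y, n), n)
        d = gcd(x - y, n)
        gcd_count += 1
    return d, gcd_count


if __name__ == "__main__":
    n = 7171
    print(rho_sequence(n, 1, 21))           # the 21 values listed on slide 15
    print(first_collision_mod(n, 1, 71))    # (7, 18): x7 ≡ x18 (mod 71), period 11
    print(first_collision_mod(n, 1, 101))   # (10, 19): x10 ≡ x19 (mod 101), period 9
    print(pollard_rho(n, 1))                # (71, 11): factor 71 after 11 gcd computations
```

Compared with the primitive method of slide 13, which needs a gcd for every pair of the 21 listed values, the Floyd-style test reaches the factor 71 with 11 gcd computations: the first i for which i is at least the tail length and a multiple of the period mod 71 is i = 11, where gcd(x11 − x22, n) = gcd(219 − 574, 7171) = 71.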

  21. Outline
  • Trial division
  • Pollard p−1 algorithm
  • Pollard Rho algorithm
  • Dixon's random squares algorithm

  22. Dixon's random squares algorithm
  • Fact: if we can find x ≢ ±y (mod n) such that x² ≡ y² (mod n), then n | (x−y)(x+y)
  • This implies that gcd(x+y, n) and gcd(x−y, n) are non-trivial factors of n
  • Idea: find numbers that share a common factor with n (x+y and x−y in this case)
  • Ex.: 10² ≡ 32² (mod 77) => gcd(10+32, 77) = 7 is a factor of 77

  23. Dixon's random squares algorithm (cont.)
  • Goal: x² ≡ y² (mod n) with x ≢ ±y (mod n)
  • Q: How to find such x and y?
  • Problem 1: generate random squares (discussed later)
  • Problem 2: find a subset of the congruences whose product yields even exponents (a perfect square) on the right-hand side
  • Example: n = 15770708441; we can build a factor base B = {2, 3, 5, 7, 11, 13}. If we can find
  8340934156² ≡ 3×7 (mod n)
  12044942944² ≡ 2×7×13 (mod n)
  2773700011² ≡ 2×3×13 (mod n)
  => (8340934156 × 12044942944 × 2773700011)² ≡ (2×3×7×13)² (mod n)
  => 9503435785² ≡ 546² (mod n)

  24. Problem 2: find a subset of congruences
  • For a factor base B = {2, 3, …, p_b} (the b smallest primes, in increasing order)
  • Suppose we can obtain c (> b) congruences; write the exponents of each right-hand side as a vector mod 2:
  a1 = (0, 1, 0, 1, 0, 0)   [example from the previous slide]
  a2 = (1, 0, 0, 1, 0, 1)
  a3 = (1, 1, 0, 0, 0, 1)
  …
  • a1 + a2 + a3 (mod 2) = (0, 0, 0, 0, 0, 0), which produces even powers on the right-hand side
  • The problem of finding a subset of the congruences is reduced to finding a subset of the vectors a_i that is linearly dependent (mod 2)
  • (c > b guarantees that such a dependence exists)

  25. Problem 1: random squares
  • Q: How to find z such that z² mod n factors over the factor base?
  • Sol: try   for k = 1, 2, 3, …
  • Ex. n = 1829
  • The remainder of z² mod n can be factored over the primes in the factor base (hint: the primes in the factor base are all small)
  • Try z = 42, 43, 60, 61, 74, 75, 85, 86

  26. Problem 1: random squares (cont.)
  • Set the factor base B = {−1, 2, 3, 5, 7, 11, 13}
  • Compute the congruences mod n (= 1829):
  • Find a subset:
  • => gcd(1459 + 901, 1829) = 59

  27. Issues about random squares
  • Q: How large should the factor base be?
  • It is a trade-off: the larger |B| is, the more likely it is that z² mod n factors over B
  • However, for larger |B| we need to find more congruences before a linearly dependent subset appears
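Problem 1 (slides 25-26), Problem 2 (slide 24) and the square-root fact of slide 22, as one added Python example (not code from the slides) on the slide's n = 1829 and factor base {−1, 2, 3, 5, 7, 11, 13}. Two assumptions fill the gaps in the transcript: the candidates z are the integers just below and above √(kn), which reproduces the slide's list 42, 43, 60, 61, …, and z² mod n is taken as a signed residue in (−n/2, n/2] so that the −1 in the factor base absorbs a negative sign. The dependent subset is found by trying subsets, which is adequate for six relations; real implementations use Gaussian elimination over GF(2). All function names are my own.

```python
from math import gcd, isqrt

# Factor base from slide 26 (the -1 lets a residue just below n be treated as a small negative number).
FACTOR_BASE = [-1, 2, 3, 5, 7, 11, 13]


def signed_residue(z, n):
    """z^2 mod n represented in (-n/2, n/2], so that 42^2 mod 1829 reads -65 rather than 1764."""
    r = z * z % n
    return r - n if r > n // 2 else r


def factor_over_base(r, base):
    """Exponent vector of r over `base`, or None if r has a prime factor outside it."""
    if r == 0:
        return None
    exps = [0] * len(base)
    if r < 0:
        exps[base.index(-1)] = 1
        r = -r
    for i, p in enumerate(base):
        if p < 0:
            continue
        while r % p == 0:
            r //= p
            exps[i] += 1
    return exps if r == 1 else None


def collect_relations(n, base, needed, max_k=10000):
    """Slide 25 (assumed form): try z = isqrt(k*n) and isqrt(k*n) + 1 for k = 1, 2, 3, ...
    z^2 mod n is then small, so it has a good chance of factoring over the base.
    Returns up to `needed` pairs (z, exponent_vector)."""
    rels = []
    for k in range(1, max_k + 1):
        root = isqrt(k * n)
        for z in (root, root + 1):
            e = factor_over_base(signed_residue(z, n), base)
            if e is not None:
                rels.append((z, e))
                if len(rels) == needed:
                    return rels
    return rels


def factor_from_squares(x, y, n):
    """Slide 22: if x^2 ≡ y^2 (mod n) then n | (x - y)(x + y), so gcd(x + y, n) or gcd(x - y, n)
    is a non-trivial factor unless x ≡ ±y (mod n). Returns that factor, or None in the trivial case."""
    for d in (gcd(x + y, n), gcd(x - y, n)):
        if 1 < d < n:
            return d
    return None


def dixon(n, base=FACTOR_BASE, needed=None):
    """Returns (x, y, factor) for the first subset of relations (in bitmask order) whose exponent
    vectors sum to zero mod 2 and yield a non-trivial factor; None if every dependent subset is trivial."""
    if needed is None:
        needed = len(base) + 1              # c > b, as slide 24 requires in general
    rels = collect_relations(n, base, needed)
    for mask in range(1, 1 << len(rels)):
        chosen = [rels[i] for i in range(len(rels)) if mask >> i & 1]
        total = [sum(col) for col in zip(*(e for _, e in chosen))]
        if any(t % 2 for t in total):
            continue                        # some prime would appear to an odd power
        x = 1
        for z, _ in chosen:
            x = x * z % n
        y = 1                               # square root of the right-hand side; its sign is irrelevant after squaring
        for p, t in zip(base, total):
            if p > 0:
                y = y * pow(p, t // 2, n) % n
        d = factor_from_squares(x, y, n)
        if d is not None:
            return x, y, d
    return None


if __name__ == "__main__":
    print([z for z, _ in collect_relations(1829, FACTOR_BASE, 6)])  # [42, 43, 61, 74, 85, 86]
    print(dixon(1829, FACTOR_BASE, needed=6))                       # (1459, 901, 59)
```

With the six smooth values the slide lists (60 and 75 drop out because 60² ≡ −58 = −2·29 and 75² ≡ 138 = 2·3·23 have a prime outside the base), the first dependent subset that is not trivial is {42, 43, 61, 85}: x = 42·43·61·85 ≡ 1459 and y = 2·3·5·7·13 ≡ 901 (mod 1829), and gcd(1459 + 901, 1829) = 59, matching slide 26; the other factor is 1829 / 59 = 31.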
