Date posted: 03-Jan-2016
Factoring Algorithms
Ref: D. Stinson, Cryptography - Theory and Practice, 2001
Motivation
In RSA the public modulus is n = p × q, where p and q are distinct primes (p ≠ q), and the private exponent is d.
Factoring the public modulus: n => p × q
=> φ(n) = (p-1)(q-1)
=> d ≡ e⁻¹ mod φ(n)
=> break RSA
RSA-129 history
Factoring 129 decimal digits
Solved: April 1994
Method: Multiple Polynomial Quadratic Sieve
People: used the internet to solicit the help of about 600 volunteers and their computers from around the world
Time: eight months
RSA challenge
Prize: $20,000
RSA-640 (640 bits, 193 decimal digits):
3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609
Outline: trial division; Pollard p-1 algorithm; Pollard Rho algorithm; Dixon's random squares algorithm
Main idea: factoring n is hard, but computing gcd(a, n) is easy. The question is therefore how to find a number a that has a non-trivial gcd with n.
Trial division
If n is composite, it has a prime factor p ≤ √n.
Trial division: divide n by every odd integer up to √n.
Is this method practical?
n ≈ 10^12: try about 0.5 × 10^6 divisions (√n ≈ 10^6, odd candidates only).
n ≈ 10^129 (about 428 bits): try about 0.5 × 10^64.5 divisions. RSA-129 was instead solved in 1994 by the quadratic sieve method.
Pollard p-1 algorithm
Published in 1974; it makes use of Fermat's theorem: x^(p-1) mod p = 1 whenever gcd(x, p) = 1.
Target p: a prime factor of n (the given modulus).
Write p-1 = q1^k1 × q2^k2 × … × qk^kk (p-1 is even). Suppose every prime power satisfies qi^ki ≤ B for 1 ≤ i ≤ k, where B is a constant bound (discussed later).
=> (p-1) | B!
Compute a = 2^(B!) mod n. (We of course do not know p; this relation lets B! stand in for p-1. Once B is given, a can be computed.)
Since p | n: a ≡ 2^(B!) mod p, and by Fermat's theorem 2^(p-1) ≡ 1 mod p.
Pollard p-1 algorithm (cont.)
2^(p-1) ≡ 1 mod p
a ≡ 2^(B!) mod p
Because (p-1) | B!, write B! = (p-1)t; then
a ≡ 2^(B!) ≡ (2^(p-1))^t ≡ 1^t ≡ 1 mod p
=> p | (a-1)
We also have p | n => p | d, where d = gcd(a-1, n)
d is a non-trivial factor of n (unless d = n)
Step 1: compute a = 2^(B!) mod n
Step 2: compute d = gcd(a-1, n)
Example: Pollard p-1 algorithm
n = 15770708441, B = 180
Step 1: compute a = 2^(B!) mod n: a = 11620221425
Step 2: compute d = gcd(a-1, n): d = 135979 is a factor of n
We can verify that 15770708441 = 135979 × 115979
The key to success: p-1 = 135978 = 2 × 3 × 131 × 173, and all of these factors are < B = 180
Issues about Pollard p-1 algorithm
Complexity: depends on B. Step 1 computes a = 2^(B!) mod n; Step 2 computes a gcd. If B ≈ √n, then it is no faster than trial division!
Drawback: it succeeds only if p-1 has small prime factors (which is what permits a small B).
Improve RSA to resist the Pollard p-1 algorithm:
Find a large prime p1 such that p = 2p1 + 1 is a prime (this implies p-1 has a large prime factor p1)
Find a large prime q1 such that q = 2q1 + 1 is a prime
Set n = pq
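As an added worked example (not part of the slides or of Stinson's text), the following Python runs the two steps of the algorithm on the slides' numbers and then on a constructed toy modulus 23 × 47 built from the safe primes p = 2·11+1 and q = 2·23+1 that the countermeasure prescribes. The function names and the toy modulus are this example's own; the check `is_safe_prime` is the test a practitioner would apply to candidate RSA primes.

```python
from math import gcd

def pollard_p_minus_1(n, B):
    """Pollard p-1 as described on the slides.
    Step 1: a = 2^(B!) mod n, built up as pow(a, j, n) for j = 2..B.
    Step 2: d = gcd(a - 1, n).  1 < d < n is success; d == 1 or d == n is failure."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)          # invariant: a == 2^(j!) mod n
    return gcd(a - 1, n)

def prime_factors(m):
    """Prime factors of m with repetition, by trial division (fine for these sizes)."""
    out, p = [], 2
    while p * p <= m:
        while m % p == 0:
            out.append(p)
            m //= p
        p += 1
    if m > 1:
        out.append(m)
    return out

def is_safe_prime(p):
    """The countermeasure on the slide: p is prime and p = 2*p1 + 1 with p1 prime,
    so p-1 has the large prime factor p1 and no bound B below p1 can make (p-1) | B!."""
    p1 = (p - 1) // 2
    return p > 3 and p % 2 == 1 and prime_factors(p) == [p] and prime_factors(p1) == [p1]

if __name__ == "__main__":
    # the slides' example: p-1 = 135978 = 2*3*131*173, every factor below B = 180
    n, B = 15770708441, 180
    d = pollard_p_minus_1(n, B)
    print(d, n // d, prime_factors(d - 1))          # 135979 115979 [2, 3, 131, 173]
    # constructed toy modulus from the safe primes 23 = 2*11+1 and 47 = 2*23+1:
    # with B = 10 neither 11 nor 23 divides 10!, so the method returns d = 1 (failure)
    print(is_safe_prime(23), is_safe_prime(47), pollard_p_minus_1(23 * 47, 10))  # True True 1
```

The toy modulus only illustrates the mechanism: with B = 23 the same run would give d = n, another failure, because 23! is then a multiple of both 11 and 23. For real RSA sizes the safe-prime choice makes every practical B fail the same way.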
Pollard Rho algorithm: basic idea
Let p be the smallest prime divisor of n. Suppose there exist two integers x, x' ∈ Z_n such that x ≠ x' and x ≡ x' mod p.
Then p | (x - x') and p | n
=> p ≤ gcd(x - x', n) < n
We can obtain a non-trivial factor of n by a gcd.
Q: How to find such integers x, x' ∈ Z_n?
[Figure: x and x' are distinct on the line 0 … n-1 but land on the same residue on the line 0 … p-1]
Pollard Rho algorithm: primitive method
Try to find a subset X ⊆ Z_n, and hope that such x, x' exist in X.
Condition of success: there is a collision in X after reduction mod p.
We don't know p, so we can't compute x mod p to look for collisions directly.
Instead we compute gcd(x - x', n) for all distinct x, x' ∈ X.
[Figure: elements of X drawn on 0 … n-1 and their images on 0 … p-1; a collision is two x, x' landing on the same residue]
Birthday paradox: if |X| ≈ 1.17√p, there is a 50% probability of at least one collision.
Pollard Rho algorithm: challenge in complexity
We must compute gcd(x - x', n) for each pair x, x' ∈ X
=> C(|X|, 2) = |X|(|X|-1)/2 gcd computations
We know |X| ≈ 1.17√p
=> about (1.17)² p / 2 ≈ 0.68p gcd computations, i.e. O(p)
If n = pq has two close prime factors p ≈ q ≈ √n, this complexity is close to trial division.
Pollard Rho algorithm
Goal: reduce the number of gcd computations by a novel choice of the subset X.
Generation of subset X:
Choose f(x), a polynomial, e.g. f(x) = x² + a
Initially choose x1 ∈ Z_n
Generate x_{i+1} = f(x_i) mod n
Example: n = 7171, f(x) = x² + 1, x1 = 1
1 => 2 => 5 => 26 => 677 => 6557 => 4105 => 6347 => 4903 => 2218 => 219 => 4936 => 4210 => 4560 => 4872 => 375 => 4377 => 4389 => 2016 => 5471 => 88
Pollard Rho algorithm (cont.)
Result: the subset generated this way requires few gcd computations. Why?
Recall: for a subset X ⊆ Z_n, if there exist x, x' ∈ X with x ≠ x' and x ≡ x' mod p, then gcd(x - x', n) is a non-trivial factor of n (it is a multiple of the prime p).
Hint: the generated subset has a well-formed collision structure.
Thm: Rho (ρ) collision structure after reduction mod p:
x1 -> x2 -> x3 -> x4 -> … -> xi -> xi+1 -> … -> xj-1 -> xj -> xj+1 -> … -> x2j-i-1 -> (back to xi)
The first collision (xi ≡ xj mod p) implies all later collisions: the tail x1 … xi-1 leads into a cycle of length j-i.
Pollard Rho algorithm (cont.)
Example: n = 7171, f(x) = x² + 1, x1 = 1
Generated subset: 1, 2, 5, 26, 677, 6557, 4105, 6347, 4903, 2218, …, 4389, 2016, 5471, 88
n = 7171 = 71 × 101 (we factor n here only for demonstration)
The subset mod 71: 1, 2, 5, 26, 38, 25, 58, 28, 4, 17, …, 58, 28, 4, 17
Repeated collisions with a fixed period
Recall: we don't know p, so we find the first collision by gcd computation
Pollard Rho algorithm (cont.)
How does the collision structure save gcd computation?
x1 -> x2: d = gcd(x1 - x2, n). If d ≠ 1 we have found the factor; d = 1 implies there is no cycle of period 1.
x1 -> x2 -> x3 -> x4: d = gcd(x2 - x4, n); d = 1 implies there is no cycle of period 2.
x1 -> … -> x6: d = gcd(x3 - x6, n); x1 -> … -> x8: d = gcd(x4 - x8, n); x1 -> … -> x10: d = gcd(x5 - x10, n); and so on.
At step i a single gcd, gcd(xi - x2i, n), is computed instead of one gcd per pair.
Pollard Rho algorithm: proof for the Rho structure
Claim: if xi ≡ xj mod p then xi+1 ≡ xj+1 mod p.
Proof:
xi+1 = f(xi) mod n (definition)
xi+1 mod p = (f(xi) mod n) mod p = f(xi) mod p, since p | n
Similarly, xj+1 mod p = f(xj) mod p
f(xi) ≡ f(xj) mod p, because f is a polynomial and xi ≡ xj mod p
=> xi+1 ≡ xj+1 mod p
Applying the claim repeatedly: xi ≡ xj mod p implies xi+Δ ≡ xj+Δ mod p for every Δ ≥ 0, which is the Rho structure.
Complexity of Pollard Rho algorithm
The expected complexity is O(n^(1/4)): about √p gcd computations, with p ≤ √n.
Possible failure: the subset X doesn't contain a collision. The probability is roughly p/n (small when n is large, because p ≤ √n).
Upon failure, simply try another initial x1 and polynomial function f(x).
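As an added example (not code from the slides or from Stinson), the following Python reproduces the n = 7171 run: it generates the subset X with f(x) = x² + 1, shows the collisions mod 71, and contrasts the primitive pairwise-gcd method with the one-gcd-per-step comparison of x_i against x_{2i} described above. The function names are this example's own; the gcd counts it reports are what the two methods actually perform on this input.

```python
from math import gcd

def rho_sequence(n, x1, f, length):
    """The subset X of the slides: x_1 = x1, x_{i+1} = f(x_i) mod n."""
    xs = [x1 % n]
    while len(xs) < length:
        xs.append(f(xs[-1]) % n)
    return xs

def primitive_method(n, X):
    """The 'primitive method': gcd(x - x', n) over every pair of X, in order.
    Returns (factor or None, number of gcds computed)."""
    count = 0
    for i in range(len(X)):
        for j in range(i + 1, len(X)):
            count += 1
            d = gcd(X[i] - X[j], n)
            if 1 < d < n:
                return d, count
    return None, count

def pollard_rho(n, x1, f):
    """Pollard rho as on the slides: at step i compare x_i with x_{2i} using a single gcd.
    Returns (factor, or None when the gcd is n, and the number of gcds computed)."""
    x, x2 = x1 % n, f(x1) % n        # step 1: x = x_1, x2 = x_2
    i = 1
    d = gcd(x - x2, n)
    while d == 1:
        x = f(x) % n                 # x_{i+1}
        x2 = f(f(x2) % n) % n        # x_{2(i+1)}: advance the fast pointer twice
        i += 1
        d = gcd(x - x2, n)
    return (None if d == n else d), i

if __name__ == "__main__":
    n, f = 7171, lambda x: x * x + 1
    X = rho_sequence(n, 1, f, 21)
    print(X)                        # 1, 2, 5, 26, 677, ..., 5471, 88 as on the slide
    print([x % 71 for x in X])      # 1, 2, 5, 26, 38, 25, 58, 28, 4, 17, ... : x_7 ≡ x_18, cycle length 11
    print(primitive_method(n, X))   # (71, 116): first collision found after 116 pairwise gcds
    print(pollard_rho(n, 1, f))     # (71, 11): x_11 ≡ x_22 mod 71, found after 11 gcds
```

The two counts make the slide's point concrete: the primitive method needs C(|X|, 2) gcds and finds x_7 ≡ x_18 (mod 71) only after 116 of them, while the x_i versus x_{2i} scheme needs one gcd per step and succeeds at step 11, the first index i ≥ 7 that is a multiple of the cycle length 11. The other factor, 101, would have been found at step 18 (tail length 9, cycle length 9), so the smaller period wins here.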
Dixon's random squares algorithm
Fact: if we can find x ≢ y mod n (and x ≢ -y mod n) such that x² ≡ y² mod n, then n | (x-y)(x+y):
x² - y² = kn => (x-y)(x+y) = kn
The above implies gcd(x+y, n) and gcd(x-y, n) are non-trivial factors of n.
Idea: find numbers that have a common divisor with n (x+y and x-y in this case).
Ex. 10² ≡ 32² mod 77 => gcd(10+32, 77) = 7 is a factor of 77
Dixon's random squares algorithm (cont.)
Q: How to find such x and y?
Example: n = 15770708441; we can build a factor base B = {2, 3, 5, 7, 11, 13}
8340934156² ≡ 3 × 7 mod n
12044942944² ≡ 2 × 7 × 13 mod n
2773700011² ≡ 2 × 3 × 13 mod n
Multiplying these congruences gives a square on both sides, which is what we need to find x² ≡ y² mod n with x ≢ y mod n:
=> (8340934156 × 12044942944 × 2773700011)² ≡ (2 × 3 × 7 × 13)² mod n
=> 9503435785² ≡ 546² mod n
Problem 1: generate the random squares (discussed later)
Problem 2: find a subset of the congruences whose product has only even powers (a perfect square) on the right-hand side
Problem 2: find a subset of congruences
For a factor base B = {2, 3, …, p_b} (the b smallest primes, in increasing order)
Suppose we can obtain c (> b) congruences:
z1² ≡ 2^a11 × 3^a12 × 5^a13 × … × p_b^a1b mod n
z2² ≡ 2^a21 × 3^a22 × 5^a23 × … × p_b^a2b mod n
…
zc² ≡ 2^ac1 × 3^ac2 × 5^ac3 × … × p_b^acb mod n
Reduce the exponent vectors mod 2 [example from the previous page]:
a1 = (0, 1, 0, 1, 0, 0)
a2 = (1, 0, 0, 1, 0, 1)
a3 = (1, 1, 0, 0, 0, 1)
a1 + a2 + a3 (mod 2) = (0, 0, 0, 0, 0, 0) => the product of the three congruences has only even powers on the right-hand side
• The problem of finding a subset of congruences is reduced to finding a subset of the vectors a_i that is linearly dependent mod 2 (c > b guarantees that such a dependence exists).
Problem 1: random squares
Q: How to find z such that z² mod n = 2^ai1 × 3^ai2 × 5^ai3 × … × p_b^aib, i.e. z² mod n factors over the factor base?
Sol: try z = ⌊√(kn)⌋ and ⌈√(kn)⌉ for k = 1, 2, 3, …
The remainder of z² divided by n is then small in absolute value, so it can often be factored over the primes in the factor base (hint: the factor base consists of small primes).
Ex. n = 1829: √n ≈ 42.77, √(2n) ≈ 60.48, √(3n) ≈ 74.07, √(4n) ≈ 85.53
Try z = 42, 43; 60, 61; 74, 75; 85, 86
Problem 1: random squares (cont.)
Set factor base B = {-1, 2, 3, 5, 7, 11, 13}. Mod n (= 1829):
z1 = 42: 42² ≡ -65 = (-1) × 5 × 13
z2 = 43: 43² ≡ 20 = 2² × 5
z3 = 61: 61² ≡ 63 = 3² × 7
z4 = 74: 74² ≡ -11 = (-1) × 11
z5 = 85: 85² ≡ -91 = (-1) × 7 × 13
z6 = 86: 86² ≡ 80 = 2⁴ × 5
(60 and 75 are dropped: 60² ≡ -58 = (-1) × 2 × 29 and 75² ≡ 138 = 2 × 3 × 23 do not factor over B)
=> Find a subset: (42 × 43 × 61 × 85)² ≡ (2 × 3 × 5 × 7 × 13)² mod 1829
=> 1459² ≡ 901² mod 1829 => gcd(1459 + 901, 1829) = 59
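As an added worked example (this example's own code, not the slides' or Stinson's), the following Python implements both problems for the n = 1829 run above: Problem 1 as the ⌊√(kn)⌋, ⌈√(kn)⌉ search with the signed residue of z² factored over the base, and Problem 2 as Gaussian elimination over GF(2) that keeps track of which original congruences each row is made of, so the dependent subset can be read off. The function names are this example's own; the elimination order is what picks the subset {42, 43, 61, 85} that the slide shows.

```python
from math import gcd, isqrt

def smooth_exponents(m, base):
    """Exponent vector of m over base (base[0] may be -1), or None if m does not factor over it."""
    if m == 0:
        return None
    exps = [0] * len(base)
    if m < 0:
        if base[0] != -1:
            return None
        exps[0], m = 1, -m
    for i, p in enumerate(base):
        if p == -1:
            continue
        while m % p == 0:
            m //= p
            exps[i] += 1
    return exps if m == 1 else None

def random_squares(n, base, kmax):
    """Problem 1 as on the slides: for k = 1..kmax try z = floor(sqrt(kn)) and z + 1 and keep
    the z whose signed residue z^2 mod n (in (-n/2, n/2]) factors over the base."""
    rels, seen = [], set()
    for k in range(1, kmax + 1):
        r = isqrt(k * n)
        for z in (r, r + 1):
            if z in seen or z * z == k * n:
                continue
            seen.add(z)
            m = z * z % n
            if m > n // 2:
                m -= n                       # signed residue: small because z^2 is close to kn
            exps = smooth_exponents(m, base)
            if exps is not None:
                rels.append((z, exps))
    return rels

def find_dependency(vectors):
    """Problem 2: elimination over GF(2). Each row carries a bitmask of the original vectors
    it is a sum of; when a row reduces to zero, that bitmask is a linearly dependent subset."""
    pivots = {}                              # lowest set bit -> (reduced row, combination mask)
    for idx, v in enumerate(vectors):
        vec = sum((b & 1) << i for i, b in enumerate(v))
        combo = 1 << idx
        while vec:
            low = vec & -vec
            if low not in pivots:
                pivots[low] = (vec, combo)
                break
            pv, pc = pivots[low]
            vec ^= pv
            combo ^= pc
        if vec == 0:
            return [i for i in range(len(vectors)) if combo >> i & 1]
    return None

def dixon(n, base, kmax):
    """Collect relations, find a dependent subset, build x and y, and return (x, y, factor)."""
    rels = random_squares(n, base, kmax)
    subset = find_dependency([e for _, e in rels])
    if subset is None:
        return None
    x, total = 1, [0] * len(base)
    for i in subset:
        z, exps = rels[i]
        x = x * z % n
        total = [t + e for t, e in zip(total, exps)]
    y = 1
    for p, e in zip(base, total):            # every e is even by construction of the subset
        if p != -1:
            y = y * pow(p, e // 2, n) % n
    for d in (gcd(x + y, n), gcd(x - y, n)):
        if 1 < d < n:
            return x, y, d
    return x, y, None                        # x ≡ ±y mod n: a trivial dependence, try more relations

if __name__ == "__main__":
    base = [-1, 2, 3, 5, 7, 11, 13]
    print([z for z, _ in random_squares(1829, base, 4)])   # [42, 43, 61, 74, 85, 86]
    print(find_dependency([[0, 1, 0, 1, 0, 0], [1, 0, 0, 1, 0, 1], [1, 1, 0, 0, 0, 1]]))  # [0, 1, 2]
    print(dixon(1829, base, 4))              # (1459, 901, 59)
```

The second print reproduces the mod-2 argument of the previous page (a1 + a2 + a3 ≡ 0) on the three vectors for n = 15770708441; the third reproduces 1459² ≡ 901² mod 1829 and the factor 59. The trivial-dependence branch (`x ≡ ±y`) is the failure mode to keep in mind: the pair 43, 86 alone is also dependent, but 43 × 86 ≡ 40 ≡ 2³ × 5 mod 1829 gives x = y and no factor.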
Issues about random squares
Q: How large should the factor base be? It is a trade-off: the larger |B| is, the more likely it is that z² mod n factors over B. However, for a larger |B| we need to find more congruences (more than |B|) before a linearly dependent subset is guaranteed.