Date posted: 27-Dec-2015 | Category: Documents | Uploaded by: jeffry-casey
Integers

• $a \mid b$: $a$ divides $b$, $a$ is a divisor of $b$.
• $\gcd(a, b)$: greatest common divisor of $a$ and $b$.
• Coprime or relatively prime: $\gcd(a, b) = 1$.
• Euclid's algorithm: compute $\gcd(a, b)$.
• Extended Euclid's algorithm: compute integers $x$ and $y$ such that $ax + by = \gcd(a, b)$.

Integers modulo $n$

Let $n \ge 2$ be an integer.

Def: $a$ is congruent to $b$ modulo $n$, written $a \equiv b \pmod n$, if $n \mid (a - b)$, i.e., $a$ and $b$ have the same remainder when divided by $n$.

Note: the operator "$a \bmod n$" (the remainder, a number in $\{0, 1, \dots, n-1\}$) and the relation "$a \equiv b \pmod n$" are different things.

Def: $[a] =$ all integers congruent to $a$ modulo $n$. $[a]$ is called a residue class modulo $n$, and $a$ is a representative of that class.

There are exactly $n$ residue classes modulo $n$: $[0], [1], [2], \dots, [n-1]$.

Note: "$\equiv \pmod n$" is an equivalence relation, whose equivalence classes are the residue classes.

If $x \in [a]$ and $y \in [b]$, then $x + y \in [a + b]$ and $xy \in [ab]$.

Define addition and multiplication for residue classes:
  $[a] + [b] = [a + b]$
  $[a] \cdot [b] = [ab]$.

Group

A group, denoted by $(G, \circ)$, is a set $G$ with a binary operation $\circ : G \times G \to G$ such that
  1. $\forall x, y \in G$, $x \circ y \in G$ (closure)
  2. $(x \circ y) \circ z = x \circ (y \circ z)$ (associativity)
  3. $\exists e \in G$ s.t. $\forall x \in G$, $x \circ e = e \circ x = x$ (identity)
  4. $\forall x \in G$, $\exists y \in G$ s.t. $x \circ y = y \circ x = e$ (inverse)

A group $(G, \circ)$ is abelian if $\forall x, y \in G$, $x \circ y = y \circ x$.

Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \cdot)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \cdot)$.

$\mathbb{Z}_n$

Define $\mathbb{Z}_n = \{[0], [1], \dots, [n-1]\}$. Or, more conveniently, $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$.

$(\mathbb{Z}_n, +)$ forms an abelian additive group.
  For $a, b \in \mathbb{Z}_n$, $a + b = (a + b) \bmod n$. (Or, $[a] + [b] = [a + b] = [(a + b) \bmod n]$.)
  $0$ is the identity element.
  The inverse of $a$, denoted by $-a$, is $n - a$.

When doing addition/subtraction in $\mathbb{Z}_n$, just do the regular addition/subtraction and reduce the result modulo $n$.

In $\mathbb{Z}_{10}$: $5 + 9 = 4$, $6 + 2 = 8$, $-3 = ?$ (Answer: $7$, since $3 + 7 = 10 \equiv 0$.)

$(\mathbb{Z}_n, \cdot)$ is not a group, because $0^{-1}$ does not exist.

Even if we exclude $0$ and consider only $\mathbb{Z}_n \setminus \{0\}$, $(\mathbb{Z}_n \setminus \{0\}, \cdot)$ is not necessarily a group; some $a^{-1}$ may not exist.

For $a \in \mathbb{Z}_n$, $a^{-1}$ exists if and only if $\gcd(a, n) = 1$.

$\mathbb{Z}_n^*$

Let $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.

$(\mathbb{Z}_n^*, \cdot)$ is an abelian multiplicative group.
  $a \cdot b = ab \bmod n$. (Or, $[a] \cdot [b] = [ab \bmod n]$.)
  $1$ is the identity element.
  The inverse of $a$, written $a^{-1}$, can be computed by the Extended Euclidean Algorithm.

For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$. $5 \cdot 7 = 35 \bmod 12 = 11$.

Q: How many elements are there in $\mathbb{Z}_n^*$?

Euler's totient function

$\varphi(n) = |\mathbb{Z}_n^*| = |\{a : 1 \le a \le n \text{ and } \gcd(a, n) = 1\}|$

Facts:
  1. $\varphi(p^e) = p^{e-1}(p - 1)$ for $p$ prime.
  2. $\varphi(ab) = \varphi(a)\varphi(b)$ if $\gcd(a, b) = 1$.

Let $G$ be a finite (multiplicative) group.

The order of $G$, $\mathrm{ord}(G)$, is the number of elements in $G$, $|G|$.

The order of $a \in G$, written $\mathrm{ord}(a)$, is the smallest positive integer $t$ such that $a^t = e$. ($e$ is the identity element.)

Lagrange's theorem: For any element $a \in G$, $\mathrm{ord}(a) \mid \mathrm{ord}(G)$.

Corollary: For any element $a \in G$, $a^{\mathrm{ord}(G)} = e$.

Fermat's little theorem: If $a \in \mathbb{Z}_p^*$ ($p$ a prime), then $a^{p-1} = 1$ in $\mathbb{Z}_p^*$.

Euler's theorem: If $a \in \mathbb{Z}_n^*$ (for any $n > 1$), then $a^{\varphi(n)} = 1$ in $\mathbb{Z}_n^*$.

Example: $n = 15$

$\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$
$\varphi(15) = \varphi(3)\varphi(5) = 2 \cdot 4 = 8$

  $a \in \mathbb{Z}_{15}^*$:  1  2  4  7  8  11  13  14
  $\mathrm{ord}(a)$:          1  4  2  4  4   2   4   2

Every order divides $\varphi(15) = 8$, as Lagrange's theorem requires.

The Chinese Remainder Problem

• A problem described in an ancient Chinese arithmetic book, Sun Tze Suan Ching, by Sun Tze (around 300 AD; a different person from the Sun Tzu who wrote The Art of War, who lived centuries earlier).
• Problem: We have a number of objects, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many objects are there?

Mathematically, if $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$, $x \equiv 2 \pmod 7$, what is $x$?

Chinese remainder theorem

If integers $n_1, n_2, \dots, n_k$ are pairwise coprime, then the system of congruences
  $x \equiv a_1 \pmod{n_1}$
  $x \equiv a_2 \pmod{n_2}$
  $\dots$
  $x \equiv a_k \pmod{n_k}$
has a unique solution modulo $N = n_1 n_2 \cdots n_k$:
  $x = \sum_{i=1}^{k} a_i N_i y_i \bmod N$,
where $N_i = N / n_i$ and $y_i = N_i^{-1} \bmod n_i$. (A formula by Gauss.)

Example: Chinese remainder theorem

Suppose
  $x \equiv 1 \pmod 3$
  $x \equiv 6 \pmod 7$
  $x \equiv 8 \pmod{10}$
By the Chinese remainder theorem ($N = 210$, $N_1 = 70$, $N_2 = 30$, $N_3 = 21$), the solution is:
  $x = 1 \cdot 70 \cdot (70^{-1} \bmod 3) + 6 \cdot 30 \cdot (30^{-1} \bmod 7) + 8 \cdot 21 \cdot (21^{-1} \bmod 10)$
    $= 1 \cdot 70 \cdot (1^{-1} \bmod 3) + 6 \cdot 30 \cdot (2^{-1} \bmod 7) + 8 \cdot 21 \cdot (1^{-1} \bmod 10)$
    $= 1 \cdot 70 \cdot 1 + 6 \cdot 30 \cdot 4 + 8 \cdot 21 \cdot 1 \pmod{210}$
    $= 958 \bmod 210$
    $= 118 \pmod{210}$
Check: $118 \bmod 3 = 1$, $118 \bmod 7 = 6$, $118 \bmod 10 = 8$.

Another version of CRT

Let $N = n_1 n_2 \cdots n_k$ (the numbers $n_i$ are pairwise coprime).
There is a one-to-one correspondence $\theta$:
  $\mathbb{Z}_N \leftrightarrow \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$,
  $a \leftrightarrow (a_1, \dots, a_k)$, where $a \in \mathbb{Z}_N$ and $a_i = a \bmod n_i$,
and it respects the operations:
  $\theta(x + y) = \theta(x) + \theta(y)$
  $\theta(xy) = \theta(x)\theta(y)$
(addition and multiplication on the right-hand side are componentwise, modulo $n_i$ in component $i$).
For math students: $\theta$ is a ring isomorphism.

Chinese remainder theorem (mapping version)

Let $N = n_1 n_2 \cdots n_k$, where $n_1, n_2, \dots, n_k$ are pairwise coprime.
Define a mapping
  $\theta : \mathbb{Z}_N \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$
  $\theta(x) = (x \bmod n_1, x \bmod n_2, \dots, x \bmod n_k)$
Then,
  $\theta$ is bijective (one-to-one and onto).
  $\theta(x + y) = \theta(x) + \theta(y)$.
  $\theta(xy) = \theta(x)\theta(y)$.

Computations in $\mathbb{Z}_N$ can be done by performing the corresponding computations in $\mathbb{Z}_{n_1}, \mathbb{Z}_{n_2}, \dots, \mathbb{Z}_{n_k}$, and then solving the CRP.

If $a \leftrightarrow (a_1, a_2, \dots, a_k)$ and $b \leftrightarrow (b_1, b_2, \dots, b_k)$, then
  $a + b \leftrightarrow (a_1 + b_1 \bmod n_1, \dots, a_k + b_k \bmod n_k)$
  $ab \leftrightarrow (a_1 b_1 \bmod n_1, \dots, a_k b_k \bmod n_k)$
  $ab^{-1} \leftrightarrow (a_1 b_1^{-1} \bmod n_1, \dots, a_k b_k^{-1} \bmod n_k)$, if $b \in \mathbb{Z}_N^*$.

Example: Chinese remainder theorem

$\mathbb{Z}_{15} \leftrightarrow \mathbb{Z}_3 \times \mathbb{Z}_5$, and $\mathbb{Z}_{15}^* \leftrightarrow \mathbb{Z}_3^* \times \mathbb{Z}_5^*$.
  $8 \leftrightarrow (8 \bmod 3, 8 \bmod 5) = (2, 3)$
  $11 \leftrightarrow (11 \bmod 3, 11 \bmod 5) = (2, 1)$
Suppose we want to compute $8 \cdot 11 \bmod 15$.
  $8 \cdot 11 \bmod 15 \leftrightarrow (2 \cdot 2 \bmod 3, 3 \cdot 1 \bmod 5) = (1, 3)$.
  $(1, 3) \leftrightarrow x$ (which number $x \in \mathbb{Z}_{15}$ corresponds to $(1, 3)$?)
Solve $x \equiv 1 \pmod 3$, $x \equiv 3 \pmod 5$: $x = 13$. (Check: $88 \bmod 15 = 13$.)

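Added example (not part of the original slides): Python code for Gauss's CRT formula from the theorem above, the correspondence $\theta$, and multiplication in $\mathbb{Z}_N$ done componentwise and mapped back. It reproduces Sun Tze's problem, the $x = 118$ example and the $8 \cdot 11 \bmod 15$ example. Assumptions: Python 3.8 or later (for `pow(a, -1, n)` and `math.prod`); the function names are my own.

```python
from math import gcd, prod

def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime moduli with Gauss's formula:
    x = sum(a_i * N_i * y_i) mod N, where N_i = N / n_i and y_i = N_i^{-1} mod n_i."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus, please")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    N = prod(moduli)
    x = 0
    for a, n in zip(residues, moduli):
        Ni = N // n
        yi = pow(Ni, -1, n)          # exists because gcd(N_i, n_i) = 1 (Python >= 3.8)
        x += a * Ni * yi
    return x % N

def theta(x, moduli):
    """The CRT correspondence Z_N -> Z_{n_1} x ... x Z_{n_k}: x -> (x mod n_i)."""
    return tuple(x % n for n in moduli)

def mul_via_crt(a, b, moduli):
    """Multiply in Z_N componentwise on the right-hand side, then map back with crt()."""
    comps = tuple(x * y % n for x, y, n in zip(theta(a, moduli), theta(b, moduli), moduli))
    return crt(comps, moduli)

def add_via_crt(a, b, moduli):
    """Same idea for addition: theta(a + b) = theta(a) + theta(b)."""
    comps = tuple((x + y) % n for x, y, n in zip(theta(a, moduli), theta(b, moduli), moduli))
    return crt(comps, moduli)

if __name__ == "__main__":
    print("Sun Tze:", crt([2, 3, 2], [3, 5, 7]))
    print("slide example:", crt([1, 6, 8], [3, 7, 10]))
    print("8 * 11 in Z_15 via Z_3 x Z_5:", mul_via_crt(8, 11, [3, 5]))
```

The pairwise-coprimality check is not decoration: with non-coprime moduli `pow(Ni, -1, n)` raises, or worse, the system may have no solution at all, and silently returning a number would be wrong.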
Euclidean Algorithm

Comment: compute $\gcd(a, b)$, where $a \ge b \ge 1$.
  $r_0 := a$
  $r_1 := b$
  for $i := 1, 2, \dots$ until $r_i = 0$:
    $r_{i+1} := r_{i-1} \bmod r_i$
  return $r_{i-1}$

Running time: $O(\log a)$ iterations; $O(\log^2 a)$ time for each mod.
Overall running time: $O(\log^3 a)$.

Extended Euclidean Algorithm

Given $a \ge b > 0$, compute $x, y$ such that $\gcd(a, b) = ax + by$.

Example: $\gcd(299, 221) = ?$
  $299 = 1 \cdot 221 + 78$
  $221 = 2 \cdot 78 + 65$
  $78 = 1 \cdot 65 + 13$
  $65 = 5 \cdot 13 + 0$
  $\gcd(299, 221) = 13$
Working backwards through the same equations:
  $13 = 78 - 65 = 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221$
     $= 3 \cdot (299 - 221) - 221 = 3 \cdot 299 - 4 \cdot 221$.
So $x = 3$, $y = -4$.

How to compute $a^{-1}$ in $\mathbb{Z}_n^*$?

$a^{-1}$ exists if and only if $\gcd(a, n) = 1$.
Use the extended Euclidean algorithm to find $x, y$ such that $ax + ny = \gcd(a, n) = 1$ (in $\mathbb{Z}$).
In $\mathbb{Z}_n$:
  $[a][x] + [n][y] = [1]$
  $[a][x] = [1]$ (since $[n] = [0]$)
  $[a]^{-1} = [x]$, i.e., $a^{-1} = x \bmod n$.
Note: may omit $[\ ]$, but reduce everything modulo $n$.

Example

Compute $15^{-1} \bmod 47$.
  $47 = 15 \cdot 3 + 2$ (divide 47 by 15; remainder 2)
  $15 = 2 \cdot 7 + 1$ (divide 15 by 2; remainder 1)
  $1 = 15 - 2 \cdot 7$
    $= 15 - (47 - 15 \cdot 3) \cdot 7$
    $= 15 \cdot 22 - 47 \cdot 7$
  $15 \cdot 22 \equiv 1 \pmod{47}$
  $15^{-1} \bmod 47 = 22$
That is, $15^{-1} = 22$ in $\mathbb{Z}_{47}^*$. (Check: $15 \cdot 22 = 330 = 7 \cdot 47 + 1$.)

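Added example (not part of the original slides): an iterative extended Euclidean algorithm in Python that runs the division steps of the Euclidean Algorithm slide forward while carrying the Bézout coefficients, so the backward substitution shown above is not needed, plus the modular inverse built on it. It reproduces $\gcd(299, 221) = 13 = 3 \cdot 299 - 4 \cdot 221$ and $15^{-1} \bmod 47 = 22$; the function names are my own.

```python
def egcd(a, b, trace=None):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) = a*x + b*y.
    Runs the division steps r_{i+1} = r_{i-1} mod r_i forward while carrying
    Bezout coefficients. If a list is passed as `trace`, each step is appended
    as (r_{i-1}, q, r_i, r_{i+1}), i.e. the equation r_{i-1} = q * r_i + r_{i+1}."""
    x0, y0, x1, y1 = 1, 0, 0, 1          # invariants: a = x0*A + y0*B, b = x1*A + y1*B
    while b != 0:
        q, r = divmod(a, b)
        if trace is not None:
            trace.append((a, q, b, r))
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, n):
    """a^{-1} mod n, which exists iff gcd(a, n) = 1; otherwise raise."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd(a, n) = {g}")
    return x % n                          # reduce the Bezout coefficient into Z_n

if __name__ == "__main__":
    steps = []
    g, x, y = egcd(299, 221, steps)
    for r_prev, q, r, r_next in steps:
        print(f"{r_prev} = {q} * {r} + {r_next}")
    print(f"gcd = {g} = {x} * 299 + ({y}) * 221")
    print("15^-1 mod 47 =", modinv(15, 47))
```

The number of loop iterations is the $O(\log a)$ bound from the Euclidean Algorithm slide; for the RSA key setup later on, `modinv(e, phi)` is exactly the computation of $d$.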
Algorithm: Square-and-Multiply$(x, c, n)$

Comment: compute $x^c \bmod n$, where $c = c_k c_{k-1} \cdots c_1 c_0$ in binary.
  $z := 1$
  for $i := k$ downto $0$ do
    $z := z^2 \bmod n$
    if $c_i = 1$ then $z := z \cdot x \bmod n$
  return $z$
Note: At the end of iteration $i$, $z = x^{(c_k c_{k-1} \cdots c_i)_2} \bmod n$.

Example: $11^{23} \bmod 187$

$23 = 10111_2$
  $z = 11 \bmod 187 = 11$ (square and multiply)  [bit $c_4 = 1$]
  $z = z^2 \bmod 187 = 121$ (square)  [bit $c_3 = 0$]
  $z = z^2 \cdot 11 \bmod 187 = 44$ (square and multiply)  [bit $c_2 = 1$]
  $z = z^2 \cdot 11 \bmod 187 = 165$ (square and multiply)  [bit $c_1 = 1$]
  $z = z^2 \cdot 11 \bmod 187 = 88$ (square and multiply)  [bit $c_0 = 1$]
So $11^{23} \bmod 187 = 88$.

The RSA Cryptosystem

By Rivest, Shamir & Adleman of MIT in 1977.
Best known and most widely used public-key scheme.
Based on the assumed one-way property of modular powering:
  $f : x \mapsto x^e \bmod n$ (easy)
  $f^{-1} : x \mapsto x^{1/e} \bmod n$ (hard)
In turn based on the hardness of integer factorization.

Idea behind RSA

It works in the group $\mathbb{Z}_n^*$. Let $x$ be a message.
  Encryption (easy): $x \mapsto x^e$.
  Decryption (hard): $x^e \mapsto x$.
Looking for a "trapdoor": $(x^e)^d = x$.
If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and
  $(x^e)^d = x^{ed} = x^{k\varphi(n) + 1} = (x^{\varphi(n)})^k \cdot x = 1^k \cdot x = x$.

RSA Cryptosystem

Key generation:
  (a) Choose large primes $p$ and $q$, and let $n := pq$.
  (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$. ($ed \equiv 1 \pmod{\varphi(n)}$.)
  (c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.
Encryption: $E(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$.
Decryption: $D(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$.

Why RSA Works?

The setting of RSA is the group $(\mathbb{Z}_n^*, \cdot)$.
In the group $\mathbb{Z}_n^*$, for any $x \in \mathbb{Z}_n^*$, we have $x^{\varphi(n)} = 1$.
We have chosen $e, d$ such that $ed \equiv 1 \pmod{\varphi(n)}$, i.e., $ed = k\varphi(n) + 1$ for some positive integer $k$.
For $x \in \mathbb{Z}_n^*$, $(x^e)^d = x^{ed} = x^{k\varphi(n) + 1} = (x^{\varphi(n)})^k \cdot x = x$.

What if $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?

RSA still works, but is not secure.
  $\gcd(x, n) \ne 1 \Rightarrow p \mid x$ or $q \mid x$.
  Say $p \mid x$. Then $x \equiv 0 \pmod p$ and so $x^{ed} \equiv 0 \equiv x \pmod p$.
  Also, $x \not\equiv 0 \pmod q$ (otherwise $x \equiv 0 \pmod n$), and $ed = k\varphi(n) + 1 = k(p-1)(q-1) + 1$, so
    $x^{ed} = x^{k(p-1)(q-1) + 1} = (x^{q-1})^{k(p-1)} \cdot x \equiv x \pmod q$ (Fermat's little theorem in $\mathbb{Z}_q^*$).
  By CRT, $x^{ed} \equiv x \pmod n$, i.e., $D(E(x)) = x$.
Why not secure: $\gcd(x, n) = p$, so such a message hands out the factorization of $n$ (see the Remarks slide).

RSA Example: Key Setup

Select two primes: $p = 17$, $q = 11$.
Compute the modulus $n = pq = 187$.
Compute $\varphi(n) = (p-1)(q-1) = 160$.
Select $e$ between $0$ and $160$ such that $\gcd(e, 160) = 1$. Say $e = 7$.
Compute $d = e^{-1} \bmod \varphi(n) = 7^{-1} \bmod 160 = 23$ (using the extended Euclidean algorithm; check: $7 \cdot 23 = 161 \equiv 1 \pmod{160}$).
Public key: $pk = (e, n) = (7, 187)$.
Secret key: $sk = (d, n) = (23, 187)$.

RSA Example: Encryption & Decryption

Suppose $m = 88$.
Encryption: $c = m^e \bmod n = 88^7 \bmod 187 = 11$.
Decryption: $m = c^d \bmod n = 11^{23} \bmod 187 = 88$.
When computing $11^{23} \bmod 187$, we do not first compute $11^{23}$ and then reduce it modulo 187. Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.

Encryption Key

To speed up encryption, small values are usually used for $e$.
Popular choices are $e = 3$, $17 = 2^4 + 1$, $65537 = 2^{16} + 1$.
These values have only two 1's in their binary representation, so square-and-multiply needs only one multiplication besides the squarings.
There is an interesting attack on small $e$ (e.g. Håstad's broadcast attack: the same unpadded message sent to $e$ recipients with $e = 3$ can be recovered with CRT and a cube root over the integers).

Decryption Key

One may be tempted to use a small $d$ to speed up decryption.
Unfortunately, that is risky.
Wiener's attack: If $d < \frac{1}{3} n^{1/4}$ and $p < q < 2p$, then the decryption exponent $d$ can be computed from $(n, e)$.
CRT can be used to speed up decryption instead.

Speeding up Decryption by CRT

Decryption: $m := c^d \bmod n$ (i.e., compute $c^d$ in $\mathbb{Z}_n^*$). Time: $O(\log^3 n)$.
Instead of computing $c^d \bmod n$ directly, we compute
  $m_1 := c_1^{d_1} \bmod p$, where $c_1 := c \bmod p$ and $d_1 := d \bmod (p-1)$,
  $m_2 := c_2^{d_2} \bmod q$, where $c_2 := c \bmod q$ and $d_2 := d \bmod (q-1)$,
and recover the plaintext by solving
  $x \equiv m_1 \pmod p$
  $x \equiv m_2 \pmod q$.
Time: $1/4$ of the direct computation (each half works with an exponent and a modulus of half the length, so costs about $1/8$).
If $n = p_1 p_2 \cdots p_t$, this will speed up even more.

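Added example (not part of the original slides): textbook RSA in Python covering the key setup, encryption and decryption slides, CRT decryption as described above, and the check from the "What if $x \notin \mathbb{Z}_n^*$" slide. One practitioner's observation the block makes visible: the slides' own example message $m = 88 = 8 \cdot 11$ is divisible by $q = 11$, so $\gcd(c, n) = \gcd(11, 187) = 11$ already leaks the factorization of $n$. Assumptions: Python 3.8 or later for `pow(e, -1, phi)`; the function names are my own. This is unpadded RSA for illustrating the arithmetic only, never for real use.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Textbook RSA key setup from two distinct primes and a public exponent e
    coprime to phi(n). Returns (pk, sk) = ((n, e), (n, d, p, q)); p and q are kept
    in sk because CRT decryption needs them."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must be in (1, phi(n)) and coprime to phi(n)")
    d = pow(e, -1, phi)                 # e*d = 1 (mod phi(n)); extended Euclid inside
    return (n, e), (n, d, p, q)

def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)                 # square-and-multiply with reduction mod n

def decrypt(sk, c):
    n, d, _, _ = sk
    return pow(c, d, n)

def decrypt_crt(sk, c):
    """Decrypt modulo p and q separately with exponents reduced modulo p-1 and q-1
    (Fermat), then recombine with CRT in Garner's form, which needs one inverse
    mod q that can be precomputed."""
    n, d, p, q = sk
    m1 = pow(c % p, d % (p - 1), p)
    m2 = pow(c % q, d % (q - 1), q)
    h = (m2 - m1) * pow(p, -1, q) % q   # m = m1 + p*h satisfies m = m1 (mod p), m = m2 (mod q)
    return (m1 + p * h) % n

def factor_from_nonunit(pk, c):
    """If the plaintext was outside Z_n^*, the ciphertext shares a factor with n and
    gcd(c, n) splits it. Returns (p, q) or None when c is a unit."""
    n, _ = pk
    g = gcd(c, n)
    return None if g in (1, n) else (g, n // g)

if __name__ == "__main__":
    pk, sk = rsa_keygen(17, 11, 7)
    c = encrypt(pk, 88)
    print("pk =", pk, " d =", sk[1], " c =", c)
    print("m =", decrypt(sk, c), "(direct)", decrypt_crt(sk, c), "(CRT)")
    print("gcd(c, n) leaks a factor:", factor_from_nonunit(pk, c))
```

`decrypt_crt` agrees with `decrypt` for every $m \in \mathbb{Z}_{187}$, units or not, which is the content of the "What if" slide; real implementations also verify the CRT result (or re-encrypt it) because a fault in one half hands an attacker a factor of $n$ the same way a non-unit message does.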
Attacks on RSA

Four categories of attacks on RSA:
  • brute-force key search: infeasible given the large key space
  • mathematical attacks
  • timing attacks
  • chosen ciphertext attacks

Mathematical Attacks

• Factor $n$ into $pq$. Then $\varphi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily.
• Determine $\varphi(n)$ directly. Equivalent to factoring $n$: knowing $\varphi(n)$ will enable us to factor $n$ by solving
    $n = pq$
    $\varphi(n) = (p-1)(q-1)$
  for $p$ and $q$ (a quadratic equation).
• Determine $d$ directly. If $d$ is known, $n$ can be factored with high probability.

Integer Factorization

A difficult problem, assumed to be infeasible. More and more efficient algorithms have been developed.
In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key ($n$) of 129 digits (428 bits). Prize: $100. RSA thought it would take quadrillions of years to break the code using the fastest algorithms and computers of that time. Solved in 1994.
In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.

RSA Numbers

Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)
There are two labeling schemes:
  • by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.
  • by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

RSA Numbers which have been factored

RSA-100 (332 bits), 1991, 7 MIPS-year, Quadratic Sieve.
RSA-110 (365 bits), 1992, 75 MIPS-year, QS.
RSA-120 (398 bits), 1993, 830 MIPS-year, QS.
RSA-129 (428 bits), 1994, 5000 MIPS-year, QS.
RSA-130 (431 bits), 1996, 1000 MIPS-year, GNFS.
RSA-140 (465 bits), 1999, 2000 MIPS-year, GNFS.
RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.
RSA-160 (530 bits), 2003, Lattice Sieve.
RSA-576 (174 digits), 2003, Lattice Sieve.
RSA-640 (193 digits), 2005, Lattice Sieve.
RSA-200 (663 bits), 2005, Lattice Sieve.

RSA-200 =
27,997,833,911,221,327,870,829,467,638,722,601,621,070,446,786,955,428,537,560,009,929,326,128,400,107,609,345,671,052,955,360,856,061,822,351,910,951,365,788,637,105,954,482,006,576,775,098,580,557,613,579,098,734,950,144,178,863,178,946,295,187,237,869,221,823,983.

Remarks

In light of current factorization technologies, RSA recommends 1024-2048 bits. (This recommendation is as old as the slides; 1024-bit moduli are no longer considered adequate, and 2048 bits is the usual minimum today.)
If a message $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, RSA works, but
  • since $\gcd(m, n) \ne 1$, the sender can factor $n$;
  • since $\gcd(m^e \bmod n, n) \ne 1$, the adversary can factor $n$, too.
Question: how likely is $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?
(There are $n - \varphi(n) = p + q - 1$ such $m$, so for a random $m$ the probability is $(p + q - 1)/n$, negligible for large $p, q$.)

How many prime numbers are there?

• Infinitely many.
• First proved by Euclid:
  Assume only a finite number of primes $p_1, p_2, \dots, p_n$.
  Let $M = p_1 p_2 \cdots p_n + 1$.
  $M$ is not a prime, because $M > p_i$ for $1 \le i \le n$.
  So $M$ is composite and has a prime factor $p_i$ for some $i$.
  $p_i \mid M$ and $p_i \mid p_1 p_2 \cdots p_n$, hence $p_i \mid 1$: contradiction.

Distribution of Prime Numbers

The Prime Number Theorem: Let $\pi(x)$ denote the number of primes $\le x$. Then
  $\pi(x) \approx \dfrac{x}{\ln x}$ for large $x$.

Dirichlet's Theorem: For $n \ge 2$ and $b \in \mathbb{Z}_n^*$, let $\pi_{n,b}(x)$ denote the number of primes $y$ such that $y \le x$ and $y \equiv b \pmod n$. Then
  $\pi_{n,b}(x) \approx \dfrac{1}{\varphi(n)} \cdot \dfrac{x}{\ln x}$ for large $x$.

How to generate a large prime number?

Generate a random odd number $n$ of the desired size.
Test if $n$ is prime.
If not, discard it and try a different number.
Q: How many numbers are expected to be tested before a prime is found?
(By the Prime Number Theorem, about $\ln n$ random integers near $n$, or about $(\ln n)/2$ random odd ones; for a 1024-bit $n$ that is roughly 355 odd candidates.)

Primality test: Is $n$ a prime?

Can it be solved in polynomial time? A long-standing open problem until 2002.
AKS (Agrawal, Kayal, Saxena): $O(\log^{12} n)$.
Later improved by others to $O(\log^{10.5} n)$, and then to $O(\log^6 n)$.
In practice, Miller-Rabin's probabilistic algorithm is still the most popular: much faster, $O(\log^3 n)$.

Miller-Rabin primality test: Is $n$ a prime?

Looking for a characteristic property $P$ of prime numbers:
  $n$ is prime $\Leftrightarrow$ what?
  $n$ is prime $\Rightarrow$ $\forall a \in \mathbb{Z}_n^*$, $P(a) = \text{true}$
  $n$ is prime $\Leftarrow$ $\forall a \in \mathbb{Z}_n^*$, $P(a) = \text{true}$; i.e.,
  $n$ not prime $\Rightarrow$ $\exists$ elements $a \in \mathbb{Z}_n^*$ with $P(a) = \text{false}$
Check $P(a)$ for $t$ random elements $a \in \mathbb{Z}_n^*$.
  If $P(a)$ is true for all of them, then return "prime"
  else return "composite".
A "prime" answer may be incorrect with probability $p(n, t)$.
If $|\{a \in \mathbb{Z}_n^* : P(a) = \text{false}\}| \ge \frac{1}{2}|\mathbb{Z}_n^*|$ for every composite $n$, then $p(n, t) \le \frac{1}{2^t}$.

Strong witnesses

If $n$ is not prime, then there are elements $a \in \mathbb{Z}_n^*$ such that $P(a) = \text{false}$; such elements are called strong witnesses (to the compositeness of $n$). Elements $a \in \mathbb{Z}_n^*$ with $P(a) = \text{true}$ are non-witnesses.

Looking for $P(a)$:

How about $P(a)$: $a^{n-1} \equiv 1 \pmod n$?
Fermat's little theorem: If $n$ is prime, then $\forall a \in \mathbb{Z}_n^*$, $a^{n-1} \equiv 1 \pmod n$.
If $n$ is not prime, there may be no strong witnesses for this $P$. (Carmichael numbers: composite numbers $n$ for which $a^{n-1} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$; the smallest is $561 = 3 \cdot 11 \cdot 17$.)
Need to refine the condition $a^{n-1} \equiv 1 \pmod n$.

Fact: if $n > 2$ is prime, then $1$ has exactly two square roots in $\mathbb{Z}_n^*$, namely $\pm 1$.
Write $n - 1 = 2^k u$, where $u$ is odd.
If $n$ is prime, $\forall a \in \mathbb{Z}_n^*$, $a^{n-1} \equiv 1 \pmod n$ (Fermat's little theorem), and in fact $\forall a \in \mathbb{Z}_n^*$, $P(a) = \text{true}$, where $P(a)$ is:
  $a^u \equiv 1 \pmod n$, or
  $a^{2^i u} \equiv -1 \pmod n$ for some $i$, $0 \le i \le k-1$.
Why? Consider the sequence
  $a^u, a^{2u}, a^{4u}, \dots, a^{2^{k-1}u}, a^{2^k u} \pmod n$.
Each term is the square of the previous one, and the last term is $a^{n-1} \equiv 1$. If $a^u \not\equiv 1$, look at the first term that is $\equiv 1$: the term before it is a square root of $1$ other than $1$, so by the fact above it must be $-1$.

If $n$ is not prime, do strong witnesses always exist?
Yes. Loosely speaking: if $n$ is an odd composite and not a prime power, then at least one half of the elements $a \in \mathbb{Z}_n^*$ are strong witnesses.
A composite number $n$ is a prime power if $n = p^e$ for some prime $p$ and integer $e \ge 2$. (A perfect power if $n = k^e$ for some integer $k$ and $e \ge 2$.)

Theorem: If $n$ is an odd composite and not a prime power, then at least one half of the elements $a \in \mathbb{Z}_n^*$ are strong witnesses.
Sketch of proof: The set of non-strong-witnesses is contained in a proper subgroup $A$ of $\mathbb{Z}_n^*$. (It need not itself be closed under multiplication, which is why the argument goes through a subgroup containing it.) So $\mathrm{ord}(A) < \mathrm{ord}(\mathbb{Z}_n^*)$ and, by Lagrange, $\mathrm{ord}(A) \mid \mathrm{ord}(\mathbb{Z}_n^*)$. So $\mathrm{ord}(A) \le \frac{1}{2}\mathrm{ord}(\mathbb{Z}_n^*)$.

Algorithm: Miller-Rabin primality test$(n, t)$

Input: integer $n \ge 2$ and parameter $t$
Output: a decision as to whether $n$ is prime or composite
  1. if $n$ is even, return "composite" (handle $n = 2$ separately: it is prime)
  2. if $n$ is a perfect power, return "composite"
  3. for $i := 1$ to $t$ do
       choose a random integer $a$, $2 \le a \le n-1$
       if $\gcd(a, n) \ne 1$, return "composite"
       if $a$ is a strong witness, return "composite"
  4. return "prime"

Analysis: Miller-Rabin primality test

If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct.
The algorithm gives a wrong answer if $n$ is composite but the algorithm fails to find a strong witness in $t$ iterations.
This may happen with probability at most $2^{-t}$.
Actually, at most $4^{-t}$, by a more sophisticated analysis.

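Added example (not part of the original slides): Python code for the strong-witness test and the Miller-Rabin algorithm exactly as sketched above (even check, perfect-power check, $\gcd$ check, $t$ random bases), together with helpers that make the earlier slides concrete: for the Carmichael number $561$ every unit is a Fermat liar, yet strong witnesses exist and are in the majority, and a prime generator that counts how many odd candidates were tested. Assumptions: Python 3; the function names, the `seed` parameter (for reproducible random bases) and the exact root routine are my own.

```python
import random
from math import gcd

def iroot(n, e):
    """Largest integer k with k^e <= n (binary search, exact for big ints)."""
    lo, hi = 1, 1 << (n.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def is_perfect_power(n):
    """True if n = k^e for integers k >= 2, e >= 2 (step 2 of the slide's algorithm)."""
    return any(iroot(n, e) ** e == n for e in range(2, n.bit_length() + 1))

def is_strong_witness(a, n):
    """Strong-witness test for odd n > 2. Write n - 1 = 2^k * u with u odd.
    a is NOT a witness (P(a) = true) if a^u = 1 or a^(2^i u) = -1 for some 0 <= i < k."""
    u, k = n - 1, 0
    while u % 2 == 0:
        u //= 2
        k += 1
    x = pow(a, u, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(k - 1):
        x = x * x % n                      # walk a^u, a^(2u), ..., a^(2^(k-1) u)
        if x == n - 1:
            return False
    return True                            # never passed through -1: a is a witness

def miller_rabin(n, t=20, seed=None):
    """The slide's algorithm. 'composite' is always right; 'prime' is wrong with
    probability at most 4^-t. `seed` fixes the random base choices for reproducibility."""
    rng = random.Random(seed)
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0 or is_perfect_power(n):
        return False
    for _ in range(t):
        a = rng.randrange(2, n)            # 2 <= a <= n - 1
        if gcd(a, n) != 1 or is_strong_witness(a, n):
            return False
    return True

def fermat_liars(n):
    """a in Z_n^* with a^(n-1) = 1 (mod n): all of Z_n^* when n is a Carmichael number."""
    return [a for a in range(1, n) if gcd(a, n) == 1 and pow(a, n - 1, n) == 1]

def strong_liars(n):
    """a in Z_n^* that are not strong witnesses; at most half of Z_n^* for an odd
    composite n that is not a prime power (the theorem two slides back)."""
    return [a for a in range(1, n) if gcd(a, n) == 1 and not is_strong_witness(a, n)]

def random_prime(bits, seed=None):
    """Draw random odd numbers of the given size until Miller-Rabin accepts one.
    Returns (prime, candidates_tested); expect about (ln 2^bits)/2 candidates."""
    rng = random.Random(seed)
    tested = 0
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1    # top and bottom bits set
        tested += 1
        if miller_rabin(n, 20, rng.random()):
            return n, tested

if __name__ == "__main__":
    print("561: Fermat liars", len(fermat_liars(561)), "of 320; strong liars", len(strong_liars(561)))
    print("miller_rabin(561) ->", miller_rabin(561, seed=1))
    print("64-bit prime and candidates tested:", random_prime(64, seed=1))
```

For key generation the random bases must come from a cryptographic source (`secrets`), not `random`; the `seed` parameter exists here only so the demonstration is repeatable.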
Monte Carlo algorithms

A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer, but sometimes the answer may be incorrect.
A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability.
A $t$-iteration Miller-Rabin is a "composite"-biased Monte Carlo algorithm with error probability at most $1/4^t$.

Las Vegas algorithms

A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer, but never gives an incorrect one.
A Las Vegas algorithm can be converted into a Monte Carlo algorithm.

Integer Factorization

Reference on quadratic sieve:
http://blogs.msdn.com/b/devdev/archive/2006/06/19/637332.aspx

Fermat's Method

• Difference of squares.
• To factor $n$, find an $a$ such that $a^2 - n$ is a square, say $b^2$. Then $n = a^2 - b^2 = (a - b)(a + b)$.
• Search for $a$ starting from $\lceil \sqrt{n} \rceil$.
• Example: Suppose $n = 5959$. Then $\lceil \sqrt{n} \rceil = 78$.
  $a^2 - n$ is not a square for $a = 78$ and $79$.
  $a^2 - n$ is a square for $a = 80$: $80^2 - 5959 = 441 = 21^2$.
  Hence $5959 = 80^2 - 21^2 = (80 - 21)(80 + 21) = 59 \cdot 101$.
• Slow: a linear search for $a \ge \sqrt{n}$ is a poor strategy (it finishes quickly only when the two factors are close together).

Dixon's Random Squares Algorithm

• Basic idea: a generalization of Fermat's difference of squares.
• To factor $n$, find $x \not\equiv \pm y \pmod n$ such that $x^2 \equiv y^2 \pmod n$. Then $n \mid (x - y)(x + y)$, but $n$ divides neither of $x \pm y$. Hence $\gcd(x \pm y, n)$ are nontrivial factors of $n$.
• Example: $32^2 \equiv 10^2 \pmod{77}$. $\gcd(32 \pm 10, 77) = 7$ and $11$.
• Question: how to produce such $x$ and $y$?
• Factor base: a set $B$ of small primes, say $B = \{p_1, p_2, \dots, p_b\}$.
• An integer $z$ is $B$-smooth if it can be factored over $B$ mod $n$, i.e., $z \equiv p_1^{e_1} p_2^{e_2} \cdots p_b^{e_b} \pmod n$ for some $e_1, e_2, \dots, e_b \ge 0$.

Our goals:
• First, find a set $U$ of integers $x_i$ such that the $x_i^2 \bmod n$ are smooth:
    $x_i^2 \equiv p_1^{e_{i1}} p_2^{e_{i2}} \cdots p_b^{e_{ib}} \pmod n$.
• Second, select a subset $S \subseteq U$ such that the product $\prod_{x_i \in S} x_i^2$ has an even exponent for each $p_j$, say,
    $\prod_{x_i \in S} x_i^2 \equiv p_1^{2e_1} p_2^{2e_2} \cdots p_b^{2e_b} \pmod n$ for some $e_1, e_2, \dots, e_b \ge 0$.
  Let $X = \prod_{x_i \in S} x_i \bmod n$ and $Y = p_1^{e_1} p_2^{e_2} \cdots p_b^{e_b} \bmod n$, and we have $X^2 \equiv Y^2 \pmod n$.
  If $X \equiv \pm Y \pmod n$, no luck; try a different set of $x_i$'s.

Example (from Stinson's book on Cryptography)

Suppose $n = 15770708441$ and $B = \{2, 3, 5, 7, 11, 13\}$.
Consider the three congruences:
  $8340934156^2 \equiv 3 \cdot 7 \pmod n$
  $12044942944^2 \equiv 2 \cdot 7 \cdot 13 \pmod n$
  $2773700011^2 \equiv 2 \cdot 3 \cdot 13 \pmod n$.
Then
  $(8340934156 \cdot 12044942944 \cdot 2773700011)^2 \equiv (2 \cdot 3 \cdot 7 \cdot 13)^2 \pmod n$.
Reducing modulo $n$ yields $9503435785^2 \equiv 546^2 \pmod n$.
A factor of $n$: $\gcd(9503435785 - 546, 15770708441) = 115759$.

To achieve our second goal

Suppose $B = \{p_1, p_2, \dots, p_b\}$. Let $c > b$.
Suppose we have a set $U$ of $c$ integers $x_i$ such that the $x_i^2$ are smooth:
  $x_i^2 \equiv p_1^{e_{i1}} p_2^{e_{i2}} \cdots p_b^{e_{ib}} \pmod n$ ($1 \le i \le c$).
Let $\mathbf{e}_i = (e_{i1} \bmod 2, e_{i2} \bmod 2, \dots, e_{ib} \bmod 2)$.
The $c$ vectors $\mathbf{e}_1, \dots, \mathbf{e}_c$ lie in a $b$-dimensional space over $\mathbb{Z}_2$, so they are linearly dependent (because $c > b$), and we can find a subset $S$ of $\mathbf{e}_i$'s that sum modulo 2 to $(0, 0, \dots, 0)$, e.g. by Gaussian elimination over $\mathbb{Z}_2$.
Let $X = \prod x_i \bmod n$ be the product of the $x_i$'s corresponding to the $\mathbf{e}_i$'s in $S$.

Example (cont.)

We have $B = \{2, 3, 5, 7, 11, 13\}$ and
  $x_1^2 = 8340934156^2 \equiv 3 \cdot 7 \pmod n$,   $\mathbf{e}_1 = (0, 1, 0, 1, 0, 0)$
  $x_2^2 = 12044942944^2 \equiv 2 \cdot 7 \cdot 13 \pmod n$,   $\mathbf{e}_2 = (1, 0, 0, 1, 0, 1)$
  $x_3^2 = 2773700011^2 \equiv 2 \cdot 3 \cdot 13 \pmod n$,   $\mathbf{e}_3 = (1, 1, 0, 0, 0, 1)$
  $\mathbf{e}_1 + \mathbf{e}_2 + \mathbf{e}_3 = (0, 0, 0, 0, 0, 0) \pmod 2$.
Thus, we let $X = (x_1 x_2 x_3) \bmod n$ and
  $Y^2 = (3 \cdot 7)(2 \cdot 7 \cdot 13)(2 \cdot 3 \cdot 13) \pmod n$, i.e., $Y = 2 \cdot 3 \cdot 7 \cdot 13 = 546$.

Searching for smooth squares

• Dixon's strategy: choose the $x_i$ at random, hence the name Random Squares Method.
• Trick 1: try numbers of the form $x = \lceil \sqrt{kn} \rceil + j$, $j = 0, 1, 2, \dots$, and $k = 1, 2, \dots$. For such $x$, $x^2 \bmod n$ tends to be small and has a better chance than average to be smooth.
• Trick 2: also try numbers of the form $x = \lfloor \sqrt{kn} \rfloor - j$, $j = 0, 1, 2, \dots$, and $k = 1, 2, \dots$. For such $x$, $x^2$ is a little bit smaller than $kn$. Try to factor $(x^2 \bmod n) - n$ (a small negative number) instead of $x^2 \bmod n$.
• Trick 3: to play trick 2, we need to include $-1$ in $B$.

Example (from Stinson's book on Cryptography)

Suppose $n = 1829$ and $B = \{-1, 2, 3, 5, 7, 11, 13\}$.
$\sqrt{n} \approx 42.77$, $\sqrt{2n} \approx 60.48$, $\sqrt{3n} \approx 74.07$, $\sqrt{4n} \approx 85.53$.
Thus we try $x = 42, 43, 60, 61, 74, 75, 85, 86$, and obtain (exponent vectors over $B$, reduced mod 2):
  $x_1 = 42$: $42^2 - n = -65 = (-1) \cdot 5 \cdot 13$.   $\mathbf{e}_1 = (1, 0, 0, 1, 0, 0, 1)$
  $x_2 = 43$: $43^2 - n = 20 = 2^2 \cdot 5$.   $\mathbf{e}_2 = (0, 0, 0, 1, 0, 0, 0)$
  $x_3 = 61$: $61^2 - 2n = 63 = 3^2 \cdot 7$.   $\mathbf{e}_3 = (0, 0, 0, 0, 1, 0, 0)$
  $x_4 = 74$: $74^2 - 3n = -11 = (-1) \cdot 11$.   $\mathbf{e}_4 = (1, 0, 0, 0, 0, 1, 0)$
  $x_5 = 85$: $85^2 - 4n = -91 = (-1) \cdot 7 \cdot 13$.   $\mathbf{e}_5 = (1, 0, 0, 0, 1, 0, 1)$
  $x_6 = 86$: $86^2 - 4n = 80 = 2^4 \cdot 5$.   $\mathbf{e}_6 = (0, 0, 0, 1, 0, 0, 0)$
($x = 60$ and $x = 75$ give $-58 = -2 \cdot 29$ and $138 = 2 \cdot 3 \cdot 23$, which are not $B$-smooth.)

$\mathbf{e}_2 + \mathbf{e}_6 = (0, 0, 0, 0, 0, 0, 0)$, but it does not yield a factorization of $n$:
  $43^2 \cdot 86^2 \equiv 2^6 \cdot 5^2 \pmod{1829}$
  $3698^2 \equiv 40^2 \pmod{1829}$
  $40^2 \equiv 40^2 \pmod{1829}$   (since $3698 \equiv 40$: here $X \equiv Y$, no luck)
$\mathbf{e}_1 + \mathbf{e}_2 + \mathbf{e}_3 + \mathbf{e}_5 = (0, 0, 0, 0, 0, 0, 0)$:
  $(42 \cdot 43 \cdot 61 \cdot 85)^2 \equiv (-1)^2 \cdot 2^2 \cdot 3^2 \cdot 5^2 \cdot 7^2 \cdot 13^2 \pmod{1829}$
  $1459^2 \equiv 901^2 \pmod{1829}$   ($42 \cdot 43 \cdot 61 \cdot 85 \equiv 1459$ and $2 \cdot 3 \cdot 5 \cdot 7 \cdot 13 = 2730 \equiv 901$)
  $\gcd(1459 - 901, 1829) = 31$.
  $1829 = 31 \cdot 59$.

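Added example (not part of the original slides): Python code for the factoring methods of the last slides, namely Fermat's method on $n = 5959$ and Dixon's random squares on $n = 1829$ with the factor base $\{-1, 2, 3, 5, 7, 11, 13\}$ and the candidates of tricks 1 and 2. The dependency among the $\mathbf{e}_i$ is found by Gaussian elimination over $\mathbb{Z}_2$ that tracks which relations were combined, so it recovers the subset $\{42, 43, 61, 85\}$ above and then the split $31 \cdot 59$. Assumptions: Python 3.8 or later (`math.isqrt`, `math.prod`); the function names are my own.

```python
from math import gcd, isqrt, prod

def fermat_factor(n):
    """Fermat's method: a = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until a^2 - n is a
    perfect square b^2; then n = (a - b)(a + b). Returns (a - b, a + b, a)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b, a
        a += 1

def factor_over_base(z, base):
    """Trial-divide z over the factor base (which may start with -1).
    Returns the exponent vector, or None if z is not B-smooth."""
    if z == 0:
        return None
    exps = []
    for p in base:
        e = 0
        if p == -1:
            if z < 0:
                z, e = -z, 1
        else:
            while z % p == 0:
                z //= p
                e += 1
        exps.append(e)
    return exps if z == 1 else None

def near_sqrt_candidates(n, kmax):
    """Tricks 1 and 2: x = floor(sqrt(kn)) and ceil(sqrt(kn)) for k = 1..kmax."""
    out = []
    for k in range(1, kmax + 1):
        s = isqrt(k * n)
        out += [s, s + 1]
    return out

def collect_relations(n, base, candidates):
    """For each x, take the signed residue x^2 - kn nearest to 0 and keep it if it is
    smooth. Returns a list of (x, residue, exponent vector)."""
    rels = []
    for x in candidates:
        k = (x * x + n // 2) // n
        r = x * x - k * n
        exps = factor_over_base(r, base)
        if exps is not None:
            rels.append((x, r, exps))
    return rels

def dependencies_gf2(rows):
    """Gaussian elimination over GF(2) on parity vectors. Each row carries the set of
    original indices it is built from; a row that reduces to 0 yields a subset of
    relations whose exponent vectors sum to an all-even vector."""
    pivots = {}                             # leading bit -> (vector, index set)
    deps = []
    for idx, row in enumerate(rows):
        v, tag = sum(b << i for i, b in enumerate(row)), {idx}
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = (v, tag)
                break
            pv, ptag = pivots[top]
            v, tag = v ^ pv, tag ^ ptag     # symmetric difference of index sets
        else:
            deps.append(sorted(tag))
    return deps

def dixon(n, base, candidates):
    """Returns (p, q, subset_indices) on success, None if no dependency splits n."""
    rels = collect_relations(n, base, candidates)
    for dep in dependencies_gf2([[e % 2 for e in exps] for _, _, exps in rels]):
        X = prod(rels[i][0] for i in dep) % n
        total = [sum(rels[i][2][j] for i in dep) for j in range(len(base))]
        Y = prod(p ** (e // 2) for p, e in zip(base, total)) % n
        for g in (gcd(X - Y, n), gcd(X + Y, n)):
            if 1 < g < n:                   # X = +-Y gives 1 or n: the "no luck" case
                return g, n // g, dep
    return None

if __name__ == "__main__":
    print("Fermat:", fermat_factor(5959))
    B = [-1, 2, 3, 5, 7, 11, 13]
    print("Dixon:", dixon(1829, B, near_sqrt_candidates(1829, 4)))
```

The elimination yields the $\{43, 86\}$ dependency too; it is skipped because there $X \equiv Y$ and both gcds are trivial, exactly as worked out above.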
Quadratic Sieve

• Consider the interval $[M_1, M_2]$ around $\sqrt{n}$ for some suitable integers $M_1, M_2$.
• Let $Q(x) = x^2 - n$. We want to find a set $U$ of integers $x$ for which $Q(x)$ is smooth.
• Recall the factor base $B = \{p_1, p_2, \dots, p_b\}$.
• Recall Dixon's method (pick an $x \in [M_1, M_2]$ and test whether $Q(x)$ is smooth by trial division) and observe how the computing time is wasted on the many $x$ whose $Q(x)$ is not smooth.
• Idea of QS: use each $p \in B$ as a "sieve" and sieve it through $[M_1, M_2]$.
• Notice that if $p \in B$, $x, y \in [M_1, M_2]$, and $p \mid Q(x)$, then $p \mid Q(y)$ iff $y \equiv \pm x \pmod p$ (for an odd $p \nmid n$, $y^2 \equiv n \pmod p$ has exactly the two solutions $\pm x$; for $p = 2$ they coincide). So once one $x$ with $p \mid Q(x)$ is known, every other one is reached by stepping through the interval in strides of $p$ from $x$ and from $-x \bmod p$.

Sketch of the Quadratic Sieve Algorithm

1. Array $QA[M_1 .. M_2]$. Initially, $QA[i] = i^2 - n$ (use $|i^2 - n|$ and record the sign as the exponent of $-1$, as in trick 3, when the interval starts below $\sqrt{n}$).
2. for each $p \in \{p_1, p_2, \dots, p_b\}$ do
     find an $i \in [M_1 .. M_2]$ such that $p \mid Q(i)$ (and likewise for the other root $-i \bmod p$);
     for each $j \in [M_1 .. M_2]$ such that $j \equiv i \pmod p$ do
       $QA[j] := QA[j] / p^{e}$, where $e$ is the largest possible;
       keep a record of $e \bmod 2$.
3. Let $U$ be the set of all $i \in [M_1 .. M_2]$ such that $QA[i] = 1$.
   // $Q(i)$ is smooth for each $i \in U$ //
4. Construct a subset $S \subseteq U$ as in Dixon's.

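Added example (not part of the original slides): a Python version of steps 1 to 3 of the sketch above, sieving $Q(x) = x^2 - n$ over an interval with each prime of the factor base, walking both roots of $x^2 \equiv n \pmod p$ in strides of $p$ rather than trial-dividing every $Q(x)$. It is run on the $n = 1829$ example from the Dixon slides; there the sieve also finds $x = 45$ with $45^2 - 1829 = 196 = 2^2 \cdot 7^2$, a relation that is already a perfect square and splits $n$ without the $\mathbb{Z}_2$ combination step. Assumptions: Python 3.8 or later; the square roots mod $p$ are found by brute force, which is adequate for a small factor base; the function names are my own.

```python
from math import gcd, isqrt, prod

def sqrt_mod_p(n, p):
    """All r in [0, p) with r^2 = n (mod p), by brute force (fine for a small base)."""
    return [r for r in range(p) if (r * r - n) % p == 0]

def sieve_smooth(n, primes, M1, M2):
    """Quadratic sieve step: among x in [M1, M2] find those with |Q(x)| = |x^2 - n|
    smooth over `primes`. For each p we locate the residues r with p | Q(r) (roots of
    x^2 = n mod p) and stride through the interval in steps of p, dividing out the
    full power p^e and recording e. Returns {x: [sign_exponent, e_1, ..., e_b]} with
    sign_exponent = 1 if Q(x) < 0 (the exponent of -1 in the factor base)."""
    if isqrt(n) ** 2 == n:
        raise ValueError("n is a perfect square; nothing to sieve")
    xs = range(M1, M2 + 1)
    QA = {x: abs(x * x - n) for x in xs}
    exps = {x: [1 if x * x < n else 0] + [0] * len(primes) for x in xs}
    for j, p in enumerate(primes, start=1):
        for r in sqrt_mod_p(n, p):             # empty when n is a non-residue mod p
            first = M1 + (r - M1) % p          # smallest x >= M1 with x = r (mod p)
            for x in range(first, M2 + 1, p):
                e = 0
                while QA[x] % p == 0:
                    QA[x] //= p
                    e += 1
                exps[x][j] = e
    return {x: exps[x] for x in xs if QA[x] == 1}   # fully divided out: Q(x) is smooth

def factor_from_single_relation(n, primes, rels):
    """If some sieved Q(x) already has all-even exponents, x^2 = Y^2 (mod n) with
    Y = prod p^(e/2) gives a factor directly; otherwise the GF(2) combination step
    of Dixon's method is needed. Returns (p, q) or None."""
    for x, exps in rels.items():
        if all(e % 2 == 0 for e in exps):
            y = prod(p ** (e // 2) for p, e in zip(primes, exps[1:]))
            g = gcd(x - y, n)
            if 1 < g < n:
                return g, n // g
    return None

if __name__ == "__main__":
    primes = [2, 3, 5, 7, 11, 13]
    rels = sieve_smooth(1829, primes, 30, 60)
    for x, e in rels.items():
        print(x, x * x - 1829, e)
    print("factor:", factor_from_single_relation(1829, primes, rels))
```

Because $1829 \equiv 2 \pmod 3$ is not a square modulo 3, `sqrt_mod_p` returns nothing for $p = 3$ and the sieve never touches that prime; a real implementation drops such primes from the base up front, since they can never appear in $Q(x)$.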