
Presentation Transcript


  1. Abstract • The Number Field Sieve is asymptotically the fastest known algorithm for factoring a large integer N with no small prime factors, such as an RSA modulus. An early step in the algorithm selects two polynomials with a common root modulo N. This talk will present some techniques for choosing the polynomials when N has no nice algebraic form. Peter L. Montgomery Microsoft Research, USA

  2. Polynomial Selection for the General Number Field Sieve Peter L. Montgomery Microsoft Research, USA May 29, 2008

  3. Number Field Sieve (NFS) • Asymptotically best known algorithm for factoring large integers with no small prime factors. • Also best known algorithm for discrete logarithms modulo large primes.

  4. SNFS and GNFS • Special Number Field Sieve (SNFS) • Number being factored has nice algebraic form. • Record (2^1039 − 1)/5080711 (307 digits, 2007). • General Number Field Sieve (GNFS) • No known nice algebraic form. • Record RSA200 (200 digits, 2005).

  5. NFS Stages – Part I • Input: Composite integer N, no small factors. • Polynomial selection • Find f1, f2 ∈ Z[X] with common root m modulo N. • Homogeneous form: F_k(a, b) = b^deg(f_k) · f_k(a/b). • Sieving • Find many integer pairs (a_i, b_i) where both homogeneous polynomial values |F_k(a_i, b_i)| are smooth (k = 1, 2). • Normalized so gcd(a_i, b_i) = 1 and b_i > 0. • Called relations. • Need one relation per prime in your factor bases.

  6. NFS Stages – Part II • Matrix construction and linear algebra • Let α_k be a (complex) root of f_k. • Find nonempty set S of indices such that ∏_{j∈S} (a_j − b_j α_k) is a square in Q(α_k), for each k. • Each a_j − b_j α_k has smooth norm. • Find square roots in Q(α_k). • Apply homomorphisms mapping each α_k to m mod N. • Get integer congruence A^2 ≡ B^2 (mod N). Hope gcd(A + B, N) is a nontrivial factor of N.

  7. Finding Two Polynomials for NFS • Given N, which we want to factor. • Also input desired degrees d1, d2. • Find irreducible polynomials f1, f2 of degrees d1, d2 with common root m modulo N (but not in C). • resultant(f1, f2) will be a nonzero multiple of N, preferably a small multiple. • Determinant formula for resultant gives lower bound on coefficient sizes in f1, f2.

  8. Sample SNFS Polynomial Selection • N = (2^512 + 1)/2424833 (148 digits). • 9th Fermat number made SNFS famous (1990). • Guess to use degrees 5 and 1. • Common root m = 2^103. • f1(X) = X − m and f2(X) = X^5 + 8. • Resultant = ±(m^5 + 8), about 19e6 · N. • Homogeneous F1(a, b) = a − mb, and F2(a, b) = a^5 + 8b^5.

  9. Norm Sizes • Assume we sieve 2e12 points, in rectangle |a| ≤ 1e6 and 0 < b ≤ 1e6. • Approximate homogeneous sizes a − 1e31·b and a^5 + 8b^5. • Norm bounds approx 1e37 and 9e30. • Smaller norms more likely to be smooth. • Both norms must be smooth.

  10. Alternate Choices for 2^512 + 1 • Degree 4, m = 2^128 ≈ 3e38. f2(X) = X^4 + 1. • a − mb and a^4 + b^4. • Bounds 3e44 and 2e24. • Degree 6, m = 2^85 ≈ 4e25. f2(X) = 4X^6 + 1. • a − mb and 4a^6 + b^6. • Bounds 4e31 and 5e36. • Degree 5 bounds were 1e37 and 9e30. • Close call between degrees 5 and 6. • 1990 technology needed monic polynomials.

  11. Roots Modulo Small Primes • X^4 + 1 • One root modulo 2, four modulo 17. • X^5 + 8 • One root modulo each of 2, 3, 5, 7, 13, 17, 19, 23. • 4X^6 + 1 • Projective root modulo 2. • Two roots modulo each of 5, 17. • This quintic norm has more prime divisors < 25 than the other norms, on average.

  12. Lower Bounds on Sizes • Assume f_k has degree d_k, coefficient bound B_k (k = 1, 2). • Determinant formula for resultant(f1, f2) has d2 rows with coefficients of f1 and d1 rows with coefficients of f2. • Need B1^d2 · B2^d1 ≥ N (approx). • If rectangular sieving region is 2A × A, want both B_k · A^{d_k} small, about same size.

  13. Base-m Method for GNFS • Set m ≈ N^{1/(d+1)} if degrees d and 1 wanted. • Write N = a0 + a1·m + ... + a_d·m^d in base m. • Each a_i is O(m), possibly negative. • f1(X) = X − m. • f2(X) = a0 + a1·X + ... + a_d·X^d. • Let rectangular sieving region be 2A × A. • |a| ≤ A and 0 < b ≤ A. • Norm bounds mA and (d+1)·m·A^d. • Norms too far apart.

  14. Rating Polynomials • Heuristics to increase density of smooth norms: • Try to make norm small on average. • Prefer real roots, so norm is near zero on parts of sieving region. • Try to have many roots modulo small primes and prime powers. • For example, X^2 + 7 is divisible by 8 whenever it is even. • Brian Murphy (ANTS, 1998) confirmed that these properties improve yield when using two quadratic polynomials.

  15. Improved Base-m • Assume degree d ≥ 4 and linear wanted. • Looking for f(m) = N where (if d = 5) f(X) = a5·X^5 + a4·X^4 + a3·X^3 + a2·X^2 + a1·X + a0. • Pick leading coefficient a_d. • Prefer many small prime divisors. • Set m = round((N/a_d)^{1/d}). • Fill in initial a_{d−1} to a0. Usually |a_{d−1}| ≤ d·a_d/2. • Reject unless |a_{d−2}| << m.

  16. Skewed Sieving Region • Let f0 be the initial f, with small a_d to a_{d−2} and f0(m) = N. • Suppose the rectangular sieving region of area 2A^2 is |a| ≤ Ar and 0 < b ≤ A/r. • If r = 1, norm bound is about a0·A^d or m·A^d. • If r >> 1, big terms are a_{d−3}(Ar)^{d−3}(A/r)^3 and a_{d−2}(Ar)^{d−2}(A/r)^2 and a_d(Ar)^d. • Assuming first and last dominate, equate them: r = (a_{d−3}/a_d)^{1/6} or (m/a_d)^{1/6}. • New norm bound a_{d−3}(Ar)^{d−3}(A/r)^3 is about m·A^d·r^{d−6}. • When d = 5, this is a factor of r improvement over r = 1. • Linear X − m norm improves slightly too.
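The improved base-m selection of slide 15 together with the skewness estimate of slide 16, as an added example (not the slides' code or any NFS implementation's): N is a constructed 40-digit integer, the candidate list of leading coefficients and the acceptance rule (keep the a_d with the smallest |a_{d−2}|/m) are my assumptions, and the polynomial is returned as a coefficient list a0..a_d with f(m) = N exactly.

```python
# Added example (not from the slides): improved base-m selection (slide 15)
# with the skewness estimate of slide 16.  N below is a constructed input.
N = 3141592653589793238462643383279502884197   # constructed 40-digit integer

def iroot(n, k):
    """Largest integer x with x**k <= n (exact binary search on big ints)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def improved_base_m(N, d, ad):
    """m = round((N/ad)^(1/d)); balanced base-m digits of N - ad*m^d.  Returns (m, [a0..ad])."""
    m = iroot(N // ad, d)
    if 2 ** d * N >= (2 * m + 1) ** d * ad:      # exact rounding of the real root
        m += 1
    rem = N - ad * m ** d
    coeffs = []
    for _ in range(d - 1):                       # a0 .. a_{d-2}, each in (-m/2, m/2]
        digit = rem % m
        if 2 * digit > m:
            digit -= m
        coeffs.append(digit)
        rem = (rem - digit) // m                 # exact division
    coeffs.append(rem)                           # a_{d-1}: usually |a_{d-1}| <= d*ad/2
    coeffs.append(ad)
    return m, coeffs

def skewness(m, ad, d):
    """Slide 16: r = (m/ad)^(1/6); norm gain over r = 1 is r^(6-d) (just r when d = 5)."""
    r = (m / ad) ** (1 / 6)
    return r, r ** (6 - d)

def best_leading_coefficient(N, d, candidates):
    """Slide 15's 'reject unless |a_{d-2}| << m', applied as: smallest |a_{d-2}|/m wins (my rule)."""
    def score(ad):
        m, a = improved_base_m(N, d, ad)
        return abs(a[d - 2]) / m
    return min(candidates, key=score)

if __name__ == "__main__":
    cands = [2**i * 3**j * 5**k for i in range(3, 8) for j in range(1, 5) for k in range(3)]
    ad = best_leading_coefficient(N, 5, cands)     # candidates built from small primes
    m, a = improved_base_m(N, 5, ad)
    print("ad =", ad, " m =", m, " a0..a5 =", a, " (r, gain) =", skewness(m, ad, 5))
```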

  17. Improved Modular Properties • Try f(X) = f0(X) + C(X)(X − m). • C(X) of degree d−4 to be determined. • a_d to a_{d−2} not affected. • a_{d−3} to a0 grow, but little effect on norm bound if C has small coefficients. • f(m) = f0(m) = N. • Sieve to find C(X) for which f has good modular properties. • Used for RSA140 and RSA155 (1999).

  18. Non-monic Linear Polynomial • Start with N, d, a_d. • Instead of finding f0 with f0(m) = N, find a P for which the congruence a_d·m^d ≡ N (mod P) has many solutions m. • P a product of primes ≡ 1 (mod d) modulo which N/a_d is a d-th power residue. • For each such m, find f0(X) with N = P^d · f0(m/P). • As earlier, reject unless coefficient of X^{d−2} is small. • Can perform this step quickly when same P is reused. • f2(X) = f0(X) + C(X)(PX − m) for some C(X). • f2(X) and f1(X) = PX − m share root m/P mod N. • Due to Thorsten Kleinjung. • Used for RSA576 (2003) and RSA200 (2005).

  19. Two Quadratic Polynomials • Suppose m is common root (mod N) of f_k = a_k X^2 + b_k X + c_k (k = 1, 2). • Assume O(N^{1/4}) coefficients, coprime over Q. • [m^2, m, 1] orthogonal to both [a_k, b_k, c_k] (mod N). • Let v = cross product of [a_1, b_1, c_1] and [a_2, b_2, c_2] over Z. • Coefficients of v are O(N^{1/2}), not all zero. • v is a multiple of [m^2, m, 1] (mod N). • v is a geometric progression mod N. • Not a GP over Z if f_k are irreducible (m not a root). • Polynomials → Geometric progression mod N.

  20. GP to Quadratic Polynomials • Let R = [r2, r1, r0] = O(N^{1/2}) be a geometric progression mod N, but not over Z. • Look at the 2-D lattice in Z^3 where R · v = 0. • Smallest basis vectors [a_k, b_k, c_k] have typical size O(|R|^{1/2}) = O(N^{1/4}). • Resulting polynomials have common root r2/r1 ≡ r1/r0 mod N.

  21. Constructing 3-term GP modulo N • Choose prime q slightly below N^{1/2} for which N is a quadratic residue. • Find x0 near N^{1/2} with x0^2 ≡ N (mod q). • Return [q, x0, (x0^2 − N)/q]. • Different q lead to different GP and different pairs of quadratics. • Used for 3,367− c105 (a 105-digit cofactor of 3^367 − 1) in 1993−94.
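The construction of slides 19 to 21 in code, as an added example that is not from the slides: build R = [q, x0, (x0^2 − N)/q], then Gauss/Lagrange-reduce an integer basis of the lattice {v : R · v = 0} to get the two quadratics. N is a constructed product of two known primes; restricting q to q ≡ 3 (mod 4) (so the square root mod q is N^((q+1)/4)) and the trial-division primality test are simplifications of mine; it assumes N is not a square and that gcd(x0, N) = 1.

```python
# Added example (not from the slides): slides 19-21.  Build R = [q, x0, (x0^2 - N)/q],
# then take the two shortest vectors of {v in Z^3 : R . v = 0} as the quadratics.
from math import gcd, isqrt

N = 1000000007 * 1000000009        # constructed input (two primes); not a square

def is_prime(n):       # trial division; adequate for q near sqrt(N) ~ 1e9
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % p for p in range(3, isqrt(n) + 1, 2))

def three_term_gp(N):
    """Largest prime q < sqrt(N) with N a quadratic residue mod q.  Restricting to
    q = 3 (mod 4) is a simplification of mine: then sqrt(N) mod q is N^((q+1)/4)."""
    s = isqrt(N)
    q = s - 1 - (s - 4) % 4                   # largest q <= s - 1 with q = 3 (mod 4)
    while True:
        if is_prime(q) and pow(N, (q - 1) // 2, q) == 1:
            x0 = pow(N, (q + 1) // 4, q)      # x0^2 = N (mod q)
            x0 += q * ((s - x0) // q)         # lift x0 to just below sqrt(N)
            return [q, x0, (x0 * x0 - N) // q]
        q -= 4

def kernel_basis(R):   # integer basis of {v : R . v = 0}; needs r0 != 0
    r2, r1, r0 = R
    g = gcd(r1, r0)
    r1, r0 = r1 // g, r0 // g                 # now gcd(r1, r0) = 1
    x = g // gcd(g, r2)                       # smallest positive first coordinate
    t = -r2 * x // g                          # exact; need r1*y + r0*z = t
    u = pow(r1, -1, abs(r0))                  # r1*u = 1 (mod r0)
    w = (1 - r1 * u) // r0                    # so r1*u + r0*w = 1
    return [0, r0, -r1], [x, t * u, t * w]

def lagrange_reduce(u, v):   # Gauss/Lagrange reduction of a rank-2 lattice
    dot = lambda p, r: sum(i * j for i, j in zip(p, r))
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        k = (2 * dot(u, v) + dot(u, u)) // (2 * dot(u, u))   # round(u.v / u.u)
        v = [vi - k * ui for vi, ui in zip(v, u)]
        if dot(v, v) >= dot(u, u):
            return u, v
        u, v = v, u

def two_quadratics(N):       # returns (R, f1, f2, m) with f1(m) = f2(m) = 0 (mod N)
    R = three_term_gp(N)
    f1, f2 = lagrange_reduce(*kernel_basis(R))
    m = R[0] * pow(R[1], -1, N) % N           # r2/r1 mod N; assumes gcd(x0, N) = 1
    return R, f1, f2, m
```

Each f_k is the list [a_k, b_k, c_k] of slide 19; different q give different GPs and hence different pairs, as slide 21 notes.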

  22. More than two Polynomials • If f and g are same-size quadratics with a common root, merge them with f ± g. • Use four (say) polynomials. • Changes to rest of NFS straightforward. • Need to produce twice as many relations. • Six chances per (a, b) for two norms to be smooth. • Sieve 2/6 as many points (hence smaller norms). • Sieving takes twice as long per (a, b). • Estimated time 2/3 as long as two quadratics. • Hard to find four quadratics which meet the smoothness heuristics, so the 6 above is unrealistic.

  23. Two Cubics → Five-term GP • Suppose m is common root (mod N) of f_k = a_k X^3 + b_k X^2 + c_k X + d_k (k = 1, 2). • By resultant bound, O(N^{1/6}) coefficients is best we can get. • Find vector v orthogonal over Z to both [a_k, b_k, c_k, d_k, 0] and both [0, a_k, b_k, c_k, d_k]. • Simple determinant formula for v. • Components of v will be O(N^{2/3}). • Multiple of [m^4, m^3, m^2, m, 1] mod N.

  24. Five-term GP → Two Cubics • Let R = [r4, r3, r2, r1, r0] = O(N^{2/3}) be a 5-term GP mod N, but not over Z. Ratio s = r1/r0 mod N. • Also must avoid 2nd-order linear recurrence. • Look at the 2-D lattice in Z^4 orthogonal to R′ = [r3, r2, r1, r0] and ([r4, r3, r2, r1] − s·R′)/N. • Smallest basis vectors [a_k, b_k, c_k, d_k] have typical size O((|R|^2/N)^{1/2}) = O(N^{1/6}). • Resulting polynomials have common root s mod N. • For two degree-d polynomials with O(N^{1/(2d)}) coefficients, need 2d−1 terms of size O(N^{1−1/d}).

  25. Need a five-term GP mod N • Exhaustive search finds many O(N^{2/3}) solutions when N ≈ 1e8. • Example: [109, 151, 154, 11, 144], ratio 14 = 154/11 mod 2005. • Largest entry 154 vs. 2005^{2/3} ≈ 159.0. • X^3 − 4X^2 + 3X + 3 and 3X^3 − X^2 − X − 2 share root 14 mod 2005. • Avoid (1st or) 2nd order linear recurrence. • Example: [39, 22, −39, −22, 39] mod 2005, since 2005 = 39^2 + 22^2. • X^3 + X and X^2 + 1 share a quadratic factor. • Don't know how to find quickly when N is large.

  26. A Construction for Prime N • Choose irreducible cubic f1 with O(1) coefficients and a known linear factor X − α modulo N. • One of X^3 − 2, X^3 − 3, X^3 − 6, X^3 − 12 will work. • Find quadratic f2 with O(N^{1/3}) coefficients and root α modulo N. • Follow construction of GP from two O(N^{1/6}) cubics (one with a leading zero). • N is prime in discrete logarithm problem.

  27. Can we use Matrix Inverse? • Matrix inverse scaled to have integer entries:
      ( 109  151  154 )   ( −11   10   11 )
      ( 151  154   11 ) · (  10    4  −11 ) = 2005 · I_3
      ( 154   11  144 )   (  11  −11    3 )
  • Entries in second are bilinear forms evaluated at coefficients of f1 and f2, hence O(N^{1/3}):
      ( a1b2 − b1a2   a1c2 − c1a2                  a1d2 − d1a2 )
      ( a1c2 − c1a2   a1d2 + b1c2 − c1b2 − d1a2    b1d2 − d1b2 )
      ( a1d2 − d1a2   b1d2 − d1b2                  c1d2 − d1c2 )
  • Second matrix symmetric, determinant ±N. • First has constant backwards diagonals.
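The slide-25 cubics run through the constructions of slides 23, 24 and 27, as an added example (not the slides' code): the cofactor formula yields the five-term GP exactly, r1/r0 mod N is the shared root, and the Hankel matrix of the GP times the bilinear-form matrix is ±N·I_3. With the forms written exactly as on slide 27 the product is −2005·I_3; the overall sign is the only difference from the slide's display.

```python
# Added example (not from the slides): slide-25 cubics through the slide-23 cofactor
# construction, the slide-24 root, and the slide-27 scaled-inverse identity.
N = 2005
f1 = [1, -4, 3, 3]     # X^3 - 4X^2 + 3X + 3  as [a1, b1, c1, d1]
f2 = [3, -1, -1, -2]   # 3X^3 - X^2 - X - 2   as [a2, b2, c2, d2]

def det(M):
    """Integer determinant by Laplace expansion along the first row (fine for 4x4)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def gp_from_cubics(f, g):
    """v in Z^5 orthogonal to [a,b,c,d,0] and [0,a,b,c,d] for both cubics:
    v_i = (-1)^i * det(4x4 minor with column i deleted), a generalised cross product."""
    rows = [f + [0], [0] + f, g + [0], [0] + g]
    return [(-1) ** i * det([r[:i] + r[i + 1:] for r in rows]) for i in range(5)]

def is_gp_mod(v, n):
    """Consecutive ratios agree mod n: v[i] * v[i+2] == v[i+1]^2 (mod n)."""
    return all((v[i] * v[i + 2] - v[i + 1] ** 2) % n == 0 for i in range(len(v) - 2))

def common_root(v, n):
    """s = r1/r0 mod n for v = [r4, r3, r2, r1, r0] (slide 24); assumes gcd(r0, n) = 1."""
    return v[3] * pow(v[4], -1, n) % n

def poly_eval_mod(f, x, n):
    return sum(c * x ** (len(f) - 1 - i) for i, c in enumerate(f)) % n

def hankel(v):
    """3x3 matrix with constant backwards diagonals built from the 5-term GP."""
    return [[v[i + j] for j in range(3)] for i in range(3)]

def bilinear_matrix(f, g):
    """Symmetric 3x3 matrix of bilinear forms in the cubics' coefficients (slide 27)."""
    a1, b1, c1, d1 = f
    a2, b2, c2, d2 = g
    return [[a1*b2 - b1*a2, a1*c2 - c1*a2, a1*d2 - d1*a2],
            [a1*c2 - c1*a2, a1*d2 + b1*c2 - c1*b2 - d1*a2, b1*d2 - d1*b2],
            [a1*d2 - d1*a2, b1*d2 - d1*b2, c1*d2 - d1*c2]]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(3)) for j in range(3)] for i in range(3)]

if __name__ == "__main__":
    v = gp_from_cubics(f1, f2)
    print("GP:", v, " root:", common_root(v, N), " H*B:", matmul(hankel(v), bilinear_matrix(f1, f2)))
```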

  28. Sizes when Factoring a c200 • Assume 2e20 points sieved. • Two quadratics. • Coefficients 1e50. Norms 1e70. • Two cubics. • Coefficients 2e33. Norms 2e63. • Two degree 4. • Coefficients 1e25. Norms 2e65. • Degree 3 or 4 appears best.

  29. c200 Sizes for Original Base-m • Assume degree d = 5. Sieving area 2e20. • m = (c200)^{1/6} ≈ 2e33. • Coefficients (except leading) 1e33. • Norms (d+2)(1e33)(1e10)^d = 7e83 and m(1e10) = 2e43. • Norms too far apart, compared to equal degrees.

  30. c200 Sizes for Modified Base-m • Assume degree d = 5. Sieving area 2e20. • Assume a5 ≈ 1e10 and m = (1e200/a5)^{1/5} ≈ 1e38. • Assume we can find a3 small enough. • r ≈ (m/a5)^{1/6} ≈ 5e4 (skewness). • Bounds 5e14 on a and 2e5 on b. • a5·(5e14)^5 and m·(5e14)^2·(2e5)^3 both ≈ 2e83. • Norm bound around 1e84 (six summands). • Linear bound (2e5)(1e38) = 2e43. • Little different from original base-m. • But improved modular properties.

  31. Norm sizes for RSA200 • Quintic chosen by Kleinjung's program. • P = 11 · 31 · 61 · 71 · 191 · 331 · 461 · 521 · 691 · 821. • Linear PX − m ≈ 1e22·X − 4e37. • a5 = 2^3 · 3^5 · 5 · 7 · 13 · 422861 ≈ 4e11. • r ≈ 1600. • On region of area 2e20, norm bounds about 1e79 (quintic) and 2e44 (linear).
