A subfield-logarithm attack against ideal lattices, part 1: the - - PDF document

A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve

• D. J. Bernstein

University of Illinois at Chicago & Technische Universiteit Eindhoven

Sieving small integers ✐ ❃ 0 using primes 2❀ 3❀ 5❀ 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5

etc.

Sieving ✐ and 611 + ✐ for small ✐ using primes 2❀ 3❀ 5❀ 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc.

Have complete factorization of the “congruences” ✐(611 + ✐) for some ✐’s. 14 ✁ 625 = 21305471. 64 ✁ 675 = 26335270. 75 ✁ 686 = 21315273. 14 ✁ 64 ✁ 75 ✁ 625 ✁ 675 ✁ 686 = 28345874 = (24325472)2. gcd ✟ 611❀ 14 ✁ 64 ✁ 75 24325472✠ = 47. 611 = 47 ✁ 13.

Why did this find a factor of 611? Was it just blind luck: gcd❢611❀ random❣ = 47?

Why did this find a factor of 611? Was it just blind luck: gcd❢611❀ random❣ = 47? No. By construction 611 divides s2t2 where s = 14 ✁ 64 ✁ 75 and t = 24325472. So each prime ❃7 dividing 611 divides either s t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s t and the other divided s + t.

Why did the first three completely factored congruences have square product? Was it just blind luck?

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1❀ 0❀ 4❀ 1)❀ (6❀ 3❀ 2❀ 0)❀ (1❀ 1❀ 2❀ 3) happened to have sum 0 mod 2.

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1❀ 0❀ 4❀ 1)❀ (6❀ 3❀ 2❀ 0)❀ (1❀ 1❀ 2❀ 3) happened to have sum 0 mod 2. But we didn’t need this luck! Given long sequence of vectors, quickly find nonempty subsequence with sum 0 mod 2.

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for ♥ = 671: 1(♥ + 1) = 25315071; 4(♥ + 4) = 22335270; 15(♥ + 15) = 21315173; 49(♥ + 49) = 24325172; 64(♥ + 64) = 26315172.

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for ♥ = 671: 1(♥ + 1) = 25315071; 4(♥ + 4) = 22335270; 15(♥ + 15) = 21315173; 49(♥ + 49) = 24325172; 64(♥ + 64) = 26315172. F2-kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1(♥+1)15(♥+15)49(♥+49) is a square.

Plausible conjecture: Q sieve can separate the odd prime divisors

• f any ♥, not just 611.

Given ♥ and parameter ②:

• 1. Try to fully factor ✐(♥ + ✐)

into products of primes ✔ ② for ✐ ✷ ✟ 1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ②2✠ .

• 2. Look for nonempty set of ✐’s

with ✐(♥ + ✐) completely factored and with ◗

✐

✐(♥ + ✐) square.

• 3. Compute gcd❢♥❀ s t❣ where

s = ◗

✐

✐ and t = r ◗

✐

✐(♥ + ✐).

How large does ② have to be for this to find a square?

How large does ② have to be for this to find a square? Let’s aim for number of completely factored congruences to exceed length of each vector, guaranteeing a square. (This is somewhat pessimistic; smaller numbers usually work.) Vector length ✙ ②❂log ②. Will there be ❃ ②❂log ② completely factored congruences

• ut of ②2 congruences?

What’s chance of random ✐(♥ + ✐) being ②-smooth, i.e., completely factored into primes ✔ ②?

What’s chance of random ✐(♥ + ✐) being ②-smooth, i.e., completely factored into primes ✔ ②? Consider, e.g., ② = ❜♥1❂10❝. Uniform random integer in [1❀ ②2] has ②-smoothness chance ✙0✿306; uniform random integer in [1❀ ♥] has chance ✙ 2✿77 ✁ 1011. Plausible conjecture: ②-smoothness chance of ✐(♥ + ✐) is ✙ 8✿5 ✁ 1012. Find ✙ 8✿5 ✁ 1012②2 fully factored congruences.

If ♥ ✕ 2340 and ② = ❜♥1❂10❝ then 8✿5 ✁ 1012②2 ❃ 3②❂log ②, and approximations seem fairly close, so conjecturally the Q sieve will find a square. Find many independent squares with negligible extra effort. If gcd turns out to be 1, try the next square. Conjecturally always works: splits odd ♥ into prime-power factors.

How about ② ✙ ♥1❂✉ for larger ✉? Uniform random integer in [1❀ ♥] has ♥1❂✉-smoothness chance roughly ✉✉. Plausible conjecture: Q sieve succeeds with ② = ❜♥1❂✉❝ for all ♥ ✕ ✉(1+♦(1))✉2; here ♦(1) is as ✉ ✦ ✶.

How about letting ✉ grow with ♥? Given ♥, try sequence of ②’s in geometric progression until Q sieve works; e.g., increasing powers of 2. Plausible conjecture: final ② ✷ exp q1

2 + ♦(1)

✁ log ♥ log log ♥, ✉ ✷ ♣ (2 + ♦(1))log ♥❂ log log ♥. Cost of Q sieve is a power of ②, hence subexponential in ♥.

More generally, if ② ✷ exp q 1

2❝ + ♦(1)

✁ log ♥ log log ♥, conjectured ②-smoothness chance is 1❂②❝+♦(1). Find enough smooth congruences by changing the range of ✐’s: replace ②2 with ②❝+1+♦(1) = exp r✏(❝+1)2+♦(1)

2❝

✑ log ♥ log log ♥. Increasing ❝ past 1 increases number of ✐’s but reduces linear-algebra cost. So linear algebra never dominates when ② is chosen properly.

Improving smoothness chances Smoothness chance of ✐(♥ + ✐) degrades as ✐ grows. Smaller for ✐ ✙ ②2 than for ✐ ✙ ②. Crude analysis: ✐(♥ + ✐) grows. ✙ ②♥ if ✐ ✙ ②; ✙ ②2♥ if ✐ ✙ ②2. More careful analysis: ♥ + ✐ doesn’t degrade, but ✐ is always smooth for ✐ ✔ ②,

• nly 30% chance for ✐ ✙ ②2.

Can we select congruences to avoid this degradation?

Choose q, square of large prime. Choose a “q-sublattice” of ✐’s: arithmetic progression of ✐’s where q divides each ✐(♥ + ✐). e.g. progression q (♥ mod q), 2q (♥ mod q), 3q (♥ mod q), etc. Check smoothness of generalized congruence ✐(♥ + ✐)❂q for ✐’s in this sublattice. e.g. check whether ✐❀ (♥+✐)❂q are smooth for ✐ = q (♥ mod q) etc. Try many large q’s. Rare for ✐’s to overlap.

e.g. ♥ = 314159265358979323: Original Q sieve: ✐ ♥ + ✐ 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, ✐ ✷ 802458 + 994009Z: ✐ (♥ + ✐)❂9972 802458 316052737309 1796467 316052737310 2790476 316052737311

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q(♥ mod q))♥+q(♥ mod q) q between 0 and ♥. More careful analysis: Sublattices are even better than that! For q ✙ ♥1❂2 have ✐ ✙ (♥ + ✐)❂q ✙ ♥1❂2 ✙ ②✉❂2 so smoothness chance is roughly (✉❂2)✉❂2(✉❂2)✉❂2 = 2✉❂✉✉, 2✉ times larger than before.

Even larger improvements from changing polynomial ✐(♥+✐). “Quadratic sieve” (QS) uses ✐2 ♥ with ✐ ✙ ♣♥; have ✐2 ♥ ✙ ♥1❂2+♦(1), much smaller than ♥. “MPQS” improves ♦(1) using sublattices: (✐2 ♥)❂q. But still ✙ ♥1❂2. “Number-field sieve” (NFS) achieves ♥♦(1).

Generalizing beyond Q The Q sieve is a special case of the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of ✐(✐ + 611❥) for several pairs (✐❀ ❥): 14(625) ✁ 64(675) ✁ 75(686) = 44100002. gcd❢611❀ 14 ✁ 64 ✁ 75 4410000❣ = 47.

The Q( ♣ 14) sieve factors 611 as follows: Form a square as product of (✐ + 25❥)(✐ + ♣ 14❥) for several pairs (✐❀ ❥): (11 + 3 ✁ 25)(11 + 3 ♣ 14) ✁ (3 + 25)(3 + ♣ 14) = (112 16 ♣ 14)2. Compute s = (11 + 3 ✁ 25) ✁ (3 + 25), t = 112 16 ✁ 25, gcd❢611❀ s t❣ = 13.

Why does this work? Answer: Have ring morphism Z[ ♣ 14] ✦ Z❂611, ♣ 14 ✼✦ 25, since 252 = 14 in Z❂611. Apply ring morphism to square: (11 + 3 ✁ 25)(11 + 3 ✁ 25) ✁ (3 + 25)(3 + 25) = (112 16 ✁ 25)2 in Z❂611. i.e. s2 = t2 in Z❂611. Unsurprising to find factor.

Diagram of ring morphisms: Q[①]

①✼✦ ♣ 14 Q[

♣ 14] = Q( ♣ 14) Z[①]

• ①✼✦

♣ 14 Z[

♣ 14]

• ♣

14✼✦25

• Z❂611

Z[①] uses poly arithmetic on ✟ ✐0①0 + ✐1①1 + ✁ ✁ ✁ : all ✐♠ ✷ Z ✠ ; Z[ ♣ 14] uses R arithmetic on ✟ ✐0 + ✐1 ♣ 14 : ✐0❀ ✐1 ✷ Z ✠ ; Z❂611 uses arithmetic mod 611

• n ❢0❀ 1❀ ✿ ✿ ✿ ❀ 610❣.

Generalize from (①2 14❀ 25) to (❢❀ ♠) with irred ❢ ✷ Z[①], ♠ ✷ Z, ❢(♠) ✷ ♥Z. Write ❞ = deg ❢, ❢ = ❢❞①❞ + ✁ ✁ ✁ + ❢1①1 + ❢0①0. Can take ❢❞ = 1 for simplicity, but larger ❢❞ allows better parameter selection. Pick ☛ ✷ C, root of ❢. Then ❢❞☛ is a root of monic ❣ = ❢❞1

❞

❢(①❂❢❞) ✷ Z[①].

Q(☛) = ✽ ❃ ❁ ❃ ✿ r0 + r1☛ + r2☛2 + ✁ ✁ ✁ + r❞1☛❞1: r0❀ ✿ ✿ ✿ ❀ r❞1 ✷ Q ✾ ❃ ❂ ❃ ❀ ❖ = ✚algebraic integers in Q(☛) ✛

• Z[❢❞☛] =

✽ ❁ ✿ ✐0 + ✐1❢❞☛ + ✁ ✁ ✁ + ✐❞1❢❞1

❞

☛❞1: ✐0❀ ✿ ✿ ✿ ❀ ✐❞1 ✷ Z ✾ ❂ ❀

• ❢❞☛✼✦❢❞♠
• Z❂♥ = ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♥ 1❣

Build square in Q(☛) from congruences (✐ ❥♠)(✐ ❥☛) with ✐Z + ❥Z = Z and ❥ ❃ 0. Could replace ✐ ❥① by higher-deg irred in Z[①]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square ◗

(✐❀❥)✷❙(✐ ❥♠)(✐ ❥☛)

in Q(☛); now what?

◗(✐ ❥♠)(✐ ❥☛)❢2

❞

is a square in ❖, ring of integers of Q(☛). Multiply by ❣✵(❢❞☛)2, putting square root into Z[❢❞☛]: compute r with r2 = ❣✵(❢❞☛)2✁ ◗(✐ ❥♠)(✐ ❥☛)❢2

❞.

Then apply the ring morphism ✬ : Z[❢❞☛] ✦ Z❂♥ taking ❢❞☛ to ❢❞♠. Compute gcd❢♥❀ ✬(r) ❣✵(❢❞♠) ◗(✐ ❥♠)❢❞❣. In Z❂♥ have ✬(r)2 = ❣✵(❢❞♠)2 ◗(✐ ❥♠)2❢2

❞.

How to find square product

• f congruences (✐ ❥♠)(✐ ❥☛)?

Start with congruences for, e.g., ②2 pairs (✐❀ ❥). Look for ②-smooth congruences: ②-smooth ✐ ❥♠ and ②-smooth ❢❞ norm(✐ ❥☛) = ❢❞✐❞ + ✁ ✁ ✁ + ❢0❥❞ = ❥❞❢(✐❂❥). Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2.

Exponent vectors have many “rational” components, many “algebraic” components, a few “character” components. One rational component for each prime ♣ ✔ ②. Value ord♣(✐ ❥♠). One rational component for 1. Value 0 if ✐ ❥♠ ❃ 0, value 1 if ✐ ❥♠ ❁ 0. If ◗(✐ ❥♠) is a square then vectors add to 0 in rational components.

One algebraic component for each pair (♣❀ r) such that ♣ is a prime ✔ ②; ❢❞ ❂ ✷ ♣Z; disc ❢ ❂ ✷ ♣Z; r ✷ F♣; ❢(r) = 0 in F♣. Value 0 if ✐ ❥r ❂ ✷ ♣Z;

• therwise ord♣(❥❞❢(✐❂❥)).

This is the same as the valuation of ✐ ❥☛ at the prime ♣❖ + (❢❞☛ ❢❞r)❖. Recall that ✐Z + ❥Z = Z, so no higher-degree primes.

One character component for each pair (♣❀ r) with ♣ in a short range above ②. Value 0 if ✐ ❥r is a square in F♣, else 1. If ◗(✐ ❥☛) is a square then vectors add to 0 in algebraic components and character components.

Conversely, consider vectors adding to 0 in all components. ◗(✐ ❥♠) must be a square. Is ◗(✐ ❥☛) a square? Ideal ◗(✐ ❥☛)❖ must be square outside ❢❞ disc ❢. What about primes in ❢❞ disc ❢? Even if ideal is square, is square root principal? Even if ideal is generated by square of element, does square equal ◗(✐ ❥☛)?

Obstruction group is small, conjecturally very small. “(❢❞ disc ❢)-Selmer group.” A few characters suffice to generate dual, forcing ◗(✐ ❥☛) to be a square. Can be quite sloppy here; easy to redo linear algebra with more characters if non-square is encountered.

Sublattices Consider a sublattice

• f pairs (✐❀ ❥) where

q divides ❥❞❢(✐❂❥). Assume squarish lattice. (✐ ❥♠)❥❞❢(✐❂❥) expands by factor q(❞+1)❂2 before division by q. Number of sublattice elements within any particular bound

• n (✐ ❥♠)❥❞❢(✐❂❥)

is proportional to q(❞1)❂(❞+1).

Compared to just using q = 1, conjecturally obtain ②4❂(❞+1)+♦(1) times as many congruences by using sublattices for all ②-smooth integers q ✔ ②2. Separately consider ✐ ❥♠ and ❥❞❢(✐❂❥)❂q for more precise analysis. Limit congruences accordingly, increasing smoothness chances.

Multiple number fields Assume that ❢ + ① ♠ ✷ Z[①] is also irred. Pick ☞ ✷ C, root of ❢ + ① ♠. Two congruences for (✐❀ ❥): (✐❥♠)(✐❥☛); (✐❥♠)(✐❥☞). Expand exponent vectors to handle both Q(☛) and Q(☞). Merge smoothness tests by testing ✐ ❥♠ first, aborting if ✐ ❥♠ not smooth. Can use many number fields: ❢ + 2(① ♠) etc.