SLIDE 1: Factoring Integers by CVP Algorithms for the Prime Number Lattice

Claus P. Schnorr
Department of Computer Science and Mathematics, Goethe-University Frankfurt Main
Quantum Cryptanalysis, Schloss Dagstuhl, 1.-6. Oct. 2017

SLIDE 2: The prime number lattice

The prime number lattice $L(B_{n,c})$ with basis $B_{n,c} = [b_1, \ldots, b_n] \in \mathbb{R}^{(n+1)\times n}$ for factoring large integers $N$:

$$B_{n,c} = \begin{pmatrix} \sqrt{\ln p_1} & & \\ & \ddots & \\ & & \sqrt{\ln p_n} \\ N^c \ln p_1 & \cdots & N^c \ln p_n \end{pmatrix}, \qquad \mathbf{N}_c = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ N^c \ln N \end{pmatrix}$$

with target vector $\mathbf{N}_c \in \mathbb{R}^{n+1}$ and the first $n$ primes $p_1, \ldots, p_n$. Consider vectors $b = \sum_{i=1}^n e_i b_i \in L(B_{n,c})$ close to $\mathbf{N}_c$; $e_i \in \mathbb{Z}$.

We identify $b \sim (u, v)$ for $u := \prod_{e_i > 0} p_i^{e_i}$, $v := \prod_{e_i < 0} p_i^{-e_i}$. Then
$$\|b - \mathbf{N}_c\|^2 \ge \ln uv + \hat z_{b-\mathbf{N}_c}^2$$
holds for the last coordinate
$$\hat z_{b-\mathbf{N}_c} = \frac{u - vN}{vN}\, N^c\, (1 \pm o(1))$$
of $b - \mathbf{N}_c$, using $\lim_{n,N\to\infty} o(1) = 0$, with equality iff $uv$ is squarefree. We compute $b \in L(B_{n,c})$ close to $\mathbf{N}_c$ with $|u - vN| \le p_n^3$.
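As an added worked example (my code, not code from the slides), the following Python builds the basis $B_{n,c}$ and the target $\mathbf{N}_c$ above for a constructed toy modulus $N = 1649$ with the first six primes and $c = 1$, maps a pair $(u, v)$ to its lattice vector $b = \sum_i e_i b_i$, and checks the bound $\|b - \mathbf{N}_c\|^2 \ge \ln uv + \hat z^2$ with equality exactly when $uv$ is squarefree. The function and variable names are my own.

```python
import math

# Added example (not code from the slides): encode (u, v) in the prime number
# lattice L(B_{n,c}) and check the distance bound of slide 2.  N, c and the
# (u, v) pairs used below are constructed sample values.

def first_primes(n):
    """The first n primes p_1, ..., p_n."""
    primes, k = [], 2
    while len(primes) < n:
        if all(k % p for p in primes):
            primes.append(k)
        k += 1
    return primes

def prime_number_lattice(primes, N, c):
    """Rows b_1..b_n of B_{n,c} as (n+1)-vectors, and the target N_c.
    b_i has sqrt(ln p_i) in coordinate i and N^c ln p_i in the last one;
    N_c = (0, ..., 0, N^c ln N)."""
    n, Nc = len(primes), N ** c
    basis = []
    for i, p in enumerate(primes):
        b = [0.0] * (n + 1)
        b[i] = math.sqrt(math.log(p))
        b[n] = Nc * math.log(p)
        basis.append(b)
    return basis, [0.0] * n + [Nc * math.log(N)]

def uv_to_exponents(u, v, primes):
    """Coefficients e_i with u = prod_{e_i>0} p_i^{e_i} and v = prod_{e_i<0} p_i^{-e_i}."""
    if math.gcd(u, v) != 1:
        raise ValueError("u and v must be coprime")
    e = []
    for p in primes:
        k = 0
        while u % p == 0:
            u //= p; k += 1
        while v % p == 0:
            v //= p; k -= 1
        e.append(k)
    if u != 1 or v != 1:
        raise ValueError("u and v must be p_n-smooth")
    return e

def distance_to_target(e, basis, target):
    """||b - N_c||^2 and the last coordinate z-hat of b - N_c for b = sum e_i b_i."""
    diff = [sum(ei * bi[d] for ei, bi in zip(e, basis)) - target[d]
            for d in range(len(target))]
    return sum(x * x for x in diff), diff[-1]

def is_squarefree(m):
    p = 2
    while p * p <= m:
        if m % (p * p) == 0:
            return False
        p += 1
    return True

def check_bound(u, v, primes, N, c):
    """Return (||b - N_c||^2, ln(uv) + zhat^2, zhat, uv squarefree?).
    Slide 2: the first value is >= the second, with equality iff uv is squarefree."""
    basis, target = prime_number_lattice(primes, N, c)
    e = uv_to_exponents(u, v, primes)
    dist2, zhat = distance_to_target(e, basis, target)
    return dist2, math.log(u * v) + zhat ** 2, zhat, is_squarefree(u * v)

if __name__ == "__main__":
    N, c, primes = 1649, 1.0, first_primes(6)       # constructed sample parameters
    for u, v in [(1650, 1), (11, 1), (1625, 1)]:
        d2, lb, z, sf = check_bound(u, v, primes, N, c)
        print(f"u={u} v={v} |u-vN|={abs(u - v * N)} dist^2={d2:.4f} "
              f"bound={lb:.4f} zhat={z:.4f} squarefree={sf}")
```

Running it shows that the gap $\|b - \mathbf{N}_c\|^2 - (\ln uv + \hat z^2)$ equals $\sum_i (e_i^2 - |e_i|)\ln p_i$, i.e. $2\ln 5$ for $u = 1650 = 2\cdot 3\cdot 5^2\cdot 11$ and zero for the squarefree $u = 11$, and that $\hat z$ is close to $\frac{u - vN}{vN} N^c$ when $|u - vN| \ll vN$.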

SLIDE 3: The factoring method

The factoring method. Find $(u_j, v_j)$ with $p_n$-smooth $u_j$, $|u_j - v_j N|$ for $j = 1, \ldots, n+1$. Hence
$$u_j - v_j N = \pm \prod_{i=1}^n p_i^{e'_{i,j}}, \qquad u_j = \prod_{i=1}^n p_i^{e_{i,j}} = \prod_{i=0}^n p_i^{e'_{i,j}} \bmod N, \qquad \prod_{i=0}^n p_i^{e_{i,j} - e'_{i,j}} = 1 \bmod N$$
for $p_0 = -1$, $e_{i,j}, e'_{i,j} \in \mathbb{N}$, $e_{0,j} = 0$.

Any solution $t_1, \ldots, t_{n+1} \in \{0, 1\}$ of the equations
$$\sum_{j=1}^{n+1} t_j (e_{i,j} - e'_{i,j}) = 0 \bmod 2 \quad \text{for } i = 0, \ldots, n \tag{3.1}$$
solves $X^2 = 1 \bmod N$ by
$$X = \prod_{i=0}^n p_i^{\frac12 \sum_{j=1}^{n+1} t_j (e_{i,j} - e'_{i,j})} \bmod N.$$
If $X \ne \pm 1 \bmod N$ this yields factors $\gcd(X \pm 1, N) \notin \{1, N\}$ of $N$. The linear equations (3.1) can be solved within $O(n^3)$ bit operations if the vectors $(e_{0,j} - e'_{0,j}, \ldots, e_{n,j} - e'_{n,j})$ for $j = 1, \ldots, n+1$ are linearly independent. This factoring method goes back to Morrison & Brillhart [MB75]. We get fac-relations
$$\prod_{i=1}^n p_i^{e_{i,j}} = \pm \prod_{i=0}^n p_i^{e'_{i,j}} \bmod N$$
from vectors $b \in L(B_{n,c})$ close to $\mathbf{N}_c$. Then $\hat z_{b-\mathbf{N}_c} \approx \frac{u - vN}{vN} N^c$ makes $|u - vN| \le vN^{1-c}\|b - \mathbf{N}_c\|/\sqrt n$ small for $c > 1$.
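The combination step of this slide, as an added example that is not part of the talk: for the constructed toy modulus $N = 1649$ and $p_6 = 13$ the fac-relations $u_j - v_jN = \pm\prod_i p_i^{e'_{i,j}}$ are collected by simply enumerating all 13-smooth $u$ with $1 \le v \le 2$ (this brute-force scan stands in for the CVP search in $L(B_{n,c})$), the system (3.1) is solved by Gaussian elimination over GF(2), and $X$ and $\gcd(X \pm 1, N)$ are formed. The names and parameter choices are mine.

```python
import math

# Added example (not from the slides): Morrison-Brillhart style combination of
# fac-relations as on slide 3.  A brute-force scan over p_n-smooth u stands in
# for the CVP search of the lattice method; N = 1649 is a constructed toy modulus.

def first_primes(n):
    primes, k = [], 2
    while len(primes) < n:
        if all(k % p for p in primes):
            primes.append(k)
        k += 1
    return primes

def smooth_exponents(m, primes):
    """Exponent vector of m over `primes`, or None if m is not smooth."""
    e = [0] * len(primes)
    for i, p in enumerate(primes):
        while m % p == 0:
            m //= p; e[i] += 1
    return e if m == 1 else None

def smooth_numbers(limit, primes):
    """All `primes`-smooth integers in [1, limit], built as products of prime powers."""
    nums = [1]
    for p in primes:
        extra = []
        for x in nums:
            y = x * p
            while y <= limit:
                extra.append(y); y *= p
        nums += extra
    return sorted(nums)

def find_fac_relations(N, primes, v_max):
    """All (v, e, e') with p_n-smooth u, |u - vN| <= p_n^3 also p_n-smooth, 1 <= v <= v_max.
    Index 0 of the exponent vectors belongs to p_0 = -1 as on slide 3."""
    bound = primes[-1] ** 3
    rels = []
    for u in smooth_numbers(v_max * N + bound, primes):
        for v in range(max(1, (u - bound) // N), (u + bound) // N + 1):
            d = u - v * N
            if v > v_max or d == 0 or abs(d) > bound:
                continue
            e2 = smooth_exponents(abs(d), primes)
            if e2 is not None:
                rels.append((v, [0] + smooth_exponents(u, primes), [1 if d < 0 else 0] + e2))
    return rels

def gf2_dependencies(rows):
    """Bitmasks t over the row index j with sum_j t_j rows[j] = 0 mod 2: a basis of the
    left nullspace, found by Gaussian elimination over GF(2)."""
    pivots, deps = {}, []
    for j, row in enumerate(rows):
        mask = sum(1 << i for i, x in enumerate(row) if x % 2)
        comb = 1 << j
        while mask:
            top = mask.bit_length() - 1
            if top not in pivots:
                pivots[top] = (mask, comb)
                break
            pm, pc = pivots[top]
            mask ^= pm; comb ^= pc
        else:
            deps.append(comb)          # row reduced to zero: a dependency
    return deps

def factor_from_relations(N, primes, rels):
    """Solve (3.1), form X = prod_i p_i^{(1/2) sum_j t_j (e_ij - e'_ij)} mod N and
    try gcd(X +- 1, N).  Returns a nontrivial factor or None."""
    ps = [-1] + primes
    ws = [[a - b for a, b in zip(e, e2)] for _, e, e2 in rels]
    for t in gf2_dependencies(ws):
        total = [0] * len(ps)
        for j, w in enumerate(ws):
            if t >> j & 1:
                total = [s + x for s, x in zip(total, w)]
        X = 1
        for p, x in zip(ps, total):           # every entry of total is even here
            X = X * pow(p, x // 2, N) % N     # negative exponents use the inverse mod N
        for y in (X - 1, X + 1):
            g = math.gcd(y, N)
            if 1 < g < N:
                return g
    return None

def factor_demo(N=1649, n=6, v_max=2):
    primes = first_primes(n)
    for p in primes:                          # a p_i dividing N is already a factor
        if N % p == 0:
            return p
    return factor_from_relations(N, primes, find_fac_relations(N, primes, v_max))

if __name__ == "__main__":
    print(factor_demo())                      # prints 17 or 97 (1649 = 17 * 97)
```

The elimination returns a basis of all dependencies among the collected relations; since $t \mapsto X$ is multiplicative modulo $N$, a basis always contains a dependency with $X \ne \pm 1$ whenever any such dependency exists, so it suffices to try the basis elements one by one.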

SLIDE 4: Results of Dickman, De Bruijn, Hildebrand

Let $\Psi(X, y)$ denote the number of integers in $[1, X]$ that are $y$-smooth. DICKMAN [1930] shows $\lim_{y\to\infty} \Psi(y^z, y)\, y^{-z} = \rho(z)$ for any fixed $z > 0$. $\rho(z)$ is the Dickman, De Bruijn $\rho$-function. It is known that $\rho(z) = 1$ for $0 \le z \le 1$, $\rho(z) = 1 - \ln z$ for $1 \le z \le 2$,
$$\rho(z) = \left(\frac{e^{\pm o(1)}}{z \ln z}\right)^{z} = 1/z^{\,z + o(z)} \quad \text{for } z \to \infty. \tag{4.1}$$
HILDEBRAND [H84] extended (4.1) to a wide finite range of $z$. For any fixed $\varepsilon > 0$
$$\Psi(y^z, y)\, y^{-z} = \rho(z)\left(1 + O\!\left(\frac{\ln(z+1)}{\ln y}\right)\right) \tag{4.2}$$
holds uniformly for $1 \le z \le y^{1/2 - \varepsilon}$, $y \ge 2$ under the Riemann Hypothesis.

SLIDE 5: The relevant area of $(u, v, |u - vN|)$

The area of $p_n$-smooth triplets $(u, v, |u - vN|)$ for large $v$. Let $\#_{N,n,\delta}$ denote the number and $\mathrm{Rel}_{N,n,\delta}$ the set of such triplets such that $|u - vN| \le p_n^3$ and $\tfrac12 N^\delta < v \le N^\delta$, $\tfrac12 N^{1+\delta} < u \le N^{1+\delta}$.

Neglecting for $y = p_n$, $y^z = N^\delta$, $z = \delta \ln N/\ln p_n$ the $O(\ln(z+1)/\ln y)$-term of (4.2), the number of $p_n$-smooth $v \in [\tfrac12 N^\delta, N^\delta]$ is, for $z_v := \delta \ln N/\ln p_n$, $z'_v := z_v - \ln 2/\ln p_n$,
$$\Psi(N^\delta, p_n) - \Psi(N^\delta/2, p_n) \approx N^\delta\left(\rho(z_v) - \tfrac12 \rho(z'_v)\right).$$
Hence random $v \in_R [\tfrac12 N^\delta, N^\delta]$ are $p_n$-smooth with probability close to $2(\rho(z_v) - \tfrac12\rho(z'_v))$. Random $u \in [\tfrac12 N^{1+\delta}, N^{1+\delta}]$ are $p_n$-smooth with probability close to $2(\rho(z_u) - \tfrac12\rho(z'_u))$ for $z_u := (1+\delta)\ln N/\ln p_n$, $z'_u := z_u - \ln 2/\ln p_n$. Hence
$$\#_{N,n,\delta} \approx 4\, N^\delta p_n^3\, \rho(3)\left(\rho(z_u) - \tfrac12\rho(z'_u)\right)\left(\rho(z_v) - \tfrac12\rho(z'_v)\right) \tag{5.1}$$
if $p_n$-smoothness of $u$, $v$ and $|u - vN|$ are nearly statistically independent.

SLIDE 6: I: The number of $p_n$-smooth triplets $u, v, |u - vN|$

N ≈                 10^14   10^20   2^100   2^200   2^400    2^800
n                   48      100     256     1350    7850     41350
p_n                 223     541     1619    11149   80173    497561
δ                   0.35    0.55    0.71    1.2     1.57     2.1
#_{N,n,δ}           126     215     392     1608    10131    49591
c                   0.8468  1.14    1.3902  1.998   2.4478   3.029
ln(N^δ / p_n^3)     -4.9    6.4     27      138     401      1132

Table 1: parameters $n$, $p_n$, $\delta$, $c = \delta + 1 - 3\ln p_n/\ln N$ for factoring $N$. $\delta$ of Table 1 nearly maximizes $\#_{N,n,\delta}$ and $n$ is nearly minimal such that $\#_{N,n,\delta}$ clearly surpasses $n$. We have $\delta > 3 \ln p_n/\ln N$.

Corollary. Let $c = \delta + 1 - \ln p_n^3/\ln N$, $p_n^3 = N^{o(1)}$ and let $\|b - \mathbf{N}_c\|^2 \approx \|L(B_{n,c}) - \mathbf{N}_c\|^2$ for nearly squarefree $(u, v) \sim b \in L(B_{n,c})$ such that $\tfrac12 N^\delta < v \le N^\delta$ and $|u - vN| \le p_n^3$. Then $\|b - \mathbf{N}_c\|^2 \lessapprox \lambda_1^2(L) - \ln N$.
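To make (5.1) and Table 1 concrete, here is an added Python example (mine, not from the talk) that tabulates $\rho(z)$ numerically from the identity $\rho(z) = \frac1z\int_{z-1}^{z}\rho(t)\,dt$ for $z \ge 1$ (trapezoidal rule on a fixed grid, with $\rho = 1$ on $[0,1]$), then evaluates $c = \delta + 1 - 3\ln p_n/\ln N$ and the estimate (5.1) for the parameters of the first columns of Table 1. The function names, the grid resolution and the tabulated range $z < 20$ are my choices.

```python
import math

# Added example (not from the slides): tabulate the Dickman-de Bruijn rho function
# numerically and evaluate the estimate (5.1) with the parameters of Table 1.

STEPS = 2000      # grid points per unit of z (assumption: accuracy knob)
Z_MAX = 20.0      # tabulated range; enough for the first three columns of Table 1

def dickman_table(z_max=Z_MAX, steps=STEPS):
    """rho on the grid z = k/steps, 0 <= z <= z_max.  rho = 1 on [0, 1]; for z >= 1
    the identity rho(z) = (1/z) * integral_{z-1}^{z} rho(t) dt is discretised with the
    trapezoidal rule, and rho_k (which appears on both sides) is solved for."""
    K = steps
    n = int(round(z_max * K)) + 1
    rho = [1.0] * (K + 1)                       # rho(z) = 1 for 0 <= z <= 1
    window = sum(rho[2:K + 1])                  # sum of rho_j for j = k-K+1 .. k-1 at k = K+1
    for k in range(K + 1, n):
        r = (0.5 * rho[k - K] + window) / (k - 0.5)
        rho.append(r)
        window += r - rho[k - K + 1]            # slide the window by one grid step
    return rho

_TABLE = dickman_table()

def dickman(z):
    """rho(z) by linear interpolation in the table (0 <= z < Z_MAX)."""
    if z <= 1.0:
        return 1.0
    x = z * STEPS
    k = int(x)
    if k + 1 >= len(_TABLE):
        raise ValueError("z beyond tabulated range")
    f = x - k
    return _TABLE[k] * (1.0 - f) + _TABLE[k + 1] * f

def smooth_fraction(z, shift):
    """rho(z) - rho(z - shift)/2: the factor for X/2 < m <= X with X = y^z and
    shift = ln 2 / ln y, as derived on slide 5."""
    return dickman(z) - 0.5 * dickman(z - shift)

def expected_relations(N, pn, delta):
    """Estimate (5.1) of #_{N,n,delta}."""
    lnN, lnp = math.log(N), math.log(pn)
    shift = math.log(2) / lnp
    zv = delta * lnN / lnp
    zu = (1 + delta) * lnN / lnp
    return (4 * N ** delta * pn ** 3 * dickman(3.0)
            * smooth_fraction(zu, shift) * smooth_fraction(zv, shift))

def lattice_exponent(N, pn, delta):
    """c = delta + 1 - 3 ln p_n / ln N, the c of Table 1."""
    return delta + 1 - 3 * math.log(pn) / math.log(N)

if __name__ == "__main__":
    print(f"rho(2) = {dickman(2.0):.6f}  (exact 1 - ln 2 = {1 - math.log(2):.6f})")
    print(f"rho(3) = {dickman(3.0):.6f}")
    for N, pn, delta in [(10 ** 14, 223, 0.35), (10 ** 20, 541, 0.55), (2 ** 100, 1619, 0.71)]:
        print(f"c = {lattice_exponent(N, pn, delta):.4f}   "
              f"#_(N,n,delta) ~ {expected_relations(N, pn, delta):.0f}")
```

For the first column ($N \approx 10^{14}$, $n = 48$, $\delta = 0.35$) the estimate lands in the low hundreds, the same order as the 126 of Table 1; the exact value is sensitive to $\rho$ near $z_u \approx 8$ and to the precise $N$, which the table only gives approximately.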

SLIDE 7: I: Proof of the Corollary

We get from $\hat z_{b-\mathbf{N}_c} = \frac{u - vN}{vN}\, N^c (1 \pm o(1))$ that $|u - vN| \approx vN^{1-c}\|b - \mathbf{N}_c\|/\sqrt n$. Hence $|u - vN| \le p_n^3$ holds for $\tfrac12 N^\delta < v \le N^\delta$ if
$$1 + \delta - c + \ln(\|b - \mathbf{N}_c\|/\sqrt n)/\ln N \le \frac{3 \ln p_n}{\ln N}$$
where $\ln(\|b - \mathbf{N}_c\|/\sqrt n)/\ln N = o(1)$. As the run time of the CVP for $L(B_{n,c}), \mathbf{N}_c$ increases with $c$ we choose for the search of fac-relations $u, v, |u - vN|$ with $\tfrac12 N^\delta < v \le N^\delta$ in practice $c \approx \delta + 1 - 3\ln p_n/\ln N$.

In fact the $p_n$-smooth $(u, v)$ that satisfy $|u - vN| \le p_n^3$ and $\tfrac12 N^\delta < v \le N^\delta$ yield $b \in L(B_{n,c})$, $b \sim (u, v)$ with nearly minimal $\|b - \mathbf{N}_c\|$ for $c \approx \delta + 1 - 3 \ln p_n/\ln N$.

SLIDE 8: I: Finding $n + 1$ fac-relations efficiently

Iterative increase of $c$ so that vectors $b \in L(B_{n,c})$ close to $\mathbf{N}_c$ yield distinct $p_n$-smooth $u, |u - vN|$ (fac-relations). The Corollary shows that $\|b - \mathbf{N}_c\|^2 \lessapprox \lambda_1^2 - \ln N$ holds for $c = \delta + 1 - \ln p_n^3/\ln N$ if $b \sim (u, v)$ and $\tfrac12 N^\delta < v \le N^\delta$ and $|u - vN| \le p_n^3$. Such $b$ are particularly close to $\mathbf{N}_c$ and yield a fac-relation if $|u - vN|$ is $p_n$-smooth, which happens with probability $\rho(3) \approx 0.0486$. We get distinct fac-relations from $c$ and $c' \ge c + \ln 2/\ln N$. The vectors $b \in L(B_{n,c})$, $b \sim (u, v)$ close to $\mathbf{N}_c$ satisfy $|\hat z_{b-\mathbf{N}_c}| = N^c \frac{|u - vN|}{vN}(1 \pm o(1))$. Then $|u - vN| \le p_n^3 = N^{o(1)}$ implies $v \ge N^{c-1}(1 - o(1))$ for $c > 1$. Therefore both $v$ and $u/N$ increase proportionate to $N^{c-1}$. Thus $v$ of $(u, v) \sim b$ close to $\mathbf{N}_c$ satisfies $v \gtrapprox N^{c-1}$ and $v'$ of $(u', v') \sim b'$ close to $\mathbf{N}_{c'}$ satisfies $v' \gtrapprox N^{c'-1} \ge 2N^{c-1}$. Hence $\mathrm{Rel}_{N,n,\delta} \cap \mathrm{Rel}_{N,n,\delta'} \approx \emptyset$ for $\delta' \ge \delta + \ln 2/\ln N$. So we iteratively increase $\delta$ and $c$ to $\delta' := \delta + \ln 2/\ln N$ and $c' := c + \ln 2/\ln N$ per round so that $\delta$ passes the area for which $\#_{N,n,\delta}$ of (5.1) is substantial.

SLIDE 9: I: Decreasing the dimension $n$ of $L(B_{n,c})$

Recall: We identify $b = \sum_{i=1}^n e_i b_i \in L(B_{n,c}) \sim (u, v)$ where $u := \prod_{e_i > 0} p_i^{e_i}$, $v := \prod_{e_i < 0} p_i^{-e_i}$. To minimize the time to get about $n$ fac-relations we simply transform a reduced basis of $L(B_{n,c})$ to a reduced basis of $L(B_{n,c'})$ by multiplying the last coordinates of the $b_i$ of $B_{n,c}T$ and of $\mathbf{N}_c$ by $N^{c'-c}$. This replaces $\mathbf{N}_c$ by $\mathbf{N}_{c'}$. We do not adjust the success rate $\beta_t$ to small increases of $c$. By iteratively increasing $c$ we can in Table 1 decrease $n = \dim L(B_{n,c}) = 41350$ for $N \approx 2^{800}$ to $n = 40000$. This decreases $\#_{N,n,2.1}$ from 49591 to 717. So we find about 700 fac-relations by minimizing $\|L(B_{n,c}) - \mathbf{N}_c\|$ for $c = 2.1 - 3\ln p_n/\ln N$. Then we increase $c$ to $c + \ln 2/\ln N$ to generate fac-relations in $\mathrm{Rel}_{N,n,\delta'}$ for $\delta' := \delta + \ln 2/\ln N$.

SLIDE 10: I: Time for SVP

The efficiency of our SVP algorithm for $L(B)$ depends on the invariant $\mathrm{rd}(L) := \lambda_1 \gamma_n^{-1/2} (\det L)^{-1/n}$ which we call the relative density of $L$. ($\lambda_1^2 = \mathrm{rd}(L)^2\, \gamma_n\, (\det L)^{2/n}$.)

Proposition. Let the basis $B = QR$, $R \in \mathbb{R}^{n\times n}$ of $L$ satisfy $\mathrm{rd}(L) \le \frac{\lambda_1}{\|b_1\|}\left(\frac{e\pi}{2n}\right)^{1/2}$ and GSA, and let $L$ have a shortest lattice vector $b'$ that satisfies SA. Then ENUM with linear pruning finds such $b'$ under the volume heuristics in polynomial time.

GSA: The basis $B = QR$, $R = [r_{i,j}]_{1 \le i,j \le n}$ satisfies $r_{i,j} = 0$ for $i < j$ and $r_{i,i}^2/r_{i-1,i-1}^2 = q$ for $2 \le i \le n$ for some $q > 0$.

SA: There is a vector $b' \in L(B)$ such that $\|b'\| = \lambda_1$ and $\|\pi_t(b')\|^2 \lessapprox \frac{n-t+1}{n}\lambda_1^2$ for $t = 1, \ldots, n$. $\|b_1\| = r_{1,1}$.

Linear pruning means to cut off all stages $(e_t, \ldots, e_n)$ that satisfy $\|\pi_t(\sum_{i=t}^n e_i b_i)\|^2 > \frac{n-t+1}{n}\lambda_1^2$.

SLIDE 11: I: The stages of the enumeration for SVP

Let $B = [b_1, \ldots, b_n] = QR \in \mathbb{Z}^{m\times n}$, $R = [r_{i,j}]_{1 \le i,j \le n} \in \mathbb{R}^{n\times n}$ be the given basis of $L = L(B)$. Let $L_t = L(b_1, \ldots, b_{t-1})$ and let $\pi_t : \mathrm{span}(b_1, \ldots, b_n) \to \mathrm{span}(b_1, \ldots, b_{t-1})^\perp = \mathrm{span}(b_t^*, \ldots, b_n^*)$ for $t = 1, \ldots, n$ denote the orthogonal projections. At stage $u = (u_t, \ldots, u_n)$ of ENUM for SVP of $L$ a vector $b = \sum_{i=t}^n u_i b_i \in L$ is given such that $\|\pi_{t-1}(b)\|^2 \le \lambda_1^2$. Stage $u$ calls the substages $(u_{t-1}, \ldots, u_n)$ such that $\|\pi_{t-2}(\sum_{i=t-1}^n u_i b_i)\| \le \lambda_1$. We have
$$\Big\|\sum_{i=1}^n u_i b_i\Big\|^2 = \Big\|\zeta_t + \sum_{i=1}^{t-1} u_i b_i\Big\|^2 + \|\pi_t(b)\|^2,$$
where $\zeta_t := b - \pi_t(b) \in \mathrm{span}\, L_t$ is $b$'s orthogonal projection in $\mathrm{span}\, L_t$. Stage $u$ and its substages enumerate the intersection $\mathcal B_{t-1}(\zeta_t, \varrho_t) \cap L_t$ of the sphere $\mathcal B_{t-1}(\zeta_t, \varrho_t) \subset \mathrm{span}\, L_t$ with radius $\varrho_t := (\lambda_1^2 - \|\pi_t(b)\|^2)^{1/2}$ and center $\zeta_t$.

SLIDE 12: I: The success rate $\beta_t$ of stages

The GAUSSIAN volume heuristics estimates $|\mathcal B_{t-1}(\zeta_t, \rho_t) \cap L_t|$ to
$$\beta_t =_{\mathrm{def}} \mathrm{vol}\, \mathcal B_{t-1}(\zeta_t, \rho_t)/\det L_t, \qquad \mathrm{vol}\, \mathcal B_{t-1}(\zeta_t, \rho_t) = \rho_t^{t-1} V_{t-1},$$
where $V_t = \pi^{t/2}/(t/2)! \approx (2e\pi/t)^{t/2}/\sqrt{\pi t}$ is the volume of the unit sphere of dimension $t$, $\det L_t = \prod_{i=1}^{t-1} r_{i,i}$, and $\rho_t^2 := \lambda_1^2 - \|\pi_t(\sum_{i=t}^n u_i b_i)\|^2$.

We call $\beta_t$ the success rate of stage $(u_t, \ldots, u_n)$. If $\zeta_t \bmod L_t$ is uniformly distributed over the parallelepiped $P_t := \{\sum_{i=1}^{t-1} z_i b_i \mid 0 \le z_1, \ldots, z_{t-1} < 1\}$ then $E_{\zeta_t}[\,|\mathcal B_{t-1}(\zeta_t, \rho_t) \cap L_t|\,] = \beta_t$ for $\zeta_t \in_R P_t$, because $1/\det L_t$ is the number of points of $L_t$ per volume. The center $\zeta_t = b - \pi_t(b) \in \mathrm{span}\, L_t$ changes within ENUM. If $\zeta_t \bmod L_t \in P_t$ distributes uniformly, the estimate $|\mathcal B_{t-1}(\zeta_t, \rho_t) \cap L_t| \approx \mathrm{vol}\, \mathcal B_{t-1}(\zeta_t, \rho_t)/\det L_t$ of the vol. heur. holds on the average.

SLIDE 13: I: Outline of New Enum for SVP

INPUT: LLL-basis $B = QR \in \mathbb{Z}^{m\times n}$, $R \in \mathbb{R}^{n\times n}$, $A := \frac{n}{4}(\det B^t B)^{1/n}$.
OUTPUT: a sequence of $b \in L(B)$ of decreasing length $\|b\|^2 \le A$ terminating with $\|b\| = \lambda_1$.

1. $s := 10$, $\mathcal L := \emptyset$ (we call $s$ the level).
2. Perform by algorithm ENUM [SE94] all stages with $\beta_t \ge 2^{-s}t$: Upon entry of stage $(u_t, \ldots, u_n)$ compute $\beta_t$. If $\beta_t < 2^{-s}t$ delay this stage and store $(\beta_t, u_t, \ldots, u_n)$ in the list $\mathcal L$ of delayed stages. If $\beta_t \ge 2^{-s}t$ perform this stage. Perform the stages $(u_t, \ldots, u_n)$ of $\mathcal L$ with $\beta_t \ge 2^{-s}t$ in increasing order of $t$ and for fixed $t$ in order of decreasing $\beta_t$. As soon as some $b \in L$ of length $0 < \|b\|^2 \le A$ has been found at $t = 1$ give out $b$ and set $A := \|b\|^2 - 1$.
3. $s := s + 1$, IF $\mathcal L = \emptyset$ THEN [terminate by exhaustion] ELSE GO TO 2.
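As an added illustration of slides 11 to 13 (my code, not the talk's implementation), the following Python runs the New Enum outline on a constructed 4-dimensional integer lattice: it computes $R$ via Gram-Schmidt, evaluates $\beta_t = V_{t-1}\rho_t^{t-1}/\det L_t$ at each stage, delays stages below the level threshold, raises the level when the active stages are exhausted, shrinks $A$ to $\|b\|^2 - 1$ after each output, and ends with an exhaustive final level. Deviations that are my assumptions: $A$ starts at $\|b_1\|^2$ rather than $\frac n4(\det B^tB)^{1/n}$, no LLL preprocessing is done, and stages are indexed by the number $k = t - 1$ of still-free coordinates.

```python
import math
from itertools import product

# Added example (not the slides' code): a small New Enum for SVP with the success-rate
# test of slides 12-13.  BASIS is a constructed 4-dim integer lattice; A starts at
# ||b_1||^2 instead of (n/4)(det B^t B)^{1/n} (assumption) and no LLL step is done.

BASIS = [[5, 2, -1, 3], [-2, 4, 3, 1], [1, -3, 5, 2], [3, 1, 2, -5]]   # constructed

def gram_schmidt(basis):
    """||b*_i||^2 (= r_{i,i}^2 of B = QR) and mu[i][j] = <b_i, b*_j> / ||b*_j||^2 for j < i."""
    n = len(basis)
    bstar, mu = [], [[0.0] * n for _ in range(n)]
    for i, b in enumerate(basis):
        v = [float(x) for x in b]
        for j in range(i):
            mu[i][j] = sum(x * y for x, y in zip(b, bstar[j])) / sum(y * y for y in bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return [sum(y * y for y in v) for v in bstar], mu

def ball_volume(t):
    """V_t, the volume of the unit ball in dimension t."""
    return math.pi ** (t / 2) / math.gamma(t / 2 + 1)

def success_rate(k, radius_sq, bstar_sq):
    """beta_t for a stage with k = t-1 free coordinates: vol B_k(rho_t) / det L_t,
    det L_t = prod_{i<k} r_{i,i}, rho_t^2 = A - ||pi_t(b)||^2."""
    if radius_sq <= 0.0:
        return 0.0
    det_Lt = math.prod(math.sqrt(bstar_sq[i]) for i in range(k))
    return ball_volume(k) * radius_sq ** (k / 2) / det_Lt

def new_enum(basis, s0=10, max_level=40):
    """Sequence of (vector, ||vector||^2) found, of decreasing length, ending with a
    shortest nonzero vector.  A stage is (k, u, p): u[k:] fixed, p = ||pi_t(sum u_i b_i)||^2.
    Level s delays stages with beta_t < 2^-s * t (threshold as printed on slide 13);
    at max_level nothing is delayed, which is the final exhaustive search."""
    n, eps = len(basis), 1e-7
    bstar_sq, mu = gram_schmidt(basis)
    A = sum(x * x for x in basis[0])
    found, delayed, s = [], [], s0
    work = [(n, (0,) * n, 0.0)]                   # root stage: all coordinates free
    while True:
        threshold = 0.0 if s >= max_level else 2.0 ** -s
        while work:
            k, u, p = work.pop()
            if p > A + eps:                       # A shrank after this stage was created
                continue
            if k == 0:                            # t = 1: a complete lattice vector
                vec = [sum(u[i] * basis[i][d] for i in range(n)) for d in range(len(basis[0]))]
                q = sum(x * x for x in vec)
                if 0 < q <= A:
                    found.append((vec, q))
                    A = q - 1                     # integer lattice: next output must be shorter
                continue
            beta = success_rate(k, A - p, bstar_sq)
            if beta < threshold * (k + 1):        # t = k + 1
                delayed.append((beta, k, u, p))
                continue
            c = -sum(u[j] * mu[j][k - 1] for j in range(k, n))    # centre for u_{t-1}
            r = math.sqrt(max(A - p, 0.0) / bstar_sq[k - 1])
            cands = range(math.ceil(c - r), math.floor(c + r) + 1)
            for x in sorted(cands, key=lambda x: -abs(x - c)):    # nearest to centre popped first
                v = list(u); v[k - 1] = x
                work.append((k - 1, tuple(v), p + (x - c) ** 2 * bstar_sq[k - 1]))
        if not delayed:
            return found                          # terminate by exhaustion
        s += 1
        threshold = 0.0 if s >= max_level else 2.0 ** -s
        ready = [d for d in delayed if d[0] >= threshold * (d[1] + 1)]
        delayed = [d for d in delayed if d[0] < threshold * (d[1] + 1)]
        ready.sort(key=lambda d: (-d[1], d[0]))  # pop order: increasing t, decreasing beta
        work = [(k, u, p) for _, k, u, p in ready]

def lambda1_sq_bruteforce(basis, box=6):
    """min ||sum u_i b_i||^2 over nonzero u in [-box, box]^n, to check the result."""
    n, m = len(basis), len(basis[0])
    best = None
    for u in product(range(-box, box + 1), repeat=n):
        if any(u):
            q = sum(sum(u[i] * basis[i][d] for i in range(n)) ** 2 for d in range(m))
            best = q if best is None else min(best, q)
    return best

if __name__ == "__main__":
    for vec, q in new_enum(BASIS):
        print(q, vec)
    print("brute force lambda_1^2 =", lambda1_sq_bruteforce(BASIS))
```

The brute-force check is only there to confirm the result on a small lattice; the instructive part is which stages get performed and which get delayed at each level, which can be watched by printing `(s, k, beta)` inside the inner loop.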

SLIDE 14: II: Optimizing the implementation

The space reservations for the list $\mathcal L$ are quite expensive compared to the modest arithmetic costs per stage. We can save space by canceling the storage of the list $\mathcal L$. When $s$ is increased to $s + 1$ we restart the algorithm, taking the last $s$ as the initial $s$-value. Also we decrease $A$ to the actual minimum value found for $\|b - \mathbf{N}_c\|^2$ with $b \in L$. This space saving can increase the time by the factor $n$. For the final exhaustive search that proves $\|b - \mathbf{N}_c\|^2 = \|L - \mathbf{N}_c\|^2$ the success rate and the list operations can be suppressed; they don't help much. The start of the final exhaustion can be guessed. If no shorter vector comes up for an extended period then most likely the last output $b$ has length $\lambda_1$.