factoring integers by cvp algorithms for the prime number
play

Factoring Integers by CVP Algorithms for the Prime Number Lattice - PowerPoint PPT Presentation

Jan 20, 2024 •232 likes •379 views

Factoring Integers by CVP Algorithms for the Prime Number Lattice Claus P . Schnorr Department of Computer Science and Mathematics Goethe-University Frankfurt Main Quantum Cryptanalysis, Schloss Dagstuhl 1.-6. Oct. 2017 The prime number

  1. Factoring Integers by CVP Algorithms for the Prime Number Lattice Claus P . Schnorr Department of Computer Science and Mathematics Goethe-University Frankfurt Main Quantum Cryptanalysis, Schloss Dagstuhl 1.-6. Oct. 2017

  2. The prime number lattice 2 The prime number lattice L ( B n , c ) with basis B n , c = [ b 1 , ..., b n ] ∈ R ( n + 1 ) × n for factoring large integers N : � 0  ln p 1 0 0    · · · · · ·     .     ... . B n , c = , N c =    .  0 0         � 0 0 ln p n 0     N c ln p 1 N c ln p n N c ln N · · · and target vector N c ∈ R n + 1 and the first n primes p 1 , ..., p n . Consider vectors b = � n i = 1 e i b i ∈ L ( B n , c ) close to N c ; e i ∈ Z . i > 0 p e i i < 0 p − e i We identify b ∼ ( u , v ) for u := � i , v := � . i Then || b − N c || 2 ≥ ln uv + ˆ z 2 b − N c holds for the last coordinate z b − N c = u − vN vN N c ( 1 ± o ( 1 )) of b − N c , using lim n , N →∞ o ( 1 ) = 0 ˆ with equality iff uv is squarefree. We compute b ∈ L ( B n , c ) close to N c with | u − vN | ≤ p 3 n .

  3. The factoring method 3 The factoring method. Find ( u j , v j ) with p n -smooth e ′ u j , | u j − v j N | for j = 1 , ..., n + 1. Hence u j − v j N = ± � n i , j i = 1 p , i e ′ e i , j − e ′ e i , j u j = � n = � n � n i , j i , j i = 1 p i = 0 p mod N , i = 0 p = 1 mod N i i i for p 0 = − 1, e i , j , e ′ i , j ∈ N , e 0 , j = 0. Any solution t 1 , ..., t n + 1 ∈ { 0 , 1 } of the equations � n + 1 j = 1 t j ( e i , j − e ′ i , j ) = 0 mod 2 for i = 0 , ..., n (3.1) 1 � n + 1 j = 1 t j ( e i , j − e ′ i , j ) solves X 2 = 1 mod N by X = � n 2 i = 0 p mod N . i If X � = ± 1 mod N this yields factors gcd ( X ± 1 , N ) / ∈ { 1 , N } of The linear equations (3.1) can be solved within O ( n 3 ) bit N . operations if the vectors ( e 0 , j − e ′ 0 , j , ..., e n , j − e ′ 1 , n ) for j = 1 , ..., n + 1 are linearly independent. This factoring method goes back to Morrison & Brillhart [MB75]. We get � n i = 1 p ie i , j = ± � n e ′ fac-relations i = 0 p i mod N i , j z b − N c ≈ u − vN from vectors b ∈ L ( B n , c ) close to N c . Then ˆ vN N c makes | u − vN | ≤ vN 1 − c || b − N c || / √ n small for c > 1.

  4. Results of Dickman, De Bruijn, Hildebrand 4 Let Ψ( X , y ) denote the number of integers in [ 1 , X ] that are y -smooth. D ICKMAN [1930] shows lim y →∞ Ψ( y z , y ) y − z = ρ ( z ) for any fixed z > 0. ρ ( z ) is the Dickman, De Bruijn ρ - function. It is known that ρ ( z ) = 1 for 0 ≤ z ≤ 1, ρ ( z ) = 1 − ln z for 1 ≤ z ≤ 2 � e ± o ( 1 ) � z = 1 / z z + o ( z ) for z → ∞ ρ ( z ) = (4.1) z ln z H ILDEBRAND [H84] extended (4.1) to a wide finite range of z . For any fixed ε > 0 � ln ( z + 1 ) Ψ( y z , y ) y − z = ρ ( z ) � �� 1 + O (4.2) ln y holds uniformly for 1 ≤ z ≤ y 1 / 2 − ε , y ≥ 2 under the Riemann Hypothesis.

  5. The relevant area of ( u , v , | u − vN | ) 5 The area of p n -smooth triplets ( u , v , | u − vN | ) for large v . Let # N , n ,δ denote the number and REL N , n ,δ the set of such triplets 2 N δ < v ≤ N δ , 1 2 N 1 + δ < u ≤ N 1 + δ . n and 1 such that | u − vN | ≤ p 3 Neglecting for y = p n , y z = N δ , z = δ ln N ln p n the O ( ln ( z + 1 ) ) -term of ln y (4.2), the number of p n -smooth v ∈ [ 1 2 N δ , N δ ] is for z v := δ ln N ln p n , v := z v − ln 2 z ′ ln p n Ψ( N δ , p n ) − Ψ( N δ / 2 , p n ) ≈ N δ � ρ ( z v ) − 1 2 ρ ( z ′ � v ) . Hence random v ∈ R [ 1 2 N δ , N δ ] are p n -smooth with probability close to 2 ( ρ ( z v ) − 1 v )) . Random u ∈ [ 1 2 ρ ( z ′ 2 N 1 + δ , N 1 + δ ] are p n -smooth with probability close to 2 ( ρ ( z u ) − 1 2 ρ ( z ′ u )) for z u := ( 1 + δ ) ln N , z ′ u := z u − ln 2 ln p n . Hence ln p n # N , n ,δ ≈ 4 N δ p 3 � ρ ( z u ) − 1 2 ρ ( z ′ �� ρ ( z v ) − 1 2 ρ ( z ′ � n ρ ( 3 ) u ) v ) (5.1) if p n -smoothness of u , v and | u − vN | are nearly statist. indep.

  6. I: The number of p n -smooth triplets u , v , | u − vN | 6 10 14 10 20 2 100 2 200 2 400 2 800 N ≈ n 48 100 256 1350 7850 41350 p n 223 541 1619 11149 80173 497561 δ 0 . 35 0 . 55 0 . 71 1 . 2 1 . 57 2.1 # N , n ,δ 126 215 392 1608 10131 49591 0 . 8468 1 . 14 1 . 3902 1 . 998 2 . 4478 3 . 029 c ln ( N δ / p 3 n ) − 4 . 9 6 . 4 27 138 401 1132 Table 1 : parameters n , p n , δ, c = δ + 1 − 3 ln p n for factoring N ln N δ of table 1 nearly maximizes # N , n ,δ and n is nearly minimal such that # N , n ,δ clearly surpasses n . We have δ > 3 ln p n ln N . Corollary Let c = δ + 1 − ln p 3 n = N o ( 1 ) and let ln N , p 3 n || b − N c || 2 ≈ ||L ( B n , c ) − N c || 2 for nearly squarefree 2 N δ < v ≤ N δ and ( u , v ) ∼ b ∈ L ( B n , c ) such that 1 n . Then || b − N c || 2 � λ 2 | u − vN | ≤ p 3 1 ( L ) − ln N .

  7. I: Proof of the Corollary 7 z b − N c = u − vN c N c ( 1 ± o ( 1 )) that We get from ˆ vN | u − vN | ≈ vN 1 − c || b − N c || / √ n . 2 N δ < v ≤ N δ if Hence | u − vN | ≤ p 3 n holds for 1 1 + δ − c + ln ( || b − ln N c || / √ n ) / ln N ≤ 3 ln p n ln N where ln ( || b − N c || / √ n ) / ln N = o ( 1 ) . As the run time of the CVP for L ( B n , c ) , N c increases with c we choose for the search of fac-relations u , v , | u − vN | with 2 N δ < v ≤ N δ in practice c ≈ δ + 1 − 3 ln p n / ln N . 1 In fact the p n -smooth ( u , v ) that satisfy | u − vN | ≤ p 3 n and 2 N δ < v ≤ N δ yield b ∈ L ( B n , c ) , b ∼ ( u , v ) with nearly minimal 1 || b − N c || for c ≈ δ + 1 − 3 ln p n ln N .

  8. I: finding n + 1 fac-relations efficiently 8 Iterative increase of c so that vectors b ∈ L ( B n , c ) close to N c yield distinct p n -smooth u , | u − vN | (fac-relations) . The Corollary shows that || b − N c || 2 � λ 2 1 − ln N holds for 2 N δ < v ≤ N δ and n / ln N if b ∼ ( u , v ) and 1 c = δ + 1 − ln p 3 | u − vN | ≤ p 3 n . Such b are particularly close to N c and yield a fac-relation if | u − vN | is p n -smooth which happens with probability ρ ( 3 ) ≈ 0 . 0486. We get distinct fac-relations from c and c ′ ≥ c + ln 2 / ln N . The vectors b ∈ L ( B n , c ) , b ∼ ( u , v ) close to N c satisfy z b − N c | = N c | u − vN | ( 1 ± o ( 1 )) . Then | u − vN | ≤ p 3 n = N o ( 1 ) | ˆ vN implies v ≥ N c − 1 ( 1 − o ( 1 )) for c > 1. Therefore both v and u / N increase proportionate to N c − 1 . Thus v of ( u , v ) ∼ b close to N c satisfies v � N c − 1 and v ′ of ( u ′ , v ′ ) ∼ b ′ close to N c ′ satisfies v ′ � N c ′ − 1 ≥ 2 N c − 1 . Hence Rel N , n ,δ ∩ Rel N , n ,δ ′ ≈ ∅ for δ ′ ≥ δ + ln 2 / ln N . So we iteratively increase δ and c to δ ′ := δ + ln 2 / ln N and c ′ := c + ln 2 / ln N per round so that δ passes the area for which # N , n ,δ of (4.1) is substantial.

  9. I: Decreasing the dimension n of L ( B n , c ) 9 Recall: We identify b = � n i = 1 e i b i ∈ L ( B n , c ) ∼ ( u , v ) where i > 0 p e i i < 0 p − e i u := � i , v := � . i To minimize the time to get about n fac-relations we simply transform a reduced basis of L ( B n , c ) to a reduced basis of L ( B n , c ′ ) by multiplying the last coordiates of the b i of B n , c T and of N c by N c ′ − c .This replaces N c by N c ′ . We do not adjust the success rate ¨ β t to small increases of c . By iteratively increasing c we can in table 1 decrease n = dim L ( B n , c ) = 41350 for N ≈ 2 800 to n = 40000. This decreases # N , n , 2 . 1 from 49591 to 717. So we find about 700 fac-relations by minimizing ||L ( B n , c ) − N c || for c = 2 . 1 − 3 ln p n / ln N . Then we increase c to c + ln 2 / ln N to generate fac-relations in Rel N , n ,δ ′ for δ ′ := δ + ln 2 / ln N .

  10. I: Time for SVP 10 The efficiency of our SVP algorithm for L ( B ) depends on the invariant rd ( L ) := λ 1 γ − 1 / 2 ( det L ) − 1 / n which we call the relative n λ 2 1 = rd ( L ) 2 γ n ( det L ) 2 density of L . ( ) Proposition Let the basis B = QR , R ∈ R n × n of L satisfy � λ 1 � 1 � 2 and GSA and let L have a shortest lattice e π rd ( L ) ≤ � b 1 � 2 n vector b ′ that satisfies SA . Then E NUM with linear pruning finds such b ′ under the volume heuristics in polynomial time. GSA : The basis B = QR , R = [ r i , j ] 1 ≤ i , j ≤ n satisfies r i , j = 0 for i < j and r 2 i , i / r 2 i − 1 , i − 1 = q for 2 ≤ i ≤ n for some q > 0. SA : There is a vector b ′ ∈ L ( B ) such that � b ′ � = λ 1 and � π t ( b ′ ) � 2 � n − t + 1 λ 2 1 for t = 1 , . . . , n . || b || = r 1 , 1 . n Linear pruning means to cut off all stages ( e t , ..., e n ) that i = t e i b i ) || 2 > n − t + 1 satisfy || π t ( � n λ 2 1 . n

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Erbil, Kurdistan 0 Factoring integers,..., RSA Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma

749 views • 30 slides
Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

College of Science for Women 0 Factoring integers,..., RSA Lecture in Number Theory College of Science for Women Baghdad University March 31, 2014 Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi

2.06k views • 192 slides
Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding

Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding

Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding which prime numbers multiply together to make the original number. Examples: 27 18 2 9 3 9 3 3 3 3 18=2x3x3 27=3x3x3 greatest common

365 views • 11 slides
Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Eker 1 , 2 Johan Hstad 1 1 KTH Royal Institute of Technology, SE-100 44

728 views • 31 slides
Number Theory Divisibility and Primes Definition. If a and b are integers and there is some

Number Theory Divisibility and Primes Definition. If a and b are integers and there is some

Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c , then we say that b divides a or is a factor or divisor of a and write b | a . Definition (Prime Number). A prime number is

381 views • 24 slides
8. Factoring polynomials over finite fields CS-E4500 Advanced Course on Algorithms Spring 2018

8. Factoring polynomials over finite fields CS-E4500 Advanced Course on Algorithms Spring 2018

8. Factoring polynomials over finite fields CS-E4500 Advanced Course on Algorithms Spring 2018 Peteri Kaski Department of Computer Science Aalto University Lecture schedule Tue 16 Jan: 1. Polynomials and integers Tue 23 Jan: 2. The fast

661 views • 41 slides
Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers on a quantum algorithm. Why is this a big deal? O ( e n 1/3 ( log n )

712 views • 5 slides
Travelling Integers Number of players 2 (or more) Adding and subtracting integers Math

Travelling Integers Number of players 2 (or more) Adding and subtracting integers Math

Travelling Integers Number of players 2 (or more) Adding and subtracting integers Math Concepts Deck of cards with face cards removed Materials Number line (from -25 to 25) Chips/pennies to mark players places on the number

363 views • 18 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides
What is a prime number? What is a prime number? What is a prime number? What is a prime number?

What is a prime number? What is a prime number? What is a prime number? What is a prime number?

What is a prime number? What is a prime number? What is a prime number? What is a prime number? Its a positive integer p with exactly two factors! What is a prime number? What is a prime number? Its a positive integer p with exactly two

1.35k views • 121 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
Structure and randomness in the prime numbers A small selection of results in number theory

Structure and randomness in the prime numbers A small selection of results in number theory

Structure and randomness in the prime numbers A small selection of results in number theory Science colloquium January 17, 2007 Terence Tao (UCLA) 1 Prime numbers A prime number is a natural number larger than 1 which cannot be expressed

629 views • 37 slides
Prime number races Greg Martin University of British Columbia Dartmouth Mathematics Colloquium

Prime number races Greg Martin University of British Columbia Dartmouth Mathematics Colloquium

Chebyshev, pretty pictures, and Dirichlet The prime number theorem Back to primes in arithmetic progressions Prime number races Greg Martin University of British Columbia Dartmouth Mathematics Colloquium May 6, 2010 Prime number races Greg

1.11k views • 83 slides
Number Theory Number Theory is the study of integers and their resulting structures . Why study

Number Theory Number Theory is the study of integers and their resulting structures . Why study

Number Theory Number Theory is the study of integers and their resulting structures . Why study it? 1 History: the first true algortihms were number-theoretic. 2 Analysis: Well learn about new kinds of running times and analyses. 3 Cryptography!

591 views • 10 slides
Number representation A number can be represented in binary in many ways. The most common number

Number representation A number can be represented in binary in many ways. The most common number

Number representation A number can be represented in binary in many ways. The most common number types to be represented are: Integers, positive integers one-complement, two-complement, sign-magnitude Decimal real numbers with a fixed

979 views • 72 slides
Number-Theoretic Algorithms (RSA and related algorithms) Chapter 31, CLRS book p1. Outline

Number-Theoretic Algorithms (RSA and related algorithms) Chapter 31, CLRS book p1. Outline

Number-Theoretic Algorithms (RSA and related algorithms) Chapter 31, CLRS book p1. Outline Modular arithmetic RSA encryption scheme Miller-Rabin algorithm (a probabilistic algorithm) p2. Modular Arithmetic p3. Integers | :

803 views • 48 slides
Take two minutes to get your Notebooks, Signals, Calculators, &amp; Student Orgzniers before we

Take two minutes to get your Notebooks, Signals, Calculators, &amp; Student Orgzniers before we

AIM (5.4) : How do we factor by grouping? Take two minutes to get your Notebooks, Signals, Calculators, &amp; Student Orgzniers before we begin today's lesson. Alert! Alert! Aim 5.4: How do we factor by grouping? HW: Worksheet 5.4 DoNow

669 views • 19 slides
Factoring humans into autonomous systems Phaedra Gibson Head of Training BMT ITEC 2020 GLOBAL

Factoring humans into autonomous systems Phaedra Gibson Head of Training BMT ITEC 2020 GLOBAL

BMT TRAINING &amp; THE FUTURE ROLE OF THE HUMAN Factoring humans into autonomous systems Phaedra Gibson Head of Training BMT ITEC 2020 GLOBAL STRATEGIC TRENDS - CLARITY FROM COMPLEXITY GLOBAL STRATEGIC TRENDS Government Development, Concepts

481 views • 20 slides
Update on Re-factoring the LArSoft simulation Hans Wenzel 7 th May 2019 Simulation workflow

Update on Re-factoring the LArSoft simulation Hans Wenzel 7 th May 2019 Simulation workflow

Update on Re-factoring the LArSoft simulation Hans Wenzel 7 th May 2019 Simulation workflow Git: larsim branch feature_wenzel_electrondrift In larsim/ElectronDrift you find: CMakeLists.txt DriftElectronstoPlane_module.cc ISCalculation.cc l

181 views • 7 slides
;&quot;ffi '^A -tv&lt;n{t\g =+/ YxeZ&quot; ( -. , -=- q xe t lNfP,,''$e 1+ \f N, v ct '\{'9 W

;&quot;ffi '^A -tv&lt;n{t\g =+/ YxeZ&quot; ( -. , -=- q xe t lNfP,,''$e 1+ \f N, v ct '\{'9 W

(ts4 Ov'wio^' &quot;1&quot;&amp;&quot;W &quot; G^^dc4^IJ fta) Uro-*4 P vs I).tP fn^/t1r/Y\\u/q Abrn^ur^ (l-';(l 6^^tG*,&quot; lA^n* /rJ fl*- t-&quot;{&quot;,M-t ' ).I1^^,*l A,t,.r^d &quot;t hlutolJol/r/\ k' *q&quot;^&quot; 1c ^^'(^- Rt

374 views • 12 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
Factoring by Grouping 6.1 Find the Greatest Common Factor (GCF) of a Set of Terms Factored form:

Factoring by Grouping 6.1 Find the Greatest Common Factor (GCF) of a Set of Terms Factored form:

Greatest Common Factor and Factoring by Grouping 6.1 Find the Greatest Common Factor (GCF) of a Set of Terms Factored form: A number or an expression written as a product of factors. Examples: 2 x + 8 = 2( x + 4) x 2 + 5 x + 6 = ( x + 2)( x +

148 views • 10 slides
CSCI-2320 Syntactic Analysis (Ch 3 &amp; Wikipedia for CYK) Mohammad T . Irfan AKA

CSCI-2320 Syntactic Analysis (Ch 3 &amp; Wikipedia for CYK) Mohammad T . Irfan AKA

10/3/17 CSCI-2320 Syntactic Analysis (Ch 3 &amp; Wikipedia for CYK) Mohammad T . Irfan AKA &quot;parser&quot; Stream of Parse tree/ Parser tokens syntax error Question: What is the grammar? 1 10/3/17 Parsing algorithms u Predictive

105 views • 10 slides
Sparsified Linear Programming for Zero-Sum Equilibrium Finding Brian Zhang 1 and Tuomas Sandholm 1

Sparsified Linear Programming for Zero-Sum Equilibrium Finding Brian Zhang 1 and Tuomas Sandholm 1

Sparsified Linear Programming for Zero-Sum Equilibrium Finding Brian Zhang 1 and Tuomas Sandholm 1 2 3 4 1 Carnegie Mellon University 2 Strategic Machine, Inc. 3 Strategy Robot, Inc. 4 Optimized Markets, Inc. Imperfect-information games Extensive

489 views • 16 slides

More recommend