Integer factorization: a progress report (slide deck)


SLIDE 1

Integer factorization: a progress report

D. J. Bernstein

Thanks to: University of Illinois at Chicago; NSF DMS–0140542; Alfred P. Sloan Foundation

Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586.

SLIDE 3

Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586.

Small prime factors are easy to find. Larger primes are harder.

"Elliptic-curve method" (ECM) scales surprisingly well. (1987 Lenstra)

ECM has found a prime $\approx 2^{219}$. (2005 Dodson; rather lucky; $3 \cdot 10^{12}$ Opteron cycles)

www.loria.fr/~zimmerma/records/p66
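As an added example (not from the slides), the cheap end of the spectrum this slide contrasts: trial division, which settles the exercise at once because the number is even, and Pollard's rho for a semiprime with two mid-sized prime factors. ECM and NFS are not implemented here. The semiprime 999983 · 1000003 is constructed for the demonstration and is not taken from the talk; the function names are mine.

```python
# Added example, not code from the talk: small factors by trial division,
# mid-sized factors by Pollard's rho.  Neither scales to the RSA-200-size
# inputs the later slides are about.
from math import gcd

EXERCISE_N = 6366223796340423057152171586   # the number from slide 1

def trial_division(n, bound=1 << 16):
    """Return the smallest prime factor of n below `bound`, or None.
    This is all that is needed for the exercise: the number is even."""
    if n % 2 == 0:
        return 2
    p = 3
    while p < bound and p * p <= n:
        if n % p == 0:
            return p
        p += 2
    return None

def pollard_rho(n, seed=2, c=1):
    """Return a nontrivial factor of a composite n using Pollard's rho
    (x -> x^2 + c mod n, Floyd cycle detection).  Loops forever on a prime,
    so only call it on numbers already known to be composite."""
    if n % 2 == 0:
        return 2
    x = y = seed
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    if d == n:                      # both cycles collapsed at once: retry
        return pollard_rho(n, seed, c + 1)
    return d

def nontrivial_factor(n):
    """Cheap pipeline: small primes first, then rho for the rest."""
    f = trial_division(n)
    if f is not None:
        return f
    return pollard_rho(n)

if __name__ == "__main__":
    print(nontrivial_factor(EXERCISE_N))            # 2
    print(nontrivial_factor(999983 * 1000003))      # one of the two primes
```

Trial division finds 2 for the exercise without touching rho; rho is only reached for the constructed semiprime, whose factors are both far above the trial-division bound.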

SLIDE 5

For worst-case integers with two very large prime factors, ECM does not scale as well as "number-field sieve" (NFS). (1988 Pollard, et al.)

Latest record: NFS has found two prime factors $\approx 2^{332}$ of "RSA-200" challenge. (2005 Bahr Boehm Franke Kleinjung; $5 \cdot 10^{18}$ Opteron cycles)

How much more difficult is it to find prime factors $\approx 2^{512}$ of an integer $\approx 2^{1024}$?

www.loria.fr/~zimmerma/records/rsa200

SLIDE 7

NFS step 1: find attractive $f$'s

NFS tries to factor $n$ by inspecting values of a polynomial.

Select integer $m \in [n^{1/6}, n^{1/5}]$; find integers $f_5, f_4, \dots, f_0$ with $n = f_5 m^5 + f_4 m^4 + \dots + f_0$; for various integers $a, b$ inspect $(a - bm)(f_5 a^5 + f_4 a^4 b + \dots + f_0 b^5)$.

Practically every choice of $f$ will succeed in factoring $n$.

Better speed from smaller values $(a - bm)(f_5 a^5 + f_4 a^4 b + \dots + f_0 b^5)$.
SLIDE 9

e.g. $n = 314159265358979323$: Can choose $m = 1000$, $f_5 = 314$, $f_4 = 159$, $f_3 = 265$, $f_2 = 358$, $f_1 = 979$, $f_0 = 323$.

NFS succeeds in factoring $n$ by inspecting values $(a - 1000b)(314a^5 + \dots + 323b^5)$ for various integer pairs $(a, b)$.

But NFS succeeds more quickly using $m = 1370$, inspecting $(a - 1370b)(65a^5 + 130a^4 b + 38a^3 b^2 + 377a^2 b^3 + 127ab^4 + 33b^5)$.
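Added example, not code from the talk: NFS step 1 exactly as the slide states it, run on the slide's own $n$. The plain base-$m$ expansion reproduces both coefficient lists ($m = 1000$ and $m = 1370$), evaluates the value NFS inspects for a sample pair $(a, b)$, and compares the two choices by the crude size measure $(m + 1)\sum |f_i|$; the measure, the function names and the scan range 1000..1399 are my choices, not the talk's.

```python
# Added example (not from the slides): base-m polynomial selection for
# n = 314159265358979323, reproducing the two coefficient lists shown.

N_EXAMPLE = 314159265358979323   # n from the slide
DEGREE = 5

def base_m_coefficients(n, m, degree=DEGREE):
    """Return [f0, f1, ..., f_degree] with n = sum f_i m^i and 0 <= f_i < m:
    the plain base-m expansion of n (low coefficient first)."""
    coeffs = []
    for _ in range(degree + 1):
        n, r = divmod(n, m)
        coeffs.append(r)
    if n != 0:
        raise ValueError("m too small: n does not fit in degree+1 base-m digits")
    return coeffs

def evaluate(coeffs, m):
    """Horner evaluation of sum f_i m^i; used to check n = f(m)."""
    acc = 0
    for f in reversed(coeffs):
        acc = acc * m + f
    return acc

def nfs_value(coeffs, m, a, b):
    """(a - b m)(f5 a^5 + f4 a^4 b + ... + f0 b^5): the value NFS inspects."""
    d = len(coeffs) - 1
    homogeneous = sum(f * a**i * b**(d - i) for i, f in enumerate(coeffs))
    return (a - b * m) * homogeneous

def size_measure(coeffs, m):
    """(m + 1) * (|f5| + ... + |f0|): a crude bound on |nfs_value| / H^6 for
    |a|, |b| <= H.  Smaller is better; this is my measure, not the talk's."""
    return (m + 1) * sum(abs(f) for f in coeffs)

def best_m(n, m_lo, m_hi, degree=DEGREE):
    """Scan consecutive m's and return the one with the smallest measure."""
    return min(range(m_lo, m_hi),
               key=lambda m: size_measure(base_m_coefficients(n, m, degree), m))

if __name__ == "__main__":
    for m in (1000, 1370):
        c = base_m_coefficients(N_EXAMPLE, m)
        assert evaluate(c, m) == N_EXAMPLE
        print(m, list(reversed(c)), size_measure(c, m), nfs_value(c, m, 1, 1))
    print("best m in 1000..1399:", best_m(N_EXAMPLE, 1000, 1400))
```

Both expansions satisfy $n = f(m)$; the $m = 1370$ coefficients are the ones on the slide and give a size measure less than half that of $m = 1000$, which is the sense in which NFS "succeeds more quickly" with them.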

SLIDE 11

NFS step 1: Consider, e.g., $2^{45}$ possible choices of $f$. Quickly identify, e.g., $2^{25}$ attractive candidates. Will choose one in step 2.

If $|a| \le H$ and $1 \le b \le H$ then $|(a - bm)(f_5 a^5 + \dots + f_0 b^5)| \le \alpha(f)\, H^6$ where $\alpha(f) = (m + 1)(|f_5| + \dots + |f_0|)$.

Attractive $f$: small $\alpha(f)$. (1999 Murphy)

SLIDE 13

Choosing one typical $m \approx n^{1/6}$ produces $\alpha(f)$ on the order of $n^{2/6}$.

Question: How much time do we need to save a factor of $c$, i.e. to find $f$ with $\alpha(f) \le c^{-1} n^{2/6}$?

This has as much impact as chopping $3 \lg c$ bits out of $n$.

Searching for good values of $f$ takes a noticeable fraction of the total time of optimized NFS. (If not, consider more $f$'s!) End up with rather large $c$.

SLIDE 15

Four answers:

Time $c^{7/5 + o(1)}$ to find $2^{25}$ values $m \approx n^{1/6}$ with $\alpha(f) \le c^{-1} n^{2/6}$ by searching consecutive $m$'s.

Time $c^{6/5 + o(1)}$ by skipping through $m$'s with small $f_5, f_4$.

Time $c^{4/5 + o(1)}$ to find one $m \approx n^{1/6}$ with $\alpha(f) \le 0.75\, c^{-1} n^{2/6}$. (1999 Murphy)

Time $c^{3/5 + o(1)}$ by partly controlling $f_3$. (2004 Bernstein)

cr.yp.to/talks.html#2004.11.15

SLIDE 17

New method uses 4-dimensional lattice-basis reduction, specifically integer-relation finding.

Many lower-level speedups, effectively chopping a few more bits out of $n$: approximate reduction (e.g., 2004 Schnorr), "PSLQ" (1999 Bailey Ferguson), "geometric" ideas (2004 Nguyen Stehlé).

www.loria.fr/~stehle/LOWDIM.html
www.loria.fr/~stehle/FPLLL.html

SLIDE 19

NFS step 2: choose one $f$

Previous step inspected many $f$'s. Kept the attractive $f$'s, as measured by $\alpha$ values.

NFS step 2: Evaluate merit of each attractive $f$. Choose highest-merit $f$ for factoring $n$.

Merit evaluation is slower than $\alpha$ but is applied to fewer $f$'s. More accurate than $\alpha$, so selects better $f$.

SLIDE 21

Given $m, f_5, \dots, f_0$: Consider integer pairs $(a, b)$ with $b > 0$ and $\gcd\{a, b\} = 1$. How many values $(a - bm)(f_5 a^5 + \dots + f_0 b^5)$ are in $[-B, B]$?

$\alpha$ bound is quite crude. Instead enumerate $b$'s, count $a$'s for each $b$. (Silverman, Contini, Lenstra)

SLIDE 23

Faster (2004 Bernstein): Numerically approximate the area of $\{(a, b) \in \mathbf{R} \times \mathbf{R} : (a - bm)(f_5 a^5 + \dots + f_0 b^5) \in [-B, B]\}$.

Number of qualifying pairs is extremely close to $(3/\pi^2)$ times this area, i.e. $(3/\pi^2)\, B^{2/6} \int (1/F(a)^2)^{1/6}\, da$, where $F(a) = (a - m)(f_5 a^5 + \dots + f_0)$.

Evaluate superelliptic integral by standard techniques: partition, use series expansions.

cr.yp.to/talks.html#2004.11.15

SLIDE 25

Will see that NFS needs fully factored values $(a - bm)(f_5 a^5 + \dots + f_0 b^5)$. Won't be able to use values with unknown prime divisors.

Merit of $f$: chance that $(a - bm)(f_5 a^5 + \dots + f_0 b^5)$ will be fully factored.

Simplified definition of "fully factored": "$2^{40}$-smooth," i.e., no prime divisors $> 2^{40}$.

SLIDE 27

What is chance that $(a - bm)(f_5 a^5 + \dots + f_0 b^5)$ will be fully factored, given that it is in $[-B, B]$?

Try to account for roots modulo small primes. (Schroeppel, Murphy, et al.) Can do this accurately. (2002 Bernstein)

cr.yp.to/papers.html#psi
cr.yp.to/psibound.html

SLIDE 29

NFS step 3: find small primes

Have integer $m$, polynomial $F(a) = (a - m)(f_5 a^5 + \dots + f_0)$. Consider values $b^6 F(a/b) = (a - bm)(f_5 a^5 + \dots + f_0 b^5)$.

NFS step 3: Choose a bound $y$ for "small". For each pair $(a, b)$ with $b^6 F(a/b) \in [-B, B]$, find small prime divisors of $b^6 F(a/b)$.

SLIDE 31

Simplified definition of "small": $\le 2^{12}$. (Serious misconception: $2^{40}$.)

"Sieving": Consider one $b$, array of $2^{15}$ consecutive $a$'s.

For each small prime $p$: Mark $a$'s with $b^6 F(a/b)$ divisible by $p$. Can jump quickly through these $a$'s: they lie in a few arithmetic progressions mod $p$.
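Added example, not code from the talk: sieving one $b$ across an array of consecutive $a$'s for the slide's $m = 1370$ polynomial, with a few hundred array entries and primes below 50 standing in for $2^{15}$ entries and primes up to $2^{12}$. For each small prime $p$ the divisible $a$'s are located by walking arithmetic progressions (one residue class from $a \equiv bm$, one per root of $f$ mod $p$) instead of dividing, and the marks are checked against direct trial division. The names and the reduced sizes are mine.

```python
# Added example (not from the slides): the sieve of NFS step 3 for one b,
# locating a's with p | b^6 F(a/b) by arithmetic progressions mod p.

M = 1370
COEFFS = [33, 127, 377, 38, 130, 65]          # f0 .. f5 from the slide
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def value(a, b, coeffs=COEFFS, m=M):
    """b^6 F(a/b) = (a - b m)(f5 a^5 + f4 a^4 b + ... + f0 b^5)."""
    d = len(coeffs) - 1
    return (a - b * m) * sum(f * a**i * b**(d - i) for i, f in enumerate(coeffs))

def roots_mod_p(coeffs, p):
    """Roots r of f5 r^5 + ... + f0 = 0 (mod p), by brute force; p is small."""
    return [r for r in range(p)
            if sum(f * pow(r, i, p) for i, f in enumerate(coeffs)) % p == 0]

def sieve_row(b, a_start, length, primes=SMALL_PRIMES, coeffs=COEFFS, m=M):
    """For fixed b and a = a_start .. a_start+length-1, return for every
    array entry the sorted list of small primes dividing value(a, b),
    found by stepping through residue classes rather than by division."""
    marks = [[] for _ in range(length)]
    for p in primes:
        if b % p == 0:
            # b = 0 mod p: a - b m reduces to a and the homogeneous part to
            # f5 a^5, so p divides the value iff p | a (or p | f5, then always).
            residues = {0} if coeffs[-1] % p else set(range(p))
        else:
            # b invertible mod p: p | a - b m  iff a = b m (mod p), and
            # p | f5 a^5 + ... + f0 b^5 = b^5 f(a/b) iff a = b r for a root r.
            residues = {(b * m) % p} | {(b * r) % p for r in roots_mod_p(coeffs, p)}
        for res in residues:
            first = a_start + ((res - a_start) % p)      # first a >= a_start in class
            for idx in range(first - a_start, length, p):
                marks[idx].append(p)                     # the "jump" of the slide
    return [sorted(x) for x in marks]

def divide_row(b, a_start, length, primes=SMALL_PRIMES):
    """Reference answer by direct trial division of every value."""
    return [[p for p in primes if value(a, b) % p == 0]
            for a in range(a_start, a_start + length)]

if __name__ == "__main__":
    row = sieve_row(1, -200, 400)
    assert row == divide_row(1, -200, 400)
    print("entries with >= 4 small prime divisors:",
          [(-200 + i, ps) for i, ps in enumerate(row) if len(ps) >= 4][:5])
```

Each prime touches only about $\mathrm{length}/p$ entries per residue class, which is why the sieve beats dividing every value; the entry $a = bm$ (value 0) is marked by every prime, exactly as division would report.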

SLIDE 33

Dramatically improve speed by adapting to CPU architecture.

Example: For primes in $[2^{15}/9, 2^{15}/8]$, each progression has 8 or 9 array entries. Always mark 9 entries, often overflowing array, to eliminate branch mispredictions.

SLIDE 35

Generalize $b^6 F(a/b)$: NFS can use $b^6 F(a/b)$ for $(a, b)$ in a determinant-$q$ lattice. (1984 Davis Holdridge, 1993 Pollard)

Number of $b^6 F(a/b)$ in $[-B, B]$ is proportional to $q^{-2/3}$.

Can choose $B$ surprisingly small and compensate by using many $q$'s. (1995 Bernstein)

cr.yp.to/papers.html#mlnfs

SLIDE 37

NFS step 4: early abort

Have many pairs $(a, b)$. For each $b^6 F(a/b)$, know small prime divisors and not-yet-factored part.

NFS step 4: Choose $z$. Discard all values $b^6 F(a/b)$ with not-yet-factored parts above $z$.

How to choose $z$? Answer: Balance time for step 5 with time for step 3.

SLIDE 39

NFS step 5: fully factor

Have some pairs $(a, b)$. For each value $b^6 F(a/b)$: know small prime divisors; not-yet-factored part $\le z$.

NFS step 5: Identify values $b^6 F(a/b)$ that are $2^{40}$-smooth.

Should replace "$2^{40}$-smooth" with slightly different notions, not discussed in this talk. (e.g. 1993 Coppersmith)

SLIDE 41

Assume that original values are smooth with probability $1/u$; step 3 spends time $T$ per value; step 5 spends time $U$ per value. With proper balance, time roughly $(\ldots)^{12/40}$ to find one smooth value. (1982 Pomerance)

Want $2^{12}$ as large as possible. But want $2^{12}$ below $2^{15}$, and want $2^{15}$ small so that sieving fits into L1 cache.

cr.yp.to/bib/entries.html#1982/pomerance

SLIDE 43

Traditional algorithm for step 5: For each pair $(a, b)$ separately, use ECM to find primes $\le 2^{40}$ dividing $b^6 F(a/b)$. Complications save time: "rho," more aborts, et al.

Much faster to handle a big batch of pairs $(a, b)$. (2000 Bernstein)

Save even more time by checking smoothness without first finding primes. (2004 Franke Kleinjung Morain Wirth)

SLIDE 45

Streamlined batch algorithm (2004 Bernstein): Multiply primes $\le 2^{40}$ in pairs, pairs of pairs, etc., to obtain their product $P$. Relies on fast disk-based multiplication of huge integers.

Compute $P \bmod v$ for each value $v$. Relies on fast division.

Now a value $v$ is smooth iff $(P \bmod v)^{2^{\lceil \lg \lg v \rceil}} \bmod v = 0$.

cr.yp.to/papers.html#smoothparts
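Added example, not the paper's code: the batch smoothness test this slide states, with the bound scaled down from $2^{40}$ to $2^8$ and the disk-based multiplication replaced by ordinary Python integers. The product tree of primes, a remainder tree for $P \bmod v$, and the power test with exponent $2^{\lceil \lg \lg v \rceil}$ (computed from bit lengths here) follow the slide; the test values are constructed, and a trial-division reference is included to check the answers.

```python
# Added example (not from the slides): batch smoothness detection.
# v is y-smooth  iff  (P mod v)^(2^k) mod v == 0, P = product of primes <= y,
# 2^k >= lg v: every prime power p^e dividing v has e <= lg v <= 2^k, so
# p^e | P^(2^k) as soon as p | P; a prime q > y never divides P^(2^k).

def primes_up_to(y):
    sieve = bytearray([1]) * (y + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(y ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, s in enumerate(sieve) if s]

def product_tree(leaves):
    """Multiply in pairs, pairs of pairs, ...  Returns the list of levels:
    levels[0] = leaves, levels[-1] = [product of all leaves]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def remainder_tree(P, values):
    """P mod v for every v in values, reducing P down a product tree of the
    values instead of dividing the huge P by each v separately."""
    levels = product_tree(values)
    rems = [P % levels[-1][0]]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % v for i, v in enumerate(level)]   # parent of i is i//2
    return rems

def is_smooth_from_remainder(r, v):
    """Apply the slide's test to r = P mod v (v > 0)."""
    if v <= 1:
        return True
    k = (v.bit_length() - 1).bit_length()   # smallest k with 2^k > floor(lg v)
    return pow(r, 1 << k, v) == 0

def batch_smooth(values, y):
    """Smoothness flags for all (nonzero) values at once: one product P,
    one remainder tree, one modular power per value."""
    if not values:
        return []
    P = product_tree(primes_up_to(y))[-1][0]
    absvals = [abs(v) for v in values]
    return [is_smooth_from_remainder(r, v)
            for r, v in zip(remainder_tree(P, absvals), absvals)]

def smooth_by_trial_division(v, y):
    """Reference answer: strip every prime <= y and see whether 1 is left."""
    v = abs(v)
    for p in primes_up_to(y):
        while v % p == 0:
            v //= p
    return v == 1

if __name__ == "__main__":
    # constructed test values: 251, 257, 263, 65537 are prime; 255 = 3*5*17
    vals = [2**10 * 3**5 * 251, 257, 6 * 263, 255 * 255 * 256, 1, 2 * 65537]
    print(batch_smooth(vals, 256))   # [True, False, False, True, True, False]
```

Nothing here needs the primes dividing $v$: the batch produces a yes/no per value, which is all step 5 needs to decide which pairs survive, and the expensive part (building $P$ and the remainder tree) is shared across the whole batch.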


slide-47
SLIDE 47

Many lower-level speedups.

Compute the product with "FFT doubling": 1.5 times faster. (2004 Kramer)

Compute the remainders (product mod value) with "scaled remainder tree": 2.6 times faster. (2004 Bernstein, adapting 2003 Bostan Lecerf Schost)

Reduce communication costs. (2004–2005 Bernstein)

cr.yp.to/papers.html#multapps cr.yp.to/papers.html#scaledmod


slide-49
SLIDE 49

Contrary to popular myth, properly designed parallel computers can dramatically improve price-performance ratio. Huge improvement for ECM etc. (2001 Bernstein)

The batch algorithms are better on today's badly designed CPUs (Pentium, PowerPC, Athlon, etc.) but will eventually be obsolete.

http://www.sharcs.org: new cryptanalytic-hardware workshop.

cr.yp.to/talks.html#2005.06.11-1 cr.yp.to/papers.html#nfscircuit


slide-51
SLIDE 51

NFS step 6: linear algebra

Have some pairs (a, b) with complete factorizations of the values.

NFS step 6: Find nonempty subset of pairs (a, b) for which a − bm and a − bα both have square product. Here α is a root of the polynomial.

Do this by finding a linear dependency among vectors mod 2. Guaranteed to succeed if there are enough vectors.


slide-53
SLIDE 53

Choose prime bound 2^40 to minimize total time of linear algebra and previous steps.

Larger bound would minimize time of previous steps, but then linear algebra would be a bottleneck. Reduce bound to balance linear algebra with previous steps.

This balancing means somewhat less impact of speedups in particular steps.


slide-55
SLIDE 55

NFS step 7: square roots

Have some pairs (a, b). Product of a − bm is square. Product of a − bα is square.

NFS step 7: Use pairs to factor the target number, maybe nontrivially.

Simplest method, computing the square root of the product of a − bα directly, is not a bottleneck.
Other methods in literature are a waste of programmer time.
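Added example serving the step 6 slide (dependency mod 2) and the step 7 slide (square root, then gcd) together. It is not code from the slides and it is not NFS itself: to stay under a hundred lines it uses a rational-side-only analogue, Dixon-style relations x^2 ≡ y (mod n) with y = x^2 − n smooth over a small factor base, so there is no number field, no α and no algebraic square root. Everything specific here is constructed for the illustration: n = 1649, the bound B = 7, and a relation search that walks x upward from isqrt(n) + 1. The gcd at the end can come out trivial, which is the slide's "maybe nontrivially", so every dependency the elimination finds is tried.

```python
# Added example: NFS step 6 (dependency mod 2) and step 7 (square root, gcd)
# on a simplified, rational-side-only analogue.  Relations are x^2 ≡ y (mod n)
# with y = x^2 - n smooth over a small factor base, so there is no number
# field, no α and no algebraic square root.  Not code from the slides.
# Assumed for this illustration: n = 1649, prime bound B = 7, and a
# relation search that walks x upward from isqrt(n) + 1.
from math import gcd, isqrt


def factor_base(B):
    """Primes up to B (trial division is enough at toy size)."""
    return [p for p in range(2, B + 1)
            if all(p % q for q in range(2, isqrt(p) + 1))]


def factor_over(y, primes):
    """Exponent vector of y over primes, or None if y is not smooth."""
    exps = []
    for p in primes:
        e = 0
        while y % p == 0:
            y //= p
            e += 1
        exps.append(e)
    return exps if y == 1 else None


def collect_relations(n, primes, count):
    """(x, exponents of x^2 - n) for the first `count` x with x^2 - n smooth."""
    rels, x = [], isqrt(n) + 1
    while len(rels) < count:
        exps = factor_over(x * x - n, primes)
        if exps is not None:
            rels.append((x, exps))
        x += 1
    return rels


def dependencies_mod2(vectors):
    """Gaussian elimination over GF(2).  Each vector is a bitmask (bit j set
    iff the exponent of prime j is odd).  Returns bitmasks over the vector
    indices; each is a nonempty subset summing to zero mod 2, i.e. a linear
    dependency.  With more vectors than bits at least one must exist."""
    pivots = {}            # leading bit -> (reduced vector, index combination)
    found = []
    for i, v in enumerate(vectors):
        combo = 1 << i
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = (v, combo)
                break
            pv, pc = pivots[top]
            v ^= pv
            combo ^= pc
        else:                  # v reduced to zero: combo is a dependency
            found.append(combo)
    return found


def square_root_step(n, primes, rels, combo):
    """X = product of the x in the subset (mod n); Y = square root of the
    product of the y, read off the halved exponent vector.  X^2 ≡ Y^2 (mod n),
    so gcd(X - Y, n) is a factor of n, possibly a trivial one."""
    X, total = 1, [0] * len(primes)
    for i, (x, exps) in enumerate(rels):
        if combo >> i & 1:
            X = X * x % n
            total = [t + e for t, e in zip(total, exps)]
    assert all(e % 2 == 0 for e in total)   # the dependency guarantees this
    Y = 1
    for p, e in zip(primes, total):
        Y = Y * pow(p, e // 2, n) % n
    return gcd(X - Y, n)


def factor(n, B=7, extra=1):
    """Try every dependency; return the first nontrivial factor, else None."""
    primes = factor_base(B)
    rels = collect_relations(n, primes, len(primes) + extra)
    vectors = [sum(1 << j for j, e in enumerate(exps) if e % 2)
               for _, exps in rels]
    for combo in dependencies_mod2(vectors):
        f = square_root_step(n, primes, rels, combo)
        if 1 < f < n:
            return f
    return None


if __name__ == "__main__":
    print(factor(1649))   # 17, since 1649 = 17 * 97
```

With B = 7 there are four primes, so five relations (41, 43, 47, 57, 58) already force a dependency; the elimination finds three, and both 17 and 97 show up among the gcds. In real NFS the square root on the α side is the part the slide calls "not a bottleneck" when done the simple way; here that side is absent entirely, which is why the whole thing fits in one file.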