Polynomial Selection Thorsten Kleinjung Ecole Polytechnique F ed - PowerPoint PPT Presentation

Polynomial Selection Thorsten Kleinjung ´ Ecole Polytechnique F´ ed´ erale de Lausanne

Contents Brief summary of polynomial selection (no root sieve) Motivation (lattice sieving, monic algebraic polynomial) General case (reduction to monic algebraic polynomial) Some results

Brief summary of polynomial selection Given N ∈ Z Find co-prime polynomials f, g ∈ Z [ x ] with common zero modulo N Degrees and coefficients as small as possible

Brief summary of polynomial selection Given N ∈ Z Find co-prime polynomials f, g ∈ Z [ x ] with common zero modulo N Degrees and coefficients as small as possible Restriction to deg( f ) = d , deg( g ) = 1 1 d +1 : Easy: coefficients of size N d a i x i where 1 d +1 ] + 1, set g = x − m , f = � Choose m = [ N i =0 d a i m i is the base- m -expansion of N . � N = i =0

Skewness: Change sieving area from − A ≤ a ≤ A, 0 < b ≤ A to − A √ s ≤ a ≤ A √ s, 0 < b ≤ A √ s for some s (skewness) d ⇒ want to minimise max( | a i | · s i − d 2 ) a i x i ) � ( f = i =0

Skewness: Change sieving area from − A ≤ a ≤ A, 0 < b ≤ A into − A √ s ≤ a ≤ A √ s, 0 < b ≤ A √ s for some s (skewness) d ⇒ want to minimise max( | a i | · s i − d 2 ) a i x i ) � ( f = i =0 � 1 � 1 d d +1 , choose m near N Choose a d smaller than N a d ⇒ | a d − 1 | roughly of size a d , small enough � 1 � d N Remaining coefficients of size a d ok for a 0 , a 1 (perhaps also for a 2 ) Coefficients a d − 2 , . . . , a 3 ( , a 2 ) too big biggest problem a d − 2

Motivation Lattice sieving for 768 bit numbers: e.g.: factor base bounds 1 . 1 · 10 9 (for f ), 2 · 10 8 (for g ) ⇒ ca. 67 million factor base elements gnfs-lasieveI16e needs 20 byte per factor base element: • prime ideal ( p, x − r ): 4 byte for p and 4 byte for r • two vectors in special q lattice: 2 · 4 byte • current location in special q lattice: 4 byte could reduce this: • use 1 byte for storing differences of p ⇒ 17 byte • handle larger p in a different way ⇒ 15 or 16 byte How can we reduce this further?

If skewness were equal to size of sieving area: form of sieving area: − A ≤ a ≤ A, b = 1 (one line)

If skewness were equal to size of sieving area: form of sieving area: − A ≤ a ≤ A, b = 1 (one line) Storage requirements for lattice siever (12 byte per factor base element): • prime ideal ( p, x − r ): 4 byte for p and 4 byte for r • current location in special q lattice: 4 byte We can • recalculate r from last location in special q lattice ⇒ 8 byte • store 1 byte differences of primes ⇒ 5 byte Reduced storage for factor base from 1GB (or 1.3GB) to 350MB How can we find such polynomials?

Polynomials with large skewness Example: 768-bit integer N , size of sieving area ≈ 2 64 ≈ skewness, f = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , g = lx − m N = a 4 m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4

Polynomials with large skewness Example: 768-bit integer N , size of sieving area ≈ 2 64 ≈ skewness, f = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , g = lx − m N = a 4 m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 coefficient a 4 a 3 a 2 a 1 a 0 l m bit size 0 64 128 192 256 128 192 ⇒ values of polynomials: ca. 256 bit and 192 bit seems too be slightly worse than current degree 6 polynomials

Polynomials with large skewness Example: 768-bit integer N , size of sieving area ≈ 2 64 ≈ skewness, f = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , g = lx − m N = a 4 m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 coefficient a 4 a 3 a 2 a 1 a 0 l m bit size 0 64 128 192 256 128 192 ⇒ values of polynomials: ca. 256 bit and 192 bit seems too be slightly worse than current degree 6 polynomials Check: 64 + 128 + 192 + 256 + 128 + 192 − 64 − 64 = 768 + 64 ⇒ expect to find 2 64 such polynomial pairs How can we find such polynomial pairs (with cost ≪ 2 64 )?

f = x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , g = lx − m N = m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4

f = x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , g = lx − m N = m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 translation ⇒ can assume a 3 ∈ { 0 , 1 , 2 , 3 }

f = x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , g = lx − m N = m 4 + a 3 lm 3 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 translation ⇒ can assume a 3 ∈ { 0 , 1 , 2 , 3 } m Restrict to a 3 = 0, assume l ≪ 2 64 : f = x 4 + a 2 x 2 + a 1 x + a 0 , g = lx − m : N = m 4 + a 2 l 2 m 2 + a 1 l 3 m + a 0 l 4 = m 4 + l 2 R R a 2 ≈ m 2 New problem: to find l, m such that l 2 | N − m 4 and | N − m 4 | is small l 2 m 2

General problem: N , d and bound B given, find l , m such that l 2 | N − m d and | N − m d | l 2 m d − 2 < B

General problem: N , d and bound B given, find l , m such that l 2 | N − m d and | N − m d | l 2 m d − 2 < B √ d Set m 0 = N , m = m 0 + i , i ∈ [ − M, M ] ≈ <dMm d − 1 ⇒ | N − m d | 0 want i , l such that l 2 | N − ( m 0 + i ) d and dMm 0 < B l 2

General problem: N , d and bound B given, find l , m such that l 2 | N − m d and | N − m d | l 2 m d − 2 < B √ d Set m 0 = N , m = m 0 + i , i ∈ [ − M, M ] ≈ <dMm d − 1 ⇒ | N − m d | 0 want i , l such that l 2 | N − ( m 0 + i ) d and dMm 0 < B l 2 Set l = p 1 p 2 , p i ∈ P primes, P = [ P, 2 P ] 1. generate pairs ( p, i ) such that p 2 | N − ( m 0 + i ) d 2. sort pairs w. r. t. second entry 3. for each collision, i. e., pairs ( p 1 , i ), ( p 2 , i ) with p 1 � = p 2 : output l = p 1 p 2 , m = m 0 + i ≈ result: | a d − 2 | ≈ | N − m d | < dM P 4 m 0 l 2 m d − 2

Analysis √ d m 0 = N , m = m 0 + i , i ∈ [ − M, M ] l = p 1 p 2 , p i ∈ P primes, P = [ P, 2 P ] M M number of pairs ≈ P log P , number of collisions ≈ 4 P 2 (log P ) 2

Analysis √ d m 0 = N , m = m 0 + i , i ∈ [ − M, M ] l = p 1 p 2 , p i ∈ P primes, P = [ P, 2 P ] M M number of pairs ≈ P log P , number of collisions ≈ 4 P 2 (log P ) 2 cost O ( M log M P P log P + log P ) ≈ < dM result: | a d − 2 | P 4 m 0

Analysis √ d m 0 = N , m = m 0 + i , i ∈ [ − M, M ] l = p 1 p 2 , p i ∈ P primes, P = [ P, 2 P ] M M number of pairs ≈ P log P , number of collisions ≈ 4 P 2 (log P ) 2 cost O ( M log M P P log P + log P ) ≈ < dM result: | a d − 2 | P 4 m 0 for 768 bit example choose M = 2 90 , P = 2 39 : P 4 m 0 ≈ 2 128 , cost 2 46 pairs ≈ 1 collision, dM

Analysis √ d m 0 = N , m = m 0 + i , i ∈ [ − M, M ] l = p 1 p 2 , p i ∈ P primes, P = [ P, 2 P ] M M number of pairs ≈ P log P , number of collisions ≈ 4 P 2 (log P ) 2 cost O ( M log M P P log P + log P ) ≈ < dM result: | a d − 2 | P 4 m 0 for 768 bit example choose M = 2 90 , P = 2 39 : P 4 m 0 ≈ 2 128 , cost 2 46 pairs ≈ 1 collision, dM choosing M = P 2 : ≈ cost per collision O ( P (log P ) 2 ), result | a d − 2 | < d P 2 m 0

Asymptotic considerations � 1 3 , sieving area ≈ L ( 1 � � 3 log N 64 degree d = 3 , 9 ) ≈ skewness 3 log log N product of coefficient ranges of algebraic polynomial = L (1 , 7 8 ) ⇒ cannot find such polynomial pairs Remark: polynomial pairs of degree d and d − 1 would be ok

General situation N = a d m d + a d − 1 lm d − 1 + l 2 R | R | Find l, m such that and m d − 2 ( ≈ | a d − 2 | ) is sufficiently small.

General situation N = a d m d + a d − 1 lm d − 1 + l 2 R | R | Find l, m such that and m d − 2 ( ≈ | a d − 2 | ) is sufficiently small. Reduction to a d = 1, a d − 1 = 0 (translation x �→ x − a d − 1 da d ): N = ( da d m + a d − 1 l ) d + l 2 � R − ( da d m ) d − 2 · � d d a d − 1 d d a d − 1 � d · a 2 � d − 1 − . . . d d 2

General situation N = a d m d + a d − 1 lm d − 1 + l 2 R | R | Find l, m such that and m d − 2 ( ≈ | a d − 2 | ) is sufficiently small. Reduction to a d = 1, a d − 1 = 0 (translation x �→ x − a d − 1 da d ): N = ( da d m + a d − 1 l ) d + l 2 � R − ( da d m ) d − 2 · � d d a d − 1 d d a d − 1 � d · a 2 � d − 1 − . . . d d 2 or m d + l 2 ˜ ˜ ˜ N = d d a d − 1 N = ˜ R where N, ˜ m = da d m + a d − 1 l d

General situation N = a d m d + a d − 1 lm d − 1 + l 2 R | R | Find l, m such that and m d − 2 ( ≈ | a d − 2 | ) is sufficiently small. Reduction to a d = 1, a d − 1 = 0 (translation x �→ x − a d − 1 da d ): N = ( da d m + a d − 1 l ) d + l 2 � R − ( da d m ) d − 2 · � d d a d − 1 d d a d − 1 � d · a 2 � d − 1 − . . . d d 2 or m d + l 2 ˜ ˜ ˜ N = d d a d − 1 N = ˜ R where N, ˜ m = da d m + a d − 1 l d 1. find l , ˜ m as above 2. ˜ m = da d m + a d − 1 l : find m , 0 ≤ a d − 1 < da d (gcd( l, da d ) = 1) ≈ | ˜ R | < dM ˜ d 2 a d P 4 ≈ M m 0 Result: | a d − 2 | ≈ P 4 m 0 d 2 a d ˜ m d − 2

Some tricks Replace l = p 1 p 2 by l = cp , c ∈ C , p ∈ P e. g.: C = [ P 1 , P 2 ], P = { p ∈ [ P 2 , P 3 ] | p prime } for some P 1 < P 2 < P 3 1. generate pairs ( c, i ), c ∈ C 2. generate pairs ( p, j ), p ∈ P 3. search for collisions between c -pairs and p -pairs, and for collisions within p -pairs many alternative approaches, e. g.: • arbitrary C , P , remove multiples of primes of P from C • C = { c ∈ [ P 1 , P 2 ] | p | c ⇒ p ≡ 1 (mod 4) } , P = { c ∈ [ P 1 , P 2 ] | p | c ⇒ p ≡ 3 (mod 4) } • ...