Post on 08-Jan-2018
description
A Survey on Factoring Large Numbers ~ 巨大数の因数分解に関する調査 ~
Kanada Lab. M147-56338 Yoshida Hitoshi
page2
Introduction
Factoring a number means representing it as the product of smaller numbers.
It is difficult to factor a large number. Some cryptosystems are based on the difficulty of
the factoring integer problem. It measures the security of the cryptosystems to
factor large numbers in short time.
page3
Contents
Introduction Factoring Methods Calculation Records Cryptosystem Security
page4
Contents
Introduction Factoring Methods Calculation Records Cryptosystem Security
page5
Trial Division
Difference ofSquares
Euler’s Method Pollard’s(p-1)-Method
Pollard’s(p+1)-Method
Pollard’sρ Method
Square FormsFactorization
Continued FractionMethod
Quadratic Sieve
Multiple PolynomialQuadratic Sieve
General NumberField Sieve
Elliptic CurveMethod
Trial Division
Difference ofSquares
Euler’s Method Pollard’s(p-1)-Method
Pollard’s(p+1)-Method
Pollard’sρ Method
Square FormsFactorization
Continued FractionMethod
Quadratic Sieve
Multiple PolynomialQuadratic Sieve
General NumberField Sieve
Elliptic CurveMethod
Factoring Methods
page6
Trial Division
Algorithm Check if “n mod i = 0” for i = 2,3,4,…
Merit It can factor a number into prime numbers.
Demerit ‘i’ may be nearly when n is the product of 2 primes of
same size.
page7
Trial Division
Improvement Don’t use multiples of 2,3,5 for “i”. Use only prime numbers for “i”.
Cannot reduce operational costs. This method can use at most 1030.
π(1015)=29,844,570,422,669 30T≒If one trial division can do in 50 clock
π(1015)×50[clock]÷3G[Hz] = 500K [sec] = 5.8[day]
page8
Difference of Squares
Algorithm Find x and y which implement x2-y2=n Factor n with x2-y2=(x+y)(x-y)
Demerit May not factor a number into prime numbers.
Merit Factor a large composite number into small numbers
Operational cost O(y)
page9
Improvement How about using “x2-y2≡0 (mod n)” ?
602-52≡0 (mod 143) 65⇒ ・ 55≡0 65 or 55 must have prime factor(s) of 143. GCD(65,143)=13, GCD(55,143)=11
How to find such x, y that implement “x2–y2≡0 (mod n)”? Find many (ai, bi) pairs that implement ai≡bi (mod n) Make a combination that implements Πai=x2, Πbi=y2
Difference of Squares
14 ・ 67≡ 3 mod 187 31 ・ 67≡20 mod 187 14 ・ 31≡60 mod 187(14 ・ 31 ・ 67 ) 2≡602 mod 187
page10
Difference of Squares
How can we find those numbers efficiently? Quadratic Sieve (QS)
Cf. Multiple Polynomial Quadratic Sieve (MPQS) General Number Field Sieve (GNFS)
page11
Quadratic Sieve Algorithm
1.for i = [√n]±1,2,… , factor i2-n into prime numbers(i2≡i2-n=p1p2p3…)
2.search a combination that make every exponent number even
3.x=Πi and y=√(Πprimes) implements x2-y2≡0
page12
n=3937, √n=62.7i=63 632≡632-n= 32=25
i=64 642≡642-n=159=3 ・ 53i=65 652≡652-n=288=25・ 32
i=66 662≡662-n=419=419i=67 672≡672-n=552=23・ 3 ・ 23
Quadratic Sieve Example
page13
n=3937, √n=62.7i=63 632≡632-n= 32=25
i=64 642≡642-n=159=3 ・ 53i=65 652≡652-n=288=25・ 32
i=66 662≡662-n=419=419i=67 672≡672-n=552=23・ 3 ・ 23( 63 ・ 65 ) 2≡210・ 32= ( 25・ 3 ) 2
∴GCD ( 63 ・ 65-25・ 3, n ) =31
Quadratic Sieve Example
page14
Quadratic Sieve
Operational costO(exp((9/8)(logn)1/2(loglogn)1/2))Now, QS is one of the fastest method to factor 30~60
decimal digit numbers. Make faster
Large prime factors appear rarelySmaller number has smaller primes.How can we get small numbers efficiently?
page15
n=3937, √n=62.7i=63 632≡632-n= 32=25
i=64 642≡642-n=159=3 ・ 53i=65 652≡652-n=288=25・ 32
i=66 662≡662-n=419=419i=67 672≡672-n=552=23・ 3 ・ 23( 63 ・ 65 ) 2≡210・ 32= ( 25・ 3 ) 2
∴ GCD ( 63 ・ 65-25・ 3, n ) =31
Quadratic Sieve Example
page16
Quadratic Sieve
Operational costO(exp((9/8)(logn)1/2(loglogn)1/2))Now, QS is one of the fastest method to factor 30~60
decimal digit numbers. Make faster
Large prime factors appear rarelySmaller number has smaller primes.How can we get small numbers efficiently?
page17
Quadratic Sieve
Make fasterMPQS (Multiple Polynomial QS) ; i2-n (ai+b)⇒ 2-nMPQS is the fastest to factor 60 ~ 120 digit numbers
QS MPQS
page18
General Number Field Sieve (GNFS)
Original “Number Field Sieve” was for special numbers Special Number Field Sieve (SNFS)⇒
Algorithm Polynomial definition step Sieving step Matrix solving step Making square root step
Operational costO(exp((64/9)1/3(logn)1/3(loglogn)2/3))[Cf. QS→O(exp((9/8)(logn)1/2(loglogn)1/2)) ]
page19
Contents
Introduction Factoring Methods Calculation Records Cryptosystem Security
page20
Calculation Records Factoring records
page21
Calculation Records
Factoring records1. 200 decimal digits number (RSA200)
Bonn university Algorithm : GNFS Sieving step
Various machines and time Dec 2003 ~ Oct 2004 ( 2.2GHz Opteron × 55 years)≒
Matrix step 80 × 2.2GHz Opteron (Cluster) × 3 months (Dec 2004 ~ )
May 2005 factoring completed
page22
Calculation Records
Factoring records2. 176 decimal digits number (A factor of 11281+1)
Yuji Kida (Rikkyo university) and NTT laboratory Algorithm : GNFS Sieving step
Various machines ( 3.2GHz Pentium4 × 9.7 years)≒ 16 Mar 2005 ~ 12 Apr 2005 (27days)
Matrix step 32 × 3.2GHz Pentium4 (Cluster) × 2.5 days
Apr 2005 factoring completed
page23
Contents
Introduction Factoring Methods Calculation Records Cryptosystem Security
page24
Cryptosystem Security
RSA use 1024 bit length key How long does it take to factor 1024bit number? 5.8×105 ~ 1.4×106 years(?) [Kida, 2003]
RSA Factoring Challenge 8 composite numbers (576 ~ 2048bit) to factor 576 bit number was factored (Dec 3, 2003) 200 decimal digit number (old problem) was factored 640 bit number is 193 decimal digit
page25
Cryptosystem Security
TWIRL Make sieving step of GNFS in device It will take 1 year to sieve 1024bit length number Not in practice yet
Quantum Computing Shor’s algorithm may run very fast Quantum computer is not in practice
page26
That’s All
Thank you