Quadratic Field Sieve

QFS


Matt Spear
Steven Guy
251959084756578934940271832400483985714292
821262040320277771378360436620207075955562
640185258807844069182906412495150821892985
591491761845028084891200728449926873928072
877767359714183472702618963750149718246911
650776133798590957000973304597488084284017
974291006424586918171951187461215151726546
322822168699875491824224336372590851418654
620435767984233871847744479207399342365848
238242811981638150106748104516603773060562
016196762561338441436038339044149526344321
901146575444541784240209246165157233507787
077498171257724679629263863563732899121548
314381678998850404453640235273819513786365
64391212010397122822120720357
Agenda
1. Introduction to sieves
2. Euclid's GCD in base 2
3. Definitions
4. Algorithms
5. RHO example
6. Factor Bases
7. QFS example
8. Introduction to MPQFS
Prime Number Sieve
Sieve of Eratosthenes
1. Start with all numbers greater than 1.
2. Divide all by the first number (striking out its multiples).
3. Repeat until no numbers are left to divide by, i.e. the last number is all that is left.
4. What remains are the prime numbers.
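The procedure above in Python, added here as an example (it is not code from the slides). sieve_of_eratosthenes returns the primes up to a limit; sieve_stages replays the slides that follow, returning the survivors after each prime has been used to strike out its multiples.

```python
def sieve_of_eratosthenes(limit):
    """Return all primes <= limit. Each surviving p strikes its multiples;
    striking starts at p*p because smaller multiples of p were already
    removed by a smaller prime, and p beyond sqrt(limit) strikes nothing new."""
    if limit < 2:
        return []
    is_candidate = bytearray([1]) * (limit + 1)
    is_candidate[0] = is_candidate[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if is_candidate[p]:
            is_candidate[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return [n for n in range(2, limit + 1) if is_candidate[n]]


def sieve_stages(limit):
    """Replay the slides: survivors after dividing by 2, then by 3, 5, ...
    Returns (prime used, survivors) pairs for every prime p with p*p <= limit,
    so the last stage is exactly the prime list."""
    survivors = list(range(2, limit + 1))
    stages = []
    p = 2
    while p * p <= limit:
        survivors = [n for n in survivors if n == p or n % p != 0]
        stages.append((p, survivors))
        p = next(n for n in survivors if n > p)   # next unstruck number
    return stages


if __name__ == "__main__":
    for p, left in sieve_stages(101):
        print(f"after dividing by {p}: {left}")
```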
Prime Number Sieve
Initial Sieve Space
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25 26 27 28 29 30 31
32 33 34 35 36 37 38 39 40 41 42 43 44
45 46 47 48 49 50 51 52 53 54 55 56 57
58 59 60 61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80 81 82 83
84 85 86 87 88 89 90 91 92 93 94 95 96
97 98 99 100 101
Prime Number Sieve
After dividing by two (struck-out numbers omitted):
2 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 73 75 77 79 81 83 85 87 89 91 93 95 97 99 101
Prime Number Sieve
After dividing by three:
2 3 5 7 11 13 17 19 23 25 29 31 35 37 41 43 47 49 53 55 59 61 65 67 71 73 77 79 83 85 89 91 95 97 101
Prime Number Sieve
After dividing by five:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 49 53 59 61 67 71 73 77 79 83 89 91 97 101
Prime Number Sieve
After all possible divisions:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101
Prime Numbers Less Than 1602
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79
83 89 97 101 103 107 109 113 127 131 137 139 149 151 157
163 167 173 179 181 191 193 197 199 211 223 227 229 233
239 241 251 257 263 269 271 277 281 283 293 307 311 313
317 331 337 347 349 353 359 367 373 379 383 389 397 401
409 419 421 431 433 439 443 449 457 461 463 467 479 487
491 499 503 509 521 523 541 547 557 563 569 571 577 587
593 599 601 607 613 617 619 631 641 643 647 653 659 661
673 677 683 691 701 709 719 727 733 739 743 751 757 761
769 773 787 797 809 811 821 823 827 829 839 853 857 859
863 877 881 883 887 907 911 919 929 937 941 947 953 967
971 977 983 991 997 1009 1013 1019 1021 1031 1033 1039
1049 1051 1061 1063 1069 1087 1091 1093 1097 1103 1109
1117 1123 1129 1151 1153 1163 1171 1181 1187 1193 1201
1213 1217 1223 1229 1231 1237 1249 1259 1277 1279 1283
1289 1291 1297 1301 1303 1307 1319 1321 1327 1361 1367
1373 1381 1399 1409 1423 1427 1429 1433 1439 1447 1451
1453 1459 1471 1481 1483 1487 1489 1493 1499 1511 1523
1531 1543 1549 1553 1559 1567 1571 1579 1583 1597 1601
Euclid's GCD Algorithm (Binary)
g := 1
while u is even && v is even
    u := u/2
    v := v/2
    g := 2*g
EndWhile
// now u or v (or both) is odd
while u > 0
    if u is even then u := u/2
    else if v is even then v := v/2
    else
        t := |u-v|/2
        if u < v then v := t else u := t EndIf
    EndIf
EndWhile
return g*v
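The same algorithm in Python, added as an example (not the slides' code). It follows the pseudocode line for line, adds a guard for a zero argument, which the pseudocode assumes away, and cross-checks itself against math.gcd; the two large test inputs are the differences and sums that appear in the n = 2279 factorisation later in the deck.

```python
from math import gcd


def binary_gcd(u, v):
    """Binary (Stein's) GCD as in the slide: shift the common factors of two
    into g, then keep halving whichever argument is even and replace the
    larger of two odd values by half their difference. gcd(u, v) is
    preserved by every step and the loop ends when u reaches 0."""
    u, v = abs(u), abs(v)
    if u == 0 or v == 0:          # gcd(0, v) = v; the pseudocode assumes u, v > 0
        return u | v
    g = 1
    while u % 2 == 0 and v % 2 == 0:
        u //= 2
        v //= 2
        g *= 2
    # now u or v (or both) is odd
    while u > 0:
        if u % 2 == 0:
            u //= 2
        elif v % 2 == 0:
            v //= 2
        else:
            t = abs(u - v) // 2   # both odd, so the difference is even
            if u < v:
                v = t
            else:
                u = t
    return g * v


def matches_math_gcd(limit):
    """True if binary_gcd agrees with math.gcd on every pair below limit."""
    return all(binary_gcd(a, b) == gcd(a, b)
               for a in range(limit) for b in range(limit))
```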
Groups
An algebraic structure (G, Δ) with one associative composition (operation) Δ.
- Contains a neutral element for Δ, and every element is invertible over Δ.
- Is Abelian if Δ is also commutative.
For example:
(N_n, +) (addition modulo n) is an abelian group with neutral element e = 0 and inverse of x equal to n − x.

Rings
An algebraic structure (A, +, ·) with (A, +) an abelian group and · an associative composition that distributes over +.
- Is a commutative ring if · is commutative.
For example:
(N_n, +_n, ·_n) is a commutative ring, called the ring of integers mod n.

Fields
A commutative ring in which every nonzero element possesses a · inverse (x · x* = 1).
- Is finite if the size of the field is finite.
For example:
Z/pZ is a finite field when p is a prime integer: the field of integers modulo p (F_p).
(If p is not prime, not every number has an inverse; e.g. if p = 10 then 2 has no inverse over ·.)

Quadratic Residues
The values n for which the equation x² ≡ n (mod p) has a solution.
- An element that is not the square of a number is a nonresidue.
For example:
In F_11 the residues are {1, 4, 9, 5, 3}, as 1² ≡ 1; 2² ≡ 4; 3² ≡ 9; 4² ≡ 5; 5² ≡ 3.
The nonresidues are {2, 6, 7, 8, 10}.

Legendre Symbol
Used to determine if a number is a quadratic residue.
- Defined as:

Legendre(a,p)
    if a ≡ 0 (mod p) then return 0 EndIf
    x := a, y := p, L := 1
    while true
        x := (x mod y)
        if x > y/2 then
            x := y − x
            if y ≡ 3 (mod 4) then L := −L EndIf
        EndIf
        if x = 0 then return −1 EndIf
        while x ≡ 0 (mod 4) x := x/4 EndWhile
        if x ≡ 0 (mod 2) then
            x := x/2
            t := (y mod 8)
            if t = 5 or t = 3 then L := −L EndIf
        EndIf
        if x = 1 then return L EndIf
        if x ≡ 3 (mod 4) and y ≡ 3 (mod 4) then L := −L EndIf
        t := x, x := y, y := t
    EndWhile
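The Legendre pseudocode above in Python, added as an example (not the slides' code), together with Euler's criterion a^((p−1)/2) mod p as an independent oracle for checking it. residues(p) then reproduces the residue set of the Quadratic Residues slide for F_11, so one block serves both slides.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, following the slide's steps:
    reduce a mod p, fold into the lower half using (-1/y), strip powers of 4,
    strip one factor 2 using (2/y), then apply quadratic reciprocity and swap."""
    if a % p == 0:
        return 0
    x, y, L = a, p, 1
    while True:
        x %= y
        if x > y // 2:                  # replace x by y - x; (-1/y) = -1 iff y ≡ 3 (mod 4)
            x = y - x
            if y % 4 == 3:
                L = -L
        if x == 0:                      # unreachable for prime p with p not dividing a; kept as in the slide
            return -1
        while x % 4 == 0:               # (4/y) = 1, so powers of 4 drop out
            x //= 4
        if x % 2 == 0:                  # (2/y) = -1 iff y ≡ 3 or 5 (mod 8)
            x //= 2
            if y % 8 in (3, 5):
                L = -L
        if x == 1:
            return L
        if x % 4 == 3 and y % 4 == 3:   # quadratic reciprocity: both ≡ 3 (mod 4) flips the sign
            L = -L
        x, y = y, x


def euler_criterion(a, p):
    """Independent check: a^((p-1)/2) is 1 for residues, p-1 (i.e. -1) for non-residues."""
    r = pow(a % p, (p - 1) // 2, p)
    return 0 if r == 0 else (-1 if r == p - 1 else 1)


def residues(p):
    """The quadratic residues of F_p, as on the Quadratic Residues slide."""
    return sorted(a for a in range(1, p) if legendre(a, p) == 1)


if __name__ == "__main__":
    print("residues mod 11:", residues(11))
```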
Square Root Modulo p

Sometimes it is useful to find an x such that x² ≡ n (mod p); there are two methods for finding such an x:
1. Iterate over the subset 0 < x < (p − 1)/2.
2. Use the Shanks-Tonelli algorithm:
Shanks-Tonelli(a,p)
    Choose random n until legendre(n,p) = −1
    Find e,q such that p − 1 = 2^e · q and q is odd
    y := (n^q mod p), r := e, x := a^((q − 1)/2) (mod p), b := a · x² (mod p), x := a · x
    While b ≠ 1 (mod p)
        Find smallest m such that b^(2^m) ≡ 1 (mod p)
        t := y^(2^(r−m−1)) (mod p), y := t² (mod p), r := m, x := x · t (mod p), b := b · y (mod p)
    EndWhile
    Return x
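The Shanks-Tonelli pseudocode above in Python, added as an example (not the slides' code). Two departures from the slide are assumptions of this example: the non-residue n is found deterministically by scanning 2, 3, … rather than at random, and Euler's criterion stands in for the Legendre routine. The checks use the residues of the worked example n = 2279 modulo the base primes 5, 7, 13, 17 that appear later in the deck, plus a full sweep over F_41 (where p − 1 has three factors of 2, so the inner loop runs more than once).

```python
def is_residue(a, p):
    """Euler's criterion stand-in for legendre(a, p) == 1 (p an odd prime)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def shanks_tonelli(a, p):
    """Return one square root of a modulo the odd prime p, following the slide's steps.
    Raises ValueError when a is a non-residue (no root exists)."""
    a %= p
    if a == 0:
        return 0
    if not is_residue(a, p):
        raise ValueError(f"{a} is not a quadratic residue mod {p}")
    n = 2                                   # first non-residue (deterministic choice)
    while is_residue(n, p):
        n += 1
    e, q = 0, p - 1                         # p - 1 = 2^e * q with q odd
    while q % 2 == 0:
        e += 1
        q //= 2
    y = pow(n, q, p)                        # element of order exactly 2^e
    r = e
    x = pow(a, (q - 1) // 2, p)
    b = a * x * x % p                       # b = a^q has order 2^m with m < r
    x = a * x % p                           # x = a^((q+1)/2); x^2 = a * b
    while b % p != 1:
        m, bb = 0, b                        # smallest m with b^(2^m) ≡ 1
        while bb != 1:
            bb = bb * bb % p
            m += 1
        t = pow(y, 1 << (r - m - 1), p)     # t^2 has order 2^m, cancelling b's order
        y = t * t % p
        r = m
        x = x * t % p
        b = b * y % p
    return x


def both_roots(a, p):
    """The two roots ±x of x^2 ≡ a (mod p), sorted."""
    x = shanks_tonelli(a, p)
    return tuple(sorted({x, (-x) % p}))
```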
RHO Derivation
Use the fact that any odd n є N+ with n > 2 can be represented as x² − y²; therefore any composite n = x² − y² = p · q. Try to find x such that x² ≡ y² (mod n).
This follows simply from the definition of mod: n = x² − y² ⇒ x² = n + y², and as mod returns the r with x² = r + a · n (here a = 1 and r = y²) ⇒ x² ≡ y² (mod n).

RHO Algorithm

Basis for most algorithms (including both QFS and NFS).
1. Set ƒ_{i+1}(x) = a · x² + b · x + c with a, b, c є N+.
2. Set ƒ_0(x) = 1, 2 or some small integer.
3. Compute ƒ_i(x) until gcd(ƒ_{i+1} − ƒ_i, n) ≠ 1.
4. This number will be a factor of n.
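Pollard's rho as it is usually implemented, added as an example (not the slides' code): f(x) = x² + c is the slide's a · x² + b · x + c with a = 1, b = 0, and instead of consecutive iterates the gcd is taken of the difference between a slow and a doubly-stepped fast iterate (Floyd's cycle detection), which is what makes the collision mod a factor show up. The retry loop over c handles the failure case where the gcd comes back as n itself.

```python
from math import gcd


def pollard_rho(n, c=1, x0=2, max_iter=10**6):
    """One run of Pollard's rho on n with f(x) = x^2 + c mod n and Floyd cycle detection.
    Returns a non-trivial factor, or None if the run degenerates (gcd == n) or runs out."""
    if n % 2 == 0:
        return 2
    x = y = x0
    for _ in range(max_iter):
        x = (x * x + c) % n                 # tortoise: one step
        y = (y * y + c) % n                 # hare: two steps
        y = (y * y + c) % n
        g = gcd(abs(x - y), n)              # x ≡ y mod some prime factor long before mod n
        if g == n:
            return None                     # collided mod every factor at once; try another c
        if g > 1:
            return g
    return None


def factor_with_rho(n, tries=50):
    """Retry with c = 1, 2, ... until a split is found; returns (p, q) with p*q == n."""
    for c in range(1, tries + 1):
        g = pollard_rho(n, c)
        if g:
            return g, n // g
    return None


if __name__ == "__main__":
    print(factor_with_rho(2279))
```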
RHO Running Time

With a high probability RHO will find a
factor in
bit operations

Much faster than trial division
Factor Bases

- A set of prime integers, one of which may be −1 (B = {p_1, p_2, …, p_k}).
- An integer is smooth over B iff all of its prime factors are in B.
- The least absolute residue is (x² mod n) taken in the interval (−n/2, n/2).
- An integer is a B-number iff its least absolute residue (LAR) is smooth over B.
For example:
B = {−1, 2, 3, 5}, n = 336, a = 8, b = 5, c = 9
LAR(a) = 64 = 2⁶, LAR(b) = 25 = 5², LAR(c) = 81 = 3⁴; these are B-numbers.
a = {0,6,0,0}, b = {0,0,0,2}, c = {0,0,4,0}, therefore {b,c} is linearly dependent over B mod 2 and gcd(b + c, n) = 14, a factor of n.
QFS
Quadratic Field Sieve
- A fast method for factoring large numbers less than 110 digits long.
- Relies on algebraic number theory.
- Discovered by Pomerance in the early 1980s.
- Uses the ideas of RHO and Factor Bases.
- Uses a sieve similar to the prime number sieve shown earlier.
- We shall denote floor(x) as [x] in the following.
QFS
1. Set P :=
2. Set A := P³
3. Make a matrix with row 1 all primes less than P such that legendre(n, p_i) = 1 (if not, discard p_i).
4. Make column 1 all t in the range ([√n] + 1, [√n] + A).
5. Make column 2 t² − n for all t.
6. For all the odd p (2 gets handled specially) solve the equation t² ≡ n (mod p^Θ) for Θ = 1, 2, … until there is no solution in the range of column 1.
7. Let t_1, t_2 be the last pair of integers that satisfied the equation.
8. For each element of column 2, if t differs from t_1 by a multiple of p, place a 1 in the (row, column); repeat for p², p³, …, p^Θ, except change the 1 to 2, 3, …, Θ.
9. Each time a 1 is placed or changed, replace the t² − n by (t² − n)/p.
10. For p = 2: if n ≡ 1 (mod 8) treat 2 as above, otherwise simply place a 1 next to all odd t and replace the t² − n by (t² − n)/2.
11. Remove all rows where the t² − n has not become 1.
12. As with Factor Bases, find a linearly dependent subset of the rows (mod 2); we shall denote this {t_1, t_2, …, t_k} and the corresponding prime factors for each t_i as {p_1^Θ_1, p_2^Θ_2, …, p_h^Θ_h}, where Θ_i is the number in the (row, column) specified by t_i, p_j.
13. For this subset check that
14. Where B_Ψ is the sum of the Θ_i in the Base vectors divided by 2. Once a set has been found verify that
15. If so then
will be a non-trivial factor of n.
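Steps 1 to 15 as a compact Python implementation, added here as an example (not the authors' code); it also serves the Factor Bases slide, since smoothness, exponent vectors and the dependency search mod 2 are the same machinery. Assumptions of this example: the factor-base bound and the interval length A are plain parameters (the slides' P and A; bound 20 reproduces the base {2, 5, 7, 13, 17} of the worked example that follows), the roots of t² ≡ n (mod p) are found by brute force instead of Shanks-Tonelli (fine for a small base), full powers p^Θ are divided out at each matching t, 2 is handled by the same root walk (for odd n that is exactly "the odd t"), and the dependent subset is found by Gaussian elimination over GF(2).

```python
from math import gcd, isqrt


def legendre(a, p):
    """Euler's criterion stand-in for the Legendre symbol (p an odd prime)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def factor_base(n, bound):
    """Step 3: 2 plus every odd prime p < bound with legendre(n, p) = 1."""
    base = [2]
    for p in range(3, bound, 2):
        if all(p % d for d in range(3, isqrt(p) + 1, 2)) and legendre(n, p) == 1:
            base.append(p)
    return base


def sieve_relations(n, base, A):
    """Steps 4-11: t in ([sqrt n]+1, [sqrt n]+A); for each base prime walk the t that
    solve t^2 ≡ n (mod p) and divide the full power p^Θ out of t^2 - n, recording Θ.
    Returns (t, exponent vector) for every row whose t^2 - n was divided down to 1."""
    t0 = isqrt(n) + 1
    ts = list(range(t0, t0 + A))
    work = [t * t - n for t in ts]
    expo = [[0] * len(base) for _ in ts]
    for j, p in enumerate(base):
        roots = [r for r in range(p) if (r * r - n) % p == 0]   # brute force; p is small
        for r in roots:
            for i in range((r - t0) % p, A, p):     # every t in the interval with t ≡ r (mod p)
                while work[i] % p == 0:
                    work[i] //= p
                    expo[i][j] += 1
    return [(t, e) for t, w, e in zip(ts, work, expo) if w == 1]


def dependencies(rows):
    """Step 12: Gaussian elimination over GF(2) on the exponent vectors (mod 2);
    yields index subsets whose vectors sum to zero mod 2, i.e. whose product is a square."""
    vecs = [sum((e & 1) << j for j, e in enumerate(row)) for row in rows]
    pivots = {}                                 # leading bit -> (reduced vector, row mask)
    for i, v in enumerate(vecs):
        mask = 1 << i
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = (v, mask)
                break
            pv, pm = pivots[hb]
            v ^= pv
            mask ^= pm
        else:                                   # v reduced to zero: mask is a dependency
            yield [k for k in range(len(rows)) if mask >> k & 1]


def qs_factor(n, bound, A):
    """Steps 13-15: for a dependent subset, x = Π t_i and y = Π p_j^(Σ Θ_ij / 2) give
    x^2 ≡ y^2 (mod n); gcd(x - y, n) is tried, skipping trivial splits."""
    base = factor_base(n, bound)
    rels = sieve_relations(n, base, A)
    for subset in dependencies([e for _, e in rels]):
        x, y = 1, 1
        for i in subset:
            x = x * rels[i][0] % n
        theta_sum = [sum(rels[i][1][j] for i in subset) for j in range(len(base))]
        for p, s in zip(base, theta_sum):
            y = y * pow(p, s // 2, n) % n        # s is even by construction (the slides' B_Ψ)
        g = gcd(x - y, n)
        if 1 < g < n:
            return g, n // g
    return None                                 # enlarge the base or A and try again


if __name__ == "__main__":
    print(factor_base(2279, 20), sieve_relations(2279, factor_base(2279, 20), 20))
    print(qs_factor(2279, 20, 20))
```

With n = 2279, bound 20 and A = 20 the six fully factored rows are t = 48, 50, 52, 54, 63, 67, matching the table on the following slides; the first dependency the elimination finds is the single row t = 48 (48² − 2279 = 25 = 5², all exponents even), and gcd(48 − 5, 2279) = 43 already splits n.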
QFS Example (n = 2279)
N = 2279, [sqrt(N)] = 47, P = 10, A = 20
Factor base (2 and the primes p with L(N) = legendre(N, p) = 1): 2, 5, 7, 13, 17

Initial table: t, t² − n, and the working copy of t² − n that the sieve divides down.
t    t²−n   working
48   25     25
49   122    122
50   221    221
51   322    322
52   425    425
53   530    530
54   637    637
55   746    746
56   857    857
57   970    970
58   1085   1085
59   1202   1202
60   1321   1321
61   1442   1442
62   1565   1565
63   1690   1690
64   1817   1817
65   1946   1946
66   2077   2077
67   2210   2210

QFS Example (n = 2279)
After sieving by 17 (a 1 goes in the 17 column of each of these rows):
t = 50: 221 → 13; t = 52: 425 → 25; t = 67: 2210 → 130

QFS Example (n = 2279)
After sieving by 13:
t = 50: 13 → 1 (13¹); t = 54: 637 → 49 (13¹); t = 63: 1690 → 10 (13²); t = 67: 130 → 10 (13¹)

QFS Example (n = 2279)
After sieving by 7:
t = 54: 49 → 1 (7²); t = 58: 1085 → 155 (7¹)

QFS Example (n = 2279)
After sieving by 5:
t = 48: 25 → 1 (5²); t = 52: 25 → 1 (5²); t = 58: 155 → 31 (5¹); t = 63: 10 → 2 (5¹); t = 67: 10 → 2 (5¹)

QFS Example (n = 2279)
On 2: check 2279 ≡ 7 (mod 8); good, it is the easier case, so a 1 goes next to the odd t:
t = 63: 2 → 1 (2¹); t = 67: 2 → 1 (2¹)

After all divisions, the rows whose working value reached 1, with their exponents:
t    t²−n   2  5  7  13  17
48   25     0  2  0  0   0
50   221    0  0  0  1   1
52   425    0  2  0  0   1
54   637    0  0  2  1   0
63   1690   1  1  0  2   0
67   2210   1  1  0  1   1
The remaining rows (t = 49, 51, 53, 55 to 62, 64 to 66) did not reach 1 and are removed.
QFS Example (n = 2279)
Looking at the table it is obvious that rows 48, 50, 52, 54 are linearly dependent mod 2.
- (48 · 50 · 52 · 54)² ≡ (5² · 7 · 13 · 17)² (mod 2279)
- Therefore gcd((48 · 50 · 52 · 54) − (5² · 7 · 13 · 17), 2279) is a factor, namely 53.
- gcd((48 · 50 · 52 · 54) + (5² · 7 · 13 · 17), 2279) is the other factor, namely 43.
- It never hurts to double check, so 53 · 43 = 2279.
YAY We Factored 2279!!

QFS Running Time

- Runs in time
- Requires approximately an equivalent amount of space.
- Faster than RHO as the function is between polynomial in log(n) and polynomial in n.

MPQFS
Multiple Polynomial QFS
- Allows for simple parallel processing of the QFS.
- Same algorithm except it uses multiple polynomials of the form Q(x) := a · x² + b · x + c, where a is the square of an integer, b is in the interval [0, a) such that b² ≡ a (mod n), and c := b²/(4 · a).
- Doing so reduces the size of the Factor Base and of the sieving interval for each Q(x), and the Q(x) can be run simultaneously.
