Prime Numbers
.pdf
6.3 Rigorous factoring |
301 |
allows one to use the same complexity estimates that one would have if one had sieved instead.
Assuming that about a total of B2 pairs a, b are put into the linear form a − bm, at the end, a total of B2k pairs of the linear form and the norm form of a polynomial are checked for simultaneous smoothness (the first being B-smooth, the second B/k-smooth). If the parameters are chosen so that at most B2/k pairs a, b survive the first sieve, then the total time spent is not much more than B2 total. This savings leads to a lower complexity in NFS. Coppersmith gives a heuristic argument that with an optimal choice of
parameters the running time to factor n is exp |
(c + o(1))(ln n)1/3 |
(ln ln n) |
2/3 |
, |
|||||
where |
1 |
92 + 26√ |
|
|
1/3 |
|
|
|
|
c = |
|
13 |
|
≈ 1.9019. |
|
|
|
||
3 |
|
|
|
|
|||||
This compares with the value c = (64/9)1/3 ≈ 1.9230 for the NFS as described in Algorithm 6.2.5. As mentioned previously, the smaller c in Coppersmith’s method is o set by a “fatter” o(1). This secondary factor likely makes the crossover point, after which Coppersmith’s variant is superior, in the thousands of digits. Before we reach this point, NFS will probably have been replaced by far better methods. Nevertheless, Coppersmith’s variant of NFS currently stands as the asymptotically fastest heuristic factoring method known.
There may yet be some practical advantage to using many polynomials. For a discussion, see [Elkenbracht-Huizing 1997].
6.3 Rigorous factoring
None of the factoring methods discussed so far in this chapter are rigorous. However, the subexponential ECM, discussed in the next chapter, comes close to being rigorous. Assuming a reasonable conjecture about the distribution in short intervals of smooth numbers, [Lenstra 1987] shows that ECM is
expected to find the least prime factor p of the composite number n in
√
exp((2 + o(1)) ln p ln ln p) arithmetic operations with integers the size of n, the “o(1)” term tending to 0 as p → ∞. Thus, ECM requires only one heuristic “leap.” In contrast, QS and NFS seem to require several heuristic leaps in their analyses.
It is of interest to see what is the fastest factoring algorithm that we can rigorously analyze. This is not necessarily of practical value, but seems to be
required by the dignity of the subject! |
|
|
|
|
The first issue |
one might address |
is whether a |
factoring |
algorithm |
is deterministic or |
probabilistic. Since |
randomness |
is such a |
powerful |
tool, we would expect to see lower complexity records for probabilistic factoring algorithms over deterministic ones, and indeed we do. The fastest deterministic factoring algorithm that has been rigorously analyzed is the Pollard–Strassen method. This uses fast polynomial evaluation techniques as discussed in Section 5.5, where the running time to factor n is seen to be
O n1/4+o(1) .
302 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
Assuming the ERH, see Conjecture 1.4.2, an algorithm of Shanks deterministically factors n in a running-time bound of O(n1/5+o(1)). This method is described in Section 5.6.4.
That is it for rigorous, deterministic methods. What, then, of probabilistic methods? The first subexponential probabilistic factoring algorithm with a completely rigorous analysis was the “random-squares method” of J. Dixon; see [Dixon 1981]. His algorithm is to take random integers r in [1, n], looking for those where r2 mod n is smooth. If enough are found, then congruent squares can be assembled, as in QS, and so a factorization of n may be attempted. The randomness of the numbers r that are used allows one to say rigorously how frequently the residues r2 mod n are smooth, and how likely the congruent squares assembled lead to a nontrivial factorization of n. Dixon
showed that the expected running time for his algorithm to split n is bounded |
||
by exp (c + o(1))√ln n ln ln n , where c = √8. Subsequent improvements by |
||
Pomerance |
and later by B. Vall´ee |
lowered c to 4/3. |
The current lowest running-time bound for a rigorous probabilistic
√
factoring algorithm is exp((1 + o(1)) ln n ln ln n). This is achieved by the “class-group-relations method” of [Lenstra and Pomerance 1992]. Previously, this time bound was achieved by A. Lenstra for a very similar algorithm, but the analysis required the use of the ERH. It is interesting that this time bound is exactly the same as that heuristically achieved by QS. Again the devil is in the “o(1),” making the class-group-relations method impractical in comparison.
It is interesting that both the improved versions of the random-squares method and the class-group-relations method use ECM as a subroutine to quickly recognize smooth numbers. One might well wonder how a not-yet- rigorously analyzed algorithm can be used as a subroutine in a rigorous algorithm. The answer is that one need not show that the subroutine always works, just that it works frequently enough to be of use. It can be shown rigorously that ECM recognizes most y-smooth numbers below x in yo(1) ln x arithmetic operations with integers the size of x. There may be some exceptional numbers that are stubborn for ECM, but they are provably rare.
Concerning the issue of smoothness tests, a probabilistic algorithm announced in [Lenstra et al. 1993b] recognizes all y-smooth numbers n in yo(1) ln n arithmetic operations. That is, it performs similarly as ECM, but unlike ECM, the complexity estimate is completely rigorous and there are provably no exceptional numbers.
6.4Index-calculus method for discrete logarithms
In Chapter 5 we described some general algorithms for the computation of discrete logarithms that work in virtually any cyclic group for which we can represent group elements on a computer and perform the group operation. These exponential-time algorithms have the number of steps being about the square root of the group order. In certain specific groups we have more
6.4 Index-calculus method for discrete logarithms |
303 |
information that might be used profitably for DL computations. We have seen in this chapter the ubiquitous role of smooth numbers as an aid to factorization. In some groups sense can be made of saying that a group element is smooth, and when this is the case, it is often possible to perform DLs via a subexponential algorithm. The basic idea is embodied in the index-calculus method.
We first describe the index-calculus method for the multiplicative group of the finite field Fp, where p is prime. Later we shall see how the method can be used for all finite fields.
The fact that subexponential methods exist for solving DLs in the multiplicative group of a finite field have led cryptographers to use other groups, the most popular being elliptic-curve groups; see Chapter 7.
6.4.1Discrete logarithms in prime finite fields
Consider the multiplicative group Fp, where p is a large prime. This group is cyclic, a generator being known as a primitive root (Definition 2.2.6). Suppose g is a primitive root and t is an element of the group. The DL problem for Fp is, given p, g, t to find an integer l with gl = t. Actually, l is not well-defined by this equation, the integers l that work form a residue class modulo p − 1. We write l ≡ logg t (mod p − 1).
What makes the index-calculus method work in Fp is that we do not have to think of g and t as abstract group elements, but rather as integers, and we may think of the equation gl = t as the congruence gl ≡ t (mod p). The index-calculus method consists of two principal stages. The first stage involves gathering “relations.” These are congruences gr ≡ pr11 · · · prkk (mod p), where p1, . . . , pk are small prime numbers. Such a congruence gives rise to a congruence of discrete logarithms:
r ≡ r1 logg p1 + · · · + rk logg pk (mod p − 1).
If there are enough of these relations, it may then be possible to use linear algebra to solve for the various logg pi. After this precomputation, which is the heart of the method, the final discrete logarithm of t is relatively simple. If one has a relation of the form gRt ≡ pτ11 · · · pτkk (mod p), then we have that
logg t ≡ −R + τ1 logg p1 + · · · + logg pk (mod p − 1).
Both kinds of relations are found via random choices for the numbers r, R. A choice for r gives rise to some residue gr mod p, which may or may not factor completely over the small primes p1, . . . , pk. Similarly, a choice for R gives rise to the residue gRt mod p. By taking residues closest to 0 and allowing a factor −1 in a prime factorization, a small gain is realized. Note that we do not have to solve for the discrete logarithm of −1; it is already known as (p − 1)/2. We summarize the index-calculus method for Fp in the following pseudocode.
304 |
Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS |
Algorithm 6.4.1 (Index-calculus method for Fp). We are given a prime p, a primitive root g, and a nonzero residue t (mod p). This probabilistic algorithm attempts to find logg t.
1. [Set smoothness bound]
Choose a smoothness bound B; // See text for reasonable B choices. Find the primes p1, . . . , pk in [1, B];
2. [Search for general relations]
Choose random integers r in [1, p−2] until B cases are found with gr mod p being B-smooth;
//It is slightly better to use the residue of gr mod p closest to 0.
3.[Linear algebra]
By some method of linear algebra, use the relations found to solve for logg p1, . . . , logg pk;
4. [Search for a special relation]
Choose random integers R in [1, p − 2] and find the residue closest to 0 of gRt (mod p) until one is found with this residue being B-smooth;
Use the special relation found together with the values of logg p1,. . .,logg pk found in Step [Linear algebra] to find logg t;
This brief description raises several questions:
(1)How does one determine whether a number is B-smooth?
(2)How does one do linear algebra modulo the composite number p − 1?
(3)Are B relations an appropriate number so that there is a reasonable chance of success in Step [Linear algebra]?
(4)What is a good choice for B?
(5)What is the complexity of this method, and is it really subexponential?
On question (1), there are several options including trial division, the Pollard rho method (Algorithm 5.2.1), and the elliptic curve method (Algorithm 7.4.2). Which method one employs a ects the overall complexity, but with any of these methods, the index-calculus method is subexponential.
It is a bit tricky doing matrix algebra over Zn with n composite. In Step [Linear algebra] we are asked to do this with n = p − 1, which is composite for all primes p > 3. As with solving polynomial congruences, one idea is to reduce the problem to prime moduli. Matrix algebra over Zq with q prime is just matrix algebra over a finite field, and the usual Gaussian methods work, as well as do various faster methods. As with polynomial congruences, one can also employ Hensel-type methods for matrix algebra modulo prime powers, and Chinese remainder methods for gluing powers of di erent primes. In addition, one does not have to work all that hard at the factorization. If some large factor of p − 1 is actually composite and di cult to factor further, one can proceed with the matrix algebra modulo this factor as if it were prime. If one is called to invert a nonzero residue, usually one will be successful, but if not, a factorization is found for free. So either one is successful in the matrix
6.4 Index-calculus method for discrete logarithms |
305 |
algebra, which is the primary goal, or one gets a factorization of the modulus, and so can restart the matrix algebra with the finer factors one has found.
Regarding question (3), it is likely that with somewhat more than π(B) relations of the form gr ≡ pr11 · · · prkk (mod p), where p1, . . . , pk are all of the primes in [1, B], that the various exponent vectors (r1, . . . , rk) found span the module Zkp−1. So obtaining B of these vectors is a bit of overkill. In addition, it is not even necessary that the vectors span the complete module, but only that the vector corresponding to the relation found in step [Search for a special relation] be in the submodule generated by them. This idea, then, would make the separate solutions for logg pi in Step [Linear algebra] unnecessary; namely, one would do the linear algebra only after the special relation is found.
The final two questions above can be answered together. Just as with the analysis of some of the factorization methods, we find that an asymptotically optimal choice for B is of the shape L(p)c, where L(p) is defined in (6.1). If
a fast smoothness test is used, such as the elliptic curve method, we would
√ √
choose c = 1/ 2, and end up with a total complexity of L(p) 2+o(1). If a slow smoothness test is used, such as trial division, a smaller value of c should be chosen, namely c = 1/2, leading to a total complexity of L(p)2+o(1). If a smoothness test is used that is of intermediate complexity, one is led to an intermediate value of c and an intermediate total complexity.
At finite levels, the asymptotic analysis is only a rough guide, and good choices should be chosen by the implementer following some trial runs. For details on the index-calculus method for prime finite fields, see [Pomerance 1987b].
6.4.2Discrete logarithms via smooth polynomials and smooth algebraic integers
What makes the index-calculus method successful, or even possible, for Fp is that we may think of Fp as Zp, and thus represent group elements with integers. It is not true that Fpd is isomorphic to Zpd when d > 1, and so there is no convenient way to represent elements of nonprime finite fields with integers. As we saw in Section 2.2.2, we may view Fpd as the quotient ring Zp[x]/(f (x)), where f (x) is an irreducible polynomial in Zp[x] of degree d. Thus, we may identify to each member of Fpd a nonzero polynomial in Zp[x] of degree less than d.
The polynomial ring Zp[x] is like the ring of integers Z in many ways. Both are unique factorization domains, where the “primes” of Zp[x] are the monic irreducible polynomials of positive degree. Both have only finitely many invertible elements (the residues 1, 2, . . . , p − 1 modulo p in the former case, and the integers ±1 in the latter case), and both rings have a concept of size. Indeed, though Zp[x] is not an ordered ring, we nevertheless have a rudimentary concept of size via the degree of a polynomial. And so, we have a concept of “smoothness” for a polynomial: We say that a polynomial is b- smooth if each of its irreducible factors has degree at most b. We even have a theorem analogous to (1.44): The fraction of b-smooth polynomials in Zp[x]
6.5 Exercises |
307 |
a nontrivial coprime factorization of n; that is, finding coprime integers A, B, both larger than 1, with n = AB.
6.2.Show that if n is odd, composite, and not a power, then at least
half of the pairs x, y with 0 ≤ x, y < n and x2 ≡ y2 (mod n) have 1 < gcd(x − y, n) < n.
6.3. Sometimes when one uses QS, the number n to be factored is replaced with kn for a small integer k. Though using a multiplier increases the magnitude of the residues being sieved for smoothness, there can be significant compensation. It can happen that k skews the set of sieving primes to favor smaller primes. Investigate the choice of a multiplier for using QS to factor
n = 1883199855619205203.
In particular, compare the time for factoring this number n with the time for factoring 3n. (That is, the number 3n is given to the algorithm which should eventually come up with a factorization 3n = ab where 3 < a < b.) Next, investigate the choice of multiplier for using QS to factor
n = 21565941721999797939843713963.
(If you are interested in actual program construction, see Exercise 6.14 for implementation issues.)
6.4. There are numerous factoring methods exploiting the idea of “small squares” as it is enunciated at the beginning of the chapter. While the QS and NFS are powerful manifestations of the idea, there are other, not so powerful, but interesting, methods that employ side factorizations of small residues, with eventual linear combination as in our QS discussion. One of the earlier methods of the class is the Brillhart–Morrison continued-fraction method (see
[Cohen 2000] for a concise summary), which involves using the continued |
||||||||||||||
fraction expansion of |
√ |
|
(or |
√ |
|
for a small integer k) for the generation of |
||||||||
|
kn |
|||||||||||||
n |
||||||||||||||
many congruences Q |
≡ |
x2 |
(mod n) with Q =x |
2 |
O(√ |
|
). One attempts |
|||||||
n |
||||||||||||||
|
|
|
|
, |Q| = 2 |
≡ v |
2 |
(mod n). An |
|||||||
to factor the numbers |
Q to construct instances of u |
|
||||||||||||
early triumph of this method was the 1974 demolition of F7 by Brillhart and Morrison (see Table 1.3). In the size of the quadratic residues Q that are formed, the method is somewhat superior to QS. However, the sequence of numbers Q does not appear to be amenable to a sieve, so practitioners of the continued-fraction method have been forced to spend a fair amount of time per Q value, even though most of the Q are ultimately discarded for not being su ciently smooth.
We shall not delve into the continued-fraction method further. Instead, we list here various tasks and questions intended to exemplify—through practice, algebra, and perhaps some entertainment!—the creation and use of “small squares” modulo a given n to be factored. We shall focus below on special numbers such as the Fermat numbers n = Fk = 22k + 1 or Mersenne numbers n = Mq = 2q − 1 because the manipulations are easier in many respects for
308 |
Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS |
such special forms; but, like the mighty NFS, the notions can for the most part be extended to more general composite n.
(1) Use the explicit congruences
2588837172 mod M29 = −2 · 3 · 5 · 292, 3010361802 mod M29 = −3 · 5 · 11 · 79, 1266419592 mod M29 = 2 · 32 · 11 · 79,
to create an appropriate nontrivial congruence u2 ≡ v2 and thereby
discover a factor of M29.
√
(2) It turns out that 2 exists modulo each of the special numbers n = Fk, k ≥ 2, and the numbers n = Mq , q ≥ 3; and remarkably, one can give explicit such roots whether or not n is composite. To this end, show that
23·2k−2 − 22k−2 , 2(q+1)/2
are square roots of 2 in the respective Fermat, Mersenne cases. In addition, give an explicit, primitive fourth root of (−1) for the Fermat cases, and an explicit ((q mod 4)-dependent) fourth root of 2 in the Mersenne cases. Incidentally, these observations have actual application: One can now
remove any power of 2 in a squared residue, because there is now a closed
√
form for 2k; likewise in the Fermat cases factors of (−1) in squared residues can be removed.
(3) Using ideas from the previous item, prove “by hand” the congruence
2(26 − 8)2 ≡ (26 + 1)2 (mod M11),
and infer from this the factorization of M11.
(4)It is a lucky fact that for a certain ω, a primitive fourth root of 2 modulo M43, we have
2704ω2 − 3 2 mod M43 = 23 · 34 · 432 · 26992.
Use this fact to discover a factor of M43.
(5)For ω a primitive fourth root of −1 modulo Fk, k ≥ 2, and with given integers a, b, c, d, set
x = a + bω + cω2 + dω3.
It is of interest that certain choices of a, b, c, d automatically give small squares—one might call them small “symbolic squares”—for any of the Fk indicated. Show that if we adopt a constraint
ad + bc = 0
then x2 mod Fk can be written as a polynomial in ω with degree less than 3. Thus for example
−6 + 12ω + 4ω2 + 8ω3 2 ≡ 4(8ω2 − 52ω − 43),
6.5 Exercises |
309 |
and furthermore, the coe cients in this congruence hold uniformly across all the Fermat numbers indicated (except that ω, of course, depends on the Fermat number). Using these ideas, provide a lower bound, for a given constant K, on how many “symbolic squares” can be found with
|x2 mod Fk| < K Fk.
Then provide a similar estimate for small squares modulo Mersenne numbers Mq .
(6)Pursuant to the previous item, investigate this kind of factoring for more general odd composites N = ω4 + 1 using the square of a fixed cubic form,
e.g.
x = −16 + 8ω + 2ω2 + ω3,
along the following lines. Argue that (−1) is always a square modulo N ,
and also that
x2 ≡ 236 − 260ω − ω2 (mod N ).
In this way discover a proper factor of
N = 16452725990417
by finding a certain square that is congruent, nontrivially, to x2. Of course, the factorization of this particular N is easily done in other ways, but the example shows that certain forms ω4 + 1 are immediately susceptible to the present, small-squares formalism. Investigate, then, ways to juggle the coe cients of x in such a way that a host of other numbers N = ω4 + 1 become susceptible.
Related ideas on creating small squares, for factoring certain cubic forms, appear in [Zhang 1998].
6.5.Suppose you were in possession of a device such that if you give it a positive integer n and an integer a in [1, n], you are told one solution to x2 ≡ a (mod n) if such a solution exists, or told that no solution exists if this is the case. If the congruence has several solutions, the device picks one of these by some method unknown to you. Assume that the device takes polynomial time to do its work; that is, the time it takes to present its answer is bounded by a constant times a fixed power of the logarithm of n. Show how, armed with such a device, one can factor via a probabilistic algorithm with expected running time being polynomial. Conversely, show that if you can factor in polynomial time, then you can build such a device.
6.6.Suppose you had a magic algorithm that given an N to be factored could routinely (and quickly, say in polynomial time per instance) find integers x
satisfying |
√N < x < N − |
√N , x2 mod N < N α, |
|
for some fixed α. (Note that the continued-fraction method and the quadratic sieve do this essentially for α ≈ 1/2.) Assume, furthermore, that these “small
310 |
Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS |
square” congruences each require O(lnβ N ) operations to discover. Give the (heuristic) complexity, then, for factoring via this magic algorithm.
6.7. A Gray code is a sequence of k-bit binary strings in such an order that when moving from one string to the next, one and only one bit flips to its opposite bit. Show that such a code—whether for the self-initialization QS option or any other application—can be generated with ease, using a function that employs exclusive-or “ ” and shift “>>” operators in the following elegant way:
g(n) = n (n >> 1).
This very simple generator is easily seen to yield, for example, a 3-bit Gray counter that runs:
(g(0), . . . , g(7)) = (000, 001, 011, 010, 110, 111, 101, 100),
this counting chain clearly having exactly one bit flip on each iteration.
6.8.Show that if n ≥ 64 and m = n1/3!, then n < 2m3. More generally,
show that if d is a positive integer, n > 1.5(d/ ln 2)d |
, and m = n |
1/d |
, then |
n < 2md. |
|
! |
6.9. The following result, which allows an integer factorization via a polynomial factorization, is shown in [Brillhart et al. 1981].
Theorem. Let n be a positive integer, let m be an integer with m ≥ 2, write n in base m as n = f (m) where f (x) = cdxd + cd−1xd−1 + · · · + c0, so that the ci’s are nonnegative integers less than m. Suppose f (x) is reducible in Z[x],
with f (x) = g(x)h(x) where neither g(x) nor h(x) is a constant polynomial with value ±1. Then n = g(m)h(m) is a nontrivial factorization of n. In particular, if n is prime, then f (x) is irreducible.
This exercise is to prove this theorem in the case m ≥ 3 using the following outline:
(1) Prove the inequality
zd−1 |
|
d |
z j−1 |
|
≥ Re(cdz) + cd−1 − j=2 |
||||
|
f (z) |
|
|
cd−j |
|
| | |
|||
|
|
|
|
|
|
|
|
|
|
and use it to show that f (z) = 0 for Rez ≥ m − 1. (Use that each cj satisfies 0 ≤ cj ≤ m − 1 and that cd ≥ 1.)
(2)Using the factorization of a polynomial by its roots show that |g(m)| > |c| ≥ 1, where c is the leading coe cient of g(x), and similarly that |h(m)| > 1. Thus, the factorization n = g(m)h(m) is nontrivial.
6.10. This exercise is to prove the theorem of Exercise 6.9 in the remaining case m = 2. Hint: By a slightly more elaborate inequality as in (1) of Exercise 6.9 (using that Re(cd−2/z) ≥ 0 for Re(z) > 0), show that every root ρ of f has Re(ρ) < 1.49. Then let G(x) = g(x+1.49) and show that all of the coe cients