Prime Numbers
6.5 Exercises
of the rational polynomial G(x) have the same sign. Deduce from this that 1 ≤ |g(1)| = |G(−0.49)| < |G(0.51)| = |g(2)|, and similarly |h(2)| > 1, so that the factorization n = g(2)h(2) is nontrivial.
6.11. Use the method of Exercise 6.9 to factor n = 187 using the base m = 10. Do the same with n = 4189, m = 29.
6.12. Generalize the x(u, v), y(u, v) construction in Section 6.1.7 to arbitrary numbers n satisfying (6.4).
6.13. Give a heuristic argument for the complexity bound
$$\exp\bigl((c + o(1))(\ln n)^{1/3}(\ln \ln n)^{2/3}\bigr)$$
operations, with $c = (32/9)^{1/3}$, for the special number field sieve (SNFS).
6.14. Here we sketch some practical QS examples that can serve as guidance for the creation of truly powerful QS implementations. In particular, the reader who chooses to implement QS can use the following examples for program checking. Incidentally, each one of the examples below—except the last—can be effected on a typical symbolic processor possessed of multiprecision operations. So the exercise shows that numbers in the 30-digit region and beyond can be handled even without fast, compiled implementations.
(1) In Algorithm 6.1.1 let us take the very small example n = 10807 and, because this n is well below typical ranges of applicability of practical QS, let us force at the start of the algorithm the smoothness limit B = 200. Then you should find k = 21 appropriate primes. You then get a 21 × 21 binary matrix, and can Gaussian-reduce said matrix. Incidentally, packages exist for such matrix algebra, e.g., in the Mathematica language a matrix m can be reduced for such purpose with the single statement
r = NullSpace[Transpose[m], Modulus->2];
(although, as pointed out to us by D. Lichtblau, one may optimize the overall operation by intervention at a lower level, using bit operations rather than (mod 2) reduction, say). With such a command, there is a row of the reduced matrix r that has just three 1's, and this leads to the relation
$$3^4 \cdot 11^4 \cdot 13^4 \equiv 106^2 \cdot 128^2 \cdot 158^2 \pmod{n},$$
and thus a factorization of n.
(2) Now for a somewhat larger composite, namely n = 7001 · 70001, try using the B assignment of Algorithm 6.1.1 as is, in which case you should have B = 2305, k = 164. The resulting 164 × 164 matrix is not too unwieldy in this day and age, so you should be able to factor n using the same approach as in the previous item.
Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
(3) Now try to factor the Mersenne number n = 2^67 − 1 but using smoothness bound B = 80000, leading to k = 3962. Not only will this example start testing your QS implementation in earnest, it will demonstrate how 12-digit factors can be extracted with QS in a matter of seconds or minutes (depending on the efficiency of the sieve and the matrix package). This is still somewhat slower than sheer sieving or say Pollard-rho methods, but of course, QS can be pressed much further, with its favorable asymptotic behavior.
(4) Try factoring the repunit
$$n = \frac{10^{29} - 1}{9} = 11111111111111111111111111111$$
using a forced parameter B = 40000, for which matrices will be about 2000 × 2000 in size.
(5) If you have not already for the above, implement Algorithm 6.1.1 in fast, compiled fashion to attempt factorization of, say, 100-digit composites.
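For program checking along the lines of items (1) and (2), here is an added Python example (not the book's code) of the relation-collecting and matrix steps of Algorithm 6.1.1, with a sieve-free stand-in: the factor base for a forced bound B, smooth values of x^2 − n found by trial division, the null space over GF(2) found by bit-vector elimination in place of the NullSpace call above, and the congruence of squares turned into a factor by a gcd. It also checks the relation quoted in item (1) and splits 10807 from it. Function names are my own.

```python
from math import gcd, isqrt

def factor_base(n, B):
    """Primes p <= B that can divide x^2 - n: p = 2, or n a quadratic residue mod p (Euler's criterion)."""
    sieve = bytearray([1]) * (B + 1)
    primes = []
    for p in range(2, B + 1):
        if sieve[p]:
            primes.append(p)
            for q in range(p * p, B + 1, p):
                sieve[q] = 0
    return [p for p in primes if p == 2 or pow(n, (p - 1) // 2, p) == 1]

def smooth_exponents(q, fb):
    """Exponent vector of q over the factor base fb, or None if q is not fb-smooth."""
    exps = []
    for p in fb:
        e = 0
        while q % p == 0:
            q //= p
            e += 1
        exps.append(e)
    return exps if q == 1 else None

def collect_relations(n, fb, extra=8):
    """Pairs (x, exponents) with x^2 - n smooth, x marching up from ceil(sqrt(n)); a few more than len(fb)."""
    rels = []
    x = isqrt(n) + 1
    while len(rels) < len(fb) + extra:
        exps = smooth_exponents(x * x - n, fb)
        if exps is not None:
            rels.append((x, exps))
        x += 1
    return rels

def gf2_dependencies(rels):
    """Index sets of relations whose exponent vectors sum to all-even entries (the null space mod 2)."""
    pivots = {}   # lowest set bit -> (reduced row, bitmask of the original rows it combines)
    deps = []
    for i, (_, exps) in enumerate(rels):
        v = sum(1 << j for j, e in enumerate(exps) if e & 1)
        h = 1 << i
        while v:
            low = v & -v
            if low not in pivots:
                pivots[low] = (v, h)
                break
            pv, ph = pivots[low]
            v ^= pv
            h ^= ph
        if v == 0:
            deps.append([j for j in range(len(rels)) if h >> j & 1])
    return deps

def toy_qs(n, B):
    """Factor odd composite n from a congruence X^2 = Y^2 (mod n); returns (smaller, larger) factor or None."""
    fb = factor_base(n, B)
    rels = collect_relations(n, fb)
    for dep in gf2_dependencies(rels):
        X, total = 1, [0] * len(fb)
        for i in dep:
            x, exps = rels[i]
            X = X * x % n
            total = [a + b for a, b in zip(total, exps)]
        Y = 1
        for p, e in zip(fb, total):
            Y = Y * pow(p, e // 2, n) % n
        g = gcd(X - Y, n)
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None

def split_from_item1_relation(n=10807):
    """Check 3^4 11^4 13^4 = 106^2 128^2 158^2 (mod 10807), the relation quoted in item (1), and split n with it."""
    X = (106 * 128 * 158) % n
    Y = (3 ** 2 * 11 ** 2 * 13 ** 2) % n
    if X * X % n != Y * Y % n:
        raise ValueError("congruence does not hold")
    return tuple(sorted((gcd(X - Y, n), gcd(X + Y, n))))

if __name__ == "__main__":
    print(split_from_item1_relation())   # (101, 107)
    print(toy_qs(10807, 200))            # (101, 107)
    print(toy_qs(7001 * 70001, 2305))    # (7001, 70001)
```

Trial division replaces the sieve only because the numbers here are tiny; the GF(2) step and the final gcd are the same ones a real implementation performs, so a 21 × 21 or 164 × 164 matrix package can be checked against this code's dependencies.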
6.15. In the spirit of Exercise 6.14, we here work through the following explicit examples of the NFS Algorithm 6.2.5. Again the point is to give the reader some guidance and means for algorithm debugging. We shall find that a particular obstruction—the square-rooting in the number field—begs to be handled in different ways, depending on the scale of the problem.
(1) Start with the simple choice n = 10403 and discover that the polynomial f is reducible, hence the very Step [Setup] yields a factorization, with no sieving required.
(2) Use Algorithm 6.2.5 with initialization parameters as is in the pseudocode listing, to factor n = F_5 = 2^32 + 1. (Of course, the SNFS likes this composite, but the exercise here is to get the general NFS working!) From the initialization we thus have d = 2, B = 265, m = 65536, k = 96, and thus matrix dimension V = 204. The matrix manipulations then accrue exactly as in Exercise 6.14, and you will obtain a suitable set S of (a, b) pairs. Now, for the small composite n in question (and the correspondingly small parameters) you can, in Step [Square roots], just multiply out the product
$$\prod_{(a,b)\in S} (a - b\alpha)$$
to generate a Gaussian integer, because the assignment α = i is acceptable. Note how one is lucky for such (d = 2) examples, in that square-rooting in the number field is a numerical triviality. In fact, the square root of a Gaussian integer c + di can be obtained by solving simple simultaneous relations. So for such small degree as d = 2, the penultimate Step [Square roots] of Algorithm 6.2.5 is about as simple as can be.
(3) As a kind of “second gear” with respect mainly to the square-root obstacle, try next the same composite n = F_5 but force parameters d = 4, B = 600, which choices will result in successful NFS. Now, at the Step [Square roots], you can again just multiply out the product of terms (a − bα) where now $\alpha = \sqrt{i}$, and you can then take the square root of the resulting element
$$s_0 + s_1\alpha + s_2\alpha^2 + s_3\alpha^3$$
in the number field. There are easy ways to do this numerically, for example a simple version of the deconvolution of Exercise 6.18 will work, or you can just use the Vandermonde scheme discussed later in the present exercise.
(4) Next, choose n = 76409 and this time force parameters as: d = 2, B = 96, to get a polynomial f(x) = x^2 + 233x. Then, near the end of the algorithm, you can again multiply out the (a − bα) terms, then use simple arithmetic to take the number-field root and thereby complete the factorization.
(5) Just as in the last item, factor the repunit n = 11111111111 by initializing parameters thus: d = 2, B = 620.
(6) Next, for n = F_6 = 2^64 + 1, force d = 4, B = 2000, and this time force even the parameter k = 80 for convenience. Use any of the indicated methods to take a square root in the number field with $\alpha = \sqrt{i}$.
(7) Now we can try a “third gear” in the sense of the square-root obstruction. Factor the repunit n = (10^17 − 1)/9 = 11111111111111111 but by forcing parameters d = 3, B = 2221. This time, the square root needs to be taken in a number field with a cube root of 1. It is at this juncture that we may as well discuss the Vandermonde matrix method for rooting. Let us form γ^2, that is the form
$$f'(\alpha)^2 \prod_{(a,b)\in S} (a - b\alpha),$$
simply by multiplying all relevant terms together modulo f(α). (Such a procedure would always work in principle, yet for large enough n the coefficients of the result γ^2 become unwieldy.) The Vandermonde matrix approach then runs like so. Write the entity to be square-rooted as
$$\gamma^2 = s_0 + s_1\alpha + \cdots + s_{d-1}\alpha^{d-1}.$$
Then, use the (sufficiently precise) d roots of f, call them α_1, ..., α_d, to construct the matrix of ascending powers of roots
$$H = \begin{pmatrix}
1 & \alpha_1 & \alpha_1^2 & \cdots & \alpha_1^{d-1} \\
1 & \alpha_2 & \alpha_2^2 & \cdots & \alpha_2^{d-1} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & \alpha_d & \alpha_d^2 & \cdots & \alpha_d^{d-1}
\end{pmatrix}.$$
Then take sufficiently high-precision square roots of real numbers, that is, calculate the vector
$$\beta = \sqrt{H s^T},$$
where s = (s_0, ..., s_{d−1}) is the vector of coefficients of γ^2, and the square root of the matrix-vector product is simply taken componentwise. Now the idea is to calculate matrix-vector products:
$$H^{-1} \begin{pmatrix} \pm\beta_0 \\ \pm\beta_1 \\ \vdots \\ \pm\beta_{d-1} \end{pmatrix},$$
where the ± ambiguities are tried one at a time, until the vector resulting from this multiplication by H^{−1} has all integer components. Such a vector will be a square root in the number field. To aid in any implementations, we give here an explicit, small example of this rooting method. Let us take the polynomial f(x) = x^3 + 5x + 6 and square-root the entity γ^2 = 117 − 366x + 46x^2 modulo f(x) (we are using preknowledge that the
entity here really is a square). We construct the Vandermonde matrix using zeros of f, namely
$$(\alpha_1, \alpha_2, \alpha_3) = \Bigl(-1,\ \frac{1 - i\sqrt{23}}{2},\ \frac{1 + i\sqrt{23}}{2}\Bigr),$$
as a numerical entity whose first row is (1, −1, 1) with complex entries in the other rows. There needs to be enough precision, which for this present example is say 12 decimal digits. Then we take a (componentwise) square root and try the eight possible (±) combinations
$$\gamma = H^{-1}\begin{pmatrix} \pm r_1 \\ \pm r_2 \\ \pm r_3 \end{pmatrix}, \qquad \begin{pmatrix} r_1 \\ r_2 \\ r_3 \end{pmatrix} = \sqrt{\,H \begin{pmatrix} 117 \\ -366 \\ 46 \end{pmatrix}\,}.$$
Sure enough, one of these eight combinations is the vector
$$\gamma = \begin{pmatrix} 15 \\ -9 \\ -1 \end{pmatrix},$$
indicating that
$$(15 - 9x - x^2)^2 \bmod f(x) = 117 - 366x + 46x^2,$$
as desired.
(8) Just as with Exercise 6.14, we can only go so far with symbolic processors and must move to fast, compiled programs to handle large composites. Still, numbers in the region of 30 digits can indeed be handled interpretively. Take the repunit n = (10^29 − 1)/9, force d = 4, B = 30000, and this time force also k = 100, to see a successful factorization that is doable without fast programs. In this case, you can use any of the above methods for handling degree-4 number fields, still with brute-force multiplying-out for the γ^2 entity (although for the given parameters one already needs perhaps 3000-digit precision, and the advanced means discussed in the text and in Exercise 6.18 start to look tantalizing for the square-rooting stage).
The explicit tasks above should go a long way toward the polishing of a serious NFS implementation. However, there is more that can be done even for these relatively minuscule composites. For example, the free relations and other optimizations of Section 6.2.7 can help even for the above tasks, and should certainly be invoked for large composites.
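The Vandermonde rooting of item (7), as an added Python example that is not the book's code: it finds the roots of f numerically (Durand–Kerner iteration is my choice; any root finder serves), forms H, takes componentwise square roots of H s^T, and tries every sign pattern until H^{−1}(±β) comes out integral. Ordinary double precision is enough for the f(x) = x^3 + 5x + 6 example (the text asks for about 12 digits); larger cases need a multiprecision type. The same routine handles the d = 2 Gaussian-integer case of item (2), since the roots of x^2 + 1 are ±i. A small multiply-mod-f helper checks the answer. Function names are my own.

```python
import cmath
import itertools

def poly_eval(coeffs, x):
    """Evaluate c_0 + c_1 x + ... + c_d x^d (ascending coefficients) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc

def poly_roots(f, iters=500):
    """All complex roots of a monic polynomial f (ascending coefficients) by Durand-Kerner iteration."""
    d = len(f) - 1
    roots = [complex(0.4, 0.9) ** k for k in range(d)]   # the customary non-real starting points
    for _ in range(iters):
        new = []
        for i, r in enumerate(roots):
            denom = 1
            for j, s in enumerate(roots):
                if j != i:
                    denom *= r - s
            new.append(r - poly_eval(f, r) / denom)
        roots = new
    return roots

def solve_complex(A, b):
    """Solve A x = b for a small square complex matrix by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(A[i]) + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                fac = M[r][col] / M[col][col]
                M[r] = [a - fac * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def poly_mulmod(a, b, f):
    """Product of a and b reduced modulo the monic polynomial f (all ascending integer coefficients)."""
    d = len(f) - 1
    prod = [0] * (2 * d - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(2 * d - 2, d - 1, -1):   # eliminate x^k using x^d = -(f_0 + f_1 x + ... + f_{d-1} x^{d-1})
        c, prod[k] = prod[k], 0
        for j in range(d):
            prod[k - d + j] -= c * f[j]
    return prod[:d]

def vandermonde_sqrt(f, s, tol=1e-6):
    """All integer vectors gamma with gamma^2 = s (mod f): Vandermonde H of the roots of f, beta = sqrt(H s^T)
    componentwise, then H^{-1}(+-beta) for every sign pattern, keeping the patterns that come out integral."""
    d = len(f) - 1
    alphas = poly_roots(f)
    H = [[a ** j for j in range(d)] for a in alphas]
    beta = [cmath.sqrt(sum(h * c for h, c in zip(row, s))) for row in H]
    found = []
    for signs in itertools.product((1, -1), repeat=d):
        g = solve_complex(H, [sg * b for sg, b in zip(signs, beta)])
        if all(abs(c.imag) < tol and abs(c.real - round(c.real)) < tol for c in g):
            found.append(tuple(round(c.real) for c in g))
    return found

if __name__ == "__main__":
    f = [6, 5, 0, 1]            # f(x) = x^3 + 5x + 6, from the text
    gamma_sq = [117, -366, 46]  # 117 - 366x + 46x^2, from the text
    for gamma in vandermonde_sqrt(f, gamma_sq):
        print(gamma, poly_mulmod(gamma, gamma, f) == gamma_sq)   # (15, -9, -1) True and (-15, 9, 1) True
```

Both γ and −γ survive the sign search, as they must; the 2^d patterns collapse to 2^{d−1} distinct candidates once one sign is fixed, which is the count the text gives for the deconvolution variant in Exercise 6.18.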
6.16. Here we solve an explicit and simple DL problem to give an illustration of the index-calculus method (Algorithm 6.4.1). Take the prime p = 2^13 − 1, primitive root g = 17, and say we want to solve g^l ≡ 5 (mod p). Note the following congruences, which can be obtained rapidly by machine:
$$g^{3513} \equiv 2^3 \cdot 3 \cdot 5^2 \pmod{p}, \quad g^{993} \equiv 2^4 \cdot 3 \cdot 5^2 \pmod{p}, \quad g^{1311} \equiv 2^2 \cdot 3 \cdot 5 \pmod{p}.$$
(In principle, one can do this by setting a smoothness limit on prime factors of the residue, then just testing random powers of g.) Now solve the indicated DL problem by finding via linear algebra three integers a, b, c such that
$$g^{3513a + 993b + 1311c} \equiv 5 \pmod{p}.$$
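The linear-algebra step of this exercise, as an added Python example (not the book's code): the three quoted congruences are first verified by modular exponentiation, then the exponent vectors are solved exactly over Q and lifted to Z/(p−1), which gives both the combination (a, b, c) the exercise asks for and the logs of 2, 3, 5 to base g. The factorization 8190 = 2 · 3^2 · 5 · 7 · 13 used for the primitive-root check is mine; function names are my own.

```python
from fractions import Fraction
from math import gcd

P = 2 ** 13 - 1                 # p = 8191
G = 17                          # primitive root g, per the exercise
FACTOR_BASE = (2, 3, 5)
# (e, exponent vector of g^e over the factor base): the three congruences quoted in the exercise
RELATIONS = [(3513, (3, 1, 2)), (993, (4, 1, 2)), (1311, (2, 1, 1))]
P_MINUS_1_PRIMES = (2, 3, 5, 7, 13)   # 8190 = 2 * 3^2 * 5 * 7 * 13

def is_primitive_root(g, p, prime_factors):
    """g generates (Z/pZ)^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)

def relations_hold():
    """Confirm each quoted congruence g^e = prod q^k (mod p) by direct modular exponentiation."""
    for e, vec in RELATIONS:
        rhs = 1
        for q, k in zip(FACTOR_BASE, vec):
            rhs = rhs * pow(q, k, P) % P
        if pow(G, e, P) != rhs:
            return False
    return True

def solve_rational(A, b):
    """Gauss-Jordan over Q for a square system; returns a list of Fractions."""
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col] != 0:
                fac = M[r][col] / M[col][col]
                M[r] = [a - fac * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def combination_for_5():
    """Integers (a, b, c) with a*v1 + b*v2 + c*v3 = (0, 0, 1) in exponent space, so g^(3513a + 993b + 1311c) = 5."""
    rows = [list(col) for col in zip(*(vec for _, vec in RELATIONS))]   # transpose: one row per prime
    sol = solve_rational(rows, [0, 0, 1])
    if any(x.denominator != 1 for x in sol):
        raise ValueError("no integral combination from these three relations")
    return tuple(int(x) for x in sol)

def factor_base_logs():
    """Discrete logs of 2, 3, 5 to base g: solve v_i . L = e_i over Q, then reduce modulo p-1."""
    A = [list(vec) for _, vec in RELATIONS]
    e = [e for e, _ in RELATIONS]
    logs = {}
    for q, x in zip(FACTOR_BASE, solve_rational(A, e)):
        if gcd(x.denominator, P - 1) != 1:        # the lift to Z/(p-1) needs an invertible denominator
            raise ValueError("denominator not invertible modulo p-1; collect more relations")
        logs[q] = x.numerator * pow(x.denominator, -1, P - 1) % (P - 1)
    return logs

def discrete_log_of_5():
    """The exponent l with g^l = 5 (mod p), assembled from the combination of the three relations."""
    a, b, c = combination_for_5()
    return (3513 * a + 993 * b + 1311 * c) % (P - 1)

if __name__ == "__main__":
    print(is_primitive_root(G, P, P_MINUS_1_PRIMES), relations_hold())   # True True
    print(combination_for_5())        # (2, -1, -1)
    print(factor_base_logs())         # {2: 5670, 3: 1629, 5: 4722}
    l = discrete_log_of_5()
    print(l, pow(G, l, P) == 5)       # 4722 True
```

Solving over Q and lifting works here because the 3 × 3 exponent matrix happens to be unimodular; with a larger factor base one instead reduces modulo each prime power dividing p − 1 and recombines, since Z/(p−1) is not a field.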
6.6 Research problems
6.17. Investigate the following idea for forging a subexponential factoring algorithm. Observe first the amusing algebraic identity [Crandall 1996a]
$$F(x) = \bigl((x^2 - 85)^2 - 4176\bigr)^2 - 2880^2 = (x - 13)(x - 11)(x - 7)(x - 1)(x + 1)(x + 7)(x + 11)(x + 13),$$
so that F actually has 8 simple, algebraic factors in Z[x]. Another of this type is
$$G(x) = \bigl((x^2 - 377)^2 - 73504\bigr)^2 - 50400^2 = (x - 27)(x - 23)(x - 15)(x - 5)(x + 5)(x + 15)(x + 23)(x + 27),$$
and there certainly exist others. It appears on the face of it that for a number N = pq to be factored (with primes p ≈ q, say) one could simply take gcd(F(x) mod N, N) for random x (mod N), so that N should be factored in about $\sqrt{N}/(2 \cdot 8)$ evaluations of F. (The extra 2 is because we can get by chance either p or q as a factor.) Since F is calculated via 3 squarings modulo N, and we expect 1 multiply to accumulate a new F product, we should have an operational gain of 8/4 = 2 over naive product accumulation. The gain is even more when we acknowledge the relative simplicity of a modular squaring operation vs. a modular multiply. But what if we discovered an appropriate set {a_j} of fixed integers, and defined
$$H(x) = \Bigl(\cdots\bigl(((x^2 - a_1)^2 - a_2)^2 - a_3\bigr)^2 - a_4\Bigr)^2 - \cdots \Bigr)^2 - a_k^2,$$
so that a total of k squarings (we assume $a_k^2$ prestored) would generate $2^k$ algebraic factors? Can this successive-squaring idea lead directly to subexponential (if not polynomial-time) complexity for factoring? Or are there blockades preventing such a wonderful achievement? Another question is, noting that the above two examples (F, G) have disjoint roots, i.e., F(x)G(x) has 16 distinct factors, can one somehow use two identities at a time to improve the gain? Yet another observation is, since all roots of F(x)G(x) are odd, x
be determined,
$$z = \gamma \times_{-} \gamma,$$
where $\times_{-}$ denotes negacyclic convolution, and z is the signal consisting of the z_j coefficients. But we know how to do negacyclic convolution via fast transform methods. Writing
$$\Gamma_k = \sum_{j=0}^{d-1} \gamma_j \alpha^j \alpha^{-2kj},$$
one can establish the weighted-convolution identity
$$z_n = \alpha^{-n} \frac{1}{d} \sum_{k=0}^{d-1} \Gamma_k^2 \alpha^{2nk}.$$
The deconvolution idea, then, is simple: Given the signal z to be square-rooted, transform this last equation above to obtain the $\Gamma_k^2$, then assign one of $2^{d-1}$ distinct choices of sign for the respective $\pm\Gamma_k$, $k \in [1, d-1]$, then solve for γ_j via another transform. This negacyclic deconvolution procedure will result in a correct square root γ of γ^2. The research question is this: Since we know that number fields based on f(x) = x^d + 1 are easily handled in many other ways, can this deconvolution approach be generalized? How about f(x) = x^d + c, or even much more general f? It is also an interesting question whether the transforms above need to be floating-point ones (which does, in fact, do the job at the expense of the high precision), or whether errorless, pure-integer number-theoretical transforms can be introduced.
(3) For any of these various ideas, a paramount issue is how to avoid the rapid growth of coefficient sizes. Therefore one needs to be aware that a square-root procedure, even if it is numerically sound, has to somehow keep coefficients under control. One general suggestion is to combine whatever square-rooting algorithm with a CRT; that is, work somehow modulo many small primes simultaneously. In this way, machine parallelism may be possible as well. As we intimated in text, ideas of Couveignes and Montgomery have brought the square-root obstacle down to a reasonably efficient phase in the best prevailing NFS implementations. Still, it would be good to have a simple, clear, and highly efficient scheme that generalizes not just to cases of parity on the degree d, but also manages somehow to control coefficients and still avoid CRT reconstruction.
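The negacyclic deconvolution of item (2), as an added Python example that is not the book's code, for the field defined by x^d + 1 with α a primitive 2d-th root of unity (so α^d = −1; that choice of α is my reading of the weighted transform, since the page that introduces it is not reproduced here). The forward transform Γ_k and its inverse implement the two displayed formulas with plain O(d^2) sums in place of an FFT; squaring Γ_k and inverting computes γ ×− γ, and the square root is recovered by transforming z, fixing the sign of Γ_0, and trying the 2^{d−1} sign choices for Γ_1, …, Γ_{d−1}. The sample γ = 3 + 2x − x^2 + 4x^3 is constructed by me; function names are my own.

```python
import cmath
import itertools

def _alpha(d):
    """Primitive 2d-th root of unity, so alpha^d = -1 (assumed to be the root of the weighted transform)."""
    return cmath.exp(1j * cmath.pi / d)

def weighted_transform(signal):
    """Gamma_k = sum_j gamma_j alpha^j alpha^(-2kj): a DFT of the alpha^j-weighted signal."""
    d = len(signal)
    a = _alpha(d)
    return [sum(v * a ** j * a ** (-2 * k * j) for j, v in enumerate(signal)) for k in range(d)]

def inverse_weighted_transform(spectrum):
    """gamma_n = alpha^(-n) (1/d) sum_k Gamma_k alpha^(2nk): the inverse of weighted_transform."""
    d = len(spectrum)
    a = _alpha(d)
    return [a ** (-n) / d * sum(G * a ** (2 * n * k) for k, G in enumerate(spectrum)) for n in range(d)]

def negacyclic_square(gamma):
    """gamma *- gamma, i.e. gamma^2 mod x^d + 1, via z_n = alpha^-n (1/d) sum_k Gamma_k^2 alpha^(2nk)."""
    z = inverse_weighted_transform([G * G for G in weighted_transform(gamma)])
    return [round(v.real) for v in z]   # exact integers up to floating-point noise

def negacyclic_sqrt(z, tol=1e-6):
    """Integer gamma with gamma *- gamma = z: transform z to get the Gamma_k^2, take square roots, fix the
    sign of Gamma_0 (gamma and -gamma are both roots), try the 2^(d-1) sign choices for Gamma_1..Gamma_{d-1},
    and keep the choice whose inverse transform is integral."""
    d = len(z)
    roots = [cmath.sqrt(G2) for G2 in weighted_transform(z)]
    for signs in itertools.product((1, -1), repeat=d - 1):
        spectrum = [roots[0]] + [s * r for s, r in zip(signs, roots[1:])]
        gamma = inverse_weighted_transform(spectrum)
        if all(abs(v.imag) < tol and abs(v.real - round(v.real)) < tol for v in gamma):
            return [round(v.real) for v in gamma]
    return None

if __name__ == "__main__":
    gamma = [3, 2, -1, 4]                  # constructed sample: 3 + 2x - x^2 + 4x^3 in Z[x]/(x^4 + 1)
    z = negacyclic_square(gamma)
    print(z)                               # [-8, 20, -18, 20]
    print(negacyclic_sqrt(z))              # [3, 2, -1, 4] (or its negative)
```

Because the transform is linear, applying the forward transform to z returns exactly the Γ_k^2; that is the "transform this last equation" step, and it is why no sign choice is needed for Γ_0. Floating-point transforms suffice at this size; for the coefficient sizes of item (3) one would need either high precision or a number-theoretic transform, which is the open question the text poses.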
Chapter 7
ELLIPTIC CURVE ARITHMETIC
The history of what are called elliptic curves goes back well more than a century. Originally developed for classical analysis, elliptic curves have found their way into abstract and computational number theory, and now sit squarely as a primary tool. Like the prime numbers themselves, elliptic curves have the wonderful aspects of elegance, complexity, and power. Elliptic curves are not only celebrated algebraic constructs; they also provide considerable leverage in regard to prime number and factorization studies. Elliptic curve applications even go beyond these domains; for example, they have an increasingly popular role in modern cryptography, as we discuss in Section 8.1.3.
In what follows, our primary focus will be on elliptic curves over fields Fp, with p > 3 an odd prime. One is aware of a now vast research field— indeed even an industry—involving fields Fpk where k > 1 or (more prevalent in current applications) fields F2k . Because the theme of the present volume is prime numbers, we have chosen to limit discussion to the former fields of primary interest. For more information in regard to the alternative fields, the interested reader may consult references such as [Seroussi et al. 1999] and various journal papers referenced therein.
7.1 Elliptic curve fundamentals
Consider the general equation of a degree-3 polynomial in two variables, with coefficients in a field F, set equal to 0:
$$ax^3 + bx^2y + cxy^2 + dy^3 + ex^2 + fxy + gy^2 + hx + iy + j = 0. \quad (7.1)$$
To ensure that the polynomial is really of degree 3, we assume that at least one of a, b, c, d is nonzero. We also assume that the polynomial is absolutely irreducible; that is, it is irreducible in $\overline{F}[x, y]$, where $\overline{F}$ is the algebraic closure of F. One might consider the pairs (x, y) ∈ F × F that satisfy (7.1); they are called the affine solutions to the equation. Or one might consider the projective solutions. For these we begin with triples (x, y, z) ∈ F × F × F (with x, y, z not all zero) that satisfy
$$ax^3 + bx^2y + cxy^2 + dy^3 + ex^2z + fxyz + gy^2z + hxz^2 + iyz^2 + jz^3 = 0. \quad (7.2)$$
Note that (x, y, z) is a solution if and only if (tx, ty, tz) is also a solution, for t ∈ F, t ≠ 0. Thus, in the projective case, it makes more sense to talk of [x, y, z] being a solution, the notation indicating that we consider as identical any two solutions (x, y, z), (x', y', z') of (7.2) if and only if there is a nonzero t ∈ F with x' = tx, y' = ty, z' = tz.
The projective solutions of (7.2) are almost exactly the same as the affine solutions of (7.1). In particular, a solution (x, y) of (7.1) may be identified with the solution [x, y, 1] of (7.2), and any solution [x, y, z] of (7.2) with z ≠ 0 may be identified with the solution (x/z, y/z) of (7.1). The solutions [x, y, z] with z = 0 do not correspond to any affine solutions, and are called the “points at infinity” for the equation.
Equations (7.1) and (7.2) are cumbersome. It is profitable to consider a change in variables that sends solutions with coordinates in F to like solutions, and vice versa for the inverse transformation. For example, consider the Fermat equation for exponent 3, namely,
$$x^3 + y^3 = z^3.$$
Assume we are considering solutions in a field F with characteristic not equal to 2 or 3. Letting X = 12z, Y = 36(x − y), Z = x + y, we have the equivalent equation
$$Y^2 Z = X^3 - 432 Z^3.$$
The inverse change of variables is $x = \frac{1}{72}Y + \frac{1}{2}Z$, $y = -\frac{1}{72}Y + \frac{1}{2}Z$, $z = \frac{1}{12}X$.
The projective curve (7.2) is considered to be “nonsingular” (or “smooth”) over the field F if even over the algebraic closure of F there is no point [x, y, z] on the curve where all three partial derivatives vanish. In fact, if the characteristic of F is not equal to 2 or 3, any nonsingular projective equation (7.2) with at least one solution in F × F × F (with not all of the coordinates zero) may be transformed by a change of variables to the standard form
$$y^2 z = x^3 + axz^2 + bz^3, \quad a, b \in F, \quad (7.3)$$
where the one given solution of the original equation is sent to [0, 1, 0]. Further, it is clear that a curve given by (7.3) has just this one point at infinity, [0, 1, 0]. The affine form is
$$y^2 = x^3 + ax + b. \quad (7.4)$$
Such a form for a cubic curve is called a Weierstrass form. It is sometimes convenient to replace x with (x + constant), and so get another Weierstrass form:
$$y^2 = x^3 + Cx^2 + Ax + B, \quad A, B, C \in F. \quad (7.5)$$
If we have a curve in the form (7.4) and the characteristic of F is not 2 or 3, then the curve is nonsingular if and only if 4a^3 + 27b^2 is not 0; see Exercise 7.3. If the curve is in the form (7.5), the condition that the curve be nonsingular is more complicated: It is that $4A^3 + 27B^2 - 18ABC - A^2C^2 + 4BC^3 \ne 0$.
Whether we are dealing with the affine form (7.4) or (7.5), we use the notation O to denote the one point at infinity [0, 1, 0] that occurs for the projective form of the curve.
We now make the fundamental definition for this chapter.
Definition 7.1.1. A nonsingular cubic curve (7.2) with coefficients in a field F and with at least one point with coordinates in F (that are not all zero) is said to be an elliptic curve over F. If the characteristic of F is not 2 or 3, then the equations (7.4) and (7.5) also define elliptic curves over F, provided that $4a^3 + 27b^2 \ne 0$ in the case of equation (7.4) and $4A^3 + 27B^2 - 18ABC - A^2C^2 + 4BC^3 \ne 0$ in the case of equation (7.5). In these two cases, we denote by E(F) the set of points with coordinates in F that satisfy the equation together with the point at infinity, denoted by O. So, in the case of (7.4),
$$E(F) = \{(x, y) \in F \times F : y^2 = x^3 + ax + b\} \cup \{O\},$$
and similarly for a curve defined by equation (7.5).
Note that we are concentrating on fields of characteristic not equal to 2 or 3. For fields such as $F_{2^m}$ the modified equation (7.11) of Exercise 7.1 must be used (see, for example, [Koblitz 1994] for a clear exposition of this).
We use the form (7.5) because it is sometimes computationally useful in, for example, cryptography and factoring studies. Since the form (7.4) corresponds to the special case of (7.5) with C = 0, it should be sufficient to give any formulae for the form (7.5), allowing the reader to immediately convert to a formula for the form (7.4) in case the quadratic term in x is missing. However, it is important to note that equation (7.5) is overspecified because of an extra parameter. So in a word, the Weierstrass form (7.4) is completely general for curves over the fields in question, but sometimes our parameterization (7.5) is computationally convenient.
The following parameter classes will be of special practical importance:
(1) C = 0, giving immediately the Weierstrass form y^2 = x^3 + Ax + B. This parameterization is the standard form for much theoretical work on elliptic curves.
(2) A = 1, B = 0, so curves are based on y^2 = x^3 + Cx^2 + x. This parameterization has particular value in factorization implementations [Montgomery 1987], [Brent et al. 2000], and admits of arithmetic enhancements in practice.
(3) C = 0, A = 0, so the cubic is y^2 = x^3 + B. This form has value in finding particular curves of specified order (the number of elements of the set E, as we shall see), and also allows practical arithmetic enhancements.
(4) C = 0, B = 0, so the cubic is y^2 = x^3 + Ax, with advantages as in (3).
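As an added illustration (not from the book) of Definition 7.1.1 and of the remark that (7.5) reduces to (7.4) by replacing x with x + constant: the following Python enumerates E(F_p) for a small prime by brute force, applies both nonsingularity conditions, carries out the shift x → x − C/3 that removes the x^2 term (legitimate since p ≠ 3), and checks that the point set and the nonsingularity condition are carried along. The curves y^2 = x^3 + x + 1 over F_5 and y^2 = x^3 + x^2 + x + 1 over F_23 are my constructed samples; function names are my own, and sqrt_mod is an exhaustive search acceptable only for tiny p.

```python
def sqrt_mod(a, p):
    """All y in F_p with y^2 = a, by exhaustive search (adequate for the small primes used here)."""
    a %= p
    return [y for y in range(p) if y * y % p == a]

def nonsingular_weierstrass(a, b, p):
    """Nonsingularity test for y^2 = x^3 + ax + b over F_p, p > 3: 4a^3 + 27b^2 != 0."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0

def nonsingular_general(A, B, C, p):
    """Nonsingularity test for y^2 = x^3 + Cx^2 + Ax + B over F_p, p > 3, using the condition in the text."""
    return (4 * A ** 3 + 27 * B ** 2 - 18 * A * B * C - A ** 2 * C ** 2 + 4 * B * C ** 3) % p != 0

def to_weierstrass(A, B, C, p):
    """Replace x by x - C/3 (legal since p != 3) to kill the x^2 term; returns (a, b) for form (7.4)."""
    inv3 = pow(3, -1, p)
    a = (A - C * C * inv3) % p
    b = (B - A * C * inv3 + 2 * C ** 3 * inv3 ** 3) % p
    return a, b

def curve_points(A, B, C, p):
    """E(F_p) for y^2 = x^3 + Cx^2 + Ax + B: every affine solution plus the point at infinity O (here None)."""
    if not nonsingular_general(A, B, C, p):
        raise ValueError("singular cubic: not an elliptic curve")
    pts = [None]
    for x in range(p):
        rhs = (x ** 3 + C * x ** 2 + A * x + B) % p
        pts.extend((x, y) for y in sqrt_mod(rhs, p))
    return pts

def shift_preserves_points(A, B, C, p):
    """The substitution sends (x, y) on the (7.5) curve to (x + C/3, y) on the (7.4) curve; check every point lands."""
    a, b = to_weierstrass(A, B, C, p)
    shift = C * pow(3, -1, p) % p
    on_new = set(curve_points(a, b, 0, p))
    return all(pt is None or ((pt[0] + shift) % p, pt[1]) in on_new for pt in curve_points(A, B, C, p))

def discriminant_identity_holds(A, B, C, p):
    """4a^3 + 27b^2 of the shifted curve equals the (7.5) expression, so the two nonsingularity tests agree."""
    a, b = to_weierstrass(A, B, C, p)
    lhs = (4 * a ** 3 + 27 * b ** 2) % p
    rhs = (4 * A ** 3 + 27 * B ** 2 - 18 * A * B * C - A ** 2 * C ** 2 + 4 * B * C ** 3) % p
    return lhs == rhs

if __name__ == "__main__":
    print(len(curve_points(1, 1, 0, 5)))          # 9: eight affine points of y^2 = x^3 + x + 1 over F_5, plus O
    print(nonsingular_general(0, 0, 3, 7))        # False: y^2 = x^2 (x + 3) has a singular point
    print(shift_preserves_points(1, 1, 1, 23), discriminant_identity_holds(1, 1, 1, 23))   # True True
```

Counting points this way is O(p^2) and only a sanity check; it is the quantity "number of elements of the set E" referred to in parameter class (3), which Chapter 7 later computes by far better means.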
The tremendous power of elliptic curves becomes available when we define a certain group operation, under which E(F ) becomes, in fact, an abelian group:
Definition 7.1.2. Let E(F) be an elliptic curve defined by (7.5) over a field F of characteristic not equal to 2 or 3. Denoting two arbitrary curve points by P_1 = (x_1, y_1), P_2 = (x_2, y_2) (not necessarily distinct), and denoting by O