6.4 Factoring

p2.

1. The Pollard’s p-1 algorithminput ： an integer n , and a prespecified

“bound” Boutput ： factors of n

)"("return else

)(return then

1 if

),1gcd(

mod do

to2for

2

failure

d

nd

nad

naa

Bj

a

j

p3.

Why?

Suppose p is a prime divisor of n, and suppose that

q <= B for every prime power q|(p-1). Then

(p-1)|B!

At the end of for loop, we have

a=2B! mod n

Now

2p-1=1 mod p (by Fermat’s little Thm)

Since (p-1)|B!, it follows

a=2B! =1 mod p

and hence p|(a-1). Since we also have p|n,

d=gcd(a-1, n) will be a non-trivial divisor of n

(unless a=1).

p4.

E.g. n=15770708441, B=180

a = 2180! = 11620221425

D = gcd(a-1, n) = 135979

In fact, the complete factorization of n into primes is

15770708441 = 135979 x 115979

The factorization succeeds because 135978 has only

“small” prime factors:

135978 = 2 x 3 x 131 x 173

p5.

2. The Pollard’s rho algorithminput ： an integer n output ： factors of n

(1) Selecting a “random” function f with integer coefficients , and

any

Begin with x=x0 and y=y0.

(2) Repeat the two calculations

until d=gcd(x-y,n)>1.

(3) Do the following compare

3.1 If d<n, we have succeeded.

3.2 If d=n, the method is failed. Goto (1).

(*) A typical choice of f(x)=x2+1, with a seed x0=2.

.0 nZx

nyffynxfx mod))(( and mod)(

0x

)( 01 xfx

)( 12 xfx

tx ctx

1ctx

1tx

p6.

Complexity of rho methodWe expect this method to use the function f at

most

E.g ： n=551, f(x)=x2+1 mod 551 and x0=2.

).()(2/3 4/1nOpOp

)(xfx

5

26

126

))(( yffy

26

449

240

)551,gcd( yxd

1

1

19

p7.

3. Dixon’s random squares algorithm The idea is to locate with

if

gcd(x+y,n) is a nontrivial

factor of n.

(Why?) since n|(x-y)(x+y) but neither of x-y or

x+y is divisible by n.

Eg. n=15, x=2, y=7 (22=72 mod 15) =>

gcd(2+7,15)=3 is a nontrivial factor of n.

Eg. n=77, x=10, y=32 (102=322 mod 77) =>

gcd(10+32,77)=7 is a nontrivial factor of n.

nZyx , );(mod22 nyx

then ),(modnyx

p8.

factor base and pt-smooth

A factor base B={p1, p2,…,pt} consisting of the

first t primes is selected. If b factors over B, b

is said to be pt-smooth.

Eg ： B={2,3,5}, b=23*56 is 5-smooth; b=23*76 is not 5-smooth.

We may include -1 in B to handle the negative b

B={p0, p1, p2,…,pt}, with p0=-1.

p9.

Algorithminput ： a composite integer n and factor base B= {p1, p2,

…,pt}

output ： factors of n

(1) Suppose t+1 pairs (ai, bi=ai2 mod n) are obtained, where

bi is pt-smooth over B and the factorizations are given by

(2) A set S is to be selected so that has only even

powers of primes appearing.

(3) Let , and do the following compare

3.1 If

3.2 If

.11 ,1

tipbt

j

ejiij

Si

ib

and

Sii

Sii byax

).,gcd(return then ),(mod nyxnyx

.factoring"not "return then ),(modnyx

p10.

Eg ： n=10057, t=5, B={2,3,5,7,11}

i

112

ia

231 1018968

nab ii mod2

2*509 (discard!)23*112

25*32*11105115

ionfactorizat

3168345

1006 63368800

26*32*1125*52*112*32*72

30104014 882

6 28*114023 2816

If S={4,5,6}, then x=3010*4014*4023 mod n=2748

y=27*3*5*7*11 mod n=7042

Since , we obtain a nontrivial factor gcd(x+y,n)=89, and 10057=89*113.

)(mod70422748 n

If S={1,5}, then x=105*4014 mod n=9133 and y=22*3*7*11=924.

Unfortunately, , and no useful information is obtained. )(mod9249133 n

p11.

Eg ： n=15770708441, t=6, B={2,3,5,7,11, 13}

83409341562 = 3*7 (mod n) 120449429442 = 2*7*13 (mod n) 27737000112 = 2*3*13 (mod n)

(8340934156*12044942944*2773700011)2 = (2*3*7*13)2 (mod n) 95034357852 = 5462 (mod n)

gcd(9503435785–546, 15770708441)=115759

to find the factor 115759 of n

p12.

Improvements:

We may include -1 in B to handle the negative b

B={p0, p1, p2,…,pt}, with p0=-1.

Define

Let ai=z+m and bi= q(z) = ai2 - kn

for z=0,1,-1,2,-2, … k=1,2, …

knmzzqknm 2)()( ,

p13.

Quadratic sieve algorithm (simple version)input ： a composite integer noutput ： factors of n

(1) choose a suitable P and construct a factor base

(2) Define

(3) Let ai=z+m and bi=q(z)=ai2-n for z=0,1,-1,2,-2,… A set

S is to be

selected so that has only even powers of

primes appearing.

(4) Let , and do the following

{-1} 1} and prime, is |{

iiii p

nPpppB

nmzzqnm 2)()( ,

Si

ib

and

Sii

Sii byax

).,gcd( return then),(mod nyxnyx

p14.

B. basefactor in the 1p

n with s'p thoseincludeonly weSo

. 1p

n is that ;p mod m)(zn i.e.

,p mod 0n-m)(z

then n,-m)(z|p if Since

B? basefactor in the usednot are 1p

n with s'p Why those

ii

ii

2

i2

2i

ii

p15.

Eg ： n=10057

z

0-11

mza

100 -57-256

)(zqb

-3*19-28

24*32

99101

ionfactorizat

144-35

97 -648968

-23*34

23*112105

If S={1}, then x=101 and y= =22*3.

Since , we obtain a nontrivial factor gcd(x+y,n)=113, and 10057=89*113.

100 nm

If S={-1,-3, 5}, then x=99*97*105 and y=27*32*11.

Unfortunately, , and no useful information is obtained. )(modnyx

10057)100()( 2 zzq

}1{}19,11,3,2{ B

)(modnyx

p16.

4. Factoring algorithms in practice (Asymptotic running times)

1. Quadratic sieve

2. Elliptic curve (p is the smallest prime factor of n)

3. Number field sieve

))lnln ln ))1(1(exp(( nnoO

)))lnln ()ln ))(1(92.1(exp(( 3/23/1 nnoO

))lnln ln 2))1(1(exp(( ppoO

p17.

The RSA Challengehttp://www.rsa.com/rsalabs/node.asp?id=2092

RSA-640 is factored! (11/2/2005) (193 digits)

RSA-200 is factored! (5/9/2005) (663 bits)

RSA-576 is factored! (12/3/2003) (174 digits)

RSA-160 is factored! (1/6/2003) (530 bits)

RSA-155 is factored! (8/22/1999) (512 bit)

RSA-140 is factored! (2/2/1999)