factoring integers with cado-nfs

ARITH 22, Lyon, France — June 25, 2015

Factoring integers with

CADO-NFS

Jeremie DetreyCARAMEL team, LORIA

INRIA Nancy – Grand Est, France

[email protected]

/* */ C,A,/* */ R,a,/* */ M,E,

L,i=5,e,

d[5],Q[999 ]={0};main(N ){for(;i--;e=scanf("%" "d",d+i));for(A =*d;++i<A ;++Q[ i*i% A],R= i[Q]?R:i); for(;i --;) for(M =A;M--;N +=!M*Q [E%A ],e+= Q[(A+E*E- R*L* L%A) %A]) for(E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L)

%A,E=C%A+a --[d]);printf ("%d""\n",(e+N*N)/2

/* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);}

CARAMEL

Why factor?

I Cryptography:

• Integer factorization is a (supposedly) difficult problem, but

integer multiplication is not

• E.g., basis for the security of the

RSA public-key cryptosystem:

→ private key: large primes p and q

→ public key: N = p · q• Key length recommendations

• Break weak instances of RSA (short keys)

I Number theory:

• Cunningham tables: factorizations of bn ± 1

• Aliquot sequences: sn+1 =∑d |sn

d − sn• etc.

I For fun ,

Jeremie Detrey — Factoring integers with CADO-NFS 1 / 22

Why factor?

I Cryptography:

I Number theory:

d − sn• etc.

I For fun ,

Why factor?

I Cryptography:

I Number theory:

d − sn• etc.

I For fun ,Jeremie Detrey — Factoring integers with CADO-NFS 1 / 22

Factorization algorithms (I)

I Find small- to medium-size prime factors p of an integer N :

• Trial division: O(p)

= O (exp (log p))

→ complexity exponential in log p

• ρ method [Pollard, 1975]:

O(√p)

2log p

• p − 1 [Pollard, 1974] and p + 1 [Williams, 1982]

• ECM (Elliptic Curve Method) [Lenstra, 1987]:

exp(√

2 log p log log p))

→ subexponential complexity!

• Trial division: O(p)

= O (exp (log p))

O(√p)

2log p

exp(√

2 log p log log p))

• Trial division: O(p) = O (exp (log p))

O(√p)

2log p

exp(√

2 log p log log p))

O(√p)

2log p

))• p − 1 [Pollard, 1974] and p + 1 [Williams, 1982]

exp(√

2 log p log log p))

O(√p) = O

2log p

exp(√

2 log p log log p))

O(√p) = O

2log p

exp(√

2 log p log log p))

O(√p) = O

2log p

exp(√

2 log p log log p))

Factorization algorithms (II)

I Find all prime factors of an integer N :

• SQUFOF (SQUare FOrms Factorization) [Shanks, ca. 1975]:

O(4√N) = O

→ complexity exponential in logN

• CFRAC (Continued FRACtions) [Morrison & Brillhart, 1975]:

exp(√

2 logN log logN))

O(4√N) = O

))→ complexity exponential in logN

exp(√

2 logN log logN))

O(4√N) = O

))→ complexity exponential in logN

exp(√

2 logN log logN))

Factorization algorithms (III)I Find all prime factors of an integer N :

• QS (Quadratic Sieve) [Pomerance, 1981] and

MPQS (Multiple Polynomial QS) [Silverman, 1987] in

exp(√

logN log logN))

• SNFS (Special Number Field Sieve)

[Lenstra, Lenstra, Manasse, & Pollard, 1990]:

9(logN)1/3 (log logN)2/3

))• (G)NFS (General Number Field Sieve)

[Buhler, Lenstra, & Pomerance, 1993]:

exp(√

logN log logN))

• (G)NFS (General Number Field Sieve)

exp(√

logN log logN))

))• (G)NFS (General Number Field Sieve)

Current factorization records

I ECM (small- to medium-size factors):

• 2013: found 83-digit-factor of 7337 + 1 (285 digits)

I SNFS (numbers of a special form):

• 1990: factorization of F9 = 229

+ 1 (155 digits) in ∼ 340 CPU-years• . . .• 2011–12: fact. of 21061 − 1 (320 digits) in ∼ 335 CPU-years• 2010–14: fact. of 17 numbers of the form 2n − 1 for

1007 ≤ n ≤ 1199 (304–361 digits) in ∼ 7500 core-years

I GNFS (general numbers, esp. RSA moduli):

• 1996: fact. of RSA-130 (130 digits) in ∼ 17 CPU-years• . . .• 2007–09: fact. of RSA-768 (232 digits) in ∼ 2000 core-years

I Quantum computer:

• 2012: fact. of 56153 (a whopping 5 digits!)

I Quantum computer:

Free (as in free speech) factorization software

I p − 1, p + 1, and ECM:

• GMP-ECM [Zimmermann et al.]:

http://ecm.gforge.inria.fr/

I QS and MPQS:

• YAFU [Buhrow]:

http://yafu.sourceforge.net/

I SNFS and GNFS:

• NFS@home [Childers]:

http://escatter11.fullerton.edu/nfs/

• Msieve [Papadopoulos]:

http://www.boo.net/~jasonp/qs.html

• CADO-NFS:

http://cado-nfs.gforge.inria.fr/

I p − 1, p + 1, and ECM:

I QS and MPQS:

• YAFU [Buhrow]:

I SNFS and GNFS:

• CADO-NFS:

I p − 1, p + 1, and ECM:

I QS and MPQS:

• YAFU [Buhrow]:

I SNFS and GNFS:

• CADO-NFS:

CADO-NFSI Mostly developed in the CARAMEL team in Nancy, France, with

several regular external contributors:

• Shi Bai (AriC team, LIP, Lyon, France)• Cyril Bouvier (CARAMEL)• Alain Filbois (Inria Nancy – Grand Est, France)• Pierrick Gaudry (CARAMEL)• Laurent Imbert (ECO team, LIRMM, Montpellier, France)• Alexander Kruppa (CARAMEL)• Francois Morain (GRACE team, LIX, Saclay, France)• Emmanuel Thome (CARAMEL)• Paul Zimmermann (CARAMEL)

I Started in 2007, last release (2.1.1) in 2014, still under heavy

development (10k commits, almost 300k lines of code)

I Support for integer factorization (GNFS and SNFS), but also discrete

logarithm in finite fields (FFS, NFS-DL, NFS-HD)

I Website: http://cado-nfs.gforge.inria.fr/

I Website: http://cado-nfs.gforge.inria.fr/Jeremie Detrey — Factoring integers with CADO-NFS 7 / 22

The Number Field SieveI Based on Fermat’s factoring method (congruence of squares):• Find two integers x and y such that x2 ≡ y 2 (mod N)• With good probability, gcd(x ± y ,N) gives a non-trivial factor of N

I Obtain such equalities through two number fields

• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q• αi root of fi : Q(αi) is an algebraic number field• f1 and f2 chosen such that they have a common root m in Z/NZ

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈ Z[α1] ⊂ OQ(α1)

X 7→ α1X 7→ X mod f1

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

α1 7→ m mod N α2 7→ m mod N

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈ Z[α1] ⊂ OQ(α1)

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈ Z[α1] ⊂ OQ(α1)

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

I Obtain such equalities through two number fields• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q

• αi root of fi : Q(αi) is an algebraic number field• f1 and f2 chosen such that they have a common root m in Z/NZ

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈ Z[α1] ⊂ OQ(α1)

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

I Obtain such equalities through two number fields• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q

• αi root of fi : Q(αi) is an algebraic number field• f1 and f2 chosen such that they have a common root m in Z/NZ

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈ Z[α1] ⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

I Obtain such equalities through two number fields• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q• αi root of fi : Q(αi) is an algebraic number field

• f1 and f2 chosen such that they have a common root m in Z/NZ

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈

Z[α1] ⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

I Obtain such equalities through two number fields• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q• αi root of fi : Q(αi) is an algebraic number field

• f1 and f2 chosen such that they have a common root m in Z/NZ

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈

Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃ Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

I Obtain such equalities through two number fields• f1 and f2 ∈ Z[X ] two polynomials, irreducible and coprime over Q• αi root of fi : Q(αi) is an algebraic number field• f1 and f2 chosen such that they have a common root m in Z/NZ

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈

Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈

Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈ Z[X ]

Z[X ]/(f1(X ))

γ1(α1)2?=

Γ(α1) ∈

Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2]

3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈ Z[X ]

Z[X ]/(f1(X ))γ1(α1)2?=

Γ(α1) ∈ Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2] 3 Γ(α2)

?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈ Z[X ]

Z[X ]/(f1(X ))

γ1(α1)2?= Γ(α1) ∈ Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2] 3 Γ(α2)?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod N

Γ(X ) ∈ Z[X ]

Z[X ]/(f1(X ))

γ1(α1)2?= Γ(α1) ∈ Z[α1]

⊂ OQ(α1)

X 7→ α1

X 7→ X mod f1

OQ(α2) ⊃

Z[α2] 3 Γ(α2)?= γ2(α2)2

X 7→ α2

⇒ γ1(m)2 ≡ γ2(m)2 mod NJeremie Detrey — Factoring integers with CADO-NFS 8 / 22

The Number Field Sieve

I How can one find such a polynomial Γ(X )?

I For all pairs of coprime integers (a, b) ∈ [−A,A]×]0,A]:

• Consider the polynomial a − bX in the diagram

• Try to factor each a − bαi into a product of primes ≤ bound Bi

• Such a pair is called a relation: add (a, b) to R (set of relations)

a − bX ∈

a − bα1 ∈

Z[α1] Z[α2]

3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈

a − bα1 ∈

Z[α1] Z[α2]

3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈

a − bα1 ∈

Z[α1] Z[α2]

3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈

a − bα1 ∈

Z[α1] Z[α2]

3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

a − bα1 ∈

Z[α1] Z[α2]

3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

1,j = a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2 =∏j

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

1,j = a − bα1 ∈ Z[α1] Z[α2] 3 a − bα2 =∏j

X 7→ α1 X 7→ α2

I Once enough relations were collected, find subset S ⊂ R such that∏(a,b)∈S

(a − bαi) is a square in Z[αi ], for both i ∈ {1, 2}

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Tantamount to finding a vector of the left-kernel of the matrix over F2

formed by the exponents of the primes in the relations

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3

∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3

∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 = p21,1 p1,2 p21,3 a1 − b1α2 = p2,1 p

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3

∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 ≡ ( 2 1 2 ) a1 − b1α2 ≡ ( 1 4 0 )

(a2, b2) : a2 − b2α1 = p31,2 p1,3 a2 − b2α2 = p2,1 p2,2 p2,3

(a3, b3) : a3 − b3α1 = p1,1 p21,2 p1,3 a3 − b3α2 = p2,2 p

(a4, b4) : a4 − b4α1 = p1,1 p1,3 a4 − b4α2 = p22,1 p2,2 p2,3

∏i∈{1,2,4}

(ai − biα1) = p41,1 p41,2 p

∏i∈{1,2,4}

(ai − biα2) = p42,1 p62,2 p

I Example:

(a1, b1) : a1 − b1α1 ≡ ( 2 1 2 ) a1 − b1α2 ≡ ( 1 4 0 )

(a2, b2) : a2 − b2α1 ≡ ( 0 3 1 ) a2 − b2α2 ≡ ( 1 1 1 )

(a3, b3) : a3 − b3α1 ≡ ( 1 2 1 ) a3 − b3α2 ≡ ( 0 1 3 )

(a4, b4) : a4 − b4α1 ≡ ( 2 0 1 ) a4 − b4α2 ≡ ( 2 1 1 )

∏i∈{1,2,4}

(ai − biα1) ≡ ( 0 0 0 )∏

i∈{1,2,4}

(ai − biα2) ≡ ( 0 0 0 )

I Example:

(a1, b1) : a1 − b1α1 ≡ ( 0 1 0 ) a1 − b1α2 ≡ ( 1 0 0 )

(a2, b2) : a2 − b2α1 ≡ ( 0 1 1 ) a2 − b2α2 ≡ ( 1 1 1 )

(a3, b3) : a3 − b3α1 ≡ ( 1 0 1 ) a3 − b3α2 ≡ ( 0 1 1 )

(a4, b4) : a4 − b4α1 ≡ ( 0 0 1 ) a4 − b4α2 ≡ ( 0 1 1 )

∏i∈{1,2,4}

(ai − biα1) ≡ ( 0 0 0 )∏

i∈{1,2,4}

(ai − biα2) ≡ ( 0 0 0 )

I Example:

(a1, b1) : a1 − b1α1 ≡ ( 0 1 0 ) a1 − b1α2 ≡ ( 1 0 0 )

(a2, b2) : a2 − b2α1 ≡ ( 0 1 1 ) a2 − b2α2 ≡ ( 1 1 1 )

(a3, b3) : a3 − b3α1 ≡ ( 1 0 1 ) a3 − b3α2 ≡ ( 0 1 1 )

(a4, b4) : a4 − b4α1 ≡ ( 0 0 1 ) a4 − b4α2 ≡ ( 0 1 1 )

∏i∈{1,2,4}

(ai − biα1) ≡ ( 0 0 0 )∏

i∈{1,2,4}

(ai − biα2) ≡ ( 0 0 0 )

I Slight problem: no unique factorization of numbers in Z[αi ] or OQ(αi )I However, OQ(αi ) is a Dedekind domain: unique factorization of ideals

into products of prime ideals

• Prime ideals p of Z[αi ] given by integers (p, r) such that p is prime

and fi(r) ≡ 0 (mod p)• pe ”divides” 〈a− bαi〉 iff. a− br ≡ 0 (mod p) and pe|Ni(a− bαi),

where Ni(a − bαi) = fi(a/b)bdeg fi is called the norm of a − bαi

a − bX ∈ Z[X ]

= a − bα1 ∈

u1∏j

〈a − bα1〉 ⊂

Z[α1] Z[α2] 3 a − bα2 =∏j

×⊃ 〈a − bα2〉

= u2∏j

X 7→ α1 X 7→ α2

The Number Field SieveI Slight problem: no unique factorization of numbers in Z[αi ] or OQ(αi )

I However, OQ(αi ) is a Dedekind domain: unique factorization of ideals

a − bX ∈ Z[X ]

1,j×= a − bα1 ∈

u1∏j

〈a − bα1〉 ⊂

Z[α1] Z[α2] 3 a − bα2 =∏j

⊃ 〈a − bα2〉

= u2∏j

X 7→ α1 X 7→ α2

The Number Field SieveI Slight problem: no unique factorization of numbers in Z[αi ] or OQ(αi )I However, OQ(αi ) is a Dedekind domain: unique factorization of ideals

a − bX ∈ Z[X ]

1,j×= a − bα1 ∈

u1∏j

〈a − bα1〉 ⊂

Z[α1] Z[α2]

3 a − bα2 =∏j

2,j×⊃ 〈a − bα2〉

= u2∏j

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

1,j×= a − bα1 ∈u1∏j

〈a − bα1〉 ⊂ Z[α1] Z[α2]

3 a − bα2 =∏j

⊃ 〈a − bα2〉

= u2∏j

X 7→ α1 X 7→ α2

and fi(r) ≡ 0 (mod p)

• pe ”divides” 〈a− bαi〉 iff. a− br ≡ 0 (mod p) and pe|Ni(a− bαi),

a − bX ∈ Z[X ]

1,j×= a − bα1 ∈u1∏j

〈a − bα1〉 ⊂ Z[α1] Z[α2]

3 a − bα2 =∏j

⊃ 〈a − bα2〉

= u2∏j

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

1,j×= a − bα1 ∈u1∏j

〈a − bα1〉 ⊂ Z[α1] Z[α2]

3 a − bα2 =∏j

⊃ 〈a − bα2〉

= u2∏j

X 7→ α1 X 7→ α2

a − bX ∈ Z[X ]

1,j×= a − bα1 ∈

u1∏j

1,j = 〈a − bα1〉 ⊂ Z[α1] Z[α2]

3 a − bα2 =∏j

⊃ 〈a − bα2〉 = u2∏j

X 7→ α1 X 7→ α2

I Let’s recap!

• Sieving domain: coprime pairs (a, b) in [−A,A]×]0,A]

• Factor base Bi : prime ideals p = (p, r) of Z[αi ] with p ≤ Bi

I For each (a, b) pair in the sieving domain:

• Compute the norms Ni(a − bαi) = fi(a/b)bi

• Check if Ni(a − bαi) is Bi -smooth (all its prime factors are ≤ Bi)

• If both norms are smooth, then (a, b) is a relation

I We need more relations than elements of the factor bases:

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

I Let’s recap!

#R > #B1 + #B2

Ê Polynomial selection: find suitable polynomials f1 and f2

Ë Factor base generation: build factors bases B1 and B2

Ê Relation collection (a.k.a. sieving): build set of relations R

Í Filtering: build and simplify matrix from relations

Ë Linear algebra: find vector of left-kernel of the matrix over F2

Ï Characters: deal with number-field-related technicalities (e.g., units)

Ì Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

that γ1(m)2 ≡ γ2(m)2 (mod N)

Ñ Profit!

Ë Relation collection (a.k.a. sieving): build set of relations R

Ì Linear algebra: find vector of left-kernel of the matrix over F2

Í Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

Ñ Profit!

Ì Relation collection (a.k.a. sieving): build set of relations R

Í Linear algebra: find vector of left-kernel of the matrix over F2

Î Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

Ñ Profit!

Î Linear algebra: find vector of left-kernel of the matrix over F2

Ï Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

Ñ Profit!

Ð Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

Ñ Profit!

Ð Square root: compute elements γ1 ∈ Z[α1] and γ2 ∈ Z[α2] such

Ñ Profit!

Back to CADO-NFSI Each step is handled by a specific binary/script

I cadofactor.py: Python script to run whole factorization

→ All NFS parameters in a single parameter file

I factor.sh: Bash script for simple factorizations

Ê Polynomial selection polyselect/polyselect2l

Ë Factor base generation sieve/makefb

Ì Relation collection sieve/{freerel,las}

Í Filtering filter/{dup1,dup2,purge,merge,replay}

Î Linear algebra linalg/bwc/bwc.pl

Ï Characters linalg/characters

Ð Square root sqrt/sqrt

scripts/cadofactor/cadofactor.py

tfactor.sh

Ð Square root sqrt/sqrtPyt

tfactor.sh

Ð Square root sqrt/sqrtPyt

tfactor.sh

Let’s play!

I Requirements:

• GNU/Linux (or Mac OS X + Xcode)

• GCC 4.4 or later

• GMP 5 or later

• GNU Make and CMake 2.6.3 or later

• Python 3.2 or later

• SQLite 3, including Python bindings

• GNU Wget or cURL

• GNU Gzip

• GNU Bash

Let’s play!

I Go and download CADO-NFS 2.1.1 from

I Un-tar:

$ tar xzvf cado-nfs-2.1.1.tar.gz

$ cd cado-nfs-2.1.1

I Optional: tweak build configuration (esp. for Mac OS X):

$ cp local.sh.example local.sh

$ vi local.sh

I Build:

$ make

Let’s play!

I Un-tar:

$ cd cado-nfs-2.1.1

$ vi local.sh

I Build:

$ make

Let’s play!

I Un-tar:

$ cd cado-nfs-2.1.1

$ vi local.sh

I Build:

$ make

Let’s play!

I Un-tar:

$ cd cado-nfs-2.1.1

$ vi local.sh

I Build:

$ make

A toy factorizationI Let’s factor this 59-digit composite integer:

c59 = 90377629292003121684002147101760858109247336549001090677693

(you can just copy-paste it from

http://www.loria.fr/~detreyje/cado-nfs.txt)

I Run:$ export CADO DEBUG=1

$ mkdir /tmp/c59

$ t=/tmp/c59 ./factor.sh 903. . . 693 -t 2

I Get factors!. . .

Info:Complete Factorization: . . .

588120598053661 260938498861057

760926063870977 773951836515617

c59 = 90377629292003121684002147101760858109247336549001090677693

$ mkdir /tmp/c59

$ t=/tmp/c59 ./factor.sh 903. . . 693 -t 2

I Get factors!. . .

588120598053661 260938498861057

760926063870977 773951836515617

c59 = 90377629292003121684002147101760858109247336549001090677693

$ mkdir /tmp/c59

$ t=/tmp/c59 ./factor.sh 903. . . 693 -t 2

I Get factors!. . .

588120598053661 260938498861057

760926063870977 773951836515617

Diving into details – Polynomial selection

I Find polynomials f1 and f2 ∈ Z[X ] such that

• f1 and f2 are irreducible and coprime over Q• they have a common root m ∈ Z/NZ:

f1(m) ≡ 0 (mod N) and f2(m) ≡ 0 (mod N)

I In practice:

• Take a linear polynomial for f2: this is called the ”rational side”• Take a degree-d polynomial for f1, with d ∈ {4, 5, 6}: this is called

the ”algebraic side”

f1(X ) = f1,dXd + f1,d−1X

d−1 + · · · + f1,1X + f1,0

I Look for a polynomial f1 of degree d :

• such that norms N1(a − bα1) = f1(a/b)bd are as small as possible

for pairs (a, b) in the sieving domain• which has many roots modulo small primes

I In practice:

f1(X ) = f1,dXd + f1,d−1X

d−1 + · · · + f1,1X + f1,0

I In practice:

f1(X ) = f1,dXd + f1,d−1X

d−1 + · · · + f1,1X + f1,0

Diving into details – Polynomial selectionI Two main steps:

• Size optimization: find polynomials with small norm• Root optimization: translate/rotate candidates so that they have

many roots modulo small primes

I CADO-NFS parameters (tasks.polyselect.*):

• degree: degree d of polynomial f1• admin (0): minimum value for leading coefficient f1,d• admax: maximum value for leading coefficient f1,d• incr (60): force f1,d to be a multiple of this smooth number• nrkeep: how many candidates to keep after first step

• adrange: split search interval for f1,d into ranges of this size

→ easy parallelization

I Best polynomial stored in:

〈name〉.polyselect2.poly

• degree: degree d of polynomial f1• admin (0): minimum value for leading coefficient f1,d• admax: maximum value for leading coefficient f1,d• incr (60): force f1,d to be a multiple of this smooth number• nrkeep: how many candidates to keep after first step

• adrange: split search interval for f1,d into ranges of this size

• degree: degree d of polynomial f1• admin (0): minimum value for leading coefficient f1,d• admax: maximum value for leading coefficient f1,d• incr (60): force f1,d to be a multiple of this smooth number• nrkeep: how many candidates to keep after first step• adrange: split search interval for f1,d into ranges of this size

Diving into details – Relation collection

I Special-q sieving:

• Fix a prime ideal q = (q, ρ) of Z[α1]

• The set of (a, b) pairs such that q divides 〈a − bαi〉 is a Euclidean

lattice of Z2

• Compute basis (u, v) of this lattice

• Enumerate lattice elements as pairs (a, b) = iu + jv with

(i , j) ∈ [−I , I ]×]0, I ]

• One independent subtask for each special-q

lattice of Z2

(i , j) ∈ [−I , I ]×]0, I ]

lattice of Z2

(i , j) ∈ [−I , I ]×]0, I ]

lattice of Z2

(i , j) ∈ [−I , I ]×]0, I ]

lattice of Z2

(i , j) ∈ [−I , I ]×]0, I ]

lattice of Z2

(i , j) ∈ [−I , I ]×]0, I ]

lattice of Z2

(i , j) ∈ [−I , I ]×]0, I ]

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

• Sieving position: (a, b) = (−876877, 31)

I Is (a, b) a relation? Factor its norms

• Remove small factors by sieving techniques (up to bound B ′i )

• Co-factor remaining parts only if not too large

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 34039772577219966371130285

N2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 170196309941450710095 · qN2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 170196309941450710095 · qN2(a − bα2) = −10203782780419264

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 32 · 5 · 43 · 53 · 59 · 61 · 151 · 3053757221 · qN2(a − bα2) = −26 · 67 · 311 · 617 · 709 · 17491

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 32 · 5 · 43 · 53 · 59 · 61 · 151 · 3053757221 · qN2(a − bα2) = −26 · 67 · 311 · 617 · 709 · 17491

I Example from c59:

• Polynomials:

f1(X ) = 60 · X 4 + 164823 · X 3 + 2561101187 · X 2

− 4872316534587 · X − 9288039622841198

f2(X ) = 4827001309 · X − 192616011406041

• Special-q: (q, ρ) = (200003, 74941)

N1(a − bα1) = 32 · 5 · 43 · 53 · 59 · 61 · 151 · 22447 · 136043 · qN2(a − bα2) = −26 · 67 · 311 · 617 · 709 · 17491

I General parameters (tasks.*)

• alim / rlim: the maximum norm of sieved primes (B ′i )

• lpba / lpbr: the so-called large prime bound, in bits (log2 Bi)

• I: bounds on sieving domain

I Sieving parameters (tasks.sieve.*)

• mfba / mfbr: co-factorization threshold, in bits

• qmin: first special-q to sieve

• rels wanted: number of relations to collect

• qrange: number of special-q’s to sieve per subtask

Thank you for your attention

Happy factoring!

factoring integers with cado-nfs

Documents