Prabhas Chongstitvatana 1

Factorizing large integers

Finding the unique decomposition of n into a product of prime factors.

Factorize(n)

if n is prime done

find a non trivial divisor m

factorize( m)

factorize( n/m )

Prabhas Chongstitvatana 2

Looking for divisor smaller than sqrt(n) by trying all m, called “trial division”.

“hard” : n is the product of two primes of roughly the same size

Let n be a composite integer. Let a and b be distinct integer 1..n-1 such that a+b != n. If a2 mod n = b2 mod n then gcd( a+b, n) is a non trivial divisor of n.

Prabhas Chongstitvatana 3

Example

n = 2537, let a = 2012, b = 1127,

a2 = 1595n + 1629

b2 = 500n + 1629

a != b, a + b != n

gcd(a+b, n) = 43 is a divisor of n

Prabhas Chongstitvatana 4

How to find a and b ?An integer is k-smooth if all its prime divisors are among the k smallest primes.

120 = 23 x 3 x 5 is 3-smooth

Use LV choose x randomly 1..n-1

y = x2 mod n

if y is k-smooth store x and factorization of y. Find k+1 different integers of these.

Prabhas Chongstitvatana 5

x1 = 2455 y1 = 1650 = 2 x 3 x 52 x 11

x2 = 970 y2 = 2210 = 2 x 5 x 13 x 17

x3 = 1105 y3 = 728 = 23 x 7 x 13

x4 = 1458 y4 = 2295 = 33 x 5 x 17

x5 = 216 y5 = 990 = 2 x 32 x 5 x 11

x6 = 80 y6 = 1326 = 2 x 3 x 13 x 17

x7 = 1844 y7 = 756 = 22 x 33 x 7

x8 = 433 y8 = 2288 = 24 x 11 x 13

Prabhas Chongstitvatana 6

Form (k+1) x k matrix M over {0, 1}. Each row corresponds to one success, each column corresponds to one admissible primes. Mij = 0 if j-th prime appears to an even power (including zero).

Prabhas Chongstitvatana 7

2 3 5 7 11 13 171 1 0 0 1 0 01 0 1 0 0 1 11 0 0 1 0 1 00 1 1 0 0 0 11 0 1 0 1 0 01 1 0 0 0 1 10 1 0 1 0 0 00 0 0 0 1 1 0

12345678

M =

y1 = 1650 = 2 x 3 x 52 x 11

y2 = 2210 = 2 x 5 x 13 x 17

Prabhas Chongstitvatana 8

Matrix M has more rows than columns hence the rows cannot be linearly independent.

There exists a nonempty set of rows that add up to the all-zero vector in arithmetic mod 2.

(can be found by Gauss-Jordan elimination)

There are seven solutions

1,2,4,8 or 1,3,4,5,6,7 . . .

Prabhas Chongstitvatana 9

1, 2, 4, 8 2 3 5 7 11 13 17

1 1 0 0 1 0 0

1 0 1 0 0 1 1

0 1 1 0 0 0 1

0 0 0 0 1 1 0

0 0 0 0 0 0 0

Prabhas Chongstitvatana 10

The exponents are necessarily even by construction. A square root can be found.

y1y2y4y8 = 26 x 34 x 54 x 112 x 132 x 172

y1y3y4y5y6y7 = 28 x 310 x 54 x 72 x 112 x 132 x 172

a = 23 x 32 x 52 x 11 x 13 x 17 mod 2537 = 1973

b = 2455 x 970 x 1458 x 433 mod 2537 = 1127

x1 * x2 * x4 * x8

Prabhas Chongstitvatana 11

The technique yields a, b in 1..n-1 such that a2 mod n = b2 mod n but no quarantee that a != b and a+b != n.

Prabhas Chongstitvatana 12

The technique yields a, b in 1..n-1 such that a2 mod n = b2 mod n but no quarantee that a != b and a+b != n.

Choose y1y3y4y5y6y7

It can be proved that this process succeeds with prob. at least 50%

a’ = 24 x 35 x 52 x 7 x 11 x 13 x 17 mod 2537 = 1973

b’ = 2455 x 1105 x 1458 x 216 x 80 x 1844 mod 2537 = 1127

But a’ + b’ = n

Prabhas Chongstitvatana 13

Determine the value of kk large ; higher prob. That x2 mod n will be k-smooth

k small; the faster for testing k-smoothness and factorize k-smooth values.

Prabhas Chongstitvatana 14

Determine the value of kk large ; higher prob. That x2 mod n will be k-smooth

k small; the faster for testing k-smoothness and factorize k-smooth values.

Let L = e^ sqrt( log n log log n )

let b an arbitrary positive real number

let t = L 1/2 b

Prabhas Chongstitvatana 15

If k ~ Lb, about one x in t is such that x2 mod n is k-smooth.

To build M, take k+1 successes (each use k div)

The expected number of “trial division” approx. O(t k 2 ) = O(L (1/2b) + 2b )

which minimize at O(L2 ) when b = 1/2

Find set of rows add to zero take O(k3 ) = O(L3b)

(use Gauss-Jordan)

Prabhas Chongstitvatana 16

Take k ~ sqrt(L), the algorithm splits n after an expected number of divisions that is approx. O(L2

).

An average 100 decimal digit number

L2 ~ 5 x 1030 whereas sqrt(n) ~ 7 x 1049

Prabhas Chongstitvatana 17

Take k ~ sqrt(L), the algorithm splits n after an expected number of divisions that is approx. O(L2

).

An average 100 decimal digit number

L2 ~ 5 x 1030 whereas sqrt(n) ~ 7 x 1049

Improvement

Choose x so that x2 mod n is more likely to be k-smooth

Prabhas Chongstitvatana 18

Randomness plays a fundamental role in this algorithm because no deterministic approach for finding so many good x’s has been proved efficient.

Other heuristic

•Choose x slightly larger than sqrt(n)•Quadratic sieve•Double large prime multiple polynomial variation of quadratic sieve•Elliptic curve•Number field sieve