Factoring Integers via Diophantine Approximation
Shubham Sahai Srivastava
Indian Institute of Technology, Kanpur
January 16, 2014
Shubham Sahai Srivastava (IITK) Factoring Integers January 16, 2014 1 / 14
Introduction and Survey
The task of factoring a large composite integer N has a long history and is still a challenging problem.
Here, this task is reduced to the following diophantine approximation:
Definition (Problem)
Find at least t + 2 integer vectors $(e_1, e_2, \ldots, e_t) \in \mathbb{Z}^t$ satisfying:
1. $\left|\sum_{i=1}^{t} e_i \log p_i - \log N\right| \le N^{-c}\, p_t^{o(1)}$
2. $\left|\sum_{i=1}^{t} e_i \log p_i\right| \le (2c - 1)\log N + 2\log p_t$
where c > 1 and $p_1, \ldots, p_t$ are the first t prime numbers.
What's next?
Given these t + 2 diophantine approximations of log N, we can factorize N as follows:
The integer $u := \prod_{e_j > 0} p_j^{e_j}$ must be a close approximation to vN, where $v := \prod_{e_j < 0} p_j^{|e_j|}$.
The following theorem shows that $|u - vN| \le p_t^{1+o(1)}$.
Theorem (1)
Let c > 1, β, δ ≥ 0 be fixed and let $p_t < N$. If $(e_1, \ldots, e_t) \in \mathbb{Z}^t$ satisfies the inequalities
1. $\left|\sum_{i=1}^{t} e_i \log p_i - \log N\right| \le N^{-c}\, p_t^{\beta+o(1)}$
2. $\left|\sum_{i=1}^{t} e_i \log p_i\right| \le (2c - 1)\log N + 2\delta \log p_t$
then we have for $u := \prod_{e_j > 0} p_j^{e_j}$, $v := \prod_{e_j < 0} p_j^{|e_j|}$ that:
$|u - vN| \le p_t^{\beta+\delta+o(1)}$
So, we have $|u - vN| \le p_t^{1+o(1)}$.
Hence, the residue u (mod N) factorizes completely over the primes $p_1, \ldots, p_t$.
And we obtain a non-trivial congruence $\prod_{e_j > 0} p_j^{e_j} = \pm \prod_{j=1}^{t} p_j^{e_j} \pmod{N}$.
Given t + 2 of these congruences we compute x, y satisfying $x^2 = y^2 \pmod{N}$.
So, we can compute a factor of N as gcd(x+y, N).
This gives us one factor, and thus we can reduce N by dividing N by this factor and continuing until N is completely factorized.
Reduction to Lattice problem
So, we are good to go if we are able to solve the following problem:
Definition (Diophantine Approximation Problem)
Find at least t + 2 integer vectors $(e_1, e_2, \ldots, e_t) \in \mathbb{Z}^t$ satisfying:
1. $\left|\sum_{i=1}^{t} e_i \log p_i - \log N\right| \le N^{-c}\, p_t^{o(1)}$
2. $\left|\sum_{i=1}^{t} e_i \log p_i\right| \le (2c - 1)\log N + 2\log p_t$
where c > 1 and $p_1, \ldots, p_t$ are the first t prime numbers.
The above problem can be formulated as a nearly closest vector problem in the 1-norm.
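We associate with N a point $\mathbf{N} \in \mathbb{R}^{t+1}$
and with the primes $p_1, \ldots, p_t$ a lattice $L \subset \mathbb{R}^{t+1}$ of rank t and basis B.
$$
B = \begin{bmatrix}
\log p_1 & 0 & \cdots & 0 \\
0 & \ddots & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & \log p_t \\
N^c \log p_1 & N^c \log p_2 & \cdots & N^c \log p_t
\end{bmatrix},
\quad
\mathbf{N} = \begin{bmatrix} 0 \\ 0 \\ \vdots \\ 0 \\ N^c \ln N' \end{bmatrix},
\quad c \ge 1
$$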
The following theorem shows that every lattice vector that is sufficiently close to $\mathbf{N}$ in the 1-norm yields a desired diophantine approximation of log N.
Theorem (2)
Let α, c > 1, δ > 0 be fixed and $(\log N)^{\alpha} = p_t < N$. If $z \in L$ satisfies the inequality:
$\|z - \mathbf{N}\|_1 \le (2c - 1)\log N + 2\delta \log p_t$
then we have for (u, v) := g(z) that $|u - vN| \le p_t^{\frac{1}{\alpha}+\delta+o(1)}$.
Notation:
We associate with a lattice vector $z = (z_1, \ldots, z_{t+1}) = \sum_{i=1}^{t} e_i b_i$, $e_1, \ldots, e_t \in \mathbb{Z}$, the pair of integers $g(z) = (u, v) \in \mathbb{N}^2$, with
$u := \prod_{e_j > 0} p_j^{e_j}$, $v := \prod_{e_j < 0} p_j^{|e_j|}$
The 1-norm of a vector $z = (z_1, \ldots, z_t) \in \mathbb{R}^t$ is by definition $\|z\|_1 = \sum_{i=1}^{t} |z_i|$.
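Why a small 1-norm distance yields the diophantine approximation, written out with the symbols above (an added derivation, not from the slides; it takes $b_i$ to be the i-th column of B and reads the last coordinate of $\mathbf{N}$ as $N^c \log N$, which is an assumption):
$$
z = \sum_{i=1}^{t} e_i b_i = \Big(e_1 \log p_1, \ldots, e_t \log p_t,\; N^c \sum_{i=1}^{t} e_i \log p_i\Big)
$$
$$
\|z - \mathbf{N}\|_1 = \sum_{i=1}^{t} |e_i| \log p_i + N^c \Big|\sum_{i=1}^{t} e_i \log p_i - \log N\Big| = \log(uv) + N^c \Big|\log \frac{u}{vN}\Big|
$$
Both terms are non-negative, so the bound $\|z - \mathbf{N}\|_1 \le (2c - 1)\log N + 2\delta \log p_t$ of Theorem (2) gives
$$
\Big|\sum_{i=1}^{t} e_i \log p_i - \log N\Big| \le N^{-c}\big((2c - 1)\log N + 2\delta \log p_t\big),
\qquad
\Big|\sum_{i=1}^{t} e_i \log p_i\Big| \le \sum_{i=1}^{t} |e_i| \log p_i \le (2c - 1)\log N + 2\delta \log p_t .
$$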
Hypothesis: Near Independence
Lattice vectors sufficiently close to $\mathbf{N}$ exist if the following two properties are nearly independent for random integers u, v with $0 < u < N^c$, $N^{c-1}/2 < v < N^{c-1}$:
u and v are free of prime factors larger than $p_t$
|u − vN| = 1
Sufficiently many lattice vectors close to N
Assuming near independence, we show in the following theorem that there are at least $N^{\varepsilon+o(1)}$ sufficiently close lattice vectors, where ε > 0 if α > (2c − 1)/(c − 1) holds with $p_t = (\log N)^{\alpha}$.
Theorem
For fixed α, c > 1 and for N → ∞ there are at least $N^{\varepsilon+o(1)}$ many vectors z ∈ L that satisfy the inequality
$\|z - \mathbf{N}\|_1 \le (2c - 1)\log N + 2\delta \log p_t$
where ε = (c − 1) − (2c − 1)/α,
i.e. if α > (2c − 1)/(c − 1) then there are exponentially many lattice vectors that satisfy the above inequality.
Summary
Hence, the results seen so far reduce the problem of factoring a large integer N to the task of finding lattice vectors in L that are close to $\mathbf{N}$ in the 1-norm.
The Factoring Method: At a glance
Input: N (integer), α, c ∈ Q with α, c > 1
1 Form the list $p_1, \ldots, p_t$ of the first t primes, $p_t = (\log N)^{\alpha}$
2 Generate from vectors in the lattice a list of m ≥ t + 2 pairs $(u_i, v_i) \in \mathbb{N}^2$ with the property that:
$u_i = \prod_{j=1}^{t} p_j^{a_{i,j}}$ with $a_{i,j} \in \mathbb{N}$, $|u_i - v_i N| \le p_t$
3 Factorize $u_i - v_i N$ for i = 1, ..., m over the primes $p_1, \ldots, p_t$ and $p_0 = -1$.
Let $u_i - v_i N = \prod_{j=0}^{t} p_j^{b_{i,j}}$, $b_i = (b_{i,0}, \ldots, b_{i,t})$ and $a_i = (a_{i,0}, \ldots, a_{i,t})$ with $a_{i,0} = 0$
4 Find a nonzero 0,1-solution $(c_1, \ldots, c_m)$ of the equation $\sum_{i=1}^{m} c_i (a_i + b_i) = 0 \pmod{2}$
5 $x := \prod_{j=0}^{t} p_j^{\sum_{i=1}^{m} c_i (a_{i,j} + b_{i,j})/2} \pmod{N}$,
$y := \prod_{j=0}^{t} p_j^{\sum_{i=1}^{m} c_i b_{i,j}} \pmod{N} = \prod_{j=0}^{t} p_j^{\sum_{i=1}^{m} c_i a_{i,j}} \pmod{N}$
The construction implies $x^2 = y^2 \pmod{N}$
6 If $x \ne \pm y \pmod{N}$ then output gcd(x+y, N) and stop. Otherwise go to 4 and generate a different solution $(c_1, \ldots, c_m)$
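Steps 1 to 6 above, run on a toy modulus, as an added example (not code from the slides). The lattice search of step 2 is replaced by enumerating smooth u with v the nearest integer to u/N, and any residual u − vN that is smooth over the factor base is accepted instead of requiring |u − vN| ≤ p_t; N = 84923, t = 6 and all function names are assumptions.

```python
import heapq
from math import gcd

def first_primes(t):
    """First t primes by trial division (enough for a toy factor base)."""
    primes, n = [], 2
    while len(primes) < t:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes

def smooth_numbers(primes):
    """Yield in increasing order every integer whose prime factors lie in `primes`."""
    heap, seen = [1], {1}
    while True:
        x = heapq.heappop(heap)
        yield x
        for p in primes:
            if x * p not in seen:
                seen.add(x * p)
                heapq.heappush(heap, x * p)

def exponents(n, primes):
    """Exponent vector of n over p_0 = -1, p_1..p_t; None if n is 0 or not smooth."""
    if n == 0:
        return None
    vec, n = [1 if n < 0 else 0], abs(n)
    for p in primes:
        k = 0
        while n % p == 0:
            n //= p
            k += 1
        vec.append(k)
    return vec if n == 1 else None

def combine(relations, mask, primes, N):
    """Step 5: build x, y with x^2 = y^2 (mod N) from the relations selected by mask."""
    base = [-1] + primes
    A, B = [0] * len(base), [0] * len(base)
    for i, (a, b) in enumerate(relations):
        if mask >> i & 1:
            A = [s + k for s, k in zip(A, a)]
            B = [s + k for s, k in zip(B, b)]
    x = y = 1
    for p, aj, bj in zip(base, A, B):
        x = x * pow(p, (aj + bj) // 2, N) % N   # aj + bj is even for a solution c
        y = y * pow(p, aj, N) % N
    assert (x * x - y * y) % N == 0
    return x, y

def factor(N, t=6, max_candidates=20000):
    """Toy run of the method; assumes N is odd, composite and coprime to the factor base."""
    primes = first_primes(t)                              # step 1
    relations, pivots = [], {}
    for n, u in enumerate(smooth_numbers(primes)):
        if n >= max_candidates:
            return None
        v = (2 * u + N) // (2 * N)                        # nearest integer to u/N
        b = exponents(u - v * N, primes) if v else None   # step 3 (v = 0 is trivial)
        if b is None:
            continue
        a = exponents(u, primes)                          # a[0] = 0 because u > 0
        relations.append((a, b))                          # stand-in for step 2
        # Step 4: incremental Gaussian elimination over GF(2); `hist` records
        # which relations were added together to reach the current row.
        vec = sum(((x + y) & 1) << j for j, (x, y) in enumerate(zip(a, b)))
        hist = 1 << (len(relations) - 1)
        while vec:
            top = vec.bit_length() - 1
            if top not in pivots:
                pivots[top] = (vec, hist)
                break
            vec, hist = vec ^ pivots[top][0], hist ^ pivots[top][1]
        else:                                             # row vanished: hist encodes c
            x, y = combine(relations, hist, primes, N)
            d = gcd(x + y, N)                             # step 6
            if 1 < d < N:                                 # fails exactly when x = +-y
                return d

if __name__ == "__main__":
    print(factor(84923))   # constructed toy modulus, 163 * 521
```

Each dependency that gives x = ±y (mod N) is skipped and the search continues with further relations, which is the "go to 4" branch of step 6.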
Present Bottlenecks
They have reduced the lattice basis by block Korkin-Zolotarev reduction, a concept introduced by Schnorr (1987).
For lattices of very large rank it may be hard to find lattice vectors that are, in the 1-norm, sufficiently close to a given vector.
In order to factor an integer N that is 500 bits long, the basis should have about 6300 primes.
The input lattice would contain integers that are 1500 bits long.
To make the method work for large N, we need to improve the lattice L and the present reduction algorithms.
It has been suggested to use algorithms that directly perform the reduction in the 1-norm.
Such algorithms have been proposed by Kaib [91] and Lovász, Scarf [90].
The Lovász, Scarf algorithm works in arbitrary dimensions but seems to be inefficient for our problem.
The Kaib algorithm is quite efficient but it is restricted to lattices of dimension 2.
The End