Quadratic Field Sieve
QFS
Matt Spear, Steven Guy
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
Agenda
1. Introduction to sieves
2. Euclid's GCD in base 2
3. Definitions
4. Algorithms
5. RHO example
6. Factor Bases
7. QFS example
8. Introduction to MPQFS
Prime Number Sieve
1. Start with all numbers greater than 1.
2. Take the first remaining number and strike out every larger number it divides (all of its multiples).
3. Repeat with the next number that has not been struck out, until no numbers are left to divide by (once the current number's square exceeds the largest number in the space, nothing further can be struck out).
4. What remains are the prime numbers.
Sieve of Eratosthenes
Prime Number Sieve
Initial sieve space: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, ..., 101 (every integer from 2 to 101).
After dividing out multiples of two: 2 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 73 75 77 79 81 83 85 87 89 91 93 95 97 99 101
After dividing out multiples of three: 2 3 5 7 11 13 17 19 23 25 29 31 35 37 41 43 47 49 53 55 59 61 65 67 71 73 77 79 83 85 89 91 95 97 101
After dividing out multiples of five: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 49 53 59 61 67 71 73 77 79 83 89 91 97 101
After all possible divisions (seven is the last divisor that removes anything, since 11 · 11 > 101): 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101
Prime Numbers Less Than 1602
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79
83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 211 223 227 229 233 239 241 251 257 263 269 271 277 281 283 293 307 311 313 317 331 337 347 349 353 359 367 373 379 383 389 397 401 409 419 421 431 433 439 443 449 457 461 463 467 479 487 491 499 503 509 521 523 541 547 557 563 569 571 577 587 593 599 601 607 613 617 619 631 641 643 647 653 659 661 673 677 683 691 701 709 719 727 733 739 743 751 757 761 769 773 787 797 809 811 821 823 827 829 839 853 857 859 863 877 881 883 887 907 911 919 929 937 941 947 953 967 971 977 983 991 997 1009 1013 1019 1021 1031 1033 1039 1049 1051 1061 1063 1069 1087 1091 1093 1097 1103 1109 1117 1123 1129 1151 1153 1163 1171 1181 1187 1193 1201 1213 1217 1223 1229 1231 1237 1249 1259 1277 1279 1283 1289 1291 1297 1301 1303 1307 1319 1321 1327 1361 1367 1373 1381 1399 1409 1423 1427 1429 1433 1439 1447 1451 1453 1459 1471 1481 1483 1487 1489 1493 1499 1511 1523 1531 1543 1549 1553 1559 1567 1571 1579 1583 1597 1601
Euclid's GCD Algorithm (Binary)
    g := 1
    while u is even and v is even
        u := u/2, v := v/2, g := 2*g
    EndWhile
    // now u or v (or both) are odd
    while u > 0
        if u is even then u := u/2
        else if v is even then v := v/2
        else
            t := |u - v|/2            // both odd, so the difference is even
            if u < v then v := t else u := t EndIf
        EndIf
    EndWhile
    return g*v
Groups
An algebraic structure (G, Δ) with one associative composition (operation) Δ.
Contains a neutral element for Δ, and every element is invertible over Δ.
Is abelian if Δ is also commutative.
For example: (N_n, +) (addition modulo n) is an abelian group with neutral element e = 0 and the inverse of x equal to n - x (0 being its own inverse).
Rings
An algebraic structure (A, +, ·) with (A, +) an abelian group and · an associative composition that distributes over +.
Is a commutative ring if · is also commutative.
For example: (N_n, +_n, ·_n) is a commutative ring, called the ring of integers mod n.
Fields
A commutative ring in which every nonzero element possesses a · inverse (x · x* = 1).
Is finite if it has finitely many elements.
For example: Z/pZ is a finite field when p is a prime integer, the field of integers modulo p (F_p).
(If p is not prime, not every nonzero element has an inverse: if p = 10 then 2 has no inverse over ·, since 2 · x ≡ 1 (mod 10) has no solution.)
Quadratic Residues
n is a quadratic residue modulo p if the equation x^2 ≡ n (mod p) has a solution x. If n is not the square of any element it is a nonresidue.
For example, in F_11:
the residues are {1, 4, 9, 5, 3}, as 1^2 ≡ 1, 2^2 ≡ 4, 3^2 ≡ 9, 4^2 ≡ 5, 5^2 ≡ 3 (the squares of 6, ..., 10 repeat these, since (p - x)^2 ≡ x^2).
The nonresidues are {2, 6, 7, 8, 10}.
Legendre Symbol
Used to determine whether a number is a quadratic residue modulo p: the result is 1 for a residue, -1 for a nonresidue and 0 if p divides a.
Defined (as an algorithm) as:
Legendre(a, p)
    if a ≡ 0 (mod p) then return 0 EndIf
    x := a, y := p, L := 1
    while true
        x := (x mod y)
        if x > y/2 then                        // replace x by -x: (-1/y) = -1 iff y ≡ 3 (mod 4)
            x := y - x
            if y ≡ 3 (mod 4) then L := L · -1 EndIf
        EndIf
        if x = 0 then return 0 EndIf             // a and p share a factor; never reached when p is prime
        while x ≡ 0 (mod 4) x := x/4 EndWhile    // 4 is a square, so no change of sign
        if x ≡ 0 (mod 2) then                    // (2/y) = -1 iff y ≡ 3 or 5 (mod 8)
            x := x/2
            t := (y mod 8)
            if t = 5 or t = 3 then L := L · -1 EndIf
        EndIf
        if x = 1 then return L EndIf
        if x ≡ 3 (mod 4) and y ≡ 3 (mod 4) then L := L · -1 EndIf   // quadratic reciprocity
        t := x, x := y, y := t
    EndWhile
The loop uses only reciprocity and the values of (-1/y) and (2/y), so it is really the Jacobi symbol: it also runs for odd composite p, which is why the x = 0 exit (gcd(a, p) > 1, symbol 0) is present at all.
Square Root Modulo p
Sometimes it is useful to find an x such that x^2 ≡ n (mod p). There are two methods for finding such an x:
1. Try every x with 1 ≤ x ≤ (p - 1)/2 (x and p - x have the same square, so half the range suffices); only practical for small p.
2. Use the Shanks-Tonelli algorithm (p an odd prime and legendre(a, p) = 1):
Shanks-Tonelli(a, p)
    Choose random n until legendre(n, p) = -1
    Find e, q such that p - 1 = 2^e · q and q is odd
    y := n^q (mod p), r := e
    x := a^((q - 1)/2) (mod p), b := a · x^2 (mod p), x := a · x (mod p)
    While b ≠ 1 (mod p)
        Find smallest m such that b^(2^m) ≡ 1 (mod p)
        t := y^(2^(r - m - 1)) (mod p), y := t^2 (mod p), r := m, x := x · t (mod p), b := b · y (mod p)
    EndWhile
    Return x
The other root is p - x. When p ≡ 3 (mod 4) we have e = 1, b = a^((p - 1)/2) = 1 immediately, and the answer is simply a^((p + 1)/4) (mod p).
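The two algorithms above, the Legendre-symbol loop and Shanks-Tonelli, in Python. This is an added example, not the original authors' code; the names legendre() and sqrt_mod() and the fixed random seed are this example's own choices. It also shows the behaviour on a 127-bit prime, where trying every x is hopeless.

```python
# Added example: the slides' Legendre-symbol loop and Shanks-Tonelli square
# root in Python.  Not the original authors' code; legendre() and sqrt_mod()
# are this example's own names.
import random

_RNG = random.Random(1)   # fixed seed so the non-residue search is reproducible


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p, following the slide's loop.

    The loop only uses reciprocity and the values of (-1/y) and (2/y), so it
    computes the Jacobi symbol and also works for odd composite p; the x == 0
    exit then means gcd(a, p) > 1 and the symbol is 0.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be odd and > 1")
    if a % p == 0:
        return 0
    x, y, sign = a, p, 1
    while True:
        x %= y
        if x > y // 2:                  # replace x by -x: (-1/y) = -1 iff y ≡ 3 (mod 4)
            x = y - x
            if y % 4 == 3:
                sign = -sign
        if x == 0:                      # only reachable when p is composite
            return 0
        while x % 4 == 0:               # 4 is a square: no sign change
            x //= 4
        if x % 2 == 0:                  # (2/y) = -1 iff y ≡ 3 or 5 (mod 8)
            x //= 2
            if y % 8 in (3, 5):
                sign = -sign
        if x == 1:
            return sign
        if x % 4 == 3 and y % 4 == 3:   # quadratic reciprocity flips the sign
            sign = -sign
        x, y = y, x


def sqrt_mod(a: int, p: int) -> int:
    """Shanks-Tonelli: return x with x*x ≡ a (mod p) for an odd prime p.

    Raises ValueError if a is not a non-zero quadratic residue mod p.
    """
    a %= p
    if legendre(a, p) != 1:
        raise ValueError("a is not a non-zero quadratic residue mod p")
    e, q = 0, p - 1                     # p - 1 = 2^e * q with q odd
    while q % 2 == 0:
        e, q = e + 1, q // 2
    n = 2                               # any quadratic non-residue will do
    while legendre(n, p) != -1:
        n = _RNG.randrange(2, p)
    y, r = pow(n, q, p), e
    x = pow(a, (q - 1) // 2, p)
    b = a * x * x % p                   # b = a^q, a 2^r-th root of unity
    x = a * x % p                       # x = a^((q+1)/2), the answer if b == 1
    while b != 1:
        m = 0                           # smallest m with b^(2^m) ≡ 1 (mod p); 1 <= m < r
        while pow(b, 1 << m, p) != 1:
            m += 1
        t = pow(y, 1 << (r - m - 1), p)
        y = t * t % p
        r = m
        x = x * t % p
        b = b * y % p
    return x
```

sqrt_mod(5, 41) reproduces the textbook case (p - 1 = 2^3 · 5, so the loop runs), while sqrt_mod on a prime p ≡ 3 (mod 4) returns a^((p + 1)/4) without entering the loop at all.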
RHO Derivation
Use the fact that any odd n ∈ N+ > 2 can be represented as x^2 - y^2: if n = p · q is composite, then n = x^2 - y^2 with x = (p + q)/2 and y = (p - q)/2. So try to find x and y such that x^2 ≡ y^2 (mod n) with x ≢ ±y (mod n); then gcd(x - y, n) is a proper factor.
This follows simply from the definition of mod:
n = x^2 - y^2, so x^2 = n + y^2, and as mod returns the r such that r = x^2 - a · n (here a = 1, r = y^2), x^2 ≡ y^2 (mod n).
RHO Algorithm
The congruence-of-squares idea above is the basis for most factoring algorithms (including both QFS and NFS). Pollard's RHO itself is the simplest method built on iterating a polynomial modulo n:
1. Set f(x) = a · x^2 + b · x + c with a, b, c ∈ N+ (the usual choice is f(x) = x^2 + c).
2. Set x_0 = 1, 2 or some other small integer, and compute x_{i+1} = f(x_i) (mod n).
3. Compute gcd(x_i - x_j, n) for pairs i ≠ j until it is ≠ 1. Consecutive terms alone are not enough (x_{i+1} ≡ x_i (mod p) would need a fixed point of f mod p); the standard choice is Floyd's cycle finding, comparing x_i with x_{2i}.
4. If the gcd is not n itself, it is a factor of n; if it equals n, restart with a different c or x_0.
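The binary GCD and Pollard's RHO from the two pseudocode slides, in Python. This is an added example and not the original authors' code; binary_gcd() and pollard_rho() are this example's own names, and RHO is written with Floyd's x_i versus x_{2i} comparison rather than consecutive terms.

```python
# Added example: the binary GCD from the slide and Pollard's RHO in Python.
# Not the original authors' code; binary_gcd() and pollard_rho() are this
# example's own names, and RHO uses Floyd's tortoise-and-hare comparison.
from typing import Optional


def binary_gcd(u: int, v: int) -> int:
    """Euclid's GCD in base 2 (Stein's algorithm), as on the slide."""
    u, v = abs(u), abs(v)
    if u == 0 or v == 0:
        return u | v                    # gcd(0, v) = v, gcd(u, 0) = u
    g = 1
    while u % 2 == 0 and v % 2 == 0:    # common factors of 2 go into g
        u, v, g = u // 2, v // 2, 2 * g
    while u > 0:                        # now u or v (or both) is odd
        if u % 2 == 0:
            u //= 2
        elif v % 2 == 0:
            v //= 2
        else:                           # both odd, so |u - v| is even
            t = abs(u - v) // 2
            if u < v:
                v = t
            else:
                u = t
    return g * v


def pollard_rho(n: int, a: int = 1, b: int = 0, c: int = 1, x0: int = 2) -> Optional[int]:
    """Pollard's RHO with f(x) = a*x^2 + b*x + c (mod n).

    Iterates x_{i+1} = f(x_i) and tests gcd(x_i - x_{2i}, n) (Floyd's cycle
    finding).  Returns a non-trivial factor, or None when the sequence
    collapses mod n first, in which case the caller should change c or x0.
    """
    if n % 2 == 0:
        return 2 if n > 2 else None

    def f(x: int) -> int:
        return (a * x * x + b * x + c) % n

    tortoise = hare = x0 % n
    while True:
        tortoise = f(tortoise)          # x_i
        hare = f(f(hare))               # x_{2i}
        d = binary_gcd(tortoise - hare, n)
        if d == n:
            return None                 # x_i ≡ x_{2i} (mod n): bad parameters for this n
        if d > 1:
            return d
```

With the defaults, pollard_rho(8051) returns 97 after three gcd tests, and pollard_rho(2279) returns 43 (the same n as the QFS example later on).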
RHO Running Time
With a high probability RHO will find a factor in [formula not captured in the transcript] bit operations.
Much faster than trial division.
Factor Bases
A set of prime integers; one of the elements can be -1 (B = {p_1, p_2, ..., p_k}).
An integer is smooth over B iff all of its prime factors are in B.
The least absolute residue of x is the representative of x^2 mod n in the interval (-n/2, n/2].
An integer x is a B-number iff its least absolute residue (LAR) is smooth over B.
For example: B = {-1, 2, 3, 5}, n = 336, a = 8, b = 5, c = 9.
LAR(a) = 64 = 2^6, LAR(b) = 25 = 5^2, LAR(c) = 81 = 3^4; these are B-numbers.
Exponent vectors over B: a = {0,6,0,0}, b = {0,0,0,2}, c = {0,0,4,0}. Every vector is already 0 mod 2, so each LAR is itself a square and any subset, for instance {b, c}, is linearly dependent over B mod 2. Here, though, the resulting congruence is trivial: (5 · 9)^2 ≡ (5 · 9)^2 (mod 336) has x = y, so gcd(x - y, n) = n. The gcd(b + c, n) = gcd(14, 336) = 14 quoted on the slide is indeed a factor of 336, but it comes from adding the B-numbers themselves, not from the congruence-of-squares step; the QFS example below shows a dependency that does give a non-trivial congruence.
QFS
Quadratic Field Sieve
A fast method for factoring large numbers less than 110 digits long.
Relies on algebraic number theory.
Discovered by Pomerance in the early 1980's.
Uses the congruence-of-squares idea from the RHO derivation together with Factor Bases.
Uses a sieve similar to the prime number sieve shown earlier.
We shall denote floor(x) as [x] in the following.
QFS
1. Set P := [formula not captured in the transcript] (the smoothness bound; the example below uses P = 10).
2. Set A := P^3.
3. Make a matrix whose first row is all primes p_i less than P such that legendre(n, p_i) = 1 (discard any p_i with legendre(n, p_i) = -1: t^2 - n can never be divisible by such a p_i).
4. Make column 1 all t in the range [√n] + 1, ..., [√n] + A.
5. Make column 2 t^2 - n for each t.
6. For every odd p in the base (2 is handled specially in step 10) solve t^2 ≡ n (mod p^Θ) for Θ = 1, 2, ... until there is no solution in the range of column 1.
7. Let t_1, t_2 be the last pair of integers that satisfied the equation.
8. For each entry of column 2, if t differs from t_1 or t_2 by a multiple of p, place a 1 in the cell (row t, column p); repeat for p^2, p^3, ..., p^Θ, changing the 1 to 2, 3, ..., Θ.
9. Each time a cell is placed or changed, replace the t^2 - n in column 2 by (t^2 - n)/p.
10. For p = 2: if n ≡ 1 (mod 8) treat 2 as above; otherwise simply place a 1 next to every odd t and replace its t^2 - n by (t^2 - n)/2. (For odd t, t^2 ≡ 1 (mod 8), so t^2 - n has exactly one factor of 2 when n ≡ 3 or 7 (mod 8), but exactly two when n ≡ 5 (mod 8); the example below has n ≡ 7 (mod 8).)
11. Remove all rows whose column 2 has not become 1.
12. As with Factor Bases, find a linearly dependent (mod 2) subset of the remaining rows; denote it {t_1, t_2, ..., t_k}, and write Θ_{i,j} for the exponent recorded in row t_i, column p_j, so that t_i^2 - n = p_1^{Θ_{i,1}} · ... · p_h^{Θ_{i,h}}.
13. For this subset compute B_j = (Θ_{1,j} + ... + Θ_{k,j})/2 for each p_j; the sums are even by the choice of subset.
14. Once a set has been found verify that (t_1 · ... · t_k)^2 ≡ (p_1^{B_1} · ... · p_h^{B_h})^2 (mod n).
15. If so, gcd(t_1 · ... · t_k - p_1^{B_1} · ... · p_h^{B_h}, n) will be a non-trivial factor of n, unless the two products are congruent to ± each other (mod n), in which case the gcd is 1 or n and another dependent subset must be tried.
QFS Example (n = 2279)
N = 2279, P = 10, L(N) = 53, [sqrt(N)] = 47, A = 20
Factor base (primes with legendre(2279, p) = 1): 2 5 7 13 17 (3, 11 and 19 are discarded, as 2279 is a nonresidue modulo each).
Sieving passes in the order the slides show them: 17, 13, 7, 5 and finally 2. For 2, check 2279 ≡ 7 (mod 8): good, the easy rule applies, one factor of 2 next to every odd t.
Final state of the table (column "left" is t^2 - n after all divisions; a dot is an exponent of 0):

 t    t^2-n    left    2  5  7  13  17
48       25       1    .  2  .   .   .
49      122      61    1  .  .   .   .
50      221       1    .  .  .   1   1
51      322      23    1  .  1   .   .
52      425       1    .  2  .   .   1
53      530      53    1  1  .   .   .
54      637       1    .  .  2   1   .
55      746     373    1  .  .   .   .
56      857     857    .  .  .   .   .
57      970      97    1  1  .   .   .
58     1085      31    .  1  1   .   .
59     1202     601    1  .  .   .   .
60     1321    1321    .  .  .   .   .
61     1442     103    1  .  1   .   .
62     1565     313    .  1  .   .   .
63     1690       1    1  1  .   2   .
64     1817    1817    .  .  .   .   .
65     1946     139    1  .  1   .   .
66     2077    2077    .  .  .   .   .
67     2210       1    1  1  .   1   1

Step 11 keeps the rows whose t^2 - n became 1: t = 48, 50, 52, 54, 63, 67.
Looking at the table it is obvious that rows 48, 50, 52, 54 are linearly dependent mod 2: the exponents of 5, 7, 13, 17 sum to 4, 2, 2, 2.
(48 · 50 · 52 · 54)^2 ≡ (5^2 · 7 · 13 · 17)^2 (mod 2279)
Therefore gcd((48 · 50 · 52 · 54) - (5^2 · 7 · 13 · 17), 2279) is a factor, namely 53, and gcd((48 · 50 · 52 · 54) + (5^2 · 7 · 13 · 17), 2279) is the other factor, namely 43.
(Row 48 alone is also dependent, since 48^2 - 2279 = 5^2 is already a square: gcd(48 - 5, 2279) = 43 and gcd(48 + 5, 2279) = 53.)
It never hurts to double check: 53 · 43 = 2279.
YAY We Factored 2279!!
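The fifteen QFS steps run end to end on n = 2279, as an added example (this is not the original authors' code). factor_base(), sieve(), dependencies(), congruence() and qfs() are this example's own names. The roots of t^2 ≡ n (mod p) are found by brute force since the base primes are tiny, Gaussian elimination over GF(2) replaces spotting the dependency by eye, and the prime bound is passed in explicitly because the slide prints P = 10 while its table uses the primes up to 17 (bound = 20 reproduces the slide's base).

```python
# Added example: the slides' QFS steps run end to end on n = 2279 (not the
# original authors' code).  factor_base(), sieve(), dependencies(),
# congruence() and qfs() are this example's own names.
from math import gcd, isqrt


def factor_base(n, bound):
    """Step 3: primes p < bound with legendre(n, p) = 1 (2 is always kept)."""
    flags = bytearray([1]) * bound                  # Sieve of Eratosthenes
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(bound) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(range(i * i, bound, i)))
    primes = [p for p in range(2, bound) if flags[p]]
    # Euler's criterion n^((p-1)/2) ≡ 1 (mod p) is the Legendre-symbol test
    return [p for p in primes if p == 2 or pow(n, (p - 1) // 2, p) == 1]


def sieve(n, base, interval):
    """Steps 4-11: exponent of each base prime in t^2 - n for every t in interval.

    For each p the roots of t^2 ≡ n (mod p) are found by brute force (p is
    small); only rows with t in those residue classes are visited and divided
    by p, p^2, ... (the slide's Θ loop, done per row instead of modulo p^Θ).
    Returns (ts, leftover, exponents, smooth_row_indices).
    """
    ts = list(interval)
    left = [t * t - n for t in ts]                  # column 2, divided down as we go
    expo = [[0] * len(base) for _ in ts]            # row t, column p_j
    for j, p in enumerate(base):
        roots = [r for r in range(p) if (r * r - n) % p == 0]   # for p = 2, odd n: [1]
        for i, t in enumerate(ts):
            if t % p in roots:
                while left[i] % p == 0:
                    left[i] //= p
                    expo[i][j] += 1
    smooth = [i for i in range(len(ts)) if left[i] == 1]      # step 11
    return ts, left, expo, smooth


def dependencies(vectors):
    """Step 12: Gaussian elimination over GF(2).  vectors are exponent parities
    packed as ints; yields lists of row indices whose vectors sum to zero."""
    pivots = {}                                     # leading bit -> (reduced vector, history)
    for i, vec in enumerate(vectors):
        hist = 1 << i
        while vec:
            top = vec.bit_length() - 1
            if top not in pivots:
                pivots[top] = (vec, hist)
                break
            pv, ph = pivots[top]
            vec, hist = vec ^ pv, hist ^ ph
        if vec == 0:
            yield [k for k in range(len(vectors)) if hist >> k & 1]


def congruence(n, base, ts, expo, subset):
    """Steps 13-15: x = prod t_i, y = prod p_j^(B_j) with B_j = (sum_i Θ_ij)/2.
    Returns (x, y, gcd(x - y, n)) after checking x^2 ≡ y^2 (mod n)."""
    x = 1
    for i in subset:
        x = x * ts[i] % n
    y = 1
    for j, p in enumerate(base):
        total = sum(expo[i][j] for i in subset)
        if total % 2:
            raise ValueError("subset is not dependent mod 2")
        y = y * pow(p, total // 2, n) % n
    if (x * x - y * y) % n:
        raise ValueError("x^2 is not congruent to y^2 (mod n): bookkeeping error")
    return x, y, gcd(x - y, n)


def qfs(n, bound, A):
    """Steps 1-15 for odd composite n.  Returns (p, q) with p * q = n, or None."""
    base = factor_base(n, bound)
    s = isqrt(n)
    ts, left, expo, smooth = sieve(n, base, range(s + 1, s + 1 + A))
    vectors = [sum((expo[i][j] & 1) << j for j in range(len(base))) for i in smooth]
    for dep in dependencies(vectors):
        x, y, d = congruence(n, base, ts, expo, [smooth[k] for k in dep])
        if 1 < d < n:                               # x ≡ ±y (mod n) gives 1 or n: next subset
            return min(d, n // d), max(d, n // d)
    return None


if __name__ == "__main__":
    print(qfs(2279, 20, 20))                        # (43, 53)
```

The first dependency the elimination finds is the single row t = 48 (its exponent vector is already zero mod 2), which yields 43; feeding the slide's subset {48, 50, 52, 54} to congruence() gives x = 197, y = 2211 and gcd(x - y, 2279) = 53, exactly the slide's numbers.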
QFS Running Time
Runs in time [formula not captured in the transcript].
Requires approximately an equivalent amount of space.
Faster than RHO: the running time is subexponential, i.e. it lies between polynomial in log(n) and polynomial in n.
MPQFS
Multiple Polynomial QFS
Allows the QFS to be processed in parallel simply.
Same algorithm, except that it sieves several polynomials of the form Q(x) := a · x^2 + b · x + c, where a is the square of an integer, b is chosen with b^2 ≡ n (mod 4a), and c := (b^2 - n)/(4a), so that b^2 - 4ac = n and 4a · Q(x) = (2a · x + b)^2 - n. Because 4a is a square, a smooth Q(x) gives a congruence of squares exactly as a smooth t^2 - n did, with t = 2a · x + b.
(b^2 ≡ n (mod 4) requires n ≡ 1 (mod 4). Otherwise either sieve k · n for a small multiplier k, or use Q(x) = a · x^2 + 2b · x + c with b^2 ≡ n (mod a) and c = (b^2 - n)/a, for which a · Q(x) = (a · x + b)^2 - n.)
Doing so reduces the size of the factor base and of the sieving interval for each Q(x), and the polynomials can be run simultaneously.
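Constructing MPQFS polynomials for n = 2279 and extracting relations from them, as an added example that is not the original authors' code. Because 2279 ≡ 3 (mod 4), it uses the Q(x) = a · x^2 + 2b · x + c variant (a = q^2, b^2 ≡ n (mod a), c = (b^2 - n)/a); mpqs_polynomial(), relation(), trial_divide() and smooth_relations() are this example's own names, and the root b is found by brute force since q is tiny.

```python
# Added example (not the original authors' code): MPQFS polynomials for
# n = 2279 in the Q(x) = a*x^2 + 2b*x + c form, with a = q^2, b^2 ≡ n (mod a)
# and c = (b^2 - n)/a, so that a*Q(x) = (a*x + b)^2 - n.  The names below are
# this example's own.


def mpqs_polynomial(n, q):
    """Return (a, b, c) with a = q^2, 0 <= b < a, b^2 ≡ n (mod a), c = (b^2 - n)/a.

    q should be an odd prime with legendre(n, q) = 1 so that a root exists.
    The root is found by brute force here; a real implementation would use
    Shanks-Tonelli mod q and lift the root to q^2.
    """
    a = q * q
    for b in range(a):
        if (b * b - n) % a == 0:
            return a, b, (b * b - n) // a
    raise ValueError(f"{n} is not a square modulo {a}")


def relation(n, poly, x):
    """Evaluate Q(x) and the matching t = a*x + b, so that t^2 - n = a * Q(x).

    Because a is a square, a smooth Q(x) plays the role of a smooth t^2 - n in
    the single-polynomial QFS; the extra factor a = q^2 vanishes mod 2.
    """
    a, b, c = poly
    qx = a * x * x + 2 * b * x + c
    t = a * x + b
    if t * t - n != a * qx:
        raise ArithmeticError("polynomial does not satisfy a*Q(x) = (a*x + b)^2 - n")
    return t, qx


def trial_divide(value, base):
    """Exponent vector of value over base (base may start with -1), or None if not smooth."""
    if value == 0:
        return None
    expo = []
    for p in base:
        e = 0
        if p == -1:
            if value < 0:
                value, e = -value, 1
        else:
            while value % p == 0:
                value //= p
                e += 1
        expo.append(e)
    return expo if value == 1 else None


def smooth_relations(n, poly, base, M):
    """Scan x in [-M, M] and keep (t, Q(x), exponents) for every smooth Q(x)."""
    rels = []
    for x in range(-M, M + 1):
        t, qx = relation(n, poly, x)
        expo = trial_divide(qx, base)
        if expo is not None:
            rels.append((t, qx, expo))
    return rels
```

With q = 5 the polynomial is Q(x) = 25x^2 + 4x - 91; x = 2 gives t = 52 and Q(2) = 17, the same relation as row 52 of the single-polynomial table (425 = 25 · 17), while x = -2 gives t = -48 and Q(-2) = 1. Negative values of Q(x) appear as soon as x is near the centre of the interval, which is why -1 belongs in the factor base.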