shubham sahai srivastava - cse factorization_diophantine.pdfshubham sahai srivastava (iitk)...

Factoring Integers via Diophantine Approximation

Shubham Sahai Srivastava

Indian Institute of Technology, Kanpur

[email protected]

January 16, 2014

Shubham Sahai Srivastava (IITK) Factoring Integers January 16, 2014 1 / 14

Introduction and Surview

The task of factoring large composite integer N has a long history andis still a challenging problem.

Here, this task is reduced to the following diophantine approximation :

Definition (Problem)

Find atleast t + 2 integer vectors (e1, e2, ...et) ∈ Zt satisfying:

1. |∑t

i=1 ei log pi − log N| ≤ N−cpo(1)t

2. |∑t

i=1 ei log pi | ≤ (2c − 1) log N + 2 log pt

where, c > 1 and p1, ...pt are first t prime numbers.

Whats next ??

1. |∑t

2. |∑t

Whats next ??

1. |∑t

2. |∑t

Whats next ??

Given these t + 2 diophantine approximations of log N, we can factorize Nas follows:

The integer u :=∏

ej>0 pejj must be close approximation to vN, where

v :=∏

ej<0 p|ej |j .

Following Theorem shows that |u − vN| ≤ p1+o(1)t

Theorem (1)

Let c > 1, β, γ ≥ 0 be fixed and let pt < N. If (e1, ..., et) ∈ Zt satisfiesthe inequalities

1. |∑t

i=1 ei log pi − log N| ≤ N−cpβ+o(1)t

2. |∑t

i=1 ei log pi | ≤ (2c − 1) log N + 2δ log pt

then we have for u :=∏

ej>0 pejj , v :=

∏ej<0 p

|ej |j that:

|u − vN| ≤ pβ+δ+o(1)t

The integer u :=∏

v :=∏

ej<0 p|ej |j .

Theorem (1)

1. |∑t

2. |∑t

ej>0 pejj , v :=

∏ej<0 p

|ej |j that:

|u − vN| ≤ pβ+δ+o(1)t

The integer u :=∏

v :=∏

ej<0 p|ej |j .

Theorem (1)

1. |∑t

2. |∑t

ej>0 pejj , v :=

∏ej<0 p

|ej |j that:

|u − vN| ≤ pβ+δ+o(1)t

So, we have |u − vN| ≤ p1+o(1)t

Hence, the residue u (mod N) factorizes completely over the primesp1, ..., pt

And we obtain a non-trivial congruence∏ej>0 p

ejj = ±

∏tj=1 p

ejj (mod N).

Given t + 2 of these congruences we compute x , y satisfying x2 = y2

(mod N)

So, we can compute a factor of N as gcd(x+y, N).

This gives us one factor and thus we can reduce N, by divinding N withthis factor and continuing till we completely factorize N.

ejj = ±

∏tj=1 p

ejj (mod N).

(mod N)

ejj = ±

∏tj=1 p

ejj (mod N).

(mod N)

ejj = ±

∏tj=1 p

ejj (mod N).

(mod N)

ejj = ±

∏tj=1 p

ejj (mod N).

(mod N)

Reduction to Lattice problem

So, we are good to go, if we are able to solve the following problem:

Definition (Diophantine Approximation Problem)

1. |∑t

2. |∑t

The above problem can be formulated as a nearly closest vectorproblem in the 1-norm.

1. |∑t

2. |∑t

1. |∑t

2. |∑t

We associate with N a point N ∈ Rt+1

and with the primes p1, ..., pt a lattice L ⊂ Rt+1 of rank t and basisB.

log p1 0 · · · 0

.... . .

0. . . 0

0 0 · · · log ptNc log p1 Nc log p2 · · · Nc log pt

00...0

Nc ln N ′

, c ≥ 1

log p1 0 · · · 0

.... . .

0. . . 0

00...0

Nc ln N ′

, c ≥ 1

log p1 0 · · · 0

.... . .

0. . . 0

00...0

Nc ln N ′

, c ≥ 1

The following theorem shows that every lattice vector that issufficiently close to N in the 1-norm yields a desired diophantineapproximation of log N.

Theorem (2)

Let α, c > 1, δ > 0 be fixed and (log N)α = pt < N. If z ∈ L satisfies theinequality :

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

then we have for (u, v) := g(z) that |u − vN| ≤ p1α+δ+o(1)

Theorem (2)

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

Theorem (2)

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

Theorem (2)

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

Notation:

We associate with a lattice vector z = (z1, ..., zt+1) =∑t

i=1 eibi ,e1, ...et ∈ Z, the pair of integers g(z) = (u, v) ∈ N2, with

u :=∏

ej>0 pejj , v :=

∏ej<0 p

|ej |j

The 1-norm of a vector z = (z1, ...zt) ∈ Rt if by definition||z||1 =

∑ti=1 |zi |

Theorem (2)

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

Notation:

We associate with a lattice vector z = (z1, ..., zt+1) =∑t

i=1 eibi ,e1, ...et ∈ Z, the pair of integers g(z) = (u, v) ∈ N2, with

u :=∏

ej>0 pejj , v :=

∏ej<0 p

|ej |j

The 1-norm of a vector z = (z1, ...zt) ∈ Rt if by definition||z||1 =

∑ti=1 |zi |

Hypothesis : Near Independence

Lattice vectors sufficiently close to N exists if the following two propertiesare nearly independent for random integers u,v with0 < u < Nc ,Nc−1/2 < v < Nc−1:

u and v are free of prime factors larger that pt

|u − vN| = 1

Hypothesis : Near Independence

Lattice vectors sufficiently close to N exists if the following two propertiesare nearly independent for random integers u,v with0 < u < Nc ,Nc−1/2 < v < Nc−1:

u and v are free of prime factors larger that pt

|u − vN| = 1

Sufficiently many lattice vectors close to N

Assuming near independence we show in the following theorem that thereare atleast Nε+o(1) sufficiently close lattice vectors where ε > 0 ifα > (2c − 1)/(c − 1) holds with pt = (logN)α.

Theorem

For fixed α, c > 1 and for N →∞ there are atleast Nε+o(1) many vectorsz ∈ L that satisfy the inequality

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

where ε = (c − 1)− (2c − 1)/α

i.e. if α > (2c − 1)/(c − 1) then there are exponentially manny latticevectors that satisfy the above inequality.

Theorem

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

where ε = (c − 1)− (2c − 1)/α

Theorem

||z−N||1 ≤ (2c − 1) log N + 2δ log pt

where ε = (c − 1)− (2c − 1)/α

Summary

Hence, the results seen so far reduce the problem of factoring a largeinteger N to the task of finding lattice vectors in L that are close to Nin the 1-norm.

The Factoring Method: At a glance

Input : N (integer), α, c ∈ Q with α, c > 1

1 Form the list p1, ..., pt of the first t primes, pt = (log N)α

2 Generate from vectors in the lattice a list of m ≥ t + 2 pairs(ui , vi ) ∈ N2 with the property that:

ui =∏t

j=1 pai,jj with ai ,j ∈ N, |ui − viN| ≤ pt

3 Factorize ui − viN for i = 1, ...,m over the primes p1, ..., pt andp0 = −1.

Let ui − viN =∏t

j=0 pbi,jj , bi = (bi ,0, ..., bi ,t) and ai = (a1,0, ..., ai ,t)

with ai ,0 = 04 Find a nonzero 0,1-solution (c1, ...cm) of the equation∑m

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

i=1 ci (ai,j+bi,j )/2j (mod N),

y :=∏t

j=0 p∑m

i=1 cibi,jj (mod N) =

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

The construction implies x2 = y2 (mod N)6 If x 6= ±y (mod N) then output gcd(x+y, N) and stop. Otherwise go

to 4 and generate a diffierent solution (c1, ...cm)

Input : N (integer), α, c ∈ Q with α, c > 11 Form the list p1, ..., pt of the first t primes, pt = (log N)α

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

j=1 pai,jj with ai ,j ∈ N,

|ui − viN| ≤ pt

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

with ai ,0 = 0

4 Find a nonzero 0,1-solution (c1, ...cm) of the equation∑mi=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

The construction implies x2 = y2 (mod N)

6 If x 6= ±y (mod N) then output gcd(x+y, N) and stop. Otherwise goto 4 and generate a diffierent solution (c1, ...cm)

ui =∏t

i=1 ci (ai + b1) = 0 (mod 2)

5 x :=∏t

j=0 p∑m

y :=∏t

j=0 p∑m

∏tj=0 p

∑mi=1 ciai,j

j (mod N)

to 4 and generate a diffierent solution (c1, ...cm)Shubham Sahai Srivastava (IITK) Factoring Integers January 16, 2014 12 / 14

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).

For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.

In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.

To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.

It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].

The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.

The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

Present Bottlenecks

They have reduced lattice basis by block Korkin-Zolotarev reduction,a concept introduced by Scnorr(1987).For lattices of very large rank it may be hard to find lattice vectorsthat are, in the 1-norm, sufficiently close to a given vector.In order to factor integer N, that is 500 bits long the basis shouldhave about 6300 primes.The input lattice would contain integers that are 1500 bits long.To make the method work for large N, we need to improve the latticeL and the present reduction algorithms.It has been suggested to use algorithms that directly perform thereduction in the 1-norm.Such algorithms have been proposed by Kaib[91] and Lovasz, Scarf[90].The Lovaz, Scarf algorithm works in arbitrary dimensions but seemsto be inefficient for our problem.The Kaib algorithm is quite efficient but it is restricted to lattices ofdimension 2

The End

shubham sahai srivastava - cse factorization_diophantine.pdfshubham sahai srivastava (iitk)...

Documents