Quadratic Field Sieve - PowerPoint PPT Presentation

Slides: 35
Provided by: ITCLabsand2
1
Quadratic Field Sieve
  • QFS
  • Matt Spear
  • Steven Guy

For scale, the 617-digit RSA-2048 challenge number:
25195908475657893494027183240048398571429282126204
03202777713783604366202070759555626401852588078440
69182906412495150821892985591491761845028084891200
72844992687392807287776735971418347270261896375014
97182469116507761337985909570009733045974880842840
17974291006424586918171951187461215151726546322822
16869987549182422433637259085141865462043576798423
38718477444792073993423658482382428119816381501067
48104516603773060562016196762561338441436038339044
14952634432190114657544454178424020924616515723350
77870774981712577246796292638635637328991215483143
81678998850404453640235273819513786365643912120103
97122822120720357
2
Agenda
  1. Introduction to sieves
  2. Euclid's GCD in base 2
  3. Definitions
  4. Algorithms
  5. RHO example
  6. Factor Bases
  7. QFS example
  8. Introduction to MPQFS

3
Prime Number Sieve
Sieve of Eratosthenes
  1. Start with all numbers greater than 1, up to some bound.
  2. Take the first number not yet crossed out and cross out all of its
    multiples (the number itself stays).
  3. Repeat with the next surviving number until the next candidate exceeds
    the square root of the bound; nothing left can be crossed out.
  4. What remains are the prime numbers.

4
Prime Number Sieve
Initial Sieve Space
  • 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
    21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
    37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
    53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
    69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
    85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100
    101

5
Prime Number Sieve
After removing the multiples of two (2 itself stays)
  • 2 3 5 7 9 11 13 15 17 19 21
    23 25 27 29 31 33 35 37 39 41
    43 45 47 49 51 53 55 57 59 61
    63 65 67 69 71 73 75 77 79
    81 83 85 87 89 91 93 95 97 99
    101

6
Prime Number Sieve
After removing the multiples of three
  • 2 3 5 7 11 13 17 19 23
    25 29 31 35 37 41 43
    47 49 53 55 59 61 65
    67 71 73 77 79 83 85
    89 91 95 97 101

7
Prime Number Sieve
After removing the multiples of five
  • 2 3 5 7 11 13 17 19 23
    29 31 37 41 43
    47 49 53 59 61 67
    71 73 77 79 83 89
    91 97 101

8
Prime Number Sieve
After all multiples have been removed (7 is the last prime below √101)
  • 2 3 5 7 11 13 17 19 23
    29 31 37 41 43
    47 53 59 61 67
    71 73 79 83 89
    97 101

9
Prime Numbers Less Than 1602
  • 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61
    67 71 73 79 83 89 97 101 103 107 109 113 127 131
    137 139 149 151 157 163 167 173 179 181 191 193
    197 199 211 223 227 229 233 239 241 251 257 263
    269 271 277 281 283 293 307 311 313 317 331 337
    347 349 353 359 367 373 379 383 389 397 401 409
    419 421 431 433 439 443 449 457 461 463 467 479
    487 491 499 503 509 521 523 541 547 557 563 569
    571 577 587 593 599 601 607 613 617 619 631 641
    643 647 653 659 661 673 677 683 691 701 709 719
    727 733 739 743 751 757 761 769 773 787 797 809
    811 821 823 827 829 839 853 857 859 863 877 881
    883 887 907 911 919 929 937 941 947 953 967 971
    977 983 991 997 1009 1013 1019 1021 1031 1033
    1039 1049 1051 1061 1063 1069 1087 1091 1093 1097
    1103 1109 1117 1123 1129 1151 1153 1163 1171 1181
    1187 1193 1201 1213 1217 1223 1229 1231 1237 1249
    1259 1277 1279 1283 1289 1291 1297 1301 1303 1307
    1319 1321 1327 1361 1367 1373 1381 1399 1409 1423
    1427 1429 1433 1439 1447 1451 1453 1459 1471 1481
    1483 1487 1489 1493 1499 1511 1523 1531 1543 1549
    1553 1559 1567 1571 1579 1583 1597 1601

10
Euclid's GCD Algorithm (Binary)
```python
def binary_gcd(u, v):
    """Euclid's GCD computed by halving (Stein's algorithm), as on the slide.
    u and v are non-negative and not both zero."""
    g = 1
    while u % 2 == 0 and v % 2 == 0:   # pull out the common power of two
        u //= 2
        v //= 2
        g *= 2
    # now u or v (or both) are odd
    while u > 0:
        if u % 2 == 0:
            u //= 2
        elif v % 2 == 0:
            v //= 2
        else:
            t = abs(u - v) // 2         # both odd, so u - v is even
            if u < v:
                v = t
            else:
                u = t
    return g * v
```

11
Groups
  • An algebraic structure (G, ∘) with one associative composition
    (operation) ∘
  • Contains a neutral element e for ∘, and every element is invertible
    under ∘
  • Is abelian if ∘ is also commutative
  • For example
  • (N_n, +_n), the integers 0, …, n − 1 under addition modulo n, is an
    abelian group with neutral element e = 0 and inverse of x equal to
    n − x (and 0 for x = 0)

12
Rings
  • An algebraic structure (A, +, ·) with (A, +) an abelian group and ·
    an associative composition that distributes over +
  • Is a commutative ring if · is commutative
  • For example
  • (N_n, +_n, ·_n) is a commutative ring, called the ring of integers
    mod n.

13
Fields
  • A commutative ring in which every nonzero element x has a
    multiplicative inverse (x · x⁻¹ = 1)
  • Is finite if the field has finitely many elements
  • For example
  • Z/pZ is a finite field when p is a prime integer, the field of
    integers modulo p (F_p). (If p is not prime, not every nonzero
    element has an inverse: for p = 10, 2 has no inverse modulo 10,
    since 2 · x is always even.)

14
Quadratic Residues
  • n is a quadratic residue modulo p if the equation x² ≡ n (mod p)
    has a solution x
  • If a nonzero element is not the square of any number it is a
    nonresidue.
  • For example
  • In F_11
  • the residues are 1, 4, 9, 5, 3, as 1² = 1, 2² = 4, 3² = 9,
    4² = 16 ≡ 5, 5² = 25 ≡ 3 (6², …, 10² repeat these, since
    (−x)² = x²).
  • The nonresidues are 2, 6, 7, 8, 10.

15
Legendre Symbol
  • Used to determine whether a number is a quadratic residue modulo an
    odd prime p.
  • Defined as (a/p) = 1 if a is a nonzero quadratic residue mod p,
    −1 if a is a nonresidue, and 0 if p divides a.

16
```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by the binary method on
    the slide (the Jacobi-symbol rules: sign flip for x -> y - x when
    y = 3 mod 4, (2/y) = -1 when y = 3, 5 mod 8, reciprocity on swap)."""
    if a % p == 0:
        return 0
    x, y, L = a % p, p, 1
    while True:
        x %= y
        if x > y // 2:                 # (x/y) = (-1)^((y-1)/2) * ((y-x)/y)
            x = y - x
            if y % 4 == 3:
                L = -L
        if x == 0:                     # gcd(a, p) > 1; unreachable for prime p
            return 0
        while x % 4 == 0:              # (4/y) = 1
            x //= 4
        if x % 2 == 0:                 # (2/y) = -1 iff y = 3 or 5 (mod 8)
            x //= 2
            if y % 8 in (3, 5):
                L = -L
        if x == 1:
            return L
        if x % 4 == 3 and y % 4 == 3:  # quadratic reciprocity sign
            L = -L
        x, y = y, x
```
17
Square Root Modulo p
  • Sometimes it is useful to find an x such that x² ≡ n (mod p); there
    are two methods for finding such an x
  • Iterate over the candidates 0 < x ≤ (p − 1)/2 (brute force; the
    other root is p − x)
  • Use the Shanks-Tonelli algorithm

```python
import random

def tonelli_shanks(a, p):
    """Square root of a modulo an odd prime p; a must be a quadratic residue."""
    a %= p
    if a == 0:
        return 0
    n = 2
    # the slide tests legendre(n, p) == -1; Euler's criterion is used here so
    # that the function stands alone
    while pow(n, (p - 1) // 2, p) != p - 1:
        n = random.randrange(2, p)             # any quadratic nonresidue will do
    e, q = 0, p - 1
    while q % 2 == 0:                          # p - 1 = 2^e * q with q odd
        e, q = e + 1, q // 2
    y, r = pow(n, q, p), e
    x = pow(a, (q - 1) // 2, p)
    b, x = a * x * x % p, a * x % p            # b = a^q, x = a^((q+1)/2)
    while b % p != 1:
        m = 0                                  # smallest m with b^(2^m) = 1 (mod p)
        while pow(b, 1 << m, p) != 1:
            m += 1
        t = pow(y, 1 << (r - m - 1), p)
        y, r, x, b = t * t % p, m, x * t % p, b * t * t % p
    return x
```
18
RHO Derivation
  • Any odd n > 2 can be written as a difference of squares x² − y²
    (for instance x = (n + 1)/2, y = (n − 1)/2), so in particular an odd
    composite n = p · q = x² − y² = (x − y)(x + y); a non-trivial
    representation has x − y = p, x + y = q. So try to find x, y with
    x² ≡ y² (mod n) but x ≢ ±y (mod n); then gcd(x − y, n) is a proper
    factor.
  • The congruence follows simply from the definition of mod
  • n = x² − y² ⇔ x² = n + y², and reducing mod n returns the remainder r
    such that x² = r + a · n (here a = 1), i.e. x² ≡ y² (mod n).

19
RHO Algorithm
  • The congruent-squares idea above is the basis for most factoring
    algorithms (including both QFS and NFS).
  • Set f_{i+1}(x) = a · x² + b · x + c with a, b, c ∈ N (in practice
    f(x) = x² + c)
  • Set f_0(x) = 1, 2 or some small integer
  • Compute the iterates f_i until gcd(f_j − f_i, n) ≠ 1 for some pair
    i < j (in practice f_i is compared with f_{2i}, Floyd's cycle
    detection, rather than with the next iterate)
  • This gcd is a factor of n, unless it equals n itself, in which case
    the constant c is changed and the iteration restarted.
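Pollard's rho as a practitioner runs it, added here as a worked example (the slides contain no code of their own): the iterates of f(x) = x² + c mod n are compared at indices i and 2i (Floyd's cycle finding) instead of consecutively, and when gcd(x_i − x_{2i}, n) comes out as n the constant c is replaced. The function names, the default x_0 = 2, c = 1 and the test inputs 2279, 8051 and 10403 are choices made for this example.

```python
from math import gcd

def pollard_rho(n, x0=2, c=1, max_tries=20):
    """Pollard's rho with Floyd's cycle detection.

    x (the tortoise) advances one step of f(x) = x^2 + c mod n per round and
    y (the hare) two steps.  Once x = y (mod p) for some prime p | n, the gcd
    of x - y with n exposes p.  If the walk collapses modulo n itself
    (gcd = n) the polynomial is changed by moving to the next c.  Returns
    None when every polynomial tried collapsed, which is what happens for a
    prime n.
    """
    if n % 2 == 0:
        return 2
    for c in range(c, c + max_tries):
        x = y = x0
        d = 1
        while d == 1:                  # Floyd guarantees x = y (mod n) eventually
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    return None

def factor_pair(n):
    """Split n into two factors with pollard_rho, smallest first; None if it fails."""
    d = pollard_rho(n)
    return None if d is None else tuple(sorted((d, n // d)))

if __name__ == "__main__":
    print(factor_pair(2279))           # the n used in the QFS example later
```

Comparing consecutive iterates, as the slide's wording suggests, only detects a fixed point of f modulo p; Floyd's comparison of x_i with x_{2i} detects any cycle modulo p, which is what makes the expected running time about √p steps.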

20
RHO Running Time
  • With a high probability RHO will find a factor
    in bit operations
  • Much faster than trial division

21
Factor Bases
  • A set of primes, to which −1 may be added: B = {p1, p2, …, pk}.
  • An integer is smooth over B iff all of its prime factors lie in B
  • The least absolute residue of x is x² mod n taken in the interval
    (−n/2, n/2)
  • An integer is a B-number iff its least absolute residue (LAR) is
    smooth over B
  • For example
  • B = {−1, 2, 3, 5}, n = 336, a = 8, b = 5, c = 9
  • LAR(a) = 64 = 2⁶, LAR(b) = 25 = 5², LAR(c) = 81 = 3⁴; these are
    B-numbers
  • Exponent vectors over (−1, 2, 3, 5): a = (0, 6, 0, 0),
    b = (0, 0, 0, 2), c = (0, 0, 4, 0); therefore {b, c} is linearly
    dependent over B mod 2 (in fact each vector on its own is already
    zero mod 2), and gcd(b + c, n) = gcd(14, 336) = 14 is a factor of n.
  • Caveat: in this toy example 8², 5² and 9² are all smaller than n,
    so each congruence x² ≡ y² (mod n) is an equality with x = y and
    yields only the trivial gcd; that 14 divides 336 is luck. In general
    the factor comes from gcd(x − y, n) with x = ∏ tᵢ and
    y = √∏ LAR(tᵢ), as in the QFS example later.

22
QFS
  • Quadratic Field Sieve (usually called simply the Quadratic Sieve, QS)
  • A fast method for factoring large numbers up to roughly 110 digits
    long.
  • Relies on elementary number theory: congruences, quadratic residues
    and factor bases (algebraic number theory enters with the Number
    Field Sieve, not here)
  • Discovered by Pomerance in the early 1980s.
  • Uses the ideas of RHO (congruent squares) and factor bases
  • Uses a sieve similar to the prime number sieve shown earlier.
  • We shall denote floor(x) as ⌊x⌋ in the following

23
QFS
  1. Choose a bound P for the factor base.
  2. Set A = P³ (the length of the sieving interval).
  3. Make a matrix whose header row holds all primes pᵢ < P such that
    legendre(n, pᵢ) = 1 (discard the other pᵢ: they can never divide
    t² − n).
  4. Make column 1 all t in the range ⌊√n⌋ + 1, …, ⌊√n⌋ + A
  5. Make column 2 t² − n for all t.
  6. For each odd p (2 gets handled specially) solve the equation
    t² ≡ n (mod p^T) for T = 1, 2, … until there is no solution in the
    range of column 1.
  7. Let t1, t2 be the last pair of integers that satisfied the
    equation.

24
QFS
  1. For each element of column 2: if t differs from t1 or t2 by a
    multiple of p, place a 1 in (row t, column p); repeat for p², p³,
    …, p^T, changing the 1 to 2, 3, …, T.
  2. Each time a 1 is placed or incremented, replace t² − n by
    (t² − n)/p.
  3. For p = 2: if n ≡ 1 (mod 8) treat 2 as above (t² − n is then
    divisible by 8 for every odd t, and higher powers of 2 occur);
    otherwise simply place a 1 next to all odd t and replace t² − n by
    (t² − n)/2. (Caveat: if n ≡ 5 (mod 8), t² − n for odd t is divisible
    by exactly 4, so place a 2 and divide by 4, or the row never reaches
    1.)
  4. Remove all rows where t² − n has not been reduced to 1; the
    survivors are the B-numbers.
  5. As with factor bases, find a linearly dependent subset of the rows
    (mod 2); denote it t1, t2, …, tk, and the corresponding prime
    factorisation of each tᵢ² − n as p1^T1 · p2^T2 ⋯ ph^Th, where Tj is
    the number in (row tᵢ, column pj).

25
QFS
  • For this subset check that the product of the tᵢ² − n is a perfect
    square, i.e. that every column sum of the Tj is even
  • Where Bj is the sum of the Tj in the base vectors divided by 2.
  • Once a set has been found, let x = ∏ tᵢ (mod n) and
    y = ∏ pj^Bj (mod n), and verify that x ≢ ±y (mod n)
  • If so then gcd(x − y, n)
  • will be a non-trivial factor of n

26
QFS Example (n = 2279)
  • [Slides 26 to 30 carried the sieve table: column t = 48, 49, …,
    column t² − n, and one column per factor-base prime, filled in as on
    slides 23 and 24. The table is not reproduced in the transcript.]
  • For p = 2: 2279 ≡ 7 (mod 8), so the easy case applies: a 1 next to
    every odd t and t² − n halved once.

32
QFS Example (n = 2279)
  • Looking at the table it is obvious that rows 48, 50, 52, 54 are
    linearly dependent mod 2: 48² − n = 5², 50² − n = 13 · 17,
    52² − n = 5² · 17, 54² − n = 7² · 13, and every exponent in the
    product is even.
  • (48 · 50 · 52 · 54)² ≡ (5² · 7 · 13 · 17)² (mod 2279)
  • Therefore gcd((48 · 50 · 52 · 54) − (5² · 7 · 13 · 17), 2279) is a
    factor, namely 53
  • gcd((48 · 50 · 52 · 54) + (5² · 7 · 13 · 17), 2279) is the other
    factor, namely 43.
  • It never hurts to double check: 53 · 43 = 2279.
    YAY, we factored 2279!
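The whole procedure of slides 23 to 25 carried through in code, with the Sieve of Eratosthenes of slides 3 to 8 as its prime generator, added here as a worked example (the slides contain no code of their own). Two simplifications relative to the slides are marked in comments: the roots of t² ≡ n (mod p) are found by brute force rather than with Tonelli-Shanks, and every power of p is divided out in one pass instead of solving t² ≡ n (mod p^T) separately for each T. The function names and the default bound P = 20 and interval length 30 are choices made for this example; they reproduce the factor base {2, 5, 7, 13, 17} and the relations 48, 50, 52, 54 of the slides.

```python
from math import gcd, isqrt

def small_primes(bound):
    """Sieve of Eratosthenes (slides 3-8): cross out multiples, survivors are prime."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for p in range(2, isqrt(bound) + 1):
        if flags[p]:
            flags[p * p::p] = b"\x00" * len(range(p * p, bound + 1, p))
    return [p for p in range(bound + 1) if flags[p]]

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def factor_base(n, bound):
    """Slide 23 step 3: 2 plus the odd primes p < bound with legendre(n, p) = 1."""
    return [2] + [p for p in small_primes(bound - 1)[1:] if legendre(n, p) == 1]

def sieve_relations(n, base, interval):
    """Slides 23-24: column 1 is t = isqrt(n)+1, ..., column 2 starts as t^2 - n.
    p | t^2 - n exactly when t = r (mod p) for a root r of r^2 = n (mod p), so only
    those arithmetic progressions are visited.  Rows divided down to 1 are B-numbers."""
    start = isqrt(n) + 1
    ts = list(range(start, start + interval))
    remaining = [t * t - n for t in ts]
    exps = [[0] * len(base) for _ in ts]
    for i, p in enumerate(base):
        # roots by brute force; for a large p one would use Tonelli-Shanks (slide 17)
        for r in [r for r in range(p) if (r * r - n) % p == 0]:
            for j in range((r - start) % p, len(ts), p):
                while remaining[j] % p == 0:   # dividing out all of p covers the p^T columns
                    remaining[j] //= p
                    exps[j][i] += 1
    return [(t, e) for t, rem, e in zip(ts, remaining, exps) if rem == 1]

def dependencies(rels):
    """Slide 24 step 5: subsets of rows whose exponent vectors sum to 0 mod 2,
    by Gaussian elimination over GF(2); a bitmask tracks which rows were combined."""
    pivots = {}                      # lowest set bit -> (reduced vector, row mask)
    found = []
    for k, (_, exps) in enumerate(rels):
        vec = sum((e & 1) << i for i, e in enumerate(exps))
        mask = 1 << k
        while vec:
            low = vec & -vec
            if low not in pivots:
                pivots[low] = (vec, mask)
                break
            pvec, pmask = pivots[low]
            vec ^= pvec
            mask ^= pmask
        if not vec:                  # reduced to zero: the masked rows are a dependency
            found.append([j for j in range(len(rels)) if mask >> j & 1])
    return found

def factor_from_dependency(n, base, rels, subset):
    """Slide 25: x = prod t_i, y = prod p_j^(T_j/2) with T_j the summed exponents,
    so x^2 = y^2 (mod n); gcd(x - y, n) is a proper factor unless x = +-y (mod n)."""
    x, total = 1, [0] * len(base)
    for k in subset:
        t, exps = rels[k]
        x = x * t % n
        total = [a + b for a, b in zip(total, exps)]
    y = 1
    for p, e in zip(base, total):
        y = y * pow(p, e // 2, n) % n
    return gcd(x - y, n)

def quadratic_sieve(n, bound=20, interval=30):
    """Return ([p, q], t-values used) or (None, []) if these parameters fail."""
    base = factor_base(n, bound)
    rels = sieve_relations(n, base, interval)
    for subset in dependencies(rels):
        d = factor_from_dependency(n, base, rels, subset)
        if 1 < d < n:
            return sorted([d, n // d]), [rels[k][0] for k in subset]
    return None, []

if __name__ == "__main__":
    print(quadratic_sieve(2279))     # the slides' n
```

With these parameters the sieve finds six relations (t = 48, 50, 52, 54, 63, 67) over five primes, hence three independent dependencies. The first one is the single row t = 48, whose exponent vector (0, 2, 0, 0, 0) is already zero mod 2: 48² − 2279 = 5² gives x = 48, y = 5 and gcd(43, 2279) = 43 at once. The slide's set {48, 50, 52, 54} is an equally valid dependency; passing it to factor_from_dependency returns 53, the other factor, exactly as on slide 32.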

33
QFS Running Time
  • Runs in time
  • Requires approximately an equivalent amount of space
  • Faster than RHO: the running time is between polynomial in log(n)
    and polynomial in n, i.e. subexponential.

34
MPQFS
  • Multiple Polynomial QFS
  • Allows the QFS to be parallelised simply
  • Same algorithm except it uses multiple polynomials of the form
  • Q(x) = a · x² + b · x + c
  • where a is the square of an integer, b is chosen with
    b² ≡ n (mod 4a) (taken in the interval [0, a) up to sign), and
    c = (b² − n)/(4a), so that 4a · Q(x) = (2ax + b)² − n and each smooth
    Q(x) yields a relation just as t² − n did.
  • Doing so reduces the size of the factor base and of the sieving
    interval for each Q(x), and the polynomials can be sieved
    simultaneously