Title: A Survey on Factoring Large Numbers
1A Survey on Factoring Large Numbers
??????????????
- Kanada Lab. M1
- 47-56338 Yoshida Hitoshi
2Introduction
- Factoring a number means representing it as the
product of smaller numbers. - It is difficult to factor a large number.
- Some cryptosystems are based on the difficulty of
the factoring integer problem. - It measures the security of the cryptosystems to
factor large numbers in short time.
3Contents
- Introduction
- Factoring Methods
- Calculation Records
- Cryptosystem Security
4Contents
- Introduction
- Factoring Methods
- Calculation Records
- Cryptosystem Security
5Factoring Methods
Trial Division
Trial Division
Eulers Method
Eulers Method
Pollards (p-1)-Method
Pollards (p-1)-Method
Pollards ? Method
Pollards ? Method
Square Forms Factorization
Square Forms Factorization
Pollards (p1)-Method
Pollards (p1)-Method
Elliptic Curve Method
Elliptic Curve Method
Difference of Squares
Difference of Squares
Continued Fraction Method
Continued Fraction Method
Quadratic Sieve
Quadratic Sieve
General Number Field Sieve
General Number Field Sieve
Multiple Polynomial Quadratic Sieve
Multiple Polynomial Quadratic Sieve
6Trial Division
- Algorithm
- Check if n mod i 0 for i 2,3,4,
- Merit
- It can factor a number into prime numbers.
- Demerit
- i may be nearly when n is the product of
2 primes of same size.
7Trial Division
- Improvement
- Dont use multiples of 2,3,5 for i.
- Use only prime numbers for i.
- Cannot reduce operational costs.
- This method can use at most 1030.
- p(1015)29,844,570,422,669 ? 30T
- If one trial division can do in 50 clock
- p(1015)50clock3GHz 500K sec 5.8day
8Difference of Squares
- Algorithm
- Find x and y which implement x2-y2n
- Factor n with x2-y2(xy)(x-y)
- Demerit
- May not factor a number into prime numbers.
- Merit
- Factor a large composite number into small
numbers - Operational cost
- O(y)
9Difference of Squares
- Improvement
- How about using x2-y20 (mod n) ?
- 602-520 (mod 143) ? 65550
- 65 or 55 must have prime factor(s) of 143.
- GCD(65,143)13, GCD(55,143)11
- How to find such x, y that implement x2y20
(mod n)? - Find many (ai, bi) pairs that implement aibi
(mod n) - Make a combination that implements ?aix2, ?biy2
14?67 3 mod 187 31?6720
mod 187 14?3160 mod
187 (14?31?67)2602 mod 187
10Difference of Squares
- How can we find those numbers efficiently?
- Quadratic Sieve (QS)
- Cf. Multiple Polynomial Quadratic Sieve (MPQS)
- General Number Field Sieve (GNFS)
11Quadratic Sieve
- Algorithm
- for i vn1,2, , factor i2-n into prime
numbers - (i2i2-np1p2p3)
- search a combination that make every exponent
number even - x?i and yv(?primes) implements x2-y20
12Quadratic Sieve
- n3937, vn62.7
- i63 632632-n 3225
- i64 642642-n1593?53
- i65 652652-n28825?32
- i66 662662-n419419
- i67 672672-n55223?3?23
13Quadratic Sieve
n3937, vn62.7 i63 632632-n 3225 i64
642642-n1593?53 i65 652652-n28825?32 i66
662662-n419419 i67 672672-n55223?3?23 (63
?65)2210?32(25?3)2 ?GCD(63?65-25?3, n)31
14Quadratic Sieve
- Operational cost
- O(exp((9/8)(logn)1/2(loglogn)1/2))
- Now, QS is one of the fastest method to factor
3060 decimal digit numbers. - Make faster
- Large prime factors appear rarely
- Smaller number has smaller primes.
- How can we get small numbers efficiently?
15Quadratic Sieve
n3937, vn62.7 i63 632632-n 3225 i64
642642-n1593?53 i65 652652-n28825?32 i66
662662-n419419 i67 672672-n55223?3?23 (63
?65)2210?32(25?3)2 ?GCD(63?65-25?3, n)31
16Quadratic Sieve
- Operational cost
- O(exp((9/8)(logn)1/2(loglogn)1/2))
- Now, QS is one of the fastest method to factor
3060 decimal digit numbers. - Make faster
- Large prime factors appear rarely
- Smaller number has smaller primes.
- How can we get small numbers efficiently?
17Quadratic Sieve
- Make faster
- MPQS (Multiple Polynomial QS) i2-n ? (aib)2-n
- MPQS is the fastest to factor 60120 digit
numbers
QS
MPQS
18General Number Field Sieve (GNFS)
- Original Number Field Sieve was for special
numbers ? Special Number Field Sieve (SNFS) - Algorithm
- Polynomial definition step
- Sieving step
- Matrix solving step
- Making square root step
- Operational cost
- O(exp((64/9)1/3(logn)1/3(loglogn)2/3))
- Cf. QS?O(exp((9/8)(logn)1/2(loglogn)1/2))
19Contents
- Introduction
- Factoring Methods
- Calculation Records
- Cryptosystem Security
20Calculation Records
21Calculation Records
- Factoring records
- 200 decimal digits number (RSA200)
- Bonn university
- Algorithm GNFS
- Sieving step
- Various machines and time
- Dec 2003 Oct 2004 (? 2.2GHz Opteron 55 years)
- Matrix step
- 80 2.2GHz Opteron (Cluster) 3 months (Dec
2004 ) - May 2005 factoring completed
22Calculation Records
- Factoring records
- 176 decimal digits number (A factor of 112811)
- Yuji Kida (Rikkyo university) and NTT laboratory
- Algorithm GNFS
- Sieving step
- Various machines (? 3.2GHz Pentium4 9.7 years)
- 16 Mar 2005 12 Apr 2005 (27days)
- Matrix step
- 32 3.2GHz Pentium4 (Cluster) 2.5 days
- Apr 2005 factoring completed
23Contents
- Introduction
- Factoring Methods
- Calculation Records
- Cryptosystem Security
24Cryptosystem Security
- RSA use 1024 bit length key
- How long does it take to factor 1024bit number?
- 5.81051.4106 years(?) Kida, 2003
- RSA Factoring Challenge
- 8 composite numbers (5762048bit) to factor
- 576 bit number was factored (Dec 3, 2003)
- 200 decimal digit number (old problem) was
factored - 640 bit number is 193 decimal digit
25Cryptosystem Security
- TWIRL
- Make sieving step of GNFS in device
- It will take 1 year to sieve 1024bit length
number - Not in practice yet
- Quantum Computing
- Shors algorithm may run very fast
- Quantum computer is not in practice
26Thats All