A Survey on Factoring Large Numbers ~ ?????????????? ~

1
A Survey on Factoring Large Numbers
??????????????

• Kanada Lab. M1
• 47-56338 Yoshida Hitoshi

2
Introduction

• Factoring a number means representing it as the
  product of smaller numbers.
• It is difficult to factor a large number.
• Some cryptosystems are based on the difficulty of
  the factoring integer problem.
• It measures the security of the cryptosystems to
  factor large numbers in short time.

3
Contents

• Introduction
• Factoring Methods
• Calculation Records
• Cryptosystem Security

4
Contents

• Introduction
• Factoring Methods
• Calculation Records
• Cryptosystem Security

5
Factoring Methods
Trial Division
Trial Division
Eulers Method
Eulers Method
Pollards (p-1)-Method
Pollards (p-1)-Method
Pollards ? Method
Pollards ? Method
Square Forms Factorization
Square Forms Factorization
Pollards (p1)-Method
Pollards (p1)-Method
Elliptic Curve Method
Elliptic Curve Method
Difference of Squares
Difference of Squares
Continued Fraction Method
Continued Fraction Method
Quadratic Sieve
Quadratic Sieve
General Number Field Sieve
General Number Field Sieve
Multiple Polynomial Quadratic Sieve
Multiple Polynomial Quadratic Sieve
6
Trial Division

• Algorithm
• Check if n mod i 0 for i 2,3,4,
• Merit
• It can factor a number into prime numbers.
• Demerit
• i may be nearly when n is the product of
  2 primes of same size.

7
Trial Division

• Improvement
• Dont use multiples of 2,3,5 for i.
• Use only prime numbers for i.
• Cannot reduce operational costs.
• This method can use at most 1030.
• p(1015)29,844,570,422,669 ? 30T
• If one trial division can do in 50 clock
• p(1015)50clock3GHz 500K sec 5.8day

8
Difference of Squares

• Algorithm
• Find x and y which implement x2-y2n
• Factor n with x2-y2(xy)(x-y)
• Demerit
• May not factor a number into prime numbers.
• Merit
• Factor a large composite number into small
  numbers
• Operational cost
• O(y)

9
Difference of Squares

• Improvement
• How about using x2-y20 (mod n) ?
• 602-520 (mod 143) ? 65550
• 65 or 55 must have prime factor(s) of 143.
• GCD(65,143)13, GCD(55,143)11
• How to find such x, y that implement x2y20
  (mod n)?
• Find many (ai, bi) pairs that implement aibi
  (mod n)
• Make a combination that implements ?aix2, ?biy2

14?67 3 mod 187 31?6720
mod 187 14?3160 mod
187 (14?31?67)2602 mod 187
10
Difference of Squares

• How can we find those numbers efficiently?
• Quadratic Sieve (QS)
• Cf. Multiple Polynomial Quadratic Sieve (MPQS)
• General Number Field Sieve (GNFS)

11
Quadratic Sieve

• Algorithm
• for i vn1,2, , factor i2-n into prime
  numbers
• (i2i2-np1p2p3)
• search a combination that make every exponent
  number even
• x?i and yv(?primes) implements x2-y20

12
Quadratic Sieve

• Example

• n3937, vn62.7
• i63 632632-n 3225
• i64 642642-n1593?53
• i65 652652-n28825?32
• i66 662662-n419419
• i67 672672-n55223?3?23

13
Quadratic Sieve

• Example

n3937, vn62.7 i63 632632-n 3225 i64
642642-n1593?53 i65 652652-n28825?32 i66
662662-n419419 i67 672672-n55223?3?23 (63
?65)2210?32(25?3)2 ?GCD(63?65-25?3, n)31
14
Quadratic Sieve

• Operational cost
• O(exp((9/8)(logn)1/2(loglogn)1/2))
• Now, QS is one of the fastest method to factor
  3060 decimal digit numbers.
• Make faster
• Large prime factors appear rarely
• Smaller number has smaller primes.
• How can we get small numbers efficiently?

15
Quadratic Sieve

• Example

n3937, vn62.7 i63 632632-n 3225 i64
642642-n1593?53 i65 652652-n28825?32 i66
662662-n419419 i67 672672-n55223?3?23 (63
?65)2210?32(25?3)2 ?GCD(63?65-25?3, n)31
16
Quadratic Sieve

• Operational cost
• O(exp((9/8)(logn)1/2(loglogn)1/2))
• Now, QS is one of the fastest method to factor
  3060 decimal digit numbers.
• Make faster
• Large prime factors appear rarely
• Smaller number has smaller primes.
• How can we get small numbers efficiently?

17
Quadratic Sieve

• Make faster
• MPQS (Multiple Polynomial QS) i2-n ? (aib)2-n
• MPQS is the fastest to factor 60120 digit
  numbers

QS
MPQS
18
General Number Field Sieve (GNFS)

• Original Number Field Sieve was for special
  numbers ? Special Number Field Sieve (SNFS)
• Algorithm
• Polynomial definition step
• Sieving step
• Matrix solving step
• Making square root step
• Operational cost
• O(exp((64/9)1/3(logn)1/3(loglogn)2/3))
• Cf. QS?O(exp((9/8)(logn)1/2(loglogn)1/2))

19
Contents

• Introduction
• Factoring Methods
• Calculation Records
• Cryptosystem Security

20
Calculation Records

• Factoring records

21
Calculation Records

• Factoring records
• 200 decimal digits number (RSA200)
• Bonn university
• Algorithm GNFS
• Sieving step
• Various machines and time
• Dec 2003 Oct 2004 (? 2.2GHz Opteron 55 years)
• Matrix step
• 80 2.2GHz Opteron (Cluster) 3 months (Dec
  2004 )
• May 2005 factoring completed

22
Calculation Records

• Factoring records
• 176 decimal digits number (A factor of 112811)
• Yuji Kida (Rikkyo university) and NTT laboratory
• Algorithm GNFS
• Sieving step
• Various machines (? 3.2GHz Pentium4 9.7 years)
• 16 Mar 2005 12 Apr 2005 (27days)
• Matrix step
• 32 3.2GHz Pentium4 (Cluster) 2.5 days
• Apr 2005 factoring completed

23
Contents

• Introduction
• Factoring Methods
• Calculation Records
• Cryptosystem Security

24
Cryptosystem Security

• RSA use 1024 bit length key
• How long does it take to factor 1024bit number?
• 5.81051.4106 years(?) Kida, 2003
• RSA Factoring Challenge
• 8 composite numbers (5762048bit) to factor
• 576 bit number was factored (Dec 3, 2003)
• 200 decimal digit number (old problem) was
  factored
• 640 bit number is 193 decimal digit

25
Cryptosystem Security

• TWIRL
• Make sieving step of GNFS in device
• It will take 1 year to sieve 1024bit length
  number
• Not in practice yet
• Quantum Computing
• Shors algorithm may run very fast
• Quantum computer is not in practice

26
Thats All

• Thank you