Abstract - PowerPoint PPT Presentation

About This Presentation

Title:

Abstract

Description:

Title: Polynomial Selection for Number field Sieve Author: Peter Montgomery Last modified by: Peter Montgomery Created Date: 9/2/2005 10:54:01 PM Document ... – PowerPoint PPT presentation

Number of Views:33

Avg rating:3.0/5.0

Slides: 32

Provided by: PeterM237

Learn more at: https://wstein.org

Category:

more less

Transcript and Presenter's Notes

Title: Abstract

1
Abstract

The Number Field Sieve is asymptotically the
fastest known algorithm for factoring a large
integer N with no small prime factors, such as an
RSA modulus. An early step in the algorithm
selects two polynomials with a common root modulo
N. This talk will present some techniques for
choosing the polynomials when N has no nice
algebraic form.

2
Polynomial Selection for the General Number Field
Sieve

Peter L. Montgomery
Microsoft Research, USA
May 29, 2008

3
Number Field Sieve (NFS)

Asymptotically best known algorithm for factoring
large integers with no small prime factors.
Also best known algorithm for discrete logarithms
modulo large primes.

4
SNFS and GNFS

Special Number Field Sieve (SNFS)
Number being factored has nice algebraic form.
Record (21039 - 1)/5080711
(307 digits, 2007).
General Number Field Sieve (GNFS)
No known nice algebraic form.
Record RSA200 (200 digits, 2005).

5
NFS Stages Part I

Input Composite integer N, no small factors.
Polynomial selection
Find f1, f2 ? ZX with common root m modulo N.
Homogeneous form Fk(a, b) b deg(fk) fk(a/b) .
Sieving
Find many integer pairs (ai, bi) where both
homogeneous polynomial values Fk(ai, bi) are
smooth (k 1, 2).
Normalized so gcd(ai, bi) 1 and bi gt 0.
Called relations.
Need one relation per prime in your factor bases.

6
NFS Stages Part II

Matrix construction and linear algebra
Let ?k be a (complex) root of fk.
Find nonempty set S of indices such that
pj?S (aj bj ?k) is a square in Q(?k), for
each k.
Each aj bj ?k has smooth norm.
Find square roots in Q(?k).
Apply homomorphisms mapping each ?k to m mod N
.
Get integer congruence A2 B2 (mod N). Hope
GCD(A B, N) is nontrivial factor of N.

7
Finding Two Polynomials for NFS

Given N, which we want to factor.
Also input desired degrees d1, d2 .
Find irreducible polynomials f1, f2 of degrees
d1, d2 with common root m modulo N (but not in
C).
resultant(f1, f2) will be a nonzero multiple of
N, preferably a small multiple.
Determinant formula for resultant gives lower
bound on coefficient sizes in f1, f2 .

8
Sample SNFS Polynomial Selection

N (2512 1)/2424833 (148 digits).
9th Fermat number made SNFS famous (1990).
Guess to use degrees 5 and 1.
Common root m 2103.
f1(X) X - m and f2(X) X 5 8.
Resultant (m5 8) or 19e6 N.
Homogeneous F1 (a, b) a - mb,
and F2 (a, b) a5 8 b5.

9
Norm Sizes

Assume we sieve 2e12 points, in rectangle a ?
1e6 and 0 lt b ? 1e6.
Approximate homogeneous sizes
a - 1e31 b and a5 8b5.
Norm bounds approx 1e37 and 9e30.
Smaller norms more likely to be smooth.
Both norms must be smooth.

10
Alternate Choices for 2512 1

Degree 4, m 2128 3e38. f2(X) X4 1.
a - mb and a4 b4.
Bounds 3e44 and 2e24.
Degree 6, m 285 4e25. f2(X) 4X6 1.
a - mb and 4a6 b6.
Bounds 4e31 and 5e36.
Degree 5 bounds were 1e37 and 9e30.
Close call between degrees 5 and 6.
1990 technology needed monic polynomials.

11
Roots Modulo Small Primes

X 4 1
One root modulo 2, four modulo 17.
X 5 8
One root modulo each of 2, 3, 5, 7, 13, 17, 19,
23.
4X 6 1
Projective root modulo 2.
Two roots modulo each of 5, 17.
This quintic norm has more prime divisors lt 25
than the other norms, on average.

12
Lower Bounds on Sizes

Assume fk has degree dk, coefficient bound Bk (k
1, 2).
Determinant formula for resultant(f1, f2) has d2
rows with coefficients of f1 and d1 rows
with coefficients of f2.
Need B1d2 B2d1 ? N (approx).
If rectangular sieving region is 2A A, want
both Bk Adk small, about same size.

13
Base-m Method for GNFS

Set m N1/(d1) if degrees d and 1 wanted.
Write N a0 a1m ... ad md in base m.
Each ai is O(m), possibly negative.
f1(X) X - m .
f2(X) a0 a1X ... ad Xd .
Let rectangular sieving region be 2A A.
a ? A and 0 lt b ? A.
Norm bounds mA and (d1)mAd .
Norms too far apart.

14
Rating Polynomials

Heuristics to increase density of smooth norms
Try to make norm small on average.
Prefer real roots, so norm is near zero on parts
of sieving region.
Try to have many roots modulo small primes and
prime powers.
For example, X2 7 is divisible by 8 whenever it
is even.
Brian Murphy (ANTS, 1998) confirmed that these
properties improve yield when using two quadratic
polynomials.

15
Improved Base-m

Assume degree d ? 4 and linear wanted.
Looking for f(m) N where (if d 5)
f(X) a5X 5 a4X 4 a3X 3 a2X 2 a1X
a0.
Pick leading coefficient ad.
Prefer many small prime divisors.
Set m round(N/ad)1/d.
Fill in initial ad-1 to a0. Usually ad-1 ?
dad/2.
Reject unless ad-2 ltlt m.

16
Skewed Sieving Region

Let f0 be the initial f, with small ad to ad-2
and f0(m) N.
Suppose the rectangular sieving region of area
2A2 is a ? Ar and 0 lt b ? A/r.
If r 1, norm bound is about a0 Ad or m Ad.
If r gtgt 1, big terms are ad-3 (Ar)d-3 (A/r)3 and
ad-2 (Ar)d-2 (A/r)2 and ad (Ar)d.
Assuming first and last dominate, equate them
r (ad-3 / ad)1/6 or (m/ad)1/6.
New norm bound ad-3 (Ar)d-3 (A/r)3 is about m
Ad rd-6.
When d 5, this is factor of r improvement over
r 1.
Linear X - m norm improves slightly too.

17
Improved Modular Properties

Try f(X) f0(X) C(X) (X - m) .
C(X) of degree d-4 to be determined
ad to ad-2 not affected.
ad-3 to a0 grow, but little effect on norm bound
if C has small coefficients.
f(m) f0(m) N.
Sieve to find C(X) for which f has good modular
properties.
Used for RSA140 and RSA155 (1999).

18
Non-monic Linear Polynomial

Start with N, d, ad.
Instead of finding f0 with f0(m) N, find a P
for which the congruence ad md N (mod P) has
many solutions m.
P product of primes 1 (mod d). with N /ad
a d-th residue.
For each such m, find f0(X) with N Pd f0(m/P).
As earlier, reject unless coefficient of Xd-2 is
small.
Can perform this step quickly when same P is
reused.
f2(X) f0(X) C(X)(PX - m) for some C(X).
f2(X) and f1(X) PX - m share root m / P mod
N.
Due to Thorsten Kleinjung.
Used for RSA576 (2003) and RSA200 (2005).

19
Two Quadratic Polynomials

Suppose m is common root (mod N) of
fk ak X 2 bk X ck (k 1, 2) .
Assume O(N1/4) coefficients, coprime over Q.
m2, m, 1 orthogonal to both ak,bk,ck (mod
N) .
Let v cross product of ak,bk,ck over Z.
Coefficients of v are O(N1/2), not all zero.
v is multiple of m2, m, 1 (mod N).
v is a geometric progression mod N.
Not a GP over Z if fk are irreducible (m not a
root).
Polynomials ? Geometric progression mod N.

20
GP to Quadratic Polynomials

Let R r2, r1, r0 O(N1/2) be geometric
progression mod N, but not over Z.
Look at 2-D lattice in Z3 where R . v 0.
Smallest basis vectors ak, bk, ck have typical
size O(R1/2) O(N1/4).
Resulting polynomials have common root r2 /
r1 r1 / r0 mod N .

21
Constructing 3-term GP modulo N

Choose prime q slightly below N1/2 for which N is
a quadratic residue.
Find x0 near N1/2 with x02 N (mod q).
Return q, x0, (x02 N)/q.
Different q lead to different GP and different
pairs of quadratics.
Used for 3,367- c105 in 1993-94.

22
More than two Polynomials

If f and g are same-size quadratics with a common
root, merge them with f g.
Use four (say) polynomials.
Changes to rest of NFS straightforward.
Need to produce twice as many relations.
Six chances per (a, b) for two norms to be
smooth.
Sieve 2/6 as many points (hence smaller norms).
Sieving takes twice as long per (a, b).
Estimated time 2/3 as long as two quadratics.
Hard to find four quadratics which meet the
smoothness heuristics, so the 6 above is
unrealistic.

23
Two Cubics ? Five-term GP

Suppose m is common root (mod N) of
fk ak X3 bk X2 ck X dk (k 1, 2) .
By resultant bound, O(N1/6) coefficients is best
we can get.
Find vector v orthogonal over Z to both
ak, bk, ck , dk , 0 and both 0, ak, bk,
ck, dk .
Simple determinant formula for v.
Components of v will be O(N2/3).
Multiple of m4, m3, m2, m, 1 mod N.

24
Five-term GP ?Two Cubics

Let R r4, r3, r2, r1, r0 O(N2/3) be 5-term
GP mod N, but not over Z. Ratio s r1/r0 mod N.
Also must avoid 2nd-order linear recurrence.
Look at 2-D lattice in Z4 orthogonal to
R ' r3, r2, r1, r0 and ( r4, r3, r2, r1
-s R ' ) / N .
Smallest basis vectors ak, bk, ck, dk have
typical size O((R2/N)1/2) O(N1/6).
Resulting polynomials have common root s mod N .
For two degree-d, polynomials, with O(N1/2d)
coefficients, need 2d-1 terms of size O(N1-1/d ).

25
Need a five-term GP mod N

Exhaustive search finds many O(N2/3) solutions
when N 1e8.
Example
109, 151, 154, 11, 144 ratio 14 154/11 mod
2005
Largest entry 154 vs. 20052/3 159.0 .
X3 - 4X2 3X 3 and 3X3 - X2 - X - 2 share
root 14 mod 2005.
Avoid (1st or) 2nd order linear recurrence.
Example 39, 22, -39, -22, 39 mod 2005 392
222.
X3 X and X2 1 share a quadratic factor.
Dont know how to find quickly when N is large.

26
A Construction for Prime N

Choose irreducible cubic f1 to have known linear
factor X-? and O(1) coefficients.
One of X3 - (2, 3, 6, 12) will work.
Find quadratic f2 with O(N1/3) coefficients and
root ? modulo N.
Follow construction of GP from two O(N1/6) cubics
(one with a leading zero).
N is prime in discrete logarithm problem.

27
Can we use Matrix Inverse?

Matrix inverse scaled to have integer entries.
(109 151 154 ) (-11 10 11)
(151 154 11 ) ( 10 4 -11) 2005 I3
(154 11 144 ) ( 11 -11 3)
Entries in second are bilinear forms evaluated at
coefficients of f1 and f2 , hence O(N1/3).
(a1b2-b1a2 a1c2-c1a2
a1d2-d1a2)
(a1c2-c1a2 a1d2b1c2-c1b2-d1a2
b1d2-d1b2 )
(a1d2-d1a2 b1d2-d1b2
c1d2-d1c2 )
Second matrix symmetric, determinant N.
First has constant backwards diagonals.