1 / 26

A Survey on Factoring Large Numbers ~ 巨大数の因数分解に関する調査 ~

A Survey on Factoring Large Numbers ~ 巨大数の因数分解に関する調査 ~. Kanada Lab. M1 47- 56338 Yoshida Hitoshi. Introduction. Factoring a number means representing it as the product of smaller numbers. It is difficult to factor a large number.

truda
Download Presentation

A Survey on Factoring Large Numbers ~ 巨大数の因数分解に関する調査 ~

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Survey on Factoring Large Numbers~ 巨大数の因数分解に関する調査 ~ Kanada Lab. M1 47-56338 Yoshida Hitoshi

  2. Introduction • Factoring a number means representing it as the product of smaller numbers. • It is difficult to factor a large number. • Some cryptosystems are based on the difficulty of the factoring integer problem. • It measures the security of the cryptosystems to factor large numbers in short time.

  3. Contents • Introduction • Factoring Methods • Calculation Records • Cryptosystem Security

  4. Contents • Introduction • Factoring Methods • Calculation Records • Cryptosystem Security

  5. Factoring Methods Trial Division Trial Division Euler’s Method Euler’s Method Pollard’s (p-1)-Method Pollard’s (p-1)-Method Pollard’s ρ Method Pollard’s ρ Method Square Forms Factorization Square Forms Factorization Pollard’s (p+1)-Method Pollard’s (p+1)-Method Elliptic Curve Method Elliptic Curve Method Difference of Squares Difference of Squares Continued Fraction Method Continued Fraction Method Quadratic Sieve Quadratic Sieve General Number Field Sieve General Number Field Sieve Multiple Polynomial Quadratic Sieve Multiple Polynomial Quadratic Sieve

  6. Trial Division • Algorithm • Check if “n mod i = 0” for i = 2,3,4,… • Merit • It can factor a number into prime numbers. • Demerit • ‘i’ may be nearly when n is the product of 2 primes of same size.

  7. Trial Division • Improvement • Don’t use multiples of 2,3,5 for “i”. • Use only prime numbers for “i”. • Cannot reduce operational costs. • This method can use at most 1030. π(1015)=29,844,570,422,669 ≒ 30T If one trial division can do in 50 clock π(1015)×50[clock]÷3G[Hz] = 500K [sec] = 5.8[day]

  8. Difference of Squares • Algorithm • Find x and y which implement x2-y2=n • Factor n with x2-y2=(x+y)(x-y) • Demerit • May not factor a number into prime numbers. • Merit • Factor a large composite number into small numbers • Operational cost • O(y)

  9. Difference of Squares • Improvement • How about using “x2-y2≡0 (mod n)” ? • 602-52≡0 (mod 143) ⇒ 65・55≡0 • 65 or 55 must have prime factor(s) of 143. • GCD(65,143)=13, GCD(55,143)=11 • How to find such x, y that implement “x2–y2≡0 (mod n)”? • Find many (ai, bi) pairs that implement ai≡bi (mod n) • Make a combination that implements Πai=x2, Πbi=y2 14・67≡ 3 mod 187 31・67≡20 mod 187 14・31≡60 mod 187 (14・31・67)2≡602 mod 187

  10. Difference of Squares • How can we find those numbers efficiently? • Quadratic Sieve (QS) Cf. Multiple Polynomial Quadratic Sieve (MPQS) • General Number Field Sieve (GNFS)

  11. Quadratic Sieve • Algorithm • for i = [√n]±1,2,… , factor i2-n into prime numbers (i2≡i2-n=p1p2p3…) • search a combination that make every exponent number even • x=Πi and y=√(Πprimes) implements x2-y2≡0

  12. Quadratic Sieve • Example n=3937, √n=62.7 i=63 632≡632-n= 32=25 i=64 642≡642-n=159=3・53 i=65 652≡652-n=288=25・32 i=66 662≡662-n=419=419 i=67 672≡672-n=552=23・3・23

  13. Quadratic Sieve • Example n=3937, √n=62.7 i=63 632≡632-n= 32=25 i=64 642≡642-n=159=3・53 i=65 652≡652-n=288=25・32 i=66 662≡662-n=419=419 i=67 672≡672-n=552=23・3・23 (63・65)2≡210・32=(25・3)2 ∴GCD(63・65-25・3, n)=31

  14. Quadratic Sieve • Operational cost • O(exp((9/8)(logn)1/2(loglogn)1/2)) • Now, QS is one of the fastest method to factor 30~60 decimal digit numbers. • Make faster • Large prime factors appear rarely • Smaller number has smaller primes. • How can we get small numbers efficiently?

  15. Quadratic Sieve • Example n=3937, √n=62.7 i=63 632≡632-n= 32=25 i=64 642≡642-n=159=3・53 i=65 652≡652-n=288=25・32 i=66 662≡662-n=419=419 i=67 672≡672-n=552=23・3・23 (63・65)2≡210・32=(25・3)2 ∴GCD(63・65-25・3, n)=31

  16. Quadratic Sieve • Operational cost • O(exp((9/8)(logn)1/2(loglogn)1/2)) • Now, QS is one of the fastest method to factor 30~60 decimal digit numbers. • Make faster • Large prime factors appear rarely • Smaller number has smaller primes. • How can we get small numbers efficiently?

  17. Quadratic Sieve • Make faster • MPQS (Multiple Polynomial QS) ; i2-n ⇒ (ai+b)2-n • MPQS is the fastest to factor 60~120 digit numbers QS MPQS

  18. General Number Field Sieve (GNFS) • Original “Number Field Sieve” was for special numbers ⇒ Special Number Field Sieve (SNFS) • Algorithm • Polynomial definition step • Sieving step • Matrix solving step • Making square root step • Operational cost O(exp((64/9)1/3(logn)1/3(loglogn)2/3)) [Cf. QS→O(exp((9/8)(logn)1/2(loglogn)1/2)) ]

  19. Contents • Introduction • Factoring Methods • Calculation Records • Cryptosystem Security

  20. Calculation Records • Factoring records

  21. Calculation Records • Factoring records • 200 decimal digits number (RSA200) • Bonn university • Algorithm : GNFS • Sieving step • Various machines and time • Dec 2003 ~ Oct 2004 (≒ 2.2GHz Opteron × 55 years) • Matrix step • 80 × 2.2GHz Opteron (Cluster) × 3 months (Dec 2004 ~) • May 2005 factoring completed

  22. Calculation Records • Factoring records • 176 decimal digits number (A factor of 11281+1) • Yuji Kida (Rikkyo university) and NTT laboratory • Algorithm : GNFS • Sieving step • Various machines (≒ 3.2GHz Pentium4 × 9.7 years) • 16 Mar 2005 ~ 12 Apr 2005 (27days) • Matrix step • 32 × 3.2GHz Pentium4 (Cluster) × 2.5 days • Apr 2005 factoring completed

  23. Contents • Introduction • Factoring Methods • Calculation Records • Cryptosystem Security

  24. Cryptosystem Security • RSA use 1024 bit length key • How long does it take to factor 1024bit number? • 5.8×105~1.4×106 years(?) [Kida, 2003] • RSA Factoring Challenge • 8 composite numbers (576~2048bit) to factor • 576 bit number was factored (Dec 3, 2003) • 200 decimal digit number (old problem) was factored • 640 bit number is 193 decimal digit

  25. Cryptosystem Security • TWIRL • Make sieving step of GNFS in device • It will take 1 year to sieve 1024bit length number • Not in practice yet • Quantum Computing • Shor’s algorithm may run very fast • Quantum computer is not in practice

  26. That’s All Thank you

More Related