
Published by Roberto Eastlick, modified over 2 years ago

Quadratic Field Sieve (QFS)
Matt Spear, Steven Guy

Agenda
1. Introduction to sieves
2. Euclid's GCD in base 2
3. Definitions
4. Algorithms
5. RHO example
6. Factor Bases
7. QFS example
8. Introduction to MPQFS

Prime Number Sieve (Sieve of Eratosthenes)
1. Start with all numbers greater than 1.
2. Divide all by the first number.
3. Repeat with the next remaining number until there is nothing left to divide by, i.e. the last number is all that remains.
4. What remains are the prime numbers.

Prime Number Sieve: initial sieve space

Prime Number Sieve, after dividing by two: 2 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 73 75 77 79 81 83 85 87 89 91 93 95 97 99 101

Prime Number Sieve, after dividing by three: 2 3 5 7 11 13 17 19 23 25 29 31 35 37 41 43 47 49 53 55 59 61 65 67 71 73 77 79 83 85 89 91 95 97 101

Prime Number Sieve, after dividing by five: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 49 53 59 61 67 71 73 77 79 83 89 91 97 101

Prime Number Sieve, after all possible divisions: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101

Prime Number Less Than

Euclid's GCD Algorithm (Binary)

    g := 1
    while u is even && v is even        // pull out the common factors of 2
        u := u/2
        v := v/2
        g := 2*g
    EndWhile
    // now u or v (or both) are odd
    while u > 0
        if u is even, then u := u/2      // a lone factor of 2 cannot be in the gcd
        else if v is even, then v := v/2
        else                             // both odd: replace the larger by half the difference
            t := |u-v|/2
            if u < v, then v := t else u := t
        EndIf
    EndWhile
    return g*v

Groups
An algebraic structure (G, Δ) with one associative composition (operation) Δ. Contains a neutral element for Δ, and every element is invertible over Δ.
Is abelian if Δ is also commutative.
For example: (N_n, +) (addition modulo n) is an abelian group with neutral element e = 0 and inverse of x = n − x.

Rings
An algebraic structure (A, +, ·) with (A, +) an abelian group and (A, ·) an associative composition that distributes over +.
Is a commutative ring if · is commutative.
For example: (N_n, +_n, ·_n) is a commutative ring, called the ring of integers mod n.

Fields
A commutative ring in which every nonzero element has a multiplicative inverse (x · x* = 1).
Is finite if the size of the field is finite.
For example: Z/pZ is a finite field when p is a prime integer, the field of integers modulo p (F_p). (If p is not prime, not every element has an inverse, e.g. if p = 10 then 2 has no inverse under ·.)

Quadratic Residues
The quadratic residues are the n for which the equation x² ≡ n (mod p) has a solution x. If an element is not the square of a number it is a nonresidue.
For example, in F_11 the residues are {1, 4, 9, 5, 3}, as 1² ≡ 1; 2² ≡ 4; 3² ≡ 9; 4² ≡ 5; 5² ≡ 3. The nonresidues are {2, 6, 7, 8, 10}.

Legendre Symbol
Used to determine if a number is a quadratic residue. Defined as:

Legendre(a, p)
    if a ≡ 0 (mod p) then return 0 EndIf
    x := a, y := p, L := 1
    while true
        x := (x mod y)
        if x > y/2 then                  // switch to the least absolute residue
            x := y − x
            if y ≡ 3 (mod 4) then L := L · −1 EndIf   // (−1/y) = −1 when y ≡ 3 (mod 4)
        EndIf
        if x = 0 then return −1 EndIf
        while x ≡ 0 (mod 4)              // factors of 4 are squares and drop out
            x := x/4
        EndWhile
        if x ≡ 0 (mod 2) then            // (2/y) = −1 exactly when y ≡ 3 or 5 (mod 8)
            x := x/2
            t := (y mod 8)
            if t = 5 or t = 3 then L := L · −1 EndIf
        EndIf
        if x = 1 then return L EndIf
        if x ≡ 3 and y ≡ 3 (mod 4) then L := L · −1 EndIf   // quadratic reciprocity
        t := x, x := y, y := t
    EndWhile

Square Root Modulo p
Sometimes it is useful to find an x such that x² ≡ n (mod p). There are two methods for finding such an x:
1. Iterate over the subset 0 < x < (p − 1)/2
2. Use the Shanks-Tonelli algorithm:

Shanks-Tonelli(a, p)
    Choose random n until legendre(n, p) = −1
    Find e, q such that p − 1 = 2^e · q and q is odd
    y := (n^q mod p), r := e, x := a^((q − 1)/2) (mod p), b := a · x² (mod p), x := a · x
    While b ≢ 1 (mod p)
        Find smallest m such that b^(2^m) ≡ 1 (mod p)
        t := y^(2^(r − m − 1)) (mod p), y := t² (mod p), r := m, x := x · t (mod p), b := b · y (mod p)
    EndWhile
    Return x

RHO Derivation
Use the fact that any odd n ∈ N⁺ with n > 2 can be represented as x² − y²; therefore any such composite n = x² − y² = p · q. Try to find x such that x² ≡ y² (mod n). This follows directly from the definition of mod: n = x² − y², so x² = n + y², and since mod returns the r with x² − a · n = r (here a = 1 and r = y²), x² ≡ y² (mod n).

RHO Algorithm
Basis for most algorithms (including both QFS and NFS).
1. Set f_{i+1}(x) = a · x² + b · x + c with a, b, c ∈ N⁺
2. Set f_0(x) = 1, 2 or some small integer
3. Compute f_i(x) until gcd(f_{i+1} − f_i, n) ≠ 1
4. This number will be a factor of n.
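An added Python example (not from the slides) of the RHO idea with f(x) = x² + c, i.e. the slide's polynomial with a = 1 and b = 0. It uses Floyd's cycle detection, which compares x_i with x_{2i} instead of consecutive values as in step 3, and retries with another c when the gcd comes out as n itself; the function names are my own.

```python
from math import gcd

def pollard_rho(n, c=1, x0=2):
    # f(x) = x^2 + c is the slide's a*x^2 + b*x + c with a = 1, b = 0.
    # Floyd cycle detection: x advances one step, y two steps per round, and
    # gcd(x - y, n) is tested instead of the gcd of consecutive values.
    f = lambda v: (v * v + c) % n
    x = y = x0
    while True:
        x, y = f(x), f(f(y))
        d = gcd(x - y, n)
        if d == n:                 # the sequence cycled before exposing a factor
            return None
        if d > 1:
            return d

def factor_rho(n):
    # Retry with a fresh constant c until a non-trivial factor turns up;
    # None means none of the constants worked (for example when n is prime).
    if n % 2 == 0:
        return 2
    for c in range(1, 100):
        d = pollard_rho(n, c)
        if d:
            return d
    return None
```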

RHO Running Time
With a high probability RHO will find a factor in bit operations. Much faster than trial division.

Factor Bases
A set of prime integers, one of which can be −1 (B = {p_1, p_2, …, p_k}).
An integer is smooth over B iff all of its factors exist in B.
The least absolute residue is (x² mod n) taken in the interval (−n/2, n/2).
An integer is a B-number iff its least absolute residue (LAR) is smooth over B.
For example: B = {−1, 2, 3, 5}, n = 336, a = 8, b = 5, c = 9.
LAR(a) = 64 = 2^6, LAR(b) = 25 = 5², LAR(c) = 81 = 3^4; these are B-numbers.
a = {0, 6, 0, 0}, b = {0, 0, 0, 2}, c = {0, 0, 4, 0}; therefore {b, c} is linearly dependent over B mod 2 and gcd(b + c, n) = 14, a factor of n.

QFS (Quadratic Field Sieve)
A fast method for factoring large numbers less than 110 digits long. Relies on algebraic number theory. Discovered by Pomerance in the early 1980s. Uses the ideas of RHO and Factor Bases, and a sieve similar to the prime number sieve shown earlier. We shall denote floor(x) as [x] in the following.

QFS
1. Set P :=
2. Set A := P³
3. Make a matrix with row 1 all primes p_i less than P such that legendre(n, p_i) = 1 (if not, discard p_i).
4. Make column 1 all t in the range ([√n] + 1, [√n] + A).
5. Make column 2 t² − n for all t.
6. For all the odd p (2 gets handled specially) solve the equation t² ≡ n (mod p^Θ) for Θ = 1, 2, … until there is no solution in the range of column 1.
7. Let t_1, t_2 be the last pair of integers that satisfied the equation.

QFS
8. For each element of column 2, if t differs from t_1 by a multiple of p, place a 1 in that row, column; repeat for p², p³, …, p^Θ, except change the 1 to a 2, 3, …, Θ.
9. Each time a 1 is placed or changed, replace the t² − n by (t² − n)/p.
10. For p = 2: if n ≡ 1 (mod 8), treat 2 as above; otherwise simply place a 1 next to all odd t and replace the t² − n by (t² − n)/2.
11. Remove all rows where the t² − n has not become 1.
12. As with Factor Bases, find a linearly dependent subset of the rows (mod 2); we shall denote this as {t_1, t_2, …, t_k} and the corresponding prime factors for each t_i as {p_1^Θ1, p_2^Θ2, …, p_h^Θh}, where Θ_i is the number in the row, column specified by t_i, p_j.

QFS
13. For this subset check that …, where B_Ψ is the sum of the Θ_i in the base vectors divided by 2.
14. Once a set has been found, verify that …
15. If so, then … will be a non-trivial factor of n.

QFS Example (n = 2279)


QFS Example (n = 2279), on 2: check 2279 mod 8. 2279 ≡ 7 (mod 8), good, it is the easier case (step 10).

QFS Example (n = 2279)
Looking at the table it is obvious that rows 48, 50, 52, 54 are linearly dependent mod 2:
(48 · 50 · 52 · 54)² ≡ (5² · 7 · 13 · 17)² (mod 2279)
Therefore gcd((48 · 50 · 52 · 54) − (5² · 7 · 13 · 17), 2279) is a factor, namely 53;
gcd((48 · 50 · 52 · 54) + (5² · 7 · 13 · 17), 2279) is the other factor, namely 43.
It never hurts to double check, so 53 · 43 = 2279. YAY We Factored 2279!!
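Steps 3 to 15 of the QFS, together with the exponent vectors and the mod 2 dependency from the Factor Bases slide, as an added Python example (not the authors' code) run on n = 2279. It assumes n is odd, replaces legendre(n, p) by Euler's criterion, finds the roots of t² ≡ n (mod p) by brute force since the base primes are small, and takes P = 20 and A = 20 as my own choices because the slide's value of P is not shown; all function names are mine.

```python
from math import gcd, isqrt

def factor_base(n, P):
    # Step 3: primes p < P with n a quadratic residue mod p; 2 is always kept.
    primes = [p for p in range(2, P) if all(p % q for q in range(2, isqrt(p) + 1))]
    return [p for p in primes if p == 2 or pow(n, (p - 1) // 2, p) == 1]

def sieve_rows(n, base, A):
    # Steps 4-11 (n odd): t runs over [sqrt n]+1 .. [sqrt n]+A, and p is divided
    # out of t^2 - n only where t hits a root of t^2 = n (mod p).
    roots = {p: [r for r in range(p) if (r * r - n) % p == 0] for p in base}
    rows = []
    for t in range(isqrt(n) + 1, isqrt(n) + 1 + A):
        v, exps = t * t - n, []
        for p in base:
            k = 0
            if t % p in roots[p]:          # step 8: t = t1 or t2 (mod p)
                while v % p == 0:          # steps 8-9: p, p^2, ..., p^Theta
                    v, k = v // p, k + 1
            exps.append(k)
        if v == 1:                         # step 11: row is smooth (a B-number)
            rows.append((t, exps))
    return rows

def dependency(rows):
    # Step 12: elimination over GF(2) on the exponent parities; returns the
    # indices of the first row subset whose exponent sums are all even.
    pivots = {}
    for i, (_, exps) in enumerate(rows):
        v, mask = sum(1 << j for j, e in enumerate(exps) if e % 2), 1 << i
        while v and v.bit_length() - 1 in pivots:
            pv, pm = pivots[v.bit_length() - 1]
            v, mask = v ^ pv, mask ^ pm    # mask tracks which rows were combined
        if v == 0:
            return [k for k in range(len(rows)) if mask >> k & 1]
        pivots[v.bit_length() - 1] = (v, mask)
    return None

def combine(n, base, rows, idx):
    # Steps 13-15: x = product of the t's, y = product of p^(sum Theta / 2),
    # so x^2 = y^2 (mod n); returns (gcd(x - y, n), gcd(x + y, n)).
    x, y = 1, 1
    for i in idx:
        x = x * rows[i][0] % n
    for j, p in enumerate(base):
        y = y * pow(p, sum(rows[i][1][j] for i in idx) // 2, n) % n
    return gcd(x - y, n), gcd(x + y, n)

def qfs(n, P=20, A=20):
    base = factor_base(n, P)
    rows = sieve_rows(n, base, A)
    idx = dependency(rows)
    return combine(n, base, rows, idx) if idx else None
```

For 2279 the elimination returns the single row t = 48 first, because 48² − 2279 = 5² is already a square and gcd(48 − 5, 2279) = 43 on its own; passing the indices of rows 48, 50, 52, 54 to combine() reproduces the slide's 53 and 43.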

QFS Running Time
Runs in time … Requires approximately an equivalent amount of space. Faster than RHO as the function is between polynomial in log(n) and polynomial in n.

MPQFS (Multiple Polynomial QFS)
Allows for parallel processing of the QFS simply. Same algorithm except it uses multiple polynomials of the form Q(x) := a · x² + b · x + c, where a is the square of an integer, b is in the interval [0, a) such that b² ≡ a (mod n), and c := b²/(4 · a). By doing so the size of the factor base and the sieving interval for each Q(x) are reduced, and the Q(x) can be run simultaneously.
