# Quadratic Field Sieve (QFS)


Quadratic Field Sieve (QFS)
Matt Spear, Steven Guy
251959084756578934940271832400483985714292821262040320277771378360436620207075955562640185258807844069182906412495150821892985591491761845028084891200728449926873928072877767359714183472702618963750149718246911650776133798590957000973304597488084284017974291006424586918171951187461215151726546322822168699875491824224336372590851418654620435767984233871847744479207399342365848238242811981638150106748104516603773060562016196762561338441436038339044149526344321901146575444541784240209246165157233507787077498171257724679629263863563732899121548314381678998850404453640235273819513786365 64391212010397122822120720357

Agenda
1. Introduction to sieves
2. Euclid's GCD in base 2
3. Definitions
4. Algorithms
5. RHO example
6. Factor Bases
7. QFS example
8. Introduction to MPQFS

Prime Number Sieve (Sieve of Eratosthenes)
1. Start with all numbers greater than 1.
2. Strike out every number divisible by the first remaining number (other than that number itself).
3. Repeat with the next remaining number until there is nothing left to divide by, i.e. the last remaining number has been reached.
4. What remains are the prime numbers.

Prime Number Sieve (initial sieve space): 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101

Prime Number Sieve (after dividing by two): 2 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 73 75 77 79 81 83 85 87 89 91 93 95 97 99 101

Prime Number Sieve (after dividing by three): 2 3 5 7 11 13 17 19 23 25 29 31 35 37 41 43 47 49 53 55 59 61 65 67 71 73 77 79 83 85 89 91 95 97 101

Prime Number Sieve (after dividing by five): 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 49 53 59 61 67 71 73 77 79 83 89 91 97 101

Prime Number Sieve (after all possible divisions): 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101

Prime Numbers Less Than 1602: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 211 223 227 229 233 239 241 251 257 263 269 271 277 281 283 293 307 311 313 317 331 337 347 349 353 359 367 373 379 383 389 397 401 409 419 421 431 433 439 443 449 457 461 463 467 479 487 491 499 503 509 521 523 541 547 557 563 569 571 577 587 593 599 601 607 613 617 619 631 641 643 647 653 659 661 673 677 683 691 701 709 719 727 733 739 743 751 757 761 769 773 787 797 809 811 821 823 827 829 839 853 857 859 863 877 881 883 887 907 911 919 929 937 941 947 953 967 971 977 983 991 997 1009 1013 1019 1021 1031 1033 1039 1049 1051 1061 1063 1069 1087 1091 1093 1097 1103 1109 1117 1123 1129 1151 1153 1163 1171 1181 1187 1193 1201 1213 1217 1223 1229 1231 1237 1249 1259 1277 1279 1283 1289 1291 1297 1301 1303 1307 1319 1321 1327 1361 1367 1373 1381 1399 1409 1423 1427 1429 1433 1439 1447 1451 1453 1459 1471 1481 1483 1487 1489 1493 1499 1511 1523 1531 1543 1549 1553 1559 1567 1571 1579 1583 1597 1601

Euclid's GCD Algorithm (Binary)

```
g := 1
while u is even && v is even
  u := u/2
  v := v/2
  g := 2*g
EndWhile
// now u or v (or both) are odd
while u > 0
  if u is even, then u := u/2
  else if v is even, then v := v/2
  else
    t := |u-v|/2
    if u < v, then v := t else u := t EndIf
  EndIf
EndWhile
return g*v
```

Groups
- An algebraic structure (G, Δ) with one associative composition (operation) Δ
- Contains a neutral element for Δ, and every element is invertible under Δ
- Is Abelian if Δ is also commutative
For example: (N_n, +) (addition modulo n) is an abelian group with neutral element e = 0 and the inverse of x equal to n - x.

Rings
- An algebraic structure (A, +, ·) with (A, +) an abelian group and (A, ·) an associative composition that distributes over +
- Is a commutative ring if · is commutative
For example: (N_n, +_n, ·_n) is a commutative ring, called the ring of integers mod n.

Fields
- A commutative ring in which every nonzero element has a multiplicative inverse (x · x* = 1)
- Is finite if the field has finitely many elements
For example: Z/pZ is a finite field when p is a prime integer, the field of integers modulo p (F_p). (If p is not prime, not every element has an inverse; e.g. for p = 10, 2 has no inverse under ·.)

Quadratic Residues
- The residues are the values n for which the equation x^2 ≡ n (mod p) has a solution x
- If an element is not the square of some number it is a nonresidue
For example, in F_11 the residues are {1, 4, 9, 5, 3}, as 1^2 ≡ 1, 2^2 ≡ 4, 3^2 ≡ 9, 4^2 ≡ 5, 5^2 ≡ 3. The nonresidues are {2, 6, 7, 8, 10}.

Legendre Symbol
- Used to determine whether a number is a quadratic residue.
- Defined as: [formula not reproduced]

```
Legendre(a, p)
  if a ≡ 0 (mod p) then return 0 EndIf
  x := a, y := p, L := 1
  while true
    x := (x mod y)
    if x > y/2 then
      x := y - x
      if y ≡ 3 (mod 4) then L := L · -1 EndIf
    EndIf
    if x = 0 then return -1 EndIf
    while x ≡ 0 (mod 4)
      x := x/4
    EndWhile
    if x ≡ 0 (mod 2) then
      x := x/2
      t := (y mod 8)
      if t = 5 or t = 3 then L := L · -1 EndIf
    EndIf
    if x = 1 then return L EndIf
    if x, y ≡ 3 (mod 4) then L := L · -1 EndIf
    t := x, x := y, y := t
  EndWhile
```

Square Root Modulo p
- Sometimes it is useful to find an x such that x^2 ≡ n (mod p). There are two methods for finding such an x:
1. Iterate over the range 0 < x ≤ (p - 1)/2 (x and p - x have the same square)
2. Use the Shanks-Tonelli algorithm:

```
Shanks-Tonelli(a, p)
  Choose random n until legendre(n, p) = -1
  Find e, q such that p - 1 = 2^e · q and q is odd
  y := n^q (mod p), r := e
  x := a^((q - 1)/2) (mod p)
  b := a · x^2 (mod p), x := a · x (mod p)
  While b ≠ 1 (mod p)
    Find smallest m such that b^(2^m) ≡ 1 (mod p)
    t := y^(2^(r - m - 1)) (mod p), y := t^2 (mod p), r := m
    x := x · t (mod p), b := b · y (mod p)
  EndWhile
  Return x
```

RHO Derivation
- Uses the fact that any odd n ∈ N+, n > 2, can be represented as x^2 - y^2; therefore any composite n = x^2 - y^2 = p · q. Try to find x such that x^2 ≡ y^2 (mod n).
- This follows directly from the definition of mod: n = x^2 - y^2 ⇒ x^2 = n + y^2, and x^2 mod n is the remainder r with x^2 = r + a · n (here a = 1 and r = y^2) ⇒ x^2 ≡ y^2 (mod n).

RHO Algorithm
- Basis for most algorithms (including both QFS and NFS).
1. Set f_{i+1}(x) = a · x^2 + b · x + c with a, b, c ∈ N+
2. Set f_0(x) = 1, 2 or some small integer
3. Compute f_i(x) until gcd(f_{i+1} - f_i, n) ≠ 1
4. This number will be a factor of n.

RHO Running Time
- With a high probability RHO will find a factor in [formula not reproduced] bit operations
- Much faster than trial division

Factor Bases
- A set of prime integers, one of which may be -1 (B = {p_1, p_2, …, p_k}).
- An integer is smooth over B iff all of its prime factors are in B.
- The least absolute residue (LAR) of x is x^2 mod n taken in the interval (-n/2, n/2).
- An integer is a B-number iff its least absolute residue is smooth over B.
For example: B = {-1, 2, 3, 5}, n = 336, a = 8, b = 5, c = 9. LAR(a) = 64 = 2^6, LAR(b) = 25 = 5^2, LAR(c) = 81 = 3^4, so these are B-numbers with exponent vectors a = (0, 6, 0, 0), b = (0, 0, 0, 2), c = (0, 0, 4, 0); therefore {b, c} is linearly dependent over B mod 2, and gcd(b + c, n) = 14 is a factor of n.

QFS
- Quadratic Field Sieve
- A fast method for factoring large numbers less than 110 digits long.
- Relies on algebraic number theory
- Discovered by Pomerance in the early 1980's.
- Uses the ideas of RHO and Factor Bases
- Uses a sieve similar to the prime number sieve shown earlier.
- We shall denote floor(x) as [x] in the following

QFS
1. Set P := [formula not reproduced]
2. Set A := P^3
3. Make a matrix whose row 1 holds all primes p_i less than P such that legendre(n, p_i) = 1 (discard any p_i for which it is not)
4. Make column 1 be all t in the range ([√n] + 1, [√n] + A)
5. Make column 2 be t^2 - n for every t
6. For every odd p (2 is handled specially), solve the equation t^2 ≡ n (mod p^Θ) for Θ = 1, 2, … until there is no solution in the range of column 1.
7. Let t_1, t_2 be the last pair of integers that satisfied the equation.

QFS
8. For each t in column 1, if t differs from t_1 by a multiple of p, place a 1 in the cell (row p, column t); repeat for p^2, p^3, …, p^Θ, changing the 1 to 2, 3, …, Θ.
9. Each time a 1 is placed or changed, replace the t^2 - n by (t^2 - n)/p.
10. For p = 2: if n ≡ 1 (mod 8) treat 2 as above; otherwise simply place a 1 next to all odd t and replace t^2 - n by (t^2 - n)/2.
11. Remove all rows where t^2 - n has not become 1.
12. As with Factor Bases, find a linearly dependent subset of the rows (mod 2); denote it {t_1, t_2, …, t_k} and the corresponding prime powers for each t_i as {p_1^Θ_1, p_2^Θ_2, …, p_h^Θ_h}, where Θ_i is the number in the cell specified by t_i and p_j.

QFS
13. For this subset check that [formula not reproduced], where B_Ψ is the sum of the Θ_i in the base vectors divided by 2.
14. Once a set has been found, verify that [formula not reproduced].
15. If so, then [formula not reproduced] will be a non-trivial factor of n.

QFS Example (n = 2279)

- For p = 2, check n mod 8: 2279 ≡ 7 (mod 8), good, so the easier case of step 10 applies.

QFS Example (n = 2279)  Looking at the table it is obvious that rows 48,50,52,54 are linearly dependant mod 2.  (48 · 50 · 52 · 54) 2 ≡ (5 2 · 7 · 13 · 17) 2 (mod 2279)  Therefore gcd((48 · 50 · 52 · 54) – (5 2 · 7 · 13 · 17), 2279) is a factor, namely 53  gcd((48 · 50 · 52 · 54) + (5 2 · 7 · 13 · 17), 2279) is the other factor namely 43.  It never hurts to double check so 53 · 43 = 2279 YAY We Factored 2279!!

QFS Running Time
- Runs in time [formula not reproduced]
- Requires approximately an equivalent amount of space
- Faster than RHO, as the function is between polynomial in log(n) and polynomial in n.

MPQFS
- Multiple Polynomial QFS
- Allows the QFS to be processed in parallel simply
- Same algorithm, except it uses multiple polynomials of the form Q(x) := a · x^2 + b · x + c
- Where a is the square of an integer, b is in the interval [0, a) such that b^2 ≡ a (mod n), and c := b^2/(4 · a).
- Doing so reduces the size of the factor base and the sieving interval for each Q(x), and the Q(x) can be run simultaneously

