1. A Survey on Factoring Large Numbers ～ 巨大数の因数分解に関する調査 ～ Kanada Lab. M1 47- 56338 Yoshida Hitoshi

2. page2 Introduction Factoring a number means representing it as the product of smaller numbers. It is difficult to factor a large number. Some cryptosystems are based on the difficulty of the factoring integer problem. It measures the security of the cryptosystems to factor large numbers in short time.

3. page3 Contents Introduction Factoring Methods Calculation Records Cryptosystem Security

4. page4 Contents Introduction Factoring Methods Calculation Records Cryptosystem Security

5. page5 Trial Division Difference of Squares Euler’s Method Pollard’s (p-1)-Method Pollard’s (p+1)-Method Pollard’s ρ Method Square Forms Factorization Continued Fraction Method Quadratic Sieve Multiple Polynomial Quadratic Sieve General Number Field Sieve Elliptic Curve Method Trial Division Difference of Squares Euler’s Method Pollard’s (p-1)-Method Pollard’s (p+1)-Method Pollard’s ρ Method Square Forms Factorization Continued Fraction Method Quadratic Sieve Multiple Polynomial Quadratic Sieve General Number Field Sieve Elliptic Curve Method Factoring Methods

6. page6 Trial Division Algorithm Check if “n mod i = 0” for i = 2,3,4,… Merit It can factor a number into prime numbers. Demerit ‘i’ may be nearly when n is the product of 2 primes of same size.

7. page7 Trial Division Improvement Don’t use multiples of 2,3,5 for “i”. Use only prime numbers for “i”. Cannot reduce operational costs. This method can use at most 10 30. π(10 15 )=29,844,570,422,669 ≒ 30T If one trial division can do in 50 clock π(10 15 )×50[clock]÷3G[Hz] = 500K [sec] = 5.8[day]

8. page8 Difference of Squares Algorithm Find x and y which implement x 2 -y 2 =n Factor n with x 2 -y 2 =(x+y)(x-y) Demerit May not factor a number into prime numbers. Merit Factor a large composite number into small numbers Operational cost O(y)

9. page9 Improvement How about using “x 2 -y 2 ≡0 (mod n)” ? 60 2 -5 2 ≡0 (mod 143) ⇒ 65 ・ 55≡0 65 or 55 must have prime factor(s) of 143. GCD(65,143)=13, GCD(55,143)=11 How to find such x, y that implement “x 2 –y 2 ≡0 (mod n)”?  Find many (a i, b i ) pairs that implement a i ≡b i (mod n)  Make a combination that implements Πa i =x 2, Πb i =y 2 Difference of Squares 14 ･ 67≡ 3 mod 187 31 ･ 67≡20 mod 187 14 ･ 31≡60 mod 187 (14 ･ 31 ･ 67 ） 2 ≡60 2 mod 187

10. page10 Difference of Squares How can we find those numbers efficiently? Quadratic Sieve (QS) Cf. Multiple Polynomial Quadratic Sieve (MPQS) General Number Field Sieve (GNFS)

11. page11 Quadratic Sieve Algorithm 1. for i = [√n]±1,2,…, factor i 2 -n into prime numbers (i 2 ≡i 2 -n=p 1 p 2 p 3 …) 2. search a combination that make every exponent number even 3. x=Πi and y=√(Πprimes) implements x 2 -y 2 ≡0

12. page12 n=3937, √n=62.7 i=63 63 2 ≡63 2 -n= 32=2 5 i=64 64 2 ≡64 2 -n=159=3 ･ 53 i=65 65 2 ≡65 2 -n=288=2 5 ･ 3 2 i=66 66 2 ≡66 2 -n=419=419 i=67 67 2 ≡67 2 -n=552=2 3 ･ 3 ･ 23 Quadratic Sieve Example

13. page13 n=3937, √n=62.7 i=63 63 2 ≡63 2 -n= 32=2 5 i=64 64 2 ≡64 2 -n=159=3 ･ 53 i=65 65 2 ≡65 2 -n=288=2 5 ･ 3 2 i=66 66 2 ≡66 2 -n=419=419 i=67 67 2 ≡67 2 -n=552=2 3 ･ 3 ･ 23 （ 63 ･ 65 ） 2 ≡2 10 ･ 3 2 = （ 2 5 ･ 3 ） 2 ∴ GCD （ 63 ･ 65-2 5 ･ 3, n ） =31 Quadratic Sieve Example

14. page14 Quadratic Sieve Operational cost O(exp((9/8)(logn) 1/2 (loglogn) 1/2 )) Now, QS is one of the fastest method to factor 30~60 decimal digit numbers. Make faster Large prime factors appear rarely Smaller number has smaller primes. How can we get small numbers efficiently?

15. page15 n=3937, √n=62.7 i=63 63 2 ≡63 2 -n= 32=2 5 i=64 64 2 ≡64 2 -n=159=3 ･ 53 i=65 65 2 ≡65 2 -n=288=2 5 ･ 3 2 i=66 66 2 ≡66 2 -n=419=419 i=67 67 2 ≡67 2 -n=552=2 3 ･ 3 ･ 23 （ 63 ･ 65 ） 2 ≡2 10 ･ 3 2 = （ 2 5 ･ 3 ） 2 ∴ GCD （ 63 ･ 65-2 5 ･ 3, n ） =31 Quadratic Sieve Example

16. page16 Quadratic Sieve Operational cost O(exp((9/8)(logn) 1/2 (loglogn) 1/2 )) Now, QS is one of the fastest method to factor 30~60 decimal digit numbers. Make faster Large prime factors appear rarely Smaller number has smaller primes. How can we get small numbers efficiently?

17. page17 Quadratic Sieve Make faster MPQS (Multiple Polynomial QS) ; i 2 -n ⇒ (ai+b) 2 -n MPQS is the fastest to factor 60 ～ 120 digit numbers QSMPQS

18. page18 General Number Field Sieve (GNFS) Original “Number Field Sieve” was for special numbers ⇒ Special Number Field Sieve (SNFS) Algorithm Polynomial definition step Sieving step Matrix solving step Making square root step Operational cost O(exp((64/9) 1/3 (logn) 1/3 (loglogn) 2/3 )) [Cf. QS→O(exp((9/8)(logn) 1/2 (loglogn) 1/2 )) ]

19. page19 Contents Introduction Factoring Methods Calculation Records Cryptosystem Security

20. page20 Calculation Records Factoring records

21. page21 Calculation Records Factoring records 1. 200 decimal digits number (RSA200) Bonn university Algorithm : GNFS Sieving step Various machines and time Dec 2003 ～ Oct 2004 ( ≒ 2.2GHz Opteron × 55 years) Matrix step 80 × 2.2GHz Opteron (Cluster) × 3 months (Dec 2004 ～ ) May 2005 factoring completed

22. page22 Calculation Records Factoring records 2. 176 decimal digits number (A factor of 11 281 +1) Yuji Kida (Rikkyo university) and NTT laboratory Algorithm : GNFS Sieving step Various machines ( ≒ 3.2GHz Pentium4 × 9.7 years) 16 Mar 2005 ～ 12 Apr 2005 (27days) Matrix step 32 × 3.2GHz Pentium4 (Cluster) × 2.5 days Apr 2005 factoring completed

23. page23 Contents Introduction Factoring Methods Calculation Records Cryptosystem Security

24. page24 Cryptosystem Security RSA use 1024 bit length key How long does it take to factor 1024bit number? 5.8×10 5 ～ 1.4×10 6 years(?) [Kida, 2003] RSA Factoring Challenge 8 composite numbers (576 ～ 2048bit) to factor 576 bit number was factored (Dec 3, 2003) 200 decimal digit number (old problem) was factored 640 bit number is 193 decimal digit

25. page25 Cryptosystem Security TWIRL Make sieving step of GNFS in device It will take 1 year to sieve 1024bit length number Not in practice yet Quantum Computing Shor’s algorithm may run very fast Quantum computer is not in practice

26. page26 That’s All Thank you