number-theoretic algorithmsweb.cse.ohio-state.edu/~lai.1/6331/8-rsa.pdfp33. a difficult problem....
TRANSCRIPT
p3.
| : divides , is a divisor of . gcd( , ): greatest common divisor of and . Coprime or relatively prime: gcd( , ) 1. Euclid's algorithm: compute gcd( , ). Extented Eucli
Integersa b a b a b
a b a ba ba b
••• =•• d's algorithm: compute integers and such that gcd( , ).x y ax by a b+ =
p4.
Let 2 be an integer.
Def: is congruent to modulo , written
mod , if | ( ), i.e., and have the
same remainder when d
m
ivided by .
Note: dod an
Integers modulo n
a b n
a b n n a b a b
n
a b n
n•
•
• ≡
≥
≡ −
{ } are different.
Def: [ ] all integers congruent to modulo .
[ ] is called a residue class modulo , and is a
representati
mod
ve of that class.
n
n
a b
a a n
a n a
n
•
=
=
•
p5.
There are exactly residue classes modulo :
[0], [1], [2], , [ 1].
If [ ], [ ], then [ ] and [ ].
Define addition and multiplication for residue classes:
[ ] [n
n n
n
x a y b x y a b x y a b
a
−
∈ ∈ + ∈ + ⋅ ∈ ⋅•
•
+
•
] [ ]
[ ] [ ] [ ].n
b a b
a b a b
=
⋅⋅
+
=
p6.
A group, denoted by ( , ), is a set with a binary operation : such that 1. , , (closure) 1. ( ) ( ) (associativity) 2. s.t id. , ( entity
GroupG G
G G Gx y G
e
x y Gx y z x y z
e G x G x x e x
• ∗∗ × →
∀ ∈ ∗ ∈∗ ∗ = ∗ ∗
∃ ∈ ∀ ∈ ∗ = ∗ = ) 3. , s.t. ( )
A group ( , ) is if , , .
Examples: ( , ), ( , ), ( \ {0}, ), ( , ),
inverse
abelian
( \ {0}, ).
x G y G x y y x
G x y G x y y x
Z Q Q RR
e∀ ∈ ∃ ∈ ∗ = ∗ =
• ∗ ∀ ∈ ∗ = ∗
• + + × +×
p7.
{ }{ }
( )
Define [0], [1], ..., [ 1] .
Or, more conveniently, 0, 1, ..., 1 .
, forms an abelian additive group.
For , ,
( ) mod . (Or, [ ] [ ] [ ] [ mod ].)
0 is th
n
n
n
n
Z n
Z n
Z
a b Za b a b n a b a b a b n
+
+
= −
= −
∈
•
= + = + = +
•
+
•
•
10
e identity element. The inverse of , denoted by , is .
When doing addition/substraction in , just do the regular addition/substraction and reduce the result modulo .
In , 5
n
a a n a
Zn
Z
•
− −
5 9 4 6 2 8 3 ?+ + + + + + =+
p8.
( )
( )
1
1
1
, is not a group, because 0 does not exist.
Even if we exclude 0 and consider only \ {0},
, is not necessarily a group; some may not exist.
For , exists if and on
n
n n
n
n
Z
Z Z
Z a
a Z a
−
+
+ −
−
•
•
•
∗
=
∗
∈ ly if gcd( , ) 1.a n =
p9.
{ }( )
*
1
Let : gcd( , ) 1 .
, is an abelian multiplicative group.
mod .
mod . 1 is the identity elemen
t. The inverse of , written , can be computed by
n n
n
Z a Z a n
Z
a b ab n
a b ab n
a a−
= ∈ =
∗
∗ =
∗ =
•
•
•
{ }*12
*
the Extended Euclidean Algorithm.
For example, 1,5,7,
Q: How many e
11 . 5 7 35
lements ar
mod12 1
e there in ?
1.
n
Z
Z
= =•
•
∗ =
p10.
{ }
*
1
Euler's totient function:
Fac
( )
= : and gcd( , ) 1
1. ( ) ( 1) for prime
2. ( ) ( ) ( ) if gc
ts:
d( , ) 1
n
n
e e
n Z
a a Z a n
p p p p
ab a b a b
ϕ
ϕ
ϕ ϕ ϕ
−
=
∈ =
=
•
−
•
= =
p11.
Let be a (multiplicative) group. The order of , written ord( ), is the smallest
p ( , identity eositive integer such that . Lagrange's theorem: For an
fin
y elementl
it
ement.
e
)k
Ga G a
ek a ea
•• ∈
=
•| |
mod
* ( ) *
, ord( ) | .
Euler's the
Corollary: For any e
orem: If
lement , .
Corollary:
(for any 1), then 1 in . Fermat
For any elem
's little theore
ent , .
nn
G
m G
n
m
G a G
a Z n
a G a e
a
a
a
Z
a G
ϕ
∈
•
••
∈ > =•
∈ =
∈ =
* ( ) 1 *
m: If ( a prime), then 1 in . p p
p pa Z p a a Zϕ −∈ = =
p12.
{ }*15
*15
*15
( ) 8
816243240481
= 1, 2, 4, 7, 8, 11, 13, 14
(15) (3) (5) 2 4 8
: 1 2 4 7 8 11 13 14ord( ) : 1 4 2 4 4 2 4 2
ord( ) : smallest integer such that 1.
1
13
?
Example: 15
k
n
Z
Z
a Za
a k a
a a
n
ϕ
ϕ ϕ ϕ
•
•
•
•
•
= = × = × =
∈
=
•
= =
=
=
p13.
Algorithms( )
( )
1
3
gcd ,
mod mod
Running time: log
Here we assume , .
k
n
a b
a na n
O n
a b Z
−•
•
• ∈
•
•
p14.
Given 0, compute gcd( , ).
Theorem: If 0, gcd( , ) . If 0, gcd( , ) gcd( , mod )
Euclid( , ) 0 re
if then
turn( )
Euclid's Algorithma b a b
b a b ab a b b a b
a bb
a
•
•
•
> ≥
= => =
=
( )
2
return Euclid( , mod )
The number of recursive calls to Euclid is (log ).
Computing mod
takes (log ).
el
se b a b
O a
a b O a
•
•14
p15.
Example: gcd(299,221)
Given 0, compute , such that gcd( , ) .
1 782 65
1 13
65 5 13 0
gcd(229,221) 13
299 221221 7878 65
78 6578 221 78 78 2( 2 ) 3
21
3
?
Extended Euclidean Algorithma b x y d a b ax by> ≥ = = +
= × += × += × += ⋅ +
= = −= − − × = ⋅ −=
=
× 299 221) 221299 221( 1
3 4− ⋅ −
= × − ×
p16.
Given 0, compute , such that gcd( , ) .
Extended - Euclid( , )
0
return( ,1,0)
( , , ) Extended - Euclid(
if then
else
Extended Euclidean Algorithma b x y d a b ax by
a b
b
a
d x y
> ≥ = = +
=
′ ′ ′ ← ( )
( ), mod )
( , , ) , ,
return( , , )
b a b
d x y d y x a b y
d x y
′ ′ ′ ′← −
p17.
( )
If 0, gcd( , ) .
The returned answer is correct.
If ( , , ) is correct,
1 0
( ,1,0)
gcd( , mod ) ( mod )
gcd( , mod )
Correctness Proofb a b a b
d x y
b a b d b x a b y
b a b d b x a a
a
b b y
a= = = ⋅ + ⋅
′ ′ ′
′ ′ ′⇒ = = ⋅ + ⋅
′ ′ ′⇒ = = ⋅ + − ⋅ ⋅
•
•
( )( )
gcd( , )
( , , ) , , is correct
a b a b
d x y d y x a
d y y
y
x a b
b
⇒ = = ⋅ + ⋅
′ ′ ′ ′⇒ ← −
′ ′ ′ ′−
p18.
1
1 *
1
Compute in . exists if and only if gcd( , ) 1. Use extended Euclidean algorithm to find ,
such that gcd( , ) 1 (in )
mod
[ ]
?How to compute na Z
a a nx y
ax ny a n
a n
Za
−
−
−
•
• =•
+ = =⇒
1
[ ] [ ][ ] [1] [ ][ ] [1] (since [ ] [0]) [ ] [ ]. Note: may omit [ ], but reduce everything modulo .
x n ya x na x
n
−
+ =⇒ = =
⇒ =•
p19.
1 Compute 15 mod 47. 47 15 3 (divide 47 by 15; remainder 2) 15 2 7 (divide 15 by 2; remainder 1) 1 15 7 (mod 47) 1
21
25 ( ) 7 (mod 47)47 15 3
Example−•
= × + == × + == − ×= − ×− ×
1
1 *47
15 22 47 7 (mod 47) 15 22 (mod 47) 15 mod 47 22 That is, 15 22 in Z
−
−
= × − ×= ×
=
=
p20.
( )
1 0
2
Comment: compute mod , where in binary.
1 for downto 0 do mod if 1 then mod
Algorithm: Square-and-Multiply( , , )c
k k
i
x n c c c c
zi kz z n
c z z x n
x c n
−=
←←
←
= ← ⋅
( )( )
22
22
if c i
retu
s even Note:
if is
rn (
o
)
dd
c
c
c
xx
x x
z
c
= ⋅
p21.
2
2
2
2
3
2
23 10111
1 11 mod 187 11 (square and multiply) mod 187 121 (square) 11 mod 187 44 (square and multiply) 11 mod 187 165 (square and
11 mod187
mu
Example:
b
zz zz zz zz z
=
←
← ⋅ =
← =
← ⋅ =
← ⋅ =2
ltiply) 11 mod 187 88 (square and multiply)z z← ⋅ =
p23.
mcE D
Bob Alice
m
Alice’s Alice’spublic key secret key
Public-key Encryption
plaintext encryption ciphertext decryption algorithm algorithm
p24.
By ivest, hamir & dleman of MIT in 1977. Best known and most widely used public-key scheme. Based on the one-way property
of mo
R S
du
lar powering:
A
assumed
The RSA Cryptosystem•••
1
: mod (easy) : mod
In turn based on the hardness
(hard)
of integer factorization.
e
e
f x x nf x x n−
•
→
→
p25.
1
1
RSA
RSA
RSA
* *
Encryption (easy):
Decryption
It works in group . Let be
(hard):
Decryption (easy with "trapdoor"):
a messa
Lookin
ge
g
.
Idea behind RSA
e
n
e
e
n
x x
x x
x x
Z x Z
−
−
→
←
←
∈
( )( ) 1 ( )
for a "trapdoor": ( ) .If is a number such that 1mod ( ), then
( ) 1 for some , and
( ) 1 .
e
ke d n k
d
ed n
x xd ed n
ed k n k
x x x x x x xϕ ϕ
ϕϕ
+
=≡
= +
= = = ⋅ = ⋅ =
p26.
1
(a) Choose large primes and , and let : . (b) Choose (1 ( )) coprime to ( ), and compute : mod ( ). ( .) (c) Public ke
Key generation:
1 mod ( )
RSA Cryptosystem
p q n pqe e n n
d nn edeϕ ϕ
ϕϕ−
=< <
= ≡
•
*
*
y: . Secret key: . ( ) : mod , w
( , ) ( , )here .
( ) : mod , where .
E
ncryption:
Decryptio
n:
epk n
dsk n
E x x n x Z
D y y n y
pk n e sk n d
Z
=
∈
= ∈
•
=
=
•
p27.
( )( )
*
* * ( )
The setting of RSA is the group , :
In group , , for any , we have 1.
We have chosen , such that 1 mod ( ), i.e., ( ) 1 for some o
p
Why RSA Works?
n
nn n
Z
Z x Z x
e d ed ned k n
ϕ
ϕϕ=
•
∈ =
≡+
( ) ( )* ( ) 1 ( )
sitive integer .
For , . d ke ed k n n
n
k
x Z x x x x x xϕ ϕ+∈ = = = =
p28.
Select two primes: 17, 11. Compute the modulus 187. Compute ( ) ( 1)( 1) 160. Select between 0 and 160 such that gcd( ,160) 1.
Say 7. Compute
RSA Example: Key Setupp q
n pqn p q
e ee
d
ϕ
= == =
••• = −
•
==
•− =
1 1mod ( ) 7 mod160 23 (using extended Euclid's algorithm). Public key: . Secret ke
( ,y:
) (7, 187)( , ) (23 ., 7 18 )
pk e n
e
s n
n
k d
ϕ− −
= == =
=
•
= =
•
p29.
7
23
23
23
Suppose 88. Encryption: mod 88 mod187 11. Decryption: mod 11 mod187 88. When computing 11 mod187, we first
compute 11 andd
theo
not
n
RSA Example: Encryption & Decryption
e
d
mc m nm c n
•
•
•
•
=
= = =
= = =
reduce it modulo 187. Rather, use , and reduce intermediate
results modulo 187 whenever they gsquare-a
et biggend-mult
r than iply
187.•
p30.
4 16
To speed up encryption, small values are usually used for .
Popular choices are 3, 17 2 1, 65537 2 1. These values have only two 1's in their binary representation.
Encryption Key
e
e•
• = + = +
p32.
There are many attacks on RSA: brute-force key search mathematical attacks timing attacks chosen ciphertext attack
s The
m
ost important one is intege
Attacks on RSA•
•
1
r factorization:If the adversary can Then he can
calculate ( ) ( 1)( 1) and the secret key m
factor into .
d ( ). on p q
n pq
d e nϕ
ϕ−
= − −
=
p33.
A difficult problem.
More and more efficient algorithms have been developed.
In 1977, RSA challenged researchers to decode a ciphertext encrypted with a modulus of 129
Integer Factorization
n
•
•
• digits (428 bits).
Prize: $100. RSA thought it would take quadrillion years to break the code using fastest algorithms and computers of that time. Solved in 1994.
In 1991, RSA put forw• ard more challenges (called RSA numbers), with prizes, to encourage research on factorization.
p34.
Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.) There are two labeling schemes.
by the number of decimal digits: RSA-100, .
RSA Numbers•
•
.., RSA-500, RSA-617. by the number of bits: RSA-576, 640, 704, 768, 896, , 1536, 210 .24 048
p35.
RSA-100 ( bits), 1991, 7 MIPS-year, Quadratic Sieve. RSA-110 ( bits), 1992, 75 MIPS-year, QS. RSA-120
3323653 ( bits), 1993, 830 MIPS-year, QS.
RSA-129 98
4(
RSA Numbers which have been factored•••• bits), 1994, 5000 MIPS-year, QS. RSA-130 ( bits), 1996, 1000 MIPS-year, GNFS. RSA-140 ( bits), 1999, 2000 MIPS-year, GNFS. RSA-155 ( bits), 1999, 8000 MIPS-year, GNFS.
284
314655
RSA-161
0 (2
530
••••
576 6
bits), 2003, Lattice Sieve. RSA- (174 digits), 2003, Lattice Sieve. RSA- (193 digits), 2005, Lattice Sieve. RSA-200 ( bits), 2005, Lattice
40663 Sieve.
•••
p36.
RSA-200 =27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
p37.
*
In light of current factorization technoligies, RSA recommends using an of 1024-2048 bits.
If a message \ ,
RSA works, but Since gcd( , ) 1, the sender can factor
Remarks
n n
n
m Z Z
m n n>
•
• ∈
*
. Since gcd( , ) 1, the adversary can factor , too.
Question: how likely is
\ ?
e
n n
m n n
m Z Z∈•
>
p39.
1 2
1 2
Infinitely many.
First proved by Euclid: Assume only a finite number of primes , , , . Let 1. is not a prime, bec
••
aus• e
How many prime numbers are there?
n
n
i
p p pM p p p
M M p
•
…•
= … +≠ , 1 .
So, is composite and has a prime factor for some | |1 contradiction.
• i
i i
i nM p ip M p
≤ ≤
⇒ ⇒ ⇒⇐
p40.
Let ( ) denote the number of primes . Then
( ) for large .ln
For any 1, the fraction of -bit integ
The Prime Number Theorem:
Bertrand's Theorem: ers
Distribution of Prime Numbers
x xxx xx
n n
π
π
≤
≈
>1that are prime is at least .3n
p41.
Generate a random odd number of desired size.
Test if is prime.
If not, discard it and try a different number.
Q: How many numbers are expected to be
How to generate a large prime number?n
n
•
•
•
• tested before a prime is found?
p42.
( )( )( )( )
12
10.5
Can it be solved in polynomial time? A long standing open problem until 2002.
AKS(Agrawal, Kayal, Saxena) : log .
Later improved by others to log ,
Primality test : Is a prime?
O n
O n
n
ε+
••
•
( )( )
( )( )
6
3
and then
to log .
In practice, Miller-Rabin's probabilistic algorithm is still
the most popular --- much faster, log .
O n
O n
ε+
•
p43.
Using some characteristic property of prime numbers:
is prime 2, , | .
Miller-Rabin's idea: look for some property ( ) s.t.
Miller-Rabin primality test : Is a prime?
n a n a n false
P a
n
∀ ∈
•
•
⇔ =
*
*
is prime For , ( ) not prime For a portion of elements , ( )
Algorithm: Check ( ) for random eleme
allat most
n
1
ts
n
n
n
kn a Z P a truen
a P a true
P a t a
⇒ ∈
∈
∈
⇒=
=
•
( )
* . If ( ) is true for all of them then return
else return . A "prime" answer may be incorrect with
primecompos
probabilit
ite
y
1 t
P a
k
•
≤
p45.
*nZ
*
not prime strong witnessIf is , then there are which are elements s.t
es,( ) .n P a
nea Z fals∈ =
( )P a true=
p46.
1
* 1
Looking for ( ) :
How about ( ) 1 mod ?
Fermat's little theorem: If is prime , 1 mod .
Unfortunately, when is composite, it is possible
n
nn
P a
P a a n
n a Z a n
n
−
−
⇒
•
= ≡
∀ ∈ ≡
1 *
1 *
1
that 1 mod .
( composite numbers
for which 1 mod .)
Need to refine the conditi
Carmichael
on 1
numb
mod .
ers :
nn
nn
n
a n a Z
n
a n a Z
a n
−
−
−
≡ ∀ ∈
≡ ∀ ∈
≡
p47.
Theorem: A positive composite integer is a Carmichael number if and only if is square-free and for all prime
Carmichael numbers : (may skip
factors of it is true t
)
hat
nn
p n
•
1| 1.
Example: 561 is a Carmichael number, since 561 3 11 17 is square-free and 2 | 560, 10 | 560, 16 | 560.
p n− −
= ⋅ ⋅
p48.
*
* 2
Fact: if 2 is prime, then 1 has exactly two square roots in , namely 1. Write 1 2 , where is odd. If is prime
, 1 mod (Fermat's little theorem)
k
nk
un
nZ
n u un
a Z a n
• ≠
±
• − =•
∀ ∈ ≡⇒
2 1
*
2
2 2 2 2
, ( ) , where
1 mod ( )
1 mod for some , 0 1 Why? Consider the
o
sequence
, , , , , 1
ri
k k
n
u
u
u u u u u
a Z P a true
a nP a
a n i i k
a a a a a−
∀ ∈ =
≡= ≡ − ≤ ≤ −
⇒
•
=
p49.
If not prime do strong witnesses always exist (Strong witness are elements with ( ) .)
Loosely speaking, : if is an odd composite
?
at leand not
a prime poweryes
, then as
n
na Z P a false
n
∗
•
=
•
∈
⇒
* of the elements are strong witnesses. A composite number is a if for
some prime and integer
t one half
prime powerperfec2. (A if
for some integer and t power
2
n
e
e
a Z
n n pp e
n k k e
∈
=•≥
= ≥ .)
p50.
Input: integer 2 and parameter Output: a decision as to whether is prime or if is even, return "composit
composite1. e"
if is a per2
. fect
Algorithm: Miller-Rabin primality testn t
nnn
>
power, return "composite" for : 1 to do choose a random integer , 2 1 if gcd( , ) 1, return "composite" if is a strong witness, ret
3
urn "com
. i ta a n
a na
=≤ ≤ −
≠posite"
return ("pri4. me")
p51.
If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct.
The algorithm gives a wrong answ
Analysis: Miller-Rabin primality test•
•
• er if is composite but the algorithm fails to find a strong witness in iterations.
This may happen with probability at most 2 .
Actually, at most 4 , by a more sophisticated analysis.
t
t
nt
−
−
•
•
p52.
A is a probabilistic algorithm which always gives an answer but sometimes the answer may be inco
Mo
rr
nte
ect.
Carlo a
A
lgorithm
Monte Carlo algorithm for a decisi
Monte Carlo algorithms•
•
on problem is if its “yes” answer is always correct but a “no” answer may be incorrect with some error probability.
A -iteration Miller-Rabin is a “composite”-biased Mon
yes-bias
te Carl
ed
o
t•
algorithm with error probability at most 1 4 .t
p53.
A is a probabilistic algorithm which may sometimes fail to give an answer but never gives an incorrect
Las Ve
one
gas algori
A Las Vegas algorithm can be conver
thm
Las Vegas algorithms•
•
ted into a Monte Carlo algorithm.
p54.
Integer Factorization
Reference on quadratic sieve:
http://blogs.msdn.com/b/devdev/archive/2006/06/19/637332.aspx
p55.
2 2
2 2
Difference of squares
To factor , find an such that is a square, say . Then, ( )( ).
Search for starting from .
Example: Suppos
Fermat's Method
n a n a n bn a b a b a b
a a n
≥ −
= − = − +
=
•
•
2
2 2 2
2 2
2
e 5959. Then, 78.
is not a square for 78 and 79. is a square for 80 : 80 5959 441 21 . Hence 5959 80 21 (80 21)(80 21) 59 101.
Slow: a linear search for
n n
a n aa n a
b•
= = − =
− = − = =
= − = − + = ×
2 is a poor strategy.a n= −
p56.
2 2
Basic idea: a generalization of Fermat's difference of squares. To factor , find (mod ) such that (mod ). Then, | ( )( ), but divides
Dixon's Random Squares Algorithm
n x y n x y nn x y x y n
≠ ± ≡− +
•
2 2
neither of . Hence, gcd( , ) are nontrivial factors of .
Example: 32 10 mod77. gcd(32 10, 77) 7 and 11.
Question: how to produce such and ?
Factor ba as set of smae: ll prime
x yx y n n
x y
±
≡•
±
±
•
=
•
1 2
1 2
1 2 1 2
s, say, { , , }. ( may also include 1.)
An integer is if it can be factored over mod , i.e., mod for some
smoot, 0
h, , .b
b
ee eb b
B p p pB
z B nz p p p n e e e
•
=−
≡ … ≥
p57.
1 2
2
21 2
2
Our goals: First, find a set of integers such that are smooth:
mod Second, select a subset such that the product has an ev
i i ib
i
i ie e e
i b
ix S
U x x
x p p p nS U
x∈
≡
•
…⊆
∏
1 2
1 2
22 221 2 1 2
1 2
2 2
en exponent for each , say,
mod for some , , , 0.
Let mod and mod , and
we have mod .
If mod , no luck, try a differen
b
i
b
i
i
ee ei b b
x S
ee ei b
x S
p
x p p p n e e e
X x n Y p p p n
X Y n
X Y n
∈
∈
≡ … ≥
= = …
≡
•
±• ≡
∏
∏
t set of 's.ix
p58.
2
2
2
Suppose 15770708441 and {2,3,5,7,11,13}. Consider the three congruences:
8340934156 3 7mod 12044942944 2 7 13mod 2773700011
Example (from Stinson's book on Cryptography)n B
nn
= =
≡ ×
≡ × ×
••
≡
( )( )
( ) ( )( )
2
2
2 2
2 3 13mod .
8340934156 12044942944 2773700011
2 3 7 13 mod .
Reducing by modulo yields 9503435785 546 mod .
A factor of : gcd 9503435785 546, 15770708441 115759.
n
n
n n
n
× ×
× ×
≡ × × ×
− =
• ≡
•
•
p59.
1 2
1 2
2
21 2
1
Suppose { , , }. Let .
Suppose we have a set of integers such that are
smooth: mod (1 ).
Let mod 2,
To achieve our second goal
i i ib
b
i ie e e
i b
i i
B p p p c b
U c x x
x p p p n i c
e e
= >
≡
=•
… ≤ ≤
•
•
( )2 mod 2, , mod 2 .
The vectors are linearly dependent (because ), and we can find a subset of 's that sum modulo 2 to (0, 0, , 0). Let mod be the product of the 's c
i ib
i
i
i i
e e
c e c bS e
X x n x
•
•
>
=∏
orresponding to the 's in . ie S
p60.
{ }
( )( )( )
2 212 222 23
1
2
3
We have 2,3,5,7,11,13 and
8340934156 3 7mod 12044942944 2 7 13mod 2773700011 2 3 13mod . 0,1,0,1,0,0
1,0,0,1,0,1
1,1,0,0,0,1
Example (cont.)B
x nx nx n
e
e
e
=
= ≡ ×
= ≡ × ×
= ≡ ×
•
•
×
=
•
=
=
1 2 32 2
1 2 32
(0,0,0,0,0,0) mod 2. Thus, we let ( ) mod and
(3 7)(2 7 13)(2 3 13) mod .
e e eX x x x n
Y n
+ + ≡
=
= × × ×
•
× ×
p61.
2
Random Squares Met Dixon's strategy: choose at random, hence the name
.
Trick 1: try numbers of the form ,
0, 1, 2, , and 1, 2, . F
ho
or
d
Searching for smooth squares
i
ix
x
x j kn
j k
= + =
•
=
•
2
2
such , tends to be small and has a better chance than average to be smooth.
Trick 2: also try numbers of the form ,
0, 1, 2, , and 1, 2, . For such , is a
mod
mod
x
x kn
x n
x
j
j k nx
= − =
•
=
2
2
little bit smaller than . Try to factor instead of
Trick 3: to play trick 2, we need to in
(
c
mod )
lude 1 in
mod
.
.
n
B
x n nx n
−
−
•
p62.
2 21
Suppose 1829 and { 1,2,3,5,7,11,13}.
42.77, 2 60.48, 3 74.07, 4 85.53. Thus we try 42, 43, 60, 61, 74, 75, 85, 86, and obtain
42
Example (from Stinson's book on Cryptography)n B
n n n nx
x
•
••
= = −
= = = ==
≡ ( )( )( )( )( )
12 2 2
2 22 2 2
3 32 2
4 42 2
5 52 2 4
6 6
65 ( 1) 5 13. 1,0,0,1,0,0,143 20 2 5. 0,0,0,1,0,0,061 63 3 7. 0,0,0,0,1,0,074 11 ( 1) 11. 1,0,0,0,0,1,085 91 ( 1) 7 13. 1,0,0,0,1,0,186 80 2 5. 0,0,0,
ex ex ex ex ex e
≡ − ≡ − × × =≡ ≡ ≡ × =≡ ≡ ≡ × =≡ ≡ − ≡ − × =≡ ≡ − ≡ − × × =≡ ≡ ≡ × = ( )1,0,0,0
p63.
( )
( ) ( )( ) ( )( ) ( )
( )( ) ( )
2 6
22 3
2 2
2 2
1 2 3 5
2 2
0,0,0,0,0,0,0 , but does not yield a factorization of .
43 86 2 5 mod1829.
3698 40 mod1829.
40 40 mod1829.
0,0,0,0,0,0,0 .
42 43 61 85 1 2 3 5 7 13 mod1
e e n
e e e e
+ =
× ≡ ×
≡
≡
+ + + =
× × × ≡ − × ×
•
× ×
•
×
( )
2 2
829.
1459 901 mod1829. gcd 1459 901, 1829 31. 1829 31 59.
≡
− =
= ×
p64.
[ ]1 2
1 2
2
Consider the interval , around for some suitable integers , .
Let ( ) . We want to find a set of integers for which ( ) is smooth.
Recall the facto
Quadratic Sieve
A M M nM M
Q x x n U xQ x=
•
−
•
•
=
{ }
[ ]1 2
1 2
r base , , , .
Recall Dixon's method (pick an , and test if ( ) is smooth) and observe how the computing time is wasted.
Idea of QS: use each "si as a and sieve it throueve"
bB p p p
x M M Q x
p B
•
•
=
∈
∈
[ ]1 2
gh .
Notice that if , , , , and | ( ), then we have | ( ) iff mod .
A
p B x y M M p Q xp Q y y x p
∈ ∈
≡ ±
•
p65.
[ ] [ ] [ ]
[ ]
21 2 1 2
1 22
1 2
1. Array .. . Initially, ..
2. for each , , , do find an .. such that | ( ), //solve mod //
for
Sketch of the Quadratic Sieve Algorithm
b
QA M M QA x x n x M M
p p p p Bx M M p Q x x n p
← − ∀ ∈
← ∈
∈ ≡
[ ][ ] [ ]
[ ] [ ]
1 2
1 2
each .. such that mod do
, where is the largest possible; keep record of mod 2.
3. Let be the set of all .. such that 1. // (
yey
y
y M M y x p
QA y QA y p ee
U x M M QA xQ x
∈ ≡ ±
←
∈ =
) is smooth for each //
4. Construct a subset as in Dixon's.
x U
S U
∈
⊆