Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
A NOTE ON INTEGER FACTORIZATION USING LATTICES

A NOTE ON INTEGER FACTORIZATION USING LATTICES

Ratings: (0)|Views: 151|Likes:
Published by terminatory808
A NOTE ON INTEGER FACTORIZATION USING LATTICES
ANTONIO VERA ´ CNRS/INRIA/NANCY-UNIVERSITE

arXiv:1003.5461v1 [cs.DS] 29 Mar 2010

Abstract. We revisit Schnorr’s lattice-based integer factorization algorithm, now with an effective point of view. We present effective versions of Theorem 2 of [11], as well as new properties of the Prime Number Lattice bases of Schnorr and Adleman.

Contents 1. Introduction 1 2. Detecting solutions 3 2.1. Coding a candidate solution 3 2.2. Making smoothness probable :
A NOTE ON INTEGER FACTORIZATION USING LATTICES
ANTONIO VERA ´ CNRS/INRIA/NANCY-UNIVERSITE

arXiv:1003.5461v1 [cs.DS] 29 Mar 2010

Abstract. We revisit Schnorr’s lattice-based integer factorization algorithm, now with an effective point of view. We present effective versions of Theorem 2 of [11], as well as new properties of the Prime Number Lattice bases of Schnorr and Adleman.

Contents 1. Introduction 1 2. Detecting solutions 3 2.1. Coding a candidate solution 3 2.2. Making smoothness probable :

More info:

Published by: terminatory808 on Nov 12, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/12/2011

pdf

text

original

 
A NOTE ON INTEGER FACTORIZATION USING LATTICES
ANTONIO VERACNRS/INRIA/NANCY-UNIVERSIT´E
Abstract.
We revisit Schnorr’s lattice-based integer factorization algorithm,now with an effective point of view. We present effective versions of Theorem 2of [11], as well as new properties of the Prime Number Lattice bases of Schnorrand Adleman.
Contents
1. Introduction12. Detecting solutions32.1. Coding a candidate solution32.2. Making smoothness probable : the Prime Number Lattice of Adleman32.3. A similar approach : the Prime Number Lattice of Schnorr43. Some properties of the Prime Number Lattices53.1. Volumes of the Prime Number Lattices63.2. Explicit Gram-Schmidt Orthogonalization74. Conclusions and perspectives74.1. Acknowledgements8References8Appendix A. Underlying lemmas8A.1. Lemmas used in section28A.2. Lemmas used in section3101.
Introduction
Let
1 be a composite integer that we want to factor. The
congruence of squares method 
consists of finding
x,y
Z
such that(1)
x
2
y
2
mod
with
x
≡ ±
y
mod
, and factor
by computing gcd(
x
+
y,
). Although this is aheuristic method, it works pretty well in practice and one can show under reasonablehypotheses (see [3,page 268, remark (5)]) that for random
x,y
satisfying (1), onehas
x
≡ ±
y
mod
with probability
1
/
2. This report considers an algorithmbased on this philosophy, namely Schnorr’s algorithm[11], whose outline is givenin figure1.Call
B
-smooth an integer free of prime factors
> B
, and let
p
i
be the
i
-th primenumber. Fix some
d
1 and suppose that
is free of prime factors
p
d
. Thecore computational task of the algorithm consists in finding
d
+ 2 integer quartets(
u,v,k,γ 
), with
u,v p
d
-smooth,
k
coprime with
, and
γ 
N
\{
0
}
, solutions of the Diophantine equation(2)
u
=
v
+
kN 
γ
.
1
 
2 ANTONIO VERA
(1) Receive input number
to be factored.(2) Set the dimension
d
and the constant
of the lattice
 p
(
d,
), and formthe extended prime number list
=
{
 p
0
,p
1
,...,p
d
}
where
p
0
=
1 andthe rest is the usual sequence of the first
d
prime numbers. Perform trialdivision of 
by the primes of 
. If 
is factored, return the factor.(3) Using the lattice described in section2,construct a list of at least
d
+ 2pairs (
u
i
,k
i
)
N
×
Z
such that
u
i
is
p
d
-smooth with
u
i
=
d
i
=0
 p
a
i,j
i
, a
i,
0
= 0
,
and
|
u
i
k
i
| ≤
p
d
.
(4) Factorize
u
i
k
i
, for
i
1
,d
+ 2
over
to obtain
u
i
k
i
=
d
i
=0
 p
b
i,j
i
.
(5) Put
a
i
= (
a
i,
0
,...,a
i,d
) and
b
i
= (
b
i,
0
,...,b
i,d
).(6) For every nonzero
c
= (
c
1
,...,c
d
+1
)
{
0
,
1
}
d
+1
solution of 
d
+1
j
=0
c
i
(
a
i
+
b
i
) =
0
mod 2do(a) Put
x
=
d
+2
j
=1
 p
d
+2
i
=1
c
i
(
a
i,j
+
b
i,j
)
/
2
j
mod
N,
and
y
=
d
+2
j
=1
 p
d
+2
i
=1
c
i
a
i,j
j
mod
N.
(b) If 
x
=
±
y
mod
then return gcd(
x
+
y,
) and stop.
Figure 1.
Outline of Schnorr’s algorithmBy design, Schnorr’s algorithm is only able to find solutions where
k
is
p
d
-smoothand
γ 
= 1 (Adleman’s variant can yield, in principle, solutions with
γ >
1). Welook for pairs (
u,k
) of 
p
d
-smooth numbers satisfying the inequality(3)
|
u
kN 
|
 p
d
,
and we build solutions out of these pairs by setting
v
=
u
kN 
: the inequalityguarantees the
p
d
-smoothness of 
v
. This search is lattice-based, and it involveslattice reduction and lattice enumeration algorithms.Although in 1987 de Weger[4] had already applied lattice reduction to the ef-fective resolution of Diophantine equations of the form (2), it was Schnorr whofirst applied it to factorization, in 1993[11]. In 1995, Adleman [1]used Schnorr’s approach to propose a reduction (not completely proved) from integer factorizationto the search of a shortest nonzero vector in a lattice. Schnorr’s algorithm wassuccessfully implemented by Ritter and R¨ossner in 1997 [10]. In this report, we improve a result of [11] by recycling a result of Micciancio[9, Prop. 5.10]. This result may be useful (cf. remark4) to show the existence of  solutions to (2). In addition, we provide explicit computations of the volumes and
 
A NOTE ON INTEGER FACTORIZATION USING LATTICES 3
the Gram-Schmidt Orthogonalizations of the involved lattices and lattice bases,respectively.The road map is the following. First, in section2,we introduce the latticeframework of Adleman, and we explain how can we solve the Diophantine equation(2) by searching short vectors in Adleman’s lattice. Later in the same section, weexplain the original approach of Schnorr, by particularizing Adleman’s approach.Afterwards, in section3we give some properties of the Prime Number Latticesof Schnorr and Adleman. Finally, in section4, we provide our conclusions andperspectives.2.
Detecting solutions
In this section we present the approaches of Adleman and Schnorr to solving (2)using lattices. We start by the approach of Adleman, which considers a search forshort vectors. We show a sufficient condition to solving inequality(3). Then wepresent the approach of Schnorr, which considers a search for close vectors, andwhich can be seen as a particular case of Adleman’s. We show a correspondingsufficient condition to solving (3).2.1.
Coding a candidate solution.
Let
z
Z
d
+1
be a vector with negative lastcoordinate. To this vector we associate a candidate solution to (2) in the followingway(4)
u
=
d
z
i
>
0
,i
d
 p
z
i
i
, k
=
z
i
<
0
,i
d
 p
z
i
i
and
γ 
=
|
z
d
+1
|
.
Note that
u
and
k
are coprime. We would like to have candidate solutions providingan actual solution with high probability, that is, we want
v
=
u
kN 
γ
to be probably
 p
d
-smooth. Now we will describe a way to find such candidate solutions.2.2.
Making smoothness probable : the Prime Number Lattice of Adle-man.
Define Adleman’s
p
-norm Prime Number Lattice
A
 p
by the columns of thebasis matrix
A
 p
=
p
ln
 p
1
0 0 00...0 00 0
p
ln
 p
d
0
ln
 p
1
···
ln
 p
d
ln
,
where
C >
0 is an arbitrary constant, which can depend on
. The vector
z
Z
d
+1
satisfies
A
 p
z
=
z
1
p
ln
 p
1
...
z
d
p
ln
 p
d
di
=1
z
i
ln
 p
i
+
z
d
+1
ln
and
||
A
 p
z
||
 p p
=
d
i
=1
|
z
i
|
 p
p
 
ln
 p
i p
+
 p
d
i
=1
z
i
ln
 p
i
|
z
d
+1
|
ln
 p
,
and considering that this vector codes a candidate solution, we have
||
A
 p
z
||
 p p
=
d
i
=1
|
z
i
|
 p
ln
 p
i
+
 p
|
ln
u
ln(
kN 
γ
)
|
 p
and hence
||
A
1
z
||
1
= ln
u
+ ln
k
+
|
ln
u
ln(
kN 
γ
)
|
.

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->