Speeding up Integer Multiplication and Factorization

This thesis explores improvements to well-known algorithms for integer multiplication and factorization. The Schönhage-Strassen algorithm for integer multiplication, published in 1971, was the first to achieve complexity O(n log(n) log(log(n))) for multiplication of n-bit numbers and is still among the fastest in practice. It reduces integer multiplication to multiplication of polynomials over finite rings that allow the use of the Fast Fourier Transform for computing the convolution product. In joint work with Gaudry and Zimmermann, we describe an efficient implementation of the algorithm based on the GNU Multiple Precision arithmetic library, improving cache utilization, parameter selection and convolution length for the polynomial multiplication over previous implementations, resulting in a nearly 2-fold speedup.

The P-1 and P+1 factoring algorithms find a prime factor p of a composite number quickly if p-1, respectively p+1, contains no large prime factors. They work in two stages: the first stage computes a high power g_1 of an element g_0 of a finite group defined over F_p, respectively F_{p^2}; the second stage looks for a collision among powers of g_1, which can be performed efficiently via polynomial multi-point evaluation. In joint work with Peter Lawrence Montgomery, we present an improved stage 2 for these algorithms with faster construction of the required polynomial and very memory-efficient evaluation, increasing the practical search limit for the largest permissible prime in p-1, resp. p+1, approximately 100-fold over previous implementations.

The Number Field Sieve (NFS) is the fastest known factoring algorithm for "hard" integers, where the factors have no properties that would make them easy to find. In particular, the modulus of the RSA encryption system is chosen to be a hard composite integer, and its factorization breaks the encryption. Great efforts are therefore made to improve NFS in order to assess the security of RSA accurately. We give a brief overview of the NFS and its history. In the sieving phase of NFS, a great many smaller integers must be factored. We present in detail an implementation of the P-1, P+1, and Elliptic Curve methods of factorization optimized for high-throughput factorization of small integers. Finally, we show how parameters for these algorithms can be chosen accurately, taking into account the distribution of prime factors in integers produced by NFS, to obtain an accurate estimate of the probability of finding a prime factor with given parameters.
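To make the stage 1 / stage 2 split of the P-1 method concrete, here is an added, self-contained Python illustration (not code from the thesis or from GMP-ECM): stage 1 raises g_0 to the product of all prime powers up to B1, and a basic stage 2 then steps through the primes in (B1, B2] looking for the "collision" g_1^q = 1 (mod p), one modular multiplication per prime. The polynomial multi-point evaluation stage 2 described above is far more efficient; this version only shows the underlying idea. The sample modulus 21211 * 1019 is constructed so that 21211 - 1 = 2 * 3 * 5 * 7 * 101 is caught by stage 2 with B1 = 10, B2 = 110, while 1019 - 1 = 2 * 509 is not.

```python
from math import gcd


def primes_up_to(n):
    """Sieve of Eratosthenes: all primes <= n, in increasing order."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


def pminus1(N, B1, B2, g0=2):
    """Basic two-stage Pollard P-1 on N; returns a nontrivial factor or None.

    Stage 1: g1 = g0^E mod N with E = product of all prime powers <= B1.
    If p | N and p-1 is B1-smooth, then g1 == 1 (mod p) and gcd(g1-1, N) exposes p.
    Stage 2: handles p-1 = (B1-smooth part) * q for one prime q in (B1, B2]
    by testing whether g1^q == 1 (mod p) for each such q.
    """
    g1 = g0
    for p in primes_up_to(B1):
        pk = p
        while pk * p <= B1:          # largest power of p not exceeding B1
            pk *= p
        g1 = pow(g1, pk, N)
    d = gcd(g1 - 1, N)
    if 1 < d < N:
        return d
    primes2 = [q for q in primes_up_to(B2) if q > B1]
    if d == N or not primes2:        # all factors hit at once (retry with smaller B1), or no stage 2
        return None
    # Stage 2: advance h = g1^q from one prime to the next with a cached g1^(gap),
    # so each prime costs a single modular multiplication, and gcd once at the end.
    gap_powers = {}
    h = pow(g1, primes2[0], N)
    acc = (h - 1) % N
    for prev, q in zip(primes2, primes2[1:]):
        gap = q - prev
        if gap not in gap_powers:
            gap_powers[gap] = pow(g1, gap, N)
        h = h * gap_powers[gap] % N
        acc = acc * (h - 1) % N      # product of (g1^q - 1) over all stage-2 primes
    d = gcd(acc, N)
    return d if 1 < d < N else None


SAMPLE_N = 21211 * 1019              # constructed: 21210 = 2*3*5*7*101, 1018 = 2*509
```

Calling `pminus1(SAMPLE_N, 10, 110)` recovers 21211 through stage 2, while `pminus1(SAMPLE_N, 110, 110)` already finds it in stage 1 because 101 <= B1.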
