RSA CHALLANGE Division by zero is the pay-dirt of factorisation problems. LARGE NUMBERS Most numbers have few factors, but most people shout N! or N factorial is heavy in factors. Hardy said that most numbers have a small number of factors and this seems true. A large number with hundreds of digits is an enormous challenge. Many take months of computer work to get a factorisation. Seconds of computer work can eliminate factors such as 2 or 3, but there becomes a point when you want to go beyond factors that can be obtained from pre-determined lists. Factorisation is like trying to chip a diamond to dust with finger nails. It may eventually be done, but no one bothers. Factorisation is fashionable after the RSA (Rivest Shamir Adelman) method of encryption was proposed in the 1980s. They chose a number N and pass around values y=x^k (mod N). The message recipients do a similar operation z=y^h (mod N) and 'Lo and behold !' z is the plaintext message. Here h and k are chosen so that hk = 1 mod phi(N) where phi is the Euler totient function of N or the size of the set of numbers less than N which are relatively prime to N. RSA wncryption depends on the fact that there is no quick way to calculate phi(N) for large N. Large N means something like 10^300 .. or numbers with hundreds but not yet thousands of digits. MILLENIUM PROBLEMS Tim Radford, the Guardian's science editor covered the 2004 meeting of the British Association, in Exeter. The piece started off with the headline 'Maths holy grail could bring disaster for internet', and went on to describe the opinions of some experts on the status of the Clay Institute millenium problems. These are: 1. Birch Swinnerton-Dyer conjecture. 2. Poincare conjecture. 3. Navier Stokes equation. 4. P vs NP problem. 5. Riemann hypothesis. 6. Hodge conjecture. 7. Yang-Mills and Mass gap. Each of these problems has a \$ million price tag to encourage research. The RSA challange offers \$625000 for much less work. The RSA challange is more or less equivalent to the P solution to the P verses NP problem for factorization of large numbers. Essentially they ask that the computational work for the factorisation of N is bounded by a polynomial expression in log(N), or the number of digits in N. In turn this P vs NP problem for factorisation is likely to depend on an affirmative answer to the Riemann hypothesis (RH). Ordinary arithmetic operations on k-digit numbers are of order k log k, or polynomial of order 1+epsilon for however small you wish to make epsilon. Factorisation by trial division represents 10^(k/2) operations, so this is an exponential function of k, and therefore the factorisation problem is NP if you rely on trial division. Even if the RH is settled, and factorisation is indeed a polynomial time problem, the RSA challange numbers could remain unfactored for decades. The theoretical results could end up useless for actual computation. The Birch Swinnerton-Dyer conjecture concerns algebraic geometry. I attended Swinnerton-Dyer's course on Galois theory back in 1968. During that year Swinnerton Dyer negotiated a stand off during the famous Senate House occupation which pitted anti-Vietnam War demonstrators against the University authorities. Swinnerton-Dyer was also important in the development of computational number theory in the early days of the 1950s and later became famous for his management of the UGC (University Grants Commission) during the Thatcher era of the 1980s. A teacher giving a post graduate course in algebraic geometry could explain this conjecture in a few lectures. It's about curves on surfaces of two dimensions, represented by (x,y) with F(x,y)=0 for F a low degree (at most three or four ) polynomial equation. The student has to take in a large number of tricky definitions before the conjecture makes sense. You can bluff your way through this one by talking of the Tate-Shafarevich Group and a mention Wiles proof of Fermat's Last Theorem. Be careful to state that this is a conjecture about certain spaces of one dimension embedded into 2-space. These lines are called elliptic curves. The conjecture concerns the zeta function of an elliptic curve. The Poincare conjecture concerns surfaces in three dimensions. It's a problem of topology. It also goes one dimension up from elliptic curves. The Navier Stokes equation is connected with fluid mechanics. The Riemann Hypothesis is the most accesible of these problems. It can be explained in about half an hour to anyone with a knowledge of infinite series. The Hodge conjecture also concerns topology. The Yang Mills and Mass Gap is a problem of quantum mechanics. NINE ELEVEN PROBLEM The intergalactic hyperspace delivery company has imposed new rules to comply with anti-terrorist regulations. Each object is a 1-cube. Packages of N objects must be convex, and have no internal holes. The consignment must be broken down into hyperboxes of 1,2,3... dimensions, and the charge for each box is the maximum dimension. The sender may break the load into smaller packages if this helps to keep down the shipping cost. Work out the optimum cost of mailing a package of N-cubes. The first few numbers maybe approximated by assuming that you can split the load in two, then work recursively. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 1 2 3 2 3 3 4 2 3 4 5 3 4 5 5 2 3 3 4 4 5 5 6 3 Notice that 24=(2^3)*3 so that the customer pays three units to send a 4-dimensional hypercube. 20 gets its low value of 4 because 20=16+4 and both 16 and 4 are powers of two. The sender can always ship a series of 2^k dimensional boxes for a cost less than (2 log2(N)) -1. FACTORIZATION METHODS The methods known in 1994 Continued fraction algorithm, Class group method, Quadratic sieve algorithm, Elliptic curve algorithm, Number field sieve, Dixon's random squares algorithm, Valle's two-thirds algorithm, Seysen's class group algorithm, Taken from Mathematics FAQ 1994. Alex Lopez-Ortiz It is possible to give credence by any naive method which relies on luck, by calling it a Monte-Carlo method. Methods relying on luck and intuition are usually given respectability by calling them Baysian methods. 1. Trial division This defines a search space. For a number of size N the searchspace is of size sqrt(N). The searchspace is a random looking set of points. It's the set {x | n (mod x); x < #sqrt (n) } With small search spaces bit maps should provide factors. APL functions. ``` Z<-FACTORS N;X Z<-(Z>0)/Z<-(0=N #mod X)*X<-1+iN Z<-PRIMES N |Generate prime numbers less than N Z<-(2=+/y0=N #outer #mod 1+N)/N<-iN Z<-PRIMES_IN LST |Extract primes in list Z<-(2=+/y0=LST #outer #mod LST)/LST ``` 2. Establish absence of factors. Stop wasting time. 3. Quadratic sieve. This is really a development of Fermat's method. Based on the expression N=X^2-Y^2 Search for perfect squares in the set X^2-N By clever modular arithmetic it should be possible to eliminate most values of X^2-N without ever having to calculate a square root. In practice, starting from a given X it should be possible to compute new values X^2-N by simple additions assuming X goes up in unit steps. This allows the computation of large mostly zero, binary arrays to eliminate testing. Despite the ease of filtering the search space, the search space is much larger than testing up to sqrt(N). The quadratic sieve may be started at sqrt(p*N) to test for pN=X^2-Y^2. This method works best with large arrays of mostly zero elements, but it seems slow compared with trial division. There are many methods that rely on finding solutions to x^2=y^2 mod N or x^2-Y^2=kN. Clearly the fastest method would be to guess a pair of such numbers immediately. Both the continued fraction method and the quadratic sieve attempt to find small quadradic residues of N in the hope of building an equation kN= x^2-y^2 => x^2=y^2 (mod N) If for example residues x^2 = pq y^2=qr z^2=pr then (xyz)^2= (pqr)^2 and we find a solution s^2=t^2 mod N, and hopefully this gives a non trivial factorisation. There is much literature on this concept and there is a long history of splitting this trajectory chasing amongst a large number of machines. With numbers of the RSA challange size the search for quadratic residues which can factorize may take almost forever. 4. Trial GCD The GCD of N and a large number X will nearly always be 1. When it is not, you get a factor of N, or possibly N itself. The algorithm is: for (X<-RANDOM;1=R<-GCD(X,N);X<-RANDOM) return (R) Here RANDOM guesses numbers, and a lucky guess gives either a factor or the number N itself. Suppose N=pq then the number X could lie on one of the lines x=pk or x=qk or possibly x=pqk, where k is a positive integer. 5. Curve enumeration Enumerate points on the hyperbola xy=N. Normally (N,1) and (1,N) are there, but other points are hard to find. Math proofs of the average order of functions such as d(n) and phi(n) depend very much on these arguements. The simplest factor search would look for min {x^2+y^2 | xy = N} with x, y integer. The smallest values could be as near as x=y= sqrt N. Fermat's test can tell if the number of points is more than two, but does not say where these points are. 6. Follow trajectories. (Z/NZ) is a ring and (Z/NZ)* is a semi-group with unit. It is not a group, and this is easily verified for composite N. Finding a particular non invertible element is equivalent to the factorization problem. The idea is to generate sequences of numbers X so that gcd(X, N) gives a factorization. The elliptic curve method does a group addition algorithm many times in order to find a non invertible element of the semi-group (Z/NZ)*. The group inversions are all those of point distances in some geometrical structure imposed on Z/NZ. Pollard's p-1 method is based on this logic. This essentially iterates the sequence X<-(X^p) #mod N where p runs through a list of primes and prime powers up to a limit. There is a way of reducing the number of GCD tests by only checking after a hundred iterations or so, but it is possible to miss out factors this way. Pollard's p-1 method depends on the fact that one of the values p-1 where p runs through prime factors of N has a factorisation in terms of very small primes: in other words p-1 is a round number. If the number N does not have this property then the method will not work. A more general method uses properties of elliptic curves. An elliptic curve is defined by an equation such as Y^2=X^3+aX+b (mod N). An elliptic curve over N is the set EC={ (x,y) | y^2=x^3+aX+b (mod N)} U { O=(N,N) } Here O=(N,N) is the point at infinity. Given points P=(s,t) and Q=(u,v) it is possible to define a third point R=P+Q by the chord-tangent process. Draw the line through P,Q to meet the curve in a third point R'. Draw a vertical line through R' to intersect the curve at its reflection about the X axis at the point R. This operation is commutative and associative: to add together points X,Y and Z then order in which the points are added does not affect the result of the calculation. (X+Y)+Z = X+(Y+Z)=(X+Z)+Y Proof of this fact is not trivial. If you prove that points on the curve can be paramaterized by values of the Weirstrass P-function (pronounced pay) then associativity is a trivial consequence, but this depends on algebra and analysis that took about 80 years to get worked out. Given points P=(s,t) and Q=(u,v) the coordinates of the point R=(x,y) which is equal to P+Q may be calculated by the following formulae. Firstly if s-u is none zero define theta=(t-v)/(s-u) Then x = theta^2 -(s+u) y' is defined by (y'-t)/(x-s) = theta y' = t + theta*(x-s) y = -y' = -t - theta*(x-s) Secondly if s-u and v-t are both zero, then point addition gives R=P+P = P. In this case the value theta is the slope of the tangent to the curve at P=(s,t). theta = (a+3s^2)/2t. x = theta^2- 2s; y'= t+theta*(x-s) and y= -t-theta*(x-s). All calculations are done modulo N. Expressions such as a/b are converted to values modulo N by finding the number b' such that bb' = 1 (mod N) then replacing a/b by a*b' (mod N). b', the multiplicative inverse of b mod N is found by an process known as the Euclidian algorithm. If N is composite then there are some values for which the inversion process fails. These numbers are multiples of a factor of N. In case N=pq is the product of two prime factors then there are p+q such points. Division by zero is pay-dirt in factorisation challanges. In the case that P and Q have equal values for x, i.e. s-u=0, but the y values are distinct i.e. t+v=0, then we say the vertical line meets the curve at infinity (O), and P+Q=O. For a given number N it is easy to construct an elliptic curve EC passing through any pair of points P,Q in (Z/NZ)x(Z/NZ). The set of points O,P,P+P,P+P+P, ... etc. forms the orbit of the point P in EC. For convenience the sum P+P...+P taken m times is written [m]P. Point multiplication starts off as a dynamic system on (Z/NZ)x(Z/NZ). Elliptic curves introduce an extra point at infinity. For any point a on the curve E the mapping F(x) = x+a is a function which is complicated enough to be used in cryptography. The easy to write function in fact gives a set of points which jump all over the box [0,N-1]x[0,N-1]. Elliptic curve works as follows. Select elliptic curves over Z/NZ then work out the values [m]P for a point P on the curve with a specially selected value m. If calculation of [m]P requires a division by zero somewhere along the line, then a factor has been found. In most cases the calculation will proceed without a hitch, so it is necessary to chose a new curve and a new point to restart the calculation. In practice this method much tuning in order to avoid intolerably sluggish performance. A function long studied by mathematicians is the bilinear transformation T(Z)<- (AZ+B)/CZ+D. This can be used for factorisation. The arithmetic is simpler than the elliptic curve method. Given a non zero point Z in Z/NZ and a 2x2 matrix T = |A B| with AB-CD non zero then |C D| it is possible to define the orbit of Z under T by the rule Z[n+1] = (A*Z[n]+B)/C*Z[n]+D) This could be called the 'blit' method of factorisation and it is undoubtedly well known. Because the successive powers of the matrix T may be computed by a squaring and multiplication method it should be possible to compute T^m * Z for large values of m with only order K*log(m) operations. Whether this increases the likelyhood of finding divisors of zero is another question. In practice the blit method with short orbits (less than 100) seems more effective than the elliptic curve method in finding small divisors. Special choices of the matrix M give lucas sequences. (X[n+1], Y[n+1]) <- M * (X[n],Y[n]) The fractal curve trajectory z<-z^2+c is used in Pollard's rho method of factorisation. This gives a very simple method of finding large factors of a number. The Pollard Rho method was invented in the 1980s, and the idea is extremely clever. The running time is of order sqrt(p) where p is a factor of the composite number N. Getting the formula from a book  took some time. The local library eventually provided an inter library loan. For RSAC numbers with from 200-700 digits the effort would still require 10^50 - 10^200 steps. The method is called the rho method because it looks at a trajectory of points and seeks a place where the trajectory degenerates into a closed loop, visiting a set of points in sequence. ._________________________________. | | | | x3=x15 | 89 | | 7 10 | The trajectory x1,x2,x3... | 6 11 | looks like the greek letter | 5 12 | rho. | 4 13 | | 314 | | 2 | | 1 | ._________________________________. ``` Z<-P_FACTOR STR;CNT;A;N;Q;QV;SEED;T;X;Y |Pollard's rho-method. |See Reisel  pp 180-181 CNT<-12000 & A<-SEED<-"" & QV<-0 N<-"-cnt CNT<-#fi SHIFT|-a A<-SHIFT|-seed SEED<-SHIFT|-v QV<-1" GETOPTS STR IF 0=rA; A<-YRAND N IF 0=rSEED; SEED<-YRAND N Q<-"1" & X<-Y<-SEED & Z<-N WHILE 00 |Q<-"1" WEND Z<-A EA B;C;D;R |Euclidean algorithm with A>B R<-A #mod B & D<-B WHILE ~R #equiv "0"; C<-D & D<-R & R<-C #mod D & WEND Z<-D Z<-YRAND X;N |Long random 0<=ZN<-rX; Z<-z ? #fi X & ->0 Z<-(z ? #fi 5tX),"0123456789"[?(N-5)r10] Z<-X YMOD M |Modulus function including negative X IF "-" #ne 1tX; Z<-X #mod M & ->0 Z<-M-("0"-X) #mod M ``` 6. Analytic expression. The number theoretic functions phi(N) and sigma(N) have well known generating functions. The values of these number theoretic functions can be extracted by contour integration. Numerical integration techniques could give a method of evaluating these functions. In practice these integration techniques would be rather flakey and depend very much on guesswork. People call this stuff a 'Monte Carlo Method'. There are also options of finding really rapid evaluations of numbers such as the 2^n binomial coefficient (mod N) for really high values of n in time polynomial in n. These can be resolved as integrals of (large) powers of trignometrical functions. 7. Summary The Rho method was the first breakthrough in hundreds of years. Many methods have been adapted to factorising numbers of distinct forms such as 2^n+-1. The RSA challange numbers are so large that elementary arithmetic operations are significantly slow. The Number Field Sieve (NFS)  seem most promising of the present methods because there seems plenty of opportunity to bring in results from other areas of mathematics. There is plenty of choice. Much of algebraic number theory was motivated by people looking for a proof of Fermat's conjecture. The book by Crandell and Pomerance  outlines factorisation methods to be used by the as yet to be invented quantum computer. In this area researchers are busy teaching the computer to factorize tough numbers such as 6 and 15.  Prime Numbers and computer methods for factorisation (2 nd edition) Hans Reisel. Pub Berkhauser. Boston 1994  www.rsasecurity.com/rsalabs/challenges/factoring/challengenumbers.txt www.rsasecurity.com/rsalabs/challenges/factoring/RSA-640.txt  Prime Numbers. A computational Perspective Crandell & Pomerance Springer  http://nfsnet.org Website devoted to number field sieve.  Maths Holy Grail could bring disaster to internet. Tim Radford , Guardian 7/9/2004