
Enhanced Polynomial Selection Method for GNFS

  • Received : 2016.09.01
  • Accepted : 2016.09.27
  • Published : 2016.10.31

Abstract

The RSA cryptosystem is one of the most widely used public-key cryptosystems. Its security rests on the hardness of factoring large integers, so there are ongoing attempts to factor RSA moduli. The General Number Field Sieve (GNFS) is currently the fastest known method for factoring large numbers, and CADO-NFS, the publicly well-known software that was used to factor RSA-704, is also based on GNFS. One disadvantage, however, is that CADO-NFS does not always select the optimal polynomial for the given parameters. In this paper we analyze the polynomial selection stage of CADO-NFS and propose a modified polynomial selection that uses the Chinese Remainder Theorem and the Euclidean distance. With it we always select a better polynomial than the original version of CADO-NFS does, and we expect it to be usable for factoring RSA-1024.

The RSA cryptosystem is one of the most widely used public-key cryptographic algorithms, and its security is based on the difficulty of factoring large numbers. Attempts to factor the RSA composite n are therefore still in progress. The General Number Field Sieve is the fastest factoring method known to date, and CADO-NFS, the software used to factor RSA-704, is also designed on the basis of GNFS. However, CADO-NFS has the problem that its polynomial selection stage does not always select the optimal polynomial from the input parameters. In this paper we analyze the polynomial selection stage of CADO-NFS and propose a method that selects the polynomial using the Chinese Remainder Theorem and the Euclidean distance. With the proposed method a polynomial better than that of the existing method is selected every time, and we expect it to be applicable to factoring RSA-1024.

I. Introduction

Public key cryptosystems are useful for sending information over an insecure channel, and their security is based on the hardness of number-theoretic problems. For example, the RSA cryptosystem relies on the hardness of factoring large numbers, and Elliptic Curve Cryptography relies on the discrete logarithm problem. Among public key cryptosystems, RSA is popular for its simplicity.

In the RSA cryptosystem the public modulus n is chosen as the product of two distinct primes p, q, and the primes p, q are kept secret[1]. It is easy to generate such an n but hard to find p, q with n=pq when n is sufficiently large. Since RSA can be broken by factoring n, integer factorization is one of the main research topics. Currently the best known factoring algorithm is the General Number Field Sieve (GNFS)[9]. Recent GNFS factorizations include that of RSA-768 by T. Kleinjung et al. in 2009[6] and that of RSA-704 by S. Bai et al. in 2012[5].

CADO-NFS is a publicly well-known factoring tool based on GNFS; it was used to factor RSA-704 and RSA-220[12]. It selects polynomials using Kleinjung’s second algorithm. However, CADO-NFS does not always select the optimal polynomial for the given parameters.

This paper targets the polynomial selection stage of CADO-NFS. We analyze the disadvantage that can occur when CADO-NFS is used directly. By modifying the polynomial selection procedure of CADO-NFS we select a better polynomial than the one CADO-NFS selects.

This paper is organized as follows. Section 2 presents the background for polynomial selection. Section 3 explains Kleinjung’s second algorithm, the polynomial selection algorithm currently used in CADO-NFS. Section 4 analyzes the disadvantage in CADO-NFS and proposes our new way of selecting polynomials. Section 5 presents the experimental results of our polynomial selection.

II. Background

In this Section the underlying principle of GNFS is presented first. Next we describe the earlier method for polynomial selection. Lastly we introduce two measurements that score the quality of a selected polynomial.

2.1 General Number Field Sieve

Modern factoring algorithms are based on a ‘difference of squares’. They factor n by finding integers x, y with \(x \not\equiv y \bmod n\) and \(x^{2} \equiv y^{2} \bmod n\). Computing gcd(x+y, n) and gcd(x-y, n) then yields non-trivial factors of n with high probability. This idea of using ‘squares of random numbers’ is employed in both the Quadratic Sieve (QS) and the General Number Field Sieve.

GNFS is currently the fastest known method for factoring numbers of more than 110 digits[9]. It can be seen as a generalization of QS: QS uses quadratic polynomials, whereas GNFS uses polynomials of higher degree, so a square is not produced directly in \(\mathbb{Z}_{n}\) as before. GNFS uses two polynomials f(x), g(x) with a common root m mod n. Let α and β be roots of f(x) and g(x) outside \(\mathbb{Z}_{n}\), respectively, and consider the rings \(\mathbb{Z}[\alpha]\), \(\mathbb{Z}[\beta]\). The goal in GNFS is to find pairs (a, b) such that a-bα and a-bβ are smooth over a chosen basis of primes; an element is smooth if all of its factors belong to the chosen basis.

We collect pairs (a, b) such that \(\prod(a-b \alpha)=X^{2}\) for some \(X \in \mathbb{Z}[\alpha]\) and \(\prod(a-b \beta)=Y^{2}\) for some \(Y \in \mathbb{Z}[\beta]\). Consider the ring homomorphisms from \(\mathbb{Z}[\alpha]\) and \(\mathbb{Z}[\beta]\) to \(\mathbb{Z}_{n}\) that map α and β to m. Then there exist \(x, y \in \mathbb{Z}_{n}\) to which X and Y are mapped, respectively. Hence \(x^{2} \equiv y^{2} \bmod n\) is again obtained, and non-trivial factors of n can be found with high probability.

Usually GNFS is divided into four stages: polynomial selection, sieving, linear algebra and square root. We focus on the first two: polynomial selection, where we select f(x) and g(x), and sieving, where we collect the pairs (a, b). Sieving is known to take over 90% of the total factoring time in GNFS, and the choice of polynomial dramatically affects the time needed to complete it. In the next Section we briefly describe the earlier method for polynomial selection.

2.2 Classical Polynomial Selection

The classical way to generate a polynomial is the base-m method[10]. It expresses the number n to be factored as \(n=m^{d}+c_{d-1} m^{d-1}+\ldots+c_{0}\) with \(\left|c_{i}\right| \leq \frac{m}{2}\) for each i, giving a monic polynomial f(x) of degree d and the monic polynomial g(x)=x-m of degree 1, where m mod n is a common root of f(x) and g(x). To reduce the size of the coefficients of f(x), the method is modified to select a non-monic polynomial \(f(x)=\sum_{i=0}^{d} c_{i} x^{i}\) such that \(n=\sum_{i=0}^{d} c_{i} m^{i}\). We choose m close to \(\left(n / c_{d}\right)^{1 / d}\)[4]. If \(c_{d-2}\) is not small enough, we try another \(c_{d}\); otherwise we optimize the generated polynomial pair.
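The base-m expansion described above, as an added worked example (not code from the paper or from CADO-NFS): m is taken as the integer part of \((n/c_d)^{1/d}\), the lower coefficients are balanced base-m digits with \(|c_i| \leq m/2\), and the retry loop over \(c_d\) is realised as a scan that keeps the candidate with the smallest \(c_{d-2}\) relative to m, since the page states the rule but no threshold. The function names and the demo modulus, the product of the well-known primes 10^9+7 and 10^9+9, are this example's own constructions.

```python
def iroot(n, d):
    """Integer floor of n**(1/d), by Newton iteration on Python ints."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + d - 1) // d)   # starts at or above the true root
    while True:
        y = ((d - 1) * x + n // pow(x, d - 1)) // d
        if y >= x:
            return x
        x = y


def base_m_expansion(n, d, c_d):
    """Base-m expansion of Section 2.2 with a prescribed leading coefficient c_d.
    m is the integer part of (n/c_d)^(1/d) and n = sum_{i<=d} c_i m^i with
    |c_i| <= m/2 for every i < d.  Returns (m, [c_0, ..., c_d]); c_d = 1 is the
    classical monic case."""
    m = iroot(n // c_d, d)
    rest = n - c_d * m**d            # what the lower-degree terms must absorb
    coeffs = []
    for _ in range(d):
        c = rest % m
        if c > m // 2:               # balanced digit in (-m/2, m/2]
            c -= m
        coeffs.append(c)
        rest = (rest - c) // m       # exact division
    if rest != 0:                    # only when m is tiny compared with d*c_d
        raise ValueError("c_d m^d is too far from n; pick a smaller c_d")
    return m, coeffs + [c_d]


def poly_eval_mod(coeffs, x, n):
    """f(x) mod n for f(x) = sum_i c_i x^i, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % n
    return acc


def select_base_m(n, d, lead_candidates):
    """The retry loop of Section 2.2: try each candidate c_d and keep the
    expansion whose c_{d-2} is smallest relative to m.  (The page states the
    rule 'try another c_d if c_{d-2} is not small enough' but no threshold,
    so this scan simply returns the best candidate.)"""
    best = None
    for c_d in lead_candidates:
        m, coeffs = base_m_expansion(n, d, c_d)
        score = abs(coeffs[d - 2]) / m
        if best is None or score < best[0]:
            best = (score, c_d, m, coeffs)
    _, c_d, m, coeffs = best
    return {"c_d": c_d, "m": m, "f": coeffs, "g": [-m, 1]}   # g(x) = x - m


# Constructed demo modulus: (10^9 + 7) * (10^9 + 9), two well-known primes.
N_DEMO = 1000000016000000063

if __name__ == "__main__":
    sel = select_base_m(N_DEMO, 4, range(1, 25))
    print("c_d =", sel["c_d"], " m =", sel["m"])
    print("f coefficients (c_0..c_d):", sel["f"])
    print("f(m) mod n =", poly_eval_mod(sel["f"], sel["m"], N_DEMO))
```

Because every digit is peeled off by exact division, the identity \(n=\sum c_i m^i\) holds exactly, which is what makes m a common root of f(x) and g(x)=x-m modulo n.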

2.3 Quantifying Quality of Polynomials

In Section 2.1 we emphasized the importance of selecting a good polynomial. In this Section we introduce measurements that evaluate whether a generated polynomial can be considered ‘good’. Recall that the main goal of the sieving stage is to collect many pairs (a, b) such that a-bα is smooth over the chosen basis of primes, where α is a root of f(x). The basis usually consists of ‘small’ primes, and a small norm value of f(x) is more likely to be factored by small primes, hence more likely to be smooth over the basis, than a larger norm. One measurement of polynomial quality is therefore the ‘lognorm’: the logarithmic average of the polynomial values over the sieving region. The lognorm of a polynomial is computed as below[11], where F denotes the homogeneous form of f and s is the skewness of the sieving region, given by the ratio of a to b[4].

\(\frac{1}{2} \log \left(s^{-d} \int_{0}^{2 \pi} \int_{0}^{1} F^{2}(s \cos \theta, \sin \theta)\, r^{2 d+1}\, d r\, d \theta\right)\)

A small lognorm thus means the polynomial values are small, so they are more likely to be smooth over the chosen basis of primes, and we search for a polynomial with as small a lognorm as possible. Because g(x) is linear, we may assume that its size varies much less over the sieving region than that of f(x); in practice, therefore, only the lognorm of f(x) is considered.
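A direct numerical implementation of the lognorm formula above, added here as a worked example (it is neither the paper's code nor CADO-NFS's). It assumes F(x, y) is the homogeneous form of f(x), integrates the r-part exactly and the angular part with a midpoint sum, and uses a plain grid scan (an assumption of this example, not CADO-NFS's optimiser) to show how the skewness s trades the large low-degree coefficients against the small high-degree ones. The demo polynomial is constructed.

```python
from math import cos, sin, log, pi


def homogeneous_value(coeffs, x, y):
    """F(x, y) = sum_i c_i x^i y^(d-i), the homogeneous form of f(x) = sum_i c_i x^i."""
    d = len(coeffs) - 1
    return sum(c * x**i * y**(d - i) for i, c in enumerate(coeffs))


def lognorm(coeffs, skew, steps=256):
    """The lognorm of Section 2.3,
         1/2 log( s^(-d) int_0^{2pi} int_0^1 F(s cos t, sin t)^2 r^(2d+1) dr dt ),
    with coeffs = [c_0, ..., c_d] and s = skew.  The r-integral is exactly
    1/(2d+2); the angular integral is a midpoint sum, which is exact for this
    trigonometric polynomial of degree 2d as soon as steps > 2d."""
    d = len(coeffs) - 1
    angular = 0.0
    for k in range(steps):
        t = (k + 0.5) * 2 * pi / steps
        angular += homogeneous_value(coeffs, skew * cos(t), sin(t)) ** 2
    angular *= 2 * pi / steps
    return 0.5 * log(skew ** (-d) * angular / (2 * d + 2))


def best_skew(coeffs, lo_exp=-16, hi_exp=16):
    """Skewness with the smallest lognorm on the grid s = 2^(k/4) (a plain scan
    standing in for a real optimiser)."""
    grid = [2.0 ** (k / 4) for k in range(4 * lo_exp, 4 * hi_exp + 1)]
    return min(grid, key=lambda s: lognorm(coeffs, s))


# Constructed degree-5 polynomial with the coefficient growth a skewed pair shows:
# c_0 large, c_d small, so the optimal s lies well above 1.
F_DEMO = [-123456789012, 98765432, -4321098, 12345, 67, 1]

if __name__ == "__main__":
    s = best_skew(F_DEMO)
    print("lognorm at s=1:", lognorm(F_DEMO, 1.0))
    print("best skew:", s, " lognorm there:", lognorm(F_DEMO, s))
```

Two properties worth checking by hand: scaling all coefficients by 10 raises the lognorm by exactly log 10, and for f(x)=x with s=1 the formula reduces to \(\frac{1}{2}\log(\pi/4)\), since \(\int_0^{2\pi}\cos^2\theta\,d\theta=\pi\) and \(\int_0^1 r^{3}\,dr=1/4\).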

Combining f(x) and g(x), the number of sieving reports can be approximated by the equation below[11].

\(\frac{6}{\pi^{2}} \iint_{\Omega} \rho\left(\frac{\log |F(x, y)|+\alpha(F)}{\log B_{1}}\right) \rho\left(\frac{\log |G(x, y)|+\alpha(G)}{\log B_{2}}\right) d x d y\)

This measurement is called the ‘Murphy E’ of the polynomial pair. Since the goal of the sieving stage is to collect as many relations as possible, a larger Murphy E implies a larger expected number of sieving reports. Hence we focus on selecting pairs f(x), g(x) with larger Murphy E.

III. Kleinjung’s Second Algorithm and Its Implementation

In this Section we describe Kleinjung’s second algorithm for selecting polynomials and how it is implemented in CADO-NFS. The algorithm gives an efficient way to control the size of \(c_{d-2}\) while producing polynomials with large skewness.

3.1 Kleinjung’s Second Algorithm

Kleinjung’s second algorithm extends the polynomial selection procedure used in GNFS[2]. Instead of the base-m method, it uses a base-\((m_{1}, m_{2})\) method and generates a non-monic polynomial f(x) of degree greater than 1 and a non-monic polynomial g(x) of degree 1. The base-\((m_{1}, m_{2})\) representation writes the number n to be factored as \(n=\sum_{i=0}^{d} c_{d-i} m_{1}^{d-i} m_{2}^{i}\) and selects f(x), g(x) of the form \(f(x)=\sum_{i=0}^{d} c_{i} x^{i}\) and \(g(x)=m_{2} x-m_{1}\), which have \(m_{1} m_{2}^{-1}\) as a common root.

Let Q be a set of small primes and P a set of primes in [B, 2B] for some bound B, so that P∩Q=∅ and the primes in P are larger than those in Q. The leading coefficient \(m_{2}\) of g(x) is chosen to be of the form \(m_{2}=p_{1} p_{2} q\), where \(q=\prod q_{i}\) for \(q_{i} \in Q\) and \(p_{1}, p_{2} \in P\).

Kleinjung’s second algorithm generates a polynomial f(x) with a smaller \(c_{d-2}\) than the first algorithm[2,4]. The method for obtaining a smaller \(c_{d-2}\) is described below.

Starting from \(n=\sum_{i=0}^{d} c_{d-i} m_{1}^{d-i} m_{2}^{i}\), we expand to

\(\begin{aligned} n &=\sum_{i=0}^{d} c_{d-i} m_{1}^{d-i} m_{2}^{i} \\ &=c_{d}\left(m_{1}^{d}+\frac{c_{d-1}}{c_{d}} m_{1}^{d-1} m_{2}\right)+\sum_{i=0}^{d-2} c_{i} m_{1}^{i} m_{2}^{d-i} \end{aligned}\)       (1)

and express (1) in terms of a d-th power by using

\(c_{d}\left(m_{1}+\frac{c_{d-1}}{d c_{d}} m_{2}\right)^{d}=c_{d} m_{1}^{d}+c_{d-1} m_{1}^{d-1} m_{2}+m_{2}^{2} R_{0},\) where \(R_{0}=c_{d} \sum_{i=2}^{d} \binom{d}{i} m_{1}^{d-i}\left(\frac{c_{d-1}}{d c_{d}}\right)^{i} m_{2}^{i-2}.\)

Then equation (1) can be rewritten as \(n=c_{d}\left(m_{1}+\frac{c_{d-1}}{d c_{d}} m_{2}\right)^{d}-m_{2}^{2} R_{0}+\sum_{i=0}^{d-2} c_{i} m_{1}^{i} m_{2}^{d-i}\). To eliminate the denominator we multiply both sides by \(d^{d} c_{d}^{d-1}\) and obtain

\(\begin{aligned} &d^{d} c_{d}^{d-1} n \\ &=\left(d c_{d} m_{1}+c_{d-1} m_{2}\right)^{d}-d^{d} c_{d}^{d-1} m_{2}^{2} R_{0} \\ &\quad+d^{d} c_{d}^{d-1} \sum_{i=0}^{d-2} c_{i} m_{1}^{i} m_{2}^{d-i} \end{aligned}\)       (2)

Let \(\tilde{n}=d^{d} c_{d}^{d-1} n\) and \(\widetilde{m}=d c_{d} m_{1}+c_{d-1} m_{2}\). Collecting the terms of degree lower than d, equation (2) can be written as

\(\tilde{n}=\widetilde{m}^{d}+m_{2}^{2} \widetilde{R}\)

Reducing modulo \(m_{2}^{2}\), we have

\(\tilde{n} \equiv \widetilde{m}^{d} \bmod m_{2}^{2} .\)       (3)

Solving (3) for \(\tilde m\) gives a value satisfying \(\widetilde{m}=\tilde{n}^{\frac{1}{d}} \bmod m_{2}^{2}\). Since \(d c_{d} m_{1}+c_{d-1} m_{2}=\widetilde{m}\) and the two values d, \(c_{d}\) are known, reducing modulo \(d c_{d}\) gives

\(c_{d-1} m_{2} \equiv \widetilde{m} \bmod d c_{d}\)       (4)

Multiplying both sides of (4) by the inverse of \(m_{2}\) modulo \(d c_{d}\) determines \(c_{d-1}\). Because \(c_{d-1}\) is obtained modulo \(d c_{d}\), we have \(|c_{d-1}| \leq d c_{d}\), i.e. \(c_{d-1}\) has an appropriate size.

3.2 Implementation in CADO-NFS

The most direct way to solve equation (3) is to first solve \(\tilde{n} \equiv x^{d} \bmod p\) for each prime p dividing \(m_{2}\), then solve \(\tilde{n} \equiv x^{d} \bmod p^{2}\) using Hensel’s lemma. After obtaining d solutions for each prime p, the Chinese Remainder Theorem (CRT) yields the solutions of \(\tilde{n} \equiv x^{d} \bmod m_{2}^{2}\). To have a larger set of polynomials from which to select the best one, CADO-NFS uses only primes p for which \(\tilde{n} \equiv x^{d} \bmod p\) has d roots. Hence if \(m_{2}\) consists of l primes, CRT gives \(d^{l}\) roots in total. However, since we only need a root \(\tilde m\) close to \(\tilde{n}^{\frac{1}{d}}\)[4], calculating all \(d^{l}\) solutions is tedious. To avoid CRT when solving equation (3), CADO-NFS therefore uses collisions between roots to search efficiently for \(\tilde m\) close to \(\tilde{n}^{\frac{1}{d}}\).

Given the input n, d, \(c_{d}\), let \(\tilde m_0\) be the integer part of \(\tilde{n}^{\frac{1}{d}}\). We first compute the roots r of \(\tilde{n} \equiv\left(\tilde{m}_{0}+r\right)^{d} \bmod p\) for p∈P. The roots r are then lifted to roots \(r_{p}\) modulo \(p^{2}\) and recorded as pairs \((p, r_{p})\). Second, we search for a collision on r, that is, for r and r′ with r a root of \(\tilde{n} \equiv\left(\tilde{m}_{0}+r\right)^{d} \bmod p_{1}^{2}\), r′ a root of \(\tilde{n} \equiv\left(\tilde{m}_{0}+r^{\prime}\right)^{d} \bmod p_{2}^{2}\) and r=r′. Then \(\tilde{n} \equiv\left(\tilde{m}_{0}+r\right)^{d} \bmod p_{1}^{2} p_{2}^{2}\) is obtained without CRT. If no collision is detected, we use the primes \(q_{i}\) in Q and let \(m_{2}=p_{1} p_{2} q\), where \(q=\prod q_{i}\).

Note that the roots \((p, r_{p})\) are already recorded, so only the roots for the primes in Q need to be computed. For each q∈Q solve \(\tilde{n} \equiv\left(\tilde{m}_{0}+r_{q}\right)^{d} \bmod q^{2}\). Then for each q and all p∈P, compute \(i_{p} \in [0, q^{2})\) by solving \(r_{q}+i_{p} q^{2} \equiv r_{p} \bmod p^{2}\), so that \(\tilde{n} \equiv\left(\tilde{m}_{0}+r_{q}+i_{p} q^{2}\right)^{d} \bmod p^{2}\) holds. The pair \((p, i_{p})\) is recorded and we search for a collision on i between \((p_{1}, i)\) and \((p_{2}, i)\). If a collision occurs,

\(\tilde{n} \equiv\left(\tilde{m}_{0}+r_{q}+i q^{2}\right)^{d} \bmod p_{1}^{2} p_{2}^{2} q^{2}\)       (5)

is satisfied. Again CRT is not used to compute the common root modulo \(p_{1}^{2}, p_{2}^{2}, q^{2}\), and the resulting \(\widetilde{m}=\widetilde{m}_{0}+r_{q}+i q^{2}\) is reasonably close to \(\tilde{n}^{\frac{1}{d}}\), since \(\tilde m_0\) was chosen as the integer part of \(\tilde{n}^{\frac{1}{d}}\).

In summary, the whole procedure of Kleinjung’s second algorithm is described in Algorithm 1.

Algorithm 1

IV. Proposed Method

In this Section we analyze the disadvantage of CADO-NFS and propose a new method to find the \(\tilde m\) that generates a polynomial with larger Murphy E than the other roots. We use CRT to find the roots of \(\tilde{n} \equiv x^{d} \bmod m_{2}^{2}\), and the polynomial is generated from the \(\tilde m\) with the smallest \(\left|\tilde{n}^{\frac{1}{d}}-\widetilde{m}\right|\).

4.1 Analysis of CADO-NFS

The major disadvantage of using collisions is that a root closer to \(\tilde{n}^{\frac{1}{d}}\) than the one found by collision may exist. More specifically, CADO-NFS uses one solution of \(\tilde{n} \equiv x^{d} \bmod m_{2}^{2}\) to generate the polynomial, found not by searching all \(d^{l}\) roots but by fixing \(\tilde m_0\) and detecting a collision on i in equation (5). Hence a solution that generates a better polynomial can be missed. Since a good choice of polynomial reduces the time spent searching for relations in the sieving stage[4,8], not checking the candidates that are more likely to produce a polynomial of larger Murphy E is a problem. In fact, for RSA-768 with degree 6 and \(a_{d}=265482057982680\), CADO-NFS found \(\tilde{m}=2056726454298768247003538862069644448626824473920812\) and generated a polynomial with Murphy E \(8.53 \times 10^{-18}\), whereas the polynomial actually used for factoring RSA-768 has \(\tilde{m}=2056722663530813341394738735297691839197379108251632\) and Murphy E \(6.99 \times 10^{-17}\). We therefore focused on checking all roots of \(\tilde{n} \equiv x^{d} \bmod m_{2}^{2}\).

4.2 Proposed Method

Checking all \(d^{l}\) roots requires CRT. The naive way to check all \(d^{l}\) roots and see which one generates a better polynomial is to generate the polynomial for each root, compute its lognorm and compare it with the smallest lognorm computed so far. However, computing the lognorm of one polynomial takes \(4.52 \times 10^{-7}\) s, so computing it for all \(d^{l}\) polynomials takes \(4.52 \times 10^{-7} \times d^{l}\) s. With 11 primes and degree 6, as for RSA-768, this takes 12 hours just to search 15 pairs \(p_{1}, p_{2}\), whereas it takes 38.5 minutes with collisions.

For RSA-1024 it is too inefficient to check all roots for every triple \((p_{1}, p_{2}, q)\). Since the exact value of the leading coefficient of f(x) is unknown, this leads to at least \(d^{l} \times (ad_{\max}-ad_{\min})/\mathrm{incr}\) checks, where \(ad_{\max}\) and \(ad_{\min}\) denote the maximal and minimal values of \(c_{d}\) we search over, and incr the step between successive values.

Thus instead of generating all \(d^{l}\) polynomials and computing their lognorms, we generate the polynomial only for the root with the smallest \(\left|\widetilde{n}^{\frac{1}{d}}-\widetilde{m}\right|\). That is, instead of generating a polynomial and computing a lognorm for each root, only the Euclidean distance is computed for each root, and the polynomial is generated once, for the \(\tilde m\) with the smallest \(\left|\widetilde{n}^{\frac{1}{d}}-\widetilde{m}\right|\). The whole selection procedure is described in Algorithm 2.

Algorithm 2

In Step 1.2 of Algorithm 2 we modified CADO-NFS’s function ‘collision_on_sq’. Instead of moving to the function ‘match’ in ‘hash-add’ when a collision is found, we record the prime pair \((p_{1}, p_{2})\) of the detected collision. With this recorded prime pair and the primes in q we solve \(\tilde{n} \equiv x^{d} \bmod k^{2}\) for each prime \(k \mid m_{2}\). In Step 1.6 we compute the Euclidean distance D between each solution x of \(\tilde{n} \equiv x^{d} \bmod m_{2}^{2}\) and \(\tilde{n}^{\frac{1}{d}}\).

For each prime pair the polynomial is generated for the \(\tilde m\) with the smallest D and its lognorm is computed. Then \((\widetilde{m}, f(x), g(x), \text{lognorm})\) is insert-sorted into the result set if the computed lognorm is smaller than the maximal lognorm in the set. In practice we kept only 15 values of lognorm, so regardless of the number of prime pairs and the number of rounds, Algorithm 2 outputs 15 polynomials.
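The root-finding pipeline of Sections 3.1, 3.2 and 4.2 carried through on toy input, as an added example that is neither the paper's code nor CADO-NFS's: roots of \(\tilde{n} \equiv x^{d} \bmod p\) for each prime dividing \(m_2\), Hensel lifting to \(p^{2}\), CRT over all \(d^{l}\) combinations, ranking every root by the Euclidean distance \(|\tilde{n}^{1/d}-\widetilde{m}|\), then \(c_{d-1}\) from equation (4), \(m_1\) from \(\widetilde{m}=d c_d m_1+c_{d-1} m_2\), and the remaining coefficients from the base-\((m_1, m_2)\) expansion of what is left of n. Like CADO-NFS it keeps only primes with d roots. The primes are chosen far smaller than the paper's P and Q (so the coefficient sizes are not representative), root finding modulo p is brute force, and the modulus \(10^{60}+7\), the function names and the fixed \(c_d=4\) are this example's own constructions; no size or root optimization is included.

```python
from itertools import product
from math import gcd, prod

def iroot(n, d):
    """Integer floor of n**(1/d) (Newton iteration on Python ints)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + d - 1) // d)
    while True:
        y = ((d - 1) * x + n // pow(x, d - 1)) // d
        if y >= x:
            return x
        x = y

def small_primes(lo, hi):
    """Primes in [lo, hi) by trial division (toy sizes only)."""
    return [p for p in range(max(lo, 2), hi)
            if all(p % q for q in range(2, int(p**0.5) + 1))]

def roots_mod_p(a, d, p):
    """All x in [1, p) with x^d = a (mod p), by exhaustive search (toy p only)."""
    return [x for x in range(1, p) if pow(x, d, p) == a % p]

def hensel_lift(r, a, d, p):
    """Lift a root r of x^d = a (mod p) to the root = r (mod p) of x^d = a (mod p^2).
    Needs the derivative d*r^(d-1) invertible mod p, i.e. p does not divide d*r."""
    deriv_inv = pow(d * pow(r, d - 1, p) % p, -1, p)
    t = ((a - pow(r, d)) // p) * deriv_inv % p   # (a - r^d) is an exact multiple of p
    return r + t * p

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, q) % q)
        m *= q
    return x % m

def choose_primes(n_tilde, d, candidates, count):
    """As in CADO-NFS, keep only primes for which x^d = n~ (mod p) has all d roots."""
    good = [p for p in candidates if len(roots_mod_p(n_tilde, d, p)) == d]
    return good[:count]

def all_roots_mod_m2sq(n_tilde, d, primes):
    """Every solution of x^d = n~ (mod m2^2), m2 = prod(primes): Hensel lift per
    prime, then CRT over all d^l combinations (the exhaustive search of Section 4.2)."""
    lifted = [[hensel_lift(r, n_tilde, d, p) for r in roots_mod_p(n_tilde, d, p)]
              for p in primes]
    return [crt(combo, [p * p for p in primes]) for combo in product(*lifted)]

def kleinjung_pair(n, d, c_d, primes):
    """Section 3.1 construction driven by the Section 4.2 root choice: n~ = d^d c_d^(d-1) n,
    m~ = the root of (3) closest to n~^(1/d), c_{d-1} from (4), m1 from m~, and the
    lower coefficients from the base-(m1, m2) expansion of the remainder of n."""
    m2 = prod(primes)
    M = m2 * m2
    n_tilde = d**d * c_d**(d - 1) * n
    target = iroot(n_tilde, d)
    base = target - target % M
    roots = all_roots_mod_m2sq(n_tilde, d, primes)
    # each residue r has lifts base + r + kM; k in {-1, 0, 1} bracket the target, so
    # ranking them by |n~^(1/d) - m~| ranks all d^l roots by the Euclidean distance D
    ranked = sorted((abs(target - (base + r + k * M)), base + r + k * M)
                    for r in roots for k in (-1, 0, 1))
    dc = d * c_d
    for dist, m_tilde in ranked:
        c_dm1 = m_tilde * pow(m2, -1, dc) % dc            # equation (4)
        if c_dm1 > dc // 2:
            c_dm1 -= dc                                    # balanced: |c_{d-1}| <= d c_d / 2
        m1 = (m_tilde - c_dm1 * m2) // dc                  # exact, by (4)
        if m1 <= 0 or gcd(m1, m2) != 1:
            continue                                       # the expansion below inverts m1 mod m2
        rest = n - c_d * m1**d - c_dm1 * m1**(d - 1) * m2
        assert rest % M == 0                               # exactly what (3) guarantees
        rest //= M                                         # = sum_{i<=d-2} c_i m1^i m2^(d-2-i)
        lower = []
        for k in range(d - 2, 0, -1):                      # peel c_{d-2}, ..., c_1 modulo m2
            c = rest * pow(m1, -k, m2) % m2
            if c > m2 // 2:
                c -= m2
            lower.append(c)
            rest = (rest - c * m1**k) // m2
        lower.append(rest)                                 # what remains is c_0
        f = lower[::-1] + [c_dm1, c_d]                     # [c_0, ..., c_d]
        return {"n_tilde": n_tilde, "m_tilde": m_tilde, "distance": dist, "m1": m1,
                "m2": m2, "f": f, "g": [-m1, m2], "num_roots": len(roots)}
    raise ValueError("no root of (3) gives coprime m1, m2 for these primes")

# Constructed demo input (not an RSA modulus): degree 3, c_d = 4, three small primes.
N_DEMO, D_DEMO, CD_DEMO = 10**60 + 7, 3, 4
DEMO_PRIMES = choose_primes(D_DEMO**D_DEMO * CD_DEMO**(D_DEMO - 1) * N_DEMO,
                            D_DEMO, small_primes(5, 400), 3)

if __name__ == "__main__":
    res = kleinjung_pair(N_DEMO, D_DEMO, CD_DEMO, DEMO_PRIMES)
    print("primes in m2:", DEMO_PRIMES, " roots of (3):", res["num_roots"])
    print("m~ =", res["m_tilde"], " |n~^(1/d) - m~| =", res["distance"])
    print("f =", res["f"], "\ng =", res["g"])
```

With three primes that each contribute d=3 roots the CRT step produces the full \(d^{l}=27\) candidates, and the identity \(n=\sum_i c_i m_1^i m_2^{d-i}\) is what makes \(m_1 m_2^{-1}\) a common root of f and g modulo n.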

V. Implementation Results

Experiments were performed with gcc version 4.9.2 on an Intel(R) Core(TM) i5-4690K CPU at 3.5 GHz with 8 GB RAM. Size optimization and root optimization are the same for both groups; we used cado-2.1.1 for optimization. Although the latest version of CADO-NFS, 2.2.0, was released in Dec. 2015, only the optimization part of polynomial selection has changed. Since we only consider the generation of polynomials, which is the same in both versions, the experimental results also hold for cado-2.2.0.

‘Single round’ means the test was run for one ad value, and ‘multiple rounds’ means it was run for a range of ad values.

Note that ‘ad’ refers to the leading coefficient of f(x), which CADO-NFS takes as an input parameter. ‘lq’ is the number of primes used in \(m_{2}\), and ‘pairs’ is the number of \((p_{1}, p_{2})\) with a collision. Hence the total number of roots generated with lq = l and n pairs is \(n \times d^{l}\).

Table 1 shows the single-round test result for RSA-768 with degree 6 and P=[100000, 200000].

Table 2 shows the single-round test result for RSA-768 with parameters that include those actually used for factoring RSA-768[6], namely degree 6 and P=[900, 1800].

Multiple rounds were tested on RSA-704 with degree 6, increment 60 and P=[900, 1800] (Table 3).

In summary, the experiments show that with our modified polynomial selection method we can, in practical time, find a polynomial whose Murphy E is larger than or equal to that found by CADO-NFS. This is guaranteed by the fact that we actually check all roots of equation (5).

In other words, we never generate a polynomial with a lower Murphy E than CADO-NFS. Since generating a polynomial with as large a Murphy E as possible is the most important aim of the polynomial selection stage, our modified version selects a better polynomial in reasonable time.

Table 1. Implementation results for RSA-768 single round

Table 2. Implementation results for RSA-768 single round

Table 3. Implementation results for RSA-704 multiple round

VI. Conclusion

In this paper we proposed a modified version of polynomial selection in CADO-NFS. CADO-NFS uses collisions to find common roots between primes while avoiding CRT, and in this way generates a polynomial with moderate, but not the best, Murphy E. However, the largest Murphy E is needed for a shorter sieving time. Hence we used CRT to generate all roots, but estimated the quality of each root by Euclidean distance instead of computing a lognorm. In this way a polynomial with Murphy E larger than that of CADO-NFS is guaranteed in practical time, and the method can be expected to be applied to polynomial selection for RSA-1024.

* This research was supported by the Next-Generation Information Computing Development Program through the National Research Foundation of Korea, funded by the Korean Government (Ministry of Science, ICT and Future Planning) in 2014 (No. NRF-2014M3C4A7030649).

References

  1. R. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21(2), pp. 120-126, 1978. https://doi.org/10.1145/359340.359342
  2. T. Kleinjung, "Polynomial selection," CADO workshop on integer factorization, INRIA Nancy, 2008. http://cado.gforge.inria.fr/workshop/slides/kleinjung.pdf
  3. T. Kleinjung, "On polynomial selection for the general number field sieve," Mathematics of Computation, pp. 2037-2047, 2006.
  4. S. Bai, "Polynomial Selection for the Number Field Sieve," Ph.D. Thesis, The Australian National University, 2011.
  5. S. Bai, E. Thomé, P. Zimmermann, "Factorisation of RSA-704 with CADO-NFS," Report, 2012. http://eprint.iacr.org/2012/369.pdf
  6. T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. J. J. te Riele, A. Timofeev, and P. Zimmermann, "Factorization of a 768-bit RSA modulus," CRYPTO '10, vol. 6223 LNCS, pp. 333-350, 2010.
  7. A. K. Lenstra and H. W. Lenstra, Jr., editors, "The Development of the Number Field Sieve," vol. 1554 of Lecture Notes in Mathematics, Springer, 1993.
  8. Matthew E. Briggs, "An Introduction to the General Number Field Sieve," Master Thesis, Virginia Polytechnic Institute and State University, April 1998.
  9. A. K. Lenstra, H. W. Lenstra, Jr., editors, "The Development of the Number Field Sieve," Lecture Notes in Mathematics, vol. 1554, 1993.
  10. B. A. Murphy, R. P. Brent, "On Quadratic Polynomials for the Number Field Sieve," CATS'98, pp. 199-231, 1998.
  11. B. A. Murphy, "Polynomial Selection for the Number Field Sieve Integer Factorization Algorithm," Ph.D. Thesis, The Australian National University, 1999.
  12. S. Bai, P. Gaudry, A. Kruppa, E. Thomé, P. Zimmermann, "Factorization of RSA-220 with CADO-NFS," 2016.