Number Field Sieve
Cryptography Seminar Fall 2018
2
“A Tale of Two Sieves” by Carl Pomerance
An insightful and beautifully written exposition on the methods and history of using sieves to factor.
Number Field Sieve History
3
Number Field Sieve: Set Up
4
Number Field Sieve
5
The Set S
6
(Property 1)
(Property 2)
The Set S
Why do we want S?
7
The Set S: Property 1
8
What about Property 2?
Property 2
9
Ideally, we want:
This gives unique factorization into primes. This usually won’t be true.
Property 2
10
Ideally, we want:
Get unique factorization of ideals into prime ideals.
Property 2
11
Ideally, we want:
Property 2
12
Ideally, we want:
Then we can repeat a similar sieving argument.
13
How do we do anything?
14
Number Field Sieve: First Steps
15
Factoring Primitive Polynomials
16
polynomial time:
Factoring Primitive Polynomials
17
Factoring Primitive Polynomials
18
The Norm Map
19
Sieving Norms
20
CounterExample
21
Primes Above p
22
Elongating the Exponent Vector
Define
23
Elongating the Exponent Vector
24
But we’re getting a bit closer.
Obstructions
25
Algebraic Object
The Obstruction Group
Let
26
27
28
29
A Minor Problem
30
A Major Problem
31
The Square Root Problem
32
Run Time
33
Comparison of Methods
34
Method | Run Time |
Trial Division | |
Quadratic Sieve | |
Number Field Sieve | |
Comparison of Methods
35
36
37
Concluding Remarks
In practice, number field sieve is faster for digits > 130.
38
Record: Largest number factored by number field sieve is RSA-768 (232 digits)
RSA-768 = 12301866845301177551304949583849627207728535695953347921973224521517264005 07263657518745202199786469389956474942774063845925192557326303453731548268 50791702612214291346167042921431160222124047927473779408066535141959745985 6902143413 =
33478071698956898786044169848212690817704794983713768568912431388982883793 878002287614711652531743087737814467999489 × 36746043666799590428244633799627952632279158164343087642676032283815739666 511279233373417143396810270092798736308917
39
Thank you.