Average Time Fast SVP and CVP Algorithms: Factoring ... - CITS

Average Time Fast SVP and CVP Algorithms: Factoring Integers in Polynomial Time Claus P. SCHNORR Fachbereich Informatik und Mathematik Goethe-Universität Frankfurt am Main Workshop Factoring 2009, Sept. 11,12 RUHR-UNIVERSITÄT BOCHUM http://www.mi.informatik.uni-frankfurt.de/research/papers.html

Road map

I Lattice notation, Time bound of new SVP/CVP algorithm II Factoring integers via easy CVP solutions III Outline and partial analysis of the new SVP algorithm We survey how to use known proof elements and we focus on novel proof elements that are not covered by published work.

2

I: Lattices, QR-decomposition, LLL-bases lattice basis lattice norm SV-length Successive minima

B = [b1 , . . . , bn ] ∈ Zm×n L(B) = {Bx | x ∈ Zn } P 1 1/2 kxk = hx, xi = ( m i=1 x1 ) λ1 (L) = min{kbk | b ∈ L\{0}} λ1 , ..., λn

QR-decomposition B = QR ⊂ Rm×n such that • the GNF — geom. normal form — R = [ri,j ] ∈ Rn×n is uppertriangular, ri,j = 0 for j < i and ri,i > 0, • Q ∈ Rm×n isometric: hQx, Qy i = hx, y i. LLL-basis B = QR for δ ∈ ( 14 , 1](Lenstra, Lenstra, Lovasz 82): 1. |ri,j | ≤ 21 ri,i for all j > i (size-reduced) 2 2 2. δri,i2 ≤ ri,i+1 + ri+1,i+1 for i = 1, . . . , n − 1.

3

Average time fast SVP algorithm Def. The relative density of L:

4 −1/2

rd(L) := λ1 γn

(det L)−1/n

rd(L) = λ1 (L)/ max λ1 (L0 ) holds for the maximum of λ1 (L0 ) over all lattices L0 such that dim L = dim L0 and det L = det L0 . The H ERMITE constant γn = max{λ21 / det(L)2/n | dim L = n}. We always have kb1 k2 = rd(L)2 γn (det L)2/n . Theorem Given a lattice basis such that √ 4.1 (GSA). b kb1 k ≤ 2eπ n λ1 , b ≥ 0, N EW E NUM solves SVP in time n+1 1 nO(1) + (O(n2b−ε )) 4 if rd(L) = n− 2 −ε , ε > 0. This time bound is polynomial if 2b < ε. GSA : Let B = QR = Q[ri,j ] satisfy (for ri,i = kb∗i k): 2 ri,i2 /ri−1,i−1 = q for i = 2, ..., n and some q > 0. W.l.o.g. let q < 1, otherwise kb1 k = λ1 . We outline the proof of Thm 4.1 in part III.

Average time fast CVP algorithm

Corollary 6.1 (GSA). Given b1 ∈ L, 0 6= kb1 k = O(λ1 ), N EW E NUM finds b ∈ L such that kb − tk = kL − tk in time √ n+1 4 . nO(1) + O( n rd(L) kL − tk2 λ−2 1 ) This time bound is polynomial if 1

kL − tk = O(λ1 ) and rd(L) ≤ n− 2 −ε for ε > 0. The required short vector b1 can in practice be added to the basis, extending the lattice by a short vector preserving rd(L). An example will be given in part II for factoring integers using the prime number lattice.

5

II: Factoring integers via easy CVP solutions Let N be a positive integer that is not a prime power. Let p1 < · · · < pn enumerate all primes less than (ln N)α . Then n = (ln N)α /(α ln ln N)(1 + O(1)/α ln ln N). Let the prime factors p of N satisfy p > pn . We show how to factor N by solving easy CVP’s for the prime number lattice L(B), basis matrix B = [b1 , . . . , bn ] ∈ R(n+1)×n :   p   ln p1 0 0 0     .. ..     . 0 0 .   ,  B= N= p ,     0 0 0 ln pn  c 0 c c N ln N N ln p1 · · · N ln pn and the target vector N ∈ Rn+1 , where either N 0 = N or N 0 = Npn+j for one of the next n primes pn+j > pn , j ≤ n. W.l.o.g. let N 0 = N for the analysis.

6

Outline of the factoring method P We identify the vector b = ni=1 ei bi ∈ L(B) with the pair (u, v ) Q Q e −e of integers u = ej >0 pj j , v = ej 0 i i=1 i Given n + 1 independent relations (7.1) we write these relations 0 Qn ei,j −ei,j 0 ∈ N as with p0 = −1 and ei,j , ei,j = 1 mod N i=0 pi for j = 1, ..., n + 1. P Any non trivial solution z1 , ..., zn+1 ∈ Z of the n+1 0 equations j=1 zj (ei,j − ei,j ) = 0 mod 2 for i = 0, ..., n Qn+1 Pni=0 zi ei,j 2 2 solves X = Y mod N with X = j=1 pj mod N, Pn 0 Qn+1 i=0 zi ei,j Y = j=1 pj mod N.

7

Computing relations (7.1) from smooth (u,v)

8

Lemma If |u − vN 0 | = o(N c ), v = Θ(N c−1 ), e1 , ..., en ∈ {0 ± 1} then kb − Nk2 = (2c − 1) ln N + ln(pn+j ) + Θ(|u − vN 0 |2 (N/N 0 )2 ). Proof. We see from e1 , ..., en ∈ {0 ± 1} that u 2 kb − Nk2 = ln u + ln v + N 2c | ln vN 0| . Clearly, v = Θ(N c−1 ), |u − vN 0 | = o(N c ) implies ln u + ln v = (2c − 1) ln N + ln(N 0 /N) + Θ(1). Moreover
u u−vN 0 | ln vN |= 0 | = | ln 1+ vN 0

|u−vN 0 | vN 0 (1+o(1))

Combining these equations proves the claim. Theorem 7.2 kb − Nk2 ≤ (2c − 1) ln N + 2δ ln pn implies 1

|u − vN 0 | ≤ pnα

+δ+o(1)

.

0

| = Θ( |u−vN ). N c−1 N 0



The existence of b ∈ L(B) such that |u − vN| = 1

9

An integer z is called y -smooth, if all prime factors p of z satisfy p ≤ y . Let N 0 be either N or Npn+j for one of the next n primes pn+j > pn . We denote n u ≤ N c , |u − vN 0 | = 1, N c−1 /2 < v < N c−1 o Mα,c,N = (u, v ) ∈ N2 . u, v are squarefree and (ln N)α −smooth Theorem 7.4 [S93] If the equation |u − du/NcN| = 1 is for random u of order N c nearly statistically independent from the event that u, du/Nc are squarefree and (ln N)α -smooth then #Mα,c,N = N ε+o(1) holds if α > 2c−1 c−1 , c > 1. We will use this theorem for c = ln N and α > 4.

Vectors b ∈ L closest to N yield relations (7.1) P Theorem 7.5 The vector b = ni=1 ei bi ∈ L(B) closest to N provides a non-trivial relation (7.1) provided that Mα,c,N 6= ∅. Theorem 7.6 If Mα,c,N 6= ∅ for c = ln N and α > 4 then we can minimize kL(B) − Nk in polynomial time under GSA given b ∈ L(B) such that 0 6= kbk = O(λ1 ). It follows from Mα,c,N 6= ∅ for N 0 ∈ {N, Npn+j } that kL − Nk2 ≤ (2c − 1) ln N 0 + 1 = (2c − 1 + o(1)) ln N. Lemma 5.3 of [MG02] proves that λ21 ≥ 2c ln N − Θ(1) Claim λ21 = 2c ln N + O(1). 1 √ rd(L) = λ1 /( γn (det L) n ) . = O(c ln N)(1−α)/2 =

2eπ 2c ln N (ln N)α 1−α O((ln N) ).

1

2

1 2 − 1/α > 0 that (α ln ln N)1−1/α (ln N)1−α > rd(L).

Moreover, we have for c = ln N, α > 4 and ε = n− 2 −ε = n−1+1/α ≈


1

10

Providing a nearly shortest vector of L(B) We extend the prime number basis B and L(B) by a nearly shortest lattice vector of the extended lattice, preserving rd(L), det(L) and the structure of the lattice. ¯n+1 of order Θ(N c ) such We extend the prime base by a prime p ¯ that |u − for a squarefree (ln N)α -smooth Ppn+1 | = O(1) holds Q eu. 2 Then k i ei bi − bn+1 k = 2c ln N + O(1) holds for u = i pi i ¯ the P additional basis vector bn+1 corresponding to pn+1 . i ei bi − bn+1 is a nearly shortest vector of L(b1 , ..., bn+1 ). ¯n+1 . Generate u at random and Efficient construction of p ¯ for primality. If the density of primes near the test the nearby p ¯n+1 and bn+1 can be found in u is not exceptionally small p ¯n+1 can be used to probabilistic polynomial time. A single p solve all CVP’s for the factorization of all integers of order Θ(N).

11

III: A novel enumeration of short lattice vectors Let πt : span(b1 , ..., bn ) → span(b1 , ..., bt−1 )⊥ for t = 1, ..., n denote the orthogonal projections and let Lt = L(b1 , ..., bt−1 ). P Stage (ut , ..., un ) of ENUM. b := ni=t ui bi ∈ L and ut , ..., un ∈ Z are given. The searches exhaustively for all Pstage P n t−1 2 u b u b ∈ L such that k i=1 i i k ≤ A holds for a given i=1 i i upper bound A ≥ λ21 . We have P Pt−1 k ni=1 ui bi k2 = kζt + i=1 ui bi k2 + kπt (b)k2 . where ζt := b − πt (b) = Qvt ∈ span LP t is the orthogonal projection in span Lt of the given bP = ni=t ui bi and vt = (v1 , ..., vt−1 , 0n−t+1 )t for vi = ni=t ri,j uj . Stage (ut , ..., un ) exhaustively enumerates Bt−1 (ζt , ρt ) ∩ Lt , the intersection of the lattice Lt and the sphere Bt−1 (ζt , ρt ) ⊂ span Lt of dimension t − 1 with radius ρt := (A − kπt (b)k2 )1/2 and center ζt .

12

The success rate βt of stages

13

The G AUSSIAN volume heuristics estimates |Bt−1 (ζt , ρt ) ∩ Lt | for t > 1 to βt =def vol Bt−1 (ζt , ρt )/ det Lt . t−1

Here vol Bt−1 (ζt , ρt ) = Vt−1 ρt−1 , Vt−1 = π 2 /( t−1 t 2 )! is the volume ofQthe unit sphere of dimension t − 1, P t−1 det Lt = i=1 ri,i , ρ2t := A − kπt ( ni=t ui bi )k2 . We call βt the success rate of stage (ut , ..., un ). If ζt mod Lt is uniformly distributed over P { t−1 i=1 ri bi | 0 ≤ r1 , ..., rt−1 < 1} then Eζt [ |Bt−1 (ζt , ρt ) ∩ Lt | ] = βt , where Eζt refers to a random ζt mod Lt . This holds because 1/ det Lt is the number of lattice points of Lt per volume in span Lt . The formal analysis of N EW E NUM by Theorem 4.1 uses a proven version of the volume heuristics without assuming that ζt mod Lt is random.

Outline of New Enum for SVP

14

INPUT LLL-basis B = QR ∈ Zm×n , R ∈ Rn×n , A := n4 (det B t B)2/n , OUTPUT a sequence of b ∈ L(B) of decreasing length kbk2 ≤ A terminating with kbk = λ1 . 1. s := 1, Ls := ∅,

(we call s the level)

2. Perform algorithm E NUM [SE94] pruned to stages with βt ≥ 2−s : Upon entry of stage (ut , ..., un ) compute βt . If βt < 2−s delay this stage and store (βt , ut , ..., un ) in the list Ls of delayed stages If βt ≥ 2−s perform stage (ut , ..., un ) on level s, and as soon as some non-zero b ∈ L of length kbk2 ≤ A has been found give out b and set A := kbk2 − 1. 3. Ls+1 := ∅, perform the stages (ut , ..., un ) of Ls with βt ≥ 2−s−1 in increasing order of t and for fixed t in order of decreasing βt . Collect the appearing substages (ut 0 , ..., ut , ..., un ) with βt 0 < 2−s−1 in Ls+1 . 4. IF Ls+1 6= ∅ THEN [ s := s + 1, GO TO 3 ] ELSE terminate by exhaustion.

Proof of Theorem 4.1 Thm 4.1 N EW E NUM solves SVP in time nO(1) + (O(n2b−ε )) √ 1 if rd(L) = n− 2 −ε , ε > 0 and if b1 k ≤ 2eπ nb .

15 n+1 4

N EW E NUM essentially performs P stages in decreasing order of the success rate βt . Let b0 = ni=1 ui0 bi ∈ L denote the unique vector of length λ1 that is found by N EW E NUM. Let βt0 be the success rate of stage (ut0 , ..., un0 ). N EW E NUM performs stage (ut0 , ..., un0 ) prior to all stages (ut , ..., un ) of success rate βt ≤ 21 βt0 Simplifying assumption. We assume that NEW ENUM performs stage (ut0 , ..., un0 ) prior to all stages of success rate βt < βt0 , ( i.e., ρt < ρ0t ). By definition ρ2t = A − kπt (b)k2 and ρ0t 2 = A − kπt (b0 )k2 . Without using the simplifying assumption, the proven time bound of Theorem 4.1 increases at most by the factor 2.

A proven version of the volume heuristics Consider
P the number Mt of stages (ut , ..., un ) with kπt ( ni=t ui bi )k ≤ λ1 : Mt := # Bn−t+1 (0, λ1 ) ∩ πt (L) . Modulo the heuristic simplifications Mt covers the stages that precede (ut0 , ..., un0 ) and those that finally prove kb0 k = λ1 . √ n−t+1 Qn √ 8π λ1 Lemma 4.2 Mt ≤ e 2 i=t (1 + n−t+1 r ). i,i

Proof. We use the method of Lemma 1 of [MO90] and follow the adjusted proof of (2) in section 4.1 of [HS07]. We abbreviate nt = n − t + 1. Consider the ellipsoid P Et = {(xt , ..., xn )t ∈ Rnt | kπt ( ni=t xi bi )k2 ≤ λ21 }, where P P P P P kπt ( ni=t xi bi )k2 = ni=t nj=i (ri,j xj )2 = ni=t nj=i (µj,i xj )2 kb∗i k2 . By definition Mt ≤ #(Et ∩ Znt ). We set P P ri,j P 0 i x := j>i ri,i xj and xi := xi + d i xc, P P P { i x} := i x − d i xc, P P Ft := {(xt0 , ..., xn0 )t ∈ Rnt | ni=t (xi0 + { i x} )2 ri,i2 ≤ λ21 }.

16

Claim #(Et ∩ Znt ) ≤ #(Ft ∩ Znt )

17

Proof. The transformation (xt , ..., xn ) 7→ (xt0 , ..., xn0 ) is injective. [ If i ≥ t is the least index such that (y Pi , ..., yn ) and Pn(zi , ..., zn ) 0 0 0 differ then yi 6= zi . Moreover (xi + { i x})ri,i = j=i ri,j xj .] P We simplify Et to Et0 = {x0 ∈ Rnt | ni=t xi0 2 ri,i2 ≤ 4λ21 }. P Since | { i x} | ≤ 21 , xi ∈ Z and |xi + ε|2 ≥ xi2 /4 for |ε| ≤ 12 we see that Ft ∩ Znt ⊂ Et0 ∩ Znt . Hence Mt ≤ #(Et0 ∩ Znt ). We bound #(Et0 ∩ Znt ) using the method Lemma 1]. Pn of2[MO90, t n 2 t Denoting Nr := #{(kt , ..., kn ) ∈ Z | i=t ri,i ki = r } we have P P 2 2 Nr e−srnt Nr es(4λ1 −r )nt ≤ es4λ1 nt #(Et0 ∩ Znt ) = ≤e

0≤r ≤4λ21 n Q P −sr 2 k 2 nt s4λ21 nt i,i i

e

i=t ki ∈Z 2 −Tk e =1

2

≤ es4λ1 nt

n Q i=t

(1

r ≥0 √ + √snπt r ) i,i

R P P −Tk 2 ≤ 1 + 2 ∞ e−Tx 2 dx = since +2 ∞ k =1 e 0 p k ∈Z 1 + π/T . We get for s := 1/(8λ21 ) : √ Q λ1 #(Et0 ∩ Znt ) ≤ ent /2 ni=t (1 + √8π ).  nt r i,i

Proof of Theorem 4.1 continued

18 2

n−1

Now ri,i2 = kb1 k2 q i−1 , λ21 /(γn rd(L)2 ) = (det L) n = kb1 k2 q 2 hold by GSA and thus γn ≥ 2 neπ directly imply for i = t, ..., n √ √ n − t + 1 ri,i ≤ 2eπ rd(L)−1 λ1 q (2i−n−1)/4 . √ √ −1 λ q (2i−n−1)/4 + 8eπ λ Q 1 1 By Lemma 4.2 Mt ≤ ni=t e π rd(L) √ . n−t+1 ri,i √ For η¯ := 2 + e, t := n2 + 1 − c, m(q, c) := [if c > 0 then q Mt ≤ m(q, c)

1−c 2 4

else 1] we get

√
n−t+1 √ η¯ 2eπ λ1 / det πt (L), n−t+1 rd(L)

(4.1)

Pc Qn/2+1 √n−t+1 ri,i 1−c 2 √ because m(q, c) = q 4 = q − i=0 (2i−1)/4) ≥ i=t η¯ 2eπ λ1 for c > 0. We see from P (4.1) and n−1 n−t+1 det πt (L) = kb1 k q i=t−1 i/2 that √
n−t+1 Pn−1 i/2 η¯ 2eπ λ1 Mt ≤ m(q, c) √n−t+1 /q i=t−1 (4.2) rd(L) kb k 1

19 Now γn ≤

1.744 (n+o(n)) [KL78] implies via GSA 2eπ n−1 eπ λ21 ≤ q 2 for n ≥ n0 . n rd(L)2 kb1 k2

(4.2), (4.3),

(t−1)(t−2) 2(n−1) yield √
n−t+1 √n rd(L) kb1 k
n− (t−1)(t−2) n−1 √ η¯ 2eπ λ1 √ . eπ λ1 n−t+1 rd(L) kb1 k

1 n−1

Mt ≤ m(q, c)

(4.3)

Pn−1

i=t−1 i

=

n 2

−

The difference of the exponents de(t) = n −

(t−1)(t−2) n−1

− n + t − 1 = (t − 1)(1 −

is positive for t ≤ n and maximal for tmax =

n 2

+ 1,

√ We get for kb1 k ≤ 2eπ nb λ1 ,
n+1 + 1/4−c2 1 n−1 + 1 − c : Mt ≤ m(q, c) O(n 2 +b rd(L)) 4 .

de( n2 + 1 − c) = t=

n 2

t−2 n−1 )

Hence

n+1 4

+

1/4−c 2 n−1 .

1

Mt = (O(n 2 +2b rd(L) )

n+1 4

.



Open problems

Main open problem Can the factoring algorithm be improved by the method of the number field sieve ? We factor N via easy CVP-solutions that correspond to multiplicative relations mod N, related to the quadratic sieve. The last coordinate of an CVP-solution yields a multiplicative relation of the factor base, under the natural logarithm ln. How to incorporate mod N reductions under the ln transform ?

20

Refences Ad95 L.A. Adleman, Factoring and lattice reduction. Manuscript, 1995. AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger, Closest point search in lattices. IEEE Trans. on Inform. Theory, 48 (8), pp. 2201–2214, 2002. Aj96 M. Ajtai, Generating hard instances of lattice problems. In Proc. 28th Annual ACM Symposium on Theory of Computing, pp. 99–108, 1996. AD97 M. Ajtai and C. Dwork, A public-key cryptosystem with worst-case / average-case equivalence. In Proc 29-th STOC, ACM, pp. 284–293, 1997. Ba86 L. Babai, On Lovasz’ lattice reduction and the nearest lattice point problem. Combinatorica 6 (1), pp.1–13, 1986. BL05 J. Buchmann and C. Ludwig, Practical lattice basis sampling reduction. eprint.iacr.org, TR 072, 2005.

21

References Ca98 Y.Cai, A new transference theorem and applications to Ajtai’s connection factor. ECCC, Report No. 5, 1998. CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On a problem of Oppenheim concerning "Factorisatio Numerorum". J. of Number Theory, 17, pp. 1–28, 1983. CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings, Lattices and Groups. third edition, Springer-Verlag1998. FP85 U. Fincke and M. Pohst, Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. of Comput., 44, pp. 463–471, 1985.

22

Refences HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham, W. Whyte, Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In Proc. ACNS 2009, LNCS 5536, Springer-Verlag,pp. 437–455, 2009. HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: A ring-based public key cryptosystem. In Proc. ANTS III, LNCS 1423, Springer-Verlag, pp. 267–288, 1998. H07 N. Howgrave-Graham, A hybrid lattice–reduction and meet-in-the-middle attiack against NTRU. In Proc, CRYPTO 2007, LNCS 4622, Springer-Verlag, pp. 150–169, 2007. HS07 G. Hanrot and D. Stehlé, Improved analysis of Kannan’s shortest lattice vector algorithm. In Proc. CRYPTO 2007, LNCS 4622, Springer-Verlag,pp. 170–186, 2007.

23

Refences HS08 G. Hanrot and D. Stehlé, Worst-case Hermite-Korkine-Zolotarev reduced lattice bases. CoRR, abs/0801.3331, http://arxix.org/abs/0801.3331. Ka87 R. Kannan, Minkowski’s convex body theorem and integer programming. Math. Oper. Res., 12, pp. 415–440, 1987. KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds for packing on a sphere and in space. Problems of Information Transmission, 14, pp. 1–17, 1978. LLL82 H. W. Lenstra Jr., , A. K. Lenstra, and L. Lovász , Factoring polynomials with rational coefficients, Mathematische Annalen 261, pp. 515–534, 1982. MO90 J. Mazo and A. Odlydzko, Lattice points in high-dimensional spheres. Monatsh. Math. 110, pp. 47–61, 1990.

24

Refences MG02 D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, Boston, London, 2002. S87 C.P. Schnorr, A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theoret. Comput. Sci., 53, pp. 201–224, 1987. S93 C.P.Schnorr, Factoring integers and computing discrete logarithms via Diophantine approximation. In Advances in Computational Complexity, AMS, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 13, pp. 171–182, 1993. Preliminary version in Proc. EUROCRYPT’91, LNCS 547, Springer-Verlag,pp. 281–293, 1991. //www.mi.informatik.uni-frankfurt.de.

25

Refences SE94 C.P. Schnorr and M. Euchner, Lattce basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, pp. 181–199, 1994. SH95 C.P. Schnorr and H.H. Hörner, Attacking the Chor–Rivest cryptosystem by improved lattice reduction. In Proc. EUROCRYPT’95, LNCS 921, Springer-Verlag, pp. 1–12, 1995. S03 C.P. Schnorr, Lattice reduction by sampling and birthday methods. Proc. STACS 2003: 20th Annual Symposium on Theoretical Aspects of Computer Science, LNCS 2007, Springer-Verlag, pp. 146–156, 2003. S06 C.P. Schnorr, Fast LLL-type lattice reduction. Information and Computation, 204, pp. 1–25, 2006.

26

References

S07 C.P. Schnorr, Progress on LLL and lattice reduction, Proceedings LLL+25, Caen, France, June 29–July 1, 2007, Final version to appear;

27