From 776424787c9536e53c57f83fee71080afab7fb36 Mon Sep 17 00:00:00 2001
From: Jeremy Teitelbaum
Date: Tue, 22 May 2018 08:33:03 -0400
Subject: [PATCH] initial commit for ctnt talk
---
.gitignore | 246 +++++++++++++++++++++++++++++++++++++++++++++++++++
ECM.py | 112 +++++++++++++++++++++++
ctnt2018.tex | 237 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 595 insertions(+)
create mode 100644 .gitignore
create mode 100644 ECM.py
create mode 100644 ctnt2018.tex
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3d12d3f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,246 @@
+## Core latex/pdflatex auxiliary files:
+*.aux
+*.lof
+*.log
+*.lot
+*.fls
+*.out
+*.toc
+*.fmt
+*.fot
+*.cb
+*.cb2
+.*.lb
+
+## Intermediate documents:
+*.dvi
+*.xdv
+*-converted-to.*
+# these rules might exclude image files for figures etc.
+# *.ps
+# *.eps
+# *.pdf
+
+## Generated if empty string is given at "Please type another file name for output:"
+.pdf
+
+## Bibliography auxiliary files (bibtex/biblatex/biber):
+*.bbl
+*.bcf
+*.blg
+*-blx.aux
+*-blx.bib
+*.run.xml
+
+## Build tool auxiliary files:
+*.fdb_latexmk
+*.synctex
+*.synctex(busy)
+*.synctex.gz
+*.synctex.gz(busy)
+*.pdfsync
+
+## Build tool directories for auxiliary files
+# latexrun
+latex.out/
+
+## Auxiliary and intermediate files from other packages:
+# algorithms
+*.alg
+*.loa
+
+# achemso
+acs-*.bib
+
+# amsthm
+*.thm
+
+# beamer
+*.nav
+*.pre
+*.snm
+*.vrb
+
+# changes
+*.soc
+
+# cprotect
+*.cpt
+
+# elsarticle (documentclass of Elsevier journals)
+*.spl
+
+# endnotes
+*.ent
+
+# fixme
+*.lox
+
+# feynmf/feynmp
+*.mf
+*.mp
+*.t[1-9]
+*.t[1-9][0-9]
+*.tfm
+
+#(r)(e)ledmac/(r)(e)ledpar
+*.end
+*.?end
+*.[1-9]
+*.[1-9][0-9]
+*.[1-9][0-9][0-9]
+*.[1-9]R
+*.[1-9][0-9]R
+*.[1-9][0-9][0-9]R
+*.eledsec[1-9]
+*.eledsec[1-9]R
+*.eledsec[1-9][0-9]
+*.eledsec[1-9][0-9]R
+*.eledsec[1-9][0-9][0-9]
+*.eledsec[1-9][0-9][0-9]R
+
+# glossaries
+*.acn
+*.acr
+*.glg
+*.glo
+*.gls
+*.glsdefs
+
+# gnuplottex
+*-gnuplottex-*
+
+# gregoriotex
+*.gaux
+*.gtex
+
+# htlatex
+*.4ct
+*.4tc
+*.idv
+*.lg
+*.trc
+*.xref
+
+# hyperref
+*.brf
+
+# knitr
+*-concordance.tex
+# TODO Comment the next line if you want to keep your tikz graphics files
+*.tikz
+*-tikzDictionary
+
+# listings
+*.lol
+
+# makeidx
+*.idx
+*.ilg
+*.ind
+*.ist
+
+# minitoc
+*.maf
+*.mlf
+*.mlt
+*.mtc[0-9]*
+*.slf[0-9]*
+*.slt[0-9]*
+*.stc[0-9]*
+
+# minted
+_minted*
+*.pyg
+
+# morewrites
+*.mw
+
+# nomencl
+*.nlg
+*.nlo
+*.nls
+
+# pax
+*.pax
+
+# pdfpcnotes
+*.pdfpc
+
+# sagetex
+*.sagetex.sage
+*.sagetex.py
+*.sagetex.scmd
+
+# scrwfile
+*.wrt
+
+# sympy
+*.sout
+*.sympy
+sympy-plots-for-*.tex/
+
+# pdfcomment
+*.upa
+*.upb
+
+# pythontex
+*.pytxcode
+pythontex-files-*/
+
+# thmtools
+*.loe
+
+# TikZ & PGF
+*.dpth
+*.md5
+*.auxlock
+
+# todonotes
+*.tdo
+
+# easy-todo
+*.lod
+
+# xmpincl
+*.xmpi
+
+# xindy
+*.xdy
+
+# xypic precompiled matrices
+*.xyc
+
+# endfloat
+*.ttt
+*.fff
+
+# Latexian
+TSWLatexianTemp*
+
+## Editors:
+# WinEdt
+*.bak
+*.sav
+
+# Texpad
+.texpadtmp
+
+# Kile
+*.backup
+
+# KBibTeX
+*~[0-9]*
+
+# auto folder when using emacs and auctex
+./auto/*
+*.el
+
+# expex forward references with \gathertags
+*-tags.tex
+
+# standalone packages
+*.sta
+
+# generated if using elsarticle.cls
+*.spl
diff --git a/ECM.py b/ECM.py
new file mode 100644
index 0000000..d57cb16
--- /dev/null
+++ b/ECM.py
@@ -0,0 +1,112 @@
+# %load ec3.py
+from math import factorial, gcd, log
+import numpy as np
+P=np.zeros(1000)
+P[0]=1
+P[1]=1
+for i in range(2,100):
+ if P[i]==0:
+ j=2
+ while i*j<100:
+ P[i*j]=1
+ j=j+1
+Primes1000=[i for i,x in enumerate(P) if x==0 ]
+
+
+def mexp(a,x,N):
+ m,s=1,a
+ while x>0:
+ if x % 2 ==1:
+ m=((m*s) % N)
+ s=((s*s) % N)
+ x=x//2
+ return m
+
+def euclid(u,v):
+ if v==0:
+ raise ArithmeticError('Division by Zero')
+ x0,x1=u,v
+ a0,a1=1,0
+ b0,b1=0,1
+ while x1!=0:
+ q=x0//x1
+ x2=x0-q*x1
+ a2=a0-q*a1
+ b2=b0-q*b1
+ x0,a0,b0=x1,a1,b1
+ x1,a1,b1=x2,a2,b2
+ if x0<0:
+ return -x0,-a0,-b0
+ else:
+ return x0,a0,b0
+
+def mod_inv(u,N):
+ d,a,b=euclid(u,N)
+ if d==1:
+ return a
+ else:
+ raise ArithmeticError('Common factor is '+str(d))
+
+def two_p(x,y,a,b,N):
+ Lu=(3*x**2+a) % N
+ # print(Lu)
+ Lb=mod_inv(2*y,N)
+ # print(Lb)
+ L=Lu*Lb % N
+ x_two=(L*L-2*x) % N
+ y_two=(L*(x-x_two)-y) %N
+ return x_two,y_two
+
+def sum_p(x1,y1,x2,y2,a,b,N):
+ Lu=(y2-y1) % N
+ Lb=mod_inv(x2-x1,N)
+ L=(Lu*Lb) % N
+ x_sum=(L*L-x1-x2) %N
+ y_sum=(L*(x1-x_sum)-y1) %N
+ return x_sum,y_sum
+
+def exp_p(x,y,a,b,m,N):
+ sx,sy=x,y
+ first=True
+ while m>0:
+ if m%2==1:
+ if first:
+ xm,ym=sx,sy
+ first=False
+ else:
+ xm,ym=sum_p(xm,ym,sx,sy,a,b,N)
+ sx,sy=two_p(sx,sy,a,b,N)
+ m=m//2
+ return xm,ym
+
+#def mexp(a,x,N):
+ # m,s=1,a
+ # while x>0:
+ # if x % 2 ==1:
+ # m=((m*s) % N)
+ # s=((s*s) % N)
+ # x=x//2
+ # return m
+
+def ecm_trial(N,arange=50,krange=30):
+ for a in range(-arange,arange):
+ xm,ym=0,1
+ print(a)
+ for k in range(2,krange):
+ try:
+ xm,ym=exp_p(xm,ym,a,1,k,N)
+ except ArithmeticError:
+ print('try the following: a=',a,' and k=',k)
+ break
+
+
+
+#N=149185656432189838133
+#ecm_trial(N,arange=20,krange=10000)
+N=2**128+1
+#ecm_trial(N,arange=100,krange=10000)
+xm,ym=exp_p(0,1,-91,1,factorial(7883),N)
+
+
+
+
diff --git a/ctnt2018.tex b/ctnt2018.tex
new file mode 100644
index 0000000..fce1b44
--- /dev/null
+++ b/ctnt2018.tex
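Review bot: The factor that `mod_inv` discovers is delivered only as the text of `ArithmeticError('Common factor is '+str(d))`, and `ecm_trial` catches that exception and prints `a` and `k` without the gcd, so the one number the method exists to produce never reaches the caller; `d == N` (the denominator is 0 mod N, e.g. `two_p` with `y == 0` or `sum_p` with `x1 == x2`) is also reported as a hit although it is not a proper divisor. I would raise a subclass of `ArithmeticError` that carries `d` and have `ecm_trial` return it only when `1 < d < N`, as below. Two smaller defects: the sieve marks composites with `range(2,100)` while `P` has 1000 entries, so `Primes1000` also lists every integer from 100 to 999, and `exp_p` returns the unassigned `xm,ym` when `m == 0`. The trailing `xm,ym=exp_p(0,1,-91,1,factorial(7883),N)` runs at import time and, when that curve succeeds, ends the module with an uncaught exception, so it belongs under `if __name__ == '__main__':`.
```python
class FactorFound(ArithmeticError):
    """Modular inverse does not exist; `factor` is the gcd that blocked it."""
    def __init__(self, d):
        super().__init__('Common factor is ' + str(d))
        self.factor = d

def mod_inv(u, N):
    d, a, b = euclid(u, N)
    if d == 1:
        return a
    raise FactorFound(d)

# … unchanged: two_p, sum_p, exp_p …

def ecm_trial(N, arange=50, krange=30):
    for a in range(-arange, arange):
        xm, ym = 0, 1
        print(a)
        for k in range(2, krange):
            try:
                xm, ym = exp_p(xm, ym, a, 1, k, N)
            except FactorFound as e:
                if 1 < e.factor < N:
                    return e.factor
                break  # gcd == N: denominator vanished mod N, move on to the next curve
    return None
```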
@@ -0,0 +1,237 @@
+\documentclass{beamer}
+\usepackage{minted}
+\newtheorem{proposition}{Proposition}
+\newtheorem{algorithm}{Algorithm}
+\begin{document}
+
+\begin{frame}
+ \begin{center}
+ Lenstra's Elliptic Curve Factoring Method \\
+ Connecticut Number Theory Summer School \\
+ May, 2018 \\
+ \bigskip
+ Jeremy Teitelbaum
+ \end{center}
+\end{frame}
+\begin{frame}{The problem at hand}
+ \begin{problem} Given a positive composite integer $N$, find a proper prime divisor of $N$.
+ \end{problem}
+\end{frame}
+\begin{frame}{Factoring is important}
+
+ {\small
+ Problema, numeros primos a compositis dignoscendi,
+ hosque in factores suos primos resolvendi, ad gravissima ac utilissima totius arithmeticae pertinere,
+ ...Praetereaque scientiae dignitas requirere videtur, ut omnia subsidia ad solutionem
+ problematis tam elegantis ac celebris sedulo excolantur.
+
+ \medskip\noindent
+ The problem of distinguishing prime numbers from composite numbers and of
+ resolving the latter into their prime factors is known to be one of the most
+ important and useful in arithmetic. ..Further, the dignity of the
+ science itself seems to require that every possible means be explored for
+ the solution of a problem so elegant and so celebrated.
+
+ \medskip\noindent
+ {\it Gauss, Disquisitiones Arithmeticae (1801): Article 329}
+ }
+
+\end{frame}
+\begin{frame}{Cryptography}
+ \begin{block}{}
+ Gauss thought factoring was important and he was unaware of the role it
+ plays in the security of widely used public-key cryptographic systems.
+ \end{block}
+ \begin{block}{}
+ Although a major reason for current work on the problem, we won't get into the cryptographic applications in this talk.
+ \end{block}
+\end{frame}
+
+\begin{frame}{Trial division is impractical}
+
+\begin{block}{}
+ The 'grade school' method to solve the factoring problem by systematically trying integers less than $N$ (or prime numbers less than $N$)
+ and checking to see if you find a factor requires, in the worst case, on the order of $\sqrt{N}$ divisions.
+\end{block}
+\begin{block}{}
+ If a division takes, say, $10^{-12}$ seconds on some miracle computer, then factoring a $100$ digit number would require
+ $10^{38}$ seconds or more than $10^{30}$ years. (The universe is about $10^{10}$ years old.)
+\end{block}
+\begin{block}{}
+ A different approach is needed.
+\end{block}
+\end{frame}
+
+\begin{frame}{Overview of factoring methods}
+ Modern methods of factoring fall into two categories:
+ \begin{itemize}
+ \item Methods based on algebraic groups (such as the $p-1$ method, the elliptic curve method, and generalizations)
+ \item Sieve methods (such as the quadratic and number field sieves)
+ \end{itemize}
+\end{frame}
+\begin{frame}{Overview of factoring}
+
+ Typically, the algebraic group methods are used first to identify ``small
+ factors'' of large numbers $N$; and once those are found, or ruled out, the
+ sieve methods are used.
+
+\bigskip\noindent In the best case these algorithms are believed to be
+ sub-exponential, meaning that their running times grow more slowly than
+ exponential in the number of digits of $N$; but they are far from polynomial
+ time.
+
+\bigskip\noindent
+ The complexity of factoring is not known.
+
+\bigskip\noindent
+ There is a polynomial time algorithm for a ``quantum computer.''
+\end{frame}
+\begin{frame}{First make sure your number is composite}
+ The complexity of factoring means factoring algorithms should only be applied to composite numbers.
+
+ \begin{theorem}[Fermat] Suppose that $N$ and $a$ are integers with $(a,N)=1$. If
+ $$a^{N-1}\not\equiv 1\pmod{N}.$$
+ then $N$ is composite.
+ \end{theorem}
+\end{frame}
+\begin{frame}{The Fermat Test}
+ Fermat's theorem allows for a quick test of compositeness.
+
+ \begin{block}{The Fermat Test}
+ Given $N$ (large), pick a random small $a$ and compute $a^{N-1}\bmod{N}$.
+ If the result isn't $1$, $N$ is composite.
+ \end{block}
+
+ \begin{definition}
+ If $a^{N-1}\equiv 1\pmod{N}$, then $N$ is called a pseudoprime to base $a$.
+ \end{definition}
+\end{frame}
+\begin{frame}{Pseudoprimes are rare}
+ There are $21853$ pseudoprimes to base $2$ less than $25\times 10^{9}$.
+
+ \bigskip\noindent
+ If a number passes the Fermat test for a bunch of random bases, then spend your time trying to prove it prime
+ rather than trying to factor it.
+
+ \bigskip\noindent
+ There are refinements to the Fermat test that are even more effective.
+
+\end{frame}
+\begin{frame}[fragile]{Efficient Modular Exponentiation}
+ Applying the Fermat Test requires computing $a^x\bmod{N}$ where $x$ is
+ large; and similar calculations are needed in the ECM method as well.
+
+ \begin{proposition} $a^x\bmod{N}$ can be computed in time $O(\log x)$ for fixed $N$ and $a$.
+ \end{proposition}
+ \begin{algorithm}
+ \begin{verbatim}
+ Set m=1 and s=a.
+ While x>0:
+ if x is odd, set m=(m*s mod N)
+ set s=s*s
+ set x=x/2, rounding off
+ return m as your answer
+ \end{verbatim}
+\end{algorithm}
+\end{frame}
+\begin{frame}{The $p-1$ algorithm}
+ Suppose $N$ is composite. Then the multiplicative group of units $(\mathbf{Z}/N\mathbf{Z})^*$ is not cyclic, so it is a product of cyclic
+ groups by the fundamental theorem of abelian groups.
+
+ \bigskip\noindent
+ The strategy of the $p-1$ method is to
+ \begin{enumerate}
+ \item pick a base $a$ (like $2$);
+ \item try to find an exponent $M$ so that $a^{M}\equiv 1$ in one of the cyclic factors of $(\mathbf{Z}/N\mathbf{Z})^*$ but not all of them.
+ \item then $(a^{M}-1,N)$ will be a non-trivial factor of $N$.
+ \end{enumerate}
+
+ \bigskip\noindent
+ If $p$ is an odd prime factor of $N$, then we can try $M=K(p-1)$ for various $K$. But how to find this $M$ if we don't know $p$?
+
+\end{frame}
+\begin{frame}{Smoothness}
+ \begin{definition}
+ An integer $N$ is called $B$-smooth if all the prime factors of $N$ are at most $B$. It is called $B$-powersmooth if all the prime
+ powers dividing $N$ are at most $B$.
+ \end{definition}
+
+ For example, the number
+ $$
+ N=33452526613163807108170062053440751665152000000000
+ $$
+ is $41$-smooth. (It is $41!$). It is divisible by $2^{164}$ and all the other prime powers dividing $41!$ so $41!$ is
+ $2^{164}+1$ powersmooth.
+
+
+\end{frame}
+\begin{frame}{The $p-1$ method, 2}
+
+ The hope for the $p-1$ method is that if $p$ is one of the prime divisiors of our integer $N$ then $p$ has the property that $p-1$ is $B$-powersmooth
+ for some not too big $B$.
+
+ \bigskip\noindent
+ Then we take a integer $M$ that is divisible by powers of the primes less than $B$ hoping to get a multiple of $p-1$.
+ For example, take:
+ $$
+ M=\prod_{p\le B} p^{[\log_{p}(B)]}.
+ $$
+
+ \bigskip\noindent
+ Then compute $(a^{M}-1,N)$ and see what happens. If you don't find anything, make $B$ bigger.
+
+\end{frame}
+\begin{frame}{A simple example}
+ Suppose $N=F_{5}=2^{2^5}+1$ is the fifth Fermat number. Take $B=150$. We can't use $a=2$ because clearly high powers of $a$ are going to be
+ $-1$ mod $N$; so let's try $a=3$. That doesn't work -- but $a=5$ does. Take $M=(128)*(81)*(25)(49)(121)(13)(17)\cdots(97)\cdots(149)$.
+ $$
+ 5^M-1 \equiv 1741227785\pmod{F_{5}}
+ $$
+ and $(1741227784,F_{5})=641$.
+\end{frame}
+
+\begin{frame}{The Elliptic Curve Method}
+ For the $p-1$ method to work, we have to be lucky enough to have a prime factor that is $B$-powersmooth for a relatively small $B$.
+ If the number $N$ we are trying to factor doesn't have this property, then the $p-1$ method won't work.
+
+ The elliptic curve method opens the door to more situations in which we can apply the idea of the $p-1$ method.
+\end{frame}
+\begin{frame}{ECM, cont'd}
+ Suppose $N=UV$ where $U$ and $V$ are proper factors. Let $E$ be an elliptic curve over $\mathbf{Z}$. Then
+ $$
+ E(\mathbf{Z}/N\mathbf{Z})=E(\mathbf{Z}/U\mathbf{Z})\times E(\mathbf{Z}/V\mathbf{Z}).
+ $$
+ Suppose that we can find a point $P$ on this curve mod $N$ so that a multiple $K$ of $P$ is zero in the first factor but not the second.
+
+ \bigskip\noindent
+ If we were to write $E$ in Weierstrass form, and the point $P$ in homogeneous coordinates $[x(P):y(P):z(P)]$, then this condition
+ would mean that $z(KP)$ is divisible by $U$ but not by $V$.
+
+ \bigskip\noindent
+ In other words, $(z(KP),N)$ would give us a proper factor of $N$.
+\end{frame}
+\begin{frame}{ECM,3}
+
+ If we were fortunate enough that (say) the order of the first of the two factor groups
+ $n=|E(\mathbf{Z}/U\mathbf{Z})|$ were $B$-powersmooth for a (relatively) small $B$.
+ Then we could use the trick of the $p-1$ method and choose our $K$ to hopefully be divisible by $n$.
+
+ The Riemann hypothesis for elliptic curves over finite fields tells us that if $U$ is prime then $n$ is roughly $p$.
+ So the chance that $n$ is $B$-powersmooth is the same order as $p-1$ having that property.
+
+ But there are many elliptic curves!
+\end{frame}
+
+
+
+
+
+
+
+
+
+
+
+
+
+\end{document}
\ No newline at end of file
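Review bot: The `The $p-1$ algorithm` frame opens with `Suppose $N$ is composite. Then the multiplicative group of units ... is not cyclic`, which is false in general (the unit group mod $9$, or mod $2p$ for an odd prime $p$, is cyclic); the argument only needs the CRT splitting of $(\mathbf{Z}/N\mathbf{Z})^*$ over two coprime factors, so I would state that instead. On `A simple example`, `5^M-1 \equiv 1741227785` is followed by `(1741227784,F_{5})=641`, so one of the two values is off by one (presumably the display should read `5^M`), and on `Smoothness`, `divisible by $2^{164}$` does not match the 2-adic valuation of $41!$, which is $38$, so that sentence needs rewording. On `ECM,3`, `$n$ is roughly $p$` and `the same order as $p-1$` use $p$ for the factor the frame introduces as $U$. Minor: `divisiors` and `a integer $M$` on `The $p-1$ method, 2`, and `\usepackage{minted}` is loaded although no `minted` environment appears in the file, while forcing `-shell-escape` builds.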