FLIP-SEQUENCES AND SOME APPLICATIONS TO INTEGER FACTORIZATION

HABEEB SYED

Abstract. In this article we introduce the notion of flip-sequences. These sequences are easy to define and have good applications. Using flip-sequences we propose a new algorithm to compute factorization of integers.

Key words and phrases. Integer Factorization, Algorithms, Complexity.

1. Introduction

Integer factorization is one of the oldest problems in number theory. In simple terms it can be stated as follows: given $N \in \mathbb{N} = \{1, 2, \ldots\}$ which is known to be a product of two distinct odd primes (but the actual primes are not known), find the primes, i.e., express $N$ in the form

$$N = p \cdot q \tag{1}$$

where $p, q$ are distinct odd primes.

This problem is very old and has been studied extensively. Readers interested in the history of factorization can find several references easily, but may begin with [4, 5]. The problem of factorization acquired star status with the introduction of Public Key Cryptography (PKC) in the 1970s and the use of factorization therein [3, 11]. Intractability of factorization (when $N$ is large and does not have any "special" form) is the basis of the security of various PKCs, and as such it is a focused area of research worldwide with an immense amount of research output. During the last few decades various algorithms have been published for factorization. We refrain from getting into the details of these algorithms as it is a very extensive subject, but refer to [1, 2, 7, 8, 9, 10, 12].

The idea of a flip-sequence is very simple. To understand what a flip-sequence is and how it can be used for factorization, let us consider a simple example.

Example 1.1. Suppose we want to factorize $N = 347381$. Let us fix $\mathcal{B} = \{2, 3\}$ as factor base (see next section for details). Consider the integer $b = 1$. By simple arithmetic manipulation we see that

$$\begin{aligned}
1 \bmod N &= -(N - 1) \\
&= -1 \cdot 2 \cdot 38645 = +1 \cdot 2 \cdot (N - 38645) \\
&= +1 \cdot 2^{5} \cdot 32567 = -1 \cdot 2^{5} \cdot (N - 32567) \\
&= -1 \cdot 2^{6} \cdot 3 \cdot 52469 = +1 \cdot 2^{6} \cdot 3 \cdot (N - 52469) \\
&= +1 \cdot 2^{21} \cdot 3^{3}.
\end{aligned}$$

From these equations we have

$$\begin{aligned}
1 &\equiv 2^{21} \cdot 3^{3} \pmod N \\
\implies\ 1 - (2^{7} \cdot 3)^{3} &\equiv 0 \pmod N \\
\implies\ (1 - 2^{7} \cdot 3) \cdot (2^{14} \cdot 3^{2} + 2^{7} \cdot 3 + 1) &\equiv 0 \pmod N.
\end{aligned}$$

One can easily check that $2^{7} \cdot 3 - 1 = 383$ is a factor of $N$, the other factor being $N/383 = 907$.

In what follows we make the ideas involved in the above example more precise and try to answer some related questions. The remaining part of this article is organized as follows: in Section 2 we introduce the notion of flip-sequence and prove a few basic results needed. In Section 3 we present a new algorithm to factorize integers using flip-sequences and discuss various aspects of the algorithm. The main objective of this short paper is to discuss some new ideas of factorization and not to propose anything that competes with state of the art algorithms or solutions.

2. Flip-Sequences: Introduction

We begin with some terminology and notations. For a given $B$ let

$$\mathcal{B} = \{\text{all positive primes} \le B\} = \{2, 3, \ldots, q_\ell : q_\ell \le B\}.$$

The integer $B$ is called smoothness bound and the set $\mathcal{B}$ is called factor base. We use the notation $\mathrm{GCD}(b, \mathcal{B}) = 1$ to mean that the integer $b$ is not divisible by any of the primes $q \in \mathcal{B}$. For a positive integer $N$ the set $\mathbb{Z}_N$ denotes the ring of integers mod $N$, which will be represented by $\{0, 1, 2, \ldots, N - 1\}$, and $\mathbb{Z}_N^*$ denotes the group of units mod $N$, i.e., $\mathbb{Z}_N^* = \{1 \le m \le N : \mathrm{GCD}(m, N) = 1\}$. If $N = p$ is a prime, we use the notation $\mathbb{F}_p^*$ instead of $\mathbb{Z}_p^*$ whenever the field structure needs to be emphasized.

Next we introduce some notations related to prime decomposition of integers. For a given integer $n \in \mathbb{Z} \setminus \{0\}$ and a prime $q$ we define $\nu_q(n) = e$, where $e \ge 0$ is the integer such that $q^{e}$ divides $n$ and $q^{e+1}$ does not divide $n$. If $n \in \mathbb{Z}_N \setminus \{0\}$ then the same $e$ will be denoted by $\nu_q(n, \bmod N)$. Note that there is no ambiguity in the notation because $\mathbb{Z}_N$ is always represented by $\{0, 1, \ldots, N - 1\}$. Next we introduce some terms related to flip-sequences.

Definition 2.1. Given an integer $n$ and a factor base $\mathcal{B}$, by $\mathrm{Sm}(n, \mathcal{B})$ we mean the $\mathcal{B}$-smooth part of $n$, i.e.,

$$\mathrm{Sm}(n, \mathcal{B}) = \prod_{i=1}^{\ell} q_i^{e_i}, \quad \text{where } e_i = \nu_{q_i}(n).$$


Note that in general $1 \le \mathrm{Sm}(n, \mathcal{B}) \le n$. The integer $n$ is $\mathcal{B}$-smooth iff $\mathrm{Sm}(n, \mathcal{B}) = n$, and $(n, \mathcal{B}) = 1$ iff $\mathrm{Sm}(n, \mathcal{B}) = 1$. Further, the integer $n$ has a unique representation of the form

$$n = \mathrm{Sm}(n, \mathcal{B}) \cdot n_0, \quad \text{where } (n_0, \mathcal{B}) = 1 \tag{2}$$

with respect to a given factor base $\mathcal{B}$.

Definition 2.2. Let $\mathcal{B}$ be a factor base and $N$ be any odd integer. For any $b \in \mathbb{Z}_N$, the flip-sequence of $b$ with respect to $\mathcal{B}$ is a sequence of integers $(b_1, b_2, \ldots)$ defined as follows:

$$b_i = N - \frac{b_{i-1}}{\mathrm{Sm}(b_{i-1}, \mathcal{B})}, \quad i = 1, 2, \ldots \tag{3}$$

beginning with $b_0 = b$. We use the notation $\text{F-Seq}(b, \bmod N, \mathcal{B})$ to denote the above flip-sequence. If there is no ambiguity we will drop $\bmod N, \mathcal{B}$ and just use $\text{F-Seq}(b)$.

Remark 2.3. (i) Every flip-sequence $\text{F-Seq}(b, \bmod N, \mathcal{B})$ is a periodic sequence because all terms $b_i \in \mathbb{Z}_N$, which is a finite set.
(ii) The assumption that $N$ is odd is crucial to make a flip-sequence "nontrivial". In the sequence (3), $\mathrm{Sm}(b_i, \mathcal{B}) \ge 2$ for all $i \ge 1$ because $N$ is odd; this may not hold if $N$ is assumed to be even.

Example 2.4. Consider the simplest factor base $\mathcal{B} = \{2\}$. Let us compute the flip-sequence of $1 \bmod 19$ with respect to $B = 2$:

$$b_1 = 18, \quad b_2 = 10, \quad b_3 = 14, \quad b_4 = 12, \quad b_5 = 16, \quad \ldots$$

We have $\text{F-Seq}(1, \bmod 19, 2) = (18, 10, 14, 12, 16, 18, \ldots)$. Similarly,

$$\text{F-Seq}(3, \bmod 43, 2) = (40, 38, 24, 40, \ldots) \tag{4}$$

Every term of a flip-sequence consists of a $\mathcal{B}$-smooth part and a non-smooth part of an integer, and all the terms are connected. To understand this better let us suppose $b_0 = b$ and $\text{F-Seq}(b, \bmod N, \mathcal{B}) = (b_1, b_2, \ldots)$. For $i \ge 0$ denote by $s_i$ the $\mathcal{B}$-smooth part $\mathrm{Sm}(b_i, \mathcal{B})$ and by $\beta_i$ the quotient $b_i / s_i$. With these notations the terms of the flip-sequence $\text{F-Seq}(b)$ can be rewritten as

$$b_i = N - \frac{b_{i-1}}{\mathrm{Sm}(b_{i-1}, \mathcal{B})} = N - \beta_{i-1} = \beta_i s_i \tag{5}$$

Note that the notations $\beta_i, s_i$ are very generic and one should carefully keep track of $\mathcal{B}$ and $\bmod N$ while dealing with them. As we mentioned earlier, all terms of a flip-sequence are connected. This easy-to-prove connection is very important and is described in the following lemma.

Lemma 2.5. Consider a flip-sequence $\text{F-Seq}(b, \bmod N, \mathcal{B}) = (b_1, b_2, b_3, \ldots)$. Assume notations as in (5); then the following hold:


(i) Every term of the flip-sequence satisfies the relation

$$b = (-1)^{i} \prod_{j=0}^{i} s_j \cdot \beta_i \pmod N, \quad i = 1, 2, \ldots \tag{6}$$

(ii) Every flip-sequence is periodic. Suppose $b_j = b_k$, which happens iff $s_j = s_k$ and $\beta_j = \beta_k$, for some $0 \le j < k$; then

$$b = (-1)^{j} \prod_{i=0}^{j} s_i \cdot \beta_j = (-1)^{k} \prod_{i=0}^{k} s_i \cdot \beta_k \pmod N. \tag{7}$$

(iii) If $b_i$ is $\mathcal{B}$-smooth for some $i > 0$ then we obtain a $\mathcal{B}$-smooth expression of $b$ (resp. $-b$) if $i$ is even (resp. odd).

Proof. Assume notations as in (5). From the definition of flip-sequence we have

$$b = b_0 = \beta_0 \cdot s_0 \tag{8}$$

and for $i > 0$ a term looks like

$$b_i = N - \frac{b_{i-1}}{s_{i-1}} = N - \beta_{i-1} = s_i \beta_i \implies b_{i-1} = -b_i s_{i-1} \pmod N.$$

Combining all the terms $b_1, b_2, \ldots$ we get

$$b = (-1)^{i} \prod_{j=0}^{i-1} s_j \, b_i = (-1)^{i} \prod_{j=0}^{i} s_j \, \beta_i. \tag{9}$$

from which the first and second assertions of the lemma follow. The third assertion follows from (9) and the simple observation that $b_i$ is $\mathcal{B}$-smooth iff $\beta_i = 1$.

A useful corollary to part (ii) of the above lemma is the following result.

Corollary 2.6. Consider a factor base $\mathcal{B} = \{2, 3, \ldots, q_\ell\}$ and $b \in \mathbb{Z}_N$ such that $\mathrm{GCD}(b, N) = 1$. Then the flip-sequence $\text{F-Seq}(b, \bmod N, \mathcal{B})$ leads to a relation of the following form:

$$1 = \pm \prod_{i=1}^{\ell} q_i^{e_i} \bmod N, \quad \text{where } e_i \ge 0. \tag{10}$$

Proof. Consider the flip-sequence $\text{F-Seq}(b) = (b_1, b_2, \ldots)$. Suppose that $b_j = b_k$ for some $k > j \ge 0$. From part (ii) of Lemma 2.5 and using the notations of (5) we see

$$b = \pm s_0 s_1 \cdots s_j \beta_j = \pm s_0 \cdots s_j s_{j+1} \cdots s_k \beta_k \bmod N. \tag{11}$$

Since $b_j = b_k$ we have $s_j = s_k$ and $\beta_j = \beta_k$. Using these in (11) we have

$$s_0 s_1 \cdots s_j \beta_k \cdot (1 \pm s_{j+1} \cdots s_k) = 0 \bmod N. \tag{12}$$


Remember that we always choose $\mathcal{B}$ such that $\mathrm{GCD}(N, \mathcal{B}) = 1$, and since $\mathrm{GCD}(b, N) = 1$ we must have $(\beta_k, N) = 1$, which together imply that $N$ divides $1 \pm s_{j+1} \cdots s_k$, or equivalently $1 = \pm s_{j+1} \cdots s_k \bmod N$, as required.



Remark 2.7. Note that part (iii) of the above lemma is a one-way statement. If a flip-sequence contains a $\mathcal{B}$-smooth element then it results in a $\mathcal{B}$-smooth expression of $b$, but the converse need not be true. For example, consider $\text{F-Seq}(5, \bmod 47, 3) = (42, 26, 34, 30, 42, \ldots)$, which does not contain any 3-smooth element, but one can easily check that 5 has the 3-smooth expression $5 = 2^{3} 3^{15} \pmod{47}$. We make these ideas more precise in the following definition.

Definition 2.8. Consider a flip-sequence $\text{F-Seq}(b) = (b_1, b_2, \ldots)$.
(i) Period of Flip-Sequence. Suppose for some $j > i \ge 0$, $b_j = b_i$ and $b_j \ne b_k$ for every $0 \le k < j$; then we define the period of $\text{F-Seq}(b)$ to be $j - i$, which will be denoted by $\text{F-Per}(b)$.
(ii) Length of Flip-Sequence is defined to be the least $i > 0$ for which $b_i$ is $\mathcal{B}$-smooth, or equivalently $\beta_i = 1$. If no such $i$ exists then the length is defined to be $\infty$. The length of a flip-sequence will be denoted by $\text{F-Len}(b)$.

Example 2.9. Consider the flip-sequences from Example 2.4. For these flip-sequences

$$\text{F-Len}(1, \bmod 19, 2) = \text{F-Per}(1) = 5,$$

while

$$\text{F-Len}(3, \bmod 43, 2) = \infty \quad \text{and} \quad \text{F-Per}(3) = 3.$$

With these examples we conclude this section.

3. Flip-Sequences: Some Applications to Factorization

We discussed some applications of flip-sequences in computing the $\mathbb{F}_p^*$ discrete log problem in [6]. In this section we present a new algorithm to compute factorization of integers using the flip-sequences developed in the previous section. The best known algorithm to compute factorization of large integers is the Number Field Sieve (NFS) algorithm. The main idea of this algorithm is to solve the equation

$$X^{2} \equiv Y^{2} \pmod N \tag{13}$$

by setting up appropriate number fields and then using "sieves". The algorithm involves several ideas from Algebraic Number Theory and is very compute intensive. Once a non-trivial solution of (13) is found, a factor can be obtained by computing $\mathrm{GCD}(X \pm Y, N)$. The overall complexity of the NFS algorithm is sub-exponential. The algorithm we are proposing also follows the same method of solving (13) and computing the GCD. However, we do this using flip-sequences. The main idea is best explained by Example 1.1. A simple difference is that in Example 1.1 the flip-sequence $\text{F-Seq}(1)$ leads to a solution of the equation

$$X^{3} \equiv Y^{3} \bmod N \tag{14}$$

which in turn leads to factorization. To give more details, suppose we want to factorize a positive integer $N$ which is a product of two distinct primes. Depending on $N$ we choose an appropriate factor base $\mathcal{B} = \{2, 3, \ldots, q_\ell\}$. We begin with an arbitrary element $b^{2} \in \mathbb{Z}_N$ and compute its flip-sequence $\text{F-Seq}(b^{2})$. This leads us to the following two cases:

Case (i). Some term of the flip-sequence is $\mathcal{B}$-smooth, or equivalently $\text{F-Len}(b^{2}) = t < \infty$. In this case we get a relation of the form (as described in Lemma 2.5(iii))

$$b^{2} = \prod_{i=1}^{\ell} q_i^{e_i} \bmod N \tag{15}$$

Case (ii). $\text{F-Len}(b^{2}) = \infty$. We know that $\text{F-Per}(b^{2})$ is always finite, say $\text{F-Per}(b^{2}) = \delta$. From Corollary 2.6 it follows that we get a relation of the form

$$1 = \prod_{i=1}^{\ell} q_i^{e_i} \bmod N \tag{16}$$

Suppose each $e_i$ (in (15) or (16) as the case may be) is divisible by 2; then we have a solution to (13) as follows:

$$X = b \text{ or } 1 \quad \text{and} \quad Y = \prod_{i=1}^{\ell} q_i^{e_i/2} \tag{17}$$

Suppose not all $e_i$ are divisible by 2; then we repeat the process with a new $b^{2}$. We make these descriptions more precise in the following algorithms. As seen in Case (i) and Case (ii) above, some flip-sequences lead to a solution of (13) while some need not. We identify the flip-sequences which lead to solutions through the following definition:

Definition 3.1. Given a positive integer $N$ and a factor base $\mathcal{B}$, we say that a flip-sequence $\text{F-Seq}(b, \bmod N, \mathcal{B})$ solves (13) if $\text{F-Seq}(b)$ leads to a solution of the form (17).

For the purpose of clarity, we first present an algorithm to compute a flip-sequence and then another algorithm to compute factorization using the flip-sequence.


Algorithm 1 Compute Flip-Sequence $\text{F-Seq}(b, \bmod N, \mathcal{B})$
INPUT: $N$, $\mathcal{B}$, and $b \in \mathbb{Z}_N$
OUTPUT: Relation of the form (15) or (16)
1: Initialize $i = 0$, $b_i = b^{2} \pmod N$, $s_i = \mathrm{Sm}(b_i, \mathcal{B})$, $\beta_i = b_i / s_i$
2: while $\beta_i \ne 1$ and $\beta_i \ne \beta_j$ for $j = 1, 2, \ldots, i-1$ do
3:   $i = i + 1$, $b_i = N - \beta_{i-1}$, $s_i = \mathrm{Sm}(b_i, \mathcal{B})$, $\beta_i = b_i / s_i$.
4:   if $\beta_i = 1$ then
5:     Return $b^{2} \equiv s_0 s_1 \cdots s_j \pmod N$
6:   else
7:     Return $1 \equiv s_0 s_1 \cdots s_j \pmod N$
8:   end if
9: end while

In the above algorithm we used the notation $s_i$ for the sake of simplicity. So in line 5, when we say return $b^{2} = s_0 s_1 \cdots s_j \pmod N$, what we actually mean is return $1 = \prod_{i=0}^{\ell} q_i^{e_i}$. Complexity of Algorithm 3 depends on the complexity of computing $\mathrm{Sm}(b_i, \mathcal{B})$. Without an efficient algorithm for this computation one cannot compute flip-sequences efficiently.

Next we present our algorithm to compute factorization using the idea of flip-sequences. In the algorithm the constant $\theta(N, \mathcal{B})$ is needed in order to avoid trying too many elements with the same $\mathcal{B}$. There is no formula to compute an optimum value of $\theta(N, \mathcal{B})$. One can compute it depending on the computing power available and some heuristics. If a factor base $\mathcal{B}$ does not produce a factorization after a "sufficient" number of attempts, we modify the factor base and start again.

Algorithm 2 Compute Factorization of $N$ using Flip-Sequences
INPUT: $N$, $\mathcal{B}$
OUTPUT: Factor of $N$ or Counter $= \theta(N, \mathcal{B})$
1: Initialize: $d = 1$, Counter $= 0$
2: while $d \ne 1, N$ or (Counter $< \theta(N, \mathcal{B})$) do
3:   Choose random $b \in \mathbb{Z}_N^*$ and set $X = b$. Compute $\text{F-Seq}(X^{2}, \bmod N, \mathcal{B})$
4:   if $\text{F-Seq}(X)$ solves Eqn. 13 then
5:     Compute $d = \mathrm{GCD}(X \pm Y, N)$
6:   end if
7:   if $d \ne 1, N$ then
8:     Return $d$
9:   else
10:     Counter = Counter + 1.
11:   end if
12: end while
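The two algorithms above as runnable Python, added here as an example and not taken from the paper: `flip_relation` walks the flip-sequence and returns the relation of Lemma 2.5(iii) or Corollary 2.6, and `try_split` performs one round of Algorithm 2. All function names are assumptions of this example, and `try_split` goes beyond the even-exponent case of (17) by also trying r-th roots when the left side is 1, which is what Example 1.1 does with r = 3.

```python
from functools import reduce
from math import gcd

def split_smooth(n, base):
    """Return (exponent vector of Sm(n, B), cofactor beta) with n = Sm * beta."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps, n

def flip_relation(b, N, base):
    """Walk F-Seq(b, mod N, B) until b_i (i > 0) is B-smooth or repeats.

    Returns (lhs, sign, exps, terms) with lhs = sign * prod(q^e) (mod N);
    lhs is b for a smooth hit (Lemma 2.5(iii)), 1 for a cycle (Corollary 2.6).
    """
    b %= N
    if N % 2 == 0 or gcd(b, N) != 1:
        raise ValueError("need odd N and gcd(b, N) = 1")
    b0, seen, hist, terms, i = b, {}, [], [], 0
    while True:
        exps, beta = split_smooth(b, base)
        hist.append(exps)
        if i > 0 and beta == 1:        # b_i is B-smooth: F-Len(b) = i
            total = [sum(col) for col in zip(*hist)]
            return b0, (-1) ** i, total, terms
        if b in seen:                  # b_j = b_i, j < i: the sequence cycles
            j = seen[b]
            total = [sum(col) for col in zip(*hist[j + 1:])]
            return 1, (-1) ** (i - j), total, terms
        seen[b] = i
        b = N - beta                   # flip step, equation (3)
        i += 1
        terms.append(b)

def relation_holds(N, base, lhs, sign, exps):
    """Check lhs == sign * prod(q_i^e_i) (mod N)."""
    rhs = sign
    for q, e in zip(base, exps):
        rhs = rhs * pow(q, e, N) % N
    return (lhs - rhs) % N == 0

def try_split(N, base, x=1):
    """One round of Algorithm 2 with X = x; returns a proper factor or None."""
    lhs, _sign, exps, _terms = flip_relation(x * x, N, base)
    g = reduce(gcd, exps, 0)           # every exponent is a multiple of g
    X = 1 if lhs == 1 else x
    # Added generalisation: if lhs is 1, any r > 1 dividing g gives Y^r = +-1
    # (Example 1.1 uses r = 3); otherwise only square roots apply, as in (17).
    roots = [r for r in range(2, g + 1) if g % r == 0 and (lhs == 1 or r == 2)]
    for r in roots:
        Y = 1
        for q, e in zip(base, exps):
            Y = Y * pow(q, e // r, N) % N
        for d in (gcd(X - Y, N), gcd(X + Y, N)):
            if 1 < d < N:              # any such d is a genuine divisor of N
                return d
    return None
```

Calling `try_split(347381, [2, 3])` reproduces Example 1.1, and a `None` result means the relation found for that `x` did not split `N`, so the caller moves on to another `x` or a larger factor base.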


Example 3.2. Let us factorize $N = 394279$. Consider $\mathcal{B} = \{2, 3\}$. Let us compute $\text{F-Seq}(1, \bmod 394279, 3)$:

$$\text{F-Seq}(1) = (394278, 328566, 339518, 224520, 384924, 362202, 333912, 380366, 204096, 393216, 394278, \ldots)$$

We have $\text{F-Per}(1) = 10$ and a relation of the form

$$1 = 2^{36} 3^{8} \pmod{394279}$$

from which we get

$$\mathrm{GCD}(1 - 2^{18} 3^{4}, 394279) = 419, \qquad \mathrm{GCD}(1 + 2^{18} 3^{4}, 394279) = 941$$

which factors 394279 completely.

(ii) Similarly we can factorize $N = 1455497$ by computing the flip-sequence $\text{F-Seq}(1, \bmod 1455497, 5)$:

$$\text{F-Seq}(1) = (1455496, 1273560, 1444884, 1335090, 1410994, 750000, 1455496, \ldots)$$

In this case we have $\text{F-Per}(1) = 6$ and the following relation:

$$1 = 2^{14} 3^{4} 5^{8} \pmod{394279}$$

which leads to the factorization $N = 1409 \cdot 1033$.

The above examples show that for a given $N$ we can choose a very small factor base $\mathcal{B}$ and obtain a factorization by computing flip-sequences whose period is also very small (relative to the integer which needs to be factored).

3.1. Complexity of Algorithms.

In this subsection we discuss complexity issues related to Algorithm 1 and Algorithm 2. We will emphasize the qualitative aspects of the complexities involved rather than giving numeric bounds, and as such the words "complexity" or "cost of computing" are used in a broad sense. Let us denote by $C(1)$, $C(2)$ the complexities of Algorithm 1 and Algorithm 2 respectively. Suppose, for a given $N$ and $\mathcal{B}$, Algorithm 2 needs to try $\zeta(N, \mathcal{B})$ elements before successfully computing a factorization; then the complexity of Algorithm 2 is

$$C(2) = \zeta(N, \mathcal{B}) \times C(1) \tag{18}$$

ignoring the complexity of computing the GCD, which we assume to be negligible. Now, let us look at the complexity of Algorithm 1, $C(1)$, which is nothing but the complexity of computing a flip-sequence $\text{F-Seq}(b, \bmod N, \mathcal{B}) = (b_1, b_2, \ldots)$. Note that we keep computing terms $b_i$ till we reach $b_i = b_k$ for some $0 \le i < k$; in other words, we need to compute $b_i$ for as many terms as $\text{F-Per}(b)$. Thus $C(1)$ can be described as

$$C(1) = \text{F-Per}(b) \times \text{average cost of computing } \mathrm{Sm}(b, \mathcal{B}) \tag{19}$$


We have a clear idea about the worst case scenario. For a given $N$ and factor base $\mathcal{B}$, in the worst case scenario $\text{F-Per}(b)$ can be as big as $N$, which makes Algorithm 1 "exponential" type. Similarly, Algorithm 2 may also need to go through all elements $b \in \mathbb{Z}_N$, thus it is also "exponential" type. However, what really matters is the average case complexity of both algorithms, which is still not known. To understand these average case complexities we need to answer the following two questions:

Question 3.3. Given $N$ and a factor base $\mathcal{B}$:
(i) How can we estimate the value of $\text{F-Per}(b, \bmod N, \mathcal{B})$ without actually computing the flip-sequence of $b$?
(ii) How can we "optimize" the value of $\zeta(N, \mathcal{B})$ used in (18)?

Our efforts are directed towards answering the above two questions and we hope to make progress soon. Until answers are found, the average case complexities of Algorithm 1 and Algorithm 2 remain open questions.

References

[1] Brent, R., An Improved Monte Carlo Factorization Algorithm, Nordisk Tidskrift for Informationsbehandlung (BIT) 20, 176-184, 1980.
[2] Buhler, Joe P. (editor), Algorithmic number theory: ANTS-III, Lecture Notes in Computer Science 1423, Springer-Verlag, Berlin, 1998.
[3] Diffie, W., and Hellman, M.E., New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, 6, Nov 1976, pp. 644-654.
[4] Dunham, W., Euler - the master of us all, The Mathematical Association of America, 1999.
[5] Gauss, C.F., Disquisitiones arithmeticae (English translation by Arthur A. Clarke), Yale University Press, 1801.
[6] Habeeb Syed, A Short Note on Discrete Log Problem in $\mathbb{F}_p^*$, In Proc. of 10th National Workshop on Cryptology, INDIA, (2010) 34-39.
[7] Odlyzko, A. M., The Future of Integer Factorization, CryptoBytes: The Technical Newsletter of RSA Laboratories 1, No. 2, 5-12, 1995.
[8] Lenstra, A.K., and Lenstra, H.W. Jr. (eds), The Development of the Number Field Sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, New York, 1993.
[9] Pollard, J. M., Theorems on factorization and primality testing, Proceedings of the Cambridge Philosophical Society 76 (1974), 521-528.
[10] Pomerance, C., Analysis and Comparison of Some Integer Factorization Algorithms, In Computational Methods in Number Theory, Part 1 (Ed. H. W. Lenstra and R. Tijdeman). Amsterdam, Netherlands: Mathematisch Centrum, pp. 89-139, 1982.
[11] Rivest, R.L., Shamir, A., and Adleman, L.M., A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21, 1978, pp. 120-126.
[12] Riesel, Hans, Prime numbers and computer methods for factorization (2nd ed.), Birkhauser Verlag, Basel, Switzerland, 1994.

Defense and Homeland Security Group, Computational Research Laboratories Limited, Pune, 411004 - INDIA

A framework for developing WAP- and WWW-capable applications is designed and ...... It offers structured models to build new, advanced Web solutions dealing.