Average Time Fast SVP and CVP Algorithms: Factoring Integers in Polynomial Time



We use pruned enumeration algorithms to find lattice vectors close to a specific target vector for the prime number lattice. These algorithms generate multiplicative prime number relations modulo N that factorize a given integer N. The algorithm New Enum performs the stages of exhaustive enumeration of close lattice vectors in order of decreasing success rate. For example, an integer N ≈ 10¹⁴ can be factored from about 90 prime number relations modulo N for the 90 smallest primes. Our randomized algorithm generated, for example, 139 such relations in 15 minutes. This algorithm can be further optimized. The optimization for larger integers N is still open.
Fachbereich Informatik und Mathematik
Frankfurt am Main
Workshop Factoring 2009, Sept. 11,12
Road map
I   Lattice notation, time bound of the new SVP/CVP algorithm
II  Factoring integers via easy CVP solutions
III Outline and partial analysis of the new SVP algorithm
We survey how to use known proof elements and we focus on
novel proof elements that are not covered by published work.
I: Lattices, QR-decomposition, LLL-bases
lattice basis $B = [b_1, \ldots, b_n] \in \mathbb{Z}^{m \times n}$
lattice $L(B) = \{\, Bx \mid x \in \mathbb{Z}^n \,\}$
norm $\|x\| = \langle x, x\rangle^{1/2} = (\sum_{i=1}^{m} x_i^2)^{1/2}$
SV-length $\lambda_1(L) = \min\{\, \|b\| \mid b \in L \setminus \{0\} \,\}$
Successive minima $\lambda_1, \ldots, \lambda_n$
QR-decomposition $B = QR$, $Q \in \mathbb{R}^{m \times n}$, such that
the GNF (geometric normal form) $R = [r_{i,j}] \in \mathbb{R}^{n \times n}$ is
upper triangular, $r_{i,j} = 0$ for $j < i$ and $r_{i,i} > 0$.
LLL-basis $B = QR$ for $\delta \in (1/4, 1]$ (Lenstra, Lenstra, Lovász 82):
1. $|r_{i,j}| \le \frac{1}{2}\, r_{i,i}$ for all $j > i$ (size-reduced)
2. $\delta\, r_{i,i}^2 \le r_{i,i+1}^2 + r_{i+1,i+1}^2$ for $i = 1, \ldots, n-1$.
Average time fast SVP algorithm
Def. The relative density of $L$: $\mathrm{rd}(L) := \lambda_1\, \gamma_n^{-1/2}\, (\det L)^{-1/n}$.
$\mathrm{rd}(L) = \lambda_1(L)/\max \lambda_1(L')$ holds for the maximum of $\lambda_1(L')$
over all lattices $L'$ such that $\dim L = \dim L'$ and $\det L = \det L'$.
The HERMITE constant $\gamma_n = \max\{\, \lambda_1^2/\det(L)^{2/n} \mid \dim L = n \,\}$.
We always have $\|b_1\|^2 \ge \lambda_1^2 = \mathrm{rd}(L)^2\, \gamma_n\, (\det L)^{2/n}$.
Theorem 4.1 (GSA). Given a lattice basis such that
$\|b_1\| \le \sqrt{2e\pi}\, n^{b} \lambda_1$, $b \ge 0$, NEW ENUM solves SVP in time
$n^{O(1)} + \big(O(n^{2b-\varepsilon})\big)^{(n+1)/4}$ if $\mathrm{rd}(L) = n^{-1/2-\varepsilon}$, $\varepsilon > 0$.
This time bound is polynomial if $2b < \varepsilon$.
GSA: Let $B = QR = Q[r_{i,j}]$ satisfy (for $r_{i,i} = \|b_i^*\|$)
$r_{i,i}^2 / r_{i-1,i-1}^2 = q$ for $i = 2, \ldots, n$ and some $q > 0$.
W.l.o.g. let $q < 1$, otherwise $\|b_1\| = \lambda_1$.
We outline the proof of Thm 4.1 in part III.
Average time fast CVP algorithm
Corollary 6.1 (GSA). Given $b_1 \in L$, $0 \ne \|b_1\| = O(\lambda_1)$,
NEW ENUM finds $b \in L$ such that $\|b - t\| = \|L - t\|$ in time
$n^{O(1)} + O\big(n\, \mathrm{rd}(L)\, \|L - t\|^2 / \lambda_1^2\big)$ …
This time bound is polynomial if
$\|L - t\| = O(\lambda_1)$ and $\mathrm{rd}(L) \le n^{-1/2-\varepsilon}$ for $\varepsilon > 0$.
The required short vector $b_1$ can in practice be added to the
basis, extending the lattice by a short vector preserving $\mathrm{rd}(L)$.
An example will be given in part II for factoring integers using
the prime number lattice.
II: Factoring integers via easy CVP solutions
Let $N$ be a positive integer that is not a prime power. Let
$p_1 < \cdots < p_n$ enumerate all primes less than $(\ln N)^\alpha$. Then
$n = \dfrac{(\ln N)^\alpha}{\alpha \ln\ln N}\,\big(1 + O(1/\ln\ln N)\big)$.
Let the prime factors $p$ of $N$ satisfy $p > p_n$.
We show how to factor $N$ by solving easy CVP's for the prime
number lattice $L(B)$ with basis matrix $B = [b_1, \ldots, b_n] \in \mathbb{R}^{(n+1) \times n}$
and target vector $\mathbf{N} \in \mathbb{R}^{n+1}$:
$$B = \begin{bmatrix} \sqrt{\ln p_1} & & 0 \\ & \ddots & \\ 0 & & \sqrt{\ln p_n} \\ N^c \ln p_1 & \cdots & N^c \ln p_n \end{bmatrix}, \qquad \mathbf{N} = \begin{bmatrix} 0 \\ \vdots \\ 0 \\ N^c \ln N' \end{bmatrix},$$
where either $N' = N$ or
$N' = N p_{n+j}$ for one of the next $n$ primes $p_{n+j} > p_n$, $j \le n$.
W.l.o.g. let $N' = N$ for the analysis.
Outline of the factoring method
We identify the vector $b = \sum_{i=1}^{n} e_i b_i \in L(B)$ with the pair $(u, v)$
of integers $u = \prod_{e_j > 0} p_j^{e_j}$, $v = \prod_{e_j < 0} p_j^{-e_j}$.
Then $u, v$ are free of primes larger than $p_n$ and $\gcd(u, v) = 1$.
We compute vectors $b = \sum_{i=1}^{n} e_i b_i \in L(B)$ close to $\mathbf{N}$ such that
$|u - vN'| < u$. The prime factorizations $|u - vN'| = \prod_{i=1}^{n} p_i^{e_i'}$
and of $u$ yield a non-trivial relation
$$\prod_{e_i > 0} p_i^{e_i} \equiv \pm \prod_{i=1}^{n} p_i^{e_i'} \bmod N. \qquad (7.1)$$
Given $n+1$ independent relations (7.1) we write these relations
with $p_0 = -1$ and $e_{i,j}, e'_{i,j} \in \mathbb{N}$ as $\prod_{i=0}^{n} p_i^{e_{i,j}} \equiv \prod_{i=0}^{n} p_i^{e'_{i,j}} \bmod N$
for $j = 1, \ldots, n+1$. Any non-trivial solution $z_1, \ldots, z_{n+1} \in \mathbb{Z}$ of the
equations $\sum_{j=1}^{n+1} z_j\,(e_{i,j} - e'_{i,j}) = 0 \bmod 2$ for $i = 0, \ldots, n$
solves $X^2 = Y^2 \bmod N$ with $X = \prod_{j=1}^{n+1} \ldots \bmod N$,
$Y = \prod_{j=1}^{n+1} \ldots \bmod N$.
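The relation step of the outline above, as an added Python example (not code from the slides or the author): the CVP search is replaced by a constructed brute-force scan for smooth pairs (u, v) with small |u − vN| (so N' = N), and the relations (7.1) are then combined as described, through a dependency of the exponent parities over GF(2), into X² ≡ Y² mod N and a factor of N. The toy modulus N = 3127 = 53·59, the factor base of the primes below 53 and the search bounds are assumptions made here.

```python
from math import gcd

def smooth_exponents(m, primes):
    # Exponent vector of m >= 1 over the factor base, or None if some prime factor exceeds p_n.
    e = []
    for p in primes:
        k = 0
        while m % p == 0:
            m, k = m // p, k + 1
        e.append(k)
    return e if m == 1 else None

def find_relations(N, primes, V, R):
    # Constructed stand-in for the CVP search with N' = N: scan smooth v <= V and 0 < |r| <= R for
    # smooth u = vN + r, gcd(u, v) = 1. Each hit is a relation (7.1), u = (-1)^s |r| mod N, returned
    # as exponent vectors (e, e') over p_0 = -1, p_1, ..., p_n.
    rels = []
    for v in range(1, V + 1):
        if smooth_exponents(v, primes) is None: continue
        for r in range(-R, R + 1):
            u = v * N + r
            if r == 0 or gcd(u, v) != 1: continue
            eu, er = smooth_exponents(u, primes), smooth_exponents(abs(r), primes)
            if eu is not None and er is not None:
                rels.append(([0] + eu, [int(r < 0)] + er))
    return rels

def gf2_dependencies(rows):
    # Yield index sets of rows (bit masks) whose XOR is 0, by incremental elimination over GF(2).
    basis = {}
    for j, m in enumerate(rows):
        combo = 1 << j
        while m and (m.bit_length() - 1) in basis:
            bm, bc = basis[m.bit_length() - 1]
            m, combo = m ^ bm, combo ^ bc
        if m:
            basis[m.bit_length() - 1] = (m, combo)
        else:
            yield [k for k in range(len(rows)) if combo >> k & 1]

def factor(N, primes, V, R):
    # Rows are the parities e_{i,j} - e'_{i,j} mod 2; a dependency z gives X^2 = Y^2 mod N with
    # X = prod p_i^{(E_i + E'_i)/2}, Y = prod p_i^{E'_i}, E_i = sum_j z_j e_{i,j} (p_0 = -1 included).
    rels = find_relations(N, primes, V, R)
    rows = [sum(((e[i] - f[i]) & 1) << i for i in range(len(e))) for e, f in rels]
    for dep in gf2_dependencies(rows):
        X = Y = 1
        for i, p in enumerate([-1] + list(primes)):
            E, F = sum(rels[j][0][i] for j in dep), sum(rels[j][1][i] for j in dep)
            X, Y = X * pow(p, (E + F) // 2, N) % N, Y * pow(p, F, N) % N
        for d in (gcd(X - Y, N), gcd(X + Y, N)):
            if 1 < d < N:
                return d  # non-trivial factor; otherwise try the next dependency
```

With the primes below 53 as factor base, factor(3127, primes, 300, 100) returns 53 or 59.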
Computing relations (7.1) from smooth $(u, v)$
Lemma. If $|u - vN'| = o(N^c)$, $v = \Theta(N^{c-1})$, $e_1, \ldots, e_n \in \{0, \pm 1\}$
then $\|b - \mathbf{N}\|^2 = (2c-1)\ln N + \ln(p_{n+j}) + \Theta\big(|u - vN'|^2 (N/N')^2\big)$.
Proof. We see from $e_1, \ldots, e_n \in \{0, \pm 1\}$ that
$\|b - \mathbf{N}\|^2 = \ln u + \ln v + N^{2c}\, \big|\ln \tfrac{u}{vN'}\big|^2$.
Clearly, $v = \Theta(N^{c-1})$, $|u - vN'| = o(N^c)$ implies
$\ln u + \ln v = (2c-1)\ln N + \ln(N'/N) + \Theta(1)$.
$\big|\ln \tfrac{u}{vN'}\big| = \big|\ln\big(1 + \tfrac{u - vN'}{vN'}\big)\big| = \tfrac{|u - vN'|}{vN'}\,(1 + o(1)) = \Theta\big(\tfrac{|u - vN'|}{N^{c-1} N'}\big)$.
Combining these equations proves the claim.
Theorem 7.2 $\|b - \mathbf{N}\|^2 \le (2c-1)\ln N + 2\delta \ln p_n$ implies
$|u - vN'| \le p$ …
The existence of $b \in L(B)$ such that $|u - vN| = 1$
An integer $z$ is called $y$-smooth if all prime factors $p$ of $z$ satisfy
$p \le y$. Let $N'$ be either $N$ or $N p_{n+j}$ for one of the next $n$ primes
$p_{n+j} > p_n$. We denote
$M_{\alpha,c,N} := \{\, (u, v) : |u - vN| = 1,\ u, v \text{ are squarefree and } (\ln N)^\alpha\text{-smooth} \,\}$.
Theorem 7.4 [S93] If the equation $|u - \lceil u/N \rfloor N| = 1$ is for
random $u$ of order $N^c$ nearly statistically independent from the
event that $u, \lceil u/N \rfloor$ are squarefree and $(\ln N)^\alpha$-smooth then
$\# M_{\alpha,c,N} = N^{\varepsilon + o(1)}$ holds if $\alpha > 2c1$ …
We will use this theorem for $c = \ln N$ and $\alpha > 4$.
Vectors $b \in L$ closest to $\mathbf{N}$ yield relations (7.1)
Theorem 7.5 The vector $b = \sum_{i=1}^{n} e_i b_i \in L(B)$ closest to $\mathbf{N}$
provides a non-trivial relation (7.1) provided that $M_{\alpha,c,N} \ne \emptyset$.
Theorem 7.6 If $M_{\alpha,c,N} \ne \emptyset$ for $c = \ln N$ and $\alpha > 4$ then we can
minimize $\|L(B) - \mathbf{N}\|$ in polynomial time under GSA given
$b \in L(B)$ such that $0 \ne \|b\| = O(\lambda_1)$.
It follows from $M_{\alpha,c,N} \ne \emptyset$ for $N' \in \{N, N p_{n+j}\}$ that
$\|L - \mathbf{N}\|^2 \le (2c-1)\ln N' + 1 = (2c-1+o(1))\ln N$.
Lemma 5.3 of [MG02] proves that $\lambda_1^2 \ge 2c\ln N - \Theta(1)$.
Claim $\lambda_1^2 = 2c\ln N + O(1)$.
$\mathrm{rd}(L) = \lambda_1/\big(\gamma_n^{1/2}(\det L)^{1/n}\big) \le \dfrac{\sqrt{2e\pi \cdot 2c\ln N}}{\ldots (\ln N)^{\alpha-1} \ldots} = O\big((c\ln N)^{(1-\alpha)/2}\big) = O\big((\ln N)^{1-\alpha}\big)$.
Moreover, we have for $c = \ln N$, $\alpha > 4$ and $\varepsilon = \frac{1}{2} - \frac{1}{\alpha} > 0$ that
$n^{-1/2-\varepsilon} = n^{-1+1/\alpha} = (\alpha \ln\ln N)^{1-1/\alpha}\, (\ln N)^{1-\alpha} > \mathrm{rd}(L)$.
Providing a nearly shortest vector of $L(B)$
We extend the prime number basis $B$ and $L(B)$ by a nearly
shortest lattice vector of the extended lattice, preserving $\mathrm{rd}(L)$,
$\det(L)$ and the structure of the lattice.
We extend the prime base by a prime $\bar p_{n+1}$ of order $\Theta(N^c)$ such
that $|u - \bar p_{n+1}| = O(1)$ holds for a squarefree $(\ln N)^\alpha$-smooth $u$.
Then $\|\sum_i e_i b_i - b_{n+1}\|^2 = 2c\ln N + O(1)$ holds for $u = \prod_i p_i^{e_i}$ and
the additional basis vector $b_{n+1}$ corresponding to $\bar p_{n+1}$, and
$\sum_i e_i b_i - b_{n+1}$ is a nearly shortest vector of $L(b_1, \ldots, b_{n+1})$.
Efficient construction of $\bar p_{n+1}$. Generate $u$ at random and
test the nearby $\bar p$ for primality. If the density of primes near
$u$ is not exceptionally small, $\bar p_{n+1}$ and $b_{n+1}$ can be found in
probabilistic polynomial time. A single $\bar p_{n+1}$ can be used to
solve all CVP's for the factorization of all integers of order $\Theta(N)$.
III: A novel enumeration of short lattice vectors
Let $\pi_t : \mathrm{span}(b_1, \ldots, b_n) \to \mathrm{span}(b_1, \ldots, b_{t-1})^\perp$ for $t = 1, \ldots, n$
denote the orthogonal projections and let $L_t = L(b_1, \ldots, b_{t-1})$.
Stage $(u_t, \ldots, u_n)$ of ENUM. $b := \sum_{i=t}^{n} u_i b_i \in L$ and
$u_t, \ldots, u_n \in \mathbb{Z}$ are given. The stage searches exhaustively for all
$\sum_{i=1}^{n} u_i b_i \in L$ such that $\|\sum_{i=1}^{n} u_i b_i\|^2 \le A$ holds for a given
upper bound $A \ge \lambda_1^2$. Here
$\zeta_t := b - \pi_t(b) = Q v_t \in \mathrm{span}\, L_t$ is the orthogonal
projection in $\mathrm{span}\, L_t$ of the given $b = \sum_{i=t}^{n} u_i b_i$,
$v_t = (v_1, \ldots, v_{t-1}, 0^{n-t+1})^t$ for $v_i = \sum_{j=t}^{n} r_{i,j} u_j$. Stage $(u_t, \ldots, u_n)$
exhaustively enumerates $B_{t-1}(\zeta_t, \rho_t) \cap L_t$, the intersection of
the lattice $L_t$ and the sphere $B_{t-1}(\zeta_t, \rho_t) \subset \mathrm{span}\, L_t$ of dimension
$t-1$ with radius $\rho_t := (A - \|\pi_t(b)\|^2)^{1/2}$ and center $\zeta_t$.
The success rate $\beta_t$ of stages
The GAUSSIAN volume heuristics estimates $|B_{t-1}(\zeta_t, \rho_t) \cap L_t|$
for $t > 1$ to
$\beta_t =_{\mathrm{def}} \mathrm{vol}\, B_{t-1}(\zeta_t, \rho_t) / \det L_t$.
Here $\mathrm{vol}\, B_{t-1}(\zeta_t, \rho_t) = V_{t-1}\, \rho_t^{\,t-1}$, where $V_{t-1}$
is the volume of the unit sphere of dimension $t-1$,
$\det L_t = \prod_{i=1}^{t-1} r_{i,i}$ and $\rho_t^2 := A - \|\pi_t(\sum_{i=t}^{n} u_i b_i)\|^2$.
We call $\beta_t$ the success rate of stage $(u_t, \ldots, u_n)$.
If $\zeta_t \bmod L_t$ is uniformly distributed over
$\{\, \sum_{i=1}^{t-1} r_i b_i \mid 0 \le r_1, \ldots, r_{t-1} < 1 \,\}$
then $E_{\zeta_t}\big[\, |B_{t-1}(\zeta_t, \rho_t) \cap L_t| \,\big] = \beta_t$, where $E_{\zeta_t}$ refers to a random
$\zeta_t \bmod L_t$. This holds because $1/\det L_t$ is the number of
lattice points of $L_t$ per volume in $\mathrm{span}\, L_t$. The formal analysis of
NEW ENUM by Theorem 4.1 uses a proven version of the
volume heuristics without assuming that $\zeta_t \bmod L_t$ is random.
Outline of New Enum for SVP
INPUT LLL-basis $B = QR \in \mathbb{Z}^{m \times n}$, $R \in \mathbb{R}^{n \times n}$, $A := \frac{n}{4}(\det B^t B)^{2/n}$,
OUTPUT a sequence of $b \in L(B)$ of decreasing length
$\|b\|^2 \le A$ terminating with $\|b\| = \lambda_1$.
1. $s := 1$, $L_s := \emptyset$ (we call $s$ the level)
2. Perform algorithm ENUM [SE94] pruned to stages with $\beta_t \ge 2^{-s}$:
Upon entry of stage $(u_t, \ldots, u_n)$ compute $\beta_t$. If $\beta_t < 2^{-s}$ delay
this stage and store $(\beta_t, u_t, \ldots, u_n)$ in the list $L_s$ of delayed stages.
If $\beta_t \ge 2^{-s}$ perform stage $(u_t, \ldots, u_n)$ on level $s$, and as soon
as some non-zero $b \in L$ of length $\|b\|^2 \le A$ has been found
give out $b$ and set $A := \|b\|^2 - 1$.
3. $L_{s+1} := \emptyset$, perform the stages $(u_t, \ldots, u_n)$ of $L_s$ with $\beta_t \ge 2^{-s-1}$
in increasing order of $t$ and for fixed $t$ in order of decreasing $\beta_t$.
Collect the appearing substages $(u_{t'}, \ldots, u_t, \ldots, u_n)$
with $\beta_{t'} < 2^{-s-1}$ in $L_{s+1}$.
4. IF $L_{s+1} \ne \emptyset$ THEN [ $s := s+1$, GO TO 3 ]
ELSE terminate by exhaustion.
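The success rate and the level-wise pruning of the NEW ENUM outline above, as an added Python example (not the slides' or the author's code): ENUM descends depth-first, computes β_t for every stage it enters from the Gaussian volume heuristic, delays stages with β_t < 2^{-s} in the list L_s, resumes delayed stages level by level in increasing t and decreasing β_t, and sets A := ‖b‖² − 1 after each vector given out. The Gram-Schmidt routine gnf and the initial bound A passed in are assumptions made here; delayed stages keep their stored β_t while A shrinks and are dropped if their sphere has become empty.

```python
import math

def gnf(B):
    # QR-decomposition by Gram-Schmidt for a basis given as rows b_1..b_n: R is upper
    # triangular with r_ii = ||b_i*|| and r_ij = <b_j, b_i*> / ||b_i*|| (the GNF of the slides).
    n, Q, R = len(B), [], [[0.0] * len(B) for _ in B]
    for j in range(n):
        v = [float(a) for a in B[j]]
        for i in range(j):
            R[i][j] = sum(a * q for a, q in zip(B[j], Q[i]))
            v = [a - R[i][j] * q for a, q in zip(v, Q[i])]
        R[j][j] = math.sqrt(sum(a * a for a in v))
        Q.append([a / R[j][j] for a in v])
    return R

def new_enum_svp(R, A0):
    # Gives out the sequence of ever-shorter vectors as (||b||^2, u), ending with lambda_1^2.
    # Stages (u_t, ..., u_n) use 1-based t; A lives in a list so nested functions can shrink it.
    n, A, found, delayed, s = len(R), [float(A0)], [], [], 1
    def proj_len2(u, t):  # ||pi_t(sum_i u_i b_i)||^2 for the stage (u_t, ..., u_n)
        return sum(sum(R[i][j] * u[j] for j in range(i, n)) ** 2 for i in range(t - 1, n))
    def beta(u, t):  # success rate vol B_{t-1}(zeta_t, rho_t) / det L_t (Gaussian volume heuristic)
        rho2, d = A[0] - proj_len2(u, t), t - 1
        if rho2 < 0: return 0.0
        vol = math.pi ** (d / 2) / math.gamma(d / 2 + 1) * rho2 ** (d / 2)
        return vol / math.prod(R[i][i] for i in range(d))
    def stage(t, u, thr):  # perform stage (u_t..u_n); substages with beta_t' < thr are delayed
        if t == 1:  # complete vector: give it out if non-zero and within the bound, then shrink A
            l2 = proj_len2(u, 1)
            if 0 < l2 <= A[0]:
                found.append((l2, u))
                A[0] = l2 - 1  # A := ||b||^2 - 1 (lengths are integers for an integer lattice)
            return
        i, rho2 = t - 2, A[0] - proj_len2(u, t)  # rho_t^2 = A - ||pi_t(b)||^2
        if rho2 < 0: return
        c = -sum(R[i][j] * u[j] for j in range(i + 1, n)) / R[i][i]  # center of the u_{t-1} range
        w = math.sqrt(rho2) / R[i][i]
        for x in range(math.ceil(c - w), math.floor(c + w) + 1):
            v = u[:i] + [x] + u[i + 1:]
            b = beta(v, t - 1)
            if b >= thr:
                stage(t - 1, v, thr)
            elif b > 0:
                delayed.append((b, t - 1, v))  # store (beta_t, u_t, ..., u_n) in the list L_s
    stage(n + 1, [0] * n, 2.0 ** -s)  # level 1: ENUM pruned to stages with beta_t >= 1/2
    while delayed:  # level s+1: delayed stages in increasing t, for fixed t in decreasing beta_t
        s, todo, delayed = s + 1, sorted(delayed, key=lambda e: (e[1], -e[0])), []
        for b, t, u in todo:
            if b < 2.0 ** -s: delayed.append((b, t, u))
            else: stage(t, u, 2.0 ** -s)
    return found
```

For the constructed basis rows (2,3,5), (2,6,10), (2,3,10), a unimodular image of 2ℤ×3ℤ×5ℤ, new_enum_svp(gnf(BASIS), 30) ends with ‖b‖² = 4, i.e. the vector ±(2,0,0).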
Proof of Theorem 4.1
Thm 4.1 NEW ENUM solves SVP in time $n^{O(1)} + \big(O(n^{2b-\varepsilon})\big)^{(n+1)/4}$
if $\mathrm{rd}(L) = n^{-1/2-\varepsilon}$, $\varepsilon > 0$ and if $\|b_1\| \le \sqrt{2e\pi}\, n^{b} \lambda_1$.
NEW ENUM essentially performs stages in decreasing order of
the success rate $\beta_t$. Let $b' = \sum_{i=1}^{n} u_i' b_i \in L$ denote the unique
vector of length $\lambda_1$ that is found by NEW ENUM.
Let $\beta_t'$ be the success rate of stage $(u_t', \ldots, u_n')$.
NEW ENUM performs stage $(u_t', \ldots, u_n')$ prior to all stages
$(u_t, \ldots, u_n)$ of success rate $\beta_t \le \tfrac{1}{2}\beta_t'$.
Simplifying assumption. We assume that NEW ENUM
performs stage $(u_t', \ldots, u_n')$ prior to all stages of success rate
$\beta_t < \beta_t'$ (i.e., $\rho_t < \rho_t'$).
By definition $\rho_t^2 = A - \|\pi_t(b)\|^2$ and $\rho_t'^{\,2} = A - \|\pi_t(b')\|^2$.
Without using the simplifying assumption, the proven time
bound of Theorem 4.1 increases at most by the factor 2.
A proven version of the volume heuristics
Consider the number $M_t$ of stages $(u_t, \ldots, u_n)$ with
$\|\pi_t(\sum_{i=t}^{n} u_i b_i)\| \le \lambda_1$: $M_t := \#\, B_{n-t+1}(0, \lambda_1) \cap \pi_t(L)$.
Modulo the heuristic simplifications $M_t$ covers the stages that
precede $(u_t', \ldots, u_n')$ and those that finally prove $\|b'\| = \lambda_1$.
Lemma 4.2 $M_t \le e^{n-t+1} \prod_{i=t}^{n} \big(1 + \sqrt{8\pi}\, \lambda_1 / r_{i,i}\big)$.
Proof. We use the method of Lemma 1 of [MO90] and follow
the adjusted proof of (2) in section 4.1 of [HS07]. We
abbreviate $n_t = n - t + 1$. Consider the ellipsoid
$E_t = \{\, (x_t, \ldots, x_n)^t \in \mathbb{R}^{n_t} \mid \|\pi_t(\sum_{i=t}^{n} x_i b_i)\|^2 / \lambda_1^2 \le 1 \,\}$, where …
By definition $M_t \le \#(E_t \cap \mathbb{Z}^{n_t})$. We set
$P_i x := \sum_{j > i} \frac{r_{i,j}}{r_{i,i}}\, x_j$ and $x_i' := x_i + \lceil P_i x \rfloor$,
$\{P_i x\} := P_i x - \lceil P_i x \rfloor$,
$F_t := \{\, (x_t', \ldots, x_n')^t \mid \ldots \,\}$.
Claim $\#(E_t \cap \mathbb{Z}^{n_t}) \le \#(F_t \cap \mathbb{Z}^{n_t})$
Proof. The transformation $(x_t, \ldots, x_n) \mapsto (x_t', \ldots, x_n')$ is injective.
[ If $i$ is the least index such that $(y_i, \ldots, y_n)$ and $(z_i, \ldots, z_n)$
differ then $y_i' \ne z_i'$. ] Moreover $(x_t', \ldots, x_n')$ …
We simplify $E_t$ to $E_t'$ …
Since $|\{P_i x\}| \le \frac{1}{2}$, $x_i \in \mathbb{Z}$ and $|x_i + \varepsilon|^2 \ge x_i^2/4$ for $|\varepsilon| \le \frac{1}{2}$ we
see that $F_t \cap \mathbb{Z}^{n_t} \subset E_t' \cap \mathbb{Z}^{n_t}$. Hence $M_t \le \#(E_t' \cap \mathbb{Z}^{n_t})$.
We bound $\#(E_t' \cap \mathbb{Z}^{n_t})$ using the method of [MO90, Lemma 1].
Denoting $N_r := \#\{\, (k_t, \ldots, k_n)^t \in \mathbb{Z}^{n_t} \mid \sum_{i=t}^{n} \ldots = r \,\}$ we have
$\#(E_t' \cap \mathbb{Z}^{n_t}) = \sum \ldots$
since $\sum_{k \in \mathbb{Z}} e^{-Tk^2} = 1 + 2\sum_{k \ge 1} e^{-Tk^2} \le 1 + 2\int_0^\infty e^{-Tx^2}\, dx = 1 + \sqrt{\pi/T}$. We get for $s := 1/(8\lambda_1^2)$ …
$\ldots \prod_{i=t}^{n} \big(1 + \sqrt{8\pi}\, \lambda_1 / r_{i,i}\big)$.
Proof of Theorem 4.1 continued
Now $r_{1,1}^2 / (\gamma_n\, \mathrm{rd}(L)^2) = (\det L)^{2/n} \ldots$
hold by GSA and thus $\gamma_n \ge \frac{n}{2e\pi}$ directly imply for $i = t, \ldots, n$ …
By Lemma 4.2 $M_t \le \prod_{i=t}^{n} \Big( \ldots \sqrt{2e\pi}\, \mathrm{rd}(L)^{-1} \lambda_1\, q^{(2i-n-1)/4} \ldots + \sqrt{8e\pi}\, \lambda_1 \ldots \Big)$.
For $\bar\eta := 2 + e$, $t := n \ldots$,
$m(q,c) := [\, \text{if } c > 0 \text{ then } q^{1 - c^2 \ldots / 4} \text{ else } 1 \,]$ we get
$M_t \le m(q,c)\, \bar\eta\, \big(\sqrt{2e\pi}\, \lambda_1 \ldots\big)^{n-t+1}\, \mathrm{rd}(L)^{n-t+1} / \det \pi_t(L)$, (4.1)
because $m(q,c) = q^{1 - c^2 \ldots} \ldots \bar\eta\, \sqrt{2e\pi}\, \lambda_1 \ldots$ for $c > 0$. We see from (4.1) and
$\det \pi_t(L) = \|b_1\|^{n-t+1}\, q^{\sum_{\ldots}^{n-1} \ldots}$ that
$M_t \le m(q,c)\, \bar\eta\, \sqrt{2e\pi}\, \lambda_1 \ldots$ (4.2)
Now $\gamma_n \le \dfrac{1.744\,(n + o(n))}{2e\pi}$ [KL78] implies via GSA
$\ldots e\pi\, \lambda_1^2 \ldots n\, \mathrm{rd}(L)^2\, \|b_1\|^2\, q^{(n-1)/2} \ldots$ for $n \ge n_0$. (4.3)
(4.2), (4.3), … give
$M_t \le m(q,c)\, \bar\eta\, \big(\sqrt{2e\pi}\, \lambda_1 \ldots\big)^{n-t+1}\, \mathrm{rd}(L)\, \|b_1\|^{n-t+1} \ldots \Big(\dfrac{n\, \mathrm{rd}(L)\, \|b_1\|}{\sqrt{e\pi}\, \lambda_1}\Big)^{\,n - (t-1)(t-2)/(n-1)} \ldots$
The difference of the exponents
$de(t) = n - \dfrac{(t-1)(t-2)}{n-1} - n + t - 1 = (t-1)\Big(1 - \dfrac{t-2}{n-1}\Big)$
is positive for $t \le n$ and maximal for $t_{\max} = \frac{n}{2} + 1$; $\ldots = \dfrac{n+1}{n-1}$ …
We get for $\|b_1\| \le \sqrt{2e\pi}\, n^{b} \lambda_1$, …
Hence $M_t = \big(O(n^{1/2 + 2b}\, \mathrm{rd}(L))\big)^{(n+1)/\ldots}$.
Open problems
Main open problem
Can the factoring algorithm be improved by the method of the
number field sieve?
We factor $N$ via easy CVP solutions that correspond to
multiplicative relations mod $N$, related to the quadratic sieve.
The last coordinate of a CVP solution yields a multiplicative
relation of the factor base, under the natural logarithm $\ln$.
How to incorporate mod $N$ reductions under the $\ln$ transform?
