Abstracts of the CADO workshop on integer factorization - SIGSAM

ACM Communications in Computer Algebra, Vol. 43, No. 1, March 2009
<strong>CADO</strong> Workshop <strong>Abstracts</strong>
<strong>Abstracts</strong> <strong>of</strong> <strong>the</strong> <strong>CADO</strong> <strong>workshop</strong> on integer factorization
Communicated by Emmanuel Thomé
INRIA Lorraine
http://www.loria.fr/~thome/
Emmanuel.Thomeatnormalesup.org
The <strong>CADO</strong> <strong>workshop</strong> on integer factorization was held in Nancy, France, on October 7-9th, 2008.
The <strong>workshop</strong> was focused on <strong>the</strong> Number Field Sieve and its implementation aspects. Fifty participants
attended <strong>the</strong> <strong>workshop</strong>.
The <strong>workshop</strong> was organized by Pierrick Gaudry, Emmanuel Thomé and Paul Zimmermann.
Slides from talks can be downloaded from http://cado.gforge.inria.fr/<strong>workshop</strong>/
<strong>Abstracts</strong> <strong>of</strong> invited talks
Numbers related to NFS
Kazumaro Aoki, NTT, Tokyo, Japan.
NFS requires a large amount <strong>of</strong> parameters. Though <strong>the</strong> order <strong>of</strong> <strong>the</strong> parameters is known, setting
optimal values requires some art. Not much data from large integer factorizations is available,
however experimentalists are helped a lot by seeing <strong>the</strong> numbers. I provide as detailed figures as I
have, including <strong>the</strong> following topics : 1. experimental results generated from factorization <strong>of</strong> c176 in
11,281+, 2. Mixed special-Q usage <strong>of</strong> algebraic side and rational side, 3. Experiences <strong>of</strong> hardware
failures in long term factorization, 4. R311 ECM.
Predicting NFS time
Daniel J. Bernstein, University <strong>of</strong> Illinois, Chicago, USA.
The time T (n, f, y 1 , . . .) used by NFS depends not only on <strong>the</strong> integer n to be factored but also on
various parameters chosen by <strong>the</strong> NFS user, such as a polynomial f, an initial smoothness bound
y 1 , etc. One can accurately compute T (n, f, y 1 , . . .) by running NFS, but <strong>of</strong> course this is ra<strong>the</strong>r
slow, especially if one wants to compute several values <strong>of</strong> this function T . I’ll discuss <strong>the</strong> speed and
accuracy <strong>of</strong> various approximations to T .
11

<strong>CADO</strong> Workshop <strong>Abstracts</strong>
<strong>CADO</strong> Workshop <strong>Abstracts</strong>
Polynomial selection
Thorsten Kleinjung, École polytechnique Fédérale de Lausanne, Switzerland.
This talk will describe some tricks for polynomial selection for GNFS. An analysis and some results
will also be given.
Discrete Logarithms and Galois Invariant Smoothness Basis
Reynald Lercier, Centre d’éléctronique de l’armement, Bruz, France.
The difficulty <strong>of</strong> computing discrete logarithms in <strong>the</strong> multiplicative group <strong>of</strong> finite fields GF(q)
with <strong>the</strong> function field sieve relies mostly on <strong>the</strong> ability <strong>of</strong> finding relations between elements <strong>of</strong>
a smoothness basis. We noticed in <strong>the</strong> past that in some very particularly cases (Kummer and
Artin-Schreier <strong>the</strong>ories), <strong>the</strong> factor basis can be constructed in such a way that it is left invariant
by automorphisms <strong>of</strong> GF(q). This significantly accelerates discrete logarithm computations since
it turns out that in such cases <strong>the</strong> dimensions <strong>of</strong> <strong>the</strong> linear system to be solved at <strong>the</strong> end <strong>of</strong> <strong>the</strong>
computation is much smaller. In this talk, we are going to explain how this nice property can be
generalized to a broad class <strong>of</strong> finite fields. (joint work with J.-M. Couveignes)
Preliminary Design <strong>of</strong> Post-Sieving Processing for RSA-768
Peter L. Montgomery, Micros<strong>of</strong>t Research, USA.
The security <strong>of</strong> <strong>the</strong> RSA cryptosystem relies on <strong>the</strong> believed difficulty <strong>of</strong> factoring large composite
integers. About eight sites are attempting to factor RSA-768, a 768-bit challenge number. The best
known algorithm is <strong>the</strong> Number Field Sieve, whose current record is 663 bits. Existing s<strong>of</strong>tware
needs upgrades to 64-bit manycore systems. I will describe some proposed algorithmic adjustments
as we work to meet this challenge on state-<strong>of</strong>-<strong>the</strong>-art hardware.
A Self-Tuning Filtering Implementation for <strong>the</strong> Number Field Sieve
Jason S. Papadopoulos, ViaSat Inc, USA.
This talk will describe <strong>the</strong> NFS filtering module <strong>of</strong> Msieve, an integer factorization library that has
helped complete some <strong>of</strong> <strong>the</strong> largest public factorizations. This module performs <strong>the</strong> task <strong>of</strong> building
a linear algebra problem from <strong>the</strong> collection <strong>of</strong> relations produced by NFS sieving. NFS filtering is
highly memory-intensive, and <strong>the</strong> quality <strong>of</strong> <strong>the</strong> solution found typically depends on <strong>the</strong> character
<strong>of</strong> <strong>the</strong> input dataset, user experience, and <strong>the</strong> values <strong>of</strong> many internal parameters. Msieve’s filtering
is designed to be memory-efficient and completely automatic, with no user tuning expected, and
produces matrix solutions <strong>of</strong> significantly higher quality compared to published results. We will
cover <strong>the</strong> algorithmic techniques that make this adaptive behavior possible, as well as ideas that
can potentially fur<strong>the</strong>r improve <strong>the</strong> result quality.
12

<strong>CADO</strong> Workshop <strong>Abstracts</strong>
<strong>Abstracts</strong> <strong>of</strong> contributed talks
Cryptanalysis on a PlayStation 3 Cluster
Joppe Bos, École polytechnique Fédérale de Lausanne, Switzerland.
The Cell Broadband Engine (Cell) Architecture is <strong>the</strong> heart <strong>of</strong> <strong>the</strong> PlayStation 3 (PS3) video game
console. In this presentation more technical details about <strong>the</strong> Cell are given. It is explained how <strong>the</strong>
SIMD organization inside <strong>the</strong> PS3 can be used in order to obtain high-performance cryptanalytic
algorithms. Examples are high-throughput hashing, factorization using <strong>the</strong> elliptic curve method
and solving <strong>the</strong> elliptic curve discrete logarithm problem using <strong>the</strong> Pollard rho method.
Edwards Curves and <strong>the</strong> ECM Factorisation Method
Peter Birkner, Technische Universiteit Eindhoven, The Ne<strong>the</strong>rlands.
The ECM method, introduced about 20 years ago by Lenstra, is one <strong>of</strong> <strong>the</strong> best algorithms for
factoring integers. This method employs elliptic curves, usually in Montgomery form, to find a
factor <strong>of</strong> a given integer. The recently introduced Edwards and Twisted Edwards curves <strong>of</strong>fer very
efficient arithmetic and can improve <strong>the</strong> speed <strong>of</strong> <strong>the</strong> ECM algorithm. We give a brief overview
<strong>of</strong> <strong>the</strong> ECM method and Edwards curves, and show how to construct Edwards curves which are
suitable for ECM, that is, Edwards curves with large torsion and positive rank over Q.
Friable values <strong>of</strong> binary forms
Cécile Dartyge, Institut Élie Cartan, Nancy, France.
Let P + (n) denote <strong>the</strong> greatest prime factor <strong>of</strong> a natural integer n, with <strong>the</strong> convention that P + (1) =
1. An integer n is said to be y-friable if P + (n) y.
A standard conjecture in probabilistic number <strong>the</strong>ory is that <strong>the</strong> values <strong>of</strong> an irreducible polynomial
in one or many variables behave statistically as a random integer <strong>of</strong> similar size. Accordingly, it is
expected that, given any binary form F and a real number ε > 0, we have P + (F (a, b)) < max(a, b) ε
for a positive proportion <strong>of</strong> positive integers (a, b).
We establish this conjecture in <strong>the</strong> case <strong>of</strong> cubic, reducible binary forms.
When F is ei<strong>the</strong>r cubic irreducible or has degree 4, we show that <strong>the</strong>re exists a non trivial
exponent α F such that, for every ε > 0, we have
|{1 a, b x : P + (F (a, b)) < x α F +ε }| ≍ x 2 (x 1).
In particular, we show that, if F is irreducible and has degree d 3, <strong>the</strong>n <strong>the</strong> value α F = d − 2 is
admissible.
Joint work with Antal Balog (Budapest), Valentin Blomer (Göttingen, Toronto), Gérald Tenenbaum
(IECN Nancy).
13

<strong>CADO</strong> Workshop <strong>Abstracts</strong>
<strong>CADO</strong> Workshop <strong>Abstracts</strong>
Factoring into large primes with P-1, P+1 and ECM
Alexander Kruppa, LORIA, Nancy, France.
This talk presents an implementataion <strong>of</strong> <strong>the</strong> P-1, P+1 and Elliptic Curve Methods for factoring into
large primes in <strong>the</strong> NFS sieving phase. It describes some optimizations used in <strong>the</strong> implementation,
considerations for parameter selection for individual methods, and how to combine methods into
efficient factoring strategies.
no abstract
ECM on graphics cards
Tanja Lange, Technische Universiteit Eindhoven, The Ne<strong>the</strong>rlands.
Optimizations to NFS Linear Algebra
Patrick Stach, TruState International Inc, USA.
This talk aims to address some <strong>of</strong> <strong>the</strong> algorithmic, arithmetic, and I/O bottlenecks associated with
<strong>the</strong> Block Wiedemann algorithm with respect to large matrices. Items to be discussed include scaling
Block Wiedemann and Block Lanczos, considerations on modern x86 hardware, considerations on
modern GPU hardware, and optimizing distributed computation <strong>of</strong> matrix vector products.
14