A new approach to factoring

Adi Shamir is one of the great problem solvers of all times; certainly in the area of complexity theory. He is the “S” in the famous RSA crypto-system, and is a Turing Award winner—with Ron Rivest and Len Adleman.

Today we want to talk about a new approach to integer factoring.

Shamir has a vested interest in hoping that factoring is hard, since a good factoring algorithm would destroy RSA. Of course it still has had a pretty good run: as far as we know it is “unbreakable” for large enough parameters. He has voiced the opinion in public, see for instance here, that there may indeed be a way to break RSA. Ken heard him give a talk in Oxford in the mid-1980’s in which he supported the hypothesis of an exponential lower bound for factoring, but he has also designed devices for attacking it.

One of the great attributes of Adi is that he is fearless. That may sound like a strange attribute to attach to a great theorist, but he is indeed fearless. He attacks problems that others have avoided, and he also is willing to make conjectures on really small evidence. Some of these conjectures were eventually proved true, some were found to be false, and others are still open. In cryptography every time you suggest a new system or protocol you are really making a conjecture. He has suggested systems that were later broken—sometimes by him—and he has suggested systems that are still open. Of course the RSA system can really be viewed as a conjecture:

Conjecture: There is no polynomial time algorithm to break the RSA system.

I (Dick) would like to try to be a bit fearless and discuss a new conjecture that is related to joint work with Ken and with Atri Rudra. We will see if we are too fearless or not.

## A Game

Let’s consider, first, a simple game played between Alice and Bob. Alice has a secret odd number ${r}$ that is ${n}$ bits long, and Bob’s job is to determine her secret. Nothing new here, yet.

Alice stipulates that she will give Bob information about her secret in the following manner: She and Bob agree on the ${n}$ and on ${Q=2^{2n}}$. Alice then selects an integer ${t}$ uniformly at random in the range ${0,\dots,r-1}$ among numbers relatively prime to ${r}$. She next determines ${x}$ so that

$\displaystyle xr - tQ = k,$

for some ${k}$ such that ${-r/2 \le k \le r/2}$.

She then kindly tells Bob the value of ${x}$. Bob can ask for any polynomial number of ${x}$‘s in this manner, and he wins provided he can determine the value of ${r}$. Note that each time Bob asks, Alice selects a new ${t}$ and determines a potentially new ${x}$ to give to Bob, but her ${r}$ stays the same.

An important fact is that the value of ${x}$ is unique once ${t}$ is selected. Suppose there were another ${x'}$ so that

$\displaystyle x'r - tQ = k',$

with ${-r/2 \le k' \le r/2}$. Then subtracting the two equations shows that ${(x-x')r = k-k'}$. But since ${r}$ is odd,

$\displaystyle \left| (k-k') \right| < r$

which implies that ${x-x'}$ must be zero and so ${x ' = x}$. Saying this another way: there is a function ${\psi(r,t)}$ whose value is ${x}$.

## A Winning Play

It is not hard to see that Bob can win given just one ${x}$. For instance, he can just solve the integer program

$\displaystyle \begin{array}{rcl} xr - tQ &=& k \\ -r/2 &\le& k \\ k &\le& r/2, \end{array}$

where the variables are ${k,r,t}$, and the values of ${x}$ and ${Q}$ are given. The system has a solution, by the way that Alice generated ${x}$, so the only issue is to show that Bob gets the right ${r}$. Suppose that he solves the system and gets another set of values ${k',r',t'}$. Then,

$\displaystyle \frac{x}{Q} - \frac{t'}{r'} = \frac{k'}{r'Q}.$

But we have that

$\displaystyle \frac{x}{Q} - \frac{t}{r} = \frac{k}{rQ}.$

This implies that

$\displaystyle \left| \frac{t}{r}-\frac{t'}{r'} \right| < 1/Q,$

which is a contradiction since ${Q}$ is too large. Thus Bob will find the correct value for ${r}$. Further, it is known that integer programming is hard in general, but for a fixed number of variables it is in polynomial time (see also this recent improvement). Thus, Bob can find Alice’s secret with one ${x}$ in polynomial time.

## Hmmmm

You may notice that this problem seems like one that you have seen before. It is the last step of the famous quantum factoring algorithm of Peter Shor, with a small twist. One twist is that in Peter’s case the ${r}$ is not restricted to be an odd integer.

In the quantum factoring algorithm the last step is not done by using integer programming. Rather Peter notes that ${\frac{x}{Q}}$ needs only to be rounded down to recover ${\frac{t}{r}}$. This is essentially a very special integer program that can be solved in polynomial time by the computation of the continued fraction approximations to ${\frac{x}{Q}}$.

## A Harder Game

Let’s make things harder for poor Bob. Alice will select a ${t}$ and compute ${\psi(r,t)=x}$ as before. But now she will reveal to Bob not all the bits of ${x}$, but only some of them. Fix a number ${m < n}$; then she will reveal only ${m}$ bits of ${x}$. Call this version of the game ${{\cal G}_{n,m}}$.

More precisely, after Alice generates ${x}$, Bob can ask for any particular ${m}$ of the bits. For example, if ${m=2}$ he could ask for the value of ${x}$ modulo ${4}$; if ${m=3}$, he could ask for the top three bits of ${x}$. Each time that Alice selects an ${x}$, Bob can ask for another ${m}$ bits.

We have just argued that Bob wins the game ${{\cal G}_{n,n}}$ in polynomial time. This is essentially the argument used by Peter in his famous factoring algorithm. Now we ask the following: what is the computational complexity of the game if ${m}$ is much smaller than ${n}$? The reason this is interesting, I think, is the following theorem:

Theorem 1 If the game ${{\cal G}_{n,m}}$ can be solved in polynomial time where ${m}$ is logarithmic in ${n}$, then integer factoring is in polynomial time.

Ken and I, with Atri Rudra, have proved this theorem together. Curiously the only proof we know right now is via a general theorem in our paper on the simulation of quantum algorithms. Our Theorem 5.1 allows taking ${m}$ (there called “${r}$“) to be much larger, at the cost of getting a less efficient algorithm for factoring. For example, if ${m=n^{1/4}}$, then it gives an ${\tilde{O}(2^{n^{1/4}})}$-time probabilistic algorithm for factoring, which is better than the roughly ${\tilde{O}(2^{n^{1/3}})}$ time currently known. There are also possibilities for using other kinds of partial information about the period, along lines we began describing at the end of this post.

## Hard But Interestingly Hard?

The reason the game is hard is that each successive gift of ${m}$ bits comes from a different ${x}$. Even though Bob can ask for the topmost ${m}$ bits on one query, the second ${m}$ bits on the next query, down to the last ${m}$ bits, these do not allow piecing together all the bits of a single ${x}$.

If the values of ${x}$ were random, then the sequences of ${m}$ bits would be random, and Bob would gain no useful information. However, even though ${t}$ is generated uniformly at random, the domain of corresponding ${x}$‘s has large gaps owing to ${Q}$ being bigger than ${r}$. The question is whether the length-${m}$ segments of ${x}$ that Alice reveals would look random. We might expect that the lower ${m}$ is, and the lower the order of bits in the segment selected by Bob, the closer the distribution of of Alice’s answers would be to random. At what low points does Bob stop having useful distributional information to win the game ${{\cal G}_{n,m}}$? That is the question.

We see a potential win-win situation here. If the game is easy to solve, then we have a new efficient factoring algorithm—or at least a better one in cases of ${m = n^{\epsilon}}$. If, on the other hand, it is hard to solve even for such ${m}$, then ${\psi(r,t)}$ becomes a simple new type of function with potentially useful cryptographic properties. The function ${\psi(r,t)}$ is easy to compute—just a few operations. Could it be used to create very efficient crypto-system?

## Open Problems

What is the status of this game ${{\cal G}_{n,m}}$, for various ${m}$?

Another open problem is, can we prove the above theorem by a direct argument that avoids any use of quantum methods?

Developing: We note last week’s story on the paper by Arjen Lenstra and James Hughes and Maxime Augier and Joppe Bos and Thorsten Kleinjung and Christophe Wachter on vulnerabilities en-masse of public RSA keys, and further developments. This is not related to the above post, which we originally drafted last month. We also note the recent discovery (by declassification) of John Nash’s 1955 letter to the NSA; here is Noam Nisan’s post on it.

1. February 20, 2012 9:41 pm

Several years ago, at dinner, after the traditional Israeli theory day that takes place at the Open University in Raanana, somebody asked one of the speakers, who is among the greatest researchers in the world in cryptography and theoretical computer science, if factoring will turn out to be easy or hard. The speaker thought for a short while and then said, perhaps off hand, and perhaps anticipating the next question: “I guess it might turned out to be easy.” The next question was: “If factoring will turned out to be easy, what is the point in all the large body of practical and theoretical work which is based on the assumption that factoring is hard?”, the speaker smiled and then she said “because it is hard now!”