Improved Factorization of \(N=p^rq^s\)

Abstract

Boneh et al. showed at Crypto 99 that moduli of the form \(N=p^rq\) can be factored in polynomial time when \(r \ge \log p\). Their algorithm is based on Coppersmith’s technique for finding small roots of polynomial equations. Recently, Coron et al. showed that \(N=p^rq^s\) can also be factored in polynomial time, but under the stronger condition \(r \ge \log ^3 p\). In this paper, we show that \(N=p^rq^s\) can actually be factored in polynomial time when \(r \ge \log p\), the same condition as for \(N=p^rq\).

A Proof of Theorem 6

In this section we use an application of LLL for simultaneous Diophantine approximation; we recall the theorem from [LLL82].

Theorem 7

There exists a polynomial time algorithm that, given a positive integer n and rational numbers \(e_1, e_2, \ldots , e_n, \varepsilon \) satisfying \(0< \varepsilon <1\), finds integers \(p_1, p_2, \dots , p_n, q\) for which

$$|p_i-q e_i| \leqslant \varepsilon \text{ for } 1 \leqslant i \leqslant n, \text{ and } \; 1 \leqslant q \leqslant 2^\frac{n(n+1)}{4} \varepsilon ^{-n}.$$

1.1 A.1 A Preliminary Lemma

We first provide a preliminary lemma to find integers \(a_i, b_i\) and u such that \(a_1 \cdot r_i=u \cdot a_i +b_i\) for \(1 \le i \le \ell \), where the integers \(a_i\) and \(b_i\) are relatively small, and u is relatively large.

Lemma 1

Let \(\ell \ge 1\), let \(r_1 \ge r_2 \ge \cdots \ge r_\ell >0\) be integers and let \(\varepsilon \) with \(0< \varepsilon <1\). One can compute in polynomial time integers u, \(a_i\) and \(b_i\) such that for all \(1 \le i \le \ell \), \(a_1 \cdot r_i=u \cdot a_i +b_i\), with \(a_1 \ne 0\), \(u>(1-\varepsilon ) \cdot r_1-1\), and for all \(1 \le i \le \ell \), \(0 \le a_i \le 2^{\ell ^2/4} \cdot \varepsilon ^{-(\ell -1)}\) and:

$$\begin{aligned} 0 \le b_i < a_1 + 2 \cdot r_1 \cdot \varepsilon \cdot \frac{r_1}{r_\ell } \end{aligned}$$

(4)

Proof

If \(\ell =1\) we take \(u=r_1\), \(a_1=1\) and \(b_1=0\). We now consider the case \(\ell \ge 2\). We start by finding \(\ell \) small integers \(a_1,\ldots ,a_\ell \) and \(\ell -1\) small integers \(c_2,\ldots ,c_\ell \) such that:

$$\begin{aligned} 2 \le i \le \ell , ~~~~r_1 \cdot a_i - r_i \cdot a_1=c_i \end{aligned}$$

(5)

For this we apply Theorem 7 with \(n:=\ell -1\) and \(e_{i-1}: = r_i/r_1\) for \(2 \leqslant i \leqslant \ell \). This gives integers \(a_1,a_2,\ldots ,a_\ell \) such that \(|a_i-a_1 \cdot r_i/r_1| \le \varepsilon \) for all \(2 \le i \le \ell \). Therefore we obtain (5) with

$$2\le i \le \ell ,~~|c_i| \le r_1 \cdot \varepsilon , \text{ and } 1 \le a_1 \le 2^{\ell ^2/4} \cdot \varepsilon ^{-(\ell -1)}$$

From (5), we have \(a_i =(c_i + r_i \cdot a_1)/r_1\), which gives using \(r_i \le r_1\) and \(0< \varepsilon <1\):

$$ -1< - \varepsilon< - \varepsilon + \frac{r_i \cdot a_1}{r_1} \le a_i =\frac{c_i + r_i \cdot a_1}{r_1} \le \varepsilon + \frac{r_i \cdot a_1}{r_1} < 1 + a_1, $$

and since \(a_1\) and \(a_i\) are integers, as required we must have \( 0 \le a_i \le a_1 \le 2^{\ell ^2/4} \cdot \varepsilon ^{-(\ell -1)}\) for all \(2 \le i \le \ell \).

We now show how to generate the integers u and \(b_i\). We let:

$$ u:= \min \left\{ \left\lfloor \frac{r_i \cdot a_1}{a_{i}} \right\rfloor \text{ for } {1\leqslant i \leqslant \ell }, \mathrm{with}\ a_i \ne 0 \right\} .$$

We know that such u exists because \(a_1 \ne 0\). We take the largest index j such that \( u=\lfloor r_j \cdot a_1 /a_{j} \rfloor \). Using \(r_1 \cdot a_j-r_j \cdot a_1=c_j\) with \(|c_j| \le r_1 \cdot \varepsilon \) we obtain as required:

$$ u=\left\lfloor \frac{r_j\cdot a_1}{a_j} \right\rfloor >\frac{r_j\cdot a_1}{a_j}-1 =r_1 - \frac{c_j}{a_j}-1 \ge r_1-\frac{r_1 \cdot \varepsilon }{a_j}-1 \ge {r_1} \cdot (1-\varepsilon )-1.$$

We let \(b_i:=r_i \cdot a_1-u \cdot a_i\) for all \(1 \le i \le \ell \), which gives as required:

$$\begin{aligned} r_i \cdot a_1 = u \cdot a_i + b_i \end{aligned}$$

(6)

and by definition of u we must have \(b_i \ge 0\) for all \(1 \le i \le \ell \).

By multiplying Eq. (6) where \(i=1\) by \(a_i\), we obtain \(r_1 \cdot a_1 \cdot a_i= u \cdot a_1 \cdot a_i + b_1 \cdot a_i\). Furthermore, by multiplying Eq. (6) by \(a_1\), we obtain \(r_i \cdot a_1 \cdot a_1= u \cdot a_i \cdot a_1 + b_i \cdot a_1\). Eventually, subtracting both relations and combining with (5) allows us to obtain:

$$\begin{aligned} b_1 \cdot a_i-b_i \cdot a_1=c_i \cdot a_1 \end{aligned}$$

(7)

From \(0 \le a_i \le a_1\) for all \(1 \le i \le \ell \), we obtain for all \(1 \le i \le \ell \):

$$\begin{aligned} b_i =\frac{b_1 \cdot a_i}{a_1}-c_i \le \frac{b_1 \cdot a_i}{a_1} +|c_i| \le b_1 +|c_i|. \end{aligned}$$

(8)

Moreover for index j by definition of u the integer \(b_j\) is the remainder of the division of \(r_j \cdot a_1\) by \(a_j\), therefore \(0 \le b_j<a_j\). Using \(b_1 = (b_j+c_j)a_1/a_j\) from (7), we obtain using (8) and \(|c_j| \le r_1 \cdot \varepsilon \), for all \(1 \le i \le \ell \):

$$\begin{aligned} b_i&\le b_1 + |c_i| \le \frac{(b_j+|c_j|) \cdot a_1}{a_j} +|c_i| \\&< \left( 1+ \frac{|c_j|}{a_j} \right) a_1 + |c_i| \le \left( 1+ \frac{2 \cdot r_1 \cdot \varepsilon }{a_j} \right) \cdot a_1 \end{aligned}$$

From the definition of j we have \(r_j/a_j \le r_1/a_1\), and therefore \(a_1/a_j \le r_1/r_j\), which gives:

$$\begin{aligned} b_i < a_1 + 2 \cdot r_1 \cdot \varepsilon \cdot \frac{r_1}{r_j} \end{aligned}$$

(9)

Eventually from \(r_j \ge r_\ell \) we obtain (4); this proves Lemma 1.    \(\square \)

1.2 A.2 Factoring N with Gaps

Using the previous lemma we show that \(N=\prod _{i=1}^k p_i^{r_i}\) can be factored in polynomial time under the condition that the largest exponent \(r_1\) is large enough, and moreover there should be a gap between \(r_\ell \) and \(r_{\ell +1}\) for some \(\ell <k\), or all the \(r_i\)’s should be large enough. We later show how to remove this additional condition, in order to get a condition on \(r_1\) only, as required in Theorem 6.

Lemma 2

Let \(k \geqslant 2\) be fixed and let \(N=\prod _{i=1}^k p_i^{r_i}\) with \(r_1 \geqslant r_2 \geqslant \dots \geqslant r_k\), and let \(p:= \max \{p_i, 1 \leqslant i \leqslant k\}\). Let \(\ell \in {\mathbb Z}\) with \(1 \le \ell \le k\) be such that \(r_1/r_\ell \leqslant \log ^{ \rho } p\) and \(r_1/r_{\ell +1} > \log ^{(\ell -1)(\rho +1)+1} p\) if \(\ell <k\). One can recover a non-trivial factor of N in polynomial time in \(\log N\) if \(r_1 = \varOmega (\log ^{(\ell -1)(\rho +1)+1} p)\).

Proof

As previously we can assume that the exponents \(r_i\)’s are known; otherwise we can recover them by exhaustive search in time \(\mathcal{O}(\log ^k N)\); for a fixed k this is still polynomial in \(\log N\).

We let \(\varepsilon :=1/\log ^{\rho +1} p\). From Lemma 1 we compute in polynomial time integers u, \(a_i\) and \(b_i\) such that for all \(1 \le i \le \ell \):

$$a_1 \cdot r_i=u \cdot a_i +b_i$$

In Lemma 1 the integers \(a_i\)’s and \(b_i\)’s are all non-negative. Therefore we can write:

$$ N^{a_1}=\prod \limits _{i=1}^k p_i^{a_1 \cdot r_i}=\left( \prod \limits _{i=1}^\ell p_i^{a_i} \right) ^{\!\!u} \left( \prod \limits _{i=1}^\ell p_i^{b_i} \prod \limits _{i=\ell +1}^k p_i^{a_1 \cdot r_i}\right) = P^uQ,$$

where

$$ P:=\prod _{i=1}^\ell p_i^{a_i},\qquad Q:=\left( \prod \limits _{i=1}^\ell p_i^{b_i} \right) \left( \prod \limits _{i=\ell +1}^k p_i^{a_1 \cdot r_i}\right) $$

According to Theorem 4, one can therefore apply the BDH factorization method on \(N=P^u Q\) to recover P and Q in polynomial time in \(\log N\) if \(u=\varOmega (\log Q)\). Using \(u>(1-\varepsilon ) \cdot r_1-1\), we get the sufficient condition \(r_1=\varOmega (\log Q)\). When \(\ell <k\), we have:

$$\log Q = \left( \sum \limits _{i=1}^\ell b_i \log p_i + \sum \limits _{i=\ell +1}^k a_1 \cdot r_i \log p_i \right) $$

Using (4) from Lemma 1, and \(r_i \le r_{\ell +1}\) for all \(\ell +1 \le i \le k\), we obtain:

$$\begin{aligned} \log Q&< \left( \ell \cdot \left( a_1 +2\cdot r_1 \cdot \varepsilon \cdot \frac{r_1}{r_\ell } \right) +(k-\ell ) \cdot a_1 \cdot r_{\ell +1} \right) \cdot \log p \end{aligned}$$

Under the conditions of Lemma 2 we have \(r_1/r_\ell \leqslant \log ^{ \rho } p\) and moreover we have \(r_1/r_{\ell +1} > \log ^{(\ell -1)(\rho +1)+1} p\), which gives:

$$ \log Q < a_1 \cdot k \cdot \log p+2k \cdot r_1 \cdot \varepsilon \cdot \log ^{ \rho +1} p +(k-\ell ) \cdot a_1 \cdot r_1 \cdot \log ^{-(\ell -1)(\rho +1)} p $$

From Lemma 1 and using \(\varepsilon =1/\log ^{\rho +1} p\), we have:

$$\begin{aligned} 0 <a_1 \le 2^{\ell ^2/4} \varepsilon ^{-(\ell -1)} \le 2^{k^2/4} \cdot \log ^{(\rho +1)(\ell -1)} p \end{aligned}$$

(10)

and therefore we obtain:

$$\begin{aligned} \log Q < k \cdot 2^{k^2/4} \cdot \log ^{(\rho +1)(\ell -1)+1} p+2k \cdot r_1 +(k-\ell ) \cdot 2^{k^2/4} \cdot r_1 \end{aligned}$$

(11)

Similarly when \(\ell =k\), we have:

$$ \log Q = \sum \limits _{i=1}^k b_i \log p_i \le k \cdot 2^{k^2/4} \cdot \log ^{(\rho +1)(\ell -1)+1} p+2k \cdot r_1 $$

Therefore (11) holds for any \(1 \le \ell \le k\).

Recall that to recover P and Q in polynomial time we must ensure \(r_1=\varOmega (\log Q)\). Since k is fixed, from (11) it suffices to have

$$\begin{aligned} r_1=\varOmega \left( \log ^{(\rho +1)(\ell -1)+1} p \right) . \end{aligned}$$

(12)

Finally since \(r_1=\varOmega (a_1 \log p)\) we must have \(r_1>a_1\) for large enough \(\log p\). This gives \(0<a_1<r_1\) and therefore \(1<P<N\); therefore P is a non-trivial factor of N. We can therefore obtain a non-trivial factor of N in polynomial time under condition (12); this proves Lemma 2.    \(\square \)

1.3 A.3 Proof of Theorem 6

The reasoning is exactly the same as in [CFRZ16], so we only provide a proof sketch. We define the same sequence \(\rho _1=0\) and for all \(1 \le \ell \le k-1\):

$$\rho _{\ell +1}=(\ell -1)(\rho _\ell +1) +1$$

which gives:

$$\rho _{\ell } = 1 + 2 \sum \limits _{i=1}^{\ell -2} \prod \limits _{j=i}^{\ell -2} j$$

The only difference is that in Lemma 2 we have a slightly improved condition on \(r_1\) compared to [CFRZ16, Lemma 3]. More precisely, our condition is now \(r_1 = \varOmega (\log ^{(\ell -1)(\rho +1)+1} p )\) instead of the condition \(r_1 = \varOmega (\log ^{2(\ell -1)(\rho +1)+1} p )\). Therefore we can define the sequence:

$$\begin{aligned} \theta _k=(k-1)(\rho _k+1)+1 \end{aligned}$$

(13)

instead of \(\theta _k=2(k-1)(\rho _k+1)+1\), and as in [CFRZ16] we obtain that we can find a non-trivial factor of N in polynomial-time under the condition \(r_1=\varOmega (\log ^{\theta _k} p)\).

From (13) we have \(\theta _2=3\) and for all \(k \ge 3\):

$$ \theta _k = (k-1)(\rho _k+1)+1 = (k-1)\left( 2 + 2 \sum \limits _{i=1}^{k-2} \prod \limits _{j=i}^{k-2} j\right) +1$$

which gives eventually:

$$\begin{aligned} \theta _k=2(k-1)\left( 1+ \sum \limits _{i=1}^{k-2} \prod \limits _{j=i}^{k-2} j\right) +1 \end{aligned}$$

(14)

Finally we obtain from (14):

$$\begin{aligned} \theta _k= & {} 1+2 \cdot (k-1) \cdot \left( 1+\sum \limits _{i=1}^{k-2} \frac{(k-2)!}{(i-1)!} \right) = 1+2 \cdot (k-1) \cdot \sum \limits _{i=1}^{k-1} \frac{(k-2)!}{(i-1)!} \\= & {} 1+2 \cdot \sum \limits _{i=1}^{k-1} \frac{(k-1)!}{(i-1)!} =1+2 \cdot \sum \limits _{i=0}^{k-2} \frac{(k-1)!}{i!}=2 \cdot \sum \limits _{i=0}^{k-1} \frac{(k-1)!}{i!}-1 \end{aligned}$$

Using \(\sum _{i=0}^\infty 1/i!=e\) we obtain:

$$\theta _k=2 \cdot (k-1)! \cdot \left( e-\sum \limits _{i=k}^\infty \frac{1}{i!} \right) -1$$

which gives eventually for large k:

$$ \theta _k=2e \cdot (k-1)! -1-\circ (1)$$

This terminates the proof of Theorem 6.

1.4 A.4 Comparison with [CFRZ16]

In Table 3, we provide the first values of \(\theta _k\), where the condition on the largest exponent \(r_1\) to find a non-trivial factor of \(N=\prod _{i=1}^k p_i^{r_i}\) with k prime factors is \(r_1=\varOmega (\log ^{\theta _k} \max _i p_i)\), and for comparison, we also provide the results obtained in [CFRZ16].

Table 3. Values of \(\theta _k\) in [CFRZ16] and in Theorem 6, for a modulus \(N=\prod _{i=1}^k p_i^{r_i}\) with k prime factors. The condition on the largest exponent \(r_1\) is \(r_1=\varOmega (\log ^{\theta _k} \max _i p_i)\).

Asymptotically we have obtained:

$$ \theta _k=2e \cdot (k-1)! -1-\circ (1)$$

instead of \( \theta _k=4e \cdot (k-1)! -3-\circ (1)\) in [CFRZ16].