WO2020231439A1 - Method and apparatus for factoring large integers - Google Patents

Method and apparatus for factoring large integers

Publication number
WO2020231439A1
Authority
WO
WIPO (PCT)
Prior art keywords
signal
computer
equations
supercongruence
mod
Prior art date
Application number
PCT/US2019/032681
Other languages
French (fr)
Inventor
Giorgio Coraluppi
Original Assignee
Compunetix, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Compunetix, Inc. filed Critical Compunetix, Inc.
Priority to PCT/US2019/032681 priority Critical patent/WO2020231439A1/en
Publication of WO2020231439A1 publication Critical patent/WO2020231439A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes


Abstract

This patent describes a method, apparatus and computer program which factor a large integer $N_0$ in a time of the order of $p^2 \cdot \log_p^4 N_0$, where p denotes a prime.

Description

METHOD AND APPARATUS FOR FACTORING LARGE INTEGERS

CROSS-REFERENCE TO RELATED APPLICATIONS

I. FIELD OF THE INVENTION

The present invention is related to solving an equation in two or more unknown integer variables, where each variable is represented by a multiplicity of multiples of powers of an odd prime p. Specifically, the present invention is related to factoring an integer $N_0$ by restating the problem into the factorization of an appropriate integer N which is a quadratic residue modulo p, then factoring N in a time of order of
Figure imgf000002_0001

II. BACKGROUND

The problem of resolving a large integer into the product of its prime factors has stimulated the intellectual curiosity and the imagination of many generations of mathematicians.

In 1801 Gauss wrote: "the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated." [1, 397]

The problem has attracted renewed interest, ever since R.L. Rivest, A. Shamir and L. Adleman proposed an encryption method which is based on the computational difficulty of the factorization problem [2].

This note introduces a method and apparatus which allows the factorization of a large odd integer N in logarithmic time.

III. SUMMARY
The present invention pertains to a method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s. The method comprises the steps of storing the signal W in a non-transient memory. There is the step of decoding with a second computer in communication with the memory the signal W in the memory with the second computer generated steps of selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities $p^{n_0 - 1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo $p^{n_0}$; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to

$N \equiv A^2 \pmod{p^n}$ (1)

by using the representation
Figure imgf000003_0001
where $\omega_i$ satisfies the condition

$0 < \omega_i < p^{n-i}$ (3)

There is the step of decrypting with the second computer the signal W with the public key $N_0$ and the prime factors of integer $N_0$. There is the step of displaying on a display by the second computer the decrypted signal W. There is the step of reviewing the decrypted signal W and its relevance.
The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s, comprising:

a non-transient memory in which the signal W is stored,

decoding with a CPU in communication with the memory the signal W in the memory that decodes the signal W by the second computer generated steps of selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities $p^{n_0 - 1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo $p^{n_0}$; calculating n satisfying the inequalities $p^{n-1} < N < p^n$ and calculating a solution to

$N \equiv A^2 \pmod{p^n}$ (4)

by using the representation where $\omega_i$ satisfies the condition

$0 < \omega_i < p^{n-i}$ (6)

the CPU decrypting the signal W with the public key $N_0$ and the prime factors of integer $N_0$; and

a display on which the decrypted signal W is displayed so the decrypted signal W can be reviewed to determine the relevance of the decrypted signal W. The display can be a computer screen or smart phone screen or any screen or piece of paper on which the decrypted signal W is printed or any medium on which the decrypted signal W can be reviewed.
The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s, where the signal W has been stored in a non-transient memory of a second computer, having the second computer generated steps of:

selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities $p^{n_0 - 1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo $p^{n_0}$; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to $N \equiv A^2 \pmod{p^n}$ by using the representation
Figure imgf000006_0001
where $\omega_i$ satisfies the condition

$0 < \omega_i < p^{n-i}$ (9)

There is the step of decrypting with the second computer the signal W with the public key $N_0$, and the prime factors of integer $N_0$. There is the step of displaying on a display by the second computer the decrypted signal W for predetermined words to determine the relevance of the decrypted signal W.

IV. BRIEF DESCRIPTION OF THE FIGURES
Figure 1 is a graphical representation of the integer $A^2 - N$.
Figure 2 is a graphical representation of the integer $A \cdot (Y - A)$.
Figure 3 is a graphical representation of the integer $(Y - A)^2$.
Figure 4 is a graphical representation of the integer $X^2$.
Figure imgf000006_0002
Figure 5 is a block diagram regarding the claimed invention.

V. DESCRIPTION OF THE INVENTION: THE PROBLEM

Given a positive odd integer $N_0$, it is desired to determine a pair of integers $(r_0, s_0)$ such that

$N_0 = r_0 \cdot s_0$. (10)
The problem can also be stated as the search for two integers $Y_0$ and $X_0$ such that
Figure imgf000007_0001
The pairs $(r_0, s_0)$ and $(Y_0, X_0)$ are related as follows:
Figure imgf000007_0002
Conversely,
Figure imgf000007_0003
If $r_0 > s_0 > 0$, both $Y_0$ and $X_0$ are positive. In this case it is useful to consider some limit cases in order to develop an appreciation for the magnitude of the variables.

One of the limit cases occurs when the pair $(r_0, s_0)$ is a pair of "twin primes", such as (43, 41). In these cases,
Figure imgf000008_0001
At the other end is the case when $r_0$ approximates $N_0$. At the limit, consider a pair $(r_0, s_0)$ equaling $(N_0, 1)$. Then
Figure imgf000008_0002
Therefore, in all cases
Figure imgf000008_0003
Thus, in all cases, $Y_0^2 > N_0$. In some cases, $X_0^2$ is greater than $N_0$.
VI. A RESTATEMENT

Given $N_0$ and an odd prime p, the general solution of (10) has the following form:
Figure imgf000009_0001
where $\alpha$, $\beta$, $\lambda_0$ and $\mu_0$ denote integers and where $\alpha \cdot \beta \equiv N_0 \pmod p$. If $\alpha$ and $\beta$ are both even or both odd, $\lambda_0$ and $\mu_0$ have the same parity. Otherwise, define $\beta' = \beta + p$ and $\mu'_0 = \mu_0 - 1$. Thus, without loss of generality, it is possible to define two integers $U_0$ and $V_0$ as follows:
Figure imgf000009_0003
Then
Figure imgf000009_0002
The integers $V_0$ and $U_0$ are usually referred to as the symmetric and antisymmetric components of the pair $(r_0, s_0)$, respectively. In general, in the search for $(U_0, V_0)$, all values of $\alpha$ in the interval $1 \le \alpha < p$ may need to be tested.

The complexity of the problem is reduced in the cases when
Figure imgf000010_0001
In such cases $V_0 \equiv 0 \pmod p$.
In order to realize this situation, it is possible to restate the problem of factoring $N_0$ into the problem of factoring some integer N which satisfies (20). To this end, select a prime p such that $N_0$ is a non-quadratic residue modulo p. It will be $p^{n_0 - 1} < N_0 < p^{n_0}$, for some integer $n_0$.

Select a candidate value of $\alpha$, say $\alpha$. Then define $\tau$ by the following:

$N_0 \equiv \tau \cdot \alpha^2 \pmod{p^2}$. (21)

Let $\tau$ denote the least positive residue of (21) modulo $p^2$. Then $\beta \equiv \tau \cdot \alpha \pmod p$.

Since $N_0$ is a non-quadratic residue modulo p, so is $\tau$. If $\tau$ is odd, define the integer N by the following

$N = \tau \cdot N_0$ (22)

where, for some integer n, $p^{n-1} < N < p^n$. Then N is a quadratic residue modulo p and

$N \equiv \tau^2 \cdot \alpha^2 \pmod{p^2}$. (23)

If $p = 4 \cdot k + 1$, then $\tau \not\equiv \pm 1 \pmod p$ for all $\alpha$ and $\tau \not\equiv 1 \pmod p$.

The integer $\tau^2 \alpha^2$ can be partitioned into the product of $\tau \cdot \alpha$ by $\tau \cdot \alpha$ or $-\tau \cdot \alpha$ by $-\tau \cdot \alpha$, yielding
Figure imgf000011_0001
where
Figure imgf000011_0002
and where U and V denote integers. Similar relationships hold if $r \equiv s \equiv -\tau \cdot \alpha \pmod p$. Notice that, if U > 0, r > s.

In the case of (24), it will be
Also, since r is odd,
Figure imgf000012_0001
The factorization problem requires the identification of a pair (U, V) such that, for the corresponding (r, s), it is

$N = r \cdot s$ (28)

If, using the given $\alpha$, the algorithm were successful in factoring N, then r would be divisible
Figure imgf000012_0002
NOTE 1: There is the possibility that $\tau \cdot \alpha$ be divisible by some integer /j = 1 + h ·r with 0 < h < p. In this case, the product $\tau^2 \cdot \alpha^2$ may be partitioned into the pair
Figure imgf000012_0003
which satisfies the second of (20). This case will not be considered here because the pair (X, Y) would not be represented as in (26).

It should be noted that the proposed restatement of the problem is motivated by the convenience of using search tools such as (24) and (26), which operate on lattices of rectangular cells of sides p and $p^2$.

NOTE 2: In general, all the values of $\alpha$ should be tested. Since $N_0$ is a non-quadratic residue modulo p, it is sufficient to test the values of $\alpha$ which are non-quadratic residues modulo p.

NOTE 3: In order to avoid singular cases, it is convenient to select p in such a way that, for all non-quadratic residues modulo p, it is
Figure imgf000013_0001
Such is the case when 2 is a primitive root modulo p.

The prime p was selected of the form $4k + 1$. Also, it has been shown that the integer 2 is a primitive of the primes of the form $8 \cdot k \pm 3$ [3, p.79]. Therefore, 2 is a primitive of the primes defined by

$8 \cdot k \pm 3 = 4 \cdot k + 1$ (30)

or

$p = 4 \cdot \mathrm{ODD} + 1$. (31)
NOTE 4: In general, in (24) the product $\tau \cdot \alpha$ can be replaced by any integer A such that $A^2 \equiv \tau^2 \cdot \alpha^2 \pmod{p^2}$ and $N = \tau \cdot N_0 \equiv A^2 \pmod{p^2}$. In particular, such is the case when

$N \equiv \tau^2 \cdot \alpha^2 \pmod{p^2}$
$\equiv A^2 \pmod{p^{n_0}}$ (32)

Consider the expression of Y when A is used in lieu of $\tau \cdot \alpha$:
Figure imgf000014_0001
for some integer $V_1$.

Recall that, by (16),

$\sqrt{N} < Y < N$. (34)

There are two significant particular cases. If $A < \sqrt{N}$, then $V_1 > 0$. Also, if $A > N$, then $V_1 < 0$. Throughout this presentation, A will be greater than N. For simplicity of notation, the integer V will be constrained to be positive. Then (24) takes the following form:
Figure imgf000015_0001
NOTE 5: A particular definition of N can be produced when $\tau$ is computed modulo $p^{n_0}$. In this case, define the integer $\tau_0$ by the following:

$N_0 \equiv \tau_0 \cdot \alpha^2 \pmod{p^{n_0}}$. (36)

Let $\tau$ denote the least positive residue of $\tau_0$ modulo $p^2$. It will be

$\tau_0 \equiv N_0 \cdot \alpha^{-2} \pmod{p^{n_0}}$
$\equiv \tau \pmod{p^2}$. (37)

Figure imgf000015_0002
odd let
In this case, the magnitude of $N_{\tau_0}$ is of the order of
Figure imgf000016_0001
.
NOTE 6: Consider the case where, after the selection of p and n, the integer U is selected or computed to be $U \equiv u_1 \not\equiv 0 \pmod p$. In this case it would be possible to define an integer $\tau_2$ as the least positive solution of the following:
Figure imgf000016_0002
(mod $p^4$). (39)

Then N could be defined as follows:
Figure imgf000016_0003
and (24) could be replaced by the following:
for some integers $U_2$ and $V_4$.

NOTE 7: There is the possibility that the solution $\tau$ of (21) be even. In this case, let
Figure imgf000017_0001
Then $\tau'$ is odd. Thus, $-\tau'$ may be used in lieu of $\tau$ in (22) and in (24).

As an example, let $N_0 = 73 \cdot 71 = 5{,}183$. If p = 29, $73 = 15 + 2 \cdot p$ and $71 = 13 + 2 \cdot p$. For $\alpha = 15$, $\tau$ is defined by $N_0 \equiv \tau \cdot 15^2 \pmod{p^2}$. The least positive solution is $\tau = 722$. It will be $\tau' = p^2 - \tau = 119$. Then $-N_0 \equiv (p^2 - \tau) \cdot 15^2 \pmod{p^2}$ and $-N_0 \cdot (p^2 - \tau) \equiv (p^2 - \tau)^2 \cdot 15^2 \pmod{p^2}$. Therefore, in this case, define

$N = -(p^2 - \tau) \cdot N_0$. (43)

Then (24) takes the following form where
Figure imgf000018_0001
Consider an algorithm which determines the pair (r, s) by successive approximations. In particular, consider the case when a candidate solution of s is determined sequentially modulo $p, p^2, \ldots, p^k$. In such a case, it is convenient to verify, at each step, whether a proposed candidate solution yields a divisor of $N_0$. Let s denote the least positive residue of s modulo $p^k$. Then let $s_0 = p^k - s$ and verify whether $\gcd(s_0, N_0) \ne 1$. In this presentation, without loss of generality, it will be assumed that r is a positive odd integer.

VII. A NOTE ON THE REPRESENTATION OF N

Given $p^{n-1} < N < p^n$, where N is a quadratic residue modulo p, let
Figure imgf000018_0002
where $\{v_i\}$ denote integers, and $0 < v_i < p$.

It is desired to compute a solution of the following:

$N \equiv A^2 \pmod{p^n}$ (47)

where
Figure imgf000019_0001
(mod $p^n$), (48)

and where

$0 < a_i < p$. (49)

Subject to (49), the solution of (47) is provided by the following:
Figure imgf000020_0001
and $LH_i$ denote the RHS and LHS, respectively, of the congruence containing $v_i$.

The terms $(RH_i - LH_i)/p$ are usually referred to as carries. They are caused by the constraint (49) and flow from the less significant digits to the more significant ones.

As an example, consider the problem of solving

$N \equiv A^2 \pmod{p^5}$, (51)

where N is a quadratic residue modulo p. Assume p = 13 and
Figure imgf000020_0002
= 12,711.

If $0 < a_i < p$, a solution of (51), say A, can be represented as follows:
Figure imgf000021_0001
A second solution of (51) occurs when $a_0 = 6$ is replaced by $a_0 = p - a_0 = 7$. In this case
Figure imgf000021_0002
Consider removing the magnitude constraints (49) from all $a_i$ and representing A as
Figure imgf000021_0003
where the coefficients of any power of p are positive integers and are constrained by the following conditions

$0 < \omega_i < p^{n-i}$ (56)

Then the congruence (51) can be satisfied if the sum of the coefficients of any power of p, say $p^i$, is congruent to zero modulo $p^{5-i}$. Specifically, in the example, it must be
Figure imgf000022_0003
.

In the example, consider the condition

$10 \equiv \omega_0^2 \pmod{p^5}$. (58)

For $\omega_0 \equiv 6 \pmod p$, the least positive solution, say $\omega_0$, is $\omega_0 = 181{,}200$. For
Figure imgf000022_0001
(mod p), it is $\omega_0 = 190{,}093$.

To satisfy the second of (57) when $\omega_0 = 181{,}200$, it must be

$2 \cdot p \equiv 2 \cdot \omega_0 \cdot \omega_1 \cdot p \pmod{p^5}$.

The least positive solution, say
Figure imgf000022_0002
= 18,120.
Thereafter, from the third of (57), let
(mod $p^5$),
whence $\omega_2 = 1{,}814$.

Likewise, from the fourth of (57), let
Figure imgf000023_0001
whence $\omega_3 = 97$.

Finally, from the fifth of (57), let
Figure imgf000023_0002
whence $\omega_4 = 12$. Then

$N \equiv (181{,}200 + 18{,}120 \cdot p + 1{,}814 \cdot p^2 + 97 \cdot p^3 + 12 \cdot p^4)^2 \pmod{p^5}$. (59)

Proceeding in a similar fashion with $\omega_0 = 190{,}093$, it is

$N \equiv (190{,}093 + 10{,}441 \cdot p + 383 \cdot p^2 + 72 \cdot p^3 + 1 \cdot p^4)^2 \pmod{p^5}$. (60)

Comparison of the resulting $\omega_i$ with the corresponding $\omega_i$ yields
Figure imgf000024_0001
or
Figure imgf000024_0002
Thus, in the example,

$181{,}200 + 190{,}093 = p^5$
$18{,}120 + 10{,}441 = p^4$
$1{,}814 + 383 = p^3$ (63)
$97 + 72 = p^2$
$12 + 1 = p$

and

$A + A = p^5$ (64)

Notice that, when A and A are subject to the constraint (49), as in (53) and (54), their sum equals $p^5$.

Comparing the representations of A by (59) and (53), it can be stated that the representation proposed by (59) entails an equipartition of weight among the 5 degrees of freedom of (55).
NOTE 1: In the example, each coefficient $\omega_i$ of A is computed modulo $p^{5-i}$. If the magnitude constraint (49) were to be applied to the coefficients on the RHS of (59) and (60), the coefficients $\omega_i$ would be reduced modulo p and the structure (57) would be demolished.

In practice, the integer N, as represented on the RHS of (59) and (60), should be treated as a polynomial in some integer variable u, say P(u), where P(u) happens to be computed at u = p.

NOTE 2: In (55) the representation of the coefficients
Figure imgf000025_0001
is arbitrary. In (59) and (60) such coefficients are represented in base 10. They may be represented in any other base, such as p.

NOTE 3: It should be noted that in (51) $p^4 < N < p^5$ and in (55) A is being defined modulo $p^5$. In general, such may not be the case. It is possible that A be defined modulo a larger power of p, depending on the requirements of the problem on hand. A similar situation occurs in the domain of irrational numbers, such as $\sqrt{2}$.
Figure imgf000025_0002
may be computed with a large number of decimal digits, depending on the precision required by the problem on hand. No harm is done if the precision of the computed value of $\sqrt{2}$ is greater than needed.

As an example, consider the case when p = 13 and $N_1 < p^2$. Assume that $N_1 = v_0 + v_1 \cdot p = 10 + 2 \cdot p$. It is desired to solve
(mod $p^5$) (65)

In this case the integers $\omega_i$ are defined by the following:
Figure imgf000026_0001
For $\omega_0 \equiv 6 \pmod p$, the result is

$N_1 = 10 + 2 \cdot p \equiv (181{,}200 + 18{,}120 \cdot p + 1{,}291 \cdot p^2 + 23 \cdot p^3 + 2 \cdot p^4)^2 \pmod{p^5}$. (67)

Compare with (59).
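The coefficient-by-coefficient construction of (55) to (57), as an added example that is not part of the patent text: it recomputes the coefficients printed in (59), (60) and (67) for p = 13. The function names are hypothetical, and the per-power congruences are the ones implied by the worked values above, since (57) itself survives here only as a figure placeholder.

```python
# Added example, not code from the patent. Function names are hypothetical.
# Inputs are the page's own p = 13 example: N = 12,711 and N_1 = 10 + 2*p.


def base_p_digits(N, p, n):
    """Digits v_0 .. v_{n-1} of N in base p, so N = sum(v_i * p**i)."""
    return [(N // p**i) % p for i in range(n)]


def lift_sqrt(a, p, n, root_mod_p):
    """Lift a square root of a modulo p to a square root modulo p**n."""
    if p % 2 == 0 or a % p == 0:
        raise ValueError("needs an odd prime p and a value not divisible by p")
    x = root_mod_p % p
    if (x * x - a) % p:
        raise ValueError("root_mod_p is not a square root modulo p")
    for k in range(2, n + 1):
        mod = p**k
        # Newton step: x <- x - (x^2 - a) / (2x); 2x is a unit modulo p^k.
        x = (x - (x * x - a) * pow(2 * x, -1, mod)) % mod
    return x


def weighted_sqrt(N, p, n, root_mod_p):
    """Coefficients w_0 .. w_{n-1}, each reduced modulo p**(n-i), such that
    for every i the coefficient of p**i in (sum w_j p**j)**2 is congruent
    to the base-p digit v_i of N modulo p**(n-i)."""
    v = base_p_digits(N, p, n)
    w = [lift_sqrt(v[0], p, n, root_mod_p)]        # w_0^2 = v_0 (mod p^n)
    for i in range(1, n):
        mod = p ** (n - i)
        # Products w_j * w_{i-j} that do not involve w_0 or w_i.
        cross = sum(w[j] * w[i - j] for j in range(1, i))
        # Solve 2*w_0*w_i + cross = v_i (mod p^(n-i)) for w_i.
        w.append((v[i] - cross) * pow(2 * w[0], -1, mod) % mod)
    return w


def evaluate(w, p):
    """Value of the polynomial sum(w_i * u**i) at u = p."""
    return sum(wi * p**i for i, wi in enumerate(w))


def constrained_digits(w, p):
    """Reapply the magnitude constraint (49): ordinary base-p digits of the
    same root, which discards the per-coefficient structure."""
    n = len(w)
    return base_p_digits(evaluate(w, p) % p**n, p, n)


if __name__ == "__main__":
    p, n, N = 13, 5, 12711
    print("digits of N:", base_p_digits(N, p, n))
    for r in (6, 7):
        w = weighted_sqrt(N, p, n, r)
        print(r, w, evaluate(w, p) ** 2 % p**n == N, constrained_digits(w, p))
    print("N_1 = 10 + 2p:", weighted_sqrt(10 + 2 * p, p, n, 6))
```

Each coefficient is determined only modulo p^(n-i), which is why the two roots' coefficients add up to p^5, p^4, p^3, p^2 and p as in (63).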
NOTE 4: As a further application of this method of representation of integers, consider the problem of computing $A^{-1} \pmod{p^5}$ when A is defined as in (55). Let

$A^{-1} \equiv w_0 + w_1 \cdot p + w_2 \cdot p^2 + w_3 \cdot p^3 + w_4 \cdot p^4 \pmod{p^5}$ (68)

and

$A \cdot A^{-1} \equiv 1 \pmod{p^5}$. (69)

The coefficients $w_i$ should be defined as the least positive solutions of the following:
Figure imgf000027_0001
The product $A \cdot A^{-1}$ also contains the following terms:
VIII. THE ROADMAP

1) Introduction. Definition of M.

Given p and N, select A as one of the solutions of (47) modulo $p^n$, computed using the procedure described in Section VII. Assume $A > p^n$ (64).

Then, using (35), let
Figure imgf000028_0001
where
Figure imgf000028_0002
Referring to (59), recall that each $\omega$ can be represented as
Figure imgf000029_0001
Also,
Figure imgf000029_0003
and
Figure imgf000029_0002
Then
Figure imgf000030_0001
The representation (77) of r and s accounts for the fact that both r and s are smaller than $p^n$. However, using (77), the product of r by s contains powers of p greater than $p^n$, actually as high as $p^{2n-2}$.

In order to uncover the properties which relate the coefficients of (77), it is necessary to compute, and represent without loss of information, the multiples of any $p^i$ which results from the multiplication of r by s. To this end a new modulus is introduced, namely $p^M$, where
Figure imgf000030_0003
(78)

It should be noticed that

1) M is always odd.
2) If $n = 2k + 1$, then $M = 4 \cdot k + 1$.
3) The use of M does not affect the magnitude of N. If $N < p^n$, it can be represented as follows:
Figure imgf000030_0002
4) When M is employed in lieu of n, A should be computed as a solution of the following:

$N \equiv A^2 \pmod{p^M}$. (80)

5) $s = s_0$ and $r > s_0$.
6) A comparable result is achieved when $\tau_0$ is employed in lieu of $\tau$.
2) The Approach

In the case where (79) is employed, reduction of (77) modulo p yields
Figure imgf000031_0001
Then, if the pair $(u_1, u_2)$ is a solution of (81) modulo p, it is
Figure imgf000031_0002
The LHS of this congruence contains a contribution to the set of multiples of $p^3$. This contribution is usually denoted as a "carry". The flow of carries from one digit to the higher powers of p increases the complexity of the factorization problem. The flow of carries would be controlled better if (81) were solved modulo $p^M$ and the pair $(u_1, u_2)$ were defined modulo $p^2$. In this case (82) could take the following form:
Figure imgf000032_0001
This approach would require replacing the magnitude constraints (49) from the elements of $\{u\}$
Figure imgf000032_0002
and assuring that the RHS of congruences such as (83) include all the terms which are multiples of any given $p^i$. Following this procedure, still there would be carries, as shown on the LHS of (83). However, such carries would flow from any given congruence directly into a pool of multiples of $p^M$.

The plan of this presentation consists of analyzing each of the terms of (72) with the appropriate definition of A and resolving them into the sum of powers of p. Then, for any given power of p, say $p^i$, add all the coefficients of $p^i$ which are produced by $A^2 - N$, $-2 \cdot A \cdot (A - Y)$, $(A - Y)^2$ and $-X^2$ and place the condition that their sum be congruent to zero modulo $p^{M-i}$.
9s3) _ The Integer A —N
399 Let A be defined as in (73), where the integers w t are determined using the
400 procedure illustrated in Section VII Thus, for / < M,
02 where
(mod p)
403 (85)
Figure imgf000033_0001
(mod p^2).
In fact, N ≡ T a (mod p^2) and also N ≡ (ω_0 + ω_1 · r ) (mod p^2).
Consider then the integer A^2 - N. As an illustration, refer to Figure 1. The headings of the rows and columns represent the coefficients ω_i of A. Multiplication of A by A generates the products ω_i · ω_j which are represented by the cells of Figure 1. Cells on any given line of slope 1 contribute to the coefficient of the same power of p.
Let LH_i and RH_i denote the LHS and the RHS, respectively, of the congruence containing υ_i. For i < M each (LH_i - RH_i), multiplied by the corresponding p^i, contributes to the resulting polynomial a known multiple of p^M. In fact,
(mod p^M). (86)
Figure imgf000033_0002
For i > M , A contains terms of degree greater than p . The highest power
Figure imgf000034_0001
of p in A - is p . In fact, the highest power of p in A is p . After squaring,
2 2 _
the highest power in this representation of A is p
say
Figure imgf000034_0005
M—j— 1
Figure imgf000034_0002
i = 1
The total contribution, for all / > 0 , is
Figure imgf000034_0003
As a conclusion:
1) For i < M, by (84),
Figure imgf000034_0004
(mod />"). (89)
2) For i = M each of the terms on the corresponding line of slope 1 is a coefficient of p^M.
3) For i > M each of the terms on the corresponding line of slope 1 is a coefficient Refer to Figure 1.
In particular, in the example (59), it is
Figure imgf000035_0002
4) The Relationship Between υ_i and u_{i-1} when
Figure imgf000035_0001
(mod p)
Consider the representation of the pair (r, s) as in (77), where A is constructed as described in Section VII, and Jl is used in lieu of n. Thus, when r is multiplied by s, it is possible to group all the terms which contain any multiple of any given power of p, say p^i, and place the condition that the sum of their coefficients be congruent to zero modulo p^{M-i}.
However, by (84), resolving the integer A^2 - N into its components, the sum of the coefficients of p in (A^2 - N) equals
Figure imgf000035_0003
As a result, consider the case when it is desired to express υ_6 as a function of all the u_i's (1 ≤ i ≤ 5) and the υ_j's (2 ≤ j ≤ 5). It will be
-(2·ω_0·υ_6 + 2·ω_1·υ_5 + 2·ω_2·υ_4 + 2·ω_3·υ_3 + 2·ω_4·υ_2) + 2·υ_2·υ_4 + υ_3^2 ≡ 2·u_1·u_5 + 2·u_2·u_4 + u_3^2 (mod p^{M-6}). (92)
This congruence defines υ_6 modulo p^{M-6} as a function of lesser degree variables. If u_1 ≠ 0 (mod p) and if all the variables of lesser degree are known, (92) defines a linear congruence between υ_6 and u_5 modulo p^{M-6}. After the determination of υ_6, upon multiplication by p^6, it will be
(mod p^M), (93)
Figure imgf000036_0001
where LH_6 and RH_6 denote the LHS and RHS of (92), respectively. The LHS of this latter congruence is a multiple of p^M and does not contain any power of p greater than p^M.
In general, for 2 ≤ i ≤ M - 1,
u_1 ≠ 0 (mod p)
Figure imgf000036_0002
k = 2 k = 2 k = 1
The first summation on the LHS of (94) contains terms which result from the multiplication of -2 · A by (A - Y), when A is represented as described in Section VII. The second summation on the LHS results from (A - Y)^2.
5) The Product 2 · A · (A - Y)
Figure 2 illustrates the product A · (A - Y). The columns are headed by the coefficients υ_i of p^i in Y. The rows are headed by the coefficients ω_j of p^j in A. Some of the cells represent products ω ·
Figure imgf000037_0001
which have been included in (94). Refer to (92) as an example. As a further example, the cells on the line of slope 1 which contains ω_0 · υ_{M-1} and ω_{M-3} · υ_2 represent coefficients of p which are employed to write (94) modulo p .
The cells on the line of slope 1 which contains ω_{M-1} · υ_2 represent coefficients of p^{M+1} and are not included in (94).
Figure imgf000037_0002
The highest power of p contained in 2 · A · (A - Y) is p , obtained through the product of ω_{M-1} · p^{M-1} by υ_{M-1} · p^{M-1}.
6) The Integer (A - Y)^2
Figure 3 illustrates (A - Y)^2. Rows and columns are headed by the coefficients υ_i of m Some of the cells represent products υ_i · υ_j which have been included in (94). Refer to (92) as an example.
Since the largest power of p in Y is p^{M-1}, (94) must also be written for i = M - 1. Then the LHS of (94) must include cells representing the products υ_2 · υ_{M-3}, υ_3 · υ_{M-4}, etc. Cells representing coefficients of higher powers of p are not absorbed into (94) and contribute to Σ_0, when Σ_0 denotes the sum of all the products υ_i · υ_j · p^i · p^j which have not been absorbed as terms of any of the congruences (94). It will be
+ 2 M- 2 2
R V - I'
7) The Integer X^2
Figure 4 illustrates X^2. Rows and columns are headed by the coefficients u_i of p^i in X. Some of the cells represent products u ·
Figure imgf000038_0001
which have been included in (94). Refer to (92) as an example.
Since the largest power of p in X is p^{M-1}, (94) must also be written for i = M - 1. Then the RHS of (94) must include cells representing the products u_2 · u_{M-3}, u_3 · u_{M-4}, etc. The cells on the line of slope one which contains u_1 · u_{M-1} represent multiples of p^M. The cells on the line of slope one which contains u_2 · u_{M-1} represent multiples of p^{M+1}. In general, let X_0 denote the sum of the products u_i · u_j · p^i · p^j which have not been absorbed as terms of any of the congruences (94). It will be
Consider the case when u_{M-1} = 0 and u_{M-2} ≠ 0. In this case u_2 · u_{M-1} = 0. Then the line of slope one containing multiples of p^{M+1} does not contain any cell which has a coefficient of p^{M+1} dependent on u_2. Refer to Figure 4. If u_{M-2} ≠ 0, the sum of the coefficients of p^{M+1} includes a term dependent on u_3.
IX. THE RELATIONSHIP
Figure imgf000039_0001
1) The Approach
Figure imgf000039_0002
Consider the general expression of (r, s) (77). Multiply r by s modulo p . Using (94), it will be
(mod p^M), (97)
Figure imgf000039_0003
where the LH_i and RH_i denote the LHS and RHS of (94), respectively.
Therefore, 97) (98)
Recall that, when using (94), for i ≤ M - 1, the multiples of p^M produced by (97) do not contain any power of p greater than p^M. Thus, their presence on the RHS of (98) does not interfere with the process of analyzing the coefficients of higher powers of p.
A relationship between υ_i and u_i can be produced by placing the condition that the carries flow from any power of p greater than p^M, say p^{M+j} (j ≥ 1), to higher powers of p, say p^{M+j+1}. This condition implies that the sum of the coefficients of any power of p greater than p^M equal zero modulo p^j and no carry flows into
Figure imgf000040_0001
Starting from the highest power of p, observe that in (95) the highest power of p is p^{2M-2}. In fact, Y < p^M and the highest power of p in Y is p^{M-1}. After squaring, the highest power is p^{2M-2}. A similar situation occurs for A^2 - N, where
QM- 2 w M- \ · (99)
Concerning the product -2 A 'VM_ j , the highest power of p it contains is p^{2M-2}, with a coefficient
Figure imgf000040_0002
Then
Figure imgf000040_0003
As a result,
or
Figure imgf000041_0001
Consider (98) in the case when u_{M-1} > 0 and
Figure imgf000041_0002
. The second highest power of p in Σ_0 is p^{2M-3}. The same is true in A^2 - N. In -2 · A · (A - Y) the coefficient
Figure imgf000041_0003
Therefore,
0
Figure imgf000041_0004
or
Figure imgf000041_0005
By (102), if u_{M-1} ≠ 0 and ω_{M-1} - υ_{M-1} = u_{M-1}, it must be
ω_{M-2} - υ_{M-2} = u_{M-2} (105)
At the next iteration, the contributions to (98) are the following multiples of p^{2M-4}:
Figure imgf000042_0002
Therefore,
Figure imgf000042_0001
(107)
By (102) and (105),
ω_{M-3} - υ_{M-3} = u_{M-3} (108)
At every iteration the sequence produces a similar relationship between and u_i. The sequence ends after it concludes that
ω_2 - υ_2 = u_2 (109)
In general
(110)
Figure imgf000043_0002
These conclusions were reached without interference from (97), which contains multiples of p^M only. Indeed, the last equation in the sequence, the one which produced (109), is an equation which operates on multiples of p^{M+1}. Refer to (94) and the illustration in Figure 3.
Consider the representation of the pair (r, s) as in (77). Substitution of (110) into (77) yields
Figure imgf000043_0001
or
Figure imgf000044_0001
3) The Case when ω_{M-1} - υ_{M-1} = -u_{M-1}
Consider (98) in the case when u_{M-1} > 0 and ω_{M-1} - υ_{M-1} = -u_{M-1}. In this case (104) yields
ω_{M-2} - υ_{M-2} = -u_{M-2} (113)
Likewise, (107) yields
ω_{M-3} - υ_{M-3} = -u_{M-3} (114)
and, in general,
(115)
Figure imgf000044_0002
In this case, substitution of (115) into (77) yields
or
Figure imgf000045_0001
NOTE 1: There are two sets of conditions which can assist in the solution of the factorization problem. The first set are the congruences (94). If u_1 ≠ 0 (mod p), for 2 < i < M they establish linear relationships between υ_i and u_{i-1} modulo p^{M-i} when the variables υ_j and u_j of lesser degree are known. Refer to the example in (92).
The second set are the equations (110) or (115).
Substitution of (110) into (77) produced (111) and (112). Substitution of (115) into (77) produced (116) and (117).
NOTE 2: Using (111) or (112) to compute (r + s)/2 and (r - s)/2 produces the same results as (77). The benefit of (111) and (112) lies in the fact that, when r is multiplied by s modulo p^M, the product does not contain any power of p higher than p^M. Also, except for u_1, with u_1 ≠ 0 (mod p), (112) and (111) are linear functions which contain only the set { u,} or { uf } , respectively. Similar considerations apply to (116) and (117).
4) The Case when u_{M-1} = 0
Consider the case when u_{M-1} = 0. In this case, equation (102) becomes
ω_{M-1} - υ_{M-1} = 0. (118)
Therefore, no information can be produced using (104). However, (107) yields
ω_{M-2} - υ_{M-2} = ± u_{M-2} (119)
If u_{M-2} ≠ 0, the process can be continued until it concludes that
ω_3 - υ_3 = u_3 (120)
or
Figure imgf000046_0001
In fact, if u_{M-1} = 0, w3 · p^3 is the lowest degree element which, when multiplied by u_{M-2} · p^{M-2}, produces a multiple of p^{M+1}. Again, there is the possibility that u_{M-2} be zero. In this case (110) or (115) are applicable only when i equals or exceeds 4. The situation is illustrated by Section VIII.7 and Figure 4.
In general, assume that ΐ cm 0 modulo p and u_{M-j} = 0 for 1 < j ≤ j_0. Then (110) is applicable only for
Figure imgf000046_0002
2 . In these cases the general expression of the pair (r, s) is
Figure imgf000047_0001
Compare with (111). Also, in this case, (112) becomes
Figure imgf000047_0002
Similarly, if (93) is used in lieu of (110), (116) is replaced by
Figure imgf000047_0003
and (117) is replaced by
Figure imgf000048_0002
Notice that a priori there is no knowledge of whether u_{M-1} is or is not zero. The same is true for u_{M-2}, etc. Therefore, at this point, j_0 is an undetermined integer.
NOTE 1: When using (124) and (122), the pair (r, s) is dependent on the set { ut} and on the first elements of { u{ } , for 2 < / ≤ j_0 + 1. In such cases, the general expression of (r, s) is
Figure imgf000048_0001
where
or
Figure imgf000049_0001
where
Figure imgf000049_0002
X. THE PROCESS
1) The Case when u_{M-1} ≠ 0 (j_0 = 0)
1.1) Overview
Consider the case when u_{M-1} ≠ 0. In this case (111) becomes
Figure imgf000049_0003
If
(mod p)
(131)
Figure imgf000050_0001
(mod p) ,
multiplication of r by s modulo p^M yields
Figure imgf000050_0003
Let RH(132)_i and LH(132)_i denote the RHS and the LHS, respectively, of that congruence in (132) which is defined modulo p^{M-i}. Then, it must be
Figure imgf000050_0002
(mod p^{M-i}). (133)
Define
C(132)_i = (RH(132)_i - LH(132)_i) / p^{M-i}. (134)
There is one condition which is not contained in (132): that is the condition that the sum of all the multiples of p^M in the system be equal to zero. Specifically, refer to
, the highest power of p is produced when (ω_1 - u_1) p is multiplied There are other multiples of p^M in the system, specifically Q · p^M, and the integers C(133)_i · p^M for i ≥ 2. (Refer to (87) and (91)). e sum of all the coefficients of p^M, it must be
Figure imgf000051_0001
Figure imgf000051_0002
1.2) Tidbits
NOTE 1: Refer to (77). By (7), X < N. The magnitude of the integer X is not dependent on the representation of N. If N and X were represented in base p, and X were to approximate closely N, it would be 0 < u_{M-1} < p and one of the two factors of N would approximate closely 1.
NOTE 2: In general, the integers N_0 are pre-screened to test divisibility by the first elements of the sequence of primes. Thus, it is reasonable to assume that in all cases u_{M-1} = 0. Recall that the representation of U as in (73), where { ut} are pM 1 - constrained positive integers, offers many degrees of freedom and no practical limitation on the magnitude of U results when u_{M-1} is set equal to zero. In fact, any integer U can be represented by a multitude of selections of the set ( K ,
NOTE 3: There is a peculiar situation when the pair (r, s) can be described as in (130).
- 2
Consider the case when v0 is a perfect square, say v¾ = AQ <p . In these cases w 0 is a small integer and w 0 = AQ Then the second of (130) yields
Figure imgf000052_0001
Some cases were observed when vQ= A0 <p, s was two digits long in base p and u_{M-1} was nonzero.
^ 2 2
NOTE 4: In this presentation it will be assumed that w0 >p .
2) The Case when j_0 = 1 (u_{M-1} = 0 and u_{M-2} ≠ 0)
2.1) Overview
Consider the case when it has been assumed that
Figure imgf000052_0002
x = 0. It is desired to determine a pair of divisors (r, s) when u_{M-2} ≠ 0, if such a pair exists. In this case (126) and (128) can be written as follows:
where
Figure imgf000053_0001
and
Figure imgf000053_0002
where Ac = w0 + wi · r (140)
and where z2 is defined as in (129):
Figure imgf000054_0001
Compare with (128) and (129).
Using (139), multiply r by s modulo p^M. Setting the sum of the coefficients of any given power of p congruent to zero (mod p^{M-i}) yields
u_{M-2} ≠ 0
Figure imgf000055_0001
Let RH(142)_i and LH(142)_i denote the RHS and the LHS, respectively, of that congruence in (142) which is defined modulo p^{M-i}. Then, it must be
RH(142)_i - LH(142)_i ≡ 0 (mod p^{M-i}). (143)
Define
C(142)_i = (RH(142)_i - LH(142)_i) / p^{M-i}. (144)
There is one condition which is not contained in (142): that is the condition that the sum of all the multiples of p^M in the system be equal to zero. Specifically, refer to (139). If 2 ≠ 0 , the highest power of p is produced when z · p is multiplied by
Figure imgf000056_0001
The other multiples of p^M in the system are Q · p^M, h_0 · p^M, h_1 · p^M and the integers C(142)_i · p^M. Then, equating to zero the sum of the coefficients of p^M, it must be
Figure imgf000056_0002
Refer to (88) and (91).
2
In this equation the integer
Figure imgf000056_0003
defined modulo p by the second last congruence of (142).
Also, in the computation of C(142)_{M-1}, the integers u_{M-2} and u_{M-3} equal the corresponding values in the second last congruence of (142).
The set of congruences (142) can be referred to as a SUPERCONGRUENCE.
2.2) Tidbits
1) Subject to the condition (131), if (142) and (145) do not admit integer solutions, there does not exist an integer r which can be described as in (142) and such that r| / .
2) The system (142) consists of M congruences. Given the selection of an integer u_1 < p, the third congruence of (142) defines a corresponding value of o modulo
3) The selection of an integer u_2 < p defines
z_2 = ω_2 - υ_2 - u_2. (146)
Refer to (141).
4) The solution of the fourth congruence of (142) produces a corresponding u_3.
5) The last congruence of (142) verifies the compatibility between u_{M-2} and
Figure imgf000057_0001
j
and causes a paring down of the roster of candidate pairs (u_1, u_2).
6) If the system (142) produces a candidate pair (u_1, u_2), the viability of that pair should be tested using (145). Of course, (145) can be satisfied only if
Figure imgf000057_0002
Refer to (87).
NOTE 1: To expedite the execution of (142), observe that each one of the higher degree congruences of (142) must hold true if they were reduced modulo p^2. Therefore, (142) could be reduced as follows:
u_{M-2} ≠ 0
Figure imgf000058_0003
In (148) each congruence produces a carry which must be added to
Figure imgf000058_0001
i < M- 1 the carries produced by the congruences (148) are
Figure imgf000058_0002
The total of these carries must satisfy the following:
+ 2 - 2 -uM-2(mod p) .
Notice that the magnitude of M does not burden the execution time of any of the congruences of (148). However, it determines the NUMBER of such congruences and the time required to execute the addition of M two digit numbers (which are represented in base p).
2.3) A Test
Consider the case when the true divisors of N_0, say r_0 and s_0, are known. Then, after the computation of TQ,NTf> and the definition of M, the system (142) can be set into place.
If the true solution pair (r_0, s_0) were known, it would be
Figure imgf000059_0001
(mod p ), (151)
and the pair (u_{1,1}, u_{2,1}) would be an element of the set of pairs which satisfy (142). (Table I).
In general, such is not the case.
The contradiction can be explained by observing that, given V0 , the set of feasible pairs represented in Table I is dependent on the prior definition of M. Should M be replaced by some Mx = M + 2 - mx (mx integer > 0), the set of feasible pairs in Table I would be different.
Since JQ is not known, the situation can be addressed by exploring independently all the possible definitions of (148), each one associated with a distinct value of M.
TABLE I - PART 1
Figure imgf000060_0001
M = 4097
M - 1 > 2 - «ro-2
b?0»4.78 x 10748
a?!* 3.765 xlO748
*4.11 x 10752
TABLE I - PART 2
Feasible
Figure imgf000061_0001
Figure imgf000061_0002
2.4) The Periodic Components of (148)
Consider the case when M has been defined using (78). In this case the system (142) consists of M congruences. The LHS of the last n - 1 congruences is congruent to zero modulo pM~S . Thus, if n - 1 < i < M - 1, it is
2
Figure imgf000062_0001
(mod p ). (152)
Notice that the coefficients ω_0, ω_1 - u_1, and z_2, after reduction modulo p, do not depend on i, but depend on the selection of the pair (u_1, u_2).
Thus, the system (142) contains a sequence of components which are related to one another as follows:
Figure imgf000062_0002
To clarify the role of the integer p - 1, assume that (142) is satisfied. Then, if
Figure imgf000062_0003
and
Figure imgf000063_0001
whence
Figure imgf000063_0002
In a similar fashion,
Figure imgf000063_0003
Similar relationships can be developed to relate u_{M-1} to u_{M-2} modulo p. Such relationships contain two terms. As i increases, both terms display a periodicity of p - 1, or its divisors.
Thus, given a selection of the pair
Figure imgf000063_0004
u2 ) , the specific embodiment of (142) for a given M can be related to a corresponding embodiment for M_1 = M + k · (p - 1) for some integer k. Recall that, if M is increased by p - 1, the number of congruences in (142) is increased by p - 1.
2.5) A New Definition of M
The variability of M can be reduced by observing (24) and (41). Consider a process which evolves (24) into (41). Assume it can be iterated into higher powers of p until the resulting product r ·
Figure imgf000064_0001
exceeds the corresponding N. The process could end at that point and would offer a conclusion on the viability of a, U\ \ and the subsequent sets of (Ut , V2 ,) variables.
Notice that in (32), after multiplication of r by s_0, the highest power of p in the system is p^4. In (37) it is p^8. In the subsequent iterations it would be p^{2^k} for k > 2.
Thus, it is reasonable to select
Figure imgf000064_0002
or
(159)
Figure imgf000064_0003
Compare with (78).
2.6) Privileged sets of exponents M
Consider the case when an integer k · (p - 1) is added to M. It is desired that the pairs (u_1, u_2) be proven still viable when M is replaced by M_1 = M + k · (p - 1). This condition can be satisfied if both M_1 and M satisfy (159).
In this case, 2A + £ · 4 · ODD = 2J (160)
or
Figure imgf000065_0001
where
k - 2h ~ 2 * k’ . (161)
If p = 29 = 4 · 7 + 1, the condition is satisfied when k' = 1 and j ~ h = 2 . For the example of Table I, Table II shows the feasible (u_1, u_2) pairs for a sequence of values of M which satisfy (159).
Table III discards the
Figure imgf000065_0002
w2) pairs which are not confirmed when M - 1 is
3
multiplied by p .
Table IV shows an example of confirmed pair when p = 61.
Table V shows the values of k' and pJ ~ h for a set of primes of the form p = 4 · ODD + 1.
TABLE II - PART 1
3
Feasible (u_{1,1}, u_{2,1}) Pairs for the Example of TABLE I with Increments of M by 2
Figure imgf000066_0001
3
Feasible (u_{1,1}, u_{2,1}) Pairs for the Example of TABLE I with Increments of M by 2
Figure imgf000067_0001
TABLE III
Example of Confirmed (u_{1,1}, u_{2,1}) Pairs in Table II
Figure imgf000068_0001
TABLE IV
Example of a Confirmed (u_{1,1}, u_{2,1}) Pair with Increment of M by 2 for p = 61
N0 = 100301963155829713685288333
= 165636239140789 · 605555666297
Figure imgf000069_0001
M~ 4097
Figure imgf000069_0002
TABLE V
Examples of Privileged Sets of Exponents
Figure imgf000070_0002
NOTE 1: The periodicity of (148) is dependent on the periodicity of the two coefficients of u_{M-2} in (157). If both coefficients have periodicity p - 1, the resulting periodicity of (148) and M are illustrated by Table V.
However, in general, each one of the two coefficients of u_{M-2} may have its own periodicity, which equals any one of the divisors of p - 1.
Table VI shows a case when p = 29 and the integer 2J h of Table V is replaced by 2* .
2.7) The Determination of U_{1,2}
The system (142) has been developed without placing any condition on the magnitude of u_1, u_2, and the subsequent u_i's. It is useful to explore the case when
Figure imgf000070_0001
and u_2 are defined as follows
TABLE VI
Example of a Different Periodicity of M for p = 29
N0 = 100301962714574772614226437
= 165636239140789 · 605555663633
Figure imgf000071_0001
wi * 9.57 x lO2"4
A * 2.86 lO29"
Figure imgf000071_0002
Consider the system (128) when j_0 = 1. In this case the general expression of s is
Figure imgf000072_0001
If the pair (u_{1,1}, u_{2,1}) were substituted in lieu of
Figure imgf000072_0002
u2) , it would be 2 3
Figure imgf000072_0003
(mod p ) (164)
If the pair (U_{1,2}, U_{2,2}) were substituted in lieu of
Figure imgf000072_0004
u2) , it would be
Figure imgf000072_0005
(mod p) . (165)
If u 2 ≠ 0 , reduction of (165) modulo p would produce a congruence which is not consistent with (164). Therefore, U_{1,2} must equal zero.
2.8) The Determination of U_{2,2}
Consider the case when, given M, the systems (142) and (148) have produced a set of viable pairs (u_{1,1}, u_{2,1}). Such pairs define viable expressions of s (mod p^3).
It is desired to define corresponding viable expressions of s (mod p^4).
This can be accomplished by defining that value of U_{2,2} which satisfies both (142) and the corresponding condition on the carries. For this purpose:
1) Substitute a candidate U_{2,2} into (142) in lieu of u_2.
2) Define the integer
Figure imgf000073_0001
and substitute it into (142) in lieu of z_2.
Notice that after these substitutions, every selection of U_{2,2} satisfies (142). However, the pair
Figure imgf000073_0002
feasible only if there exists at least one value of u_{2,2} which satisfies the condition (147) on the carries modulo p .
To produce the solution u_{2,2}, it is convenient to use an approach similar to (148). Specifically, after replacement of u_{2,1} by U_{2,2}, all the congruences of (148), with the exception of the last two congruences, can be reduced modulo p yielding
2 3
Q (mod P )
* — 3
· w 0· w I (mod p )
2 ^2 - 3
«i + wi + 2iy 0* ' 22+2 -fi>0-u2 (mod p )
w0· W3+2 (w i- 1)-u2+ 2 ·wi·z2>2(ihoά p3)
6)Q’U4+ 2 w t -Uj) -t3+ 2 i’2,2'u2+^2,2(^°^ 3) for i> 4
·w0·ί/,+ 2 (¾!-«!)·«,_!+ 2 2 2· w,_ (mod p3) vA/-3= 2 * "o' WA/-3+ 2 (" I - »l) · «L/-4 + 2 2, 2‘uA/-5(mod )
VM- 2=2 -"0-uA/-2+2 · (*> 1— Mi) -¾_3 + 2 ' 2,2-wA/-4(mod L
^-1 = 2- ("] - »i) -«M-2 + 2 2.2‘ UAf-3 (m0d P) ·
Correspondingly, with the exception of the last two congruences, the carries should be defined as
Figure imgf000074_0001
and the condition (150) can be restated as follows
NOTE 1: Compare two different expressions of s (mod p^4):
Figure imgf000075_0001
and
Figure imgf000075_0002
(mod p4) (171)
Then
Figure imgf000075_0003
(mod p ) (172)
Recall that υ_3 can be computed using (94).
Table VII shows the resulting
Figure imgf000075_0004
i) triads for the example of Table III.
TABLE VII
Confirmed (u_{1,1}, u_{2,1}, u_{3,1}) triads for the Example of Table III
Figure imgf000076_0001
NOTE 2: In general, the execution of (167) and the corresponding (169) produce only one candidate value of H2
Figure imgf000077_0001
some cases, more than one value results. In these cases, all the corresponding values of U_{2,2} must be explored.
2.9) The General Case
After the determination of
Figure imgf000077_0002
2 > a similar procedure can be employed to 8 0 determine U2 , where
Figure imgf000077_0003
and
~~U2, 3 = w4— L - w4(mod p) . (174)
In this case the moduli of (167) should be increased to p and the corresponding carries (168) should be adjusted accordingly. The resulting condition on the carries (169) would be computed modulo p .
Thereafter, the procedure can be iterated to determine the higher components of U.
Each step would propose a new value of s as a candidate divisor of N_0. If none of such steps offers a divisor of
Figure imgf000077_0004
, the initial (u_{1,1}, u_{2,1}) pair must be discarded.
2.10) Execution Time
This section contains an estimate of the upper bound of the time required to factor N using the procedure just described.
For the purpose of this estimate, it will be assumed that elementary arithmetic operations require a time of an order not exceeding log_p N, where p denotes the base of representation of N. The same can be assumed for the computation of multiplicative inverses, other linear congruences and square roots.
The proposed algorithm requires repeated execution of supercongruences such as (142) or (148). These systems consist of M congruences which are defined by a modulus as high as p^M. Thus, their execution can be assumed to require a time of the order of Af* .
Usually (142) is executed for the purpose of identifying the feasible values of a particular variable. Such is the case when (142) is executed to identify the values of u_{2,1} which are consistent with a known u_{1,1}. Thus, the execution time of a supercongruence is p M .
Accounting for the variability of u , and α, the production of all the feasible requires a time of the order of p3 L/3.
BLE III, it can be concluded that the number of feasible triads
Figure imgf000078_0001
the order of p - .
After the determination of the feasible pairs (u_{1,1}, u_{2,1}) for a given α, such pairs are employed to determine the corresponding sequence of u2 s . The determination of all u's for a given α requires the execution of as many as log_p N_0 supercongruences. Thus the execution time for all α would be of the order of
Figure imgf000078_0002
In particular, when p approximates the value of M, execution time is of the order of p .
3) The Case when
Figure imgf000078_0003
3.1) Overview
Consider the case when a roster of candidate pairs {( E/^ i, U )} has been determined and none of the corresponding pairs (r, s) represent divisors of N. Thus a new variable, z_3, can be introduced. The pair { ( t i, i ,
Figure imgf000078_0004
i) } is feasible only if there exists an integer z_3 such that,
Notice that in (175) u_1, u_2 and z_2 are known integers, say «( , «2 and zz .
Multiplication of r by s modulo p^M yields:
Figure imgf000079_0001
L- f-3 3 W-4 p
For each initial selection of the pair (u_1, u_2), the system (176) may produce a triad (u_1, u_2, *3) such that r · s ≡ N (mod p^4).
3.2) Determination of u_3 (mod p) using (176)
element of the roster { (u_1, u_2) } representing a solution of (142), say
Figure imgf000080_0002
Figure imgf000080_0001
4), compute υ_3 (mod p), say υ_{3,1}. The same result can be obtained by observing that in (176) the congruence which is defined modulo p^{M-3} can be written as follows:
Figure imgf000080_0003
This congruence does not contain u_3 and allows one to determine υ_{3,1} modulo p^{M-3}.
STEP 3: To compute an integer u_3 (mod p) which satisfies (176), select an initial value of u_3 (mod p), say u_{3,1}.
STEP 4: Compute a corresponding value of z_3, say z_{3,1}, where
Figure imgf000080_0004
STEP 5: Substitute U\ j , i/2, 1 and *2 in lieu of u_1, u_2 and z_2 into (176). Also, substitute in lieu of z_3 into (176). Solve the congruences (176) starting with the condition on υ_4 and proceeding to the condition on vn - 3 (mod p ). The last two congruences of (176) verify the consistency of
Figure imgf000080_0005
with the corresponding LHS's, which are defined modulo p and modulo p, respectively. In the event such a consistency is satisfied, a value of u_{M-3} (mod p) is produced and u_{3,1} is validated. All possible selections of u_{3,1} must be tested. If no selection of u_{3,1} satisfies (176) for the given pair (u_{1,1}, u_{2,1}), then such a pair must be discarded.
3.3) Validation of u_{2,2}
The integer u_{3,1} produced by (176) should be consistent with the value of
Figure imgf000081_0001
2 produced by (167). However, there are many selections of (u_{1,1}, u_{2,1}) which, by (167), produce a corresponding u_{2,2}
Figure imgf000081_0002
do not produce any corresponding u_{3,1}.
Thus it appears that (176) is more severe than (167) in the determination of u_{3,1}.
Therefore, it is possible to execute (176) for all the confirmed pairs (u_{1,1}, u_{2,1}) which survive (142) and are listed in TABLE III and produce a corresponding roster of viable triads
Figure imgf000081_0003
This step depopulates TABLE III drastically. Compare TABLE VII with TABLE VIII.
TABLE VIII
Example of Feasible (u_{1,1}, u_{2,1}, u_{3,1}) Triads for Increasing M and p = 29 using Supercongruence (176)
Figure imgf000082_0001
TABLE IX
Calculation
Figure imgf000083_0001
Calculation of u2 n
Figure imgf000083_0002
Calculation of u
Figure imgf000083_0003
This corresponds to the factor s0 = 605555653519.
3.4) Execution Time
After the depopulation of Table VII into Table VIII, the algorithm of Section 2.9 can resume and determine the appropriate u2 j's , for all i > 2. For the example of Table 911, Table IX shows the resulting values of
Figure imgf000084_0001
( and uI for all / > 2
The benefit of the validation of u_{2,2} is the reduction of the total execution time by a factor of approximately p, thus reducing the total execution time to approximately p^6.
XI. AN ALTERNATIVE APPROACH TO THE HIGHER POWERS OF p
1) The Approach
Consider the case when the triad (a, U\ \ , ¾ 2) is a solution of (142) and (150), when N is defined as in (37) and M is used in lieu of n_0.
In this case, it is possible to compute r_0 modulo p as
r o TQ * r (mod p^4) (179)
where
Figure imgf000084_0002
(mod p^4). (180)
Define r_{0,2} as the least positive solution of the following:
Figure imgf000084_0003
Define T_2 as the least positive solution of the following:
Figure imgf000085_0001
1007 If T2 is odd, define
1008 N2 = T2 - N0. (183)
1000 Define A2 as a solution of the following
1010 N2 º A2 (mod pM) . (184)
1011 Then the general expression of the pair ( rts ) will be
Figure imgf000085_0002
ion for some integers U(T2) and V(T2) .
ion Compare with (41). 2 4 ids Notice that (41) and (185) operate on rectangular lattices of sides p and p . Compare ids with (24)
NOTE 1: The integers u2 and U(T2) are related to each other. In fact,
T$ = NQ - a 2(mod pM)
(186)
T2 = N< r0 ¾mod pM)
and
U(T2) ≡ T2 · TQ - ¼,2 (mod $p^4$) (187)
Thus ί/2,2 a known quantity, and the solution of (183) follows the pattern of (142). j n _ I
NOTE 2: In (142) the congruences modulo p and p do not depend explicitly on the variables of the system ($u_i$ and $v_i$), because such dependence is embedded in the definition of N. Likewise, the four highest degree congruences (say $p^M, p^{M-1}, p^{M-2}, p^{M-3}$) do not depend explicitly on the corresponding variables.
XII. THE CASE WHEN $u_1 \equiv 0 \pmod p$
Consider the case when $N_0$ is known not to be a prime number, and the algorithm does not determine any divisor of $N_0$ for any a and for $u_1 \not\equiv 0 \pmod p$. It has been observed that, given p, this situation occurs in less than 1% of the integers under test.
The problem can be addressed by defining T2 as a solution of the following:
N0 = T2 · a (mod p) (188)
and restating (185) accordingly. In this case, a solution of (185) may exist only if U(T2) ≠ 0 (mod $p^2$).
One possible strategy is to select a different prime, say p', relying on the low probability that $u_1$ be congruent to zero both modulo p and modulo p'. Of course, it is also possible to execute the proposed algorithm in parallel using both p and p'.
XIII. THE CASES WHEN w] - u\ ≡ 0 (mod p)
A similar situation may occur when eol ~ l ≡ 0 (mod p). This situation was observed in less than 1% of the cases under test. Again, duplicating the algorithm using a different prime may solve the problem.
XIV. OTHER SINGULAR EVENTS
A variety of rare, singular events occur occasionally. Some of the Tables presented in this document describe unexpected events. Gradually, such events are being understood. All of them can be sidestepped by changing the selection of p.
Fundamentally, the proposed representation of integers and the resulting management of the carries offer a primary avenue towards the control of the factorization problem.
APPENDIX
A NOTE ON CONGRUENCES WITH TRUNCATED VARIABLES
Consider the linear congruence
$A \cdot x + B \cdot y \equiv C \pmod{p^2}$ (A.1)
where $A \not\equiv 0 \pmod p$ and $B \not\equiv 0 \pmod p$.
Let
Figure imgf000088_0001
Consider the case when x and y are constrained by the conditions that $0 \le x_0, y_0 \le p - 1$ and also $x_1 = 0$ and $y_1 = 0$. In other words, x and y are "truncated" modulo p.
To solve (A.1) under these constraints, let $C = c_0 + c_1 p$ and solve
$A \cdot x + B \cdot y \equiv c_0 \pmod p$. (A.3)
There exist p solution pairs $(x_0, y_0)$ for this congruence. For each solution pair, compute the integer
$\lambda \cdot p = A \cdot x_0 + B \cdot y_0 - c_0$. (A.4)
Depending on the value of $c_1$, there may be one or more solution pairs which satisfy (A.1), even though x and y are truncated modulo p. Also, in some cases, there is no solution pair for which $\lambda \equiv c_1 \pmod p$.
The situation is illustrated by Table A.I, which shows the case when
$p = 29,\ A = 38,\ B = 41,\ c_0 = 2,\ c_1 = 13$.
The example illustrates the fact that a pair
Figure imgf000089_0001
$y_0)$, which was truncated modulo p, may satisfy a congruence modulo $p^2$.
TABLE A.I
Example of Truncated Linear Congruence
($p = 29,\ A = 38,\ B = 41,\ c_0 = 2,\ c_1 = 13$)
Figure imgf000090_0001
Figure imgf000090_0002
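The appendix procedure can be run directly on the values of Table A.I. The following is an added example, not code from the patent; the function names are chosen here, and it goes slightly beyond the table by also counting, for every possible $c_1$, how many truncated pairs exist.

```python
"""Truncated linear congruence of the appendix: A*x + B*y = C (mod p^2) with x1 = y1 = 0."""


def first_order_pairs(p, A, B, c0):
    """All p pairs (x0, y0), 0 <= x0, y0 <= p - 1, solving (A.3): A*x0 + B*y0 = c0 (mod p)."""
    if A % p == 0 or B % p == 0:
        raise ValueError("A and B must both be nonzero modulo p")
    b_inv = pow(B, -1, p)  # exists because p is prime and does not divide B
    return [(x0, ((c0 - A * x0) * b_inv) % p) for x0 in range(p)]


def carry(p, A, B, c0, x0, y0):
    """lambda of (A.4): lambda * p = A*x0 + B*y0 - c0 (the division is exact)."""
    total = A * x0 + B * y0 - c0
    if total % p != 0:
        raise ValueError("(x0, y0) does not solve the congruence modulo p")
    return total // p


def truncated_solutions(p, A, B, c0, c1):
    """Truncated pairs that still satisfy (A.1) modulo p^2, where C = c0 + c1*p."""
    C = c0 + c1 * p
    hits = []
    for x0, y0 in first_order_pairs(p, A, B, c0):
        if carry(p, A, B, c0, x0, y0) % p == c1 % p:
            # lambda = c1 (mod p) is exactly the condition for (A.1) to hold
            assert (A * x0 + B * y0 - C) % (p * p) == 0
            hits.append((x0, y0))
    return hits


def census(p, A, B, c0):
    """Number of truncated solution pairs for each c1 in 0..p-1."""
    counts = {c1: 0 for c1 in range(p)}
    for x0, y0 in first_order_pairs(p, A, B, c0):
        counts[carry(p, A, B, c0, x0, y0) % p] += 1
    return counts


if __name__ == "__main__":
    p, A, B, c0, c1 = 29, 38, 41, 2, 13  # the case of Table A.I
    print("truncated solutions for c1 = 13:", truncated_solutions(p, A, B, c0, c1))
    counts = census(p, A, B, c0)
    print("c1 with no truncated solution:", [c for c, k in counts.items() if k == 0])
    print("c1 with more than one:", [c for c, k in counts.items() if k > 1])
```

For the table's parameters the only truncated pair is $(x_0, y_0) = (17, 14)$, since $38 \cdot 17 + 41 \cdot 14 - 379 = 29^2$.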
Following is a list of relevant features of the invention.
The present invention pertains to a method for decoding an encrypted electromagnetic signal W representative of a message encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s. The method comprises the steps of storing the signal W in a non-transient memory. There is the step of decoding with a second computer in communication with the memory the signal W in the memory with the second computer generated steps of selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the
Figure imgf000092_0001
inequalities $p^{n_0-1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo $p^{n_0}$; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to
$N \equiv A^2 \pmod{p^n}$ (189)
by using the representation
Figure imgf000092_0002
where $\omega_i$ satisfies the condition
There is the step of decrypting with the computer the signal W with the public key $N_0$ and the prime factors of integer $N_0$. There is the step of displaying on a display by the computer the decrypted signal W. There is the step of reviewing the decrypted signal W to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law.
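The preparatory steps named above (the choice of p, then $n_0$, $\tau$, n and the root A) can be traced on a small number. This is an added example, not code from the patent: the function names, the rule of taking the smallest $\tau \ge 2$, the Newton (Hensel) lifting used to obtain A, and the sample modulus are all assumptions made here, and the representation and Supercongruence stages are not reproduced.

```python
"""Preparatory steps: pick p, scale N0 to a residue N, lift a square root of N to p^n."""


def is_prime(m):
    """Trial division; adequate for the small primes p used here."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True


def is_residue(a, p):
    """Euler's criterion for an odd prime p (a multiple of p counts as a non-residue)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def select_prime(key):
    """Smallest prime p = 4k + 1 with k odd (p = 5 mod 8) for which key is a non-residue."""
    p = 5
    while not (is_prime(p) and key % p != 0 and not is_residue(key, p)):
        p += 8  # stays in the class 5 mod 8
    return p


def exponent_bound(value, p):
    """n with p^(n-1) <= value < p^n (strict on the left unless value is a power of p)."""
    n, power = 0, 1
    while power <= value:
        power *= p
        n += 1
    return n


def sqrt_mod_p(a, p):
    """Square root of a residue a modulo a prime p = 5 (mod 8)."""
    x = pow(a, (p + 3) // 8, p)
    if x * x % p != a % p:
        x = x * pow(2, (p - 1) // 4, p) % p  # 2^((p-1)/4) squares to -1 for such p
    return x


def lift_sqrt(N, p, n):
    """Newton (Hensel) lifting from x^2 = N (mod p) to A^2 = N (mod p^n)."""
    x = sqrt_mod_p(N % p, p)
    modulus = p
    for _ in range(n - 1):
        modulus *= p
        x = (x - (x * x - N) * pow(2 * x, -1, modulus)) % modulus
    return x


def prepare(key):
    """Return p, n0, tau, N, n and A for the public modulus `key` (N0 in the text)."""
    p = select_prime(key)
    n0 = exponent_bound(key, p)
    tau = 2
    while not is_residue(tau * key, p):  # assumption: the smallest tau >= 2 is taken
        tau += 1
    N = tau * key
    n = exponent_bound(N, p)
    return {"p": p, "n0": n0, "tau": tau, "N": N, "n": n, "A": lift_sqrt(N, p, n)}


if __name__ == "__main__":
    sample_key = 10007 * 10009  # constructed sample modulus, not a value from the page
    print(prepare(sample_key))
```

Because 2 is a non-residue modulo every prime congruent to 5 modulo 8, the product of 2 and a non-residue $N_0$ is always a residue, so under the assumed rule the loop stops at $\tau = 2$.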
There may be the second computer generated steps of defining M = 2 + 1, for $N = r \times s$ with r > s, take the solution 1 and construct relations
Figure imgf000093_0001
with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of $(A + U \times p - V \times p^2)(A - U \times p - V \times p^2)$, the set of Supercongruence equations establishes M relations in terms of $u_i$'s and $v_i$'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-7 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of $u_1$ and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A + U \times p - V \times p^2$ is a divisor of $N_0$.
There may be the step of enabling the alerting of a government agency to prevent the act that will occur to prevent physical damage or bodily injury to a person occurring. The steps described herein allow for the ability to alert a desired government agency if a review of the decrypted signal W indicates that an alert is warranted.
By using the methods described herein, $N_0$ is factored in time $O(\log^6 N_0)$. This speed is important, which only the operation of the second computer performing the second computer generated steps can achieve, because by having this speed for factoring, the signal W representative of a message can be effectively decrypted and deciphered in real time so any threat to property or individuals can be quickly acted upon to eliminate the threat before it occurs and actual damage to property or injury to individuals is prevented or mitigated. In other words, for W to be effectively understood, it must be decrypted fast enough that any threat identified in W can be stopped. The present invention with the use of the second computer allows for this capability. Here, it is inherent that to save lives if required, the second computer is required.
There may be the step of obtaining the electromagnetic signal W representative of a message from a telecommunications network, or a data network or an Internet or a non-transient memory. Law enforcement departments, such as Homeland Security, the FBI, the CIA, NSA, state and local Police or the Military have the well-known capability of obtaining or intercepting messages sent encrypted by a first computer operated by a potential terrorist or criminal as an electromagnetic signal, such as by smart phone or computer or internet, or stored in the memory of a smart phone or computer, or a flash drive. The encrypted electromagnetic signal W can be extracted from such messages or memories and operated upon by the techniques described herein to decrypt the encrypted messages and read them to determine whether there is any violation of law or threat to property or individuals. Of course, the intended recipient of the encrypted message W by the first computer has the key so the recipient can decrypt the encrypted message W the recipient has received and understand it. It is the object of this invention, and the problem this invention solves, to allow a recipient of the encrypted message W who does not have the key to read it, to determine what the key $N_0$ is by the techniques described here, and then using the determined key $N_0$, decrypting the encrypted message W, reviewing what the decrypted message says, and acting as necessary to protect property damage or bodily injury or any type of crime, as deemed appropriate.
The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W representative of a message encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s, comprising:
a non-transient memory in which the signal W is stored;
decoding with a CPU in communication with the memory the signal W in the memory that decodes the signal W by the second computer generated steps of selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities
Figure imgf000095_0001
$< N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo p; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to
$N \equiv A^2 \pmod{p^n}$ (193)
by using the representation
Figure imgf000095_0002
where $\omega_i$ satisfies the condition $0 < \omega_i < p$, (195)
the CPU decrypting the signal W with the public key $N_0$ and the prime factors of integer $N_0$; and a display on which the decrypted signal W is displayed so the decrypted signal W can be reviewed to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law or will violate a law. The display can be a computer screen or smart phone screen or any screen or piece of paper on which the decrypted signal W is printed or any medium on which the decrypted signal W can be reviewed.
The CPU of the second computer may perform the CPU generated steps of defining M = 2 + 1 for $N_0 = r \times s$ with r > s, take the solution 1 and construct relations
Figure imgf000096_0001
with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of $(A + U \times p - V \times p^2)(A - U \times p - V \times p^2)$, the set of Supercongruence equations establishes M relations in terms of $u_i$'s and $v_i$'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of $u_1$ and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A + U \times p - V \times p^2$ is a divisor of $N_0$.
$N_0$ is factored by the CPU of the second computer in the time $O(\log^6 N_0)$.
The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s, where the signal W has been stored in a non-transient memory of a second computer, having the second computer generated steps of:
Selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities $p^{n_0-1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo $p^{n_0}$; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to
$N \equiv A^2 \pmod{p^n}$ (197)
by using the representation
Figure imgf000097_0001
where $\omega_i$ satisfies the condition 0 < $\omega_i$ < p 1 1 (199)
There is the step of decrypting with the second computer the signal W with the public key $N_0$ and the prime factors of integer $N_0$. There is the step of displaying on a display by the second computer the decrypted signal W. There is the step of reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law. It is well known in the art to search for words, such as bomb or gun, to flag a message for further review for possible action, as deemed appropriate.
The computer program may have the second computer generated steps of defining M = 2 + 1 for $N_0 = r \times s$ with r > s, take the solution 1 and construct relations
Figure imgf000098_0001
with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of $(A + U \times p - V \times p^2)(A - U \times p - V \times p^2)$, the set of Supercongruence equations establishes M relations in terms of $u_i$'s and $v_i$'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of $u_1$ and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A + U \times p - V \times p^2$ is a divisor of $N_0$.
Although the invention has been described in detail in the foregoing embodiments for the purpose of illustration, it is to be understood that such detail is solely for that purpose and that variations can be made therein by those skilled in the art without departing from the spirit and scope of the invention except as it may be described by the following claims.

Claims

1. A method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers comprising the steps of: obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory; storing the signal W in a second non-transient memory; decoding with a second computer in communication with the second non-transient memory the signal W in the memory by factoring the public key $N_0$ in time $O(\log^6 N_0)$ with the second computer generated steps of selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities $p^{n_0-1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo p; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to
$N \equiv A^2 \pmod{p^n}$ by using the representation
Figure imgf000100_0001
where $\omega_i$ satisfies the condition
Figure imgf000100_0002
decrypting with the second computer the signal W with the public key $N_0$ and prime factors of integer $N_0$; displaying on a display by the second computer the prime factors of integer $N_0$; and reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.
2. The method of claim 1 including the second computer generated steps of defining $M = 2h + 1$, for $N = r \times s$ with r > s, and constructing relations
Figure imgf000101_0001
with U, V as unknowns,
forming a set of Supercongruence equations by matching coefficients of N and coefficients of $(A + U \times p - V \times p^2)(A - U \times p - V \times p^2)$, the set of Supercongruence equations establishes M relations in terms of $u_i$'s and $v_i$'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of
Figure imgf000102_0001
and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A - U \times p - V \times p^2$ is a divisor of $N_0$.
3. The method of claim 2 enabling alerting a government agency to prevent the act that will occur to prevent physical damage or bodily injury to a person occurring.
4. A second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s, comprising: an input for obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory; a second non-transient memory in communication with the input in which the signal W is stored; a cpu in communication with the second non-transient memory the signal W in the memory that decodes the signal W by factoring the public key $N_0$ in time $O(\log^6 N_0)$ by the second computer generated steps of selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities
Figure imgf000102_0002
computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo p; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to $N \equiv A^2 \pmod{p^n}$ by using the representation
Figure imgf000103_0001
where $\omega_i$ satisfies the condition
$0 < \omega_i < p^n$; the cpu decrypting the signal W with the public key $N_0$ and prime factors of integer $N_0$; and the cpu reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be quickly acted upon to eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.
5. The apparatus of claim 4 wherein the cpu of the second computer performs the cpu generated steps of defining $M = 2h + 1$, for $N = r \times s$ with r > s, and constructing relations
$r = A + U \times p - V \times p^2$
$s = A - U \times p - V \times p^2$ with U, V as unknowns;
forming a set of Supercongruence equations by matching coefficients of N and coefficients of $(A + U \times p - V \times p^2)(A - U \times p - V \times p^2)$, the set of Supercongruence equations establishes M relations in terms of $u_i$'s and $v_i$'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of $u_1$ and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A - U \times p - V \times p^2$ is a divisor of $N_0$.
6. A non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key $N_0 = r \times s$, where $N_0$, r and s are integers and W is a function of r and s, where the signal W has been stored in a second non-transient memory of a second computer, and the second computer factoring the public key $N_0$ in time $O(\log^6 N_0)$, the signal W obtained from a telecommunications network, or a data network or an Internet or a first non-transient memory, the computer program having the second computer generated steps of: selecting a prime number p of the form $p = 4k + 1$ for an odd integer k such that the public key $N_0$ is a non-quadratic residue modulo p; calculating $n_0$ satisfying the inequalities $p^{n_0-1} < N_0 < p^{n_0}$; computing $N = \tau N_0$ with a selection of $\tau$ such that N is a quadratic residue modulo p; calculating n satisfying the inequalities $p^{n-1} < N < p^n$; and calculating a solution to
$N \equiv A^2 \pmod{p^n}$ by using the representation
Figure imgf000105_0001
where $\omega_i$ satisfies the condition
Figure imgf000105_0002
decrypting with the second computer the signal W with the public key $N_0$ and prime factors of integer $N_0$; displaying on a display by the second computer the decrypted signal W; and reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be quickly acted upon to eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.
7. The storage medium of claim 6 having the second computer generated steps of defining $M = 2h + 1$, for $N = r \times s$ with r > s, and constructing relations
$r = A + U \times p - V \times p^2$
$s = A - U \times p - V \times p^2$ with U, V as unknowns;
forming a set of Supercongruence equations by matching coefficients of N and coefficients of $(A + U \times p - V \times p^2)(A - U \times p - V \times p^2)$, the set of Supercongruence equations establishes M relations in terms of
Figure imgf000106_0001
and $v_i$'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of
Figure imgf000106_0002
and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A - U \times p - V \times p^2$ is a divisor of $N_0$.
PCT/US2019/032681 2019-05-16 2019-05-16 Method and apparatus for factoring large integers WO2020231439A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2019/032681 WO2020231439A1 (en) 2019-05-16 2019-05-16 Method and apparatus for factoring large integers

Publications (1)

Publication Number Publication Date
WO2020231439A1 true WO2020231439A1 (en) 2020-11-19

Family

ID=73289237

Country Status (1)

Country Link
WO (1) WO2020231439A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060159259A1 (en) * 2003-10-31 2006-07-20 Gentry Craig B Encryption and signature schemes using message mappings to reduce the message size
US20130136257A1 (en) * 2011-11-30 2013-05-30 Samsung Electronics Co., Ltd. Decryption apparatus and method of decrypting ciphertext of the same
WO2014016795A2 (en) * 2012-07-26 2014-01-30 Nds Limited Method and system for homomorphicly randomizing an input

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19929061

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19929061

Country of ref document: EP

Kind code of ref document: A1