
From the document IN ENGINEERING AND COMPUTER SCIENCE (pages 45-50)

DIFFERENTIAL FACTORING FOR INTEGERS*

Lemma 4.1. Given an integer and an odd integer chosen at random, repeatedly applying function on for times is expected to yield a value

Note that when gets a value less than or equal to further applying on it may not decrease its value at all. This is one of the differences between and which should be taken into account in algorithm design.

Similar to algorithm we can develop a complementary algorithm as follows:

Algorithm

Input: Odd numbers and

1.

2.

3.

4.

If else

If output and stop.

If let and goto step 2;

else report failure and stop.

If there exists a such that algorithm can find a proper factor of then is called a differentia of associated with algorithm or

Those values of satisfying the properties of theorem 4.2 are Similar to the case of there might exist a much smaller than those satisfying the properties of theorem 4.2.

Theorem 4.2. Let where and q do not have to be primes. If there exist integers and such that and then the algorithm will yield a nontrivial factor of

Proof: The proof of the theorem is similar to that of theorem 3.1 by noticing


Note: In the factorization of using algorithm has to be smaller than q. However, if algorithm is used, could be anything provided that it satisfies the properties of theorem 4.2. But in practical implementation, is normally initialized by a small odd integer, then increased by 2 in each trial. So it cannot be very large. Nevertheless, algorithm allows multiple choices of ( must be less than in any circumstances). Once we find a correct we can get a factor of

Note: Like algorithm we cannot figure out what kind of integers are vulnerable to algorithm But theorem 4.2 tells us that if one of the factors of has a long all-one string in its binary representation, algorithm works efficiently by initializing and increasing it by 2 at each step.

5. Some perfect primes are not perfect

Pollard’s method works efficiently when has only small prime factors, where is a prime factor of As an impact of this method on RSA, it was suggested to use strong primes in RSA. A prime is said to be strong if has a large prime factor. Rivest [6] further restricts the condition: a prime used in RSA should be such that has a large prime factor and also has a large prime factor. Based on the algorithm when a prime has particular properties, even if it satisfies Rivest’s condition, a composite with the prime as a factor can be factorized very easily. For example,

is a prime, and are primes as well. For any integer with using algorithm it can be factorized by choosing This is not too hard if we initialize and let it increase by 2 in every round. Although is, by conventional knowledge, known as a perfect prime, satisfies Rivest’s condition, and is even a prime applicable to the Rabin cryptosystem [4], it is not safe if used in RSA or the Rabin cryptosystem.
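As an added illustration (not code from the paper), the sketch below assumes that "Pollard's method" here is the p - 1 method of Pollard's 1974 paper in the reference list; the toy primes 2521, 2879 and 2903 and all function names are constructed for this example. It shows that method splitting a modulus whose factor p has a smooth p - 1, failing against strong primes at a hundred times the bound, and the screening check a key generator can run on p - 1.

```python
from math import gcd

def small_primes(bound):
    """Sieve of Eratosthenes: every prime <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]

def pollard_p_minus_1(n, bound, base=2):
    """Proper factor of n if some prime p | n has (p - 1) bound-powersmooth, else None."""
    a = base
    for q in small_primes(bound):
        power = q
        while power * q <= bound:      # largest power of q not exceeding bound
            power *= q
        a = pow(a, power, n)
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:                     # every factor fell at once; this base fails
            return None
    return None

def largest_prime_factor(m):
    """Trial division; adequate for the toy sizes used here."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest

# Constructed toy primes (far too small for real use).
P_SMOOTH = 2521                # 2521 - 1 = 2^3 * 3^2 * 5 * 7
P_STRONG_A = 2879              # 2879 - 1 = 2 * 1439, and 1439 - 1 = 2 * 719
P_STRONG_B = 2903              # 2903 - 1 = 2 * 1451

def demo():
    weak = pollard_p_minus_1(P_SMOOTH * P_STRONG_A, bound=10)
    strong = pollard_p_minus_1(P_STRONG_A * P_STRONG_B, bound=1000)
    screen = {p: largest_prime_factor(p - 1) for p in (P_SMOOTH, P_STRONG_A, P_STRONG_B)}
    return weak, strong, screen

if __name__ == "__main__":
    print(demo())
```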

In the implementation of RSA, if the primes are chosen at random, then the algorithms above do not work effectively. However, there are no methods to efficiently determine whether a given large number is prime in the general case. The most acceptable method is the probabilistic method [7, pages 129-138]. Although it can give us as high confidence as we wish to believe whether a number is prime, there is still a possibility that some people would still use particular classes of primes where their primality can be completely determined. There is a way to determine whether a number in the form is a prime, where is a smaller prime [1, Vol. 2, page 409]:

Lemma 5.1. Let q be an odd prime. Define sequence by:

Then is prime if and only if

Based on lemma 5.1, if a prime in the form is used in RSA or similar systems where the security is based on the hardness of integer factorization, then the system is insecure as an integer having such a prime factor can be factorized using algorithm at no cost (the first round is successful) provided that the remaining factor is not larger than So, the algorithms in this paper further address that practical primes used for designing public key cryptosystems should be chosen at random.

6. Preprocessing for parallel computation

Let If can be factorized into

then we can write With a similar analysis as the proof of theorem 3.1 we know that if then using algorithm will be able to find a proper factor of and hence is an We may find other using different factorization of when is sufficiently small. However when is of similar size as or is a prime as well, this method does not work. So we need some other techniques.

Let Denote by If

can be factorized into where and is odd, then further applying algorithm on will be successful in finding a proper factor of Note that in this case the routine in algorithm should be revised so that it starts with instead of itself. This preprocessing for gives the following advantages:

Preprocessing for may yield a smaller which enables algorithm to find a proper factor of while the smallest of is larger than

As different value of in the preprocessing may result in totally different outcomes, parallel computation is made possible by taking different initial values of

When the value of is sufficiently large, further using algorithm on may be more efficient than using algorithm

Note: When has small preprocessing may lead to a worse result. So when implementing parallel computation, at least one computation is devoted to the direct algorithm

Similar preprocessing techniques can be developed for the algorithm In contrast to that of algorithm a value should be added to instead of subtracted from When the value of is sufficiently large, using algorithm may be more efficient than using algorithm in the forthcoming computation. So we can develop the following algorithm with multiple routines.

Algorithm

Input: Odd numbers and B.

Properties: is the integer to be factorized; is an arbitrary integer for preprocessing; B is an upper bound of the algorithm. Preprocessing:

while do while do

else report failure and exit.

Routine 4:

else report failure and exit.

Routine 5:

else report failure and exit.

Routine 6:

else report failure and exit.

It is noted that algorithm can further be implemented in parallel by feeding different values for Further refinement of the algorithm may include multiple preprocessing, i.e., after the preprocessing for we get then further preprocess we get continue this procedure for times to get and then use in routines 3 and 4 instead of

7. A few small examples

In this section we demonstrate a few small examples to illustrate how the algorithms work. We denote by the smallest theoretical (as in theorem 3.1) and the smallest theoretical (as in theorem 4.2) of a given number means routine 3 is successful and means routine 6 is successful, where is used in preprocessing, and is the differentia when factoring from the appropriate routine gets a nontrivial factor. Routines 4 and 5 have not been tested.

From table 1 we can see that with the preprocessing, we may be able to find a which is much smaller than the and the of and after the preprocessing with we can find a proper factor of much more easily.

8. Concluding remarks

In this paper we have developed two new methods for factoring integers.

They are efficient for integers with particular properties. It is seen that one class of those integers is that in which one of their factors (not necessarily prime factors) has a long segment of all-zero or all-one string in its binary representation.

The idea for preprocessing is that, in case one of the factors of has a larger number of zeros compared with the number of ones (or vice versa) in its binary representation, but not a segment of all-zero (or all-one) string, the preprocess would hopefully join the strings into a longer one and consequently one of the complementary algorithms works.

References

[1] D.E. Knuth, The Art of Computer Programming, 3rd ed., Addison-Wesley, 1997.

[2] J.M. Pollard, Theorems on factorization and primality testing, Proc. of Cambridge Philos. Soc., Vol. 76, 1974.

[3] C. Pomerance, The Quadratic Sieve Factoring Algorithm, EUROCRYPT’84, 1985.

[4] M.O. Rabin, Digitized signatures and public-key functions as intractable as factorization, MIT Laboratory for Computer Science Technical Report, LCS/TR-212, 1979.

[5] R.L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM, Vol. 21, No. 2, 1978.

[6] R.L. Rivest, Remarks on a proposed cryptanalytic attack on M.I.T. public-key cryptosystem, Cryptologia, Vol. 2, 1978.

[7] D.R. Stinson, Cryptography, Theory and Practice, CRC Press, 1995.
