Improving the initial values of VFactor suitable for balanced modulus

Received Mar 8, 2020; Revised Jun 4, 2020; Accepted Jun 20, 2020

The aim of this study is to estimate new initial values for VFactor. This algorithm belongs to a group of special-purpose integer factorization algorithms. It has very high performance whenever the difference between the two prime factors of the modulus is small, a situation also called a balanced modulus. If this situation occurs, RSA, which is a type of public key cryptosystem, is easily broken. The main process of VFactor is to increase and decrease two odd integers and compute their product until the targets are found. However, the initial values are far from the targets, especially when the difference between the two prime factors is large, a case for which VFactor is not suitable. Therefore, new initial values that are closer to the targets than the traditional values are proposed in order to decrease the number of loops of the computation. The experimental results show that the loops can be decreased by about 26% for an example 256-bit modulus whose prime factors have a small difference.


INTRODUCTION
The integer factorization problem (IFP) has been one of the important issues since RSA [1], a type of asymmetric key cryptosystem or public key cryptosystem [2], was proposed in 1978. The reason is that factoring the modulus into its prime numbers also recovers the private key kept secret by the owner. That means this methodology is one of the tools for breaking RSA. At present, the length of the modulus should be at least 1024 bits [3] to avoid attacks by intruders. However, if one of the hidden parameters is weak, it is very easy to break this system even though the bit-length of the modulus is very high. Examples of weak parameters are a low private key [4][5][6], a high private key [7], a low prime factor [8,9], all prime factors of p-1 or q-1 being small [10], and a small result of p-q [11][12][13][14], where p and q are the prime factors of the modulus.
The aim of this paper is to modify one of the factoring algorithms that is suitable for a small result of p-q. The algorithm is called VFactor [15]. Two initial values, x and y, are assigned for VFactor. Under its conditions, y is always decreased until y=q and x is always increased until x=p. However, the initial values of x and y are usually far from p and q, respectively. Therefore, this paper proposes new initial values of x and y that are much closer to the targets than the traditional values.
The key concepts come from considering the last m digits of p and q and from the fact that (p+q) mod 8 must always be equal to 0 when (n+1) mod 8=0, where n is the modulus. This implies that many unrelated values are removed from the computation.

The rest of the paper is organized as follows. Section 2 covers the related works, which consist of an overview of RSA, VFactor, techniques to analyze the last m digits of p and q, and conditions on p+q and p-q. Section 3 presents the proposed method, which generates the new initial values of x and y. Section 4 presents the experimental results and discussion. Finally, the conclusion is given in the last section.

RELATED WORKS

2.1. RSA
RSA is a type of public key cryptography. It was proposed by three researchers, Ron Rivest, Adi Shamir, and Len Adleman, in 1978. The technique has three main processes. The first process is key generation, which takes three steps.
Step 1 is to generate two prime numbers randomly, p and q, and then compute the modulus, n=p*q, and the Euler totient value, φ(n)=(p-1)*(q-1). The next step is to select a public key, t, with the following condition: 1<t<φ(n) and gcd(t, φ(n))=1. After that, a private key, h, can be computed from t*h mod φ(n)=1 by using one of the extended Euclidean algorithms [16][17][18][19]. The second process is encryption, which converts the original plaintext, m, into ciphertext, c, using the equation c=m^t mod n. The last process is decryption, which recovers m using the equation m=c^h mod n. Generally, it is very difficult to break this system when the bit-length of n is at least 1024 and all parameters are strong. In contrast, RSA is easily attacked when some of the parameters are weak. One of the weak parameters is a small value of p-q. Various techniques are suitable for this condition. One of them is VFactor, which is a type of integer factorization algorithm.

VFactor and improvement
VFactor is an integer factorization algorithm. This algorithm, which was proposed by Sharma et al., has very high performance when the result of p-q is very close to 0. Two odd integers are chosen as the initial values. The first value is y=⌊√n⌋, but y is decreased by 1 when it is even to ensure that it is an odd number. The other value is x=y+2. The main process is to compute m=x*y. If m=n, then x and y are the two large prime factors of n. Otherwise, there are two cases. In the first case, m>n, y is too large and has to be decreased by 2. In the second case, m<n, x is too small and must be increased by 2. The process is repeated until m=n is found.
Modified versions of VFactor were later proposed to remove some loops and time. MVFactor [20] removes from the computation the values of x and y whose last digit is equal to 5. An odd integer whose last digit is 5, except 5 itself, is certainly not a prime number, because 5 divides it. Later, MVFactorV2 [21] was proposed. The key is to choose only x and y which can be written in the following form: 6k+1 or 6k-1, where k. Moreover, their last digit must not be equal to 5. Therefore, odd integers whose last digit is 5 and those that cannot be written in the form 6k+1 or 6k-1 are certainly not prime numbers.
Table 1 shows the steps for increasing an odd integer so as to skip unrelated values. The information in the table is also used for the decreasing steps. It gives the increasing steps for an odd integer that may be a prime number. All prime numbers, except 2 and 3, can be written in one of two forms, 6k-1 or 6k+1. That means an integer whose condition matches the data in the 3rd, 6th, 8th, 9th, 12th, 13th or 15th row of this table is certainly not a prime.
The reason is that some of them have the form 6k+3 or a last digit of 5. Therefore, when x has to be increased or y has to be decreased, the increasing steps in this table can be used to remove the odd integers that are certainly not prime numbers. For example, assume that the latest value of x has 63 as its last 2 digits and its condition is in the 7th row; the next value should then have 69 as its last 2 digits.
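The VFactor loop described above, with the MVFactor/MVFactorV2 skipping as an option, written as an added Python example (not code from the paper or from Sharma et al.). The function names, the loop budget and the second demo modulus are assumptions of this example; the first modulus is the n=63073*60271 value the paper uses in Example 4.

```python
from math import isqrt

def is_candidate(v):
    """MVFactor/MVFactorV2 filter: last digit is not 5 and v is 6k+1 or 6k-1."""
    return v % 10 != 5 and v % 6 in (1, 5)

def vfactor(n, x=None, y=None, skip=False, max_loops=10**7):
    """Factor n = p*q (distinct odd primes > 5) and return (p, q, loops).

    x and y default to the traditional start: y is the largest odd integer
    not exceeding floor(sqrt(n)) and x = y + 2. With skip=True every step
    jumps over values that cannot be prime (the MVFactorV2 idea).
    """
    if y is None:
        y = isqrt(n)
        if y % 2 == 0:
            y -= 1
    if x is None:
        x = y + 2
    loops = 0
    while loops <= max_loops:
        m = x * y
        if m == n:
            return x, y, loops
        if m > n:                      # y is too large
            y -= 2
            while skip and not is_candidate(y):
                y -= 2
        else:                          # x is too small
            x += 2
            while skip and not is_candidate(x):
                x += 2
        loops += 1
    raise RuntimeError("loop budget exhausted: p and q are not close enough")

# Constructed demo moduli of similar size with a small and a large p - q.
BALANCED = 63073 * 60271          # n = 3801472783, p - q = 2802
WIDE = 104729 * 32771             # p - q = 71958

if __name__ == "__main__":
    for n in (BALANCED, WIDE):
        p, q, loops = vfactor(n)
        print(f"n={n}: p={p} q={q} loops={loops} "
              f"loops with skipping={vfactor(n, skip=True)[2]}")
```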

Analyzing the last m digits of p and q
In 2017, a technique to analyze all possible last m digits of p and q was proposed [22]. After finding all of them, many unrelated integers are removed from the computation. In fact, they are used to skip some loops of FFA. Assume that some values which may be the last m digits of p and q are disclosed. There are two rules for analyzing the others which may also be the last m digits of p and q as follows: (pm denotes the last m digits of p and qm denotes the last m digits of q.) In addition, after U and V are found, the initial value of u, ui, which begins as 2⌈√n⌉, can be re-estimated. The last m digits of ui should be one of the members of U. That means ui can be increased as long as the result is still not a member of U.

Analyzing the initial value of p-q
The initial value of p-q usually begins at 0, that is, p=q. However, the real value of p-q is very far from this initial value. In 2018, an equation to estimate the new initial value of v, vi, was proposed [23]. Before using the equation, all last m digits of p and q must be disclosed. Then vi can be computed from the following equation: vi=2⌈(d^2*n)^(1/4)⌉, where d is the distance between the traditional value of ui and the new value of ui. The new values of ui and vi can also be used to decrease the time of some other factorization algorithms. For example, in 2019, this technique was combined with the trial division algorithm (TDA) [24]. Before this method is applied to TDA, the first divisor usually begins as ⌊√n⌋. When it is applied to TDA, the first divisor may be assigned an integer which is less than this value.

Analyzing the remainder of (p+q) mod 8
In [25], it is found that if (n+1) mod 8=0, then (p+q) mod 8 must always be equal to 0. Therefore, only the patterns of p+q which satisfy this condition are included, which removes some loops of the computation.

THE PROPOSED METHOD
In this section, new initial values for both x and y of VFactor are proposed in order to remove values that are certainly unrelated from the computation. In general, the traditional initial value of x is the minimum odd integer which is larger than √n. On the other hand, after the last m digits of n are analyzed, it can be estimated as qi when qi is an odd number or qi+1 when qi is an even number. In addition, the traditional initial value of y is the maximum odd integer which is still less than √n. For the same reason as above, the new value can be estimated as the maximum odd integer which is less than n/x.
Furthermore, if the concepts of MVFactor and MVFactorV2 are also included, then the last digit must not be equal to 5 and the form must always be 6k+1 or 6k-1.
Sol. Before using Algorithm 1, ui and vi must be computed. Usually ui=2⌈√2620361083⌉=102380. However, the last 2 digits are 80, which is not a member of U. Therefore, ui can be increased to 102384, and then d=4. In addition, vi=2⌈(4^2*2620361083)^(1/4)⌉=906. Nevertheless, the last 2 digits are 06, which is not a member of V. Then, vi can be increased to 918. Therefore, each step in Algorithm 1 is as follows:
Step 2-4: qi is not changed, because qi % 2=1
Step 5: x=51651
Step 6-7: x10=1 and x6=3
Step 8-12: x=51653
Step 13: y=⌊2620361083/51653⌋=50730
Step 14-16: y is changed to 50729, because y % 2=0
Step 17-18: y10=9 and y6=5
Step 19-23: y is not changed, because neither y10 nor y6 matches the conditions.
Furthermore, the total loops are decreased more when m is large. The reason is that the characteristics of n are analyzed more deeply. In contrast, loops are not reduced when the last m digits of 2⌈√n⌉ are a member of U, because d is equal to 0. Therefore, neither ui nor vi is changed.
Moreover, the idea in [25] can be applied together with the proposed method when the result of (n+1) mod 8 is equal to 0. In that case d is expanded, because ui can be modified to satisfy both the conditions of U and u mod 8=0. However, both ui and vi must be improved before using Algorithm 1. Algorithm 2 shows the process to improve ui and vi when (n+1) mod 8 is equal to 0.
Example 4: Finding the new initial values of x and y when n=3801472783 (63073*60271) by considering the last 2 digits of n, 83, and using Algorithm 1 and Algorithm 2.
Sol. First, the result of (n+1) mod 8 has to be determined. Because the result is 0, the pattern of (p+q) mod 8 must also be 0.
The process to find the new values of ui and vi by using Algorithm 2 is as follows: Usually ui=2⌈√3801472783⌉=123314. However, the last 2 digits are 14, which is not a member of U. Therefore, ui can be increased to 123316. However, 123316 mod 8=4≠0, so the next value of ui should be 123324. However, 123324 mod 8=4≠0, so the next value of ui should be 123336. Because 123336 mod 8=0, it is the new value of ui, and d=22. In addition, vi=2⌈(22^2*3801472783)^(1/4)⌉=2330. However, the last 2 digits are 30, which is not a member of V. Therefore, vi can be increased to 2338. Therefore, each step in Algorithm 1 is as follows:
Step 1: qi=(123336+2338)/2=62837
Step 2-4: qi is not changed, because qi % 2=1
Step 5: x=62837
Step 6-7: x10=7 and x6=5
Step 8-12: x is not changed, because neither x10 nor x6 matches the conditions.
Step 13: y=⌊3801472783/62837⌋
Step 14-16: y is not changed, because y % 2=1
Step 17-18: y10=7 and y6=5
Step 19-22: y is not changed, because neither y10 nor y6 matches the conditions.
In this example, if the concept in [25] is not combined with the proposed method, then ui=123316, d=2 and vi=718. Hence, the total loops are decreased by only 359. Therefore, with the concept in [25] the loops are decreased about three times more. However, this technique cannot be applied to n in Example 3, because (n+1) mod 8=4≠0.
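The calculations of Examples 3 and 4 can be reproduced with the following added Python example, which is not the paper's Algorithm 1 or Algorithm 2 listing; its steps are reconstructed from the worked examples above. The function names are hypothetical, and building U and V by enumerating residue pairs is an assumption of this example, since the two rules from [22] are not reproduced on this page.

```python
from math import isqrt

def ceil_sqrt(v):
    return isqrt(v - 1) + 1 if v > 0 else 0

def digit_sets(n, m):
    """U and V: possible last m digits of p+q and p-q. Assumption: built by
    enumerating residue pairs with a*b = n (mod 10^m), not by the rules of [22]."""
    M = 10 ** m
    pairs = [(a, b) for a in range(1, M, 2) for b in range(1, M, 2)
             if a * b % M == n % M]
    return {(a + b) % M for a, b in pairs}, {(a - b) % M for a, b in pairs}

def new_initial_values(n, m=2, use_mod8=False):
    """Return (ui, d, vi, x, y) for n = p*q with odd primes p, q other than 5."""
    M = 10 ** m
    U, V = digit_sets(n, m)
    if not U:
        raise ValueError("n has no odd factor pair modulo 10^m")
    u0 = 2 * ceil_sqrt(n)                      # traditional ui
    mod8 = use_mod8 and (n + 1) % 8 == 0       # then (p+q) mod 8 == 0
    ui = u0
    while ui % M not in U or (mod8 and ui % 8 != 0):
        ui += 2
    d = ui - u0
    vi = 2 * ceil_sqrt(ceil_sqrt(d * d * n))   # 2*ceil((d^2 * n)^(1/4))
    while d and vi % M not in V:               # d == 0 keeps vi = 0
        vi += 2
    x = (ui + vi) // 2                         # qi
    if x % 2 == 0:
        x += 1
    while x % 10 == 5 or x % 6 == 3:           # multiple of 5 or of 3
        x += 2
    y = n // x
    if y % 2 == 0:
        y -= 1
    while y % 10 == 5 or y % 6 == 3:
        y -= 2
    return ui, d, vi, x, y

def loops_saved(n, x, y):
    """VFactor steps of 2 skipped compared with the traditional start."""
    y0 = isqrt(n)
    y0 -= 1 - y0 % 2                           # largest odd <= floor(sqrt(n))
    return ((x - (y0 + 2)) + (y0 - y)) // 2

if __name__ == "__main__":
    for flag in (False, True):                 # the page's Example 4 modulus
        r = new_initial_values(3801472783, use_mod8=flag)
        print(flag, r, loops_saved(3801472783, r[3], r[4]))
```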

EXPERIMENTAL RESULTS AND DISCUSSION
In this section, the experimental results and discussion are presented. The last 2 digits of all values of n in the experiment are 83, because U and V for this case are already considered in the related works section, so this process can be skipped. However, for other cases of n, both U and V must be determined first. Furthermore, all values of n in this section satisfy (n+1) mod 8=0 so that the idea behind Algorithm 2 can be included. The experiment compares the decrease in loops between using only Algorithm 1 and using the combination of Algorithm 1 with Algorithm 2. The bit-lengths of n, which is chosen randomly in this experiment, are 32, 64, 128, 256, 512 and 1024. Moreover, 50 values of n are chosen for each bit-length to find the average. However, the condition on n in this section is that d must not be equal to 0. The reason is that, otherwise, the new initial values for both Algorithm 1 and the combination of Algorithm 1 and Algorithm 2 are still equal to the traditional initial values.
The information in Table 2 shows that if (n+1) mod 8=0 and d≠0, the decrease in loops from using the combination of Algorithm 1 and Algorithm 2 is much higher than from using Algorithm 1 only; it is about two times larger. Therefore, to ensure that all hidden parameters are strong, the result of (n+1) mod 8 should not be equal to 0. When n is selected randomly, the probability that (n+1) mod 8=0 is 0.25. However, if n is larger than 1024 bits and all hidden parameters are strong, VFactor and all of its improved algorithms, including the proposed methods with (n+1) mod 8=0, still do not break RSA within polynomial time.
An example is as follows. Assume n=293060910868290979627266785232142097857*205030072726927862555415759877785028319=60086299868745423605959016054076895558512635625836613350661870819438814212383 (256-bit length). After estimating the new initial values, the loops are decreased by about 7.98*10^19. However, the total loops are 2.34*10^37. Therefore, after using the proposed method, the loops are decreased by only 3.14*10^-11 %, which is far too small.
In contrast, the proposed method has high performance when p is close to q. An example is as follows. Assume n=194456630408620613527183578802116928289*194456630408620613127183578802116928247=37813381109874874999245217886281867608252777770855434333178732422091857479383 (256-bit length). After estimating the new initial values, the loops are decreased by about 2.78*10^19. However, the total loops are 1.06*10^20. Therefore, after using the proposed method, the loops are decreased by about 26%, which is very high. Therefore, the ratio of the decreased loops depends on the characteristics of p and q, and the proposed method is suitable for a small result of p-q.

CONCLUSION
The new initial values for VFactor are assigned so as to leave unrelated values out of the computation. The key is to use the concept of considering the last m digits of p and q. After all of them are found, the patterns of the last m digits of p+q and p-q are also disclosed. Both are the keys to estimating the new initial values for this method. Moreover, this technique is combined with another pattern of p+q: the result of (p+q) mod 8 is always equal to 0 when the result of (n+1) mod 8 is 0. Two algorithms are proposed in this paper. The first, Algorithm 1, can be applied to all values of n. However, before using this algorithm, U and V must be calculated. The other, Algorithm 2, supports Algorithm 1 when the result of (n+1) mod 8=0. The experimental results show that if (n+1) mod 8=0, the decrease in loops from using the combination of Algorithm 1 and Algorithm 2 is about two times higher than from using only Algorithm 1. Furthermore, the experimental results show that the loops can be decreased by 26% in the example of a 256-bit n when the difference between the prime factors is small.