mersenneforum.org (https://www.mersenneforum.org/index.php)
-   Factoring (https://www.mersenneforum.org/forumdisplay.php?f=19)
-   -   Do easy to factor semi-primes exist? (https://www.mersenneforum.org/showthread.php?t=26659)

 naturevault 2021-04-01 13:36

Do easy to factor semi-primes exist?

I am working on a "cryptocurrency"-like proof of work that uses factoring large numbers as a proof of work. You can review the archive of it here if you want: [b][color=red]MODERATOR NOTE: link removed[/color][/b]

Basically a user generates a private key, then hashes it using some algorithm like sha-2 or sha-3 to get a public key. They then hash this public key with something like skien-1024 to get a large random number (and truncate to a given acceptable length). They then provide a prime factor of this number that is between 7/16ths and 1/2 the length of the number. So for the network to verify the PoW, they do a primality check of the factor, and divide the large number by the proposed factor. If it checks out, it is a valid proof of work (and of course the person who generated the challenge is the only one who can spend it because they are the only one that knows the private key). We would start around 140 or 150 digit numbers so people can complete a proof of work in about a week with a decent computer.

Is there any potential attack vectors to this method? My thought is one possibility is that someone generates mass amounts of numbers looking for one that is "easy to factor". But my gut tells me that if there exists a prime factor in the number that is between 7/16th and 1/2 of the digit length of the number, then it is not easy to factor generally. Also one would need to factor it to determine whether it is easy to factor, correct? Of course you can do checks to the number like primality checks but my point is, if it does indeed contain a prime factor of said length, then no "testing" would be able to determine if this number with said prime factor is easier than another number with said prime factor without factoring them, correct?

Another question I have is; could factoring algorithms be modified to do this challenge significantly faster than a typical GNFS or RSA algorithm, since only 1 factor is needed, or would you just run it through our typical programs and see if it returns a factor of required length?

Thanks.

 CRGreathouse 2021-04-01 14:12

If large enough quantum computers come to pass, then all numbers of a certain size will be easy to factor. This size will depend on various factors of the quantum computer, but in the worst case (for you -- best case for the person factoring) an n-qubit computer can factor a number up to 2^(n-1) or so.

There's a huge speedup to be gained if a person is factoring many numbers at once, so your security margin has to be wide enough to account for this.

Integer factorization is an area of active research, so you should be prepared for major advances that could reduce your security margin at any time.

I would not base a cryptocurrency on integer factorization, there are just too many risks. (Selfishly, I hope you do -- it would increase the incentive to do research in this area!)

 CRGreathouse 2021-04-01 14:25

[QUOTE=naturevault;574914]Basically a user generates a private key, then hashes it using some algorithm like sha-2 or sha-3 to get a public key. They then hash this public key with something like skien-1024 to get a large random number (and truncate to a given acceptable length). They then provide a prime factor of this number that is between 7/16ths and 1/2 the length of the number. So for the network to verify the PoW, they do a primality check of the factor, and divide the large number by the proposed factor. If it checks out, it is a valid proof of work (and of course the person who generated the challenge is the only one who can spend it because they are the only one that knows the private key). We would start around 140 or 150 digit numbers so people can complete a proof of work in about a week with a decent computer.

Is there any potential attack vectors to this method?[/QUOTE]

Yes, your users have too much flexibility. They could generate numbers until they find one with enough small factors (< 30 digits) to make finding the big one easy.

 xilman 2021-04-01 19:13