 Okay, so this is joint work with Michael Meyer and Michael Narrag. Now I have a habit of really talking over time when I do these pre-recorded talks, so I'm going to try to talk relatively quickly, but you can slow down the playback speed if it's going too fast. So in this work, we're very interested in looking for numbers like the two highlighted in the middle of the screen. Like most good problems in mathematics or computational number theory, it's again one of those problems that's quite easy to state and easy to understand what the problem is, but it turns out it's not as easy as you would hope to solve the problem. So the reason we're looking for two numbers like the two in the middle of the screen is that when we write prime factorization, both of these numbers are very smooth. Certainly with in reference to their neighbors relative to the numbers that are close by, the largest prime factor occurring in these two consecutive integers is 47. So the problem we're trying to solve is to find two consecutive integers whose product is very, very smooth with respect to some fixed smoothness bound. So you can see that the surrounding numbers have prime, their largest prime factors are a lot bigger than 47, but these two are very, very smooth relative to the numbers that they're surrounded by. So the rest of the talk is going to go like this. So first of all, we're going to motivate why we're interested in the problem. And then I'm going to talk about some first attempts at trying to find twin smooths before we move to the point of this work and the improvements that we found in this paper, which is the PTE sieve. Okay, so why are we interested in this problem? Well, some very recent constructions of isogenic based public key protocols are both reliant on finding two consecutive smooth integers. In fact, they're reliant on a special case of the problem where not only do we find two consecutive smooth integers, but we find these integers where their sum is a prime. Okay, so what these schemes rely on is finding a prime of the form 2M plus 1, large prime 2M plus 1, such that M and M plus 1 are both smooth. And therefore P plus or minus 1, which is 2M and 2M plus 2, are also both smooth. So what we're looking for to state the problem concisely is we're looking for two twin smooth numbers whose sum is a prime. And if we find such an instance, then we can instantiate B side and ski sign and perhaps some other variants of these protocols to be more efficient than if we were to instantiate them over a prime whose neighbors are not so smooth. So really the efficiency of these schemes is very, very dependent on the largest prime factor appearing in P plus 1 or P minus 1. Now to just unpack that for a moment, recall that in SIDH and Psyche, Alice and Bob set this prime P to be a power of 2 times a power of 3 minus 1. And that's because Alice computes 2 to the Aisogenes and Bob computes 3 to the Bisogenes. And for those Aisogene computations to be efficient within the protocol, we want those two factors, the 2 to the A and the 3 to the B, 3 to the power of B to divide P plus 1. But it turns out that Alice and Bob don't both need to squeeze their Aisogene degrees into P plus 1. It turns out that they can actually split so that Alice uses prime factors of P plus 1 and Bob uses prime factors of P minus 1. So if we take P plus 1 to be 2 times M and P minus 1 to be 2 times N, then quite trivially the GCD of M and N must be 1. The only common factor of P plus 1 and P minus 1 can be 2. So Alice is going to compute Misogenes and Bob is going to compute Anisogenes. And what we're looking for is for M and N to be as smooth as possible. So ideally what we would have is that M was 2 to the A just like before and N was 3 to the B just like before. But unfortunately the largest such prime where M and N can both be of this form is 17. So the largest pair of twins that are three smooth, the largest pair of consecutive integers that are three smooth are 8 and 9. There's no larger consecutive integers whose largest prime factor is less than 3. And it turns out that their sum is the prime 17. So that's our best prime that sits between two, three smooth numbers. So given that 17 is the largest such number that's sandwiched between a power of two and a power of three or two times a power of two and two times a power of three. What we want to do is to be able to bump up the size of that prime to be cryptographically sized, so say bigger than 200 bits. Such that it's sandwiched between two numbers whose prime factorization. It's not going to be prime powers for reasons that I won't get into. But whose factorization contains only primes that are up to some bound. So in this next stage I'm going to define what twin smooths are and look at the first attempts that were made at trying to find large cryptographically sized ones. So let's just recall what the definition of smoothness is. So an integer is said to be B smooth if it has no prime factors larger than B. So typically we fix some smoothness bound big B and we look for integers whose prime factors are no bigger than B. Now two consecutive integers M and M plus one are called B smooth twins, if their product is B smooth. So if each of them is B smooth, their product will be B smooth and vice versa. So that's what we're looking for. We're looking for numbers M and M plus one that are both B smooth. Now I'll ignore the criteria of their sum being a prime for most of the talk. But it should be said that this is a lot more rare for the types of numbers we'll be looking for. Finding these consecutive smooths is a lot more difficult than hoping that their sum is a prime. So we're looking for ways that we can find enough of these twin smooth pairs at a given size because once we find enough of them then heuristically we're guaranteed that we should have a very good probability that their sum will be a prime. Certainly if they both contain many small factors that are and they're co-prime to each other then that rules out their sum having either of those factors and so actually their sum being a prime is a little more likely than a random number of the same size. Okay so for concreteness our goal is to find this prime that is sandwiched between two smooth integers or equivalently as I said, we're looking for these two consecutive integers M and M plus one that are both smooth and if we find enough of them we'll be able to find such a pair whose sum is a prime but for the remainder of the talk just think that we're trying to find two consecutive smooth integers of a large cryptographic size. Now if we fix a smoothness bound and look for the largest consecutive smooth integers with respect to that smoothness bound that is a problem that has a deterministic solution. It's just that finding all such pairs and therefore finding the largest such pair is it takes exponential time. So to give some examples the largest three smooth twins, the largest consecutive integers whose product is three smooth is eight and nine. It just so happens that their sum is also prime as we saw before. The largest five consecutive smooth twins are 80 and 81. It just so happens that their sum is also a prime. In general the largest consecutive M smooth, B smooth twins, won't have a prime sum but again if we find all of them then one of the largest ones will have a prime sum. And so here we've also listed the largest 113 smooth twins. They have M being around 74 bits okay and then the largest 113 smooth twins whose sum is a prime is less than that example. It's around 66 bits. And as I said and I won't get into the details here but to find the largest B smooth twins, in fact to find all of the pairs of B smooth twins, you have to solve two to the power of Pi B Pell equations where Pi B is the number of primes up to B. So I think 113 there's including 113 there's 30 30 primes up to 113. So finding that largest 113 smooth twins required the solution of two to the 30 Pell equations. That's not really an easy task. So going much higher using this exhaustive method is becomes computationally infeasible quite quickly and turns out that we can't these M's are not big enough to be cryptographically secure. Remember we want these M's to be at least 200 bits in size. So exhausting all of the B smooth twins for a given smoothness bound B turns out to be infeasible for our purposes. Now something that's kind of important to understand this work is smoothness probability. So when we're looking at numbers of a certain size we want to know what the probability of them being B smooth with respect to a fixed smoothness bound is. And the way that these heuristics and this theory is presented is by presenting the smoothness bound as the youth root of the number you're looking at. So the probability that an integer M is B smooth where B is M to the power of 1 over U is given by this row function this Dickman row function and all of these heuristics rely on M approaching infinity but for our purposes our numbers are close enough to infinity that these heuristics are quite good. So suppose we take a random M of 256 bits the probability that it is 2 to the 128 smooth so the probability that it has no prime factors bigger than 2 to the 128 is roughly three-tenths so it's row of two. The probability that M is 2 to the 64 smooth so it contains no prime factors that are more than a quarter of its bit length is roughly one in 200 and you get the point that the probability that the largest prime factor isn't bigger than one-eighth of its bit length becomes very very small 3.2 by 10 to the negative 8 and so on. So we've got this we've got this concrete way to write down the probability that part of a number that a given number a number of a given size is smooth with respect to a smoothness bound so long as we write that smoothness bound as 1 over U. Now obviously if U is 1 the probability is 1 because the probability that M is M smooth is 1 but as long as the bigger you get or the smaller that we want the prime factors this probability degrades exponentially. Now this row function gives us a really easy way to analyze methods that we use to try to construct or to try to find these these twin smooth numbers. So on this slide I'm going to talk about the three prior methods prior to this work that we use to try to look for twin smooths and just for the sake of concreteness we're going to assume that we're looking for 256 bit numbers so M and M plus 1 are close to 2 to the 256 and let's suppose our smoothness bound B is 2 to the 16 so the the easiest way to look for these numbers now for the as far as the whole slide goes if you see a green number that's a number that's that we can construct to be smooth okay and then the red number is something that we hope to be smooth so in the first example we're looking for we can easily construct m's that are smooth so we can just take any any product of numbers that are less than B such that the product is is two to the around two to the 256 and then what we're hoping is that either M or M plus M minus one or M plus one is is smooth so the probability that a 256 bit number is is two to the 16 smooth that would be the row function of 16 which is two to the minus 70 so our chances of finding of constructing an M that's smooth and then it's one of its neighbors miraculously being smooth is close to two to the minus 70 so it really means that we'd have to try two to the 70 such such smooth numbers M until we can expect to find a smooth a smooth pair a pair of twin smooths a slightly better approach that gives us a better probability is the extended gcd approach so what we do there is we choose two numbers a and b that are both around half the bit length of M and we use the extended Euclidean algorithm to find co-prime numbers s and t such that a times s plus b times t is one and then as long as we arrange the signs properly then we get the absolute value of a times s and the absolute value of b times t differ by one and then what we're hoping is that both s and t were smooth now the chances of two numbers that are 128 bits being two to the 16 smooth is a lot better it's two to the minus 50 but it still means we'd have to search over a lot of a lot of ab pairs until we find an s and t that turn out to be two to the 16 smooth so again the the intuition here is that the smaller we chop up these numbers rather than looking for one 256 bit one 256 bit number that's that smooth it's it's a lot better to look for two to the two 128 bit numbers that are smooth and the intuition there is it kind of rules out any factors that are bigger than two to the 128 that could have appeared in the first method so to to now look at the third method is this power method where we set m to be some power of x some small nth power in this case n equals 6 and then m minus 1 is x to the 6 minus 1 and we're guaranteed that m minus 1 factors as x plus 1 times x minus 1 times these two quadratic terms so these setting the first the the larger number to be a power of a power of x and then looking at the the smaller number is the power of x minus 1 you're guaranteed that these two things factorizes as shown and then the the hope is that these smaller pieces these smaller pieces are smooth and the probability of each of the smaller pieces being smooth is again in this case a lot better than the probability that a random number of the the large sizes is smooth now prior to this paper the best examples in the literature were found using this third method so here's a couple of examples with m plus 1 being x to the power of 6 and m minus 1 being the product of those two linear terms in the two quadratic terms so in the first example Alice actually has the the factorization of p plus 1 or m plus 1 is 2 to the 6th move or in this case it's 53 smooth so her x is this this value that's raised the power of 6 and then over on bobside his factorization that the largest prime factor there is less than 2 to the 20 so that occurs as one of the prime factors of the the first quadratic term x squared minus x plus 1 and then in a more balanced example or slightly more balanced example the second example Alice chose an x that was 2 to the 12th smooth and over on bobside he got a he got a factorization of of x to the 6 minus 1 that was 2 to the 19th smooth so roughly speaking i think 2 b being close to 2 to the 19 was the best in terms of numbers that were close to 256 bits was the best kind of smoothness bound that the the twin the twin smooth satisfied prior to the prior to this work okay so what are we doing this paper that improves upon that that third method well if you look closely at the at the row function as applied to that third method the problem with it is these high degree terms these two quadratic terms so if we we were searching over x's to find x to the 6 and x to the 6 minus 1 being roughly 256 bits we're searching for x's that are around 2 to the 42 and in that case the probability of x itself or x minus 1 or x plus 1 being b smooth is far greater than the probability of the quadratic terms being b smooth so for example with b is 2 to the 14 the probability that a 42 bit number is 2 to the 14 smooth that's the row function of 3 which is roughly 1 in 20 or 0.0486 but the probability of a quadratic term being smooth is the row of 6 which is 10 to the negative 5 or 2 times 10 to the negative 5 um so the idea that we're that we're trying to look at in this work is can we find uh m and m plus 1 that are both uh polynomial functions rational rational polynomial functions where f of x and g of x split completely into linear terms so if we're talking about degree in the degree 2 case that's rather easy we can take f of x to be x squared and g of x to be x squared minus 1 and we've got a factorization of both f of x and g of x into linear terms but what we really want is to find uh to find f of x and g of x with with degrees uh a fair bit larger than 2 uh so that the the probability of these factors um being uh being smoothed with respect to a fixed smoothness bound becomes much greater so what we're looking for here is we're looking for split polynomials in uh in the polynomial ring uh whose coefficients are rational with constant differences so rather than differing by one we can we can relax the requirement that the polynomials differ by one and and actually tolerate constant differences um so in this example this these two degree four f of x and g of x functions um they they differ by 180 so they differ by a constant but then what we can do is we can search over x such that f of x and g of x are both zero mod 180 therefore dividing f of x and g of x at a particular value of x um by 180 you'll get two integers that differ by one okay so to to kind of give a highly overview of what we're doing here we're not searching for large numbers m such that m plus one is smooth but rather we're going to search for a lot smaller values of x such that a bunch of these linear terms that are that are much smaller because x is much smaller are all smooth so the the the probability that in this case uh one 256 bit number is is b smooth will be a lot less than the probability of say seven or eight uh 64 bit numbers being being b smooth now it turns out that the main difficulty in applying this approach to find to find twin smooth integers is in finding these polynomials f of x and g of x that differ by a constant and that that completely split over the rationals now after trying to construct them ourselves for a while and running into problems beyond degree degree three and four uh we dug around the literature and it turns out that this problem is um is connected to what's called the prairie tarry ascot problem now this problem um the the ideal formulation of this problem is to find two disjoint multisets a set of integers a one through a n and b one through b n such that their uh their sum is the same the sum of their squares is the same and the sum of their all of their powers up to the nth minus one powers is also the same so these two sets can't contain the same integer uh but they've they need to have the same sum and the same sum of squares and the same sum of cubes and so on up to the n minus one powers all sum together so that example the example of the two polynomials on the previous slide actually comes from the solution to the the pte problem where the the first set is zero four seven and eleven and the second set is one two nine ten and that's because the the sum of the numbers in these two sets is the same the sum of their squares is the same and the sum of their cubes is the same and it turns out that that's as as much as you could hope for um is the n n minus one powers of all these uh these integers to be the same and it's rather straightforward to see the connection between the solutions to the pte problem and how they turn into the into the two polynomials that we're looking for in fact all we do is take a linear function of whose whose roots are all of the uh solution in the solutions in the first set and a linear function whose roots are all the solutions in the second set and it turns out that these will always have a difference um a constant difference when uh viewed as polynomials over the rationals. Now it turns out that finding solutions to the pte problem is is rather non-trivial but fortunately for our purposes a lot of this hard work had been done for us already um so there's a there's a fair few methods out there that not only find um not only find solutions but also allow infinitely many solutions to be generated from a given solution to the to the pte problem. So in particular when we were looking for integers of around 256 bits in size it turns out that the solutions with n equals 6 was somewhat of a sweet spot. Now that's not only because um the number of solutions uh was plentiful it's also because the power n being 6 um is rather convenient so we don't want n to be too large because if n's too large it really shrinks the search space of uh x's so in this case if n was 12 then we only get roughly 2 to the 22 values of x that we can search over for smoothness but if n is too small then the probability of the the linear terms being smooth with respect to a fixed bound becomes a lot smaller so in this case n equals 6 was right on the money um because then what we're looking for is 12 uh 12 functions of linear functions of x that are smooth with respect to a given bound um and n equals 6 means that we're searching over x's being uh roughly 2 to the 43 in size so we've got enough x's there to to be able to sieve and look for for smooth uh for those 12 linear terms to be smooth. It's got really dark all of a sudden. Anyway I'm going to go over this next bit pretty quick because it's all kind of standard stuff from literature but uh the first phase of our sieving algorithm um needs to identify all of the smooth numbers in a given interval so I'm going to give an example here using the smoothness bound b equals 7 we're going to sieve the 50 numbers from 4350 to 4399 so the first thing we do is in every place we we put a 1 we start with a 1 and then we start with all of the primes up to b starting with 2 and we look at all the multiples of 2 and we multiply the the running uh the running product underneath each number by 2 then we do the multiples of 4 multiples of 2 cubed which is 8 multiples of 2 to the 4 and we keep doing multiples of 2 until there's no multiple in the interval the last one being 2 to the 6 64 or 2 to the 7 128 rather 26 I should have said and then there's no multiples of 2 to the 9 in that interval so we're done with 2 we do the same thing for 3 3 squared 3 cubed 3 to the 4 3 to the 5 3 to the 6 3 to the 7 multiples of 5 we keep going multiplying the the products underneath each number by the the multiple and so we're done same with the multiples of 7 7 cubed and then once we've processed all of the primes up to b we look at all the numbers in that interval and if any number underneath its index is the same as the number we know that that number is 7 smooth so in this case there's only two numbers in the interval that are 7 smooth and they happen to be twin smooths 4 3 7 4 and 4 3 7 5 so that when we write out their factorization of course we're guaranteed that there's no primes bigger than than 7 so all that we need to do then is to have one bit of information in each index that corresponds to whether that index was smooth or not whether that number was smooth or not so we put two ones in the smooth numbers and the rest of them were non-smooth with respect to 7 so we've sieved the whole interval and we've marked the smooth numbers with ones and left the the non-smooth numbers as zeros now i gave the naive version of the the sieving but this book the prime numbers book by Crandall and Pomerance gives a lot more optimizations that are much better in practice so we can replace the numbers themselves with their logarithms and that means we can start with zeros all along and then we can replace all of the multiple the multipliers with additions we can use approximations and we can skip the small primes and do all sorts of probabilistic versions of the sieving that are much faster in practice okay so now we come to phase two of the the pte sieve so what i just described is phase one that's the standard stuff the second phase is how we use the pte solutions once we've sieved the interval we we then check for ones that align with our pte solutions so now let's illustrate with a much bigger example a kind of real real sized example with b equals two to the power of 15 and the 50 numbers in this interval here so suppose we've done step one with all the primes from two three five seven all the way to 32 749 all the primes up to two to the 15 we've sieved the interval exactly as i described before and at the end of the day we've identified the smooth numbers in that interval and and mark those indexes with one and the other indexes indices are marked with with zero now the output of that step it's just a bit string of length 50 in that case but of length the size of the interval so once we've done phase one we've processed the whole interval we've got zeros for the non smooth numbers and one for the smooth numbers all we've got is a bit strength who's like a bit string whose length is the length of the interval and then we move on to phase two which is to check that bit string against our pte solutions so in this case our pte solution was uh zero three five eleven thirteen sixteen in the first set and the second set we've got some repetition there one one eight eight 1515 so what that means is if we move across this bit string with a a window of length 17 from the solutions from zero through to 16 then we we shift this moving one at a time until all of those indices align with ones that represent smooth numbers in the interval and in fact we don't have to shift by one each time we can just move the arrow above the zero to the very next one in the in the bit string so we can keep processing like that we start here we see that not all of the arrows are pointing to ones we move to the next one we move the zero to the next one not all of the arrows there are pointing to ones we keep doing that until array we've got all of the arrows pointing to ones and that means that with this particular pte solution we've found two numbers we found uh sorry in this case nine numbers that are all smooth but when we combine them according to those two polynomials that correspond to our pte solution we're guaranteed that we've got two integers that differ by one that are both b smooth and so here they are we that corresponds to this value of this value of u here and in this case we also have that the sum of the two twin smooths was a prime so we've got alice with p plus one is two to the 15 smooth and bob with p minus one also being two to the 15 smooth so this is kind of the high level summary of the results at least as far as we'd be concerned with in practice we found a prime that was close to 256 bits such that p plus or minus one were both two to the 15 smooth just like the one we just saw we found one that was 384 bits where that was sandwiched between two numbers that are two to the 19 smooth and we found a 512 bit prime or a prime close to 512 bits where the p plus one and p minus one were both two to the 28 smooth there's of course a lot more in the paper and i encourage you to take a look at it but to finish up the future work we're looking for for better methods of finding twin smooths and of course at any of those levels or at intermediate levels where we'd always be interested in any instances of smoother twins no matter how they're found