1 / 22

# SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra - PowerPoint PPT Presentation

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven. Special purpose methods General purpose methods. Take advantage of special properties of p Cannot take advantage of any properties of p.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra' - guri

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

and the feasibility of

factoring a 1024-bit number with SNFS

Arjen K. Lenstra

Citibank, New York

Technische Universiteit Eindhoven

General purpose methods

Take advantage of special properties of p

Cannot take advantage of any properties of p

, but possibly of n

All based on the same approach

Examples:

Examples:

Trial division, Pollard- (find tiny p, up to 10 or 20 digits)

Pollard-p1 (finds p such that p1 has small factors)

Elliptic curve method (ECM) (finds p up to  60? digits)

 Relevant for RSA

CFRAC, Dixon’s algorithm

Number field sieve (NFS)

this talk

Variant: SNFS, takes advantage of special form of n

Factoring algorithms (to find factor p of n)

when  # bits what how

199006 512 F9 = 2512+1 SNFS

199406 534 (121511)/11 SNFS

199407 384 p(11887) NFS

199411 392 p(13171) NFS

199604 429 RSA-130d NFS

199809 615 12167+1 SNFS

199902 462 RSA-140d NFS

199904 698 (10211 1)/9 SNFS

199908 512 RSA-155d NFS

200011 773 2773+1 SNFS

200201 522 c158d of 2953+1 NFS

200301 809 M809 SNFS

200303 529 RSA-160d NFS

200312 576 RSA-576 NFS

20?? 768 ?? NFS

20?? 1024 ?? SNFS/NFS

Least squares prediction:

1024-bit SNFS factorization by 2012

Least squares predictions:

768-bit NFS factorization by 2015

1024-bit NFS factorization by 2028

• Make sure that these predictions are

• too pessimistic from a factoring point of view

• too optimistic from a cryptographic point of view

• Thus, we should be able to complete a

• 1024-bit SNFS factorization well before 2012

• 768-bit NFS factorization well before 2015

• by 2005?

• by 2010?

• 1024-bit NFS factorization well before 2028 ?

• Examples of NFS related things that did (or will) not happen:

• 1994, integers can quickly be factored on a quantum computer

• no one knows how to build one yet

• 1999, TWINKLE opto-electronic device to factor 512-bit moduli

• estimates too optimistic

• 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits

• new interpretation of the cost function

• 200308, TWIRL hardware siever: 1024 bits in a year for US\$10M

• does not include research and development cost

• 2004, TWIRL hardware siever: 1024 bits in a year for < US\$1M

• For the moment:

• stuck with existing algorithms and hardware ((G)NFS & PCs)

• see if we can push them even further

• To factor n, attempt to find integers x, y, x  y such that

• x2 y2 mod n

If n divides x2y2, then n divides (xy)(x + y), so

n = gcd(xy, n)  gcd(x + y, n)may be a non-trivial factorization

• Finding such x, y based on two-step Morrison-Brillhart approach:

• Collect data

• Combine data

, Relation collection

, Matrix step

: allows ‘obvious’

parallelization (internet)

: often centralized

How do general purpose factoring methods work?

 Need to efficiently test many integers for smoothness

• 2. Matrix step: select a subset of the v’s such that primes < B in

• corresponding (v2 mod n)’s occur an even number of times

 Need to find elements of null space of (B)(B) matrix

How to solve x2 y2 mod n?

• Matrix step not further discussed: based on reported ‘overcapacity’

• assume that current parallelized block Lanczos on

• current (and future) small broadband networks will suffice

How to find v’s such that v2mod n is smooth?

• Examples

• Dixon’s method:

• pick v at random in {0,1,…, n1}

• test v2 mod n {0,1,…, n1} for B-smoothness

• repeat until > (B) different v’s have been found

• Speed depends on B-smoothness probability of

• numbers of size comparable to n

• test (v + [n])2  n for B-smoothness for small v

• repeat until > (B) different v’s have been found ( v < S(B))

• Speed depends on B-smoothness probability of

• numbers of size comparable to 2S(B)n

 no way to take advantage of special properties of p or n

Smaller |v2mod n|: higher smoothness probability

• test (v + [n])2  n for B-smoothness for small v

• repeat until > (B) different v’s have been found ( v < S(B))

• Speed depends on B-smoothness probability of

• numbers of size comparable to 2S(B)n (as opposed to n)

• Number field sieve:

• select d; select m close to n1/(d+1)

• and f(X) Z[X] of degree d with f(m)  0 mod n

• look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones

• such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth

• S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs

• Speed depends on simultaneous smoothness probability of

• numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

• select d; select m close to n1/(d+1)

• and f(X) Z[X] of degree d with f(m)  0 mod n

• look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones

• such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth

• S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs

• Speed depends on simultaneous smoothness probability of

• numbers of sizes comparable to n1/(d+1)S and fSd/2

•  for some n there may be an m and f with f exceptionally small

For those n for which f is bounded by a constant: SNFS applies to n

• Example: n = 2512+1

• n divides 2515+8

• m = 2103 and f(X) = X5+8, then f(m)  0 mod n

• In general, f cannot be expected to be bounded by a constant,

• f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n

• SNFS: speed depends on simultaneous smoothness probability of

• numbers of sizes comparable to n1/(d+1)S and Sd/2

• NFS: speed depends on simultaneous smoothness probability of

• numbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2

• SNFS overall heuristic asymptotic expected runtime is

• exp((1.53+o(1))(log n)1/3(loglogn)2/3), n 

• NFS overall heuristic asymptotic expected runtime is

• exp((1.92+o(1))(log n)1/3(loglogn)2/3), n 

• for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit)

S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)

Determining Br, Ba, and S(Br, Ba) for n

• Traditionally based on combination of

• guesswork (‘extrapolation’)

• experience

• experiments

• for 1024-bit n:

• possibly unreliable

• unavailable (?)

• infeasible

• Alternative approach for TWIRL analysis (Asiacrypt 2003):

• Let P(x,B) denote probability that |x| is B-smooth and

• E(Br,Ba,A,B,m,f,t) = 0.6|a|  A0<bBP(abm,Br)P(bdf(a/b)/t,Ba)

• (‘expected yield’, approximated using numerical integration)

• For several degrees d:

• Find ‘ok-ish’ m, dth degree f (with correction t), skewness s

• For several Br and Ba determineS(Br,Ba) as least S such that

• E(Br,Ba,A,B,m,f,t)  ((Br) + (Ba))/c

• for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20)

• Pick d for which ‘best’ feasible Br and Ba were found

•  product of smoothness probabilities

a

b

• Realistic estimates for Br and Ba and

• upper bounds for factoring effort

• Rectangular region is not at all optimal: crown shaped regions

Results

crown contains points with smoothness probability E16

• 1024-bit SNFS (pessimistic estimate):

• Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17

• 1024-bit NFS:

• Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23

• Comparing 1024-bit SNFS and 1024-bit NFS:

• Factor base sizes: about 140 times larger

• Sieving: about 5E5 times harder

• Matrix: about 140 times more rows

•  Potential feasibility of 1024-bit SNFS does not imply

• feasibility of 1024-bit NFS

• 512-bit NFS:

• Br 1.7E6, Ba 1.7E6, (Br) + (Ba)  2.1E6, S  E15

• 1024-bit SNFS (pessimistic estimate):

• Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17

• Comparing 512-bit NFS and 1024-bit SNFS

• Factor base sizes: about 6 times larger

• Sieving: about 700 times harder

• Matrix: about 6 times more rows

512-bit NFS was (very) feasible in 1999

 based on Moore’s law 1024-bit SNFS feasible by 2005

• 1024-bit SNFS:

• Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17

• 768-bit NFS

• Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20

• Comparing 1024-bit SNFS and 768-bit NFS

• Factor base sizes: about 5 times larger

• Sieving: about 500 times harder

• Matrix: about 5 times more rows

•  If 1024-bit SNFS is feasible, then based on Moore’s law

• 768-bit NFS should be feasible about 5 years later

• 768-bit NFS

• Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20

• 1024-bit NFS:

• Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23

• Comparing 768-bit NFS and 1024-bit NFS

• Factor base sizes: about 30 times larger

• Sieving: at least 1000 times harder

• Matrix: about 30 times more rows

•  Once 768-bit NFS is feasible it will be a while (7 years?)

before 1024-bit NFS is feasible

(unless someone builds TWIRL)

• 512 NFS

• 1024 SNFS

• 768 NFS 1024 NFS

• 6  factor base size

700  effort

5  factor base size

500  effort

140  factor base size

5E5  effort

30  factor base size

1000  effort

(suboptimal choices: much smaller effort with larger factor bases)

• Factoring 1024-bit ‘special’ numbers is within reach

• We should prove it is

• Factoring 768-bit RSA moduli will soon be feasible

• using tomorrow’s hardware