SNFS versus (G)NFS
Download
1 / 22

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra - PowerPoint PPT Presentation


  • 39 Views
  • Uploaded on

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven. Special purpose methods General purpose methods. Take advantage of special properties of p Cannot take advantage of any properties of p.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra' - guri


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

SNFS versus (G)NFS

and the feasibility of

factoring a 1024-bit number with SNFS

Arjen K. Lenstra

Citibank, New York

Technische Universiteit Eindhoven


Special purpose methods

General purpose methods

Take advantage of special properties of p

Cannot take advantage of any properties of p

, but possibly of n

All based on the same approach

Examples:

Examples:

Trial division, Pollard- (find tiny p, up to 10 or 20 digits)

Pollard-p1 (finds p such that p1 has small factors)

Elliptic curve method (ECM) (finds p up to  60? digits)

 Relevant for RSA

CFRAC, Dixon’s algorithm

Linear sieve, Quadratic sieve

Number field sieve (NFS)

this talk

Variant: SNFS, takes advantage of special form of n

Factoring algorithms (to find factor p of n)


SNFS and NFS factorizations

when  # bits what how

199006 512 F9 = 2512+1 SNFS

199406 534 (121511)/11 SNFS

199407 384 p(11887) NFS

199411 392 p(13171) NFS

199604 429 RSA-130d NFS

199809 615 12167+1 SNFS

199902 462 RSA-140d NFS

199904 698 (10211 1)/9 SNFS

199908 512 RSA-155d NFS

200011 773 2773+1 SNFS

200201 522 c158d of 2953+1 NFS

200301 809 M809 SNFS

200303 529 RSA-160d NFS

200312 576 RSA-576 NFS

20?? 768 ?? NFS

20?? 1024 ?? SNFS/NFS


Special Number Field Sieve

Least squares prediction:

1024-bit SNFS factorization by 2012


Number Field Sieve

Least squares predictions:

768-bit NFS factorization by 2015

1024-bit NFS factorization by 2028


Goal of this workshop:

  • Make sure that these predictions are

    • too pessimistic from a factoring point of view

    • too optimistic from a cryptographic point of view

  • Thus, we should be able to complete a

    • 1024-bit SNFS factorization well before 2012

    • 768-bit NFS factorization well before 2015

  • by 2005?

  • by 2010?

  • 1024-bit NFS factorization well before 2028 ?


Problem: since 1989 nothing seems to be happening!

  • Examples of NFS related things that did (or will) not happen:

  • 1994, integers can quickly be factored on a quantum computer

  • no one knows how to build one yet

  • 1999, TWINKLE opto-electronic device to factor 512-bit moduli

  • estimates too optimistic

  • 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits

  • new interpretation of the cost function

  • 200308, TWIRL hardware siever: 1024 bits in a year for US$10M

  • does not include research and development cost

  • 2004, TWIRL hardware siever: 1024 bits in a year for < US$1M

  • For the moment:

    • stuck with existing algorithms and hardware ((G)NFS & PCs)

    • see if we can push them even further


  • To factor n, attempt to find integers x, y, x  y such that

    • x2 y2 mod n

If n divides x2y2, then n divides (xy)(x + y), so

n = gcd(xy, n)  gcd(x + y, n)may be a non-trivial factorization

  • Finding such x, y based on two-step Morrison-Brillhart approach:

  • Collect data

  • Combine data

, Relation collection

, Matrix step

: allows ‘obvious’

parallelization (internet)

: often centralized

(Cray, broadband network)

How do general purpose factoring methods work?


 Need to efficiently test many integers for smoothness

  • 2. Matrix step: select a subset of the v’s such that primes < B in

    • corresponding (v2 mod n)’s occur an even number of times

 Need to find elements of null space of (B)(B) matrix

How to solve x2 y2 mod n?

  • Matrix step not further discussed: based on reported ‘overcapacity’

    • assume that current parallelized block Lanczos on

    • current (and future) small broadband networks will suffice


How to find v’s such that v2mod n is smooth?

  • Examples

  • Dixon’s method:

    • pick v at random in {0,1,…, n1}

    • test v2 mod n {0,1,…, n1} for B-smoothness

    • repeat until > (B) different v’s have been found

    • Speed depends on B-smoothness probability of

      • numbers of size comparable to n

  • Quadratic sieve:

    • test (v + [n])2  n for B-smoothness for small v

    • repeat until > (B) different v’s have been found ( v < S(B))

    • Speed depends on B-smoothness probability of

      • numbers of size comparable to 2S(B)n

 no way to take advantage of special properties of p or n


Smaller |v2mod n|: higher smoothness probability

  • Quadratic sieve:

    • test (v + [n])2  n for B-smoothness for small v

    • repeat until > (B) different v’s have been found ( v < S(B))

    • Speed depends on B-smoothness probability of

      • numbers of size comparable to 2S(B)n (as opposed to n)

  • Number field sieve:

    • select d; select m close to n1/(d+1)

      • and f(X) Z[X] of degree d with f(m)  0 mod n

  • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones

    • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth

  • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs

  • Speed depends on simultaneous smoothness probability of

    • numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small


‘Good’ cases for Number Field Sieve

  • select d; select m close to n1/(d+1)

    • and f(X) Z[X] of degree d with f(m)  0 mod n

  • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones

    • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth

  • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs

  • Speed depends on simultaneous smoothness probability of

    • numbers of sizes comparable to n1/(d+1)S and fSd/2

  •  for some n there may be an m and f with f exceptionally small

    For those n for which f is bounded by a constant: SNFS applies to n

    • Example: n = 2512+1

      • n divides 2515+8

      • m = 2103 and f(X) = X5+8, then f(m)  0 mod n

    • In general, f cannot be expected to be bounded by a constant,

      • f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n


    SNFS versus NFS

    • SNFS: speed depends on simultaneous smoothness probability of

      • numbers of sizes comparable to n1/(d+1)S and Sd/2

    • NFS: speed depends on simultaneous smoothness probability of

      • numbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2

    • SNFS overall heuristic asymptotic expected runtime is

      • exp((1.53+o(1))(log n)1/3(loglogn)2/3), n 

  • NFS overall heuristic asymptotic expected runtime is

    • exp((1.92+o(1))(log n)1/3(loglogn)2/3), n 

  • for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit)

    S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)


    Determining Br, Ba, and S(Br, Ba) for n

    • Traditionally based on combination of

      • guesswork (‘extrapolation’)

      • experience

      • experiments

    • for 1024-bit n:

  • possibly unreliable

  • unavailable (?)

  • infeasible

    • Alternative approach for TWIRL analysis (Asiacrypt 2003):

    • Let P(x,B) denote probability that |x| is B-smooth and

      • E(Br,Ba,A,B,m,f,t) = 0.6|a|  A0<bBP(abm,Br)P(bdf(a/b)/t,Ba)

      • (‘expected yield’, approximated using numerical integration)

    • For several degrees d:

      • Find ‘ok-ish’ m, dth degree f (with correction t), skewness s

      • For several Br and Ba determineS(Br,Ba) as least S such that

        • E(Br,Ba,A,B,m,f,t)  ((Br) + (Ba))/c

      • for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20)

  • Pick d for which ‘best’ feasible Br and Ba were found


  •  product of smoothness probabilities

    a

    b

    • Realistic estimates for Br and Ba and

      • upper bounds for factoring effort

    • Rectangular region is not at all optimal: crown shaped regions

    Results


    Example of non-rectangular region

    crown contains points with smoothness probability E16


    Resulting parameter choices

    • 1024-bit SNFS (pessimistic estimate):

      • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17

    • 1024-bit NFS:

      • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23

    • Comparing 1024-bit SNFS and 1024-bit NFS:

      • Factor base sizes: about 140 times larger

      • Sieving: about 5E5 times harder

      • Matrix: about 140 times more rows

    •  Potential feasibility of 1024-bit SNFS does not imply

      • feasibility of 1024-bit NFS


    Feasibility of 1024-bit SNFS

    • 512-bit NFS:

      • Br 1.7E6, Ba 1.7E6, (Br) + (Ba)  2.1E6, S  E15

    • 1024-bit SNFS (pessimistic estimate):

      • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17

    • Comparing 512-bit NFS and 1024-bit SNFS

      • Factor base sizes: about 6 times larger

      • Sieving: about 700 times harder

      • Matrix: about 6 times more rows

    512-bit NFS was (very) feasible in 1999

     based on Moore’s law 1024-bit SNFS feasible by 2005


    Feasibility of 768-bit NFS

    • 1024-bit SNFS:

      • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17

    • 768-bit NFS

      • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20

    • Comparing 1024-bit SNFS and 768-bit NFS

      • Factor base sizes: about 5 times larger

      • Sieving: about 500 times harder

      • Matrix: about 5 times more rows

    •  If 1024-bit SNFS is feasible, then based on Moore’s law

      • 768-bit NFS should be feasible about 5 years later


    Comparing 768-bit NFS and 1024-bit NFS

    • 768-bit NFS

      • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20

    • 1024-bit NFS:

      • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23

    • Comparing 768-bit NFS and 1024-bit NFS

      • Factor base sizes: about 30 times larger

      • Sieving: at least 1000 times harder

      • Matrix: about 30 times more rows

    •  Once 768-bit NFS is feasible it will be a while (7 years?)

      before 1024-bit NFS is feasible

      (unless someone builds TWIRL)


    Summary of 512, 768, 1024 estimates

    • 512 NFS

    • 1024 SNFS

  • 768 NFS 1024 NFS

  • 6  factor base size

    700  effort

    5  factor base size

    500  effort

    140  factor base size

    5E5  effort

    30  factor base size

    1000  effort

    (suboptimal choices: much smaller effort with larger factor bases)


    Conclusion

    • Factoring 1024-bit ‘special’ numbers is within reach

      • We should prove it is

  • Factoring 768-bit RSA moduli will soon be feasible

    • using tomorrow’s hardware

      • We should get ready

  • Factoring 1024-bit RSA moduli still looks infeasible

    • using currently available hardware

    • but it may be expected before 2020


    ad