slide1
Download
Skip this Video
Download Presentation
SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra

Loading in 2 Seconds...

play fullscreen
1 / 22

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra - PowerPoint PPT Presentation


  • 39 Views
  • Uploaded on

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven. Special purpose methods General purpose methods. Take advantage of special properties of p Cannot take advantage of any properties of p.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra' - guri


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

SNFS versus (G)NFS

and the feasibility of

factoring a 1024-bit number with SNFS

Arjen K. Lenstra

Citibank, New York

Technische Universiteit Eindhoven

slide2

Special purpose methods

General purpose methods

Take advantage of special properties of p

Cannot take advantage of any properties of p

, but possibly of n

All based on the same approach

Examples:

Examples:

Trial division, Pollard- (find tiny p, up to 10 or 20 digits)

Pollard-p1 (finds p such that p1 has small factors)

Elliptic curve method (ECM) (finds p up to  60? digits)

 Relevant for RSA

CFRAC, Dixon’s algorithm

Linear sieve, Quadratic sieve

Number field sieve (NFS)

this talk

Variant: SNFS, takes advantage of special form of n

Factoring algorithms (to find factor p of n)

slide3

SNFS and NFS factorizations

when  # bits what how

199006 512 F9 = 2512+1 SNFS

199406 534 (121511)/11 SNFS

199407 384 p(11887) NFS

199411 392 p(13171) NFS

199604 429 RSA-130d NFS

199809 615 12167+1 SNFS

199902 462 RSA-140d NFS

199904 698 (10211 1)/9 SNFS

199908 512 RSA-155d NFS

200011 773 2773+1 SNFS

200201 522 c158d of 2953+1 NFS

200301 809 M809 SNFS

200303 529 RSA-160d NFS

200312 576 RSA-576 NFS

20?? 768 ?? NFS

20?? 1024 ?? SNFS/NFS

slide4

Special Number Field Sieve

Least squares prediction:

1024-bit SNFS factorization by 2012

slide5

Number Field Sieve

Least squares predictions:

768-bit NFS factorization by 2015

1024-bit NFS factorization by 2028

slide6

Goal of this workshop:

  • Make sure that these predictions are
    • too pessimistic from a factoring point of view
    • too optimistic from a cryptographic point of view
  • Thus, we should be able to complete a
    • 1024-bit SNFS factorization well before 2012
    • 768-bit NFS factorization well before 2015
  • by 2005?
  • by 2010?
  • 1024-bit NFS factorization well before 2028 ?
slide7

Problem: since 1989 nothing seems to be happening!

  • Examples of NFS related things that did (or will) not happen:
  • 1994, integers can quickly be factored on a quantum computer
  • no one knows how to build one yet
  • 1999, TWINKLE opto-electronic device to factor 512-bit moduli
  • estimates too optimistic
  • 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits
  • new interpretation of the cost function
  • 200308, TWIRL hardware siever: 1024 bits in a year for US$10M
  • does not include research and development cost
  • 2004, TWIRL hardware siever: 1024 bits in a year for < US$1M
  • For the moment:
    • stuck with existing algorithms and hardware ((G)NFS & PCs)
    • see if we can push them even further
slide8

To factor n, attempt to find integers x, y, x  y such that

        • x2 y2 mod n

If n divides x2y2, then n divides (xy)(x + y), so

n = gcd(xy, n)  gcd(x + y, n)may be a non-trivial factorization

  • Finding such x, y based on two-step Morrison-Brillhart approach:
  • Collect data
  • Combine data

, Relation collection

, Matrix step

: allows ‘obvious’

parallelization (internet)

: often centralized

(Cray, broadband network)

How do general purpose factoring methods work?

slide9

1. Relation collection: collect integers v such that

    • v2 mod n factors into primes < B (i.e., is B-smooth)

 Need to efficiently test many integers for smoothness

  • 2. Matrix step: select a subset of the v’s such that primes < B in
      • corresponding (v2 mod n)’s occur an even number of times

 Need to find elements of null space of (B)(B) matrix

How to solve x2 y2 mod n?

  • Matrix step not further discussed: based on reported ‘overcapacity’
    • assume that current parallelized block Lanczos on
    • current (and future) small broadband networks will suffice
slide10

How to find v’s such that v2mod n is smooth?

  • Examples
  • Dixon’s method:
    • pick v at random in {0,1,…, n1}
    • test v2 mod n {0,1,…, n1} for B-smoothness
    • repeat until > (B) different v’s have been found
    • Speed depends on B-smoothness probability of
      • numbers of size comparable to n
  • Quadratic sieve:
    • test (v + [n])2  n for B-smoothness for small v
    • repeat until > (B) different v’s have been found ( v < S(B))
    • Speed depends on B-smoothness probability of
      • numbers of size comparable to 2S(B)n

 no way to take advantage of special properties of p or n

slide11

Smaller |v2mod n|: higher smoothness probability

  • Quadratic sieve:
    • test (v + [n])2  n for B-smoothness for small v
    • repeat until > (B) different v’s have been found ( v < S(B))
    • Speed depends on B-smoothness probability of
      • numbers of size comparable to 2S(B)n (as opposed to n)
  • Number field sieve:
    • select d; select m close to n1/(d+1)
        • and f(X) Z[X] of degree d with f(m)  0 mod n
    • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
      • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth
    • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
    • Speed depends on simultaneous smoothness probability of
      • numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

slide12

‘Good’ cases for Number Field Sieve

  • select d; select m close to n1/(d+1)
      • and f(X) Z[X] of degree d with f(m)  0 mod n
  • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
    • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth
  • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
  • Speed depends on simultaneous smoothness probability of
    • numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

For those n for which f is bounded by a constant: SNFS applies to n

  • Example: n = 2512+1
    • n divides 2515+8
    • m = 2103 and f(X) = X5+8, then f(m)  0 mod n
  • In general, f cannot be expected to be bounded by a constant,
    • f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n
slide13

SNFS versus NFS

  • SNFS: speed depends on simultaneous smoothness probability of
    • numbers of sizes comparable to n1/(d+1)S and Sd/2
  • NFS: speed depends on simultaneous smoothness probability of
    • numbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2
  • SNFS overall heuristic asymptotic expected runtime is
      • exp((1.53+o(1))(log n)1/3(loglogn)2/3), n 
  • NFS overall heuristic asymptotic expected runtime is
      • exp((1.92+o(1))(log n)1/3(loglogn)2/3), n 

for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit)

S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)

slide14

Determining Br, Ba, and S(Br, Ba) for n

  • Traditionally based on combination of
    • guesswork (‘extrapolation’)
    • experience
    • experiments
      • for 1024-bit n:
  • possibly unreliable
  • unavailable (?)
  • infeasible
  • Alternative approach for TWIRL analysis (Asiacrypt 2003):
  • Let P(x,B) denote probability that |x| is B-smooth and
    • E(Br,Ba,A,B,m,f,t) = 0.6|a|  A0<bBP(abm,Br)P(bdf(a/b)/t,Ba)
    • (‘expected yield’, approximated using numerical integration)
  • For several degrees d:
    • Find ‘ok-ish’ m, dth degree f (with correction t), skewness s
    • For several Br and Ba determineS(Br,Ba) as least S such that
        • E(Br,Ba,A,B,m,f,t)  ((Br) + (Ba))/c
      • for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20)
  • Pick d for which ‘best’ feasible Br and Ba were found
slide15

 product of smoothness probabilities

a

b

  • Realistic estimates for Br and Ba and
    • upper bounds for factoring effort
  • Rectangular region is not at all optimal: crown shaped regions

Results

slide16

Example of non-rectangular region

crown contains points with smoothness probability E16

slide17

Resulting parameter choices

  • 1024-bit SNFS (pessimistic estimate):
    • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
  • 1024-bit NFS:
    • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23
  • Comparing 1024-bit SNFS and 1024-bit NFS:
    • Factor base sizes: about 140 times larger
    • Sieving: about 5E5 times harder
    • Matrix: about 140 times more rows
  •  Potential feasibility of 1024-bit SNFS does not imply
        • feasibility of 1024-bit NFS
slide18

Feasibility of 1024-bit SNFS

  • 512-bit NFS:
    • Br 1.7E6, Ba 1.7E6, (Br) + (Ba)  2.1E6, S  E15
  • 1024-bit SNFS (pessimistic estimate):
    • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
  • Comparing 512-bit NFS and 1024-bit SNFS
    • Factor base sizes: about 6 times larger
    • Sieving: about 700 times harder
    • Matrix: about 6 times more rows

512-bit NFS was (very) feasible in 1999

 based on Moore’s law 1024-bit SNFS feasible by 2005

slide19

Feasibility of 768-bit NFS

  • 1024-bit SNFS:
    • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
  • 768-bit NFS
    • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20
  • Comparing 1024-bit SNFS and 768-bit NFS
    • Factor base sizes: about 5 times larger
    • Sieving: about 500 times harder
    • Matrix: about 5 times more rows
  •  If 1024-bit SNFS is feasible, then based on Moore’s law
    • 768-bit NFS should be feasible about 5 years later
slide20

Comparing 768-bit NFS and 1024-bit NFS

  • 768-bit NFS
    • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20
  • 1024-bit NFS:
    • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23
  • Comparing 768-bit NFS and 1024-bit NFS
    • Factor base sizes: about 30 times larger
    • Sieving: at least 1000 times harder
    • Matrix: about 30 times more rows
  •  Once 768-bit NFS is feasible it will be a while (7 years?)

before 1024-bit NFS is feasible

(unless someone builds TWIRL)

slide21

Summary of 512, 768, 1024 estimates

          • 512 NFS
          • 1024 SNFS
  • 768 NFS 1024 NFS

6  factor base size

700  effort

5  factor base size

500  effort

140  factor base size

5E5  effort

30  factor base size

1000  effort

(suboptimal choices: much smaller effort with larger factor bases)

slide22

Conclusion

  • Factoring 1024-bit ‘special’ numbers is within reach
      • We should prove it is
  • Factoring 768-bit RSA moduli will soon be feasible
    • using tomorrow’s hardware
      • We should get ready
  • Factoring 1024-bit RSA moduli still looks infeasible
    • using currently available hardware
  • but it may be expected before 2020
ad