
Factoring RSA Moduli: Current State of the Art J. Jeffry Howbert CSEP 590TU Winter 2006






Presentation Transcript


  1. Factoring RSA Moduli: Current State of the Art. J. Jeffry Howbert, CSEP 590TU, Winter 2006

  2. Algorithms for factoring large integers
• special purpose algorithms
    - run time depends on size of integer, size and number of factors, whether integer has special form
    - run time exponential, except for elliptic curve method
• general purpose algorithms
    - running time depends on size of integer only
    - run time subexponential
    - derived from congruence of squares method
    - only methods suitable for large RSA moduli

  3. History of congruence of squares methods (1)
• difference of squares (Fermat, 1600s)
    - n = (a + b)(a − b) = a² − b²
    - for successive i = 0, 1, 2, ... set a = ⌈√n⌉ + i and compute x = a² − n
    - test whether x is an integer square b²; if so, a − b and a + b are factors of n
• congruence of squares (Kraitchik, 1920s)
    - find b² ≡ a² (mod n) where b ≢ ±a (mod n)
    - calculate gcd(n, a + b), gcd(n, a − b) to get factors
    - real power of method: exploit congruences where b is not an integer square

  4. History of congruence of squares methods (2)
• congruence of squares (cont'd)
    - find two relations: b₁ ≡ a₁² (mod n), b₂ ≡ a₂² (mod n), where b₁, b₂ are not integer squares but b₁ · b₂ is
    - then b₁ · b₂ ≡ a₁² · a₂² = (a₁ a₂)² (mod n) gives a congruence of squares, hence a factorization
    - can be generalized to multiply more than two non-square relations
    - works best if the non-square bᵢ are kept small → improves odds they will factor fully into small primes

  5. History of congruence of squares methods (3)
• process smooth relations in matrix with linear algebra (Morrison and Brillhart, 1975; Dixon)
    - choose factor base of small primes bounded by B
    - collect bᵢ that factor fully over the factor base (B-smooth): bᵢ ≡ aᵢ² (mod n) where aᵢ near √n
    - convert each smooth bᵢ to a vector of prime-factor exponents, e.g.:
          bᵢ = 756 = 2² · 3³ · 5⁰ · 7¹        vᵢ = [2, 3, 0, 1]
    - only care whether exponents are even, so reduce vectors mod 2:
          vᵢ mod 2 = [2, 3, 0, 1] mod 2 = [0, 1, 0, 1]

  6. History of congruence of squares methods (4)
• process smooth relations in matrix with linear algebra (cont'd)
    - gather more smooth relations than there are primes in the factor base (k + 1 vectors in k dimensions over GF(2) are always linearly dependent)
    - place relations in a matrix, use linear algebra to find a subset of the vᵢ that sums to zero mod 2:
          ∑ vᵢ ≡ [0, 0, 0, ..., 0] (mod 2)
    - real power of method: the product of the corresponding bᵢ then has all-even exponents, so it is a perfect square and a congruence of squares is guaranteed

  7. History of congruence of squares methods (5)
• quadratic sieve (Pomerance, 1981)
    - generate a continuum of bᵢ = aᵢ² − n (aᵢ near √n)
    - for each prime p in the factor base:
        - extract the square roots x₁, x₂ of n modulo p
        - flag all aᵢ such that aᵢ = x₁ + kp or aᵢ = x₂ + kp, k = 0, 1, 2, ...
        - real power of method: bᵢ ≡ 0 (mod p) for all flagged aᵢ, so no trial division is needed
        - for all flagged aᵢ, divide the corresponding bᵢ by p
    - when sieving is complete, the bᵢ that have been reduced to 1 by repeated division are smooth over the factor base
    - tweaks:
        - multiple polynomials (MPQS)
        - combine partial relations
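The following Python program is an added example, not code from the presentation, that carries slides 3-7 through on a toy scale: it builds a factor base, sieves bᵢ = aᵢ² − n over an interval of aᵢ near √n by walking the two square roots of n modulo each p, keeps the bᵢ that reduce to 1, reduces the exponent vectors mod 2, finds a dependency by GF(2) elimination, and takes the gcd. The factor-base bound (30), the sieve interval (2000) and the test moduli 8051 = 83 · 97 and 15347 = 103 · 149 are constructed choices made here; square roots mod p are found by brute force, so it is only for small n.

```python
"""Toy quadratic sieve (slides 3-7): smooth relations, exponent vectors mod 2,
GF(2) linear algebra, and the final gcd step.

Added example, not code from the presentation. Parameters (factor-base bound,
sieve interval) and the test moduli are constructed for illustration; the
square roots mod p are found by brute force, so this only handles small n.
"""
from math import gcd, isqrt


def primes_up_to(bound):
    """Sieve of Eratosthenes; returns all primes <= bound."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for p in range(2, isqrt(bound) + 1):
        if flags[p]:
            flags[p * p::p] = bytes(len(range(p * p, bound + 1, p)))
    return [p for p in range(bound + 1) if flags[p]]


def factor_base(n, bound):
    """Primes p <= bound with n a quadratic residue mod p.  If n is a
    non-residue mod p, then a^2 - n is never divisible by p, so p would
    only waste a matrix column."""
    return [p for p in primes_up_to(bound)
            if p == 2 or pow(n % p, (p - 1) // 2, p) == 1]


def sqrt_mod_p(n, p):
    """Square roots x1, x2 of n modulo a small prime p (brute force)."""
    return [x for x in range(p) if (x * x - n) % p == 0]


def sieve_relations(n, fb, interval):
    """Sieve b_i = a_i^2 - n for a_i = floor(sqrt(n)) + 1 + i, 0 <= i < interval.
    For each p in fb, every a_i = x + k*p (x a root of n mod p) has p | b_i,
    so only those positions are touched.  Returns (a_i, exponent vector) for
    each b_i that is reduced to 1, i.e. is smooth over fb."""
    a0 = isqrt(n) + 1
    residues = [a0 + i for i in range(interval)]
    b = [a * a - n for a in residues]
    exps = [[0] * len(fb) for _ in range(interval)]
    for j, p in enumerate(fb):
        for root in sqrt_mod_p(n, p):
            start = (root - a0) % p           # first i with a0 + i = root (mod p)
            for i in range(start, interval, p):
                while b[i] % p == 0:          # divide out the full power of p
                    b[i] //= p
                    exps[i][j] += 1
    return [(residues[i], exps[i]) for i in range(interval) if b[i] == 1]


def gf2_dependencies(rows):
    """Gaussian elimination over GF(2) on the exponent vectors reduced mod 2.
    Yields index sets S with sum of v_i over S = 0 (mod 2): the product of
    the corresponding b_i has all-even exponents, hence is a perfect square."""
    vecs = [sum((e & 1) << k for k, e in enumerate(r)) for r in rows]
    pivots = {}                               # leading bit -> (vector, history)
    for i, v in enumerate(vecs):
        h = 1 << i                            # which original rows make up v
        while v:
            bit = v.bit_length() - 1
            if bit not in pivots:
                pivots[bit] = (v, h)
                break
            pv, ph = pivots[bit]
            v ^= pv
            h ^= ph
        if v == 0:
            yield [k for k in range(len(rows)) if (h >> k) & 1]


def factor_qs(n, bound=30, interval=2000):
    """Return a nontrivial factor of odd composite n, or None if the sieve
    parameters did not produce a usable dependency."""
    fb = factor_base(n, bound)
    for p in fb:
        if n % p == 0:                        # tiny factor: nothing to sieve
            return p
    rels = sieve_relations(n, fb, interval)
    # With more relations than primes a dependency is guaranteed (slide 6);
    # with fewer we still try whatever the matrix happens to contain.
    for dep in gf2_dependencies([e for _, e in rels]):
        x, exp_sum = 1, [0] * len(fb)
        for k in dep:
            a, e = rels[k]
            x = x * a % n
            exp_sum = [s + t for s, t in zip(exp_sum, e)]
        y = 1                                 # y = sqrt(product of b_i) mod n
        for p, s in zip(fb, exp_sum):
            y = y * pow(p, s // 2, n) % n
        # now x^2 = y^2 (mod n); useful unless x = +/-y (mod n)
        for d in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < d < n:
                return d
    return None


if __name__ == "__main__":
    for n in (8051, 15347):                   # constructed toy moduli
        f = factor_qs(n)
        print(n, "=", f, "x", n // f)
```

Both toy moduli happen to produce a bᵢ that is already a perfect square (90² − 8051 = 7², 126² − 15347 = 23²), so the first dependency found is a single row and the run degenerates to Fermat's method. With relations whose vectors are individually non-zero, e.g. 124 → 29, 127 → 2 · 17 · 23 and 195 → 2 · 17 · 23 · 29 for n = 15347, `gf2_dependencies` returns the three-row combination whose product is a square, which is what the matrix step exists for. Real implementations sieve with approximate logarithms rather than exact division, switch polynomials (MPQS) and keep partial relations with one or two large primes, as the tweaks on slide 7 note.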

  8. History of congruence of squares methods (6)
• general number field sieve (GNFS) (Pollard, others, starting 1988)
    - relations are collected on two sides, a rational side and an algebraic number field side (both factor base bounds appear on slide 12); the matrix step is the same GF(2) linear algebra, followed by a square root in the number field
    - real power of method: restricts the search for smooth numbers to those of order n^{1/d}, where d ~ 5-6

  9. Congruence of squares methods: subexponential complexity
• Dixon's algorithm
      L(n) ~ exp((2 + o(1)) · (ln n)^{1/2} · (ln ln n)^{1/2})
• Quadratic sieve (best for n up to about 110 decimal digits)
      L(n) ~ exp((1 + o(1)) · (ln n)^{1/2} · (ln ln n)^{1/2})
• General number field sieve (best for n over about 110 digits)
      L(n) ~ exp(((64/9)^{1/3} + o(1)) · (ln n)^{1/3} · (ln ln n)^{2/3})

  10. Implementation of advanced congruence of squares methods (MPQS and GNFS)
• sieving step very CPU intensive, but highly parallelizable
    - historically, large efforts distributed over many processors (communication even by email)
• matrix step very memory intensive
    - historically done on a central supercomputer
    - more recently performed on tightly linked clusters

  11. History of factoring RSA Challenge Numbers
(table not recovered in this transcript; legend follows)
MPQS = multiple polynomial quadratic sieve
GNFS = general number field sieve

  12. Data and resource statistics on RSA Challenge Numbers

RSA-129 (completed 1994 by MPQS)
    size of factor base                                     524,339
    large prime bound                                       2^30
    regular full relations                                  1.1 × 10^5
    full relations derived from partial / double partial    4.6 × 10^5
    amount of data                                          2 GB
    time for sieving step                                   5000 MIPS-years
    time for matrix step                                    45 hrs

RSA-200 (completed 2005 by GNFS)
    factor base bound (algebraic side)                      3 × 10^8
    factor base bound (rational side)                       18 × 10^7
    large prime bound                                       2^35
    relations from lattice sieving                          26 × 10^8
    relations from line sieving                             5 × 10^7
    total relations (after removing duplicates)             22.6 × 10^8
    matrix size (rows and columns)                          64 × 10^6
    non-zero entries in matrix                              11 × 10^9
    time for sieving step                                   55 2.2-GHz Opteron-years
    time for matrix step                                    20 2.2-GHz Opteron-years

  13. Your RSA keys: What are the risks? (1)
• factoring a new, larger modulus n′ instead of n scales as:
    - L(n′)_GNFS / L(n)_GNFS in time
    - (L(n′)_GNFS / L(n)_GNFS)^{1/2} in memory

  14. Your RSA keys: What are the risks? (2)
• working for a year with today's hardware and algorithms:
    - a 768-bit integer would take 18,000 PCs, each with 5 GB memory
        - might see factorization with massive effort in 5-7 years
    - a 1024-bit integer would take 50,000,000 PCs, each with 10 GB main memory, plus additional DRAM
        - acquisition cost of hardware c. US$ 100B!!
        - no factorization foreseeable for at least 15 years
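As an added example, not part of the presentation, here is the scaling rule of slide 13 worked through in Python for the 768-bit and 1024-bit cases of slide 14. The o(1) term is dropped, so the factor is an order-of-magnitude estimate only; reading slide 14's "18,000 PCs for a year" as 18,000 PC-years is an assumption made here.

```python
"""GNFS L-notation scaling rule from slides 13-14, used to extrapolate a known
effort to a larger modulus.  Added example, not from the presentation; the
o(1) term is dropped, so the result is an order-of-magnitude estimate only."""
from math import exp, log

LN2 = log(2)
C_GNFS = (64 / 9) ** (1 / 3)


def ln_L_gnfs(bits):
    """ln L(n) for an n of the given bit length (slide 9, o(1) dropped):
    (64/9)^{1/3} * (ln n)^{1/3} * (ln ln n)^{2/3}, with ln n = bits * ln 2."""
    ln_n = bits * LN2
    return C_GNFS * ln_n ** (1 / 3) * log(ln_n) ** (2 / 3)


def scaling_factors(bits_from, bits_to):
    """(time factor, memory factor) for moving from bits_from to bits_to:
    time grows as L(n')/L(n), matrix memory as the square root of that."""
    time_factor = exp(ln_L_gnfs(bits_to) - ln_L_gnfs(bits_from))
    return time_factor, time_factor ** 0.5


def extrapolate(effort_from, bits_from, bits_to):
    """Scale a known effort (e.g. PC-years) at bits_from to bits_to."""
    time_factor, _ = scaling_factors(bits_from, bits_to)
    return effort_from * time_factor


if __name__ == "__main__":
    t, m = scaling_factors(768, 1024)
    print(f"768 -> 1024 bits: ~{t:.0f}x time, ~{m:.0f}x memory")
    # Assumption: slide 14's "18,000 PCs for a year" read as 18,000 PC-years.
    est = extrapolate(18_000, 768, 1024)
    print(f"1024-bit estimate from an 18,000 PC-year baseline: ~{est:,.0f} PC-years")
```

The rule gives roughly 1,200× more time and about 35× more memory for 1024 bits than for 768, i.e. on the order of 2 × 10^7 PC-years from the 18,000 PC-year baseline. Slide 14's figure of 50,000,000 PCs is higher; the gap is the o(1) term and the per-machine memory constraint, neither of which the asymptotic formula captures.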

  15. Your RSA keys: What are the risks? (3)
BUT ...
• fairly mature design proposals exist for special-purpose hardware to perform the sieving step
    - TWINKLE (electro-optics)
    - TWIRL (parallel processing pipelines)
    - mesh circuits (2D systolic arrays)
• estimated that 200 TWIRL clusters could do the sieving for a 1024-bit integer in one year
    - US$ 10-20M one-time R&D costs
    - US$ 1.1M manufacturing costs
    - 5-6 orders of magnitude reduction in cost
