
Circuit Design Projects in Integer Factorization


Presentation Transcript


    1. Circuit Design Projects in Integer Factorization
       Burt Kaliski, RSA Security
       March 29, 2006

    2. The Factoring Problem
       - Let N be the product of two or more primes
       - The factoring problem is to find the prime factors of N
       - Example: N = 1363, factors = 29 * 47
       - Factoring is considered a hard computational problem in that its complexity grows rapidly as the size of N increases

    3. Why It's Important
       - Factoring is important because it's the basis for the security of a widely used encryption algorithm, the RSA cryptosystem
       - A user, Alice, has two keys in this cryptosystem:
         - a public key, consisting of a modulus N and an exponent e
         - a private key, consisting of the factors p, q of N
       - Anyone can encrypt a message m for Alice by computing c = m^e mod N
       - Only Alice can decrypt c to recover m by computing m = c^d mod N
       - Here, d is easy to compute given p and q, but hard given only N

    4. Goals of this Talk
       - In this talk, we'll look at some of the methods for factoring
       - We'll also look at some hardware circuits that can be used in a large-scale factoring effort
       - These could be the basis for a VLSI design project

    5. Basic Method: Trial Division
       - At least one of the prime factors of N must be ≤ sqrt(N)
       - Try all possible primes until a factor is found: 2, 3, 5, 7, 11, ...
       - Expected time for this method: sqrt(N) / ln N divisions
       - This is impractical even for modest-sized N
       - A 100-digit N would take nearly 2^160 operations, not counting the time to enumerate the primes

    6. Better Method: Relation Finding
       - Let x, y be random integers such that x^2 ≡ y^2 (mod N)
       - Then with probability , (x-y) and (x+y) each share a prime factor with N
       - Factors can be found by computing GCD
       - Find x, y that have this relationship
       - How?

    7. Finding Relations
       - Let x be a random integer and let a, b, c, ... be non-negative integers such that x^2 ≡ 2^a 3^b 5^c ... (mod N)
       - This is called a relation. The right-hand side is the factorization of z = x^2 mod N
       - Find many such relations. Then collect a subset such that the sum of exponents for every prime is even; this is called the matrix step
       - The x and y such that x^2 ≡ y^2 (mod N) come from the product of the subset
       - But first, how to factor z = x^2 mod N?

    8. Relation Finding Principles
       - Principle 1: We don't need to factor every z, just many
       - Principle 2: If x is near sqrt(N), then z = x^2 - N will be O(sqrt(N)), so easier to factor
       - Principle 3: z will be even easier to factor if all its factors are small, e.g., ≤ some small bound B
       - Such z are called B-smooth
       - Approach: Generate many random x starting near sqrt(N); compute z = x^2 - N; try to factor z up to bound B; output z if B-smooth

    9. Example: N = 1363, B = 5
       - x = 37: z = 1369 mod N = 6 = 2 * 3
       - x = 38: z = 1444 mod N = 81 = 3^4
       - x = 39: z = 1521 mod N = 158 = 2 * [too large]
       - x = 40: z = 1600 mod N = 237 = 3 * [too large]
       - x = 41: z = 1681 mod N = 318 = 2 * 3 * [too large]
       - x = 42: z = 1764 mod N = 401 = [too large]
       - x = 43: z = 1849 mod N = 486 = 2 * 3^5

    10. Solving the Relations
       - Three relations were found:
         - 37^2 ≡ 2 * 3 (mod N)
         - 38^2 ≡ 3^4 (mod N)
         - 43^2 ≡ 2 * 3^5 (mod N)
       - Two subsets can be combined to produce even exponents:
         - 37^2 * 43^2 ≡ 2^2 * 3^6 ⇒ (37 * 43)^2 ≡ (2 * 3^3)^2 ⇒ 228^2 ≡ 54^2
           GCD (228+54, 1363) = 47; GCD (228-54, 1363) = 29
         - 38^2 ≡ (3^2)^2 ⇒ 38^2 ≡ 9^2
           GCD (38+9, 1363) = 47; GCD (38-9, 1363) = 29
       - Factors of N = 1363 are 29 and 47
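
The relation-finding and combining steps of slides 6 to 10, as an added example that is not part of the original presentation. Function names are assumptions, and a brute-force subset search stands in for the linear algebra normally used in the matrix step.

```python
from itertools import combinations
from math import gcd, isqrt


def smooth_exponents(z, primes):
    """Exponent vector of z over `primes`, or None if z is not smooth."""
    exps = []
    for p in primes:
        e = 0
        while z % p == 0:
            z //= p
            e += 1
        exps.append(e)
    return exps if z == 1 else None


def find_relations(n, primes, count):
    """Scan x upward from just above sqrt(n); keep x whose x^2 mod n is smooth."""
    relations = []
    x = isqrt(n) + 1
    while len(relations) < count and x < n:
        z = x * x % n
        exps = smooth_exponents(z, primes) if z else None
        if exps is not None:
            relations.append((x, exps))
        x += 1
    return relations


def factor_from_relations(n, primes, relations):
    """Try subsets until every summed exponent is even and the GCD is non-trivial."""
    for size in range(1, len(relations) + 1):
        for subset in combinations(relations, size):
            total = [sum(col) for col in zip(*(e for _, e in subset))]
            if any(t % 2 for t in total):
                continue  # some prime has an odd exponent: not a square
            x = y = 1
            for xi, _ in subset:
                x = x * xi % n
            for p, t in zip(primes, total):
                y = y * pow(p, t // 2, n) % n
            g = gcd(x - y, n)  # x^2 ≡ y^2 (mod n), so n divides (x-y)(x+y)
            if 1 < g < n:
                return tuple(sorted((g, n // g)))
    return None


def factor(n, primes=(2, 3, 5), count=3):
    """Slide 9's parameters by default: bound B = 5, three relations."""
    return factor_from_relations(n, primes, find_relations(n, primes, count))
```

With the defaults, `factor(1363)` finds the same three relations as slide 9 and returns `(29, 47)` from the single relation 38^2 ≡ 9^2.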

    11. A Brief History of Factoring Methods
       - Antiquity: Trial division
         - Search for p dividing N
       - Renaissance: Fermat's method
         - Search for x, y such that x^2 - y^2 = N directly
       - 1970s: Pollard's rho method
         - Construct a cycle that reveals a factor of N
         - x_0 = 2, x_(i+1) = x_i^2 + 1 mod N
         - For some i, j, GCD (x_i - x_j, N) may reveal the factor

    12. A Brief History (cont'd)
       - 1970s: Pollard's p-1 method
         - Compute an exponential that reveals a factor: z = 2^M mod N, where M = 2^a * 3^b * 5^c * ... up to bound B
         - If p is B-smooth, then GCD (z-1, M) may reveal the factor
       - 1980s: Lenstra's Elliptic Curve Method
         - A more general recurrence based on elliptic curve arithmetic that works for any factor

    13. A Brief History (cont'd)
       - 1970s: Dixon's method
         - Find relations by factoring x^2 - N, then solve relations
       - 1980s: Pomerance et al.'s Quadratic Sieve
         - Find relations by sieving x against small primes
       - 1990s: Pollard et al.'s Number Field Sieve
         - The fastest method known for finding relations
       - 2000s: Shamir and Tromer's TWIRL circuit
         - The fastest circuit design known for finding relations
       - Many other methods as well: Morrison & Brillhart's Continued Fraction, Shanks' SQUFOF, Silverman's MPQS, other circuits by Shamir, Bernstein

    14. A Brief Future (?)
       - 1990s: Shor's algorithm
         - Breaks the factoring problem using a quantum computer
         - Factoring would be almost as easy as multiplying if such a computer could be built

    15. The RSA Factoring Challenge
       - Since 1991, RSA Laboratories has been offering prizes for the factorization of large numbers
       - The current record in this challenge is RSA-200, a 200-digit number factored in May 2005 by a team led by Jens Franke of the University of Bonn; the prize was US $10,000
       - This number took the equivalent of 55 years' work for a single 2.2 GHz Opteron-based computer for sieving, and the matrix step took about three months on 80 such computers
       - The progress of the challenge has closely tracked estimates of the difficulty of factoring

    16. A Relation-Finding Circuit
