slide1 n.
Download
Skip this Video
Download Presentation
SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra

Loading in 2 Seconds...

play fullscreen
1 / 22

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra - PowerPoint PPT Presentation


  • 39 Views
  • Uploaded on

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven. Special purpose methods General purpose methods. Take advantage of special properties of p Cannot take advantage of any properties of p.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra' - guri


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

SNFS versus (G)NFS

and the feasibility of

factoring a 1024-bit number with SNFS

Arjen K. Lenstra

Citibank, New York

Technische Universiteit Eindhoven

slide2

Special purpose methods

General purpose methods

Take advantage of special properties of p

Cannot take advantage of any properties of p

, but possibly of n

All based on the same approach

Examples:

Examples:

Trial division, Pollard- (find tiny p, up to 10 or 20 digits)

Pollard-p1 (finds p such that p1 has small factors)

Elliptic curve method (ECM) (finds p up to  60? digits)

 Relevant for RSA

CFRAC, Dixon’s algorithm

Linear sieve, Quadratic sieve

Number field sieve (NFS)

this talk

Variant: SNFS, takes advantage of special form of n

Factoring algorithms (to find factor p of n)

slide3

SNFS and NFS factorizations

when  # bits what how

199006 512 F9 = 2512+1 SNFS

199406 534 (121511)/11 SNFS

199407 384 p(11887) NFS

199411 392 p(13171) NFS

199604 429 RSA-130d NFS

199809 615 12167+1 SNFS

199902 462 RSA-140d NFS

199904 698 (10211 1)/9 SNFS

199908 512 RSA-155d NFS

200011 773 2773+1 SNFS

200201 522 c158d of 2953+1 NFS

200301 809 M809 SNFS

200303 529 RSA-160d NFS

200312 576 RSA-576 NFS

20?? 768 ?? NFS

20?? 1024 ?? SNFS/NFS

slide4

Special Number Field Sieve

Least squares prediction:

1024-bit SNFS factorization by 2012

slide5

Number Field Sieve

Least squares predictions:

768-bit NFS factorization by 2015

1024-bit NFS factorization by 2028

slide6

Goal of this workshop:

  • Make sure that these predictions are
    • too pessimistic from a factoring point of view
    • too optimistic from a cryptographic point of view
  • Thus, we should be able to complete a
    • 1024-bit SNFS factorization well before 2012
    • 768-bit NFS factorization well before 2015
  • by 2005?
  • by 2010?
  • 1024-bit NFS factorization well before 2028 ?
slide7

Problem: since 1989 nothing seems to be happening!

  • Examples of NFS related things that did (or will) not happen:
  • 1994, integers can quickly be factored on a quantum computer
  • no one knows how to build one yet
  • 1999, TWINKLE opto-electronic device to factor 512-bit moduli
  • estimates too optimistic
  • 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits
  • new interpretation of the cost function
  • 200308, TWIRL hardware siever: 1024 bits in a year for US$10M
  • does not include research and development cost
  • 2004, TWIRL hardware siever: 1024 bits in a year for < US$1M
  • For the moment:
    • stuck with existing algorithms and hardware ((G)NFS & PCs)
    • see if we can push them even further
slide8

To factor n, attempt to find integers x, y, x  y such that

        • x2 y2 mod n

If n divides x2y2, then n divides (xy)(x + y), so

n = gcd(xy, n)  gcd(x + y, n)may be a non-trivial factorization

  • Finding such x, y based on two-step Morrison-Brillhart approach:
  • Collect data
  • Combine data

, Relation collection

, Matrix step

: allows ‘obvious’

parallelization (internet)

: often centralized

(Cray, broadband network)

How do general purpose factoring methods work?

slide9

1. Relation collection: collect integers v such that

    • v2 mod n factors into primes < B (i.e., is B-smooth)

 Need to efficiently test many integers for smoothness

  • 2. Matrix step: select a subset of the v’s such that primes < B in
      • corresponding (v2 mod n)’s occur an even number of times

 Need to find elements of null space of (B)(B) matrix

How to solve x2 y2 mod n?

  • Matrix step not further discussed: based on reported ‘overcapacity’
    • assume that current parallelized block Lanczos on
    • current (and future) small broadband networks will suffice
slide10

How to find v’s such that v2mod n is smooth?

  • Examples
  • Dixon’s method:
    • pick v at random in {0,1,…, n1}
    • test v2 mod n {0,1,…, n1} for B-smoothness
    • repeat until > (B) different v’s have been found
    • Speed depends on B-smoothness probability of
      • numbers of size comparable to n
  • Quadratic sieve:
    • test (v + [n])2  n for B-smoothness for small v
    • repeat until > (B) different v’s have been found ( v < S(B))
    • Speed depends on B-smoothness probability of
      • numbers of size comparable to 2S(B)n

 no way to take advantage of special properties of p or n

slide11

Smaller |v2mod n|: higher smoothness probability

  • Quadratic sieve:
    • test (v + [n])2  n for B-smoothness for small v
    • repeat until > (B) different v’s have been found ( v < S(B))
    • Speed depends on B-smoothness probability of
      • numbers of size comparable to 2S(B)n (as opposed to n)
  • Number field sieve:
    • select d; select m close to n1/(d+1)
        • and f(X) Z[X] of degree d with f(m)  0 mod n
    • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
      • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth
    • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
    • Speed depends on simultaneous smoothness probability of
      • numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

slide12

‘Good’ cases for Number Field Sieve

  • select d; select m close to n1/(d+1)
      • and f(X) Z[X] of degree d with f(m)  0 mod n
  • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
    • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth
  • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
  • Speed depends on simultaneous smoothness probability of
    • numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

For those n for which f is bounded by a constant: SNFS applies to n

  • Example: n = 2512+1
    • n divides 2515+8
    • m = 2103 and f(X) = X5+8, then f(m)  0 mod n
  • In general, f cannot be expected to be bounded by a constant,
    • f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n
slide13

SNFS versus NFS

  • SNFS: speed depends on simultaneous smoothness probability of
    • numbers of sizes comparable to n1/(d+1)S and Sd/2
  • NFS: speed depends on simultaneous smoothness probability of
    • numbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2
  • SNFS overall heuristic asymptotic expected runtime is
      • exp((1.53+o(1))(log n)1/3(loglogn)2/3), n 
  • NFS overall heuristic asymptotic expected runtime is
      • exp((1.92+o(1))(log n)1/3(loglogn)2/3), n 

for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit)

S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)

slide14

Determining Br, Ba, and S(Br, Ba) for n

  • Traditionally based on combination of
    • guesswork (‘extrapolation’)
    • experience
    • experiments
      • for 1024-bit n:
  • possibly unreliable
  • unavailable (?)
  • infeasible
  • Alternative approach for TWIRL analysis (Asiacrypt 2003):
  • Let P(x,B) denote probability that |x| is B-smooth and
    • E(Br,Ba,A,B,m,f,t) = 0.6|a|  A0<bBP(abm,Br)P(bdf(a/b)/t,Ba)
    • (‘expected yield’, approximated using numerical integration)
  • For several degrees d:
    • Find ‘ok-ish’ m, dth degree f (with correction t), skewness s
    • For several Br and Ba determineS(Br,Ba) as least S such that
        • E(Br,Ba,A,B,m,f,t)  ((Br) + (Ba))/c
      • for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20)
  • Pick d for which ‘best’ feasible Br and Ba were found
slide15

 product of smoothness probabilities

a

b

  • Realistic estimates for Br and Ba and
    • upper bounds for factoring effort
  • Rectangular region is not at all optimal: crown shaped regions

Results

slide16

Example of non-rectangular region

crown contains points with smoothness probability E16

slide17

Resulting parameter choices

  • 1024-bit SNFS (pessimistic estimate):
    • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
  • 1024-bit NFS:
    • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23
  • Comparing 1024-bit SNFS and 1024-bit NFS:
    • Factor base sizes: about 140 times larger
    • Sieving: about 5E5 times harder
    • Matrix: about 140 times more rows
  •  Potential feasibility of 1024-bit SNFS does not imply
        • feasibility of 1024-bit NFS
slide18

Feasibility of 1024-bit SNFS

  • 512-bit NFS:
    • Br 1.7E6, Ba 1.7E6, (Br) + (Ba)  2.1E6, S  E15
  • 1024-bit SNFS (pessimistic estimate):
    • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
  • Comparing 512-bit NFS and 1024-bit SNFS
    • Factor base sizes: about 6 times larger
    • Sieving: about 700 times harder
    • Matrix: about 6 times more rows

512-bit NFS was (very) feasible in 1999

 based on Moore’s law 1024-bit SNFS feasible by 2005

slide19

Feasibility of 768-bit NFS

  • 1024-bit SNFS:
    • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
  • 768-bit NFS
    • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20
  • Comparing 1024-bit SNFS and 768-bit NFS
    • Factor base sizes: about 5 times larger
    • Sieving: about 500 times harder
    • Matrix: about 5 times more rows
  •  If 1024-bit SNFS is feasible, then based on Moore’s law
    • 768-bit NFS should be feasible about 5 years later
slide20

Comparing 768-bit NFS and 1024-bit NFS

  • 768-bit NFS
    • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20
  • 1024-bit NFS:
    • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23
  • Comparing 768-bit NFS and 1024-bit NFS
    • Factor base sizes: about 30 times larger
    • Sieving: at least 1000 times harder
    • Matrix: about 30 times more rows
  •  Once 768-bit NFS is feasible it will be a while (7 years?)

before 1024-bit NFS is feasible

(unless someone builds TWIRL)

slide21

Summary of 512, 768, 1024 estimates

          • 512 NFS
          • 1024 SNFS
  • 768 NFS 1024 NFS

6  factor base size

700  effort

5  factor base size

500  effort

140  factor base size

5E5  effort

30  factor base size

1000  effort

(suboptimal choices: much smaller effort with larger factor bases)

slide22

Conclusion

  • Factoring 1024-bit ‘special’ numbers is within reach
      • We should prove it is
  • Factoring 768-bit RSA moduli will soon be feasible
    • using tomorrow’s hardware
      • We should get ready
  • Factoring 1024-bit RSA moduli still looks infeasible
    • using currently available hardware
  • but it may be expected before 2020