SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra

1 / 22

# SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra - PowerPoint PPT Presentation

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven. Special purpose methods General purpose methods. Take advantage of special properties of p Cannot take advantage of any properties of p.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra' - guri

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

SNFS versus (G)NFS

and the feasibility of

factoring a 1024-bit number with SNFS

Arjen K. Lenstra

Citibank, New York

Technische Universiteit Eindhoven

Special purpose methods

General purpose methods

Take advantage of special properties of p

Cannot take advantage of any properties of p

, but possibly of n

All based on the same approach

Examples:

Examples:

Trial division, Pollard- (find tiny p, up to 10 or 20 digits)

Pollard-p1 (finds p such that p1 has small factors)

Elliptic curve method (ECM) (finds p up to  60? digits)

 Relevant for RSA

CFRAC, Dixon’s algorithm

Number field sieve (NFS)

this talk

Variant: SNFS, takes advantage of special form of n

Factoring algorithms (to find factor p of n)

SNFS and NFS factorizations

when  # bits what how

199006 512 F9 = 2512+1 SNFS

199406 534 (121511)/11 SNFS

199407 384 p(11887) NFS

199411 392 p(13171) NFS

199604 429 RSA-130d NFS

199809 615 12167+1 SNFS

199902 462 RSA-140d NFS

199904 698 (10211 1)/9 SNFS

199908 512 RSA-155d NFS

200011 773 2773+1 SNFS

200201 522 c158d of 2953+1 NFS

200301 809 M809 SNFS

200303 529 RSA-160d NFS

200312 576 RSA-576 NFS

20?? 768 ?? NFS

20?? 1024 ?? SNFS/NFS

Special Number Field Sieve

Least squares prediction:

1024-bit SNFS factorization by 2012

Number Field Sieve

Least squares predictions:

768-bit NFS factorization by 2015

1024-bit NFS factorization by 2028

Goal of this workshop:

• Make sure that these predictions are
• too pessimistic from a factoring point of view
• too optimistic from a cryptographic point of view
• Thus, we should be able to complete a
• 1024-bit SNFS factorization well before 2012
• 768-bit NFS factorization well before 2015
• by 2005?
• by 2010?
• 1024-bit NFS factorization well before 2028 ?

Problem: since 1989 nothing seems to be happening!

• Examples of NFS related things that did (or will) not happen:
• 1994, integers can quickly be factored on a quantum computer
• no one knows how to build one yet
• 1999, TWINKLE opto-electronic device to factor 512-bit moduli
• estimates too optimistic
• 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits
• new interpretation of the cost function
• 200308, TWIRL hardware siever: 1024 bits in a year for US\$10M
• does not include research and development cost
• 2004, TWIRL hardware siever: 1024 bits in a year for < US\$1M
• For the moment:
• stuck with existing algorithms and hardware ((G)NFS & PCs)
• see if we can push them even further
• x2 y2 mod n

If n divides x2y2, then n divides (xy)(x + y), so

n = gcd(xy, n)  gcd(x + y, n)may be a non-trivial factorization

• Finding such x, y based on two-step Morrison-Brillhart approach:
• Collect data
• Combine data

, Relation collection

, Matrix step

: allows ‘obvious’

parallelization (internet)

: often centralized

How do general purpose factoring methods work?

1. Relation collection: collect integers v such that

• v2 mod n factors into primes < B (i.e., is B-smooth)

 Need to efficiently test many integers for smoothness

• 2. Matrix step: select a subset of the v’s such that primes < B in
• corresponding (v2 mod n)’s occur an even number of times

 Need to find elements of null space of (B)(B) matrix

How to solve x2 y2 mod n?

• Matrix step not further discussed: based on reported ‘overcapacity’
• assume that current parallelized block Lanczos on
• current (and future) small broadband networks will suffice

How to find v’s such that v2mod n is smooth?

• Examples
• Dixon’s method:
• pick v at random in {0,1,…, n1}
• test v2 mod n {0,1,…, n1} for B-smoothness
• repeat until > (B) different v’s have been found
• Speed depends on B-smoothness probability of
• numbers of size comparable to n
• test (v + [n])2  n for B-smoothness for small v
• repeat until > (B) different v’s have been found ( v < S(B))
• Speed depends on B-smoothness probability of
• numbers of size comparable to 2S(B)n

 no way to take advantage of special properties of p or n

Smaller |v2mod n|: higher smoothness probability

• test (v + [n])2  n for B-smoothness for small v
• repeat until > (B) different v’s have been found ( v < S(B))
• Speed depends on B-smoothness probability of
• numbers of size comparable to 2S(B)n (as opposed to n)
• Number field sieve:
• select d; select m close to n1/(d+1)
• and f(X) Z[X] of degree d with f(m)  0 mod n
• look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
• such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth
• S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
• Speed depends on simultaneous smoothness probability of
• numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

‘Good’ cases for Number Field Sieve

• select d; select m close to n1/(d+1)
• and f(X) Z[X] of degree d with f(m)  0 mod n
• look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
• such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth
• S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
• Speed depends on simultaneous smoothness probability of
• numbers of sizes comparable to n1/(d+1)S and fSd/2

 for some n there may be an m and f with f exceptionally small

For those n for which f is bounded by a constant: SNFS applies to n

• Example: n = 2512+1
• n divides 2515+8
• m = 2103 and f(X) = X5+8, then f(m)  0 mod n
• In general, f cannot be expected to be bounded by a constant,
• f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n

SNFS versus NFS

• SNFS: speed depends on simultaneous smoothness probability of
• numbers of sizes comparable to n1/(d+1)S and Sd/2
• NFS: speed depends on simultaneous smoothness probability of
• numbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2
• SNFS overall heuristic asymptotic expected runtime is
• exp((1.53+o(1))(log n)1/3(loglogn)2/3), n 
• NFS overall heuristic asymptotic expected runtime is
• exp((1.92+o(1))(log n)1/3(loglogn)2/3), n 

for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit)

S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)

Determining Br, Ba, and S(Br, Ba) for n

• Traditionally based on combination of
• guesswork (‘extrapolation’)
• experience
• experiments
• for 1024-bit n:
• possibly unreliable
• unavailable (?)
• infeasible
• Alternative approach for TWIRL analysis (Asiacrypt 2003):
• Let P(x,B) denote probability that |x| is B-smooth and
• E(Br,Ba,A,B,m,f,t) = 0.6|a|  A0<bBP(abm,Br)P(bdf(a/b)/t,Ba)
• (‘expected yield’, approximated using numerical integration)
• For several degrees d:
• Find ‘ok-ish’ m, dth degree f (with correction t), skewness s
• For several Br and Ba determineS(Br,Ba) as least S such that
• E(Br,Ba,A,B,m,f,t)  ((Br) + (Ba))/c
• for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20)
• Pick d for which ‘best’ feasible Br and Ba were found

 product of smoothness probabilities

a

b

• Realistic estimates for Br and Ba and
• upper bounds for factoring effort
• Rectangular region is not at all optimal: crown shaped regions

Results

Example of non-rectangular region

crown contains points with smoothness probability E16

Resulting parameter choices

• 1024-bit SNFS (pessimistic estimate):
• Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
• 1024-bit NFS:
• Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23
• Comparing 1024-bit SNFS and 1024-bit NFS:
• Factor base sizes: about 140 times larger
• Sieving: about 5E5 times harder
• Matrix: about 140 times more rows
•  Potential feasibility of 1024-bit SNFS does not imply
• feasibility of 1024-bit NFS

Feasibility of 1024-bit SNFS

• 512-bit NFS:
• Br 1.7E6, Ba 1.7E6, (Br) + (Ba)  2.1E6, S  E15
• 1024-bit SNFS (pessimistic estimate):
• Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
• Comparing 512-bit NFS and 1024-bit SNFS
• Factor base sizes: about 6 times larger
• Sieving: about 700 times harder
• Matrix: about 6 times more rows

512-bit NFS was (very) feasible in 1999

 based on Moore’s law 1024-bit SNFS feasible by 2005

Feasibility of 768-bit NFS

• 1024-bit SNFS:
• Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17
• 768-bit NFS
• Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20
• Comparing 1024-bit SNFS and 768-bit NFS
• Factor base sizes: about 5 times larger
• Sieving: about 500 times harder
• Matrix: about 5 times more rows
•  If 1024-bit SNFS is feasible, then based on Moore’s law
• 768-bit NFS should be feasible about 5 years later

Comparing 768-bit NFS and 1024-bit NFS

• 768-bit NFS
• Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20
• 1024-bit NFS:
• Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23
• Comparing 768-bit NFS and 1024-bit NFS
• Factor base sizes: about 30 times larger
• Sieving: at least 1000 times harder
• Matrix: about 30 times more rows
•  Once 768-bit NFS is feasible it will be a while (7 years?)

before 1024-bit NFS is feasible

(unless someone builds TWIRL)

Summary of 512, 768, 1024 estimates

• 512 NFS
• 1024 SNFS
• 768 NFS 1024 NFS

6  factor base size

700  effort

5  factor base size

500  effort

140  factor base size

5E5  effort

30  factor base size

1000  effort

(suboptimal choices: much smaller effort with larger factor bases)

Conclusion

• Factoring 1024-bit ‘special’ numbers is within reach
• We should prove it is
• Factoring 768-bit RSA moduli will soon be feasible
• using tomorrow’s hardware