Factoring RSA Moduli: Current State of the Art

Presentation transcript:

Factoring RSA Moduli: Current State of the Art
J. Jeffry Howbert
CSEP 590TU, Winter 2006
4/5/2019 J. Jeffry Howbert

Algorithms for factoring large integers
- special purpose algorithms
  - run time depends on size of integer, size and number of factors, whether integer has special form
  - run time exponential, except for elliptic curve method
- general purpose algorithms
  - run time depends on size of integer only
  - run time subexponential
  - derived from congruence of squares method
  - only methods suitable for large RSA moduli

History of congruence of squares methods (1)
- difference of squares (Fermat, 1600s)
  - n = (a + b)(a − b) = a² − b²
  - find x = (⌈√n⌉ + i)² − n for successive i = 0, 1, 2, ...
  - test whether x is an integer square
- congruence of squares (Kraitchik, 1920s)
  - find b² ≡ a² mod n where b ≢ ±a mod n
  - calculate gcd(n, a + b), gcd(n, a − b) to get factors
  - real power of method: exploit congruences where b is not an integer square

History of congruence of squares methods (2)
- congruence of squares (cont'd)
  - find two relations:
      b1 ≡ a1² mod n
      b2 ≡ a2² mod n
    where b1, b2 are not integer squares, but b1 · b2 is
  - then b1 · b2 ≡ a1² · a2² mod n gives a factorization
  - can be generalized to multiply more than two non-square relations
  - works best if the non-square bi are kept small → improves the odds they factor fully into small primes

History of congruence of squares methods (3)
- process smooth relations in a matrix with linear algebra (Morrison and Brillhart, 1975; Dixon)
  - choose factor base of small primes bounded by B
  - collect bi that factor fully over the factor base (B-smooth):
      bi ≡ ai² mod n, where ai is near √n
  - convert each smooth bi to a vector of prime factor exponents, e.g.:
      bi = 756 = 2² · 3³ · 5⁰ · 7¹ → vi = [2, 3, 0, 1]
  - only care whether exponents are even, so reduce vectors mod 2:
      vi mod 2 = [2, 3, 0, 1] mod 2 = [0, 1, 0, 1]

History of congruence of squares methods (4)
- process smooth relations in a matrix with linear algebra (cont'd)
  - real power of method: gather at least as many smooth relations as there are primes in the factor base
  - place relations in a matrix, use linear algebra to find a linear combination of the vi with
      Σ vi ≡ [0, 0, 0, ..., 0] mod 2
  - guarantees a solution

History of congruence of squares methods (5)
- quadratic sieve (Pomerance, 1981)
  - generate a continuum of bi = ai² − n (ai near √n)
  - for each prime p in the factor base:
    - extract the square roots x1, x2 of n modulo p
    - flag all ai such that:
        ai = x1 + kp    k = 0, 1, 2, ...
        ai = x2 + kp
    - real power of method: bi ≡ 0 mod p for all flagged ai
    - for all flagged ai, divide the corresponding bi by p
  - when sieving is complete, the bi which have been reduced to 1 by repeated division are smooth over the factor base
  - tweaks:
    - multiple polynomials (MPQS)
    - combine partial relations
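The toy quadratic sieve below is added here as a worked example; it is not code from the slides or from any factoring package. It runs the whole congruence-of-squares pipeline of slides (1) to (5) on a small modulus: sieve bi = ai² − n using the square roots of n modulo each factor-base prime, keep the bi that divide down to 1, reduce their exponent vectors mod 2, find a dependency by Gaussian elimination over GF(2), and take gcd(n, x ± y). The sample modulus n = 15347 (= 103 × 149), the factor-base bound B = 30 and the sieve width of 100 are constructed values chosen so the run finishes instantly; square roots mod p are found by brute force, which is only acceptable because the factor base is tiny.

```python
"""Toy quadratic sieve: sieve a^2 - n, collect B-smooth relations, find an
even-exponent combination over GF(2), then gcd(n, x - y) and gcd(n, x + y)."""
from math import gcd, isqrt


def small_primes(bound):
    """Primes <= bound by a plain Eratosthenes sieve (bound is tiny here)."""
    flags = [True] * (bound + 1)
    primes = []
    for p in range(2, bound + 1):
        if flags[p]:
            primes.append(p)
            for m in range(p * p, bound + 1, p):
                flags[m] = False
    return primes


def factor_base(n, bound):
    """Primes p <= bound for which n is a square mod p; other p never divide a^2 - n."""
    return [p for p in small_primes(bound)
            if p == 2 or pow(n, (p - 1) // 2, p) == 1]


def sqrt_mod(n, p):
    """All x in [0, p) with x^2 = n (mod p); brute force is fine for a tiny factor base."""
    return [x for x in range(p) if (x * x - n) % p == 0]


def sieve(n, fb, width):
    """(a, b) pairs with b = a^2 - n fully factored over fb, for a starting just above sqrt(n)."""
    base = isqrt(n) + 1
    a_vals = [base + i for i in range(width)]
    b_vals = [a * a - n for a in a_vals]
    rem = b_vals[:]                       # what is left of each b after dividing out fb primes
    for p in fb:
        for x in sqrt_mod(n, p):
            i = (x - base) % p            # first index with a_i = x (mod p)
            while i < width:              # walk the flagged a_i = x + k*p
                while rem[i] % p == 0:    # divide out p, including higher powers
                    rem[i] //= p
                i += p
    return [(a_vals[i], b_vals[i]) for i in range(width) if rem[i] == 1]


def exponent_vector(b, fb):
    """Exponent of each fb prime in b; b is known to be fb-smooth."""
    exps = []
    for p in fb:
        e = 0
        while b % p == 0:
            b //= p
            e += 1
        exps.append(e)
    return exps


def gf2_dependencies(vectors):
    """Gaussian elimination over GF(2) on bitmask rows; returns index sets whose rows sum to 0."""
    pivots = {}                           # leading bit -> (reduced row, which inputs it combines)
    deps = []
    for idx, v in enumerate(vectors):
        combo = 1 << idx
        while v and (v.bit_length() - 1) in pivots:
            pv, pc = pivots[v.bit_length() - 1]
            v ^= pv
            combo ^= pc
        if v:
            pivots[v.bit_length() - 1] = (v, combo)
        else:
            deps.append([i for i in range(len(vectors)) if combo >> i & 1])
    return deps


def factor_qs(n, bound=30, width=100):
    """A nontrivial factor of odd composite n, or None if bound/width are too small."""
    fb = factor_base(n, bound)
    for p in fb:                          # a factor-base prime dividing n is already a factor
        if n % p == 0:
            return p
    relations = sieve(n, fb, width)
    exps = [exponent_vector(b, fb) for _, b in relations]
    masks = [sum(1 << j for j, e in enumerate(v) if e % 2) for v in exps]
    for dep in gf2_dependencies(masks):
        x = 1
        total = [0] * len(fb)
        for i in dep:                     # x = product of the a_i, total = summed exponents (all even)
            x = x * relations[i][0] % n
            total = [t + e for t, e in zip(total, exps[i])]
        y = 1
        for p, e in zip(fb, total):       # y = sqrt of the product of the b_i, via halved exponents
            y = y * pow(p, e // 2, n) % n
        for g in (gcd(n, x - y), gcd(n, x + y)):
            if 1 < g < n:
                return g
    return None


if __name__ == "__main__":
    print(factor_qs(15347))               # 103 or 149
```

Dividing out prime powers in the inner loop is what lets a bi be recognised as smooth even when p² | bi; a real sieve instead subtracts approximate logarithms and only trial-divides the candidates that fall under a threshold, uses Tonelli-Shanks for the square roots, and needs a sparse block Lanczos or Wiedemann solver in place of dense elimination once the matrix has millions of rows.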

History of congruence of squares methods (6)
- general number field sieve (GNFS) (Pollard, others, starting 1988)
  - both sieving and matrix steps performed in algebraic number fields
  - real power of method: restricts the search for smooth numbers to those of order n^(1/d), where d ~ 5 – 6

Congruence of squares methods: subexponential complexity
- Dixon's algorithm
    L(n) ~ exp( (2 + o(1)) · (ln n)^(1/2) · (ln ln n)^(1/2) )
- quadratic sieve – best for n up to 110 decimal digits
    L(n) ~ exp( (1 + o(1)) · (ln n)^(1/2) · (ln ln n)^(1/2) )
- general number field sieve – best for n over 110 digits
    L(n) ~ exp( ((64/9)^(1/3) + o(1)) · (ln n)^(1/3) · (ln ln n)^(2/3) )

Implementation of advanced congruence of squares methods (MPQS and GNFS)
- sieving step
  - very CPU intensive, but highly parallelizable
  - historically, large efforts distributed over many processors (communication even by email)
- matrix step
  - very memory intensive
  - historically done on a central supercomputer
  - more recently performed on tightly linked clusters

History of factoring RSA Challenge Numbers

NUMBER             | DECIMAL DIGITS | YEAR FACTORED | FACTORING TEAM    | METHOD | COMPUTE TIME
-------------------|----------------|---------------|-------------------|--------|--------------------------
RSA-120            | 120            | 1993          | Lenstra, et al    | MPQS   | 830 MIPS-years
RSA-129            | 129            | 1994          | Atkins, et al     |        | 5000 MIPS-years
RSA-130            | 130            | 1996          |                   | GNFS   | 1000 MIPS-years
RSA-140            | 140            | 1999          | Montgomery, et al |        | 2000 MIPS-years
RSA-155 (512 bits) | 155            |               |                   |        | 8000 MIPS-years
RSA-160            | 160            | 2003          | Franke, et al     |        | 2.7 1-GHz Pentium-years
RSA-576            | 174            |               |                   |        | 13 1-GHz Pentium-years
RSA-640            | 193            | 2005          | Bahr, et al       |        | 30 2.2-GHz Opteron-years
RSA-200            | 200            |               | Kleinjung, et al  |        | 75 2.2-GHz Opteron-years
RSA-704            | 212            | not factored  |                   |        |
RSA-768            | 232            |               |                   |        |
RSA-896            | 270            |               |                   |        |
RSA-1024           | 309            |               |                   |        |
RSA-1536           | 463            |               |                   |        |
RSA-2048           | 617            |               |                   |        |

MPQS = multiple polynomial quadratic sieve
GNFS = general number field sieve

Data and resource statistics on RSA Challenge Numbers
- RSA-129, completed 1994 by MPQS
  - size of factor base: 524339
  - large prime bound: 2^30
  - regular full relations: 1.1 × 10^5
  - full relations derived from partial / double partial relations: 4.6 × 10^5
  - amount of data: 2 GB
  - time for sieving step: 5000 MIPS-years
  - time for matrix step: 45 hrs
- RSA-200, completed 2005 by GNFS
  - factor base bound (algebraic side): 3 × 10^8
  - factor base bound (rational side): 18 × 10^7
  - large prime bound: 2^35
  - relations from lattice sieving: 26 × 10^8
  - relations from line sieving: 5 × 10^7
  - total relations (after removing duplicates): 22.6 × 10^8
  - matrix size (rows and columns): 64 × 10^6
  - non-zero entries in matrix: 11 × 10^9
  - time for sieving step: 55 2.2-GHz Opteron-years
  - time for matrix step: 20 2.2-GHz Opteron-years

Your RSA keys: What are the risks? (1)
- factoring a new, larger modulus n′ scales as:
    L_GNFS(n′) / L_GNFS(n) in time
    ( L_GNFS(n′) / L_GNFS(n) )^(1/2) in memory
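As an added worked example (not from the slides), the following code evaluates the L-notation formulas from the complexity slide with the o(1) terms dropped and applies the time/memory scaling rule above to a larger modulus. Bit lengths 512, 768 and 1024 and the digit counts 100 and 200 are chosen for illustration; because the o(1) terms are discarded, the QS/GNFS crossover it reports is only a leading-order approximation, which is why it does not land exactly on the 110 digits quoted on the slides.

```python
"""Heuristic L-notation run-time estimates (o(1) terms dropped) and the GNFS
time/memory scaling rule for moving to a larger modulus."""
from math import exp, log

C_GNFS = (64 / 9) ** (1 / 3)      # ~1.923, the GNFS constant on the complexity slide


def bits_from_digits(digits):
    """Bit length of an n with the given number of decimal digits."""
    return digits * log(10) / log(2)


def log_l_gnfs(bits):
    """ln L(n) for GNFS: (64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)."""
    ln_n = bits * log(2)
    return C_GNFS * ln_n ** (1 / 3) * log(ln_n) ** (2 / 3)


def log_l_qs(bits):
    """ln L(n) for the quadratic sieve: (ln n)^(1/2) * (ln ln n)^(1/2)."""
    ln_n = bits * log(2)
    return (ln_n * log(ln_n)) ** 0.5


def gnfs_scaling(bits_known, bits_new):
    """(time ratio, memory ratio) for a bits_new modulus relative to a bits_known one:
    time scales as L(n')/L(n), memory as the square root of that ratio."""
    time_ratio = exp(log_l_gnfs(bits_new) - log_l_gnfs(bits_known))
    return time_ratio, time_ratio ** 0.5


def cheaper_method(digits):
    """Which of QS / GNFS has the smaller leading-order exponent at this size."""
    bits = bits_from_digits(digits)
    return "QS" if log_l_qs(bits) < log_l_gnfs(bits) else "GNFS"


if __name__ == "__main__":
    for new in (768, 1024):
        t, m = gnfs_scaling(512, new)
        print(f"512 -> {new} bits: time x{t:.3g}, memory x{m:.3g}")
    for d in (100, 150, 200):
        print(f"{d} digits: {cheaper_method(d)} has the smaller exponent")
```

The ratios are what make the "risks" estimates on the following slides plausible: relative to the 512-bit RSA-155 effort, 768 bits comes out a few thousand times harder in time and about a hundred times larger in memory, while 1024 bits is several million times harder in time and a few thousand times larger in memory.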

Your RSA keys: What are the risks? (2)
- working for a year with today's hardware and algorithms:
  - 768 bit integer
    - would take 18,000 PCs, each with 5 GB memory
    - might see factorization with massive effort in 5-7 years
  - 1024 bit integer
    - would take 50,000,000 PCs, each with 10 GB main memory, plus additional DRAM
    - acquisition cost of hardware c. US$ 100B!!
    - no factorization foreseeable for at least 15 years

Your RSA keys: What are the risks? (3)
- BUT ... fairly mature design proposals exist for special purpose hardware to perform the sieving step
  - TWINKLE (electro-optics)
  - TWIRL (parallel processing pipelines)
  - mesh circuits (2D systolic arrays)
- estimated that 200 TWIRL clusters could do the sieving on a 1024 bit integer in one year
  - US$ 10-20M one-time R&D costs
  - US$ 1.1M manufacturing costs
  - 5-6 orders of magnitude reduction in cost