Factoring of Large Numbers using Number Field Sieve Matrix Step Chandana Anand, Arman Gungor, and Kimberly A. Thomas ECE 646 Fall 2006

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve INTRODUCTION The ability to conduct secure electronic transactions is becoming more and more important everyday It is computationally difficult to factor a large number into its prime factors What happens if an algorithm that can achieve this in a reasonable amount of time is discovered?

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve INTRODUCTION Number Field Sieve (NFS) is the fastest known algorithm to factor numbers larger than 110 digits Its development in the past few years has facilitated factoring of integers that were once considered to be infeasible to factor with today ’ s technology

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve INTRODUCTION GNFS was used in factoring a 512-bit number in 1999 as part of the RSA Challenge It was estimated that had the RSA-129 challenge used the GNFS instead of the Multiple Polynomial Quadratic Sieve, it would have taken a quarter of the time

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve INTRODUCTION RSA-155 Details (512-bits) Calendar time for the polynomial selection 9 weeks Sieving: 35.7 CPU-years in total, 3.7 months Matrix and Square Root Steps: 1.5 months Total Calendar Time: 7.4 months

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve INTRODUCTION MHz SGI and Sun workstations 8250 MHz SGI Origin 2000 processors MHz Pentium II PCs 4500 MHz Digital/Compaq boxes This CPU-effort is estimated to be equivalent to approximately 8000 MIPS years

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve GENERAL INFORMATION Number field sieve is a fast factorization method developed by Pollard et al. Number Field Sieve factors an integer n in expected time: exp((c +o (1))(logn ) 1/3 (loglogn ) 2/3 ) with c = 2(2/3) 2/3 ~ Number Field Sieve can be thought of as an extension of the rational sieve where smooth numbers of order n are sought for, rarity of which makes the algorithm impractical

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve GENERAL INFORMATION Polynomial selection: Find two Z-irreducible polynomials f(x) and g(x) so that f(m)=0 (mod n) and g(x)=0 (mod n) for some known m Sieving: Here we find pairs of small integers, (a,b) Matrix step: Here we take the (a,b) pairs found in the last step and construct a large matrix Square root: Given the two squares from the previous steps and their prime factorizations, we must compute their square roots to finally factor n

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve GNFS Matrix Solving Involves finding the dependencies in a very large, very sparse matrix –EXAMPLE: For the RSA-130 challenge, factoring a 130 digit number, the matrix had 3,516,502 rows and 3,504,823 columns with on average 39.4 non-zero entries per row. Storing the position of all 138,690,744 ones would take “ only ” 600 MB of memory vs over 1500 GB to store the entire matrix. Traditional matrix solving methods (e.g. Gaussian) are infeasible

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Wiedemann Algorithm Intended to make GNFS Matrix step more computationally feasible – allows solving the matrix dependencies without modifying the matrix, leaving the matrix sparse and easier to store and operate on Block Wiedemann –multiplies the sparse matrix by 32 or 64 vectors at once –takes advantage of the 32-bit or 64-bit architecture of modern computers

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve WLSS2 Block Wiedemann implementation created in the mid-90s Composed of four steps, two of which may be run in a distributed manner Input: matrix file in an adjacency list format – –1f 2b 53 af c8 d4 f e 13f 15a f 1b9 1ee207 25e 271 2b3 2e1 2f6 2fd 2ff 30c a3 3b3 3bc 3d3 3d7 Output: list of candidate factors

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve WLSS2 Program runs on enigma.gmu.edu without problem – did not try running distributed Found several inconsistencies between the program and its documentation Program has now “ disappeared ” from original Internet source

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve LiDIA LiDIA is a C++ library for computational number theory Allows operations on vectors and matrices such as: –u = A*v; –v.shift_left(n,1); Also allows operations on vectors of vectors –required for implementation of Block Wiedemann

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve LiDIA Implementations Wiedemann Implementation –working on enigma.gmu.edu –needs further debugging –reprogramming of matrix creation –addition of matrix importation functionality Block Wiedemann Implemenation –in progress but needs further work on initialization of the vectors of vectors

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Next Steps Matrix Creation and Input –need to create a program to intelligently create matrices for testing –need a standard matrix format to allow comparisons between WLSS2 and the LiDIA implementations One solution – add a function to LiDIA implementation to read WLSS2 style adjacency list Complete debugging of LiDIA Wiedemann implementation Complete implementation of LiDIA Block Wiedemann algorithm

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Next Steps Continued Testing of WLSS2, Wiedemann implementation, Block Wiedemann implementation –Functionality testing – do all implementations agree on the results of a given input matrix –Timing comparison

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Block Wiedemann Algorithm Input to Block Wiedemann: Matrix A of size DxD, D є [10 7, ] Sparse matrix: Column density << D Most time consuming operations: Matrix-by- vector multiplications A.v i, A 2.v i,....., A k.v i

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Matrix-by-Vector Multiplication Non-zero entries in the columns of A - packets that need to be routed to their destinations m x m mesh, m = √D: row indices of resultant matrix multiplication vector Mesh Cell i value at index i of the vector v packets in column i of the matrix A

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Mesh Routing Architecture Lenstra et al proposed two versions of the routing based circuit simple routing version improved routing version The improved version was implemented by Dr. Gaj et al in reconfigurable hardware We implemented the emulation of this hardware in Java

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Routing in the Mesh Phase 1 – Odd row negotiates with the top even row Phase 2 – Odd column negotiates with right even row Phase 3 – Odd row negotiates with the bottom even row. Phase 4 – Odd column negotiates with left even column.

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Compare-Exchange Both cells determine they will be closer to their destination after a swap The cell that is the farthest from its destination determines it will be closer to its destination after a swap The cell that is farthest will not be closer after the swap, but the cell with the smaller distance will be closer Neither will become closer to its destination

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Implementation Routines Randomly populate the mesh Determine the destination row and column indices of a packet Perform the negotiations (4 times the size of the mesh) Determine exchange cases Update the partial results

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Results The mesh routing architecture was implemented for a mesh size of 4x4. Compare-exchange operations were repeated 4*4 =16 times On an average, routing was completed after all 4 phases of Round 1 and 2 phases of the Round 2 The architecture was then scaled for a mesh size of 12x12 Compare-exchange operations were repeated 4*12 = 48 times Routing was completed at the end of all rounds

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Results (contd..) The code was then modified to perform multiple vector multiplications in the 12x12 mesh Java threads were used to emulate the multiple matrix-by-vector multiplications taking place simultaneously in hardware A new thread was spawned to process the matrix-by- vector multiplication for each vector Each thread updates its own resultant vector

ECE 646, Fall 2006F-2: Factoring of Large Numbers Using Number Field Sieve Future Work Development of a routine to examine the state of the mesh after each phase To find number of phases that are actually required to complete routing in the 12x12 mesh