SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven.


Factoring algorithms (to find a factor p of n)
Special purpose methods: take advantage of special properties of p. Examples: trial division, Pollard-ρ (finds tiny p, up to 10 or 20 digits); Pollard p−1 (finds p such that p−1 has small factors); elliptic curve method (ECM) (finds p up to ~60? digits).
General purpose methods: cannot take advantage of any properties of p; all based on the same approach; relevant for RSA. Examples: CFRAC, Dixon's algorithm; linear sieve, quadratic sieve; number field sieve (NFS). Variant: SNFS, which likewise cannot use properties of p but does take advantage of a special form of n → this talk.

SNFS and NFS factorizations (table columns: when, # bits, what, how; only the 'what' and 'how' columns survive for most rows):
F9: SNFS; (… − 1)/11: SNFS; p(11887): NFS; p(13171): NFS; RSA-130: NFS; …: SNFS; RSA-140: NFS; (… − 1)/9: SNFS; RSA-155: NFS; …: SNFS; c158: NFS; M809: SNFS; RSA-160: NFS; RSA-576: NFS; 20??, 768 bits, ??: NFS; 20??, 1024 bits, ??: SNFS/NFS

Special Number Field Sieve. Least squares prediction: 1024-bit SNFS factorization by 2012.

Number Field Sieve. Least squares predictions: 768-bit NFS factorization by 2015; 1024-bit NFS factorization by 2028.

Goal of this workshop: make sure that these predictions are too pessimistic from a factoring point of view (too optimistic from a cryptographic point of view). Thus, we should be able to complete:
- a 1024-bit SNFS factorization well before 2012 (by 2005?)
- a 768-bit NFS factorization well before 2015 (by 2010?)
- a 1024-bit NFS factorization well before 2028 (?)

Problem: since 1989 nothing seems to be happening! Examples of NFS-related things that did (or will) not happen:
- 1994: integers can quickly be factored on a quantum computer (no one knows how to build one yet)
- 1999: TWINKLE opto-electronic device to factor 512-bit moduli (estimates too optimistic)
- 2001: Bernstein's factoring circuits: 1536 bits for the cost of 512 bits (new interpretation of the cost function)
- 2003: TWIRL hardware siever: 1024 bits in a year for US$10M (does not include research and development cost)
- 2004: TWIRL hardware siever: 1024 bits in a year for < US$1M
For the moment: stuck with existing algorithms and hardware ((G)NFS & PCs); see if we can push them even further.

How do general purpose factoring methods work?
To factor n, attempt to find integers x, y with x ≢ ±y mod n such that x² ≡ y² mod n.
If n divides x² − y², then n divides (x − y)(x + y), so n = gcd(x − y, n) · gcd(x + y, n) may be a non-trivial factorization.
Finding such x, y is based on the two-step Morrison-Brillhart approach:
1. Collect data: relation collection, allows 'obvious' parallelization (internet)
2. Combine data: matrix step, often centralized (Cray, broadband network)

How to solve x² ≡ y² mod n?
1. Relation collection: collect integers v such that v² mod n factors into primes < B (i.e., is B-smooth) → need to efficiently test many integers for smoothness.
2. Matrix step: select a subset of the v's such that each prime < B occurs an even number of times in the corresponding (v² mod n)'s → need to find elements of the null space of a π(B) × π(B) matrix.
Matrix step not further discussed: based on reported 'overcapacity', assume that current parallelized block Lanczos on current (and future) small broadband networks will suffice.

How to find v's such that v² mod n is smooth? Examples:
Dixon's method: pick v at random in {0, 1, …, n−1}; test v² mod n ∈ {0, 1, …, n−1} for B-smoothness; repeat until > π(B) different v's have been found. Speed depends on the B-smoothness probability of numbers of size comparable to n.
Quadratic sieve: test (v + [√n])² − n for B-smoothness for small v; repeat until > π(B) different v's have been found (|v| < S(B)). Speed depends on the B-smoothness probability of numbers of size comparable to 2S(B)√n.
→ no way to take advantage of special properties of p or n
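As an added illustration (not from the slides) of the two-step approach above, a toy Dixon factorization: random v, a trial-division smoothness test over the factor base of primes below B, and a GF(2) elimination that finds a subset of relations whose v² mod n multiply to a square y², after which gcd(x − y, n) is tried. The values n = 84923 and B = 50 used in the test are constructed example inputs.

```python
import math
import random

def small_primes(B):
    # Factor base: all primes below B (sieve of Eratosthenes)
    sieve = bytearray([1]) * B
    for i in range(2, int(B ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, B, i)))
    return [p for p in range(2, B) if sieve[p]]

def smooth_exponents(x, primes):
    # Exponent vector of x over the factor base, or None if x is not B-smooth
    exps = []
    for p in primes:
        e = 0
        while x % p == 0:
            x, e = x // p, e + 1
        exps.append(e)
    return exps if x == 1 else None

def dixon(n, B=50, extra=20, seed=1):
    # Morrison-Brillhart: (1) collect relations, (2) combine them in the matrix step
    rng, primes, rels = random.Random(seed), small_primes(B), []
    # 1. relation collection: random v, keep it if v^2 mod n is B-smooth;
    #    more than pi(B) relations guarantee at least one dependency
    while len(rels) < len(primes) + extra:
        v = rng.randrange(2, n)
        ev = smooth_exponents(v * v % n, primes) if v * v % n else None
        if ev is not None:
            rels.append((v, ev))
    # 2. matrix step: Gaussian elimination over GF(2) on the exponent vectors mod 2,
    #    each row carrying a bitmask of the relations it was built from
    pivots = {}
    for k, (_, ev) in enumerate(rels):
        vec, comb = sum((e & 1) << i for i, e in enumerate(ev)), 1 << k
        while vec:
            low = vec & -vec                     # lowest set bit = pivot column
            if low not in pivots:
                pivots[low] = (vec, comb)
                break
            pvec, pcomb = pivots[low]
            vec, comb = vec ^ pvec, comb ^ pcomb
        else:                                    # vec == 0: a dependency, so x^2 = y^2 mod n
            x, total = 1, [0] * len(primes)
            for j, (v, ev) in enumerate(rels):
                if comb >> j & 1:
                    x = x * v % n
                    total = [s + e for s, e in zip(total, ev)]
            y = math.prod(pow(p, e // 2, n) for p, e in zip(primes, total)) % n
            for g in (math.gcd(x - y, n), math.gcd(x + y, n)):
                if 1 < g < n:                    # non-trivial factor found
                    return g
    return None
```

Dependencies with x ≡ ±y mod n give only trivial gcds, which is why the loop keeps going through further null-space vectors instead of stopping at the first one.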

Smaller |v² mod n|: higher smoothness probability.
Quadratic sieve: test (v + [√n])² − n for B-smoothness for small v; repeat until > π(B) different v's have been found (|v| < S(B)). Speed depends on the B-smoothness probability of numbers of size comparable to 2S(B)√n (as opposed to n).
Number field sieve: select d; select m close to n^(1/(d+1)) and f(X) ∈ Z[X] of degree d with f(m) ≡ 0 mod n; look at S = S(B_r, B_a) integer pairs (a, b) to find co-prime ones such that |a − bm| is B_r-smooth and |b^d f(a/b)| is B_a-smooth; S such that we expect to find > π(B_r) + π(B_a) 'good' (a, b) pairs. Speed depends on the simultaneous smoothness probability of numbers of sizes comparable to n^(1/(d+1))√S and ‖f‖·S^(d/2).
→ for some n there may be an m and f with ‖f‖ exceptionally small

'Good' cases for the Number Field Sieve: select d; select m close to n^(1/(d+1)) and f(X) ∈ Z[X] of degree d with f(m) ≡ 0 mod n; look at S = S(B_r, B_a) integer pairs (a, b) to find co-prime ones such that |a − bm| is B_r-smooth and |b^d f(a/b)| is B_a-smooth; S such that we expect to find > π(B_r) + π(B_a) 'good' (a, b) pairs. Speed depends on the simultaneous smoothness probability of numbers of sizes comparable to n^(1/(d+1))√S and ‖f‖·S^(d/2) → for some n there may be an m and f with ‖f‖ exceptionally small.
For those n for which ‖f‖ is bounded by a constant: SNFS applies to n. Example: n = …, n divides …, m = … and f(X) = X^5 + 8; then f(m) ≡ 0 mod n.
In general ‖f‖ cannot be expected to be bounded by a constant; ‖f‖ will be of size comparable to m (i.e., n^(1/(d+1))): NFS applies to n.

SNFS versus NFS
SNFS: speed depends on the simultaneous smoothness probability of numbers of sizes comparable to n^(1/(d+1))√S and S^(d/2).
NFS: speed depends on the simultaneous smoothness probability of numbers of sizes comparable to n^(1/(d+1))√S and n^(1/(d+1))·S^(d/2).
SNFS overall heuristic asymptotic expected runtime is exp((1.53 + o(1))(log n)^(1/3)(log log n)^(2/3)), n → ∞.
NFS overall heuristic asymptotic expected runtime is exp((1.92 + o(1))(log n)^(1/3)(log log n)^(2/3)), n → ∞.
For 1024-bit n and d = 6 the difference is the factor n^(1/(d+1)), a 147-bit (45-digit) number; with S = …: smoothness of pairs of sizes (55 digits, 60 digits) versus (55 digits, 105 digits).
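An added calculation (not part of the original talk) that reproduces the size comparison on this slide for d = 6 and a 1024-bit n: the digit counts of the rational and algebraic norms for SNFS and NFS, the bit length of n^(1/(d+1)), and the ratio of the two heuristic runtimes with the o(1) terms dropped. S = 1E20 sieved pairs, so that a and b are up to √S ≈ 1E10, is an assumption, since the slide's value for S did not survive.

```python
import math

LOG10_2 = math.log10(2)

def m_bits(bits, d):
    # Bit length of m ~ n^(1/(d+1)) for a `bits`-bit n
    return math.ceil(bits / (d + 1))

def norm_digits(bits, d, S):
    # Digit counts ("sizes comparable to", rounded up) of the numbers that must be smooth:
    #   rational side            |a - b*m|     ~ n^(1/(d+1)) * sqrt(S)
    #   algebraic side, SNFS     |b^d f(a/b)|  ~ sqrt(S)^d            (coefficients of f O(1))
    #   algebraic side, NFS      |b^d f(a/b)|  ~ n^(1/(d+1)) * sqrt(S)^d (coefficients ~ m)
    m_log = bits * LOG10_2 / (d + 1)      # log10 of n^(1/(d+1))
    ab_log = math.log10(S) / 2            # log10 of sqrt(S): size of a and b (assumed S)
    digits = lambda x: math.ceil(round(x, 6))
    return digits(m_log + ab_log), digits(d * ab_log), digits(m_log + d * ab_log)

def l_exponent(bits, c):
    # Natural log of exp(c * (log n)^(1/3) * (log log n)^(2/3)) for a `bits`-bit n, o(1) dropped
    ln_n = bits * math.log(2)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)

def nfs_over_snfs(bits):
    # Heuristic ratio of NFS (constant 1.92) to SNFS (constant 1.53) runtime for a `bits`-bit n
    return math.exp(l_exponent(bits, 1.92) - l_exponent(bits, 1.53))
```

Under these assumptions the digit counts come out as (55, 60) for SNFS versus (55, 105) for NFS, matching the slide; the asymptotic ratio for 1024 bits is a few hundred thousand, the same order as the 5E5 sieving ratio estimated later in the talk.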

Determining B_r, B_a, and S(B_r, B_a) for n
Traditionally based on a combination of guesswork ('extrapolation'), experience and experiments.
Alternative approach for the TWIRL analysis (Asiacrypt 2003): let P(x, B) denote the probability that |x| is B-smooth and
E(B_r, B_a, A, B, m, f, t) = 0.6 · Σ_{|a| ≤ A} Σ_{0 < b ≤ B} P(a − bm, B_r) · P(b^d f(a/b)/t, B_a)
('expected yield', approximated using numerical integration).
For several degrees d: find 'ok-ish' m, dth degree f (with correction t), skewness s; for several B_r and B_a determine S(B_r, B_a) as the least S such that E(B_r, B_a, A, B, m, f, t) ≥ (π(B_r) + π(B_a))/c for B = √(S/2s), A = sB, and 'reasonable' c (say, 20). Pick the d for which the 'best' feasible B_r and B_a were found.
For 1024-bit n: … possibly unreliable; … unavailable (?); … infeasible.

Results aa bb  product of smoothness probabilities Rectangular region is not at all optimal: crown shaped regions Realistic estimates for B r and B a and upper bounds for factoring effort

Example of a non-rectangular region: the crown contains the points with smoothness probability ≥ E−16.

Resulting parameter choices
1024-bit SNFS (pessimistic estimate): B_r ≈ 6.7E7, B_a ≈ 1.3E8, π(B_r) + π(B_a) ≈ 1.2E7, S ≈ 6.4E17
1024-bit NFS: B_r ≈ 3.5E9, B_a ≈ 2.6E10, π(B_r) + π(B_a) ≈ 1.7E9, S ≈ 3E23
Comparing 1024-bit SNFS and 1024-bit NFS: factor base sizes about 140 times larger; sieving about 5E5 times harder; matrix about 140 times more rows.
→ Potential feasibility of 1024-bit SNFS does not imply feasibility of 1024-bit NFS.

Feasibility of 1024-bit SNFS
512-bit NFS: B_r ≈ 1.7E6, B_a ≈ 1.7E6, π(B_r) + π(B_a) ≈ 2.1E6, S ≈ …E…
1024-bit SNFS (pessimistic estimate): B_r ≈ 6.7E7, B_a ≈ 1.3E8, π(B_r) + π(B_a) ≈ 1.2E7, S ≈ 6.4E17
Comparing 512-bit NFS and 1024-bit SNFS: factor base sizes about 6 times larger; sieving about 700 times harder; matrix about 6 times more rows.
512-bit NFS was (very) feasible in 1999 → based on Moore's law, 1024-bit SNFS feasible by 2005.

Feasibility of 768-bit NFS
1024-bit SNFS: B_r ≈ 6.7E7, B_a ≈ 1.3E8, π(B_r) + π(B_a) ≈ 1.2E7, S ≈ 6.4E17
768-bit NFS: B_r ≈ …E8, B_a ≈ …E9, π(B_r) + π(B_a) ≈ 5.6E7, S ≈ 3E20
Comparing 1024-bit SNFS and 768-bit NFS: factor base sizes about 5 times larger; sieving about 500 times harder; matrix about 5 times more rows.
→ If 1024-bit SNFS is feasible, then based on Moore's law 768-bit NFS should be feasible about 5 years later.

Comparing 768-bit NFS and 1024-bit NFS
768-bit NFS: B_r ≈ …E8, B_a ≈ …E9, π(B_r) + π(B_a) ≈ 5.6E7, S ≈ 3E20
1024-bit NFS: B_r ≈ 3.5E9, B_a ≈ 2.6E10, π(B_r) + π(B_a) ≈ 1.7E9, S ≈ 3E23
Comparing 768-bit NFS and 1024-bit NFS: factor base sizes about 30 times larger; sieving at least 1000 times harder; matrix about 30 times more rows.
→ Once 768-bit NFS is feasible it will be a while (7 years?) before 1024-bit NFS is feasible (unless someone builds TWIRL).

Summary of the 512, 768 and 1024 estimates (diagram with four nodes: 512 NFS, 1024 SNFS, 768 NFS, 1024 NFS):
- 512 NFS → 1024 SNFS: 6× factor base size, 700× effort
- 1024 SNFS → 768 NFS: 5× factor base size, 500× effort
- 768 NFS → 1024 NFS: 30× factor base size, 1000× effort
- 1024 SNFS → 1024 NFS: 140× factor base size, 5E5× effort
(suboptimal choices: much smaller effort with larger factor bases)

Conclusion
- Factoring 1024-bit 'special' numbers is within reach: we should prove it is.
- Factoring 768-bit RSA moduli will soon be feasible using tomorrow's hardware: we should get ready.
- Factoring 1024-bit RSA moduli still looks infeasible using currently available hardware, but it may be expected before 2020.