Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Hardware-Based Implementations of Factoring Algorithms Factoring Estimates for a 1024-Bit RSA Modulus A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit,

Published byEdmund Spencer Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Hardware-Based Implementations of Factoring Algorithms Factoring Estimates for a 1024-Bit RSA Modulus A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit,"— Presentation transcript:

1 1 Hardware-Based Implementations of Factoring Algorithms Factoring Estimates for a 1024-Bit RSA Modulus A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit, B. Dodson, J. Hughes, and P. Leyland Springer On-line, Lecture Notes in CS 2894, pp. 55-74 (2003) (E. Tromer’s presentation)

2 2 Bicycle chain sieve [D. H. Lehmer, 1928]

3 3 The Quadratic Sieve How to find S such that is a square? Look at the factorization of f 1 (a): f 1 (0)= 102 f 1 (1)= 33 f 1 (2)= 1495 f 1 (3)= 84 f 1 (4)= 616 f 1 (5)= 145 f 1 (6)= 42  11 2 7272 5050 3232 24 24 This is a square, because all exponents are even. 1732 = 113 = 23135 = 732 = 1172323 = 295 = 732 = 

4 4 Comparison: Number Field Sieve (NFS): e (α+o ( 1 ) )·(log n) 1/3 ·(log log n) 2/3 Quadratic Sieve (QS): (log n)^(1/2)*(log log n)^(1/2) L_a(n): Exp{ (c +o(1))* (log n)^a * (log log n)^(1-a)}, Then a = 0 polynomial, a=1 exponential.

5 5 The Sieving Problem Input: a set of arithmetic progressions. Each progression has a prime interval p and value log p. OOO OOO OOOOO OOOOOOOOO OOOOOOOOOOOO Output: indices where the sum of values exceeds a threshold.

6 6 Example: handling large primes Primary consideration: efficient storage between contributions. Each memory+processor unit handle many progressions. It computes and sends contributions across the bus, where they are added at just the right time. Timing is critical. Memory Processor Memory Processor

7 7 Handling large primes (cont.) The memory used by past events can be reused. Think of the processor as rotating around the cyclic memory: By appropriate choice of parameters, we guarantee that new events are always written just behind the read head. There is a tiny (1:1000) window of activity which is “twirling” around the memory bank. It is handled by an SRAM-based cache. The bulk of storage is handled in compact DRAM. Processor

8 8 Rational vs. algebraic sieves We actually have two sieves: rational and algebraic. We are looking for the indices that accumulated enough value in both sieves. The algebraic sieve has many more progressions, and thus dominates cost. We cannot compensate by making s much larger, since the pipeline becomes very wide and the device exceeds the capacity of a wafer. rationalalgebraic

9 9 Estimating NFS parameters Predicting cost requires estimating the NFS parameters (smoothness bounds, sieving area, frequency of candidates etc.). Methodology: [Lenstra,Dodson,Hughes,Leyland] Find good NFS polynomials for the RSA-1024 and RSA-768 composites. Analyze and optimize relation yield for these polynomials according to smoothness probability functions. Hope that cycle yield, as a function of relation yield, behaves similarly to past experiments.

10 10 1024-bit NFS sieving parameters Smoothness bounds: Rational:3.5 £ 10 9 Algebraic: 2.6 £ 10 10 Region: a 2 {-5.5 £ 10 14,…,5.5 £ 10 14 } b 2 {1,…,2.7 £ 10 8 } Total: 3 £ 10 23 ( £ 6/  2 )

11 11 TWIRL for 1024-bit composites A cluster of 9 TWIRLS can process a sieve line (10 15 indices) in 34 seconds. To complete the sieving in 1 year, use 194 clusters. Initial investment (NRE): ~$20M After NRE, total cost of sieving for a given 1024-bit composite: ~10M $  year (compared to ~1T $  year). A R R R R R R R R

12 12.

Download ppt "1 Hardware-Based Implementations of Factoring Algorithms Factoring Estimates for a 1024-Bit RSA Modulus A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit,"

Similar presentations

AKS Implementation of a Deterministic Primality Algorithm

AKS Implementation of a Deterministic Primality Algorithm
I/O Management and Disk Scheduling

I/O Management and Disk Scheduling
Hash Tables CS 310 – Professor Roch Weiss Chapter 20 All figures marked with a chapter and section number are copyrighted © 2006 by Pearson Addison-Wesley.

Hash Tables CS 310 – Professor Roch Weiss Chapter 20 All figures marked with a chapter and section number are copyrighted © 2006 by Pearson Addison-Wesley.
CSCI 4717/5717 Computer Architecture

CSCI 4717/5717 Computer Architecture
Factoring of Large Numbers using Number Field Sieve Matrix Step Chandana Anand, Arman Gungor, and Kimberly A. Thomas ECE 646 Fall 2006.

Factoring of Large Numbers using Number Field Sieve Matrix Step Chandana Anand, Arman Gungor, and Kimberly A. Thomas ECE 646 Fall 2006.
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
Lecture 11-12 Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.

Lecture Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.
Parallel Database Systems

Parallel Database Systems
RSA & F ACTORING I NTEGERS BY: MIKE NEUMILLER & BRIAN YARBROUGH.

RSA & F ACTORING I NTEGERS BY: MIKE NEUMILLER & BRIAN YARBROUGH.
Memory Hierarchy. Smaller and faster, (per byte) storage devices Larger, slower, and cheaper (per byte) storage devices.

Memory Hierarchy. Smaller and faster, (per byte) storage devices Larger, slower, and cheaper (per byte) storage devices.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Foundations of Network and Computer Security J J ohn Black Lecture #13 Sep 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #13 Sep 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer.

1 Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer.
Foundations of Network and Computer Security J J ohn Black Lecture #12 Sep 23 rd 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #12 Sep 23 rd 2009 CSCI 6268/TLEN 5550, Fall 2009.
1 Hardware-Based Implementations of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Analysis of Bernstein’s.

1 Hardware-Based Implementations of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Analysis of Bernstein’s.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 29 th 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 29 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
1 Special Purpose Hardware for Factoring: the NFS Sieving Step Adi Shamir Eran Tromer Weizmann Institute of Science.

1 Special Purpose Hardware for Factoring: the NFS Sieving Step Adi Shamir Eran Tromer Weizmann Institute of Science.
Faculty of Computer Science © 2006 CMPUT 229 Accelerating Performance The RISC Revolution.

Faculty of Computer Science © 2006 CMPUT 229 Accelerating Performance The RISC Revolution.
Techniques for Efficient Processing in Runahead Execution Engines Onur Mutlu Hyesoon Kim Yale N. Patt.

Techniques for Efficient Processing in Runahead Execution Engines Onur Mutlu Hyesoon Kim Yale N. Patt.
These slides are additional material for TIES4451 Lecture 5 TIES445 Data mining Nov-Dec 2007 Sami Äyrämö.

These slides are additional material for TIES4451 Lecture 5 TIES445 Data mining Nov-Dec 2007 Sami Äyrämö.

Similar presentations

Ads by Google