A kilobit special number field sieve factorization - Wiki-Wiki
Download
Report
Transcript A kilobit special number field sieve factorization - Wiki-Wiki
A kilobit special number field
sieve factorization
Kazumaro Aoki (NTT)
Jens Franke (University of Bonn)
Thorsten Kleinjung (University of Bonn)
Arjen Lenstra (EPFL & Alcatel Lucent Bell Laboratories)
Dag Arne Osvik (EPFL)
The basics
•
•
•
•
Subject: integer factorization
Example: 15 = 3 5
Assumption: integer factorization is hard
RSA:
– widely used cryptosystem
– security relies on hardness of integer factorization
– ‘k-bit RSA’ uses a composite number of k bits (modulus)
• Problem:
– how do we quantify the hardness of factoring?
• Here: try to get more insight in this problem
Some history
1990: 512-bit RSA commonly used
• 1990:
– first 512-bit special number field sieve factorization (SNFS)
– no immediate threat to 512-bit RSA
– nevertheless: 512-bit RSA slowly phased out
• 1999:
– 1024-bit RSA commonly used
– 512-bit RSA broken, using number field sieve (NFS)
Some history
1990: 512-bit RSA commonly used
• 1990:
– first 512-bit special number field sieve factorization (SNFS)
– no immediate threat to 512-bit RSA
– nevertheless: 512-bit RSA slowly phased out
• 1999:
– 1024-bit RSA commonly used
– 512-bit RSA broken, using number field sieve (NFS)
• 2007:
– here: first 1024-bit SNFS factorization (old record: 913 bits)
– breaking 1024-bit RSA 104 harder than 1024-bit SNFS
• 2010: NSA recommends phasing out 1024-bit RSA
SNFS and NFS
• Special number field sieve (SNFS) applies to
numbers of a ‘special’ form
– examples: 2512+1, 210391
• Number field sieve (NFS) applies to any number
• In general: RSA moduli do not have special form
SNFS cannot be used to factor an RSA modulus
NFS can be used to factor an RSA modulus
• So, why are we interested in SNFS at all?
Relevance of SNFS for RSA
First step
– trivial for SNFS, substantial work for NFS
All other steps virtually the same
• (SNFS faster than NFS on numbers of comparable size)
Improvements for SNFS also affect NFS
SNFS results indicator for future NFS possibilities
(S)NFS overview
1. Polynomial selection
2. Sieving
3. Filtering
4. Matrix
5. Square root
(S)NFS overview, for n =
1039
2
1
1. Polynomial selection
BAU: f(X) = 2X61, g(X) = X2173, common root 2173 mod n
2. Sieving
BAU: 190 Pentium D core years, 6 months on various clusters
3. Filtering
BAU: 4 Pentium D core years, less than a week on a cluster
4. Matrix
BAU: use single cluster
5. Square root
BAU: matter of hours per attempt (4 needed)
(S)NFS overview, for n =
1039
2
1
1. Polynomial selection
BAU: f(X) = 2X61, g(X) = X2173, common root 2173 mod n
2. Sieving
BAU: 190 Pentium D core years, 6 months on various clusters
3. Filtering
BAU: 4 Pentium D core years, less than a week on a cluster
4. Matrix
BAU: use single cluster NEW: use 4 separate clusters
-------------------------------
5. Square root
BAU: matter of hours per attempt (4 needed)
The (S)NFS matrix step
The problem:
–
–
find a linear dependency modulo 2 among the rows of a
huge sparse bit-matrix B
here: 66M 66M, on average 142 entries per row
Traditionally done using block Lanczos algorithm:
–
–
d d bit-matrix B, k = 256, d k bit-vector u0
for i = 0,1, …, d/k:
•
•
… compute ui+1 = Bui …
invert k k bit-matrix
The (S)NFS matrix step
The problem:
–
–
find a linear dependency modulo 2 among the rows of a
huge sparse bit-matrix B
here: 66M 66M, on average 142 entries per row
Traditionally done using block Lanczos algorithm:
–
–
d d bit-matrix B, k = 256, d k bit-vector u0
for i = 0,1, …, d/k:
•
•
–
… compute ui+1 = Bui …
invert k k bit-matrix
requires frequent communication among all processors
Matrix step the bottleneck of factorization efforts
The (S)NFS matrix step
The problem:
–
–
find a linear dependency modulo 2 among the rows of a
huge sparse bit-matrix B
here: 66M 66M, on average 142 entries per row
-----------------------------------------------------------------Traditionally
done using block Lanczos algorithm:
–
–
d d bit-matrix B, k = 256, d k bit-vector u0
for i = 0,1, …, d/k:
•
•
… compute ui+1 = Bui …
invert k k bit-matrix
----------------------
Use block Wiedemann
– requires frequent communication among all processors
------------------------------------------------------------------Matrix step ------------------------------------------------the bottleneck of factorization efforts
can be distributed over multiple clusters
Block Wiedemann distribution
d d bit-matrix B, k = 256, d k bit-vector u0
Block Wiedemann essentially consists of
–
–
computation of ui+1 = Bui for i = 0, 1, 2 ,…
interrupted once by a Berlekamp-Massey step
Writing each 256-bit entry u of u0 as concatenation of
four 64-bit values v, w, x, y, the vector u0 can be
written as four separate vectors v0, w0, x0, and y0
ui+1 = Bui for i = 0, 1, 2 ,… split into four distinct
computations vi+1 = Bvi, wi+1 = Bwi, xi+1 = Bxi, yi+1 = Byi
allows distribution over four separate clusters
Our 66M 66M matrix: 35 Pentium D core years
Remaining challenges
•
Try using more clusters
–
•
Improve performance of matrix vector:
–
–
•
While still keeping Berlekamp-Massey feasible
currently two-thirds of time spent on communication
better mapping to cluster topology
Nevertheless: Wiedemann approach allows us to
process substantially larger matrices than before
(and than done in present paper)
Future work
•
Further improve matrix step
•
Enhance sieving step
•
Factor non-special number harder than 210391:
–
attempt for 768-bit RSA modulus underway
•
•
•
10 to 15 times harder than 210391
matrix more than 3 times bigger
If you have an idling cluster: let us know!
Concluding remark
210391=5080711558536666199362912607
4920465831594496864652701848863764
801005234631985328837475320758181
9464423827645704813703594695162939
7080073952098812083870379272909032
4679382343143884144834882534053344
7691122230281583276965253760914101
8910524199389933410971162435896206
5972167481161749004803659735573409
253205425523689
Concluding remark
210391=5080711558536666199362912607
4920465831594496864652701848863764
801005234631985328837475320758181
9464423827645704813703594695162939
7080073952098812083870379272909032
4679382343143884144834882534053344
7691122230281583276965253760914101
8910524199389933410971162435896206
5972167481161749004803659735573409
253205425523689
(with apologies for the small penultimate factor)
Additional concluding remark
1024-bit RSA 104 harder than 1024-bit SNFS
When can we expect 1024-bit RSA factorization?
No clue, but:
512-bit RSA done in 1999
Pessimistic estimate: 768-bit RSA by 2010
Compared to 768-bit RSA,1024-bit RSA looks 5 easier
than 768-bit RSA looked compared to 512-bit RSA