A kilobit special number field sieve factorization - Wiki-Wiki

Download Report

Transcript A kilobit special number field sieve factorization - Wiki-Wiki 

A kilobit special number field
sieve factorization
Kazumaro Aoki (NTT)
Jens Franke (University of Bonn)
Thorsten Kleinjung (University of Bonn)
Arjen Lenstra (EPFL & Alcatel Lucent Bell Laboratories)
Dag Arne Osvik (EPFL)
The basics
•
•
•
•
Subject: integer factorization
Example: 15 = 3  5
Assumption: integer factorization is hard
RSA:
– widely used cryptosystem
– security relies on hardness of integer factorization
– ‘k-bit RSA’ uses a composite number of k bits (modulus)
• Problem:
– how do we quantify the hardness of factoring?
• Here: try to get more insight in this problem
Some history
 1990: 512-bit RSA commonly used
• 1990:
– first 512-bit special number field sieve factorization (SNFS)
– no immediate threat to 512-bit RSA
– nevertheless: 512-bit RSA slowly phased out
• 1999:
– 1024-bit RSA commonly used
– 512-bit RSA broken, using number field sieve (NFS)
Some history
 1990: 512-bit RSA commonly used
• 1990:
– first 512-bit special number field sieve factorization (SNFS)
– no immediate threat to 512-bit RSA
– nevertheless: 512-bit RSA slowly phased out
• 1999:
– 1024-bit RSA commonly used
– 512-bit RSA broken, using number field sieve (NFS)
• 2007:
– here: first 1024-bit SNFS factorization (old record: 913 bits)
– breaking 1024-bit RSA 104 harder than 1024-bit SNFS
• 2010: NSA recommends phasing out 1024-bit RSA
SNFS and NFS
• Special number field sieve (SNFS) applies to
numbers of a ‘special’ form
– examples: 2512+1, 210391
• Number field sieve (NFS) applies to any number
• In general: RSA moduli do not have special form
 SNFS cannot be used to factor an RSA modulus
 NFS can be used to factor an RSA modulus
• So, why are we interested in SNFS at all?
Relevance of SNFS for RSA
 First step
– trivial for SNFS, substantial work for NFS
 All other steps virtually the same
• (SNFS faster than NFS on numbers of comparable size)
 Improvements for SNFS also affect NFS
 SNFS results indicator for future NFS possibilities
(S)NFS overview
1. Polynomial selection
2. Sieving
3. Filtering
4. Matrix
5. Square root
(S)NFS overview, for n =
1039
2
1
1. Polynomial selection
BAU: f(X) = 2X61, g(X) = X2173, common root 2173 mod n
2. Sieving
BAU: 190 Pentium D core years, 6 months on various clusters
3. Filtering
BAU: 4 Pentium D core years, less than a week on a cluster
4. Matrix
BAU: use single cluster
5. Square root
BAU: matter of hours per attempt (4 needed)
(S)NFS overview, for n =
1039
2
1
1. Polynomial selection
BAU: f(X) = 2X61, g(X) = X2173, common root 2173 mod n
2. Sieving
BAU: 190 Pentium D core years, 6 months on various clusters
3. Filtering
BAU: 4 Pentium D core years, less than a week on a cluster
4. Matrix
BAU: use single cluster NEW: use 4 separate clusters
-------------------------------
5. Square root
BAU: matter of hours per attempt (4 needed)
The (S)NFS matrix step
The problem:
–
–
find a linear dependency modulo 2 among the rows of a
huge sparse bit-matrix B
here: 66M  66M, on average 142 entries per row
Traditionally done using block Lanczos algorithm:
–
–
d  d bit-matrix B, k = 256, d  k bit-vector u0
for i = 0,1, …, d/k:
•
•
… compute ui+1 = Bui …
invert k  k bit-matrix
The (S)NFS matrix step
The problem:
–
–
find a linear dependency modulo 2 among the rows of a
huge sparse bit-matrix B
here: 66M  66M, on average 142 entries per row
Traditionally done using block Lanczos algorithm:
–
–
d  d bit-matrix B, k = 256, d  k bit-vector u0
for i = 0,1, …, d/k:
•
•
–
… compute ui+1 = Bui …
invert k  k bit-matrix
requires frequent communication among all processors
Matrix step the bottleneck of factorization efforts
The (S)NFS matrix step
The problem:
–
–
find a linear dependency modulo 2 among the rows of a
huge sparse bit-matrix B
here: 66M  66M, on average 142 entries per row
-----------------------------------------------------------------Traditionally
done using block Lanczos algorithm:
–
–
d  d bit-matrix B, k = 256, d  k bit-vector u0
for i = 0,1, …, d/k:
•
•
… compute ui+1 = Bui …
invert k  k bit-matrix
----------------------
Use block Wiedemann
– requires frequent communication among all processors
------------------------------------------------------------------Matrix step ------------------------------------------------the bottleneck of factorization efforts
can be distributed over multiple clusters
Block Wiedemann distribution
d  d bit-matrix B, k = 256, d  k bit-vector u0
Block Wiedemann essentially consists of
–
–
computation of ui+1 = Bui for i = 0, 1, 2 ,…
interrupted once by a Berlekamp-Massey step
Writing each 256-bit entry u of u0 as concatenation of
four 64-bit values v, w, x, y, the vector u0 can be
written as four separate vectors v0, w0, x0, and y0
 ui+1 = Bui for i = 0, 1, 2 ,… split into four distinct
computations vi+1 = Bvi, wi+1 = Bwi, xi+1 = Bxi, yi+1 = Byi
 allows distribution over four separate clusters
 Our 66M  66M matrix: 35 Pentium D core years
Remaining challenges
•
Try using more clusters
–
•
Improve performance of matrix  vector:
–
–
•
While still keeping Berlekamp-Massey feasible
currently two-thirds of time spent on communication
better mapping to cluster topology
Nevertheless: Wiedemann approach allows us to
process substantially larger matrices than before
(and than done in present paper)
Future work
•
Further improve matrix step
•
Enhance sieving step
•
Factor non-special number harder than 210391:
–
attempt for 768-bit RSA modulus underway
•
•
•
10 to 15 times harder than 210391
matrix more than 3 times bigger
If you have an idling cluster: let us know!
Concluding remark
210391=5080711558536666199362912607
4920465831594496864652701848863764
801005234631985328837475320758181
9464423827645704813703594695162939
7080073952098812083870379272909032
4679382343143884144834882534053344
7691122230281583276965253760914101
8910524199389933410971162435896206
5972167481161749004803659735573409
253205425523689
Concluding remark
210391=5080711558536666199362912607
4920465831594496864652701848863764
801005234631985328837475320758181
9464423827645704813703594695162939
7080073952098812083870379272909032
4679382343143884144834882534053344
7691122230281583276965253760914101
8910524199389933410971162435896206
5972167481161749004803659735573409
253205425523689
(with apologies for the small penultimate factor)
Additional concluding remark
1024-bit RSA 104  harder than 1024-bit SNFS
When can we expect 1024-bit RSA factorization?
No clue, but:
512-bit RSA done in 1999
Pessimistic estimate: 768-bit RSA by 2010
Compared to 768-bit RSA,1024-bit RSA looks 5  easier
than 768-bit RSA looked compared to 512-bit RSA