Factoring of Large Numbers using Number Field Sieve Matrix Step


Factoring of Large Numbers using Number Field Sieve
Matrix Step
Chandana Anand, Arman Gungor, and Kimberly A. Thomas
ECE 646 Fall 2006

INTRODUCTION
• The ability to conduct secure electronic transactions is becoming more and more important every day
• It is computationally difficult to factor a large number into its prime factors
• What happens if an algorithm that can achieve this in a reasonable amount of time is discovered?
F-2: Factoring of Large Numbers Using Number Field Sieve

INTRODUCTION
• Number Field Sieve (NFS) is the fastest known algorithm to factor numbers larger than 110 digits
• Its development in the past few years has facilitated factoring of integers that were once considered to be infeasible to factor with today’s technology

INTRODUCTION
• GNFS was used in factoring a 512-bit number in 1999 as part of the RSA Challenge
• It was estimated that had the RSA-129 challenge used the GNFS instead of the Multiple Polynomial Quadratic Sieve, it would have taken a quarter of the time

INTRODUCTION
RSA-155 Details (512-bits)
• Calendar time for the polynomial selection: 9 weeks
• Sieving: 35.7 CPU-years in total, 3.7 months
• Matrix and Square Root Steps: 1.5 months
• Total Calendar Time: 7.4 months

INTRODUCTION
160   175-400 MHz SGI and Sun workstations
8     250 MHz SGI Origin 2000 processors
120   300-450 MHz Pentium II PCs
4     500 MHz Digital/Compaq boxes
• This CPU-effort is estimated to be equivalent to approximately 8000 MIPS years

GENERAL INFORMATION
• Number field sieve is a fast factorization method developed by Pollard et al.
• Number Field Sieve factors an integer n in expected time:
  $\exp\left((c + o(1))(\log n)^{1/3}(\log\log n)^{2/3}\right)$ with $c = 2(2/3)^{2/3} \approx 1.526$
• Number Field Sieve can be thought of as an extension of the rational sieve, in which smooth numbers of order n are sought; their rarity makes the rational sieve impractical

GENERAL INFORMATION
• Polynomial selection: Find two Z-irreducible polynomials f(x) and g(x) so that f(m)=0 (mod n) and g(m)=0 (mod n) for some known m
• Sieving: Here we find pairs of small integers, (a,b)
• Matrix step: Here we take the (a,b) pairs found in the last step and construct a large matrix
• Square root: Given the two squares from the previous steps and their prime factorizations, we must compute their square roots to finally factor n

GNFS Matrix Solving
• Involves finding the dependencies in a very large, very sparse matrix
  – EXAMPLE:
    • For the RSA-130 challenge, factoring a 130-digit number, the matrix had 3,516,502 rows and 3,504,823 columns with on average 39.4 non-zero entries per row.
    • Storing the position of all 138,690,744 ones would take “only” 600 MB of memory vs over 1500 GB to store the entire matrix.
• Traditional matrix solving methods (e.g. Gaussian) are infeasible

Wiedemann Algorithm
• Intended to make GNFS Matrix step more computationally feasible
  – allows solving the matrix dependencies without modifying the matrix, leaving the matrix sparse and easier to store and operate on
• Block Wiedemann
  – multiplies the sparse matrix by 32 or 64 vectors at once
  – takes advantage of the 32-bit or 64-bit architecture of modern computers

WLSS2
• Block Wiedemann implementation created in the mid-90s
• Composed of four steps, two of which may be run in a distributed manner
• Input: matrix file in an adjacency list format
  – 1000 1000 1
  – 1f 2b 53 af c8 d4 f2 115 134 13e 13f 15a 185 19f 1b9 1ee 207 25e 271 2b3 2e1 2f6 2fd 2ff 30c 336 362 3a3 3b3 3bc 3d3 3d7
• Output: list of candidate factors
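
A bounds-checked reader for one row of such an adjacency list, as an added C example that is not WLSS2 or the authors' code. The rules it enforces (strictly ascending hexadecimal indices, 1000 columns) are assumptions read off the slide's sample, and `parse_row` and the two helper names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one adjacency-list row: whitespace-separated hexadecimal column
   indices. Assumed rules (not from WLSS2 documentation): indices are strictly
   ascending and below ncols. Returns the number of ones in the row, or -1
   if the row is malformed, out of range, unsorted, or longer than max. */
int parse_row(const char *p, uint32_t ncols, uint32_t *out, int max) {
    int n = 0;
    for (;;) {
        char *end;
        unsigned long v;
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (*p == '\0') return n;
        if (*p == '-' || *p == '+') return -1;      /* strtoul accepts signs */
        errno = 0;
        v = strtoul(p, &end, 16);
        if (end == p || errno == ERANGE) return -1; /* not hex, or overflow */
        if (*end && *end != ' ' && *end != '\t' && *end != '\n') return -1;
        if (v >= ncols) return -1;                  /* would index past the vector */
        if (n > 0 && v <= out[n - 1]) return -1;    /* repeats cancel over GF(2) */
        if (n == max) return -1;
        out[n++] = (uint32_t)v;
        p = end;
    }
}

/* The slide's sample row, reading "1ee" and "207" as two indices, checked
   against 1000 columns (assumed decimal reading of the "1000 1000 1" line). */
int slide_row_count(void) {
    uint32_t cols[64];
    return parse_row("1f 2b 53 af c8 d4 f2 115 134 13e 13f 15a 185 19f 1b9 "
                     "1ee 207 25e 271 2b3 2e1 2f6 2fd 2ff 30c 336 362 3a3 "
                     "3b3 3bc 3d3 3d7", 1000, cols, 64);
}

/* Constructed bad row: two indices fused into one out-of-range token. */
int fused_row_count(void) {
    uint32_t cols[64];
    return parse_row("1b9 1ee207 25e", 1000, cols, 64);
}

int main(void) {
    printf("slide row: %d ones, fused row: %d\n", slide_row_count(), fused_row_count());
    return 0;
}
```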

WLSS2
• Program runs on enigma.gmu.edu without problem
  – did not try running distributed
• Found several inconsistencies between the program and its documentation
• Program has now “disappeared” from original Internet source

LiDIA
• LiDIA is a C++ library for computational number theory
• Allows operations on vectors and matrices such as:
  – u = A*v;
  – v.shift_left(n,1);
• Also allows operations on vectors of vectors
  – required for implementation of Block Wiedemann

LiDIA Implementations
• Wiedemann Implementation
  – working on enigma.gmu.edu
  – needs further debugging
  – reprogramming of matrix creation
  – addition of matrix importation functionality
• Block Wiedemann Implementation
  – in progress but needs further work on initialization of the vectors of vectors

Next Steps
• Matrix Creation and Input
  – need to create a program to intelligently create matrices for testing
  – need a standard matrix format to allow comparisons between WLSS2 and the LiDIA implementations
    • One solution – add a function to LiDIA implementation to read WLSS2 style adjacency list
• Complete debugging of LiDIA Wiedemann implementation
• Complete implementation of LiDIA Block Wiedemann algorithm

Next Steps Continued
• Testing of WLSS2, Wiedemann implementation, Block Wiedemann implementation
  – Functionality testing – do all implementations agree on the results of a given input matrix
  – Timing comparison

Block Wiedemann Algorithm
• Input to Block Wiedemann: Matrix A of size $D \times D$, $D \in [10^7, 10^{11}]$
• Sparse matrix: Column density $\ll D$
• Most time consuming operations: Matrix-by-vector multiplications
• $A \cdot v_i, A^2 \cdot v_i, \ldots, A^k \cdot v_i$
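
The word-level trick behind multiplying by 64 vectors at once, and the repeated products A·v, A²·v, … that dominate the run time, shown as an added C example that is not from WLSS2, LiDIA or the authors' code. The 4x4 matrix, the start block and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 4x4 sparse GF(2) matrix as adjacency lists: row i holds the
   column indices COL[START[i]] .. COL[START[i+1]-1] of its ones. */
enum { N = 4 };
static const unsigned START[N + 1] = {0, 2, 3, 6, 8};
static const unsigned COL[8] = {0, 2, 1, 0, 1, 3, 2, 3};

/* y = A*X over GF(2) for 64 vectors at once. Bit j of x[c] is entry c of
   vector j, so one 64-bit XOR adds that entry into all 64 products. */
void block_mul(const uint64_t *x, uint64_t *y) {
    for (unsigned i = 0; i < N; i++) {
        y[i] = 0;
        for (unsigned k = START[i]; k < START[i + 1]; k++)
            y[i] ^= x[COL[k]];
    }
}

/* Reference: entry i of A*v_j for vector j alone, one bit at a time. */
int single_bit(const uint64_t *x, unsigned i, unsigned j) {
    int bit = 0;
    for (unsigned k = START[i]; k < START[i + 1]; k++)
        bit ^= (int)((x[COL[k]] >> j) & 1u);
    return bit;
}

/* Iterate X <- A*X `steps` times (A*v, A^2*v, ...) from a constructed start
   block. Returns word `i` of the result, or ~0 if any of the 64 packed
   products ever disagrees with the per-vector reference. */
uint64_t krylov_word(unsigned steps, unsigned i) {
    uint64_t x[N] = {0x1, 0x3, 0x5, 0xF0}, y[N];
    for (unsigned s = 0; s < steps; s++) {
        block_mul(x, y);
        for (unsigned r = 0; r < N; r++)
            for (unsigned j = 0; j < 64; j++)
                if (single_bit(x, r, j) != (int)((y[r] >> j) & 1u))
                    return ~(uint64_t)0;
        for (unsigned r = 0; r < N; r++) x[r] = y[r];
    }
    return x[i];
}

int main(void) {
    for (unsigned i = 0; i < N; i++)
        printf("row %u: %llx\n", i, (unsigned long long)krylov_word(2, i));
    return 0;
}
```

The matrix is only read, never modified, so it stays in its sparse adjacency-list form across every iteration.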

Matrix-by-Vector Multiplication
• Non-zero entries in the columns of A - packets that need to be routed to their destinations
• m x m mesh, m = √D: row indices of resultant matrix multiplication vector
• Mesh Cell i
  • value at index i of the vector v
  • packets in column i of the matrix A

Mesh Routing Architecture
• Lenstra et al. proposed two versions of the routing based circuit
  • simple routing version
  • improved routing version
• The improved version was implemented by Dr. Gaj et al. in reconfigurable hardware
• We implemented the emulation of this hardware in Java

Routing in the Mesh
• Phase 1 – Odd row negotiates with the top even row
• Phase 2 – Odd column negotiates with right even column
• Phase 3 – Odd row negotiates with the bottom even row.
• Phase 4 – Odd column negotiates with left even column.

Compare-Exchange
• Both cells determine they will be closer to their destination after a swap
• The cell that is the farthest from its destination determines it will be closer to its destination after a swap
• The cell that is farthest will not be closer after the swap, but the cell with the smaller distance will be closer
• Neither will become closer to its destination

Implementation Routines
• Randomly populate the mesh
• Determine the destination row and column indices of a packet
• Perform the negotiations (4 times the size of the mesh)
• Determine exchange cases
• Update the partial results

Results
• The mesh routing architecture was implemented for a mesh size of 4x4.
  • Compare-exchange operations were repeated 4*4 = 16 times
  • On average, routing was completed after all 4 phases of Round 1 and 2 phases of Round 2
• The architecture was then scaled for a mesh size of 12x12
  • Compare-exchange operations were repeated 4*12 = 48 times
  • Routing was completed at the end of all rounds

Results (contd.)
• The code was then modified to perform multiple vector multiplications in the 12x12 mesh
• Java threads were used to emulate the multiple matrix-by-vector multiplications taking place simultaneously in hardware
  • A new thread was spawned to process the matrix-by-vector multiplication for each vector
  • Each thread updates its own resultant vector

Future Work
• Development of a routine to examine the state of the mesh after each phase
• To find the number of phases that are actually required to complete routing in the 12x12 mesh