1 / 12

Hardware-Based Implementations of Factoring Algorithms

Hardware-Based Implementations of Factoring Algorithms. (E. Tromer’s presentation). Factoring Estimates for a 1024-Bit RSA Modulus A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit, B. Dodson, J. Hughes, and P. Leyland Springer On-line, Lecture Notes in CS 2894, pp. 55-74 (2003).

fathi
Télécharger la présentation

Hardware-Based Implementations of Factoring Algorithms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hardware-Based Implementationsof Factoring Algorithms (E. Tromer’s presentation) Factoring Estimates for a 1024-Bit RSA Modulus A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit, B. Dodson, J. Hughes, and P. Leyland Springer On-line, Lecture Notes in CS 2894, pp. 55-74 (2003)

  2. Bicycle chain sieve [D. H. Lehmer, 1928]

  3. The Quadratic Sieve How to find Ssuch that is a square? Look at the factorization of f1(a): This is a square, because all exponents are even.

  4. Comparison: • Number Field Sieve (NFS): e(α+o(1))·(logn)1/3·(log logn)2/3 • Quadratic Sieve (QS): (log n)^(1/2)*(log log n)^(1/2) • L_a(n): Exp{ (c +o(1))* (log n)^a * (log log n)^(1-a)}, Then a = 0 polynomial, a=1 exponential.

  5. Output: indices where the sum of values exceeds a threshold. The Sieving Problem Input: a set of arithmetic progressions. Each progression has a prime interval p and value log p.

  6. Example: handling large primes • Primary consideration:efficient storage between contributions. • Each memory+processor unit handle many progressions.It computes and sends contributions across the bus, where they are added at just the right time. Timing is critical. Memory Processor Memory Processor

  7. Processor Handling large primes (cont.) • The memory used by past events can be reused. • Think of the processor as rotating around the cyclic memory: • By appropriate choice of parameters, we guarantee that new events are always written just behind the read head. • There is a tiny (1:1000) window of activity which is “twirling” around the memory bank. It is handled by an SRAM-based cache. The bulk of storage is handled in compact DRAM.

  8. Rational vs. algebraic sieves • We actually have two sieves: rational and algebraic. We are looking for the indices that accumulated enough value in both sieves. • The algebraic sieve has many more progressions, and thus dominates cost. • We cannot compensate by making s much larger, since the pipeline becomes very wide and the device exceeds the capacity of a wafer. rational algebraic

  9. Estimating NFS parameters • Predicting cost requires estimating the NFS parameters (smoothness bounds, sieving area, frequency of candidates etc.). • Methodology: [Lenstra,Dodson,Hughes,Leyland] • Find good NFS polynomials for the RSA-1024 and RSA-768 composites. • Analyze and optimize relation yield for these polynomials according to smoothness probability functions. • Hope that cycle yield, as a function of relation yield, behaves similarly to past experiments.

  10. 1024-bit NFS sieving parameters • Smoothness bounds: • Rational: 3.5£109 • Algebraic: 2.6£1010 • Region: • a2{-5.5£1014,…,5.5£1014} • b2{1,…,2.7£108} • Total: 3£1023 (£6/2)

  11. A R R R R R R R R TWIRL for 1024-bit composites • A cluster of 9 TWIRLScan process a sieve line (1015 indices) in 34 seconds. • To complete the sieving in 1 year, use 194 clusters. • Initial investment (NRE): ~$20M • After NRE, total cost of sieving for a given 1024-bit composite: ~10M $year(compared to ~1T $year).

  12. .

More Related