1 / 22

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven. Special purpose methods General purpose methods. Take advantage of special properties of p Cannot take advantage of any properties of p.

guri
Télécharger la présentation

SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven

  2. Special purpose methods General purpose methods Take advantage of special properties of p Cannot take advantage of any properties of p , but possibly of n All based on the same approach Examples: Examples: Trial division, Pollard- (find tiny p, up to 10 or 20 digits) Pollard-p1 (finds p such that p1 has small factors) Elliptic curve method (ECM) (finds p up to  60? digits)  Relevant for RSA CFRAC, Dixon’s algorithm Linear sieve, Quadratic sieve Number field sieve (NFS)   this talk Variant: SNFS, takes advantage of special form of n Factoring algorithms (to find factor p of n)

  3. SNFS and NFS factorizations when  # bits what how 199006 512 F9 = 2512+1 SNFS 199406 534 (121511)/11 SNFS 199407 384 p(11887) NFS 199411 392 p(13171) NFS 199604 429 RSA-130d NFS 199809 615 12167+1 SNFS 199902 462 RSA-140d NFS 199904 698 (10211 1)/9 SNFS 199908 512 RSA-155d NFS 200011 773 2773+1 SNFS 200201 522 c158d of 2953+1 NFS 200301 809 M809 SNFS 200303 529 RSA-160d NFS 200312 576 RSA-576 NFS 20?? 768 ?? NFS 20?? 1024 ?? SNFS/NFS

  4. Special Number Field Sieve Least squares prediction: 1024-bit SNFS factorization by 2012

  5. Number Field Sieve Least squares predictions: 768-bit NFS factorization by 2015 1024-bit NFS factorization by 2028

  6. Goal of this workshop: • Make sure that these predictions are • too pessimistic from a factoring point of view • too optimistic from a cryptographic point of view • Thus, we should be able to complete a • 1024-bit SNFS factorization well before 2012 • 768-bit NFS factorization well before 2015 • by 2005? • by 2010? • 1024-bit NFS factorization well before 2028 ?

  7. Problem: since 1989 nothing seems to be happening! • Examples of NFS related things that did (or will) not happen: • 1994, integers can quickly be factored on a quantum computer • no one knows how to build one yet • 1999, TWINKLE opto-electronic device to factor 512-bit moduli • estimates too optimistic • 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits • new interpretation of the cost function • 200308, TWIRL hardware siever: 1024 bits in a year for US$10M • does not include research and development cost • 2004, TWIRL hardware siever: 1024 bits in a year for < US$1M • For the moment: • stuck with existing algorithms and hardware ((G)NFS & PCs) • see if we can push them even further

  8. To factor n, attempt to find integers x, y, x  y such that • x2 y2 mod n If n divides x2y2, then n divides (xy)(x + y), so n = gcd(xy, n)  gcd(x + y, n)may be a non-trivial factorization • Finding such x, y based on two-step Morrison-Brillhart approach: • Collect data • Combine data , Relation collection , Matrix step : allows ‘obvious’ parallelization (internet) : often centralized (Cray, broadband network) How do general purpose factoring methods work?

  9. 1. Relation collection: collect integers v such that • v2 mod n factors into primes < B (i.e., is B-smooth)  Need to efficiently test many integers for smoothness • 2. Matrix step: select a subset of the v’s such that primes < B in • corresponding (v2 mod n)’s occur an even number of times  Need to find elements of null space of (B)(B) matrix How to solve x2 y2 mod n? • Matrix step not further discussed: based on reported ‘overcapacity’ • assume that current parallelized block Lanczos on • current (and future) small broadband networks will suffice

  10. How to find v’s such that v2mod n is smooth? • Examples • Dixon’s method: • pick v at random in {0,1,…, n1} • test v2 mod n {0,1,…, n1} for B-smoothness • repeat until > (B) different v’s have been found • Speed depends on B-smoothness probability of • numbers of size comparable to n • Quadratic sieve: • test (v + [n])2  n for B-smoothness for small v • repeat until > (B) different v’s have been found ( v < S(B)) • Speed depends on B-smoothness probability of • numbers of size comparable to 2S(B)n  no way to take advantage of special properties of p or n

  11. Smaller |v2mod n|: higher smoothness probability • Quadratic sieve: • test (v + [n])2  n for B-smoothness for small v • repeat until > (B) different v’s have been found ( v < S(B)) • Speed depends on B-smoothness probability of • numbers of size comparable to 2S(B)n (as opposed to n) • Number field sieve: • select d; select m close to n1/(d+1) • and f(X) Z[X] of degree d with f(m)  0 mod n • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs • Speed depends on simultaneous smoothness probability of • numbers of sizes comparable to n1/(d+1)S and fSd/2  for some n there may be an m and f with f exceptionally small

  12. ‘Good’ cases for Number Field Sieve • select d; select m close to n1/(d+1) • and f(X) Z[X] of degree d with f(m)  0 mod n • look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones • such that |a  bm| is Br-smooth and |bdf(a/b)| is Ba-smooth • S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs • Speed depends on simultaneous smoothness probability of • numbers of sizes comparable to n1/(d+1)S and fSd/2  for some n there may be an m and f with f exceptionally small For those n for which f is bounded by a constant: SNFS applies to n • Example: n = 2512+1 • n divides 2515+8 • m = 2103 and f(X) = X5+8, then f(m)  0 mod n • In general, f cannot be expected to be bounded by a constant, • f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n

  13. SNFS versus NFS • SNFS: speed depends on simultaneous smoothness probability of • numbers of sizes comparable to n1/(d+1)S and Sd/2 • NFS: speed depends on simultaneous smoothness probability of • numbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2 • SNFS overall heuristic asymptotic expected runtime is • exp((1.53+o(1))(log n)1/3(loglogn)2/3), n  • NFS overall heuristic asymptotic expected runtime is • exp((1.92+o(1))(log n)1/3(loglogn)2/3), n  for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit) S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)

  14. Determining Br, Ba, and S(Br, Ba) for n • Traditionally based on combination of • guesswork (‘extrapolation’) • experience • experiments • for 1024-bit n: • possibly unreliable • unavailable (?) • infeasible • Alternative approach for TWIRL analysis (Asiacrypt 2003): • Let P(x,B) denote probability that |x| is B-smooth and • E(Br,Ba,A,B,m,f,t) = 0.6|a|  A0<bBP(abm,Br)P(bdf(a/b)/t,Ba) • (‘expected yield’, approximated using numerical integration) • For several degrees d: • Find ‘ok-ish’ m, dth degree f (with correction t), skewness s • For several Br and Ba determineS(Br,Ba) as least S such that • E(Br,Ba,A,B,m,f,t)  ((Br) + (Ba))/c • for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20) • Pick d for which ‘best’ feasible Br and Ba were found

  15.  product of smoothness probabilities a b • Realistic estimates for Br and Ba and • upper bounds for factoring effort • Rectangular region is not at all optimal: crown shaped regions Results

  16. Example of non-rectangular region crown contains points with smoothness probability E16

  17. Resulting parameter choices • 1024-bit SNFS (pessimistic estimate): • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17 • 1024-bit NFS: • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23 • Comparing 1024-bit SNFS and 1024-bit NFS: • Factor base sizes: about 140 times larger • Sieving: about 5E5 times harder • Matrix: about 140 times more rows •  Potential feasibility of 1024-bit SNFS does not imply • feasibility of 1024-bit NFS

  18. Feasibility of 1024-bit SNFS • 512-bit NFS: • Br 1.7E6, Ba 1.7E6, (Br) + (Ba)  2.1E6, S  E15 • 1024-bit SNFS (pessimistic estimate): • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17 • Comparing 512-bit NFS and 1024-bit SNFS • Factor base sizes: about 6 times larger • Sieving: about 700 times harder • Matrix: about 6 times more rows 512-bit NFS was (very) feasible in 1999  based on Moore’s law 1024-bit SNFS feasible by 2005

  19. Feasibility of 768-bit NFS • 1024-bit SNFS: • Br 6.7E7, Ba 1.3E8, (Br) + (Ba)  1.2E7, S  6.4E17 • 768-bit NFS • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20 • Comparing 1024-bit SNFS and 768-bit NFS • Factor base sizes: about 5 times larger • Sieving: about 500 times harder • Matrix: about 5 times more rows •  If 1024-bit SNFS is feasible, then based on Moore’s law • 768-bit NFS should be feasible about 5 years later

  20. Comparing 768-bit NFS and 1024-bit NFS • 768-bit NFS • Br E8, Ba E9, (Br) + (Ba)  5.6E7, S  3E20 • 1024-bit NFS: • Br 3.5E9, Ba 2.6E10, (Br) + (Ba)  1.7E9, S  3E23 • Comparing 768-bit NFS and 1024-bit NFS • Factor base sizes: about 30 times larger • Sieving: at least 1000 times harder • Matrix: about 30 times more rows •  Once 768-bit NFS is feasible it will be a while (7 years?) before 1024-bit NFS is feasible (unless someone builds TWIRL)

  21. Summary of 512, 768, 1024 estimates • 512 NFS • 1024 SNFS • 768 NFS 1024 NFS 6  factor base size 700  effort 5  factor base size 500  effort 140  factor base size 5E5  effort 30  factor base size 1000  effort (suboptimal choices: much smaller effort with larger factor bases)

  22. Conclusion • Factoring 1024-bit ‘special’ numbers is within reach • We should prove it is • Factoring 768-bit RSA moduli will soon be feasible • using tomorrow’s hardware • We should get ready • Factoring 1024-bit RSA moduli still looks infeasible • using currently available hardware • but it may be expected before 2020

More Related