Ankie Piters, Marc Allaart, Wesley Sluis, Wytze Lenstra, KNMI
SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra...
22
SNFS versus (G)NFS and the feasibility of ctoring a 1024-bit number with SNF Arjen K. Lenstra Citibank, New York Technische Universiteit Eindhoven
-
Upload
arron-russell -
Category
Documents
-
view
212 -
download
0
Transcript of SNFS versus (G)NFS and the feasibility of factoring a 1024-bit number with SNFS Arjen K. Lenstra...
SNFS versus (G)NFS
and the feasibility of
factoring a 1024-bit number with SNFS
Arjen K. Lenstra
Citibank, New YorkTechnische Universiteit Eindhoven
Factoring algorithms (to find factor p of n)
Special purpose methods
General purpose methods
Take advantage of special properties of p
Cannot take advantage of any properties of p
All based on the same approach
Relevant for RSA
Examples:
Examples:
Trial division, Pollard- (find tiny p, up to 10 or 20 digits)Pollard-p1 (finds p such that p1 has small factors)Elliptic curve method (ECM) (finds p up to 60? digits)
CFRAC, Dixon’s algorithmLinear sieve, Quadratic sieveNumber field sieve (NFS)Variant: SNFS, takes advantage of special form of n
, but possibly of n
th
is ta
lk
SNFS and NFS factorizations when # bits what how
199006 512 F9 = 2512+1 SNFS199406 534 (121511)/11 SNFS199407 384 p(11887) NFS199411 392 p(13171) NFS199604 429 RSA-130d NFS199809 615 12167+1 SNFS199902 462 RSA-140d NFS199904 698 (10211 1)/9 SNFS199908 512 RSA-155d NFS200011 773 2773+1 SNFS200201 522 c158d of 2953+1 NFS200301 809 M809 SNFS200303 529 RSA-160d NFS200312 576 RSA-576 NFS20?? 768 ?? NFS20?? 1024 ?? SNFS/NFS
1995 2000 2005 2010
600
700
800
900
1000
Special Number Field Sieve
Least squares prediction:1024-bit SNFS factorization by 2012
1995 2000 2005 2010
400
500
600
700
Number Field Sieve
Least squares predictions: 768-bit NFS factorization by 20151024-bit NFS factorization by 2028
Goal of this workshop:
Make sure that these predictions are
• too pessimistic from a factoring point of view
• too optimistic from a cryptographic point of view
Thus, we should be able to complete a
• 1024-bit SNFS factorization well before 2012
• 768-bit NFS factorization well before 2015
by 2005?
by 2010?
• 1024-bit NFS factorization well before 2028 ?
Problem: since 1989 nothing seems to be happening!Examples of NFS related things that did (or will) not happen:
• 1994, integers can quickly be factored on a quantum computerno one knows how to build one yet
• 1999, TWINKLE opto-electronic device to factor 512-bit moduli estimates too optimistic
• 2001, Bernstein’s factoring circuits:1536 bits for cost of 512 bits new interpretation of the cost function
• 200308, TWIRL hardware siever: 1024 bits in a year for US$10Mdoes not include research and development cost
• 2004, TWIRL hardware siever: 1024 bits in a year for < US$1M
For the moment:• stuck with existing algorithms and hardware ((G)NFS & PCs)• see if we can push them even further
How do general purpose factoring methods work?To factor n, attempt to find integers x, y, x y such that
x2 y2 mod n
If n divides x2 y2, then n divides (x y)(x + y), so
n = gcd(x y, n) gcd(x + y, n) may be a non-trivial factorization
Finding such x, y based on two-step Morrison-Brillhart approach:
1. Collect data
2. Combine data
, Relation collection
, Matrix step
: allows ‘obvious’ parallelization (internet) : often centralized (Cray, broadband network)
How to solve x2 y2 mod n?
1. Relation collection: collect integers v such that
v2 mod n factors into primes < B (i.e., is B-smooth)
Need to efficiently test many integers for smoothness
2. Matrix step: select a subset of the v’s such that primes < B in
corresponding (v2 mod n)’s occur an even number of times
Need to find elements of null space of (B)(B) matrix
Matrix step not further discussed: based on reported ‘overcapacity’ assume that current parallelized block Lanczos oncurrent (and future) small broadband networks will suffice
How to find v’s such that v2mod n is smooth?
Examples
Dixon’s method:• pick v at random in {0,1,…, n1} • test v2 mod n {0,1,…, n1} for B-smoothness• repeat until > (B) different v’s have been found
Speed depends on B-smoothness probability ofnumbers of size comparable to n
Quadratic sieve:• test (v + [n])2 n for B-smoothness for small v• repeat until > (B) different v’s have been found ( v < S(B))
Speed depends on B-smoothness probability ofnumbers of size comparable to 2S(B)n
no way to take advantage of special properties of p or n
Smaller |v2mod n|: higher smoothness probabilityQuadratic sieve:
• test (v + [n])2 n for B-smoothness for small v• repeat until > (B) different v’s have been found ( v < S(B))
Speed depends on B-smoothness probability ofnumbers of size comparable to 2S(B)n (as opposed to n)
Number field sieve:• select d; select m close to n1/(d+1)
and f(X) Z[X] of degree d with f(m) 0 mod n• look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
such that |a bm| is Br-smooth and |bdf(a/b)| is Ba-smooth• S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
Speed depends on simultaneous smoothness probability ofnumbers of sizes comparable to n1/(d+1)S and fSd/2
for some n there may be an m and f with f exceptionally small
‘Good’ cases for Number Field Sieve• select d; select m close to n1/(d+1)
and f(X) Z[X] of degree d with f(m) 0 mod n• look at S = S(Br,Ba) integer pairs (a,b) to find co-prime ones
such that |a bm| is Br-smooth and |bdf(a/b)| is Ba-smooth• S such that: expect to find > (Br) + (Ba) ‘good’ (a,b) pairs
Speed depends on simultaneous smoothness probability ofnumbers of sizes comparable to n1/(d+1)S and fSd/2
for some n there may be an m and f with f exceptionally small
For those n for which f is bounded by a constant: SNFS applies to n
Example: n = 2512+1• n divides 2515+8• m = 2103 and f(X) = X5+8, then f(m) 0 mod n
In general, f cannot be expected to be bounded by a constant,f will be of size comparable to m (i.e., n1/(d+1)): NFS applies to n
SNFS versus NFS
SNFS: speed depends on simultaneous smoothness probability ofnumbers of sizes comparable to n1/(d+1)S and Sd/2
NFS: speed depends on simultaneous smoothness probability ofnumbers of sizes comparable to n1/(d+1)S and n1/(d+1)Sd/2
SNFS overall heuristic asymptotic expected runtime is
exp((1.53+o(1))(log n)1/3(loglogn)2/3), n
NFS overall heuristic asymptotic expected runtime is
exp((1.92+o(1))(log n)1/3(loglogn)2/3), n
for 1024-bit n and d = 6, difference n1/(d+1) is 147-bit number (45 digit)S = 1020: smoothness of pairs of sizes (55d,60d) versus (55d,105d)
Determining Br, Ba, and S(Br, Ba) for nTraditionally based on combination of
• guesswork (‘extrapolation’)• experience• experiments
Alternative approach for TWIRL analysis (Asiacrypt 2003):• Let P(x,B) denote probability that |x| is B-smooth and
E(Br,Ba,A,B,m,f,t) = 0.6|a| A0<bBP(abm,Br)P(bdf(a/b)/t,Ba)
(‘expected yield’, approximated using numerical integration)• For several degrees d:
• Find ‘ok-ish’ m, dth degree f (with correction t), skewness s• For several Br and Ba determine S(Br,Ba) as least S such that
E(Br,Ba,A,B,m,f,t) ((Br) + (Ba))/c
for B = (S/2s), A = sB, and ‘reasonable’ c (say, 20)• Pick d for which ‘best’ feasible Br and Ba were found
for 1024-bit n: possibly unreliable unavailable (?) infeasible
Results
a
b
product of smoothness probabilities
• Rectangular region is not at all optimal: crown shaped regions
• Realistic estimates for Br and Ba and upper bounds for factoring effort
-41012 -21012 0 21012 410120
2109
4109
6109
8109
11010
Example of non-rectangular region
crown contains points with smoothness probability E16
Resulting parameter choices
1024-bit SNFS (pessimistic estimate):Br 6.7E7, Ba 1.3E8, (Br) + (Ba) 1.2E7, S 6.4E17
1024-bit NFS:Br 3.5E9, Ba 2.6E10, (Br) + (Ba) 1.7E9, S 3E23
Comparing 1024-bit SNFS and 1024-bit NFS:
Factor base sizes: about 140 times larger
Sieving: about 5E5 times harder
Matrix: about 140 times more rows
Potential feasibility of 1024-bit SNFS does not implyfeasibility of 1024-bit NFS
Feasibility of 1024-bit SNFS
512-bit NFS:Br 1.7E6, Ba 1.7E6, (Br) + (Ba) 2.1E6, S E15
1024-bit SNFS (pessimistic estimate):Br 6.7E7, Ba 1.3E8, (Br) + (Ba) 1.2E7, S 6.4E17
Comparing 512-bit NFS and 1024-bit SNFS
Factor base sizes: about 6 times larger
Sieving: about 700 times harder
Matrix: about 6 times more rows
512-bit NFS was (very) feasible in 1999 based on Moore’s law 1024-bit SNFS feasible by 2005
Feasibility of 768-bit NFS
1024-bit SNFS:Br 6.7E7, Ba 1.3E8, (Br) + (Ba) 1.2E7, S 6.4E17
768-bit NFSBr E8, Ba E9, (Br) + (Ba) 5.6E7, S 3E20
Comparing 1024-bit SNFS and 768-bit NFS
Factor base sizes: about 5 times larger
Sieving: about 500 times harder
Matrix: about 5 times more rows
If 1024-bit SNFS is feasible, then based on Moore’s law 768-bit NFS should be feasible about 5 years later
Comparing 768-bit NFS and 1024-bit NFS
768-bit NFSBr E8, Ba E9, (Br) + (Ba) 5.6E7, S 3E20
1024-bit NFS:Br 3.5E9, Ba 2.6E10, (Br) + (Ba) 1.7E9, S 3E23
Comparing 768-bit NFS and 1024-bit NFS
Factor base sizes: about 30 times larger
Sieving: at least 1000 times harder
Matrix: about 30 times more rows
Once 768-bit NFS is feasible it will be a while (7 years?)before 1024-bit NFS is feasible
(unless someone builds TWIRL)
Summary of 512, 768, 1024 estimates 512 NFS
1024 SNFS
768 NFS 1024 NFS
6 factor base size700 effort
30 factor base size1000 effort
140 factor base size 5E5 effort
5 factor base size500 effort
(suboptimal choices: much smaller effort with larger factor bases)
Conclusion
• Factoring 1024-bit ‘special’ numbers is within reach
We should prove it is
• Factoring 768-bit RSA moduli will soon be feasibleusing tomorrow’s hardware
We should get ready
• Factoring 1024-bit RSA moduli still looks infeasibleusing currently available hardware
but it may be expected before 2020
