This article discusses the history and implementation of congruence of squares methods in factoring large integers, such as RSA moduli. It covers special purpose and general purpose algorithms, as well as various techniques like quadratic sieve and general number field sieve. The article also provides data and statistics on factoring RSA challenge numbers using these methods.
Factoring RSA Moduli: Current State of the Art
J. Jeffry Howbert, CSEP 590TU, Winter 2006
Algorithms for factoring large integers
• special purpose algorithms
  • run time depends on size of integer, size and number of factors, and whether the integer has a special form
  • run time exponential, except for the elliptic curve method
• general purpose algorithms
  • run time depends on size of integer only
  • run time subexponential
  • derived from the congruence of squares method
  • the only methods suitable for large RSA moduli
History of congruence of squares methods (1)
• difference of squares (Fermat, 1600s)
  • n = ( a + b )( a – b ) = a^2 – b^2
  • find x = ( ⌈√n⌉ + i )^2 – n for successive i = 0, 1, 2, ...
  • test whether x is an integer square
• congruence of squares (Kraitchik, 1920s)
  • find b^2 ≡ a^2 (mod n) where b ≢ ±a (mod n)
  • calculate gcd( n, a + b ), gcd( n, a – b ) to get factors
  • real power of method: exploit congruences where b is not an integer square
History of congruence of squares methods (2)
• congruence of squares (cont'd)
  • find two relations:
      b1 ≡ a1^2 (mod n)
      b2 ≡ a2^2 (mod n)
    where b1, b2 are not integer squares, but b1 · b2 is
  • then b1 · b2 ≡ a1^2 · a2^2 = ( a1 · a2 )^2 (mod n) gives a factorization
  • can be generalized to multiply more than two non-square relations
  • works best if the non-square b_i are kept small: improves the odds they will factor fully into small primes
History of congruence of squares methods (3)
• process smooth relations in a matrix with linear algebra (Morrison and Brillhart, 1975; Dixon)
  • choose a factor base of small primes bounded by B
  • collect b_i that factor fully over the factor base (B-smooth):
      b_i ≡ a_i^2 (mod n), where a_i is near √n
  • convert each smooth b_i to a vector of prime-factor exponents, e.g.:
      b_i = 756 = 2^2 · 3^3 · 5^0 · 7^1
      v_i = [ 2, 3, 0, 1 ]
  • only care whether exponents are even, so reduce vectors mod 2:
      v_i mod 2 = [ 2, 3, 0, 1 ] mod 2 = [ 0, 1, 0, 1 ]
History of congruence of squares methods (4)
• process smooth relations in a matrix with linear algebra (cont'd)
  • real power of method: gather at least as many smooth relations as there are primes in the factor base, which guarantees a solution
  • place relations in a matrix, use linear algebra to find a linear combination of the v_i with
      Σ v_i ≡ [ 0, 0, 0, ..., 0 ] (mod 2)
History of congruence of squares methods (5)
• quadratic sieve (Pomerance, 1981)
  • generate a continuum of b_i = a_i^2 – n ( a_i near √n )
  • for each prime p in the factor base:
    • extract the square roots x1, x2 of n modulo p
    • flag all a_i such that
        a_i = x1 + kp  or  a_i = x2 + kp,  k = 0, 1, 2, ...
    • real power of method: b_i ≡ 0 (mod p) for all flagged a_i, so the a_i divisible by p are found without trial division
    • for all flagged a_i, divide the corresponding b_i by p
  • when sieving is complete, the b_i which have been reduced to 1 by repeated division are smooth over the factor base
  • tweaks:
    - multiple polynomials (MPQS)
    - combine partial relations
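As an added example, not from the slides, the following Python carries slides (3) through (5) through in one piece: quadratic-sieve style relation collection over a small factor base, exponent vectors reduced mod 2, GF(2) elimination to find a product of relations that is a square, and the final gcd step. It assumes tiny factor bases, so square roots of n modulo p are found by brute force; all function names and the sample moduli 8051 and 15347 are constructed for illustration.

```python
from math import gcd, isqrt

def factor_base(n, B):
    # primes p <= B with n a square mod p; any other prime never divides a^2 - n
    primes = [p for p in range(2, B + 1) if all(p % q for q in range(2, isqrt(p) + 1))]
    return [p for p in primes if any((x * x - n) % p == 0 for x in range(p))]

def sieve_relations(n, fb, count):
    # b_i = a_i^2 - n, a_i = ceil(sqrt n) + i; each p divides only b_i with a_i on root + k*p
    start = isqrt(n) + 1
    b = [a * a - n for a in range(start, start + count)]
    exps = [[0] * len(fb) for _ in range(count)]  # prime-exponent vectors of the b_i
    for j, p in enumerate(fb):
        for root in {x for x in range(p) if (x * x - n) % p == 0}:  # sqrt(n) mod p, brute force
            i = (root - start) % p  # first index with a_i ≡ root (mod p)
            while i < count:
                while b[i] % p == 0:
                    b[i] //= p
                    exps[i][j] += 1
                i += p
    return [(start + i, exps[i]) for i in range(count) if b[i] == 1]  # reduced to 1: smooth

def find_dependencies(vectors):
    # Gaussian elimination over GF(2); yields index sets whose parity vectors sum to zero
    rows = {}  # pivot bit -> (reduced parity mask, bitmask of the relations combined into it)
    for i, v in enumerate(vectors):
        mask, hist = sum((e & 1) << j for j, e in enumerate(v)), 1 << i
        while mask:
            low = mask & -mask
            if low not in rows:
                rows[low] = (mask, hist)
                break
            mask, hist = mask ^ rows[low][0], hist ^ rows[low][1]
        else:  # reduced to zero: the relations in hist multiply to a square
            yield [k for k in range(len(vectors)) if hist >> k & 1]

def congruence_of_squares(n, B=30, count=2000):
    fb = factor_base(n, B)
    rels = sieve_relations(n, fb, count)
    for dep in find_dependencies([e for _, e in rels]):
        a, exps = 1, [0] * len(fb)
        for k in dep:
            a = a * rels[k][0] % n
            exps = [x + y for x, y in zip(exps, rels[k][1])]
        b = 1  # sqrt of the product of the b_i: halve every (even) exponent
        for p, e in zip(fb, exps):
            b = b * pow(p, e // 2, n) % n
        for f in (gcd(a - b, n), gcd(a + b, n)):  # trivial when a ≡ ±b (mod n)
            if 1 < f < n:
                return tuple(sorted((f, n // f)))
```

`congruence_of_squares` returns the sorted factor pair, or None if every dependency found only gives the trivial gcds 1 and n.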
History of congruence of squares methods (6)
• general number field sieve (GNFS) (Pollard, others, starting 1988)
  • both sieving and matrix steps performed in algebraic number fields
  • real power of method: restricts the search for smooth numbers to those of order n^(1/d), where d ~ 5 – 6
Congruence of squares methods: subexponential complexity
• Dixon's algorithm
    L( n ) ~ exp( ( 2 + o( 1 ) ) ( ln n )^(1/2) ( ln ln n )^(1/2) )
• Quadratic sieve: best for n up to 110 decimal digits
    L( n ) ~ exp( ( 1 + o( 1 ) ) ( ln n )^(1/2) ( ln ln n )^(1/2) )
• General number field sieve: best for n over 110 digits
    L( n ) ~ exp( ( ( 64/9 )^(1/3) + o( 1 ) ) ( ln n )^(1/3) ( ln ln n )^(2/3) )
Implementation of advanced congruence of squares methods (MPQS and GNFS)
• sieving step very CPU intensive, but highly parallelizable
  • historically, large efforts distributed over many processors (communication even by email)
• matrix step very memory intensive
  • historically done on a central supercomputer
  • more recently performed on tightly linked clusters
History of factoring RSA Challenge Numbers
MPQS = multiple polynomial quadratic sieve
GNFS = general number field sieve
Data and resource statistics on RSA Challenge Numbers
RSA-129 (completed 1994 by MPQS)
  size of factor base: 524339
  large prime bound: 2^30
  regular full relations: 1.1 × 10^5
  full relations derived from partial / double partial relations: 4.6 × 10^5
  amount of data: 2 GB
  time for sieving step: 5000 MIPS-years
  time for matrix step: 45 hrs
RSA-200 (completed 2005 by GNFS)
  factor base bound (algebraic side): 3 × 10^8
  factor base bound (rational side): 18 × 10^7
  large prime bound: 2^35
  relations from lattice sieving: 26 × 10^8
  relations from line sieving: 5 × 10^7
  total relations (after removing duplicates): 22.6 × 10^8
  matrix size (rows and columns): 64 × 10^6
  non-zero entries in matrix: 11 × 10^9
  time for sieving step: 55 Opteron-years (2.2 GHz)
  time for matrix step: 20 Opteron-years (2.2 GHz)
Your RSA keys: What are the risks? (1)
• factoring a new, larger modulus n' scales as:
  • L( n' )_GNFS / L( n )_GNFS in time
  • ( L( n' )_GNFS / L( n )_GNFS )^(1/2) in memory
Your RSA keys: What are the risks? (2)
• working for a year with today's hardware and algorithms:
  • a 768-bit integer would take 18,000 PCs, each with 5 GB of memory
    • might see a factorization with massive effort in 5-7 years
  • a 1024-bit integer would take 50,000,000 PCs, each with 10 GB of main memory, plus additional DRAM
    • acquisition cost of hardware c. US$ 100B!!
    • no factorization foreseeable for at least 15 years
Your RSA keys: What are the risks? (3)
BUT ...
• fairly mature design proposals exist for special purpose hardware to perform the sieving step
  • TWINKLE (electro-optics)
  • TWIRL (parallel processing pipelines)
  • mesh circuits (2D systolic arrays)
• estimated that 200 TWIRL clusters could do the sieving on a 1024-bit integer in one year
  • US$ 10-20M one-time R&D costs
  • US$ 1.1M manufacturing costs
  • 5-6 orders of magnitude reduction in cost