Circuit Design Projects in Integer Factorization

1. Circuit Design Projects in Integer Factorization Burt Kaliski, RSA Security March 29, 2006

2. The Factoring Problem Let N be the product of two or more primes The factoring problem is to find the prime factors of N Example: N = 1363 factors = 29 * 47 Factoring is considered a hard computational problem in that its complexity grows rapidly as the size of N increases

3. Why It�s Important Factoring is important because it�s the basis for security of a widely used encryption algorithm, the RSA cryptosystem A user, �Alice,� has two keys in this cryptosystem: a public key, consisting of a modulus N and an exponent e a private key, consisting of the factors p, q of N Anyone can encrypt a message m for Alice by computing c = me mod N Only Alice can decrypt c to recover m by computing m = cd mod n Here, d is easy to compute given p and q, but hard given only N

4. Goals of this Talk In this talk, we�ll look at some of the methods for factoring We�ll also look at some hardware circuits that can be used in a large-scale factoring effort These could be the basis for a VLSI design project

5. Basic Method: Trial Division At least one of the prime factors of N must be ? sqrt(N) Try all possible primes until a factor is found: 2, 3, 5, 7, 11, � Expected time for this method: sqrt(N) / ln N divisions This is impractical even for modest sized N 100-digit N would take nearly 2160 operations, not counting the time to enumerate the primes

6. Better Method: Relation Finding Let x, y be random integers such that x2 ? y2 (mod N) Then with probability �, (x-y) and (x+y) each share a prime factor with N Factors can be found by computing GCD Find x, y that have this relationship How?

7. Finding Relations Let x be a random integer and let a, b, c, � be non-negative integers such that x2 ? 2a 3b 5c ? ? ? (mod N) This is called a relation. The right hand side is the factorization of z = x2 mod N Find many such relations. Then collect a subset such that the sum of exponents for every prime is even � this is called the matrix step. The x and y such that x2 ? y2 (mod N) come from the product of the subset. But first, how to factor z = x2 mod N?

8. Relation Finding Principles Principle 1: We don�t need to factor every z, just many Principle 2: If x is near sqrt(N), then z = x2 � N will be O(sqrt(N)), so easier to factor Principle 3: z will be even easier to factor if all its factors are �small�, e.g., ? some small bound B Such z are called �B-smooth� Approach: Generate many random x starting near sqrt(N); compute z = x2 � N; try to factor z up to bound B; output z if B-smooth

9. Example: N = 1363, B = 5 x = 37 z = 1369 mod N = 6 = 2 * 3 x = 38 z = 1444 mod N = 81 = 34 x = 39 z = 1521 mod N = 158 = 2 * [too large] x = 40 z = 1600 mod N = 237 = 3 * [too large] x = 41 z = 1681 mod N = 318 = 2 * 3 * [too large] x = 42 z = 1764 mod N = 401 = [too large] x = 43 z = 1849 mod N = 486 = 2 * 35

10. Solving the Relations Three relations were found: 372 ? 2 * 3 (mod N) 382 ? 34 (mod N) 432 ? 2 * 35 (mod N) Two subsets can be combined to produce even exponents: 372 * 432 ? 22 * 36 ? (37 * 43)2 ? (2 * 33)2 ? 2282 ? 542 GCD (228+54, 1363) = 47; GCD (228-54, 1363) = 29 382 ? (32)2 ? 382 ? 92 GCD (38+9, 1363) = 47; GCD (38-9, 1363) = 29 Factors of N = 1363 are 29 and 47

11. A Brief History of Factoring Methods Antiquity: Trial division Search for p dividing N Renaissance: Fermat�s method Search for x, y such that x2 � y2 = N directly 1970s: Pollard�s rho method Construct a �cycle� that reveals a factor of N x0 = 2, xi+1 = xi2 + 1 mod N For some i, j, GCD (xi � xj, N) may reveal the factor

12. A Brief History (cont�d) 1970s: Pollard�s p-1 method Compute an exponential that reveals a factor: z = 2M mod N where M = 2a * 3b * 5c * � up to bound B If p is B-smooth, then GCD (z-1, M) may reveal the factor 1980s: Lenstra�s Elliptic Curve Method A more general recurrence based on elliptic curve arithmetic that works by any factor

13. A Brief History (cont�d) 1970s: Dixon�s method Find relations by factoring x2 � N, then solve relations 1980s: Pomerance et al.�s Quadratic Sieve Find relations by sieving x against small primes ? 1990s: Pollard et al.�s Number Field Sieve The fastest method known for finding relations 2000s: Shamir and Tromer�s TWIRL circuit The fastest circuit design known for finding relations ? Many other methods as well: Morrison & Brillhart�s Continued Fraction, Shanks� SQUFOF, Silverman�s MPQS, other circuits by Shamir, Bernstein

14. A Brief Future (?) 1990s: Shor�s algorithm Breaks the factoring problem using a quantum computer Factoring would be almost as easy as multiplying � if such a computer could be built

15. The RSA Factoring Challenge Since 1991, RSA Laboratories has been offering prizes for the factorization of large numbers The current record in this challenge is RSA-200, a 200-digit number factored in May 2005 by a team led by Jens Franke of the University of Bonn � the prize was US $10,000 This number took an equivalent of �55 years work for a single 2.2 GHz Opteron-based computer� for sieving and the matrix step took about three months on 80 such computers The progress of the challenge has closely tracked estimates of the difficulty of factoring

16. A Relation-Finding Circuit