Another Attempt to Sieve With Small Chips Part II: Norm Factorization

Similar documents
A Simpler Sieving Device: Combining ECM and TWIRL

part 2: detecting smoothness part 3: the number-field sieve

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

Edwards Curves and the ECM Factorisation Method

A Simpler Sieving Device: Combining ECM and TWIRL

Fully Deterministic ECM

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Integer factorization, part 1: the Q sieve. D. J. Bernstein

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Discrete Math, Fourteenth Problem Set (July 18)

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

COMP4109 : Applied Cryptography

Parametrizations for Families of ECM-Friendly Curves

1. Algebra 1.7. Prime numbers

Sieve-based factoring algorithms

ECM using Edwards curves

n The coefficients a i are real numbers, n is a whole number. The domain of any polynomial is R.

Analysis and Optimization of the TWINKLE Factoring Device

Industrial Strength Factorization. Lawren Smithline Cornell University

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Lecture 6: Cryptanalysis of public-key algorithms.,

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

Chapter 4 Finite Fields

ECPP in PARI/GP. Jared Asuncion. 29 January Asuncion, J. ECPP in PARI/GP 29 January / 27

x 9 or x > 10 Name: Class: Date: 1 How many natural numbers are between 1.5 and 4.5 on the number line?

CPSC 467b: Cryptography and Computer Security

Discrete Logarithm Problem

a = a i 2 i a = All such series are automatically convergent with respect to the standard norm, but note that this representation is not unique: i<0

Algebra for error control codes

arxiv: v1 [math.nt] 31 Dec 2011

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

DIVISIBILITY OF BINOMIAL COEFFICIENTS AT p = 2

Experience in Factoring Large Integers Using Quadratic Sieve

Discrete Structures Lecture Primes and Greatest Common Divisor

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

The Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright

RSA Cryptosystem and Factorization

Arithmetic in Integer Rings and Prime Fields

Prime Pythagorean triangles

LEGENDRE S THEOREM, LEGRANGE S DESCENT

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Hardware to Solve Sparse Systems of Linear Equations over GF(2)

3.4. ZEROS OF POLYNOMIAL FUNCTIONS

CRYPTOGRAPHIC COMPUTING

Exam 2 Review Chapters 4-5

University of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

The number field sieve in the medium prime case

Estimates for factoring 1024-bit integers. Thorsten Kleinjung, University of Bonn

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

PRACTICE PROBLEMS: SET 1

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Chapter 1. Number of special form. 1.1 Introduction(Marin Mersenne) 1.2 The perfect number. See the book.

4 Powers of an Element; Cyclic Groups

Definition For a set F, a polynomial over F with variable x is of the form

A Guide to Arithmetic

Chapter 8. Introduction to Number Theory

CPSC 467: Cryptography and Computer Security

Sect Introduction to Rational Expressions

Simultaneous Diophantine Approximation with Excluded Primes. László Babai Daniel Štefankovič

CSE 521: Design and Analysis of Algorithms I

basics of security/cryptography

Horizontal and Vertical Asymptotes from section 2.6

Commutative Rings and Fields

RSA Implementation. Oregon State University

Number Theory A focused introduction

Cado-nfs, a Number Field Sieve implementation

On the polynomial x(x + 1)(x + 2)(x + 3)

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Modular Multiplication in GF (p k ) using Lagrange Representation

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

GENERATION OF RANDOM PICARD CURVES FOR CRYPTOGRAPHY. 1. Introduction

Congruences, graphs and modular forms

ELLIPTIC CURVES AND INTEGER FACTORIZATION

Arithmetic, Algebra, Number Theory

Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography

Math 109 HW 9 Solutions

Cryptography and Security Midterm Exam

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

Lecture 11 - Basic Number Theory.

Senior Math Circles Cryptography and Number Theory Week 2

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

REMARKS ON THE NFS COMPLEXITY

Computer Architecture 10. Residue Number Systems

k, then n = p2α 1 1 pα k

Algorithm for Concordant Forms

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

Residue Number Systems Ivor Page 1

Transcription:

Another Attempt to Sieve With Small Chips Part II: Norm Factorization Rainer Steinwandt Florida Atlantic University (joint work with Willi Geiselmann, Fabian Januszewski, Hubert Köpfer and Jan Pelzl)

Setting the Scene Sieving step of the NFS: yields (a,b)-pairs such that two integers N a/r (a,b) have good chances to be smooth. homogeneous polynomials Challenge: special purpose designs like TWIRL produce (a,b)-candidates at a high rate fast smoothness test (+ factoring)

Motivation One Solution (e.g., TWIRL): log big prime factors during sieving adds to the anyway non-trivial complexity of a device like TWIRL Alternative idea: Could an ECM device do all the smoothness tests + factorizations in real time, hence eliminating the need for logging primes?

Objective More ambitious hope: Could an ECM device even replace a complete algebraic TWIRL device? More modest goal here: Is an ECM post-processing for a 1024-bit TWIRL feasible? TWIRL s diary logic could be avoided and performance would suffice for the device from Willi s talk

NFS Parameters No asymptotic claim, values as for TWIRL: Sieving region: -A<a A, 0<b B with A=5.5 10 14, B=2.7 10 8 Rational side: Algebraic side: - deg(n r )=1 - deg(n a )=5 - smoothness bound: - smoothness bound: 3.5 10 9 2.6 10 10 - two large primes - two large primes 4 10 11 6 10 11

Required Performance Expected TWIRL output (1 GHz): 655 (a,b)-candidates per second (a few more at the beginning) Numbers to be tested and factored: N r (a,b): no more than 216 bit N a (a,b): no more than 350 bit Design goal: ECM engine to cope with 1000 such (a,b)-pairs per second

Elliptic Curve Method Basic idea to factor n: (a) Pick random elliptic curve E(Z/nZ) & P E (b) For some k=p 1 e 1 p r e r, compute k P (c) hope that n has prime divisors p,q: k P = O in E(Z/pZ) and k P O in E(Z/qZ) gcd computation yields divisor of n Here: prime bound 402 (r=79, e i =blog pi (530)c)

Choice of Curves Atkin/Morain 93: For S:=(12:40) Q 2 on E: Y 2 =X 3-8X-32 we have ord(s) =, and each r S yields a curve E r with 16 #E r. can t do better (Mazur 76) Note: Unlike E, we can transform the curves E r into Montgomery/Chudnovsky form By 2 =x 3 +Ax 2 +x

Precomputation 84 curves E r should suffice estimated loss of good (a,b)-candidates <0.5%: Precompute & store 84 rational βs from which needed curves & points mod n can be derived: numerators & denominators 17 kbit mod n reduction for new curve in parallel to ECM computation on available curves Montgomery ladder for point multiplication

2 nd Phase of ECM Here: Improved Standard Continuation (Montgomery/Brent): (Large) primes considered: 402<q<9680 For each q we have r,s: q=2(st±r) + 1?? Check q Q = O via (2st+1) Q = ±2r Q t=30 With ν Q = (X ν : - :Z ν ), test all qs at once via gcd(π r,s (X 2r Z 2st+1 X 2st+1 Z 2r ), n) 1?

Composite Divisors Here: Identified factors of n are not necessarily prime Use product tree to split T 0,0 := Π r,s (X 2r Z 2st+1 X 2st+1 Z 2r ) T 1,0 := T 1,1 := Π (X 2r Z 2st+1 X 2st+1 Z 2r ) T 0,0 /T 1,0 some r,s

Product Tree depth 3 sufficient for our purposes allows recovery of multiple divisors at once serves as primality test most encountered divisors will be prime (preceding trial division for factors <10 5 ) 9592 primes, 108 prime powers, pipelined structure with 10 division circuits

Structure of a Factorization Unit

Rational & Algebraic Factorization Rational side: -norm comput. evaluate affine polynomial - av. factor size after trial division: 200 bit (a,b)-candidates passing rational tests (along with factors) Algebraic side: - norm comput. 5 mult. + 5 add. - basic structure as on the rational side, identical set of elliptic curves - operands are larger, but fewer candidates

Area Estimate Existing work on fast arithmetic applies (Montgomery, Tenca/Koç, Pelzl et al., ) - With 0.13μm CMOS, one ECM cluster (6 ECM units + reduction unit): 4.92 mm 2 (rational) 5.76 mm 2 (algebraic) - Trial division pipeline: 0.17 mm 2 (rational) 0.21 mm 2 (algebraic) - Central control unit: 1 mm 2

Coping with TWIRL for chips of size 147 mm 2 ( Pentium 4) we can group 29 rational or 25 algebraic ECM clusters on one chip... Software simulations for factoring norms: Rational side: on average 61 curves ( 0.8 s per norm) Algebraic side: 240 MHz on average 70 curves ( 2 s per norm) 5 rational + 6 algebraic chips should suffice

Conclusions for a 1024-bit TWIRL, logging the prime factors does not seem to be necessary: post-processing with ECM seems realistic coping with the (a,b)-candidates output by the device in Willi s talk should be doable

More details: ICISC 06 proceedings, pp. 118-135 (Springer LNCS 4296)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback