Integer Factoring Utilizing PC Cluster

Similar documents
Estimates for factoring 1024-bit integers. Thorsten Kleinjung, University of Bonn

Experience in Factoring Large Integers Using Quadratic Sieve

Factorisation of RSA-704 with CADO-NFS

Efficiency of RSA Key Factorization by Open-Source Libraries and Distributed System Architecture

Factorization of RSA-180

Mersenne factorization factory

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

The number field sieve in the medium prime case

Cado-nfs, a Number Field Sieve implementation

ECE297:11 Lecture 12

I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k

Another Attempt to Sieve With Small Chips Part II: Norm Factorization

Lecture 6: Cryptanalysis of public-key algorithms.,

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

Post-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Discrete logarithms: Recent progress (and open problems)

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

ENHANCING THE PERFORMANCE OF FACTORING ALGORITHMS

Polynomial Selection for Number Field Sieve in Geometric View

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Analysis and Optimization of the TWINKLE Factoring Device

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

A Beginner s Guide To The General Number Field Sieve

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

Sieve-based factoring algorithms

Integer factorization, part 1: the Q sieve. D. J. Bernstein

RSA Cryptosystem and Factorization

COMP4109 : Applied Cryptography

A Parallel GNFS Algorithm based on a Reliable Look-ahead Block Lanczos Method for Integer Factorization

On the strength comparison of ECC and RSA

Challenges in Solving Large Sparse Linear Systems over Finite Fields

CRYPTOGRAPHIC COMPUTING

Dixon s Factorization method

Factorization of Integers Notes for talks given at London South Bank University 20 February, 19 March, 2008 Tony Forbes

Good algebraic reading. MPRI Cours III. Integer factorization NFS. A) Definitions and properties

Edwards Curves and the ECM Factorisation Method

Fully Deterministic ECM

REMARKS ON THE NFS COMPLEXITY

Factorization of a 768-bit RSA modulus

Senior Math Circles Cryptography and Number Theory Week 2

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Version of block Lanczos-type algorithm for solving sparse linear systems

part 2: detecting smoothness part 3: the number-field sieve

The filtering step of discrete logarithm and integer factorization algorithms

ECE 646 Lecture 8. RSA: Genesis, operation & security. Factorization in Software & Hardware. Trap-door one-way function

Factoring integers, Producing primes and the RSA cryptosystem. December 14, 2005

A Parallel GNFS Algorithm with the Biorthogonal Block Lanczos Method for Integer Factorization

CSE 521: Design and Analysis of Algorithms I

GAMINGRE 8/1/ of 7

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

On the factorization of RSA-120. T. Denny 1, B. Dodson 2, A. K. Lenstra 3, M. S. Manasse 4

Algorithms for integer factorization and discrete logarithms computation

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

Problème du logarithme discret sur courbes elliptiques

Kim Bowman and Zach Cochran Clemson University and University of Georgia

A construction of 3-dimensional lattice sieve for number field sieve over GF(p n )

Another Generalization of Wiener s Attack on RSA

DAILY QUESTIONS 28 TH JUNE 18 REASONING - CALENDAR

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Running time predictions for square products, and large prime variations. Ernie Croot, Andrew Granville, Robin Pemantle, & Prasad Tetali

Factorization of RSA 140 Using the Number Field Sieve

SMOOTH NUMBERS AND THE QUADRATIC SIEVE. Carl Pomerance

Class invariants by the CRT method

Integer Factorization and Computing Discrete Logarithms in Maple

An Explosive Experiment

Industrial Strength Factorization. Lawren Smithline Cornell University

A GENERAL POLYNOMIAL SIEVE

RSA: Genesis, operation & security. Factoring in Software & Hardware.

Correctness, Security and Efficiency of RSA

Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Integer Factorization and Computing Discrete Logarithms in Maple

Lecture 1: Introduction to Public key cryptography

Cover and Decomposition Index Calculus on Elliptic Curves made practical

ON THE USE OF THE LATTICE SIEVE IN THE 3D NFS

University of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?

Factoring Small to Medium Size Integers: An Experimental Comparison

Discrete Logarithms in GF (p) using the Number Field Sieve

Coding for loss tolerant systems

On Class Group Computations Using the Number Field Sieve

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

ECPP in PARI/GP. Jared Asuncion. 29 January Asuncion, J. ECPP in PARI/GP 29 January / 27

On the complexity of computing discrete logarithms in the field F

Discrete Math, Fourteenth Problem Set (July 18)

Great Theoretical Ideas in Computer Science

PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Basic Algorithms in Number Theory

Factorization of a 768-bit RSA modulus

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Lecture 11 - Basic Number Theory.

Transcription:

Integer Factoring Utilizing PC Cluster Kazumaro Aoki maro at isl ntt co jp c NTT p.1/47

Contents Background Integer Factoring Algorithms World Records On 1024-bit GNFS My Experiences c NTT p.2/47

Integer Factoring and Cryptology until 1977: mostly for recreational purposes since then, a somewhat better excuse: to figure out secure RSA key sizes A. Lenstra@SHARCS05 http://www.hyperelliptic.org/ tanja/sharcs/talks/ ArjenLenstra.ppt c NTT p.3/47

Integer Factoring Problem (IFP) Input: composite N Output: non-trivial factor p (1 < p < N, p N ) No known algorithm can efficiently find p. c NTT p.4/47

Complexity of IF method complexity effective range TD L p [1, 1] p 2 28 ECM L p [1/2, 1.414] p 2 130 MPQS L N [1/2, 1.020] N 2 320 SNFS L N [1/3, 1.526] N > 2 320 GNFS L N [1/3, 1.923] N > 2 320 MPGNFS L N [1/3, 1.902] N > 2 2000 (?) L x [s, c] = exp((c + o(1))(log x) s (log log x) 1 s ) c NTT p.5/47

Trial Division (TD) Simply divide by 2, 3, 5,... Small divisors can be found by factor(n,2ˆ31-1) in PARI/GP. http://pari.math.u-bordeaux.fr/ c NTT p.6/47

Elliptic Curve Method (ECM) expect #E(GF(p)) is smooth by changing curves Excellent implementation in public: GMP-ECM http://gforge.inria.fr/projects/ecm/ x is y-smooth p x, p: prime p y c NTT p.7/47

Quadratic Sieve (QS) Construct x 2 y 2 (mod N) efficiently using index calculus method (gcd(x ± y, N) N ) fastest if N is less than 100 digits Good implementation in public: msieve http://www.boo.net/ jasonp/ qs.html c NTT p.8/47

Number Field Sieve (NFS) Developed at early 1990s Similar to MPQS, construct x 2 y 2 (mod N) using index calculus method The asymptotically fastest algorithm known for general-type integer factoring recent factoring records are done by (G)NFS an implementation in public: GGNFS http://www.math.ttu.edu/ cmonico/software/ggnfs/ c NTT p.9/47

Outline of NFS find many relations, (a, b) Z 2 s.t. ( b) deg f 1 f 1 ( a b ) = ( b) deg f 2 f 2 ( a b ) = find dependency in GF(2) {[e (a,b) p x 2 y 2 (mod N) p<b 1 p e q<b 2 q e (a,b) p (a,b) q,..., e (a,b),...]} q (a,b) c NTT p.10/47

Steps of NFS find x, y Z s.t. x 2 y 2 (mod N) 1. polynomial selection 2. sieving 3. filtering 4. linear algebra 5. square root c NTT p.11/47

Polynomial Selection for given N, d = deg f find f(x) Z[X], M Z s.t. f(m) 0 (mod N) GNFS: choose M N 1/(d+1), determine the d coefficients of f(x) by N = c i M i i=0 SNFS: determined automatically c i 1 from N c NTT p.12/47

Sieving find many (a, b) Z 2 (gcd(a, b) = 1) s.t. F (a, b) = ( b) d f( a/b) = p<b 1 p e p G(a, b) = a + bm = p<b 2 p e p choose (a, b) nearby origin point, because [a, b ] [F, G ] heaviest step in theory and experiments. sparsely connected distributed computing is possible, but considerably large memory is required. c NTT p.13/47

Filtering part of linear algebra step in theory removing duplicate relations find relation-sets that have non-trivial dependencies based on Gaussian elimination keeping sparse The matrix size is reduced one over tens. Example (GNFS176): 456M 329M (w: 9G?) 8.5M 8.5M (w: 1.7G) c NTT p.14/47

Linear Algebra Find linear dependency in sparse and huge GF(2)-matrix ( tens of million for WR) block Lanczos or block Wiedemann algorithm are frequently used. dominate NFS in theory It is not trivial to confirm the intermediate computation as correct. c NTT p.15/47

Square Root Number theoretic knowledges are required only for this step. Negligible complexity, but long program code. c NTT p.16/47

Records of GNFS composite # of bits YY/MM who RSA-200 663 05/05 Bonn et al. RSA-640 640 05/11 Bonn et al. c176 in 11 281 + 1 582 05/05 NTT et al. RSA-576 576 03/12 Bonn et al. c164 in 2 1826 + 1 545 03/12 NTT et al. RSA-160 530 03/04 Bonn From http://www.crypto-world.com/ FactorAnnouncements.html and others c NTT p.17/47

Records of SNFS composite # of bits YY/MM who c274 in 6 353 1 911(913) 06/01 NTT et al. c248 in 2 1642 + 1 822 04/03 NTT et al. 2 809 1 809 03/01 Bonn c244 in 5 349 1 809(811) 06/04 Kruppa+Bonn c239 in 2 811 1 793(811) 04/06 NFSNET c234 in 3 491 + 1 777(779) 04/09 NFSNET+CWI c227 in 2 773 + 1 774(753) 00/11 CWI et al. From http://www.crypto-world.com/ FactorAnnouncements.html and others c NTT p.18/47

Records of ECM composite log 2 p YY/MM who c214 in 10 381 + 1 222 06/08 Dodson c180 in 3 466 + 1 219 05/04 Dodson c311 in 10 311 1 212 05/09 Aoki et al. c175 in 3 533 + 1 209 05/11 Kruppa c187 in 2 2034 + 1 205 05/04 Dodson c162 in 2 905 + 1 201 06/09 Dodson c242 in 2 1099 + 1 197 05/10 Dodson c162 in 10 233 1 194 05/02 Dodson From http://www.loria.fr/ zimmerma/records/top100.html c NTT p.19/47

On 1024-bit GNFS After proposing the special hardware device, for example, TWINKLE, many estimations were made. o(1) = 0 approximation in L N [1/3, 1.923] is very dangerous. We know the complexity increase about 3 times every 10 digits for N 2 512. It means o(1) 0.279. People want to know the complexity to factor 1024-bit RSA modulus using simple scale: X-bit security c NTT p.20/47

On Pentium 4 [2.53GHz] Platform RC5-72: 3,549,150 keys/sec (v2.9001-478) RSA-150(496-bit) sieve: 20,597,260 seconds 46-bit security 3 times every 10 digits 72-bit security 1024-bit IF at least a factor 200 gap between 1024-bit RSA and 80-bit security A. Lenstra@SHARCS05 c NTT p.21/47

My Experiences Big factorings: GNFS164, SNFS248, GNFS176, ECM311, SNFS274 Joint work with Kida, Shimoyama, Sonoda, and Ueda Partly supported by CRYPTREC project. c NTT p.22/47

How to choose candidate composites? RSA challenge: 576, 640, 702,... bits old RSA challenge: every 10 digits Cunningham project: b e ± 1 (2 b 12) (described as b, e±) partition number, near repunit,... ECM (removing small factor) GNFS vs SNFS (special type composite) c NTT p.23/47

GNFS164 (1) c164 in 2,1826L Our first attempt to make a world record. At that time, the world record is 160 digits. The polynomial selection step was started mid-oct 2003, in parallel with GMP-ECM with B1=43M. A candidate, c165 in 2,2030L, was factored by ECM (44 digits factor). Franke team already finished sieving for RSA-576 at Sep 2003. c NTT p.24/47

GNFS164 (2) Sieving: late Oct to early Dec Filtering: late Nov to early Dec Lenstra announced at Asiacrypt (Nov 30 - Dec 4): a workshop for IF will be held Dec 12 Linear algebra: Dec 3 to Dec 15 c NTT p.25/47

GNFS164 (3) RSA-576 factoring announcement was posted on sci.crypt Dec 4. Our factoring was completed Dec 18. c NTT p.26/47

SNFS248: c248 in 2,1642M (1) We change the target from GNFS to SNFS. At that time, the world record is 244 digits. We found 56 digits factor by ECM (3rd largest at that time) Dec 17 in the first candidate (ECM started Dec 5, 2003). Sieving: mid-dec 2003 to early Feb 2004 in parallel with GMP-ECM with B1=43M (finished Jan 10). NFSNET was already started sieving for c239 in 2,811-. c NTT p.27/47

SNFS248 (2) Filtering: early Feb 2004 Linear algebra (CRYPTREC cluster): Feb 11 to Feb 24 c NTT p.28/47

SNFS248 (3) Square root: Feb 25, but failed Failure reason: 324 relations with gcd(a, b) 1 are included Go back to filtering step Feb 28: CRYPTREC cluster deadline 2nd Filtering: late Feb 2004 2nd Linear algebra (Rikkyo Univ): Mar 1 to Mar 20 (including HW trouble, and manual operation mistakes) c NTT p.29/47

SNFS248 (4) Our linear algebra code said: rank > # of rows half day examination RAM using memtest86 3rd Linear algebra (Rikkyo Univ): Mar 16 to Mar 25 c NTT p.30/47

SNFS248 (5) Our linear algebra code said: rank > # of rows 4th Linear algebra (NTT): Mar 19 to Mar 29 (estimation) c NTT p.31/47

NFSNET 2_811M Daily Reports 2.5e+06 2_811M Relations Collected Daily 2e+06 1.5e+06 relations 1e+06 500000 0 0 20 40 60 80 100 120 140 160 180 days passed From http://www.nfsnet.org/stats2/ statsreporter.cgi?template=relations.html& project=2 811M c NTT p.32/47

SNFS248 (6) Mar 27 (Sat): one of PC crashes (disk trouble) 4th Linear algebra (NTT): Mar 29 (restart) to Apr 2 (estimation) c NTT p.33/47

SNFS248 (7) Apr 2 (Fri) 1:20am: power stop by lightening strike 4th Linear algebra (NTT): Apr 3 (restart) to Apr 3 midnight 33 dependencies are found Square root: Apr 3 to Apr 4 (midnight) 1st solution: gcd(n, x + y) = gcd(n, x y) = 1 c NTT p.34/47

SNFS248 (8) When computing square root using 2nd dependencies, we found a factor by gcd(n, x y/2) after factoring we found the reason (a parameter is doubled) c NTT p.35/47

Hardware failures in 3 years 40 servers including 32 2U P4[2.53GHz] servers. 15% HD were broken, but 90% were repaired by automatic reallocation of bad sectors. 2 power units were broken. 4 memory modules were broken. 8 CPUs sometimes produced incorrect result. 2 CPU fans were stopped. 1 motherboard was broken. 1 of 4 HUBs was broken. c NTT p.36/47

GNFS176: c176 in 11,281+ Our first world record of GNFS Feb 2, 2005 to Apr 22, 2005 poly sel sieving linear alg 3.5 year @ P4[3.2GHz] 9.7 year @ P4[3.2GHz] 5 day @ 36 P4[2.8GHz-3.2GHz] w/ GbE The record was only kept in a week. RSA-200 factoring was announced May 2005. c NTT p.37/47

# of PCs Used in Each Step Step distributed # of PCs for computing GNFS176 1 poly. sel. easy 52 2 sieve easy 400 3 filtering rel. easy 2 4 linear alg. tight conn. 36 5 square root rel. easy 36 c NTT p.38/47

Details of Our Program Running time spent GNFS176 poly. sel. 20d pol51m0b pol51opt 2h mkprime sieve 27d ltsieve filtering 4h classifyrel uniqrel, 32to64 3h getlp countlp lptxt2bin 2h sfctr 8h scmpi 1h compff mkprematrixbin 2d splitpm + smerge lin. alg. 1h shufflematrix mkmatrixbin 1h cut224mat splitmatrix 5d planczos256 1h solve224mat rff gaussext 1h anneal 1h papprox 1h pcouveignes, rsqrt c NTT p.39/47

Program Lines Step # of lines ratio polynomial selection 5626 10% sieve 16943 30% filtering 17607 32% linear algebra 7352 13% square root 8150 15% total 55678 100% as of October 2005 c NTT p.40/47

ECM311: 10,311- kilo-bit SNFS candidate 2nd largest factor found by ECM at that time: R311 = p64 p247 We call the idle CPU time in NTT for Step 1, and Step 2 was done by our occupied PCs. 7.91 year @ Opteron[2.0GHz] w/ 4GB RAM (89 calendar days) c NTT p.41/47

SNFS274: c274 in 6,353- SNFS record 911 bits number sieving tried to start Sep 11, 2005 (actually started Sep 10) factoring expected to complete Jan 19, 2006 (actually Jan 23) sieving linear alg 16.6 year @ P4[3.2GHz] (=17.3 year @ A64[2.0GHz]) 34.64 day @ 25 P4[3.2GHz] w/ GbE c NTT p.42/47

Our contributed optimization Use of bucket sort for sieving step (Asiacrypt 2004) Variable sieving range for lattice sieve Sum share algorithm for linear algebra step (reinvention of wheel?) Network construction for PC cluster (reinvention of wheel?) c NTT p.43/47

Sum Sharing before: length l vector in n nodes after: sum of all vectors shared in all nodes A full-duplex ring network can realize in 2(n 1) l n, where length 1 vector can transfer in time 1. c NTT p.44/47

Network Construction: 16 nodes HUB HUB }{{} 16 with 16-port HUB. each node has 1 NIC. c NTT p.45/47

Network Construction: 36 nodes 1-1- 12 12 13 13 1-1- 12 12 13 13 12 12 2-2- 23 23 12 12 2-2- 23 23 13 13 23 23 3-3- 13 13 23 23 3-3- using 3 20-port HUBs. each node has 2 NICs. c NTT p.46/47

Final Remarks I feel that PC cluster is the best solution to factor big integer for < 500,000 USD budget (not including human resources). It is very difficult to keep all nodes available. Keep the factors coming! Sam Wagstaff (Cunningham table maintainer) c NTT p.47/47

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback