Factorization of a 1061-bit number by the Special Number Field Sieve

Similar documents
The filtering step of discrete logarithm and integer factorization algorithms

The Quadratic Sieve Factoring Algorithm

Integer Factorization using the Quadratic Sieve

Primality Testing and Factorization Methods

Factoring integers and Producing primes

Optimization of the MPQS-factoring algorithm on the Cyber 205 and the NEC SX-2

Factorization of a 768-Bit RSA Modulus

Factorizations of a n ± 1, 13 a < 100

Factoring as a Service

' DEC SRC, 130 Lytton Avenue, Palo Alto, CA 94301, U.S.A

Public-Key Cryptanalysis 1: Introduction and Factoring

Factoring Algorithms

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

CGHub Client Security Guide Documentation

The number field sieve

Runtime and Implementation of Factoring Algorithms: A Comparison

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

The van Hoeij Algorithm for Factoring Polynomials

Factorization Methods: Very Quick Overview

Notes on Factoring. MA 206 Kurt Bryan

Factoring N = p r q for Large r

Two Integer Factorization Methods

How To Factoring

A Factoring and Discrete Logarithm based Cryptosystem

FACTORING WITH TWO LARGE PRIMES

2 Primality and Compositeness Tests

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Update # 5 to Factorizations of b n ± 1

Faster deterministic integer factorisation

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

Factoring. Factoring 1

On the Cost of Factoring RSA-1024

Factoring a semiprime n by estimating φ(n)

Factoring Cubic Polynomials

Integer factorization is in P

March 29, S4.4 Theorems about Zeros of Polynomial Functions

The Mathematical Cryptography of the RSA Cryptosystem

Finding Small Roots of Bivariate Integer Polynomial Equations Revisited

Index Calculation Attacks on RSA Signature and Encryption

Cryptosystem. Diploma Thesis. Mol Petros. July 17, Supervisor: Stathis Zachos

An Efficient Hardware Architecture for Factoring Integers with the Elliptic Curve Method

by the matrix A results in a vector which is a reflection of the given

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Study of algorithms for factoring integers and computing discrete logarithms

Mathematics of Computation, Vol. 41, No (Jul., 1983), pp

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Implementing Network Security Protocols

A New Generic Digital Signature Algorithm

The Advanced Encryption Standard (AES)

Zeros of a Polynomial Function

An Overview of Integer Factoring Algorithms. The Problem

Paillier Threshold Encryption Toolbox

A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers

Factoring Algorithms

1 Lecture: Integration of rational functions by decomposition

Basic Algorithms In Computer Algebra

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

Computer Security: Principles and Practice

THE NUMBER OF REPRESENTATIONS OF n OF THE FORM n = x 2 2 y, x > 0, y 0

ECE 842 Report Implementation of Elliptic Curve Cryptography

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to

Factorization Algorithms for Polynomials over Finite Fields

A SOFTWARE COMPARISON OF RSA AND ECC

SECRET sharing schemes were introduced by Blakley [5]


Public Key Cryptography: RSA and Lots of Number Theory

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera.

Lecture 13: Factoring Integers

LUC: A New Public Key System

The Sieve Re-Imagined: Integer Factorization Methods

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

Integer Factorization

Discrete Mathematics: Homework 7 solution. Due:

Mathematics Course 111: Algebra I Part IV: Vector Spaces

SOLVING POLYNOMIAL EQUATIONS BY RADICALS

Hill s Cipher: Linear Algebra in Cryptography

Some applications of LLL

Lecture 13 - Basic Number Theory.

Transcription:

Factorization of a 1061-bit number by the Special Number Field Sieve Greg Childers California State University Fullerton Fullerton, CA 92831 August 4, 2012 Abstract I provide the details of the factorization of the Mersenne number 2 1061 1 by the Special Number Field Sieve. Although this factorization is easier than the completed factorization of RSA-768, it represents a new milestone for factorization using publicly available software. 1 Introduction The Number Field Sieve (NFS) is currently the fastest classical algorithm for factoring a large integer into its prime cofactors [8]. Continued study of the practical implementations of the NFS is of significant interest for the security assessment of common public-key cryptosystems, chief among them being the RSA algorithm. The security of the RSA encryption algorithm relies on the fact that integer factorization is difficult. Improvements to the NFS algorithm are of significant practical importance, and factoring milestones are followed by the applied cryptography community. Significant milestones include the factoring of a 512-bit RSA modulus by the general NFS (GNFS) in 2000 [4], 2 1039 1 by the special NFS (SNFS) in 2007 [2], and a 768-bit RSA modulus in 2010 [7]. Using the SNFS, the complete factorization of the Mersenne number, 2 1061 1, has been determined. Prior this this effort, this number had no known factors. Although easier than the factorization of RSA-768, this represents a new largest factorization using SNFS, and the largest factorization to date using publicly available software. NFS is comprised of five basic steps: polynomial selection, sieving for relations, filtering of relations, linear algebra, and square root. Each of these steps will be detailed below. 1

2 Polynomial selection Polynomial selection consists of finding two polynomials that share a common root modulo the number being factored. For this SNFS factorization, selection of appropriate polynomials is trivial. The polynomials f(x) = x 6 2 and g(x) = x 2 177 share the common root 2 177 modulo 2 1061 1. 3 Sieving Sieving was by far the most computationally intensive step in this factorization. Although sieving is somewhat memory intensive, requiring one to two gigabytes per process, the individual sieving tasks do not need to interact. Taking advantage of the increasing amount of memory in today s typical home computer, I administer a distributed computing project to provide the capacity computing required for the sieving. Using the Berkeley Open Infrastructure for Network Computing (BOINC) [1], the NFS@Home project distributes the NFS sieving tasks to volunteer computers and collects the results [5]. The sieving binaries used are based on the gnfs-lasieve lattice sieve code written by Jens Franke and Thorsten Kleinjung [6] adapted for use in the BOINC framework. Factor base bounds of 250 million were used on both the algebraic and rational sides to reduce the amount of memory required for the computation. A large prime bound of 2 33 was used on both sides with up to two large primes allowed on the algebraic side and up to three large primes on the rational side. Sieving was performed over a rectangular region of size 2 16 2 15 using the gnfs-lasieve4i16e binary. These sieving parameters turned out to be suboptimal, requiring sieving over a significantly larger range of q than initially expected. Most of the special-q between 20 million and 1.45 billion on the rational side, and between 20 million and 1.07 billion on the algebraic side were sieved. The total computational effort expended on sieving was approximately 3 CPU-centuries and yielded 671, 385, 523 unique relations. 4 Filtering Filtering was performed using the MSIEVE software library [10]. Filtering started with the set of approximately 671 million unique relations. Following the singleton and clique removal steps, the matrix had approximate 282 million rows. Following the merge phase, a final matrix of 90.3 million rows and columns with an average weight of 125.27 per column was produced. Filtering required approximately 50 CPU-hours and 40 gigabytes of memory to complete, and the final matrix in binary form requires approximately 40 gigabytes of 2

storage. 5 Linear algebra The MSIEVE software library uses the block Lanczos algorithm [9] for the linear algebra. In collaboration with Jason Papadopoulos, the author of the MSIEVE library, and Ilya Popovyan [11], a parallel version of MSIEVE utilizing MPI has been written and continues to be optimized. The linear algebra was performed using a 24 24 MPI grid (576 total cores), and was split between the Trestles cluster at the San Diego Supercomputing Center and the Lonestar cluster at the Texas Advanced Computing Center due to allocation details. On both clusters the nodes use DDR3 memory, and communication between nodes within the cluster uses Infiniband interconnects. The linear algebra required approximately 35 CPU-years, and yielded 32 non-trivial dependencies. 6 Square root MSIEVE uses a straightforward, but memory-intensive, algorithm for the algebraic square root. This involves multiplying all the relations involved in a non-trivial dependency from the linear algebra modulo the monic algebraic polynomial f(x). Because of the size of the products, FFT-based multiplication is used. For 2 1061 1, this product completed in 9 CPU-hours, required 14 gigabytes of memory, and produced a fifth degree polynomial with coefficients 4.03 gigabits in size. The algebraic square root, calculated using q-adic Newton iteration, required 13.5 CPU-hours. Each dependency has a 50% chance of yielding the factors, and the factors were found on the second dependency. The square root step required a total of 45 CPU-hours. 7 Results The number 2 1061 1 is the product of 143-digit and 177-digit prime numbers, P 143 P 177, where P 143 = 468172263510722656207776706750069723016189792142528328750689763038394004 13682313921168154465151768472420980044715745858522803980473207943564433 3

P 177 = 527739642811233917558838216073534609312522896254707972010583175760467054 896492872702786549764052643493511382273226052631979775533936351462037464 331880467187717179256707148303247 The factorizations of P 143 ± 1 and P 177 ± 1 are P 143 1 = 2 4 3 13 29 1061 1717297 2130134834354231 5879064877797191 113382740713189708770977555625503236436481111748875743652757880942902 361172061775595195662710371631 P 143 + 1 = 2 71 229 307 180073 1695653 802019957507 60854868590560169873679751115717379719685541 314685977891584893863606411002767625028154365970917021388168776617403 P 177 1 = 2 3 2 1061 749005237 495208476776963 662644764100955663 2141325263036607091 775773368635591611966240530501981 676800431849058805522047060741035975900358261557169622681838442743694 28448480629 P 177 + 1 = 2 4 267493 140551319 4927926989 342953555423061833 519102134515219689762106622868417209328766160609019137855695907861330 547801183552702820127130029750936928186728766149200994319755504407 These factors will be published in the fourth edition of the Cunningham book [3] and are currently available in the factorization tables of the Cunningham project website [12]. 8 Acknowledgments This calculation could not have been performed without the free, publicly available lattice sieve of Franke and Kleinjung, MSIEVE by Jason Papadopoulos, and the BOINC infrastructure. Computational time on the Trestles and Lonestar clusters is provided by National Science Foundation XSEDE grant number TG-DMS100027. And finally, this effort would not have been possible without the over 1,000 individuals who donate time on their personal computers to the NFS@Home project. 4

References [1] D. P. Anderson. BOINC: a system for public-resource computing and storage. In 5th IEEE/ACM International Workshop on Grid Computing, pages 4 10, 2004. [2] K. Aoki, J. Franke, T. Kleinjung, A. K. Lenstra, and D. A. Osvik. A kilobit special number field sieve factorization. In Advances in Cryptology ASIACRYPT 2007. Springer, Berlin / Heidelberg, 2007. [3] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman, and S. S. Wagstaff, Jr. Factorizations of b n ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 Up to High Powers. American Mathematical Society, Providence, Rhode Island, third edition, 2002. Available online at http://www.ams.org/publications/online-books/conm22-index. [4] S. Cavallar, B. Dodson, A. K. Lenstra, W. M. Lioen, P. L. Montgomery, B. Murphy, H. J. J. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. C. Leyland, J. Marchand, F. Morain, A. Muffett, C. Putnam, C. Putnam, and P. Zimmermann. Factorization of a 512-bit RSA modulus. In Advances in Cryptology EUROCRYPT 2000. Springer, Berlin / Heidelberg, 2000. [5] G. Childers. NFS@Home, 2012. http://escatter11.fullerton.edu/nfs/. [6] J. Franke and T. Kleinjung. Continued fractions and lattice sieving. Proceedings of SHARCS 2005, 2005. Source available for download from http://mersenneforum.org/showthread.php?p=169889. [7] T. Kleinjung, K. Aoki, J. Franke, A. Lenstra, E. Thomé, J. Bos, P. Gaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele, A. Timofeev, and P. Zimmermann. Factorization of a 768-bit RSA modulus. Cryptology eprint Archive, Report 2010/006, 2010. [8] A. K. Lenstra and H. W. Lenstra, Jr. The development of the number field sieve. In Lecture Notes in Mathematics, Volume 1554. Springer-Verlag, Berlin / Heidelberg, 1993. [9] P. L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In EUROCRYPT 95: Proceedings of the 14th annual international conference on theory and application of cryptographic techniques, pages 106 120, Berlin / Heidelberg, 1995. Springer-Verlag. [10] J. Papadopoulos. MSIEVE, 2012. http://sourceforge.net/projects/msieve/. [11] I. Popovyan. Efficient parallelization of Lanczos type algorithms. Cryptology eprint Archive, Report 2011/416, 2011. http://eprint.iacr.org/. [12] S. S. Wagstaff, Jr. The Cunningham Project, 2012. http://homes.cerias.purdue.edu/ ssw/cun/. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information