Page 1: Integer Factoring in Cryptography Dr. Jiun-Ming Chen jmchen@ntu.edu.tw

Integer Factoring in Cryptography

Dr. Jiun-Ming Chen


2008.3.11 Math department at NTNU

Outline

1. Basics in Cryptography

2. Public-Key Cryptosystems

3. Quadratic Sieve

4. Number Field Sieve

5. Factoring RSA-512

Historical Cipher

Gāius Jūlius Caesar (100 BC – 44 BC)
A Roman military and political leader and one of the most influential men in world history
He played a critical role in the transformation of the Roman Republic into the Roman Empire

Caesar Cipher Example (Recall: A = 0, B = 1, C = 2, …, Y = 24, Z = 25)

Plaintext: SPY (18 15 24)
Ciphertext: VSB (21 18 1)

Encryption: c = p + 3 mod 26
Decryption: p = c − 3 mod 26

Historical Cipher

Shift Cipher
Each letter we identify with a number: A = 0, B = 1, C = 2, …, Z = 25
The key k is a number in the range 0 ~ 25
Encryption is adding k onto each letter modulo 26
Julius Caesar used k = 3
HELLO becomes KHOOR
We break a Shift cipher by using the statistics of the underlying language

Historical Cipher

English Letter Frequencies

The most common bigrams are, in decreasing order: TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA

The most common trigrams are, in decreasing order: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR

Useful cryptanalysis rarely mentioned in books: Conditional probability
e.g., the letter with the highest frequency right after the letter H?

Historical Cipher

Take the following example cipher text

BPMZM WVKM EIA IV COTG LCKSTQVO

EQBP NMIBPMZA ITT ABCJJG IVL JZWEV

IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA

OMB WCB WIN BWEV

OMB WCB, OMB WCB , OMB WCB WIN BWEV

IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS

QV I NTCZZG WN MQL MZLWEV

BPIB XWWZ TQBBTM COTG LCKS TQVO

EMVB EIVLMZQVO NIZ IVL VMIZ

JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM

VWE OMB WCB, OMB WCB, OMB WCB WN PMZM

IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS

IVL I DMZG CVPIXXG BMIZ

We need to compare the frequency distribution of this text with standard English

Historical Cipher

Underlying Plain Text

Cipher Text

The shift of E seems to be either 4, 8, 17, 18 or 23

The shift of A seems to be either 1, 8, 12, 21 or 22

Historical Cipher

Hence the key is probably equal to 8

We can now decrypt the cipher text to reveal

There once was an ugly duckling

With feathers all stubby and brown

And the other birds said in so many words

Get out of town

Get out, get out, get out of town

And he went with a quack and a waddle and a quack

In a flurry of eiderdown

That poor little ugly duckling

Went wandering far and near

But at every place they said to his face

Now get out, get out, get out of here

And he went with a quack and a waddle and a quack

And a very unhappy tear
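
Added example (not part of the original slides): the frequency comparison above, automated. Instead of reading candidate shifts for E and A off a histogram, it scores all 26 keys with a chi-squared test against a standard English frequency table, which generalizes the manual check. The function names and the frequency table are choices made for this example; the ciphertext is the first lines of the slide's text.

```python
from collections import Counter

# Approximate English letter frequencies in percent (standard published table).
ENGLISH = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))

# First lines of the ciphertext shown on the slide.
CIPHERTEXT = ("BPMZM WVKM EIA IV COTG LCKSTQVO "
              "EQBP NMIBPMZA ITT ABCJJG IVL JZWEV "
              "IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA")

def shift(text, k):
    """Add k to every letter modulo 26 (A = 0, ..., Z = 25); other characters pass through."""
    return "".join(
        chr((ord(c) - 65 + k) % 26 + 65) if "A" <= c <= "Z" else c for c in text)

def chi_squared(text):
    """Distance between the letter counts of text and the expected English counts."""
    letters = [c for c in text if "A" <= c <= "Z"]
    counts, n = Counter(letters), len(letters)
    return sum((counts.get(letter, 0) - n * f / 100) ** 2 / (n * f / 100)
               for letter, f in ENGLISH.items())

def break_shift(ciphertext):
    """Try every key 0..25 and keep the one whose decryption looks most like English."""
    scores = {k: chi_squared(shift(ciphertext, -k)) for k in range(26)}
    key = min(scores, key=scores.get)
    return key, shift(ciphertext, -key)

if __name__ == "__main__":
    print(break_shift(CIPHERTEXT))
```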

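Basic principles of how a cryptosystem operates

A cryptosystem includes a set of algorithms and all possible keys, plaintexts, and ciphertexts
Its security is based on the private key that others do not know, not on the algorithm
The algorithm is public, which helps standardization and interoperable applications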

Two major types of cryptosystems

Traditional: Symmetric Key

Public-Key (1976~): Asymmetric Key

Traditional symmetric cryptosystem

[Diagram: Plaintext → Encrypt → Ciphertext and Ciphertext → Decrypt → Plaintext, both using the same symmetric key]

DES (Data Encryption Standard) – chip bank cards
AES (Advanced Encryption Standard)

Private key and public key

[Diagram: Private Key → Public Key: easy to compute; Public Key → Private Key: very hard]

Mathematical tools are used to achieve this

Public Key Cryptosystem

[Diagram: Plaintext → Encrypt (with the public key) → Ciphertext → Decrypt (with the private key) → Plaintext]

The most widely used PKC: RSA (Rivest–Shamir–Adleman, 1977)

A PKC gaining increasing attention: ECC (Elliptic Curve Cryptosystem)

Digital Signature

[Diagram: Message → Sign (with the private key) → Signature → Verify (with the public key)]

* Confidentiality
* Authentication
* Integrity
* Non-Repudiation

New Standard: AES

Standard FIPS-197 approved by NIST in 2001
Official scope is limited:
US Federal Administration will use AES as Government standard from 26 May 2002
Documents that are “sensitive but not classified”
Significance is huge: The successor of DES
Block size: 128 bits (16 bytes)
Key length: 128/192/256 bits (16/24/32 bytes)
Strong algebraic structure

RSA

Key generation (RSA-1024)
Generate large primes p and q of at least 512 bits
Compute N = p q and φ(N) = φ(p) φ(q) = (p − 1)(q − 1)
Select random e with 1 < e < φ(N) and gcd(e, φ(N)) = 1
Using XGCD, compute the unique integer d with 1 < d < φ(N) and e d ≡ 1 (mod φ(N))

Public key: (N, e), which is published
Private key: (d, p, q), which is kept secret

Encryption & Decryption

Encryption: If Bob wants to encrypt a message for Alice, he does the following
Obtain Alice’s authentic public key (N, e)
Represent the message as a number 0 < x < N
Compute y = x^e mod N
Send the ciphertext y to Alice

Decryption: To recover x from y, Alice does the following
Use the private key d to recover x = y^d mod N
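
Added example (not part of the original slides): the key generation, encryption and decryption steps above with XGCD written out, plus a function showing that one prime factor of N is enough to redo key generation and obtain d. The primes 61 and 53, e = 17 and the message 65 are constructed toy values, far below the sizes the slide requires; e is passed in rather than chosen at random so the run is reproducible.

```python
from math import gcd

def xgcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def rsa_keygen(p, q, e):
    """Key generation as on the slide, with the primes and e supplied by the caller."""
    N, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    _, s, _ = xgcd(e, phi)        # s*e + t*phi = 1, so s is the inverse of e mod phi
    d = s % phi
    return (N, e), (d, p, q)      # (public key, private key)

def encrypt(x, public):
    N, e = public
    if not 0 < x < N:
        raise ValueError("message must satisfy 0 < x < N")
    return pow(x, e, N)           # y = x^e mod N

def decrypt(y, private):
    d, p, q = private
    return pow(y, d, p * q)       # x = y^d mod N

def private_key_from_factor(public, p):
    """Given the public key and one prime factor of N, rebuild the private key."""
    N, e = public
    if N % p:
        raise ValueError("p does not divide N")
    return rsa_keygen(p, N // p, e)[1]

if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)   # constructed toy parameters
    y = encrypt(65, public)
    print(public, private, y, decrypt(y, private))
```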

Elliptic Curve y^2 = x^3 + ax + b

R is determined by the line passing through P and Q

Elliptic Curve y^2 = x^3 + ax + b

R is determined by the tangent line if P = Q
The slope is derived by implicit differentiation

Discrete Logarithm Problem

On Zp: Given a and g, find x such that g^x ≡ a (mod p)

On Elliptic Curve Groups: Given P and Q, find x such that xP = Q

Both are very hard computational problems, especially the latter, “ECDLP”

The security of RSA is based on the difficulty of large integer factoring

Congruent Squares

To factor N = p q, try to find integers x and y such that x^2 ≡ y^2 (mod N)

If x ≢ ±y (mod N), then gcd(x − y, N) and gcd(x + y, N) are non-trivial factors of N
p q = N | (x^2 − y^2) = (x + y)(x − y)

This idea from Fermat inspired the factoring methods of Continued Fraction, Quadratic Sieve, and Number Field Sieve

Integer Factoring Algorithms

Length of input = log2 N +1 log N

Trial Division Complexity: O(e^((1/2) log N))

Quadratic Sieve (1980’s): O(e^((1 + o(1)) (log N)^(1/2) (log log N)^(1/2)))

Number Field Sieve (1990’s): O(e^(((64/9)^(1/3) + o(1)) (log N)^(1/3) (log log N)^(2/3)))

L(s) = O(e^(c (log N)^s (log log N)^(1−s)))
s = 1: exponential time
0 < s < 1: sub-exponential time
s = 0: polynomial time (Shor’s quantum algorithm)

RSA Challenge Numbers

RSA-640 Factored

RSA-640 Number

RSA-1024 Number

Smooth Numbers

F = { p1, p2, p3, …, pm } is a factor base consisting of prime numbers

A number is smooth over F if all of its prime factors are in F

We try to find smooth numbers ri = p1^e1 p2^e2 p3^e3 … pm^em and record ei in the exponent vector vi = (e1, e2, e3, …, em)

Smooth Numbers

Assume we have enough smooth numbers, e.g. k smooth numbers with k > m

By linear algebra modulo 2, we can find ai (= 0 or 1 for each i) such that

Σ ai vi ≡ (0, 0, …, 0) (mod 2)

∏ ri^ai becomes a square

Smooth Numbers

Example
F = { 2, 3, 5, 7 } is a factor base

Some smooth numbers over F:
r1 = 105 = 3·5·7, r2 = 140 = 2^2·5·7,
r3 = 392 = 2^3·7^2, r4 = 588 = 2^2·3·7^2.

Corresponding exponent vectors:
v1 = (0, 1, 1, 1), v2 = (2, 0, 1, 1),
v3 = (3, 0, 0, 2), v4 = (2, 1, 0, 2).

Smooth Numbers

1 v1 + 1 v2 + 0 v3 + 1 v4 = (4, 2, 2, 4) ≡ (0, 0, 0, 0) (mod 2)

We get a square: r1 r2 r4 = 2^4 3^2 5^2 7^4

Recall: The goal is to find x^2 ≡ y^2 (mod N)

The question then becomes finding many smooth numbers over a factor base F

Quadratic Sieve

To factor N, define g(x) = x^2 − N
x is an integer between √N and √(2N)
note that g : Z → ZN preserves multiplications

We want to find enough smooth g(xi)

p | g(xi) implies p | g(xi + p)
If p | (xi^2 − N), then 0 ≡ xi^2 − N ≡ xi^2 − N + 2p xi + p^2 ≡ (xi + p)^2 − N (mod p)

“Sieve” g(xi) with every prime p in factor base

Quadratic Sieve

Record g(xi) in an array G for each xi

If p | g(xi), G[xi] := G[xi] + log p (integer addition for speed)

After sieving, check the smoothness of g(xi) whose G[xi] ≥ chosen threshold

[Table: sieve array with columns 2, 3, 5, 7, 4, 9 and rows g(m+71) through g(m+85); the cell contents are not preserved in this transcript]

Quadratic Sieve

Use linear algebra to find appropriate xi’s such that ∏ g(xi) = y^2, then x = ∏ xi satisfies

x^2 = ∏ xi^2 ≡ ∏ g(xi) = y^2 (mod N)

The problem of QS is that x^2 − N goes up quickly, hence the chance of smoothness decreases fast

Q: Can we find another algebraic structure with a homomorphism to Zn ?
A: Number Field Q( ) with the number field sieve
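
Added example (not part of the original slides): a toy quadratic sieve that strings together the steps above, namely factor base, sieving g(x) = x^2 − N in strides of p, exponent vectors modulo 2, linear algebra over GF(2) and the final gcd. It divides each prime out of G exactly instead of adding log p against a threshold, so no smooth value is missed on tiny inputs; N = 1649 is a constructed toy modulus, and all function names are choices made for this example.

```python
from math import gcd, isqrt

def factor_base(N, bound):
    """Primes p <= bound with N a square mod p; only these can divide x^2 - N."""
    primes = [p for p in range(2, bound + 1) if all(p % q for q in range(2, isqrt(p) + 1))]
    return [p for p in primes if p == 2 or pow(N, (p - 1) // 2, p) == 1]

def sieve(N, F, xs):
    """Return the x in xs whose g(x) = x^2 - N is smooth over F."""
    G = [x * x - N for x in xs]
    for p in F:
        for r in range(p):                      # residues r with p | g(r)
            if (r * r - N) % p == 0:
                # p | g(x) implies p | g(x + p): step through G with stride p
                for i in range((r - xs[0]) % p, len(G), p):
                    while G[i] % p == 0:        # divide p out (exact variant of "+ log p")
                        G[i] //= p
    return [x for x, rest in zip(xs, G) if rest == 1]

def exponent_vector_mod2(n, F):
    """Exponent vector of n over F modulo 2, packed into an int (bit j is F[j])."""
    v = 0
    for j, p in enumerate(F):
        while n % p == 0:
            n //= p
            v ^= 1 << j
    return v

def find_dependencies(vectors):
    """Gaussian elimination over GF(2): yield index lists whose vectors sum to 0."""
    basis = {}                                  # pivot bit -> (reduced vector, member mask)
    for i, v in enumerate(vectors):
        members = 1 << i
        while v:
            pivot = v.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (v, members)
                break
            bv, bm = basis[pivot]
            v, members = v ^ bv, members ^ bm
        else:                                   # v reduced to 0: a square has been found
            yield [j for j in range(len(vectors)) if members >> j & 1]

def quadratic_sieve(N, bound=10):
    """Toy QS; returns a non-trivial factor pair of N, or None if no relation works."""
    F = factor_base(N, bound)
    xs = range(isqrt(N) + 1, isqrt(2 * N) + 1)  # x between sqrt(N) and sqrt(2N)
    smooth = sieve(N, F, xs)
    vectors = [exponent_vector_mod2(x * x - N, F) for x in smooth]
    for dep in find_dependencies(vectors):
        x, y_squared = 1, 1
        for j in dep:
            x = x * smooth[j] % N
            y_squared *= smooth[j] ** 2 - N
        d = gcd(x - isqrt(y_squared), N)        # x^2 = y^2 (mod N) by construction
        if 1 < d < N:
            return d, N // d
    return None

# N = 1649 is a constructed toy modulus (17 * 97).
if __name__ == "__main__":
    print(quadratic_sieve(1649))
```

For N = 1649 the relation comes from g(41) = 32 and g(43) = 200, neither a square on its own, whose product 6400 = 80^2 gives gcd(41·43 − 80, N) = 17. Passing the slide's exponent vectors v1..v4 (reduced mod 2) to find_dependencies returns the combination r1 r2 r4.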

SNFS and GNFS

Special Number Field Sieve (SNFS)
Number of nice algebraic form
Record: 2^1039 − 1 (1039th Mersenne number), 313 digits / 1039 bits, May 2007
“A Kilobit Special Number Field Sieve Factorization”, Asiacrypt 2007

General Number Field Sieve (GNFS)
No known nice algebraic form
Record: RSA-200, 200 digits / 663 bits, 2005

Invention of SNFS

John Pollard had the interesting idea to factor the 7th Fermat number F7 = 2^(2^7) + 1 by doing very clever computations in the number field Q( ) = Q[x] / <x^3 + 2>

It was clear immediately that his idea could be used to factor any number of the form r e s for small r and s

Invention of GNFS

Subsequently, many people contributed to making the basic algorithm work for integers without such a special form

General numbers can be factored with the same algorithm
The first step (polynomial selection) becomes much harder
The algorithm runs with much “worse” parameters than for numbers of special form

Polynomial Selection

Find an irreducible polynomial f(x) such that f(m) ≡ 0 (mod N)

We can write N in the base of m first:

N = c_d m^d + … + c_1 m + c_0

and take f(x) = c_d x^d + … + c_1 x + c_0

A lot of research and deep theory has been developed to make f(x) “better”

Number Field

Let be a complex root of f(x)
Q( ) is a finite field extension of Q
Q( ) is the number field associated to

Q( ) can be viewed as a vector space over Q, with a basis {1, , 2, …. d1}
d is the degree of f(x)
[ Q( ) : Q ] = d

Ring Homomorphism

A map h: A → B is a homomorphism if h(x + y) = h(x) + h(y) and h(x y) = h(x) h(y) for all x, y ∈ A

Define a ring homomorphism φ: Z[ ] → ZN by φ( ) ≡ m (mod N)

φ is a homomorphism because f( ) = 0 and f(m) ≡ 0 (mod N)

φ(a − b ) ≡ a − bm (mod N)
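
Added example (not part of the original slides): base-m polynomial selection followed by a numerical check that the map φ respects multiplication. The root of f, whose symbol is missing from this transcript, is called alpha in the code; elements of Z[alpha] are coefficient lists [u_0, u_1, ...], N = 15347 and degree 3 are constructed toy values, and irreducibility of f is not checked here.

```python
def base_m_polynomial(N, d):
    """Write N in base m = floor(N^(1/d)); return m and the digits [c_0, ..., c_d]."""
    m = round(N ** (1.0 / d))
    while m ** d > N:                 # correct floating-point rounding
        m -= 1
    while (m + 1) ** d <= N:
        m += 1
    coeffs, rest = [], N
    for _ in range(d):
        coeffs.append(rest % m)
        rest //= m
    coeffs.append(rest)               # leading coefficient c_d
    return m, coeffs

def evaluate(coeffs, x):
    """Horner evaluation of c_0 + c_1 x + ... + c_d x^d."""
    result = 0
    for c in reversed(coeffs):
        result = result * x + c
    return result

def multiply_mod_f(u, v, f):
    """Product of two elements of Z[alpha], reduced with f(alpha) = 0 (f must be monic)."""
    if f[-1] != 1:
        raise ValueError("this toy reduction needs a monic f")
    d = len(f) - 1
    prod = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] += a * b
    for k in range(len(prod) - 1, d - 1, -1):
        top = prod[k]                 # eliminate alpha^k by subtracting top * alpha^(k-d) * f
        for i in range(d + 1):
            prod[k - d + i] -= top * f[i]
    return (prod + [0] * d)[:d]

def phi(u, m, N):
    """The ring homomorphism of the slide: send alpha to m and reduce modulo N."""
    return evaluate(u, m) % N

if __name__ == "__main__":
    N = 15347                          # constructed toy modulus
    m, f = base_m_polynomial(N, 3)
    u, v, w = [3, -2], [5, -7], [-4, -1]   # 3 - 2 alpha, 5 - 7 alpha, -4 - alpha
    uvw = multiply_mod_f(multiply_mod_f(u, v, f), w, f)
    print(m, f, evaluate(f, m) == N)
    print(phi(uvw, m, N), phi(u, m, N) * phi(v, m, N) * phi(w, m, N) % N)
```

The two numbers on the last line agree because every reduction step subtracts a multiple of f, and f(m) = N ≡ 0 (mod N).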

Squares in Both Sides

Suppose there is a set S consisting of relatively prime pairs (a, b) satisfying both:

∏_{(a,b)∈S} (a − b ) = ( )^2 for some  ∈ Z[ ] (which is called the algebraic side)

∏_{(a,b)∈S} (a − bm) = y^2 for some y ∈ Z (which is called the rational side)

Squares in Both Sides

Let x = φ( ), then we have

x^2 = φ( )^2 = φ( ^2) = φ( ∏ (a − b ) ) ≡ ∏ (a − bm) = y^2 (mod N)

Therefore we factor N with probability ½

Four Major Steps

1. Polynomial Selection
Choose a polynomial f(x) with a root m (mod N) and good properties

2. Sieving
Find enough pairs (a, b) such that a − bm and a − b  are both smooth
Each smooth pair (a, b) is called a relation

Four Major Steps

3. Matrix Reduction
Form a very large matrix after finding and simplifying enough relations
Solve the system of linear equations to obtain the required set S such that

∏_{(a,b)∈S} (a − b ) = ( )^2 for some  ∈ Z[ ]

∏_{(a,b)∈S} (a − bm) = y^2 for some y ∈ Z

Four Major Steps

4. Square Root
So far we have y^2 and  ^2
Compute their square roots y and
Recall: x = φ( )
Many methods to compute Z[ ], but all of them are sophisticated
Finally we get the congruent squares x^2 ≡ y^2 (mod N)

Observations

Each step is very complicated
algebraic number theory
large effort to implement

Sieving is the most time consuming
The sieving time can be reduced by selecting a good polynomial f(x)
i.e. finding a better polynomial can speed up the Number Field Sieve

Open Source GGNFS

[Flowchart: GGNFS pipeline with the steps pol51m0 and pol51opt (no polynomial file), makefb (already have polynomial file), sieve (gnfs-lasieve4I), procrels, decision “enough FF” (NO / YES), matbuild, matsolve, sqrt, Factored!]

Speakers contributed to the NFS workshop:

1. Dr. 楊柏因
2. Dr. 黃柏嶧
3. 歐陽奕 (NTU Electrical Engineering)
4. 余守壹 (NTU Computer Science)
5. 陳嘉欣 (NTU Electrical Engineering)
6. 林志宏 (NTU Computer Science)
7. 王柏翰 (NTU Computer Science)

RSA-512 Factoring

1999: 300 PCs, workstations, and supercomputers
6 months
17 experts all over the world

2008: 2 supercomputers
5 days!

Let’s play on the supercomputers at NTU …

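Introduction to supercomputers

Why are supercomputers fast?
One super-powerful CPU?? Of course not…
Many ordinary CPUs, made to cooperate

Programs must be parallelized!
They cannot be just single thread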

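Program parallelization

Two major parallelization models

MPI (Message Passing Interface)
Communicates over the network
Communication is slow
Many machines run together (a few hundred is OK!)

OpenMP (Open Multi-Processing)
Multi-thread
Communication is fast
Has a limit (at most 64 CPUs on the p595)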

NTU Computer Center supercomputer - 1

SMP mainframe (Symmetric Multi-Processing)
IBM p595
CPU: power5+ 1.9G
64 CPU cores
256GB memory
Announced price: 19.9 million

Simplified: one big computer, 64 CPUs, 256GB RAM

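NTU Computer Center supercomputer - 2

HP cluster
Consists of 4 front-end machines and 106 back-end machines
Each back-end machine: dual CPU with dual core (4 CPUs), 4GB memory
Network uses a Voltaire 288 DDR switch
Announced price: 19.9 million

Simplified: 106 computers connected by a network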

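Strange… the price is the same… yet the CPU counts differ that much?

IBM p595: 64 CPUs
HP cluster: 106 × 4 = 424 CPUs

The two machines are completely different
p595: one big computer, 64 CPUs, 256GB RAM
HP: 106 computers connected by a network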

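p595 strengths

64 CPUs access the same memory
Very well suited to OpenMP speed-up
SMP mainframe

Huge RAM, 256GB
Suited to programs that need a lot of memory

Used by banks
Amounts must be synchronized and cannot be computed separately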

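p595 weaknesses

Only 64 CPUs after all…
Cannot be sped up any further…
Can run MPI programs, but too few CPUs…

Individual CPUs are slow
Only 1.9GHz
A workstation computer might even run faster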

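HP cluster strengths / weaknesses

424 cores
Extremely well suited to MPI

The 106 computers have independent memory
Very unsuitable for OpenMP
At most 4 threads
Cannot use large amounts of memory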

There is no all-purpose supercomputer
Use different computers depending on the need

OpenMP: the p595 is probably better
MPI: the HP cluster is probably better

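Program parallelization

Very problem specific

Some problems are easy to parallelize: Sieve

Some problems are harder to parallelize, or can only be parallelized to a limited degree: Block Lanczos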

Parallelizing Block Lanczos

Iterative algorithm
Each iteration has a dependency on the previous one

Many small functions are called many times
MPI may be at a disadvantage
Use OpenMP

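Just started using a new computer… p595

Operating system: AIX 5.3
Compiler: xlc

Ran into many problems…
Makefile syntax is different and needed major changes (two hours)
Infinite loop…
xlc's default char is unsigned char (one day)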

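Just started using a new computer…

Ran into many problems…
malloc(0) returns NULL (one hour)
Lattice sieve produced wrong results… (one week)

Gave up… because the HP cluster became available!

Problems that are impossible to guard against…
First read the compiler manual thoroughly
Default parameters
Optimization parameters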

Thanks for Your Attention!