Factoring of Large Numbers using Number Field Sieve

Matrix Step

Chandana Anand, Arman Gungor, and Kimberly A. Thomas

ECE 646   Fall 2006

ECE 646, Fall 2006 F-2: Factoring of Large Numbers Using Number Field Sieve

INTRODUCTION

• The ability to conduct secure electronic transactions is becoming more and more important every day

• It is computationally difficult to factor a large number into its prime factors

• What happens if an algorithm that can achieve this in a reasonable amount of time is discovered?

• Number Field Sieve (NFS) is the fastest known algorithm to factor numbers larger than 110 digits

• Its development in the past few years has facilitated factoring of integers that were once considered to be infeasible to factor with today’s technology

• GNFS was used in factoring a 512-bit number in 1999 as part of the RSA Challenge

• It was estimated that had the RSA-129 challenge used the GNFS instead of the Multiple Polynomial Quadratic Sieve, it would have taken a quarter of the time

RSA-155 Details (512-bits)

• Calendar time for the polynomial selection: 9 weeks

• Sieving: 35.7 CPU-years in total, 3.7 months

• Matrix and Square Root Steps: 1.5 months

• Total Calendar Time: 7.4 months

• 160 SGI and Sun workstations (175-400 MHz)

• 8 SGI Origin 2000 processors (250 MHz)

• 120 Pentium II PCs (300-450 MHz)

• 4 Digital/Compaq boxes (500 MHz)

• This CPU-effort is estimated to be equivalent to approximately 8000 MIPS years

GENERAL INFORMATION

• Number field sieve is a fast factorization method developed by Pollard et al.

• Number Field Sieve factors an integer n in expected time:

$\exp\left((c + o(1))\,(\log n)^{1/3}\,(\log\log n)^{2/3}\right)$ with $c = 2\,(2/3)^{2/3} \approx 1.526$

• Number Field Sieve can be thought of as an extension of the rational sieve, in which smooth numbers of order n are sought; the rarity of such numbers makes the rational sieve impractical

• Polynomial selection: Find two Z-irreducible polynomials f(x) and g(x) so that f(m) = 0 (mod n) and g(m) = 0 (mod n) for some known m

• Sieving: Here we find pairs of small integers, (a,b)

• Matrix step: Here we take the (a,b) pairs found in the last step and construct a large matrix

• Square root: Given the two squares from the previous steps and their prime factorizations, we must compute their square roots to finally factor n

GNFS Matrix Solving

• Involves finding the dependencies in a very large, very sparse matrix

– EXAMPLE:

• For the RSA-130 challenge, factoring a 130-digit number, the matrix had 3,516,502 rows and 3,504,823 columns with on average 39.4 non-zero entries per row.

• Storing the position of all 138,690,744 ones would take “only” 600 MB of memory vs over 1500 GB to store the entire matrix.

• Traditional matrix solving methods (e.g. Gaussian) are infeasible

Wiedemann Algorithm

• Intended to make GNFS Matrix step more computationally feasible

– allows solving the matrix dependencies without modifying the matrix, leaving the matrix sparse and easier to store and operate on

• Block Wiedemann

– multiplies the sparse matrix by 32 or 64 vectors at once

– takes advantage of the 32-bit or 64-bit architecture of modern computers
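
The idea on this slide in its scalar (non-block) form over GF(2), as an added example that is not the WLSS2 or LiDIA code discussed here: the matrix is only ever used in sparse matrix-by-vector products, and Berlekamp-Massey recovers the polynomial that exposes a dependency. The function names, the seed and the 8x8 matrix are constructed for illustration.

```python
import random

def matvec(rows, v):
    """A*v over GF(2); rows[i] lists the columns of row i holding a 1, v is a bitmask."""
    return sum((sum((v >> j) & 1 for j in cols) & 1) << i for i, cols in enumerate(rows))

def berlekamp_massey(s):
    """Shortest LFSR for bit list s: returns (c, L), bit k of c = coefficient c_k."""
    c, b, L, m = 1, 1, 0, 1
    for n, d in enumerate(s):
        for k in range(1, L + 1):
            d ^= (c >> k) & s[n - k]      # discrepancy s_n + sum c_k s_(n-k)
        if d and 2 * L <= n:
            c, b, L, m = c ^ (b << m), c, n + 1 - L, 1
        else:
            if d:
                c ^= b << m
            m += 1
    return c, L

def kernel_vector(rows, seed=1, tries=200):
    """Return a nonzero bitmask w with A*w = 0, or None if every try fails."""
    n, rng = len(rows), random.Random(seed)
    for _ in range(tries):
        u, v = rng.getrandbits(n), rng.getrandbits(n)
        seq, p = [], v
        for _ in range(2 * n):                   # s_i = u^T A^i v
            seq.append(bin(u & p).count("1") & 1)
            p = matvec(rows, p)
        c, L = berlekamp_massey(seq)
        f = [(c >> (L - j)) & 1 for j in range(L + 1)]   # f[j]: coeff of x^j in min. poly
        t = f.index(1)                           # f(x) = x^t * h(x), h(0) = 1
        w, p = 0, v
        for j in range(t, L + 1):                # w = h(A) v
            if f[j]:
                w ^= p
            p = matvec(rows, p)
        for _ in range(t):                       # A^t w = 0: walk down to the kernel
            nxt = matvec(rows, w)
            if w and nxt == 0:
                return w
            w = nxt
    return None

# Constructed 8x8 example: column 5 = column 0 + column 2, so bits {0, 2, 5} form a dependency.
ROWS = [[0, 3, 5], [1, 2, 5], [0, 2, 4], [3, 6], [1, 4, 7], [2, 5, 6], [0, 5, 7], [1, 3, 6]]
```

A single random projection u often fails over GF(2), which is why the function retries; working with blocks of vectors is the standard remedy.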

WLSS2

• Block Wiedemann implementation created in the mid-90s

• Composed of four steps, two of which may be run in a distributed manner

• Input: matrix file in an adjacency list format

– 1000 1000 1

– 1f 2b 53 af c8 d4 f2 115 134 13e 13f 15a 185 19f 1b9 1ee 207 25e 271 2b3 2e1 2f6 2fd 2ff 30c 336 362 3a3 3b3 3bc 3d3 3d7

• Output: list of candidate factors

• Program runs on enigma.gmu.edu without problem

– did not try running distributed

• Found several inconsistencies between the program and its documentation

• Program has now “disappeared” from original Internet source

LiDIA

• LiDIA is a C++ library for computational number theory

• Allows operations on vectors and matrices such as:

– u = A*v;

– v.shift_left(n,1);

• Also allows operations on vectors of vectors – required for implementation of Block Wiedemann

LiDIA Implementations

• Wiedemann Implementation

– working on enigma.gmu.edu

– needs further debugging

– reprogramming of matrix creation

– addition of matrix importation functionality

• Block Wiedemann Implementation

– in progress but needs further work on initialization of the vectors of vectors

Next Steps

• Matrix Creation and Input

– need to create a program to intelligently create matrices for testing

– need a standard matrix format to allow comparisons between WLSS2 and the LiDIA implementations

• One solution – add a function to LiDIA implementation to read WLSS2 style adjacency list

• Complete debugging of LiDIA Wiedemann implementation

• Complete implementation of LiDIA Block Wiedemann algorithm

Next Steps Continued

• Testing of WLSS2, Wiedemann implementation, Block Wiedemann implementation

– Functionality testing – do all implementations agree on the results of a given input matrix

– Timing comparison

Block Wiedemann Algorithm

• Input to Block Wiedemann: Matrix A of size D × D, $D \in [10^7, 10^{11}]$

• Sparse matrix: Column density << D

• Most time consuming operations: Matrix-by-vector multiplications

• $A \cdot v_i,\ A^2 \cdot v_i,\ \ldots,\ A^k \cdot v_i$
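
How the repeated matrix-by-vector products are done for 64 vectors at once, as an added example (not code from WLSS2, LiDIA or the Java emulation): each coordinate holds one 64-bit word, bit k of which belongs to vector k, so a single XOR per non-zero matrix entry advances all 64 products. The function names, sizes and random test matrix are constructed for illustration.

```python
import random

def block_matvec(rows, V):
    """A*V over GF(2) for 64 vectors at once.

    rows[i] lists the columns of row i that hold a 1 (adjacency list).
    V[j] is a 64-bit word whose bit k is coordinate j of vector k.
    """
    out = []
    for cols in rows:
        word = 0
        for j in cols:
            word ^= V[j]          # one XOR updates all 64 products
        out.append(word)
    return out

def scalar_matvec(rows, x):
    """Reference product for a single vector x given as a list of 0/1."""
    return [sum(x[j] for j in cols) & 1 for cols in rows]

def unpack(V, k):
    """Extract vector k from the packed block."""
    return [(w >> k) & 1 for w in V]

def krylov(rows, V, count):
    """Return [A*V, A^2*V, ..., A^count*V] in packed form."""
    seq = []
    for _ in range(count):
        V = block_matvec(rows, V)
        seq.append(V)
    return seq

def block_matches_scalar(n=200, weight=5, count=3, seed=646):
    """Check the packed result against 64 separate scalar products."""
    rng = random.Random(seed)                      # constructed test data
    rows = [rng.sample(range(n), weight) for _ in range(n)]
    V = [rng.getrandbits(64) for _ in range(n)]
    blocks = krylov(rows, V, count)
    for k in range(64):
        x = unpack(V, k)
        for B in blocks:
            x = scalar_matvec(rows, x)
            if x != unpack(B, k):
                return False
    return True
```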

Matrix-by-Vector Multiplication

• Non-zero entries in the columns of A - packets that need to be routed to their destinations

• m x m mesh, m = √D: row indices of resultant matrix multiplication vector

• Mesh Cell i

– value at index i of the vector v

– packets in column i of the matrix A

Mesh Routing Architecture

• Lenstra et al. proposed two versions of the routing based circuit

– simple routing version

– improved routing version

• The improved version was implemented by Dr. Gaj et al in reconfigurable hardware

• We implemented the emulation of this hardware in Java

Routing in the Mesh

• Phase 1 – Odd row negotiates with the top even row

• Phase 2 – Odd column negotiates with right even row

• Phase 3 – Odd row negotiates with the bottom even row.

• Phase 4 – Odd column negotiates with left even column.

Compare-Exchange

• Both cells determine they will be closer to their destination after a swap

• The cell that is the farthest from its destination determines it will be closer to its destination after a swap

• The cell that is farthest will not be closer after the swap, but the cell with the smaller distance will be closer

• Neither will become closer to its destination

Implementation Routines

• Randomly populate the mesh

• Determine the destination row and column indices of a packet

• Perform the negotiations (4 times the size of the mesh)

• Determine exchange cases

• Update the partial results

Results

• The mesh routing architecture was implemented for a mesh size of 4x4.

• Compare-exchange operations were repeated 4*4 = 16 times

• On average, routing was completed after all 4 phases of Round 1 and 2 phases of Round 2

• The architecture was then scaled for a mesh size of 12x12

• Compare-exchange operations were repeated 4*12 = 48 times

• Routing was completed at the end of all rounds

Results (contd..)

• The code was then modified to perform multiple vector multiplications in the 12x12 mesh

• Java threads were used to emulate the multiple matrix-by-vector multiplications taking place simultaneously in hardware

– A new thread was spawned to process the matrix-by-vector multiplication for each vector

• Each thread updates its own resultant vector

Future Work

• Development of a routine to examine the state of the mesh after each phase

– To find the number of phases that are actually required to complete routing in the 12x12 mesh