circuits for integer factorization d j bernstein
play

Circuits for integer factorization D. J. Bernstein University of - PDF document

Oct 24, 2023 •160 likes •586 views

Circuits for integer factorization D. J. Bernstein University of Illinois at Chicago Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586. Exercise for the reader: Find a nontrivial factor of

  1. Circuits for integer factorization D. J. Bernstein University of Illinois at Chicago

  2. Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586.

  3. Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586. Small prime factors are easy to find. Larger primes are harder. “Elliptic-curve method” (ECM) scales surprisingly well. (1987 Lenstra) � 2 219 . ECM has found a prime (2005 Dodson; rather lucky; � 3 � 10 12 Opteron cycles) www.loria.fr/~zimmerma/records/p66

  4. For worst-case integers with two very large prime factors, ECM does not scale as well as “number-field sieve” (NFS). (1988 Pollard, et al.) Latest record: NFS has found � 2 332 two prime factors of “RSA-200” challenge. (2005 Bahr/Boehm/Franke/Kleinjung; � 5 � 10 18 Opteron cycles) How much more difficult � 2 512 is it to find prime factors n � 2 1024 ? of an integer www.loria.fr/~zimmerma/records/rsa200

  5. This talk focuses on scalability. Example: Trial division finds � y dividing n using primes y 1+ o (1) easy operations. o (1) means a function of y (Here y ! 1 ; that converges to 0 as =y or � 1 = log y or could be 1 y ) 5 = log log y .) 10 6 (log log log � method (1975 Pollard), assuming standard conjectures: y 0 : 5+ o (1) ; therefore much faster than trial division y is sufficiently large. once

  6. � y in n using p ECM finds primes o (1))log y log log y exp (2 + easy operations. (1987 Lenstra) � : Compare to trial division and y 1+ o (1) = exp((1 + o (1)) log y ); y 0 : 5+ o (1) = exp((0 : 5+ o (1)) log y ). Easily see from these formulas that ECM is much faster � than trial division and y is sufficiently large. once (What is “sufficiently large”? Many papers analyzing details.)

  7. � � p y = n Extreme case, : n using p ECM finds all primes in o (1))log n log log n exp (1 + n ! 1 . easy operations as NFS has better scalability: n using NFS finds all primes in L 1 : 901 ::: + o (1) easy operations n ! 1 , where L = as n ) 1 = 3 (log log n ) 2 = 3 ). exp((log (1 = 3, exponent 1 : 922 : : : : 1993 Buhler/Lenstra/Pomerance; 1 : 901 : : : : 1993 Coppersmith)

  8. These NFS operations take L 1 : 901 ::: + o (1) seconds on a standard serial computer L 0 : 950 ::: + o (1) e . costing “TWINKLE”: another circuit L 0 : 950 ::: + o (1) e costing that performs same operations in L 1 : 901 ::: + o (1) seconds. (2000 Lenstra/Shamir) A better-designed circuit costing L 0 : 950 ::: + o (1) e can perform same operations in L 1 : 426 ::: + o (1) seconds. (2001 Bernstein)

  9. Better parameter choices: n using Can find all primes in L 1 : 185 ::: + o (1) seconds with an NFS circuit costing L 0 : 790 ::: + o (1) e . (2001 Bernstein) Can vary circuit size, but L 1 : 976 ::: + o (1) e � seconds is best price-performance ratio in this class of algorithms. Also vary serial-computer size. Best price-performance ratio: L 2 : 760 ::: + o (1) e � seconds. (2002 Pomerance)

  10. n Conclusion: Circuit factors much more quickly than standard serial computer of the same size, n is large enough. once n � 2 1024 ? (What about Much more difficult analysis. Many estimates in new papers, < 1 year for < 10 9 e .) usually How is this possible? How can a circuit be so much faster than a standard serial computer?

  11. Computational complexity Start with simpler problem. How fast is sorting? n numbers. � � Input: array of 1 ; 2 ; : : : ; n 2 Each number in , represented in binary. n numbers, Output: array of in increasing order, represented in binary; same multiset as input. A machine is given the input and computes the output. How much time does it use?

  12. The answer depends on how the machine works. Possibility 1: The machine is a “1-tape Turing machine using selection sort.” Specifically: The machine has a 1-dimensional array n 1+ o (1) “cells.” containing o (1) bits. n Each cell stores Input and output are stored in these cells.

  13. The machine also has a “head” moving through array. o (1) cells. n Head contains Head can see the cell at its current array position; perform arithmetic etc.; move to adjacent array position. Selection sort: Head looks at each array position, picks up the largest number, moves it to the end of the array, picks up the second largest, etc.

  14. Moving to adjacent array position o (1) seconds. n takes Moving a number to end of array n 1+ o (1) seconds. takes Same for comparisons etc. Total sorting time: n 2+ o (1) seconds. Cost of machine: n 1+ o (1) e n 1+ o (1) cells. for Negligible extra cost for head.

  15. Possibility 2: The machine is a “2-dimensional RAM using merge sort.” n 1+ o (1) cells Machine has in a 2-dimensional array: n 0 : 5+ o (1) rows, n 0 : 5+ o (1) columns. Machine also has a head. Merge sort: Head recursively b n= 2 numbers; sorts first d n= 2 e numbers; sorts last merges the sorted lists.

  16. n 1+ o (1) jumps Merging requires to “random” array positions. n 0 : 5+ o (1) moves Average jump: to adjacent array positions. o (1) seconds. n Each move takes Total sorting time: n 1 : 5+ o (1) seconds. Cost of machine: once again n 1+ o (1) e .

  17. Possibility 3: The machine is a “pipelined 2-dimensional RAM using radix-2 sort.” n 1+ o (1) cells Machine has in a 2-dimensional array. Each cell in the array has network links to the 2 adjacent cells in the same column. Each cell in the bottom row has network links to the 2 adjacent cells in the bottom row.

  18. Machine also has a CPU attached to bottom-left cell. CPU can read/write any cell by sending request through network. While waiting for response, can send subsequent requests. CPU can read an entire row n 0 : 5+ o (1) cells of n 0 : 5+ o (1) seconds. in Sends all requests, then receives responses.

  19. Radix-2 sort: CPU shuffles array using bit 0, even numbers before odd. 7! 3 1 4 1 5 9 2 6 4 2 6 3 1 1 5 9. Then using bit 1: 4 1 1 5 9 2 6 3. Then using bit 2: 1 1 9 2 3 4 5 6. Then using bit 3: 1 1 2 3 4 5 6 9. etc.

  20. Each shuffle takes n 1+ o (1) seconds. o (1) shuffles. n Total sorting time: n 1+ o (1) seconds. Cost of machine: once again n 1+ o (1) e .

  21. Possibility 4: The machine is a “2-dimensional mesh using Schimmler sort.” n 1+ o (1) cells Machine has in a 2-dimensional array. Each cell has network links to the 4 adjacent cells. Machine also has a CPU attached to bottom-left cell. CPU broadcasts instructions to all of the cells, but cells do most of the processing.

  22. n 0 : 5+ o (1) cells Sort row of n 0 : 5+ o (1) seconds: in Sort each pair in parallel. 7! 3 1 4 1 5 9 2 6 1 3 1 4 5 9 2 6 Sort alternate pairs in parallel. 7! 1 3 1 4 5 9 2 6 1 1 3 4 5 2 9 6 Repeat until number of steps equals row length. Sort each row, in parallel, n 0 : 5+ o (1) seconds. in

  23. Schimmler sort: Recursively sort quadrants in parallel. Then four steps: � Sort each column in parallel. � Sort each row in parallel. � Sort each column in parallel. � Sort each row in parallel. With proper choice of left-to-right/right-to-left for each row, can prove that this sorts whole array.

  24. For example, assume that � 8 array is in cells: this 8 3 1 4 1 5 9 2 6 5 3 5 8 9 7 9 3 2 3 8 4 6 2 6 4 3 3 8 3 2 7 9 5 0 2 8 8 4 1 9 7 1 6 9 3 9 9 3 7 5 1 0 5 8 2 0 9 7 4 9 4 4 5 9 2

  25. Recursively sort quadrants, ! , bottom : top 1 1 2 3 2 2 2 3 3 3 3 3 4 5 5 6 3 4 4 5 6 6 7 7 5 8 8 8 9 9 9 9 1 1 0 0 2 2 1 0 4 4 3 2 5 4 4 3 7 6 5 5 9 8 7 7 9 9 8 8 9 9 9 9

  26. Sort each column in parallel: 1 1 0 0 2 2 1 0 1 1 2 2 2 2 2 3 3 3 3 3 4 4 4 3 3 4 3 3 5 5 5 6 4 4 4 5 6 6 7 7 5 6 5 5 9 8 7 7 7 8 8 8 9 9 9 9 9 9 8 8 9 9 9 9

  27. Sort each row in parallel, , ! : alternately 0 0 0 1 1 1 2 2 3 2 2 2 2 2 1 1 3 3 3 3 3 4 4 4 6 5 5 5 4 3 3 3 4 4 4 5 6 6 7 7 9 8 7 7 6 5 5 5 7 8 8 8 9 9 9 9 9 9 9 9 9 9 8 8

  28. Sort each column in parallel: 0 0 0 1 1 1 1 1 3 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 4 4 4 5 4 4 4 4 6 5 5 5 6 5 5 5 7 8 7 7 6 6 7 7 9 8 8 8 9 9 8 8 9 9 9 9 9 9 9 9

  29. Sort each row in parallel, or ! as desired: 0 0 0 1 1 1 1 1 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 5 5 5 5 5 5 5 6 6 6 6 7 7 7 7 7 8 8 8 8 8 8 9 9 9 9 9 9 9 9 9 9 9

  30. Sort one row n 0 : 5+ o (1) seconds. in All rows in parallel: n 0 : 5+ o (1) seconds. Total sorting time: n 0 : 5+ o (1) seconds. Cost of machine: once again n 1+ o (1) e . n 0 : 5+ o (1) on mesh: ( 1977 Thompson/Kung; this very simple algorithm: 1987 Schimmler)

  31. “VLSI algorithms” literature contains similar improvements in price-performance ratio (“ AT ”) for many computations. Consider, e.g., n -bit integers. multiplying two n 1+ o (1) Time on standard serial computer n 1+ o (1) bits of memory. with (1971 Sch¨ onhage/Strassen, using FFT; see also 2007 F¨ urer)

  32. Knuth: “we leave the domain of conventional computer : : : ” programming n 1+ o (1) Time on a 1-dimensional mesh n 1+ o (1) . of size (1965 Atrubin, elementary) n 0 : 5+ o (1) Time on a 2-dimensional mesh n 1+ o (1) . of size (1981 Brent/Kung, using FFT)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois

Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois

Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation I want to work for NSA as an independent

706 views • 49 slides
Challenges in quantum algorithms for integer factorization D. J. Bernstein University of

Challenges in quantum algorithms for integer factorization D. J. Bernstein University of

1 Challenges in quantum algorithms for integer factorization D. J. Bernstein University of Illinois at Chicago Prelude: What is the fastest algorithm to sort an array? def blindsort(x): while not issorted(x): permuterandomly(x) 2 def

713 views • 50 slides
and 611 + for small : Integer factorization Sieving 1 612 2 2 3 3 D. J. Bernstein

and 611 + for small : Integer factorization Sieving 1 612 2 2 3 3 D. J. Bernstein

and 611 + for small : Integer factorization Sieving 1 612 2 2 3 3 D. J. Bernstein 2 2 613 3 3 614 2 4 2 2 615 3 5 Thanks to: 5 5 616 2 2 2 7 6 2 3 617 University of Illinois at Chicago 7 7 618 2 3 8 2 2 2

411 views • 29 slides
Integer Factorization Methods Modular Arithmetic Trial division, Pollards p 1 , Division

Integer Factorization Methods Modular Arithmetic Trial division, Pollards p 1 , Division

Integer Factorization Methods Integer 2014-04-11 Integer Factorization Methods Factorization Trial division, Pollards p 1 , Pollards , and Fermats method Methods Christopher Koch 1 C. Koch 1 Department of Computer Science and

681 views • 33 slides
Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of

Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of

Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of 6366223796340423057152171586. D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation rization:

593 views • 55 slides
Random problems at the core of integer factorization algorithms Pierrick Gaudry Caramba

Random problems at the core of integer factorization algorithms Pierrick Gaudry Caramba

Random problems at the core of integer factorization algorithms Pierrick Gaudry Caramba LORIA, Nancy CNRS, Universit de Lorraine, Inria Journes ALEA, March 2016 1/31 Plan Introduction: crypto context Integer factorization 101 How

462 views • 33 slides
Integer Factorization Methods Modular Trial division, Pollards p 1 , Arithmetic Division

Integer Factorization Methods Modular Trial division, Pollards p 1 , Arithmetic Division

Integer Factorization Methods C. Koch Overview Integer Factorization Methods Modular Trial division, Pollards p 1 , Arithmetic Division Algorithm and Congruence Pollards , and Fermats method Residue classes mod n Integers

505 views • 33 slides
Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer

Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer

1 2 Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer factorization for i in reversed(range(j)): x[i],x[i+1] = ( D. J. Bernstein min(x[i],x[i+1]), University of Illinois at Chicago max(x[i],x[i+1])

1.48k views • 118 slides
Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation and 611 + for small : Sieving 1 612 2 2 3 3 2 2 613 3 3 614 2 4 2 2 615 3 5 5 5 616 2 2 2

488 views • 36 slides
Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation and 611 + for small : Sieving 1 612 2 2 3 3 2 2 613 3 3 614 2 4 2 2 615 3 5 5 5 616 2 2 2

676 views • 32 slides
lecture 7 Sequential circuits 3 - integer multiplication and division - floating point

lecture 7 Sequential circuits 3 - integer multiplication and division - floating point

lecture 7 Sequential circuits 3 - integer multiplication and division - floating point arithmetic - finite state machines February 1, 2016 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ?

402 views • 24 slides
Faster factorization into coprimes D. J. Bernstein Thanks to: University of Illinois at Chicago

Faster factorization into coprimes D. J. Bernstein Thanks to: University of Illinois at Chicago

Faster factorization into coprimes D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation Problem: Convert (mod 299), (mod 799) into a single

555 views • 28 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This

The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This

The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same tools will also be useful for

799 views • 47 slides
Isolating critical cases for reciprocals using integer factorization John Harrison Intel

Isolating critical cases for reciprocals using integer factorization John Harrison Intel

Isolating critical cases for reciprocals using integer factorization John Harrison Intel Corporation ARITH-16 Santiago de Compostela 17th June 2003 0 Background result before the final rounding Suppose we are interested in a floating-point

343 views • 19 slides
lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ? Sequential circuits 3 multiplicand - integer multiplication and division multiplier - floating point arithmetic product - finite

183 views • 3 slides
The Volcano Optimizer Generator Generator: Object-oriented and scientific Extensibility and

The Volcano Optimizer Generator Generator: Object-oriented and scientific Extensibility and

The Volcano Optimizer The Volcano Optimizer Generator Generator: Object-oriented and scientific Extensibility and database systems Allowing query optimization to be Efficient Search more tuned towards the application = Presentation:

288 views • 4 slides
Project planning Topics covered Software pricing Plan-driven development Project

Project planning Topics covered Software pricing Plan-driven development Project

Project planning Topics covered Software pricing Plan-driven development Project scheduling Agile planning Estimation techniques COCOMO cost modeling Project Planning 2 Project planning Project planning involves

564 views • 55 slides
Introduction to Functional Programming Introduction to Functional Programming Practice Strategy

Introduction to Functional Programming Introduction to Functional Programming Practice Strategy

Introduction to Functional Programming Introduction to Functional Programming Practice Strategy 2018/19 What makes programming functional? Introduction to Functional Programming Imperative code Practice Strategy 2018/19 function

364 views • 14 slides
Caml Trader: Adventures of a functional programmer on Wall Street Yaron M. Minsky Managing

Caml Trader: Adventures of a functional programmer on Wall Street Yaron M. Minsky Managing

Caml Trader: Adventures of a functional programmer on Wall Street Yaron M. Minsky Managing Director Jane Street Capital CUFP Talk, September 2006 How I got here... Finished PhD in Distributed Systems at Cornell No finance background

435 views • 15 slides
More class design with C++ Class operations are typically implemented as member functions

More class design with C++ Class operations are typically implemented as member functions

Member or non-member function? More class design with C++ Class operations are typically implemented as member functions Declared inside class definition Can directly access private members Usually the task involves only one

428 views • 4 slides
11.2 Overloading Operators Overloading Operators In the Money class, function add was

11.2 Overloading Operators Overloading Operators In the Money class, function add was

11.2 Overloading Operators Overloading Operators In the Money class, function add was used to add two objects of type Money In this section we see how to use the ' + ' operator to make the following code legal: Money

771 views • 43 slides
#4: Functions and Scope SAMS SENIOR NON-CS TRACK Last Time Use variables to hold and update data

#4: Functions and Scope SAMS SENIOR NON-CS TRACK Last Time Use variables to hold and update data

#4: Functions and Scope SAMS SENIOR NON-CS TRACK Last Time Use variables to hold and update data Use input and output to write code that supports user interaction Ex3-1 Feedback Excellent work- everyone got most of the problems right! Today's

616 views • 29 slides
Utility Theory CMPUT 654: Modelling Human Strategic Behaviour S&amp;LB 3.1 Recap: Course

Utility Theory CMPUT 654: Modelling Human Strategic Behaviour S&amp;LB 3.1 Recap: Course

Utility Theory CMPUT 654: Modelling Human Strategic Behaviour S&amp;LB 3.1 Recap: Course Essentials Course webpage: jrwright.info/bgtcourse/ Contacting me: Discussion board: piazza.com/ualberta.ca/fall2019/cmput654/ for public

543 views • 25 slides

More recommend