comparing the difficulty of factorization and discrete
play

Comparing the Difficulty of Factorization and Discrete Logarithm: a - PowerPoint PPT Presentation

Oct 20, 2023 •142 likes •466 views

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

  1. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom´ e, Paul Zimmermann ere de l’´ FB: Minist` Education Nationale, Universit´ e de Limoges PG+AG+ET+PZ: Universit´ e de Lorraine, CNRS, Inria, Nancy NH: University of California, San Diego August 21, 2020 – CRYPTO 2020 Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 1/23

  2. Plan Introduction The Number Field Sieve Collecting relations Linear algebra Software and computer resources Figures and Conclusion

  3. How does one choose key sizes? When setting up crypto, a major decision is the key size. Efficiency: want shorter keys. Security: want longer keys. A compromise is needed. An end user might. . . trust the manufacturer to do The Right Thing. check that it abides by recommendations by regulatory bodies (NIST, ANSSI, BSI, . . . ). Tricky questions for public-key crypto How does one assess the hardness of cryptanalysis, for key sizes that are (fortunately) out of its reach? How does one make this assessment convincing? Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 2/23

  4. We need hard facts Predictions can only be based on state-of-the-art software implementation performance. We need actual software that is fit for large sizes, together with convincing computational results. Explore algorithmic ideas that pay off only for large sizes. Explore scalability, try to address stumbling blocks. Harness large computing power, show that this is more than just theory. Make our work reproducible. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 3/23

  5. IF versus FF-DLP We look at two important problems: IF: Integer Factorization; FF-DLP: Finite Field Discrete Logarithm Problem. The appreciation of their relative difficulty is hard to do because IF and FF-DLP records are usually done out of sync. Common belief: for similar key sizes, FF-DLP is a lot harder than IF. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 4/23

  6. Plan Introduction The Number Field Sieve Collecting relations Linear algebra Software and computer resources Figures and Conclusion

  7. Summary of NFS The NFS algorithm (1990) proceeds through many steps. Example workflow in the IF case. linear square polynomial sieving filtering algebra root selection p , q N Computational requirements are diverse. Sieving (relation collection) is the most expensive. It can be massively distributed. (Sparse) Linear algebra comes second. It is somewhat cheaper, but needs expensive hardware. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 5/23

  8. What kind of relations does NFS collect? Polynomial selection finds f with a known root m mod N . Let Q ( α ) be the number field defined by f . Bird’s eye view of strategy for factoring Search for pairs of integers ( a , b ) such that a − bm a − b α and (an integer) (an ideal in Q ( α )) are both smooth: they factor into small things. Pairs yield relations. Combine relations so that all multiplicities are even. We (almost) have squares on both sides. With further (easy) work, we find many equalities of squares: u 2 ≡ v 2 mod N leads to factors of N with probability at least 1 2 . Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 6/23

  9. NFS also works for FF-DLP NFS works similarly for the discrete logarithm. N becomes p . Note that Z / p Z is a field. Both sides are number fields. Not an issue. FF-DLP version of NFS is no longer a story of finding squares. We no longer seek even valuations and linear algebra over Z / 2 Z , but linear algebra over Z /ℓ Z , with ℓ a (large) prime factor of p − 1. It’s harder. But the general pattern remains unchanged. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 7/23

  10. Plan Introduction The Number Field Sieve Collecting relations Linear algebra Software and computer resources Figures and Conclusion

  11. Collecting relations Relation collection is the most expensive step of NFS. Description of relation collection 1. How do we divide the work? 2. How do we find smooth a − bm and a − b α ? 3. How do we choose parameters so that the cost of linear algebra remains under control? Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 8/23

  12. 1. (many) needles in a (huge) haystack Searching a space of size (say) 2 65 takes long. Trivial strategy (loop over a , loop over b ) has unstable yield and does not work well. Better: constrain a factor q in one of the factorizations. Independent tasks per q . Yield is stable. The prescribed factor is one thing less to find! (old folklore; records have been doing this for decades.) ( ⇒ special- q sieving, lattice sieving, sieving by vectors.) Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 9/23

  13. 2. Finding smooth ( a , b ) We have fixed a q . We explore many ( a , b ) such that q appears somewhere. We want a − bm and a − b α to be smooth. Strategy depends on potential prime factors p . A prime should appear either often, or very rarely. below some bound, for p < B , strive to find all pairs ( a , b ) such that p appears in the factorization. We typically use a process called sieving. “large primes” (LPs) such that B ≤ p < L : allowed if we happen to find them. Limit to a few LPs per relation (e.g., 2, sometimes 3). Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 10/23

  14. The relations that we like to see 5 2 · 11 · 23 · 287093 · 870953 · 20179693 · 28306698811 · 47988583469 2 3 · 5 · 7 · 13 · 31 · 61 · 14407 · 26563253 · 86800081 · 269845309 · 802234039 · 1041872869 · 5552238917 · 12144939971 · 15856830239 2 3 · 3 · 5 · 13 · 19 · 23 · 31 · 59 · 239 · 3989 · 7951 · 2829403 · 31455623 · 225623753 · 811073867 · 1304127157 · 78955382651 · 129320018741 3 · 1609 · 77699 · 235586599 · 347727169 · 369575231 · 9087872491 2 4 · 5 · 13 · 31 · 59 · 823 · 2801 · 26539 · 2944817 · 3066253 · 87271397 · 108272617 · 386616343 · 815320151 · 1361785079 · 12322934353 5 · 1381 · 877027 · 15060047 · 19042511 · 11542780393 · 13192388543 2 3 · 5 2 · 173 · 971 · 613909489 · 929507779 · 1319454803 · 2101983503 2 7 · 3 2 · 5 · 29 · 1021 · 42589 · 190507 · 473287 · 31555663 · 654820381 · 802234039 · 19147596953 · 23912934131 · 52023180217 2 2 · 15193 · 232891 · 19514983 · 139295419 · 540260173 · 606335449 2 2 · 3 4 · 13 · 19 · 74897 · 1377667 · 55828453 · 282012013 · 802234039 · 3350122463 · 35787642311 · 37023373909 · 128377293101 2 2 · 5 4 · 439 · 1483 · 13121 · 21383 · 67751 · 452059523 · 33099515051 2 2 · 3 3 · 11 · 13 · 19 · 5023 · 3683209 · 98660459 · 802234039 · 1506372871 · 4564625921 · 27735876911 · 32612130959 · 45729461779 small primes: abundant → dense column in the matrix large primes: rare → sparse colum, limit to 2 or 3 on each side. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 11/23

  15. The relations that we like to see 5 2 · 11 · 23 · 287093 · 870953 · 20179693 · 28306698811 · 47988583469 2 3 · 5 · 7 · 13 · 31 · 61 · 14407 · 26563253 · 86800081 · 269845309 · 802234039 · 1041872869 · 5552238917 · 12144939971 · 15856830239 2 3 · 3 · 5 · 13 · 19 · 23 · 31 · 59 · 239 · 3989 · 7951 · 2829403 · 31455623 · 225623753 · 811073867 · 1304127157 · 78955382651 · 129320018741 3 · 1609 · 77699 · 235586599 · 347727169 · 369575231 · 9087872491 2 4 · 5 · 13 · 31 · 59 · 823 · 2801 · 26539 · 2944817 · 3066253 · 87271397 · 108272617 · 386616343 · 815320151 · 1361785079 · 12322934353 5 · 1381 · 877027 · 15060047 · 19042511 · 11542780393 · 13192388543 2 3 · 5 2 · 173 · 971 · 613909489 · 929507779 · 1319454803 · 2101983503 2 7 · 3 2 · 5 · 29 · 1021 · 42589 · 190507 · 473287 · 31555663 · 654820381 · 802234039 · 19147596953 · 23912934131 · 52023180217 2 2 · 15193 · 232891 · 19514983 · 139295419 · 540260173 · 606335449 2 2 · 3 4 · 13 · 19 · 74897 · 1377667 · 55828453 · 282012013 · 802234039 · 3350122463 · 35787642311 · 37023373909 · 128377293101 2 2 · 5 4 · 439 · 1483 · 13121 · 21383 · 67751 · 452059523 · 33099515051 2 2 · 3 3 · 11 · 13 · 19 · 5023 · 3683209 · 98660459 · 802234039 · 1506372871 · 4564625921 · 27735876911 · 32612130959 · 45729461779 small primes: abundant → dense column in the matrix large primes: rare → sparse colum, limit to 2 or 3 on each side. Before linear algebra, the filtering step tries to do as many cheap combinations as it can, so as to get a smaller matrix. Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 11/23

  16. 3. Paying attention to the combination cost Relations with 2 LPs or less are a blessing. They easily participate in cheap combinations. If we have only 2-LP relations, filtering will get rid of most of them. We are left with a number of primes to combine that is roughly the number of primes below B . Caveat: two sides to deal with. We must pay attention to q as well! How does it compare to B ? Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment 12/23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
Discrete Factorization Machines for Fast Feature-based Recommendation Han Liu 1 , Xiangnan He 2 ,

Discrete Factorization Machines for Fast Feature-based Recommendation Han Liu 1 , Xiangnan He 2 ,

Discrete Factorization Machines for Fast Feature-based Recommendation Han Liu 1 , Xiangnan He 2 , Fuli Feng 2 , Liqiang Nie 1 , Rui Liu 3 , Hanwang Zhang 4 1.Shandong University 2.National University of Singapore 3.University of Electronic

328 views • 17 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Comparing Problems Remember the concepts of Problem, Algorithm, and Program. Weve gotten

Comparing Problems Remember the concepts of Problem, Algorithm, and Program. Weve gotten

Comparing Problems Remember the concepts of Problem, Algorithm, and Program. Weve gotten pretty good at comparing algorithms. How do we compare problems? Sorted Array Search Sorting Integer Factorization Integer Multiplication Selection

449 views • 14 slides
Comparing Discrete and Piecewise Affine Models of Gene Regulatory Networks Shahrad Jamshidi,

Comparing Discrete and Piecewise Affine Models of Gene Regulatory Networks Shahrad Jamshidi,

Comparing Discrete and Piecewise Affine Models of Gene Regulatory Networks Shahrad Jamshidi, Heike Siebert, Alexander Bockmayr Article in Biosystems, 2013 PhD S. Jamshidi, April 2013 Porquerolles, June 2013 Piecewise Affine Differential

1.11k views • 85 slides
Calculus without Limits: The difficulty of limits the Theory The difficulty of defining R

Calculus without Limits: The difficulty of limits the Theory The difficulty of defining R

Calculus without Limits C. K. Raju Introduction The size of calculus texts Calculus without Limits: The difficulty of limits the Theory The difficulty of defining R Current pedagogy of the calculus: a critique Imitating the European

1.82k views • 133 slides
Calculus without Limits: The difficulty of limits the Theory The difficulty of defining R

Calculus without Limits: The difficulty of limits the Theory The difficulty of defining R

Calculus without Limits C. K. Raju Introduction Calculus without Limits: The difficulty of limits the Theory The difficulty of defining R Current pedagogy of the calculus: a critique The difficulty of set theory The integral C. K. Raju

1.36k views • 107 slides
Comparing Several Samples We are often interested in comparing measurements made under more than

Comparing Several Samples We are often interested in comparing measurements made under more than

ST 380 Probability and Statistics for the Physical Sciences Comparing Several Samples We are often interested in comparing measurements made under more than two different sets of conditions. Examples Strengths of concrete beams manufactured

436 views • 15 slides
Matrix Factorization and Factorization Machines for Recommender Systems Chih-Jen Lin Department

Matrix Factorization and Factorization Machines for Recommender Systems Chih-Jen Lin Department

Matrix Factorization and Factorization Machines for Recommender Systems Chih-Jen Lin Department of Computer Science National Taiwan University Talk at SDM workshop on Machine Learning Methods on Recommender Systems, May 2, 2015 Chih-Jen Lin

1.14k views • 54 slides
Compressed Factorization: Fast and Accurate Low-Rank Factorization of Compressively-Sensed Data

Compressed Factorization: Fast and Accurate Low-Rank Factorization of Compressively-Sensed Data

Compressed Factorization: Fast and Accurate Low-Rank Factorization of Compressively-Sensed Data Vatsal Sharan* , Kai Sheng Tai*, Peter Bailis &amp; Gregory Valiant Stanford University Poster 187 Learning(from(compressed(data

253 views • 8 slides
Comparing Two Samples We are often interested in comparing measurements made under two different

Comparing Two Samples We are often interested in comparing measurements made under two different

ST 380 Probability and Statistics for the Physical Sciences Comparing Two Samples We are often interested in comparing measurements made under two different sets of conditions. Examples Water quality measurements below an effluent outfall,

384 views • 22 slides
Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding

Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding

Factoring Done by:Rashed salmeen Grade:9ASP2 Prime factorization Prime factorization:is finding which prime numbers multiply together to make the original number. Examples: 27 18 2 9 3 9 3 3 3 3 18=2x3x3 27=3x3x3 greatest common

365 views • 11 slides
Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing

Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing

TWO S OR MEDIANS: COMPARISONS Business Statistics CONTENTS Comparing two samples Comparing two unrelated samples Comparing the means of two unrelated samples Comparing the medians of two unrelated samples Old exam question Further study

397 views • 38 slides
L101: Matrix Factorization In a nutshell Matrix factorization/completion you know? In NLP?

L101: Matrix Factorization In a nutshell Matrix factorization/completion you know? In NLP?

L101: Matrix Factorization In a nutshell Matrix factorization/completion you know? In NLP? Word embeddings Topic models Information extraction FastText Why complete the matrix? Label Features Label Label Label Label

420 views • 20 slides
Business Statistics CONTENTS Comparing two s Comparing more than two s Analysis of

Business Statistics CONTENTS Comparing two s Comparing more than two s Analysis of

SEVERAL S: COMPARISON Business Statistics CONTENTS Comparing two s Comparing more than two s Analysis of variance Testing significance of ANOVA Performing ANOVA The statistical model Equal variances Old exam question Further

532 views • 30 slides
Comparing players in simple games Haris Aziz 1 1 Department of Computer Science &amp; DiMAP

Comparing players in simple games Haris Aziz 1 1 Department of Computer Science &amp; DiMAP

Introduction Player types Complexity of Desirability ordering Power indices Conclusion Comparing players in simple games Haris Aziz 1 1 Department of Computer Science &amp; DiMAP (Discrete Mathematics &amp; its Applications) University of

1.16k views • 99 slides
cl a simple form of computation used widely one way to find patterns 1 current A A

cl a simple form of computation used widely one way to find patterns 1 current A A

Finite-State Machines (Automata) lecture 12 cl a simple form of computation used widely one way to find patterns 1 current A A B C D D B B C D A next C 2 Application Fields Industry real-time control,

723 views • 36 slides
Solving Single-digit Sudoku Subproblems David Eppstein Int. Conf. Fun with Algorithms, June 2012

Solving Single-digit Sudoku Subproblems David Eppstein Int. Conf. Fun with Algorithms, June 2012

Solving Single-digit Sudoku Subproblems David Eppstein Int. Conf. Fun with Algorithms, June 2012 Sudoku An ab ab array of cells, partitioned into a b blocks, partially filled in with numbers from 1 to ab . Must fill in remaining cells

521 views • 17 slides
Uncertainty Modeling without Subspace Methods for Text-Dependent Speaker Recognition Patrick

Uncertainty Modeling without Subspace Methods for Text-Dependent Speaker Recognition Patrick

Speaker Recognition Task and Features Two Backends Experiments Uncertainty Modeling without Subspace Methods for Text-Dependent Speaker Recognition Patrick Kenny, Themos Stafylakis, Md. Jahangir Alam and Marcel Kockmann Odyssey Speaker and

235 views • 19 slides
Errors Scientific Notation In scientific notation , a number can be expressed in the form =

Errors Scientific Notation In scientific notation , a number can be expressed in the form =

Errors Scientific Notation In scientific notation , a number can be expressed in the form = 10 ! where is a coefficient in the range 1 &lt; 10 and is the exponent. 1165.7 = 0.0004728 = Binary numbers We will

532 views • 34 slides
Image Classification with DIGITS Twin Karmakharm Certified Instructor, NVIDIA Deep Learning

Image Classification with DIGITS Twin Karmakharm Certified Instructor, NVIDIA Deep Learning

Image Classification with DIGITS Twin Karmakharm Certified Instructor, NVIDIA Deep Learning Institute NVIDIA Corporation 1 DEEP LEARNING INSTITUTE DLI Mission Helping people solve challenging problems using AI and deep learning.

827 views • 78 slides
Lecture 10: Representing Numbers, Gray Codes Base Basics For a base b , the highest value of any

Lecture 10: Representing Numbers, Gray Codes Base Basics For a base b , the highest value of any

Lecture 10: Representing Numbers, Gray Codes Base Basics For a base b , the highest value of any digit is b 1 Computer scientists often use non-decimal bases binary 2 Storing flags in a byte: 01100101 octal 8 Unix permission bits: 0755

333 views • 14 slides
Combinatorics Reading: EC 5.15.4 Peter J. Haas INFO 150 Fall Semester 2019 Lecture 13 1/

Combinatorics Reading: EC 5.15.4 Peter J. Haas INFO 150 Fall Semester 2019 Lecture 13 1/

Combinatorics Reading: EC 5.15.4 Peter J. Haas INFO 150 Fall Semester 2019 Lecture 13 1/ 27 Combinatorics Introduction Representing Sets Organization in Counting Combinatorial Equivalence Counting Lists and Permutations Counting With

749 views • 55 slides
NUMBER GAMES ANSWER KEY, SMMG SPRING 2020 RICHARD WONG Abstract. We will explore and play with

NUMBER GAMES ANSWER KEY, SMMG SPRING 2020 RICHARD WONG Abstract. We will explore and play with

NUMBER GAMES ANSWER KEY, SMMG SPRING 2020 RICHARD WONG Abstract. We will explore and play with some of the weird and interesting facts and formulas surrounding these cool types of numbers called pandigital numbers and Friedman numbers. In

655 views • 3 slides

More recommend