factoring as a service
play

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, - PowerPoint PPT Presentation

Mar 03, 2023 •11 likes •401 views

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

  1. Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas

  2. Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption exponent d decryption exponent ( d = e − 1 mod ( p − 1)( q − 1))

  3. Factoring Problem: Factor N into p and q ◮ Lets an attacker compute the private key. ◮ The RSA assumption is not known to be equivalent to factoring ◮ Factoring is much harder than multiplication ◮ Best known algorithm: number field sieve

  4. How long does factoring take with the number field sieve? Answer 1 L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  5. How long does factoring take with the number field sieve? Answer 2 512-bit RSA: < 1 core-year 768-bit RSA: < 1,000 core-years 1024-bit RSA: ≈ 1,000,000 core-years 2048-bit RSA: Minimum recommended key size today.

  6. How long does factoring take with the number field sieve? Answer 3 512-bit RSA: 7 months — large academic effort [Cavallar et al., 1999] 768-bit RSA: 2.5 years — large academic effort [Kleinjung et al., 2009] 512-bit RSA: 2.5 months — single machine [Moody, 2009] 512-bit RSA: 72 hours — single Amazon EC2 machine [Harris, 2012] 512-bit RSA: 7 hours — Amazon EC2 cluster [Heninger, 2015] 512-bit RSA: < 4 hours — Amazon EC2 cluster [this work]

  7. Brief Primer on Amazon EC2 c4.8xlarge ◮ 36 virtualized cores ◮ two Intel Xeon E5-2666 v3 processor chips ◮ 60GB RAM

  8. Brief Primer on Amazon EC2 c4.8xlarge ◮ 36 virtualized cores ◮ two Intel Xeon E5-2666 v3 processor chips ◮ 60GB RAM Pricing ◮ guaranteed rate of $ 1.783/hr (on-demand) ◮ bid on unused capacity at fluctuating rate $ 0.35+ (spot)

  9. The Number Field Sieve Algorithm linear polynomial square sieving algebra selection root p N

  10. The Number Field Sieve Algorithm ◮ Polynomial selection Choose a good number field embarassingly parallel, 120 CPU-hours linear polynomial square sieving algebra selection root p N

  11. The Number Field Sieve Algorithm ◮ Polynomial selection Choose a good number field embarassingly parallel, 120 CPU-hours ◮ Sieving Factor small-ish integers to find algebraic relations embarassingly parallel, 2,800 CPU-hours linear polynomial square sieving algebra selection root p N

  12. The Number Field Sieve Algorithm ◮ Polynomial selection Choose a good number field embarassingly parallel, 120 CPU-hours ◮ Sieving Factor small-ish integers to find algebraic relations embarassingly parallel, 2,800 CPU-hours ◮ Linear algebra Build matrix from relations, reduce to find squares semi-parallel, 250 CPU-hours linear polynomial square sieving algebra selection root p N

  13. The Number Field Sieve Algorithm ◮ Polynomial selection Choose a good number field embarassingly parallel, 120 CPU-hours ◮ Sieving Factor small-ish integers to find algebraic relations embarassingly parallel, 2,800 CPU-hours ◮ Linear algebra Build matrix from relations, reduce to find squares semi-parallel, 250 CPU-hours ◮ Square root Take square roots and check if factor N mostly non-parallel, 10 CPU-minutes linear polynomial square sieving algebra selection root p N

  14. Making Sieving Fast ◮ Goal: Distribute many small tasks to a compute cluster

  15. Making Sieving Fast ◮ Goal: Distribute many small tasks to a compute cluster ◮ Problems: CADO-NFS job distribution has scaling issues

  16. Making Sieving Fast ◮ Goal: Distribute many small tasks to a compute cluster ◮ Problems: CADO-NFS job distribution has scaling issues ◮ Solution: Replace job distribution with Slurm

  17. Making Sieving Fast ◮ Goal: Distribute many small tasks to a compute cluster ◮ Problems: CADO-NFS job distribution has scaling issues ◮ Solution: Replace job distribution with Slurm ◮ More Problems: Cannot submit many small tasks to Slurm at once

  18. Making Sieving Fast ◮ Goal: Distribute many small tasks to a compute cluster ◮ Problems: CADO-NFS job distribution has scaling issues ◮ Solution: Replace job distribution with Slurm ◮ More Problems: Cannot submit many small tasks to Slurm at once ◮ More Solutions: Fix with batching logic

  19. Making Sieving Fast ◮ Goal: Distribute many small tasks to a compute cluster ◮ Problems: CADO-NFS job distribution has scaling issues ◮ Solution: Replace job distribution with Slurm ◮ More Problems: Cannot submit many small tasks to Slurm at once ◮ More Solutions: Fix with batching logic Now we can parallelize sieving away, right?!

  20. Reality Check ◮ You can’t actually launch that many spot instances at once ◮ Amazon runs pretty close to capacity ◮ On-demand instances are much more expensive Price spikes: launching a 50-node cluster

  21. Making Linear Algebra Fast Goal: divide up large matrix into smaller grids, which must communicate periodically. Problems: Solutions:

  22. Making Linear Algebra Fast Goal: divide up large matrix into smaller grids, which must communicate periodically. Problems: Solutions: CADO-NFS linear algebra Use Msieve’s implementation runtime increased with more instead; performs better for nodes 512-bit keys

  23. Making Linear Algebra Fast Goal: divide up large matrix into smaller grids, which must communicate periodically. Problems: Solutions: CADO-NFS linear algebra Use Msieve’s implementation runtime increased with more instead; performs better for nodes 512-bit keys High communication Use Amazon’s Enhanced requirements make networking a Networking for 10Gbit bandwidth bottleneck

  24. Making Linear Algebra Fast Goal: divide up large matrix into smaller grids, which must communicate periodically. Problems: Solutions: CADO-NFS linear algebra Use Msieve’s implementation runtime increased with more instead; performs better for nodes 512-bit keys High communication Use Amazon’s Enhanced requirements make networking a Networking for 10Gbit bandwidth bottleneck Inter-node latency is higher than Tune implementation parameters expected (150 µ s) instead

  25. Make Linear Algebra Easier by Making Sieving Harder Oversieving “generating excess relations” lbp 28; td 70 Linalg Time (hrs) lbp 28; td 120 1 . 5 1 30 35 40 45 Relations (M)

  26. Putting it All Together ◮ Spend more money to make factoring faster, but with diminishing returns ◮ Large clusters are prone to random node failures and instability 160 256,64 lbp 28; td 120 256,16 Cost (USD) 128,64 128,64 120 lbp 29; td 120 64,64 lbp 29; td 70 80 128,16 64,432,16 128,4 16,416,4 32,4 16,1 8,1 4,1 2,1 1,1 40 2 1 2 2 2 3 2 4 2 5 2 6 Time (hrs)

  27. The Cost of Research August 2015 EC2 bill Shoutout to our sponser: Thanks Amazon!

  28. Is anyone still using 512-bit RSA?

  29. Is anyone still using 512-bit RSA? [RSA export + FREAK attack] International Traffic in Arms Regulations [April 1, 1992 version] Category XIII--Auxiliary Military Equipment ... (1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems... Commerce Control List [current] a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA); April 2015: FREAK attack [BDFKPSZZ 2015]: Implementation flaw; use fast 512-bit factorization to downgrade modern browsers to broken export-grade RSA. “. . . we observe that 512-bit factorization is currently solvable at most in weeks. . . ”

  30. Who is using 512-bit RSA? TLS measurements [scans.io] HTTPS March 2015: 8.9M (26.3%) HTTPS servers support RSA EXPORT September 2015: 2.6M (7.7%) HTTPS servers support RSA EXPORT

  31. Who is using 512-bit RSA? TLS measurements [scans.io] HTTPS March 2015: 8.9M (26.3%) HTTPS servers support RSA EXPORT September 2015: 2.6M (7.7%) HTTPS servers support RSA EXPORT SMTP missed the memo September 2015: 1.5M (30.8%) SMTP/StartTLS servers support RSA EXPORT

  32. DNSSEC: Domain Name System Security Extensions [Rapid7 + SURFnet datasets + our own scans] Key sizes are way too small 10 7 512 Number of keys 768 1024 10 5 1280 1536 2048 10 3 06/2014 09/2014 12/2014 03/2015 06/2015 09/2015

  33. DNSSEC: Domain Name System Security Extensions [Rapid7 + SURFnet datasets + our own scans] RFC 6781 [2012] “it is estimated that most zones can safely use 1024-bit keys for at least the next ten years.”

  34. DNSSEC: Domain Name System Security Extensions [Rapid7 + SURFnet datasets + our own scans] Keys are rotated infrequently 1 512 KSK 512 ZSK All KSK CDF All ZSK 0 . 5 RRSig 0 0 90 180 270 360 450 Duration (days)

  35. DKIM: Domain-Keys Identified Mail [Rapid7 + SURFNET + our own scans] Public Keys 512 bits 103 (0.9%) 384 bits 20 (0.2%) 128 bits 1 (0.0%) Parse error 591 (5.1%) Total 11,637

  36. DKIM: Domain-Keys Identified Mail [Rapid7 + SURFNET + our own scans] Public Keys 512 bits 103 (0.9%) 384 bits 20 (0.2%) 128 bits 1 (0.0%) Parse error 591 (5.1%) Total 11,637 128-bit key [REDACTED] bdb6389e41d8df6141acdda91a7c23c1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Slide 1 / 128 Slide 2 / 128 Table of Contents Factors and GCF Factoring out GCF's Polynomials Factoring Trinomials x 2 + bx + c Factoring Using Special Patterns Factoring Trinomials ax 2 + bx + c Factoring 4 Term Polynomials

472 views • 22 slides
FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

F A C T O R I N G W I T H J U D G M E N T S FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about? FACTORING It is precisely after the judgment is won by This out-of-the-box product uses the - the

199 views • 7 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Erbil, Kurdistan 0 Factoring integers,..., RSA Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma

749 views • 30 slides
Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy, 9. October 2008 Using P-1, P+1 and ECM in NFS For large factoring projects, memory becomes a limiting resource. Large factor base bound B requires

385 views • 21 slides
Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

College of Science for Women 0 Factoring integers,..., RSA Lecture in Number Theory College of Science for Women Baghdad University March 31, 2014 Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi

2.06k views • 192 slides
Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26, 2019 Integer factoring and compositeness witnesses 1 Objective: Factorization of a large integer n Oracles Techniques How many hard numbers are

514 views • 22 slides
Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers on a quantum algorithm. Why is this a big deal? O ( e n 1/3 ( log n )

712 views • 5 slides
POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES

POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES

Nonlinear System Identification Benchmarks POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES TW IC K April, 2019 NARX MODEL T he No nline ar Auto re g re ssive e Xo g e no us I nput Mo de l

253 views • 23 slides
Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and Statistics University of North Carolina at Greensboro Sebastian Pauli (UNC Greensboro) Factoring Polynomials over Local Fields II 1 / 20 Polynomial

765 views • 44 slides
Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens

Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens

Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens College &amp; CUNY Graduate Center New York, NY MAA MathFest Portland, OR 7 August 2014 Russell Miller (CUNY) Factoring and Finding Roots MathFest

489 views • 30 slides
Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides joint with Dan Bernstein and Tanja Lange Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption

1.39k views • 95 slides
The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida

The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida

The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida State University ISSAC2013 June 26, 2013 Papers [Zassenhaus 1969]. Usually fast, but can be exp-time. [LLL 1982]. Lattice reduction (LLL

766 views • 43 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a

Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a

SNI CAPITAL ADVISORS Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a leading financial/business consulting firm having a strong global presence directly or indirectly through its network partners &amp;

313 views • 10 slides
Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be dominig.arfoll@fridu.net 1/30 A harden Embedded Linux Applicable to any Industrial IoT Linux 2/30 3/30 4/30 Top 25 Git Commituers in 2016 Commits Name

1.37k views • 30 slides
Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

SLTS Kernel and Base-Layer Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan, Tokyo, June 2, 2017 Our Civilization is Run by Linux Open Source Summit Japan 2017 2

1.03k views • 46 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab

OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab

OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab Introduction IoT and SSL/TLS landscape Secure Device Grid design Lessons Learned ABOUT THE SPEAKER Kresten Krab Thorup, Ph.D. Trifork CTO - since 1999

948 views • 56 slides
logi.CAD3 logi.CLOUD An expe ri en ce rep or t on migratj ng a n i nd ust r ia l -gra de

logi.CAD3 logi.CLOUD An expe ri en ce rep or t on migratj ng a n i nd ust r ia l -gra de

logi.CAD3 logi.CLOUD An expe ri en ce rep or t on migratj ng a n i nd ust r ia l -gra de ID E t o the Cl o ud u si ng t he Ec li pse e cosys tem Agenda of this Talk Introductjon (7 Minutes) Goal Company focus (products,

682 views • 37 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
F Classification: Public AGENDA Introductions Scheme Comparisons Coronavirus

F Classification: Public AGENDA Introductions Scheme Comparisons Coronavirus

Classification: Public F Classification: Public AGENDA Introductions Scheme Comparisons Coronavirus Business Interruption Loan Scheme (CBILS) Coronavirus Large Business Interruption Loan Scheme (CLBILS) Covid

436 views • 20 slides
Demilitarization IND 105 Lesson 14 DEMILITARIZATION TLO 14 - Given the need to dispose of

Demilitarization IND 105 Lesson 14 DEMILITARIZATION TLO 14 - Given the need to dispose of

Demilitarization IND 105 Lesson 14 DEMILITARIZATION TLO 14 - Given the need to dispose of contract Government property requiring demilitarization, describe the process of demilitarization. ELOs: 1. Identify contractual requirements for

510 views • 36 slides

More recommend