Abstract
The security of the RSA cryptosystem depends on the difficulty of factoring large integers. The best current factoring algorithm is the Number Field Sieve (NFS), and its most difficult part is the sieving step. In 1999 a large distributed computation involving hundreds of workstations working for many months managed to factor a 512-bit RSA key, but 1024-bit keys were believed to be safe for the next 15-20 years. In this paper we describe a new hardware implementation of the NFS sieving step (based on standard 0.13 μm, 1 GHz silicon VLSI technology) which is 3-4 orders of magnitude more cost-effective than the best previously published designs (such as the optoelectronic TWINKLE and the mesh-based sieving). Based on a detailed analysis of all the critical components (but without an actual implementation), we believe that the NFS sieving step for 512-bit RSA keys can be completed in less than ten minutes by a $10K device. For 1024-bit RSA keys, analysis of the NFS parameters (backed by experimental data where possible) suggests that the sieving step can be completed in less than a year by a $10M device. Coupled with recent results about the cost of the NFS matrix step, this raises some concerns about the security of this key size.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Shamir, A., Tromer, E. (2003). Factoring Large Numbers with the TWIRL Device. In: Boneh, D. (eds) Advances in Cryptology - CRYPTO 2003. CRYPTO 2003. Lecture Notes in Computer Science, vol 2729. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45146-4_1
DOI: https://doi.org/10.1007/978-3-540-45146-4_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40674-7
Online ISBN: 978-3-540-45146-4
eBook Packages: Springer Book Archive