Advertisement

Factoring Large Numbers with the TWIRL Device

  • Adi Shamir
  • Eran Tromer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)

Abstract

The security of the RSA cryptosystem depends on the difficulty of factoring large integers. The best current factoring algorithm is the Number Field Sieve (NFS), and its most difficult part is the sieving step. In 1999 a large distributed computation involving hundreds of workstations working for many months managed to factor a 512-bit RSA key, but 1024-bit keys were believed to be safe for the next 15-20 years. In this paper we describe a new hardware implementation of the NFS sieving step (based on standard 0.13μm, 1GHz silicon VLSI technology) which is 3-4 orders of magnitude more cost effective than the best previously published designs (such as the optoelectronic TWINKLE and the mesh-based sieving). Based on a detailed analysis of all the critical components (but without an actual implementation), we believe that the NFS sieving step for 512-bit RSA keys can be completed in less than ten minutes by a $10K device. For 1024-bit RSA keys, analysis of the NFS parameters (backed by experimental data where possible) suggests that sieving step can be completed in less than a year by a $10 M device. Coupled with recent results about the cost of the NFS matrix step, this raises some concerns about the security of this key size.

Keywords

Clock Cycle Delivery Line Largish Progression Emission Triplet Smallish Progression 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Bahr, F., Franke, J., Kleinjung, T., Lochter, M., Böhm, M.: RSA-160, e-mail announcement (April 2003), http://www.loria.fr/~zimmerma/records/rsa160
  2. 2.
    Bernstein, D.J.: How to find small factors of integers, manuscript (2000), http://cr.yp.to/papers.html
  3. 3.
    Bernstein, D.J.: Circuits for integer factorization: a proposal, manuscript (2001), http://cr.yp.to/papers.html
  4. 4.
    Brent, R.P.: Recent progress and prospects for integer factorisation algorithms. In: Du, D.-Z., Eades, P., Sharma, A.K., Lin, X., Estivill-Castro, V. (eds.) COCOON 2000. LNCS, vol. 1858, pp. 3–22. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Cavallar, S., Dodson, B., Lenstra, A.K., Lioen, W., Montgomery, P.L., Murphy, B., te Riele, H.J.J., et al.: Factorization of a 512-bit RSA modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–17. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Coppersmith, D.: Modifications to the number field sieve. Journal of Cryptology 6, 169–180 (1993)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Geiselmann, W., Steinwandt, R.: A dedicated sieving hardware. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 254–266. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Geiselmann, W., Steinwandt, R.: Hardware to solve sparse systems of linear equations over GF(2). In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 51–61. Springer, Heidelberg (2003) (to be published)CrossRefGoogle Scholar
  9. 9.
    International Technology Roadmap for Semiconductors (2001), http://public.itrs.net/
  10. 10.
    Kim, H.J., Magione-Smith, W.H.: Factoring large numbers with programmable hardware. In: proc. FPGA 2000, ACM, New York (2000)Google Scholar
  11. 11.
    Lambert, R.: Computational aspects of discrete logarithms, Ph.D. Thesis, University of Waterloo (1996)Google Scholar
  12. 12.
    Lenstra, A.K., Lenstra Jr., H.W. (eds.): The development of the number field sieve. Lecture Notes in Math. vol. 1554. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  13. 13.
    Lenstra, A.K., Dodson, B.: NFS with four large primes: an explosive experiment. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 372–385. Springer, Heidelberg (1995)Google Scholar
  14. 14.
    Lenstra, A.K., Dodson, B., Hughes, J., Leyland, P.: Factoring estimates for 1024-bit RSA modulus (to be published)Google Scholar
  15. 15.
    Lenstra, A.K., Shamir, A.: Analysis and Optimization of the TWINKLE Factoring Device. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 35–52. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. 16.
    Lenstra, A.K., Shamir, A., Tomlinson, J., Tromer, E.: Analysis of Bernstein’s factorization circuit. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 1–26. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Murphy, B.: Polynomial selection for the number field sieve integer factorization algorithm, Ph. D. thesis, Australian National University (1999)Google Scholar
  18. 18.
    National Institute of Standards and Technology, Key management guidelines, Part 1: General guidance (draft) (January 2003), http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
  19. 19.
    Shamir, A.: Factoring large numbers with the TWINKLE device (extended abstract). In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 2–12. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  20. 20.
    RSA Security, The new RSA factoring challenge, web page (Jan. 2003), http://www.rsasecurity.com/rsalabs/challenges/factoring/
  21. 21.
    Silverman, R.D.: A cost-based security analysis of symmetric and asymmetric key lengths, Bulletin 13, RSA Security (2000), http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html
  22. 22.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Adi Shamir
    • 1
  • Eran Tromer
    • 1
  1. 1.Department of Computer Science and Applied MathematicsWeizmann Institute of ScienceRehovotIsrael

Personalised recommendations