Integer Factoring in Cryptography
Dr. Jiun-Ming Chen
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
2008.3.11
Math department at NTNU
Historical Cipher

Gāius Jūlius Caesar (100 BC – 44 BC)
- A Roman military and political leader and one of the most influential men in world history
- He played a critical role in the transformation of the Roman Republic into the Roman Empire

Caesar Cipher
- Example (recall: A → 0, B → 1, C → 2, …, Y → 24, Z → 25)
  Plaintext: SPY (18 15 24)
  Ciphertext: VSB (21 18 1)
- Encryption: c = p + 3 mod 26
- Decryption: p = c − 3 mod 26
Historical Cipher

Shift Cipher
- Each letter we identify with a number: A = 0, B = 1, C = 2, …, Z = 25
- The key k is a number in the range 0 ~ 25
- Encryption is adding k onto each letter modulo 26
- Julius Caesar used k = 3: HELLO becomes KHOOR
- We break a shift cipher by using the statistics of the underlying language
Historical Cipher

English Letter Frequencies
- The most common bigrams are, in decreasing order:
  TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA
- The most common trigrams are, in decreasing order:
  THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR
- Useful cryptanalysis rarely mentioned in books: conditional probability, e.g., which letter has the highest frequency right after the letter H?
Historical Cipher

Take the following example cipher text
BPMZM WVKM EIA IV COTG LCKSTQVO
EQBP NMIBPMZA ITT ABCJJG IVL JZWEV
IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA
OMB WCB WN BWEV
OMB WCB, OMB WCB, OMB WCB WN BWEV
IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS
QV I NTCZZG WN MQL MZLWEV
BPIB XWWZ TQBBTM COTG LCKS TQVO
EMVB EIVLMZQVO NIZ IVL VMIZ
JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM
VWE OMB WCB, OMB WCB, OMB WCB WN PMZM
IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS
IVL I DMZG CVPIXXG BMIZ

We need to compare the frequency distribution of this text with standard English
Historical Cipher

[Two bar charts: letter frequencies of standard English (“Underlying Plain Text”) and of the cipher text]

- The shift of E seems to be either 4, 8, 17, 18 or 23
- The shift of A seems to be either 1, 8, 12, 21 or 22
Historical Cipher

Hence the key is probably equal to 8, the only shift that appears in both lists
We can now decrypt the cipher text to reveal
There once was an ugly duckling
With feathers all stubby and brown
And the other birds said in so many words
Get out of town
Get out, get out, get out of town
And he went with a quack and a waddle and a quack
In a flurry of eiderdown
That poor little ugly duckling
Went wandering far and near
But at every place they said to his face
Now get out, get out, get out of here
And he went with a quack and a waddle and a quack
And a very unhappy tear
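The frequency attack described on the preceding slides, carried out in code. This is an added example and not part of the original slides: it tries all 26 keys on the slide’s cipher text, scores each candidate plaintext against a standard English letter-frequency table (the table values are approximate and an assumption of this example), and cross-checks the winner against the slide’s bigram list. The slide’s “WIN” in the chorus is treated as a typo for “WN”, consistent with the decrypted “of town”.

```python
from collections import Counter
from string import ascii_uppercase as ALPHABET

# Approximate relative frequencies (percent) of letters in English text.
# Assumed for this example; any standard table gives the same verdict.
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074,
}

# The cipher text from the slides ("WIN" corrected to "WN").
CIPHERTEXT = """BPMZM WVKM EIA IV COTG LCKSTQVO
EQBP NMIBPMZA ITT ABCJJG IVL JZWEV
IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA
OMB WCB WN BWEV
OMB WCB, OMB WCB, OMB WCB WN BWEV
IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS
QV I NTCZZG WN MQL MZLWEV
BPIB XWWZ TQBBTM COTG LCKS TQVO
EMVB EIVLMZQVO NIZ IVL VMIZ
JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM
VWE OMB WCB, OMB WCB, OMB WCB WN PMZM
IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS
IVL I DMZG CVPIXXG BMIZ"""


def shift(text, k):
    """Shift every letter by k positions mod 26 (encrypt with k, decrypt with -k);
    punctuation and spaces pass through unchanged."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return ''.join(out)


def chi_squared(text):
    """Chi-squared distance between the letter histogram of text and the English
    table: the lower the score, the more the text looks like English."""
    letters = [c for c in text if c in ALPHABET]
    counts, n = Counter(letters), len(letters)
    total = 0.0
    for c in ALPHABET:
        expected = ENGLISH_FREQ[c] * n / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def break_shift(ciphertext):
    """Exhaust the 26 keys and return (key, plaintext) for the most English-like candidate."""
    scored = [(chi_squared(shift(ciphertext, -k)), k) for k in range(26)]
    _, key = min(scored)
    return key, shift(ciphertext, -key)


def top_bigrams(text, n):
    """Most common within-word bigrams, to compare with the slide's TH, HE, IN, ER, AN, ... list."""
    pairs = Counter()
    for word in text.split():
        word = ''.join(c for c in word if c in ALPHABET)
        pairs.update(word[i:i + 2] for i in range(len(word) - 1))
    return [bg for bg, _ in pairs.most_common(n)]


if __name__ == "__main__":
    key, plaintext = break_shift(CIPHERTEXT)
    print("key =", key)
    print(plaintext)
    print("top bigrams:", top_bigrams(plaintext, 5))
```

The chi-squared score replaces the eyeballing of the two bar charts: the slide picks the shift common to the candidate lists for E and A, while the score ranks all 26 shifts at once and is robust on a text this long even though the plaintext’s four QUACKs inflate the rare letter Q.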
Basic Principles of a Cryptosystem

- A cryptosystem (cryptosystem) consists of a set of algorithms (algorithm) together with all the possible keys (key), plaintexts (plaintext) and ciphertexts (ciphertext)
- Its security (security) rests on a secret key that others do not know, not on the algorithm (Kerckhoffs’s principle)
- The algorithm is made public, which makes it possible to define standards and build interoperable applications
The Two Major Types of Cryptosystem

- Conventional: symmetric key (Symmetric Key)
- Public-key (Public-Key, 1976~): asymmetric key (Asymmetric Key)
Conventional Symmetric Cryptosystem

[Diagram] Plaintext → Encrypt (symmetric key) → Ciphertext → Decrypt (the same symmetric key) → Plaintext
- DES (Data Encryption Standard) – chip-based bank cards
- AES (Advanced Encryption Standard)
Private Key and Public Key

- Private key (Private Key) → public key (Public Key): easy to compute
- Public key → private key: very hard
- This asymmetry is achieved with mathematical tools
Public Key Cryptosystem

[Diagram] Plaintext → Encrypt (public key) → Ciphertext → Decrypt (private key) → Plaintext
- The most widely used PKC: RSA (Rivest – Shamir – Adleman, 1977)
- A PKC receiving growing attention: ECC (Elliptic Curve Cryptosystem)
Digital Signature

[Diagram] Message → Sign (private key) → Signature → Verify (public key)
The security goals of cryptography:
* Confidentiality
* Integrity
* Authentication
* Non-Repudiation
(a signature provides the last three; confidentiality comes from encryption)
New Standard: AES

- Standard FIPS-197 approved by NIST in 2001
- Official scope is limited:
   US Federal Administration will use AES as Government standard from 26 May 2002
   Documents that are “sensitive but not classified”
- Significance is huge: the successor of DES
- Block size: 128 bits (16 bytes)
- Key length: 128/192/256 bits (16/24/32 bytes)
- Strong algebraic structure
2. Public-Key Cryptosystems
RSA

Key generation (RSA-1024)
- Generate large primes p and q of at least 512 bits
- Compute N = p q and φ(N) = φ(p) φ(q) = (p − 1)(q − 1)
- Select random e with 1 < e < φ(N) and gcd(e, φ(N)) = 1
- Using XGCD (the extended Euclidean algorithm), compute the unique integer d with 1 < d < φ(N) and e d ≡ 1 (mod φ(N))
- Public key: (N, e), which is published
- Private key: (d, p, q), which is kept secret
Encryption & Decryption

Encryption: If Bob wants to encrypt a message for Alice, he does the following
- Obtain Alice’s authentic public key (N, e)
- Represent the message as a number 0 < x < N
- Compute y = x^e mod N
- Send the ciphertext y to Alice
Decryption: To recover x from y, Alice does the following
- Use the private key d to recover x = y^d mod N
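The key generation, encryption and decryption of the two preceding slides in working code. This is an added example, not code from the slides: it implements XGCD for d, Miller-Rabin for the prime search, and the textbook (unpadded) RSA operations exactly as the slides state them. The textbook check values p = 61, q = 53, e = 17 are an assumption of this example, chosen because the resulting numbers can be verified by hand.

```python
from math import gcd
from random import randrange


def egcd(a, b):
    """Extended Euclid (the slide's XGCD): returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def modinv(e, phi):
    """The unique d in [1, phi) with e*d = 1 (mod phi); fails if gcd(e, phi) != 1."""
    g, u, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(N) are not coprime")
    return u % phi


def is_probable_prime(n, rounds=40):
    """Miller-Rabin: a composite survives all rounds with probability at most 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set (so p*q really has the intended size),
    retried until it passes Miller-Rabin."""
    while True:
        c = randrange(1 << (bits - 1), 1 << bits) | 1
        if is_probable_prime(c):
            return c


def rsa_keys_from_primes(p, q, e):
    """Public key (N, e) and private key (d, p, q) from given primes, as on the slide."""
    N, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (N, e), (d, p, q)


def rsa_keygen(bits=1024, e=65537):
    """Two primes of bits/2 each; e is fixed to the common choice 65537 rather than
    drawn at random, so the coprimality check is the only retry condition."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_keys_from_primes(p, q, e)


def rsa_encrypt(pub, x):
    N, e = pub
    if not 0 < x < N:
        raise ValueError("message must satisfy 0 < x < N")
    return pow(x, e, N)


def rsa_decrypt(priv, y):
    d, p, q = priv
    return pow(y, d, p * q)


def demo_roundtrip(bits, x):
    """Generate a fresh key pair and check that decryption undoes encryption of x."""
    pub, priv = rsa_keygen(bits)
    return rsa_decrypt(priv, rsa_encrypt(pub, x)) == x


if __name__ == "__main__":
    pub, priv = rsa_keys_from_primes(61, 53, 17)
    print("public", pub, "private", priv)          # (3233, 17) and (2753, 61, 53)
    print("65 ->", rsa_encrypt(pub, 65), "->", rsa_decrypt(priv, rsa_encrypt(pub, 65)))
    print("512-bit round trip ok:", demo_roundtrip(512, 0x1234567890))
```

This is RSA exactly as the slide describes it, with no padding: encryption is deterministic and the ciphertext of x₁x₂ is the product of the ciphertexts, so deployed systems wrap x with OAEP (encryption) or PSS (signatures) before exponentiation. The slide’s “authentic public key” step is also the part no arithmetic solves; if Bob cannot bind (N, e) to Alice, an attacker substitutes his own key.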
Elliptic Curve y² = x³ + ax + b

[Figure: chord construction] R is determined by the line passing through P and Q

Elliptic Curve y² = x³ + ax + b

[Figure: tangent construction] R is determined by the tangent line if P = Q; the slope is derived by implicit differentiation
Discrete Logarithm Problem

- On Z_p: given a and g, find x such that g^x ≡ a (mod p)
- On elliptic curve groups: given P and Q, find x such that xP = Q
- Both are very hard computational problems, especially the latter, “ECDLP”
- The security of RSA is based on the difficulty of large integer factoring
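The chord-and-tangent group law of the two elliptic-curve figures, scalar multiplication, and the ECDLP itself on a curve small enough to solve by exhaustion. This is an added example, not code from the slides; the curve y² = x³ + 2x + 2 over F₁₇ with base point P = (5, 1) is a textbook toy curve assumed here (its group has 19 points), not a curve the slides mention.

```python
# Points are (x, y) tuples; None is the point at infinity O, the group identity.
# A curve is (a, b, p) for y^2 = x^3 + a x + b over F_p, p an odd prime.


def on_curve(P, curve):
    a, b, p = curve
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(P, Q, curve):
    """Chord-and-tangent law: the line through P and Q (the tangent when P = Q) meets
    the curve in a third point; R is its reflection across the x-axis."""
    a, _, p = curve
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:        # Q = -P: vertical line, no third point
        return None
    if P == Q:
        # dy/dx = (3x^2 + a) / (2y) from implicit differentiation of the curve equation
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p       # slope of the chord
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_neg(P, curve):
    return None if P is None else (P[0], (-P[1]) % curve[2])


def ec_mul(k, P, curve):
    """kP by double-and-add: O(log k) group operations, so computing Q = xP is cheap
    even when x has 256 bits. This is the easy direction."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, curve)
        P = ec_add(P, P, curve)
        k >>= 1
    return R


def ec_order(P, curve):
    """Smallest n > 0 with nP = O, by repeated addition (feasible only for tiny curves)."""
    n, Q = 1, P
    while Q is not None:
        Q = ec_add(Q, P, curve)
        n += 1
    return n


def ecdlp_bruteforce(P, Q, curve):
    """Recover x with xP = Q by walking through the multiples of P: work proportional to
    the order of P, which is exactly what a cryptographic curve makes infeasible."""
    R = None
    for x in range(ec_order(P, curve)):
        if R == Q:
            return x
        R = ec_add(R, P, curve)
    return None


if __name__ == "__main__":
    CURVE, P = (2, 2, 17), (5, 1)
    print("2P =", ec_add(P, P, CURVE), " order of P =", ec_order(P, CURVE))
    Q = ec_mul(7, P, CURVE)
    print("Q = 7P =", Q, " recovered x =", ecdlp_bruteforce(P, Q, CURVE))
```

The asymmetry the slide relies on is visible in the two loops: ec_mul takes about log₂ x steps, ecdlp_bruteforce about x steps. Generic algorithms (Pollard rho, baby-step giant-step) bring the latter down to about √(order of P), which is why a 256-bit curve order is considered to give roughly 128-bit security.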
Congruent Squares

- To factor N = p q, try to find integers x and y such that x² ≡ y² (mod N)
- If x ≢ ±y (mod N), then gcd(x − y, N) and gcd(x + y, N) are non-trivial factors of N: p q = N | (x² − y²) = (x + y)(x − y), while N divides neither factor on its own
- This idea from Fermat inspired the factoring methods of Continued Fraction, Quadratic Sieve, and Number Field Sieve
Integer Factoring Algorithms

- Length of input = $\lfloor \log_2 N \rfloor + 1 \approx \log N$
- Trial Division: $O\!\left(e^{(1/2)\log N}\right) = O(\sqrt{N})$
- Quadratic Sieve (1980’s): $O\!\left(e^{(1+o(1))(\log N)^{1/2}(\log\log N)^{1/2}}\right)$
- Number Field Sieve (1990’s): $O\!\left(e^{((64/9)^{1/3}+o(1))(\log N)^{1/3}(\log\log N)^{2/3}}\right)$
Complexity scale: $L(s) = O\!\left(e^{c(\log N)^{s}(\log\log N)^{1-s}}\right)$
- s = 1: exponential time
- 0 < s < 1: sub-exponential time
- s = 0: polynomial time (Shor’s quantum algorithm)
RSA Challenge Numbers
[Slide image: table of the RSA challenge numbers]

RSA-640 Factored
[Slide image]

RSA-640 Number
[Slide image: the decimal digits of RSA-640]

RSA-1024 Number
[Slide image: the decimal digits of RSA-1024]
3. Quadratic Sieve
Smooth Numbers

- F = { p_1, p_2, p_3, …, p_m } is a factor base consisting of prime numbers
- A number is smooth over F if all of its prime factors are in F
- We try to find smooth numbers r_i = p_1^{e_1} p_2^{e_2} p_3^{e_3} … p_m^{e_m} and record the e_i in the exponent vector v_i = (e_1, e_2, e_3, …, e_m)
Smooth Numbers

- Assume we have enough smooth numbers, e.g. k smooth numbers with k > m
- By linear algebra modulo 2, we can find a_i (= 0 or 1 for each i) such that
  $\sum_i a_i v_i \equiv (0, 0, \ldots, 0) \pmod 2$
- Then $\prod_i r_i^{a_i}$ becomes a square
Smooth Numbers

Example
 F = { 2, 3, 5, 7 } is a factor base
 Some smooth numbers over F:
  r1 = 105 = 3·5·7, r2 = 140 = 2²·5·7,
  r3 = 392 = 2³·7², r4 = 588 = 2²·3·7²
 Corresponding exponent vectors:
  v1 = (0, 1, 1, 1), v2 = (2, 0, 1, 1),
  v3 = (3, 0, 0, 2), v4 = (2, 1, 0, 2)
Smooth Numbers

- 1·v1 + 1·v2 + 0·v3 + 1·v4 = (4, 2, 2, 4) ≡ (0, 0, 0, 0) (mod 2)
- We get a square: r1 r2 r4 = 2⁴ · 3² · 5² · 7⁴
- Recall: the goal is to find x² ≡ y² (mod N)
- The question then becomes finding many smooth numbers over a factor base F
Quadratic Sieve

- To factor N, define g(x) = x² − N, where x is an integer between √N and √(2N)
- Note that g : Z → Z_N preserves multiplication, since g(x) ≡ x² (mod N)
- We want to find enough smooth g(x_i)
- p | g(x_i) implies p | g(x_i + p): if p | (x_i² − N), then 0 ≡ x_i² − N ≡ x_i² − N + 2p x_i + p² = (x_i + p)² − N (mod p)
- “Sieve” g(x_i) with every prime p in the factor base
Quadratic Sieve

- Record g(x_i) in an array G
- For each x_i: if p | g(x_i), G[x_i] := G[x_i] + log p (integer addition for speed)
- After sieving, check the smoothness of the g(x_i) whose G[x_i] ≥ chosen threshold
[Figure: sieve array with entries g(m+71) … g(m+85); the primes 2, 3, 5, 7 and the prime powers 4, 9 are marked at the entries they divide]
Quadratic Sieve

- Use linear algebra to find appropriate x_i’s such that ∏ g(x_i) = y²; then x = ∏ x_i satisfies x² = ∏ x_i² ≡ ∏ g(x_i) = y² (mod N)
- The problem of QS is that x² − N goes up quickly, hence the chance of smoothness decreases fast
- Q: Can we find another algebraic structure with a homomorphism to Z_N?
- A: A number field Q(α), with the number field sieve
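The whole pipeline of the Congruent Squares, Smooth Numbers and Quadratic Sieve slides on a toy modulus, as an added example that is not code from the slides: factor-base selection (only primes with N a quadratic residue can divide x² − N), the log-sieve that steps through the array by p and by prime powers instead of dividing, trial division of the candidates into exponent vectors, Gaussian elimination over GF(2) for the dependencies, and the final gcd. N = 8051 = 83 · 97, the smoothness bound B = 50 and the interval length M = 200 are assumptions chosen to keep the run instant; the root finding modulo prime powers is brute force, which is fine only at this size.

```python
from math import gcd, isqrt, log


def factor_base(N, B):
    """Primes p <= B with N a quadratic residue mod p: only those can divide x^2 - N."""
    fb = []
    for p in range(2, B + 1):
        if all(p % q for q in range(2, isqrt(p) + 1)):
            if p == 2 or pow(N, (p - 1) // 2, p) == 1:       # Euler's criterion
                fb.append(p)
    return fb


def sqrt_roots(N, q):
    """All r in [0, q) with r^2 = N (mod q), by brute force (q stays small in this toy)."""
    return [r for r in range(q) if (r * r - N) % q == 0]


def sieve(N, fb, m, M):
    """Log-sieve g(x) = x^2 - N for x in [m, m + M): q | g(x) implies q | g(x + q), so a
    hit is propagated by stepping through the array rather than by dividing.
    Returns (x, exponent vector) for every g(x) that is smooth over fb."""
    g = [x * x - N for x in range(m, m + M)]
    G = [0.0] * M
    for p in fb:
        q = p
        while q <= g[-1]:                          # each power p^k adds another log p
            for r in sqrt_roots(N, q):
                for i in range((r - m) % q, M, q):
                    G[i] += log(p)
            q *= p
    relations = []
    for i in range(M):
        if G[i] >= log(g[i]) - 0.5:                # candidate: confirm by trial division
            v, rest = [], g[i]
            for p in fb:
                e = 0
                while rest % p == 0:
                    rest //= p
                    e += 1
                v.append(e)
            if rest == 1:
                relations.append((m + i, v))
    return relations


def gf2_dependencies(vectors):
    """Index sets S with sum_{i in S} vectors[i] = 0 (mod 2), by elimination over GF(2).
    Each row is the bitmask of its odd exponents plus a bitmask of the inputs XORed in;
    a row that reduces to zero hands back that history as a dependency."""
    pivots, deps = {}, []
    for i, v in enumerate(vectors):
        mask = sum(1 << j for j, e in enumerate(v) if e % 2)
        hist = 1 << i
        while mask:
            col = mask.bit_length() - 1
            if col not in pivots:
                pivots[col] = (mask, hist)
                break
            pm, ph = pivots[col]
            mask ^= pm
            hist ^= ph
        if mask == 0:
            deps.append([k for k in range(len(vectors)) if hist >> k & 1])
    return deps


def quadratic_sieve(N, B=50, M=200):
    """Toy QS: returns (p, q) with p*q = N, or None if no dependency gives a proper factor."""
    fb = factor_base(N, B)
    for p in fb:
        if N % p == 0:
            return p, N // p
    m = isqrt(N) + 1                               # start just above sqrt(N) so g(x) > 0
    rels = sieve(N, fb, m, M)
    for S in gf2_dependencies([v for _, v in rels]):
        x, exps = 1, [0] * len(fb)
        for i in S:
            x = x * rels[i][0] % N                 # x = prod x_i
            exps = [a + b for a, b in zip(exps, rels[i][1])]
        y = 1                                      # y = sqrt(prod g(x_i)) from halved exponents
        for p, e in zip(fb, exps):
            y = y * pow(p, e // 2, N) % N
        for d in (gcd(x - y, N), gcd(x + y, N)):   # fails only when x = +-y (mod N)
            if 1 < d < N:
                return d, N // d
    return None


if __name__ == "__main__":
    print(factor_base(8051, 50))
    print(sieve(8051, factor_base(8051, 50), 90, 30))
    print(quadratic_sieve(8051), quadratic_sieve(1649))
```

Each dependency is a coin flip, which is the “probability ≥ ½” on the later NFS slide: the loop tries every dependency the elimination returns rather than the first one. For 8051 the very first relation, g(90) = 49 = 7², is already a square on its own, which is the lucky case the slides’ Fermat idea starts from.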
4. Number Field Sieve
SNFS and GNFS

Special Number Field Sieve (SNFS)
- Number of nice algebraic form
- Record: 2^1039 − 1 (the 1039th Mersenne number), 313 digits / 1039 bits, May 2007
  “A Kilobit Special Number Field Sieve Factorization”, Asiacrypt 2007
General Number Field Sieve (GNFS)
- No known nice algebraic form
- Record: RSA-200, 200 digits / 663 bits, 2005
Invention of SNFS

- John Pollard had the interesting idea to factor the 7th Fermat number F7 = 2^(2^7) + 1 by doing very clever computations in the number field Q(α) = Q[x] / ⟨x³ + 2⟩
- It was clear immediately that his idea could be used to factor any number of the form r^e ± s for small r and s
Invention of GNFS

- Subsequently, many people contributed to making the basic algorithm work for integers without such a special form
- General numbers can be factored with the same algorithm
  The first step (polynomial selection) becomes much harder
  The algorithm runs with much “worse” parameters than for numbers of special form
Polynomial Selection

- Find an irreducible polynomial f(x) such that f(m) ≡ 0 (mod N)
- We can write N in base m first: N = c_d m^d + … + c_1 m + c_0, and take f(x) = c_d x^d + … + c_1 x + c_0
- A lot of research and deep theory has been developed to make f(x) “better”
Number Field

- Let α be a complex root of f(x)
- Q(α) is a finite field extension of Q
- Q(α) is the number field associated to α
- Q(α) can be viewed as a vector space over Q, with a basis {1, α, α², …, α^(d−1)}
- d is the degree of f(x); [Q(α) : Q] = d
Ring Homomorphism

- A map h: A → B is a homomorphism if h(x + y) = h(x) + h(y) and h(x · y) = h(x) · h(y) for all x, y ∈ A
- Define a ring homomorphism φ: Z[α] → Z_N by φ(α) ≡ m (mod N)
- φ is a homomorphism because f(α) = 0 and f(m) ≡ 0 (mod N)
- φ(a − bα) ≡ a − bm (mod N)
Squares in Both Sides

Suppose there is a set S consisting of relatively prime pairs (a, b) satisfying both:
- $\prod_{(a,b)\in S} (a - b\alpha) = \beta^2$ for some $\beta \in \mathbb{Z}[\alpha]$ (which is called the algebraic side)
- $\prod_{(a,b)\in S} (a - bm) = y^2$ for some $y \in \mathbb{Z}$ (which is called the rational side)
Squares in Both Sides

Let x = φ(β); then we have
$x^2 = \varphi(\beta)^2 = \varphi(\beta^2) = \varphi\Big(\prod_{(a,b)\in S} (a - b\alpha)\Big) \equiv \prod_{(a,b)\in S} (a - bm) = y^2 \pmod N$
Therefore we factor N with probability ≥ ½
Four Major Steps

1. Polynomial Selection
   Choose a polynomial f(x) with a root m (mod N) and good properties
2. Sieving
   Find enough pairs (a, b) such that a − bm and a − bα are both smooth
   Each smooth pair (a, b) is called a relation
Four Major Steps

3. Matrix Reduction
   Form a very large matrix after finding and simplifying enough relations
   Solve the system of linear equations to obtain the required set S such that
   $\prod_{(a,b)\in S} (a - bm) = y^2$ for some $y \in \mathbb{Z}$ and $\prod_{(a,b)\in S} (a - b\alpha) = \beta^2$ for some $\beta \in \mathbb{Z}[\alpha]$
Four Major Steps

4. Square Root
   So far we have y² and β²; compute their square roots y and β
   Recall: x = φ(β)
   Many methods to compute β ∈ Z[α], but all of them are sophisticated
   Finally we get the congruent squares x² ≡ y² (mod N)
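Steps 1 and 2 of the procedure above on a toy number, as an added example that is neither the slides’ code nor GGNFS: base-m polynomial selection (N = 8051, d = 3, m = 20 are assumptions chosen so that f comes out monic), a rational-root check standing in for a real irreducibility test (sufficient at degree 3), arithmetic in Z[α] = Z[x]/(f) with the homomorphism φ verified on a product, the norm of a − bα, and relations found by plain trial division where the real algorithm uses a lattice siever. The matrix and square-root steps are not shown.

```python
from fractions import Fraction


def base_m_polynomial(N, m, d):
    """Base-m digits of N: N = c_d m^d + ... + c_1 m + c_0, so f(x) = sum c_i x^i has f(m) = N.
    Returns [c_0, ..., c_d]; requires m^(d+1) > N so that N has exactly d+1 digits."""
    coeffs = []
    for _ in range(d + 1):
        N, c = divmod(N, m)
        coeffs.append(c)
    if N:
        raise ValueError("need m^(d+1) > N")
    return coeffs


def poly_eval(coeffs, x, mod=None):
    """Horner evaluation of sum coeffs[i] x^i, optionally reduced mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
        if mod:
            acc %= mod
    return acc


def has_rational_root(coeffs):
    """Rational root test: a root p/q has p | c_0 and q | c_d. A cubic with no rational
    root is irreducible over Q; higher degrees need a genuine factorisation routine."""
    c0, cd = coeffs[0], coeffs[-1]
    if c0 == 0:
        return True
    divs = lambda n: [k for k in range(1, abs(n) + 1) if n % k == 0]
    return any(poly_eval(coeffs, s * Fraction(p, q)) == 0
               for p in divs(c0) for q in divs(cd) for s in (1, -1))


def mul_in_Z_alpha(u, v, f):
    """Product in Z[alpha] = Z[x]/(f) for monic f; elements are [u_0, ..., u_{d-1}]."""
    d = len(f) - 1
    if f[-1] != 1:
        raise ValueError("this toy reduces only modulo a monic f")
    prod = [0] * (2 * d - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] += a * b
    for k in range(2 * d - 2, d - 1, -1):      # alpha^d = -(f_0 + f_1 alpha + ... + f_{d-1} alpha^{d-1})
        c, prod[k] = prod[k], 0
        for i in range(d):
            prod[k - d + i] -= c * f[i]
    return prod[:d]


def phi(u, m, N):
    """The ring homomorphism Z[alpha] -> Z_N that sends alpha to m."""
    return poly_eval(u, m, N)


def check_homomorphism(u, v, f, m, N):
    """phi(u v) == phi(u) phi(v) (mod N): holds because f(alpha) = 0 and f(m) = 0 (mod N)."""
    return phi(mul_in_Z_alpha(u, v, f), m, N) == phi(u, m, N) * phi(v, m, N) % N


def norm(a, b, f):
    """N(a - b alpha) = b^d f(a/b) = sum c_i a^i b^(d-i) for monic f: an ordinary integer,
    and a - b alpha is called smooth when this norm is."""
    d = len(f) - 1
    return sum(c * a ** i * b ** (d - i) for i, c in enumerate(f))


def is_smooth(n, bound):
    n = abs(n)
    if n == 0:
        return False
    for p in range(2, bound + 1):
        while n % p == 0:
            n //= p
    return n == 1


def find_relations(f, m, A, B, bound):
    """Coprime pairs (a, b) whose rational side a - b m and algebraic norm are both
    bound-smooth, by trial division over |a| <= A, 1 <= b <= B."""
    from math import gcd
    rels = []
    for b in range(1, B + 1):
        for a in range(-A, A + 1):
            if gcd(a, b) == 1 and is_smooth(a - b * m, bound) and is_smooth(norm(a, b, f), bound):
                rels.append((a, b))
    return rels


if __name__ == "__main__":
    N, m, d = 8051, 20, 3
    f = base_m_polynomial(N, m, d)                      # [11, 2, 0, 1]: f(x) = x^3 + 2x + 11
    print("f =", f, " f(m) mod N =", poly_eval(f, m, N), " rational root:", has_rational_root(f))
    print("phi multiplicative:", check_homomorphism([0, 0, 1], [0, 1, 0], f, m, N))
    print("relations:", find_relations(f, m, 5, 3, 30))
```

For a real GNFS run the base-m polynomial is only the starting point: the leading coefficient is rarely 1, Z[α] is then not the ring of integers of Q(α), and the sieving region is a lattice of (a, b) pairs chosen per special prime rather than a rectangle, which is what the pol51 and gnfs-lasieve4I stages of the GGNFS pipeline later on the page handle.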
Observations

- Each step is very complicated: algebraic number theory, large effort to implement
- Sieving is the most time consuming
- The sieving time can be reduced by selecting a good polynomial f(x), i.e. finding a better polynomial can speed up the Number Field Sieve
5. Factoring RSA-512
Open Source GGNFS

[Flowchart of the GGNFS pipeline, reconstructed from the slide’s boxes]
- Already have a polynomial file? If NO: pol51m0 → pol51opt (polynomial selection)
- makefb (factor base)
- gnfs-lasieve4I (lattice sieve)
- procrels (process relations)
- Enough FF (full relations)? If NO: sieve again; if YES:
- matbuild → matsolve (matrix reduction)
- sqrt → Factored!
Speakers who contributed to the NFS workshop:
1. Dr. 楊柏因
2. Dr. 黃柏嶧
3. 歐陽奕 (NTU Electrical Engineering)
4. 余守壹 (NTU Computer Science)
5. 陳嘉欣 (NTU Electrical Engineering)
6. 林志宏 (NTU Computer Science)
7. 王柏翰 (NTU Computer Science)
RSA-512 Factoring

1999:
- 300 PCs, workstations, and supercomputers
- 6 months
- 17 experts all over the world
2008:
- 2 supercomputers
- 5 days!
Let’s play on the supercomputers at NTU …
Introduction to Supercomputers

Why is a supercomputer fast?
- One super-powerful CPU?? Of course not…
- Many ordinary CPUs, made to work together
- The program must be parallelised! It cannot be just single-threaded
Parallelising a Program

Two major parallel programming models
- MPI (Message Passing Interface)
  Communicates over the network
  Communication is slow
  Runs on many machines at once (a few hundred is fine!)
- OpenMP (Open Multi-Processing)
  Multi-threaded
  Communication is fast
  Limited in scale (on the p595 at most 64 CPUs)
NTU Computer Center Supercomputer 1

SMP mainframe (Symmetric Multi-Processing)
- IBM p595
- CPU: POWER5+ 1.9 GHz
- 64 CPU cores, 256 GB memory
- Announced price: NT$19.9 million
Simplified: one big computer, 64 CPUs, 256 GB RAM
NTU Computer Center Supercomputer 2

HP cluster
- Four front-end nodes and 106 back-end nodes
- Each back-end node: dual CPU with dual core (4 CPUs), 4 GB memory
- Interconnect: Voltaire 288 DDR switch
- Announced price: NT$19.9 million
Simplified: 106 computers connected over a network
Strange…

Same price… such a difference in CPU count?
- IBM p595: 64 CPUs
- HP cluster: 106 × 4 = 424 CPUs
The two machines are fundamentally different
- p595: one big computer, 64 CPUs, 256 GB RAM
- HP: 106 computers connected over a network
p595 Strengths

- 64 CPUs access the same memory: very well suited to OpenMP acceleration
- Huge RAM, 256 GB: an SMP mainframe, suited to programs that need a lot of memory
- Used by banks: balances must stay synchronised, so the work cannot be split up
p595 Weaknesses

- Still only 64 CPUs… cannot be sped up any further; it can run MPI programs, but has too few CPUs
- Individual CPUs are slow: only 1.9 GHz; a workstation may well run faster
HP Cluster Strengths / Weaknesses

- 424 cores: ideal for MPI
- 106 machines with separate memories: very unsuitable for OpenMP
  At most 4 threads
  Cannot use a large amount of memory
There Is No All-Purpose Supercomputer

Use different machines for different needs
- OpenMP: the p595 is probably better
- MPI: the HP cluster is probably better
Parallelising a Program

Very problem specific
- Some problems are easy to parallelise: sieving
- Some problems are harder to parallelise, or parallelise only to a limited degree: Block Lanczos
Parallelising Block Lanczos

- Iterative algorithm: each iteration depends on the previous one
- Many small functions called many times: MPI is likely to lose out
- Use OpenMP
Just Started on a New Machine…

p595
- Operating system: AIX 5.3
- Compiler: xlc
Ran into many problems…
- Makefiles are written differently, needed major changes (two hours)
- Infinite loop… xlc’s default char is unsigned char (one day)
Just Started on a New Machine…

Ran into many problems…
- malloc(0) returns NULL (one hour)
- The lattice sieve produced wrong results… (one week)
- Gave up… because the HP cluster became available!
Problems like these are hard to guard against…
- Read the compiler manual thoroughly first: default parameters, optimisation parameters
Thanks for Your Attention!