Integer Factoring in Cryptography
Dr. Jiun-Ming Chen, [email protected]
2008.3.11, Math department at NTNU

Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512

Historical Cipher
Gāius Jūlius Caesar (100 BC – 44 BC): a Roman military and political leader and one of the most influential men in world history. He played a critical role in the transformation of the Roman Republic into the Roman Empire.

Caesar Cipher Example (recall: A = 0, B = 1, C = 2, …, Y = 24, Z = 25)
- Plaintext: SPY (18 15 24)
- Ciphertext: VSB (21 18 1)
- Encryption: c = p + 3 mod 26
- Decryption: p = c − 3 mod 26

Historical Cipher: Shift Cipher
- Each letter is identified with a number: A = 0, B = 1, C = 2, …, Z = 25
- The key k is a number in the range 0 ~ 25
- Encryption adds k to each letter modulo 26
- Julius Caesar used k = 3: HELLO becomes KHOOR
- We break a shift cipher by using the statistics of the underlying language

Historical Cipher: English Letter Frequencies
- The most common bigrams are, in decreasing order: TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA
- The most common trigrams are, in decreasing order: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR
- Useful cryptanalysis rarely mentioned in books: conditional probability, e.g., which letter has the highest frequency right after the letter H?
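The shift-cipher slides above describe two things a defender should be able to reproduce: the cipher itself (HELLO becomes KHOOR under k = 3) and the statistical attack that recovers k from ciphertext alone. The following Python is an added example, not code from the slides: it implements the shift cipher, ranks all 26 keys by how closely the decrypted letter histogram matches a standard English frequency table (the table is an assumed reference table, not from the slides), and computes the conditional frequency the last bullet asks about (which letter most often follows H). The plaintext used for the demonstration is the verse recovered later in the talk, encrypted with the key 8 found there.

```python
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (percent) of letters in English text.
# Assumed standard reference table; it does not come from the slides.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def shift_encrypt(text, k):
    """Shift cipher: add k to every letter modulo 26 (A = 0, ..., Z = 25).
    Non-letters pass through unchanged; output is upper-case."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text, k):
    """Decryption is the shift by -k."""
    return shift_encrypt(text, -k)


def letters_only(text):
    return [ch for ch in text.upper() if ch in ALPHABET]


def chi_squared_score(text):
    """Distance between the letter histogram of `text` and standard English
    (lower is closer). Used to rank the 26 candidate keys."""
    letters = letters_only(text)
    n = len(letters)
    score = 0.0
    for ch in ALPHABET:
        observed = letters.count(ch)
        expected = n * ENGLISH_FREQ[ch] / 100.0
        score += (observed - expected) ** 2 / expected
    return score


def recover_key(ciphertext):
    """Try every shift; keep the one whose decryption looks most like English."""
    return min(range(26), key=lambda k: chi_squared_score(shift_decrypt(ciphertext, k)))


def most_common_follower(text, letter):
    """Conditional frequency: the letter that most often follows `letter`
    (spaces and punctuation are ignored)."""
    letters = letters_only(text)
    counts = {}
    for prev, cur in zip(letters, letters[1:]):
        if prev == letter.upper():
            counts[cur] = counts.get(cur, 0) + 1
    return max(counts, key=counts.get) if counts else None


# Demonstration plaintext: the verse revealed on the slides (key 8 in the talk).
POEM = ("There once was an ugly duckling With feathers all stubby and brown "
        "And the other birds said in so many words Get out of town "
        "Get out, get out, get out of town "
        "And he went with a quack and a waddle and a quack In a flurry of eiderdown "
        "That poor little ugly duckling Went wandering far and near "
        "But at every place they said to his face Now get out, get out, get out of here "
        "And he went with a quack and a waddle and a quack And a very unhappy tear")

if __name__ == "__main__":
    ct = shift_encrypt(POEM, 8)
    print(ct[:40])
    print("recovered key:", recover_key(ct))
    print("letter most often after H:", most_common_follower(POEM, "H"))
```

Note that the chi-squared ranking needs a few dozen letters to be reliable; on a three-letter ciphertext such as VSB it has nothing to work with, which is exactly why the slides move from the toy example to a full verse.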
Historical Cipher: take the following example cipher text
BPMZM WVKM EIA IV COTG LCKSTQVO EQBP NMIBPMZA ITT ABCJJG IVL JZWEV IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA OMB WCB WIN BWEV OMB WCB, OMB WCB , OMB WCB WIN BWEV IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS QV I NTCZZG WN MQL MZLWEV BPIB XWWZ TQBBTM COTG LCKS TQVO EMVB EIVLMZQVO NIZ IVL VMIZ JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM VWE OMB WCB, OMB WCB, OMB WCB WN PMZM IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS IVL I DMZG CVPIXXG BMIZ
We need to compare the frequency distribution of this text with standard English.

Historical Cipher: Frequency Comparison
[Figure: letter-frequency histograms of the underlying plain text (standard English) and of the cipher text]
- The shift of E seems to be either 4, 8, 17, 18 or 23
- The shift of A seems to be either 1, 8, 12, 21 or 22

Historical Cipher: Hence the key is probably equal to 8
We can now decrypt the cipher text to reveal:
There once was an ugly duckling / With feathers all stubby and brown / And the other birds said in so many words / Get out of town / Get out, get out, get out of town / And he went with a quack and a waddle and a quack / In a flurry of eiderdown / That poor little ugly duckling / Went wandering far and near / But at every place they said to his face / Now get out, get out, get out of here / And he went with a quack and a waddle and a quack / And a very unhappy tear

Basic Principles of Cryptosystem Operation
- A cryptosystem (cryptosystem) comprises a set of algorithms and all possible keys, plaintexts, and ciphertexts
- Its security is based on the private key being unknown to others, not on the algorithm
- A public algorithm makes it easier to set standards and build interoperable applications

The Two Major Types of Cryptosystems
- Traditional: symmetric key
- Public key (1976~): asymmetric key

Traditional Symmetric Cryptosystem
Plaintext → Encrypt (symmetric key) → Ciphertext → Decrypt (same symmetric key) → Plaintext
- DES (Data Encryption Standard): used in chip bank cards
- AES (Advanced Encryption Standard)

Private Key and Public Key
- Private key → public key: easy to compute
- Public key → private key: very difficult
- This asymmetry is achieved with mathematical tools
Public Key Cryptosystem
Plaintext → Encrypt (public key) → Ciphertext → Decrypt (private key) → Plaintext
- The most widely used PKC: RSA (Rivest – Shamir – Adleman, 1977)
- A PKC receiving growing attention: ECC (Elliptic Curve Cryptosystem)

Digital Signature
Message → Sign (private key) → Signature → Verify (public key) → Message
- Confidentiality
- Integrity
- Authentication
- Non-Repudiation

New Standard: AES
- Standard FIPS-197, approved by NIST in 2001
- Official scope is limited: the US Federal Administration will use AES as a Government standard from 26 May 2002, for documents that are “sensitive but not classified”
- Significance is huge: the successor of DES
- Block size: 128 bits (16 bytes)
- Key length: 128/192/256 bits (16/24/32 bytes)
- Strong algebraic structure

Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512

RSA Key Generation (RSA-1024)
- Generate large primes p and q of at least 512 bits
- Compute N = p q and φ(N) = φ(p) φ(q) = (p − 1)(q − 1)
- Select a random e with 1 < e < φ(N) and gcd(e, φ(N)) = 1
- Using XGCD, compute the unique integer d with 1 < d < φ(N) and e d ≡ 1 (mod φ(N))
- Public key: (N, e), which is published
- Private key: (d, p, q), which is kept secret

Encryption & Decryption
Encryption: if Bob wants to encrypt a message for Alice, he does the following
- Obtain Alice’s authentic public key (N, e)
- Represent the message as a number 0 < x < N
- Compute y = x^e mod N
- Send the ciphertext y to Alice
Decryption: to recover x from y, Alice does the following
- Use the private key d to recover x = y^d mod N

Elliptic Curve: y² = x³ + ax + b
[Figure: chord-and-tangent addition of points on an elliptic curve]
- R is determined by the line passing through P and Q
- R is determined by the tangent line if P = Q
- The slope is derived by implicit differentiation

Discrete Logarithm Problem
- On Z_p: given a and g, find x such that g^x ≡ a (mod p)
- On elliptic curve groups: given P and Q, find x such that xP = Q
- Both are very hard computational problems, especially the latter, “ECDLP”
- The security of RSA is based on the difficulty of large integer factoring

Congruent Squares
- To factor N = p q, try to find integers x and y such that x² ≡ y² (mod N)
- If x ≢ ±y (mod N), then gcd(x − y, N) and gcd(x + y, N) are non-trivial factors of N
- p q = N | (x² − y²) = (x + y)(x − y)
- This idea from Fermat inspired the factoring methods of Continued Fraction, Quadratic Sieve, and Number Field Sieve

Integer Factoring Algorithms
Length of input = ⌊log₂ N⌋ + 1 ≈ log N
- Trial Division: O(e^{(1/2) log N})
- Quadratic Sieve (1980’s): O(e^{(1 + o(1)) (log N)^{1/2} (log log N)^{1/2}})
- Number Field Sieve (1990’s): O(e^{((64/9)^{1/3} + o(1)) (log N)^{1/3} (log log N)^{2/3}})
Complexity L(s) = O(e^{c (log N)^s (log log N)^{1 − s}}):
- s = 1: exponential time
- 0 < s < 1: sub-exponential time
- s = 0: polynomial time (Shor’s quantum algorithm)

RSA Challenge Numbers
[Figure: table of the RSA challenge numbers]

RSA-640 Factored
[Figure]

RSA-640 Number
[Figure: the 640-bit challenge number]

RSA-1024 Number
[Figure: the 1024-bit challenge number]

Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
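The RSA key-generation, encryption and congruent-squares slides in the section above can be exercised end to end with the following Python, an added example rather than code from the talk. It follows the slide's recipe (N = p q, φ(N) = (p − 1)(q − 1), d from XGCD, y = x^e mod N, x = y^d mod N), then shows why the scheme stands or falls with factoring: a congruence x² ≡ y² (mod N) with x ≢ ±y splits N, and whoever knows p and q can recompute d. The textbook-sized key (p = 61, q = 53, e = 17) and the witnesses 794 and 1 are constructed values chosen so the arithmetic is checkable by hand; the Miller–Rabin primality test used to draw 512-bit primes is an assumption of this example, not something the slides specify.

```python
from math import gcd
import random


def xgcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def modinv(e, n):
    """The unique d with e*d = 1 (mod n), as the slide computes with XGCD."""
    g, u, _ = xgcd(e, n)
    if g != 1:
        raise ValueError("no inverse: gcd is not 1")
    return u % n


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases (assumed test, adequate for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(p, q, e=65537):
    """Slide recipe: N = p q, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (n, e), (modinv(e, phi), p, q)


def rsa_encrypt(public_key, x):
    n, e = public_key
    assert 0 < x < n, "message must be represented as a number 0 < x < N"
    return pow(x, e, n)


def rsa_decrypt(private_key, y):
    d, p, q = private_key
    return pow(y, d, p * q)


def factor_from_congruent_squares(n, x, y):
    """If x^2 = y^2 (mod n) and x != +-y (mod n), gcd(x - y, n) is a proper factor."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent mod n")
    if x % n in (y % n, (-y) % n):
        return None                      # trivial congruence: no information
    f = gcd(x - y, n)
    return tuple(sorted((f, n // f)))


def private_key_from_factors(public_key, p, q):
    """Knowing p and q is enough to rebuild d: RSA's security rests on factoring N."""
    n, e = public_key
    assert p * q == n
    return modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)           # constructed toy key, not secure
    y = rsa_encrypt(pub, 65)
    print(pub, priv, y, rsa_decrypt(priv, y))
    print(factor_from_congruent_squares(3233, 794, 1))   # 794^2 = 1 (mod 3233), 794 != +-1
    n1024, _ = rsa_keygen(random_prime(512), random_prime(512))
    print("RSA-1024 modulus bits:", n1024[0].bit_length())
```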
Smooth Numbers
- F = { p_1, p_2, p_3, …, p_m } is a factor base consisting of prime numbers
- A number is smooth over F if all of its prime factors are in F
- We try to find smooth numbers r_i = p_1^e_1 p_2^e_2 p_3^e_3 … p_m^e_m and record the e_j in the exponent vector v_i = (e_1, e_2, e_3, …, e_m)

Smooth Numbers
- Assume we have enough smooth numbers, e.g. k smooth numbers with k > m
- By linear algebra modulo 2, we can find a_i (= 0 or 1 for each i) such that Σ_i a_i v_i ≡ (0, 0, …, 0) (mod 2)
- Then Π_i r_i^a_i becomes a square

Smooth Numbers: Example
- F = { 2, 3, 5, 7 } is a factor base
- Some smooth numbers over F: r_1 = 105 = 3·5·7, r_2 = 140 = 2²·5·7, r_3 = 392 = 2³·7², r_4 = 588 = 2²·3·7²
- Corresponding exponent vectors: v_1 = (0, 1, 1, 1), v_2 = (2, 0, 1, 1), v_3 = (3, 0, 0, 2), v_4 = (2, 1, 0, 2)
- 1·v_1 + 1·v_2 + 0·v_3 + 1·v_4 = (4, 2, 2, 4) ≡ (0, 0, 0, 0) (mod 2)
- We get a square: r_1 r_2 r_4 = 2⁴ 3² 5² 7⁴
- Recall: the goal is to find x² ≡ y² (mod N)
- The question then becomes finding many smooth numbers over a factor base F

Quadratic Sieve
- To factor N, define g(x) = x² − N, where x is an integer between √N and √(2N)
- Note that g : Z → Z_N preserves multiplication
- We want to find enough smooth g(x_i)
- p | g(x_i) implies p | g(x_i + p): if p | (x_i² − N), then 0 ≡ x_i² − N ≡ x_i² − N + 2 p x_i + p² = (x_i + p)² − N (mod p)
- “Sieve” g(x_i) with every prime p in the factor base

Quadratic Sieve
- Record g(x_i) in an array G for each x_i
- If p | g(x_i), set G[x_i] := G[x_i] + log p (integer addition for speed)
- After sieving, check the smoothness only of those g(x_i) whose G[x_i] ≥ the chosen threshold
[Figure: sieve array g(m+71) … g(m+85), with the entries hit by 2, 3, 4, 5, 7 and 9 marked]

Quadratic Sieve
- Use linear algebra to find appropriate x_i’s such that Π g(x_i) = y²; then x = Π x_i satisfies x² = Π x_i² ≡ Π g(x_i) = y² (mod N)
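The smooth-number and sieving slides above are close to a complete algorithm, so here is the whole quadratic sieve in one place as an added example (it is not code from the talk). It builds the factor base of primes p for which x² ≡ N (mod p) is solvable, runs the log-accumulating sieve exactly as the slide describes (add log p at every x ≡ r (mod p), since p | g(x) implies p | g(x + p)), confirms smoothness of the candidates by trial division, keeps the exponent vectors modulo 2 with a tiny incremental Gaussian elimination over GF(2), and turns each dependency into x² ≡ y² (mod N) and a gcd. The numbers 15347 and 8051, the bound 50 and the threshold slack are constructed demonstration parameters; the exponent-vector helper reproduces the slide's F = {2, 3, 5, 7} example.

```python
from math import gcd, isqrt, log


def small_primes(bound):
    """Primes up to bound (sieve of Eratosthenes)."""
    flags = [True] * (bound + 1)
    flags[0] = flags[1] = False
    for i in range(2, isqrt(bound) + 1):
        if flags[i]:
            for j in range(i * i, bound + 1, i):
                flags[j] = False
    return [i for i, f in enumerate(flags) if f]


def factor_base(n, bound):
    """Factor base: primes p <= bound with x^2 = n (mod p) solvable, plus those roots."""
    fb = []
    for p in small_primes(bound):
        roots = [r for r in range(p) if (r * r - n) % p == 0]
        if roots:
            fb.append((p, roots))
    return fb


def exponent_vector(value, primes):
    """Exponent vector of value over the factor base, or None if not smooth."""
    exps = []
    for p in primes:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def sieve_interval(n, fb, start, length, slack):
    """The slide's sieve: G[x] += log p at every x = r (mod p). Return the x whose
    accumulated log is within `slack` of log g(x) (prime powers are only counted once)."""
    G = [0.0] * length
    for p, roots in fb:
        for r in roots:
            for i in range((r - start) % p, length, p):
                G[i] += log(p)
    candidates = []
    for i in range(length):
        x = start + i
        gx = x * x - n
        if gx > 0 and G[i] + slack >= log(gx):
            candidates.append(x)
    return candidates


def combine(n, relations, mask, primes):
    """x = prod x_i (mod n), y = sqrt(prod g(x_i)) from the even exponent sums; then gcd."""
    x, total = 1, [0] * len(primes)
    for i, (xi, exps) in enumerate(relations):
        if mask >> i & 1:
            x = x * xi % n
            total = [a + b for a, b in zip(total, exps)]
    y = 1
    for p, e in zip(primes, total):
        y = y * pow(p, e // 2, n) % n          # every e is even by construction
    for f in (gcd(x - y, n), gcd(x + y, n)):
        if 1 < f < n:
            return tuple(sorted((f, n // f)))
    return None                               # x = +-y (mod n): need another dependency


def quadratic_sieve(n, bound=50, chunk=256):
    """Factor n: sieve g(x) = x^2 - n from sqrt(n) upward, then find a subset of
    relations whose exponent vectors sum to zero mod 2 (GF(2) elimination with a
    history bit-mask per pivot row) and apply the congruent-squares trick."""
    fb = factor_base(n, bound)
    primes = [p for p, _ in fb]
    slack = 2 * log(primes[-1])
    relations, pivots = [], {}
    start = isqrt(n) + 1
    while start < n:
        for x in sieve_interval(n, fb, start, chunk, slack):
            exps = exponent_vector(x * x - n, primes)
            if exps is None:
                continue                      # sieve hit that was not actually smooth
            vec = sum(1 << i for i, e in enumerate(exps) if e % 2)
            hist = 1 << len(relations)
            relations.append((x, exps))
            while vec:                        # reduce against existing pivot rows
                lead = vec.bit_length() - 1
                if lead not in pivots:
                    pivots[lead] = (vec, hist)
                    break
                pvec, phist = pivots[lead]
                vec ^= pvec
                hist ^= phist
            else:                             # vec is 0: rows in hist multiply to a square
                factors = combine(n, relations, hist, primes)
                if factors:
                    return factors
        start += chunk
    return None


if __name__ == "__main__":
    print(exponent_vector(588, [2, 3, 5, 7]))   # the slide's r_4 = 2^2 * 3 * 7^2
    print(quadratic_sieve(15347), quadratic_sieve(8051))
```

The slack term matters: the sieve adds log p once per prime, so g(x) = 17·31² accumulates only log 17 + log 31; a threshold of exactly log g(x) would reject it even though it is smooth. Trial division on the surviving candidates then removes the false positives that a generous threshold lets through.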
- The problem of QS is that x² − N goes up quickly, hence the chance of smoothness decreases fast
- Q: Can we find another algebraic structure with a homomorphism to Z_N?
- A: The number field Q(α), with the number field sieve

Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512

SNFS and GNFS
Special Number Field Sieve (SNFS)
- Numbers of nice algebraic form
- Record: 2^1039 − 1 (the 1039th Mersenne number), 313 digits / 1039 bits, May 2007: “A Kilobit Special Number Field Sieve Factorization”, Asiacrypt 2007
General Number Field Sieve (GNFS)
- No known nice algebraic form
- Record: RSA-200, 200 digits / 663 bits, 2005

Invention of SNFS
- John Pollard had the interesting idea to factor the 7th Fermat number F_7 = 2^(2^7) + 1 by doing very clever computations in the number field Q(α) = Q[x] / <x³ + 2>
- It was clear immediately that his idea could be used to factor any number of the form r^e ± s for small r and s

Invention of GNFS
- Subsequently, many people contributed to making the basic algorithm work for integers without such a special form
- General numbers can be factored with the same algorithm
- The first step (polynomial selection) becomes much harder
- The algorithm runs with much “worse” parameters than for numbers of special form

Polynomial Selection
- Find an irreducible polynomial f(x) such that f(m) ≡ 0 (mod N)
- We can write N in base m first: N = c_d m^d + … + c_1 m + c_0, and take f(x) = c_d x^d + … + c_1 x + c_0
- A lot of research and deep theory has been developed to make f(x) “better”

Number Field
- Let α be a complex root of f(x)
- Q(α) is a finite field extension of Q
- Q(α) is the number field associated to f(x)
- Q(α) can be viewed as a vector space over Q, with a basis {1, α, α², …, α^(d−1)}
- d is the degree of f(x): [Q(α) : Q] = d

Ring Homomorphism
- A map h: A → B is a homomorphism if h(x + y) = h(x) + h(y) and h(x y) = h(x) h(y) for all x, y ∈ A
- Define a ring homomorphism φ: Z[α] → Z_N by φ(α) ≡ m (mod N)
- φ is a homomorphism because f(α) = 0 and f(m) ≡ 0 (mod N)
- φ(a − bα) ≡ a − bm (mod N)

Squares on Both Sides
Suppose there is a set S consisting of relatively prime pairs (a, b) satisfying both:
- Π_{(a,b)∈S} (a − bα) = β² for some β ∈ Z[α] (this is called the algebraic side)
- Π_{(a,b)∈S} (a − bm) = y² for some y ∈ Z (this is called the rational side)

Squares on Both Sides
- Let x = φ(β); then we have x² = φ(β)² = φ(β²) = φ(Π (a − bα)) ≡ Π (a − bm) = y² (mod N)
- Therefore we factor N with probability ½

Four Major Steps
1. Polynomial Selection: choose a polynomial f(x) with a root m (mod N) and good properties
2. Sieving: find enough pairs (a, b) such that a − bm and a − bα are both smooth; each smooth pair (a, b) is called a relation
3. Matrix Reduction: form a very large matrix after finding and simplifying enough relations, then solve the system of linear equations to obtain the required set S such that Π_{(a,b)∈S} (a − bm) = y² for some y ∈ Z and Π_{(a,b)∈S} (a − bα) = β² for some β ∈ Z[α]
4. Square Root: so far we have y² and β²; compute their square roots y and β (recall: x = φ(β)); there are many methods to compute β ∈ Z[α], but all of them are sophisticated; finally we get the congruent squares x² ≡ y² (mod N)

Observations
- Each step is very complicated algebraic number theory: a large effort to implement
- Sieving is the most time consuming step
- The sieving time can be reduced by selecting a good polynomial f(x), i.e. finding a better polynomial can speed up the Number Field Sieve
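The polynomial-selection and ring-homomorphism slides above are the part of the number field sieve that can be checked with a few lines of arithmetic, so the following Python is added here as an example (not code from the talk): it performs base-m polynomial selection and verifies f(m) ≡ 0 (mod N); it represents elements of Z[α] = Z[x]/(f) as coefficient lists reduced modulo a monic f (the basis 1, α, …, α^(d−1) from the number-field slide); and it checks the identity the homomorphism slide relies on, that φ(Π (a − bα)) ≡ Π (a − bm) (mod N) when φ sends α to m. The test data use Pollard's own instance from the SNFS slide, F_7 = 2^128 + 1 with f(x) = x³ + 2 and m = 2^43 (2^129 ≡ −2 mod F_7, so f(m) vanishes), plus constructed pairs (a, b) and a constructed base-m example for N = 15347.

```python
def base_m_polynomial(n, m):
    """Write n in base m, n = c_d m^d + ... + c_1 m + c_0, returned as [c_0, ..., c_d].
    Then f(x) = sum c_i x^i satisfies f(m) = n, i.e. f(m) = 0 (mod n)."""
    coeffs = []
    while n:
        n, c = divmod(n, m)
        coeffs.append(c)
    return coeffs


def poly_eval_mod(coeffs, x, n):
    """Evaluate sum c_i x^i modulo n by Horner's rule (coefficients may be negative)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % n
    return acc


def poly_mul(p, q):
    """Product of two integer polynomials given as low-to-high coefficient lists."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out


def poly_reduce(p, f):
    """Reduce p modulo a monic f: the representative of p in Z[alpha] = Z[x]/(f)
    with degree < deg f, written in the basis 1, alpha, ..., alpha^(d-1)."""
    assert f[-1] == 1, "f must be monic to reduce over the integers"
    p = list(p)
    d = len(f) - 1
    while len(p) > d:
        lead = p.pop()               # coefficient of x^(d+k), k = len(p) - d after the pop
        k = len(p) - d
        for i in range(d):           # x^(d+k) = -(f_0 x^k + ... + f_(d-1) x^(d-1+k)) mod f
            p[k + i] -= lead * f[i]
    return p


def algebraic_product(pairs, f):
    """prod (a - b*alpha) in Z[alpha], reduced modulo f."""
    acc = [1]
    for a, b in pairs:
        acc = poly_reduce(poly_mul(acc, [a, -b]), f)
    return acc


def rational_product(pairs, m, n):
    """prod (a - b*m) modulo n: the rational side of the same relations."""
    acc = 1
    for a, b in pairs:
        acc = acc * (a - b * m) % n
    return acc


def phi(element, m, n):
    """The ring homomorphism phi: Z[alpha] -> Z_N with phi(alpha) = m, i.e. evaluate at m."""
    return poly_eval_mod(element, m, n)


# Pollard's SNFS instance from the slides: F_7 = 2^128 + 1, f(x) = x^3 + 2, m = 2^43.
F7 = 2 ** 128 + 1
F_POLLARD = [2, 0, 0, 1]
M_POLLARD = 2 ** 43

if __name__ == "__main__":
    print(poly_eval_mod(F_POLLARD, M_POLLARD, F7))           # f(m) mod F_7
    pairs = [(1, 2), (3, -1), (5, 7)]                        # constructed (a, b) pairs
    beta = algebraic_product(pairs, F_POLLARD)
    print(beta, phi(beta, M_POLLARD, F7) == rational_product(pairs, M_POLLARD, F7))
    print(base_m_polynomial(15347, 25))                      # constructed base-m example
```

Because reduction modulo f only subtracts multiples of f, and f(m) ≡ 0 (mod N), the reduced and unreduced products evaluate to the same residue: that is precisely why φ is well defined on Z[α] and why the algebraic-side square β² maps to the rational-side square y².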
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512

Open Source: GGNFS
[Figure: GGNFS pipeline flowchart]
- Already have a polynomial file? NO: run pol51m0, then pol51opt, to produce one. YES: go straight to makefb
- makefb → gnfs-lasieve4I (sieve) → procrels
- Enough FF (full relations)? NO: sieve more. YES: matbuild → matsolve → sqrt → Factored!

Speakers who contributed to the NFS workshop:
1. Dr. 楊柏因
2. Dr. 黃柏嶧
3. 歐陽奕 (NTU Electrical Engineering)
4. 余守壹 (NTU Computer Science)
5. 陳嘉欣 (NTU Electrical Engineering)
6. 林志宏 (NTU Computer Science)
7. 王柏翰 (NTU Computer Science)

RSA-512 Factoring
- 1999: 300 PCs, workstations, and supercomputers; 6 months; 17 experts all over the world
- 2008: 2 supercomputers; 5 days!
- Let’s play on the supercomputers at NTU …

Introduction to Supercomputers
- Why does a supercomputer run fast? One super-powerful CPU?? Of course not…
- Many ordinary CPUs, made to cooperate
- Programs must be parallelized! Not just single thread

Parallelizing Programs
Two major parallel models:
- MPI (Message Passing Interface): communicates over the network; communication is slow; many machines run together (a few hundred is OK!)
- OpenMP (Open Multi-Processing): multi-thread; communication is fast; has a hard limit (on the p595, at most 64 CPUs)

NTU Computer Center Supercomputer 1
- SMP mainframe (Symmetric Multi-Processing): IBM p595
- CPU: power5+ 1.9G, 64 CPU cores, 256GB memory
- Announced price: 19.9 million
- In short: one big machine, 64 CPUs, 256GB RAM

NTU Computer Center Supercomputer 2
- HP cluster made up of four front-end and 106 back-end nodes
- Each back-end node: dual CPU with dual core (4 CPUs), 4GB memory
- Network: Voltaire 288 DDR switch
- Announced price: 19.9 million
- In short: 106 machines connected by a network

Strange… the same price… but such a difference in CPU count?
- IBM p595: 64 CPUs
- HP cluster: 106 × 4 = 424 CPUs
- The two machines are fundamentally different
- p595: one big machine, 64 CPUs, 256GB RAM
- HP: 106 machines connected by a network

p595 Strengths
- 64 CPUs access the same memory
- Huge RAM: 256GB
- Very well suited to OpenMP acceleration
- An SMP mainframe suits programs that need a lot of memory
- Used by banks: balances must be synchronized and cannot be computed separately

p595 Weaknesses
- Only 64 CPUs… cannot be sped up any further…
- It can run MPI programs, but there are too few CPUs…
- Each individual CPU is slow: only 1.9GHz; a workstation may well run faster

HP Cluster Strengths / Weaknesses
- 424 cores: ideal for MPI
- The 106 machines have independent memory: very unsuitable for OpenMP, at most 4 threads, and cannot use a large amount of memory

There Is No All-Purpose Supercomputer
- Use a different machine depending on the need
- OpenMP: the p595 is probably better
- MPI: the HP cluster is probably better

Parallelizing Programs
- Very problem specific
- Some problems parallelize easily: sieving
- Some problems are harder to parallelize, or parallelize only to a limited degree: Block Lanczos

Parallelizing Block Lanczos
- Iterative algorithm: each iteration depends on the previous one
- Many small functions called many times
- MPI is likely to lose out here; use OpenMP

First Time on a New Machine…
- p595 operating system: AIX 5.3; compiler: xlc
- Ran into many problems…
- Makefile conventions differ, needed a major rewrite (two hours)
- Infinite loop… xlc treats char as unsigned char by default (one day)

First Time on a New Machine…
- Ran into many problems…
- malloc(0) returns NULL (one hour)
- The lattice sieve output is wrong… (one week)
- Gave up… because the HP cluster became available!
- These problems are hard to guard against… read the compiler manual thoroughly first: default parameters, optimization parameters

Thanks for Your Attention!