Presentation is loading. Please wait.

Presentation is loading. Please wait.

Factorization of a 768-bit RSA modulus 20103575 Jung Daejin 20103453 Lee Sangho.

Published byAmberly Montgomery Modified over 8 years ago

Similar presentations

Presentation on theme: "Factorization of a 768-bit RSA modulus 20103575 Jung Daejin 20103453 Lee Sangho."— Presentation transcript:

1 Factorization of a 768-bit RSA modulus 20103575 Jung Daejin 20103453 Lee Sangho

2 Contents RSAMotivateNFSConclusion

3 RSA Public Key Algorithm Key generation 1.Choose prime # p,q 2.N = pq 3.Φ (N) = (p-1)(q-1) 4.Choose e such that 1<e< Φ (N) and e and Φ (N) are coprime 5.Find d such that de ≡ 1 (mod Φ (N))

4 Abstract - 1 Congruence of squares (n : composite integer) GCD(x-y, n), GCD(x+y, n) -are non-trivial factors of n -the probability is at least ½

5 Abstract - 2 Congruence of smooth squares ◦ B-smooth if the prime factors of |v| are at most B. ◦ If r(v i ) = v i 2 mod n are B-smooth for many v we can find subset such that ◦ Then, ※ The more # of v, the more chance to factor n.

6 Abstract - 3 Motivation of NFS (1) ◦ v 1, v 2 with relation (a,b) (b1, b2 bound) ◦ Relation (a,b) (a,b: coprime integer. b>0) ◦ f 1 (X), f 2 (X) ∈ Z[X] (with degree d1, d2, monic/irreducible) ◦ f 1 (m) ≡ f 2 (m) ≡ 0 mod n ◦ v k = b d k f k (a/b) ∈ Z (k=1,2)

7 Abstract - 4 Motivation of NFS (2) ◦ Q( α k ) = Q[X]/(f k (X)) (k=1,2)  Theorem 2.2.2. Given a monic, irreducible polynomial f(x) with rational coefficients, a root θ ∈ C of f(x), and the associated ring Q ( θ ), the following hold: Q( θ ) = Q[X]/(f(X)) Q( θ ) is a field

8 Abstract - 5 Motivation of NFS (2) ◦ a-b α k ∈ Z[ α k ]  have norm v k  belong to first degree prime ideals in Q( α k ) of norms equal to the prime factors of v k ◦ These prime ideals have bijective pair (p, r mod p) (p: prime, f k (r) ≡ 0 mod p) ◦ A first degree prime ideal corresponding to such a pair (p, r mod p) has norm p and is generated by p and r- α k

9 Abstract - 6 Motivation of NFS (3) ◦ Φ k : Z[ α k ] -> Z/nZ (k=1,2) ◦ Φ 1 (a-b α 1 ) ≡ Φ 2 (a-b α 2 ) mod n ◦ Finding a linear dependency modulo 2 among vectors ◦ Subset S will be made such that ◦ Φ 1 ( τ 1 2 ) ≡ Φ 2 ( τ 2 2 ) mod n ◦ Φ 1 ( τ 1 ) = x, Φ 1 ( τ 2 ) = y, (x 2 ≡ y 2 mod n)

10 Abstract - 6 RSA Factoring challenge ◦ RSA-768  123018668453011775513049495838496272077285 356959533479219732245215172640050726365751 874520219978646938995647494277406384592519 255732630345373154826850791702612214291346 167042921431160222124047927473779408066535 1419597459856902143413.  768-bit / 232-digit  Award $50000 USD but Retracted

11 NFS - 1 4 Steps ◦ Polynomial selection step  Find 2 good quality polynomials to use. ◦ Sieving step  Sieve the possible relations ◦ Matrix step  Find the dependency with matrix built with relations. ◦ Square root step  Find the x,y with

12 NFS - 2 Polynomial selection step(1) ◦ Criteria  d 1 ∈ N order, m : slightly smaller than n 1/d 1 d 1 > 1, d 2 = 1 (best quality polynomials) leading coefficient of f 2 is 10 or 11 prime factors equal to 1 mod 6 with at most one other factor < 2 15.5. leading coefficient of f 1 is a multiple of 258060

13 NFS - 3 Polynomial selection step(2) ◦ BSI produced 3 polynomial / selected one of them ◦ Above polynomials fit it the criteria.

14 NFS - 4 Polynomial selection step(3) Parameter selection must be done ◦ Smoothness bounds / Sieving region S(Z X Z >0 ) Non-zero integer x is (b k, b l )-smooth if with the exception of 4 prime factors between b k, b l, all remaining prime factors of |x| are at most b k. (b l ≥ max(b 1,b 2 ))

15 NFS - 5 Polynomial selection step(4) b 1 =1110 8, b 2 =210 8, b l = 2 40 (High Performance ) b 1 =4.510 8, b 2 =10 8, b l = 2 40 (Low Performance) |a| ≤6.310 11 & 0<b<1.410 7 (above values are guided by experience)

16 NFS - 6 Sieving step(1) Lattice sieving ◦ More efficient(harder) than Line sieving Pair (prime, root) = (q,s) (where q | f k (s)mod q) ◦ Fix a pair Q, L Q is defined as integer linear combinations of the vectors (q,0), (s,1) ∈ Z 2 ◦ S Q = S ∩ L Q ◦ Special Prime q divides b d 1 f 1 (a/b) for each (a,b) ∈ S Q

17 NFS - 7 Sieving step(2) Lattice sieving ◦ For each pair P for f 1 for which prime is bounded by b 1, mark the points in their intersection L P ∩ S Q ◦ Repeat pairs Q until we find enough relations have been found In Practice, fix bounds I, J ◦ S Q ={iu+jv : i,j ∈ Z, -I/2 ≤i< I/2, -J/2 ≤j< J/2,} ( Author used I = 2 16, J = 2 15 )

18 NFS - 8 Sieving step(3) During the process ◦ 480 million pairs for special q between 450 million and 11.1 billion ◦ Removing duplications(27.4%) ◦ Uniqueing was done ◦ Removing Singletons with clique removal Result ◦ 2458248361 relations ◦ 1697618199 prime ideals ◦ (It took about 2 years)

19 NFS - 9 Matrix step(1) In this step, we find dependency in the relations To achieve optimal performance, we build a binary matrix(good one). n X n matrix was built (n=192,796,550)

20 NFS - 10 Matrix step(2) Wiedemann algorithm (1) ◦ Given non-singular matrix M over F 2, b ∈ F 2 d, to solve the system Mx=b (F:minimal polynomial of M with at most d degree) Then we can denote x as

21 NFS - 11 Matrix step(3) Wiedemann algorithm (2) (m i,j the jth coordinate of the vector M i b / t ≥0 / 1≤ j ≤ d ) 1.2d+1 consecutive terms of the linear recurrence 2.We can calculate F i ’s with Berlekamp-Massey algorithm 3.Then we can calculate solution with F i ’s (Total 119 days)

22 NFS - 12 Square root step The last step on NFS 460 linear dependencies modulo 2 => 460 independent chances of about ½ to factor RSA-768 With the algorithm proposed in “Square roots of products of algebraric numbers” (It took 1 hour 40 minutes)

23 Conclusion -1 Factor p & q p = 3347807169895689878604416984821269081770479498371 3768568912431388982883793878002287614711652531743 087737814467999489 q = 3674604366679959042824463379962795263227915816434 3087642676032283815739666511279233373417143396810 270092798736308917 384 - bit / 116 - digit (20:16 GMT on December 12, 2009)

24 Conclusion -2 Warning about RSA ◦ 1024-bit RSA modulus will be not broken within next five year. ◦ After that, all bets are off.

25 Thank you!! Q & A

Download ppt "Factorization of a 768-bit RSA modulus 20103575 Jung Daejin 20103453 Lee Sangho."

Similar presentations

Splash Screen.

Splash Screen.
Mathematics of Cryptography Part II: Algebraic Structures

Mathematics of Cryptography Part II: Algebraic Structures
Cryptography and Network Security

Cryptography and Network Security
Integer Factorization By: Josh Tuggle & Kyle Johnson.

Integer Factorization By: Josh Tuggle & Kyle Johnson.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
RSA & F ACTORING I NTEGERS BY: MIKE NEUMILLER & BRIAN YARBROUGH.

RSA & F ACTORING I NTEGERS BY: MIKE NEUMILLER & BRIAN YARBROUGH.
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.

Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
A Creative Way of Breaking RSA Azeem Jiva. Overview ● What is RSA? – Public Key Algorithm – Is it secure? ● Ways to break RSA – Discover the Public Key.

A Creative Way of Breaking RSA Azeem Jiva. Overview ● What is RSA? – Public Key Algorithm – Is it secure? ● Ways to break RSA – Discover the Public Key.
Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Lattice Based Attacks on RSA. 2004/9/22Lattice Based Attacks on RSA2 Outline Lattices and Lattice reduction Lattice Based Attacks on RSA Hastad ’ s Attack.

Lattice Based Attacks on RSA. 2004/9/22Lattice Based Attacks on RSA2 Outline Lattices and Lattice reduction Lattice Based Attacks on RSA Hastad ’ s Attack.
and Factoring Integers

and Factoring Integers
Introduction Polynomials

Introduction Polynomials
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard.

Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard.
Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.

Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.
Finite fields.

Finite fields.
2.4 – Zeros of Polynomial Functions

2.4 – Zeros of Polynomial Functions
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.

1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Similar presentations

Ads by Google