RSAkeysizedistribution - PDF document

alexa-scheidler
Uploaded On 2016-03-10



Presentation Transcript

Bernstein, Heninger, Lange: Cryptanalytic threats to RSA
http://facthacks.cr.yp.to

RSA key size distribution (TLS, November 2011)
[figure: histogram of RSA key sizes; not recoverable from the transcript]

RSA exponent distribution (TLS, November 2011)
[figure: histogram of RSA public exponents; not recoverable from the transcript]

Searching for more entropy problems
Experiment
1. Acquire many public keys.
2. Look for obvious key-generation problems.
"Public keys" [Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter, Crypto 2012]
"Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices" [Heninger, Durumeric, Wustrow, Halderman, Usenix Security 2012]

What could go wrong with RSA and entropy problems?
- Two hosts share N → both know the private key of the other.
- Two hosts share RSA moduli with a prime factor in common → an outside observer can factor both keys by calculating the GCD of the public moduli.
  N1 = p·q1, N2 = p·q2, gcd(N1, N2) = p
Time to factor a 768-bit RSA modulus: two years.
Time to calculate a GCD for 1024-bit RSA moduli: 15 µs.

Looking for problems: RSA common divisors
Speed-bump: Computing pairwise gcd(Ni, Nj) for our dataset would take 15 µs × (11·10^6 choose 2) pairs ≈ 30 years of computation time.

Efficient all-pairs GCDs
We implemented an efficient algorithm due to [Bernstein 2004].

Results
Repeated keys
- ≈60% of TLS and SSH hosts have non-unique keys.
- ≈5% of TLS hosts and ≈10% of SSH hosts serve default or low-entropy keys.
- 0.03% of TLS hosts and 0.5% of SSH hosts serve Debian weak keys.
Factored keys
- 0.5% of TLS hosts and 0.03% of SSH hosts' keys factored.

This is just the tip of the iceberg
More examples of bad randomness!
- PGP database. [Lenstra et al.] 2 factored RSA keys out of 700,000. Why?
- Smartcards. [2012 Chou (slides in Chinese)] Factored 103 Taiwan Citizen Digital Certificates (out of 2.26 million): smartcard certificates used for paying taxes etc. Names, email addresses, national IDs were public, but 103 private keys are now known.
Smartcard manufacturer: "Giesecke & Devrient: Creating Confidence."
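The all-pairs GCD slide above names the product-tree/remainder-tree algorithm of [Bernstein 2004] without showing it. The following is an added example, not the talk's own implementation: it audits a list of RSA moduli for shared prime factors (and for outright duplicate moduli) in one pass, and includes the quadratic pairwise baseline from the speed-bump slide for comparison. The moduli are constructed from small primes so the result can be checked by hand; the identity used is gcd(N_i, P/N_i) = gcd(N_i, (P mod N_i²)/N_i) with P the product of all moduli.

```python
# Added example (not the talk's code): Bernstein 2004 batch GCD for auditing a key inventory.
from math import gcd, prod


def product_tree(values):
    """Return the levels of a product tree; level 0 is the input, the last level is [P]."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        levels.append([
            level[i] * level[i + 1] if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)
        ])
    return levels


def batch_gcd(moduli):
    """For every N_i return gcd(N_i, product of all other moduli), in quasi-linear time.

    P mod N_i^2 is obtained by pushing remainders down the product tree (each node's
    remainder is its parent's remainder reduced mod the node's square), then
    gcd(N_i, P / N_i) == gcd(N_i, (P mod N_i^2) / N_i).
    """
    levels = product_tree(moduli)
    remainders = levels.pop()            # root level: [P]
    while levels:
        level = levels.pop()
        remainders = [remainders[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def naive_gcds(moduli):
    """Quadratic baseline (the speed-bump slide): one big gcd per modulus."""
    return [gcd(n, prod(m for j, m in enumerate(moduli) if j != i))
            for i, n in enumerate(moduli)]


def classify(moduli):
    """Label each modulus as 'ok', 'shared-factor' (factorable) or 'shared-modulus'."""
    labels = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            labels.append("ok")
        elif g == n:
            # Another host serves the same key, or both primes of n occur elsewhere.
            labels.append("shared-modulus")
        else:
            labels.append("shared-factor")    # g is a prime factor: n == g * (n // g)
    return labels


# Constructed sample: N0 and N1 share 101, N2 and N4 share 113, N3 is independent.
SAMPLE = [101 * 103, 101 * 107, 109 * 113, 127 * 131, 113 * 137]
```

On real data the moduli are the 1024- or 2048-bit integers extracted from certificates or SSH host keys; a 'shared-factor' result means the key is already compromised in public and must be replaced, and a 'shared-modulus' result across unrelated hosts points at a key-generation or provisioning defect rather than one host's operator.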
Evaluating RSA's risk
Factoring keys is bad, but DSA (and ECDSA) are worse if you're worried about entropy problems. Bad entropy from a single signature can compromise the private key.
- e.g. A perfectly good DSA key used on a 2008 Debian system → compromised.
- e.g. 1% of DSA SSH host keys compromised from signatures with bad randomness after two scans.
Would be easy to fix in the standard. (Make the nonce deterministic: hash of message, secret salt.)

Side-channel attacks
Timing attacks
- Hardware [Kocher 96] "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems."
- Remote software [Brumley Boneh 05] "Remote timing attacks are practical."
Cache timing
- Inter-process software [Percival 05] "Cache missing for fun and profit."
- Cross-VM software [Zhang Juels Reiter Ristenpart 12] "Cross-VM Side Channels and Their Use to Extract Private Keys"
Faults
- [Boneh, DeMillo, Lipton 96], [Lenstra 96]

Side-channel attacks
Side-channel structures relevant to RSA:
Exponentiation
- Square-and-multiply: different execution paths / instruction timing / power levels dependent on bits of the private key.
- Defense: Exponent blinding, square-and-always-multiply, never branch.
CRT coefficients
- Fault attacks can produce a value valid mod only one prime.
- Defense: Verify output.
Padding oracles
- Implementations differentiating between correct and incorrect decryption → chosen-ciphertext attacks.
- Defense: Don't distinguish failures.
Partial key recovery and related attacks
RSA is particularly susceptible to partial key recovery attacks.
Theorem (Coppersmith/Howgrave-Graham). We can find roots x of polynomials f of degree d mod divisors B of N, B = N^β, when |x| ≤ N^(β²/d).
(Note that the RSA problem is to find roots of x^e − c mod N.)
- Can factor given 1/2 of the bits of p. [Coppersmith 96]
- Can factor given 1/4 of the bits of d. [Boneh Durfee Frankel 98]
- Can factor given 1/2 of the bits of d_p. [Blömer May 03]
Also implies constraints on key choice:
- Can factor if d < N^0.292 [Boneh Durfee 98]
Message security: The least significant bit of the message is as secure as the entire message. [Alexi Chor Goldreich Schnorr 88]

Protocol issues.

Padding schemes: Simple cryptanalyses
Fixed-pattern padding: Define a padding scheme (P | m).
Coppersmith's theorem: With e = 3, if |m| ≤ N^(1/3) then one can efficiently compute m as the solution to c − (P·2^t + x)^3 mod N.
[Brier Clavier Coron Naccache 01] Existential forgery of signatures with |m| ≥ N^(1/3) by finding solutions to the relation (P + m1)(P + m2) = (P + m3)(P + m4) mod N using continued fractions.

The agony and ecstasy of PKCS#1 v1.5 and OAEP
PKCS#1: (0x00 0x02 | padding string | 0x00 | message)
Cryptographers: PKCS#1 is not IND-CCA2 secure!
Practitioners: That is not relevant in practice.
1994 Bellare Rogaway: Use OAEP, it's provably secure in the random oracle model.
1996 Bleichenbacher: "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1"
1998 RFC 2437: "RSAES-OAEP is recommended for new applications; RSAES-PKCS1-v1_5 is included only for compatibility with existing applications, and is not recommended for new applications"
2001 Shoup: There's a hole in the OAEP security proof, but I fixed it. The proof uses Coppersmith's theorem.
2008 RFC 5246: "for maximal compatibility with earlier versions of TLS, this specification uses the RSAES-PKCS1-v1_5 scheme"
2012 Bardou Focardi Kawamoto Simionato Steel Tsay: Bleichenbacher attack works against RSA SecurID tokens, Estonian ID cards.
Shoup's "Simple RSA"
C0 = r^e mod N, r random
k0 || k1 = H(r), H a hash function
C1 = enc_k0(m), enc a symmetric cipher
T = mac_k1(C1)
Output (C0, C1, T).
Very short and efficient security proof.

Factoring, aka. breaking RSA if nothing else went wrong.

Preliminaries: Using Sage
The following 2 parts use some code snippets to give examples using the free open source mathematics software Sage. http://www.sagemath.org/.
Sage looks like Python, but there are a few differences:
    sage: 2^3
    8
^ is exponentiation, not xor.
It has lots of useful libraries:
    sage: factor(15)
    3 * 5
    sage: factor(x^2-1)
    (x - 1) * (x + 1)
That's it, just factor(N).
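The "Simple RSA" slide above lists the four steps of Shoup's construction without code. The block below is an added example, not the talk's or Shoup's own code, assembling those steps from the Python standard library. Assumptions, all mine: H is SHA-256 split into two 16-byte keys; the symmetric cipher "enc" is a SHA-256 counter-mode keystream standing in for a real cipher such as AES-CTR; the MAC is HMAC-SHA256; and the RSA modulus is a toy (p = 2^31 − 1, q = 2^61 − 1) so that it runs instantly, where a deployment would use a 2048-bit or larger key. Decryption has exactly one failure mode (MAC mismatch, compared in constant time), which is the "don't distinguish failures" defense from the padding-oracle slide.

```python
# Added example (not from the talk): Shoup's "Simple RSA" KEM/DEM with stdlib primitives.
import hashlib
import hmac
import secrets

P_TOY, Q_TOY = (1 << 31) - 1, (1 << 61) - 1       # both Mersenne primes; toy size only
N_TOY = P_TOY * Q_TOY
E_TOY = 65537
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))  # gcd(e, phi) == 1 for these primes
R_BYTES = (N_TOY.bit_length() + 7) // 8


def keystream(key, length):
    """enc: XOR keystream from SHA-256 in counter mode (placeholder for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def derive_keys(r):
    """k0 || k1 = H(r): SHA-256 of r, split into a cipher key and a MAC key."""
    digest = hashlib.sha256(r.to_bytes(R_BYTES, "big")).digest()
    return digest[:16], digest[16:]


def encrypt(message, n=N_TOY, e=E_TOY):
    """Return (C0, C1, T) exactly as the slide lists them."""
    r = secrets.randbelow(n - 2) + 2              # uniformly random r in [2, n-1]
    c0 = pow(r, e, n)                             # C0 = r^e mod N
    k0, k1 = derive_keys(r)
    c1 = bytes(a ^ b for a, b in zip(message, keystream(k0, len(message))))  # C1 = enc_k0(m)
    tag = hmac.new(k1, c1, hashlib.sha256).digest()                           # T = mac_k1(C1)
    return c0, c1, tag


def decrypt(ciphertext, n=N_TOY, d=D_TOY):
    """Return the message, or None. Any C0 < N yields *some* r; only the MAC decides."""
    c0, c1, tag = ciphertext
    r = pow(c0, d, n)
    k0, k1 = derive_keys(r)
    expected = hmac.new(k1, c1, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):    # constant-time; single failure path
        return None
    return bytes(a ^ b for a, b in zip(c1, keystream(k0, len(c1))))
```

Because r is a full-size random element rather than a padded message, there is no padding structure for a ciphertext-validity oracle to reveal; the scheme does, however, inherit the entropy requirement from the earlier slides, since a predictable r hands over k0 and k1 directly.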
EECM: Edwards ECM, basic version
Use an elliptic curve in twisted Edwards form: E: a·x² + y² = 1 + d·x²y² with point P = (x, y); a, d ≠ 0; a ≠ d.
Generate a random curve by picking random nonzero a, x, y; compute d = (a·x² + y² − 1)/(x²y²).
Multiplication in the p − 1 method is replaced by addition on E:
(x1, y1) + (x2, y2) = ( (x1y2 + x2y1) / (1 + d·x1y1x2y2), (y1y2 − a·x1x2) / (1 − d·x1y1x2y2) ).
The neutral element in this group is (0, 1).
Compute rP = (x, y) modulo N using the double-and-add method; avoid divisions by using projective coordinates. For formulas see http://hyperelliptic.org/EFD.
Compute gcd(x, N); this finds primes p for which the order of P modulo p divides r.

ECM: production version
- Use special curves with
  - small coefficients for faster computation, e.g. (1/23, 1/7) is a point on 25x² + y² = 1 − 24167x²y²;
  - a better chance of smooth orders; this curve has a guaranteed factor of 12 in its group order.
- Split the computation into 2 stages:
  - stage 1 as described before with a somewhat smaller t in r = lcm(range(1,t));
  - stage 2 checks (q_i·r)P for the next few primes q_i > t (computed in a batched manner).
- See http://eecm.cr.yp.to/ for explanations, good curves, code, references, etc.
- The method runs very well on GPUs; distributed computing.
- ECM is still an active research area.
ECM is very efficient at factoring random numbers (once small factors are removed).
Favorite method to kill RSA-360.
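The two EECM slides above give the addition law, the random-curve recipe and the gcd(x, N) step, but no code. What follows is an added example, not the talk's code and not the optimized implementation at eecm.cr.yp.to: stage 1 of the basic version in affine coordinates (divisions done with pow(v, -1, N) rather than the projective formulas the slide recommends for speed), written to make the mechanics visible. Two of my own choices: r = lcm(1..t) is applied one prime power at a time with gcd(x, N) checked after each, and a denominator that fails to invert mod N is treated as the lucky event it is, since its gcd with N is then a factor. The test inputs (N = 2759 from the later quadratic-sieve slide, a constructed N = 293·3413, and the slide's curve point (1/23, 1/7) reduced mod the prime 2^61 − 1) are all small by design.

```python
# Added example (not from the talk or eecm.cr.yp.to): affine Edwards-curve ECM, stage 1.
import random
from math import gcd, isqrt


class NonInvertible(Exception):
    def __init__(self, g):
        super().__init__(g)
        self.g = g                      # gcd(denominator, n); a factor of n when 1 < g < n


def inv_mod(v, n):
    g = gcd(v, n)
    if g != 1:
        raise NonInvertible(g)
    return pow(v, -1, n)


def ec_add(p1, p2, a, d, n):
    """The slide's addition law on a x^2 + y^2 = 1 + d x^2 y^2, taken mod n."""
    x1, y1 = p1
    x2, y2 = p2
    t = d * x1 * y1 * x2 * y2 % n
    x3 = (x1 * y2 + x2 * y1) * inv_mod((1 + t) % n, n) % n
    y3 = (y1 * y2 - a * x1 * x2) * inv_mod((1 - t) % n, n) % n
    return x3, y3


def ec_mul(k, point, a, d, n):
    """Double-and-add scalar multiplication; (0, 1) is the neutral element."""
    result, acc = (0, 1), point
    while k:
        if k & 1:
            result = ec_add(result, acc, a, d, n)
        acc = ec_add(acc, acc, a, d, n)
        k >>= 1
    return result


def on_curve(point, a,d, n):
    x, y = point
    return (a * x * x + y * y - 1 - d * x * x * y * y) % n == 0


def primes_up_to(bound):
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, v in enumerate(sieve) if v]


def random_curve(rng, n):
    """Basic EECM curve choice from the slide: random nonzero a, x, y; d solves the equation."""
    a, x, y = (rng.randrange(1, n) for _ in range(3))
    d = (a * x * x + y * y - 1) * inv_mod(x * x * y * y % n, n) % n
    return a, d, (x, y)


def eecm_stage1(n, t=20, curves=60, seed=1):
    """Return a proper factor of n found by ECM stage 1 with r = lcm(1..t), else None."""
    rng = random.Random(seed)           # fixed seed: the curve sequence is reproducible
    for _ in range(curves):
        try:
            a, d, point = random_curve(rng, n)
            for p in primes_up_to(t):
                pe = p
                while pe * p <= t:      # largest power of p that is <= t
                    pe *= p
                point = ec_mul(pe, point, a, d, n)
                g = gcd(point[0], n)    # x == 0 mod p  <=>  rP is (0, +-1) mod p
                if 1 < g < n:
                    return g
                if g == n:
                    break               # both primes died in the same step: next curve
        except NonInvertible as exc:
            if 1 < exc.g < n:
                return exc.g            # a denominator vanished mod exactly one prime
    return None
```

The curve that fails is as informative as the one that succeeds: when gcd(x, N) = N, the order of P divided r modulo both primes at once, and the only remedy is another curve, which is why the production version batches many curves and adds a stage 2 rather than raising t.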
Factoring bad choices of N
Problem if one takes 'same size' too literally:
N = 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000299999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999997921.
Yes, this looks very close to a power of 10, actually close to 10^340. The square root √N is almost an integer, almost 10^170.
Brute-force search N % (10^170 − i) finds the factor p = 10^170 − 33 and then q = N/p = 10^170 + 63.
In real life one would expect this with a power of 2 instead of 10.
This problem happens not only for p and q too close to powers of 2 or 10. The user starts the search for p with some offset c as p = next_prime(2^512 + c) and takes q = next_prime(p).
    sage: N = 115792089237316195423570985008721211221144628262713908746538761285902758367353
    sage: sqrt(N).numerical_approx(256).str(no_sci=2)
    '340282366920938463463374607431817146356.9999999999999999999999999999999999940'   # very close to an integer
    sage: a = ceil(sqrt(N)); a^2 - N
    4096   # 4096 = 64^2; this is a square!
    sage: N/(a-64)
    340282366920938463463374607431817146293   # an integer!
    sage: N/340282366920938463463374607431817146293
    340282366920938463463374607431817146421
Fermat factorization
We wrote N = a² − b² = (a + b)(a − b) and factored it using N/(a − b).
    sage: N = 115792089237316195448679392282006640413199890130332179010243714077028592474181
    sage: sqrt(N).numerical_approx(256).str(no_sci=2)
    '340282366920938463500268096066682468352.9999999471509747085563508368188422193'
    sage: a = ceil(sqrt(N)); i = 0
    sage: while not is_square((a+i)^2 - N):
    ....:     i = i + 1
    ....: # gives i = 2
    ....: # was q = next_prime(p + 2^66 + 974892437589)
This always works eventually: N = ((q + p)/2)² − ((q − p)/2)², but searching for (q + p)/2 starting with ⌈√N⌉ will usually run for about √N − p steps.
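The three slides above (the modulus near 10^340, the next_prime(p) modulus, and Fermat's method) are Sage sessions. The block below is an added example in plain Python 3, not the talk's code, carrying both searches through as functions so they can be run on the moduli the slides quote: a probe of divisors near a round number, and Fermat's a² − b² search with a step cap so that it fails cleanly instead of running for the ~√N − p steps a well-generated key would cost. The 10^340 modulus is rebuilt from the factors the slide states rather than pasted as 341 digits; N = 10007·10009 is a constructed toy.

```python
# Added example (not from the talk): near-round-number probing and Fermat factorization.
from math import isqrt


def near_power_factor(n, base, exponent, max_offset=10_000):
    """Probe n % (base^exponent - i) and n % (base^exponent + i) for growing i."""
    centre = base ** exponent
    for i in range(max_offset + 1):
        for candidate in (centre - i, centre + i):
            if 1 < candidate < n and n % candidate == 0:
                return candidate
    return None


def fermat_factor(n, max_steps=1_000_000):
    """Try a = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until a^2 - n is a square b^2.

    Returns (a - b, a + b, steps) or None once max_steps is exhausted. The step count
    is the slide's i: it stays tiny only when q - p is small next to sqrt(n), which is
    exactly the broken-key-generation case, so a cap keeps this from becoming a search
    of ~sqrt(n) - p steps on a properly generated key.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1                            # ceil(sqrt(n)) without floating point
    for i in range(max_steps):
        diff = (a + i) ** 2 - n
        b = isqrt(diff)
        if b * b == diff:
            return a + i - b, a + i + b, i
    return None


# Inputs: the two moduli quoted on the slides, the 10^340 modulus rebuilt from the
# factors the slide states, and a constructed toy with p and q two apart.
N_CLOSE = 115792089237316195423570985008721211221144628262713908746538761285902758367353
N_FERMAT = 115792089237316195448679392282006640413199890130332179010243714077028592474181
N_TEN = (10 ** 170 - 33) * (10 ** 170 + 63)
N_TOY = 10007 * 10009
```

A key-generation routine that derives q by searching upward from p, or that starts both searches at the same round offset, produces moduli that these few lines recover; the check a reviewer wants is that p and q are drawn independently from the full range, not that the two primes merely have the same bit length.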
An example of the quadratic sieve (QS)
Let's try Fermat to factor N = 2759.
Recall the idea: if a² − N is a square b² then N = (a − b)(a + b).
53² − 2759 = 50. Not exactly a square: 50 = 2 · 5².
54² − 2759 = 157. Ummm, doesn't look like a square.
55² − 2759 = 266.
56² − 2759 = 377.
57² − 2759 = 490. Hey, 49 is a square... 490 = 2 · 5 · 7².
58² − 2759 = 605. Not exactly a square: 605 = 5 · 11².
Fermat doesn't seem to be working very well for this number.
But the product 50 · 490 · 605 is a square: 2² · 5⁴ · 7² · 11².
QS computes gcd{2759, 53 · 57 · 58 − √(50 · 490 · 605)} = 31.
Exercise: A square product has a 50% chance of factoring pq.
QS more systematically
Try a larger N. Easy to generate many differences a² − N:
    N = 314159265358979323
    X = [a^2-N for a in range(sqrt(N)+1, sqrt(N)+500000)]
See which differences are easy to factor:
    P = list(primes(2,1000))
    F = easyfactorizations(P,X)
Use linear algebra mod 2 to find a square:
    M = matrix(GF(2), len(F), len(P), lambda i,j: P[j] in F[i][0])
    for K in M.left_kernel().basis():
        x = product([sqrt(f[2]+N) for f,k in zip(F,K) if k==1])
        y = sqrt(product([f[2] for f,k in zip(F,K) if k==1]))
        print [gcd(N,x-y), gcd(N,x+y)]

Strategies to implement easyfactorizations
Trial-dividing a² − N using primes in [1, y] costs y^(1+o(1)).
Four major directions of improvements:
- Early aborts: e.g., throw a² − N away if the unfactored part is uncomfortably large after primes in [1, y^0.5]. 1982 Pomerance: optimized early aborts reduce the cost of trial division to y^(0+o(1)) while reducing effectiveness by a factor y^(0.5+o(1)).
- Batch trial division: same as the tree idea from before.
- "Sieving": like the Sieve of Eratosthenes. Example: use arithmetic progressions of a with 1009 dividing a² − N.
- rho, p − 1, p + 1, ECM. Low memory, high parallelism.
Sieving seemed very important 30 years ago. Today much less use: we care more about communication cost and lattice optimization.
Interlude: Smoothness

How many integers in [1, y²] factor into primes in [1, y]?

Easy lower bound: at least 0.5 y²/(log y)². (There are ≈ y/log y primes in [1, y]. Consider products of two such primes.)
Somewhat careful analysis: constant times y².
More careful analysis: ≈ 0.306 y².

How many integers in [1, y^u] factor into primes in [1, y]?
Somewhat careful analysis: ≈ u^(−u) y^u.
More careful analysis: e.g., ≈ 0.277 · 10^(−10) y^u for u = 10.
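The three estimates above can be checked against exact counts for small y. This is an added example, not part of the slides: a largest-prime-factor sieve counts the y-smooth integers in [1, y^u] and puts the count beside the lower bound 0.5 y²/(log y)², the asymptotic 0.306 y² and the rough u^(−u) y^u. The inputs (y = 10, 100, 300 with u = 2; y = 30 with u = 3) are chosen here. For small y the exact density sits noticeably above 0.306, and u^(−u) undershoots, which is why the slide calls it the "somewhat careful" analysis.

```python
"""Added example (not from the slides): count the y-smooth integers in [1, y^u]
exactly with a largest-prime-factor sieve and compare with the slide's three
estimates.  Small y sits well above the asymptotic 0.306 y^2; the rough u^-u y^u
undershoots, which is what makes the 'somewhat careful' analysis only a scale."""
from math import log


def largest_prime_factors(limit):
    """lpf[n] = largest prime factor of n for 1 <= n <= limit (lpf[1] = 1)."""
    lpf = [1] * (limit + 1)
    for p in range(2, limit + 1):
        if lpf[p] == 1:                  # untouched so far: p is prime
            for m in range(p, limit + 1, p):
                lpf[m] = p               # later (larger) primes overwrite
    return lpf


def count_smooth(y, u):
    """Number of integers in [1, y^u] whose prime factors all lie in [1, y]."""
    limit = y ** u
    lpf = largest_prime_factors(limit)
    return sum(1 for n in range(1, limit + 1) if lpf[n] <= y)


def smoothness_report(y, u):
    """Exact count next to the slide's estimates: u^-u y^u for any u, plus the
    lower bound 0.5 y^2/(log y)^2 and the asymptotic 0.306 y^2 when u == 2."""
    limit = y ** u
    report = {"exact": count_smooth(y, u), "u^-u": u ** (-u) * limit}
    if u == 2:
        report["lower_bound"] = 0.5 * y ** 2 / log(y) ** 2
        report["asymptotic"] = 0.306 * y ** 2
    return report


if __name__ == "__main__":
    for y, u in ((10, 2), (100, 2), (300, 2), (30, 3)):
        print(y, u, smoothness_report(y, u))
```

The sieve is O(limit · log log limit) and fine up to a few million; beyond that one would sample rather than enumerate, but for choosing a factor-base bound in a toy sieve these sizes are the ones that matter.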
QS scalability

QS is slow for small N... but scales very well to larger N.

Choose y = N^(1/u). If the differences a² − N were random integers mod N then they would factor into primes in [1, y] with probability ≈ u^(−u). (Actually a² − N is closer to sqrt(N); even more likely to factor.)

Factorization exponent vectors produce linear dependencies once there are ≈ u^u y/log y differences.

Choose u on the scale of sqrt(log N / log log N) to balance u^u with N^(1/u). Subexponential cost!

History of the world, part 1

1931 Lehmer–Powers, 1975 Morrison–Brillhart, "CFRAC": find small squares mod N using the sqrt(N) continued fraction.
1977 Schroeppel "linear sieve": find square products of ab(ab − N) by sieving ab − N; use a, b in a small range around sqrt(N). This uses exp(O(sqrt(log N log log N))) operations.
1982 Pomerance, QS: a² − N.

Retroactively plug in ECM or batch trial division, and fast linear algebra: each method uses exp((1+o(1)) sqrt(log N log log N)) operations.
Applying ECM directly to N also uses exp((1+o(1)) sqrt(log N log log N)) operations.

History of the world, part 2

1982 Schnorr, 1987 Seysen, 1988 A. Lenstra, 1992 H. Lenstra–Pomerance: another method that provably uses exp((1+o(1)) sqrt(log N log log N)) operations.

1988 Pomerance–Smith–Tuler: "Over the last few years there has developed a remarkable six-way tie for the asymptotically fastest factoring algorithms.... It might be tempting to conjecture that L(N) is in fact the true complexity of factoring, but no one seems to have any idea how to obtain even heuristic lower bounds for factoring."

1985 Odlyzko, commenting on the same conjecture: "It is this author's guess that this is not the case, and that we are missing some insight that will let us break below the L(p) barrier."
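Carrying the "QS scalability" balancing argument through to the exponent, as an added derivation that is not on the slides. It uses the slides' symbols y, u, N, their count of ≈ u^u y/log y differences, and the assumption the history slides make for batch trial division or ECM, namely that handling one difference costs y^{o(1)}, so the number of differences is the cost:

$$
\begin{aligned}
&\text{Write } L = \log N,\qquad y = N^{1/u},\qquad \log y = L/u. \\
&\text{Differences examined: } u^{u}\,\frac{y}{\log y} = \exp\!\Big(u\log u + \frac{L}{u} - \log\log y\Big). \\
&\text{Take } u = c\sqrt{L/\log L},\ \text{so } \log u = \tfrac12\log L\,(1+o(1)) \text{ and} \\
&\qquad u\log u = \tfrac{c}{2}\sqrt{L\log L}\,(1+o(1)),\qquad \frac{L}{u} = \tfrac1c\sqrt{L\log L}. \\
&\text{The exponent } \big(\tfrac{c}{2}+\tfrac1c\big)\sqrt{L\log L} \text{ is minimal at } c=\sqrt2: \\
&\qquad \exp\!\big((\sqrt2+o(1))\sqrt{\log N\,\log\log N}\big). \\
&\text{With } a^2-N \approx N^{1/2} \text{ (the slide's parenthetical) the smoothness probability is } (u/2)^{-u/2}, \\
&\text{the exponent becomes } \big(\tfrac{c}{4}+\tfrac1c\big)\sqrt{L\log L}, \text{ minimal at } c=2: \\
&\qquad \exp\!\big((1+o(1))\sqrt{\log N\,\log\log N}\big), \\
&\text{the bound on the history slides. At } c=2 \text{ the sparse linear algebra on a } \tfrac{y}{\log y}\times\tfrac{y}{\log y} \text{ matrix,} \\
&\qquad y^{2+o(1)} = \exp\!\big(\tfrac{2}{c}\sqrt{L\log L}\big) = \exp\!\big(\sqrt{L\log L}\big), \text{ costs the same.}
\end{aligned}
$$

Either way u is on the scale of sqrt(log N / log log N), as the slide says; only the constant in the exponent moves. Plain trial division at y^{1+o(1)} per difference would add a further L/u to the exponent and worsen that constant, which is what the "retroactively plug in ECM or batch trial division" remark on the history slide repairs.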
The number-field sieve (NFS)

1988 Pollard, independently 1989 Elkies, generalized by 1990 Lenstra–Lenstra–Manasse–Pollard: use (a + bα)(a + bm) with α ≡ m (mod N). exp((2.08... + o(1)) (log N)^(1/3) (log log N)^(2/3)).
1991 Adleman, 1993 Buhler–Lenstra–Pomerance: exp((1.92... + o(1)) (log N)^(1/3) (log log N)^(2/3)). Adleman estimated the QS/NFS cutoff as N ≈ 2^1100.
1993 Coppersmith: exp((1.90... + o(1)) (log N)^(1/3) (log log N)^(2/3)).
1993 Coppersmith, batch NFS ("factorization factory"): exp((1.63... + o(1)) (log N)^(1/3) (log log N)^(2/3)) after a precomputation independent of N.

So what does this mean for RSA-1024?

Complicated NFS analysis and optimization. Latest estimates: the attacker breaks my 1024-bit key by scanning ≈ 2^70 pairs (a, b).

Plan A: NSA is building a 2^26-watt computer center in Bluffdale.
Plan B: The Conficker botnet broke into 2^23 machines.
Plan C: China has a supercomputer center in Tianjin.

    2^57 watts   Earth receives from the Sun
    2^56 watts   Earth's surface receives from the Sun
    2^44 watts   Current world power usage
    2^30 watts   Botnet running 2^23 typical CPUs
    2^26 watts   One dinky little computer center

2^26 watts of standard GPUs: ≈ 2^84 floating-point mults/year. Latest estimates: this is enough to break 1024-bit RSA.
...and special-purpose chips should be at least 10× faster.
...and batch NFS should be even faster.

Quantum computers

Okay, you're using RSA-3072. ...and then the attacker builds a big quantum computer. Imagine the extreme case: qubit ops are about as cheap as bit ops.

Major impact, part 1: 1996 Grover. Speeds up searching s possible roots of f from ≈ s iterations of f to ≈ sqrt(s) iterations of f. Example (2010 Bernstein): this speeds up ECM!

Major impact, part 2: 1994 Shor. Factors N using ≈ one exponentiation modulo N.
Post-quantum RSA

Conventional wisdom: Shor's algorithm supersedes all previous factorization methods. In fact, it breaks RSA as quickly as RSA decrypts, so we have no hope of security from scaling RSA key sizes.

This isn't true! Use "multi-prime RSA."

Oops, 1997/1998 Tandem patent.

Fortunately, already in the 1983 RSA patent: "the present invention may use a modulus n which is a product of three or more primes."

Concrete analysis suggests that RSA with 2^31 4096-bit primes provides > 2^100 security vs. all known quantum attacks. Key fits on a hard drive; encryption + decryption take only a week.


