[Figure: RSA key size distribution, TLS, November 2011]
[Figure: RSA exponent distribution, TLS, November 2011]
Bernstein, Heninger, Lange: Cryptanalytic threats to RSA. http://facthacks.cr.yp.to

Searching for more entropy problems

Experiment:
1. Acquire many public keys.
2. Look for obvious key-generation problems.

"Public keys" [Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter, Crypto 2012]
"Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices" [Heninger, Durumeric, Wustrow, Halderman, Usenix Security 2012]

What could go wrong with RSA and entropy problems?

- Two hosts share N: both know the private key of the other.
- Two hosts share RSA moduli with a prime factor in common: an outside observer can factor both keys by calculating the GCD of the public moduli. N1 = p*q1, N2 = p*q2, gcd(N1, N2) = p.

Time to factor a 768-bit RSA modulus: two years.
Time to calculate the GCD of two 1024-bit RSA moduli: 15 μs.

Looking for problems: RSA common divisors

Speed-bump: computing pairwise gcd(Ni, Nj) for our dataset would take 15 μs × C(11·10^6, 2) pairs ≈ 30 years of computation time.

Efficient all-pairs GCDs

We implemented an efficient algorithm due to [Bernstein 2004].

Results

Repeated keys:
- 60% of TLS and SSH hosts have non-unique keys.
- 5% of TLS hosts and 10% of SSH hosts serve default or low-entropy keys.
- 0.03% of TLS hosts and 0.5% of SSH hosts serve Debian weak keys.
Factored keys:
- 0.5% of TLS hosts' and 0.03% of SSH hosts' keys factored.

This is just the tip of the iceberg

More examples of bad randomness!
- PGP database. [Lenstra et al.] 2 factored RSA keys out of 700,000. Why?
- Smartcards. [2012 Chou (slides in Chinese)] Factored 103 Taiwan Citizen Digital Certificates (out of 2.26 million): smartcard certificates used for paying taxes etc. Names, email addresses, national IDs were public, but 103 private keys are now known.
Smartcard manufacturer: "Giesecke & Devrient: Creating Confidence."
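The all-pairs GCD the slides refer to, as an added Python example that is not the slides' own code: Bernstein's product-tree/remainder-tree computation of gcd(N_i, product of all other N_j) over a whole key inventory, with a small audit wrapper (function names are mine). The sample moduli are constructed from known primes (p = 2^31 - 1 shared by two of them, one modulus duplicated) and are not real keys.

```python
import math


def product_tree(leaves):
    """Levels of a product tree: level 0 is the input list, the last level is [Z], Z = product of all."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def remainder_tree(tree):
    """Walk the product tree downwards, computing Z mod (leaf^2) for every leaf.
    Each node only reduces its parent's remainder, so the huge Z is never reduced
    separately modulo every N_i (that is what makes the all-pairs gcd fast)."""
    rems = [tree[-1][0]]                      # root: Z itself
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return rems


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, prod_{j != i} N_j).
    (Z mod N_i^2) // N_i equals (Z / N_i) mod N_i, so its gcd with N_i is exactly the
    part of N_i that is shared with at least one other modulus."""
    rems = remainder_tree(product_tree(moduli))
    return [math.gcd(n, r // n) for n, r in zip(moduli, rems)]


def audit_shared_factors(moduli):
    """Turn batch_gcd output into per-modulus findings."""
    report = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            report.append((n, 'ok', None))
        elif g < n:
            report.append((n, 'shared prime', g))   # g is a proper factor: n is broken
        else:
            # g == n: every prime of n occurs in some other modulus, or n itself is repeated.
            # batch_gcd cannot split this case, so fall back to pairwise gcds against the rest.
            factors = {math.gcd(n, m) for m in moduli if m != n} - {1}
            report.append((n, 'both primes shared',
                           min(factors) if factors else 'duplicate modulus'))
    return report


# Constructed sample inventory (not real keys): P_SHARED appears in the first two moduli,
# the third modulus is listed twice, the fourth is clean.
P_SHARED = 2147483647                          # 2^31 - 1, prime
SAMPLE_MODULI = [
    P_SHARED * 65537,
    P_SHARED * 999983,
    1000003 * 104729,
    15485863 * 2305843009213693951,            # 2^61 - 1, prime
    1000003 * 104729,                          # exact duplicate of the third modulus
]

if __name__ == "__main__":
    for n, status, detail in audit_shared_factors(SAMPLE_MODULI):
        print(n, status, detail)
```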
Evaluating RSA's risk

Factoring keys is bad, but DSA (and ECDSA) are worse if you're worried about entropy problems. Bad entropy from a single signature can compromise the private key.
- e.g. A perfectly good DSA key used on a 2008 Debian system → compromised.
- e.g. 1% of DSA SSH host keys compromised from signatures with bad randomness after two scans.
Would be easy to fix in the standard. (Make the nonce deterministic: hash of message, secret salt.)

Side-channel attacks

Timing attacks
- Hardware [Kocher 96] "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems."
- Remote software [Brumley Boneh 05] "Remote timing attacks are practical."
Cache timing
- Inter-process software [Percival 05] "Cache missing for fun and profit."
- Cross-VM software [Zhang Juels Reiter Ristenpart 12] "Cross-VM Side Channels and Their Use to Extract Private Keys"
Faults
- [Boneh, DeMillo, Lipton 96], [Lenstra 96]

Side-channel attacks

Side-channel structures relevant to RSA:
Exponentiation
- Square-and-multiply: different execution paths / instruction timing / power levels dependent on bits of the private key.
- Defense: exponent blinding, square and always multiply, never branch.
CRT coefficients
- Fault attacks can produce a value valid mod only one prime.
- Defense: verify output.
Padding oracles
- Implementations differentiating between correct and incorrect decryption → chosen-ciphertext attacks.
- Defense: don't distinguish failures.
Partial key recovery and related attacks

RSA is particularly susceptible to partial key recovery attacks.

Theorem (Coppersmith/Howgrave-Graham). We can find roots x of polynomials f of degree d modulo divisors B of N, B ≥ N^β, when |x| ≤ N^(β²/d).
(Note that the RSA problem is to find roots of x^e - c mod N.)

- Can factor given 1/2 of the bits of p. [Coppersmith 96]
- Can factor given 1/4 of the bits of d. [Boneh Durfee Frankel 98]
- Can factor given 1/2 of the bits of d_p. [Blömer May 03]
Also implies constraints on key choice:
- Can factor if d ≤ N^0.292. [Boneh Durfee 98]

Message security: the least significant bit of the message is as secure as the entire message. [Alexi Chor Goldreich Schnorr 88]
Protocol issues.

Padding schemes: simple cryptanalyses

Fixed-pattern padding: define a padding scheme (P | m).
Coppersmith's theorem: with e = 3, if |m| ≤ N^(1/3) then one can efficiently compute m as the solution to c ≡ (P·2^t + x)^3 mod N.
[Brier Clavier Coron Naccache 01] Existential forgery of signatures with |m| ≤ N^(1/3) by finding solutions to the relation (P + m1)(P + m2) ≡ (P + m3)(P + m4) mod N using continued fractions.

The agony and ecstasy of PKCS#1 v1.5 and OAEP

PKCS#1: (0x00 0x02 | padding string | 0x00 | message)
Cryptographers: PKCS#1 is not IND-CCA2 secure!
Practitioners: That is not relevant in practice.
1994 Bellare Rogaway: Use OAEP, it's provably secure in the random oracle model.
1996 Bleichenbacher: "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1"
1998 RFC 2437: "RSAES-OAEP is recommended for new applications; RSAES-PKCS1-v1_5 is included only for compatibility with existing applications, and is not recommended for new applications"
2001 Shoup: There's a hole in the OAEP security proof, but I fixed it. The proof uses Coppersmith's theorem.
2008 RFC 5246: "for maximal compatibility with earlier versions of TLS, this specification uses the RSAES-PKCS1-v1_5 scheme"
2012 Bardou Focardi Kawamoto Simionato Steel Tsay: Bleichenbacher attack works against RSA SecurID tokens, Estonian ID cards.
Shoup's "Simple RSA"

    C0 = r^e mod N          (r random)
    k0 || k1 = H(r)         (H a hash function)
    C1 = enc_k0(m)          (enc a symmetric cipher)
    T = mac_k1(C1)
    Output (C0, C1, T).
Very short and efficient security proof.

Factoring, aka. breaking RSA if nothing else went wrong.

Preliminaries: Using Sage

The following 2 parts use some code snippets to give examples using the free open source mathematics software Sage, http://www.sagemath.org/.
Sage looks like Python, but there are a few differences:
    sage: 2^3
    8
(^ is exponentiation, not xor.)
It has lots of useful libraries:
    sage: factor(15)
    3 * 5
    sage: factor(x^2-1)
    (x - 1) * (x + 1)
That's it, just factor(N).
EECM: Edwards ECM, basic version

Use an elliptic curve in twisted Edwards form: E: a·x² + y² = 1 + d·x²·y² with point P = (x, y); a, d ≠ 0; a ≠ d.
Generate a random curve by picking random nonzero a, x, y and computing d = (a·x² + y² - 1)/(x²·y²).
Multiplication in the p-1 method is replaced by addition on E:
    (x1, y1) + (x2, y2) = ((x1·y2 + x2·y1)/(1 + d·x1·y1·x2·y2), (y1·y2 - a·x1·x2)/(1 - d·x1·y1·x2·y2)).
The neutral element in this group is (0, 1).
Compute rP = (x, y) modulo N using the double-and-add method; avoid divisions by using projective coordinates. For formulas see http://hyperelliptic.org/EFD.
Compute gcd(x, N); this finds primes p for which the order of P modulo p divides r.

ECM: production version

- Use special curves with
  - small coefficients for faster computation, e.g. (1/23, 1/7) is a point on 25x² + y² = 1 - 24167x²y²;
  - a better chance of smooth orders; this curve has a guaranteed factor of 12.
- Split the computation into 2 stages:
  - stage 1 as described before with somewhat smaller t in r = lcm(range(1, t));
  - stage 2 checks (q_i·r)P for the next few primes q_i ≥ t (computed in a batched manner).
- See http://eecm.cr.yp.to/ for explanations, good curves, code, references, etc.
- The method runs very well on GPUs; distributed computing.
- ECM is still an active research area.
ECM is very efficient at factoring random numbers (once small factors are removed).
Favorite method to kill RSA-360.
Factoring bad choices of N

Problem if one takes 'same size' too literally:
N = 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000299999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999997921.
Yes, this looks very close to a power of 10, actually close to 10^340. The square root sqrt(N) is almost an integer, almost 10^170.
Brute-force search N % (10^170 - i) finds the factor p = 10^170 - 33 and then q = N/p = 10^170 + 63.
In real life one would expect this with a power of 2 instead of 10.
This problem happens not only for p and q too close to powers of 2 or 10.

User starts the search for p with some offset c as p = next_prime(2^512 + c). Takes q = next_prime(p).
    sage: N = 115792089237316195423570985008721211221144628262713908746538761285902758367353
    sage: sqrt(N).numerical_approx(256).str(no_sci=2)
    '340282366920938463463374607431817146356.9999999999999999999999999999999999940'   # very close to an integer
    sage: a = ceil(sqrt(N)); a^2 - N
    4096   # 4096 = 64^2; this is a square!
    sage: N/(a-64)
    340282366920938463463374607431817146293   # an integer!
    sage: N/340282366920938463463374607431817146293
    340282366920938463463374607431817146421
Fermat factorization

We wrote N = a² - b² = (a + b)(a - b) and factored it using N/(a - b).
    sage: N = 115792089237316195448679392282006640413199890130332179010243714077028592474181
    sage: sqrt(N).numerical_approx(256).str(no_sci=2)
    '340282366920938463500268096066682468352.9999999471509747085563508368188422193'
    sage: a = ceil(sqrt(N)); i = 0
    sage: while not is_square((a+i)^2 - N):
    ....:     i = i + 1   # gives i = 2
    ....: # was q = next_prime(p + 2^66 + 974892437589)
This always works eventually: N = ((q + p)/2)² - ((q - p)/2)², but searching for (q + p)/2 starting with ceil(sqrt(N)) will usually run for about sqrt(N) - p steps.
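The Fermat search of the last three slides, written out as an added Python example (not the slides' Sage code) that factors the three moduli discussed there: the offset-search N and the next_prime(p) N copied from the slides, and the near-10^340 N rebuilt from the factors the slide names. close_prime_check is my name for a key-generation sanity test built on it; it rejects any N whose primes Fermat can separate within a step budget.

```python
import math


def ceil_sqrt(N):
    """Smallest integer a with a*a >= N (exact, no floating point)."""
    a = math.isqrt(N)
    return a if a * a == N else a + 1


def fermat_factor(N, max_steps=1_000_000):
    """Try a = ceil(sqrt(N)), ceil(sqrt(N)) + 1, ... until a^2 - N is a perfect square b^2;
    then N = (a - b)(a + b). Returns (p, q, steps) or None when the primes are too far
    apart to be found within max_steps (steps grows like (sqrt(q) - sqrt(p))^2 / 2)."""
    a = ceil_sqrt(N)
    for i in range(max_steps):
        b2 = (a + i) ** 2 - N
        b = math.isqrt(b2)
        if b * b == b2:
            return a + i - b, a + i + b, i
    return None


def close_prime_check(N, max_steps=1_000_000):
    """Key-generation sanity test (assumed name): True if N survives the Fermat search,
    False if its two primes are close enough that N splits within max_steps."""
    return fermat_factor(N, max_steps) is None


# p = next_prime(2^512 + c), q = next_prime(p): a^2 - N = 64^2 at the very first a.
N_OFFSET = 115792089237316195423570985008721211221144628262713908746538761285902758367353
# q = next_prime(p + 2^66 + 974892437589): the slide's loop stops at i = 2.
N_NEXT_PRIME = 115792089237316195448679392282006640413199890130332179010243714077028592474181
# 'same size taken too literally': rebuilt from the factors named on the slide.
N_POWER_OF_TEN = (10**170 - 33) * (10**170 + 63)

if __name__ == "__main__":
    for name, N in [("offset", N_OFFSET), ("next_prime", N_NEXT_PRIME), ("power of ten", N_POWER_OF_TEN)]:
        p, q, steps = fermat_factor(N)
        print(f"{name}: split after {steps} step(s), p = {p}")
```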
An example of the quadratic sieve (QS)

Let's try Fermat to factor N = 2759. Recall the idea: if a² - N is a square b² then N = (a - b)(a + b).
    53² - 2759 = 50. Not exactly a square: 50 = 2 · 5².
    54² - 2759 = 157. Ummm, doesn't look like a square.
    55² - 2759 = 266.
    56² - 2759 = 377.
    57² - 2759 = 490. Hey, 49 is a square... 490 = 2 · 5 · 7².
    58² - 2759 = 605. Not exactly a square: 605 = 5 · 11².
Fermat doesn't seem to be working very well for this number.
But the product 50 · 490 · 605 is a square: 2² · 5⁴ · 7² · 11².
QS computes gcd{2759, 53 · 57 · 58 - sqrt(50 · 490 · 605)} = 31.
Exercise: Square product has 50% chance of factoring pq.
QS more systematically

Try larger N. Easy to generate many differences a² - N:
    N = 314159265358979323
    X = [a^2 - N for a in range(sqrt(N)+1, sqrt(N)+500000)]
See which differences are easy to factor:
    P = list(primes(2, 1000))
    F = easyfactorizations(P, X)   # helper discussed on the next slide
Use linear algebra mod 2 to find a square:
    M = matrix(GF(2), len(F), len(P), lambda i, j: P[j] in F[i][0])
    for K in M.left_kernel().basis():
        x = product([sqrt(f[2]+N) for f, k in zip(F, K) if k == 1])
        y = sqrt(product([f[2] for f, k in zip(F, K) if k == 1]))
        print [gcd(N, x-y), gcd(N, x+y)]
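An added Python version (not the slides' Sage code) of the sieve on this slide: a plain trial-division easy_factorization stands in for the helper the slide leaves undefined, and a GF(2) elimination stands in for Sage's left_kernel; function names and defaults are mine. Run on the N = 2759 of the previous slide it reproduces the factor 31 from the same three relations.

```python
import math


def small_primes(bound):
    """Primes up to bound by trial division (bound is tiny in this toy)."""
    return [p for p in range(2, bound + 1)
            if all(p % q for q in range(2, math.isqrt(p) + 1))]


def factor_base(N, bound):
    """An odd prime p can divide a^2 - N only if N is a square mod p (Euler's criterion),
    so the others are dropped from the factor base up front."""
    return [p for p in small_primes(bound) if p == 2 or pow(N, (p - 1) // 2, p) == 1]


def easy_factorization(P, v):
    """Trial-divide v by the factor base P. Returns the set of primes with odd exponent
    when v is P-smooth, else None. (The slides' easyfactorizations step.)"""
    rest, odd = v, set()
    for p in P:
        while rest % p == 0:
            rest //= p
            odd ^= {p}            # toggle: only the parity of each exponent matters
    return odd if rest == 1 else None


def gf2_dependencies(rows):
    """Gaussian elimination over GF(2) on bitmask rows; yields lists of row indices
    whose XOR is zero, i.e. subsets whose product of a^2 - N has all exponents even."""
    pivots = {}                   # leading bit -> (reduced row, mask of original rows in it)
    for idx, row in enumerate(rows):
        combo = 1 << idx
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (row, combo)
                break
            prow, pcombo = pivots[lead]
            row ^= prow
            combo ^= pcombo
        else:                     # row reduced to zero: a dependency
            yield [i for i in range(len(rows)) if combo >> i & 1]


def quadratic_sieve(N, bound=100, interval=20000):
    """Toy QS: collect P-smooth values a^2 - N, combine them into x^2 = y^2 (mod N)
    and return a proper factor of N, or None if no dependency split N."""
    P = factor_base(N, bound)
    index = {p: i for i, p in enumerate(P)}
    rels = []
    start = math.isqrt(N) + 1
    for a in range(start, start + interval):
        odd = easy_factorization(P, a * a - N)
        if odd is not None:
            rels.append((a, a * a - N, odd))
        if len(rels) >= len(P) + 8:   # more relations than primes forces dependencies
            break
    rows = [sum(1 << index[p] for p in odd) for _, _, odd in rels]
    for dep in gf2_dependencies(rows):
        x = math.prod(rels[i][0] for i in dep)    # product of the a's
        y2 = math.prod(rels[i][1] for i in dep)   # product of a^2 - N: a perfect square
        y = math.isqrt(y2)
        for g in (math.gcd(N, x - y), math.gcd(N, x + y)):
            if 1 < g < N:
                return g
    return None


if __name__ == "__main__":
    print(quadratic_sieve(2759, bound=20))        # the slide's example: 31
```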
Uselinearalgebramod2tondasquare:M=matrix(GF(2),len(F),len(P),lambdai,j:P[j]inF[i][0])forKinM.left_kernel().basis():x=product([sqrt(f[2]+N)forf,kinzip(F,K)ifk==1])y=sqrt(product([f[2]forf,kinzip(F,K)ifk==1]))print[gcd(N,x-y),gcd(N,x+y)] Bernstein,Heninger,Lange:CryptanalyticthreatstoRSA http://facthacks.cr.yp.to StrategiestoimplementeasyfactorizationsTrial-dividinga2Nusingprimesin[1;y]costsy1+o(1).Fourmajordirectionsofimprovements:IEarlyaborts:e.g.,throwa2Nawayifunfactoredpartisuncomfortablylargeafterprimesin[1;y0:5].1982Pomerance:optimizedearlyabortsreducecostoftrialdivisiontoy0+o(1)whilereducingeectivenessbyfactory0:5+o(1). IBatchtrialdivision:sameastreeideafrombefore. I\Sieving":liketheSieveofEratosthenes.Example:usearithmeticprogressionsofawith1009dividinga2N. Irho,p1,p+1,ECM.Lowmemory,highparallelism. Sievingseemedveryimportant30yearsago.Todaymuchlessuse:wecaremoreaboutcommunicationcostandlatticeoptimization. Bernstein,Heninger,Lange:CryptanalyticthreatstoRSA http://facthacks.cr.yp.to StrategiestoimplementeasyfactorizationsTrial-dividinga2Nusingprimesin[1;y]costsy1+o(1).Fourmajordirectionsofimprovements:IEarlyaborts:e.g.,throwa2Nawayifunfactoredpartisuncomfortablylargeafterprimesin[1;y0:5].1982Pomerance:optimizedearlyabortsreducecostoftrialdivisiontoy0+o(1)whilereducingeectivenessbyfactory0:5+o(1). IBatchtrialdivision:sameastreeideafrombefore. I\Sieving":liketheSieveofEratosthenes.Example:usearithmeticprogressionsofawith1009dividinga2N. Irho,p1,p+1,ECM.Lowmemory,highparallelism. Sievingseemedveryimportant30yearsago.Todaymuchlessuse:wecaremoreaboutcommunicationcostandlatticeoptimization. 
Interlude: Smoothness

How many integers in $[1, y^2]$ factor into primes in $[1, y]$?
Easy lower bound: at least $0.5\, y^2/(\log y)^2$. (There are $\approx y/\log y$ primes in $[1, y]$. Consider products of two such primes.)
Somewhat careful analysis: constant times $y^2$.
More careful analysis: $0.306\ldots\, y^2$.

How many integers in $[1, y^u]$ factor into primes in $[1, y]$?
Somewhat careful analysis: $u^{-u} y^u$.
More careful analysis: e.g., $0.277 \cdot 10^{-10}\, y^u$ for $u = 10$.
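A Python check of the numbers on the smoothness slide, added here as an example and not taken from the slides. The "more careful analysis" constants are values of Dickman's $\rho$ function ($\rho(2) = 1 - \log 2 = 0.306\ldots$, $\rho(10) = 0.277 \cdot 10^{-10}$): the block integrates $\rho$ numerically from its defining equation $u\rho'(u) = -\rho(u-1)$, counts the $y$-smooth integers in $[1, y^2]$ exactly for $y = 100$, and counts the two-prime products behind the easy lower bound. The grid step, $y = 100$ and the function names are this example's own choices.

```python
from math import log

def dickman_rho(u, steps_per_unit=1000):
    """Dickman's rho: rho(t) = 1 on [0, 1] and u*rho'(u) = -rho(u-1) beyond, equivalently
    rho(u) = (1/u) * integral_{u-1}^{u} rho(t) dt.  Solved on a grid with the trapezoid rule."""
    h = 1.0 / steps_per_unit
    n = int(round(u * steps_per_unit))
    rho = [1.0] * (steps_per_unit + 1)
    prefix = [0.0] * (max(n, steps_per_unit) + 1)   # prefix[i] = integral of rho over [0, i*h]
    for i in range(1, steps_per_unit + 1):
        prefix[i] = prefix[i - 1] + h * (rho[i - 1] + rho[i]) / 2
    for i in range(steps_per_unit + 1, n + 1):
        t = i * h
        # rho_i = (1/t) * (prefix[i-1] - prefix[i-steps] + h*(rho_{i-1} + rho_i)/2), solved for rho_i
        base = prefix[i - 1] - prefix[i - steps_per_unit] + h * rho[i - 1] / 2
        r = base / (t - h / 2)
        rho.append(r)
        prefix[i] = prefix[i - 1] + h * (rho[i - 1] + r) / 2
    return rho[n]

def count_smooth(bound, y):
    """Exact number of y-smooth integers in [1, bound]: divide every prime <= y out of each
    integer; whatever is left equal to 1 had no prime factor above y."""
    rem = list(range(bound + 1))
    for p in range(2, y + 1):
        if rem[p] == p:                 # nothing smaller divided p, so p is prime
            for m in range(p, bound + 1, p):
                while rem[m] % p == 0:
                    rem[m] //= p
    return sum(1 for m in range(1, bound + 1) if rem[m] == 1)

def two_prime_products(y):
    """The slide's easy lower bound made exact: products p*q with primes p <= q <= y.  All are
    <= y^2 and, by unique factorization, pairwise distinct: pi(y)*(pi(y)+1)/2 of them."""
    primes = [p for p in range(2, y + 1) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
    return len(primes) * (len(primes) + 1) // 2

def easy_lower_bound(y):
    """0.5 * y^2 / (log y)^2, from the ~ y/log y primes in [1, y]."""
    return 0.5 * y * y / log(y) ** 2

if __name__ == "__main__":
    print(dickman_rho(2), 1 - log(2))                  # 0.306...
    print(dickman_rho(10), 10 ** -10)                  # 0.277e-10 vs the crude u^-u estimate
    print(two_prime_products(100), easy_lower_bound(100), count_smooth(10000, 100))
```

At $y = 100$ the exact count of $100$-smooth integers up to $10^4$ comes out above $0.306 \cdot 10^4$: the $0.306\, y^2$ figure is the leading term for large $y$ and drops lower-order terms. The crude $u^{-u}$ estimate at $u = 10$ overshoots $\rho(10)$ by a factor of about 3.6, which is why the slide separates the "somewhat careful" and "more careful" answers.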
QS scalability

QS is slow for small $N$ ... but scales very well to larger $N$.
Choose $y = N^{1/u}$. If the differences $a^2 - N$ were random integers mod $N$ then they would factor into primes in $[1, y]$ with probability $u^{-u}$. (Actually $a^2 - N$ is closer to $\sqrt{N}$; even more likely to factor.)
Factorization exponent vectors produce linear dependencies once there are $u^u \cdot y/\log y$ differences.
Choose $u$ on the scale of $\sqrt{\log N/\log\log N}$ to balance $u^u$ with $N^{1/u}$. Subexponential cost!

History of the world, part 1

1931 Lehmer–Powers, 1975 Morrison–Brillhart, "CFRAC": find small squares mod $N$ using the $\sqrt{N}$ continued fraction.
1977 Schroeppel "linear sieve": find square products of $ab$ ($ab \equiv ab - N \pmod N$) by sieving $ab - N$; use $a, b$ in a small range around $\sqrt{N}$. This uses $\exp(O(\sqrt{\log N \log\log N}))$ operations.
1982 Pomerance, QS: $a^2 - N$.
Retroactively plug in ECM or batch trial division, and fast linear algebra: each method uses $\exp((1+o(1))\sqrt{\log N \log\log N})$ operations.
Applying ECM directly to $N$ also uses $\exp((1+o(1))\sqrt{\log N \log\log N})$ operations.

History of the world, part 2

1982 Schnorr, 1987 Seysen, 1988 A. Lenstra, 1992 H. Lenstra–Pomerance: another method that provably uses $\exp((1+o(1))\sqrt{\log N \log\log N})$ operations.
1988 Pomerance–Smith–Tuler: "Over the last few years there has developed a remarkable six-way tie for the asymptotically fastest factoring algorithms. ... It might be tempting to conjecture that L(N) is in fact the true complexity of factoring, but no one seems to have any idea how to obtain even heuristic lower bounds for factoring."
1985 Odlyzko, commenting on the same conjecture: "It is this author's guess that this is not the case, and that we are missing some insight that will let us break below the L(p) barrier."
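Carrying the parameter choice on the QS scalability slide through to the cost exponent, as an added derivation that is not on the slides; it uses the slide's symbols $u$ and $y = N^{1/u}$ and its two heuristics, the smoothness probability $u^{-u}$ and the remark that $a^2 - N$ is only about $\sqrt{N}$ in size, and assumes (as the "retroactively plug in" line does) that batch trial division or sieving makes the cost per difference $y^{o(1)}$ and that the linear algebra is not the bottleneck:

$$
\begin{aligned}
\text{differences tried} &\approx u^{u}\cdot\frac{y}{\log y} \le u^{u} N^{1/u},
\qquad
\log(\text{cost}) \approx u\log u + \frac{\log N}{u}. \\[4pt]
\text{Balancing } u^{u} = N^{1/u}:\quad& u^{2}\log u = \log N,\ \ \log u \approx \tfrac12\log\log N
\ \Longrightarrow\ u \approx \sqrt{\tfrac{2\log N}{\log\log N}}, \\
\text{cost} &\approx N^{2/u} = \exp\!\bigl((\sqrt{2}+o(1))\sqrt{\log N\log\log N}\bigr). \\[4pt]
\text{Using } |a^{2}-N| \approx N^{1/2}:\quad& \text{smoothness exponent is } \tfrac{u}{2},\ \ 
\log(\text{cost}) \approx \tfrac{u}{2}\log\tfrac{u}{2} + \frac{\log N}{u}, \\
\text{balance at }& u^{2}\log\tfrac{u}{2} = 2\log N
\ \Longrightarrow\ u \approx 2\sqrt{\tfrac{\log N}{\log\log N}},\quad
y = N^{1/u} \approx \exp\!\bigl(\tfrac12\sqrt{\log N\log\log N}\bigr), \\
\text{cost} &\approx N^{2/u} = \exp\!\bigl((1+o(1))\sqrt{\log N\log\log N}\bigr).
\end{aligned}
$$

Both choices of $u$ are "on the scale of" $\sqrt{\log N/\log\log N}$; the halved smoothness exponent from $|a^2 - N| \approx \sqrt{N}$ is what brings the constant in the exponent from $\sqrt{2}$ down to the $1 + o(1)$ quoted for QS on the history slide.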
The number-field sieve (NFS)

1988 Pollard, independently 1989 Elkies, generalized by 1990 Lenstra–Lenstra–Manasse–Pollard: use $(a + b\alpha)(a + bm)$ with $\alpha \equiv m \pmod N$. $\exp((2.08\ldots + o(1))(\log N)^{1/3}(\log\log N)^{2/3})$.
1991 Adleman, 1993 Buhler–Lenstra–Pomerance: $\exp((1.92\ldots + o(1))(\log N)^{1/3}(\log\log N)^{2/3})$.
Adleman estimated the QS/NFS cutoff as $N \approx 2^{1100}$.
1993 Coppersmith: $\exp((1.90\ldots + o(1))(\log N)^{1/3}(\log\log N)^{2/3})$.
1993 Coppersmith, batch NFS ("factorization factory"): $\exp((1.63\ldots + o(1))(\log N)^{1/3}(\log\log N)^{2/3})$ after a precomputation independent of $N$.

So what does this mean for RSA-1024?

Complicated NFS analysis and optimization. Latest estimates: attacker breaks my 1024-bit key by scanning $2^{70}$ pairs $(a, b)$.
Plan A: NSA is building a $2^{26}$-watt computer center in Bluffdale.
Plan B: The Conficker botnet broke into $2^{23}$ machines.
Plan C: China has a supercomputer center in Tianjin.

$2^{57}$ watts: Earth receives from the Sun
$2^{56}$ watts: Earth's surface receives from the Sun
$2^{44}$ watts: current world power usage
$2^{30}$ watts: botnet running $2^{23}$ typical CPUs
$2^{26}$ watts: one dinky little computer center

$2^{26}$ watts of standard GPUs: $2^{84}$ floating-point mults/year. Latest estimates: this is enough to break 1024-bit RSA.
... and special-purpose chips should be at least $10\times$ faster.
... and batch NFS should be even faster.

Quantum computers

Okay, you're using RSA-3072. ... and then the attacker builds a big quantum computer. Imagine the extreme case: qubit ops are about as cheap as bit ops.
Major impact, part 1: 1996 Grover. Speeds up searching $s$ possible roots of $f$ from $s$ iterations of $f$ to $\sqrt{s}$ iterations of $f$. Example (2010 Bernstein): this speeds up ECM!
Major impact, part 2: 1994 Shor. Factors $N$ using one exponentiation modulo $N$.
Post-quantum RSA

Conventional wisdom: Shor's algorithm supersedes all previous factorization methods. In fact, it breaks RSA as quickly as RSA decrypts, so we have no hope of security from scaling RSA key sizes.
This isn't true! Use "multi-prime RSA."
Oops, 1997/1998 Tandem patent.
Fortunately, already in the 1983 RSA patent: "the present invention may use a modulus n which is a product of three or more primes."
Concrete analysis suggests that RSA with $2^{31}$ 4096-bit primes provides $2^{100}$ security vs. all known quantum attacks. Key fits on a hard drive; encryption + decryption take only a week.
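A toy multi-prime RSA in Python, added here to make the idea on the slide concrete; it is not code from the slides or from facthacks. The modulus is a product of $k$ primes and decryption does one small exponentiation per prime followed by Garner's recombination, which is why decryption cost grows linearly in $k$ rather than with the cube of $\log N$, the property the slide's $2^{31}$-prime key relies on. Everything here is this example's own construction: the parameter names, the fixed seed and test message, a probabilistic primality test and a non-cryptographic seeded RNG, and textbook RSA without padding, so it is for illustration only. One caveat a practitioner should keep in view: the slide's security claim rests on every prime being 4096 bits, because ECM finds the smallest prime of a multi-prime modulus at a cost set by that prime's size, not by the size of $N$.

```python
import random
from math import gcd

def is_probable_prime(n, rng=None, rounds=32):
    """Miller-Rabin with random bases (probabilistic; adequate for an illustration)."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # no square root of 1 reached: n is composite
    return True

def random_prime(bits, rng):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def multiprime_keygen(k, bits, e=65537, seed=None):
    """N = p_1 * ... * p_k with k distinct `bits`-bit primes.  The private key is kept as the
    per-prime exponents d_i = e^{-1} mod (p_i - 1), which is all CRT decryption needs."""
    rng = random.Random(seed)       # seeded for reproducibility; NOT a cryptographic RNG
    primes = []
    while len(primes) < k:
        p = random_prime(bits, rng)
        if p not in primes and gcd(e, p - 1) == 1:
            primes.append(p)
    N = 1
    for p in primes:
        N *= p
    d_i = [pow(e, -1, p - 1) for p in primes]
    return (N, e), (primes, d_i)

def encrypt(pub, m):
    N, e = pub
    return pow(m, e, N)

def decrypt(priv, c):
    """CRT decryption: one `bits`-sized exponentiation per prime, then Garner's algorithm to
    rebuild the unique x mod N with x = m_i mod p_i for every i."""
    primes, d_i = priv
    residues = [pow(c % p, d, p) for p, d in zip(primes, d_i)]
    x, modulus = 0, 1
    for p, r in zip(primes, residues):
        t = (r - x) * pow(modulus, -1, p) % p
        x += modulus * t
        modulus *= p
    return x

def roundtrip(k, bits, seed=7, message=0xDEADBEEF):
    """Generate a k-prime key and check decrypt(encrypt(message)) == message."""
    pub, priv = multiprime_keygen(k, bits, seed=seed)
    return decrypt(priv, encrypt(pub, message)) == message

if __name__ == "__main__":
    print(roundtrip(3, 64), roundtrip(8, 32))
```

The work in `decrypt` is $k$ exponentiations modulo `bits`-bit primes instead of one exponentiation modulo the $k \cdot$`bits`-bit $N$; scaling $k$ up while holding the prime size fixed is the trade the slide describes, and the Garner loop is the only step that touches the full-size modulus.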