Factorization of a 768-bit RSA modulus Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A. Lenstra, E. Thomé, J. Bos, P. Gaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],Q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(A =*d; ++i<A ;++Q[ i*i% A],R= i[Q]? R:i); for(;i --;) for(M =A;M --;N +=!M*Q [E%A ],e+= Q[(A +E*E- R*L* L%A) %A]) for( E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L) %A,E=C%A+a --[d]);printf ("%d" "\n", (e+N* N)/2 /* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);} Workshop on Tools for Cryptanalysis, 23 June 2010 Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Ninth Algorithmic Number Theory Symposium ANTS IX Nancy, France July 19–23, 2010 http://ants9.org/ Anne-Lise Charbonnier Pierrick Gaudry Paul Zimmermann LOCAL ORGANIZATION Jérémie Detrey Emmanuel Thomé Henri Darmon, McGill University Gabriele Nebe, RWTH Aachen Fritz Grunewald, HHU Düsseldorf Carl Pomerance, Dartmouth College INVITED SPEAKERS Jean-François Mestre, Univ. Paris 7 Oded Regev, Tel-Aviv University Nigel Boston Kevin Hare Takakazu Satoh John Cremona Thorsten Kleinjung Igor Shparlinski PROGRAM COMMITTEE Claus Fieker Kamal Khuri-Makdisi Alice Silverberg Guillaume Hanrot, chair François Morain, chair Frederik Vercauteren Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Summary of the talk On December 12, 2009 we factored RSA-768. “Wall-clock time” 2+ years. Total about 1700 (single core) cpu years. 13 times more than breaking Trivium (cf Paul Stankovski’s talk). 10 times less than (expected time) to break ECC2K-130 (cf Junfeng Fan’s talk). Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) The RSA Factoring Challenge Started in last millenium (1991), ended in 2007. Encourage research in integer factoring. Give an idea of which key size are still safe, and for how long. First series (decimal): RSA-100, ..., RSA-200, ..., RSA-500 Second series (binary): RSA-576, 640, 704, 768, 896, 1024, 1536, 2048. (50,000USD were offered for RSA-768, 200,000USD for RSA-2048.) Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) The Number Field Sieve (NFS) Invented by Pollard in 1988 Algorithm of choice to factor RSA numbers n = pq, with p and q of the same size = = Complexity ec(log n)1 3(log log n)2 3 Previous record: RSA-200, 200 digits (Bahr, Böhm, Franke, Kleinjung, 2005). Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) History of factorization records by GNFS RSA768 220 200 RSA200 digits 180 11,281+ RSA576 160 RSA160 2,953+ RSA155 140 RSA140 RSA130 1998 2000 2002 2004 2006 2008 2010 year Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) The Number Field Sieve polynomial selection (40 cpu years) sieving (1500 cpu years) filtering (duplicates, singletons, cliques) merging linear algebra (155 cpu years) characters square root gcd Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Tiny NFS factorization Let us factor n = 5105929 by NFS. Polynomial selection F(x; y) = 173x2 − 70xy − 63y 2; G(x; y) = x − 172y f (x) = F(x; 1) and g(x) = G(x; 1) have a common root µ = 172 mod n Res(f (x); g(x)) = 5105929 Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Notations All record NFS factorizations so far used a linear polynomial g(x). The f (x) side is called the algebraic side. Let d be the degree of f (x). The g(x) side is called the rational side. Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Sieving for n = 5105929 F(x; y) = 173x2 − 70xy − 63y 2; G(x; y) = x − 172y Find F(a; b) and G(a; b) smooth enough for a; b coprime a,b F(a,b) G(a,b) -573, 1213 22 · 3 · 52 · 23 · 432 −1 · 7 · 112 · 13 · 19 -108, 247 32 · 53 · 37 −1 · 25 · 113 -19, 39 22 · 53 · 37 −1 · 7 · 312 -9, 4 33 · 52 · 23 −1 · 17 · 41 7, 8 3 · 52 · 7 −1 · 372 7, 12 −1 · 52 · 7 · 37 −1 · 112 · 17 108, 127 32 · 53 · 37 −1 · 23 · 11 · 13 · 19 419, 529 −1 · 22 · 3 · 53 · 432 −1 · 41 · 472 Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Concept of ideal Rational side: p divides G(a; b) = bg(a=b) when a=b is a root of g(x) mod p. Exactly one root for each p. Algebraic side: p divides F(a; b) = bd f (a=b) when a=b is root of f (x) mod p. f (x) might have from 0 to d roots mod p. Let r be such a root, we denote (p; r) the corresponding ideal to identify it uniquely. Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Filtering 1 keep only one copy of duplicate relations (same a; b) 2 delete singletons (ideal (p; r) occurring in only one relation) 3 repeat Step 2 until no singleton remains 4 if (many) more relations than ideals, delete “cliques” 5 merge relations with common ideal (p; r), if this ideal occurs a few times Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Linear algebra Build a sparse matrix containing for each relation, the exponents of ideals occurring in that relation, reduced mod 2 > m relations for m ideals −! a linear dependency exists Lanczos and Wiedemann black-box algorithms: perform only matrix-vectors multiplications Mx, where M is the initial matrix. “Block” versions. In our tiny example, just multiply the 8 relations: Y F(a; b) = (−1)2 · 26 · 310 · 520 · 72 · 232 · 374 · 434 Y G(a; b) = (−1)8 ·28 ·72 ·118 ·132 ·172 ·192 ·312 ·372 ·412 ·472 Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Square root For each dependency (usually we find 20 − 30): Rational side: multiply together a − µb for each (a; b) in the dependency, µ being the common root of f (x) and g(x) mod n: Y a − µb = u2 with u = 15218777599577552. (a;b)2S Algebraic side: multiply together a − xb mod f (x): Y 2000923159288345989145312500 a − xb = x 1738 (a;b)2S 6641450250967901510957812500 + mod f ; 1738 whose square root mod f is: 1 v(x) = (−759208295625x + 109567198125): 1733 Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Square root (cont’d) n = 5105929 u = 15218777599577552 ≡ 701937 mod n 1 v(x) = (−759208295625x + 109567198125): 1733 which gives: v(µ) = 4220991 mod n: gcd(u + v(µ); n) = gcd(701937 + 4220991; 5105929) = 2011 Paul Zimmermann (joint work with T. Kleinjung. K. Aoki, J. Franke, A.Factorization Lenstra, E. Thomé, of a 768-bit J. Bos, RSA P. modulusGaudry, A. Kruppa, P. Montgomery, D. A. Osvik, H. te Riele and A. Timofeev) Factorisation of RSA-768 NTT: Kazumaro Aoki EPFL: Joppe Bos, Thorsten Kleinjung, Arjen Lenstra, Dag Arne Osvik Bonn: Jens Franke CWI: Peter Montgomery, Herman te Riele, Andrey Timofeev INRIA: Pierrick Gaudry, Alexander Kruppa, Emmanuel Thomé, PZ Paul Zimmermann (joint work with T.