circuits for integer factorization d j bernstein
play

Circuits for integer factorization D. J. Bernstein University of - PDF document

Oct 24, 2023 •160 likes •586 views

Circuits for integer factorization D. J. Bernstein University of Illinois at Chicago Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586. Exercise for the reader: Find a nontrivial factor of

  1. Circuits for integer factorization D. J. Bernstein University of Illinois at Chicago

  2. Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586.

  3. Exercise for the reader: Find a nontrivial factor of 6366223796340423057152171586. Small prime factors are easy to find. Larger primes are harder. “Elliptic-curve method” (ECM) scales surprisingly well. (1987 Lenstra) � 2 219 . ECM has found a prime (2005 Dodson; rather lucky; � 3 � 10 12 Opteron cycles) www.loria.fr/~zimmerma/records/p66

  4. For worst-case integers with two very large prime factors, ECM does not scale as well as “number-field sieve” (NFS). (1988 Pollard, et al.) Latest record: NFS has found � 2 332 two prime factors of “RSA-200” challenge. (2005 Bahr/Boehm/Franke/Kleinjung; � 5 � 10 18 Opteron cycles) How much more difficult � 2 512 is it to find prime factors n � 2 1024 ? of an integer www.loria.fr/~zimmerma/records/rsa200

  5. This talk focuses on scalability. Example: Trial division finds � y dividing n using primes y 1+ o (1) easy operations. o (1) means a function of y (Here y ! 1 ; that converges to 0 as =y or � 1 = log y or could be 1 y ) 5 = log log y .) 10 6 (log log log � method (1975 Pollard), assuming standard conjectures: y 0 : 5+ o (1) ; therefore much faster than trial division y is sufficiently large. once

  6. � y in n using p ECM finds primes o (1))log y log log y exp (2 + easy operations. (1987 Lenstra) � : Compare to trial division and y 1+ o (1) = exp((1 + o (1)) log y ); y 0 : 5+ o (1) = exp((0 : 5+ o (1)) log y ). Easily see from these formulas that ECM is much faster � than trial division and y is sufficiently large. once (What is “sufficiently large”? Many papers analyzing details.)

  7. � � p y = n Extreme case, : n using p ECM finds all primes in o (1))log n log log n exp (1 + n ! 1 . easy operations as NFS has better scalability: n using NFS finds all primes in L 1 : 901 ::: + o (1) easy operations n ! 1 , where L = as n ) 1 = 3 (log log n ) 2 = 3 ). exp((log (1 = 3, exponent 1 : 922 : : : : 1993 Buhler/Lenstra/Pomerance; 1 : 901 : : : : 1993 Coppersmith)

  8. These NFS operations take L 1 : 901 ::: + o (1) seconds on a standard serial computer L 0 : 950 ::: + o (1) e . costing “TWINKLE”: another circuit L 0 : 950 ::: + o (1) e costing that performs same operations in L 1 : 901 ::: + o (1) seconds. (2000 Lenstra/Shamir) A better-designed circuit costing L 0 : 950 ::: + o (1) e can perform same operations in L 1 : 426 ::: + o (1) seconds. (2001 Bernstein)

  9. Better parameter choices: n using Can find all primes in L 1 : 185 ::: + o (1) seconds with an NFS circuit costing L 0 : 790 ::: + o (1) e . (2001 Bernstein) Can vary circuit size, but L 1 : 976 ::: + o (1) e � seconds is best price-performance ratio in this class of algorithms. Also vary serial-computer size. Best price-performance ratio: L 2 : 760 ::: + o (1) e � seconds. (2002 Pomerance)

  10. n Conclusion: Circuit factors much more quickly than standard serial computer of the same size, n is large enough. once n � 2 1024 ? (What about Much more difficult analysis. Many estimates in new papers, < 1 year for < 10 9 e .) usually How is this possible? How can a circuit be so much faster than a standard serial computer?

  11. Computational complexity Start with simpler problem. How fast is sorting? n numbers. � � Input: array of 1 ; 2 ; : : : ; n 2 Each number in , represented in binary. n numbers, Output: array of in increasing order, represented in binary; same multiset as input. A machine is given the input and computes the output. How much time does it use?

  12. The answer depends on how the machine works. Possibility 1: The machine is a “1-tape Turing machine using selection sort.” Specifically: The machine has a 1-dimensional array n 1+ o (1) “cells.” containing o (1) bits. n Each cell stores Input and output are stored in these cells.

  13. The machine also has a “head” moving through array. o (1) cells. n Head contains Head can see the cell at its current array position; perform arithmetic etc.; move to adjacent array position. Selection sort: Head looks at each array position, picks up the largest number, moves it to the end of the array, picks up the second largest, etc.

  14. Moving to adjacent array position o (1) seconds. n takes Moving a number to end of array n 1+ o (1) seconds. takes Same for comparisons etc. Total sorting time: n 2+ o (1) seconds. Cost of machine: n 1+ o (1) e n 1+ o (1) cells. for Negligible extra cost for head.

  15. Possibility 2: The machine is a “2-dimensional RAM using merge sort.” n 1+ o (1) cells Machine has in a 2-dimensional array: n 0 : 5+ o (1) rows, n 0 : 5+ o (1) columns. Machine also has a head. Merge sort: Head recursively b n= 2 numbers; sorts first d n= 2 e numbers; sorts last merges the sorted lists.

  16. n 1+ o (1) jumps Merging requires to “random” array positions. n 0 : 5+ o (1) moves Average jump: to adjacent array positions. o (1) seconds. n Each move takes Total sorting time: n 1 : 5+ o (1) seconds. Cost of machine: once again n 1+ o (1) e .

  17. Possibility 3: The machine is a “pipelined 2-dimensional RAM using radix-2 sort.” n 1+ o (1) cells Machine has in a 2-dimensional array. Each cell in the array has network links to the 2 adjacent cells in the same column. Each cell in the bottom row has network links to the 2 adjacent cells in the bottom row.

  18. Machine also has a CPU attached to bottom-left cell. CPU can read/write any cell by sending request through network. While waiting for response, can send subsequent requests. CPU can read an entire row n 0 : 5+ o (1) cells of n 0 : 5+ o (1) seconds. in Sends all requests, then receives responses.

  19. Radix-2 sort: CPU shuffles array using bit 0, even numbers before odd. 7! 3 1 4 1 5 9 2 6 4 2 6 3 1 1 5 9. Then using bit 1: 4 1 1 5 9 2 6 3. Then using bit 2: 1 1 9 2 3 4 5 6. Then using bit 3: 1 1 2 3 4 5 6 9. etc.

  20. Each shuffle takes n 1+ o (1) seconds. o (1) shuffles. n Total sorting time: n 1+ o (1) seconds. Cost of machine: once again n 1+ o (1) e .

  21. Possibility 4: The machine is a “2-dimensional mesh using Schimmler sort.” n 1+ o (1) cells Machine has in a 2-dimensional array. Each cell has network links to the 4 adjacent cells. Machine also has a CPU attached to bottom-left cell. CPU broadcasts instructions to all of the cells, but cells do most of the processing.

  22. n 0 : 5+ o (1) cells Sort row of n 0 : 5+ o (1) seconds: in Sort each pair in parallel. 7! 3 1 4 1 5 9 2 6 1 3 1 4 5 9 2 6 Sort alternate pairs in parallel. 7! 1 3 1 4 5 9 2 6 1 1 3 4 5 2 9 6 Repeat until number of steps equals row length. Sort each row, in parallel, n 0 : 5+ o (1) seconds. in

  23. Schimmler sort: Recursively sort quadrants in parallel. Then four steps: � Sort each column in parallel. � Sort each row in parallel. � Sort each column in parallel. � Sort each row in parallel. With proper choice of left-to-right/right-to-left for each row, can prove that this sorts whole array.

  24. For example, assume that � 8 array is in cells: this 8 3 1 4 1 5 9 2 6 5 3 5 8 9 7 9 3 2 3 8 4 6 2 6 4 3 3 8 3 2 7 9 5 0 2 8 8 4 1 9 7 1 6 9 3 9 9 3 7 5 1 0 5 8 2 0 9 7 4 9 4 4 5 9 2

  25. Recursively sort quadrants, ! , bottom : top 1 1 2 3 2 2 2 3 3 3 3 3 4 5 5 6 3 4 4 5 6 6 7 7 5 8 8 8 9 9 9 9 1 1 0 0 2 2 1 0 4 4 3 2 5 4 4 3 7 6 5 5 9 8 7 7 9 9 8 8 9 9 9 9

  26. Sort each column in parallel: 1 1 0 0 2 2 1 0 1 1 2 2 2 2 2 3 3 3 3 3 4 4 4 3 3 4 3 3 5 5 5 6 4 4 4 5 6 6 7 7 5 6 5 5 9 8 7 7 7 8 8 8 9 9 9 9 9 9 8 8 9 9 9 9

  27. Sort each row in parallel, , ! : alternately 0 0 0 1 1 1 2 2 3 2 2 2 2 2 1 1 3 3 3 3 3 4 4 4 6 5 5 5 4 3 3 3 4 4 4 5 6 6 7 7 9 8 7 7 6 5 5 5 7 8 8 8 9 9 9 9 9 9 9 9 9 9 8 8

  28. Sort each column in parallel: 0 0 0 1 1 1 1 1 3 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 4 4 4 5 4 4 4 4 6 5 5 5 6 5 5 5 7 8 7 7 6 6 7 7 9 8 8 8 9 9 8 8 9 9 9 9 9 9 9 9

  29. Sort each row in parallel, or ! as desired: 0 0 0 1 1 1 1 1 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 5 5 5 5 5 5 5 6 6 6 6 7 7 7 7 7 8 8 8 8 8 8 9 9 9 9 9 9 9 9 9 9 9

  30. Sort one row n 0 : 5+ o (1) seconds. in All rows in parallel: n 0 : 5+ o (1) seconds. Total sorting time: n 0 : 5+ o (1) seconds. Cost of machine: once again n 1+ o (1) e . n 0 : 5+ o (1) on mesh: ( 1977 Thompson/Kung; this very simple algorithm: 1987 Schimmler)

  31. “VLSI algorithms” literature contains similar improvements in price-performance ratio (“ AT ”) for many computations. Consider, e.g., n -bit integers. multiplying two n 1+ o (1) Time on standard serial computer n 1+ o (1) bits of memory. with (1971 Sch¨ onhage/Strassen, using FFT; see also 2007 F¨ urer)

  32. Knuth: “we leave the domain of conventional computer : : : ” programming n 1+ o (1) Time on a 1-dimensional mesh n 1+ o (1) . of size (1965 Atrubin, elementary) n 0 : 5+ o (1) Time on a 2-dimensional mesh n 1+ o (1) . of size (1981 Brent/Kung, using FFT)

Recommend

Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois

Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois

Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation I want to work for NSA as an independent

706 views • 49 slides
Challenges in quantum algorithms for integer factorization D. J. Bernstein University of

Challenges in quantum algorithms for integer factorization D. J. Bernstein University of

1 Challenges in quantum algorithms for integer factorization D. J. Bernstein University of Illinois at Chicago Prelude: What is the fastest algorithm to sort an array? def blindsort(x): while not issorted(x): permuterandomly(x) 2 def

713 views • 50 slides
and 611 + for small : Integer factorization Sieving 1 612 2 2 3 3 D. J. Bernstein

and 611 + for small : Integer factorization Sieving 1 612 2 2 3 3 D. J. Bernstein

and 611 + for small : Integer factorization Sieving 1 612 2 2 3 3 D. J. Bernstein 2 2 613 3 3 614 2 4 2 2 615 3 5 Thanks to: 5 5 616 2 2 2 7 6 2 3 617 University of Illinois at Chicago 7 7 618 2 3 8 2 2 2

411 views • 29 slides
Integer Factorization Methods Modular Arithmetic Trial division, Pollards p 1 , Division

Integer Factorization Methods Modular Arithmetic Trial division, Pollards p 1 , Division

Integer Factorization Methods Integer 2014-04-11 Integer Factorization Methods Factorization Trial division, Pollards p 1 , Pollards , and Fermats method Methods Christopher Koch 1 C. Koch 1 Department of Computer Science and

681 views • 33 slides
Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of

Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of

Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of 6366223796340423057152171586. D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation rization:

593 views • 55 slides
Random problems at the core of integer factorization algorithms Pierrick Gaudry Caramba

Random problems at the core of integer factorization algorithms Pierrick Gaudry Caramba

Random problems at the core of integer factorization algorithms Pierrick Gaudry Caramba LORIA, Nancy CNRS, Universit de Lorraine, Inria Journes ALEA, March 2016 1/31 Plan Introduction: crypto context Integer factorization 101 How

462 views • 33 slides
Integer Factorization Methods Modular Trial division, Pollards p 1 , Arithmetic Division

Integer Factorization Methods Modular Trial division, Pollards p 1 , Arithmetic Division

Integer Factorization Methods C. Koch Overview Integer Factorization Methods Modular Trial division, Pollards p 1 , Arithmetic Division Algorithm and Congruence Pollards , and Fermats method Residue classes mod n Integers

505 views • 33 slides
Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer

Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer

1 2 Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer factorization for i in reversed(range(j)): x[i],x[i+1] = ( D. J. Bernstein min(x[i],x[i+1]), University of Illinois at Chicago max(x[i],x[i+1])

1.48k views • 118 slides
Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation and 611 + for small : Sieving 1 612 2 2 3 3 2 2 613 3 3 614 2 4 2 2 615 3 5 5 5 616 2 2 2

488 views • 36 slides
Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

Factorization myths D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation and 611 + for small : Sieving 1 612 2 2 3 3 2 2 613 3 3 614 2 4 2 2 615 3 5 5 5 616 2 2 2

676 views • 32 slides
lecture 7 Sequential circuits 3 - integer multiplication and division - floating point

lecture 7 Sequential circuits 3 - integer multiplication and division - floating point

lecture 7 Sequential circuits 3 - integer multiplication and division - floating point arithmetic - finite state machines February 1, 2016 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ?

402 views • 24 slides
Faster factorization into coprimes D. J. Bernstein Thanks to: University of Illinois at Chicago

Faster factorization into coprimes D. J. Bernstein Thanks to: University of Illinois at Chicago

Faster factorization into coprimes D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation Problem: Convert (mod 299), (mod 799) into a single

555 views • 28 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This

The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This

The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same tools will also be useful for

799 views • 47 slides
Isolating critical cases for reciprocals using integer factorization John Harrison Intel

Isolating critical cases for reciprocals using integer factorization John Harrison Intel

Isolating critical cases for reciprocals using integer factorization John Harrison Intel Corporation ARITH-16 Santiago de Compostela 17th June 2003 0 Background result before the final rounding Suppose we are interested in a floating-point

343 views • 19 slides
lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ? Sequential circuits 3 multiplicand - integer multiplication and division multiplier - floating point arithmetic product - finite

183 views • 3 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness &lt; p . of many positive integers Smooth integer: integer &gt; y . with no prime divisors y

475 views • 8 slides
Sorting integer arrays: security, speed, and verification D. J. Bernstein 2 Bobs laptop

Sorting integer arrays: security, speed, and verification D. J. Bernstein 2 Bobs laptop

1 Sorting integer arrays: security, speed, and verification D. J. Bernstein 2 Bobs laptop screen: From: Alice Thank you for your submission. We received many interesting papers, and unfortunately your Bob assumes this message is

1.04k views • 60 slides
Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield

Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield

Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield University March 22, 2019 Paul Baginski Fairfield University Nonunique Factorization in the Ring of Integer-Valued Polynomials 2016 Fairfield

334 views • 30 slides
LU Factorization Marco Chiarandini Department of Mathematics &amp; Computer Science University

LU Factorization Marco Chiarandini Department of Mathematics &amp; Computer Science University

DM559 Linear and Integer Programming LU Factorization Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark [ Based on slides by Lieven Vandenberghe, UCLA ] Operation Count LU Factorization Outline

935 views • 34 slides
LU Factorization Marco Chiarandini Department of Mathematics &amp; Computer Science University

LU Factorization Marco Chiarandini Department of Mathematics &amp; Computer Science University

DM559 Linear and Integer Programming LU Factorization Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark [ Based on slides by Lieven Vandenberghe, UCLA ] Operation Count LU Factorization Outline

524 views • 38 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Key bits where all known attacks take 2 operations (naive serial attack metric,

412 views • 16 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG

499 views • 28 slides

More recommend