Side-channel attacks

Side-channel structures relevant to RSA:

Exponentiation
◮ Square-and-multiply: different execution paths / instruction timing / power levels dependent on bits of private key.
◮ Defense: Exponent blinding, square-and-always-multiply, never branch.

CRT coefficients
◮ Fault attacks can produce a value valid mod only one prime.
◮ Defense: Verify output.

Padding oracles
◮ Implementations differentiating between correct and incorrect decryption → chosen-ciphertext attacks.
◮ Defense: Don’t distinguish failures.

Bernstein, Heninger, Lange: Cryptanalytic threats to RSA http://facthacks.cr.yp.to
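The “Defense: Verify output” bullet for CRT, as an added example that is not code from the slides: RSA-CRT signing that checks its own signature under the public key before releasing it, with a constructed one-bit fault to show what the check catches. The key (two Mersenne primes) and the function names are assumptions for the demo.

```python
# Added example (not from the FactHacks slides): RSA-CRT signing with output
# verification. Key from two Mersenne primes, constructed for a small demo;
# real keys are 2048+ bits and signatures are padded (omitted here).
from math import gcd

p = 2**61 - 1                        # prime
q = 2**89 - 1                        # prime
N = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))    # Python 3.8+ modular inverse
dp, dq = d % (p - 1), d % (q - 1)    # CRT exponents
qinv = pow(q, -1, p)                 # CRT coefficient


def crt_sign(m, fault_in_sp=False):
    """Textbook RSA-CRT signature of integer m (0 <= m < N).
    fault_in_sp simulates a glitch that corrupts the half computed mod p,
    so the result is valid mod q only (the case on the slide)."""
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_sp:
        sp ^= 1                      # constructed fault: flip one bit of sp
    h = (qinv * (sp - sq)) % p
    return sq + h * q                # Garner recombination, result < N


def safe_sign(m):
    """Release the signature only if it verifies under the public key;
    a faulty signature is never handed to the caller."""
    s = crt_sign(m)
    if pow(s, e, N) != m % N:
        raise ValueError("signature failed self-check; refusing to output")
    return s


def fault_leaks_factor(m):
    """Why the check matters: a signature valid mod q but wrong mod p has
    s^e - m divisible by q and not by p, so gcd(s^e - m, N) reveals q.
    Returns True when the unchecked faulty signature exposes q."""
    s_bad = crt_sign(m, fault_in_sp=True)
    return gcd(pow(s_bad, e, N) - m, N) == q
```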
Partial key recovery and related attacks

RSA particularly susceptible to partial key recovery attacks.

Theorem (Coppersmith/Howgrave-Graham)
We can find roots x of polynomials f of degree d mod divisors B of N, B = N^β, when |x| ≤ N^(β²/d).

(Note that the RSA problem is to find roots of x^e − c mod N.)

◮ Can factor given 1/2 of the bits of p. [Coppersmith 96]
◮ Can factor given 1/4 of the bits of d. [Boneh Durfee Frankel 98]
◮ Can factor given 1/2 of the bits of d_p. [Blömer May 03]

Also implies constraints on key choice:
◮ Can factor if d < N^0.292. [Boneh Durfee 98]

Message security: Least significant bit of message as secure as entire message. [Alexi Chor Goldreich Schnorr 88]
Protocol issues.
Padding schemes: Simple cryptanalyses

Fixed-pattern padding
Define a padding scheme (P | m).

Coppersmith’s theorem: With e = 3, if |m| < N^(1/3) then can efficiently compute m as the root x of (P · 2^t + x)^3 − c mod N.
[Brier Clavier Coron Naccache 01]

Existential forgery of signatures with |m| > N^(1/3) by finding solutions to the relation (P + m_1)(P + m_2) = (P + m_3)(P + m_4) mod N using continued fractions.
The agony and ecstasy of PKCS#1v1.5 and OAEP

PKCS#1: (0x00 0x02 | padding string | 0x00 | message)

Cryptographers: PKCS#1 is not IND-CCA2 secure!
Practitioners: That is not relevant in practice.

1994 Bellare Rogaway: Use OAEP, it’s provably secure in random oracle model.

1996 Bleichenbacher: “Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1”

1998 RFC 2437: “RSAES-OAEP is recommended for new applications; RSAES-PKCS1-v1_5 is included only for compatibility with existing applications, and is not recommended for new applications”
The agony and ecstasy of PKCS#1v1.5 and OAEP

2001 Shoup: There’s a hole in the OAEP security proof, but I fixed it. The proof uses Coppersmith’s theorem.

2008 RFC 5246: “for maximal compatibility with earlier versions of TLS, this specification uses the RSAES-PKCS1-v1_5 scheme”

2012 Bardou Focardi Kawamoto Simionato Steel Tsay: Bleichenbacher attack works against RSA SecurID tokens, Estonian ID cards.
Shoup’s “Simple RSA”

  C_0 = r^e mod N            r random
  k_0 || k_1 = H(r)          H hash function
  C_1 = enc_{k_0}(m)         enc a symmetric cipher
  T = mac_{k_1}(C_1)

Output (C_0, C_1, T).

Very short and efficient security proof.
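The construction above as an added, runnable example (not the slides’ or Shoup’s own code). Assumptions: H is SHA-512 split into two 32-byte keys, enc is XOR with a SHA-256 counter keystream, mac is HMAC-SHA256, and the RSA key is a small demo key built from two Mersenne primes.

```python
# Added example (not from the slides): Shoup's "Simple RSA" as a KEM/DEM.
import hashlib
import hmac
import secrets

# Small demo key from two Mersenne primes (constructed; real keys are far larger).
p = 2**61 - 1
q = 2**89 - 1
N = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))
NBYTES = (N.bit_length() + 7) // 8


def H(r):
    """k0 || k1 = H(r): SHA-512 of r, split into two 32-byte keys."""
    h = hashlib.sha512(r.to_bytes(NBYTES, "big")).digest()
    return h[:32], h[32:]


def enc(k0, data):
    """Stand-in for the symmetric cipher: XOR with a SHA-256 counter keystream.
    Encryption and decryption are the same operation."""
    stream = b"".join(hashlib.sha256(k0 + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def mac(k1, data):
    return hmac.new(k1, data, hashlib.sha256).digest()


def encrypt(m):
    """Return (C0, C1, T) exactly as on the slide."""
    r = secrets.randbelow(N - 2) + 2          # random r in [2, N-1]
    c0 = pow(r, e, N)
    k0, k1 = H(r)
    c1 = enc(k0, m)
    return c0, c1, mac(k1, c1)


def decrypt(c0, c1, t):
    """Recover r, rederive k0||k1, check T before touching C1. Every failure
    (bad C0, bad C1, bad T) ends the same way: None, nothing to distinguish."""
    if not 0 < c0 < N:
        return None
    r = pow(c0, d, N)
    k0, k1 = H(r)
    if not hmac.compare_digest(t, mac(k1, c1)):
        return None
    return enc(k0, c1)
```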
Factoring, aka. breaking RSA if nothing else went wrong.
Preliminaries: Using Sage

The following 2 parts use some code snippets to give examples using the free open source mathematics software Sage, http://www.sagemath.org/.

Sage looks like Python, but there are a few differences: ^ is exponentiation, not xor.

  sage: 2*3
  6
  sage: 2^3
  8

It has lots of useful libraries:

  sage: factor(15)
  3 * 5
  sage: factor(x^2-1)
  (x - 1) * (x + 1)

That’s it, just factor(N)
Trial division

Factoring easy-to-factor numbers:

  sage: N=1701411834604692317316873037158841057535

is obviously divisible by 5.

  sage: N/5 # / is exact division
  340282366920938463463374607431768211507

Searching for p by trial division takes time about p/log(p) (number of primes up to p) trial divisions.

Computers can test quickly for divisibility by a precomputed set of primes (using % or gcd with product).

Can batch this computation for many moduli N using product and remainder trees.
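The batched version of the last point as an added example (not the slides’ code): one product of all small primes, a product tree over the moduli and a remainder tree bring that product down to each modulus, and a gcd finishes the job. The sample moduli are constructed (the first is the N from this slide); the function names are assumptions.

```python
# Added example (not from the slides): batch trial division via product and
# remainder trees. z = product of all primes <= bound is computed once; the
# remainder tree yields z mod N_i for every modulus with O(log n) levels of
# big reductions instead of one per (modulus, prime) pair.
from math import gcd, isqrt


def primes_up_to(b):
    """Sieve of Eratosthenes."""
    s = bytearray([1]) * (b + 1)
    s[0] = s[1] = 0
    for i in range(2, isqrt(b) + 1):
        if s[i]:
            s[i * i::i] = bytearray(len(s[i * i::i]))
    return [i for i in range(b + 1) if s[i]]


def product_tree(xs):
    """tree[0] is the list of leaves; tree[-1] == [product of all leaves]."""
    tree = [list(xs)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def remainder_tree(z, tree):
    """[z mod leaf for each leaf], reducing top-down through the product tree."""
    rems = [z % tree[-1][0]]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % level[i] for i in range(len(level))]
    return rems


def batch_small_factors(moduli, bound):
    """For each modulus N return gcd(N, product of primes <= bound):
    1 means no prime factor <= bound, otherwise the product of those found."""
    z = product_tree(primes_up_to(bound))[-1][0]
    rems = remainder_tree(z, product_tree(moduli))
    return [gcd(r, n) for r, n in zip(rems, moduli)]   # gcd(z mod N, N) == gcd(z, N)


def naive_small_factors(moduli, bound):
    """Reference result: one full-size gcd per modulus."""
    z = 1
    for p in primes_up_to(bound):
        z *= p
    return [gcd(n, z) for n in moduli]
```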
Pollard rho

Do random walk modulo N, hope for collision modulo factor p. E.g. using Floyd’s cycle finding algorithm:

  N=698599699288686665490308069057420138223871
  a=98357389475943875; c=10 # some random values
  a1=(a^2+c) % N ; a2=(a1^2+c) % N
  while gcd(N,a2-a1)==1:
      a1=(a1^2+c) %N
      a2=(((a2^2+c)%N)^2+c)%N
  gcd(N,a2-a1) # output is 2053

Pollard’s rho method runs till a prime p divides a1 − a2 and N. By the birthday paradox expect collisions modulo p after √p steps.

Each step is more expensive than trial division, so don’t use this to find 5 but to find 2053.
Pollard’s p − 1 method

If a^r ≡ 1 mod p then p | gcd(a^r − 1, N).

Don’t know p, pick very smooth number r, hoping for ord_p(a) to divide it.

  N=444266014606582911577255360081280172978907874637194279031281180366057
  r=lcm(range(1,2^22)) # this takes a while ...
  s=Integer(pow(2,r,N))
  gcd(s-1,N) # output is 1267650600228229401496703217601

This method finds larger factors than the rho method (in the same time) but only works for special primes.

Here p − 1 = 2^6 · 3^2 · 5^2 · 17 · 227 · 491 · 991 · 36559 · 308129 · 4161791 has only small factors (aka. p − 1 is smooth).

Outdated recommendation: avoid such primes, use only “strong primes”. ECM (next pages) finds all primes.
ECM – Math description

Pollard’s p − 1 method uses the multiplicative group of integers modulo p; finds p if ord_p(a) divides r for some but not all primes p.

Lenstra’s Elliptic Curve Method uses the group of points on an elliptic curve modulo p. Let P be a point on the curve. If the order of P (under computations modulo p) divides r for some but not all primes p, can find p using an appropriate gcd with rP and N.

Computations work as in p − 1 method: the curve is given modulo N; all arithmetic is done modulo N.

Hasse’s theorem: the order of an elliptic curve modulo p is in [p + 1 − 2√p, p + 1 + 2√p]. There are lots of smooth numbers in this interval. Lenstra: Good distribution in the interval.

ECM has the power to change the group; if E_1 does not work, go for E_2, E_3, ... till a point has smooth order modulo a p.
EECM: Edwards ECM, Basic version

Use elliptic curve in twisted Edwards form:
  E: a x^2 + y^2 = 1 + d x^2 y^2
with point P = (x, y); a, d ≠ 0, a ≠ d.

Generate random curve by picking random nonzero a, x, y, compute d = (a x^2 + y^2 − 1)/(x^2 y^2).

Multiplication in p − 1 method replaced by addition on E:
  (x_1, y_1) + (x_2, y_2) = ( (x_1 y_2 + x_2 y_1)/(1 + d x_1 y_1 x_2 y_2), (y_1 y_2 − a x_1 x_2)/(1 − d x_1 y_1 x_2 y_2) ).
Neutral element in this group is (0, 1).

Compute rP = (x̄, ȳ) modulo N using double-and-add method; avoid divisions by using projective coordinates. For formulas see http://hyperelliptic.org/EFD.

Compute gcd(x̄, N); this finds primes p for which the order of P modulo p divides r.
ECM: production version

◮ Use special curves with
  ◮ small coefficients for faster computation, e.g. (1/23, 1/7) is a point on 25x^2 + y^2 = 1 − 24167 x^2 y^2;
  ◮ with better chance of smooth orders; this curve has a guaranteed factor of 12.
◮ Split computation into 2 stages:
  ◮ stage 1 as described before with somewhat smaller t in r=lcm(range(1,t));
  ◮ stage 2 checks (q_i r)P for the next few primes q_i > t (computed in a batched manner).
◮ See http://eecm.cr.yp.to/ for explanations, good curves, code, references, etc.
◮ Method runs very well on GPUs; distributed computing.
◮ ECM is still active research area.

ECM is very efficient at factoring random numbers (once small factors are removed). Favorite method to kill RSA-360.
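EECM stage 1 as described on the previous slide (addition law, double-and-add, projective coordinates, final gcd), run on this slide’s curve 25x² + y² = 1 − 24167x²y² with P = (1/23, 1/7). This is an added example, not the slides’ or the EECM project’s code; the projective formula is the EFD “add-2008-bbjlp” one, and N = 2053 · (2^89 − 1) is constructed so that stage 1 with t = 4096 deterministically finds 2053 (every group order allowed by Hasse for p = 2053 divides lcm(1..4096)).

```python
# Added example (not the slides' or EECM's own code): stage 1 of Edwards ECM
# with unified projective twisted-Edwards addition, all arithmetic mod N.
from math import gcd

A_COEFF, D_COEFF = 25, -24167          # a and d of 25x^2 + y^2 = 1 - 24167x^2y^2
P_PROJ = (7, 23, 161)                  # (1/23, 1/7) scaled by Z = 7 * 23


def ed_add(P1, P2, N, a=A_COEFF, d=D_COEFF):
    """Projective addition (X1:Y1:Z1) + (X2:Y2:Z2); also used for doubling.
    Matches the affine law on the previous slide with x = X/Z, y = Y/Z."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    A = Z1 * Z2 % N
    B = A * A % N
    C = X1 * X2 % N
    D = Y1 * Y2 % N
    E = d * C * D % N
    F = (B - E) % N                    # denominator of x3, times A^2
    G = (B + E) % N                    # denominator of y3, times A^2
    X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - D) % N
    Y3 = A * G * (D - a * C) % N
    Z3 = F * G % N
    return X3, Y3, Z3


def ed_mul(k, P, N):
    """Left-to-right double-and-add; (0 : 1 : 1) is the neutral element."""
    R = (0, 1, 1)
    for bit in bin(k)[2:]:
        R = ed_add(R, R, N)
        if bit == "1":
            R = ed_add(R, P, N)
    return R


def stage1_scalar(t):
    """r = lcm(1, ..., t), the same r as in the slides' p-1 snippet."""
    r = 1
    for k in range(2, t + 1):
        r = r * k // gcd(r, k)
    return r


def eecm_stage1(N, t):
    """Return a nontrivial factor of N found by stage 1, or None.
    rP is (0, 1) mod p exactly when ord_p(P) divides r, so X shares a factor
    with N; Z is checked too in case the arithmetic degenerated mod p."""
    X, _, Z = ed_mul(stage1_scalar(t), P_PROJ, N)
    for g in (gcd(X, N), gcd(Z, N)):
        if 1 < g < N:
            return g
    return None
```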
Factoring bad choices of N

Problem if one takes ’same size’ too literally:

  N = 1000000000000000000000000000000000000000000000000000000
      0000000000000000000000000000000000000000000000000000000000
      0000000000000000000000000000000000000000000000000000000029
      9999999999999999999999999999999999999999999999999999999999
      9999999999999999999999999999999999999999999999999999999999
      99999999999999999999999999999999999999999999999999997921.

Yes, this looks very close to a power of 10, actually close to √(10^340). The square root of N is almost an integer, almost 10^170.

Brute-force search N % (10^170 - i) finds factor p = 10^170 − 33 and then q = N/p = 10^170 + 63.

In real life would expect this with power of 2 instead of 10.
This problem happens not only for p and q too close to powers of 2 or 10.

User starts search for p with some offset c as p = next_prime(2^512 + c). Takes q = next_prime(p).

  sage: N=115792089237316195423570985008721211221144628262713908746538761285902758367353
  sage: sqrt(N).numerical_approx(256).str(no_sci=2)
  ’340282366920938463463374607431817146356.9999999999999999999999999999999999940’
  # very close to an integer
  sage: a=ceil(sqrt(N)); a^2-N
  4096
  # 4096=64^2; this is a square!
  sage: N/(a-64)
  340282366920938463463374607431817146293
  # an integer!
  sage: N/340282366920938463463374607431817146293
  340282366920938463463374607431817146421
Fermat factorization

We wrote N = a^2 − b^2 = (a + b)(a − b) and factored it using N/(a − b).

  sage: N=115792089237316195448679392282006640413199890130332179010243714077028592474181
  sage: sqrt(N).numerical_approx(256).str(no_sci=2)
  ’340282366920938463500268096066682468352.9999999471509747085563508368188422193’
  sage: a=ceil(sqrt(N)); i=0
  sage: while not is_square((a+i)^2-N):
  ....:     i=i+1
  ....: # gives i=2
  ....: # was q=next_prime(p+2^66+974892437589)

This always works eventually: N = ((q + p)/2)^2 − ((q − p)/2)^2, but searching for (q + p)/2 starting with ⌈√N⌉ will usually run for about √N ≈ p steps.
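The Fermat search of the last two slides turned into a key-validation check, as an added example (not the slides’ Sage code): a modulus whose primes are close enough to be found within a fixed step budget is rejected and its factors returned, while a healthy modulus returns None. Since the search from ⌈√N⌉ needs about (q − p)²/(8√N) steps, a bounded run only catches primes closer than roughly N^(1/4) apart, which is the case a key generator must rule out (FIPS 186-4 demands |p − q| > 2^(nlen/2 − 100) for this reason). Function names are assumptions; the two test moduli are the ones from the slides.

```python
# Added example (not from the slides): bounded Fermat factorization as a
# sanity check on an RSA modulus. Runs on plain Python integers.
from math import isqrt


def is_square(x):
    if x < 0:
        return False
    r = isqrt(x)
    return r * r == x


def close_prime_factors(N, max_steps):
    """Fermat's method from a = ceil(sqrt(N)) for at most max_steps values of a.
    Returns (p, q) with p * q == N and p <= q, or None if nothing is found:
    the number of steps is about (q - p)^2 / (8 sqrt(N)), so a small budget
    only succeeds when p and q are dangerously close."""
    a = isqrt(N)
    if a * a < N:
        a += 1                           # a = ceil(sqrt(N))
    for i in range(max_steps):
        t = (a + i) ** 2 - N             # t = b^2 exactly when a + i = (p + q) / 2
        if is_square(t):
            b = isqrt(t)
            return a + i - b, a + i + b
    return None


def modulus_is_acceptable(N, max_steps=1000):
    """Key-validation view: reject any modulus the bounded search can split."""
    return close_prime_factors(N, max_steps) is None
```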
An example of the quadratic sieve (QS)

Let's try Fermat to factor N = 2759. Recall idea: if a² − N is a square b² then N = (a − b)(a + b).

53² − 2759 = 50. Not exactly a square: 50 = 2 · 5².
54² − 2759 = 157. Ummm, doesn't look like a square.
55² − 2759 = 266.
56² − 2759 = 377.
57² − 2759 = 490. Hey, 49 is a square . . . 490 = 2 · 5 · 7².
58² − 2759 = 605. Not exactly a square: 605 = 5 · 11².

Fermat doesn't seem to be working very well for this number.
But the product 50 · 490 · 605 is a square: 2² · 5⁴ · 7² · 11².
QS computes gcd{2759, 53 · 57 · 58 − √(50 · 490 · 605)} = 31.

Exercise: Square product has 50% chance of factoring pq.
QS more systematically

Try larger N. Easy to generate many differences a² − N:

N = 314159265358979323
X = [a^2-N for a in range(isqrt(N)+1,isqrt(N)+500000)]   # isqrt: range needs integer bounds

See which differences are easy to factor:

P = list(primes(2,1000))
F = easyfactorizations(P,X)
# easyfactorizations is a helper from facthacks.cr.yp.to, not shown here; as used
# below, each entry f has f[0] = primes dividing f[2] to an odd power and f[2] = a^2-N.

Use linear algebra mod 2 to find a square:

M = matrix(GF(2),len(F),len(P),lambda i,j:P[j] in F[i][0])
for K in M.left_kernel().basis():
    x = product([sqrt(f[2]+N) for f,k in zip(F,K) if k==1])
    y = sqrt(product([f[2] for f,k in zip(F,K) if k==1]))
    print([gcd(N,x - y),gcd(N,x + y)])
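A pure-Python version of the two QS slides above (the hand-worked N = 2759 and the systematic procedure), added here as an example and not the slides' Sage code: smooth_parity plays the role of the site's easyfactorizations, and an incremental GF(2) elimination replaces Sage's left_kernel. Trial division stands in for real sieving, so it is meant for small N only.

```python
import math


def smooth_parity(x, primes):
    """Trial-divide x over the factor base (what easyfactorizations does on the slide).
    Returns a bitmask with bit j set when primes[j] divides x to an odd power,
    or None when x does not factor completely over the base."""
    mask = 0
    for j, p in enumerate(primes):
        while x % p == 0:
            x //= p
            mask ^= 1 << j
        if x == 1:
            break
    return mask if x == 1 else None


def quadratic_sieve(N, base_bound=1000, sieve_length=500000):
    """Toy QS: trial-divides every a^2 - N instead of sieving and runs GF(2)
    elimination incrementally, using each dependency as soon as it appears.
    Returns a nontrivial factor of N, or None if none is found in the range."""
    primes = [p for p in range(2, base_bound) if all(p % d for d in range(2, math.isqrt(p) + 1))]
    rels = []      # (a, a^2 - N) for every smooth difference found so far
    pivots = {}    # leading bit -> (reduced parity mask, set of relation indices)
    a0 = math.isqrt(N) + 1
    for a in range(a0, a0 + sieve_length):
        v = a * a - N
        mask = smooth_parity(v, primes)
        if mask is None:
            continue
        rels.append((a, v))
        combo = {len(rels) - 1}
        while mask:                      # reduce against the pivot rows found so far
            lead = mask.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (mask, combo)
                break
            pmask, pcombo = pivots[lead]
            mask ^= pmask
            combo = combo ^ pcombo       # symmetric difference = row sum over GF(2)
        if mask:
            continue
        # combo indexes relations whose a^2 - N multiply to a perfect square y^2
        x = math.prod(rels[i][0] for i in combo) % N
        y = math.isqrt(math.prod(rels[i][1] for i in combo))
        for g in (math.gcd(N, x - y), math.gcd(N, x + y)):
            if 1 < g < N:                # x == +-y mod N yields only 1 or N: keep going
                return g
    return None
```

For N = 2759 with a factor base below 12 the first dependency is exactly the slide's 50 · 490 · 605, giving the factor 31; a difference that is itself a square (the Fermat case) is a one-relation dependency and is handled by the same code path.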