Hyperelliptic org Hyperelliptic org

							       Actual and proposed
special purpose hardware devices
     for integer factorization
       (a historical perspective)


            Arjen K. Lenstra
       Lucent Technologies’ Bell Labs
Integer factorization

Given a composite n, find a non-trivial factor of n

     Example: given n = 15, find 3 or 5


Why?

   • until 1977: mostly for recreational purposes
   • since then, a somewhat better excuse:
       to figure out secure RSA key sizes
Special purpose hardware for
     integer factorization
Why?

• Before the 1950s: no choice
• 1950 - 1970s: access to computers too limited
• Later: computers believed to be too general or too slow
• Now:
   • software approaches stuck at around 600-bit integers
   • like to find out how hard factoring 1024-bit integers would be
Actual and proposed special purpose
    hardware devices for integer factorization
Actual and proposed special purpose
    hardware devices for integer factorization
• 1919, Carissan: Machine à Congruences
• 1930s, Lehmer: Bicycle Chain Sieve,
    Photo-Electric Number Sieve, and Movie Film Sieve
• 1970s, Smith/Wagstaff: Georgia Cracker
• 1980s, Pomerance/Smith/Tuler: Quasimodo
Actual and proposed special purpose
    hardware devices for integer factorization
• 1919, Carissan: Machine à Congruences
• 1930s, Lehmer: Bicycle Chain Sieve,
    Photo-Electric Number Sieve, and Movie Film Sieve
• 1970s, Smith/Wagstaff: Georgia Cracker
• 1980s, Pomerance/Smith/Tuler: Quasimodo

• 1999, Shamir: Twinkle
• 2002, Bernstein: Factoring Circuits
• 2003, Shamir/Tromer: Twirl
• 2004, Geiselmann/Steindwandt: YASD
• 2005, Franke/Kleinjung/Paar/Pelzl/Priplata/Stahlke: SHARK
(and several other matrix step proposals)
The early machines (Carissan, Lehmer)

To factor n, try to solve n = x2  y2 = (x + y)(x  y):
   look for x = i + [n] such that x2  n is a square (y2):

   • for a small set of small primes p:
       • manually find the x’s for which
            x2  n modulo p is a square
       • mark those x’s on a ‘wheel’ with p positions
   • turn all wheels simultaneously (i = 0,1,2,…) until there is
        a set of conditions (one per wheel) that ‘lines up’
   • hope that it leads to the desired solution y
   • if there is a solution, it will show up, but it may take a while
Carissan’s Machine à Congruences




• 14 concentric brass rings with p  59 studs per ring
• conditions ‘x2  n square mod p’ represented by caps on studs
• a cap under the arm triggers a switch
• 14 switches in series: alarm sounds if all 14 switches triggered
Some results
• primality proof of 708 158 977 in 10 minutes (of manual cranking)
• factorization, in 18 minutes:
    7 141 075 053 842 = 2  841 249  4 244 329

• around 1920: the only prototype disappeared in a drawer,
       not to be seen again until March 1992
• see: Jeff Shallit, Hugh Williams, François Morain,
       Discovery of a lost factoring machine,
       Mathematical Intelligencer 17 (1995) 41-47
Lehmer’s Bicycle Chain Sieve




• cruder (but faster: motorized!) version of same idea
• found that
    9 999 000 099 990 001 = 1 676 321  5 964 848 081
 Lehmer’s Photo-Electric Number Sieve




• ‘condition’ corresponds to a hole in a sprocket-wheel
• if holes line up: a (weak) light beam passes through, caught by
     photo-electric detector (‘the fair Rebecca’) & stops the machine
     (unless nearby ham radio operator was active)
• much faster than Carissan’s machine
Some results
• factorization, in 12 seconds:
    279  1 = 2 687  202 029 703  1 113 491 139 767
• factors of 293 + 1 , in ‘a few’ seconds:
    529 510 939 and 2 903 110 321

• see: D.N. Lehmer,
       Hunting big game in the theory of numbers,
       Scripta Mathematica 1 (1932-33) 229-235
       D.H. Lehmer,
       A photo-electric number sieve,
       Amer. Math. Monthly 40 (1933) 401-406
The later machines
All based on the 1970s Morrison-Brillhart approach:
to factor n, try to solve x2  y2 mod n as follows


1. Collect set V of integers v with v2  pP pe(v,p) mod n
   for some fixed set P and |V| > |P|
    Relation collection step ‘hard’ : Georgia Cracker, Quasimodo
                                 Twinkle, Twirl, YASD, SHARK
2. Find |V|  |P| linear dependencies mod 2 among the
   |P|-dimensional vectors (e(v,p))vV
     Matrix step    ‘easy’ : Factoring Circuits

3. Each dependency leads to pair x, y with x2  y2 mod n
   and thus to a chance to factor n by computing gcd(n, x  y)
The Georgia Cracker
• special purpose hardware to collect relations
  using CFRAC (continued fraction factoring method)
• no striking or particularly interesting features (no picture either)

• used to factor numbers from Cunningham tables,
  largest: a 62-digit factor of 3204 + 1, January 1986
• sitting on a shelf in Jeff Smith’s office:
  ‘it could be working again <1wk’
Quasimodo
• stands for Quadratic Sieve Motor
• special purpose hardware to collect relations
  using QS (quadratic sieve factoring method)
• interesting pipelined architecture
• supposedly very fast, when it was designed
• no longer so when it was actually built
• never properly debugged, never used to factor anything
• parts of only existing prototype used for other purposes
• never seen it, no pictures, unclear what survives, if anything
Intermezzo
Since the late 1980s:
• PCs become ubiquitous
• computing power for relation collection step can
  relatively easily be ‘arranged’
• as a result:
    • special purpose devices no longer worth the trouble,
      unless they offer something new or special
      (or lead to interesting funding possibilities)
    • relation collection step easiest
      (just sit back and relax until done, progress can be monitored)
    • matrix more cumbersome
      (get your hands on a big machine, worry about bits)
 Twinkle, 1999
• The first special purpose hardware factoring device since
  internet factoring became popular
• stands for The Weizmann INstitute Key Locating Engine
• special purpose optical sieving device to collect
  relations using QS or NFS (number field sieve)
• short history:
    • spring 1999: wild claims in press that
        512-bit RSA moduli can be broken very quickly
    • May 1999: Twinkle announced at EC99 rumpsession
    • August 1999: 512-bit RSA actually broken
        (but not using Twinkle)
    • May 2000: Twinkle buried at EC2000
Regular sieving
• initialize s[i] = 0 for all i in some large interval I
• for all p  P:
    • compute starting point rp
    • for all rp + kp  I with k  Z:
         replace s[rp + kp ] by s[rp + kp ] + logp
• further process all i  I for which s[i] is large enough

sieve s represented by space       sieve represented by time
                           Twinkle:
p  P processed in time            p  P processed in space

                          (just like Carissan and the Lehmer sieves)
Twinkle sieving
1. Build a wafer with for all p  P:
   • a cell with:
       • a counter c starting at 0
       • a register a containing rp, the starting point for p
       • an LED of strength proportional to logp
2. Put a photo-electric cell opposite the wafer

for i = 0, 1, 2, … in succession:
   • on all cells simultaneously:
        • if c = a: flash the LED and replace a by a + p
        • replace c by c + 1
     ( for cell p, light of intensity logp flashes at i = rp + kp)
   • if light intensity at photo-electric cell strong enough:
        many p’s flash at i, thus further process i
Analysis of Twinkle
• for 384-bit QS factorization: not clearly infeasible

• for anything interesting (such as, back then, 512-bit moduli):
    • wafer too large to be practical         multi-wafer designs
    • wafer may melt (part of audience did) run it at lower speed
    • processing of reports too expensive           add hardware

• idea in the mean time abandoned
• except for a rather crude prototype, device never built
Factoring circuits, 2002
At least two interesting aspects:
1. Claim that 3d-digit integers can be factored
   at the cost of d-digit integers using old method
2. A new method to do the matrix step

Influential, because:
• It caused confusion (almost panic), thus got a lot of attention
•   Triggered lots of new activity in this field
    (possibly even culminating in the present workshop)
•   Pushed a new, better cost function: time  equipment cost
Matrix step
Find dependency mod 2 among columns of sparse A:
  compute Aiv for some vector v and 1  i  m = dim(A)
  (plus additional fiddling around)
Traditional:
• Matrix-by-vector multiply in time w(A) = O(m)
• Repeat m times: total time O(m2)       }full cost O(m3)
   But: needs O(m) memory
Bernstein’s sorting method (or Shamir/Tromer routing variant):
• Store matrix in square mesh of  w(A) = O(m) processors
• Matrix-by-vector multiply in time O(m½) on mesh
• m times: total time O(m1½) (but O(m2½) operations)
                    full cost O(m2½)
Matrix step hardware proposals and claims
This workshop, and earlier:
   • several mesh proposals
   • systolic architecture(s)

Results and claims for 1024-bit moduli
   • strongly depend on dimension and density of the matrix
   • results of mostly speculative nature
   • matrix step still seems not as hard as relation collection
   • known: factor bases sizes that will most likely work
   • no real clue yet about dimension and density of the matrix
Relation collection in the NFS
A common version of the problem:
• integer m, polynomial f of degree d, smoothness bounds B1, B2
• find many coprime integers a and b > 0 such that
      |a  mb| is B1-smooth and |bdf(a/b)| is B2-smooth
Software approaches:
• line sieving: for b = 1, 2, … in succession process line of a’s
• special q: for many q’s, look at a,b with q | bdf(a/b):
     • do line sieving in index q sublattice (insane but common)
     • do lattice sieving as suggested by
         • Pollard’s ancient paper (not so bad)
         • Franke and Kleinjung’s SHARCS paper (looks promising)
• combine with or replace by non-sieving methods such as
      elliptic curve factoring or FFT&gcd based
Special purpose hardware to collect relations
My limited understanding of the situation (as of Feb 23):
• TWIRL: line siever (or KF lattice siever?) with ‘priority queues’,
      ‘challenging’ pipelined design
           1024-bit in about 1M$yr
• YASD: traditional liner siever,
      mesh based, no inter-chip connects,
           6.3 times slower than TWIRL
• SHARK: KF lattice siever with special cofactor hardware,
      modular, realizable ASIC design
           1024-bit in < 200M$yr
• ECCITY: replace all sieving by Elliptic Curve Factoring,
      ‘fills entire country with multicomputers, each of which
           has the size of a major city’ (at break-even point)
Putting 1-200M$yr into context
SHA-1 random collision attack:
• fewer than 269 SHA-1 applications
• SHA-1 application takes fewer than 900 cycles
• playstation 3 VGA card (16 vector 4.5GHz PE’s) costs US$50
• attacking SHA-1 on a single COTS card takes 2K centuries
     Attacking SHA-1 costs 10M$yr
       • same ballpark as 1024-bit RSA
       • same cards: crack DES in a day for about 200K
       • SHA1 attack cost: down from 20B$yr a few weeks ago…
       • at least a factor 200 gap between
            1024-bit RSA and 80-bit security
       • what about running ECM on those cards?
Conclusion
• design and evaluation of current special purpose hardware
  factoring devices still mostly in the mud slinging phase
• listen to the talks here and make up your own mind
• my pessimistic guesses:
   • none of the currently proposed devices will collect relations
     for an actual 1024-bit factorization anytime soon
   • special purpose factoring hardware will not have
     much impact on the security of RSA moduli until
     quantum computers are built
 (I hope I will be proved wrong)