Abstract
In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure "construction cost × run time". We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing algorithm, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.
References
D.J. Bernstein, Circuits for integer factorization: a proposal, manuscript, November 2001; available at http://cr.yp.to/papers.html#nfscircuit
D.J. Bernstein, Circuits for integer factorization, web page, July 2002; http://cr.yp.to/nfscircuit.html
S. Cavallar, B. Dodson, A.K. Lenstra, W. Lioen, P.L. Montgomery, B. Murphy, H.J.J. te Riele, et al., Factorization of a 512-bit RSA modulus, Proceedings Eurocrypt 2000, LNCS 1807, Springer-Verlag 2000, 1–17
D. Coppersmith, Modifications to the number field sieve, Journal of Cryptology 6 (1993) 169–180
D. Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, Math. Comp. 62 (1994) 333–350
B. Dixon, A.K. Lenstra, Factoring integers using SIMD sieves, Proceedings Eurocrypt 1993, LNCS 765, Springer-Verlag 1994, 28–39
M. D. Grammatikakis, D. F. Hsu, M. Kraetzl, J. F. Sibeyn, Packet routing in fixed-connection networks: a survey, Journal of Parallel and Distributed Computing, 54(2):77–132, Nov. 1998
D. Ierardi, 2d-Bubblesorting in average time O(NlgN), Proceedings 6th ACM symposium on Parallel algorithms and architectures, 1994
A.K. Lenstra, Unbelievable security; matching AES security using public key systems, Proceedings Asiacrypt 2001, LNCS 2248, Springer-Verlag 2001, 67–86
A.K. Lenstra, H.W. Lenstra, Jr., Algorithms in number theory, chapter 12 in Handbook of theoretical computer science, Volume A, algorithms and complexity (J. van Leeuwen, ed.), Elsevier, Amsterdam (1990)
A.K. Lenstra, H.W. Lenstra, Jr., (eds.), The development of the number field sieve, Lecture Notes in Math. 1554, Springer-Verlag 1993
A.K. Lenstra, E.R. Verheul, Selecting cryptographic key sizes, J. of Cryptology, 14 (2001) 255–293; available at http://www.cryptosavvy.com
P.L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Proceedings Eurocrypt’95, LNCS 925, Springer-Verlag 1995, 106–120
NIST, Key management guideline-workshop document, Draft, October 2001; available at http://csrc.nist.gov/encryption/kms
R.D. Silverman, A cost-based security analysis of symmetric and asymmetric key lengths, Bulletin 13, RSA laboratories, 2000; available at http://www.rsasecurity.com/rsalabs/bulletins/index.html
C.P. Schnorr, A. Shamir, An Optimal Sorting Algorithm for Mesh Connected Computers, Proceedings 16th ACM Symposium on Theory of Computing, 255–263, 1986
G. Villard, Further analysis of Coppersmith’s block Wiedemann algorithm for the solution of sparse linear systems (extended abstract), Proceedings 1997 International Symposium on Symbolic and Algebraic Computation, ACM Press, 32–39, 1997
D. Wiedemann, Solving sparse linear equations over finite fields, IEEE Transactions on Information Theory, IT-32 (1986), 54–62
M.J. Wiener, The full cost of cryptanalytic attacks, accepted for publication in J. of Cryptology
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Lenstra, A.K., Shamir, A., Tomlinson, J., Tromer, E. (2002). Analysis of Bernstein's Factorization Circuit. In: Zheng, Y. (ed.) Advances in Cryptology — ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36178-2_1
DOI: https://doi.org/10.1007/3-540-36178-2_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00171-3
Online ISBN: 978-3-540-36178-7