Advertisement

Scalable Hardware for Sparse Systems of Linear Equations, with Applications to Integer Factorization

  • Willi Geiselmann
  • Adi Shamir
  • Rainer Steinwandt
  • Eran Tromer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3659)

Abstract

Motivated by the goal of factoring large integers using the Number Field Sieve, several special-purpose hardware designs have been recently proposed for solving large sparse systems of linear equations over finite fields using Wiedemann’s algorithm. However, in the context of factoring large (1024-bit) integers, these proposals were marginally practical due to the complexity of a wafer-scale design, or alternatively the difficulty of connecting smaller chips by a huge number of extremely fast interconnects.

In this paper we suggest a new special-purpose hardware device for the (block) Wiedemann algorithm, based on a pipelined systolic architecture reminiscent of the TWIRL device. The new architecture offers simpler chip layout and interconnections, improved efficiency, reduced cost, easy testability and greater flexibility in using the same hardware to solve sparse problems of widely varying sizes and densities. Our analysis indicates that standard fab technologies can be used in practice to carry out the linear algebra step of factoring 1024-bit RSA keys.

As part of our design but also of independent interest, we describe a new error-detection scheme adaptable to any implementation of Wiedemann’s algorithm. The new scheme can be used to detect computational errors with probability arbitrarily close to 1 and at negligible cost.

Keywords

Factorization number field sieve sparse systems of linear equations 

References

  1. 1.
    Shamir, A.: Factoring Large Numbers with the TWINKLE Device. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 2–12. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  2. 2.
    Lenstra, A.K., Shamir, A.: Analysis and Optimization of the TWINKLE Factoring Device. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 35–52. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Geiselmann, W., Steinwandt, R.: A Dedicated Sieving Hardware. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 254–266. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Shamir, A., Tromer, E.: Factoring Large Numbers with the TWIRL Device. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 1–26. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Geiselmann, W., Steinwandt, R.: Yet Another Sieving Device. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 278–291. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Franke, J., Kleinjung, T., Paar, C., Pelzl, J., Priplata, C., Stahlke, C.: SHARK - A Realizable Special Hardware Sieving Device for Factoring 1024-bit Integers. In: SHARCS 2005 (2005)Google Scholar
  7. 7.
    Franke, J., Kleinjung, T., Paar, C., Pelzl, J., Priplata, C., Simka, M., Stahlke, C.: An Efficient Hardware Architecture for Factoring Integers with the Elliptic Curve Method. In: SHARCS 2005 (2005)Google Scholar
  8. 8.
    Bernstein, D.J.: Circuits for Integer Factorization: a Proposal. At the time of writing available electronically (2001), http://cr.yp.to/papers/nfscircuit.pdf
  9. 9.
    Lenstra, A.K., Shamir, A., Tomlinson, J., Tromer, E.: Analysis of Bernstein’s Factorization Circuit. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 1–26. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Geiselmann, W., Steinwandt, R.: Hardware for Solving Sparse Systems of Linear Equations over GF(2). In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 51–61. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Geiselmann, W., Köpfer, H., Steinwandt, R., Tromer, E.: Improved Routing-Based Linear Algebra for the Number Field Sieve. In: Proceedings of ITCC 2005 – Track on Embedded Cryptographic Systems, pp. 636–641. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  12. 12.
    Frey, G.: A First Step Towards Computations in Brauer Groups and Applications to data Security. Invited talk at WARTACRYPT 2004 (2004)Google Scholar
  13. 13.
    Frey, G.: On the Relation between Brauer Groups and Discrete Logarithms (2004) (unpublished manuscript)Google Scholar
  14. 14.
    Pomerance, C.: A Tale of Two Sieves. Notices of the ACM, 1473–1485 (1996)Google Scholar
  15. 15.
    Lenstra, A.K., Hendrik, W., Lenstra, J. (eds.): The development of the number field sieve. Lecture Notes in Mathematics, vol. 1554. Springer, Heidelberg (1993)MATHGoogle Scholar
  16. 16.
    Coppersmith, D.: Solving Homogeneous Linear Equations over GF(2) via Block Wiedemann Algorithm. Mathematics of Computation 62, 333–350 (1994)MATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Villard, G.: Further analysis of Coppersmith’s block Wiedemann algorithm for the solution of sparse linear systems. In: International Symposium on Symbolic and Algebraic Computation — ISAAC 1997, pp. 32–39. ACM, New York (1997)CrossRefGoogle Scholar
  18. 18.
    Cavallar, S., Dodson, B., Lenstra, A., Lioen, W., Montgomery, P., Murphy, B., te Riele, H., et al.: Factorization of a 512-bit RSA modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–17. Springer, Heidelberg (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Willi Geiselmann
    • 1
  • Adi Shamir
    • 2
  • Rainer Steinwandt
    • 1
    • 3
  • Eran Tromer
    • 2
  1. 1.IAKS, Arbeitsgruppe Systemsicherheit, Prof. Dr. Th. Beth, Fakultät für InformatikUniversität KarlsruheKarlsruheGermany
  2. 2.Department of Computer Science and Applied MathematicsWeizmann Institute of ScienceRehovotIsrael
  3. 3.On leave to Department of Mathematical SciencesFlorida Atlantic UniversityBoca RatonUSA

Personalised recommendations