From - Wed Sep 15 15:49:10 1999
Received: from relay.aibusiness.net (cheetah.aibusiness.net [206.96.248.28])
by corinto.argo.es (8.9.3/8.9.3) with SMTP id QAA07699
for ; Sun, 29 Aug 1999 16:49:54 +0200 (MET DST)
Received: (qmail 11868 invoked from network); 29 Aug 1999 14:49:00 -0000
Received: from chipsworld.llamas.net (mail@208.26.71.226)
by relay.aibusiness.net with SMTP; 29 Aug 1999 14:49:00 -0000
Received: from localhost (mail@localhost)
by chipsworld.llamas.net (8.9.2/8.9.3) with SMTP id KAA28746;
Sun, 29 Aug 1999 10:48:52 -0400 (EDT)
Received: by chipsworld.llamas.net (bulk_mailer v1.11); Sun, 29 Aug 1999 10:27:34 -0400
Received: (from majordomo@localhost)
by chipsworld.llamas.net (8.9.2/8.9.3) id KAA26768
for rc5-outbound; Sun, 29 Aug 1999 10:27:33 -0400 (EDT)
Received: from mailhub1.cuckoo.com (qmailr@wrangler.cuckoo.com [209.113.113.66])
by chipsworld.llamas.net (8.9.2/8.9.3) with SMTP id KAA26764
for ; Sun, 29 Aug 1999 10:27:30 -0400 (EDT)
Received: (qmail 32661 invoked by uid 65534); 29 Aug 1999 14:27:29 -0000
Received: from mail3.svr.pol.co.uk (mail3.svr.pol.co.uk [195.92.193.19])
by chipsworld.llamas.net (8.9.2/8.9.3) with ESMTP id UAA08124
for ; Sat, 28 Aug 1999 20:18:25 -0400 (EDT)
Received: from modem-118.vanadium.dialup.pol.co.uk ([62.136.11.118] helo=eris)
by mail3.svr.pol.co.uk with smtp (Exim 2.12 #2)
id 11Ksft-0008TG-00
for rc5@lists.distributed.net; Sun, 29 Aug 1999 01:18:22 +0100
X-Authentication-Warning: chipsworld.llamas.net: Processed from queue /var/spool/mqueue
X-Authentication-Warning: chipsworld.llamas.net: Processed by mail with -C /etc/sendmail.mj.cf
Message-ID: <003d01bef1b3$7974f2a0$4bb0fea9@eris>
From: "ian bashford"
To: rc5@lists.distributed.net
Subject: RE: [RC5] Group Cracks 512-bit RSA
Date: Sun, 29 Aug 1999 01:14:20 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-rc5@lists.distributed.net
X-Loop: lists.distributed.net
Reply-To: rc5@lists.distributed.net
Precedence: bulk
Content-Type: text/plain;
charset="Windows-1252"
Status: U
X-Mozilla-Status: 8011
X-Mozilla-Status2: 00000000
X-UIDL: 0eb6d50c3704dfd2fc560486f73fda2f
This is a brief explaination of how the 'code' was cracked.
-------------------------------------------------------------
Factorization of a 512-bits RSA key using the Number Field Sieve
----------------------------------------------------------------
On August 22, 1999, we found that the 512-bits number
RSA-155 =
1094173864157052742180970732204035761200373294544920599091384213147634\
9984288934784717997257891267332497625752899781833797076537244027146743\
531593354333897
can be written as the product of two 78-digit primes:
1026395928297411057720541965739916759007165678080380668033419335217907113077
79
*
1066034883801684548209272203600128786792079585759892915222706082371930628086
43
Primality of the factors was proved with the help of two different primality
proving codes. An Appendix gives the prime decompositions of p +- 1.
The number RSA-155 is taken from the RSA Challenge list
(see http://www.rsa.com/rsalabs/html/factoring.html).
This factorization was found using the Number Field Sieve (NFS) factoring
algorithm, and beats the 140-digit record RSA-140 that was set on
February 2, 1999, also with the help of NFS [RSA140].
The amount of computer time spent on this new factoring world record is
estimated to be equivalent to 8000 mips years.
For the old 140-digit NFS-record, this effort was estimated to be
2000 mips years. Extrapolation using the asymptotic complexity formula
for NFS would predict approximately 14000 mips years for RSA-155. The gain
is caused by an improved application of the polynomial search method used
for RSA-140.
For information about NFS, see [LL]. For additional information,
implementations and previous large NFS factorizations, see [DL, E1, E2,
GLM].
Polynomial selection
--------------------
The following two polynomials
F_1(x,y) = 11 93771 38320 x^5
- 80 16893 72849 97582 y *x^4
- 66269 85223 41185 74445 y^2*x^3
+ 1 18168 48430 07952 18803 56852 y^3*x^2
+ 745 96615 80071 78644 39197 43056 y^4*x
- 40 67984 35423 62159 36191 37084 05064 y^5
F_2(x,y) = x - 3912 30797 21168 00077 13134 49081 y
were selected with the help of a polynomial search method developed by
Peter Montgomery (Microsoft Research, USA and CWI) and Brian Murphy
(The Australian National University, Canberra), which was applied already
to RSA-140, and now, even more successfully, to RSA-155.
The polynomial F_1(x,y) was chosen to have a good combination of
two properties: being unusually small over its sieving region and
having unusually many roots modulo small primes (and prime powers).
The effect of the second property alone gives F_1(x,y) a smoothness
yield comparable to that of a polynomial chosen at random for an
integer of 137 decimal digits.
Measured in a different way: the pair (F_1, F_2) has a yield of relations
approximately 13.5 times that of a random polynomial selection for
RSA-155 (the corresponding figure for the polynomial selected for the
RSA-140 factorisation is 8).
The polynomial selection took approximately 100 MIPS years,
which is equivalent to 0.40 CPU years on a 250 MHz SGI Origin 2000
processor (most of the searches were done on such processors).
The original polynomial selection code was ported by Arjen Lenstra
to use his multiple precision arithmetic package LIP.
Brian Murphy, Peter Montgomery, Arjen Lenstra and Bruce Dodson
ran the polynomial searches for RSA-155 with this code. The above
polynomial emerged from Bruce Dodson's search.
Calendar time for the polynomial selection was approximately nine
weeks.
The Sieving
-----------
Sieving was done on about 160 175-400 MHz SGI and Sun workstations,
on 8 300 MHz SGI Origin 2000 processors, on about 120 300-450 MHz
Pentium II PCs, and on 4 500 MHz Digital/Compaq boxes.
The total amount of CPU-time spent on sieving was 35.7 CPU years
estimated to be equivalent to approximately 8000 mips years.
Calendar time for sieving was 3 1/2 months.
For the purpose of comparison, both lattice sieving and line sieving were
used.
Lattice sieving was introduced by Pollard [P] and the code used is based
on the implementation described in [GLM, Cetal].
For the lattice sieve, a factor base bound of 16 777 216 (2^24) was chosen,
both for the rational and for the algebraic side. Two large primes were
allowed on both sides.
Most of the line sieve was carried out with two large primes on both the
rational and the algebraic side. The rational factor base consisted of the
primes < 44 000 000 and the algebraic factor base of the primes < 110 000
000.
Some line sieving allowed three large primes instead of two on the algebraic
side. In that case the rational factor base consisted of the primes < 8 000
000
and the algebraic factor base of the primes < 25 000 000.
For both sieves the large prime bound 1 000 000 000 was used both
for the rational and for the algebraic primes.
A total of 124 722 179 relations were generated, 71% of them with lattice
sieving (L), 29% with line sieving (C). Among them, there were 39 187 441
duplicates, partially because of the simultaneous use of the two sievers.
Sieving was done at eleven different locations with the following
contributions:
(L: using lattice sieving code from Arjen K. Lenstra
C: using line sieving code from CWI)
20.1 % (3057 CPU days) Alec Muffett (L at Sun Microsystems Professional
Services, Camberley, UK)
17.5 % (2092 CPU days) Paul Leyland (L,C at Microsoft, Cambridge, UK)
14.6 % (1819) Peter L. Montgomery, Stefania Cavallar (C,L at CWI, Amsterdam)
13.6 % (2222) Bruce Dodson (L,C at Lehigh University, Bethlehem, PA, USA)
13.0 % (1801) Francois Morain and Gerard Guillerm
(L,C at Ecole Polytechnique, Palaiseau, France)
6.4 % (576) Joel Marchand (L,C at Ecole Polytechnique/CNRS, Palaiseau,
France)
5.0 % (737) Arjen K. Lenstra (L at Citibank, Parsippany, NJ, USA
and Univ. of Sydney, Australia)
4.5 % (252) Paul Zimmermann (C at Inria Lorraine and Loria, Nancy, France)
4.0 % (366) Jeff Gilchrist (L at Entrust Technologies Ltd., Ottawa,
Canada)
0.65 % (62) Karen Aardal (L at Utrecht University, The Netherlands)
0.56 % (47) Chris and Craig Putnam (L at ?)
Calendar time for the sieving was 3.7 months.
The relations were collected at CWI and required 3.7 Gbytes of disk space.
^^^
Filtering and linear algebra
----------------------------
The filtering of the data and the building of the matrix were carried out
at CWI and took one month.
The resulting matrix had 6 699 191 rows, 6 711 336 columns, and weight
417 132 631 (62.27 nonzeros per row).
With the help of Peter Montgomery's Cray implementation of the blocked
Lanczos algorithm (cf. [M95]) it took 224 CPU hours and 2 Gbytes of central
memory on the Cray C916 at the SARA Amsterdam Academic Computer Center to
find
64 dependencies among the rows of this matrix.
Calendar time for this job was 9 1/2 days.
Square root
-----------
On August 20-21, 1999, four different square root (cf. [M93]) jobs were
started in parallel on four different 300 MHz processors of CWI's SGI Origin
2000, each handling one dependency.
One job found the factorisation after 39.4 CPU-hours, the other three jobs
found the trivial factorization after 38.3, 41.9, and 61.6 CPU-hours
(different
CPU times are due to the use of different parameters in the four jobs).
Ian Bashford
----------------------------------------------------------------------------
-------------------------
ian.bashford@eris23.freeserve.co.uk
public key : ldap://certserver.pgp.com
0xEB2E6440 - DH
0x5FA959C9 - RSA
----------------------------------------------------------------------------
-------------------------
"Worrying is meditation carried out by realists"
--
To unsubscribe, send 'unsubscribe rc5' to majordomo@lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest