From - Wed Sep 15 15:49:10 1999 Received: from relay.aibusiness.net (cheetah.aibusiness.net [206.96.248.28]) by corinto.argo.es (8.9.3/8.9.3) with SMTP id QAA07699 for ; Sun, 29 Aug 1999 16:49:54 +0200 (MET DST) Received: (qmail 11868 invoked from network); 29 Aug 1999 14:49:00 -0000 Received: from chipsworld.llamas.net (mail@208.26.71.226) by relay.aibusiness.net with SMTP; 29 Aug 1999 14:49:00 -0000 Received: from localhost (mail@localhost) by chipsworld.llamas.net (8.9.2/8.9.3) with SMTP id KAA28746; Sun, 29 Aug 1999 10:48:52 -0400 (EDT) Received: by chipsworld.llamas.net (bulk_mailer v1.11); Sun, 29 Aug 1999 10:27:34 -0400 Received: (from majordomo@localhost) by chipsworld.llamas.net (8.9.2/8.9.3) id KAA26768 for rc5-outbound; Sun, 29 Aug 1999 10:27:33 -0400 (EDT) Received: from mailhub1.cuckoo.com (qmailr@wrangler.cuckoo.com [209.113.113.66]) by chipsworld.llamas.net (8.9.2/8.9.3) with SMTP id KAA26764 for ; Sun, 29 Aug 1999 10:27:30 -0400 (EDT) Received: (qmail 32661 invoked by uid 65534); 29 Aug 1999 14:27:29 -0000 Received: from mail3.svr.pol.co.uk (mail3.svr.pol.co.uk [195.92.193.19]) by chipsworld.llamas.net (8.9.2/8.9.3) with ESMTP id UAA08124 for ; Sat, 28 Aug 1999 20:18:25 -0400 (EDT) Received: from modem-118.vanadium.dialup.pol.co.uk ([62.136.11.118] helo=eris) by mail3.svr.pol.co.uk with smtp (Exim 2.12 #2) id 11Ksft-0008TG-00 for rc5@lists.distributed.net; Sun, 29 Aug 1999 01:18:22 +0100 X-Authentication-Warning: chipsworld.llamas.net: Processed from queue /var/spool/mqueue X-Authentication-Warning: chipsworld.llamas.net: Processed by mail with -C /etc/sendmail.mj.cf Message-ID: <003d01bef1b3$7974f2a0$4bb0fea9@eris> From: "ian bashford" To: rc5@lists.distributed.net Subject: RE: [RC5] Group Cracks 512-bit RSA Date: Sun, 29 Aug 1999 01:14:20 +0100 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-rc5@lists.distributed.net X-Loop: lists.distributed.net Reply-To: rc5@lists.distributed.net Precedence: bulk Content-Type: text/plain; charset="Windows-1252" Status: U X-Mozilla-Status: 8011 X-Mozilla-Status2: 00000000 X-UIDL: 0eb6d50c3704dfd2fc560486f73fda2f This is a brief explaination of how the 'code' was cracked. ------------------------------------------------------------- Factorization of a 512-bits RSA key using the Number Field Sieve ---------------------------------------------------------------- On August 22, 1999, we found that the 512-bits number RSA-155 = 1094173864157052742180970732204035761200373294544920599091384213147634\ 9984288934784717997257891267332497625752899781833797076537244027146743\ 531593354333897 can be written as the product of two 78-digit primes: 1026395928297411057720541965739916759007165678080380668033419335217907113077 79 * 1066034883801684548209272203600128786792079585759892915222706082371930628086 43 Primality of the factors was proved with the help of two different primality proving codes. An Appendix gives the prime decompositions of p +- 1. The number RSA-155 is taken from the RSA Challenge list (see http://www.rsa.com/rsalabs/html/factoring.html). This factorization was found using the Number Field Sieve (NFS) factoring algorithm, and beats the 140-digit record RSA-140 that was set on February 2, 1999, also with the help of NFS [RSA140]. The amount of computer time spent on this new factoring world record is estimated to be equivalent to 8000 mips years. For the old 140-digit NFS-record, this effort was estimated to be 2000 mips years. Extrapolation using the asymptotic complexity formula for NFS would predict approximately 14000 mips years for RSA-155. The gain is caused by an improved application of the polynomial search method used for RSA-140. For information about NFS, see [LL]. For additional information, implementations and previous large NFS factorizations, see [DL, E1, E2, GLM]. Polynomial selection -------------------- The following two polynomials F_1(x,y) = 11 93771 38320 x^5 - 80 16893 72849 97582 y *x^4 - 66269 85223 41185 74445 y^2*x^3 + 1 18168 48430 07952 18803 56852 y^3*x^2 + 745 96615 80071 78644 39197 43056 y^4*x - 40 67984 35423 62159 36191 37084 05064 y^5 F_2(x,y) = x - 3912 30797 21168 00077 13134 49081 y were selected with the help of a polynomial search method developed by Peter Montgomery (Microsoft Research, USA and CWI) and Brian Murphy (The Australian National University, Canberra), which was applied already to RSA-140, and now, even more successfully, to RSA-155. The polynomial F_1(x,y) was chosen to have a good combination of two properties: being unusually small over its sieving region and having unusually many roots modulo small primes (and prime powers). The effect of the second property alone gives F_1(x,y) a smoothness yield comparable to that of a polynomial chosen at random for an integer of 137 decimal digits. Measured in a different way: the pair (F_1, F_2) has a yield of relations approximately 13.5 times that of a random polynomial selection for RSA-155 (the corresponding figure for the polynomial selected for the RSA-140 factorisation is 8). The polynomial selection took approximately 100 MIPS years, which is equivalent to 0.40 CPU years on a 250 MHz SGI Origin 2000 processor (most of the searches were done on such processors). The original polynomial selection code was ported by Arjen Lenstra to use his multiple precision arithmetic package LIP. Brian Murphy, Peter Montgomery, Arjen Lenstra and Bruce Dodson ran the polynomial searches for RSA-155 with this code. The above polynomial emerged from Bruce Dodson's search. Calendar time for the polynomial selection was approximately nine weeks. The Sieving ----------- Sieving was done on about 160 175-400 MHz SGI and Sun workstations, on 8 300 MHz SGI Origin 2000 processors, on about 120 300-450 MHz Pentium II PCs, and on 4 500 MHz Digital/Compaq boxes. The total amount of CPU-time spent on sieving was 35.7 CPU years estimated to be equivalent to approximately 8000 mips years. Calendar time for sieving was 3 1/2 months. For the purpose of comparison, both lattice sieving and line sieving were used. Lattice sieving was introduced by Pollard [P] and the code used is based on the implementation described in [GLM, Cetal]. For the lattice sieve, a factor base bound of 16 777 216 (2^24) was chosen, both for the rational and for the algebraic side. Two large primes were allowed on both sides. Most of the line sieve was carried out with two large primes on both the rational and the algebraic side. The rational factor base consisted of the primes < 44 000 000 and the algebraic factor base of the primes < 110 000 000. Some line sieving allowed three large primes instead of two on the algebraic side. In that case the rational factor base consisted of the primes < 8 000 000 and the algebraic factor base of the primes < 25 000 000. For both sieves the large prime bound 1 000 000 000 was used both for the rational and for the algebraic primes. A total of 124 722 179 relations were generated, 71% of them with lattice sieving (L), 29% with line sieving (C). Among them, there were 39 187 441 duplicates, partially because of the simultaneous use of the two sievers. Sieving was done at eleven different locations with the following contributions: (L: using lattice sieving code from Arjen K. Lenstra C: using line sieving code from CWI) 20.1 % (3057 CPU days) Alec Muffett (L at Sun Microsystems Professional Services, Camberley, UK) 17.5 % (2092 CPU days) Paul Leyland (L,C at Microsoft, Cambridge, UK) 14.6 % (1819) Peter L. Montgomery, Stefania Cavallar (C,L at CWI, Amsterdam) 13.6 % (2222) Bruce Dodson (L,C at Lehigh University, Bethlehem, PA, USA) 13.0 % (1801) Francois Morain and Gerard Guillerm (L,C at Ecole Polytechnique, Palaiseau, France) 6.4 % (576) Joel Marchand (L,C at Ecole Polytechnique/CNRS, Palaiseau, France) 5.0 % (737) Arjen K. Lenstra (L at Citibank, Parsippany, NJ, USA and Univ. of Sydney, Australia) 4.5 % (252) Paul Zimmermann (C at Inria Lorraine and Loria, Nancy, France) 4.0 % (366) Jeff Gilchrist (L at Entrust Technologies Ltd., Ottawa, Canada) 0.65 % (62) Karen Aardal (L at Utrecht University, The Netherlands) 0.56 % (47) Chris and Craig Putnam (L at ?) Calendar time for the sieving was 3.7 months. The relations were collected at CWI and required 3.7 Gbytes of disk space. ^^^ Filtering and linear algebra ---------------------------- The filtering of the data and the building of the matrix were carried out at CWI and took one month. The resulting matrix had 6 699 191 rows, 6 711 336 columns, and weight 417 132 631 (62.27 nonzeros per row). With the help of Peter Montgomery's Cray implementation of the blocked Lanczos algorithm (cf. [M95]) it took 224 CPU hours and 2 Gbytes of central memory on the Cray C916 at the SARA Amsterdam Academic Computer Center to find 64 dependencies among the rows of this matrix. Calendar time for this job was 9 1/2 days. Square root ----------- On August 20-21, 1999, four different square root (cf. [M93]) jobs were started in parallel on four different 300 MHz processors of CWI's SGI Origin 2000, each handling one dependency. One job found the factorisation after 39.4 CPU-hours, the other three jobs found the trivial factorization after 38.3, 41.9, and 61.6 CPU-hours (different CPU times are due to the use of different parameters in the four jobs). Ian Bashford ---------------------------------------------------------------------------- ------------------------- ian.bashford@eris23.freeserve.co.uk public key : ldap://certserver.pgp.com 0xEB2E6440 - DH 0x5FA959C9 - RSA ---------------------------------------------------------------------------- ------------------------- "Worrying is meditation carried out by realists" -- To unsubscribe, send 'unsubscribe rc5' to majordomo@lists.distributed.net rc5-digest subscribers replace rc5 with rc5-digest