
This section summarizes Reference [12].

The security of the many public-key cryptographic primitives that rely on the difficulty of the integer factoring problem is evaluated from the running time of the general number field sieve (GNFS). Recently, methods that use dedicated hardware to run GNFS more efficiently have been proposed (see [3, 12]). References [11, 16, 18] had already proposed using dedicated hardware for integer factoring, but [3] claims superiority over those earlier studies.

The heavy computation in GNFS divides into the "relation collection step" and the "matrix step". In [3], a dedicated-hardware approach to both steps is proposed; for the matrix step in particular, a specific improvement based on a certain sorting algorithm is described, and the applicability of a routing algorithm to the matrix step is also mentioned. Building on this, [12] proposed specific dedicated hardware based on routing for this step.
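To make the two steps concrete, here is an added toy example in Python; it is not code from the CRYPTREC report nor from [3] or [12]. It performs a tiny relation collection step and then a matrix step by Gaussian elimination over GF(2), using Dixon's random-squares method rather than the number field sieve, and dense elimination rather than the sparse block-Lanczos/Wiedemann solvers a real GNFS matrix step needs. The modulus N = 8051 = 83 × 97, the factor base of the first six primes and all helper names are constructed for illustration.

```python
"""Toy 'relation collection step' + 'matrix step' (added illustration).

Not code from the CRYPTREC report or from [3]/[12]. Dixon's method stands
in for the number field sieve and dense GF(2) elimination stands in for a
sparse-matrix solver, so it only runs on constructed, tiny moduli.
"""
from math import gcd, isqrt


def smallest_primes(count):
    """Factor base: the first `count` primes (trial division is fine here)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


def factor_over_base(value, base):
    """Exponent vector of `value` over `base`, or None if it is not smooth."""
    exps = [0] * len(base)
    for i, p in enumerate(base):
        while value % p == 0:
            value //= p
            exps[i] += 1
    return exps if value == 1 else None


def collect_relations(n, base, needed):
    """Relation collection step: pairs (x, e) with x^2 mod n = prod base[i]^e[i]."""
    relations = []
    x = isqrt(n) + 1
    while len(relations) < needed:
        exps = factor_over_base(x * x % n, base)
        if exps is not None:
            relations.append((x, exps))
        x += 1
    return relations


def gf2_dependencies(rows):
    """Matrix step: bitmasks of row subsets whose exponent vectors sum to 0 mod 2.

    Each row is reduced against the pivots found so far (its lowest set bit
    is the pivot column) while a second bitmask records which original rows
    were combined; a row that reduces to zero is a linear dependency.
    """
    pivots = {}          # pivot column bit -> (reduced row bits, combination mask)
    dependencies = []
    for idx, exps in enumerate(rows):
        bits = sum((e & 1) << i for i, e in enumerate(exps))
        combo = 1 << idx
        while bits:
            col = bits & -bits
            if col not in pivots:
                pivots[col] = (bits, combo)
                break
            pivot_bits, pivot_combo = pivots[col]
            bits ^= pivot_bits
            combo ^= pivot_combo
        if bits == 0:
            dependencies.append(combo)
    return dependencies


def dixon_factor(n, base_size=6, extra=1):
    """Turn each dependency into x^2 = y^2 (mod n) and try gcd(x -/+ y, n)."""
    base = smallest_primes(base_size)
    relations = collect_relations(n, base, len(base) + extra)
    for combo in gf2_dependencies([exps for _, exps in relations]):
        x = 1
        total = [0] * len(base)
        for i, (xi, exps) in enumerate(relations):
            if combo >> i & 1:
                x = x * xi % n
                total = [a + b for a, b in zip(total, exps)]
        y = 1
        for p, e in zip(base, total):      # every e is even by construction
            y = y * pow(p, e // 2, n) % n
        for candidate in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < candidate < n:
                return candidate
    return None


if __name__ == "__main__":
    print(dixon_factor(8051))   # constructed modulus 83 * 97
```

The split mirrors the one the text describes: `collect_relations` is the part that dominates in practice (and, per [12], is what 1024-bit RSA security rests on), while `gf2_dependencies` is the matrix step whose cost the circuit proposals attack. On a real GNFS run the matrix is sparse and has millions of rows, which is exactly why dense elimination is replaced by hardware-friendly sparse solvers.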

94 Chapter 2 Evaluation of Public-key Cryptographic Techniques

In [3] and [12], the effectiveness of dedicated hardware for the matrix step was estimated under the measure "throughput cost" (construction cost × run time) required for GNFS. As claimed in [12], it is appropriate to estimate asymptotically that the throughput cost for factoring 1.17n-bit composite numbers by the standard GNFS is equivalent to the throughput cost for factoring n-bit composite numbers by the circuit-based GNFS.

Although the use of throughput cost as a measure may deserve further discussion, the estimation results show that the approaches in [3] and [12] are reasonable.

In [12], the authors propose a method to realize more compact hardware than the dedicated hardware of [3], and claim that the matrix step for a 1024-bit composite number can be completed within a few hours using dedicated hardware costing approximately US$5,000 (excluding the cost of the mask). However, they note that this evaluation rests on an "optimistic" assumption: the size of the sparse matrix (the "small matrix") assumed for the estimate is the value obtained when the asymptotic throughput cost function is optimized. This point must be kept in mind when considering an actual GNFS run on 1024-bit composite numbers.

Furthermore, in [12] the matrix size for 1024-bit composite numbers (the "large matrix") was estimated by applying the standard asymptotic function to the actual matrix size in [6], the successful GNFS factorization of a 512-bit composite number, and the actual throughput cost was estimated in the same way. Since the relation collection step is at present the bottleneck of GNFS as a whole, these estimated values appear to be the significant criteria (for details, see [12]).

Of course, technical difficulties remain in realizing the dedicated hardware described in [12]. Compared with quantum computers, however, the feasibility of this dedicated hardware seems higher at present. [12] notes that the security of 1024-bit RSA relies exclusively on the hardness of the relation collection step of GNFS, and that 1024-bit RSA was still secure at that point in time.

As a related study, [8] was presented.

References

[1] M. Agrawal, N. Kayal, N. Saxena, "PRIMES is in P," August 2002. http://www.cse.iitk.ac.in/news/primality.pdf

[2] F. Bahr, J. Franke, T. Kleinjung, "Factorization of 158-digit cofactor of 2^953+1," January 21, 2002. http://www.crypto-world.com/announcements/c158.txt

[3] D.J. Bernstein, "Circuits for integer factorization: a proposal," preprint, available at http://cr.yp.to/papers.html#nfscircuit

[4] D. Boneh, G. Durfee, N. Howgrave-Graham, "Factoring N = prq for large r," Proc. Crypto'99, LNCS 1666, Springer-Verlag, pp.326–337, 1999.

[5] R. P. Brent, "Recent progress and prospects for integer factorisation algorithms," Proc. COCOON 2000, LNCS 1858, Springer-Verlag, pp.3–22, 2000.

[6] S. Cavallar, B. Dodson, A.K. Lenstra, W. Lioen, P.L. Montgomery, B. Murphy, H.J.J. te Riele, et al., "Factorization of a 512-bit RSA modulus," Proc. Eurocrypt 2000, LNCS 1807, Springer-Verlag, pp.1–17, 2000.

[7] D. Coppersmith, "Modifications to the number field sieve," J. Cryptology, vol.6, pp.169–180, 1993.


[8] W. Geiselmann, R. Steinwandt, "A Dedicated Sieving Hardware," to appear in Proc. PKC 2003.

[9] H. W. Lenstra, Jr., "Factoring integers with elliptic curves," Annals of Mathematics, vol.126, pp.649–673, 1987.

[10] A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse, J. M. Pollard, "The number field sieve," Proc. 22nd STOC, pp.564–572, 1990.

[11] A.K. Lenstra, A. Shamir, "Analysis and optimization of the TWINKLE factoring device," Proc. Eurocrypt 2000, LNCS 1807, Springer-Verlag, pp.35–52, 2000.

[12] A.K. Lenstra, A. Shamir, J. Tomlinson, E. Tromer, "Analysis of Bernstein's Factorization Circuit," Proc. Asiacrypt 2002, LNCS 2501, Springer-Verlag, pp.1–26, 2002.

[13] A. K. Lenstra, E. Verheul, "Selecting cryptographic key sizes," Proc. PKC 2000, LNCS 1751, Springer-Verlag, pp.446–465, 2000.

[14] The ECMNET Project, http://www.loria.fr/~zimmerma/records/ecmnet.html

[15] E. Okamoto, R. Peralta, "Faster factoring of integers of a special form," IEICE Trans. Fundamentals, vol.E79-A, pp.489–493, 1996.

[16] C. Pomerance, J. W. Smith, R. Tuler, "A pipeline architecture for factoring large integers with the quadratic sieve algorithm," SIAM Journal on Computing, vol.17, pp.387–403, 1988.

[17] RSA Security Inc, "Has the RSA algorithm been compromised as a result of Bernstein's Paper?" April 8, 2002. http://www.rsasecurity.com/rsalabs/technotes/bernstein.html

[18] A. Shamir, "Factoring large numbers with the TWINKLE device," Cryptographic Hardware and Embedded Systems (CHES '99), LNCS 1717, Springer-Verlag, pp.2–12, 1999.

[19] A. Shamir, "Factoring large numbers with the TWIRL device," presented at Asiacrypt 2002 Rump Session, December 3, 2002.

[20] A. Shamir, E. Tromer, "Factoring large numbers with the TWIRL device (preliminary draft)," preliminary draft available at http://www.wisdom.weizmann.ac.il/~tromer/

[21] P. W. Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM J. Computing, vol.26, no.5, pp.1484–1509, 1997.

[22] L. M. K. Vandersypen, M. Steffen, G. Breyta, C. S. Yannoni, M. H. Sherwood, I. L. Chuang, "Experimental realization of Shor's quantum factoring algorithm using nuclear magnetic resonance," Nature, Vol.414, pp.883–887, 20/27 December 2001.

2.4.2 Discrete logarithm problem

CRYPTREC conducted a full evaluation of the current status of the discrete logarithm problem (hereafter abbreviated to DLP) in order to evaluate in detail cryptographic schemes whose primitives' security is based on the difficulty of the DLP in a finite group. Based on the evaluation results, this section summarizes the typical attack algorithms, the key sizes considered practically secure, and their prospects. Matters that may affect the difficulty of the problem itself are described at the end of the section.
