2008.3.11 Math department at NTNU 2
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
Historical Cipher
Gāius Jūlius Caesar (100 BC – 44 BC): a Roman military and political leader and one of the most influential men in world history. He played a critical role in the transformation of the Roman Republic into the Roman Empire.
Caesar Cipher Example (Recall: A = 0, B = 1, C = 2, …, Y = 24, Z = 25)
Plaintext: SPY (18 15 24)   Ciphertext: VSB (21 18 1)
Encryption: c = p + 3 mod 26   Decryption: p = c − 3 mod 26
Historical Cipher
Shift Cipher
Each letter we identify with a number: A = 0, B = 1, C = 2, …, Z = 25
The key k is a number in the range 0 ~ 25
Encryption is adding k onto each letter modulo 26
Julius Caesar used the key k = 3: HELLO becomes KHOOR
We break a Shift cipher by using the statistics of the underlying language
Historical Cipher
English Letter Frequencies
The most common bigrams are, in decreasing order: TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA
The most common trigrams are, in decreasing order: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR
Useful cryptanalysis rarely mentioned in books: conditional probability, e.g., which letter has the highest frequency right after the letter H?
Historical Cipher
Take the following example cipher text:
BPMZM WVKM EIA IV COTG LCKSTQVO
EQBP NMIBPMZA ITT ABCJJG IVL JZWEV
IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA
OMB WCB WIN BWEV
OMB WCB, OMB WCB , OMB WCB WIN BWEV
IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS
QV I NTCZZG WN MQL MZLWEV
BPIB XWWZ TQBBTM COTG LCKS TQVO
EMVB EIVLMZQVO NIZ IVL VMIZ
JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM
VWE OMB WCB, OMB WCB, OMB WCB WN PMZM
IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS
IVL I DMZG CVPIXXG BMIZ
We need to compare the frequency distribution of this text with standard English
Historical Cipher
[Letter-frequency histograms: underlying plain text vs. cipher text]
The shift of E seems to be either 4, 8, 17, 18 or 23
The shift of A seems to be either 1, 8, 12, 21 or 22
Historical Cipher
Hence the key is probably equal to 8
We can now decrypt the cipher text to reveal:
There once was an ugly duckling
With feathers all stubby and brown
And the other birds said in so many words
Get out of town
Get out, get out, get out of town
And he went with a quack and a waddle and a quack
In a flurry of eiderdown
That poor little ugly duckling
Went wandering far and near
But at every place they said to his face
Now get out, get out, get out of here
And he went with a quack and a waddle and a quack
And a very unhappy tear
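The frequency attack of the preceding slides carried out in Python, as an added example that is not part of the original slides: `candidate_shifts` lists the shifts implied by assuming E (or A) became one of the most frequent ciphertext letters, as the slide does, and `crack_shift` goes one step further and scores all 26 keys against a standard approximate English letter-frequency table with a chi-squared statistic. The ciphertext is the slide's own, joined onto fewer lines; the function names are assumptions made here.

```python
from collections import Counter

# Approximate English letter frequencies in percent (standard reference table).
ENGLISH_FREQ = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07]))

# The slide's ciphertext (key 8), joined onto fewer lines; it is the sample input here.
CIPHERTEXT = (
    "BPMZM WVKM EIA IV COTG LCKSTQVO EQBP NMIBPMZA ITT ABCJJG IVL JZWEV "
    "IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA OMB WCB WIN BWEV "
    "OMB WCB, OMB WCB, OMB WCB WIN BWEV "
    "IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS QV I NTCZZG WN MQL MZLWEV "
    "BPIB XWWZ TQBBTM COTG LCKS TQVO EMVB EIVLMZQVO NIZ IVL VMIZ "
    "JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM VWE OMB WCB, OMB WCB, OMB WCB WN PMZM "
    "IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS IVL I DMZG CVPIXXG BMIZ"
)

def decrypt(text, k):
    """Subtract k (mod 26) from every letter; other characters pass through."""
    return "".join(chr((ord(c) - 65 - k) % 26 + 65) if c.isalpha() else c
                   for c in text.upper())

def candidate_shifts(ciphertext, plain_letter, n=5):
    """Slide heuristic: if plain_letter became one of the n most frequent
    ciphertext letters, these are the shifts that would explain it."""
    counts = Counter(c for c in ciphertext.upper() if c.isalpha())
    return {(ord(c) - ord(plain_letter)) % 26 for c, _ in counts.most_common(n)}

def crack_shift(ciphertext):
    """Try all 26 keys; pick the one whose decryption is closest to English
    letter frequencies (chi-squared statistic, lower is better)."""
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    scores = {}
    for k in range(26):
        counts = Counter(decrypt(letters, k))
        scores[k] = sum((counts[l] - f * len(letters) / 100) ** 2 / (f * len(letters) / 100)
                        for l, f in ENGLISH_FREQ.items())
    return min(scores, key=scores.get)
```

The intersection of the E and A candidate sets is the slide's argument for key 8; the chi-squared score reaches the same key without the manual comparison.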
Basic principles of how a cryptosystem works
A cryptosystem consists of an algorithm together with all possible keys, plaintexts and ciphertexts
Its security rests on a secret key unknown to others, not on the algorithm
The algorithm is public, which makes it easier to define standards and interoperable applications
The two major types of cryptosystems
Traditional: Symmetric Key
Public-Key (1976~): Asymmetric Key
Traditional symmetric cryptosystem
[Diagram: Plaintext → Encrypt (symmetric key) → Ciphertext → Decrypt (same symmetric key) → Plaintext]
DES (Data Encryption Standard) – chip-based bank cards
AES (Advanced Encryption Standard)
Private Key and Public Key
Private Key → Public Key: easy to compute
Public Key → Private Key: very hard
This is achieved by mathematical tools
Public Key Cryptosystem
[Diagram: Plaintext → Encrypt (public key) → Ciphertext → Decrypt (private key) → Plaintext]
The most widely used PKC: RSA (Rivest – Shamir – Adleman, 1977)
A PKC receiving growing attention: ECC (Elliptic Curve Cryptosystem)
Digital Signature
[Diagram: Message → Sign (private key) → Signature → Verify (public key)]
* Confidentiality * Authentication * Integrity * Non-Repudiation
New Standard: AES
Standard FIPS-197 approved by NIST in 2001
Official scope is limited: the US Federal Administration will use AES as the Government standard from 26 May 2002, for documents that are “sensitive but not classified”
Significance is huge: the successor of DES
Block size: 128 bits (16 bytes)
Key length: 128/192/256 bits (16/24/32 bytes)
Strong algebraic structure
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
RSA
Key generation (RSA-1024)
Generate large primes p and q of at least 512 bits
Compute N = p q and φ(N) = φ(p) φ(q) = (p − 1)(q − 1)
Select random e with 1 < e < φ(N) and gcd(e, φ(N)) = 1
Using XGCD, compute the unique integer d with 1 < d < φ(N) and e d ≡ 1 (mod φ(N))
Public key: (N, e), which is published
Private key: (d, p, q), which is kept secret
Encryption & Decryption
Encryption: If Bob wants to encrypt a message for Alice, he does the following
Obtain Alice’s authentic public key (N, e)
Represent the message as a number 0 < x < N
Compute y = x^e mod N
Send the ciphertext y to Alice
Decryption: To recover x from y, Alice does the following
Use the private key d to recover x = y^d mod N
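The key generation, encryption and decryption steps of the last two slides in Python, as an added example that is not from the slides: `keygen` follows the slide exactly (N = p q, φ(N) = (p − 1)(q − 1), d from XGCD), while `is_probable_prime` (Miller-Rabin) and `random_prime` are helpers assumed here to stand in for "generate large primes". The textbook primes 61 and 53 with e = 17 are used in the test so the arithmetic can be checked by hand.

```python
import random

def xgcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def is_probable_prime(n, rounds=20):
    """Miller-Rabin test (assumed helper, not on the slide) used to pick p and q."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        # the base is a witness of compositeness unless x is +-1 or some
        # repeated square of x hits -1
        if x not in (1, n - 1) and not any(
                (x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def random_prime(bits):
    while True:  # RSA-1024 on the slide uses bits = 512 for each of p and q
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit, odd
        if is_probable_prime(n):
            return n

def keygen(p, q, e=65537):
    """Slide's steps: N = p q, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N) by XGCD."""
    N, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = xgcd(e, phi)
    if g != 1:
        raise ValueError("e must satisfy gcd(e, phi(N)) = 1")
    return (N, e), (s % phi, p, q)   # public key (N, e), private key (d, p, q)

def encrypt(pub, x):
    N, e = pub
    if not 0 < x < N:
        raise ValueError("represent the message as a number 0 < x < N")
    return pow(x, e, N)               # Bob computes y = x^e mod N

def decrypt(priv, y):
    d, p, q = priv
    return pow(y, d, p * q)           # Alice recovers x = y^d mod N
```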
Elliptic Curve y² = x³ + ax + b
[Figure: point addition] R is determined by the line passing through P and Q
Elliptic Curve y² = x³ + ax + b
[Figure: point doubling] R is determined by the tangent line if P = Q; the slope is derived by implicit differentiation
Discrete Logarithm Problem
On Z_p: Given a and g, find x such that g^x ≡ a (mod p)
On Elliptic Curve Groups: Given P and Q, find x such that xP = Q
Both are very hard computational problems, especially the latter, “ECDLP”
The security of RSA is based on the difficulty of large integer factoring
Congruent Squares
To factor N = p q, try to find integers x and y such that x² ≡ y² (mod N)
If x ≢ ±y (mod N), then gcd(x − y, N) and gcd(x + y, N) are non-trivial factors of N, since p q = N | (x² − y²) = (x + y)(x − y)
This idea from Fermat inspired the factoring methods of Continued Fraction, Quadratic Sieve, and Number Field Sieve
Integer Factoring Algorithms
Length of input = ⌊log₂ N⌋ + 1 ≈ log N
Trial Division complexity: $O(e^{(1/2)\log N})$
Quadratic Sieve (1980’s): $O(e^{(1+o(1))(\log N)^{1/2}(\log\log N)^{1/2}})$
Number Field Sieve (1990’s): $O(e^{((64/9)^{1/3}+o(1))(\log N)^{1/3}(\log\log N)^{2/3}})$
$L(s) = O(e^{c(\log N)^{s}(\log\log N)^{1-s}})$
s = 1: exponential time; 0 < s < 1: sub-exponential time; s = 0: polynomial time (Shor’s quantum algorithm)
RSA Challenge Numbers
RSA-640 Factored
RSA-640 Number
RSA-1024 Number
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
Smooth Numbers
F = { p1, p2, p3, …, pm } is a factor base consisting of prime numbers
A number is smooth over F if all of its prime factors are in F
We try to find smooth numbers r_i = p1^e1 p2^e2 p3^e3 … pm^em and record the e_i in the exponent vector
v_i = (e1, e2, e3, …, em)
Smooth Numbers
Assume we have enough smooth numbers, e.g. k smooth numbers with k > m
By linear algebra modulo 2, we can find a_i (= 0 or 1 for each i) such that
$\sum_i a_i v_i \equiv (0, 0, \ldots, 0) \pmod 2$
and then $\prod_i r_i^{a_i}$ becomes a square
Smooth Numbers
Example: F = { 2, 3, 5, 7 } is a factor base. Some smooth numbers over F:
r1 = 105 = 3·5·7, r2 = 140 = 2²·5·7,
r3 = 392 = 2³·7², r4 = 588 = 2²·3·7².
Corresponding exponent vectors:
v1 = (0, 1, 1, 1), v2 = (2, 0, 1, 1),
v3 = (3, 0, 0, 2), v4 = (2, 1, 0, 2).
Smooth Numbers
1·v1 + 1·v2 + 0·v3 + 1·v4 = (4, 2, 2, 4) ≡ (0, 0, 0, 0) (mod 2)
We get a square: r1 r2 r4 = 2⁴ 3² 5² 7⁴
Recall: The goal is to find x² ≡ y² (mod N)
The question then becomes finding many smooth numbers over a factor base F
Quadratic Sieve
To factor N, define g(x) = x² − N, where x is an integer between √N and √(2N)
Note that g : Z → Z_N preserves multiplication
We want to find enough smooth g(x_i)
p | g(x_i) implies p | g(x_i + p): if p | (x_i² − N), then
0 ≡ x_i² − N ≡ x_i² − N + 2p x_i + p² ≡ (x_i + p)² − N (mod p)
“Sieve” g(x_i) with every prime p in the factor base
Quadratic Sieve
Record g(x_i) in an array G for each x_i
If p | g(x_i), G[x_i] := G[x_i] + log p (integer addition for speed)
After sieving, check the smoothness of the g(x_i) whose G[x_i] ≥ chosen threshold
[Sieve table: rows g(m+71) … g(m+85); columns for the primes 2, 3, 5, 7 and the prime powers 4, 9]
Quadratic Sieve
Use linear algebra to find appropriate x_i’s such that ∏ g(x_i) = y²; then x = ∏ x_i satisfies
x² = ∏ x_i² ≡ ∏ g(x_i) = y² (mod N)
The problem of QS is that x² − N goes up quickly, hence the chance of smoothness decreases fast
Q: Can we find another algebraic structure with a homomorphism to Z_N?
A: The Number Field Q(α), with the number field sieve
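The smooth-number and quadratic-sieve slides above run end to end in Python, as an added example that is not the slides' code: relations g(x) = x² − N are collected by trial division over the factor base (standing in for the log-sieve array G), `gf2_dependencies` does the linear algebra modulo 2 with a history bitmask so the subset with all-even exponents can be read off, and the congruent squares are turned into gcd(x − y, N). The function names, the `width` parameter and the sample N in the test are assumptions made here; `gf2_dependencies` applied to the slide's {105, 140, 392, 588} returns the slide's subset r1 r2 r4.

```python
import math

def gf2_dependencies(vectors):
    """Gaussian elimination over GF(2) on exponent vectors (taken mod 2).
    Each row carries a history bitmask of the original rows XORed into it, so a
    row that cancels to zero names a subset whose exponent sum is all even."""
    pivots, deps = {}, []
    for i, v in enumerate(vectors):
        bits, hist = sum((e & 1) << j for j, e in enumerate(v)), 1 << i
        while bits and bits.bit_length() - 1 in pivots:
            pbits, phist = pivots[bits.bit_length() - 1]
            bits, hist = bits ^ pbits, hist ^ phist
        if bits:
            pivots[bits.bit_length() - 1] = (bits, hist)
        else:
            deps.append([k for k in range(len(vectors)) if hist >> k & 1])
    return deps

def smooth_factor(n, factor_base):
    """Trial-divide n over the factor base and return its exponent vector, or
    None if n is not smooth (this stands in for the slide's log-sieve)."""
    exps = []
    for p in factor_base:
        e = 0
        while n % p == 0:
            n, e = n // p, e + 1
        exps.append(e)
    return exps if n == 1 else None

def quadratic_sieve(N, factor_base, width=200):
    """Toy QS: collect smooth g(x) = x^2 - N for x just above sqrt(N), turn each
    GF(2) dependency into x^2 = y^2 (mod N) and try gcd(x - y, N)."""
    root = math.isqrt(N) + 1
    rels = [(x, v) for x in range(root, root + width)
            if (v := smooth_factor(x * x - N, factor_base)) is not None]
    for dep in gf2_dependencies([v for _, v in rels]):
        x, exps = 1, [0] * len(factor_base)
        for i in dep:
            x = x * rels[i][0] % N
            exps = [a + b for a, b in zip(exps, rels[i][1])]
        y = 1
        for p, e in zip(factor_base, exps):     # y = prod p^(e/2), all e even
            y = y * pow(p, e // 2, N) % N
        g = math.gcd(x - y, N)
        if 1 < g < N:                            # x != +-y (mod N): a factor
            return g, N // g
    return None                                  # need more relations or width
```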
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
SNFS and GNFS
Special Number Field Sieve (SNFS): numbers of nice algebraic form
Record: 2^1039 − 1 (the 1039th Mersenne number), 313 digits / 1039 bits, May 2007; “A Kilobit Special Number Field Sieve Factorization”, Asiacrypt 2007
General Number Field Sieve (GNFS): no known nice algebraic form
Record: RSA-200, 200 digits / 663 bits, 2005
Invention of SNFS
John Pollard had the interesting idea to factor the 7th Fermat number F7 = 2^(2^7) + 1 by doing very clever computations in the number field Q(α) = Q[x] / < x³ + 2 >
It was clear immediately that his idea could be used to factor any number of the form r^e ± s for small r and s
Invention of GNFS
Subsequently, many people contributed to making the basic algorithm work for integers without such a special form
General numbers can be factored with the same algorithm
The first step (polynomial selection) becomes much harder
The algorithm runs with much “worse” parameters than for numbers of special form
Polynomial Selection
Find an irreducible polynomial f(x) such that f(m) ≡ 0 (mod N)
We can write N in base m first:
N = c_d m^d + … + c_1 m + c_0
and take f(x) = c_d x^d + … + c_1 x + c_0
A lot of research and deep theory has been developed to make f(x) “better”
Number Field
Let α be a complex root of f(x); Q(α) is a finite field extension of Q
Q(α) is the number field associated to α
Q(α) can be viewed as a vector space over Q, with a basis {1, α, α², …, α^(d−1)}, where d is the degree of f(x)
[Q(α) : Q] = d
Ring Homomorphism
A map h: A → B is a homomorphism if h(x + y) = h(x) + h(y) and h(x y) = h(x) h(y) for all x, y ∈ A
Define a ring homomorphism φ: Z[α] → Z_N by φ(α) ≡ m (mod N)
φ is a homomorphism because f(α) = 0 and f(m) ≡ 0 (mod N)
φ(a − bα) ≡ a − bm (mod N)
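Polynomial selection and the homomorphism φ of the last three slides in Python, as an added example that is not from the slides: `base_m_polynomial` writes N in base m as on the Polynomial Selection slide, `mul_in_z_alpha` multiplies in Z[α] and reduces with f(α) = 0 (this toy reduction assumes a monic f), and `phi` sends α to m, so `is_homomorphic_on` checks φ(uv) ≡ φ(u)φ(v) (mod N). The test uses Pollard's SNFS setting for F7 with f(x) = x³ + 2 and m = 2^43, since f(m) = 2^129 + 2 = 2·F7; the function names are assumptions made here.

```python
def base_m_polynomial(N, m):
    """Polynomial selection as on the slide: write N in base m, so that
    f(x) = c_d x^d + ... + c_1 x + c_0 satisfies f(m) = N ≡ 0 (mod N).
    Coefficients are returned low degree first: [c_0, c_1, ..., c_d]."""
    coeffs = []
    while N:
        N, c = divmod(N, m)
        coeffs.append(c)
    return coeffs

def poly_eval(f, x, mod=None):
    """Horner evaluation of f (coefficients low degree first), optionally mod."""
    acc = 0
    for c in reversed(f):
        acc = acc * x + c
        if mod:
            acc %= mod
    return acc

def mul_in_z_alpha(u, v, f):
    """Multiply u, v in Z[alpha] (coefficient lists in alpha, low degree first)
    and reduce using f(alpha) = 0.  Assumes f is monic, so that
    alpha^d = -(c_{d-1} alpha^{d-1} + ... + c_0)."""
    d = len(f) - 1
    assert f[d] == 1, "this toy reduction needs a monic f"
    prod = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] += a * b
    for k in range(len(prod) - 1, d - 1, -1):   # eliminate alpha^k, k >= d
        lead, prod[k] = prod[k], 0
        for i in range(d):
            prod[k - d + i] -= lead * f[i]
    return (prod + [0] * d)[:d]

def phi(u, m, N):
    """The ring homomorphism phi: Z[alpha] -> Z_N that sends alpha to m."""
    return poly_eval(u, m, N)

def is_homomorphic_on(u, v, f, m, N):
    """Check phi(u v) == phi(u) phi(v) (mod N), the property the slide relies on."""
    return phi(mul_in_z_alpha(u, v, f), m, N) == phi(u, m, N) * phi(v, m, N) % N
```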
Squares in Both Sides
Suppose there is a set S consisting of relatively prime pairs (a, b) satisfying both:
$\prod_{(a,b)\in S} (a - b\alpha) = \beta^2$ for some $\beta \in \mathbb{Z}[\alpha]$ (which is called the algebraic side)
$\prod_{(a,b)\in S} (a - bm) = y^2$ for some $y \in \mathbb{Z}$ (which is called the rational side)
Squares in Both Sides
Let x = φ(β); then we have
x² = φ(β)² = φ(β²) = φ(∏ (a − bα)) ≡ ∏ (a − bm) = y² (mod N)
Therefore we factor N with probability ½
Four Major Steps
1. Polynomial Selection: Choose a polynomial f(x) with a root m (mod N) and good properties
2. Sieving: Find enough pairs (a, b) such that a − bm and a − bα are both smooth. Each smooth pair (a, b) is called a relation
Four Major Steps
3. Matrix Reduction: Form a very large matrix after finding and simplifying enough relations. Solve the system of linear equations to obtain the required set S such that
$\prod_{(a,b)\in S} (a - b\alpha) = \beta^2$ for some $\beta \in \mathbb{Z}[\alpha]$
$\prod_{(a,b)\in S} (a - bm) = y^2$ for some $y \in \mathbb{Z}$
Four Major Steps
4. Square Root: So far we have y² and β². Compute their square roots y and β. Recall: x = φ(β)
Many methods to compute √ in Z[α], but all of them are sophisticated
Finally we get the congruent squares x² ≡ y² (mod N)
Observations
Each step is very complicated algebraic number theory; large effort to implement
Sieving is the most time consuming
The sieving time can be reduced by selecting a good polynomial f(x), i.e. finding a better polynomial can speed up the Number Field Sieve
Outline
1. Basics in Cryptography
2. Public-Key Cryptosystems
3. Quadratic Sieve
4. Number Field Sieve
5. Factoring RSA-512
Open Source GGNFS
[Flow chart of the GGNFS pipeline: no polynomial file → pol51m0 → pol51opt; already have polynomial file → makefb → sieve (gnfs-lasieve4I) → procrels → enough FF? NO: keep sieving; YES: matbuild → matsolve → sqrt → Factored!]
Speakers who contributed to the NFS workshop:
1. Dr. 楊柏因 2. Dr. 黃柏嶧 3. 歐陽奕 (NTU Electrical Engineering)
4. 余守壹 (NTU Computer Science) 5. 陳嘉欣 (NTU Electrical Engineering)
6. 林志宏 (NTU Computer Science)
7. 王柏翰 (NTU Computer Science)
RSA-512 Factoring
1999: 300 PCs, workstations, and supercomputers; 6 months; 17 experts all over the world
2008: 2 supercomputers; 5 days!
Let’s play on the supercomputers at NTU …
Introduction to supercomputers: why does a supercomputer run fast?
One super-powerful CPU?? Of course not… Many ordinary CPUs, made to cooperate
Programs must be parallelized! Not just single thread
Program parallelization
Two major parallel models
MPI (Message Passing Interface): communicates over the network; communication is slow; many machines run together (a few hundred is OK!)
OpenMP (Open Multi-Processing): multi-thread; communication is fast; has a limit (on the p595 at most 64 CPUs can be used)
NTU Computer Center supercomputer - 1
SMP mainframe (Symmetric Multi-Processing): IBM p595; CPU: POWER5+ 1.9 GHz; 64 CPU cores; 256 GB memory; announced price 19.9 million
Simplified: one big computer, 64 CPUs, 256 GB RAM
NTU Computer Center supercomputer - 2
HP cluster, made up of 4 front-end and 106 back-end nodes; each back-end node: dual CPU with dual core (4 CPUs), 4 GB memory
The network uses a Voltaire 288 DDR switch; announced price 19.9 million
Simplified: 106 computers connected by a network
Strange… the price is the same… yet the CPU counts differ that much?
IBM p595: 64 CPUs; HP cluster: 106 × 4 = 424 CPUs
The two machines are completely different: p595: one big computer, 64 CPUs, 256 GB RAM; HP: 106 computers connected by a network
p595 strengths: 64 CPUs access the same memory
Very suitable for OpenMP acceleration (SMP mainframe)
Huge RAM, 256 GB: suitable for programs that need a lot of memory
Used by banks: account amounts must be synchronized and cannot be computed separately
p595 weaknesses: only 64 CPUs…
Cannot be sped up any further… it can run MPI programs, but has too few CPUs…
Individual CPUs are slow, only 1.9 GHz; a workstation might well run faster
HP cluster strengths / weaknesses: 424 cores
Ideal for MPI
The 106 computers have independent memory: very unsuitable for OpenMP
At most 4 threads; cannot use large amounts of memory
There is no all-purpose supercomputer; use a different machine depending on the need
OpenMP: the p595 is probably better. MPI: the HP cluster is probably better
Program parallelization
Very problem specific
Some problems are easy to parallelize: Sieve
Some problems are harder to parallelize, or parallelize only to a limited degree: Block Lanczos
Parallelizing Block Lanczos: an iterative algorithm
Each iteration depends on the previous one
Many small functions are called many times: MPI may lose out; use OpenMP
Just started using a new machine… the p595
Operating system: AIX 5.3; compiler: xlc
Ran into many problems… Makefile conventions differ, needed a major rework (two hours); an infinite loop…
xlc defaults char to unsigned char (one day)
Just started using a new machine…
Ran into many problems… malloc(0) returns NULL (one hour); the lattice sieve output was wrong… (one week)
Gave up… because the HP cluster became available!
Problems that are hard to guard against… read the compiler manual thoroughly first
Default parameters; optimization parameters
Thanks for Your Attention!