Analysis of Bernstein's Factorization Circuit

In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure "construction cost × run time". We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing algorithm, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.

[1]  Michael J. Wiener. The Full Cost of Cryptanalytic Attacks, 2003, Journal of Cryptology.

[2]  Peter L. Montgomery, et al. A Block Lanczos Algorithm for Finding Dependencies Over GF(2), 1995, EUROCRYPT.

[3]  A. K. Lenstra, et al. The Development of the Number Field Sieve, 1993.

[4]  D. Coppersmith. Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, 1994.

[5]  Adi Shamir, et al. An optimal sorting algorithm for mesh connected computers, 1986, STOC '86.

[6]  Doug Ierardi. 2d-bubblesorting in average time O(√N lg N)*, 1994, SPAA '94.

[7]  Don Coppersmith. Modifications to the Number Field Sieve, 2004, Journal of Cryptology.

[8]  Gilles Villard, et al. Further analysis of Coppersmith's block Wiedemann algorithm for the solution of sparse linear systems (extended abstract), 1997, ISSAC.

[9]  Arjen K. Lenstra, et al. Selecting Cryptographic Key Sizes, 2000, Public Key Cryptography.

[10]  Douglas H. Wiedemann. Solving sparse linear equations over finite fields, 1986, IEEE Trans. Inf. Theory.

[11]  Jeff Gilchrist, et al. Factorization of a 512-Bit RSA Modulus, 2000, EUROCRYPT.

[12]  Arjen K. Lenstra, et al. Algorithms in Number Theory, 1991, Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity.

[13]  Robert D. Silverman. A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths, RSA Labs bulletin, 2000.

[14]  Daniel J. Bernstein, et al. Circuits for Integer Factorization: A Proposal, 2001.

[15]  Arjen K. Lenstra, et al. Unbelievable Security. Matching AES Security Using Public Key Systems, 2001, ASIACRYPT.

[16]  Miltos D. Grammatikakis, et al. Packet Routing in Fixed-Connection Networks: A Survey, 1998, J. Parallel Distributed Comput.

[17]  Arjen K. Lenstra, et al. Factoring Integers Using SIMD Sieves, 1994, EUROCRYPT.