Analysis of Bernstein's factorization circuit

A.K. Lenstra; A. Shamir; J. Tomlinson; E. Tromer

doi:10.1007/3-540-36178-2_1

Analysis of Bernstein's factorization circuit

A.K. Lenstra, A. Shamir, J. Tomlinson, E. Tromer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

18 Citations (Scopus)

Abstract

In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure "construction cost x run time". We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing logarith, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.

Original language	English
Title of host publication	Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002)
Editors	Y. Zheng
Place of Publication	Berlin
Publisher	Springer
Pages	1-26
ISBN (Print)	3-540-00171-9
DOIs	https://doi.org/10.1007/3-540-36178-2_1
Publication status	Published - 2002

Publication series

Name	Lecture Notes in Computer Science
Volume	2501
ISSN (Print)	0302-9743

Access to Document

10.1007/3-540-36178-2_1

Cite this

Lenstra, A. K., Shamir, A., Tomlinson, J., & Tromer, E. (2002). Analysis of Bernstein's factorization circuit. In Y. Zheng (Ed.), Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002) (pp. 1-26). (Lecture Notes in Computer Science; Vol. 2501). Springer. https://doi.org/10.1007/3-540-36178-2_1

Lenstra, A.K. ; Shamir, A. ; Tomlinson, J. ; Tromer, E. / Analysis of Bernstein's factorization circuit. Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002). editor / Y. Zheng. Berlin : Springer, 2002. pp. 1-26 (Lecture Notes in Computer Science).

@inproceedings{5819297e017244098a4550b6abef92af,

title = "Analysis of Bernstein's factorization circuit",

abstract = "In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure {"}construction cost x run time{"}. We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing logarith, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.",

author = "A.K. Lenstra and A. Shamir and J. Tomlinson and E. Tromer",

year = "2002",

doi = "10.1007/3-540-36178-2_1",

language = "English",

isbn = "3-540-00171-9",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "1--26",

editor = "Y. Zheng",

booktitle = "Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002)",

address = "Germany",

}

Lenstra, AK, Shamir, A, Tomlinson, J & Tromer, E 2002, Analysis of Bernstein's factorization circuit. in Y Zheng (ed.), Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002). Lecture Notes in Computer Science, vol. 2501, Springer, Berlin, pp. 1-26. https://doi.org/10.1007/3-540-36178-2_1

Analysis of Bernstein's factorization circuit. / Lenstra, A.K.; Shamir, A.; Tomlinson, J.; Tromer, E.

Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002). ed. / Y. Zheng. Berlin : Springer, 2002. p. 1-26 (Lecture Notes in Computer Science; Vol. 2501).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Analysis of Bernstein's factorization circuit

AU - Lenstra, A.K.

AU - Shamir, A.

AU - Tomlinson, J.

AU - Tromer, E.

PY - 2002

Y1 - 2002

N2 - In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure "construction cost x run time". We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing logarith, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.

AB - In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the measure "construction cost x run time". We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing logarith, and show that for factorization of 1024-bit integers the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field sieve.

U2 - 10.1007/3-540-36178-2_1

DO - 10.1007/3-540-36178-2_1

M3 - Conference contribution

SN - 3-540-00171-9

T3 - Lecture Notes in Computer Science

SP - 1

EP - 26

BT - Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002)

A2 - Zheng, Y.

PB - Springer

CY - Berlin

ER -

Lenstra AK, Shamir A, Tomlinson J, Tromer E. Analysis of Bernstein's factorization circuit. In Zheng Y, editor, Advances in Cryptology - ASIACRYPT 2002 (Proceedings 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002). Berlin: Springer. 2002. p. 1-26. (Lecture Notes in Computer Science). https://doi.org/10.1007/3-540-36178-2_1

Analysis of Bernstein's factorization circuit

Abstract

Publication series

Access to Document

Fingerprint

Cite this