The MASM Forum Archive 2004 to 2012

RSA algorithm's security is dependend on the fact the there is no fast way to find the divisors of a number
N=pq , when p,q are primes.
I wish to know what fast means? Does it mean that there is no polynomial algorithm to do that?

realcr.

The fastest algorithm I am aware of is NFS (number field seive).

There are other algorithms that search an extremely large number range
that could be written in MASM but would have to start the search very
near a factor or the number for the function that leads to a factor.

The big integer routines that a few people in the forum have been writing
or one of your own, could be used to implement the simpler of the algorithms.

Trial division using integer numbers that are half the bit length of the RSA.
Using integer division or mod (mod result 0 means a factor is found).

Difference of two integer squares, one of the square roots of the integer squares
is half the bit length the other could be much shorter.
Using addition(optimized) or multiplication(unoptimed) and square root.

I have done both in ubasic and may recode them in MASM to see how fast they could get,
and if just the right starting point is picked, factor a RSA number. :U

Quote from: realcr on March 26, 2005, 06:58:55 PM
RSA algorithm's security is dependend on the fact the there is no fast way to find the divisors of a number
N=pq , when p,q are primes.
I wish to know what fast means? Does it mean that there is no polynomial algorithm to do that?

realcr.

It is polynomial, but even so it is too slow to factorise, say the 1024bit RSA number. I think it would take years to factorise the 1024bit RSA number using the current fastest alogrithm and hardware, but don't take my word, since I am not yet a mathematican.

'Fast' just means 'within a reasonable amount of time.'
What you choose reasonable to mean depends on the context.

A number seive is a reasonable method for finding primes (remove all multiples of 2,3,5,7,11,...(upto square-root of highest number required) -- whatever remain are primes.) But it's a general method. There are special methods that go a lot faster for special types of primes (Mersenne Primes: 2^n-1)

There are also faster general statistical methods which 'assure' that a number is prime after 'enough' tests (the more tests, the more sure you can be that it is prime; but it's not a definite test)

To see what 'fast' really means, see http://www.rsasecurity.com/rsalabs/challenges/factoring/
(576-bits has been factored)

An unoptimized direct translation of ubasic/pascal code of the Difference of two squares factoring
of a tiny (64 bit) RSA type number.

n   = RSA type number
srt = sqrt(n)

bsrt = srt+1  initially
bs   = bsrt*bsrt
while not done
  ls    = bs - n
  lsrt  = sqrt(ls)
  if ls isn't integer square
    bsrt++
  else
    done

lsrt is the integer sqrt of ls
bf = bsrt + lsrt
lf  = bsrt  - lsrt

[attachment deleted by admin]

I am working on this problem as we speak. RSA and factorization in general is a little easier than previously suspected. I am programming my custom sieve which I expect will be able to factor numbers faster than the number field sieve. It should also be fast enough to be able to prove primality faster than other primality methods. Right now I'm stuck on large integer multiplication, division, and square root taking(Anyone know how to do FFT multiplication?). Once I have those the rest of the program will be somewhat easy and high level. I'm not going to divulge the method just yet as I understand there is money at stake.  :dance:

I dont know exactly how this things work, but I like this things ;).

Quote from: aaustin on March 30, 2005, 11:02:30 PM
I am working on this problem as we speak. RSA and factorization in general is a little easier than previously suspected. I am programming my custom sieve which I expect will be able to factor numbers faster than the number field sieve. It should also be fast enough to be able to prove primality faster than other primality methods. Right now I'm stuck on large integer multiplication, division, and square root taking(Anyone know how to do FFT multiplication?). Once I have those the rest of the program will be somewhat easy and high level. I'm not going to divulge the method just yet as I understand there is money at stake.  :dance:

  GRIN  So why should we "help" you if money is at stake? ;)

  I've got fast code for all 3 of your slow operations.

The RSA problem is take a large integer number of various bit lengths, 1024 bit for example.
It is the product (multiplication) of two prime numbers (positive integers with only 1 and itself as factors)
each (exactly ?) half the bit length of the RSA number.

The issue is given the RSA what are the two factors.

For example  
35 = 5 * 7
100011 = 101 * 111

Austin if you want to prototype your algorithm (and verify that it works) before
implementing it in assembly, you can use the free  ubasic which has all the math operations
you mentioned and handles numbers 2600 digits long, it has a 32 bit version, it is written in assembly
language and is fairly efficient (some factoring algorithms have been written with it and are available).

I'm probably wrong here, but since any alorithm can be implemented in hardware, then in theory, if you wrote a factoring algorithm that would take years to execute in software and implemented it as a circuit, wouldn't it instantly return an answer?

Hard wiring a factoring algorithm will only make it some factor faster; say for instance, 100 to 1000 times faster. Since even the number field sieve would take 2^70 iterations on a single computer, this device would not necessarily be fast enough to factor the number in a reasonable amount of time.

What do you mean by reasonable?  Obviously, you won't be able to do it fast enough to jeapordize the security of RSA, but if you could do it in a couple of years, it would certainly be worth it to get that cash prize.

I think the key to factorising would to be figure out a even better algorithm (faster in general) than say number sieve factorising. Actually I am pretty much interested in this topic, but I have hit a dead end on figuring out a faster algorithm.

New algorithms along with faster hardware are what has greatly reduced factoring time.

The NFS replaced the QS, quadratic sieve. 
Distributed networks of x GHZ PC's with 100s of MB of RAM have replaced Cray supercomputers.

Quote from: Robert Bieber on April 04, 2005, 11:54:09 AM
What do you mean by reasonable?  Obviously, you won't be able to do it fast enough to jeapordize the security of RSA, but if you could do it in a couple of years, it would certainly be worth it to get that cash prize.

By reasonable, even a year or so would be reasonable. I quoted 2^70 iterations already using the GNFS. It would take several million computers a few hundred years to complete.

I've been working with the Quadratic Residue Sieve. It turns out that it's perfect for RSA numbers. If optimized, it should be able to factor an RSA number on a single PC in less than a year. It does require quite a lot of memory though. I'm writing my library to use 256MB.

Well I wish you luck, but 2^70 operations seems very small to me. Surely you'd be dealing with 2^200+ operations at least?

If you can really do it in a reasonable amount of time, just spend some money, get the most powerful beast of a computer you can, and then start solving the challenge numbers. 

I dont understand how these big numbers are used in encryption or why finding the two numbers which were multiplied together would 'crack' the encryption. Two prime numbers, 7907 and 7919, multiplied is 62,615,533. Now say I used the 62,615,533 in my encryption, how would knowing it was made from 7907 and 7919 help me beat the encryption?

BTW, if there was a formula to generate prime numbers exceptionally fast, would that help crack the RSA's encryption?

Quote from: Eóin on April 09, 2005, 02:21:09 PM
Well I wish you luck, but 2^70 operations seems very small to me. Surely you'd be dealing with 2^200+ operations at least?

2^70 iterations is actually very high. 2^200 would be a virtual impossibility even if all supercomputers in the world were used for millions of years. A single NFS iteration takes about 7 seconds on my 2.4GHz P4 with 640MB of RAM varying with number size. Even if 2^24 or 16 million computers were used, it would still take 7*2^46 seconds, which is many people's lifetimes.

Quote from: kunt0r on April 10, 2005, 12:48:28 AM
I dont understand how these big numbers are used in encryption or why finding the two numbers which were multiplied together would 'crack' the encryption. Two prime numbers, 7907 and 7919, multiplied is 62,615,533. Now say I used the 62,615,533 in my encryption, how would knowing it was made from 7907 and 7919 help me beat the encryption?

BTW, if there was a formula to generate prime numbers exceptionally fast, would that help crack the RSA's encryption?

It's not as simple as combining two prime numbers together. However, the strength of the algorithm relies on the fact that it is difficult to factor two very large numbers. A prime Generation formula will not affect the speed of factoring numbers except at very small sizes. For the large numbers that are used by RSA, you need a really fast algorithm for factoring numbers into their prime components. Supposedly this has not yet been discovered yet, so it is reasonable to assume it cannot be done. I don't believe this to be true which is why I'm working on a better sieve.

kunt0r, Basically it comes from  the math behind RSA.

A public key consists of two number e and m say. m is the product of our two large distinct primes, call them p and q. So we have m = pq.

Now a private key also consists of two numbers d and m. There are special conditions on  e and d but assuming they're satisfied we can implement RSA encryption as follows.

• Convert our plain text into a number, t.
• Calculate c = t^e mod m.
  This is our cipher number. It can be converted back into giberish text for the purposes of transmitting
• On the recieving end we do c^d mod m = t and get the plain text version back.

Why this works is too complicated to get into here, but the important thing is that if someone intercepts a message encrypted with e and m they can only decrypt if they know d.

The potential achilles heel of RSA is that there is a formula for calculating d, specificially d = e^-1 mod (p-1)(q-1).

So if someone figures out a way of factoring m into p and q then they'll be able to work out d from what they know in the public key and decrypt any message.

aaustin, out of interest what size number are you aiming to factor?

Ah it makes sense now, thanks.

Quote from: Eóin on April 10, 2005, 01:23:56 PM
aaustin, out of interest what size number are you aiming to factor?

I have no idea yet. I'm still working on the logistics of the sieve. Hopefully pretty large numbers, RSA size. I'm trying to simplify it as much as possible before I make it.

Quote from: Robert Bieber on April 02, 2005, 12:34:17 AM
I'm probably wrong here, but since any alorithm can be implemented in hardware, then in theory, if you wrote a factoring algorithm that would take years to execute in software and implemented it as a circuit, wouldn't it instantly return an answer?

You are right, but it would be practically impossible. Also, it would not be instant, because electricity travels "only" at 300,000,000 metres/second

Hmm, how impossible is practically impossible.  It would be pretty cool if the government could build such a device so as to be able to instantly decrypt RSA encrypted messages with just a public key.

You would have to custom-build your own silicon chip. Notice how the only people who do this are the people who then sell millions of these chips at relatively high prices - and so the design and manufacturing process is very expensive (several billion?). The only body who could make such a chip would be the government but I don't think the people would like the government to spend the taxpayers money on infringing the taxpayers' privacy.

To answer the original question, factoring is an NP class problem.

Quote from: AeroASM on April 23, 2005, 06:42:54 AM
You would have to custom-build your own silicon chip. Notice how the only people who do this are the people who then sell millions of these chips at relatively high prices - and so the design and manufacturing process is very expensive (several billion?). The only body who could make such a chip would be the government but I don't think the people would like the government to spend the taxpayers money on infringing the taxpayers' privacy.

Well, there's always the "black" part of the budget  :eek

One of the RSA challenges RSA-200 (a 200 digit integer) was factored a few days ago.

The older ones were named by length of the number in digits, the newer by length in bits.

It wasn't for a prize, but to demonstrate what resources are needed to factor
a hard number of that size.
The prize numbers are still unfactored, except the smallest.
Also most of the non prize numbers remain unfactored.

Used GNFS, started sieving end December 2003 finished October 2004,
started matrix step December 2004.

Estimated 55 Opteron 2.2 years for the lattice sieving.
Used a cluster of 80 Opteron 2.2 three months for the matrix step.

One of the effects of the challenges is get people to optimize existing
algorithms and to come up with new ones,
so start thinking,  one of the earlier challenges RSA-129, when it was isssued
it was thought it would take 40 quadrillion years, it was factored in 1994 in 8 months,
17 years after the challenge was issued because of a new algorithm MPQS along with
advances in processing speed.

Interesting subject. One of my motiivations for learning MASM is to optimize a C++ arbitrary-length integer class I wrote as part of a BS capstone project. The project itself is a parallel system for factoring. Right now there are a dozen or so P4 machines busy working on RSA-640, although the odds of actually finding the factors any time soon are exceedingly slim, since the agorithm employed is a modified form of Fermat's method.

To understand the two algorithms that are currently the fastest, the Quadratic Sieve and the Number Field Sieve, requires quite a bit of math background, more than I had going in, for sure. I suspect I won't comprehend all the nuances until after taking a graduate course in Number Theory. One reason that both algorithms are so useful is that they are almost perfectly parallelizable, so are eminently suitable for distribution to thousands of clients over the internet. They still run in sub-exponential time, however. To date, no polynomial time factoring algorithm exists. (At least not publicly--with the NSA being the largest employer of mathematicians in the U.S., you never know.)

If, however, as aaustin wrote, "RSA and factorization in general is a little easier than previously suspected," then we will no doubt see your successful factoring of the RSA challenge numbers in the next few months. ;-)

Since factoring is a problem I will be delving into further in grad school, I'll definitely keep up with the posts here.

Quote from: Posit on May 14, 2005, 08:06:31 PM
Interesting subject. One of my motiivations for learning MASM is to optimize a C++ arbitrary-length integer class I wrote as part of a BS capstone project. The project itself is a parallel system for factoring. Right now there are a dozen or so P4 machines busy working on RSA-640, although the odds of actually finding the factors any time soon are exceedingly slim, since the agorithm employed is a modified form of Fermat's method.

To understand the two algorithms that are currently the fastest, the Quadratic Sieve and the Number Field Sieve, requires quite a bit of math background, more than I had going in, for sure. I suspect I won't comprehend all the nuances until after taking a graduate course in Number Theory. One reason that both algorithms are so useful is that they are almost perfectly parallelizable, so are eminently suitable for distribution to thousands of clients over the internet. They still run in sub-exponential time, however. To date, no polynomial time factoring algorithm exists. (At least not publicly--with the NSA being the largest employer of mathematicians in the U.S., you never know.)

If, however, as aaustin wrote, "RSA and factorization in general is a little easier than previously suspected," then we will no doubt see your successful factoring of the RSA challenge numbers in the next few months. ;-)

Since factoring is a problem I will be delving into further in grad school, I'll definitely keep up with the posts here.

I'm still working on the optimized large integer math routines. I haven't even started the factoring algorithm as I don't really have much time for programming. Neither NFS nor MPQS is good for numbers of RSA size so they're not really worth learning. NFS in particular is bad because it requires primorials, which are slow to calculate or require lots of memory. It also requires extensive prime testing (which is a pain in the neck) and GNFS is actually flawed in extreme cases. I'm designing QRSeive specifically to not use lots of constant data (only temporary data) in the hopes it won't need virtual memory disk space.

Austin, have you tried your algorithm with 64-bit numbers to verify it works ?
It is much easier to work with values of that size for testing, much faster,
smaller memory requirements then scaling up to larger numbers once it's functional.

Posit, with assembly you may be able to get the entire program to reside in the CPU cache.
There have been multiple threads on optimizing, sometimes resulting in order of magnitude
speed increases from the original compiled code. Some from pairing instructions, some from
using SIMD instructions : MMX, 3DNOW, SSE, SSE2, and some by better encoding
and alignment of data.