Factorization of a 768-bit RSA modulus
, 2010
Cited by 21 (6 self)
This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.
ECM on Graphics Cards
Cited by 13 (4 self)
Abstract. This paper reports record-setting performance for the elliptic-curve method of integer factorization: for example, 604.99 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers on a single PC. The state-of-the-art GMP-ECM software handles 171.42 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers using all four cores of a 2.4 GHz Core 2 Quad Q6600. The extra speed takes advantage of extra hardware, specifically two NVIDIA GTX 280 graphics cards, using a new ECM implementation introduced in this paper. Our implementation uses Edwards curves, relies on new parallel addition formulas, and is carefully tuned for the highly parallel GPU architecture. On a single GTX 280 the implementation performs 22.66 million modular multiplications per second for a general 280-bit modulus. GMP-ECM, using all four cores of a Q6600, performs 17.91 million multiplications per second. This paper also reports speeds on other graphics processors: for example,
On the security of 1024-bit RSA and 160-bit elliptic curve cryptography: version 2.1. Cryptology ePrint Archive, Report 2009/389
, 2009
Cited by 9 (1 self)
Abstract. Meeting the requirements of NIST's new cryptographic standards means phasing out usage of 1024-bit RSA and 160-bit elliptic curve cryptography (ECC) by the end of the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their unavoidable continued usage beyond 2010 until the migration to the new standards has been completed. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC over a prime field may safely be used for much longer: with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit prime field ECC by the year 2020. Our assessment is based on the latest practical data of large-scale integer factorization and elliptic curve discrete logarithm computation efforts.
Faster Multiplication in GF(2)[x]
Cited by 5 (2 self)
Abstract. In this paper, we discuss an implementation of various algorithms for multiplying polynomials in GF(2)[x]: variants of the window methods, Karatsuba's, Toom-Cook's, Schönhage's and Cantor's algorithms. For most of them, we propose improvements that lead to practical speedups.
On Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve. https://eprint.iacr.org/2011/292.pdf
Cited by 3 (0 self)
The general number field sieve (GNFS) is asymptotically the fastest known factoring algorithm. One of the most important steps of GNFS is to select a good polynomial pair. A standard way of polynomial selection (being used in factoring RSA challenge numbers) is to select a nonlinear polynomial for algebraic sieving and a linear polynomial for rational sieving. There is another method called a nonlinear method which selects two polynomials of the same degree greater than one. In this paper, we generalize Montgomery’s method [7] using small geometric progression (GP) (mod N) to construct a pair of nonlinear polynomials. We introduce GP of length d + k with 1 ≤ k ≤ d − 1 and show that we can construct polynomials of degree d having common root (mod N), where the number of such polynomials and the size of the coefficients can be precisely determined.
Relation collection for the Function Field Sieve
Cited by 2 (1 self)
Abstract. In this paper, we focus on the relation collection step of the Function Field Sieve (FFS), which is to date the best algorithm known for computing discrete logarithms in small-characteristic finite fields of cryptographic sizes. Denoting such a finite field by F_{p^n}, where p is much smaller than n, the main idea behind this step is to find polynomials of the form a(t) − b(t)x in F_p[t][x] which, when considered as principal ideals in carefully selected function fields, can be factored into products of low-degree prime ideals. Such polynomials are called "relations", and current record-sized discrete-logarithm computations need billions of those. Collecting relations is therefore a crucial and extremely expensive step in FFS, and a practical implementation thereof requires heavy use of cache-aware sieving algorithms, along with efficient polynomial arithmetic over F_p[t]. This paper presents the algorithmic and arithmetic techniques which were put together as part of a new public implementation of FFS, aimed at medium to record-sized computations. Keywords: function field sieve; discrete logarithm; polynomial arithmetic; finite-field arithmetic.
Compressing and Disguising Elements in Discrete Logarithm Cryptography
, 2008
In the modern world, the ubiquity of digital communication is driven by the constantly evolving world of cryptography. Consequently one must efficiently implement asymmetric cryptography in environments which have limited resources at their disposal, such as smart-cards, ID cards, vehicular microchips and many more. It is the primary purpose of this thesis to investigate methods for reducing the bandwidth required by these devices. Part I of this thesis considers compression techniques for elliptic curve cryptography (ECC). We begin this by analysing how much data is actually required to establish domain parameters for ECC. Following the widely used cryptographic standards (for example: SEC 1), we show that naïvely implemented systems use extensively more data than is actually required and suggest a flexible and compact way to better implement these. This is especially of use in a multi-curve environment. We then investigate methods for reducing the inherent redundancy in the point representation of Koblitz systems; a by-product of the best known Pollard-ρ based attacks by Wiener & Zuccherato and Gallant, Lambert & Vanstone. We present methods which allow such systems to operate (with a high confidence) as efficiently as generic ones whilst maintaining all of their com
Comments on the Transition Paper
Hi, I am reading the document and was wondering what distinguishes "data authentication" from "entity authentication". For example, when IKE applies a signature it is certainly doing entity authentication but it is also signing data, for example, negotiated algorithms. As another example, is a signature in a certificate "entity authentication" or "data authentication"? A clue to what you mean by differentiating between the two cases seems to be the following text in page 5: "signature verification for entity authentication is performed immediately after signature generation; therefore, there is no requirement to retain a signature for later verification." Would I be correct to say that the actual differentiation you are doing is between signatures with long-term verification needs and those with short-term (or ephemeral) needs? This may still require an understanding of what is short-term and long-term (*) but still
Natarajan Vijayarangan, TCS Innovation Labs