New Strategies for Filtering the Number Field Sieve Matrix

Transcription

1 New Strategies for Filtering the Number Field Sieve Matrix Shailesh Patil Department of CSA Indian Institute of Science Bangalore India Gagan Garg Department of CSA Indian Institute of Science Bangalore India garg C. E. Veni Madhavan Department of CSA Indian Institute of Science Bangalore India Abstract Large sparse matrices over F 2 have to be handled after the sieving step of the number field sieve for factoring integers, typically the RSA challenge numbers. These matrices have to be preprocessed to reduce the dimension for enabling the subsequent stage of the linear algebra computations. We propose a new method for pre-processing (filtering) the number field sieve matrix on a single processor. In this method, the entire matrix is divided into bands of The bands are loaded into the memory one-by-one and processed. We also propose another method for parallel execution of the filtering step. In this method, the matrix is divided into blocks of rows and each block is processed by a different processor. These methods would serve as the most viable means for handling the number field sieve matrices arising in the future RSA challenges. I. INTRODUCTION The number field sieve is the fastest known algorithm for factoring large integers [2]. The five main steps of the number field sieve are: 1) Polynomial selection [8], [12] 2) Sieving [14] 3) Filtering [3], [5], [13], [15] 4) Finding linear dependence [5], [6], [11], [13], [15] 5) Computing a square root [7], [10] This paper presents two new methods for the filtering step. A. Motivation The output of the sieving step is a large sparse matrix over F 2. For example, for the RSA-512 factorization [4], the matrix generated by the sieving step had 131 million rows and 79 million Typically, the number of nonzero entries per row is 40. Since the index of a prime is stored, each entry would occupy 4 bytes. Hence, the total size of the matrix is bytes, which is around 20 GB. In the factorization of RSA-640 [1], the output matrix had relations. So the size of the sieve matrix is bytes, which is around 265 GB. Hence, we predict that the size of sieve matrix for RSA-704 factorization will be around 900 GB and for RSA-768 factorization around 3000 GB. This implies that the matrices corresponding to the future RSA challenge numbers [16] cannot be loaded into the memory of a single processor. Hence, there is a need for a method that can process matrices that are too large to be loaded into the memory of a single processor. B. Results of this paper In this paper, we present a novel method for filtering a large matrix on a single processor. In this method, the matrix is divided into bands of columns and one band is loaded into the memory at a time and processed. We present another novel method for filtering a matrix in parallel. In this method, the matrix is divided into blocks of rows and each block is processed by a different processor. C. Outline of the paper In the next section, we briefly describe the number field sieve algorithm. We also summarize the currently known methods for filtering. In section III, we describe our method for filtering a matrix on

2 a single processor. In section IV, we describe our method for filtering a matrix in parallel. Finally, we conclude with a short discussion in section V. II. BACKGROUND A. The number field sieve The main steps of the number field sieve algorithm for factoring integers are: 1) Determine m Z and an irreducible polynomial f(x) over Z s.t. f(m) 0 mod n. Let α be a complex root of f and let K = Q(α) be a number field with f as its minimal polynomial. Substitute each occurrence of α by (m mod n) to get a natural homomorphism φ : Z[α] Z n. 2) Generate S: a finite set of coprime integer pairs a,b s.t. (a bm) = X 2,X Z, (a bα) = γ 2,γ Z[α]. 3) Let φ(γ) = Y mod n. Then Y 2 φ(γ) 2 = φ(γ 2 ) = φ( φ(a bα) = a bα) = a bm = X 2 mod n. 4) If X ±Y mod n, we get a possible nontrivial factor of n from gcd(x ± Y,n). The first step is the polynomial selection step; step 2 is the sieving step; the steps of filtering and finding linear dependence have been combined together in step 3; the last step involves computation of a square root. We focus our attention on the filtering step. Let us denote the sieve output matrix by A. Each row of the matrix corresponds to an a,b pair s.t. a bm and a bα are smooth. An integer x is said to be y-smooth if all its prime divisors are y. In this case, y = FB, the factor base bound. The bound FB is usually different for the rational side and the algebraic side; for simplicity, we may assume that it is the same. Let us assume that the integer a bm factorizes as a bm = q F qβq, where F = {q 1,q 2,...,q k } is the factor base; q k FB and k is the number of primes in the factor base. Let us assume that the norm of the algebraic integer a bα factorizes as N(a bα) = q F qβq. This a,b pair generates one row of the sieve matrix. The matrix is over F 2. The columns in the matrix correspond to the primes in the factor base F. The i-th column corresponds to the i-th prime in the factor base F i.e. q i. The columns in the matrix are sorted in the increasing order of the prime size i.e. the entries to the left correspond to the smaller primes and the entries to the right correspond to the larger primes. The entry in the row corresponding to a,b has 1 in the column corresponding to the prime q if β q 1 mod 2; otherwise the entry is 0. This briefly describes the structure of the sieve matrix A. We describe the properties of the sieve matrix in detail in section III. In the following subsections, we summarize the currently known methods for filtering. B. Structured Gaussian Elimination The basic idea of Structured Gaussian Elimination [13] is to utilize the structural properties of the sieve matrix. The algorithm declares some columns as inactive. It then works only on the remaining active columns, preserving the sparsity of these active A column with one non-zero entry is called a singleton column and a column with two nonzero entries is called a doubleton column. The process of removing a singleton column and the corresponding row is called singleton removal. Similarly, a row with one non-zero entry in the active part of the matrix is called a singleton row. In the first step, the algorithm performs singleton removal and deletes the zero-weight columns and throws out excess rows. This is followed by Gaussian Elimination with pivots being singleton rows. When no more singleton rows and columns can be found, some additional columns are declared as inactive and the algorithm continues with Gaussian Elimination. All the steps of the Gaussian Elimination are stored. At the end, all these steps are repeated for the inactive part of the matrix. There are some disadvantages of this method. First, the reduction in the size of the matrix is not significant. Second, the fill-in in the inactive part of the matrix is high resulting in a more dense matrix.

3 C. Reduction via created catastrophes Pomerance and Smith [15] developed a heuristic specifically for matrices over F 2. This method is the same as Structured Gaussian Elimination except for one step. The situation in Structured Gaussian Elimination [13] where no more singleton rows and singletons columns can be found is called a catastrophe. In [15], Gaussian Elimination is performed on the active part until a catastrophe is encountered. After that, rows of weight 2 are used to eliminate the lighter of the two intersecting columns; the other column is replaced by its sum with the deleted column. Though this method gives better compression than the previous method, it has an additional disadvantage that the fill-in in the active part of the matrix is also high. D. Cavallar s approach Cavallar [3] proposed an alternate filtering strategy which reduces the fill-in. The main steps of her method are: 1) All the duplicate relations, zero-weight columns and singleton columns are removed. 2) A graph is built with relations being the vertices of the graph. Two vertices are connected if the corresponding relations can be merged in a two-way merge i.e. the relations appear in a doubleton column. The connected components of this graph are called cliques. 3) All the cliques are determined and each clique is given a rating. The rating favors small primes. 4) All the cliques are kept on a priority heap according to this rating. 5) Starting from the top, cliques from this heap are deleted. This is done until the number of excess relations drops below a certain threshold. Steps 2 to 5 are called clique algorithm. 6) k-way merge is performed for different values of k. A column of weight k is chosen as a merge candidate. The k relations in this column ( form the vertices of a graph and the k ) 2 merges form the edges of the graph. The weight of the edge between two vertices corresponds to the weight of the relation formed by adding the relations corresponding to the vertices. A minimum spanning tree on this graph gives the optimal merge. Thus, with a k-way merge, one column and one row are removed. All the algorithms mentioned above were designed for filtering the matrix on a single processor. But the size of the sieve matrix grows exponentially with the size of the number to be factored. For future RSA challenges [16], the storage requirements would cross 900 GB. For a matrix of this size or greater, it is not possible to filter the matrix by any of these methods. III. FILTERING MATRIX ON A SINGLE MACHINE In this section, we present a new method for filtering on a single processor. It is well known that the matrices of the sieve output are not random. These matrices exhibit the following structural properties: 1) The matrix is more sparse at one end than at the other end. The columns corresponding to the large primes are much more sparse than those corresponding to the small primes. 2) Along each column, the non-zero entries are distributed uniformly. 3) There are more singletons in the columns corresponding to the large primes than in the columns corresponding to the small primes. 4) For small values of k, more k-way merges take place in the sparser part of the matrix. Fig. 1. Band division of the matrix Our algorithm proceeds as follows: 1) Remove duplicate relations using hashing. 2) Start from the sparse end and load maximum possible number of columns into the memory

4 of the processor. This forms our first band. This is the active part of the matrix. 3) Remove all zero-weight columns and singleton columns from the active part of the matrix. Repeat this step till there are zeroweight columns or singleton columns in the active part of the matrix. 4) Load more columns into the memory. This forms our next band, as illustrated in Fig. 1. The active part of the matrix is the union of all the bands loaded till now. 5) Repeat steps 3 and 4 until no more columns can be loaded into the memory or no more singleton columns can be found. 6) Execute the clique algorithm to throw away excess relations from the active part of the matrix. 7) Repeat steps 3 to 6 until no more columns can be loaded into the memory. 8) If the entire matrix is loaded into the memory, proceed with k-way merge [3]. The columns in the rightmost band have the minimal weight. We encounter maximum number of singletons in this band. Hence, we load columns into the memory starting from the right side. When we remove a singleton column, the corresponding row is also deleted. Thus, some memory is freed and the dimension of the matrix is reduced. Moreover, deletion of a row reduces the weight of the columns intersecting with this row. This may give rise to more zero-weight columns and singleton columns in the active part of the matrix. Hence, we need to execute step 3 repeatedly. In order to execute the clique algorithm, we weigh the cliques such that a clique containing more low-frequency columns gets a higher weight. In k-way merge, a column of weight k is chosen as a merge candidate. The k relations in this column form the vertices of a graph. The edge connecting two vertices is assigned a weight, which is the weight of the row formed by adding the rows corresponding to these two vertices. Since the matrix is sparse, there is low probability that cancellations would take place while adding. Hence, we may assume that the weight of the edge is the same as the sum of the weights of the two rows. Hence, for smaller values of k, we can perform k way merge even when the entire matrix cannot be loaded into the memory. In most of the cases, the entire matrix gets loaded into memory of the processor by step 8. This is so because singleton column removal and deletion of excess rows leads to a substantial reduction in the size of the matrix. However, it is possible that the matrix is so large that even after reaching step 8, the entire matrix cannot be loaded into the memory of the processor. In this case, it is recommended that filtering is done in parallel. This is explained in the next section. A. The scheme IV. FILTERING IN PARALLEL We assume a master-slave model. We assume that there are t + 1 nodes. Each node has its own RAM and a hard-disk. Each node may have only one processor or it may be multi-processor. Let the nodes be named s 1,s 2,...,s t. Let these be the slaves and let M be the master. Denote the sieve output matrix by A. We assume that the matrix is represented as an adjacency list of non-zero entries. We assume that A has m rows and n The master M sends approximately m/t rows to each of the nodes s i. Let these block of rows be denoted by A 1,A 2,...,A t. We assume that the number of nodes t is such that the row block A i can be completely loaded into the memory of the node s i. A schematic diagram for filtering in parallel is shown in Fig. 2. The main steps of filtering are: 1) Removing duplicate relations. 2) Computing the transpose. 3) Removing zero-weight columns and singleton 4) Removing excess rows. 5) Reducing the dimensions of the matrix. We need to repeat steps 3, 4 and 5 until the desired level of compression is achieved. Each of these five steps are discussed in detail in the following subsections. B. Removing duplicate relations The first step in filtering is to remove duplicate relations. Experiments suggest that more than 30% of the rows are duplicated [3]. Hence, it is recommended that the duplicate relations are removed first as it reduces the matrix size substantially.

5 Fig. 2. Schematic diagram of filtering in parallel Duplicate removal is done as follows: 1) Each node s i computes the hash of all the rows in the row block A i. 2) Each node s i determines the duplicate rows that it has and deletes them. 3) The nodes s i send the hash list of the remaining rows to the master M. 4) The master M merges the hash lists and determines the duplicate rows. 5) The list of the duplicate rows is broadcast to the nodes s i. 6) The nodes s i delete the duplicate rows. The next step is computing the transpose of the matrix. The transpose is required for the removal of zero-weight columns and the singleton C. Computing the transpose The transpose is computed as follows: 1) Each node s i loads A i into its memory. 2) Each node s i computes the transpose A T i. We now remove zero-weight columns and singleton D. Removing zero-weight and singleton columns This is done as follows: 1) Each node s i computes the weight of all the columns in the row block A i. 2) Each node s i sends the column indices of weight 0 columns and weight 1 columns to the master M. 3) The master M merges this information to determine zero-weight columns and singleton 4) The master M broadcasts the list of zeroweight columns and singleton columns to all the nodes s i. 5) The nodes s i delete the zero-weight columns and the singleton For each singleton column deleted, the corresponding row is also deleted. 6) Steps 1 to 5 are repeated until no more zeroweight columns and singleton columns are found. In order to reduce the network traffic, each node s i divides the columns of A i into bands and executes steps 1 and 2 only for this band. After the zero-weight columns and singleton columns from this band have been removed, all the nodes s i move to the next band and process both these bands together. This reduces the network traffic since we are now communicating the information of only a part of the matrix. Since the number of singleton columns is much more in the sparse part of the matrix, it is advised to start from the right-most band. In subsection IV-A, we assumed that A i can be completely loaded into the memory of the node s i. However, if this is not possible, each node s i follows the algorithm described in section III. After removing the zero-weight columns and the singleton columns, the number of rows are more than the number of Hence, we need to remove excess rows. E. Removing excess rows We may either remove the heaviest rows or use the clique algorithm. Removing the heaviest rows proceeds as follows: 1) Each node s i sends the weight of all the rows in A i to the master M.

6 2) The master M merges this information and determines the heaviest rows. 3) The master M broadcasts this list to all the nodes s i. 4) Each node s i deletes the rows that are in A i. 5) Zero-weight columns and singleton columns are deleted as described in subsection IV-D. The clique algorithm proceeds as follows: 1) The nodes s i send the column indices of the columns of weight 0,1,2 to the master M. 2) The master M merges this information and determines the columns of weight 2 i.e., the doubleton 3) The master M broadcasts this list of doubleton columns to the nodes s i. 4) Each node s i determines the rows that intersect with these doubletons 5) Each node s i sends the corresponding rows to the master M. 6) The master M builds the graph and determines the cliques. 7) The master M broadcasts the list of rows and columns to be deleted to the nodes s i. 8) The nodes s i delete the appropriate rows and 9) Zero-weight columns and singleton columns are deleted as described in subsection IV-D. F. Reducing the dimension of the matrix For small values of k, we perform k-way merge in parallel. The main steps are: 1) The nodes s i send the column indices of the columns of weight 0,1,2,...,k to the master node M. 2) The master M merges this information to determine the columns of weight k. 3) The master M broadcasts this list to the nodes s i. 4) Each node s i determines the rows that intersect with these 5) Each node s i sends the corresponding rows to the master M. 6) The master M builds the graph and computes its minimum spanning tree. 7) The master M broadcasts the index of the row and the column to be deleted to the nodes s i. It also broadcasts the index of the k 1 rows that need to be replaced, and the new k 1 rows that correspond to the edges of the minimum spanning tree. 8) Each node s i performs the appropriate row replacements and deletes one column and one row. 9) Zero-weight columns and singleton columns are deleted as described in subsection IV-D. For higher values of k, the procedure becomes highly communication intensive. Hence, it becomes very slow and it is recommended that k-way merge is done on a single node. V. CONCLUSION AND FUTURE WORK From the above discussion, it is clear that the steps of 1) duplicates removal, 2) zero-weight column and singleton column removal, and 3) throwing out excess rows of the matrix can be efficiently done in parallel. These steps involve little communication. k-way merge for small values of k can also be done in parallel. However, for larger values of k, it is recommended that k-way merge is done on a single node. We are currently sieving for RSA-640. After the sieving is over, we would proceed with filtering. The step of sieving requires some more months of computation. Our present estimates warrant the use of the proposed heuristics. We would provide experimental results in a more detailed paper subsequently. ACKNOWLEDGMENTS The first author would like to thank V. Suresh and H. V. Kumar Swamy for their useful comments on the first draft of the paper. REFERENCES [1] F. Bahr, M. Boehm, J. Franke, T. Kleinjung, Factorization of RSA-640, at [2] J. P. Buhler, H. W. Lenstra Jr., and C. Pomerance, Factoring integers with the number field sieve, in [9], pp [3] S. Cavallar, Strategies in filtering in the number field sieve, in Algorithmic Number Theory - ANTS-IV, LNCS 1838, pp , Springer-Verlag, Berlin, [4] S. Cavallar, B. Dodson, A.K. Lenstra, W. Lioen, P.L. Montgomery, B. Murphy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. Leyland, J. Marchand, F. Morain, A. Muffett, C. and C. Putnam, and P. Zimmermann, Factorization of a 512-bit RSA modulus, in Advances in Cryptology - Eurocrypt 2000, LNCS 1807 pp Springer-Verlag 2000.

7 [5] S. Cavallar, On the number field sieve integer factorization algorithm, PhD thesis, [6] D. Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, in Mathematics of Computation, bf Vol 62, pp , [7] J. Couveignes, Computing a square root for the number field sieve, in [9], pp [8] T. Kleinjung, On polynomial selection for the general number field sieve, in Mathematics of Computation, Vol 75, pp , [9] A. K. Lenstra and H. W. Lenstra Jr. (eds.), The development of the number field sieve, Lecture notes in Math. vol. 1554, Springer-Verlag, Berlin and Heidelberg, [10] P. L. Montgomery, Square roots of products of algebraic numbers, in Mathematics of Computation : a Half-Century of Computational Mathematics 1994, W. Gautschi, Ed., Proceedings of Symposia in Applied Mathematics, American Mathematical Society, pp [11] P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), in Advances in Cryptology - Eurocrypt 1995, LNCS 921 pp Springer-Verlag [12] B. A. Murphy, Polynomial selection for the number field sieve integer factorization algorithm, PhD thesis, [13] A. M. Odlyzko, Discrete logarithm over finite fields and their cryptographic significance, in Advances in Cryptology - Eurocrypt 1984, LNCS 209, pp , Springer-Verlag [14] J. M. Pollard, The lattice sieve, in [9], pp [15] C. Pomerance and J. W. Smith, Reduction of large, sparse matrices over a finite field via created catastrophes, in Experimental Mathematics, Vol 1. No. 2, pp , [16] The RSA Challenge Numbers