
The Factoring Dead Preparing for
the Cryptopocalypse Thomas Ptacek, Matasano Tom Ritter, iSEC Partners Javed Samuel, iSEC Partners Alex Stamos, Artemis Internet

Agenda Introduction The Math New
Advances The Impact

• There is a significant
disconnect between theory and reality in security. • Lots of great, continuous academic research in cryptography. • Few engineers get beyond Applied Cryptography before shipping code. • In the 2010's, it is no longer acceptable to just use standard libraries and claim ignorance. • We wanted to see if we could bridge this gap a bit. • We certainly are not the only ones to do so. Why are we here?

• Numerous attacks on the
currentTLS infrastructure. • BEAST 1 • CRIME 2 • Lucky 13 3 • RC4 Bias 4 • Even a new compression oracle attack here at BlackHat USA 2013! 5 • Were any of these attacks really unpredictable to people paying attention? (Hint: no6) RecentTLS Problems [1] http://vnhacker.blogspot.com/2011/09/beast.htm [2] https://www.isecpartners.com/blog/2012/september/detailsonthecrimeattack.aspx l [3] http://www.isg.rhul.ac.uk/tls/TLStiming.pdf [4] http://infoscience.epfl.ch/record/152526/files/RC4_1.pdf [5] http://www.blackhat.com/us13/briefings.html#Prado [6] John Kelsey. Compression and information leakage of plaintext. Fast Software Encryption, 9th International Workshop, February 2002!

• 1998 – EFF Deep
Crack defeats DES in 56 hours • 2005  Preimage attacks against MD5 discussed • 2008 Applebaum, Sotirov et. al. use MD5 attack against CA • 2011  CA/Browser Forum forbids MD5 • 2012  Somebody (cough) uses related attack against Microsoft for FLAME • SIM Card Attack at BlackHat 2013 using DES Comparison to AcademicTime Line

• Most systems are not
designed for cryptographic agility • Cryptography is an ecosystem • Few companies employ fulltime cryptographers • Hard for InfoSec practitioners to keep uptospeed • Lots of momentum in the professional consulting core. We have failed as an industry to address these structural problems. Why such a disconnect?

• Looking for the next
crypto black swan. • Our thesis: • Last six months has seen huge leaps in solving the DLP • These leaps have parallels to the past. • There is a small but real chance that both RSA and non ECC DH will soon become unusable. • Ecosystem currently cannot support a quick pivot to ECC We want this room to become the seed of change Why are we here?

Agenda Introduction The Math New
Advances The Impact

• Key part of modern
cryptosystems Why Asymmetric Cryptography?

• We need a “trapdoor”
function, something that is easy to do but hard to undo • We also need a way to cheat with more information • Rarely is the difficulty of this function proved, only assumed How does asymmetric crypto work?

• DiffieHellman  1976 
Secure key exchange • RSA  1977  Encryption, signing • Elliptic Curve Cryptography • Suite B  2007  Key exchange, signing and encryption • GOST  2010  Key exchange, signing and encryption What are the common primitives?

• First published byWhitfield Diffie
and Martin Hellman in 1976 • Establishes shared secret by exchanging data over a public network. • Security relies on the hardness of the discrete logarithm problem. Diffe HellmanOverview

• Solve the discrete logarithm
problem: • Suppose h = gx for some g in the finite field and secret integer x. • The discrete logarithm problem is to find the element x, when only g and h are known. • Also how you attack ElGamal and DSA How do I attack DH?

• Key Generation to compute
public and private key exponent (e, d) • Encryption by raising the message to public key exponent e • Decryption by raising the message to private key d • Security relies on the hardness of factoring. RSA Overview

• Factoring! • Find the
p & q such that p*q = N • Factoring an RSA modulus allows an attacker to compute the secret d and thus figure out the private key. How do I attack RSA?

• An elliptic curve E
over R real numbers is defined by a Weierstrass equation eg y2 = x3  3x + 5 • Cryptographic schemes require fast and accurate arithmetic and use one of the following elliptic fields. • Prime Field Fp where p is a prime for software applications. • Binary Field F2m where m is a positive integer for hardware applications. Elliptic Curve Cryptography Overview

•
EllipticCurve Cryptography

ECC v RSA key sizes
NIST Recommended Key Sizes Symmetric DH or RSA ECC 56 512 112 80 1024 160 112 2048 224 128 3072 256 192 7680 384 256 15360 521

Agenda Introduction The Math New
Advances The Impact

• Generic algorithms (for any
G) • Example: PohligHellman • Shows that discrete logarithm can be solved by breaking up the groups into subgroups of prime order. • Generic algorithms are exponential time algorithms. • Specific algorithms which make use of group representation • Example: Index calculus algorithms • They leverage particular properties of the group • Result in subexponential running time Discrete LogarithmAlgorithms

L(1) – Exponential WayToo Slow
Exponential vs Polynomial L(0) – Polynomial Fast enough to scare you Linear running time plot Logarithmic running time plot

Exponential vs Polynomial L(0) L(1/2)
– 1979 L(1) – current fastest ECDLP algorithms

Exponential vs Polynomial L(0) L(1/2)
– 1979 L(1) – current fastest ECDLP algorithmsL(1/3) – 1984 Factoring and Discrete Logs stay here for the next 30 years

Exponential vs Polynomial L(0) L(1/2)
– 1979 L(1) – current fastest ECCDLP algorithmsL(1/3) – 1984 Factoring L(1/4) for Discrete Logs with restrictions on the types of group  2013

Exponential vs Polynomial L(0) L(1/2)
– 1979 L(1)  current fastest ECC algorithmsL(1/3) – 1984 Factoring L(1/4)  2013 L(0) for discrete logs with restrictions on the types of groups – 2013

• Rapid progress in DL
research in past 6 months • February 20, 2013: Joux published a L( 1/4 ) algorithm to solve DLP in small characteristic fields. • April 6, 2013: Barbulescu et al solve the DLP in of F2 809 using the Function Field Sieve algorithm (FFS) • June 18, 2013: Barbulescu, Gaudry, Joux,Thomé publish a quasipolynomial algorithm for DLP in finite fields of small characteristic. New Developments in 2013

• Uses judicious change of
variables to find multiplicative relations easier. • Uses a specific polynomial with linear factors to simplify the computation. • Uses a new descent algorithm to expresses arbitrary elements in the finite field. • Complexity is L( 1/4 + o(1)) which is considerably faster than any discrete logarithm algorithm published before. Joux’s New Discrete Log Algorithm (Feb 2013)

• Quasipolynomial algorithm for DL
in finite fields of small characteristic. • Improves Joux’s February 2013 algorithm using special matrix properties. • Fastest discrete logarithm has been improved significantly in the past 6 months after marginal progress in 25 years. • However; no clear jump to more practical implementations which use finite fields with larger characteristicYET! More Improvements June 2013, Barbulescu, Gaudry, Joux,Thomé

• Pairing based cryptography (PBC)
over small characteristics is no longer secure. • PBC can be used for identitybased encryption, keyword searchable encryption where traditional public key cryptography may be unsuitable. • Currently used mainly in academic circle. • Improves the Function Field Sieve (FFS) in most cases. • The function field sieve currently can be used to solve for small to medium characteristics fields. Implications of Discrete Log Progress

Why Should I Care?

• Function Field Sieve has
Four Steps • Choose a Polynomial • Relation Filtering • Linear Algebra • The Descent • In the last 6 months, all of them have been improved • More likely something can be used on something we care about • His record setting calculation, in May, took 550 Hours • 512 Bit RSA takes 652 Hours Function Field Sieve

• Joux has attacked fields
of a small characteristic • We use fields of a large characteristic • Joux’s… • Polynomial choice probably would not help • Sieving Improvements may help • Descent Algorithm needs tweaking, but definitely helps • Renewed interest could result in further improvements. Attacking DH, DSA, ElGamal

• Factoring advances tend to
lead to advances in Discrete Log • Discrete Log advances tend to lead to advances in Factoring • Degrees of difficulty of both problems are closely linked. Attacking RSA

• 1975 Pollard's Rho in
Factoring > 1978 Pollard's Rho in Discrete Log. • 1984 Quadratic Sieve Factoring > 1987 improvements in Discrete Log Index Calculus Algorithms. • 1993/4 Discrete Log Number & Function Field Sieves > 1994 General Number Field Sieve for Factoring. MutualAdvances over the years

Factoring 1. Polynomial Selection 2.
Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs

Factoring 1. Polynomial Selection 2.
Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs NotThat Slow Constant Time

Factoring 1. Polynomial Selection 2.
Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs Easy to Parallelize NotThat Slow Constant Time

Factoring 1. Polynomial Selection 2.
Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs Slow & Difficult to Parallelize Easy to Parallelize NotThat Slow Constant Time

Factoring 1. Polynomial Selection 2.
Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs Very SlowVery Fast Slow & Difficult to Parallelize Easy to Parralellize NotThat Slow Constant Time

• No obvious technique right
now from Joux’s improved discrete logarithm algorithm that applies directly to factoring. • But I’m not a mathematician, I just play one on stage – I wouldn’t bet the farm on that • Public colloquium and publications seem to indicate that NSA/NIST may also already be very concerned. Attacking RSA

• MSIEVE • http://sourceforge.net/projects/msieve/ •
CADONFS • http://cadonfs.gforge.inria.fr/ • GGNFS • http://www.math.ttu.edu/~cmonico/software/ggnfs/ • Tutorials • http://github.com/tomrittervg/cloudandcontrol Public Implementations &Tutorials

• ECC is still standing
 still requires exponential time algorithms • If Joux or others hits upon a general purpose discrete logarithm algorithm as fast his special purpose one... • DiffieHellman, DSA, and ElGamal are toast • If that leaps to factoring  RSA is toast • Technically not dead, but… • RSA key sizes may have to go up to 16,384 bits • Wildly impractical for actual use, never mind that nothing supports keysizes that large Implications

Agenda Introduction The Math New
Advances The Impact

• Widespread active and passive
attacks against live and recordedTLS. • PFS not necessarily the panacea • Failure of codesigning and update mechanisms • How do you fix your software • Failure of PGP, S/MIME and most endtoend encryption • Almost total failure of trust in the Internet What Happens If DH or RSA Fails Now?

• We need to move
to ECC, rather quickly • Alex says that ECC is perfectly secure,YAY! • Not really • <30 years of research versus 400: • Uses some of the same ideas • Right now it’s all we have • Longterm, we need more research into alternatives • RSA was 1977, RC4 was 1984. Give Rivest a break. So, what now?

• Lots of push from
academia and government into ECC • DH/RSA are here and they are easily understood • Legal risks have slowed ECC adoption • ECC had compatibility problems, but NIST has specified 15 standard curves Why has ECC uptake been so slow?

• In 2005, the NSA
released the Suite B set of interoperable standards • Suite B specifies: • The encryption algorithm (AES256) • The key exchange algorithm (Elliptic Curve DH) • The digital signature algorithm (Elliptic Curve DSA) • The hashing algorithms (SHA256 and SHA384) Hmm, what’s missing? Overview of Suite B

• The patent issue for
elliptic curve cryptosystems is the opposite of that for RSA and DiffieHellman. • RSA and DiffieHellman had patents for the cryptosystems but not the implementation. • Several important ECC patents owned by Certicom (Blackberry) • Efficient GF(2n) multiplication in normal basis representation. • Technique of validating key exchange messages to prevent a maninthemiddle attack. • Technique for compressing elliptic curve point representations. ECC Patents

• NSA purchased from Certicom
(now Blackberry) a license that covers all of their intellectual property in a restricted field of use. • License is limited to implementations that were for national security uses and certified under FIPS 1402 or were approved by NSA. • Commercial vendors may receive a license from NSA provided their products fit within the field of use of NSA’s license. • Commercial vendors may contact Blackberry for a license for the same 26 patents. ECC and Suite B

MaybeCerticom is cool about this?

Table :Windows and OSX ECC
Support ECC Support on Operating Systems OS Library ECDH ECDSA Others Version OSX/IOS ssl36800 Yes Yes None 10.6 OSX/IOS smime 36873 Yes Yes None 10.6 Windows CNG Yes Yes None Vista Windows TLS Yes Yes None Vista Windows Suite B Yes Yes None Vista SP1, Windows 7

Android ECC Support ECC Support
on Android OS Library ECDH ECDSA Others Version Android Bouncy Castle Yes Yes None 4.0 Android TLS Yes Yes None 3.2.4 Android CyaSSL Yes Yes None 2.4.6 Android NSS Yes Yes NTRU 3.11

Programming Languages ECC Support ECC
Support on Programing Languages Programming Language Library ECDH ECDSA Others Version Python PyECC Yes Yes ECIES 2.4 C OpenSSL Yes Yes None 3.2.4 Java SE6 Bouncy Castle Yes Yes None Java 6 Java SE7 Native Yes Yes ECIES, ECDSA, ECHR Java 7 Ruby OpenSSL Yes Yes None 1.8

• Windows Code Signing •
Default is RSA • ECC is supported through CSPs but not default • AndroidCode Signing • Both DSA and RSA are currently supported. • iOS code Signing • Uses CMS • Supports ECDH and ECDSA. Code Signing

• TLSv1.2 is the first
to include ECC options • Only TLS_RSA_WITH_AES_128_CBC_SHA is required • BeforeTLS 1.2, CA and Cert had to match. • With 1.2 you can crosssign • Can use DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA with either ECC or RSA • TLS 1.1 supports ECDH(E) for PFS Transport Encryption

• ECC roots exist, buying
a cert is not so easy • There would significant work required in the transition form RSA to ECC certificates. • Thawte Root Certificate6  Root CA is not used today. Intended for use in the future for SSL certificates. • Verisign/Symantec Root Certificate7  ECC root certificate for 5 years; just begun offering commercial certificate this year. • Entrust ECC Certificate8  No global root certificate currently available today.Will use a Public ECC256 Root. • Comodo9  384 bit ECC Root certificate. PKI Infrastructure

• Current Root KSK generated
in 2010 (algorithm 8) • Standard specifies rotated “when necessary” or at five years • IANA,Verisign, ICANN SSAC looking at options • ECC being considered • Helps with Zone File size • Interesting enough, check out .ru DNSSEC

• BlackBerry uses ECC extensively
• OpenVPN uses OpenSSL which includes ECC support, doesn’t seem to work • IPSEC  Cisco, Shiva and Nortel gateways support ECDH IKE. • OpenSSH has ECC support, not the default. Other Popular Applications

What do you do now?

• Make ECC easy to
use • See NaCl’s box() and unbox() • Update documentation to push developers away from RSA • Get aggressive about compatibility testing • Eat your own dogfood If you are a… OS or language vendor

• TLS 1.2 needs to
be a P1 feature • Only IE 11 and Chrome 29 support (both prerelease) • Push at CA/B Forum for standardized process for cross signed certificates If you are… a browser vendor

• You need to supportTLS
1.2 on endpoints • Build systems with pluggable primitives • Versioning • Handshake and negotiation • If this sounds too hard useTLS 1.2 • Use ECC for any new cryptosystems • Retrofit old mechanisms using wrapping • ECC signed binary inside of legacy RSA signature If you are a… software maker

• Make it easy to
buy an ECC cert • Change documentation to include ECC CSR instructions • The CA/Browser Forum should promulgate standards pushing this If you are a… CertificateAuthority

• Make the world a
safer place… • License the ECC patents openly to any implementation of Suite B, regardless of use If you are… BlackBerry

• Use ECC certificates where
possible • Bug vendors forTLS 1.2 and ECC support • Turn on ECDHE PFS today! • Survey your exposure, so when the cryptopocalypse comes you are like this guy: If you are… just a normal company

• Current cryptosystems depend on
discrete logarithm and factoring which has seen some major new developments in the past 6 months. • We need to move to stronger cryptosystems that leverage more difficult mathematical problems such as ECC. • There is a huge amount of work to be done, so please get started now. Summary

• JasonP • Antonie Joux
• Dan Boneh • RyanWinkelmaier (iSEC Partners intern) ThankYou
Asymmetric cryptographic is an essential part of all modern cryptosystems.It has allowed us to move from the old Enigma machines used by WWII cryptographers to TLS which is used to secure communication over the internet.I am sure that we have all used TLS and we have asymmetric cryptography to thank for this.
Asymmetric cryptography relies on certain information being computationally hard to compute without a secret. Asymetrix cryptosystems contain public component which can be known by everyone including an adversary. However, it must not be possible to compute the private or secret key from this information. This would completely break the cryptosystem.These mathematical functions are currently computationally difficult but not provably hard. An efficient algorithm may exist and just has not been found. Our cryptosystems rely on that efficient algorithm not being discovered. We will take a closer look at some of these mathematical functions now.
BothDiffie Hellman and RSA were first published in the late 1970’s and are used in almost all of today’s cryptosystems.They are used for a variety of purposes such as secure key exchange, encryption and signing.Elliptic Curve Cryptography was first published in the 1980’s and there was been significant academic interest in Elliptic Curve cryptography but limited use in industry. ECC is performed over a specified curve unlike Diffie Hellman and RSA which are performed over the set of integers.In the recent few years, the NSA published Suite B recommendations and the Russian’s declassified GOST recommendation which recommend use Elliptic curve cryptography. Like Diffie Hellman and RSA, ECC can be used for key exchange, signing and encryption.
Now we will take a closer look at the Diffie Hellman key exchange protocol. This was first published by Diffie and Hellman in 1976.As some of you may know, Diffie Hellman allows one to establish a shared secret by exchanging data over a public untrusted network.This shared secret can then be used in a symmetric cryptosystem.The security of the Diffie Hellman key exchange completely relies on the computational hardness of the discrete logarithm problem.
How does one break Diffie Hellman. Simple, you solve the discrete logarithm problem.Suppose you have h = g^x. The discrete logarithm problem is to find the element x when only g and h are known.This seemingly simple problem is the basis of the Diffie Hellman key exchange protocol.To reiterate an efficient discrete logarithm algorithm will completely break DH.Also, since both ElGamal and DSA rely on slight modifications of the DLP an efficient generic DL algorithms will break them as well.
The first phase in RSA is to compute an RSA modulus from 2 large primes.From that RSA modulus, a public key exponent (e) and public key (d) are computed that satisfy a particular mathematical relation.This public key is used to encrypt any message sent to the receiver. This is done by raising the message to the recipient's public key e.The recipient of the message then raises the ciphertext to their private key d.As with Diffie Hellman, the security of RSA relies on a mathematical problem.In this the mathematical problem is factoring.
We attack RSA by attacking the underlying mathematical function which in this case is factoring.Factoring as we can remember from grade school mathematics is a seemingly simple task eg. 35 = 5 * 7…. This is true for small numbers at least. However, there currently exists no efficient algorithm to factor an arbitrary number.Factoring an RSA modulus would allow us to compute the two constituent primes of that modulus and with the user’s public key we would then be able to compute the user’s private key.We can simply use the same mathematical relation which was used to generate it in the first place.To reiterate an efficient factoring algorithm will completely break RSA.
Now let us switch gears a bit and discuss Elliptic Curve Cryptography. As mentioned earlier ECC was first published in the 1980’s and there has continued Work in the field over the past 30 years.An elliptic curve E over the real numbers R is defined by a Weierstrass equation. I have shown an example on the slide.This funky looking curve is special and allows us to build even secure cryptosystems.Generally either a prime field or binary field is used depending on the application.
As with both Diffie Hellman and RSA, ECC also depends on a fundamental mathematical problem.In this case ECC is secure due to the hardness of the Elliptic curve discrete logarithm problem (ECDLP). This should not to be confused with the discrete logarithm problem we just saw.The underlying mathematical problem is given two points on the elliptic curve, P and Q, compute the integer d such that Q = dP.In the diagram on the screen I have shown the simple case where d=2.The key pair (d; Q) can be used for a variety of cryptosystems including signature and encryption/decryption.As with Diffie Hellman and RSA, if an efficient algorithm for solving the underlying mathematical problem then the entire cryptosystem is broken.
Now we show the NIST recommended key sizes for symmetric algorithms, Diffie Hellman and ECC.As can be seen NIST recommends significantly smaller key sizes for ECC. This is due to the increased computational difficulty in solving the ECDLP as opposedto factoring or the regular DLP.Furthermore given current research advances even key sizes in the same rows are not computationally equivalent.
Now we will move on the next section and look at some of the new advances in the academic world.And why we need to be very concerned about this new research progress.
There are two types of discrete logarithm algorithms namely generic algorithms and specific algorithms.Generic algorithms work with a divide and conquer approach by breaking up groups into smaller groups They are very slow and take exponential time. We will discuss the complexity of algorithms in the next slide. Specific algorithms make use of particular group representations and can be much faster. Examples such as the index calculus algorithm currently result in mainly subexponential algorithms.They work by leveraging certain properties of the group.
Now let us take a look at algorithmic complexity and why that matters. Algorithmic complexity is simply how fast does a given algorithm run.Discrete Logarithm and Factoring generally use L notation in the literature to indicate their complexity. L(0) indicates that an algorithm is polynomial while L(1) is a fully exponential algorithm. Anything in between is subexponential.On the linear running time plot we can see that Exponential time algorithm dominates all other algorithms which can barely be seen on xaxis.The difference in running time can be me more clearly seen in the logarithmic plot where the running time of the exponential continues to grow while for polynomial time it plateaus.
Sporadic progress in DL research for 30+ years1979: Alderman published a subexponential L( 1/2 ) algorithm to solve the DLP. Note that this is not half the running the time of an L(1) algorithm.The fastest ECDLP logarithm has been fully exponential for the last 30 years and while there has been progress at the margins there have been no major breakthroughs.
A few later there was a further improvement in academia when an L(1/3) algorithm was published.1984: Odlyzko published a L( 1/3 ) algorithm to solve DLP in finite fields.And then there was little progress in the algorithmic complexity over the past 30 years. There were some improvements at the margin to the constants but there was no substantial progress until this year.
Then suddenly in February 2013 we had a paper released by Antonine Joux where he published an L(1/4) algorithm for Discrete logarithms. Note this is not a generic algorithm and only applies to cases with certain restrictions on the types of group..
And then within a few months Antonine Joux and some other researchers improved these algorithm to be quasipolynomial L(0).Again this only applies to discrete logarithm with particular properties.
As we just saw there has rapid progress in the discrete logarithm field in the past 6 months. While these algorithms are currently limited to only certain circumstances namely small characteristics fields.Now for the math nerds…The characteristics of a field is the number of multiplicative identity elements in a sum needed to compute the additiive identity of the field. Generally practical cryptosystems use large characteristic field.These recent developments will bring more attention to the discrete logarithm problem and this will spur researchers into looking more closely problem most likely resulting in even further improvement in the near future.
Let us know take a brief look at some of the mathematics used in the new discrete logarithm algorithm.The main thing to note is that no new fundamental mathematical technique was required. This did not require the invention of a new branch of mathematics.Instead he used several mathematical tricks to speed up the running time of the algorithm significantly. It is remarkable that such techniques were not seen earlierBy any previous researchers in the area.Some of these techniques include a clever change of variables; a specific polynomial to simplify the computation. And a new descent algorithm to express arbitrary elements in the finite field.This resulted in a discrete logarithm that is much faster than anything published earlier.
And then given these insights, in less than 6 months, other researchers including Joux were able to help and improve this algorithm even further with some more special mathematics. They used special matrix properties which sped up the slowest step and resulted in a quasipolynomial algorithm for discrete logarithm in certain circumstances.This is a big deal since there was marginal progress for 25+ years but then in 6 months there has been significant progress in discrete logarithm research.Note that is no obvious jump to more practical implementations yet. However, with the renewed interest in the field in academia we could so much more progress in the immediate future.
Some of the current implications of this discrete logarithm research right now is that pairing based cryptography which is used mainly in academic circles is no longer secure when done over small characteristics. There are limited practical implementations of pairing based cryptography though there is a pairing based crypto library maintained by the Stanford cryptography group.Also the function field sieve which will be discussed in more detail by Tom Ritter in the next section is improved by these new developments. The function field sieve is used mainly for small to medium characteristics field.
And now I’ll pass it to Tom Ritter who will discuss how this may apply to factoring.All right, so that’s a lot of Math, let’s talk about how this impacts or doesn’t impact the _algorithms_ we use today, before we talk about how it impacts the _applications_ we use today
The Function Field Sieve, which is what’s used for solving Discrete Logs, has four steps. In the last six months, all of them have been improved. That means it’s way more likely that something will be applicable to an algorithm we care about.And it’s worthwhile to note that the computation times that people are setting records with are not supercomputerworthy. Less than a month on a single core. 652 figure:460 hours for seiving8 core days = 192 hours for linear algebra
So Joux has attacked fields of a small characteristic. But we use fields of a large characteristic in Diffie Hellman, DSA, and ElGamal. Joux’s specific improvements are hit or miss on applying to these types of fields. The polynomial selection probably doesn’t, the sieving might, and the descent algorithm needs some tweaking and further work – but it will definitely lead to improvements.And of course, the simple fact that everyone in the Academic Community is really excited about this stuff means we’ll probably see even more improvements down the pipe.
So what about RSA? Everybody uses RSA, and we use it everywhere. And traditionally, Discrete Logs and Factoring have been very closely linked. When we improve one, we tend to improve the other in short order.
And we’ve seen this over the years. The dates that Javed threw out – those have seen advances right next to each other on the other algorithm. In the 70s, in the 80s, and in the 90s. And while I hate to think we’re going to call this decade the ‘10s, we’ll probably see a reflective paper nonetheless.
But WHY are these two algorithms so closely related? Well, they have about the same steps. They both select a polynomial, sieve for relations, perform a big linear algebra step, and then solve for the specific number you want factor or compute the discrete log of.So if that’s how they’re similar, let me explain how they’re different.
In Factoring, the polynomial selection takes some time, but it’s not that slow.In Discrete Logs, Joux has chosen his polynomial as a constant, based off the type of Group he’s working in.
The Relationship Sieving in both takes time – but it’s trivial to parallelize. In the era of EC2 and Google Compute Engine – any problem that’s embarrassingly parallel and doesn’t require the energy output of the sun tends to just have cores thrown at it.
Now the Linear Algebra for both of them is Slow, and difficult to parallelize. It requires a lot of memory, and a lot of memory bandwidth, plus a lot of CPU time. It’s also harder for Discrete Logs than it is for Factring.
And the most notable difference is that the last step is way more difficult for Discrete Logs. The Descent is extremely painful for Discrete Logs, but the analogous step, the Square Root takes minutes for Factoring.So they’re very closely related, but they’re not exactly homogeneous between the two.
So coming back to RSA – there’s no obvious technique fromJoux’s work to directly apply to the General Number Field Sieve, and factoring RSA public keys.That said, if there’s even a 5% chance, that’s basically a 5% chance to throw every single Certificate Authority, every single SSL session, every single software update mechanism into complete and utter disarray.And based on NIST’s publications and colloquiums it seems like they’re concerned about this too.
And it’s worthwhile to note that running the General Number Field Sieve, and factoring 512bit, and even 768bit, RSA keys is within you, the audience members’ grasps. The software used to do it is public and open source, and there are tutorials on how to factor 512bit keys in under 30 hours.
So right now, ECC is in pretty good shape. But we have to keep in mind that ECC has been around and studied for 30 years, while RSA and DH or more importantly, factoring and discrete logs, have been studied for hundreds.if Joux or others hit upon a general purpose discrete log algorithm – Diffie Hellman and other algorithms we rely on are toastAnd if it leaps to factoring, RSA will be toast to.And if give you an idea what I mean when I say toast, I mean key sizes might have to go from 2048 to 16,384. Besides being wildly impractical for any actual use because it’s way too slow – there’s like, no software that supports keysizes that large.So let me hand it over to Alex to talk about how screwed we all are.
Resources:http://www.lix.polytechnique.fr/~smith/NTAC/XJune2013.pdfhttp://www.lix.polytechnique.fr/~smith/NTAC/lix_20130619.pdfhttp://www.lix.polytechnique.fr/cryptologie/workshop2013https://ellipticnews.wordpress.com/2013/06/21/quasipolynomialtimealgorithmfordiscretelogarithminfinitefieldsofsmallmediumcharacteristic/http://ellipticnews.wordpress.com/2013/05/22/jouxkillspairingsincharacteristic2/http://bristolcrypto.blogspot.com.br/2013/02/discretelogarithms.htmlhttps://twitter.com/pbarreto