An Evaluation of the Sieving Device YASD for 1024-bit Integers* · 2006. 4. 19. · An Evaluation of the Sieving Device YASD for 1024-bit Integers* Naoyuki Hirota (UEC), Tetsuya Izu

An Evaluation of the Sieving Device YASD for 1024-bit Integers*

Naoyuki Hirota (UEC), ○Tetsuya Izu (FUJITSU),Noboru Kunihiro (UEC), Kazuo Ohta (UEC)

SHARCS 2006, Cologne, GermanyApril 4, 2006

* A part of this work is financially supported by a consignment research from the National Institute of Information and Communications Technology (NICT), Japan.

1SHARCS 2006, Cologne, Germany

Integer Factoring in SecurityInteger Factoring in SecurityInteger factoring is hard in theory and practice

This property assures the RSA’s security

The best factoring algorithm: Number Field Sieve method (NFS)• World record: “RSA200”, a 663-bit integer (May 2005)

• Since NFS is sub-exponential time algorithm, factoring 1024-bit integer seems far away...

In some standards, it is strongly believed that factoring 1024-bit integers, RSA’s default key size, will be infeasible at least in

next 10 years


Number Field Sieve Method (NFS)Number Field Sieve Method (NFS)

Polynomial Selection

Relation Finding

Sieving

Mini-factoring

Linear Algebra

Square Root

Integer

Factor of the Integer

4 major steps in NFSPolynomial Selection

Relation Finding• Sieving

• Mini-factoring

Linear Algebra

Square Root

Time-consuming StepsRelation Finding

• Sieving

Linear Algebra


Dedicated Factoring HardwareDedicated Factoring Hardware

DesignDesign

Procedu

reP

rocedure

SievingSieving

Linear AlgebraLinear Algebra

TWINKLE (1999) TWIRL (2003)

Bernstein (2001) Lenstra (2002)

DSH (2003) YASD (2004)

SHARK (2005)


ComparisonComparison

1024-bit 768-bit

TWIRL Size: 15960mm2×8+66000mm2

Time: 194 years (by 1 set)Cost: 15000 USD/setFrequency: 1 GHz

Size: 1330mm2+4430mm2

Time: 2.3 years (by 1 set)Cost: 750 USD/setFrequency: 1 GHz

YASD Size: 2400mm2

Time: 34.5 years (by 1 set)Cost: 250 USD/setFrequency: 500 MHz

SHARK Size: ¼wafer+DRAMTime: 2300 years (by 1 set)Cost: 40000 USD/setFrequency: 1 GHz

Assumed 130 nm technology, full wafers with 300 mm diameter.Cost estimation excludes NRE, defects and power supply.

(Not evaluated)

Size: 42200mm2

Time: 10301 years (by 1 set)Cost: 3200 USD/setFrequency: 500 MHz

(Not evaluated)

Rough Estimation !Especially, we did not

consider wiring problem and mini-factoring problem...


ContentsContentsIntroductionDescription of YASDTime ParameterizationArea ParameterizationFormulas and Optimization

Generalized YASD

YASD for 768-bit Integers (YASD768)


Concluding Remarks


ContentsContentsIntroductionDescription of YASDTime ParameterizationArea ParameterizationFormulas and Optimizations

Generalized YASD



Concluding Remarks


YASD (Yet Another Sieving Device)YASD (Yet Another Sieving Device)

Dedicated Sieving DeviceProposed by Willi Geiselmann and Rainer Steinwandtin CT-RSA 2004

No implementational results have been reported

Idea : Use of the Clockwise Routing AlgorithmA mesh of processing nodes

Regular structure

Assumed 130 nm technology, wafer with 300 mm diameter and 500 MHz frequency

768-bit integer can be sieved in 600 days with 21 YASDs(here manufacturing cost is assumed to be 5000 USD)


What Does the Sieving Do?What Does the Sieving Do?

Packet

Packet Generator Memory Storage

Packet

Packet

Aim of the SievingTo send all packets generated in the factor base to their target memory storage

Factor Base(FB)

Packet control is crutial...


YASD distributedly holds FB and memory storage in a mesh

Main Main Main Main

MainMainMainMain

Main Main Main Main

MainMainMainMain

Mesh StructureMesh Structure

Packet

Packet

PacketPacket

Packet

2m nodes

2m nodes

Each node has Main, Memory, and Mesh parts

Z=2k registers in a mesh

Packet

Packet

Packet

Packet

Packet


Clockwise Transposition RoutingClockwise Transposition Routing

Next phase

Next phaseEach node repeats the comparisons and exchanges

Next phase

Next phase

The routing terminates in at most 2M steps experimentally


Evaluation of YASD768Evaluation of YASD768Optimized Parameters

k=24, m=8

Chip Size49mm×49mm ≒ 2400 mm2

Time1 subinterval is sieved in 40,000 clocks

All area is sieved in 12,500 days/set

Since 21 chips are obtained from 1 wafer, about 600 days are required for the sieving

Assumptions130 nm technology

Frequency 500 MHz



Generalized YASD



Concluding Remarks


Required Time for RoutingRequired Time for RoutingIn Theory

Routing time in a 2m×2m mesh is at most 2×2m

In YASDAbove estimation cannot be applied directly, since packets are always sent from Main parts and to Memory parts

Thus we use a simplified model


Time ParameterizationsTime Parameterizations

]years[360024365

143

22

10500 6

)()(

××××

××

×= k

NroutingN HbHaTime

Time

)242.0(2

2222 22 =×

+

=∑∑

<<<< −−

ααmBp

k

Bp

k

routingr

mka

mk ppTime

Time for Routing

Time for Sieving



Generalized YASD



Concluding Remarks


Details of YASD768Details of YASD768

# of Tr # of DRAM

Main Part 2750 55000

Memory Part 1250 11500

Mesh Part 1100

Total (in 1 node) 5100 66500Tr ：2.8 [μm2]

DRAM：0.3 [μm2]

Since we have 256 × 256 nodes(5100×2.8+66500×0.3)×256×256 = 2243.3 mm2

≒ 2400


[Role] Storing factor base, generating packets, sending packets to Mesh Parts

[Logic] Memory，adder，buffers between Main-Mesh Parts，circuits for initialization

[Role] Adding log values to corresponding registers, storing sums and footprints

[Logic] Adder, buffers between Memory-Mesh Parts, circuits for final output,memory

[Role] Comparing and exchanging packets[Logic] Register，comparator

zt

Z

Lmem

logp

Roles and LogicsRoles and Logics


PAC ： bit length of a packetHdff ： #Tr of 1-bit D-F/FM ： bit length of coordinate

values for repserenting a nodeHcomp ： #Tr for 1-bit comparator


compdffmesh HMHPACTr ⋅+⋅=2

Mesh PartMesh Part


3.12

2

500)22(2

footprint2 ×+⋅=

+×−−+×

=

LFLZDRAM

HMPACLH

Tr

Mmemmem

latch

memaddmem

Hadd ： #Tr for 1-bit adder2m ： mesh sizePAC ： bit length of a packetHlatch ： #Tr for 1-bit latchzt ： target register

zt

Z

Lmem

logp


[Logic] Adder, buffer between Memory-Mesh Parts, circuit for final output,memory

Memory PartMemory Part




1.12

10002

),max(

2 ××=

+×

+×=

Mfbmain

latch

paddmain

NLDRAM

HPAC

kLHTr

Main PartMain PartHadd ： #Tr for 1-bit adderLp ： bit length of a max prime2k ： length of a subintervalPAC ： bit length of a packetHlatch ： #Tr of 1-bit latch



[Logic] Adder, buffers between Memory-Mesh Parts, circuits for final output,memory




compdffmesh HMHPACTr ⋅+⋅=2

3.12

2

500)22(2

footprint2 ×+⋅=

+×−−+×

=

LFLZDRAM

HMPACLH

Tr

Mmemmem

latch

memaddmem

1.12

10002

),max(

2 ××=

+×

+×=

Mfbmain

latch

paddmain

NLDRAM

HPAC

kLHTr

DRAMDRAM


ContentsContentsIntroductionDescription of YASDParametarizationFormulas and Optimizations

Generalized YASD



Concluding Remarks


Formulas for Generalized YASDFormulas for Generalized YASD

)(17

)(

22

)(

21

2log

)(

1083.1

224.022

]m[))6.153.1(23.033.0(

2)73201126.896.2014.190{(

22

Nrouting

N

m

Br

p

kBa

p

kN

routing

memk

fb

mmem

memmainmeshmemmainN

TimeHbHaTime

ppTime

FkLnL

LLkm

DRAMDRAMTrTrTrArea

mkmk

×××

=

×⎟⎟⎠

⎞⎜⎜⎝

⎛+=

++×++

×++++=

++++=

∑∑−− >>

+ μ


768-bit 1024-bit

LpLlogLmem Bit length of Σ int(log(p)) 10 11n # of primes 7.97×107 1.32×109

F # of footprints 0.496×2k 0.818×2k

Hadd 1-bit adder 40 TrLfb average bit length of a prime 38 42

Hdff 1-bit D-F/F 8 TrHlatchHcomp

Bit length of max prime 30 32Bit length of int(log(p)) 6 8

1-bit latch 4 Tr1-bit comparator 20 Tr

Circuit ParametersCircuit Parameters


768-bit 1024-bit

Br 108 3.5×109

Ba 109 2.6×1010

2Ha 3.4×1013 1.1×1015

Hb 8.9×106 2.7×108

Sieving ParametersSieving Parameters


Formulas for YASD768Formulas for YASD768

( )

]years[2

2loglog294.53453),(

224.02loglog294.5),(

]m[1099.92)74.13645.0(2)6.89776.2014.190{(),(

2)768(

2)768(

28

2)768(

m

mk

mmk

routing

k

m

mkTime

mkTime

kkmmkArea

−

−

−×=

×−=

×+×++

×++=

μ

Optimized Parameters (w.r.t AT-product): k=24, m=8

]years[34)8,24(]mm[2500)8,24(

)768(

2)768(

=

=

TimeArea


AT Products of YASD768AT Products of YASD768


Formulas for YASD1024Formulas for YASD1024

( )

]years[2

2loglog227.6339041),(

224.02loglog227.6),(

]m[1083.12)36.1906.1(2)8.92686.2014.190{(),(

2)1024(

2)1024(

210

2)1024(

m

mk

mmk

routing

k

m

mkTime

mkTime

kkmmkArea

−

−

−×=

×−=

×+×++

×++=

μ

Optimized Parameters (w.r.t AT-product): k=27,m=10

]years[10301)10,27(]mm[42200)10,27(

)1024(

2)1024(

=

=

TimeArea





0

10

20

30

40

m=5 m=6 m=7 m=8 m=9 m=10 m=11 m=12 m=13 m=14

k=30

k=29

k=28

k=27

k=26

k=25

k=24

k=23

Optimalk=27m=10


Optimized YASD1024Optimized YASD1024Optimized Parameters: k=27, m=10

Area: 42200 mm2

Time: 10301 years (by 1set)

Cost: 3200 USD (excluding NRE, defects and power supply)

Even if we use 600 wafers (like TWIRL1024),more than 17 years are required

Since we did not consider the wiring problem and the mini-factoring problem, YASD1024 will require more area and time.


Concluding RemarksConcluding RemarksEstablished general formulas for generalized YASD

Area

Time

Evaluated the performance of YASD1024k=27, m=10

Area: 42200 mm2

Time: 10301 years (1set)

Cost: 3200 USD (excluding NRE, defects and power supply)

Future WorksConsider the wiring problem

Application of ECM to the mini-factoring part


Documents

An Evaluation of the Sieving Device YASD for 1024-bit Integers* · 2006. 4. 19. · An Evaluation of the Sieving Device YASD for 1024-bit Integers* Naoyuki Hirota (UEC), Tetsuya Izu