Batch NFS

• Published in: Selected Areas in Cryptography -- SAC 2014 Vol. 8781; pp. 38 - 58
• Main Authors: Bernstein, Daniel J., Lange, Tanja
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 2014; Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: Algorithms & data structures; Batching; Computer security; Data encryption; Early aborts; Elliptic curves; Integer factorization; Number-field sieve; Price-performance ratio; Smooth numbers
• ISBN: 9783319130507; 3319130501
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-319-13051-4_3

This paper shows, assuming standard heuristics regarding the number-field sieve, that a “batch NFS” circuit of area \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L^{1.181\ldots +o(1)}$$\end{document} factors \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L^{0.5+o(1)}$$\end{document} separate \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$B$$\end{document}-bit RSA keys in time \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L^{1.022\ldots +o(1)}$$\end{document}. Here \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L=\exp ((\log 2^B)^{1/3}(\log \log 2^B)^{2/3})$$\end{document}. The circuit’s area-time product (price-performance ratio) is just \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L^{1.704\ldots +o(1)}$$\end{document} per key. For comparison, the best area-time product known for a single key is \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L^{1.976\ldots +o(1)}$$\end{document}. This paper also introduces new “early-abort” heuristics implying that “early-abort ECM” improves the performance of batch NFS by a superpolynomial factor, specifically \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\exp ((c+o(1))(\log 2^B)^{1/6}(\log \log 2^B)^{5/6})$$\end{document} where \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$c$$\end{document} is a positive constant.