Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....assumption as possible. A natural approach is to rely on a well studied problem where many algorithms have been tried and their complexity is well understood. The most established candidate in these respects, and certainly the one with the best pedigree, is the problem of factoring integers (see [22] for the state of the art of factoring) The focus of this paper is an efficient construction of pseudorandom functions (see definition below) whose security is based on the intractability of factoring. In particular, we are able to An extended abstract appeared in the 32 annual ACM ....

.... Delta Q) 2 fP; Qg] ffl(n) In spite of the extensive research directed towards the construction of efficient integer factoring algorithms, the best algorithms currently known for factoring an integer N , have (heuristic) running time L(N) e 1:92(log N) 1=3 (log log N) 2=3 (cf. [22]) This (together with the fact that Blum integers are a non negligible fraction of all n bit integers) leads us to the following assumption. Assumption 4.1 (Factoring FIG Blum Integers) Let A be any probabilistic polynomial time machine. There is no positive constant ff such that A ff ....

A. M. Odlyzko, The future of integer factorization, RSA CyptoBytes, 2(1), 1995, pp. 5--12.

....running time for smaller input parameters. If x 1 and x 2 are inputs for an algorithm with expected running time L x [e, c] and t 1 is the running time of the algorithm when executed with x 1 , then the running time t 2 of the algorithm with input x 2 can be estimated by the equation (3) cf. [21] or [18] However, this holds only if the sizes of x 1 and x 2 do not di#er too much; otherwise it can t be ignored that o(1) 0. Thus, if x 2 is much larger than x 1 , then t 2 will be a significant overestimate. For more precise estimates taking into account the o(1) term, see [13] We stick ....

Odlyzko, A. M. The future of integer factorization. CryptoBytes 1, 2 (1995). http://www.rsa.com/rsalabs/pubs/cryptobytes/.

....a larger modulus o#ers further security, at the expense, however, of a larger computational e#ort. A good compromise is to use an unbalanced RSA modulus [28] that is, a modulus n = pq where p, q are primes and q p (e.g. 500 bits and = 4500 bits) The best factorization algorithms [24] cannot take advantage of these special moduli and they thus seem as secure as moduli constructed from the product of two 2500 bit primes. Shamir [28] observed that if the plaintext m being encrypted is smaller than p, then, from the corresponding ciphertext c = m mod n, it can be recovered as ....

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

....some basic assumptions. Foremost among them is that when using the generalized number field sieve [2] which is at present the most effective algorithm for tackling larger RSA numbers) then the number of MIPS years (abbreviated to MY) required to factor a 512 bit RSA modulus is roughly 3 x 104 [3]. Additionally we will assume that the computing power per dollar doubles every 18 months (a common assumption) and that a 10 MIPS machine (or the parts thereof) can currently be bought for U.S. 500. In this note we have taken no account of potential algorithmic improvement. However, it is worth ....

....(or the parts thereof) can currently be bought for U.S. 500. In this note we have taken no account of potential algorithmic improvement. However, it is worth noting that a number with special form and a length of 162 decimal digits was recently factored using the special number field sieve [3]. While a number of 162 decimal digits is longer than one of 512 bits, this factorization required a particularly modest 200 MY. If anywhere near this kind of algorithm performance can be delivered on numbers without this special form, then 512 bit RSA numbers will be truly weak. 2.1 Dollar ....

[Article contains additional citation context not shown here]

A. Odlyzko. The future of integer factorization. a CryptoBytes, 1(2), Summer 1995. To appear.

....against that of DSS thcn E1Gamal cnckyption and RSA signaturc then RSA encryption . Note that, although not shown in the table, other combinatious such s Schnorr signaturc then RSA encryption and RSA signaturc thcn E1Gamal encryption may also be used iu practice. As discussed in [21], with the current state of the art, computing discrete logarithm on GF(p) and factoring a composite n of the same size are equally difficult. This simplifies our comparison of the efficiency of a cryptographic scheme based on RSA against that bscd on discrete logarithm, we can ssumc that the ....

....Encryption 4.1 How the Parameters are Chosen Advances in fast computers help an attacker in incrcasing his capability to break a cryptosystcIn. To compcnsatc titis, larger security parameters, including Ina[ I1,I1, Iql and IKH. I must be used in the futnrc. Front an analysis by Odlyzko [21] on the hardness of discrete logarithm, one can see titat unless there is an algorithmic breakthrough in solving the factorization or discrete logarithnl 175 security parameters advantage in advantage in IPI( I, 1 I,bl) IqJ, IKH. I comp. cost comm. overhead 768, 152, 80 0 84.9 1024, ....

[Article contains additional citation context not shown here]

Odlyzko, A.: The future of integer factorization. CryptoBytes 1 (1995) 5-12.

....a larger modulus o#ers further security, at the expense, however, of a larger computational e#ort. A good compromise is to use an unbalanced RSA modulus [28] that is, a modulus n = pq where p, q are primes and q p (e.g. 500 bits and = 4500 bits) The best factorization algorithms [24] cannot take advantage of these special moduli and they seem thus as secure as moduli constructed from the product of two 2500 bit primes. Shamir [28] observed that if the plaintext m being encrypted is smaller than p, then, from the corresponding ciphertext c = m mod n, it can be recovered as ....

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

....lengths and predictions for how long it will be before keys of certain lengths will be considered insecure. The most detailed of these papers are by Silverman [4] and by Lenstra and Verheul [1] and the contrast in their respective predictions is startling. Other papers by Wiener [5] and Odlyzko [3] take the middle ground. 2 Best Current Algorithms The security of most public key cryptosystems are based upon either the difficulty of factoring large integers, or the difficulty of solving a discrete logarithm problem. The best known algorithm for solving these problems is the Number Field ....

Andrew Odlyzko. The future of integer factorization. RSA Laboratories Cryptobytes, Summer 1995. see http://www.rsasecurity. com/rsalabs/cryptobytes/index.html.

....Key length In order to select an appropriate key length, we need to be able to estimate for how long information encrypted under a key of a given length remains secure. Articles giving such estimates have been written by Silverman [113] by Lenstra and Verheul [79] by Wiener [118] and by Odlyzko [91]. To make such predictions, we need to decide to what extent we account for unexpected 76 algorithmic improvements, whether we should consider factors such as the availability of distributed computing and how to estimate future increases in computing power. Lenstra and Verheul [79] is very ....

A. Odlyzko. The future of integer factorization. Technical report, RSA Laboratories Cryptobytes, Summer 1995. http://www.rsasecurity.com/rsalabs/cryptobytes/index.html.

....They can, however, easily be changed without affecting the overall approach, thereby making this article useful also for those who object to our choices and the resulting key size recommendations. Other papers containing key size recommendations are [3] and [5] symmetric key cryptosystems) [24] (RSA) and [15] RSA and elliptic curve cryptosystems) Although the choice of key sizes usually gets the most attention, nearly all failures are, in our experience, not due to inadequate key sizes but to protocol or password deficiencies. To illustrate this, the cryptographic key sizes used by ....

.... estimate is based on the Pentium based figures that a single DES block encryption with a fixed key requires 360 Pentium clock cycles (cf. 7] or 500 Pentium clock cycles with a variable key (cf. 2] Furthermore, our estimate lies between two DEC VAX 11 780 estimates that can be found in [8] and [24]. It follows that our Mips Years convention is sufficiently accurate. Half a million Mips Years is roughly 13,500 months on a PC. This is equivalent to 4 months on 3,500 PCs, because an exhaustive key search can be evenly divided over any number of processors. For a proper security analysis one ....

[Article contains additional citation context not shown here]

A.M. Odlyzko, The future of integer factorization, RSA Laboratories Cryptobytes, v. 1, no. 2 (1995), 5-12; also at www.research.att.com/~amo/doc/crypto.html or www.rsa.com/rsalabs/pubs/cryptobytes.

....assumption as possible. A natural approach is to rely on a well studied problem where many algorithms have been tried and their complexity is well understood. The most established candidate in these respects, and certainly the one with the best pedigree, is the problem of factoring integers (see [21] for the state of the art of factoring) The focus of this paper is an efficient construction of pseudorandom functions (see definition below) whose security is based on the intractability of factoring. In particular, we are able to construct efficient length preserving pseudorandom functions ....

A. M. Odlyzko, The future of integer factorization, RSA CyptoBytes, 2(1), 1995, pp. 5--12.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5-12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

A. Odlyzko. The future of Integer Factorization. CryptoBytes, Vol. 1, No. 2, pp. 5-12, 1995. On-line version in http://www.research.att.com/ amo/doc/future.of.factoring.ps

No context found.

A. M. Odlyzko, "The future of integer factorization," CryptoBytes, RSA Laboratories, vol. 1, pp. 5--12, Summer 1995.

No context found.

Odlyzko, A. M. The future of integer factorization. CryptoBytes 1, 2 (1995). http://www.rsa.com/rsalabs/pubs/cryptobytes/.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5-12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

A. M. Odlyzko, The future of integer factorization, CryptoBytes 1, 2 (1995), 5--12. Available from http://www.rsa.com/rsalabs/pubs/cryptobytes .

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5--12, 1995.

No context found.

Andrew Odlyzko. The future of integer factorization. Cryptobytes, 1(2):5-12, 1995.

No context found.

A. M. Odlyzko, The future of integer factorization, CryptoBytes 1, 2 (1995), 5--12. Available from http://www.rsa.com/rsalabs/pubs/cryptobytes .

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC