post-quantum rsa · 2017. 6. 27. · post-quantum rsa we built a great, great 1-terabyte rsa wall,...
TRANSCRIPT
Post-quantum RSA
We built a great, great 1-terabyte RSA wall,
and we had the university pay for the electricity
Daniel J. Bernstein
Joint work with:Nadia Heninger
Paul LouLuke Valenta
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
The referees are questioning applicability . . .
I Reviewer 1: “The cryptosystem is an interesting thoughtexperiment, but I cannot believe it will be actually used”
I Reviewer 2: “I can’t see it ever being used. . . . the main resultis almost comical”
I Reviewer 3: “I’m not really convinced by the practicality of thescheme. . . . I can’t imagine exchanging 1 terabyte keys tosecure communications”
I Reviewer 4: “a paranoid post-quantum solution may be soughtat the great expense of performance”
I Reviewer 5: “not cheap”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
The referees are questioning applicability . . .
I Reviewer 1: “The cryptosystem is an interesting thoughtexperiment, but I cannot believe it will be actually used”
I Reviewer 2: “I can’t see it ever being used. . . . the main resultis almost comical”
I Reviewer 3: “I’m not really convinced by the practicality of thescheme. . . . I can’t imagine exchanging 1 terabyte keys tosecure communications”
I Reviewer 4: “a paranoid post-quantum solution may be soughtat the great expense of performance”
I Reviewer 5: “not cheap”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
The referees are questioning applicability . . .
I Reviewer 1: “The cryptosystem is an interesting thoughtexperiment, but I cannot believe it will be actually used”
I Reviewer 2: “I can’t see it ever being used. . . . the main resultis almost comical”
I Reviewer 3: “I’m not really convinced by the practicality of thescheme. . . . I can’t imagine exchanging 1 terabyte keys tosecure communications”
I Reviewer 4: “a paranoid post-quantum solution may be soughtat the great expense of performance”
I Reviewer 5: “not cheap”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
The referees are questioning applicability . . .
I Reviewer 1: “The cryptosystem is an interesting thoughtexperiment, but I cannot believe it will be actually used”
I Reviewer 2: “I can’t see it ever being used. . . . the main resultis almost comical”
I Reviewer 3: “I’m not really convinced by the practicality of thescheme. . . . I can’t imagine exchanging 1 terabyte keys tosecure communications”
I Reviewer 4: “a paranoid post-quantum solution may be soughtat the great expense of performance”
I Reviewer 5: “not cheap”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
The referees are questioning applicability . . .
I Reviewer 1: “The cryptosystem is an interesting thoughtexperiment, but I cannot believe it will be actually used”
I Reviewer 2: “I can’t see it ever being used. . . . the main resultis almost comical”
I Reviewer 3: “I’m not really convinced by the practicality of thescheme. . . . I can’t imagine exchanging 1 terabyte keys tosecure communications”
I Reviewer 4: “a paranoid post-quantum solution may be soughtat the great expense of performance”
I Reviewer 5: “not cheap”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past:
“Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future:
“Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down:
“Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD:
“Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective:
“It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer:
“Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
. . . so how do we respond?
I Appeal to the past: “Make RSA Great Again!”
I Appeal to the future: “Moore’s law says it’ll be okay!”
I Double down: “Digital cash with RSA blind signatures!”
I FUD: “Maybe all the alternatives will be broken!”
I Put it in perspective: “It’s better than QKD!”
I The real answer: “Someone is wrong on the Internet.”
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
RSA scalability vs. Shor scalability
Conventional wisdom:
I Shor’s algorithm has the same scalability as legitimate usage ofRSA.
I “there’s not going to be a larger key-size where a classical userof RSA gains [a] significant advantage over a quantumcomputing attacker”
I “If you increase the key size, it’d still be just as easy to breakit as it is to encrypt”
What is the actual scalability of integer factorization?What is the actual scalability of legitimate usage of RSA?
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
What is the fastest sorting algorithm?
def blindsort(x):
while not issorted(x):
permuterandomly(x)
def bubblesort(x):
for j in range(len(x)):
for i in reversed(range(j)):
x[i],x[i+1] = min(x[i],x[i+1]),max(x[i],x[i+1])
bubblesort takes poly time. Θ(n2) comparisons.Huge speedup over blindsort!Is this the end of the story? No, still not optimal.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
What is the fastest sorting algorithm?
def blindsort(x):
while not issorted(x):
permuterandomly(x)
def bubblesort(x):
for j in range(len(x)):
for i in reversed(range(j)):
x[i],x[i+1] = min(x[i],x[i+1]),max(x[i],x[i+1])
bubblesort takes poly time. Θ(n2) comparisons.Huge speedup over blindsort!
Is this the end of the story? No, still not optimal.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
What is the fastest sorting algorithm?
def blindsort(x):
while not issorted(x):
permuterandomly(x)
def bubblesort(x):
for j in range(len(x)):
for i in reversed(range(j)):
x[i],x[i+1] = min(x[i],x[i+1]),max(x[i],x[i+1])
bubblesort takes poly time. Θ(n2) comparisons.Huge speedup over blindsort!Is this the end of the story? No, still not optimal.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
What is the fastest factoring algorithm?
Shor’s algorithm?
I Poly time. Huge speedup over NFS!
I b2(log b)1+o(1) qubit operations to factor b-bit integer,using standard subroutines for fast integer arithmetic.
I Is this the end of the story? No, still not optimal.
Exercise to illustrate suboptimality of Shor’s algorithm:Find a prime divisor of
⌊103009π
⌋.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
What is the fastest factoring algorithm?
Shor’s algorithm?
I Poly time. Huge speedup over NFS!
I b2(log b)1+o(1) qubit operations to factor b-bit integer,using standard subroutines for fast integer arithmetic.
I Is this the end of the story? No, still not optimal.
Exercise to illustrate suboptimality of Shor’s algorithm:Find a prime divisor of
⌊103009π
⌋.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
⌊103009π
⌋3141592653589793238462643383279502884197169399375105820974944592307816406286208998628034825342117067982148086513282306647093844609550582231725359408128481117450284102701938521105559644622948954930381964428810975665933446128475648233786783165271201909145648566923460348610454326648213393607260249141273724587006606315588174881520920962829254091715364367892590360011330530548820466521384146951941511609433057270365759591953092186117381932611793105118548074462379962749567351885752724891227938183011949129833673362440656643086021394946395224737190702179860943702770539217176293176752384674818467669405132000568127145263560827785771342757789609173637178721468440901224953430146549585371050792279689258923542019956112129021960864034418159813629774771309960518707211349999998372978049951059731732816096318595024459455346908302642522308253344685035261931188171010003137838752886587533208381420617177669147303598253490428755468731159562863882353787593751957781857780532171226806613001927876611195909216420198938095257201065485863278865936153381827968230301952035301852968995773622599413891249721775283479131515574857242454150695950829533116861727855889075098381754637464939319255060400927701671139009848824012858361603563707660104710181942955596198946767837449448255379774726847104047534646208046684259069491293313677028989152104752162056966024058038150193511253382430035587640247496473263914199272604269922796782354781636009341721641219924586315030286182974555706749838505494588586926995690927210797509302955321165344987202755960236480665499119881834797753566369807426542527862551818417574672890977772793800081647060016145249192173217214772350141441973568548161361157352552133475741849468438523323907394143334547762416862518983569485562099219222184272550254256887671790494601653466804988627232791786085784383827967976681454100953883786360950680064225125205117392984896084128488626945604241965285022210661186306744278622039194945047123713786960956364371917287467764657573962413890865832645995813390478027590099465764078951269468398352595709825822620522489407726719478268482601476990902640136394437455305068203496252451749399651431429809190659250937221696461515709858387410597885959772975498930161753928468138268683868942774155991855925245953959431049972524680845987273644695848653836736222626099124608051243884390451244136549762780797715691435997700129616089441694868555848406353422072225828488648158456028506016842739452267467678895252138522549954666727823986456596116354886230577456498035593634568174324112515076069479451096596094025228879710893145669136867228748940560101503308617928680920874760917824938589009714909675985261365549781893129784821682998948722658804857564014270477555132379641451523746234364542858444795265867821051141354735739523113427166102135969536231442952484937187110145765403590279934403742007310578539062198387447808478489683321445713868751943506430218453191048481005370614680674919278191197939952061419663428754440643745123718192179998391015919561814675142691239748940907186494231961567945208
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When can we beat Shor’s algorithm?
Costs for various algorithms (log factors suppressed):
I b2 ops for Shor’s algorithm.Assume best case: qubit ops as cheap as bit ops.
I by ops for trial division to find primes q ≤ y .Beats Shor’s algorithm for y below b.
I b + y ops to first compute∏
q≤y q, then gcd.
Beats Shor’s algorithm for y below b2.
I b√y ops for rho method to find primes q ≤ y .
Not helpful here.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When can we beat Shor’s algorithm?
Costs for various algorithms (log factors suppressed):
I b2 ops for Shor’s algorithm.Assume best case: qubit ops as cheap as bit ops.
I by ops for trial division to find primes q ≤ y .Beats Shor’s algorithm for y below b.
I b + y ops to first compute∏
q≤y q, then gcd.
Beats Shor’s algorithm for y below b2.
I b√y ops for rho method to find primes q ≤ y .
Not helpful here.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When can we beat Shor’s algorithm?
Costs for various algorithms (log factors suppressed):
I b2 ops for Shor’s algorithm.Assume best case: qubit ops as cheap as bit ops.
I by ops for trial division to find primes q ≤ y .Beats Shor’s algorithm for y below b.
I b + y ops to first compute∏
q≤y q, then gcd.
Beats Shor’s algorithm for y below b2.
I b√y ops for rho method to find primes q ≤ y .
Not helpful here.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When can we beat Shor’s algorithm?
Costs for various algorithms (log factors suppressed):
I b2 ops for Shor’s algorithm.Assume best case: qubit ops as cheap as bit ops.
I by ops for trial division to find primes q ≤ y .Beats Shor’s algorithm for y below b.
I b + y ops to first compute∏
q≤y q, then gcd.
Beats Shor’s algorithm for y below b2.
I b√y ops for rho method to find primes q ≤ y .
Not helpful here.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When does ECM beat Shor’s algorithm?b exp((log y)1/2+o(1)) ops for ECM to find primes q ≤ y .Beats Shor’s algorithm for log y below (log b)2+o(1).
I Choose ECM parameter z withz ∈ exp((α + o(1))
√log y log log y).
I Each prime q ≤ y is found by 1/C of all curveswhere C ∈ exp((1/2α + o(1))
√log y log log y).
I ECM searches through C 1+o(1) curves.Choose α = 1/
√2. Cost: exp((
√2 + o(1))
√log y log log y).
I New: Use a Grover search through C 1+o(1) curves.Choose α = 1/2. Cost: exp((1 + o(1))
√log y log log y).
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When does ECM beat Shor’s algorithm?b exp((log y)1/2+o(1)) ops for ECM to find primes q ≤ y .Beats Shor’s algorithm for log y below (log b)2+o(1).
I Choose ECM parameter z withz ∈ exp((α + o(1))
√log y log log y).
I Each prime q ≤ y is found by 1/C of all curveswhere C ∈ exp((1/2α + o(1))
√log y log log y).
I ECM searches through C 1+o(1) curves.Choose α = 1/
√2. Cost: exp((
√2 + o(1))
√log y log log y).
I New: Use a Grover search through C 1+o(1) curves.Choose α = 1/2. Cost: exp((1 + o(1))
√log y log log y).
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When does ECM beat Shor’s algorithm?b exp((log y)1/2+o(1)) ops for ECM to find primes q ≤ y .Beats Shor’s algorithm for log y below (log b)2+o(1).
I Choose ECM parameter z withz ∈ exp((α + o(1))
√log y log log y).
I Each prime q ≤ y is found by 1/C of all curveswhere C ∈ exp((1/2α + o(1))
√log y log log y).
I ECM searches through C 1+o(1) curves.Choose α = 1/
√2. Cost: exp((
√2 + o(1))
√log y log log y).
I New: Use a Grover search through C 1+o(1) curves.Choose α = 1/2. Cost: exp((1 + o(1))
√log y log log y).
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
When does ECM beat Shor’s algorithm?b exp((log y)1/2+o(1)) ops for ECM to find primes q ≤ y .Beats Shor’s algorithm for log y below (log b)2+o(1).
I Choose ECM parameter z withz ∈ exp((α + o(1))
√log y log log y).
I Each prime q ≤ y is found by 1/C of all curveswhere C ∈ exp((1/2α + o(1))
√log y log log y).
I ECM searches through C 1+o(1) curves.Choose α = 1/
√2. Cost: exp((
√2 + o(1))
√log y log log y).
I New: Use a Grover search through C 1+o(1) curves.Choose α = 1/2. Cost: exp((1 + o(1))
√log y log log y).
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Post-quantum RSA (PQRSA)
Make RSA fast again (see paper for asymptotics):
I Build public key N as product of many small primes.
I New: Batch generation of primes.
I Take exponent 3. (Could 2 be better? Not clear.)
I Use CRT for decryption.
Security ≥2100 qubit ops against all known attacks:
I Take b = 243 bits in N .
I Take 212 bits in each prime.
I Use proper padding to stop chosen-ciphertext attacks.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Implementing PQRSAOpenSSL doesn’t support large key sizes
0http://fm4dd.com/openssl/certexamples.htmPost-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Implementing PQRSAOpenSSL doesn’t support large key sizes
0http://fm4dd.com/openssl/certexamples.htmPost-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Implementing PQRSA
We implemented RSA key generation, encryption, decryptionin C with modified version of GMP library:
I Change mpz struct internal typing from int to int64 t.
I Extend upper bound on memory allocation for mpz t.
I Extend output and input functions to accomodate new mpzstruct type.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Key generation
I 1TB multi-prime RSA key uses2 billion 4096-bit primes
I Use batch algorithm to findprimes
I 1,975,000 core-hours
I Four months on 1,400-corecluster
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Key generation
I 1TB multi-prime RSA key uses2 billion 4096-bit primes
I Use batch algorithm to findprimes
I 1,975,000 core-hours
I Four months on 1,400-corecluster
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Key generation
I 1TB multi-prime RSA key uses2 billion 4096-bit primes
I Use batch algorithm to findprimes
I 1,975,000 core-hours
I Four months on 1,400-corecluster
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Key generation (continued...)
I Construct multi-prime RSA modulus from generated primes
I Use product-tree algorithm
I Four days multithreaded on single machine
I Max usage of 3.2TB RAM and 2.5TB swap
I First terabyte RSA key ever created! (At least in public.)
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Key generation (continued...)
I Construct multi-prime RSA modulus from generated primes
I Use product-tree algorithm
I Four days multithreaded on single machine
I Max usage of 3.2TB RAM and 2.5TB swap
I First terabyte RSA key ever created! (At least in public.)
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Encryption
I Use RSA-KEMI Generate random 1TB element with AES-256-CTR mode
I Theoreticians might complain: “Hey, is this indifferentiable?”I Are there any fast alternatives with indifferentiability proofs?I Does indifferentiability matter?
I Hash element to construct shared secret for key exchange
I To compute 3rd power: Use multiply-and-reduce algorithminstead of GMP’s modular exponentiation
I 256GB encryption in 100 hours on a single machine
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Encryption
I Use RSA-KEMI Generate random 1TB element with AES-256-CTR mode
I Theoreticians might complain: “Hey, is this indifferentiable?”I Are there any fast alternatives with indifferentiability proofs?I Does indifferentiability matter?
I Hash element to construct shared secret for key exchange
I To compute 3rd power: Use multiply-and-reduce algorithminstead of GMP’s modular exponentiation
I 256GB encryption in 100 hours on a single machine
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Recent improvements
Reviewer 2: “in a world where most people are anxious to shaveclock cycles, a cryptosystem with one-week encryption times isn’tgoing to fly”
Recent work from Josh Fried:
I Cluster-distributed parallelized FFT
I Completed 1TB encryption in about 4 hours with 896 cores
I Expect 1TB key generation (after primegen) to complete inabout 5 hours with 896 cores
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Recent improvements
Reviewer 2: “in a world where most people are anxious to shaveclock cycles, a cryptosystem with one-week encryption times isn’tgoing to fly”
Recent work from Josh Fried:
I Cluster-distributed parallelized FFT
I Completed 1TB encryption in about 4 hours with 896 cores
I Expect 1TB key generation (after primegen) to complete inabout 5 hours with 896 cores
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Ongoing work
Decryption:
I Precompute di = e−1 mod (pi − 1) and mi = C di mod pi
I Run CRT on pairs of mi ,mj , i 6= j and multiply pi , pj to createa node in the next level of the tree
I 16GB decryption in about 132 hours on single machine
I In progress: decryption with interpolator (save lg n factor overCRT-tree)
Try to unify quantum-factoring landscape:
I Gal Dor suggests some bits of Shor, followed by Grover.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Ongoing work
Decryption:
I Precompute di = e−1 mod (pi − 1) and mi = C di mod piI Run CRT on pairs of mi ,mj , i 6= j and multiply pi , pj to create
a node in the next level of the tree
I 16GB decryption in about 132 hours on single machine
I In progress: decryption with interpolator (save lg n factor overCRT-tree)
Try to unify quantum-factoring landscape:
I Gal Dor suggests some bits of Shor, followed by Grover.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Ongoing work
Decryption:
I Precompute di = e−1 mod (pi − 1) and mi = C di mod piI Run CRT on pairs of mi ,mj , i 6= j and multiply pi , pj to create
a node in the next level of the tree
I 16GB decryption in about 132 hours on single machine
I In progress: decryption with interpolator (save lg n factor overCRT-tree)
Try to unify quantum-factoring landscape:
I Gal Dor suggests some bits of Shor, followed by Grover.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta
Ongoing work
Decryption:
I Precompute di = e−1 mod (pi − 1) and mi = C di mod piI Run CRT on pairs of mi ,mj , i 6= j and multiply pi , pj to create
a node in the next level of the tree
I 16GB decryption in about 132 hours on single machine
I In progress: decryption with interpolator (save lg n factor overCRT-tree)
Try to unify quantum-factoring landscape:
I Gal Dor suggests some bits of Shor, followed by Grover.
Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta