A world wide number field sieve factoring record: on to 512 bits

We present data concerning the factorization of the 130-digit number RSA130 which we factored on April 10, 1996, using the number field sieve factoring method. This factorization beats the 129-digit record that was set on April 2, 1994, by the quadratic sieve method. The amount of computer time spent on our new record factorization is only a fraction of what was spent on the previous record. We also discuss a World Wide Web interface to our sieving program that we have developed to facilitate contributing to the sieving stage of future large scale factoring efforts. These developments have a serious impact on the security of RSA public key cryptosystems with small moduli. We present a conservative extrapolation to estimate the difficulty of factoring 512-bit number

Factorization of RSA-140 Using the Number Field Sieve

On February 2, 1999, we completed the factorization of the 140--digit number RSA--140 with the help of the Number Field Sieve factoring method (NFS). This is a new general factoring record. The previous record was established on April 10, 1996 by the factorization of the 130--digit number RSA--130, also with the help of NFS. The amount of computing time spent on RSA--140 was roughly twice that needed for RSA--130, about half of what could be expected from a straightforward extrapolation of the computing time spent on factoring RSA--130. The speed-up can be attributed to a new polynomial selection method for NFS which will be sketched in this paper

Factorization of RSA-140 using the Number Field Sieve

Colloque avec actes sans comité de lecture.International audienceOn February 2, 1999, we completed the factorization of the 140--digit number RSA--140 with the help of the Number Field Sieve factoring method (NFS). This is a new general factoring record. The previous record was established on April 10, 1996 by the factorization of the 130--digit number RSA--130, also with the help of NFS. The amount of computing time spent on RSA--140 was roughly twice that needed for RSA--130, about half of what could be expected from a straightforward extrapolation of the computing time spent on factoring RSA--130. The speed-up can be attributed to a new polynomial selection method for NFS which will be sketched in this paper. The implications of the new polynomial selection method for factoring a 512--bit RSA modulus are discussed and it is concluded that 512--bit (= 155--digit) RSA moduli are easily and realistically within reach of factoring efforts similar to the one presented here

Strategies in filtering in the number field sieve

textabstractA critical step when factoring large integers by the Number Field Sieve consists of finding dependencies in a huge sparse matrix over the field GF(2), using a Block Lanczos algorithm. Both size and weight (the number of non-zero elements) of the matrix critically affect the running time of Block Lanczos. In order to keep size and weight small the relations coming out of the siever do not flow directly into the matrix, but are filtered first in order to reduce the matrix size. This paper discusses several possible filter strategies and their use in the recent record factorizations of RSA-140, R211 and RSA-155

The Function Field Sieve is quite special

International audienceIn this paper, we describe improvements to the function field sieve (FFS) for the discrete logarithm problem in $GF(p^n)$, when $p$ is small. Our main contribution is a new way to build the algebraic function fields needed in the algorithm. With this new construction, the heuristic complexity is as good as the complexity of the construction proposed by Adleman and Huang~\cite{AdHu99}, i.e $L_{p^n}[{1}/{3},c] = \exp( (c+o(1)) \log(p^n)^{\frac{1}{3}} \log(\log(p^n))^{\frac{2}{3}})$ where $c=(32/9)^{\frac{1}{3}}$. With either of these constructions the FFS becomes an equivalent of the special number field sieve used to factor integers of the form $A^N\pm B$. From an asymptotic point of view, this is faster than older algorithm such as Coppersmith's algorithm and Adleman's original FFS. From a practical viewpoint, we argue that our construction has better properties than the construction of Adleman and Huang. We demonstrate the efficiency of the algorithm by successfully computing discrete logarithms in a large finite field of characteristic two, namely $GF(2^{521})$

Factorization of a 512-bit RSA Modulus

Colloque avec actes et comité de lecture. internationale.International audienceOn August 22, 1999, we completed the factorization of the 512--bit 155--digit number RSA--155 with the help of the Number Field Sieve factoring method (NFS). This is a new record for factoring general numbers. Moreover, 512--bit RSA keys are frequently used for the protection of electronic commerce---at least outside the USA---so this factorization represents a breakthrough in research on RSA--based systems. The previous record, factoring the 140--digit number RSA--140, was established on February 2, 1999, also with the help of NFS, by a subset of the team which factored RSA--155. The amount of computing time spent on RSA--155 was about 8400 MIPS years, roughly four times that needed for RSA--140; this is about half of what could be expected from a straightforward extrapolation of the computing time spent on factoring RSA--140 and about a quarter of what would be expected from a straightforward extrapolation from the computing time spent on RSA--130. The speed-up is due to a new polynomial selection method for NFS of Murphy and Montgomery which was applied for the first time to RSA--140 and now, with improvements, to RSA--155

Recent progress and prospects for integer factorisation algorithms

Abstract. The integer factorisation and discrete logarithm problems are of practical importance because of the widespread use of public key cryptosystems whose security depends on the presumed difficulty of solving these problems. This paper considers primarily the integer factorisation problem. In recent years the limits of the best integer factorisation algorithms have been extended greatly, due in part to Moore’s law and in part to algorithmic improvements. It is now routine to factor 100-decimal digit numbers, and feasible to factor numbers of 155 decimal digits (512 bits). We outline several integer factorisation algorithms, consider their suitability for implementation on parallel machines, and give examples of their current capabilities. In particular, we consider the problem of parallel solution of the large, sparse linear systems which arise with the MPQS and NFS methods.

Some Parallel Algorithms for Integer Factorisation

Algorithms for finding the prime factors of large composite numbers are of practical importance because of the widespread use of public key cryptosystems whose security depends on the presumed difficulty of the factorisation problem. In recent years the limits of the best integer factorisation algorithms have been extended greatly, due in part to Moore's law and in part to algorithmic improvements. It is now routine to factor 100-decimal digit numbers, and feasible to factor numbers of 155 decimal digits (512 bits). We describe several integer factorisation algorithms, consider their suitability for implementation on parallel machines, and give examples of their current capabilities