Centrum voor Wiskunde en Informatica

Factorization of a 512--bit RSA modulus

S. Cavallar, W.M. Lioen, H.J.J. te Riele, B. Dodson, A.K. Lenstra, P.L. Montgomery, B. Murphy et al.

Modelling, Analysis and Simulation (MAS)

MAS-R0007 February 29, 2000 Report MAS-R0007 ISSN 1386-3703

CWI P.O. Box 94079 1090 GB Amsterdam The

CWI is the National Research Institute for Mathematics and Computer Science. CWI is part of the Stichting Mathematisch Centrum (SMC), the Dutch foundation for promotion of mathematics and computer science and their applications. Copyright © Stichting Mathematisch Centrum SMC is sponsored by the Netherlands Organization for P.O. Box 94079, 1090 GB Amsterdam (NL) Scientific Research (NWO). CWI is a member of Kruislaan 413, 1098 SJ Amsterdam (NL) ERCIM, the European Research Consortium for Telephone +31 20 592 9333 Informatics and Mathematics. Telefax +31 20 592 4199



Factorization of a bit RSA Mo dulus

Stefania Cavallar Walter Lio en and Herman te Riele

CWI PO Box GB Amsterdam The Netherlands

cavallarwalterhermancwinl

Bruce Do dson

Lehigh University Bethlehem PA USA

badLehighedu

Arjen K Lenstra

Citibank North Gate Road Mendham NJ USA

arjenlenstraciticorpcom

Peter L Montgomery

Las Colindas Road San Rafael CA USA

Microsoft Research and CWI

pmontgomcwinl

Brian Murphy

Computer Sciences Lab oratory The Australian National University Canb erra ACT Australia

murphycslabanueduau

Karen Aardal

Dept of Computer Science Utrecht UniversityPO Box TB Utrecht The Netherlands

aardalcsuunl

Je Gilchrist

Entrust Technologies Ltd Heron Road Suite E Ottawa ON KV A Canada

JeGilchristentrustcom

Gerard Guillerm

SITX Centre of IT resources Ecole Polytechnique Palaiseau France

GerardGuillermp olytechniquefr



Breakdown of individual contributions to this pro ject

Management Te Riele polynomial selection algorithm Montgomery Murphy polynomial selection com

putations Do dson Lenstra Montgomery Murphy sieving codes Lenstra Montgomery sieving Aardal

Cavallar Do dson Gilchrist Guillerm Lenstra Leyland Lio en Marchand Montgomery Morain Muett

Putnam Zimmermann ltering Cavallar Montgomery linear algebra Leyland Montgomery square root

Montgomery data col lection analysis of data and running the NFS code at CWI and SARACavallar Lio en

Montgomery technical support Lio en

Paul Leyland

Microsoft Research Ltd Cambridge UK

pleylandmicrosoftcom

Joel Marchand

Lab oratoire Gage Ecole PolytechniqueCNRS Palaiseau France

Jo elMarchandmedicisp olytechniquefr

Francois Morain

Lab oratoire dInformatique Ecole Polytechnique Palaiseau France

morainlixp olytechniquefr

Alec Muett

Sun Microsystems Professional Services Riverside WayWatchmo orPark Camb erleyUK

alecmuettuksuncom

Chris and Craig Putnam

Rangers Dr Hudson NH USA

craigputnamswiftmvcom

Paul Zimmermann

Inria Lorraine and Loria NancyFrance

PaulZimmermannloriafr

ABSTRACT

On August we completed the factorization of the bit digit numb er RSA with the

help of the Numb er Field Sieve factoring metho d NFS This is a new record for factoring general numb ers

Moreover bit RSA keys are frequently used for the protection of electronic commerceat least outside

the USAso this factorization represents a breakthrough in research on RSAbased systems

The previous record factoring the digit numb er RSA was established on February also

with the help of NFS by a subset of the team which factored RSA The amount of computing time sp ent

on RSA was ab out MIPS years roughly four times that needed for RSA this is ab out half of

what could b e exp ected from a straightforward extrap olation of the computing time sp ent on factoring RSA

and ab out a quarter of what would b e exp ected from a straightforward extrap olation of the computing

time sp ent on RSA The sp eedup is due to a new p olynomial selection metho d for NFS of Murphy and

Montgomery which was applied for the rst time to RSA and now with improvements to RSA

Mathematics Subject Classication Primary Y Secondary A

ACM Computing Classication System F

Keywords and Phrases publickey cryptosystems RSA factoring numb er eld sieve

Note The research of Cavallar Lio en Montgomery and Te Riele was carried out under project MAS

Computational numb er theory and data security

A slightly abridged version of this rep ort will app ear in the Pro ceedings of Euro crypt Bruges Brugge

Belgium May URL httpwwwesatkuleuvenacbecosiceurocrypt

Intro duction 

Introduction

After the birth in of the publickey cryptosystem RSA knowledge of the state

oftheart of factoring large numbers has become crucial for RSAbased cryptographic ap

plications Since then ma jor algorithmic progress was marked by the publication of the

Quadratic Sieve in the Elliptic Curve algorithm in and the Number

Field Sieve in The largest factored dicult numbers were registered carefully

and rep orts of new records were invariably presented at cryptographic conferences Wemen

tion Euro crypt C Euro crypt C and C Crypto C

Asiacrypt C Asiacrypt C and Asiacrypt C The C

and C were factored with help of the Number Field Sieve NFS the other numb ers were

factored using the Quadratic Sieve QS For additional information implementations and

previous large NFS factorizations see

This pap er rep orts on the factorization of RSA by NFS and the implications for RSA

The numb er RSA was taken from the RSA Challenge list as a representative bit

RSA mo dulus Section discusses the implications of this pro ject for the practical use of

RSAbased cryptosystems Section has the details of our computations which resulted in

the factorization of RSA

Implications for the practice of RSA

RSA is widely used to day The b est size for an RSA key dep ends on the security needs

of the user and on how long hisher information needs to b e protected

The amount of CPU time sp ent to factor RSA was ab out MIPS years whichis

ab out four times that used for the factorization of RSA On the basis of the heuristic

complexity formula for factoring large N byNFS

exp o log N log log N

one would exp ect an increase in the computing time by a factor of ab out seven This sp eed

up has b een made p ossible by algorithmic improvements mainly in the p olynomial generation

step and to a lesser extent in the lter step of NFS

The complete pro ject to factor RSA to ok seven calendar months The p olynomial

generation step to ok ab out one month on several fast workstations The most timeconsuming

step the sieving was done on ab out fast PCs and workstations spread over twelvesites

in six countries This step to ok calendar months in which summed over all these

computers a total of years of CPUtime was consumed Filtering the relations and

building and reducing the matrix corresp onding to these relations to ok one calendar month

and was carried out on an SGI Origin computer The blo ck Lanczos step to nd



By Cxxx we denote a comp osite number having xxx decimal digits



One MIPS year is the equivalent of a computation during one full year at a sustained sp eed of one Million

Instructions Per Second



By computing time wemeanthesieve time which dominates the total amount of CPU time for NFS

However there is a tradeo b etween p olynomial search time and sieve time which indicates that a nontrivial

part of the total amount of computing time should b e sp ent to the p olynomial search time in order to minimize

the sieve time See Subsection Polynomial Search Time vs Sieving Time in Section When we use for

predicting CPU times we neglect the oterm which in fact is prop ortional to log N All logarithms

havebase e

Implications for the practice of RSA 

dep endencies in this matrix to ok ab out ten calendar days on one CPU of a Cray C

sup ercomputer The nal square ro ot step to ok ab out two days calendar time on an SGI

Origin computer

Based on our exp erience with factoring large numbers we estimate that within three

years the algorithmic and computer technology which we used to factor RSA will be

widespread at least in the scientic world so that by then bit RSA keys will certainly

not b e safe any more This makes these keys useless for authentication or for the protection

of data required to b e secure for a p erio d longer than a few days

bit RSA keys protect of to days Ecommerce on the Internet at least outside

the USAand are used in SSL Secure So cket Layer handshake proto cols Underlying this

undesirable situation are the old exp ort restrictions imp osed by the USA government on

pro ducts and applications using strong like RSA However on January

the US Department of Commerce Bureau of Exp ort Administration BXA issued new

encryption exp ort regulations which allow US companies to use larger than bit keys in

RSAbased pro ducts As a result one may replace bit keys by bit or even

bit keys thus creating much more favorable conditions for secure Internet communication

In order to make an extrap olation attempt we give a table of factoring records starting

with the landmark factorization in by Morrison and Brillhart of F with help

of the then new Continued Fraction CF metho d This table includes the complete list of

factored RSAnumbers although RSA and RSA were not absolute records at the

time they were factored Notice that RSA is still op en Some details on recent factoring

records are given in App endix to this pap er

Table Factoring records since

decimals date algorithm eort reference

or year MIPS years



Sep CF F

CF pp xlivxlv

QS Table I on p

QS p

QS

QS Table on p

QS

QS for C

RSA Apr QS

RSA Apr QS

RSA Jun QS

RSA Apr QS

RSA Apr NFS

RSA Feb NFS

RSA Aug NFS this pap er

Based on this table and on the factoring algorithms whichwe currently know weanticipate

that within ten years from now bit digit RSA keys will b ecome unsafe

Factoring RSA 

Let D b e the numb er of decimal digits in the largest general numb er factored by a given

date From the complexityformula for NFS assuming Mo ores law computing p ower

doubles every months Brent exp ects D to be roughly a linear function of the

calendar year Y From the data in Table he derives the linear formula

Y D

According to this formula a general bit number D will be factored by the year

and a general bit numb er D by the year

Directions for selecting cryptographic key sizes now and in the coming years are given in

The vulnerability of a bit RSA mo dulus was predicted long ago A rep ort p

recommends

For the most applications a modulus size of bit for RSA should achieve a

sucient level of security for tactical secrets for the next ten years This is

for longterm secrecy purposes for shortterm authenticity purposes bit might

suce in this century

Factoring RSA

We assume that the reader is familiar with NFS but for convenience we briey describ e

the metho d here Let N be the number we wish to factor known to be comp osite There

are four main steps in NFS p olynomial selection sieving linear algebra and square ro ot

The polynomial selection step selects two irreducible p olynomials f x and f x with a

common ro ot m mo d N The p olynomials haveasmany smo oth values as practically p ossible

over agiven factor base

The sieve step which is by far the most timeconsuming step of NFS nds pairs a b

with gcda b such that b oth

deg f deg f

 

b f abandb f ab

are smo oth over given factor bases ie factor completely over the factor bases Such a pair

a b is called a relation The purp ose of this step is to collect so many relations that several

subsets S of them can be found with the prop erty that a pro duct taken over S yields an

expression of the form

X Y mo d N

For approximately half of these subsets computing gcdX Y N yields a nontrivial factor

of N if N has exactly two distinct factors

The linear algebra step rst lters the relations found during sieving with the purp ose of

eliminating duplicate relations and relations containing a prime or prime ideal which do es

not o ccur elsewhere In addition certain relations are merged with the purp ose of eliminating

primes and prime ideals which o ccur exactly k times in k dierent relations for k

These merges result in socalled relationsets dened in Section which form the columns

of a very large sparse matrix over F With help of an iterative blo ck Lanczos algorithm a

few dep endencies are found in this matrix this is the most time and spaceconsuming part of the linear algebra step

Factoring RSA 

The square root step computes the square ro ot of an algebraic numb er of the form

Y

a b

abS

where is a ro ot of one of the p olynomials f xf x and where for RSA the numb ers

a b and the cardinality of the set S can all be exp ected to be many millions All a bs

have smo oth norms With the mapping m mo d N this leads to a congruence of the

form

In the next four subsections we describ e these four steps as carried out for the factorization

of RSA

Polynomial selection

This section has three parts The rst two parts are aimed at recalling the main details of

the p olynomial selection pro cedure and describing the particular p olynomials used for the

RSA factorization

Relatively sp eaking our selection for RSA is approximately times b etter than our

selection for RSA We made b etter use of our pro cedure for RSA than we did for

RSA in short by searching longer This p oses a new question for NFS factorizations

what is the optimal tradeo b etween increased p olynomial search time and the corresp onding

saving in sieve time The third part of this section gives preliminary consideration to this

question as it applies to RSA

The Procedure Our p olynomial selection pro cedure is outlined in Here we merely restate

the details Recall that we generate two p olynomials f and f using a basem metho d The

degree d of f is xed in advance for RSA we take d Given a potential a we

d

chooseaninteger m Na The p olynomial

d

d d

f xa x a x a

d d

descends from the basem representation of N initially adjusted so that ja j m for

i

i d

d

Sieving o ccurs over the homogeneous p olynomials F x y y f xy and F x y

x my The aim for p olynomial selection is to cho ose f and m such that the values F a b

and F a b are simultaneously smo oth at many coprime integer pairs a b in the sieving

region That is we seek F F with go o d yield Since F is linear we concentrate on the

choice of F

There are two factors which inuence the yield of F size and root propertiessoweseekF

with a go o d combination of size and ro ot prop erties By size we refer to the magnitude of the

values taken by F By ro ot prop erties we refer to the extenttowhich the distribution of the

n

ro ots of F mo dulo small p forp prime and n aects the likeliho o d of F values b eing

n

smo oth In short if F has many ro ots mo dulo small p the values taken by F b ehave

as if they are much smaller than they actually are That is on average the likeliho o d of

F values b eing smo oth is increased

Our search is a two stage pro cess In the rst stage we generate a large sample of good

p olynomials p olynomials with go o d combinations of size and ro ot prop erties In the second

Factoring RSA 

stage we identify without sieving the best p olynomials in the sample We concentrate on

skewed p olynomials that is p olynomials f xa x a whose rst few co ecients

a a and a are small compared to m and whose last few co ecients a a and a may

be large compared to m Usually ja j ja j ja j To comp ensate for the last few

co ecients b eing large wesieveover a skewed region ie a region that is much longer in x

than in y We take the region to b e a rectangle whose widthtoheight ratio is s

The rst stage of the pro cess generating a sample of p olynomials with go o d yield has the

following main steps d

Guess leading co ecient a usually with several small prime divisors for pro jective

d

ro ots

d d d

Determine initial m from a m N If the a approximation N a m m is

d d d

not close to an integer try another a Otherwise use to determine a starting f

d

Try to replace the initial f by a smaller one This numerical optimization step replaces

f xby

f x k cx d x k m

and m by m k sieving over a region with skewness s It adjusts four real parameters

c d k s rounding the optimal values except stointegers

Make adjustments to f which cause it to have exceptionally go o d ro ot prop erties with

out destroying the qualities inherited from ab ove The main adjustment is to consider

integer pairs j j with j and j small compared to a and a resp ectively for which

the p olynomial

f xj x j x m

n

has exceptionally good ro ot prop erties mo dulo many small p Such pairs j j are

identied using a sievelike pro cedure For each promising j j pair we revise the

translation k and skewness s by rep eating the numerical optimization on these values

alone

In the second stage of the pro cess we rate without sieving the yields of the p olynomial

pairs F F pro duced from the rst stage We use a parameter which quanties the eect of

the ro ot prop erties of each p olynomial We factor this parameter into estimates of smo othness

probabilities for F and F across a region of skewness s

At the conclusion of these two stages we p erform short sieving exp eriments on the top

ranked candidates

Factoring RSA 

Results Four of us sp ent ab out MIPS years on nding go o d p olynomials for RSA

The following pair found byDodsonwas used to factor RSA

F x y x

x y

x y

x y

x y

y

F x y x y

with s

For the purp ose of comparison we give statistics for the ab ove pair similar to those wegave

for the RSA p olynomials in Denote by a the largest ja j for i d The

max i

unskewed analogue F x y of F has a compared to the typical

max

case for RSA of a The unskewed analogue of F has a

max max

Hence F values have shrunk by approximately a factor of whilst F values have grown

by a factor of approximately F has real ro ots xy near and

With resp ect to the ro ot prop erties of F we have a

Also F x y has ro ots xy mo dulo the six primes from to and an additional

ro ots mo dulo the primes from to As a result of its ro ot prop erties F values have

smo othness probabilities similar to those of random integers which are smaller by a factor of

ab out

Polynomial Search Time vs Sieving Time The yield of the pair of p olynomials that we

used for RSA is approximately times that of a skewed pair of average yield for

RSA ab out half of which comes from ro ot prop erties and the other half from size

The corresp onding gure for the RSA pair is approximately ab out a factor of four of

whichwas due to ro ot prop erties and the remaining factor of to size From this we deduce

that relatively sp eaking our RSA selection is approximately times b etter than

our RSA selection

Note that this is consistent with the observed dierences in sieve time As noted ab ove

straightforward extrap olation of the asymptotic NFS runtime estimate suggests that

sieving for RSA should have taken approximately times the eort of RSA The

actual gure is approximately The dierence can b e approximately reconciled by the fact

that the RSA p olynomial pair is relatively ab out times b etter than the RSA

pair

Another relevant comparison is to the RSA factorization RSA of course was

factorized without our improved p olynomial selection metho ds The p olynomial pair used

for RSA has a yield approximately times that of a random unskewed selection or

RSA Extrap olation of the NFS asymptotic runtime estimate suggests that RSA

should havetaken ab out times the eort of RSA whereas the accepted dierence is a

factor of The dierence is close to b eing reconciled by the RSA p olynomial selection

b eing approximately times b etter than the RSA selection Finally to characterize

Factoring RSA 

the overall improvement accounted for by our techniques we note that the RSA selection

is approximately times b etter relatively than the RSA selection

Since the ro ot prop erties of the nonlinear p olynomials for RSA and RSA are

similar most of the dierence between them comes ab out b ecause the RSA selection

is relatively smaller than the RSA selection This in turns comes ab out b ecause we

conducted a longer search for RSA than we did for the RSA search so it was more

likely that wewould nd go o d size and go o d ro ot prop erties coinciding in the same p olyno

mials In fact wespent approximately MIPS years on the RSA search compared to

MIPS years for RSA

Continuing to search for p olynomials is worthwhile only as long as the saving in sieve

time exceeds the extra cost of the p olynomial search We have analyzed the go o dness

distribution of all p olynomials generated during the RSA search Mo dulo some crude

approximations the results app ear in Table The table shows the exp ected b enet obtained

from times the p olynomial search eort we actually invested MY for some useful

The second column gives the change in search time corresp onding to the altered search

eort The third column gives the exp ected change in sieve time calculated from the change

in yield according to our go o dness distribution Hence whilst the absolute b enet may

Table Eect of varying the p olynomial search time on the sieve time

change in search change in sieve

time in MY time in MY

not have b een great it would probably have been worthwhile investing up to ab out twice

the eort than we did for the RSA p olynomial search We conclude that in the absence

of further improvements it is worthwhile using our metho d to nd p olynomials whose yields

are approximately times b etter than a random selection

Sieving

Two sieving metho ds were used simultaneously lattice sieving and line sieving This is

probably more ecient than using a single sieve despite the large p ercentage of duplicates

found ab out see Section both sievers deteriorate as the sp ecial q resp y see

b elow increase so we exploited the most fertile parts of b oth In addition using two sievers

oers more exibility in terms of memory lattice sieving is p ossible on smaller machines the

line siever needs more memory but discovers each relation only once

The lattice siever xes a prime q called the sp ecial q which divides F x y for some

known nonzero pair x y and nds x y pairs for which b oth F x y q and F x y are

smo oth This is carried out for many sp ecial q s Lattice sieving was intro duced by Pollard

and the co de we used is the implementation written by Arjen Lenstra and describ ed in

with some additions to handle skewed sieving regions eciently

Factoring RSA 

The line siever xes a value of y from y up to some b ound and nds values

of x in a given interval for which b oth F x y and F x y are smo oth The line siever

co de was written byPeter Montgomery with help from Arjen Lenstra Russell Ruby Marije

ElkenbrachtHuizing and Stefania Cavallar

For the lattice sieving b oth the rational and the algebraic factor base b ounds were chosen

to be The number of primes was ab out one million in each factor base

Two large primes were allowed on each side in addition to the sp ecial q input The reason

that we used these factor base b ounds is that we used the lattice sieving implementation from

which do es not allow larger factor base b ounds That implementation was written for

the factorization of RSA and was never intended to b e used for larger numb ers suchas

RSA let alone RSA We exp ect that a rewrite of the lattice siever that would allow

larger factor base b ounds would giveamuch b etter lattice sieving p erformance for RSA

Most of the line sieving was carried out with two large primes on b oth the rational and

the algebraic side The rational factor base consisted of primes and

the algebraic factor base consisted of prime ideals of norm including

the seven primes which divide the leading co ecientof F x y Some line sieving allowed

three large primes instead of two on the algebraic side In that case the rational factor base

consisted of primes and the algebraic factor base of prime ideals

of norm including the seven primes which divide the leading co ecient of

F x y

For both sievers the large prime b ound was used both for the rational and

for the algebraic primes

The lattice siever was run for most sp ecial q s in the interval Each sp ecial q

has at least one ro ot r suchthat f r modq For example the equation f x modq

has ve ro ots for q namely x but no ro ots for q The total

number of sp ecial q ro ot pairs q r in the interval equals ab out M

Lattice sieving ranged over a rectangle of bypoints per special q ro ot pair Taking

into accountthatwe did not sieveover p oints x y where b oth x and y are even this gives

a total of sieving points With lattice sieving a total of M relations were

generated at the exp ense of years of CPU time Averaged over all the CPUs on which

the lattice siever was run this gives an average of CPU seconds p er relation In order to

give an impression of the yield of the lattice siever for dierent sp ecial q s Table shows

for some selected intervals of lengths and the number of sp ecial q ro ot pairs

the number of relations found and the yield in terms of number of relations divided by the

number of sp ecial q ro ot pairs The yield clearly deteriorates with increasing values of the

sp ecial q

For the line sieving with two large primes on b oth sides sieving ranged over the regions

jxj y

jxj y

jxj y



The somewhat weird choice of the line sieving intervals was made b ecause more contributors chose line sieving than originally estimated

Factoring RSA 

Table Yield of the lattice siever for selected intervals v w of sp ecial q primes

v w specialq relations relations p er

ro ot pairs sp ecial q ro ot pair

and for the line sieving with three large primes instead of two on the algebraic side the

sieving range was

jxj y

Not counting the p oints where b oth x and y are even this gives a total of p oints

sieved by the line siever With line sieving a total of M relations were generated at the

exp ense of years of CPU time Averaged over all the CPUs on which the line siever was

run it needed CPU seconds to generate one relation In order to give an impression of

the yield of the line siever for dierent values of y Table gives for some selected sieving

regions the numb er of relations p er y value For y between and this yield clearly

deteriorates with increasing y but for the larger range of y between and this

b ehavior is less obvious

Sieving was done at twelve dierent lo cations where a total of M relations were gen

erated M by lattice sieving and M by line sieving Each incoming le was checked

at the central site for duplicates this reduced the total numb er of useful incoming relations

to M Of these M were found bythe lattice siever and M by the

line siever The breakdown of the M relations in among the twelve dierent sites

is given in Table

Calendar time for the sieving was months Sieving was done on ab out SGI and Sun

workstations MHz on eight R pro cessors MHz on ab out Pentium

I I PCs MHz and on four DigitalCompaq b oxes MHz The total amountof

CPUtime sp ent on sieving was CPU years

We estimate the equivalentnumb er of MIPS years as follows For eachcontributor Table

gives the number of million relations generated rounded to two decimals the number of

CPU days d sieved for this and the estimated average sp eed s in million instructions p er

s s

seconds MIPS of the pro cessors on which these relations were generated In the last column

we give the corresp onding number of MIPS years d s For the time counting on PCs

s s

we notice that on PCs one usually get real times whichmay b e higher than the CPU times

Summarizing gives a total of MIPS years for lattice and for line sieving

For comparison RSA to ok ab out MIPS years and RSA ab out MIPS



Lenstra sieved at two sites viz Citibank and Univ of Sydney

Factoring RSA 

Table Yield of the line siever for selected sieving regions

xrange y range relations

Table Breakdown of sieving contributions

number of Lattice Contributor

CPU days Line

sieved

La Alec Muett

La Li Paul Leyland

La Li Peter L Montgomery Stefania Cavallar

La Li Bruce Do dson

La Li Francois Morain and Gerard Guillerm

La Li Joel Marchand

La Arjen K Lenstra

Li Paul Zimmermann

La Je Gilchrist

La Karen Aardal

La Chris and Craig Putnam

years

A measure of the quality of the sieving may be the average number of points sieved to

generate one relation Table gives this quantity for RSA and for RSA for the

lattice siever and for the line siever This illustrates that the sieving p olynomials were b etter

for RSA than for RSA esp ecially for the line sieving In addition the increase of

the linear factor base b ound from M for RSA to M for RSA accounts for

some of the change in yield For RSA the factor bases were much bigger for line sieving

Factoring RSA 

Table MIPSyears sp ent on lattice La and line Li sieving

Contributor relations CPUdays average sp eed MIPSyears

sieved of pro cessors

in MIPS

Muett La M

Leyland La M

Leyland Li M

CWI La M

CWI Li LP M

CWI Li LP M

Do dson La M

Do dson Li M

Morain La M

Morain Li M

Marchand La M

Marchand Li M

Lenstra La M

Zimmermann Li M

Gilchrist La M

Aardal La M

Putnam La M

than for lattice sieving This explains the increase of eciency of the line siever compared

with the lattice siever from RSA to RSA

Table Average number of points sieved p er relation

lattice siever line siever

RSA

RSA

Filtering and nding dependencies

The ltering of the data and the building of the matrix were carried out at CWI and to ok

one calendar month

Filtering Here we describ e the lter strategy which we used for RSA An essential

dierence with the lter strategy used for RSA is that we applied k way merges dened

b elow with k for RSA but only and way merges for RSA

First wegivetwo denitions A relationset is one relation or a collection of twoormore

relations generated by a merge A k way merge k istheactionofcombining k relation

sets with a common prime ideal into k relationsets with the purp ose of eliminating that

common prime ideal This is done such that the weight increase is minimal by means of a

minimum spanning tree algorithm

Factoring RSA 

Among the M relations collected from the twelve dierent sites M duplicates were

found generated by lattice sieving as well as M duplicates caused by the simultaneous

use of the lattice and the line siever

During the rst lter round only prime ideals with norm M were considered In

a later stage of the ltering this Mb ound was reduced to M in order to improve the

p ossibilities for merging relations We added M free relations for prime ideals of norm

M cf Section pp From the resulting M relations M singletons

were deleted ie those relations with a prime ideal of norm M which do es not o ccur in

any other undeleted relation

Wewere left with M relations containing M dierent prime ideals of norm M

If we assume that each prime and each prime ideal with norm M occurs at least once

then we needed to reserve at least excess relations for the primes and the

prime ideals of norm smaller than M where x is the number of primes b elow x The

factor comes from the two p olynomials and the correction factor takes account of

the presence of free relations where is the order of the Galois group of the algebraic

p olynomial With the required excess is ab out M relations whereas we

had M M M excess relations at our disp osal

In the next merging step M relations were removed which would have formed the

heaviest relationsets when p erforming way merges reducing the excess from M to

ab out M relations So wewere still allowed to discard ab out M M M relations

The remaining M nonfree relations having M prime ideals of norm M were

used as input for the merge step which eliminated prime ideals o ccurring in up to eight

dierent relationsets During this step we lo oked at prime ideals of norm M Here our

approach diers from what we did for RSA where only primes o ccurring twice or thrice

were eliminated Applying the new lter strategy to RSA would have resulted in a

smaller M instead of M columns but only heavier matrix than the one actually

used for the factorization of RSA and would have saved on the blo ckLanczos run

time The k k relations were combined into the lightest p ossible k relationsets

and the corresp onding prime ideal row in the matrix was balanced ie all entries of

the rowwere made The overall eect was a reduction of the matrix size by one rowand

one column while increasing the matrix weight when k as describ ed below We did

not p erform all p ossible merges We limited the program to only do merges which caused a

weight increase of at most original relations The merges were done in ascending order of

weight increase

Since each k way merge causes an increase of the matrix weight of ab out k times

the weight of the lightest relationset these merges were not always executed for higher

values of k For example and way merges were not executed if all the relationsets

were alreadycombined relations We decided to discard relationsets whichcontained more

than relations and to stop merging and discarding after K relations were discarded

At this p ointwe should have slightly more columns than rows and did not want to lose any

more columns The maximum discard threshold was reached during the th pass through

the M prime ideals of norm M when we allowed the maximum weight increase to



The M free relations are not counted in these M relations b ecause the free relations are generated

during each lter run

Factoring RSA 

be ab out relations This means that no merges with weight increase of relations were

executed The lter program stopp ed with M relation sets

For more details and exp eriments with RSA and other numb ers see

Finding dependencies From the matrix left after the lter step we omitted the small primes

thus reducing the weight by The resulting matrix had rows

columns and weight nonzeros per row With the help of Peter Mont

gomerys Cray implementation of the blo ck Lanczos algorithm cf it to ok CPU

hours and Gbytes of central memory on the Cray C at the SARA Amsterdam Academic

Computer Center to nd dep endencies among the rows of this matrix Calendar time for

this job was days

In order to extract from these dep endencies some dep endencies for the matrix including

the primes quadratic character checks were used as describ ed in x x and

last paragraph of Section on pp This yielded a dense homoge

neous system whichwas solved by Gaussian elimination That system turned out to have

indep endent solutions which represent linear combinations of the original dep endencies

The square root step

On August four dierent square ro ot cf jobs were started in parallel on

four dierent MHz pro cessors of an SGI Origin each handling one dep endency

One job found the factorization after CPUhours the other three jobs found the trivial

factorization after and CPUhours dierent CPU times are due to the use

of dierent parameters in the four jobs

We found that the digit number

RSA

            n

           

can b e written as the pro duct of two digit primes

p

           

and

q

             

Primality of the factors was proved with the help of two dierent primality proving co des

The factorizations of p andq are given by

p  

           



p  

           

Factoring RSA 

q  

                



q   

           

Acknowledgements Acknowledgements are due to the Dutch National Computing Fa

cilities Foundation NCF for the use of the Cray C sup ercomputer at SARA and to in

alphab etical order

the Australian National UniversityCanb erra

Centre Charles Hermite NancyFrance

Citibank Parsippany NJ USA

CWI Amsterdam The Netherlands

Ecole PolytechniqueCNRS Palaiseau France

Entrust Technologies Ltd Ottawa Canada

Lehigh University Bethlehem PA USA

the Magma Group of John Cannon at the University of Sydney

the Medicis Center at Ecole Polytechnique Palaiseau France

Microsoft ResearchCambridge UK

the Putnams Hudson NH USA

Sun Microsystems Professional Services Camberley UK and

Utrecht University The Netherlands for the use of their computing resources



References

LM Adleman Factoring numb ers using singular integers In Proc rd Annual ACM

Symp on Theory of Computing STOC pages ACM New York

D Atkins M Gra AK Lenstra and PC Leyland THE MAGIC WORDS ARE

SQUEAMISH OSSIFRAGE In J Pieprzyk and R SafaviNaini editors Advances in

Cryptology Asiacrypt volume of Lecture Notes in Computer Science pages

SpringerVerlag Berlin

Th Beth M Frisch and GJ Simmons editors PublicKey Cryptography State of the

Art and Future Directionsvolume of Lecture Notes in Computer Science Springer

Verlag Berlin Rep ort on workshop at Ob erwolfach GermanyJuly

Wieb Bosma and MarcPaul van der Hulst Primality proving with cyclotomy PhD

thesis Decemb er

Richard P Brent Some parallel algorithms for integer factorisation Proc Europar

Toulouse Sept volume of Lecture Notes in Computer Science pages

SpringerVerlag Berlin

J Brillhart DH Lehmer JL Selfridge B Tuckerman and SS Wagsta Jr Factor

n

izations of b b up to high powersvolume of Contemporary

Mathematics American Mathematical So ciety second edition

JP Buhler HW Lenstra Jr and Carl Pomerance Factoring integers with the number

eld sieve Pages in

S Cavallar B Do dson A Lenstra P Leyland W Lio en PLMontgomery B Murphy

H te Riele and P Zimmermann Factorization of RSA using the numb er eld sieve

In Lam Kwok Yan Eiji Okamoto and Xing Chaoping editors Advances in Cryptology

Asiacrypt Singapore November volume of Lecture Notes in Computer

Science pages SpringerVerlag Berlin

S Cavallar Strategies for ltering in the Number Field Sieve Preprint to app ear

in the Pro ceedings of ANTSIV Algorithmic Number Theory Symposium IV Leiden

References 

The Netherlands July Lecture Notes in Computer Science SpringerVerlag

Berlin

H Cohen and AK Lenstra Implementation of a new primality test Mathematics of

Computation

James Cowie Bruce Do dson RMarije ElkenbrachtHuizing Arjen K Lenstra Peter

L Montgomery and Jorg Zayer A world wide number eld sieve factoring record on

to bits In Kwang jo Kim and Tsutomu Matsumoto editors Advances in Cryptology

Asiacrypt volume of Lecture Notes in Computer Science pages

SpringerVerlag Berlin

JA Davis DB Holdridge and GJ Simmons Status rep ort on factoring at the Sandia

National Lab oratories In T Beth N Cot and I Ingemarsson editors Advances in

Cryptology Eurocrypt volume of Lecture Notes in Computer Science pages

SpringerVerlag Berlin

T Denny B Do dson AK Lenstra and MS Manasse On the factorization of RSA

In DR Stinson editor Advances in Cryptology Crypto volume of Lecture

Notes in Computer Science pages SpringerVerlag Berlin

B Dixon and AK Lenstra Factoring using SIMD Sieves In Tor Helleseth editor

Advances in Cryptology Eurocrypt volume of Lecture Notes in Computer Science

pages SpringerVerlag Berlin

B Do dson and A K Lenstra NFS with four large primes an explosive exp eriment

In D Copp ersmith editor Advances in Cryptology Crypto volume of Lecture

Notes in Computer Science pages SpringerVerlag Berlin

Marije ElkenbrachtHuizing Factoring integers with the number eld sieve PhD thesis

Leiden UniversityMay

RM ElkenbrachtHuizing An implementation of the numb er eld sieve Experimental

Mathematics

Frequently Asked Questions about todays Cryptography Question see

httpwwwrsacomrsalabsfaqhtmlhtml

R Golliver AK Lenstra and KS McCurley Lattice sieving and trial division

In Leonard M Adleman and MingDeh Huang editors Algorithmic Number Theory

ANTSI Ithaca NY USA May volume of Lecture Notes in Computer Sci

ence pages SpringerVerlag Berlin

AK Lenstra and HW Lenstra Jr editors The Development of the Number Field

Sievevolume of Lecture Notes in Mathematics SpringerVerlag Berlin

AK Lenstra HW Lenstra Jr MS Manasse and JM Pollard The factorization of

the Ninth Fermat number Mathematics of Computation July

AK Lenstra and MS Manasse Factoring by Electronic Mail In JJ Quisquater and

J Vandewalle editors Advances in Cryptology Eurocrypt volume of Lecture

Notes in Computer Science pages SpringerVerlag Berlin

AK Lenstra and MS Manasse Factoring with two large primes In IB Damgard

References 

editor Advances in Cryptology Eurocrypt volume of Lecture Notes in Computer

Science pages SpringerVerlag Berlin

Arjen K Lenstra and Eric R Verheul Selecting Cryptographic Key Sizes In H Imai and

Y Zheng editors Public Key Cryptography volume of Lecture Notes in Computer

Science pages SpringerVerlag Berlin

HW Lenstra Jr Factoring with elliptic curves Ann Math

Peter L Montgomery Square ro ots of pro ducts of algebraic numb ers In Walter Gautschi

editor Mathematics of Computation a HalfCentury of Computational Math

ematics pages Pro ceedings of Symp osia in Applied Mathematics American

Mathematical So ciety

Peter L Montgomery A blo ck Lanczos algorithm for nding dep endencies over GF

In Louis C Guillou and JeanJacques Quisquater editors Advances in Cryptology Eu

rocrypt volume of Lecture Notes in Computer Science pages Springer

Verlag Berlin

Peter L Montgomery and Brian Murphy Improved Polynomial Selection for the Number

Field Sieve Extended Abstract for the Conference on the Mathematics of PublicKey

Cryptography June The Fields Institute Toronto Ontario Canada

Michael A Morrison and John Brillhart The factorization of F Bul l Amer Math

Soc

Michael A Morrison and John Brillhart A metho d of factoring and the factorization of

F Mathematics of Computation January

B Murphy Mo delling the Yield of Number Field Sieve Polynomials J Buhler edi

tor Algorithmic Number Theory Third International Symposium ANTSIII Portland

Oregon USA June volume of Lecture Notes in Computer Science pages

SpringerVerlag Berlin

Brian Antony Murphy Polynomial Selection for the Numb er Field SieveInteger Factori

sation Algorithm PhD thesis The Australian National University July

JM Pollard The lattice sieve Pages in

Carl Pomerance The Quadratic Sieve Factoring Algorithm In T Beth N Cot and

I Ingemarsson editors Advances in Cryptology Eurocrypt volume of Lecture

Notes in Computer Science pages SpringerVerlag New York

Herman te Riele Walter Lio en and Dik Winter Factoring with the quadratic sieve on

large vector computers J Comp Appl Math

RL Rivest A Shamir and L Adleman A metho d for obtaining digital signatures and

publickey cryptosystems Comm ACM

RSA Challenge Administrator In order to obtain information ab out the RSA

Factoring Challenge send electronic mail to challengeinfocom The status

of the factored numb ers on the RSA Challenge List can be obtained by sending

electronic mail to challengehonorrollsmajordomorsasecuritycom Also visit

httpwwwrsacomrsalabshtmlfactoringhtml

References

A Shamir Factoring large numbers with the TWINKLE device In CK Ko c and C

Paar editors Cryptographic Hardware and Embedded Systems CHES volume of

Lecture Notes in Computer Science SpringerVerlag Berlin

Rob ert D Silverman The multiple p olynomial quadratic sieve Mathematics of Compu

tation

Rob ert D Silverman Private communication

URL httpwwwbxadocgovEncryptionDefaulthtm

Details of recent absolute and SNFS factoring records 

Details of recent absolute and SNFS factoring records

Table Absolute factoring records

digits

metho d QS GNFS GNFS GNFS

co de Gardner RSA RSA RSA

factor date Apr Apr Feb Aug

size of p q

sievetime

in MIPS years

total sieve time

in CPU years

calendar time

for sieving in days

matrix size M M M M

rowweight

Cray CPU hours na

group Internet Internet CABAL CABAL

Table Sp ecial Numb er Field Sieve factoring records

digits

co de NEC

factor date Jun Feb Sep Sep April

size of p q

a

total sieve time

in CPU years

calendar time

for sieving in days

matrix size K M M M

rowweight dense

b

Cray CPU hours

group Internet NFSNET CWI CWI CABAL

a

MIPS years

b

carried out on a Connection Machine