J. P. Buhler, H. W. Lenstra, C. Pomerance, Factoring integers with the number field sieve, preprint 1992  Home/Search   Document Not in Database   Summary   Related Articles   Check

....a 512bit RSA modulus. In this note we try to estimate the likely risks involved in continuing to use a 512 bit modulus over the next ten years. 2 Three projections Throughout this note we will make some basic assumptions. Foremost among them is that when using the generalized number field sieve [2] (which is at present the most effective algorithm for tackling larger RSA numbers) then the number of MIPS years (abbreviated to MY) required to factor a 512 bit RSA modulus is roughly 3 x 104 [3] Additionally we will assume that the computing power per dollar doubles every 18 months (a common ....

J.P. Buhler, H.W. Lenstra, and C. Pomerance. Factoring integers with the number field sieve. 1992. To appear.

....no special assumptions about the form of the number N to be factored. In contrast, the basic number field sieve is designed to work on numbers of the form r e Sigma s, where r and s are both small (and e is potentially large) The basic idea of the general number field sieve, as described in [BLP91], is that we will perform our sieving in a special field that we construct. First, we choose an irreducibile polynomial f 2 Z[x] of small, but not too small degree) and a zero of that polynomal ff. We then build the field Z[ff] subring of K = Q(ff) We then try to build a set S of pairs of ....

Buhler, Lenstra, and Pomerance. Factoring Integers with the Number Field Sieve. in The development of the number field sieve. pp50-- 94. Lecture Notes in Mathematics 1554. Springer-Verlag.

....polynomial values. Keywords: integer factorisation, number field sieve 1 Introduction Let N be a large postive integer. We refer to the multiple polynomial quadratic sieve (MPQS) and the number field sieve (NFS) algorithms for factoring N . Details of these algorithms can be found at [10] and [6] respectively . For the MPQS we take N to be the product of some small multiplier and the integer requiring factorisation. Also, we refer to an integer as B smooth when all its prime factors are less than B. For our purposes it suffices to understand the following about the number field sieve. ....

....form. For NFS, the smooth integers are required to be values associated with an irreducible polynomial F 2 ZZ[x] of degree d. In fact we consider f 2 ZZ[x; y] given by f = y d F (x=y) and search for B smooth values of jf j for some bound B and for coprime x; y 2 ZZ in a given range (see [6]) The area in which the number field sieve has the greatest capacity for improvement is the selection of f . A good polynomial is one whose values are more likely to be B smooth than random integers of the same size. Amongst polynomials, f 1 is better than f 2 if f 1 takes values more likely ....

[Article contains additional citation context not shown here]

J P Buhler, H W Lenstra Jr, C Pomerance, "Factoring Integers with the Number Field Sieve", The Development of the Number Field Sieve, LNM 1554 (1993) pp 50--94.

....the form n = c 1 r t c 2 s u , and the General NFS (GNFS) which is applicable for arbitrary numbers. The NFS factors integers n in heuristic time exp i (c o(1) logn) 1=3 (loglogn) 2=3 j as n 1. Here c = 32 9 ) 1=3 1:5 for the SNFS and c = 64 9 ) 1=3 1:9 for the GNFS [3]. These compare with the time exp i (1 o(1) logn) 1=2 (loglogn) 1=2 j taken by the Multiple Polynomial Quadratic Sieve (MPQS) 21] which still is the best generalpurpose factoring algorithm for integers with less than approximately 110 digits. This article describes several experiments ....

.... 1. First, a description of the NFS and an outline of the implementation will be given; secondly, several parts of the implementation will be described in more detail and finally the results of the factorization experiments will be stated. Detailed descriptions of the NFS can be found in [13] and [3]. 2. Description of the NFS 2 2. Description of the NFS Let n be the odd number to be factored. It is easy to check whether n is a prime number or a prime power [14, x2.5] and we assume that it is neither. Like MPQS, the NFS tries to find a solution of the equation v 2 j w 2 mod n. For at ....

J.P. Buhler, H.W. Lenstra, Jr., and C. Pomerance. Factoring integers with the number field sieve, pages 50--94 in [11].

....See [19] and [22] for discussions of this question. Until recently, the best algorithms for both problems had time estimates of the form L(n; 1=2) where for 0 fl 1 one defines L(n; fl) exp i O(n fl log 1 Gammafl n) j . Then with the invention of the number field sieve 7 for factoring [3], the time estimate for factoring was brought down to L(n; 1=3) Soon after, the number field sieve was also applied to the discrete log problem [12] bringing the time estimate for discrete log down to L(n; 1=3) as well. If we suppose that factorization and discrete log have roughly the same ....

J. P. Buhler, H. W. Lenstra, Jr., and C. Pomerance, Factoring integers with the number 10 field sieve, to appear.

....3 Factoring In this section, we outline an approach to factoring a large (positive) integer y that can make use of our results. Other approaches to factoring are quite different (e.g. Pollard methods (see [33, 32] the elliptic curve method (see [26,28,24] the general number field sieve (see [7, 6, 16]) and the multiple polynomial quadratic sieve(see[34] We wish to find a solution to y = X i2N X j2N 2 i j x 1 i x 2 j (20) in 0,1 variables x 1 i #x 2 j , where wechoose n to be just less than the number of bits needed to encode y. In fact, we can make n even smaller, but ....

Joe P. Buhler, Hendrick W. Lenstra, Jr., and Carl Pomerance. Factoring integers with the number field sieve. In The development of the number field sieve, pages 50--94. Springer, Berlin, 1993.

.... q has to be large enough that it can t be factored with O( Delta 1=6 o(1) methods, see e.g. 24] Delta and q have to be large enough that they can t be found with the elliptic curve method [17] Delta q has to be large enough that it can t be factored with the number field sieve [6] (signature setup only) Delta has to be small enough that the computation of h( Delta) is possible. bit length ave. time (sec) Delta q Delta q Enc Dec Decq DecR 768 192 288 4.45 2.23 0.34 0.10 832 192 320 5.55 2.77 0.40 0.13 896 192 352 6.69 3.39 0.53 0.16 960 192 384 7.90 3.98 0.43 ....

J.P. Buhler, H.W. Lenstra, Jr., and C. Pomerance. Factoring integers with the number fields sieve. In A.K. Lenstra and H.W. Lenstra, Jr., editors, The Developement of the Number Field Sieve, volume 1554 of Lecture Notes in Math., pages 50--94. Springer, Berlin, 1993.

....Factoring In this section, we outline an approach to factoring a large (positive) integer y that can make use of our results. Other approaches to factoring are quite different (e.g. Pollard methods (see [33, 32] the elliptic curve method (see [26, 28, 24] the general number field sieve (see [7, 6, 16]) and the multiple polynomial quadratic sieve (see [34] We wish to find a solution to y = X i2N X j2N 2 i j x 1 i x 2 j (20) in 0,1 variables x 1 i ; x 2 j , where we choose n to be just less than the number of bits needed to encode y. In fact, we can make n even smaller, but ....

Joe P. Buhler, Hendrick W. Lenstra, Jr., and Carl Pomerance. Factoring integers with the number field sieve. In The development of the number field sieve, pages 50--94. Springer, Berlin, 1993.

....q that have been chosen. Indeed, these conditions are necessary. If enough characters q have been chosen then one may expect that the conditions are sufficient as well. This leads to a large algebraic number fl that is given as a product of many small ones, and that is a square in Z[ff] see [3]) 1) fl = f 0 (ff) 2 Delta Y (a;b)2S (a bff) fi 2 with fi 2 Z[ff] We also know that the image of fl under , fl) f 0 (m) 2 Delta Y (a;b)2S (a bm) mod n; satisfies f 0 (m) 2 Delta Y (a;b)2S (a bm) f 0 (m) 2 Delta Y py p 2ep = v 2 ; where ....

....Y py p fp ; where the f p are non negative integers that can be determined from the prime ideal decomposition of fi. Furthermore, since fi 2 Z[ff] there exists a polynomial B 2 Z[X] of degree at most d Gamma 1 such that fi = B(ff) We shall compute this polynomial. The method suggested in [3] is as follows. First, look for an odd prime q such that the polynomial f remains irreducible modulo q. Then, compute fl mod q by performing all multiplications in the product (1) modulo q. We view fl mod q as an element of the finite field F q d , and we can easily compute the square roots of ....

[Article contains additional citation context not shown here]

J. P. Buhler, H. W. Lenstra, Jr., Carl Pomerance, Factoring integers with the number field sieve, this volume, pp. 48--89.

....is superior to these; its asymptotic running time is O(exp( p 2 ln p ln ln p) The ECM is often used in practice to find factors of randomly generated numbers; it is not strong enough to factor a large RSA modulus. The best general purpose factoring algorithm today is the number field sieve [16], which runs in time approximately O(exp(1:9(ln n) 1=3 (ln ln n) 2=3 ) It has only recently been implemented [15] and is not yet practical enough to perform the most desired factorizations. Instead, the most widely used general purpose algorithm is the multiple polynomial quadratic sieve ....

J.P. Buhler, H.W. Lenstra, and C. Pomerance. Factoring integers with the number field sieve. 1992. To appear.

No context found.

J. P. Buhler, H. W. Lenstra, Jr., C. Pomerance, Factoring integers with the number field sieve, [14], 50--94.

....on the security needs of the user and on how long his her information needs to be protected. The amount of CPU time spent to factor RSA 155 was about 8400 MIPS years 2 which is about four times that used for the factorization of RSA 140. On the basis of the heuristic complexity formula [7] for factoring large N by NFS: exp i (1:923 o(1) log N) 1=3 (log log N) 2=3 j ; 2.1) one would expect an increase in the computing time by a factor of about seven. 3 This speedup has been made possible by algorithmic improvements, mainly in the polynomial generation step [28, 31, ....

J.P. Buhler, H.W. Lenstra, Jr., and Carl Pomerance. Factoring integers with the number field sieve. Pages 50--94 in [20].

....using 512 bit RSA keys. Allegedly, 512 bit RSA keys protect 95 of today s E commerce on the Internet [24] The amount of CPU time spent to factor RSA 140 is estimated to be only twice that used for the factorization of RSA 130, whereas on the basis of the heuristic complexity formula [3] for factoring large N by NFS: O exp (1.923 o(1) log N) 1 3 (log log N) 2 3 , one would expect an increase in the computing time by a factor close to four. This has been made possible by algorithmic improvements (mainly in the polynomial generation step [18] and to a lesser ....

J.P. Buhler, H.W. Lenstra, Jr., and Carl Pomerance. Factoring integers with the number field sieve. Pages 50--94 in [13].

....on the security needs of the user and on how long his her information needs to be protected. The amount of CPU time spent to factor RSA 155 was about 8400 MIPS years 2 which is about four times that used for the factorization of RSA 140. On the basis of the heuristic complexity formula [7] for factoring large N by NFS: exp i (1:923 o(1) log N) 1=3 (log log N) 2=3 j ; 1) one would expect an increase in the computing time by a factor of about seven. 3 This speed up has been made possible by algorithmic improvements, mainly in the polynomial generation step [28, 31, 32] ....

J.P. Buhler, H.W. Lenstra, Jr., and Carl Pomerance. Factoring integers with the number field sieve. Pages 50--94 in [20].

.... handle numbers of the form r e Gamma s for small positive r and jsj: this was successfully applied to the Fermat number F 9 = 2 512 1 (see [11] This version of the algorithm is now called the special number field sieve (SNFS) 10] in contrast with the general number field sieve (GNFS) [3] which can handle arbitrary integers. GNFS factors integers n in heuristic time exp i (c g o(1) ln 1=3 n ln 2=3 ln n j with c g = 64=9) 1=3 1:9. Let n be the composite integer we wish to factor. We assume that n is not a prime power. Let Zn denote the ring Z=nZ. Like many factoring ....

....required to multiply two jSj bit integers. The algorithm appears to be impractical for the sets S now in use, and it requires an odd degree. Montgomery s strategy [15, 14, 7] can be viewed as a mix of UFD and bruteforce methods. It bears some resemblance to the square root algorithm sketched in [3] (pages 75 76) It works for all values of d, and does not make any particular assumption (apart from the existence of inert primes) about the number field. 3 Algebraic preliminaries Our number field is K = Q(ff) Q(ff) where ff is an algebraic number and ff = c d ff is an algebraic integer. ....

[Article contains additional citation context not shown here]

Buhler, J. P., Lenstra, H. W., and Pomerance, C. Factoring integers with the number field sieve. pages 50-94 in [8].

No context found.

J. P. Buhler, H. W. Lenstra, C. Pomerance, Factoring integers with the number field sieve, preprint 1992

No context found.

J. P. Buhler, H. W. Lenstra, Jr., C. Pomerance, Factoring integers with the number field sieve, The development of the number field sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, pp. 50--94, 1993

No context found.

J. P. Buhler, H. W. Lenstra, C. Pomerance, Factoring integers with the number field sieve, in [19], 1992

No context found.

J. P. Buhler, H. W. Lenstra, C. Pomerance, Factoring integers with the number field sieve, in [11], 1992

No context found.

J. P. Buhler, H. W. Lenstra, Jr., and C. Pomerance. Factoring integers with the number field sieve. In A. K. Lenstra and H. W. Lenstra, Jr., editors, The development of the number field sieve, number 1554 in Lecture Notes in Mathematics, pages 50--94. Springer, 1993.

No context found.

J.P. Buhler, H.W. Lenstra, and C. Pomerance. Factoring integers with the number field sieve. 1992. To appear.

No context found.

J.P. Buhler, H.W. Lenstra, and C. Pomerance. Factoring integers with the number field sieve. 1992. To appear.

No context found.

Joe P. Buhler, Hendrik W. Lenstra, Jr., and Carl Pomerance. Factoring integers with the number field sieve. In Arjen K. Lenstra and Hendrik W. Lenstra, Jr., editors, The development of the number field sieve, number 1554 in Lecture Notes in Mathematics, pages 50--94. Springer-Verlag, 1993.

No context found.

J. P. Buhler, H. W. Lenstra, C. Pomerance, Factoring integers with the number field sieve, in [19], 1992

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC