R. D. Silverman. The multiple polynomial quadratic sieve. Math. Comp., 48:757--780, 1987.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....for factoring or solving the discrete logarithm problem when RSA was first proposed. The introduction of cryptosystems based on factoring and the discrete logarithm problem prompted developments in finding solutions to both problems. These improvements were the development of the , described in [Sil87], and a further improvement with the [BLP94] The running time of these algorithms grows subexponentially in the size of the problem and for the size of RSA moduli that are typical today they are far superior for solving the problem than is the exponential Pollard Rho method [FR95] quadratic ....

R.D. Silverman. The multiple polynomial quadratic sieve. 48: 329339, 1987. Mathematics of Computation,

....polynomial quadratic sieve (MPQS) method to complete the factorization. In some cases we prefer to use the number field sieve (NFS) if it is predicted to be faster than MPQS . We do not describe ECM, MPQS or NFS here. The reader should refer to [16, 17, 19] for a general description of ECM, to [2, 23] for MPQS, and to [15, 13, 21] for NFS. A recent survey is [7] The particular implementations of ECM by Brent and Montgomery are described in [6, 18] Table 3 shows the number of factors found by several methods in the preparation of Updates 1 3. For ECM and MPQS these only include penultimate ....

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329-- 339. The Tables For technical reasons, in this CWI Report we only give the example Tables 13\Gamma, 13+, 99\Gamma, and 99+. For pointers to online versions of the Tables 13\Gamma; 13+; 14\Gamma; : : : ; 98+; 99\Gamma; 99+, see x3.

....factorisation of general integers. The family is characterised by the factorisation strategy adopted by its members. The number field sieve is the newest and best performing member of the family. Its immediate predecessor is an algorithm called the multiple polynomial quadratic sieve (MPQS) 65] [74]. Several impressive factorisations of RSA moduli were performed using MPQS before the number field sieve came into being. By way of background to the number field sieve we now explain the factorisation strategy of algorithms in the family, concentrating on MPQS and the number field sieve. For a ....

R D Silverman, "The Multiple Polynomial Quadratic Sieve", Math. Comp. 48 (1987) pp 329--339.

....is widely used in industry for various cryptographic purposes. To date, there is no known polynomial time algorithm to factor integers. It is not known whether or not such an algorithm exists. There do however exist subexponential time algorithms to factor integers such as the Quadratic Sieve [48, 36], the Number Field Sieve [25] and the Elliptic Curve Method [26] In section 6.5, we will show how Silverman s Algorithm can be used to factor integers. The key fact that this algorithm uses is that factoring becomes easy if a multiple of OE(n) is known. I will present here a subalgorithm to ....

R. Silverman. The Multiple Polynomial Quadratic Sieve. Mathematics of Computation, 48:329--340, 1987.

....considered, in practice the e ect of the rather large i s is quite noticeable: the larger i gets, the smaller the yield becomes. Davis and Holdridge were the rst to propose the use of more polynomials [34] A somewhat more practical but similar solution was independently suggested by Montgomery [92, 107]. As a result a virtually unlimited amount of equally useful polynomials can be generated, each playing the role of f(X) in the description above. As soon as one would be sieving too far away from the origin (i = 0) sieving continues with a newly selected polynomial. See [64, 92, 107] for ....

....by Montgomery [92, 107] As a result a virtually unlimited amount of equally useful polynomials can be generated, each playing the role of f(X) in the description above. As soon as one would be sieving too far away from the origin (i = 0) sieving continues with a newly selected polynomial. See [64, 92, 107] for details. Self initializing For each polynomial all roots modulo all primes # B have to be computed. In practice this is a time consuming task. In [95] it is shown how large sets of polynomials can be generated in such a way that the most time consuming part of the root computation has to ....

R.D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 46 (1987) 327-339.

....smooth polynomial values. Keywords: integer factorisation, number field sieve 1 Introduction Let N be a large postive integer. We refer to the multiple polynomial quadratic sieve (MPQS) and the number field sieve (NFS) algorithms for factoring N . Details of these algorithms can be found at [10] and [6] respectively . For the MPQS we take N to be the product of some small multiplier and the integer requiring factorisation. Also, we refer to an integer as B smooth when all its prime factors are less than B. For our purposes it suffices to understand the following about the number field ....

R D Silverman, "The Multiple Polynomial Quadratic Sieve", Math. Comp. 48 (1987) pp 329--339.

....Lenstra s algorithm finds a prime factor p of a large composite integer N in expected time T 1 (p) exp q (2 o(1) ln p ln ln p ; 1:1) where o(1) means a term which tends to zero as p 1. Previously algorithms with running time exp i p (1 o(1) ln N ln ln N j were known [27]. However, since p 2 N , Lenstra s algorithm is comparable in the worst case and often much better, since it often happens that 2 ln p ln N . The Brent Pollard rho algorithm [5] is similar to Lenstra s algorithm in that its expected running time depends on p, in fact it is of order p 1=2 . ....

....might be devoted to factorizing a number in the not too far distant future (there are about 3 Theta 10 13 microseconds in a year) Thus, from Table 1, it will be feasible to find prime factors p with up to about 50 decimal digits by the algorithms based on elliptic curves. Other algorithms [27] may be even more effective on numbers which are the product of two roughly equal primes. This implies that the composite numbers N on which the RSA publickey cryptosystem [25, 26] is based should have at least 100 decimal digits if the cryptosystem is to be reasonably secure. 11 Acknowledgements ....

R. D. Silverman, The multiple polynomial quadratic sieve, preprint, Mitre Corp., Bedford Mass., 1985.

....values of various polynomials so that many n s could be factored simultaneously by sieving. Pomerance s quadratic sieve is a simpli cation of Schroeppel s linear sieve. Each method seems to always succeed in time y 2 o(1) with y as above. See [140] 79] 168] 62] 141] 65] 63] [165], 46] 150] 64] 155] 106] 13] 144] 156] 166] 133] 66] 9] 11] 27] and [52] The algorithm in this paper can be used to indirectly speed up sieving, as described above. Furthermore, a reduction in the sieve array size allows a reduction in the size of n; see, e.g. 52] ....

Robert D. Silverman, The multiple polynomial quadratic sieve, Mathematics of Computation 48 (1987), 329-339. MR 88c:11079.

....of n if X 6j SigmaY (mod n) If X and Y are randomly chosen subject to (1.1) then this yields a proper factor of n in at least 50 of the tries. This principle is the basis for the best known 1. Introduction 2 general factorization methods, namely, the multi polynomial quadratic sieve (MPQS [Bre89, Pom85, PST88, Sil87, RLW89]) and the number field sieve (NFS [LL93] In this paper we discuss and compare the single large prime variation (PMPQS) and the double large prime variation (PPMPQS) of MPQS, and we factor many numbers in the 66 88 decimal digits range, mainly with PPMPQS, both on SGI workstations, and on a ....

R.D. Silverman. The Multiple Polynomial Quadratic Sieve. Math. Comp., 48:329--339, 1987. Appendix 20

....stage and very little time sieving. This is wasteful. So somewhere there is a nice value of M , not too small nor too large, which optimizes the speed of the algorithm for the number being factored. Silverman gives a table of good parameters (values for F and M) for numbers up to 66 digits [25]. Realize that the reason why we couldn t choose M too small was because we would be wasting too much time on the initialization stage. However, if the initialization stage took no time, then certainly a much smaller M would be better, since this would give smaller residues at no cost, and ....

....had 7 primes dividing the leading coefficients, selected anywhere from the 170th prime in the factor base to the 380th. We used F = 60,000 for the upper bound for factor base primes. This value was determined from much experimentation in the past, and it is consistent with Silverman s choice [25]. Table D.1 (in appendix D) shows our experiments with different values for BLOCKSIZE for our first 60 digit number. We fixed M = 600,000 and ran our mpqs program until we had 100 smooth relations. The best timings occurred with BLOCKSIZE values in the range of 100,000 to 200,000. Table D.2 ....

R. D. Silverman, "The multiple polynomial quadratic sieve," Math. Comp., 48 (1987), pp. 329-339.

....Algorithms 5 A. The run time depends mainly on the size of N, and is not strongly dependent onthesizeoff . Examples are . Lehman s algorithm [28] which has worst case run time O(N 1 3 ) The Continued Fraction algorithm [39] and the Multiple Polynomial Quadratic Sieve (MPQS) algorithm [46,59], which under plausible assumptions have expected run time O(exp( # c ln N ln ln N) where c is a constant (depending on details of the algorithm) For MPQS, c # 1. The Number Field Sieve (NFS) algorithm [29,30] which under plausible assumptions has expected run time O(exp(c(ln N) 1 3 ....

....be found. If not, we need to obtain a di#erent linear dependency and try again. In quadratic sieve algorithms the numbers w i are the values of one (or more) quadratic polynomials with integer coe#cients. This makes it easy to factor the w i by sieving. For details of the process, we refer to [11,32,35,46,49,52,59]. The best quadratic sieve algorithm (MPQS) can, under plausible assumptions, factor a number N in time #(exp(c(ln N ln ln N) 1 2 ) where c # 1. The constants involved are such that MPQS is usually faster than ECM if N is the product of two primes which both exceed N 1 3 . This is because ....

[Article contains additional citation context not shown here]

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329--339.

....a large (positive) integer y that can make use of our results. Other approaches to factoring are quite different (e.g. Pollard methods (see [33, 32] the elliptic curve method (see [26,28,24] the general number field sieve (see [7, 6, 16] and the multiple polynomial quadratic sieve(see[34]) We wish to find a solution to y = X i2N X j2N 2 i j x 1 i x 2 j (20) in 0,1 variables x 1 i #x 2 j , where wechoose n to be just less than the number of bits needed to encode y. In fact, we can make n even smaller, but always at least the number of bits needed to encode d p ....

Robert D. Silverman. The multiple polynomial quadratic sieve. Mathematics of Computation, 48(177):329--339,1987.

No context found.

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329-339. viii

....polynomial quadratic sieve (MPQS) method to complete the factorization. In some cases we prefer to use the number eld sieve (NFS) if it is predicted to be faster than MPQS 4 . We do not describe ECM, MPQS or NFS here. The reader should refer to [16, 17, 19] for a general description of ECM, to [2, 23] for MPQS, and to [15, 13, 21] for NFS. A recent survey is [7] The particular implementations of ECM by Brent and Montgomery are described in [6, 18] Table 3 shows the number of factors found by several methods in the preparation of Updates 1 3. For ECM and MPQS these only include penultimate ....

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (

No context found.

R. D. Silverman. The multiple polynomial quadratic sieve. Math. Comp., 48:757--780, 1987.

No context found.

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329--339.

No context found.

R. D. Silverman, "The multiple polynomial quadratic sieve", Mathematics of Computation 48 (1987), 329-339. v

No context found.

R. D. Silverman, "The multiple polynomial quadratic sieve", Mathematics of Computation 48 (1987), 329-339. v

No context found.

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329--339. MR 88c:11079

No context found.

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329--339.

No context found.

R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987), 329--339.

No context found.

R.D. Silverman. The multiple polynomial quadratic sieve. Math. Comp., 48:329--339, 1987.

No context found.

R.D. Silverman. The multiple polynomial quadratic sieve. Math. Comp., 48:329--339, 1987.

No context found.

Robert D. Silverman. The multiple polynomial quadratic sieve. Mathematics of Computation, 48:329--339, 1987.

No context found.

Robert D. Silverman. The multiple polynomial quadratic sieve. Mathematics of Computation, 48:329--339, 1987.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC