# NFS with Four Large Primes: An Explosive Experiment

## Abstract

The purpose of this paper is to report the unexpected results that we obtained while experimenting with the multi-large prime variation of the general number field sieve integer factoring algorithm (NFS, cf. [8]). For traditional factoring algorithms that make use of at most two large primes, the completion time can quite accurately be predicted by extrapolating an almost quartic and entirely ‘smooth’ function that counts the number of useful combinations among the large primes [1]. For NFS such extrapolations seem to be impossible—the number of useful combinations suddenly ‘explodes’ in an as yet unpredictable way, that we have not yet been able to understand completely. The consequence of this explosion is that NFS is substantially faster than expected, which implies that factoring is somewhat easier than we thought.

## Keywords

Completion Time, Partial Relation, Partition Number, Collision Resolution, Independent Cycle

## References

1. D. Atkins, M. Graff, A. K. Lenstra, and P. C. Leyland, *THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE*, Asiacrypt’94, to appear.
2. J. Buchmann, J. Loho, and J. Zayer, *Triple-large-prime variation*, manuscript, 1993.
3. J. Buchmann, J. Loho, and J. Zayer, *An implementation of the general number field sieve*, Advances in Cryptology, Crypto’93, Lecture Notes in Comput. Sci. **773** (1994), 159–165.
4. S. Contini and A. K. Lenstra, *Implementations of blocked Lanczos and Wiedemann algorithms*, in preparation.
5. T. Denny, B. Dodson, A. K. Lenstra, and M. S. Manasse, *On the factorization of RSA-120*, Advances in Cryptology, Crypto’93, Lecture Notes in Comput. Sci. **773** (1994), 166–174.
6. R. Golliver, A. K. Lenstra, and K. McCurley, *Lattice sieving and trial division*, ANTS’94, Lecture Notes in Comput. Sci. **877** (1994), 18–27.
7. B. A. LaMacchia and A. M. Odlyzko, *Solving Large Sparse Linear Systems over Finite Fields*, Advances in Cryptology, Crypto’90, Lecture Notes in Comput. Sci. **537** (1991), 109–133.
8. A. K. Lenstra and H. W. Lenstra, Jr. (eds), *The development of the number field sieve*, Lecture Notes in Math. **1554**, Springer-Verlag, Berlin, 1993.
9. A. K. Lenstra and M. S. Manasse, *Factoring with two large primes*, Math. Comp. **63** (1994), 785–798.
10. P. L. Montgomery, *Square roots of products of algebraic numbers*, Proceedings of Symposia in Applied Mathematics, Mathematics of Computation 1943–1993, Vancouver, 1993, Walter Gautschi, ed.
11. P. L. Montgomery, *A block Lanczos algorithm for finding dependencies over GF(2)*, Advances in Cryptology, Eurocrypt’95, Lecture Notes in Comput. Sci. **921** (1995), 106–120.
12. A. M. Odlyzko, *Discrete Logarithms in Finite Fields and their Cryptographic Significance*, Advances in Cryptology, Eurocrypt’84, Lecture Notes in Comput. Sci. **209**, 224–314.
13. C. Pomerance, *The quadratic sieve factoring algorithm*, Advances in Cryptology, Eurocrypt’84, Springer, Lecture Notes in Comput. Sci. **209**, 169–182.
14. C. Pomerance and J. W. Smith, *Reduction of huge, sparse matrices over finite fields via created catastrophes*, Experiment. Math. **1** (1992), 89–94.
15. B. Silverman, *The multiple polynomial quadratic sieve*, Math. Comp. **48** (1987), 329–339.