CAIRN 2: An FPGA Implementation of the Sieving Step in the Number Field Sieve Method

  • Tetsuya Izu
  • Jun Kogure
  • Takeshi Shimoyama
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4727)


The hardness of the integer factorization problem underpins the security of some public-key cryptosystems, including RSA, and the number field sieve method (NFS), currently the most efficient algorithm for factoring large integers, is a threat to such cryptosystems. Recently, dedicated factoring devices have attracted much attention since they might reduce the computing cost of the number field sieve method. In this paper, we report implementation and experimental results for a dedicated sieving device, “CAIRN 2”, built with Xilinx’s FPGA and designed to handle up to 768-bit integers. The algorithm used is based on line sieving; however, in order to optimize efficiency, we adopted a new implementation method (pipelined sieving). In addition, we actually factored a 423-bit integer in about 30 days, using the developed device CAIRN 2 for the sieving step and ordinary PCs for the other steps. As far as the authors know, this is the first FPGA implementation and experiment of the sieving step in NFS.


Keywords: Integer factorization, the number field sieve method (NFS), the sieving step, implementation, FPGA



Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Tetsuya Izu (1)
  • Jun Kogure (1)
  • Takeshi Shimoyama (1)
  1. FUJITSU Limited, 4-1-1 Kamikodanaka, Nakahara-ku, Kawasaki, 211-8588, Japan
