The magic words are squeamish ossifrage

Extended abstract
  • Derek Atkins
  • Michael Graff
  • Arjen K. Lenstra
  • Paul C. Leyland
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 917)

Abstract

We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent, than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    D. J. Bernstein, A. K. Lenstra, A general number field sieve implementation, 103–126 in: [13]..Google Scholar
  2. 2.
    T. Denny, B. Dodson, A. K. Lenstra, M. S. Manasse, On the factorization of RSA120, Advances in Cryptology, Crypto '93, Lecture Notes in Comput. Sci. 773 (1994) 166–174.Google Scholar
  3. 3.
    J. D. Dixon, Asymptotically fast factorization of integers, Math. Comp. 36 (1981) 255–260.Google Scholar
  4. 4.
    B. Dixon, A. K. Lenstra, Factoring integers using SIMD sieves, Advances in Cryptology, Eurocrypt '93, Lecture Notes in Comput. Sci. 765 (1994) 28–39.Google Scholar
  5. 5.
    B. Dodson, A. K. Lenstra, NFS with four large primes: an explosive experiment, in preparation.Google Scholar
  6. 6.
    M. Gardner, Mathematical games, A new kind of cipher that would take millions of years to break, Scientific American, August 1977, 120–124.Google Scholar
  7. 7.
    R. Golliver, A. K. Lenstra, K. S. McCurley, Lattice sieving and trial division, Algorithmic number theory symposium, Lecture Notes in Comput. Sci. 877 (1994) 18–27.Google Scholar
  8. 8.
    R. K. Guy, How to factor a number, Proc. Fifth Manitoba Conf. Numer. Math., Congressus Numerantium 16 (1976) 49–89.Google Scholar
  9. 9.
    D. E. Knuth, The art of computer programming, volume 2, Seminumerical algorithms, second edition, Addison-Wesley, Reading, Massachusetts, 1981.Google Scholar
  10. 10.
    B. A. LaMacchia, A. M. Odlyzko, Computation of discrete logarithms in prime fields, Designs, Codes and Cryptography 1 (1991) 47–62.Google Scholar
  11. 11.
    A. K. Lenstra, Massively parallel computing and factoring, Proceedings Latin'92, Lecture Notes in Comput. Sci. 583 (1992) 344–355.Google Scholar
  12. 12.
    A. K. Lenstra, H. W. Lenstra, Jr., Algorithms in number theory, Chapter 12 in: J. van Leeuwen (ed.), Handbook of theoretical computer science, Volume A, Algorithms and complexity, Elsevier, Amsterdam, 1990.Google Scholar
  13. 13.
    A. K. Lenstra, H. W. Lenstra, Jr. (eds), The development of the number field sieve, Lecture Notes in Math. 1554, Springer-Verlag, Berlin, 1993.Google Scholar
  14. 14.
    A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse, J. M. Pollard, The factorization of the ninth Fermat number, Math. Comp. 61 (1993) 319–349.Google Scholar
  15. 15.
    A. K. Lenstra, M. S. Manasse, Factoring by electronic mail, Advances in Cryptology, Eurocrypt '89, Lecture Notes in Comput. Sci. 434 (1990) 355–371.Google Scholar
  16. 16.
    A. K. Lenstra, M. S. Manasse, Factoring with two large primes, Advances in Cryptology, Eurocrypt '90, Lecture Notes in Comput. Sci. 473 (1990) 72–82; Math. Comp., to appear.Google Scholar
  17. 17.
    U. M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, Journal of Cryptology, to appear.Google Scholar
  18. 18.
    C. Pomerance, Analysis and comparison of some integer factoring algorithms, pp. 89–139 in: H. W. Lenstra, Jr., R. Tijdeman (eds), Computational methods in number theory, Math. Centre Tracts 154/155, Mathematisch Centrum, Amsterdam, 1983.Google Scholar
  19. 19.
    C. Pomerance, J. W. Smith, Reduction of huge, sparse matrices over finite fields via created catastrophes, Experiment. Math. 1 (1992) 89–94.Google Scholar
  20. 20.
    R. L. Rivest, letter to Martin Gardner, 1977.Google Scholar
  21. 21.
    R. L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978) 120–126.Google Scholar
  22. 22.
    R. C. Schroeppel, personal communication, May 1994.Google Scholar
  23. 23.
    A. Shamir, personal communication, April 1994.Google Scholar
  24. 24.
    R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987) 329–339.Google Scholar

Copyright information

© Springer-Verlag 1995

Authors and Affiliations

  • Derek Atkins
    • 1
  • Michael Graff
    • 2
  • Arjen K. Lenstra
    • 3
  • Paul C. Leyland
    • 4
  1. 1.CambridgeUSA
  2. 2.Iowa State UniversityAmesUSA
  3. 3.MRE-2Q334, BellcoreMorristownUSA
  4. 4.Oxford University Computing ServicesOxfordUK

Personalised recommendations