A Simpler Sieving Device: Combining ECM and TWIRL

  • Willi Geiselmann
  • Fabian Januszewski
  • Hubert Köpfer
  • Jan Pelzl
  • Rainer Steinwandt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4296)


A main obstacle in manufacturing the TWIRL device for realizing the sieving step of the Number Field Sieve is the sophisticated chip layout. Especially the logic for logging and recovering large prime factors found during sieving adds significantly to the layout complexity. We describe a device building on the Elliptic Curve Method (ECM) that for parameters of interest enables the replacement of the complete logging part in TWIRL by an off-wafer postprocessing. The postprocessing is done in real time, leaving the total sieving time basically unchanged.

The proposed device is an optimized ECM implementation building on curves chosen to cope with factor sizes as expected in the output of TWIRL. According to our preliminary analysis, for the relation collection step expected for a 1024-bit factorization our design is realizable with current fab technology at very moderate cost. The proposed ECM engine also finds the vast majority of the needed cofactor factorizations. In summary, we think the proposed device enables a significant decrease in TWIRL’s layout complexity and thereby in its cost.
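The cofactor factorization the abstract hands off to the ECM engine, as an added software example that is not code from the paper or its device: stage 1 of ECM on Montgomery curves (Suyama parametrisation, x-only ladder), run over a constructed 60-bit composite standing in for a cofactor left by sieving. The paper's device picks its curves for the factor sizes TWIRL produces; the curve family, the bound B1 = 10000 and the sample number here are this example's own assumptions.

```python
from math import gcd, isqrt
SAMPLE_COFACTOR = 1000000007 * 998244353     # constructed: two known 30-bit primes

def xdbl(X, Z, a24, n):
    """x-only doubling on B*y^2 = x^3 + A*x^2 + x, with a24 = (A+2)/4 mod n."""
    s, d = (X + Z) ** 2 % n, (X - Z) ** 2 % n
    t = (s - d) % n                              # t = 4*X*Z
    return s * d % n, t * (d + a24 * t) % n

def xadd(XP, ZP, XQ, ZQ, XD, ZD, n):
    """Differential addition: x(P+Q) from x(P), x(Q) and x(P-Q)."""
    u = (XP - ZP) * (XQ + ZQ) % n
    v = (XP + ZP) * (XQ - ZQ) % n
    return ZD * (u + v) ** 2 % n, XD * (u - v) ** 2 % n

def ladder(k, X, Z, a24, n):
    """Montgomery ladder: x(k*P) from x(P), keeping R1 - R0 = P throughout."""
    R0, R1 = (X, Z), xdbl(X, Z, a24, n)
    for bit in bin(k)[3:]:                       # bits below the leading one
        if bit == "0":
            R1, R0 = xadd(*R0, *R1, X, Z, n), xdbl(*R0, a24, n)
        else:
            R0, R1 = xadd(*R0, *R1, X, Z, n), xdbl(*R1, a24, n)
    return R0

def ecm_stage1(n, B1, sigma, primes):
    """Stage 1 on one Suyama curve: gcd(Z, n) after multiplying by all prime powers <= B1."""
    u, v = (sigma * sigma - 5) % n, 4 * sigma % n
    X, Z = pow(u, 3, n), pow(v, 3, n)            # x(P) = u^3 / v^3
    den = 16 * X * v % n                         # a24 = (v-u)^3 (3u+v) / (16 u^3 v)
    if gcd(den, n) != 1:                         # non-invertible: already a split
        return gcd(den, n)
    a24 = pow(v - u, 3, n) * (3 * u + v) * pow(den, -1, n) % n
    for p in primes:
        pe = p
        while pe * p <= B1:
            pe *= p
        X, Z = ladder(pe, X, Z, a24, n)
        g = gcd(Z, n)                            # Z = 0 mod p  <=>  k*P = O over F_p
        if g != 1:
            return g
    return 1                                     # this curve did not split n

def ecm(n, B1=10000, max_curves=200):
    """Try curves sigma = 6, 7, ... until one yields a proper factor of n."""
    primes = [p for p in range(2, B1 + 1) if all(p % q for q in range(2, isqrt(p) + 1))]
    for sigma in range(6, 6 + max_curves):
        g = ecm_stage1(n, B1, sigma, primes)
        if 1 < g < n:                            # g == n: every factor split at once
            return g
    return None
```

A hardware engine of the kind the abstract describes fixes B1 and the curve count up front so that the per-cofactor latency stays below the sieving throughput; here the curves are simply tried in turn.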


Keywords: RSA, NFS, ECM, cryptanalytic hardware





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Willi Geiselmann (1)
  • Fabian Januszewski (2)
  • Hubert Köpfer (1)
  • Jan Pelzl (3)
  • Rainer Steinwandt (4)
  1. Institut für Algorithmen und Kognitive Systeme, Fakultät für Informatik, Universität Karlsruhe (TH), Karlsruhe, Germany
  2. Mathematisches Institut II, Fakultät für Mathematik, Universität Karlsruhe (TH), Karlsruhe, Germany
  3. Horst Görtz Institute for IT-Security, Ruhr University of Bochum, Bochum, Germany
  4. Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, USA
