A Kilobit Special Number Field Sieve Factorization

  • Kazumaro Aoki
  • Jens Franke
  • Thorsten Kleinjung
  • Arjen K. Lenstra
  • Dag Arne Osvik
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4833)


We describe how we reached a new factoring milestone by completing the first special number field sieve factorization of a number having more than 1024 bits, namely the Mersenne number 21039− 1. Although this factorization is orders of magnitude ‘easier’ than a factorization of a 1024-bit RSA modulus is believed to be, the methods we used to obtain our result shed new light on the feasibility of the latter computation.


  1. 1.
    Aoki, K., Kida, Y., Shimoyama, T., Ueda, H.: http://www.crypto-world.com/announcements/SNFS274.txt
  2. 2.
    Aoki, K., Shimoyama, T.: R311 is factored by ECM, Proceedings of SCIS 2004, no.2E1-1, Hiroshima, Japan, Technical Group on Information Security (IEICE) (in Japanese)Google Scholar
  3. 3.
    Bahr, F.: Liniensieben und Quadratwurzelberechnung für das Zahlkörpersieb, University of Bonn (2005)Google Scholar
  4. 4.
    Cavallar, S.: Strategies for filtering in the number field sieve. In: Bosma, W. (ed.) ANTS IV. LNCS, vol. 1838, pp. 209–231. Springer, Heidelberg (2000)Google Scholar
  5. 5.
    Cavallar, S., Dodson, B., Lenstra, A.K., Leyland, P., Montgomery, P.L., Murphy, B., te Riele, H., Zimmermann, P., et al.: Factoring a 512-bit RSA modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–18. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Coppersmith, D.: Solving linear equations over GF(2): block Lanczos algorithm. Linear algebra and its applications 192, 33–60 (1993)MATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. of Comp. 62, 333–350 (1994)MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Franke, J., Kleinjung, T.: Continued fractions and lattice sieving. In: Proceedings SHARCS 2005, http://www.ruhr-uni-bochum.de/itsc/tanja/SHARCS/talks/FrankeKleinjung.pdf
  9. 9.
    Kleinjung, T.: Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024-bit integers. In: Proceedings SHARCS 2006, http://www.hyperelliptic.org/tanja/SHARCS/talks06/thorsten.pdf.
  10. 10.
    Lenstra, A.K., Lenstra, H.W.: The development of the number field sieve. LNM, vol. 1554. Springer, Heidelberg (1993)MATHGoogle Scholar
  11. 11.
    Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes, J. of Cryptology 14, 255–293 (2001)MATHMathSciNetGoogle Scholar
  12. 12.
    Lenstra, H.W.: Factoring integers with elliptic curves, Ann. of Math. 126, 649–673 (1987)MathSciNetGoogle Scholar
  13. 13.
    Montgomery, P.L.: A block Lanczos algorithm for finding dependencies over GF(2). In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 106–120. Springer, Heidelberg (1995)Google Scholar
  14. 14.
    Montgomery, P.L.: Square roots of products of algebraic numbers, http://ftp.cwi.nl/pub/pmontgom/sqrt.ps.gz
  15. 15.
    Nguyen, P.: A Montgomery-like square root for the number field sieve. In: Buhler, J.P. (ed.) ANTS III. LNCS, vol. 1423, pp. 151–168. Springer, Heidelberg (1998)Google Scholar
  16. 16.
    Pomerance, C.: A tale of two sieves, http://www.ams.org/notices/199612/pomerance.pdf
  17. 17.
  18. 18.
    Thomé, E.: Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. Journal of symbolic computation 33, 757–775 (2002)MATHCrossRefMathSciNetGoogle Scholar
  19. 19.

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Kazumaro Aoki
    • 1
  • Jens Franke
    • 2
  • Thorsten Kleinjung
    • 2
  • Arjen K. Lenstra
    • 3
    • 4
  • Dag Arne Osvik
    • 3
  1. 1.NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585Japan
  2. 2.University of Bonn, Department of Mathematics, Beringstraße 1, D-53115 BonnGermany
  3. 3.EPFL IC LACAL, INJ 330, Station 14, 1015-LausanneSwitzerland
  4. 4.Alcatel-Lucent Bell Laboratories, Murray Hill, NJUSA

Personalised recommendations