Factorization of a 768-Bit RSA Modulus

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.


RSA number field sieve 


  1. 1.
    Adleman, L.M.: Factoring numbers using singular integers. In: STOC, pp. 64–71. ACM, New York (1991)Google Scholar
  2. 2.
    Aoki, K., Franke, J., Kleinjung, T., Lenstra, A.K., Osvik, D.A.: A kilobit special number field sieve factorization. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 1–12. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    Bahr, F.: Liniensieben und Quadratwurzelberechnung für das Zahlkörpersieb, Diplomarbeit, University of Bonn (2005)Google Scholar
  4. 4.
    Bahr, F., Böhm, M., Franke, J., Kleinjung, T.: Factorization of RSA-200 (May 2005),
  5. 5.
    Buhler, J., Montgomery, P., Robson, R., Ruby, R.: Implementing the number field sieve. Technical report, Oregon State University (1994)Google Scholar
  6. 6.
    Cavallar, S.: Strategies in filtering in the number field sieve. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 209–232. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Cavallar, S., Dodson, B., Lenstra, A.K., Lioen, W.M., Montgomery, P.L., Murphy, B., te Riele, H.J.J., Aardal, K., Gilchrist, J., Guillerm, G., Leyland, P.C., Marchand, J., Morain, F., Muffett, A., Putnam, C., Putnam, C., Zimmermann, P.: Factorization of a 512-bit RSA modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–18. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Coppersmith, D.: Solving linear equations over GF(2): block Lanczos algorithm. Linear Algebra and its Applications 192, 33–60 (1993)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comput. 62(205), 333–350 (1994)zbMATHMathSciNetGoogle Scholar
  10. 10.
    Cowie, J., Dodson, B., Elkenbracht-Huizing, R.M., Lenstra, A.K., Montgomery, P.L., Zayer, J.: A world wide number field sieve factoring record: On to 512 bits. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 382–394. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  11. 11.
    Dixon, J.D.: Asymptotically fast factorization of integers. Math. Comp. 36, 255–260 (1981)zbMATHMathSciNetGoogle Scholar
  12. 12.
    Franke, J., Kleinjung, T.: Continued fractions and lattice sieving. In: Workshop record of SHARCS (2005),
  13. 13.
    Golliver, R.A., Lenstra, A.K., McCurley, K.S.: Lattice sieving and trial division. In: Huang, M.-D.A., Adleman, L.M. (eds.) ANTS 1994. LNCS, vol. 877, pp. 18–27. Springer, Heidelberg (1994)Google Scholar
  14. 14.
    Kleinjung, T.: Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024 bit integers. In: Workshop record of SHARCS (2005),
  15. 15.
    Kleinjung, T.: On polynomial selection for the general number field sieve. Math. Comp. 75, 2037–2047 (2006)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Kleinjung, T.: Polynomial selection. Presented at the CADO Workshop on Integer Factorization (2008),
  17. 17.
    Lenstra, A.K.: Computational methods in public key cryptology. In: Coding theory and cryptology. Lecture Notes Series, pp. 175–238. Institute for Mathematical Sciences, National University of Singapore (2002)Google Scholar
  18. 18.
    Lenstra, A.K., Lenstra Jr., H.W.: Algorithms in number theory. In: Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity, pp. 673–716. Elsevier, Amsterdam (1990)Google Scholar
  19. 19.
    Lenstra, A.K., Lenstra Jr., H.W.: The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  20. 20.
    Lenstra, A.K., Lenstra Jr., H.W., Manasse, M.S., Pollard, J.M.: The factorization of the ninth Fermat number. Math. of Comp. 61(203), 319–349 (1993)zbMATHMathSciNetGoogle Scholar
  21. 21.
    Lenstra, A.K., Tromer, E., Shamir, A., Kortsmit, W., Dodson, B., Hughes, J., Leyland, P.C.: Factoring estimates for a 1024-bit RSA modulus. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 55–74. Springer, Heidelberg (2003)Google Scholar
  22. 22.
    Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans Information Theory 15, 122–127 (1969)zbMATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    Montgomery, P.: Square roots of products of algebraic numbers,
  24. 24.
    Montgomery, P., Murphy, B.: Improved polynomial selection for the number field sieve. Technical report, the Fields institute, Toronto, Ontario, Canada (June 1999)Google Scholar
  25. 25.
    Morrison, M.A., Brillhart, J.: A method of factoring and the factorization of F 7. Math. of Comp. 29(129), 183–205 (1975)zbMATHMathSciNetGoogle Scholar
  26. 26.
    Murphy, B.: Modelling the yield of number field sieve polynominals. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 137–150. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  27. 27.
    National Institute of Standards and Technology. Discussion paper: the transitioning of cryptographic algorithms and key sizes,
  28. 28.
    National Institute of Standards and Technology. Special publication 800-57: Recommendation for key management part 1: General (revised),
  29. 29.
    Nguyen, P.Q.: A Montgomery-like square root for the number field sieve. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 151–168. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  30. 30.
    Pollard, J.M.: The lattice sieve. In: [19], pp. 43–49Google Scholar
  31. 31.
    Pomerance, C.: Analysis and comparison of some integer factoring algorithms. In: Lenstra Jr., H.W., Tijdeman, R. (eds.) Computational Methods in Number Theory, Math. Centrum Tract, Amsterdam, vol. 154, pp. 89–139 (1982)Google Scholar
  32. 32.
    Pomerance, C.: The quadratic sieve factoring algorithm. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 169–182. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  33. 33.
    Pomerance, C.: A tale of two sieves (1996),
  34. 34.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21, 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  35. 35.
    RSA the security division of EMC. The RSA challenge numbers. formerly on, now on
  36. 36.
    RSA the security division of EMC. The RSA factoring challenge FAQ,
  37. 37.
  38. 38.
    Thomé, E.: Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. Journal of Symbolic Computation 33(5), 757–775 (2002)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.EPFL IC LACALLausanneSwitzerland
  2. 2.NTTTokyoJapan
  3. 3.Dept. of Math.University of BonnBonnGermany
  4. 4.INRIA CNRS LORIA, Équipe CARAMEL - bâtiment AVillers-lès-Nancy CedexFrance
  5. 5.Microsoft Research, One Microsoft WayRedmondUSA
  6. 6.CWIAmsterdamThe Netherlands

Personalised recommendations