This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book ‘‘Computers and Intractability: A Guide to the Theory of NP-Completeness,’ ’ W. H. Freeman & Co., New York, 1979 (hereinafter referred to as ‘‘[G&J]’’; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time-solvability, etc.) or open problems they would like publicized, should

Abstract not found

This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.

Let NF(n, k, r) denote the maximum number of columns in an n-row matrix with entries ina finite field F in which each column has at most r nonzero entries and every k columns arelinearly independent over F. We obtain near-optimal upper bounds for NF(n, k, r) in the case k> r. Namely, we show that NF(n, k, r) # n r2 + cr k where c ij 43 for large k. Our method is based on a novel reduction of the problem to the extremal problem for cycles in graphs, and yields a fast algorithm for finding short linear dependences. We present additional applications of this method to problems in extremal hypergraph theory and combinatorial number theory.

We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent, than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.

Partiellement soutenu par une bourse de la Conseil de recherches en sciences naturelles et en génie du Canada. 3 Supported in part by NSF Grant DMS-01-03635. In 1994, Carl Pomerance proposed the following problem: Select integers a1, a2,..., aJ at random from the interval [1, x], stopping when some (non-empty) subsequence, {ai: i ∈ I} where I ⊆ {1, 2,..., J}, has a square product (that is ∏ i∈I ai ∈ Z2). What can we say about the possible stopping times, J? A 1985 algorithm of Schroeppel can be used to show that this process stops after selecting (1 + ɛ)J0(x) integers aj with probability 1 − o(1) (where the function J0(x) is given explicitly in (1) below). Schroeppel’s algorithm actually finds the square product, and this has subsequently been adopted, with relatively minor modifications, by all factorers. In 1994 Pomerance showed that, with probability 1−o(1), the

A prohibitive barrier faced by elliptic curve users is the difficulty of computing the curves' cardinalities. Despite recent theoretical breakthroughs, point counting still remains very cumbersome and intensively time consuming.

In many integer factoring algorithms, one produces a sequence of integers (created in a pseudo-random way), and wishes to determine a subsequence whose product is a square. A good model for how this sequence is generated is the following process introduced by Pomerance in his 1994 invited ICM lecture: Select integers a1, a2,..., at random from the interval [1, x], until some subsequence products to a square. Estimating the expected stopping time of this process turns out to be a central problem in developing heuristic running time estimates for integer factoring algorithms. Also, if one knows how long the other parts of the algorithm take, one can use such stopping time estimates to determine the optimal choice of algorithm parameters that minimizes the running time. Here we determine this expected stopping time up to a constant factor, which improves previous estimates due to Pomerance (1994) and Schroeppel (1985), who showed that this stopping time lies in an interval [y0, y 1+o(1) 0], for an appropriate y0 = y0(x). Thus our result significantly tightens this interval to [y0, cy0], for a small positive constant c, and comes close to proving a sharp threshold for the montone property of having a square dependence in a random sequence of integers. Our proof uses the first and second moment methods and analytical estimates on smooth numbers.

These notes informally review the most common methods from computational number theory that have applications in public key cryptology.

Introduction L'apparition des syst`emes de chiffrement `a clefs publiques de fa¸con g'en'erale [DH76], et du syst`eme de chiffrement RSA en particulier [ARS78], a caus'e un regain d'int'eret pour la th'eorie des nombres et en particulier l'arithm'etique dans ses aspects calculatoires. Pour r'epondre `a des questions aussi simples que celles concernant la d'ecomposition des nombres en facteurs premiers, il a fallu donner des r'eponses algorithmiques prenant en compte la faisabilit'e des calculs ainsi que le temps imparti pour donner une r'eponse satisfaisante. Cela a provoqu'e l'essor de la th'eorie algorithmique des nombres. Cet expos'e est destin'e `a mettre en lumi`ere les progr`es accomplis depuis une dizaine d'ann'ees dans les domaines de la primalit'e des entiers (comment peut-on prouver qu'un entier de quelques centaines de chiffres d'ecimaux est premier) ; factorisation des entiers (quels sont les facteurs d'un nombre qui n'est pas premier) ; logarithme