Results 1-10 of 12
Parallel Algorithms for Integer Factorisation
Cited by 41 (17 self)
The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adleman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number $F_{11} = 2^{2^{11}} + 1$ which was accomplished using ECM.
Recent progress and prospects for integer factorisation algorithms
In Proc. of COCOON 2000, 2000
Cited by 21 (1 self)
Abstract. The integer factorisation and discrete logarithm problems are of practical importance because of the widespread use of public key cryptosystems whose security depends on the presumed difficulty of solving these problems. This paper considers primarily the integer factorisation problem. In recent years the limits of the best integer factorisation algorithms have been extended greatly, due in part to Moore’s law and in part to algorithmic improvements. It is now routine to factor 100-decimal digit numbers, and feasible to factor numbers of 155 decimal digits (512 bits). We outline several integer factorisation algorithms, consider their suitability for implementation on parallel machines, and give examples of their current capabilities. In particular, we consider the problem of parallel solution of the large, sparse linear systems which arise with the MPQS and NFS methods.
Factoring estimates for a 1024-bit RSA modulus
In: Proc. ASIACRYPT 2003, LNCS 2894, 2003
Cited by 12 (6 self)
We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18].
Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields. Cryptology ePrint Archive, Report 2012/720, 2012. http://eprint.iacr.org
Cited by 8 (4 self)
Abstract. Many index calculus algorithms generate multiplicative relations between smoothness basis elements by using a process called Sieving. This process allows to filter potential candidate relations very quickly, without spending too much time to consider bad candidates. However, from an asymptotic point of view, there is not much difference between sieving and straightforward testing of candidates. The reason is that even when sieving, some small amount of time is spent for each bad candidate. Thus, asymptotically, the total number of candidates contributes to the complexity. In this paper, we introduce a new technique: Pinpointing, which allows us to construct multiplicate relations much faster, thus reducing the asymptotic complexity of relations' construction. Unfortunately, we only know how to implement this technique for finite fields which contain a medium-sized subfield. When applicable, this method improves the asymptotic complexity of the index calculus algorithm in the cases where the sieving phase dominates. In practice, it gives a very interesting boost to the performance of state-of-the-art algorithms. We illustrate the feasibility of the method with a discrete logarithm record in medium prime finite fields of sizes 1175 bits and 1425 bits.
ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE
Cited by 6 (1 self)
Abstract. The general number field sieve (GNFS) is the asymptotically fastest algorithm for factoring large integers. Its runtime depends on a good choice of a polynomial pair. In this article we present an improvement of the polynomial selection method of Montgomery and Murphy which has been used in recent GNFS records.
1. The polynomial selection method of Montgomery and Murphy
In this section we briefly discuss the problem of polynomial selection for GNFS. We also sketch the polynomial selection method of Montgomery and Murphy. The first step in GNFS (see [3]) for factoring an integer $N$ consists in the choice of two coprime polynomials $f_1$ and $f_2$ sharing a common root modulo $N$. If we denote the corresponding homogenized polynomials by $F_1$, resp. $F_2$, the next (and most time consuming) step in GNFS consists in finding many pairs $(a, b) \in \mathbb{Z}^2$ of coprime integers for which both values $F_i(a, b)$, $i = 1, 2$, are products of primes below some smoothness bounds $B_i$, $i = 1, 2$ (we will refer to these pairs as sieve reports). This is usually done by a sieving procedure which identifies (most of) these pairs in some region $\mathcal{A} \subset \mathbb{Z}^2$. In the case of line sieving $\mathcal{A}$ is of the form $[-A, A] \times [1, B] \cap \mathbb{Z}^2$ for some $A$ and $B$. For lattice sieving the form of this region is more complicated, but we could use a rectangle as above as an approximation. The sieving region $\mathcal{A}$ and the smoothness bounds $B_i$, $i = 1, 2$, are chosen such that one finds approximately $\pi(B_1) + \pi(B_2)$ sieve reports ($\pi(x)$ denotes the number of primes below $x$). The time spent for sieving mainly depends on the size of the region $\mathcal{A}$, i.e., $2AB$. So we are left with two problems for the polynomial selection phase: how to find such polynomial pairs and, having found more than one, how to select a polynomial pair which minimizes sieving time. Both problems are addressed in several articles ([4], [5], [6]). We give a short description of the results of these articles.
Let $\rho(x)$ be Dickman’s function which roughly is the probability that the largest prime factor of a natural number $n$ is at most $n^{1/x}$. A first approximation for the number of sieve reports is given by $\frac{6}{\pi^2}$
Rotations and Translations of Number Field Sieve Polynomials
Cited by 4 (0 self)
Abstract. We present an algorithm that finds polynomials with many roots modulo many primes by rotating candidate Number Field Sieve polynomials using the Chinese Remainder Theorem. We also present an algorithm that finds a polynomial with small coefficients among all integral translations of X of a given polynomial in $\mathbb{Z}[X]$. These algorithms can be used to produce promising candidate Number Field Sieve polynomials.
On Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve. https://eprint.iacr.org/2011/292.pdf
Cited by 2 (0 self)
The general number field sieve (GNFS) is asymptotically the fastest known factoring algorithm. One of the most important steps of GNFS is to select a good polynomial pair. A standard way of polynomial selection (being used in factoring RSA challenge numbers) is to select a nonlinear polynomial for algebraic sieving and a linear polynomial for rational sieving. There is another method called a nonlinear method which selects two polynomials of the same degree greater than one. In this paper, we generalize Montgomery’s method [7] using small geometric progression (GP) (mod N) to construct a pair of nonlinear polynomials. We introduce GP of length d + k with 1 ≤ k ≤ d − 1 and show that we can construct polynomials of degree d having common root (mod N), where the number of such polynomials and the size of the coefficients can be precisely determined.
The Three-Large-Primes Variant of the Number Field Sieve
Cited by 1 (0 self)
The Number Field Sieve (NFS) is the asymptotically fastest known factoring algorithm for large integers. This method was proposed by John Pollard [20] in 1988. Since then several variants have been implemented with the objective of improving the siever which is the most time consuming part of this method (but fortunately, also the easiest to parallelise). Pollard's original method allowed one large prime. After that the two-large-primes variant led to substantial improvements [11]. In this paper we investigate whether the three-large-primes variant may lead to any further improvement. We present theoretical expectations and experimental results. We assume the reader to be familiar with the NFS.
Some Statistics for NFS Factorizations
2002
3 Finite Fields
In computational number theory and cryptographic applications, we often have to work over finite fields. A finite field F is a finite set with operations "+" and "×" which satisfy the usual associative, commutative and distributive laws:
Polynomial Selection for Number Field Sieve in Geometric View
Abstract. Polynomial selection is the first important step in number field sieve. A good polynomial not only can produce more relations in the sieving step, but also can reduce the matrix size. In this paper, we propose to use geometric view in the polynomial selection. In geometric view, the coefficients' interaction on size and the number of real roots are simultaneously considered in polynomial selection. We get two simple criteria. The first is that the leading coefficient should not be too large or some good polynomials will be omitted. The second is that the coefficient of degree d − 2 should be negative and it is better if the coefficients of degree d − 1 and d − 3 have opposite sign. Using these new criteria, the computation can be reduced while we can get good polynomials. Many experiments on large integers show the effectiveness of our conclusion.