In this paper we describe our distributed implementation of two factoring algorithms. the elliptic curve method (ecm) and the multiple polynomial quadratic sieve algorithm (mpqs). Since the summer of 1987. our erm-implementation on a network of MicroVAX processors at DEC’s Systems Research Center has factored several most and more wanted numbers from the Cun-ningham project. In the summer of 1988. we implemented the multiple polynomial quadratic sieve algorithm on rhe same network On this network alone. we are now able to factor any!@I digit integer, or to find 35 digit factors of numbers up to 150 digits long within one month. To allow an even wider distribution of our programs we made use of electronic mail networks For the distribution of the programs and for inter-processor communicatton. Even during the mitial stage of this experiment machines all over the United States and at various places in Europe and Ausnalia conhibuted 15 percent of the total factorization effort. At all the sites where our program is running we only use cycles that would otherwise have been idle. This shows that the enormous computational task of factoring 100 digit integers with the current algoritluns can be completed almost for free. Since we use a negligible fraction of the idle cycles of alI the machines on the worldwide elecnonic mail networks. we could factor 100 digit integers within a few days with a little more help.

Lenstra’s integer factorization algorithm is asymptotically one of the fastest known algorithms, and is also ideally suited for parallel computation. We suggest a way in which the algorithm can be speeded up by the addition of a second phase. Under some plausible assumptions, the speedup is of order log(p), where p is the factor which is found. In practice the speedup is significant. We mention some refinements which give greater speedup, an alternative way of implementing a second phase, and the connection with Pollard’s “p − 1” factorization algorithm. 1

The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number F11 = 2211 + 1 which was accomplished using ECM.

The purpose of this paper is to report the unexpected results that we obtained while experimenting with the multi-large prime varia-tion of the general number field sieve integer factoring algorithm (NFS, cf. [8]). For traditional factoring algorithms that make use of at most two large primes, the completion time can quite accurately be predicted by extrapolating an almost quartic and entirely ‘smooth ’ function that counts the number of useful combinations among the large primes [l]. For NFS such extrapolations seem to be impossible-the number of useful combinations suddenly ‘explodes ’ in an as yet unpredictable way, that we have not yet been able to understand completely. The consequence of this explosion is that NFS is substantially faster than expected, which implies that factoring is somewhat easier than we thought.

Abstract. The integer factorisation and discrete logarithm problems are of practical importance because of the widespread use of public key cryptosystems whose security depends on the presumed difficulty of solving these problems. This paper considers primarily the integer factorisation problem. In recent years the limits of the best integer factorisation algorithms have been extended greatly, due in part to Moore’s law and in part to algorithmic improvements. It is now routine to factor 100-decimal digit numbers, and feasible to factor numbers of 155 decimal digits (512 bits). We outline several integer factorisation algorithms, consider their suitability for implementation on parallel machines, and give examples of their current capabilities. In particular, we consider the problem of parallel solution of the large, sparse linear systems which arise with the MPQS and NFS methods. 1

. We describe the complete factorization of the tenth and eleventh Fermat numbers. The tenth Fermat number is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The eleventh Fermat number is a product of five prime factors with 6, 6, 21, 22 and 564 decimal digits. We also note a new 27-decimal digit factor of the thirteenth Fermat number. This number has four known prime factors and a 2391-decimal digit composite factor. All the new factors reported here were found by the elliptic curve method (ECM). The 40-digit factor of the tenth Fermat number was found after about 140 Mflop-years of computation. We discuss aspects of the practical implementation of ECM, including the use of special-purpose hardware, and note several other large factors found recently by ECM. 1. Introduction For a nonnegative integer n, the n-th Fermat number is F n = 2 2 n + 1. It is known that F n is prime for 0 n 4, and composite for 5 n 23. Also, for n 2, the factors of F n are of th...

I have been afforded the rare opportunity of working as a student of Richard Brent. Over the last three years, Richard has provided encouragement, guidance and suggestions from which I have learnt a great deal and for which I am extremely grateful. Richard was also considerate enough to take up a chair in Computing Science at Oxford University in 1998. That gave me an excuse to visit him there, about which I will say more later. I also owe a great deal to Peter Montgomery (CWI, Amsterdam and Microsoft Research, USA). Peter's influence on current research in this field is far more extensive than most people realise. I have had the benefit of many long discussions with Peter, and a great deal of patient instruction from him. Several key sections of this thesis are developed from ideas originating from discussions with Peter. My research experience has been enriched and broadened through close collaboration with the Computational Number Theory and Data Security group at CWI in Amsterdam. I thank Herman te Riele, the head of the group, for fostering that collaboration and supporting two visits by me to CWI.

this document, authentication will generally refer to the use of digital signatures, which play a function for digital documents similar to that played by handwritten signatures for printed documents: the signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document to which the signature is attached. The recipient, as well as a third party, can verify both that the document did indeed originate from the person whose signature is attached and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts: a method of signing a document such that forgery is infeasible, and a method of verifying that a signature was actually generated by whomever it represents. Furthermore, secure digital signatures cannot be repudiated; i.e., the signer of a document cannot later disown it by claiming it was forged.

Since nobody can guarantee that the computation of discrete logarithms in elliptic curves or IF p remains intractible for the future it is important to study cryptosystems based on alternative groups. A promising candidate, which was proposed by Buchmann and Williams [8], is the class group Cl(\Delta) of an imaginary quadratic order O \Delta . This ring is isomorphic to the endomorphism ring of a non-supersingular elliptic curve over a finite field. While in the meantime there was found a subexponential algorithm for the computation of discrete logarithms in Cl(\Delta) [16], this algorithm only has running time L \Delta [ 1 2 ; c] and is far less efficient than the number field sieve with L p [ 1 3 ; c] to compute logarithms in IF p . Thus one may choose the parameters smaller to obtain the same level of security. It is an open question whether there is an L \Delta [ 1 3 ; c] algorithm to compute discrete logarithms in arbitrary Cl(\Delta). Recently there were proposed cry...

Abstract. We present a new algorithm for computing the ideal class group of an imaginary quadratic order which is based on the multiple polynomial version of the quadratic sieve factoring algorithm. Although no formal analysis is given, we conjecture that our algorithm has sub-exponential complexity, and computational experience shows that it is significantly faster in practice than existing algorithms. 1.