Results 1 
9 of
9
On the factorization of RSA120
, 1994
"... We present data concerning the factorization of the 120digit number RSA120, which we factored on July 9, 1993, using the quadratic sieve method. The factorization took approximately 825 MIPS years and was completed within three months real time. At the time of writing RSA120 is the largest inte ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
We present data concerning the factorization of the 120digit number RSA120, which we factored on July 9, 1993, using the quadratic sieve method. The factorization took approximately 825 MIPS years and was completed within three months real time. At the time of writing RSA120 is the largest integer ever factored by a general purpose factoring algorithm. We also present some conservative extrapolations to estimate the difficulty of factoring even larger numbers, using either the quadratic sieve method or the number field sieve, and discuss the issue of the crossover point between these two methods.
Improvements to the general number field sieve for discrete logarithms in prime fields
 Mathematics of Computation
, 2003
"... Abstract. In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
Abstract. In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number field sieve outperforms the gaussian integer method in the hundred digit range. We also illustrate our results by successfully computing discrete logarithms with GNFS in a large prime field. 1.
Cryptographic Protocols Based on Discrete Logarithms in Realquadratic Orders
 Advances in Cryptology — CRYPTO ’94, Lecture Notes in Computer Science
, 1994
"... . We generalize and improve the schemes of [4]. We introduce analogues of exponentiation and discrete logarithms in the principle cycle of real quadratic orders. This enables us to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
. We generalize and improve the schemes of [4]. We introduce analogues of exponentiation and discrete logarithms in the principle cycle of real quadratic orders. This enables us to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal [8]. 1 Introduction 1.1 Motivation The security of many cryptographic protocols (see for example [7], [8], [12]) is based on the difficulty of solving the discrete logarithm problem (DLproblem) in the multiplicative group GF (p) of prime fields GF (p) of characteristic p ? 0. Recently, Gordon [9] has shown that under reasonable assumptions the discrete DLproblem in GF(p) can be solved in expected time L p [1=3; c] = exp((c + o(1)) \Delta (log p) 1=3 \Delta (log log p) 2=3 ) by means of the number field sieve (NFS), thereby lowering the best known asymptotically upper bound considerably. Experience with similar integer factoring algorithms shows that the NFS can be expected to ...
Integer Factorization
, 2006
"... Factorization problems are the “The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors, is known to be one of the most important and useful in arithmetic,” Gauss wrote in his Disquisitiones Arithmeticae in 1801. “The dignity of the sc ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
Factorization problems are the “The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors, is known to be one of the most important and useful in arithmetic,” Gauss wrote in his Disquisitiones Arithmeticae in 1801. “The dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.” But what exactly is the problem? It turns out that there are many different factorization problems, as we will discuss in this paper.
Computing Discrete Logarithms with the General Number Field Sieve
, 1996
"... . The difficulty in solving the discrete logarithm problem is of extreme cryptographic importance since it is widely used in signature schemes, message encryption, key exchange, authentication and so on ([15], [17], [21], [29] etc.). The General Number Field Sieve (GNFS) is the asymptotically fastes ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
. The difficulty in solving the discrete logarithm problem is of extreme cryptographic importance since it is widely used in signature schemes, message encryption, key exchange, authentication and so on ([15], [17], [21], [29] etc.). The General Number Field Sieve (GNFS) is the asymptotically fastest known method to compute discrete logs mod p [18]. With the first implementation of the GNFS for discrete logs by using Schirokauer's improvement [27] we were able to show its practicability [31]. In this report we write about a new record in computing discrete logarithms mod p and some experimental data collected while finishing the precomputation step for breaking K. McCurley's 129digit challenge [10]. 1 Introduction Let p be a prime number and IF p (\Delta) be the cyclic multiplicative group of the prime field of p elements, which has order p \Gamma 1. Let a 2 IF p . In the case of b 2 hai, the multiplicative subgroup generated by a, there exist infinitely many x 2 IN 0 such th...
An Implementation of the General Number Field Sieve to Compute Discrete Logarithms mod p
 Advances in Cryptology, EUROCRYPT '95, Lecture Notes in Computer Science
, 1994
"... . There are many cryptographic protocols the security of which depends on the difficulty of solving the discrete logarithm problem ( [8], [9], [14], etc.). In [10] and [18] it was described how to apply the number field sieve algorithm to the discrete logarithm problem in prime fields. This resulted ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
. There are many cryptographic protocols the security of which depends on the difficulty of solving the discrete logarithm problem ( [8], [9], [14], etc.). In [10] and [18] it was described how to apply the number field sieve algorithm to the discrete logarithm problem in prime fields. This resulted in the asymptotically fastest known discrete log algorithm for finite fields of p elements. Very little is known about the behaviour of this algorithm in practice. In this report we write about our practical experience with our implementation of their algorithm whose first version was completed in October 1994 at the Department of Computer Science at the Universitat des Saarlandes. 1 Introduction The importance of the Discrete Logarithm Problem has its roots in its cryptographic significance. Many protocols in cryptography, for example the Digital Signature Standard [14], are secure if the underlying Discrete Logarithm Problem is difficult to solve. A lot of algorithms have already been c...
CONTINUED FRACTIONS AND LATTICE SIEVING
"... Abstract. We present a new method of lattice sieving which we expect to be faster by a constant factor than the method of Pollard, and which has been used in recent GNFS records. We also explain how to efficiently split the sieving region among several computing nodes and analyze the asymptotic beha ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. We present a new method of lattice sieving which we expect to be faster by a constant factor than the method of Pollard, and which has been used in recent GNFS records. We also explain how to efficiently split the sieving region among several computing nodes and analyze the asymptotic behaviour of the cost of sieving on a large parallel computer. The asymptotic behaviour of the cost parallelized sieving has recently been analyzed by D. Bernstein ([Ber]), who assumed that a twodimensional mesh is used. We propose a parallelized lattice siever using a butterflylike topology. The Bernstein cost function for this siever is superior to the cost function for the methods proposed by Bernstein, both asymptotically and for projects of a size comparable to current factorization records. For very large projects, of a size well above RSA1024, one may encounter problems realizing this topology in threedimensional Euclidean space. We will explain in Remark 3 in the last section that this problem is unlikely to occur for projects of a feasible size. 1. The algorithm for lattice sieving
The Magic Words Are Squeamish Ossifrage (Extended Abstract)
"... We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic siev ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent, than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonlyused 512bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.