We present data concerning the factorization of the 120-digit number RSA-120, which we factored on July 9, 1993, using the quadratic sieve method. The factorization took approximately 825 MIPS years and was completed within three months real time. At the time of writing RSA-120 is the largest integer ever factored by a general purpose factoring algorithm. We also present some conservative extrapolations to estimate the difficulty of factoring even larger numbers, using either the quadratic sieve method or the number field sieve, and discuss the issue of the crossover point between these two methods.

Abstract. In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number field sieve outperforms the gaussian integer method in the hundred digit range. We also illustrate our results by successfully computing discrete logarithms with GNFS in a large prime field. 1.

. We generalize and improve the schemes of [4]. We introduce analogues of exponentiation and discrete logarithms in the principle cycle of real quadratic orders. This enables us to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal [8]. 1 Introduction 1.1 Motivation The security of many cryptographic protocols (see for example [7], [8], [12]) is based on the difficulty of solving the discrete logarithm problem (DL-problem) in the multiplicative group GF (p) of prime fields GF (p) of characteristic p ? 0. Recently, Gordon [9] has shown that under reasonable assumptions the discrete DL-problem in GF(p) can be solved in expected time L p [1=3; c] = exp((c + o(1)) \Delta (log p) 1=3 \Delta (log log p) 2=3 ) by means of the number field sieve (NFS), thereby lowering the best known asymptotically upper bound considerably. Experience with similar integer factoring algorithms shows that the NFS can be expected to ...

Abstract not found

. The difficulty in solving the discrete logarithm problem is of extreme cryptographic importance since it is widely used in signature schemes, message encryption, key exchange, authentication and so on ([15], [17], [21], [29] etc.). The General Number Field Sieve (GNFS) is the asymptotically fastest known method to compute discrete logs mod p [18]. With the first implementation of the GNFS for discrete logs by using Schirokauer's improvement [27] we were able to show its practicability [31]. In this report we write about a new record in computing discrete logarithms mod p and some experimental data collected while finishing the precomputation step for breaking K. McCurley's 129--digit challenge [10]. 1 Introduction Let p be a prime number and IF p (\Delta) be the cyclic multiplicative group of the prime field of p elements, which has order p \Gamma 1. Let a 2 IF p . In the case of b 2 hai, the multiplicative subgroup generated by a, there exist infinitely many x 2 IN 0 such th...

. There are many cryptographic protocols the security of which depends on the difficulty of solving the discrete logarithm problem ( [8], [9], [14], etc.). In [10] and [18] it was described how to apply the number field sieve algorithm to the discrete logarithm problem in prime fields. This resulted in the asymptotically fastest known discrete log algorithm for finite fields of p elements. Very little is known about the behaviour of this algorithm in practice. In this report we write about our practical experience with our implementation of their algorithm whose first version was completed in October 1994 at the Department of Computer Science at the Universitat des Saarlandes. 1 Introduction The importance of the Discrete Logarithm Problem has its roots in its cryptographic significance. Many protocols in cryptography, for example the Digital Signature Standard [14], are secure if the underlying Discrete Logarithm Problem is difficult to solve. A lot of algorithms have already been c...

We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent, than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.

Abstract. We present a new method of lattice sieving which we expect to be faster by a constant factor than the method of Pollard, and which has been used in recent GNFS records. We also explain how to efficiently split the sieving region among several computing nodes and analyze the asymptotic behaviour of the cost of sieving on a large parallel computer. The asymptotic behaviour of the cost parallelized sieving has recently been analyzed by D. Bernstein ([Ber]), who assumed that a two-dimensional mesh is used. We propose a parallelized lattice siever using a butterfly-like topology. The Bernstein cost function for this siever is superior to the cost function for the methods proposed by Bernstein, both asymptotically and for projects of a size comparable to current factorization records. For very large projects, of a size well above RSA1024, one may encounter problems realizing this topology in three-dimensional Euclidean space. We will explain in Remark 3 in the last section that this problem is unlikely to occur for projects of a feasible size. 1. The algorithm for lattice sieving