The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number F11 = 2211 + 1 which was accomplished using ECM.

. In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the function field sieve. We also provide a sketch of the some of the cryptographic schemes whose security depends on the intractibility of the discrete logarithm problem. 1 Introduction Let G be a cyclic group generated by an element t. The discrete logarithm problem in G is to compute for any b 2 G the least non-negative integer e such that t e = b. In this case, we write log t b = e. Our purpose, in this paper, is to survey recent work on the discrete logarithm problem. Our approach is twofold. On the one hand, we consider the problem from a purely theoretical perspective. Indeed, the algorithms that have been developed to solve it not only explore the fundamental nature of one of the basic s...

Abstract. In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number field sieve outperforms the gaussian integer method in the hundred digit range. We also illustrate our results by successfully computing discrete logarithms with GNFS in a large prime field. 1.

We describe in this article how we have been able to extend the record for computations of discrete logarithms in characteristic 2 from the previous record over F 2 503 to a newer mark of F 2 607 , using Coppersmith's algorithm. This has been made possible by several practical improvements to the algorithm. Although the computations have been carried out on fairly standard hardware, our opinion is that we are nearing the current limits of the manageable sizes for this algorithm, and that going substantially further will require deeper improvements to the method.

) Thomas F. Denny Universitat des Saarlandes FB 14 Informatik Postfach 15 11 50 66041 Saarbrucken Germany Volker Muller Department of C & O University of Waterloo Waterloo, Ontario Canada N2L 3G1 4th December 1995 Abstract In this paper we will present an algorithm which reduces the weight (the number of non zero elements) of the matrices that arise from the number field sieve (NFS) for factoring integers [9] and computing discrete logarithm in IF p , where p is a prime ([3], [13]). In the so called Quadruple Large Prime Variation of NFS a graph algorithm computes sets of partial relations (relations with up to 4 large primes) that can each be combined to ordinary relations. The cardinality of these sets is not as low as possible due to time and place requirements. The algorithm presented in this paper reduces the cardinality of these sets up to 30 %. The resulting system of linear equations is therefore more sparse as before, which leads to significant improvements in the runni...

Abstract not found

Abstract not found

Using simple examples and informal discussions this article surveys the key ideas and major advances of the last quarter century in integer factorization.

We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent, than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.

Partiellement soutenu par une bourse de la Conseil de recherches en sciences naturelles et en génie du Canada. 3 Supported in part by NSF Grant DMS-01-03635. In 1994, Carl Pomerance proposed the following problem: Select integers a1, a2,..., aJ at random from the interval [1, x], stopping when some (non-empty) subsequence, {ai: i ∈ I} where I ⊆ {1, 2,..., J}, has a square product (that is ∏ i∈I ai ∈ Z2). What can we say about the possible stopping times, J? A 1985 algorithm of Schroeppel can be used to show that this process stops after selecting (1 + ɛ)J0(x) integers aj with probability 1 − o(1) (where the function J0(x) is given explicitly in (1) below). Schroeppel’s algorithm actually finds the square product, and this has subsequently been adopted, with relatively minor modifications, by all factorers. In 1994 Pomerance showed that, with probability 1−o(1), the