## Strategies in Filtering in the Number Field Sieve (2000)

Venue: | In preparation |

Citations: | 13 - 2 self |

### BibTeX

@INPROCEEDINGS{Cavallar00strategiesin,

author = {S. Cavallar and Stefania Cavallar},

title = {Strategies in Filtering in the Number Field Sieve},

booktitle = {In preparation},

year = {2000},

pages = {209--231},

publisher = {Springer}

}

### OpenURL

### Abstract

A critical step when factoring large integers by the Number Field Sieve [8] consists of finding dependencies in a huge sparse matrix over the field F2 , using a Block Lanczos algorithm. Both size and weight (the number of non-zero elements) of the matrix critically affect the running time of Block Lanczos. In order to keep size and weight small the relations coming out of the siever do not flow directly into the matrix, but are filtered first in order to reduce the matrix size. This paper discusses several possible filter strategies and their use in the recent record factorizations of RSA-140, R211 and RSA-155. 2000 Mathematics Subject Classification: Primary 11Y05. Secondary 11A51. 1999 ACM Computing Classification System: F.2.1. Keywords and Phrases: Number Field Sieve, factoring, filtering, Structured Gaussian elimination, Block Lanczos, RSA. Note: Work carried out under project MAS2.2 "Computational number theory and data security". This report will appear in the proceed...

### Citations

264 |
Algebraic number theory
- Lang
- 1970
(Show Context)
Citation Context ...e need to reserve a surplus of relations for the small prime ideals: Per polynomial, the number of prime ideals below filtmin is approximately (filtmin), i.e., the number of primes below filtmin, see =-=[14]-=-. Consequently, we require a surplus of approximately (2 \Gamma (g f \Delta g g ) \Gamma1 ) \Delta (filtmin) relations. If the required surplus is not reached we need to sieve more relations. Clique a... |

256 |
Sorting and Searching, volume 3 of The Art of Computer Programming
- Knuth
- 1998
(Show Context)
Citation Context ...s own special I , other prime ideals that are used as special prime ideals as well. The simultaneous use of line-by-line and lattice siever also causes overlap. Duplicates are tracked down by hashing =-=[12]. Since it-=- is easier and cheaper to use a number instead of a relation as a hash table entry, we "identify" a relation with a number. The user specifies how many relations he expects to be in the inpu... |

151 |
The Stanford GraphBase: A Platform for Combinatorial Computing
- Knuth
- 1993
(Show Context)
Citation Context ...1:7 6.9 singletons (7) 28.5 28.2 26.5 32.5 relations left (8)=(3)+(4)\Gamma(7) 26.8 28.5 21.3 53.2 prime ideals left (9) 21.5 22.6 18.5 42.6 excess (10)=(8)\Gamma(9) 5.2 6.0 2.8 10.6 clique relations =-=(11)-=- 17.6 18.7 7.4 0 34.1 33.0 29.6 22.9 relations left (12)=(8)\Gamma(11) 9.2 9.8 13.9 21.3 19.1 20.2 23.6 30.3 prime ideals left (13) 7.8 8.1 12.2 18.5 17.4 18.2 20.6 25.3 excess (=keep) (14)=(12)\Gamma... |

87 |
On the history of the minimum spanning tree problem
- Graham, Hell
- 1985
(Show Context)
Citation Context ...0.2 prime ideals (5) 54.2 54.7 49.5 78.8 excess (6)=(3)+(4)\Gamma(5) 1.1 2.0 \Gamma1:7 6.9 singletons (7) 28.5 28.2 26.5 32.5 relations left (8)=(3)+(4)\Gamma(7) 26.8 28.5 21.3 53.2 prime ideals left =-=(9)-=- 21.5 22.6 18.5 42.6 excess (10)=(8)\Gamma(9) 5.2 6.0 2.8 10.6 clique relations (11) 17.6 18.7 7.4 0 34.1 33.0 29.6 22.9 relations left (12)=(8)\Gamma(11) 9.2 9.8 13.9 21.3 19.1 20.2 23.6 30.3 prime i... |

81 |
Algebraische Zahlentheorie
- Neukirch
- 1991
(Show Context)
Citation Context ...p)=c 2 = p deg(g) , respectively. Approximately 1=(g f \Delta g g ) of the primes offer a free relation, where g f and g g are the orders of the Galois groups of the polynomials f and g, respectively =-=[10]-=-. The free relation (p; 0) is added to the relation table only if all prime ideals of norm p appear in the relation table. Next, a frequency table is built for all occurring prime ideals which is adju... |

73 | Solving large sparse linear systems over finite fields
- LaMacchia, Odlyzko
- 1990
(Show Context)
Citation Context ...r methods in the literature We would like to mention two articles about similar filter strategies. These are "Solving Large Sparse Linear Systems Over Finite Fields" of LaMacchia and Odlyzko=-= from 1990[13] and "-=-;Reduction of Huge, Sparse Matrices over Finite Fields Via Created Catastrophes" of Pomerance and Smith from 1992[19]. Their strategies are similar to each other but differ in some points. Both w... |

58 |
Factoring integers with the number field sieve
- Buhler, Lenstra, et al.
- 1993
(Show Context)
Citation Context ...onds to the matrix obtained when dropping the prime ideals of norm below 40. 12 number being factored RSA-140 R211 RSA-155 experiment A B A B A B C D raw relations (1) 65.7 68.5 57.6 130.8 duplicates =-=(2)-=- 10.6 11.9 10.6 45.3 non-duplicates (3)=(1)\Gamma(2) 55.1 56.6 47.0 85.5 free relations (4) 0.1 0.1 0.8 0.2 prime ideals (5) 54.2 54.7 49.5 78.8 excess (6)=(3)+(4)\Gamma(5) 1.1 2.0 \Gamma1:7 6.9 singl... |

52 |
A Block Lanczos Algorithm for Finding Dependencies over
- Montgomery
- 1995
(Show Context)
Citation Context ...ons than this bound. Influence of merging on Block Lanczos's running time. Given an m \Theta n matrix, n ? m, of total weight w, the running time estimate of Block Lanczos is given by O(wn) + O(n 2 ) =-=[16]-=-. Both terms grow with n, so we will focus on reducing n. If we manage to reduce n by a certain factor while w does not grow by more than this factor, we will get a running time reduction, independent... |

32 | Factorization of a 512-bit RSA Modulus
- Cavallar, Dodson, et al.
- 2000
(Show Context)
Citation Context ...ieve (NFS) is the asymptotically fastest algorithm known for factoring large integers. It holds the records in factoring special numbers (R211 [3]) as well as general numbers (RSA-140 [4] and RSA-155 =-=[5]-=-). One disadvantage is that it produces considerably larger matrices than other methods, such as the Quadratic Sieve [1]. Therefore it is more and more important to find ways to limit the matrix size.... |

22 |
Reduction of huge, sparse matrices over finite fields via created catastrophes
- Pomerance, Smith
- 1992
(Show Context)
Citation Context ...e Sparse Linear Systems Over Finite Fields" of LaMacchia and Odlyzko from 1990[13] and "Reduction of Huge, Sparse Matrices over Finite Fields Via Created Catastrophes" of Pomerance and =-=Smith from 1992[19]-=-. Their strategies are similar to each other but differ in some points. Both were designed to reduce the initial data to a substantially smaller matrix. This matrix was allowed to be fairly dense sinc... |

18 |
Square roots of products of algebraic numbers
- Montgomery
- 1994
(Show Context)
Citation Context ... gcd(X \Gamma Y; N) we may find a divisor of N . The major obstruction in this series of congruences is that we need to find fl 2 Q(ff) from fl 2 (and ffi from ffi 2 , respectively). See Montgomery's =-=[15]-=- or Phong Nguyen's [17] papers for a description of their square root algorithms. How to find the set S? We write F (x; y) = f(x=y)y deg(f) and G(x; y) = g(x=y)y deg(g) for the homogeneous form of f(x... |

16 |
The lattice sieve
- Pollard
(Show Context)
Citation Context ...r restarted. In case of a line-by-line siever [8, section 6] the resumed jobs start with the last b sieved by the previous job; this is the only way that duplicates arise. In case of a lattice siever =-=[18]-=- the job starts with the special prime ideal I sieved last, and will generate duplicates, or it can do so because a relation may contain, apart from its own special I , other prime ideals that are use... |

13 | An implementation of the number field sieve
- Elkenbracht-Huizing
- 1996
(Show Context)
Citation Context ...e Number Field Sieve Stefania Cavallar CWI P.O. Box 94079, 1090 GB Amsterdam, The Netherlands Stefania.Cavallar@cwi.nl ABSTRACT A critical step when factoring large integers by the Number Field Sieve =-=[8]-=- consists of finding dependencies in a huge sparse matrix over the field F2 , using a Block Lanczos algorithm. Both size and weight (the number of non-zero elements) of the matrix critically affect th... |

12 | A Montgomery-like square root for the number field sieve
- Nguyen
- 1998
(Show Context)
Citation Context ...may find a divisor of N . The major obstruction in this series of congruences is that we need to find fl 2 Q(ff) from fl 2 (and ffi from ffi 2 , respectively). See Montgomery's [15] or Phong Nguyen's =-=[17]-=- papers for a description of their square root algorithms. How to find the set S? We write F (x; y) = f(x=y)y deg(f) and G(x; y) = g(x=y)y deg(g) for the homogeneous form of f(x) and g(x), respectivel... |

5 |
Jörg Zayer, A World Wide Number Field Sieve Factoring Record: On to 512
- Cowie, Dodson, et al.
- 1996
(Show Context)
Citation Context ...elations (1) 65.7 68.5 57.6 130.8 duplicates (2) 10.6 11.9 10.6 45.3 non-duplicates (3)=(1)\Gamma(2) 55.1 56.6 47.0 85.5 free relations (4) 0.1 0.1 0.8 0.2 prime ideals (5) 54.2 54.7 49.5 78.8 excess =-=(6)-=-=(3)+(4)\Gamma(5) 1.1 2.0 \Gamma1:7 6.9 singletons (7) 28.5 28.2 26.5 32.5 relations left (8)=(3)+(4)\Gamma(7) 26.8 28.5 21.3 53.2 prime ideals left (9) 21.5 22.6 18.5 42.6 excess (10)=(8)\Gamma(9) 5.... |

4 |
Factoring large integers with the quadratic sieve
- Boender
(Show Context)
Citation Context ... special numbers (R211 [3]) as well as general numbers (RSA-140 [4] and RSA-155 [5]). One disadvantage is that it produces considerably larger matrices than other methods, such as the Quadratic Sieve =-=[1]. Therefor-=-e it is more and more important to find ways to limit the matrix size. This can be achieved by using good sieving parameters and by "intelligent" filtering. In this paper we describe the ext... |

1 |
211-digit SNFS factorization. Available from ftp://ftp.cwi.nl/pub/herman/NFSrecords/SNFS-211
- Cavallar, Dodson, et al.
- 1999
(Show Context)
Citation Context ...erlands, July 2--7, 2000. Introduction The Number Field Sieve (NFS) is the asymptotically fastest algorithm known for factoring large integers. It holds the records in factoring special numbers (R211 =-=[3]-=-) as well as general numbers (RSA-140 [4] and RSA-155 [5]). One disadvantage is that it produces considerably larger matrices than other methods, such as the Quadratic Sieve [1]. Therefore it is more ... |

1 |
Solving large sparse systems of linear equations over finite prime fields. Transparencies of a lecture of the Cryptography Group at CWI
- Denny
- 1995
(Show Context)
Citation Context ...ibution from the large prime ideals but only estimate the contribution from the small prime ideals. In 1995, Thomas Denny proposed a Structured Gaussian elimination preliminary step for Block Lanczos =-=[7]-=-. He estimated C = 1 for his own Block Lanczos program. We therefore also included C = 1 in Tables 2 and 3. 4. Experimental results The experiments were done with two versions of our program filter. B... |