Integer factorization records

Integer factorization is the process of determining which prime numbers divide a given positive integer. Doing this quickly has applications in cryptography. The difficulty depends on both the size and form of the number and its prime factors; it is currently very difficult to factorize large semiprimes (and, indeed, most numbers which have no small factors).

Contents

Numbers of a general form

The first very large distributed factorisation was RSA129, a challenge number described in the Scientific American article of 1977 which first popularised the RSA cryptosystem. It was factorised between September 1993 and April 1994, using MPQS, with relations contributed by about 600 people from all over the Internet, and the final stages of the calculation performed on a MasPar supercomputer at Bell Labs.

Between January and August 1999, RSA-155, a challenge number prepared by the RSA company, was factorised using GNFS with relations again contributed by a large group, and the final stages of the calculation performed in just over nine days on the Cray C916 supercomputer at the SARA Amsterdam Academic Computer Center.

In January 2002, Franke et al. announced the factorisation of a 158-digit cofactor of 2953+1, using a couple of months on about 25 PCs at the University of Bonn, with the final stages done using a cluster of six Pentium-III PCs.

In April 2003, the same team factored RSA-160 using about a hundred CPUs at BSI, with the final stages of the calculation done using 25 processors of an SGI Origin supercomputer.

The 174-digit RSA-576 was factored by Franke, Kleinjung and members of the NFSNET collaboration in December 2003, using resources at BSI and the University of Bonn; soon afterwards, Aoki, Kida, Shimoyama, Sonoda and Ueda announced that they had factored a 164-digit cofactor of 21826+1.

A 176-digit cofactor of 11281+1 was factored by Aoki, Kida, Shimoyama and Ueda between February and May 2005 using machines at NTT and Rikkyo University in Japan.[1]

The RSA-200 challenge number was factored by Franke, Kleinjung et al. between December 2003 and May 2005, using a cluster of 80 Opteron processors at BSI in Germany; the announcement was made on 9 May 2005.[2] They later (November 2005) factored the slightly smaller RSA-640 challenge number.

On December 12, 2009, a team including researchers from the CWI, the EPFL, INRIA and NTT in addition to the authors of the previous record factored RSA-768, a 232-digit semiprime.[3] They used the equivalent of almost 2000 years of computing on a single core 2.2 GHz AMD Opteron.

Numbers of a special form

12151 − 1, of 542 bits (163 digits), was factored between April and July 1993 by a team at CWI and Oregon State University. [4]

2773 + 1, of 774 bits (233 digits), was factored between April and November 2000 by 'The Cabal', with the matrix step done over 250 hours on the Cray also used for RSA-155.[5]

2809 − 1, of 809 bits (244 digits), had its factorisation announced at the start of January 2003. Sieving was done at the CWI, at the Scientific Computing Institute and the Pure Mathematics Department at Bonn University, and using private resources of J. Franke, T. Kleinjung and the family of F. Bahr. The linear algebra step was done by P. Montgomery at SARA in Amsterdam. [6]

6353 − 1, of 911 bits (275 digits), was factored by Aoki, Kida, Shimoyama and Ueda between September 2005 and January 2006 using SNFS.[7]

21039 − 1, of 1039 bits (313 digits) (though a factor of 23 bits was already known) was factored between September 2006 and May 2007 by a group including K. Aoki, J. Franke, T. Kleinjung, A. K. Lenstra and D. A. Osvik, using computers at NTT, EPFL and the University of Bonn.[8][9]

Comparison to efforts by individuals

As of the end of 2007, thanks to the constant decline in memory prices, the ready availability of multi-core 64-bit computers, and the availability of the Bonn group (now mostly at Nancy)'s efficient sieving code via ggnfs[10] and robust open-source software such as msieve[11] for the finishing stages, special-form numbers of up to 750 bits and general-form numbers of up to about 520 bits can be factored in a few months on a few PCs by a single person without any special mathematical experience.[12] These bounds increase to about 950[13] and 600 [14] if it were possible to secure the collaboration of a few dozen PCs; currently the amount of memory and the CPU power of a single machine for the finishing stage are equal barriers to progress.

In 2009, Benjamin Moody factored a 512-bit RSA key used to sign the TI-83 graphing calculator using software found on the internet; this eventually led to the Texas Instruments signing key controversy.

References

  1. ^ K. Aoki, Y. Kida, T. Shimoyama, H. Ueda. "Factorization of 176-digit number". http://www.loria.fr/~zimmerma/records/11_281+. Retrieved 2007-05-23. 
  2. ^ F. Bahr, M. Boehm, J. Franke, T. Kleinjung. "RSA200". http://www.loria.fr/~zimmerma/records/rsa200. Retrieved 2007-05-23. 
  3. ^ T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. te Riele, A. Timofeev, P. Zimmermann. "Factorization of a 768-bit RSA modulus". http://eprint.iacr.org/2010/006/rsa200. Retrieved 2010-01-08. 
  4. ^ P. L. Montgomery. "Record Number Field Sieve Factorisations". http://krum.rz.uni-mannheim.de/cabench/sieve-record.html. Retrieved 2007-11-23. 
  5. ^ 'The Cabal'. "233-digit SNFS factorization". http://ftp.cwi.nl/herman/SNFSrecords/SNFS-233. Retrieved 2007-11-23. 
  6. ^ J. Franke. "M809". http://ftp.cwi.nl/herman/SNFSrecords/SNFS-244. Retrieved 2007-11-23. 
  7. ^ K. Aoki, Y. Kida, T. Shimoyama, H. Ueda. "SNFS274". http://www.loria.fr/~zimmerma/records/6353. Retrieved 2007-05-23. 
  8. ^ K. Aoki, J. Franke, T. Kleinjung, A. K. Lenstra, D. A. Osvik. "Factorization of the 1039th Mersenne number". http://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind0705&L=nmbrthry&T=0&P=1019. Retrieved 2007-05-23. 
  9. ^ Kazumaro Aoki and Jens Franke and Thorsten Kleinjung and Arjen Lenstra and Dag Arne Osvik. "A kilobit special number field sieve factorization". http://eprint.iacr.org/2007/205. Retrieved 2007-12-19. 
  10. ^ http://sourceforge.net/project/showfiles.php?group_id=140917
  11. ^ http://www.boo.net/~jasonp/qs.html
  12. ^ 518-bit example
  13. ^ 941-bit SNFS done in late 2009
  14. ^ 598-bit factorisation done over five months in late 2008

See also