|Previous||Table of Contents||Next|
See  for a good introduction to these different factoring algorithms, except for the NFS. The best discussion of the NFS is . Other, older references are [505, 1602, 1258]. Information on parallel factoring can be found in .
If n is the number being factored, the fastest QS variants have a heuristic asymptotic run time of:
The NFS is much faster, with a heuristic asymptotic time estimate of:
In 1970, the big news was the factoring of a 41-digit hard number . (A hard number is one that does not have any small factors and is not of a special form that allows it to be factored more easily.) Ten years later, factoring hard numbers twice that size took a Cray computer just a few hours .
In 1988, Carl Pomerance designed a modular factoring machine, using custom VLSI chips . The size of the number you would be able to factor depends on how large a machine you can afford to build. He never built it.
In 1993, a 120-digit hard number was factored using the quadratic sieve; the calculation took 825 mips-years and was completed in three months real time . Other results are .
Todays factoring attempts use computer networks [302, 955]. In factoring a 116-digit number, Arjen Lenstra and Mark Manasse used 400 mips-yearsthe spare time on an array of computers around the world for a few months.
In March 1994, a 129-digit (428-bit) number was factored using the double large prime variation of the multiple polynomial QS  by a team of mathematicians led by Lenstra. Volunteers on the Internet carried out the computation: 600 people and 1600 machines over the course of eight months, probably the largest ad hoc multiprocessor ever assembled. The calculation was the equivalent of 4000 to 6000 mips-years. The machines communicated via electronic mail, sending their individual results to a central repository where the final steps of analysis took place. This computation used the QS and five-year-old theory; it would have taken one-tenth the time using the NFS . According to : We conclude that commonly used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months. They estimate that factoring a 512-bit number would be 100 times harder using the same technology, and only 10 times harder using the NFS and current technology .
To keep up on the state of the art of factoring, RSA Data Security, Inc. set up the RSA Factoring Challenge in March 1991 . The challenge consists of a list of hard numbers, each the product of two primes of roughly equal size. Each prime was chosen to be congruent to 2 modulo 3. There are 42 numbers in the challenge, one each of length 100 digits through 500 digits in steps of 10 digits (plus one additional number, 129 digits long). At the time of writing, RSA-100, RSA-110, RSA-120, and RSA-129 have been factored, all using the QS. RSA-130 might be next (using the NFS), or the factoring champions might skip directly to RSA-140.
This is a fast-moving field. It is difficult to extrapolate factoring technology because no one can predict advances in mathematical theory. Before the NFS was discovered, many people conjectured that the QS was asymptotically as fast as any factoring method could be. They were wrong.
Near-term advances in the NFS are likely to come in the form of bringing down the constant: 1.923. Some numbers of a special form, like Fermat numbers, have a constant more along the lines of 1.5 [955, 954]. If the hard numbers used in public-key cryptography had that kind of constant, 1024-bit numbers could be factored today. One way to lower the constant is to find better ways of representing numbers as polynomials with small coefficients. The problem hasnt been studied very extensively yet, but it is probable that advances are coming .
For the most current results from the RSA Factoring Challenge, send e-mail to firstname.lastname@example.org.
Square Roots Modulo n
If n is the product of two primes, then the ability to calculate square roots mod n is computationally equivalent to the ability to factor n [1283, 35, 36, 193]. In other words, someone who knows the prime factors of n can easily compute the square roots of a number mod n, but for everyone else the computation has been proven to be as hard as computing the prime factors of n.
Public-key algorithms need prime numbers. Any reasonably sized network needs lots of them. Before discussing the mathematics of prime number generation, I will answer a few obvious questions.
But if factoring numbers is so hard, how can generating prime numbers be easy? The trick is that the yes/no question, Is n prime? is a much easier question to answer than the more complicated question, What are the factors of n?
|Previous||Table of Contents||Next|