Integer factorization is the process of determining which prime numbers divide a given positive integer. Doing this quickly has applications in cryptography. The difficulty depends on both the size and form of the number and its prime factors; it is currently very difficult to factorize large semiprimes (and, indeed, most numbers that have no small factors).
The first enormous distributed factorisation was RSA-129, a 129-digit challenge number described in the Scientific American article of 1977 which first popularised the RSA cryptosystem. It was factorised between September 1993 and April 1994, using MPQS, with relations contributed by about 600 people through the internet, and the final stages of the calculation performed on a MasPar supercomputer at Bell Labs.
Between January and August 1999, RSA-155, a 155-digit challenge number prepared by the RSA company, was factorised using GNFS with relations again contributed by a large group, and the final stages of the calculation performed in just over nine days on the Cray C916 supercomputer at the SARA Amsterdam Academic Computer Center.
In January 2002, Franke et al. announced the factorisation of a 158-digit cofactor of 2953 + 1, using a couple of months on about 25 PCs at the University of Bonn, with the final stages done using a cluster of six Pentium-III PCs.
In April 2003, the same team factored the 160-digit RSA-160 using about a hundred CPUs at BSI, with the final stages of the calculation done using 25 processors of an SGI Origin supercomputer.
The 576-bit (174-digit) RSA-576 was factored by Franke, Kleinjung and members of the NFSNET collaboration in December 2003, using resources at BSI and the University of Bonn; soon afterwards, Aoki, Kida, Shimoyama, Sonoda and Ueda announced that they had factored a 164-digit cofactor of 21826 + 1.
A 176-digit cofactor of 11281 + 1 was factored by Aoki, Kida, Shimoyama and Ueda between February and May 2005 using machines at NTT and Rikkyo University in Japan. [1]
The 663-bit (200-digit) RSA-200 challenge number was factored by Franke, Kleinjung et al. between December 2003 and May 2005, using a cluster of 80 Opteron processors at BSI in Germany; the announcement was made on 9 May 2005. [2] They later (November 2005) factored the slightly smaller RSA-640 challenge number.
On December 12, 2009, a team including researchers from the CWI, the EPFL, INRIA and NTT in addition to the authors of the previous record factored RSA-768, a 232-digit semiprime. [3] They used the equivalent of almost 2000 years of computing on a single core 2.2 GHz AMD Opteron.
In November 2019, the 795-bit (240-digit) RSA-240 was factored by Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé and Paul Zimmermann. [4] [5]
In February 2020, the factorization of the 829-bit (250-digit) RSA-250 was completed. [6]
12151 − 1, of 542 bits (163 digits), was factored between April and July 1993 by a team at CWI and Oregon State University. [7]
2773 + 1, of 774 bits (233 digits), was factored between April and November 2000 by 'The Cabal', with the matrix step done over 250 hours on the Cray also used for RSA-155. [8]
2809 − 1, of 809 bits (244 digits), had its factorisation announced at the start of January 2003. Sieving was done at the CWI, at the Scientific Computing Institute and the Pure Mathematics Department at Bonn University, and using private resources of J. Franke, T. Kleinjung and the family of F. Bahr. The linear algebra step was done by P. Montgomery at SARA in Amsterdam. [9]
6353 − 1, of 911 bits (275 digits), was factored by Aoki, Kida, Shimoyama and Ueda between September 2005 and January 2006 using SNFS. [10]
21039 − 1, of 1039 bits (313 digits) (though a factor of 23 bits was already known) was factored between September 2006 and May 2007 by a group including K. Aoki, J. Franke, T. Kleinjung, A. K. Lenstra and D. A. Osvik, using computers at NTT, EPFL and the University of Bonn. [11] [12]
21061 − 1, of 1061 bits (320 digits) was factored between early 2011 and 4 August 2012 by a group headed by Greg Childers at CSU Fullerton, using the nfs@home BOINC project for about 300 CPU-years of sieving; the linear algebra was run at the Trestles cluster at SDSC and the Lonestar cluster at TACC and needed additional 35 CPU-years. [13]
All unfactored parts of the numbers 2n − 1 with n between 1000 and 1200 were factored by a multiple-number-sieve approach in which much of the sieving step could be done simultaneously for multiple numbers, by a group including T. Kleinjung, J. Bos and A. K. Lenstra, starting in 2010. [14] To be precise, n = 1081 (326 digits) was completed on 11 March 2013; n = 1111 (335 digits) on 13 June 2013; n = 1129 (340 digits) on 20 September 2013; n = 1153 (348 digits) on 28 October 2013; n=1159 (349 digits) on 9 February 2014; n = 1177 (355 digits) on 29 May 2014, n = 1193 (360 digits) on 22 August 2014, and n = 1199 (361 digits) on 11 December 2014; the first detailed announcement was made in late August 2014. The total effort for the project is of the order of 7500 CPU-years on 2.2 GHz Opterons, with roughly 5700 years spent sieving and 1800 years on linear algebra.
As of the end of 2007, thanks to the constant decline in memory prices, the ready availability of multi-core 64-bit computers, and the availability of the efficient sieving code (developed by Thorsten Kleinjung of the Bonn group) via ggnfs [15] and of robust open-source software such as msieve [16] for the finishing stages, special-form numbers of up to 750 bits (226 digits) and general-form numbers of up to about 520 bits (157 digits) can be factored in a few months on a few PCs by a single person without any special mathematical experience. [17] These bounds increase to about 950 bits (286 digits) [18] and 600 bits (181 digits) [19] if it were possible to secure the collaboration of a few dozen PCs for sieving; currently the amount of memory and the CPU power of a single machine for the finishing stage are equal barriers to progress.
In 2009, Benjamin Moody factored a 512-bit (155-digit) RSA key used to sign the TI-83 graphing calculator using software found on the internet; this eventually led to the Texas Instruments signing key controversy.
In September 2013, the 696-bit (210-digit) RSA-210 was factored by Ryan Propper [20] using institutional resources; between March 2013 and October 2014, another 210-digit number (the 117th term in the home prime sequence starting with 49) was completed by a user known as WraithX, [21] using $7600 worth of processing time on Amazon EC2 machines [22] for the sieving, and four months on a dual Xeon E5-2687W v1 for the linear algebra.
The largest number reliably factored[ clarification needed ] by Shor's algorithm is 21 which was factored in 2012. [23] 15 had previously been factored by several labs.
In April 2012, the factorization of 143 = 13 × 11 by a room-temperature (300 K) NMR adiabatic quantum computer was reported by a group led by Xinhua Peng. [24] In November 2014 it was discovered that the 2012 experiment had in fact also factored much larger numbers without knowing it. [ clarification needed ] [25] [26] In April 2016 the 18-bit number 200,099 was factored using quantum annealing on a D-Wave 2X quantum processor. [27] Shortly after, 291 311 was factored using NMR at higher than room temperature. [28] In late 2019, Zapata computing claimed to have factored 1,099,551,473,989, [29] and in 2021 released a paper describing this computation. [30] In 2024, a new approach to embed prime factoring problems into quantum annealers has been proposed, leading to (i) the embedding of 21×12 prime factoring problems into a D-Wave Pegasus architecture; (ii) the factoring of 8,219,999 by using a quantum annealer without exploiting hybrid techniques. [31]
As such, claims of factoring with quantum computers have however been criticized for depending heavily on classical computation to reduce the number of qubits required. [32] [33] For example, the factorization of 1,099,551,473,989 relied on classical pre-processing to reduce the problem to a three-qubit quantum circuit. [30] Furthermore, the three numbers factored in this paper (200,099, 291,311, and 1,099,551,473,989) can easily be factored using Fermat's factorization method, requiring only 3, 1, and 1 iterations of the loop respectively.
In cryptography, key size or key length refers to the number of bits in a key used by a cryptographic algorithm.
In number theory, integer factorization is the decomposition of a positive integer into a product of integers. Every positive integer greater than 1 is either the product of two or more integer factors greater than 1, in which case it is called a composite number, or it is not, in which case it is called a prime number. For example, 15 is a composite number because 15 = 3 · 5, but 7 is a prime number because it cannot be decomposed in this way. If one of the factors is composite, it can in turn be written as a product of smaller factors, for example 60 = 3 · 20 = 3 · (5 · 4). Continuing this process until every factor is prime is called prime factorization; the result is always unique up to the order of the factors by the prime factorization theorem.
A prime number is a natural number greater than 1 that is not a product of two smaller natural numbers. A natural number greater than 1 that is not prime is called a composite number. For example, 5 is prime because the only ways of writing it as a product, 1 × 5 or 5 × 1, involve 5 itself. However, 4 is composite because it is a product (2 × 2) in which both numbers are smaller than 4. Primes are central in number theory because of the fundamental theorem of arithmetic: every natural number greater than 1 is either a prime itself or can be factorized as a product of primes that is unique up to their order.
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.
In mathematics, factorization (or factorisation, see English spelling differences) or factoring consists of writing a number or another mathematical object as a product of several factors, usually smaller or simpler objects of the same kind. For example, 3 × 5 is an integer factorization of 15, and (x – 2)(x + 2) is a polynomial factorization of x2 – 4.
In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than 10100. Heuristically, its complexity for factoring an integer n (consisting of ⌊log2n⌋ + 1 bits) is of the form
The Lenstra elliptic-curve factorization or the elliptic-curve factorization method (ECM) is a fast, sub-exponential running time, algorithm for integer factorization, which employs elliptic curves. For general-purpose factoring, ECM is the third-fastest known factoring method. The second-fastest is the multiple polynomial quadratic sieve, and the fastest is the general number field sieve. The Lenstra elliptic-curve factorization is named after Hendrik Lenstra.
Daniel Julius Bernstein is an American mathematician, cryptologist, and computer scientist. He is a visiting professor at CASA at Ruhr University Bochum, as well as a research professor of Computer Science at the University of Illinois at Chicago. Before this, he was a visiting professor in the department of mathematics and computer science at the Eindhoven University of Technology.
The RSA Factoring Challenge was a challenge put forward by RSA Laboratories on March 18, 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100-decimal digit number called RSA-100 was factored by April 1, 1991. Many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time, however advances in quantum computers make this prediction uncertain due to Shor's algorithm.
In mathematics, the RSA numbers are a set of large semiprimes that were part of the RSA Factoring Challenge. The challenge was to find the prime factors of each number. It was created by RSA Laboratories in March 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers. The challenge was ended in 2007.
"The Magic Words are Squeamish Ossifrage" was the solution to a challenge ciphertext posed by the inventors of the RSA cipher in 1977. The problem appeared in Martin Gardner's Mathematical Games column in the August 1977 issue of Scientific American. It was solved in 1993–94 by a large, joint computer project co-ordinated by Derek Atkins, Michael Graff, Arjen Lenstra and Paul Leyland. More than 600 volunteers contributed CPU time from about 1,600 machines over six months. The coordination was done via the Internet and was one of the first such projects.
Pollard's p − 1 algorithm is a number theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors; it is the simplest example of an algebraic-group factorisation algorithm.
The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second-fastest method known. It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.
In number theory, a branch of mathematics, the special number field sieve (SNFS) is a special-purpose integer factorization algorithm. The general number field sieve (GNFS) was derived from it.
Hermanus Johannes Joseph te Riele (born 5 January 1947) is a Dutch mathematician at CWI in Amsterdam with a specialization in computational number theory. He is known for proving the correctness of the Riemann hypothesis for the first 1.5 billion non-trivial zeros of the Riemann zeta function with Jan van de Lune and Dik Winter, for disproving the Mertens conjecture with Andrew Odlyzko, and for factoring large numbers of world record size. In 1987, he found a new upper bound for π(x) − Li(x).
In mathematics, the rational sieve is a general algorithm for factoring integers into prime factors. It is a special case of the general number field sieve. While it is less efficient than the general algorithm, it is conceptually simpler. It serves as a helpful first step in understanding how the general number field sieve works.
In mathematics, a strong prime is a prime number with certain special properties. The definitions of strong primes are different in cryptography and number theory.
Arjen Klaas Lenstra is a Dutch mathematician, cryptographer and computational number theorist. He is a professor emeritus from the École Polytechnique Fédérale de Lausanne (EPFL) where he headed of the Laboratory for Cryptologic Algorithms.
Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions x to the equation given elements g and h of a finite cyclic group G. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogues of these. Common choices for G used in these algorithms include the multiplicative group of integers modulo p, the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.
{{cite web}}
: CS1 maint: archived copy as title (link){{cite web}}
: CS1 maint: archived copy as title (link)