RSA Factoring Challenge

Last updated

The RSA Factoring Challenge was a challenge put forward by RSA Laboratories on March 18, 1991 [1] to encourage research into computational number theory and the practical difficulty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes (numbers with exactly two prime factors) known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100-decimal digit number called RSA-100 was factored by April 1, 1991. Many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time, however advances in quantum computers make this prediction uncertain due to Shor's algorithm.

Contents

In 2001, RSA Laboratories expanded the factoring challenge and offered prizes ranging from $10,000 to $200,000 for factoring numbers from 576 bits up to 2048 bits. [2] [3] [4]

The RSA Factoring Challenges ended in 2007. [5] RSA Laboratories stated: "Now that the industry has a considerably more advanced understanding of the cryptanalytic strength of common symmetric-key and public-key algorithms, these challenges are no longer active." [6] When the challenge ended in 2007, only RSA-576 and RSA-640 had been factored from the 2001 challenge numbers. [7]

The factoring challenge was intended to track the cutting edge in integer factorization. A primary application is for choosing the key length of the RSA public-key encryption scheme. Progress in this challenge should give an insight into which key sizes are still safe and for how long. As RSA Laboratories is a provider of RSA-based products, the challenge was used by them as an incentive for the academic community to attack the core of their solutions in order to prove its strength.

The RSA numbers were generated on a computer with no network connection of any kind. The computer's hard drive was subsequently destroyed so that no record would exist, anywhere, of the solution to the factoring challenge. [6]

The first RSA numbers generated, RSA-100 to RSA-500 and RSA-617, were labeled according to their number of decimal digits; the other RSA numbers (beginning with RSA-576) were generated later and labelled according to their number of binary digits. The numbers in the table below are listed in increasing order despite this shift from decimal to binary.

The mathematics

RSA Laboratories states that: for each RSA number n, there exist prime numbers p and q such that

n = p × q.

The problem is to find these two primes, given only n.

The prizes and records

The following table gives an overview over all RSA numbers. Note that the RSA Factoring Challenge ended in 2007 [5] and no further prizes will be awarded for factoring the higher numbers.

The challenge numbers in white lines are part of the original challenge and are expressed in base 10, while the challenge numbers in yellow lines are part of the 2001 expansion and are expressed in base 2
RSA numberDecimal digitsBinary digitsCash prize offeredFactored onFactored by
RSA100 100330US$1,000 [8] April 1, 1991 [9] Arjen K. Lenstra
RSA110 110364US$4,429 [8] April 14, 1992 [9] Arjen K. Lenstra and M.S. Manasse
RSA120 120397US$5,898 [8] July 9, 1993 [10] T. Denny et al.
RSA129 [lower-alpha 1] 129426US$100April 26, 1994 [9] Arjen K. Lenstra et al.
RSA130 130430US$14,527 [8] April 10, 1996 Arjen K. Lenstra et al.
RSA140 140463US$17,226February 2, 1999 Herman te Riele et al.
RSA150 150496 April 16, 2004 Kazumaro Aoki et al.
RSA155 155512US$9,383 [8] August 22, 1999 Herman te Riele et al.
RSA160 160530 April 1, 2003 Jens Franke et al., University of Bonn
RSA170 [lower-alpha 2] 170563 December 29, 2009D. Bonenberger and M. Krone [lower-alpha 3]
RSA576 174576US$10,000December 3, 2003 Jens Franke et al., University of Bonn
RSA180 [lower-alpha 2] 180596 May 8, 2010S. A. Danilov and I. A. Popovyan, Moscow State University [11]
RSA190 [lower-alpha 2] 190629 November 8, 2010A. Timofeev and I. A. Popovyan
RSA640 193640US$20,000November 2, 2005 Jens Franke et al., University of Bonn
RSA200 [lower-alpha 2]  ?200663 May 9, 2005 Jens Franke et al., University of Bonn
RSA210 [lower-alpha 2] 210696September 26, 2013 [12] Ryan Propper
RSA704 [lower-alpha 2] 212704US$30,000July 2, 2012Shi Bai, Emmanuel Thomé and Paul Zimmermann
RSA220 [lower-alpha 2] 220729 May 13, 2016S. Bai, P. Gaudry, A. Kruppa, E. Thomé and P. Zimmermann
RSA230 [lower-alpha 2] 230762 August 15, 2018Samuel S. Gross, Noblis, Inc.
RSA232 [lower-alpha 2] 232768 February 17, 2020 [13] N. L. Zamarashkin, D. A. Zheltkov and S. A. Matveev.
RSA768 [lower-alpha 2] 232768US$50,000December 12, 2009 Thorsten Kleinjung et al. [14]
RSA240 [lower-alpha 2] 240795 Dec 2, 2019 [15] F. Boudot, P. Gaudry, A. Guillevic, N. Heninger, E. Thomé and P. Zimmermann
RSA250 [lower-alpha 2] 250829 Feb 28, 2020 [16] F. Boudot, P. Gaudry, A. Guillevic, N. Heninger, E. Thomé and P. Zimmermann
RSA260 260862 
RSA270 270895 
RSA896 270896US$75,000 [lower-alpha 4]
RSA280 280928 
RSA290 290962 
RSA300 300995 
RSA309 3091024 
RSA1024 3091024US$100,000 [lower-alpha 4]
RSA310 3101028 
RSA320 3201061 
RSA330 3301094 
RSA340 3401128 
RSA350 3501161 
RSA360 3601194 
RSA370 3701227 
RSA380 3801261 
RSA390 3901294 
RSA400 4001327 
RSA410 4101360 
RSA420 4201393 
RSA430 4301427 
RSA440 4401460 
RSA450 4501493 
RSA460 4601526 
RSA1536 4631536US$150,000 [lower-alpha 4]
RSA470 4701559 
RSA480 4801593 
RSA490 4901626 
RSA500 5001659 
RSA617 6172048 
RSA2048 6172048US$200,000 [lower-alpha 4]
  1. RSA-129 was not part of the RSA Factoring Challenge, but was related to a column by Martin Gardner in Scientific American .
  2. 1 2 3 4 5 6 7 8 9 10 11 12 The number was factored after the challenge ended.
  3. RSA-170 was also independently factored by S. A. Danilov and I. A. Popovyan two days later. [11]
  4. 1 2 3 4 The challenge ended before this prize was awarded.

See also

Notes

  1. Kaliski, Burt (18 Mar 1991). "Announcement of "RSA Factoring Challenge"" . Retrieved 8 March 2021.[ dead link ]
  2. Leyden, John (25 Jul 2001). "RSA poses $200,000 crypto challenge". The Register. Retrieved 8 March 2021.
  3. RSA Laboratories. "The New RSA Factoring Challenge". Archived from the original on 2001-07-14.
  4. RSA Laboratories. "The RSA Challenge Numbers". Archived from the original on 2001-08-05.
  5. 1 2 RSA Laboratories. "RSA Factoring Challenge". Archived from the original on 2013-09-21. Retrieved 2008-08-05.
  6. 1 2 RSA Laboratories. "The RSA Factoring Challenge FAQ". Archived from the original on 2013-09-21. Retrieved 2008-08-05.
  7. RSA Laboratories. "The RSA Challenge Numbers". Archived from the original on 2013-09-21. Retrieved 2008-08-05.
  8. 1 2 3 4 5 "Status/news report on RSA data security factoring challenge (as of 3/30/00)". 30 January 2002.
  9. 1 2 3 RSA Honor Roll
  10. Denny, T.; Dodson, B.; Lenstra, A. K.; Manasse, M. S. (1994). On the factorization of RSA-120. Advances in Cryptology – CRYPTO' 93. Lecture Notes in Computer Science. Vol. 773. pp. 166–174. doi: 10.1007/3-540-48329-2_15 . ISBN   978-3-540-57766-9.
  11. 1 2 Danilov, S. A.; Popovyan, I. A. (9 May 2010). "Factorization of RSA-180" (PDF). Cryptology ePrint Archive.
  12. RSA-210 factored, mersenneforum.org
  13. INM RAS news
  14. Kleinjung, Thomas (18 Feb 2010). "Factorization of a 768-bit RSA modulus" (PDF).{{cite journal}}: Cite journal requires |journal= (help)
  15. Thomé, Emmanuel (December 2, 2019). "795-bit factoring and discrete logarithms". cado-nfs-discuss (Mailing list).
  16. Zimmermann, Paul (February 28, 2020). "Factorization of RSA-250". cado-nfs-discuss (Mailing list).

Related Research Articles

In cryptography, key size or key length refers to the number of bits in a key used by a cryptographic algorithm.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security.

In number theory, integer factorization is the decomposition of a positive integer into a product of integers. Every positive integer greater than 1 is either the product of two or more integer factors, in which case it is called a composite number, or it is not, in which case it is called a prime number. For example, 15 is a composite number because 15 = 3 · 5, but 7 is a prime number because it cannot be decomposed in this way. If one of the factors is composite, it can in turn be written as a product of smaller factors, for example 60 = 3 · 20 = 3 · (5 · 4). Continuing this process until every factor is prime is called prime factorization; the result is always unique up to the order of the factors by the prime factorization theorem.

<span class="mw-page-title-main">Prime number</span> Number divisible only by 1 or itself

A prime number is a natural number greater than 1 that is not a product of two smaller natural numbers. A natural number greater than 1 that is not prime is called a composite number. For example, 5 is prime because the only ways of writing it as a product, 1 × 5 or 5 × 1, involve 5 itself. However, 4 is composite because it is a product (2 × 2) in which both numbers are smaller than 4. Primes are central in number theory because of the fundamental theorem of arithmetic: every natural number greater than 1 is either a prime itself or can be factorized as a product of primes that is unique up to their order.

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.

In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than 10100. Heuristically, its complexity for factoring an integer n (consisting of ⌊log2n⌋ + 1 bits) is of the form

In mathematics, the RSA numbers are a set of large semiprimes that were part of the RSA Factoring Challenge. The challenge was to find the prime factors of each number. It was created by RSA Laboratories in March 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers. The challenge was ended in 2007.

"The Magic Words are Squeamish Ossifrage" was the solution to a challenge ciphertext posed by the inventors of the RSA cipher in 1977. The problem appeared in Martin Gardner's Mathematical Games column in the August 1977 issue of Scientific American. It was solved in 1993–94 by a large, joint computer project co-ordinated by Derek Atkins, Michael Graff, Arjen Lenstra and Paul Leyland. More than 600 volunteers contributed CPU time from about 1,600 machines over six months. The coordination was done via the Internet and was one of the first such projects.

The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second-fastest method known. It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.

In computer science, arbitrary-precision arithmetic, also called bignum arithmetic, multiple-precision arithmetic, or sometimes infinite-precision arithmetic, indicates that calculations are performed on numbers whose digits of precision are limited only by the available memory of the host system. This contrasts with the faster fixed-precision arithmetic found in most arithmetic logic unit (ALU) hardware, which typically offers between 8 and 64 bits of precision.

In cryptography and number theory, TWIRL is a hypothetical hardware device designed to speed up the sieving step of the general number field sieve integer factorization algorithm. During the sieving step, the algorithm searches for numbers with a certain mathematical relationship. In distributed factoring projects, this is the step that is parallelized to a large number of processors.

TWINKLE is a hypothetical integer factorization device described in 1999 by Adi Shamir and purported to be capable of factoring 512-bit integers. It is also a pun on the twinkling LEDs used in the device. Shamir estimated that the cost of TWINKLE could be as low as $5000 per unit with bulk production. TWINKLE has a successor named TWIRL which is more efficient.

In cryptography, the RSA problem summarizes the task of performing an RSA private-key operation given only the public key. The RSA algorithm raises a message to an exponent, modulo a composite number N whose factors are not known. Thus, the task can be neatly described as finding the eth roots of an arbitrary number, modulo N. For large RSA key sizes, no efficient method for solving this problem is known; if an efficient method is ever developed, it would threaten the current or eventual security of RSA-based cryptosystems—both for public-key encryption and digital signatures.

In mathematics, a strong prime is a prime number with certain special properties. The definitions of strong primes are different in cryptography and number theory.

Integer factorization is the process of determining which prime numbers divide a given positive integer. Doing this quickly has applications in cryptography. The difficulty depends on both the size and form of the number and its prime factors; it is currently very difficult to factorize large semiprimes.

<span class="mw-page-title-main">Peter Montgomery (mathematician)</span> American mathematician (1947–2020)

Peter Lawrence Montgomery was an American mathematician who worked at the System Development Corporation and Microsoft Research. He is best known for his contributions to computational number theory and mathematical aspects of cryptography, including the Montgomery multiplication method for arithmetic in finite fields, the use of Montgomery curves in applications of elliptic curves to integer factorization and other problems, and the Montgomery ladder, which is used to protect against side-channel attacks in elliptic curve cryptography.

<span class="mw-page-title-main">Paul Zimmermann (mathematician)</span> French mathematician

Paul Zimmermann is a French computational mathematician, working at INRIA.

<span class="mw-page-title-main">Texas Instruments signing key controversy</span> Refers to Texas Instruments response to a project to factorize cryptographic keys.

The Texas Instruments signing key controversy resulted from Texas Instruments' (TI) response to a project to factorize the 512-bit RSA cryptographic keys needed to write custom firmware to TI devices.

Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions x to the equation given elements g and h of a finite cyclic group G. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogues of these. Common choices for G used in these algorithms include the multiplicative group of integers modulo p, the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.

In post-quantum cryptography, ring learning with errors (RLWE) is a computational problem which serves as the foundation of new cryptographic algorithms, such as NewHope, designed to protect against cryptanalysis by quantum computers and also to provide the basis for homomorphic encryption. Public-key cryptography relies on construction of mathematical problems that are believed to be hard to solve if no further information is available, but are easy to solve if some information used in the problem construction is known. Some problems of this sort that are currently used in cryptography are at risk of attack if sufficiently large quantum computers can ever be built, so resistant problems are sought. Homomorphic encryption is a form of encryption that allows computation on ciphertext, such as arithmetic on numeric values stored in an encrypted database.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.