Conference Paper

MPQS with three large primes

Authors:
  • Brnikat Ltd

Abstract

We report the factorization of a 135-digit integer by the triple-large-prime variation of the multiple polynomial quadratic sieve. Previous workers [6][10] had suggested that using more than two large primes would be counterproductive, because of the greatly increased number of false reports from the sievers. We provide evidence that, for this number and our implementation, using three large primes is approximately 1.7 times as fast as using only two. The gain in efficiency comes from a sudden growth in the number of cycles arising from relations which contain three large primes. This effect, which more than compensates for the false reports, was not anticipated by the authors of [6] [10] but has become quite familiar from factorizations obtained using the number field sieve. We characterize the various types of cycles present, and give a semi-quantitative description of their rather mysterious behaviour.

[Figures: plots with linear fits y = 2.7665x - 33.608 (R² = 0.9626); y = 2.078x - 23.921 (R² = 0.9997); y = 3.4969x - 46.804 (R² = 0.9984); y = 7.3207x - 107.95 (R² = 0.9646)]

... [13]), for a total speed-up of a factor between 4 and 6. An experiment with the triple large prime variation [12] seemed to speed things up by another factor of around 1.7. Factorers had believed (see, e.g. ...
... On the other hand, in practical implementations of the number field sieve, one obtains a j with more than two large prime factors relatively cheaply and, after a slow start, the number of pseudosquares obtained suddenly increases very rapidly (see [6]). This is what led the authors of [12] to their recent surprising and successful experiment with the triple large prime variation for the quadratic sieve. (See Willemien Ekkelkamp's contribution to these proceedings [7] for further discussion of multiple prime variation speed-ups to the number field sieve.) ...
Conference Paper
In 1994, Carl Pomerance proposed the following problem: Select integers \(a_1, a_2, \ldots, a_J\) at random from the interval \([1,x]\), stopping when some (non-empty) subsequence, \(\{a_i : i \in I\}\) where \(I \subseteq \{1,2,\ldots,J\}\), has a square product (that is \(\prod_{i\in I} a_i\in \mathbb Z^2\)). What can we say about the possible stopping times, \(J\)? A 1985 algorithm of Schroeppel can be used to show that this process stops after selecting \((1+\varepsilon)J_0(x)\) integers \(a_j\) with probability \(1 - o(1)\) (where the function \(J_0(x)\) is given explicitly in (1) below). Schroeppel’s algorithm actually finds the square product, and this has subsequently been adopted, with relatively minor modifications, by all factorers. In 1994 Pomerance showed that, with probability \(1 - o(1)\), the process will run through at least \(J_0(x)^{1-o(1)}\) integers \(a_j\), and asked for a more precise estimate of the stopping time. We conjecture that there is a “sharp threshold” for this stopping time, that is, with probability \(1 - o(1)\) one will first obtain a square product when (precisely) \(\{e^{-\gamma}+o(1)\} J_0(x)\) integers have been selected. Herein we will give a heuristic to justify our belief in this sharp transition.
... Keeping partial relations only involving one large prime is the single large prime variant, whereas keeping those involving one or two is the double large prime variant which was first described by Lenstra and Manasse [17]. We do not consider the case of more large primes, but it is a possibility that has been studied in the context of factorization [10]. Partial relations may be identified as follows. ...
Conference Paper
We present improvements to the index-calculus algorithm for the computation of the ideal class group and regulator of a real quadratic field. Our improvements consist of applying the double large prime strategy, an improved structured Gaussian elimination strategy, and the use of Bernstein's batch smoothness algorithm. We achieve a significant speed-up and are able to compute the ideal class group structure and the regulator corresponding to a number field with a 110-decimal digit discriminant.
... For the largest experiment, we have been able to reduce the linear algebra wall-clock time to 1.9 days this way, with room for further improvement since we have not yet ported the asymptotically fast algorithm presented in [24] briefly on the growth of the LP-graph in the context of the simplified algorithm. Previous works dealing with double large prime variants [17, 18] have coined terms such as "explosive growth" or "phase transition" for describing the growth of this graph. Such behaviour is indeed shown by the equations obtained. ...
Article
In this article, we examine how the index calculus approach for computing discrete logarithms in small genus hyperelliptic curves can be improved by introducing a double large prime variation. Two algorithms are presented. The first algorithm is a rather natural adaptation of the double large prime variation to the intended context. On heuristic and experimental grounds, it seems to perform quite well but lacks a complete and precise analysis. Our second algorithm is a considerably simplified variant, which can be analyzed easily. The resulting complexity improves on the fastest known algorithms. Computer experiments show that for hyperelliptic curves of genus three, our first algorithm surpasses Pollard's Rho method even for rather small field sizes.
... Keeping partial relations only involving one large prime is the single large prime variant, whereas keeping two of them is the double large prime variant which was first described by Lenstra and Manasse [12]. In this paper we do not consider the case of more large primes, but it is a possibility that has been studied in the context of factorization [14]. Partial relations may be identified as follows. ...
Article
We investigate improvements to the algorithm for the computation of ideal class group described by Jacobson in the imaginary quadratic case. These improvements rely on the large prime strategy and a new method for performing the linear algebra phase. We achieve a significant speed-up and are able to compute 110-decimal digits discriminant ideal class group in less than a week.
Conference Paper
This paper shows experimental results of the linear algebra step in the number field sieve on parallel environment with implementation techniques. We developed an efficient algorithm that shares the sum of vectors in each node, and the network structure among the nodes only requires to include a ring. We also investigated the construction of a network for the linear algebra step. The construction can be realized through switches and network interface cards, whose prices are not expensive. Moreover, we investigated the implementation of the linear algebra step using various parameters. The implementation described in this paper was used for the integer factoring of a 176 digit number by GNFS and a 274 digit number by SNFS.
Article
We describe a modification to the well-known large prime variant of the multiple polynomial quadratic sieve factoring algorithm [Eurocrypt ’90, Lect. Notes Comput. Sci. 473, 72–82 (1991; Zbl 0779.11061)]. In practice this leads to a speed-up factor of 2 to 2.5. We discuss several implementation-related aspects, and we include some examples. Our new variation is also of practical importance for the number field sieve factoring algorithm.
Conference Paper
On February 2, 1999, we completed the factorization of the 140-digit number RSA-140 with the help of the Number Field Sieve factoring method (NFS). This is a new general factoring record. The previous record was established on April 10, 1996 by the factorization of the 130-digit number RSA-130, also with the help of NFS. The amount of computing time spent on RSA-140 was roughly twice that needed for RSA-130, about half of what could be expected from a straightforward extrapolation of the computing time spent on factoring RSA-130. The speed-up can be attributed to a new polynomial selection method for NFS which will be sketched in this paper. The implications of the new polynomial selection method for factoring a 512-bit RSA modulus are discussed and it is concluded that 512-bit (= 155-digit) RSA moduli are easily and realistically within reach of factoring efforts similar to the one presented here.
Conference Paper
The purpose of this paper is to report the unexpected results that we obtained while experimenting with the multi-large prime variation of the general number field sieve integer factoring algorithm (NFS, cf. [8]). For traditional factoring algorithms that make use of at most two large primes, the completion time can quite accurately be predicted by extrapolating an almost quartic and entirely ‘smooth’ function that counts the number of useful combinations among the large primes [1]. For NFS such extrapolations seem to be impossible—the number of useful combinations suddenly ‘explodes’ in an as yet unpredictable way, that we have not yet been able to understand completely. The consequence of this explosion is that NFS is substantially faster than expected, which implies that factoring is somewhat easier than we thought.
Conference Paper
In this paper we describe our distributed implementation of two factoring algorithms, the elliptic curve method (ecm) and the multiple polynomial quadratic sieve algorithm (mpqs). Since the summer of 1987, our ecm-implementation on a network of MicroVAX processors at DEC’s Systems Research Center has factored several most and more wanted numbers from the Cunningham project. In the summer of 1988, we implemented the multiple polynomial quadratic sieve algorithm on the same network. On this network alone, we are now able to factor any 100 digit integer, or to find 35 digit factors of numbers up to 150 digits long within one month. To allow an even wider distribution of our programs we made use of electronic mail networks for the distribution of the programs and for inter-processor communication. Even during the initial stage of this experiment, machines all over the United States and at various places in Europe and Australia contributed 15 percent of the total factorization effort. At all the sites where our program is running we only use cycles that would otherwise have been idle. This shows that the enormous computational task of factoring 100 digit integers with the current algorithms can be completed almost for free. Since we use a negligible fraction of the idle cycles of all the machines on the worldwide electronic mail networks, we could factor 100 digit integers within a few days with a little more help.
Conference Paper
A critical step when factoring large integers by the Number Field Sieve [8] consists of finding dependencies in a huge sparse matrix over the field \(\mathbb{F}_2\), using a Block Lanczos algorithm. Both size and weight (the number of non-zero elements) of the matrix critically affect the running time of Block Lanczos. In order to keep size and weight small the relations coming out of the siever do not flow directly into the matrix, but are filtered first in order to reduce the matrix size. This paper discusses several possible filter strategies and their use in the recent record factorizations of RSA-140, R211 and RSA-155. 2000 Mathematics Subject Classification: Primary 11Y05. Secondary 11A51. 1999 ACM Computing Classification System: F.2.1. Keywords and Phrases: Number Field Sieve, factoring, filtering, Structured Gaussian elimination, Block Lanczos, RSA. Note: Work carried out under project MAS2.2 "Computational number theory and data security". This report will appear in the proceed...
Conference Paper
Some integer factorization algorithms require several vectors in the null space of a sparse \(m \times n\) matrix over the field GF(2). We modify the Lanczos algorithm to produce a sequence of orthogonal subspaces of \(\mathrm{GF}(2)^n\), each having dimension almost \(N\), where \(N\) is the computer word size, by applying the given matrix and its transpose to \(N\) binary vectors at once. The resulting algorithm takes about \(n/(N - 0.76)\) iterations. It was applied to matrices larger than \(10^6 \times 10^6\) during the factorizations of 105-digit and 119-digit numbers via the general number field sieve.