Factorization of a 768-bit RSA modulus - Page 3

TimSorbet · 2010-01-07, 19:45

Quote:

Originally Posted by FactorEyes

Then I'm lost.

Why even run 1 ECM curve on such a number?

Well, there's always a very, very slight chance that an ECM curve might find one of the factors. You're probably more likely to be struck by lightning while winning 5 lotteries, but it's possible.

Edit: Out of curiosity, how long, and how much memory, would it take to find one of these factors by P-1 or P+1, knowing what their factorizations are? P-1 bounds could be B1=1e30 and B2=1e47 or B1=360 and B2=1e113, P+1 bounds could be B1=1e44 and B2=1e71 or B1=1e21 and B2=1e90.
BTW here are FactorDB links for a few of the related numbers here:
N: http://factordb.com/search.php?id=9946820
p: http://factordb.com/search.php?id=91768521
p-1: http://factordb.com/search.php?id=91919514
p+1: http://factordb.com/search.php?id=91919521
q: http://factordb.com/search.php?id=91768522
q-1: http://factordb.com/search.php?id=91919525
q+1: http://factordb.com/search.php?id=91919527

xilman · 2010-01-07, 19:49

Quote:

Originally Posted by FactorEyes

Then I'm lost.

Why even run 1 ECM curve on such a number?

Remember the Golden Rule: Never ascribe to malice that which is adequately explained by incompetence.

If I were a betting man, I would put much more money on incompetence by the ECM people than on malice(*) by Bob (or incompetence, for that matter!). My instincts were proven correct in this case.

The best response to those who propose to run ECM on RSA moduli is: do you feel lucky, punk?

Paul

(*)I freely admit to malice when creating the RSA modulus in The Code Book challenge. It was a source of some amusement, and re-assurance, that noone tried P-1 with sufficiently large limits on the modulus.

Batalov · 2010-01-07, 20:00

Congratulations on the fantastic job!

jasonp · 2010-01-07, 20:03

Congratulations to everyone involved; we were long overdue for a GNFS record, and this moves the state of the art far in front of what's reasonably possible with individual contributors.

Msieve can now handle arbitrary numbers of large primes per relation, up to 48 bits each (this size keeps down the expansion in the size of the hashtable used in the singleton removal phase). It's also limited to 4 billion relations, but this is 10x larger than what anyone has tried.

Edit: Andi, I think GNFS-232 is well within the range where a degree 6 polynomial is a better idea than degree 5

10metreh · 2010-01-07, 20:09

An amazing achievement!

This shows that HP49:100 is a possibility if we have a degree 6 poyfinder and a block Wiedemann implementation; is there a chance that any of the software used could become available to the public?

mdettweiler · 2010-01-07, 20:12

Quote:

Originally Posted by akruppa

Yield:
64 334 489 730 relations
(38% INRIA, 30% EPFL, 15% NTT, 8% Bonn, 3.5% CWI, 5.5% others)

Quote:

Originally Posted by jasonp

It's also limited to 4 billion relations, but this is 10x larger than what anyone has tried.

Eh? Does not compute.

If 4 billion relations is 10x larger than what anyone has tried, how come this job produced 64 billion? (Or am I missing something here?)

henryzz · 2010-01-07, 20:16

Quote:

Originally Posted by mdettweiler

Eh? Does not compute.

If 4 billion relations is 10x larger than what anyone has tried, how come this job produced 64 billion? (Or am I missing something here?)

tried using msieve

mdettweiler · 2010-01-07, 20:18

Quote:

Originally Posted by henryzz

tried using msieve

Ah, that makes sense, since this job wasn't done using msieve. Speaking of which, as 10metreh said, is it planned to make the software used available to the public?

Andi47 · 2010-01-07, 21:06

Quote:

Originally Posted by jasonp

Edit: Andi, I think GNFS-232 is well within the range where a degree 6 polynomial is a better idea than degree 5

I think so too, but how to FIND a sextic polynomial?

bsquared · 2010-01-07, 22:16

Fantastic! Cheers to all involved!

The paper mentions that a deliberate decision was made to not BOINCify or otherwise open up the sieving stage of the computation; mostly I gather from the desire to set a reasonably precise completion date and from a data management standpoint. I wonder how much could be gained if they opened it up, assuming the resources (administration/data management) were available? If not BOINC then at least a more widespread invitation to contribute. It seems like there would be lots of interest from the community to contribute to a record factorization, but maybe that's just the euphoria talking.

Anyway, congrats again!

bdodson · 2010-01-07, 23:29

Quote:

Originally Posted by bsquared

... I wonder how much could be gained if they opened it up, assuming the resources (administration/data management) were available? If not BOINC then at least a more widespread invitation to contribute. It seems like there would be lots of interest from the community to contribute to a record factorization, ...

Arjen reports having looked at this thread. I'm fairly certain that no
serious consideration was given to opening up this computation to the
public. Neither BSI nor NTT are inclined toward having their interests
reported before they're ready. -Bruce

2010-01-07, 20:03	#26
jasonp Tribal Bullet Oct 2004 DE3₁₆ Posts	Congratulations to everyone involved; we were long overdue for a GNFS record, and this moves the state of the art far in front of what's reasonably possible with individual contributors. Msieve can now handle arbitrary numbers of large primes per relation, up to 48 bits each (this size keeps down the expansion in the size of the hashtable used in the singleton removal phase). It's also limited to 4 billion relations, but this is 10x larger than what anyone has tried. Edit: Andi, I think GNFS-232 is well within the range where a degree 6 polynomial is a better idea than degree 5 Last fiddled with by jasonp on 2010-01-07 at 20:06

2010-01-07, 20:09	#27
10metreh Nov 2008 2·3³·43 Posts	An amazing achievement! This shows that HP49:100 is a possibility if we have a degree 6 poyfinder and a block Wiedemann implementation; is there a chance that any of the software used could become available to the public? Last fiddled with by 10metreh on 2010-01-07 at 20:10 Reason: i before e except after c (grrr...)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Modulus function on a linear convolution	lukerichards	Number Theory Discussion Group	4	2018-04-06 12:57
Extracting the Modulus from publickeyblob RSA 512	26B	Homework Help	2	2014-11-30 07:31
It's possible to calculate an unknown RSA modulus?	D2MAC	Math	8	2010-12-26 16:32
Fixed leading bits in RSA modulus, vs NFS	fgrieu	Factoring	7	2009-09-23 11:45
Factoring with Highly Composite Modulus	mgb	Math	3	2006-09-09 10:35

2010-01-07, 20:00	#25
Batalov "Serge" Mar 2008 Phi(4,2^7658614+1)/2 3×7×479 Posts	Congratulations on the fantastic job!

2010-01-07, 22:16	#32
bsquared "Ben" Feb 2007 3733₁₀ Posts	Fantastic! Cheers to all involved! The paper mentions that a deliberate decision was made to not BOINCify or otherwise open up the sieving stage of the computation; mostly I gather from the desire to set a reasonably precise completion date and from a data management standpoint. I wonder how much could be gained if they opened it up, assuming the resources (administration/data management) were available? If not BOINC then at least a more widespread invitation to contribute. It seems like there would be lots of interest from the community to contribute to a record factorization, but maybe that's just the euphoria talking. Anyway, congrats again!