Integer factorization records explained

Integer factorization is the process of determining which prime numbers divide a given positive integer. Doing this quickly has applications in cryptography. The difficulty depends on both the size and form of the number and its prime factors; it is currently very difficult to factorize large semiprimes (and, indeed, most numbers that have no small factors).

Numbers of a general form

The first enormous distributed factorisation was RSA-129, a 129-digit challenge number described in the Scientific American article of 1977 which first popularised the RSA cryptosystem. It was factorised between September 1993 and April 1994, using MPQS, with relations contributed by about 600 people through the internet, and the final stages of the calculation performed on a MasPar supercomputer at Bell Labs.

Between January and August 1999, RSA-155, a 155-digit challenge number prepared by the RSA company, was factorised using GNFS with relations again contributed by a large group, and the final stages of the calculation performed in just over nine days on the Cray C916 supercomputer at the SARA Amsterdam Academic Computer Center.

In January 2002, Franke et al. announced the factorisation of a 158-digit cofactor of 2953 + 1, using a couple of months on about 25 PCs at the University of Bonn, with the final stages done using a cluster of six Pentium-III PCs.

In April 2003, the same team factored the 160-digit RSA-160 using about a hundred CPUs at BSI, with the final stages of the calculation done using 25 processors of an SGI Origin supercomputer.

The 576-bit (174-digit) RSA-576 was factored by Franke, Kleinjung and members of the NFSNET collaboration in December 2003, using resources at BSI and the University of Bonn; soon afterwards, Aoki, Kida, Shimoyama, Sonoda and Ueda announced that they had factored a 164-digit cofactor of 21826 + 1.

A 176-digit cofactor of 11281 + 1 was factored by Aoki, Kida, Shimoyama and Ueda between February and May 2005 using machines at NTT and Rikkyo University in Japan.[1]

The 663-bit (200-digit) RSA-200 challenge number was factored by Franke, Kleinjung et al. between December 2003 and May 2005, using a cluster of 80 Opteron processors at BSI in Germany; the announcement was made on 9 May 2005.[2] They later (November 2005) factored the slightly smaller RSA-640 challenge number.

On December 12, 2009, a team including researchers from the CWI, the EPFL, INRIA and NTT in addition to the authors of the previous record factored RSA-768, a 232-digit semiprime.[3] They used the equivalent of almost 2000years of computing on a single core 2.2 GHz AMD Opteron.

In November 2019, the 795-bit (240-digit) RSA-240 was factored by Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé and Paul Zimmermann.[4] [5]

In February 2020, the factorization of the 829-bit (250-digit) RSA-250 was completed.[6]

Numbers of a special form

12151 - 1, of 542 bits (163 digits), was factored between April and July 1993 by a team at CWI and Oregon State University.[7]

2773 + 1, of 774 bits (233 digits), was factored between April and November 2000 by 'The Cabal', with the matrix step done over 250 hours on the Cray also used for RSA-155.[8]

2809 - 1, of 809 bits (244 digits), had its factorisation announced at the start of January 2003. Sieving was done at the CWI, at the Scientific Computing Institute and the Pure Mathematics Department at Bonn University, and using private resources of J. Franke, T. Kleinjung and the family of F. Bahr. The linear algebra step was done by P. Montgomery at SARA in Amsterdam.[9]

6353 - 1, of 911 bits (275 digits), was factored by Aoki, Kida, Shimoyama and Ueda between September 2005 and January 2006 using SNFS.[10]

21039 - 1, of 1039 bits (313 digits) (though a factor of 23 bits was already known) was factored between September 2006 and May 2007 by a group including K. Aoki, J. Franke, T. Kleinjung, A. K. Lenstra and D. A. Osvik, using computers at NTT, EPFL and the University of Bonn.[11] [12]

21061 - 1, of 1061 bits (320 digits) was factored between early 2011 and 4 August 2012 by a group headed by Greg Childers at CSU Fullerton, using the nfs@home BOINC project for about 300 CPU-years of sieving; the linear algebra was run at the Trestles cluster at SDSC and the Lonestar cluster at TACC and needed additional 35 CPU-years.[13]

All unfactored parts of the numbers 2n - 1 with n between 1000 and 1200 were factored by a multiple-number-sieve approach in which much of the sieving step could be done simultaneously for multiple numbers, by a group including T. Kleinjung, J. Bos and A. K. Lenstra, starting in 2010.[14] To be precise, n = 1081 (326 digits) was completed on 11 March 2013; n = 1111 (335 digits) on 13 June 2013; n = 1129 (340 digits) on 20 September 2013; n = 1153 (348 digits) on 28 October 2013; n=1159 (349 digits) on 9 February 2014; n = 1177 (355 digits) on 29 May 2014, n = 1193 (360 digits) on 22 August 2014, and n = 1199 (361 digits) on 11 December 2014; the first detailed announcement was made in late August 2014. The total effort for the project is of the order of 7500 CPU-years on 2.2 GHz Opterons, with roughly 5700 years spent sieving and 1800 years on linear algebra.

Comparison to efforts by individuals

As of the end of 2007, thanks to the constant decline in memory prices, the ready availability of multi-core 64-bit computers, and the availability of the efficient sieving code (developed by Thorsten Kleinjung of the Bonn group) via ggnfs[15] and of robust open-source software such as msieve[16] for the finishing stages, special-form numbers of up to 750 bits (226 digits) and general-form numbers of up to about 520 bits (157 digits) can be factored in a few months on a few PCs by a single person without any special mathematical experience.[17] These bounds increase to about 950 bits (286 digits)[18] and 600 bits (181 digits)[19] if it were possible to secure the collaboration of a few dozen PCs for sieving; currently the amount of memory and the CPU power of a single machine for the finishing stage are equal barriers to progress.

In 2009, Benjamin Moody factored a 512-bit (155-digit) RSA key used to sign the TI-83 graphing calculator using software found on the internet; this eventually led to the Texas Instruments signing key controversy.

In September 2013, the 696-bit (210-digit) RSA-210 was factored by Ryan Propper[20] using institutional resources; between March 2013 and October 2014, another 210-digit number (the 117th term in the home prime sequence starting with 49) was completed by a user known as WraithX,[21] using $7600 worth of processing time on Amazon EC2 machines[22] for the sieving, and four months on a dual Xeon E5-2687W v1 for the linear algebra.

Records for efforts by quantum computers

The largest number reliably factored by Shor's algorithm is 21 which was factored in 2012.[23] 15 had previously been factored by several labs.

In April 2012, the factorization of 143 = 13 × 11 by a room-temperature (300 K) NMR adiabatic quantum computer was reported by a group led by Xinhua Peng.[24] In November 2014 it was discovered that the 2012 experiment had in fact also factored much larger numbers without knowing it. [25] [26] In April 2016 the 18-bit number 200,099 was factored using quantum annealing on a D-Wave 2X quantum processor.[27] Shortly after, 291 311 was factored using NMR at higher than room temperature.[28] In late 2019, Zapata computing claimed to have factored 1,099,551,473,989,[29] and in 2021 released a paper describing this computation.[30] In 2024, a new approach to embed prime factoring problems into quantum annealers has been proposed, leading to (i) the embedding of 21×12 prime factoring problems into a D-Wave Pegasus architecture; (ii) the factoring of 8,219,999 by using a quantum annealer without exploiting hybrid techniques. [31]

As such, claims of factoring with quantum computers have however been criticized for depending heavily on classical computation to reduce the number of qubits required.[32] [33] For example, the factorization of 1,099,551,473,989 relied on classical pre-processing to reduce the problem to a three-qubit quantum circuit.[30] Furthermore, the three numbers factored in this paper (200,099, 291,311, and 1,099,551,473,989) can easily be factored using Fermat's factorization method, requiring only 3, 1, and 1 iterations of the loop respectively.

See also

Notes and References

  1. Web site: Factorization of 176-digit number. 2007-05-23 . K. Aoki . Y. Kida . T. Shimoyama . H. Ueda .
  2. Web site: RSA200. 2007-05-23 . F. Bahr . M. Boehm . J. Franke . T. Kleinjung .
  3. Web site: Factorization of a 768-bit RSA modulus. 2013-04-11 . T. Kleinjung . K. Aoki . J. Franke . A. K. Lenstra . E. Thomé . J. W. Bos . P. Gaudry . A. Kruppa . P. L. Montgomery . D. A. Osvik . H. te Riele . A. Timofeev . P. Zimmermann .
  4. Web site: [Cado-NFS-discuss] 795-bit factoring and discrete logarithms . 2019-12-03 . 2019-12-02 . https://web.archive.org/web/20191202190004/https://lists.gforge.inria.fr/pipermail/cado-nfs-discuss/2019-December/001139.html . dead .
  5. F. Boudot et al, "Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment," June 10, 2020.
  6. Web site: LISTSERV - NMBRTHRY Archives - LISTSERV.NODAK.EDU.
  7. Web site: Record Number Field Sieve Factorisations. 2007-11-23. P. L. Montgomery .
  8. Web site: 233-digit SNFS factorization. 2007-11-23. The Cabal. dead. https://web.archive.org/web/20071128061126/http://ftp.cwi.nl/herman/SNFSrecords/SNFS-233. 2007-11-28.
  9. Web site: M809. 2007-11-23. J. Franke. dead. https://web.archive.org/web/20070823181923/http://ftp.cwi.nl/herman/SNFSrecords/SNFS-244. 2007-08-23.
  10. Web site: SNFS274. 2007-05-23 . K. Aoki . Y. Kida . T. Shimoyama . H. Ueda .
  11. Web site: Factorization of the 1039th Mersenne number . 2007-05-23 . K. Aoki . J. Franke . T. Kleinjung . A. K. Lenstra . D. A. Osvik .
  12. Web site: A kilobit special number field sieve factorization. Kazumaro Aoki . Jens Franke . Thorsten Kleinjung . Arjen Lenstra . Dag Arne Osvik . 2007-12-19 .
  13. Factorization of a 1061-bit number by the Special Number Field Sieve . Greg Childers. Cryptology ePrint Archive . 2012 .
  14. Web site: Mersenne Factorization Factory . Thorsten Kleinjung . Joppe W Bos . Arjen K Lenstra . 2015-01-18.
  15. Web site: GGNFS suite – Browse Files at SourceForge.net . sourceforge.net.
  16. Web site: Archived copy . 2007-11-23 . dead. https://web.archive.org/web/20071213020640/http://www.boo.net/~jasonp/qs.html . 2007-12-13 .
  17. Web site: mersenneforum.org – View Single Post – 2LM Table . www.mersenneforum.org.
  18. Web site: mersenneforum.org – View Single Post – A computation worthy of the name . www.mersenneforum.org.
  19. Web site: mersenneforum.org – View Single Post – 5^421-1 sieving (reservations closed) . www.mersenneforum.org.
  20. Web site: RSA-210 factored – mersenneforum.org . mersenneforum.org.
  21. Web site: mersenneforum.org – View Single Post – HP49(119)... . www.mersenneforum.org.
  22. Web site: Archived copy . 2020-03-04 . 2021-04-16 . https://web.archive.org/web/20210416220859/https://mersenneforum.org/showpost.php?p=389078&postcount=105 . dead .
  23. Martín-López . Enrique . Enrique Martín-López . Anthony Laing . Thomas Lawson . Roberto Alvarez . Xiao-Qi Zhou . Jeremy L. O'Brien . Experimental realization of Shor's quantum factoring algorithm using qubit recycling . Nature Photonics . 6 . 11 . 773–776 . 12 October 2012 . 10.1038/nphoton.2012.259 . 1111.4147 . 2012NaPho...6..773M . 46546101 .
  24. Web site: 143 is largest number yet to be factored by a quantum algorithm.
  25. Web site: New largest number factored on a quantum device is 56,153.
  26. Web site: The Mathematical Trick That Helped Smash The Record For The Largest Number Ever Factorised By A... . 2 December 2014 .
  27. 1604.05796 . Prime factorization using quantum annealing and computational algebraic geometry . Raouf . Dridi . Hedayat . Alghassi . 21 February 2017 . Scientific Reports . 7 . 43048 . 10.1038/srep43048 . 28220854 . 5318873. 2017NatSR...743048D .
  28. Li. Zhaokai. Dattani. Nike. Chen. Xi. Liu. Xiaomei. Wang. Hengyan. Tanburn. Richard. Chen. Hongwei. Peng. Xinhua. Du. Jiangfeng. High-fidelity adiabatic quantum computation using the intrinsic Hamiltonian of a spin system: Application to the experimental factorization of 291311. 25 June 2017. 1706.08061. quant-ph.
  29. Web site: Crane. Leah. Quantum computer sets new record for finding prime number factors. 2020-10-02. New Scientist. en-US.
  30. Analyzing the performance of variational quantum factoring on a superconducting quantum processor . Amir . Karamlou . William . Simon . 28 October 2021 . npj Quantum Information . 7. 156 . 10.1038/s41534-021-00478-z. 2012.07825 . 2021npjQI...7..156K . 229156747 .
  31. Effective prime factorization via quantum annealing by modular locally-structured embedding . Jingwen . Ding . Giuseppe . Spallitta . Roberto . Sebastiani . 12 February 2024 . Scientific Reports . 14. 1 . 3518 . 10.1038/s41598-024-53708-7. 38347002 . 10861481 . 2310.17574 . 2024NatSR..14.3518D .
  32. Web site: Gidney. Craig. Factoring the largest number ever with a quantum computer. 2022-07-18. Blog. en-US.
  33. Smolin. John A.. Oversimplifying quantum factoring. Nature. 2013 . 499 . 7457 . 163–165 . 10.1038/nature12290 . 23846653 . 1301.7007 . 2013Natur.499..163S . 118613892 . en-US.