Publication


Featured research published by Arjen K. Lenstra.


Mathematische Annalen | 1982

Factoring Polynomials with Rational Coefficients.

Arjen K. Lenstra; H.W. Lenstra; László Lovász

In this paper we present a polynomial-time algorithm to solve the following problem: given a non-zero polynomial $f \in \mathbb{Q}[X]$ in one variable with rational coefficients, find the decomposition of $f$ into irreducible factors in $\mathbb{Q}[X]$. It is well known that this is equivalent to factoring primitive polynomials $f \in \mathbb{Z}[X]$ into irreducible factors in $\mathbb{Z}[X]$. Here we call $f \in \mathbb{Z}[X]$ primitive if the greatest common divisor of its coefficients (the content of $f$) is 1. Our algorithm performs well in practice, cf. [8]. Its running time, measured in bit operations, is $O(n^{12} + n^9 (\log |f|)^3)$.


international cryptology conference | 2010

Factorization of a 768-bit RSA modulus

Thorsten Kleinjung; Kazumaro Aoki; Jens Franke; Arjen K. Lenstra; Emmanuel Thomé; Joppe W. Bos; Pierrick Gaudry; Alexander Kruppa; Peter L. Montgomery; Dag Arne Osvik; Herman J. J. te Riele; Andrey V. Timofeev; Paul Zimmermann

This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.


public key cryptography | 2000

Selecting Cryptographic Key Sizes

Arjen K. Lenstra; Eric R. Verheul

In this article we give guidelines for the determination of cryptographic key sizes. Our recommendations are based on a set of explicitly formulated hypotheses, combined with existing data points about the cryptosystems. This article is an abbreviated version of [15].


international cryptology conference | 2000

The XTR Public Key System

Arjen K. Lenstra; Eric R. Verheul

This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security.


symposium on the theory of computing | 1990

The number field sieve

Arjen K. Lenstra; Hendrik W. Lenstra; Mark S. Manasse; J. M. Pollard

The number field sieve is an algorithm to factor integers of the form $r^e - s$ for small positive $r$ and $|s|$. The algorithm depends on arithmetic in an algebraic number field. We describe the algorithm, discuss several aspects of its implementation, and present some of the factorizations obtained. A heuristic run time analysis indicates that the number field sieve is asymptotically substantially faster than any other known factoring method, for the integers that it applies to. The number field sieve can be modified to handle arbitrary integers. This variant is slower, but asymptotically it is still expected to beat all older factoring methods.


international cryptology conference | 1999

Factorization of RSA-140 Using the Number Field Sieve

Stefania Cavallar; Bruce Dodson; Arjen K. Lenstra; Paul C. Leyland; W.M. Lioen; Peter L. Montgomery; Brian Murphy; Herman J. J. te Riele; Paul Zimmermann

We propose a mathematical problem, and show how to solve it elegantly. This problem is related with elliptic curve cryptosystems (ECC). The solving methods can be applied to a new paradigm of key generations of the ECC.


Journal of Cryptology | 1999

Chinese Remaindering Based Cryptosystems in the Presence of Faults

Marc Joye; Arjen K. Lenstra; Jean-Jacques Quisquater

We present some observations on public-key cryptosystems that use the Chinese remaindering algorithm. Our results imply that careless implementations of such systems could be vulnerable. Only one faulty signature, in some explained context, is enough to recover the secret key.


Journal of Computer and System Sciences | 1985

Factoring multivariate polynomials over finite fields

Arjen K. Lenstra

This paper describes an algorithm for the factorization of multivariate polynomials with coefficients in a finite field that is polynomial-time in the degrees of the polynomial to be factored. The algorithm makes use of a new basis reduction algorithm for lattices over a finite field.


theory and application of cryptographic techniques | 2006

VSH, an efficient and provable collision-resistant hash function

Scott Contini; Arjen K. Lenstra; Ron Steinfeld

We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(log S) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus, runs at 1.1 MegaByte per second, with a moderate slowdown to 0.7MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.


theory and application of cryptographic techniques | 1990

Factoring by electronic mail

Arjen K. Lenstra; Mark S. Manasse

In this paper we describe our distributed implementation of two factoring algorithms, the elliptic curve method (ecm) and the multiple polynomial quadratic sieve algorithm (mpqs). Since the summer of 1987, our ecm-implementation on a network of MicroVAX processors at DEC's Systems Research Center has factored several most and more wanted numbers from the Cunningham project. In the summer of 1988, we implemented the multiple polynomial quadratic sieve algorithm on the same network. On this network alone, we are now able to factor any 100 digit integer, or to find 35 digit factors of numbers up to 150 digits long within one month. To allow an even wider distribution of our programs we made use of electronic mail networks for the distribution of the programs and for inter-processor communication. Even during the initial stage of this experiment machines all over the United States and at various places in Europe and Australia contributed 15 percent of the total factorization effort. At all the sites where our program is running we only use cycles that would otherwise have been idle. This shows that the enormous computational task of factoring 100 digit integers with the current algorithms can be completed almost for free. Since we use a negligible fraction of the idle cycles of all the machines on the worldwide electronic mail networks, we could factor 100 digit integers within a few days with a little more help.

Collaboration

Top Co-Authors


Thorsten Kleinjung

École Polytechnique Fédérale de Lausanne


H.W. Lenstra

University of California


Eric R. Verheul

Radboud University Nijmegen


Karen Aardal

Delft University of Technology


Dag Arne Osvik

École Polytechnique Fédérale de Lausanne


Benne de Weger

Eindhoven University of Technology