112
2, FEBRUARY 2009
A Study on Parallel RSA Factorization
Yi-Shiung Yeh, Ting-Yu Huang, Han-Yu Lin and Yu-Hao Chang
Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan, Republic of China
Email: {ysyeh, tingyu}@csie.nctu.edu.tw, {hanyu.cs94g, uhchang.csie93g}@nctu.edu.tw
Abstract—The RSA cryptosystem is one of the widely used
public key systems. The security of it is based on the
intractability of factoring a large composite integer into two
component primes, which is referred to as the RSA
assumption. So far, the Quadratic Sieve (QS) is the fastest
and general-purpose method for factoring composite
numbers having less than about 110 digits. In this paper, we
present our study on a variant of the QS, i.e., the Multiple
Polynomial Quadratic Sieve (MPQS) for simulating the
parallel RSA factorization. The parameters of our enhanced
methods (such as the size of the factor base and the length
of the sieving interval) are benefit to reduce the overall
running time and the computation complexity is actually
lower. The experimental result shows that it only takes 6.6
days for factoring larger numbers of 100 digits using the
enhanced MPQS by 32 workstations.
Index Terms—RSA, factorization, cryptosystem, Multiple
Polynomial Quadratic Sieve
I. INTRODUCTION
The RSA cryptosystem [13] is one of the most popular
and widely used systems in practice. Instead of relying
on the discrete logarithm problem [2, 7], the security of
the RSA cryptosystem is based on the intractability of
factoring a large composite integer, say, 2048 bits, into
two large component primes, which is referred to as the
RSA assumption. That is, given a RSA modulus n = pq
where p and q are two large primes of the same size, say,
1024 bits, the probability for any probabilistic
polynomial-time (PPT) algorithm P(˜) to successfully
factor n into p and q is at most 1/P(˜) which is negligible.
It can be seen that the straightforward trial division
method which divides n by each prime less than or equal
to n until p or q is found is time-consuming and
would be infeasible when n is large enough, though, it is
guaranteed to find p and q.
So far, several efficient factorization algorithms have
been proposed such as Pollard’s probabilistic methods
[9], (U and p – 1 methods,) the Continued Fraction
Method, the Elliptic Curve Method, the Number Field
Sieve (NFS) [6], the Quadratic Sieve (QS) [10] and its
variant, the Multiple Polynomial Quadratic Sieve (MPQS)
[11, 12, 14]. Generally speaking, the QS is still faster
than the NFS for numbers with no more than 110 digits
and thus may be the better alternative for factoring large
integers between 50 and 110 digits. In this paper, we
focus on the MPQS and design an experimental
© 2009 ACADEMY PUBLISHER
JOURNAL OF COMPUTERS, VOL. 4, NO.
environment to simulate the parallel RSA factorization.
With optimized parameters in the sieving procedure, the
computation complexity of our method is lower than that
of the original one, which contributes to the reduction of
the overall running time.
The rest of this paper is organized as follows. Section
2 recalls some security notions of the RSA cryptosystem.
Section 3 introduces some related factoring algorithms
including the Dixon’s Random Squares algorithm, the
QS and its variant, the MPQS. We simulate the parallel
RSA factorization using an enhanced MPQS in Sections
4. Finally, a conclusion with the significance of our
experimental results is given in Section 5.
II. SECURITY NOTIONS OF THE RSA CRYPTOSYSTEM
This section reviews some security notions with
respect to the RSA cryptosystem. That is, the RSA
problem and the RSA assumption.
(i) RSA Problem:
Let n = pq where p and q are two large primes, e an
integer satisfying gcd(e, (p  1)(q  1)) = 1 and d an
e
integer such that ed = 1 mod (p  1)(q  1). Given c { m
(mod n) as the input, output the unique integer mZn
d
satisfying m { c (mod n).
(ii) RSA Assumption:
Let G be the RSA key generator which takes the
k
security parameter 1 as its input and outputs (n, e, d).
Given a RSA instance (n, e, c), the advantage for any
probabilistic polynomial-time (PPT) adversary A, every
positive polynomial P(˜) and all sufficiently large k to
solve the RSA problem is at most 1/P(k), i.e.,
e
Pr[A(n, e, c) = m, c m m mod n, m m Zn, (n, e, d) m G]
d 1/P(k).
III. REVIEW OF RELATED FACTORING ALGORITHMS
To facilitate the readers with better understanding in
the article, we first introduce some factoring algorithms
including the Dixon’s Random Squares algorithm, the
QS and the MPQS which is one of the most useful
variants of the QS and widely employed in practice.
A. Dixon’s Random Squares Algorithm
The method is proposed by Dixon [3] in 1981 and
works very well on parallel processors. Let x and y be
JOURNAL OF COMPUTERS, VOL. 4, NO. 2, FEBRUARY 2009 113

2 2 &
two integers satisfying x !{ ry (mod n) and x { y (mod z ( z1 , z 2 ,..., z m )  ( Z 2 ) m as zj = 1 if ra j  U and zj = 0
2 2
n). Then we can derive (x + y)(x – y) = x – y { 0 (mod
n). It can be seen that gcd(x + y, n) and gcd(x – y, n) must if ra j  U, for 1 d j d m. Note that ( Z 2 ) m denotes the
be non-trivial factors of n with the probability of at least m-dimensional vector space over the finite field Z2 of 2
1/2. Therefore, n is successfully factored. To find such x
2 2
and y fulfilling x { y (mod n), the algorithm begins by elements. Since – f (ri ) is a perfect square and
2 ri U
choosing several random integers ri’s such that ri > n,
2 m
and proceeds to compute f(ri) = ri mod n. It is obvious zj
2 2
that f(ri) { ri (mod n) and f(ri) z ri for all the ri’s. Let – f (ri ) – ( f (ra j
))
ri U j 1
the setʳS contain these ri’s, and we have – f (ri ) y2
m § b ·
zj
ri S ¨
–– pk ek , j ¸
¨ ¸
for some y, and x – ri . Derived from the equality j 1© k 1 ¹
ri S
b § m ·
¨ ¸
x – ri , we know that –– ¨¨ pk ek , j z j ¸¸
ri S k 1© j 1 ¹
2 m
§ · ¦ ek , j z j
¨ ¸ b
x2 { ¨ –ri ¸ (mod n)
¨ r S ¸ – pk
j 1
,
©i ¹
k 1
{ – ri 2 (mod n) m
ri S we know ¦ ek , j z j { 0 (mod 2), for 1 d k d b. This
j 1
{ – f (ri )(mod n) homogeneous linear system can be written in the form of
ri S
matrix as
{ y2 (mod n).
ª e1,1 e1,2  e1, m º ª z1 º ª0º
Note that – f (ri ) y 2 for some y holds if and «e »« » « »
« 2,1 e2, 2  e2, m » « z 2 » { «0» (mod 2). (1)
ri S
«     »«  » « »
« »« » « »
only if each prime factor of – f (ri ) is used for even
¬«eb,1 eb,2  eb, m ¼» ¬ z m ¼ ¬0¼
ri S
To solve Eq. (1), we can use the algorithms such as the
times. Such notion benefits us to find the set S. Suppose Gauss-Jordan Elimination [4], the Block Lanczos
we have known the complete factorization of each f(ri), it algorithm [1] and the Wiedemann algorithm [8]. If a
would be easy to check whether the product of some &
solution s of Eq. (1) is found, the set S can thus be
specific f(ri)’s is a square. Yet, it is clearly difficult to constructed according to it. As a matter of fact, the
factor every f(ri). Thus, we just retain and use those crucial part is how to efficiently find enough ri’s such
f(ri)’s which can be “easily” factored. For simplicity, we that f(ri) is smooth over E, rather than solving the
first give the definitions of a factor base and being homogeneous linear system over a finite field.
smooth over a factor base.
B. Quadratic Sieve
Definition 1. factor base and being smooth over a
factor base The QS is a well-known factoring algorithm proposed
by Pomerance [10] in 1981. When factoring large
A factor base E is a nonempty set of prime integers. integers between 50 and 110 digits, the QS is
An integer D is said to be smooth over the factor base E if undoubtedly the best choice and has been widely used in
all the prime factors of D occur in E. practice for a long time. In fact, the QS use similar
The algorithm uses a factor base E composed of b factoring ideas to the Dixon’s Random Squares algorithm
smallest primes, i.e., E = {p1, p2, …, pb}. Let the set W = except for two major differences. One is that the function
2 2
{ ra1 , ra2 , …, ra m } such that f( ra j ) is smooth over E of f(ri) = ri mod n is replaced with f(ri) = ri – n. The
b other is that the QS chooses all the ri’s as successive
and f (ra j ) – pk e k, j where ek, j t 0, 1 d j d m and 1 integers in the form of ri = ¬ ¼
n + i, for i  N. Such
k 1 slight modifications can lead to dramatically faster
d k d b. We attempt to find a set S satisfying running time. More details are described as follows.
– f (ri ) y 2 for some y from W. Observe that every Setting up the factor base:
ri S To set up the factor base E = {p1, p2, …, pb}, the QS
subset U Ž W can be mapped to a vector uses any pk satisfying that there exists at least one ri such

© 2009 ACADEMY PUBLISHER

114 JOURNAL OF COMPUTERS, VOL. 4, NO. 2, FEBRUARY 2009

that f(ri) is divisible by pk. Consequently, for each pk  E,

we have
f( ¬ n¼ + l) is smooth over E if and only if M[l] = 1.
Therefore, we can find out all the ri’s such that f(ri) is
pk | f(ri), for some ri
2 smooth over E within the sieving interval.
œ pk | (ri – n) By using this technique, every division executed is
2
œ ri { n (mod pk) “meaningful”. That is to say, f(ri) is divided by pk if and
œ n is a quadratic residue modulo pk only if f(ri) is divisible by pk for every prime pk  E.
§ n · Moreover, the divisions that divide an integer by its
œ ¨¨ ¸¸ 1
prime factor are much faster than the others. It can be
© pk ¹
seen that useless divisions are discarded, so as to
§ n · dramatically speed up the running time.
where ¨¨ ¸¸ stands for the Legendre symbol. To
© pk ¹ C. Multiple Polynomial Quadratic Sieve
efficiently compute the Legendre symbol, we can use the The MPQS was proposed by Montgomery [14], which
well-known Square-and-Multiply algorithm [16] and is one of the variants of the QS. It uses several
thus decide which odd prime pk should be put into E. polynomial functions gh(ri)’s, for h  N to ensure the
Sieving procedure: proper size of ri. Once the values of one polynomial get
To determine whether f(ri) is smooth over E for all the “too” large, we discard it and choose a new one. Such
ri’s, we first choose a prime of E and decide which f(ri)’s procedure makes each gh(ri) smaller as well as the
are divisible by it. For instance, it is easy to see that a sieving interval and the factor base. More details are
2
specific f(ri) = ri – n is divisible by two if and only if ri described as follows.
is odd. For a fixed odd prime pk  E, we have to find all Selection of polynomials:
2 The MPQS uses the polynomial functions in the form
the ri’s with pk | (ri – n). Then we know 2
2 of gh(ri) = ah ri + 2bh ri + ch where ah is a perfect square,
pk | (ri – n) 2 2
2
œ ri { n (mod pk) say ah = dh , 0 d bh < ah such that bh { n (mod ah), and
2 2
œ ri is a solution to the congruence r { n (mod pk). the coefficient ch satisfying bh – ah ch = n. Then we
have
Since n is a quadratic residue modulo pk and pk is an odd
2 ah ˜ gh(ri)
prime, the congruence r { n (mod pk) has exactly two 2
= (ah ri) + 2(ah ri) bh + ah ch
solutions in Z p k , say so,1 and so,2. In addition, these 2 2
= (ah ri) + 2(ah ri) bh + (bh – n)
two solutions are negatives of each other modulo pk, 2
= (ah ri + bh) – n
namely so,2 = pk – so,1. Let so  {so,1, so,2}. It is obvious 2
œ ah ˜ gh(ri) { (ah ri + bh) (mod n)
that ri = so + tpk, for t  Z. To compute so,1 and so,2, the ~ 2
œ gh(ri) { [ d h (ah ri + bh)] (mod n)
Shanks-Tonelli algorithm [15] is applicable and thus all ~ 1
the ri’s satisfying that ri = so + tpk, for t  Z can be where d h = dh mod n (assume dh and n are relatively
found. prime). Thus, gh(ri) is congruent to a perfect square
In practice, we just pick an interval called sieving modulo n. As to setting up the factor base, the MPQS
interval and consider the ri’s in this interval. Let the still uses the same procedure as that of the QS.
sieving interval be >¬ ¼ ¬ ¼ @
n  1, n  G and ri = ¬ ¼n + Selection of the coefficients:
i, for 1 d i d G, G t b. Allocate an one-dimension array M Let the sieving interval be [G, G] of length 2G. Now
of size G and store all the f(ri)’s in the array. Since all the consider
2
ri’s are successive, every ri can be mapped to the index gh(ri) = ah ri + 2bh ri + ch
§ 2
of the array element which saves the corresponding f(ri) ¨ 2 § bh · § bh · ·¸ bh 2  ah ch
= ah ¨ ri  2ri ¨¨ ¸¸  ¨¨ ¸¸ ¸  ah
such as M[ri – ¬ n ¼] = f(ri). Then we proceed to select ¨
© © ah ¹ © ah ¹ ¸¹ ah
those ri’s fulfilling ¬ n ¼ + 1 d ri = so + tpk d ¬ n ¼ + G, 2
§ b · n
for t  Z and the corresponding M[ri – ¬ n ¼ ]’s are = ah ¨¨ ri  h ¸¸  .
© ah ¹ ah
repeatedly divided by pk until their quotients are not To make | gh(ri) | to be as small as possible on the sieving
divisible by pk. This procedure is performed for every interval, we attempt to have the minimum and maximum
odd prime pk  E. Similarly, for every odd ri, f(ri) is values of gh(ri) over [G, G] be roughly the same in
repeatedly divided by two until it is not divisible. (Even absolute values, but be opposite in sign. That is,
c
we can easily divide f(ri) by 2 if there are c 0’s in the tail b ( a hG ) 2  n
n
of the binary representation of f(ri).) In the end, all the g h ( h ) | g h (G )
ah ah ah
M[l]’s are scanned for which M[l] = 1, for 1 d l d G.

© 2009 ACADEMY PUBLISHER

JOURNAL OF COMPUTERS, VOL. 4, NO. 2, FEBRUARY 2009 115

2 IV. ENHANCED MULTIPLE POLYNOMIAL QUADRATIC

Ÿ n | (ahG)  n
SIEVE
Ÿ a hG | 2 n
For that the sieving procedure is obviously the most
2n
Ÿ ah | time-consuming part of the MPQS, we can make some
G modifications to optimize the running time. Suppose that
3 2
2n g(ri) = 504 = 2 u 3 u 7 and E = {2, 3, 7, 13}. We know
Ÿ dh | ,
G 504
that g(ri) is smooth over E because 1 . On
which helps finding a proper dh. For convenience, we 2 u 32 u 7
3
the other hand, we can also conclude the same result
2n 3 2
choose dh as a prime close to such that according to the fact that 504 is divisible by 2 , 3 , 7 and
G
log(504) – [3log(2) + 2log(3) + log(7)] = 0. This idea is
§ n · fairly simple and anyone can see that logarithmic
¨¨ ¸¸ 1 and dh { 3 (mod 4). Once dh has been chosen,
© dh ¹ operations spend less time than the trial division (of large
2 2 numbers). In general, the factor base E should be large as
we proceed to solve r { n (mod dh ) with the assistance 1
2 ( o (1)) ln(n ) ln(ln(n ))
of the Hensel’s Lemma [5] by first solving r { n (mod e 2 .
2 2
dh). Let f(r) = r – n and sh be a solution of r { n (mod Thus, the running time of original MPQS is
§ n · (1 o (1)) ln(n ) ln(ln(n ))
dh). Since dh is chosen as a prime with ¨¨ ¸¸ 1 and dh e , where each “step” executed is trial
© dh ¹ division. Moreover, the numbers g(ri) are all smaller than
{ 3 (mod 4), we know that n ( d k 1) / 2 { 1 (mod dh) and 1
 o (1)
dh 1 approximately n2 . Division of an l-bit integer by
is an integer. Besides, an m-bit integer can be done in lm bit-operations. From
4
above, we can determine the amount of bit-operations to
(n ( d h 1) / 4 ) 2 { n ( d h 1) / 2 (mod d h ) perform the original MPQS as
{ nn ( d h 1) / 2 (mod dh) § 1
 o (1) ·¸
(1 o (1)) ln( n ) ln(ln(n )) ¨ 2
{ n (mod dh). e ¨ ln( n )¸
¨ ¸
That is, (n ( d h 1) / 4 mod dh) is a modular square root of © ¹
2 § § ( 1 o(1)) ln(n) ln(ln(n)) ··
r { n (mod dh). Set sh = n ( d h 1) / 4 mod dh and ¨ ¨ 2 ¸¸
¨ ln¨ e ¸¸
~ § f (sh ) · ~ ¨ ¨ ¸¸
compute th =  f c( s h )¨¨ ¸¸ mod dh where f ' ( s h ) © © ¹¹
© dh ¹ 2
~ (1 o (1)) ln( n ) ln(ln(n )) § 1 ·
is an inverse of f'(sh) modulo dh, i.e., f ' ( s h ) = (2sh)
1 =e ¨  o(1) ¸ ln(n) ln(n) ln(ln(n)) .
© 2 ¹
mod dh. Consequently, we can derive sh' = sh + th dh mod On the other hand, enhanced MPQS spends the same
2 2 2
dh which is the solution of r { n (mod dh ) and bh is set steps as original MPQS, but each step is logarithmic
to be one of the modular square roots. subtraction. Assume that m t l, subtraction of an l-bit
Sieving procedure integer from an m-bit integer can be done in m
bit-operations. Therefore, enhanced MPQS performs the
Same as the QS, we have to solve the congruence gh(r) amount of bit-operations as
{ 0 (mod pk) for each odd prime pk in the factor base E. § 1
(1 o (1)) ln( n ) ln(ln(n )) ¨  o (1) ·¸
Since the MPQS uses several polynomial functions e ln¨ ln(n 2 )¸
gh(ri)’s, we need to do this work repeatedly for each ¨ ¸
2 © ¹
polynomial. Fortunately, the congruence ah r + 2bh r +
= e (1 o(1)) ln(n) ln(ln(n)) ¨ ln(ln(n))  ln(  o(1)) ·¸.
§ 1
ch { 0 (mod pk) can be easily solved by using the
© 2 ¹
standard formula for solving a quadratic polynomial.
That is, A. Basic Ideas
1 2 1/2
r = (2ah) [2bh r ((2bh) – 4ah ch) ] mod pk Recall that in the sieving procedure of the MPQS, we
1 1 2 1/2
= 2 ah [2bh r 2(bh – ah ch) ] mod pk can find all the ri’s with g(ri) divisible by each odd prime
1 1/2
= ah [bh r n ] mod pk. pk in the factor base E. However, we do not know the
1
Since gcd(ah, pk) = 1, we can always find (ah mod pk). exponent of pk in the prime power factorization of g(ri).
Further, by using the Shanks-Tonelli algorithm [15], the A flat-out way would be performing the trial division,
1/2 which is considered to be inefficient for that the size of |
square roots of n modulo pk (n mod pk) can be
efficiently computed. Therefore, the sieving procedure of g(ri) | are almost as large as n . If the exponent of pk
the MPQS just works the same as the QS, except that the
MPQS uses multiple polynomials instead of a single one.

© 2009 ACADEMY PUBLISHER

116 JOURNAL OF COMPUTERS, VOL. 4, NO. 2, FEBRUARY 2009

(in the factorization of g(ri)) can be derived without any (ut 1  wt 1 pk t 1 ) 2  n

trial division, it will lead to a speed-up.
Assume that we can find the solutions of the pk t
2 t
congruence g(r) = ar + 2br + c { 0 (mod pk ) for any 2ut 1wt 1 pk t 1  ( wt 1 pk t 1 ) 2  ((ut 1 ) 2  n)
t
positive integer t, and So, t = {ri | g(ri) { 0 (mod pk )}. pk t
t+1
Note that if g(ri) is divisible by pk , it is also divisible
2ut 1wt 1 pk t 1  g (ut 1 )
by pkt and we know that So, t + 1 Ž So, t , for t  N. Let ( wt 1 ) 2 pk t  2 
Do, t = So, t – So, t + 1 pk t
t
= {ri | g(ri) = wpk , gcd(w, pk) = 1}. 2ut 1wt 1  qt 1
( wt 1 ) 2 pk t  2  .
If Do, t can be found for a particular t, we can find all the pk
t
g(ri)’s which are divisible exactly by pk but not divisible 2ut 1wt 1  qt 1
t + 1 In fact, qt { (mod pk) when t t 3.
by pk . Namely, we can find all the g(ri)’s whose pk
t
prime power factorization pk appears.
C. Enhanced Sieving Procedure
t
B. Square Roots of n Modulo pk Consider the congruence g(r) = ar + 2br + c { 0 (mod
2
2 t t
First consider how to solve g(r) = r – n { 0 (mod pk ) pk )for any positive integer t. Suppose that gcd(a, pk) = 1
§ n · and we can solve the congruence as
for any positive integer t. Since ¨¨ ¸¸ 1 for every odd 1 2 1/2 t
© pk ¹ r = (2a) [2b r ((2b)  4ac) ] mod pk
–1 1 2 1/2 t
prime pk  E, there are two square roots of n modulo pk
t = 2 a [–2b r 2(b  ac) ] mod pk
1 1/2 t
for any positive integer t. In addition, they are also = a [b r n ] mod pk
t 1 (t) t
negatives of each other modulo pk . When t = 1, the = a [b r nk ] mod pk
(t) t
square roots of n modulo pk can be efficiently computed where nk denotes the square root of n modulo pk . Let
by the Shanks-Tonelli algorithm. When t t 2, the t 1 (t)
the two solutions modulo pk be so(t,1) = a [b + nk ]
Hensel’s Lemma is applicable. Let ut  1 be a solution of 1 (t)
t1 and so(t,)2 = a [b  nk ]. By the Hensel’s Lemma, we
g(r) { 0 (mod pk ) and we can derive
(t)
ut  1 !{ 0 (mod pk), can efficiently compute nk . As to the derivation of So, t
t
g'(ut  1) = 2 ut  1 !{ 0 (mod pk). = {r | g(r) is divisible by pk }, it is obvious that
t
Thus, ut = (ut  1 + wt  1 pk
t  1
) is a solution of the So, t = {r | g(r) { 0 (mod pk )}
t
congruence g(r) { 0 (mod pk ), given by wt  1 { = {so(t )  wp k t | so(t )  {so(t,1) , so(t,)2 }, w  Z } .
§ g (u ) · Once So, t and So, t + 1 are derived, Do, t = So, t – So, t + 1 is
 g~ c(ut 1 )¨ t 1 ¸
(mod pk) where g~ c(ut 1 ) is an found. Similarly, if we want to find Do,1,
¨ p t 1 ¸
© k ¹
Do,2, …, Do,t o 1 , we has to derive So,1, So,2, …, S o,t o
inverse of g'(ut  1) modulo pk. Now look into the
(t ) (t ) (t )
t
solution ut + 1 = (ut + wt pk ) of the congruence g(r) { 0 by first computing so,1o and so,o2 for that so,1o { so(t,1)
t+1
(mod pk ), and we have t (t ) t
(mod pk ) and so,o2 { so(t,)2 (mod pk ), for t d to. It can be
g'(ut) = 2ut
t1
= 2(ut  1 + wt  1 pk ) seen that nk (t o ) only depends on n, pk and to. Thus, we
{ 2ut  1 (mod pk) can compute (and store) it for each pk in E when setting
{ g'(ut  1) (mod pk). up E, so as to eliminate the necessity to use the Hensel’s
Therefore, g~ c(ut ) g~ c(ut 1 ) and we can further extend
(t ) (t )
Lemma for computing so,1o and so,o2 of new
this result to conclude that g~ c(ut ) g~ c(u1 ) , for any t t 1 polynomials. More details are described below.
(where u1 is a solution of the congruence g(r) { 0 (mod Let the sieving interval be [1  G, G], ri = i  G and all
g (ut 1 ) the g(ri)’s which correspond to the ri’s within this range
pk)). Let qt 1 , and we can compute qt as
pk t 1 are divisible by pk at most to times. As mentioned earlier,
follows: to determine whether a given g(ri) is divisible by pk
(t )
g (ut ) exactly t times, for any t d to, we can evaluate so,1o and
qt
pk t (t )
so,o2 for each odd prime pk  E to find So,1, So,2, …,
2
ut  n S o,t o . Afterward, we can decide which g(ri) is smooth
pk t over E without performing any trial division. To see this,

© 2009 ACADEMY PUBLISHER

JOURNAL OF COMPUTERS, VOL. 4, NO. 2, FEBRUARY 2009 117

suppose that g(ri) is divisible by pj exactly ei, j times with The experimental results are contributive to the analyses
ei, j t 0, for each pj  E. Then we have of the strength of the RSA assumption against the
modern computer technology and should be taken into
g(ri) is smooth over E consideration on future cryptographic implementations
b
ei , j based on the RSA cryptosystem.
œ g (ri ) –pj
j 1 TABLE 1.
b EXPERIMENTAL RESULTS FOR ESTIMATED RUNNING TIME
œ log( g (ri )) ¦ ei, j log( p j ) Original MPQS Enhanced MPQS
j 1 log10(n) / log2(n)
by one PC by 32 workstations
b
œ log( g (ri ))  ¦ ei, j log( p j ) 0. 50 / 166 0.16 (hours) N.A.
j 1
80 / 266 22 (hours) 1.4 (hours)
The result can be applied to the sieving procedure as
follows. First, an array of size 2G is allocated, and let the 82 / 272 36 (hours) 3.4 (hours)
array elements be M[1], M[2], …, M[2G]. Assign the
85 / 282 72 (hours) 6.7 (hours)
logarithm of g(ri) for each ri to M[i], i.e., M[ri + G] =
90 / 299 210 (hours) 11.3 (hours)
log(g(ri)). For every ri  So, t and 1 – G d ri d G, log(pk) is
subtracted from M[ri + G] where t d to. This procedure is 100 / 332 80 (days) 6.6 (days)
performed for every odd prime pk  E. Similarly, if g(ri) 110 / 365 N.A. 49 (days)
is divisible by 2 at most t' times, t' log(2) must be
subtracted from M[ri + G]. As a matter of fact, t' can be REFERENCES
easily determined by scanning g(ri) from the least
[1] O. Bretscher, Linear Algebra with Applications, 3rd Ed.,
significant bit towards the most significant bit until the
Prentice Hall, 2004.
first 1 bit is found. In the end, all the M[i]’s are scanned [2] W. Diffie and M. Hellman, “New directions in
for which M[i] = 0 and thus we know which g(ri) is cryptography,” IEEE Transactions on Information Theory,
smooth over E. Vol. IT-22, No. 6, 1976, pp. 644-654.
[3] J.D. Dixon, “Asymptotically fast factorization of
D. Parallel Sieving integers,” Mathematics of Computation, Vol. 36, No. 153,
In order to make the MPQS more practical, we use 32 1981, pp. 255-260.
workstations to parallelize the sieving procedure. Each [4] S.H. FriedBerg, A.J. Insel and L.E. Spence, Linear
workstation is equipped with AMD Athlon XP 2700+ Algebra, 4th Ed., Prentice Hall, 2002.
[5] R. Kumanduri and C. Romero, Number Theory with
CPU (running at 2.2 GHz on average), 2 GB memory
Computer Applications, 1st Ed., Prentice Hall, 1997.
and 512 MB disk space total. The installed operating [6] A.K. Lenstra and H.W. Lenstra (eds.), The development of
system is RedHat Linux 9.0. We divide the sieving the number field sieve, Lecture Notes in Mathematics, Vol.
interval into several subintervals, and each workstation 1554, Springer-Verlag, 1993.
using different quadratic polynomial functions sieves [7] A. Menezes, P. Oorschot and S. Vanstone, Handbook of
over a different subinterval. That is, the jth workstation applied cryptography, CRC Press, Inc., 1997.
uses the coefficient dh satisfying that dh is prime and dh = [8] P.L. Montgomery, “A block Lanczos Algorithm for finding
dependencies over GF(2),” Advances in Cryptology 
4(kt + j) + 3 where t is the number of total workstations,
EUROCRYPT’95, Springer-Verlag, 1995, pp. 106-120.
1 d j d t, and k  Z. The only constraint is that t can not [9] J.M. Pollard, “Theorems on factorization and primality
be a multiple of 3. The execution time of factoring larger testing,” Proceedings of the Cambridge Philosophical
numbers in the range of 80-100 digits is shown as Table Society, Vol. 76, No. 2, 1974, pp. 521-528.
1. [10] C. Pomerance, “The quadratic sieve factoring algorithm”,
Although the estimated running time by using 32 Advances in Cryptology  EUROCRYPT’84,
workstations is not 32 times faster than that by using one Springer-Verlag, 1985, pp. 169-182.
PC, the parameters of our enhanced method (such as the [11] C. Pomerance, Cryptology and Computational Number
size of the factor base and the length of the sieving Theory; Factoring, AMS, Providence, RI, 1990.
[12] H. Riesel, Prime Numbers and Computer Methods for
interval) are benefit to reduce the overall running time
Factorization, 2nd Ed., Boston, 1994.
and the computation complexity is actually lower. [13] R. Rivest, A. Shamir and L. Adleman, “A method for
obtaining digital signatures and public-key
V. CONCLUSIONS cryptosystems,” Communications of the ACM, Vol. 21, No.
2, 1978, pp. 120-126.
In this paper, we have presented our study on the [14] R. Silverman, “The multiple polynomial quadratic sieve,”
MPQS for simulating the parallel RSA factorization. By Mathematics of Computation, Vol. 48, No. 177, 1987, pp.
optimizing the size of the factor base and the length of 329-339.
the sieving interval, the computation complexity of our [15] D.R. Stinson, Cryptography: Theory and Practice, 2nd Ed.,
enhanced version is lower as compared with the original CRC Press, 2002.
MPQS, which helps reducing the overall running time. [16] D.H. Wiedemann, “Solving sparse linear equations over

© 2009 ACADEMY PUBLISHER

118 JOURNAL OF COMPUTERS, VOL. 4, NO. 2, FEBRUARY 2009

finite fields”, IEEE Transactions on Information Theory,

Vol. IT-32, No. 1, 1986, pp. 54-62.

Yi-Shiung Yeh received his M.S. and Ph.D. degrees in

Department of Electrical Engineering and Computer Science
from University of Wisconsin-Milwaukee, U.S.A. in 1980 and
1986, respectively. He died as a professor in the department of
Computer Science, National Chiao Tung University, Taiwan in
2007. His research interests include Data security & Privacy,
Information & Coding Theory, Game Theory, Reliability, and
Performance.

Ting-Yu Huang received his B.S. degree in electrical

engineering from National Central University, Taiwan in 1990,
and his M.S. degree in computer science and information
engineering from National Chiao Tung University, Taiwan in
2001. Now he is a doctoral candidate in the Department of
Computer Science of National Chiao Tung University, Taiwan.
His research interests include Cryptanalysis and
Communication Protocols.

Han-Yu Lin received his B.A. degree in economics from the

Fu-Jen University, Taiwan in 2001, and his M.S. degree in
information management from the Huafan University, Taiwan
in 2003. Now he is a doctoral student in the Department of
Computer Science of National Chiao Tung University, Taiwan.
His research interests include Cryptography and Network
Security.

Yu-Hao Chang received his B.S. degree in computer science

and information engineering from National Central University,
Taiwan in 2004, and his M.S. degree in computer science from
National Chiao Tung University, Taiwan in 2006. His research
interests include System Performance and Information &
Coding Theory.

© 2009 ACADEMY PUBLISHER