Integer Factorization




Lecture given at the Joh. Gutenberg-Universität, Mainz, July 23, 1992

by ÖYSTEIN J. RÖDSETH, University of Bergen, Department of Mathematics, Allégt. 55, N-5007 Bergen, Norway

1 Introduction

The security of many cryptosystems relies on the assumption that factoring of large composite integers is a computationally infeasible problem. The most famous example is the RSA public key cryptosystem [40], whose security depends on our inability to factor an integer $n$ which is the product of two large primes. So the study of integer factoring algorithms and the design of faster factoring algorithms is a subject of great importance in cryptology. But Dickson's History [14] shows that these problems have also attracted the interest of some of the great mathematicians of the past such as Fermat, Euler, Legendre, and Gauss. In this short lecture I shall present some of the ideas behind the best factoring algorithms currently in use on computing devices.

Most of the useful factoring algorithms fall into one of two classes. The first class is known as "combination of congruences". This class contains algorithms such as Shanks' Square Forms Factorization (SQUFOF) [42], Morrison and Brillhart's Continued Fraction Algorithm (CFRAC) [32], Pomerance's Quadratic Sieve (QS) [37], Montgomery's Multiple Polynomial Quadratic Sieve (MPQS) (see [37]), and Pollard et al.'s Number Field Sieve (NFS) [26]. (See also [1], [28], [38].)

The second class is "groups of smooth order"; cf. [38]. (An integer is smooth if it has only small prime factors.) Among the members of this class are Pollard's $p-1$ method [35], Williams' $p+1$ method [50], Bach and Shallit's Cyclotomic Polynomial Method [4], Schnorr and Lenstra's Class Group Method [41], and H. W. Lenstra's Elliptic Curve Method (ECM) [3], [29], [30]. (See also [19], [48].)

For the algorithms in the first class the run time depends mainly on the size of $n$, the number being factored, and is not strongly dependent on the size of the factor found. In the second class the run time depends mainly on the size of $f$, the factor found; cf. [7].

Suppose that we want to find a proper factor of a large integer $n$ (having perhaps 100 decimal digits); i.e. a factor $f$ such that $1 < f < n$. Usually we begin by searching for small factors (perhaps up to $10^5$) by trial division; see [51] for some short cuts. If no such factor is found, we then make one or more pseudoprime tests until we either discover that $n$ is composite or are strongly convinced that it must be prime. In the latter case we may perhaps wish to look for a proof of primality. But let us here assume that we have the former case. We can then run Pollard's $p-1$ method and Williams' $p+1$ method for a while (and perhaps also the Pollard Rho [36]). If still no factor is found, we choose between (MP)QS, ECM, and NFS.

Each of (MP)QS and ECM majorizes the other in certain situations. If the number $n$ is the product of two primes roughly equal in magnitude, then the best method is MPQS. Otherwise ECM is the method of choice. If the number $n$ arose in some random or natural context, then most likely it is not of the form $pq$ with $p \approx q$. Therefore ECM should be tried first. If this method has been tried fruitlessly for some time, we can try MPQS. If we are factoring $n$ so as to cryptanalyze the RSA cryptosystem with modulus $n$, we might immediately go to MPQS, skipping ECM completely.

The NFS is a quite new factoring method. It is remarkably fast for $n$ of special form; i.e. if $n = F(m)$ for an integer $m$ and some low degree polynomial $F(x)$ with small integer coefficients. There is also a version for general $n$, but this version is slower than that for $n$ of special form. Heuristic running time estimates show, however, that the general NFS probably is faster than QS for large $n$, and computations of Silverman [46] indicate that the crossover point is somewhere between 140 and 150 decimal digits. But we don't know for certain if the general NFS in its current form(s) is of any practical value; cf. [1].

2 Combination of congruences

Fermat factored numbers $n$ by representing them as
$$n = x^2 - y^2, \quad x, y \in \mathbb{Z}. \tag{1}$$
For if (1) holds, then $n = ab$ for $a = x - y$ and $b = x + y$. On the other hand, if $n$ is odd and $n = ab$ for some $a, b \in \mathbb{Z}$, then (1) holds with $x = (a+b)/2$ and $y = (a-b)/2$. This method works if $n$ has a factor very close to $\sqrt{n}$; for examples see [8, p. 59], [39, p. 154].

Instead of searching for integers $x, y$ satisfying (1), Kraitchik [20], [21], [22] followed an idea of Legendre (cf. [39]) and tried to find nontrivial (i.e. $x \not\equiv \pm y \pmod n$) solutions to the congruence
$$x^2 \equiv y^2 \pmod{n}. \tag{2}$$
If such a pair $x, y$ is found, then we compute $d = \gcd(x - y, n)$ by the Euclidean algorithm (which is very fast; see [18]). Now, if $n$ is composite, there should be a fairly good chance that the prime divisors of $n$ are distributed among the divisors of both $x - y$ and $x + y$, so that $d$ is possibly a proper divisor of $n$. For $n$ composite and $x, y$ a random solution to (2), suppose that we have at least a 50% chance that $d$ is a proper divisor of $n$. For 10 solutions we then have a better than 99.9% chance that at least one of them will lead to a factorization of $n$; cf. [38]. Of course, in practice we don't find random solutions to (2), but still this scheme should look very promising.

Next, consider the factor base $\{p_0, p_1, p_2, \ldots, p_k\}$, where $p_0 = -1$ and the other $p_i$ are the primes $\le$ some smoothness bound $B$. For integers $r$, let $g(r) \equiv r^2 \pmod{n}$. We wish to find integers $r$ such that $g(r)$ factors completely over the factor base, and this is most likely to happen if $|g(r)|$ is small. Therefore we require that $|g(r)| \le n/2$. Suppose that it is possible to find integers $r_j$, $j = 0, 1, \ldots, k+10$, such that $g(r_j)$ factorizes completely over the factor base, i.e.
$$g(r_j) = \prod_{i=0}^{k} p_i^{a_{ij}} \quad \text{for } j = 0, 1, \ldots, k+10,$$
where the $a_{ij}$ are non-negative integers. (These identities are called relations.)

We now consider the system $A\varepsilon = 0$ over the finite field $\mathbb{F}_2$ consisting of the two elements 0 and 1, where $A$ denotes the $(k+1) \times (k+11)$ matrix $A = (a_{ij} \bmod 2)$ and $\varepsilon$ is the column vector of the unknowns $\varepsilon_0, \varepsilon_1, \ldots, \varepsilon_{k+10}$. This system of linear equations has at least 10 linearly independent solutions. (For the solution of large linear systems over $\mathbb{F}_2$, see [23].) Let $\varepsilon_0, \varepsilon_1, \ldots, \varepsilon_{k+10} \in \{0, 1\}$ be one of these solutions. Then we have
$$\sum_{j=0}^{k+10} a_{ij}\varepsilon_j = 2e_i, \quad i = 0, 1, \ldots, k,$$
for non-negative integers $e_i$, and
$$\prod_{j=0}^{k+10} g(r_j)^{\varepsilon_j} = \prod_{j=0}^{k+10} \prod_{i=0}^{k} p_i^{a_{ij}\varepsilon_j} = \prod_{i=0}^{k} p_i^{2e_i}.$$
We also have
$$\prod_{j=0}^{k+10} g(r_j)^{\varepsilon_j} \equiv \prod_{j=0}^{k+10} r_j^{2\varepsilon_j} \pmod{n},$$
so that
$$x = \prod_{j=0}^{k+10} r_j^{\varepsilon_j}, \qquad y = \prod_{i=0}^{k} p_i^{e_i}$$
is a solution to (2). Also, if $r_j^2 > n/2$ for all $j$, then $x \neq \pm y$.

There are many important tricks to enhance the performance of the algorithms in this class. Among these are the use of a multiplier, the large and small prime variations, and the double large prime variation. Let us here just look at the large prime variation: For some $r$ we are testing, suppose that $g(r)$ factors over the factor base except for some factor $q$, which is not divisible by any of the primes in the factor base,
$$g(r) = q \prod_{i=0}^{k} p_i^{a_i}.$$
If this happens with the same factor $q$ for two different values of $r$, include $q$ in the factor base and proceed as before. (Note that if $q < p^2$, where $p$ is the largest prime in the factor base and the factor base contains all the primes $\le B$, then $q$ is also a prime.)

2.1 The quadratic sieve

In the basic quadratic sieve algorithm we use the polynomial $g(r) = r^2 - n$. Since we want $g(r)$ to be small, we consider values of $r$ in a neighbourhood of one of the zeros $\pm\sqrt{n}$. Let us choose the zero $+\sqrt{n}$, and consider
$$f(i) = g(r) \quad \text{for } r = i + \lfloor\sqrt{n}\rfloor \text{ and } -M \le i \le M,$$
for some positive integer $M$. If also $M < 0.22\sqrt{n}$, then $|g(r)| < n/2 < r^2$. Further, if an odd prime $p$ divides $f(i) = g(r)$ for some integer $i$ and $p \nmid n$, then $n$ is a quadratic residue mod $p$. Hence we only include $-1$, $2$, and odd primes $p$ satisfying $(n/p) = 1$ in our factor base. (This observation seems to be due to Gauss, cf. [39, p. 160]. By quadratic reciprocity or Euler's Criterion, it is very fast to decide whether or not $n$ is a quadratic residue mod a prime $p$. For a 100-decimal digit integer $n$ a typical factor base would contain 50,000 elements.)

Next, we try to find integers $i$ in the interval $-M \le i \le M$ such that $f(i)$ factors completely over our factor base (by trial division). But this is like looking for needles in a haystack. So this is where we set up the sieve. Before we start looking for the needles, we remove a lot of hay which at most contains only a few needles.

We start with a vector $(x_{-M}, x_{-M+1}, \ldots, x_M)$, where $x_i = \log|f(i)|$ for all $i$. (Only low precision calculations are required.) For each of the odd primes $p$ in the factor base we compute the solutions $t_1, t_2$ to the congruence $f(t) \equiv 0 \pmod p$. (Fast probabilistic polynomial time algorithms for solving quadratic congruences mod $p$ are given in [2], [24], [34]; see also [43].) Then we subtract $\log p$ from the coordinate $x_i$ whenever $i \equiv t_1$ or $t_2 \pmod p$. The prime 2 requires special treatment [12]. We may, for instance, assume that $n \equiv 1 \pmod 8$, which is no restriction since we can assume $n$ odd, and if necessary replace $n$ by $pn$ for some (large) prime $p \equiv 3, 5,$ or $7 \pmod 8$. Then 8 divides $f(i)$ whenever $i + \lfloor\sqrt{n}\rfloor$ is odd, and we subtract $\log 8$ from all the corresponding coordinates $x_i$.

After this procedure, if $i$ is one of the needles we are searching for, and $f(i)$ is not divisible by a high power of some prime in the factor base, then the corresponding coordinate $x_i$ should be close to 0. (The coordinate would be exactly 0 if there were no round-off errors for our logs, if the special value $f(i)$ were not divisible by the square of an odd prime from the factor base, and if also 8 divided $f(i)$ exactly whenever $f(i)$ were even.) Thus after sieving, a scan of the vector and a report of any coordinate whose value is below some preset threshold will point out to us (not all, but most of) the special values of $i$ we are searching for. There may also be a few false reports, but with a proper choice of threshold, this is not a big problem; see [45].
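The sieve just described, run end to end on a constructed toy modulus, as an added example that is not part of the lecture: the factor base by Euler's criterion, the log sieve over $-M \le i \le M$ with $r = i + \lfloor\sqrt{n}\rfloor$, trial division of the reported $i$, Gaussian elimination over $\mathbb{F}_2$, and the final $\gcd(x - y, n)$ of Section 2. The function names, the parameters, the modulus $87463 = 149 \cdot 587$ and the retry schedule are my own choices; square roots mod $p$ are found by brute force rather than by the algorithms of [2], [24], [34], and the prime 2 is sieved like any other prime instead of with the $n \equiv 1 \pmod 8$ trick.

```python
import math


def factor_base(n, bound):
    """The factor base of Section 2.1: -1, 2, and the odd primes p <= bound with (n/p) = 1."""
    base = [-1]
    for p in range(2, bound + 1):
        if any(p % q == 0 for q in range(2, math.isqrt(p) + 1)):
            continue  # p is composite
        if p == 2 or pow(n % p, (p - 1) // 2, p) == 1:  # Euler's criterion
            base.append(p)
    return base


def roots_mod_p(n, p):
    """All t in [0, p) with t^2 = n (mod p); brute force suffices for a toy factor base."""
    return [t for t in range(p) if (t * t - n) % p == 0]


def smooth_exponents(value, base):
    """Exponent vector of value over base (index 0 is the sign), or None if not smooth."""
    exps = [0] * len(base)
    if value < 0:
        exps[0], value = 1, -value
    for i, p in enumerate(base[1:], start=1):
        while value % p == 0:
            value //= p
            exps[i] += 1
    return exps if value == 1 else None


def sieve_relations(n, base, M):
    """Log-sieve f(i) = (i + s)^2 - n, s = floor(sqrt(n)), over -M <= i <= M and
    return the relations (r, exponent vector) that survive trial division."""
    s = math.isqrt(n)
    logs = {}
    for i in range(-M, M + 1):
        r, v = i + s, (i + s) ** 2 - n
        if r > 0 and v != 0:  # r <= 0 would only duplicate the relation for -r
            logs[i] = math.log(abs(v))
    for p in base[1:]:
        for t in roots_mod_p(n, p):
            # (i + s)^2 = n (mod p)  <=>  i = t - s (mod p); start at the first such i >= -M
            first = -M + ((t - s + M) % p)
            for i in range(first, M + 1, p):
                if i in logs:
                    logs[i] -= math.log(p)
    # Prime powers are not sieved, so tolerate a residue of about one and a half
    # factor-base logs; false reports are weeded out by the trial division below.
    threshold = 1.5 * math.log(base[-1])
    relations = []
    for i, residue in logs.items():
        if residue < threshold:
            r = i + s
            exps = smooth_exponents(r * r - n, base)
            if exps is not None:
                relations.append((r, exps))
    return relations


def gf2_dependencies(rows):
    """Gaussian elimination over F_2. rows are bitmasks (one bit per factor-base element);
    returns the subsets of rows (as bitmasks over row indices) whose sum is zero."""
    pivots, deps = {}, []
    for idx, v in enumerate(rows):
        combo = 1 << idx
        while v:
            bit = v.bit_length() - 1
            if bit not in pivots:
                pivots[bit] = (v, combo)
                break
            pv, pc = pivots[bit]
            v ^= pv
            combo ^= pc
        if v == 0:
            deps.append(combo)
    return deps


def quadratic_sieve(n):
    """Proper divisor of n by the basic quadratic sieve, escalating B and M if too few
    relations turn up; None if every dependency gave only a trivial gcd."""
    for bound, M in ((60, 800), (120, 3000), (250, 10000)):
        base = factor_base(n, bound)
        relations = sieve_relations(n, base, M)
        rows = [sum(1 << i for i, e in enumerate(exps) if e % 2) for _, exps in relations]
        for dep in gf2_dependencies(rows):
            chosen = [relations[j] for j in range(len(relations)) if dep >> j & 1]
            x, total = 1, [0] * len(base)
            for r, exps in chosen:
                x = x * r % n                      # x = prod r_j
                total = [u + w for u, w in zip(total, exps)]
            y = 1
            for p, e in zip(base[1:], total[1:]):  # y = prod p_i^{e_i}, all totals are even
                y = y * pow(p, e // 2, n) % n
            d = math.gcd(x - y, n)
            if 1 < d < n:
                return d
    return None


if __name__ == "__main__":
    print(quadratic_sieve(87463))  # constructed toy modulus 149 * 587
```

With the first parameter pair the factor base for 87463 has eleven elements and the sieve over about a thousand values of $i$ yields comfortably more relations than that, so the dependency step succeeds without the retry; the escalation is there so that the function also copes with a modulus for which the first pair is too tight.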
2.2 The multiple polynomial quadratic sieve

An $f(i)$ is most likely to factor over the factor base when $|f(i)|$ is small; that is when $i$ is close to zero. The idea is now to take shorter intervals for $i$, but use several different quadratic polynomials in $i$. For integers $a, b, c$ we look at
$$F(i) = ai^2 + 2bi + c, \quad n = b^2 - ac, \quad a \ne 0.$$
Then
$$aF(i) = (ai + b)^2 - n,$$
and the rest goes as before. In particular we can use the same factor base as above. Some recommendations for the choice of $a$ can be found in [38]. In particular, it is best to use an odd $a$ with known prime factorization. Then it is easy to determine an integer $b$ satisfying $b^2 \equiv n \pmod a$, $|b| < a/2$, and we put $c = (b^2 - n)/a$. The parabola $y = F(x)$ attains its minimum at the point $x = -b/a$, which is now between $-1/2$ and $1/2$. As before, we only want to consider values of $i$ for which $|F(i)|$ is small. Once more we therefore let $-M \le i \le M$, and we choose the optimal situation $|F(\pm M)| \approx |F(-b/a)|$. For a prescribed $M$, this is accomplished by setting $a \approx \sqrt{2n}/M$.

This scheme is of course excellently suited for parallelization. Run different polynomials on different nodes to produce columns for the matrix $A$. Then solve the system of linear equations mod 2 etc. on the host computer (perhaps a 16K MasPar). But even with only one processor the multiple polynomial variation of the QS algorithm works so well that we optimize performance by switching polynomials as fast as possible; cf. [38].

2.3 The number field sieve

The main idea behind the NFS is roughly as follows. First choose a non-negative integer $d$. If there are integers $e, r, s$ such that $n = r^e - s$ with $r, e > 0$ and $r, s$ small, let $k = \lceil e/d \rceil$, $m = r^k$, $c = s r^{kd-e}$, and put $F(x) = x^d - c$. Otherwise, choose an integer $m$ smaller than but close to $n^{1/d}$. Write $n$ as $n = c_0 + c_1 m + \cdots + c_d m^d$, with non-negative integers $c_i < m$, and put $F(x) = c_0 + c_1 x + \cdots + c_d x^d$. Since $n \mid F(m)$, and also $n = F(m)$ in the second case, a non-trivial factorization of the polynomial $F(x)$ will probably give us a proper factor of $n$. So let us assume that $F(x)$ is irreducible in $\mathbb{Z}[x]$, and put $K = \mathbb{Q}(\alpha)$ for some zero $\alpha$ of $F(x)$. A homomorphism $\varphi : \mathbb{Z}[\alpha] \to \mathbb{Z}/n\mathbb{Z}$ is defined by putting $\varphi(\alpha) = m$ and letting the restriction of $\varphi$ to $\mathbb{Z}$ be the natural homomorphism.

Next, put $p_0 = -1$, and let $p_1 < p_2 < \cdots < p_k$ be the rational primes $\le$ the smoothness bound $B$. Also, let $\gamma_1, \gamma_2, \ldots, \gamma_M \in \mathbb{Z}[\alpha]$. We now try to find pairs of coprime rational integers $a_j, b_j$ such that
$$a_j + m b_j = \prod_{i=0}^{k} p_i^{a_{ij}}, \qquad a_j + \alpha b_j = \prod_{i=1}^{M} \gamma_i^{a_{k+i,j}}, \qquad 0 \le a_{ij} \in \mathbb{Z}, \quad j = 0, 1, \ldots, L.$$
Suppose that $L > k + M$.
As in Section 2, we then find $\varepsilon_j \in \{0, 1\}$, not all zero, such that
$$\sum_{j=0}^{L} a_{ij}\varepsilon_j = 2e_i, \quad 0 \le e_i \in \mathbb{Z}, \quad i = 0, 1, \ldots, k+M.$$
Now it is easily seen that
$$x = \prod_{i=0}^{k} p_i^{e_i}, \qquad y = \prod_{i=1}^{M} \varphi(\gamma_i)^{e_{k+i}}$$
is a solution to (2). In applications, $K$ has class number 1 and each $\gamma$ has norm $\pm p_i$ for some $i = 0, 1, \ldots, k$. Also, sieve methods corresponding to the one in Section 2.1 are used to find pairs of coprime rational integers $a, b$ such that both $a + mb$ and the norm of $a + \alpha b$ factor over our factor base $\{p_0, \ldots, p_k\}$; for details see [26].

3 Groups of smooth order

Also in this case we want to find an integer $X$ such that $X \not\equiv 0 \pmod n$ and $X \equiv 0 \pmod p$ for some prime factor $p$ of $n$. For then we have that $\gcd(X, n)$ is a proper divisor of $n$. The method of using groups of smooth order for the determination of candidates for $X$ is best illustrated by the Pollard $p-1$ method below. Further we shall also look at the elliptic curve method, which can be considered as obtained from the Pollard $p-1$ method by replacing the multiplicative group $\mathbb{F}_p^*$ by the group of points on a random elliptic curve over $\mathbb{F}_p$.

3.1 The Pollard $p-1$ method

Suppose that $p - 1 \mid k!$ for some prime factor $p \mid n$ and some preset choice of $k$. (Perhaps $k = 10^5$ or $k = 10^6$. Instead of $k!$ some people prefer to use $\operatorname{lcm}\{1, 2, \ldots, k\}$ or some slightly more complicated expression; also in the ECM below. In any case, the success of the methods in this class also depends on a lucky choice of $k$, which must be not too small and not too large; usually we have to try several values of $k$.) Let $a$ be an integer prime to $n$. From Fermat's little theorem we have $a^{p-1} \equiv 1 \pmod p$, so that $a^{k!} \equiv 1 \pmod p$. Putting $X = a^{k!} - 1$, we have $p \mid d = \gcd(X, n)$, so if $X \not\equiv 0 \pmod n$, then $d$ is a proper divisor of $n$. Here it is, of course, important that $d$ can be computed without knowing $p$.

3.2 The elliptic curve method

Let $F$ be a field of characteristic $\ne 2, 3$. For $a, b \in F$, put
$$\Delta = 4a^3 + 27b^2,$$
and suppose that $\Delta \ne 0$. Then the set
$$E_{a,b}(F) = \{(x, y) \in F^2 \mid y^2 = x^3 + ax + b\} \cup \{O\},$$
where $O$ is the so-called point at infinity, is called an elliptic curve (on Weierstrass normal form) over $F$ with parameters $a$ and $b$. There is a well-known way (the "chord and tangent method"; see [3], [17], [44], [47]) of defining a point addition that makes $E_{a,b}(F)$ into an Abelian group with identity $O$. To see how this is done, let us first consider the case $F = \mathbb{R}$, the field of real numbers. Then we have a mental picture of what the curve $E = E_{a,b}(\mathbb{R})$ looks like, and we think of $O$ as lying infinitely far off in the direction of the $y$-axis. Consider a line that meets $E$ in two points $P$ and $Q$. (If $P = Q$, we take the tangent at the point $P = Q$.) Suppose that this line is not parallel to the $y$-axis. Then it follows by simple algebra that this line meets $E$ in a unique third point $R = (x, y)$. We then define $P + Q = (x, -y)$. If the auxiliary line is parallel to the $y$-axis, then we put $P + Q = O$. Finally we put $P + O = O + P = P$ for any $P \in E$. Now, it is not hard to see that the elliptic curve $E$ is an Abelian group under this point addition.

So, the rules are as follows. $P + O = O + P = P$ for all $P \in E$, and if $P = (x_1, y_1)$, $Q = (x_2, y_2)$, then
$$P + Q = O \quad \text{if } x_1 = x_2 \text{ and } y_1 = -y_2,$$
$$P + Q = \big(\lambda^2 - x_1 - x_2,\; -\lambda^3 + \lambda(2x_1 + x_2) - y_1\big) \quad \text{otherwise},$$
where $\lambda$ is the slope of the line joining $P$ and $Q$,
$$\lambda = \begin{cases} \dfrac{y_1 - y_2}{x_1 - x_2} & \text{if } x_1 \ne x_2, \\[2ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \text{ and } y_1 \ne 0. \end{cases} \tag{3}$$

Now, let us return to the integer $n$ we want to factor. Let $a, b \in \mathbb{Z}$ satisfy
$$\gcd(6\Delta, n) = 1. \tag{4}$$
We then get an "elliptic curve mod $n$" $E_{a,b}(n)$ by replacing the field $F$ above by the ring $\mathbb{Z}/n\mathbb{Z}$. We also use the formulas above to define a pseudo-addition on $E_{a,b}(n)$. Now, equality means congruence mod $n$. Further, for the inverses of $x_1 - x_2$ and $y_1$ to be defined in (3), the conditions $x_1 \ne x_2$ and $y_1 \ne 0$ have to be replaced by $\gcd(x_1 - x_2, n) = 1$ and $\gcd(y_1, n) = 1$, respectively. When $n$ is composite, this does not make $E_{a,b}(n)$ into a group, for the addition is not defined for all pairs of points.
However, if we find two points $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ for which the sum is not defined, then $\gcd(X, n) > 1$ for $X = x_1 - x_2$ or $X = y_1$, and we have a possible proper factor of $n$.
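The pseudo-addition (3) with the gcd conditions of (4) and of the paragraph above, together with the $p-1$ method of 3.1, as an added example (mine, not from the lecture). Whenever an inverse mod $n$ does not exist, the addition raises an exception carrying $\gcd(X, n)$, which is exactly the divisor the text is after; $k!R$ is computed as $R, 2R, 3(2R), \ldots$ with the binary method at each step. The modulus $1022117 = 1009 \cdot 1013$, the sequence of starting values $(a, x, y)$, the bound $k$ and the function names are all constructed for the demonstration.

```python
from math import gcd


class FactorFound(Exception):
    """Raised when an inverse mod n does not exist; .divisor is gcd(X, n) as in Section 3.2."""

    def __init__(self, divisor):
        super().__init__(divisor)
        self.divisor = divisor


def inv_mod(v, n):
    """Inverse of v mod n, or FactorFound(gcd(v, n)) when there is none."""
    d = gcd(v % n, n)
    if d != 1:
        raise FactorFound(d)
    return pow(v, -1, n)


O = None  # the point at infinity


def ec_add(P, Q, a, n):
    """Pseudo-addition on E_{a,b}(n) by the rules (3); b does not enter the formulas."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return O                      # P = -Q
        if (y1 - y2) % n != 0:            # y1^2 = y2^2 but y1 != +-y2 (mod n): a solution of (2)
            raise FactorFound(gcd(y1 - y2, n))
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n   # tangent; needs gcd(y1, n) = 1
    else:
        lam = (y1 - y2) * inv_mod(x1 - x2, n) % n          # chord; needs gcd(x1 - x2, n) = 1
    x3 = (lam * lam - x1 - x2) % n
    y3 = (-lam ** 3 + lam * (2 * x1 + x2) - y1) % n
    return (x3, y3)


def ec_mul(k, P, a, n):
    """kP by the binary (double-and-add) method."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R


def ecm_trial(n, a, x, y, k):
    """One ECM trial: the curve with parameter a through R = (x, y), then k!R.
    Returns a proper divisor of n, or None when the trial gave nothing."""
    b = (y * y - x ** 3 - a * x) % n
    d = gcd(6 * (4 * a ** 3 + 27 * b * b), n)      # condition (4)
    if 1 < d < n:
        return d
    if d == n:
        return None                                # degenerate curve: try other a, x, y
    R = (x % n, y % n)
    try:
        for j in range(2, k + 1):                  # k!R = k * ((k-1) * ... * (2R))
            R = ec_mul(j, R, a, n)
            if R is O:
                return None                        # k!R = O in E_{a,b}(n): no information
    except FactorFound as e:
        return e.divisor if 1 < e.divisor < n else None
    return None


def ecm(n, k=30, tries=100):
    """The ECM loop of Section 3.2 over a constructed, deterministic sequence of a, x, y."""
    for a in range(1, tries + 1):
        d = ecm_trial(n, a, a + 1, 2 * a + 3, k)
        if d is not None:
            return d
    return None


def pollard_p_minus_1(n, k, a=2):
    """Section 3.1: X = a^{k!} - 1 mod n (a must be prime to n, as a = 2 is for odd n);
    gcd(X, n) is a proper divisor when p - 1 | k! for one prime p | n but not for all."""
    X = a
    for j in range(2, k + 1):
        X = pow(X, j, n)                           # now X = a^{j!} mod n
    d = gcd(X - 1, n)
    return d if 1 < d < n else None


if __name__ == "__main__":
    # constructed toy modulus: 1008 = 2^4 * 3^2 * 7 is 7-smooth, 1012 = 4 * 11 * 23 is not
    n = 1009 * 1013
    print(pollard_p_minus_1(n, 7), ecm(n))
```

Read in reverse, `pollard_p_minus_1` is also the check a key generator applies: if it returns a factor of $n$ for a modest $k$, one of the primes has a smooth $p-1$ and should have been rejected. The extra case in `ec_add` (equal $x$ mod $n$ but $y_1 \not\equiv \pm y_2$) does not occur over a field; mod a composite $n$ it hands us $y_1^2 \equiv y_2^2 \pmod n$ with $y_1 \not\equiv \pm y_2$, so the gcd of Section 2 is taken directly.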

Hence we want to find two points in $E_{a,b}(n)$ for which the sum is not defined. Usually we start by choosing integers $a, x, y$ in the interval $(-n/2, n/2)$, and determine $b \in \mathbb{Z}$ such that $b \equiv y^2 - x^3 - ax \pmod n$, $|b| < n/2$. Check if (4) holds. If (4) doesn't hold, we have a possible proper factor of $n$. If the gcd in (4) equals $n$, try a new set of values of $a, x, y$. Now suppose that (4) holds. For $R = (x, y)$ and some preset choice of $k$, we then try to compute $k!R = R + R + \cdots + R$ ($k!$ terms) by the binary method. If this attempt fails, then we have probably discovered a proper divisor of $n$.

To see why the chances are good that the process fails for some choice of $a, x, y$, we consider a prime factor $p$ of $n$. So far we have performed our calculations mod $n$. But then these calculations are also valid mod $p$. The elliptic curve $E_{a,b}(p) = E_{a,b}(\mathbb{F}_p)$ is a finite Abelian group (of rank 1 or 2; cf. [10]). A celebrated theorem of Hasse [16] is that
$$p + 1 - 2\sqrt{p} < \#E_{a,b}(p) < p + 1 + 2\sqrt{p},$$
and by a theorem of Deuring [13] we have that every integer in this interval is attained as $\#E_{a,b}(p)$ for some choice of $a, b \in \mathbb{F}_p$ with $\Delta \ne 0$. Suppose that $m \mid k!$ for some integer $m$ in the interval $p + 1 - 2\sqrt{p} < m < p + 1 + 2\sqrt{p}$. Then the idea is to randomly choose $a, x, y$ until we find a curve satisfying $\#E_{a,b}(p) = m$. By Deuring's theorem there is a possibility of success, and by results of Birch [5], Waterhouse [49] and others on the distribution of the orders $\#E_{a,b}(p)$, the chances are particularly good if $m$ lies in the interval $p - \sqrt{p} < m < p + \sqrt{p}$. (Also in Pollard's $p-1$ we needed an $m \mid k!$, but then we had only one possible choice for $m$, namely $m = p - 1$.)

So, let us assume that $\#E_{a,b}(p) \mid k!$. Also suppose that we succeeded in computing $k!R$ and that $k!R \ne O$ in $E_{a,b}(n)$. In this computation, let $P + Q = k!R$ be the last addition for which $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ both are $\ne O$. Then $P + Q = k!R = O$ in $E_{a,b}(p)$, and so
$$x_1 \equiv x_2, \quad y_1 \equiv -y_2 \pmod p, \qquad \text{so that} \qquad p \mid \gcd(x_1 - x_2, n), \quad p \mid \gcd(y_1 + y_2, n).$$
Hence $P + Q$ is not defined in $E_{a,b}(n)$; a contradiction. Thus we either have $k!R = O$ in $E_{a,b}(n)$, or our attempt to compute $k!R$ in $E_{a,b}(n)$ will eventually lead us to two points for which the sum is not defined, and then we have probably also found a proper factor of $n$.

In summary, the steps in the ECM are: Choose $a$ and $R = (x, y)$. Try to compute $k!R$ in $E_{a,b}(n)$. If this doesn't give a proper factor of $n$, we try other points $R$. After many unsuccessful attempts, we try another $a$. Here we also see that the ECM can be distributed over any number of machines, since it consists of a number of independent factorization trials. For an interesting implementation of the ECM on a 16K MasPar, see [15]. There are, of course, various tricks to speed up the performance of the ECM. We can use a different parametrization (instead of the Weierstrass form), we can use homogeneous coordinates, and we have the so-called "second step"; cf. [31], [38].

4 Running time

As usual, by running time we mean the number of bit operations required to perform a task. The running time estimates for many factoring algorithms are not rigorously proved, but rely usually on some (unproved but commonly accepted) hypothesis concerning the distribution of divisors in integers. In particular, this is so for the running time estimates given below for (MP)QS, NFS, and ECM.

A polynomial time algorithm for factoring $n$ is one which runs in time $O((\log n)^c)$ for some constant $c$. However, no such algorithm is known. The (MP)QS and ECM run in time $O(n^\sigma)$ for any $\sigma > 0$; cf. [7]. The heuristic expected run time estimates are, however, better than this. Put
$$L_x[r, c] = \exp\big((c + \epsilon)(\log x)^r (\log\log x)^{1-r}\big),$$
where $\epsilon \to 0$ as $x \to \infty$. Note that for fixed $c$ and $r$, as $x \to \infty$, $L_x[r, c]$ grows faster than any power of $\log x$ and more slowly than $x^\sigma$ for any $\sigma > 0$. The expected run time of the (MP)QS to factor $n$ is $L_n[1/2, 1]$ (cf. [33], [37]) and that of the ECM is $O((\log n)^2 L_p[1/2, \sqrt{2}])$, where $p$ is the smallest prime factor of $n$; cf. [29]. Further, a suitable version of the NFS seems to factor an $n$ of special form in expected time $L_n[1/3, c]$, where $c = 2(2/3)^{2/3} \approx 1.526$, while the general NFS also runs in time $L_n[1/3, c]$, but with a bigger value for $c$ ($c = 3^{2/3} \approx 2.08$ [26], $c \approx 1.92$ [1], $c \approx 1.90$ [11]).

5 Numerical examples

The Cunningham Project [9] is the standard reference for explicit numerical results of the various factorization algorithms.
In particular, CFRAC and Pollard's $p-1$ have factored hundreds of numbers in this project. Here we shall only mention a few of the most recent results.

Brent [6] completed the factorization of the eleventh Fermat number $2^{2^{11}} + 1$. Actually he factored the $c_{606} = F_{11}/(319489 \cdot 974849)$ as $p_{21} \cdot p_{22} \cdot p_{564}$. (We use $c_i$ to denote a composite integer with $i$ decimal digits, and $p_i$ now denotes a prime with $i$ decimal digits.) Here the $p_{21}$ and the $p_{22}$ were found using the ECM, and then the remaining 564-decimal digit cofactor was proved prime. The factorization took less than 2 hours on a Fujitsu VP 100 vector processor.

Using the MPQS and a worldwide distributed network of workstations communicating with the host computer by electronic mail, Lenstra and Manasse [27] have factored numbers having up to 106 decimal digits (a divisor $c_{106}$ of $2^{353} + 1$, which it took them four months to factor); the last of the numbers factored was $c_{103} = (2^{361} + 1)/(3 \cdot 174763)$, which factored as $p_{43} \cdot p_{61}$. Using an improved version of the MPQS and 80 Firefly stations (each with 5 processors), Lenstra and Manasse [28] factored a $c_{107}$ in 50 days, using a factor base of 65,000 elements. Lenstra and Manasse [28] further used MPQS and their electronic mail network to factor two $c_{111}$ using a factor base of 80,000 elements. One of the numbers factored was $c_{111} = (2^{484} + 1)/(p_2 \cdot p_3 \cdot p_6 \cdot p_{10} \cdot p_{10})$, which factored as $p_{50} \cdot p_{61}$ (in two months). In the latter half of 1990, they increased the factor base to 120,000 elements in an attempt to factor a $c_{116}$; cf. [38]. It took 400 MIP years to complete this job; cf. [25].

In the spring of 1990 Lenstra et al. used their NFS [26] and the electronic mail network to factorize the ninth Fermat number $F_9 = 2^{2^9} + 1$. Actually, they factored the $c_{148} = F_9/2424833$, which factored as $p_{49} \cdot p_{99}$. In comparison, the largest prime factors ever discovered by the ECM are a $p_{40}$ by Dixon and A. K. Lenstra, and a $p_{42}$ by Rusin; cf. [15]. Also, a $c_{148}$ is far too big for the current implementations of the MPQS.

Finally, RSA cryptosystems are being used nowadays with keys of 512 bits; that is, the modulus is a $c_{155}$. But factoring a $c_{155}$ is not as impossible as many people would like it to be; cf. [25], [27]. It is, however, recommended to use a modulus $pq$, where each of the primes $p$ and $q$ has approximately 100 decimal digits.

References

[1] L. Adleman, Factoring numbers using singular integers, Proc. 23rd Ann. ACM Symp. on Theory of Computing, New Orleans 1991, pp. 64-71.
[2] L. Adleman, K. Manders and G. Miller, On taking square roots in finite fields, Proc. 20th Ann. Symp. Foundations Comp. Sci. (1979), pp. 175-178.
[3] E. Bach, Lenstra's algorithm for factoring with elliptic curves, Exposé, Comp. Sci. Dept., Univ. Wisconsin, Madison 1985.
[4] E. Bach and J. Shallit, Factoring with cyclotomic polynomials, Math. Comp. 52 (1989) 201-219.
[5] B. J. Birch, How the number of points of an elliptic curve over a fixed prime field varies, J. London Math. Soc. 43 (1968) 57-60.

[6] R. P. Brent, Factorization of the eleventh Fermat number, AMS Abstracts 10 (1989) 89T-11-73.
[7] R. P. Brent, Parallel algorithms for integer factorisation, in: J. H. Loxton (ed.), Number Theory and Cryptography, London Math. Soc. Lecture Note Series 154, Cambridge Univ. Press 1990, pp. 26-37.
[8] D. M. Bressoud, Factorization and Primality Testing, Springer-Verlag, New York 1989.
[9] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman and S. S. Wagstaff, Jr., Factorizations of $b^n \pm 1$ for $b = 2, 3, 5, 6, 7, 11, 12$ up to high powers, second edition, Amer. Math. Soc., Providence 1988.
[10] J. W. S. Cassels, Diophantine equations with special reference to elliptic curves, J. London Math. Soc. 41 (1966) 193-291.
[11] D. Coppersmith, Modifications to the number field sieve, IBM Research Report #RC 16264, Nov. 1990, updated Mar. 1991.
[12] J. A. Davis, D. B. Holdridge and G. J. Simmons, Status report on factoring, in: T. Beth, N. Cot and I. Ingemarsson (eds.), Advances in Cryptology: EUROCRYPT 84, Lecture Notes in Comput. Sci. vol. 209, Springer-Verlag 1985, pp. 183-215.
[13] M. Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper, Abh. Math. Sem. Hansischen Univ. 14 (1941) 197-272.
[14] L. E. Dickson, History of the Theory of Numbers, vol. 1 (reprint), Chelsea, New York 1952.
[15] B. Dixon and A. K. Lenstra, Massively parallel elliptic curve factoring, Extended Abstracts of EUROCRYPT 92, Budapest 1992, pp. 169-179.
[16] H. Hasse, Abstrakte Begründung der komplexen Multiplikation und Riemannsche Vermutung in Funktionenkörpern, Abh. Math. Sem. Hamburg 10 (1934) 325-348.
[17] K. Ireland and M. Rosen, A Classical Introduction to Number Theory, 2nd ed., Graduate Texts in Mathematics no. 84, Springer-Verlag, New York 1990.
[18] D. E. Knuth, The Art of Computer Programming, vol. 2, Seminumerical Algorithms, Second ed., Addison-Wesley, Reading, MA 1981.
[19] N. Koblitz, A Course in Number Theory and Cryptography, Graduate Texts in Mathematics no. 114, Springer-Verlag, New York 1987.

[20] M. Kraitchik, Théorie des Nombres, Gauthier-Villars, Paris 1922, pp. 132-160.
[21] M. Kraitchik, Théorie des Nombres. Tome II, Gauthier-Villars, Paris 1926, pp. 195-208.
[22] M. Kraitchik, Recherches sur la théorie des nombres. Tome II, Factorisation, Gauthier-Villars, Paris 1929.
[23] B. A. LaMacchia and A. M. Odlyzko, Solving large sparse linear systems over finite fields, in: A. J. Menezes and S. A. Vanstone (eds.), Advances in Cryptology: CRYPTO 90, Springer-Verlag, Berlin 1991, pp. 109-133.
[24] D. H. Lehmer, Computer technology applied to the theory of numbers, in: W. J. LeVeque (ed.), Studies in Number Theory, Prentice-Hall Inc., N. J. 1969, pp. 117-151.
[25] A. K. Lenstra, in: Public-Key Cryptography: State of the Art and Future Directions, E.I.S.S.-Workshop, Tagungsbericht 28a/1991, Math. Forschungsinstitut Oberwolfach 1991.
[26] A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse and J. M. Pollard, The number field sieve, Proc. 22nd Ann. ACM Symp. on Theory of Computing, Baltimore 1990, pp. 564-572.
[27] A. K. Lenstra and M. S. Manasse, Factoring by electronic mail, in: J.-J. Quisquater and J. Vandewalle (eds.), Advances in Cryptology: EUROCRYPT 89, Lecture Notes in Comput. Sci. vol. 434, Springer-Verlag, Berlin 1990, pp. 355-371.
[28] A. K. Lenstra and M. S. Manasse, Factoring with two large primes, in: I. B. Damgård (ed.), Advances in Cryptology: EUROCRYPT 90, Lecture Notes in Comput. Sci. vol. 473, Springer-Verlag, Berlin 1991, pp. 72-82.
[29] H. W. Lenstra, Jr., Factoring integers with elliptic curves, Ann. of Math. 126 (1987) 649-673.
[30] H. W. Lenstra, Jr., Elliptic curves and number-theoretic algorithms, in: A. M. Gleason (ed.), Proc. Int'l. Cong. Math., vol. 1, Amer. Math. Soc. 1987, pp. 99-120.
[31] P. L. Montgomery, Speeding up the Pollard and elliptic curve methods of factorization, Math. Comp. 48 (1987) 243-264.
[32] M. A. Morrison and J. Brillhart, A method of factoring and the factorization of $F_7$, Math. Comp. 29 (1975) 183-205.

[33] P. C. van Oorschot, A comparison of practical public key cryptosystems based on integer factorization and discrete logarithms, in: G. J. Simmons (ed.), Contemporary Cryptology, IEEE Press, New York 1992. [34] R. C. Peralta, A simple and fast probabilistic algorithm for computing square roots modulo a prime number, IEEE Trans. Inform. Theory 32 (1986) 846 847. [35] J. M. Pollard, Theorems on factorization and primality testing, Proc. Camb. Phil. Soc. 76 (1974) 521 528. [36] J. M. Pollard, A Monte Carlo method for factorization, BIT 15 (1975) 331 334. [37] C. Pomerance, Analysis and comparison of some integer factoring algorithms, in: H. W. Lenstra, Jr. and R. Tijdeman (eds.), Computational Methods in Number Theory, Part I, Math. Centre Tract no. 154, Math. Centrum, Amsterdam 1982. [38] C. Pomerance, Factoring, in: C. Pomerance (ed.), Cryptology and Computational Number Theory, Proc. Symp. Applied Math., vol. 42, Amer. Math. Soc. 1990, pp. 27 47. [39] H. Riesel, Prime Numbers and Computer Methods for Factorization, Birkhauser, Boston 1985. [40] R. Rivest, A. Shamir and L. M. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. ACM 21 (1978) 120 128. [41] C. P. Schnorr and H. W. Lenstra, Jr., A Monte Carlo factoring algorithm with linear storage, Math. Comp. 43 (1984) 289 311. [42] D. Shanks, Class number, a theory of factorization, and genera, Proc. Symp. Pure Math., vol. 20, Amer. Math. Soc. 1971, pp. 415 440. [43] R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Math. Comp. 44 (1985) 483 494. [44] J. H. Silverman, The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics no. 106, Springer-Verlag, New York 1986. [45] R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48 (1987) 329 339. [46] R. D. Silverman, Computational experience with the general Number Field Sieve, Tagungsbericht 29/1991 Computational Number Theory, Math. Forschungsinstitut Oberwolfach 1991. 14

[47] J. T. Tate, The arithmetic of elliptic curves, Invent. Math. 23 (1974) 179 206. [48] S. S. Wagstaff, Jr. and J. W. Smith, Methods of factoring large integers, in: D. V. Chudnovsky, G. V. Chudnovsky, H. Cohn and M. B. Nathanson (eds.), Number Theory, Lecture Notes in Mathematics no. 1240, Springer-Verlag, Berlin 1987, pp. 281 303. [49] W. C. Waterhouse, Abelian varieties over finite fields, Ann. Sci. Ecole Norm. Sup. (4) 2 (1969) 521 560. [50] H. C. Williams, A p+1 method of factoring, Math. Comp. 39 (1982) 225 234. [51] H. C. Williams, Factoring on a computer, Math. Intelligencer 6 (1984) 29 36. 15