Analysis of bernstein’s factorization circuit

Abstract

In [1], Bernstein proposed a circuit-based implementation ofthe matrix step of the number field sieve factorization algorithm. Thesecircuits offer an asymptotic cost reduction under the measure “constructioncost × run time”.We evaluate the cost of these circuits, in agreementwith [1], but argue that compared to previously known methods thesecircuits can factor integers that are 1.17 times larger, rather than 3.01as claimed (and even this, only under the non-standard cost measure).We also propose an improved circuit design based on a new mesh routingalgorithm, and show that for factorization of 1024-bit integers thematrix step canV, under an optimistic assumption about the matrix size,be completed within a day by a device that costs a few thousand dollars.We conclude that from a practical standpoint, the security of RSA reliesexclusively on the hardness of the relation collection step of the numberfield sieve.