How RSA Would Break: Why Factoring Is the Slow Path and Coppersmith Is the Fast One
Everyone says you break RSA by factoring the modulus. That is the slowest path. A structural tour of the fast lane, the slow lane, and the quantum one.
Permalink1. The break never comes through the front door
Ask a room of engineers how RSA breaks, and almost everyone reaches for the same answer: someone factors the modulus. They are describing the slowest, least-likely path there is. The attacks that actually work never touch N at all, and the one attack that could break a flawlessly generated key has not been built yet, because it needs a computer that does not exist.
That is the whole argument of this article, and it runs against the common intuition hard enough to be worth stating plainly. RSA's security is usually explained as "factoring is hard, and your key is a big number nobody can factor." Both halves are true, and together they still point you at the wrong threat. Factoring your modulus is the one attack a bigger key genuinely slows down, which is exactly why it is the attack that will almost certainly never be the way your key falls.
Here is the organizing lens for everything that follows: a two-speed map with a third road. The slow lane attacks the hardness assumption directly by factoring N. It works on any key, needs no mistake on your part, and is asymptotically glacial.
The fast lane ignores N entirely and attacks the instantiation, the specific way this key and this message were built. It runs in polynomial time and is genuinely fast, but only when the parameters or the key generation leaked structure they should not have. And the third road, Shor's quantum algorithm, reopens the front door itself by changing the machine you compute on, breaking even a perfect key, if and only if someone builds the hardware.
The front door of RSA is bolted, and it opens only at a crawl: factoring is the slow path, not the likely one. The fast cracks come through side windows that a well-generated key never leaves open. And the single attack that opens the front door itself is quantum, on a machine that has not been built.
Diagram source
flowchart TD
A["Break RSA-2048"] --> B["Slow lane: factor N directly"]
A --> C["Fast lane: attack the instantiation"]
A --> D["Third road: change the machine"]
B --> B1["GNFS, sub-exponential, glacial"]
C --> C1["Coppersmith, Wiener, polynomial"]
D --> D1["Shor, polynomial, needs a quantum computer"]
B1 --> E{"Beats a correct key?"}
C1 --> E
D1 --> E
E -->|"slow lane, not in practice"| F["Correct key survives classically"]
E -->|"fast lane, only with a defect"| F
E -->|"third road, yes, on hardware that does not exist"| G["The one real structural threat"] One boundary before we begin, because it decides what counts as an answer. This is a structural story about the mathematics of the algorithm itself. The attacks that steal real data most often never touch RSA's math at all; they break the implementation or the protocol around it. Here we stay inside the equations, where the only question is whether the numbers themselves give way.
So if factoring is the slow path, what makes the fast one fast, and why does it never touch N? To see that, start where RSA started: with a bet nobody could prove they would win.
2. A wager on a problem no one has proven hard
In 1977, three researchers at MIT, Ron Rivest, Adi Shamir, and Leonard Adleman, answered an open call. A year earlier, Whitfield Diffie and Martin Hellman had described what public-key cryptography should do without giving a concrete way to do it: a lock anyone can snap shut but only the keyholder can open [5]. Rivest, Shamir, and Adleman supplied the lock [6].
That August, Martin Gardner's Mathematical Games column in Scientific American handed it to the public as a dare: a 129-digit number to factor, a modest cash prize, and the confident promise that reading the encrypted message would take far longer than any reader would live to see [7, 8].
The question worth holding onto is whether that confidence was earned or merely borrowed.
RSA itself is almost aggressively simple. Pick two large primes and multiply them into a public modulus . Publish N and a public exponent e. To encrypt a message m, compute ; to decrypt, compute , where the private exponent d is chosen so that and is Euler's totient [6]. Encryption is a modular exponentiation anyone can perform. Decryption is the same operation with a secret exponent that only the keyholder knows.
Everything rests on one hinge. To recover d, the obvious route is to compute , and to compute you need p and q, which means factoring N. So RSA is believed to be as hard to break as factoring is hard to do. Read that sentence twice, because the load-bearing word is "believed." Rivest, Shamir, and Adleman did not prove that breaking RSA requires factoring, and no one has proven it since. RSA is a wager that a specific problem is hard, staked on decades of failed attempts to make it easy rather than on a theorem.
A function that is easy to compute in the forward direction but hard to invert, unless you hold a secret piece of information (the trapdoor) that makes inversion easy. RSA's forward direction is modular exponentiation, its trapdoor is the factorization of N, and its entire security is the conjecture that without the trapdoor, inversion stays hard.
What makes the RSA story unusually honest is that the field turned this belief into a dated, public experiment. In March 1991, RSA Security launched the RSA Factoring Challenge: a published list of moduli, cash bounties, and an open invitation to factor them [9]. Every time a challenge number fell, the community learned precisely how far the sharpest available methods and machines could reach in a given year. The result is something most security assumptions never get: a fifty-year measured record of exactly how hard factoring has proven to be in practice.
Diagram source
timeline
title Fifty years of RSA cryptanalysis
1977 : RSA published : Gardner challenge
1985 : Hastad low-exponent broadcast
1990 : Wiener small-d attack : Number Field Sieve
1994 : Shor quantum factoring : RSA-129 factored
1996 : Coppersmith small-root method
1999 : Boneh-Durfee small-d lattice : Boneh survey
2009 : RSA-768 factored
2020 : RSA-250 factored
2025 : Shor estimate under one million qubits That timeline is also a map of everything this article covers, and it splits cleanly into the two speeds. Some entries, the Number Field Sieve, RSA-129, RSA-768, RSA-250, are the slow lane: brute assaults on the factoring problem itself, dated by when a bigger number finally fell. Others, Hastad, Wiener, Coppersmith, Boneh-Durfee, are the fast lane: polynomial-time attacks that never factor anything, dated by when someone noticed a new way for a careless instantiation to give itself away. Only one entry, Shor, belongs to neither lane, because it changes the machine.
If the whole system rests on one unproven assumption, the obvious move is to attack that assumption head-on and just factor N. Fifty years of the sharpest minds in computational number theory tried exactly that. Here is how far they got.
3. The slow lane: attacking factoring head-on
The direct attack writes itself: break RSA by factoring the modulus. The punchline is not triumph but frustration. Even the reigning champion algorithm is, at cryptographic sizes, glacial.
The ladder is a genealogy, and each rung earned its place by beating the one below it. At the bottom sits trial division and Fermat's method, fully exponential in the size of N and useless past a few dozen digits. Then come the special-purpose methods: John Pollard's p-1 method (1974), fast whenever p-1 happens to have only small prime factors [10], and his rho method (1975), which finds a small factor p in about steps using almost no memory [11]. These are lethal against unlucky primes but hopeless against a balanced modulus whose factors are both enormous.
The real lineage of general-purpose factoring begins with a single idea: instead of searching for a factor directly, manufacture a congruence of squares with , and read a factor off . Morrison and Brillhart's continued-fraction method, CFRAC (1975), was the first to collect many small relations and combine them into that square with linear algebra, and the first general method to run in sub-exponential time [12]. Carl Pomerance's Quadratic Sieve (1985) replaced slow per-number testing with a fast sieve and dominated the 1980s and early 1990s at heuristic cost [13]. Then, in 1990, the Number Field Sieve dropped the exponent from one half to one third, the single largest asymptotic improvement in the history of factoring, and the last one to date [14].
Factoring costs are written with . The exponent interpolates between two worlds: is fully exponential in the bit-length, is polynomial, and sits in between, "sub-exponential." Sub-exponential is genuinely faster than exponential, which is why big numbers can be factored at all, and genuinely slower than polynomial, which is why they cannot be factored at cryptographic sizes.
The fastest known classical algorithm for factoring a general large integer, with heuristic running time [14]. It builds a congruence of squares by collecting relations that are simultaneously smooth on a rational side and an algebraic side, then solves a very large linear system. Every RSA factoring record since the late 1990s has used a GNFS implementation [15].
An integer is B-smooth if every one of its prime factors is at most B. Smoothness is the lever every modern factoring algorithm pulls: the sieve hunts for values that are B-smooth, because only those factor completely over a fixed, small "factor base" of primes and can be fed into the linear algebra. The art of the Number Field Sieve is arranging for enough smooth relations to appear.
Definitions establish that GNFS is sub-exponential. The record trajectory shows what sub-exponential feels like against real keys, and it is the heart of this section's argument. Do not take "glacial" on faith. Watch the dates.
| Challenge | Modulus size | Year factored | Method and reported effort |
|---|---|---|---|
| RSA-129 | 426 bits (129 digits) | 1994 | Quadratic sieve, worldwide volunteer effort [8] |
| RSA-155 | 512 bits | 1999 | Number Field Sieve [16] |
| RSA-768 | 768 bits | 2009 | GNFS, nearly 2000 core-years [17] |
| RSA-250 | 829 bits | 2020 | GNFS, roughly 2700 core-years [1] |
Read the first and last rows together. From RSA-129 in 1994 to RSA-250 in 2020 is roughly 400 bits of progress in 26 years [15, 18]. A deployed RSA key is 2048 bits. The record is still more than 1,200 bits short of it, and RSA-250 alone burned about 2,700 core-years of computation on the open-source CADO-NFS software [1, 19]. A core-year is one processor core running flat out for a year, so 2,700 core-years is a large cluster running for months. The same team's peer-reviewed 240-digit experiment documents the sieving-and-linear-algebra methodology behind these records [20]. The gap is not a matter of waiting a few more years for a faster cluster, because the cost curve is sub-exponential, so each additional bit is more expensive than the last. You can compute just how much more expensive.
from math import log, exp
# Heuristic GNFS cost L_N[1/3, (64/9)^(1/3)] as a function of bit-length.
def L(bits, alpha=1/3, c=(64/9)**(1/3)):
lnN = bits * log(2) # ln N for a 'bits'-bit modulus
return exp(c * lnN**alpha * (log(lnN))**(1 - alpha))
cost_829 = L(829) # RSA-250, the current classical record
cost_2048 = L(2048) # a deployed key
print("GNFS constant (64/9)^(1/3) =", round((64/9)**(1/3), 4))
print("Relative L-cost at 829 bits: %.3e" % cost_829)
print("Relative L-cost at 2048 bits: %.3e" % cost_2048)
print("RSA-2048 is harder than RSA-250 by a factor of about: %.3e" % (cost_2048 / cost_829))
print()
print("RSA-250 already cost ~2700 core-years; scaling by that factor gives")
print("about %.1e core-years for RSA-2048 -- far beyond any foreseeable cluster."
% (2700 * cost_2048 / cost_829)) Press Run to execute.
The numbers that fall out are not "a thousand times harder" or "a million times harder." They are astronomical: the same sober L[1/3] curve that predicted RSA-250 puts a 2048-bit modulus permanently outside the reach of any classical machine anyone can foresee. This is the slow lane in one image. It works on every key, it needs no mistake by the defender, and it will almost certainly never reach a modern modulus.
Diagram source
flowchart TD
A["Trial division and Fermat: fully exponential"] --> B["Pollard p-1 (1974) and rho (1975): special-purpose"]
B --> C["CFRAC (1975): first sub-exponential"]
C --> D["Quadratic Sieve (1985): exponent one half"]
D --> E["Number Field Sieve (1990): exponent one third"]
E --> F["No asymptotic gain since 1990"]
A --> G["ECM (1987): niche, cost set by the smallest factor"] The ladder has texture worth pausing on. When RSA-129 fell in 1994, the recovered plaintext was a puzzle phrase the designers had hidden inside the challenge. The RSA-129 plaintext was "THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE" [8]. A widely repeated web summary claims it read "SEND MORE MONEY"; that is simply wrong. Pollard's p-1 method left a lasting mark on how primes were chosen: for years, key-generation guidance called for "strong primes," primes p where p-1 has a large prime factor, precisely so the p-1 attack could not bite. The strong-prime design rule is a direct descendant of Pollard's 1974 p-1 method [10]. Modern guidance mostly dropped the requirement once GNFS made the specific structure of p-1 irrelevant to the dominant attack, but the historical lineage is exact. And one rung of the ladder never went away, it just found a different job. Hendrik Lenstra's Elliptic Curve Method (1987) has a running time that depends on the size of the smallest factor, not the whole modulus [21]. That makes it superb at peeling small primes off a number and useless against a balanced RSA modulus whose two factors are each half the bits. It is a living tool, in the wrong weight class for this fight.
The slow lane also has a recurring failure mode that is not technical but sociological, and it is worth immunizing against before the fast lane tempts you.
"No, RSA Is Not Broken." -- Bruce Schneier, on the 2021 claim that short-vector lattice algorithms had destroyed the RSA cryptosystem [23].
So the front door is bolted, and it opens only at a crawl. Fifty years of the best available mathematics moved the record about 400 bits, and the cost curve guarantees the next 1,200 bits are not coming on any classical machine. A defender who only worries about factoring has been watching the wrong door. Because a locksmith's insight changes the whole game: what if you never had to open the front door at all? What if you never factored N?
4. The fast lane opens: Hastad and Wiener
The insight that reroutes the entire story is deceptively small: you do not have to factor N at all. Factoring is the hardest way to break RSA, not the easiest. If the way this particular key or this particular message was built leaks structure, the key can fall in polynomial time, and N stays untouched the whole time. Two attacks from the late 1980s and early 1990s proved the fast lane exists, and each one falls out of a single leaked parameter.
The first is Johan Hastad's low-exponent broadcast attack (introduced at CRYPTO '85 and generalized in his 1988 SIAM paper). Suppose a sender uses a tiny public exponent, say , and sends the same message m to several recipients, each with their own modulus , without randomized padding. Each recipient sees . An eavesdropper who collects three of these ciphertexts applies the Chinese Remainder Theorem to combine them into a single value congruent to modulo [25].
Since m is smaller than every , the true is smaller than the product , so the combined congruence is an equation over the integers: the combined value simply equals , with no modular wraparound. Take an ordinary integer cube root and you have the message. No factoring, no lattice, just arithmetic [25].
The precondition is loud, and it is the reason a good key is immune. Hastad needs a tiny exponent and the same message broadcast unpadded to several recipients. Use instead of 3, or pad each message with fresh randomness so no two ciphertexts encrypt the same integer, and the broadcast structure that made recoverable is gone. The attack does not get slower; it stops applying.
The second attack targets the other exponent. Michael Wiener's small private-exponent attack (1990) shows that shrinking d to speed up decryption is fatal. When the private exponent is small, specifically , the public ratio becomes an extraordinarily good rational approximation to the secret ratio that lurks in the key equation [26]. And there is a classical theorem of number theory that says the only fractions that approximate a real number that well are its continued-fraction convergents. So the attacker expands as a continued fraction, and the secret denominator d appears as one of the convergents' denominators, recovered from nothing but the public key (e, N) [26].
Any real number can be written as a nested fraction . Truncating that expansion after a few terms gives a sequence of rational approximations called convergents, and they are provably the best rational approximations for their denominator size. Wiener's attack turns key recovery into a search through the convergents of : one of their denominators is the secret exponent d.
Because the whole attack is a short walk through a list of fractions, it is genuinely fast, and it is easy to watch happen. The code below builds an RSA key with a deliberately small d, publishes only (e, N), and then recovers d from the public key alone.
from math import isqrt, gcd
# Build a deliberately weak RSA key with a very small private exponent d.
p = 999999937
q = 999999893
N = p * q
phi = (p - 1) * (q - 1)
# Wiener succeeds whenever d < (1/3) * N**(1/4). Take the largest such d.
bound = isqrt(isqrt(N)) // 3
d = next(x for x in range(bound, 2, -1) if gcd(x, phi) == 1)
e = pow(d, -1, phi) # matching public exponent
print("Public key: N =", N)
print(" e =", e)
print("Hidden small d =", d, " (Wiener bound about", bound, ")")
# The attacker sees only (e, N). Expand e/N as a continued fraction;
# each convergent's denominator is a candidate for d.
def convergents(num, den):
a = []
x, y = num, den
while y:
a.append(x // y)
x, y = y, x % y
h0, h1 = 0, 1
k0, k1 = 1, 0
for ai in a:
h0, h1 = h1, ai * h1 + h0
k0, k1 = k1, ai * k1 + k0
yield h1, k1 # (candidate k, candidate d)
for k_cand, d_cand in convergents(e, N):
if k_cand == 0:
continue
if (e * d_cand - 1) % k_cand == 0: # phi(N) must be an integer
phi_guess = (e * d_cand - 1) // k_cand
s = N - phi_guess + 1 # candidate p + q
disc = s * s - 4 * N # roots of x^2 - s*x + N
if disc >= 0 and isqrt(disc) ** 2 == disc:
print("Recovered d =", d_cand, " correct:", d_cand == d)
break Press Run to execute.
Once again the precondition is the whole story. Wiener needs a small d. A correctly generated key uses a full-size random d on the order of N itself, and there is no low-denominator convergent of to find, so the attack has nothing to grab.
5. Coppersmith's master key
In 1996, Don Coppersmith found the idea that turned the grab-bag into a theory. Stated plainly, it is one of the most useful facts in applied cryptography, and once you see it you cannot unsee it in any of the fast-lane attacks.
Here is the theorem. Take a polynomial of degree d, and suppose it has a root modulo N that is small, meaning . Then you can find in time polynomial in and d, using lattice reduction [27]. That is the whole master key. Not "factor N," not "guess the message," but: whenever an unknown quantity is small and sits inside a known algebraic structure, you can solve for it directly.
A lattice is the set of all integer combinations of some basis vectors, an infinite grid of points in space. The same lattice has many bases, some "long and skew," some "short and nearly perpendicular." The Lenstra-Lenstra-Lovasz (LLL) algorithm, from 1982, efficiently turns a bad basis into a reduced one whose vectors are short and close to orthogonal. Throughout this article LLL is a black box with one job: hand it a lattice, and it returns a surprisingly short vector in polynomial time [28].
The bridge from "small modular root" to "short lattice vector" is the contribution of Nick Howgrave-Graham (1997), whose reformulation is the version taught and coded today [29]. The trick is elegant. You do not attack directly. Instead you build a lattice out of shifted and scaled multiples of , all of which vanish at the same secret root modulo powers of N.
LLL finds a short combination of them, and shortness has a precise payoff: a polynomial with small enough coefficients that, at the small value , it cannot merely be congruent to zero modulo N; it must be exactly zero as an integer [29]. The modular problem has become an ordinary equation over the integers, and ordinary equations over the integers are easy to solve for their roots. That is the same "collapse to the integers" trick that let Hastad's cube root work, generalized into a machine.
Diagram source
flowchart LR
A["Known structure plus a small unknown"] --> B["Write it as f(x) with a small root mod N"]
B --> C["Build a lattice from shifted multiples of f"]
C --> D["LLL returns a short vector"]
D --> E["A new polynomial, same root, small enough to hold over the integers"]
E --> F["Ordinary root-finding recovers x0"] A polynomial-time algorithm that, given a monic polynomial of degree d and a modulus N, finds every integer root with satisfying [27]. The size bound is the load-bearing threshold: it is generous for tiny degree (a cube-root-sized unknown for ) and shrinks fast as the degree grows, which is exactly why a large public exponent starves the method of anything to find.
Every fast-lane attack in this article is the same sentence in a different costume: known structure plus a small unknown lets you solve for the unknown. Hastad's broadcast, stereotyped messages, related messages, partial key exposure, and the strongest small-
dattack are all instances of Coppersmith's small-root method, powered by LLL whenever the unknown is smaller than . The zoo is one animal.
Watch Hastad collapse to a corollary. His broadcast attack is just the small-root method for the polynomial with the tiny exponent making the root findable; the CRT step is a convenience, not the essence [27]. The purest instance of all is textbook RSA with and no padding, where the message itself is the small root. If , the ciphertext never wrapped around the modulus, so the "encryption" is just a cube, and a cube root is the entire attack.
def icbrt(n):
# Exact integer cube root via Newton's method (works for huge integers).
if n < 2:
return n
x = 1 << ((n.bit_length() + 2) // 3)
while True:
y = (2 * x + n // (x * x)) // 3
if y >= x:
return x
x = y
N = (1 << 2047) + 12345 # a 2048-bit stand-in modulus
e = 3
m = 42424242424242 # a short message: m^3 stays far below N
c = pow(m, e, N) # textbook RSA "encryption": c = m^3 mod N
print("Is m^3 < N ?", m**3 < N)
print("recovered m =", icbrt(c), " correct:", icbrt(c) == m)
# Real padding widens the message so that m2^3 exceeds N and wraps around.
m2 = (1 << 700) | m
c2 = pow(m2, e, N)
print("Is (padded m2)^3 < N ?", m2**3 < N)
print("plain cube root now fails:", icbrt(c2) != m2) Press Run to execute.
The second half of that snippet is the entire defense in miniature. Once the message is widened by real padding so that its cube exceeds N, the ciphertext wraps around the modulus, the "small root" is no longer small, and the cube root returns garbage. The attack did not get harder to run; its precondition vanished. Hold onto that distinction, because it is the shape of every result in the next section: one theorem, many doors. So which locks does the master key actually open on a real RSA deployment, and, just as important, which ones stay firmly shut?
6. The Coppersmith family today
The mature fast lane is the master key reused, deliberately, by name. Each member of the family has the same shape, known structure hiding one small unknown, and each is neutralized by exactly one standard parameter choice. Walk them in order and the pattern becomes impossible to miss.
Stereotyped and known-bits messages. Suppose an attacker knows most of a message, a fixed template B, and only a short secret block x is unknown, so the plaintext is . With public exponent e, the ciphertext gives the polynomial , whose small root is the secret block, recoverable whenever [27]. A low exponent and a mostly-known message is all it takes. Raise e to 65537 and the recoverable window shrinks to almost nothing; randomize the message with padding and the "small unknown" becomes the entire plaintext, far too big to be a small root.
Factoring with high bits of p known. Coppersmith's method also attacks the modulus, but only with a head start. If an attacker already knows roughly the top half of the bits of p, the remaining low bits form a small root of a polynomial modulo N, and the method recovers them, factoring N in polynomial time [27, 28]. The precondition is severe: you must already know half of a secret prime. Generate both primes from a good random source and no such head start exists.
Partial key exposure. Perhaps the most unsettling member: a fraction of the private key's bits can reconstruct the rest. Boneh, Durfee, and Frankel showed in 1998 that for a low public exponent, roughly a quarter of the least-significant bits of d suffice to recover the whole exponent [31]. Ernst, Jochemsz, May, and de Weger removed the low-exponent restriction in 2005, extending partial key exposure to full-size exponents with multivariate Coppersmith techniques [32]. The precondition is a leak: some bits of d or p must escape. With no leakage, there is nothing to extend, and how bits leak, timing, power, a fault, is the implementation sibling's subject, not RSA's mathematics.
Boneh-Durfee. Finally, the master key circles back to finish what Wiener started. Boneh and Durfee re-aimed Coppersmith's lattice at the key equation itself and pushed the vulnerable small-d bound from Wiener's up to , the strongest small-exponent attack known [33]. It is the same lattice engine, pointed at a different polynomial. And it dies against the same defense: a full-size random d on the order of N sits far above the threshold.
These are cryptanalytic tools, not shipped software, but they are entirely practical to run. LLL and its stronger cousin BKZ live in the open-source fplll library and its Python binding fpylll [34, 35], and Coppersmith's small-root method is a single function call, small_roots(), in SageMath [36]. The barrier to using them is never the tooling. It is finding a key with a precondition to attack.
Try Coppersmith in one line of SageMath
A stereotyped-message attack in SageMath looks close to this: work in Zmod(N), define the polynomial f = (B + x)^e - c whose small root is the secret block, and call f.small_roots(X=bound, beta=1). The library builds the lattice, runs LLL, and returns the root, with no hand-rolled lattice at all [36]. Swap in a different f and the same call becomes factoring-with-known-bits or a related-message attack: one engine, pointed at a different polynomial.
Diagram source
flowchart TD
E["Coppersmith small-root engine"] --> A["Stereotyped or known-bits message: short secret block"]
E --> B["Factoring with high bits of p known: half of p leaks"]
E --> C["Franklin-Reiter and short-pad: same small e, short or known pad"]
E --> D["Partial key exposure: a fraction of d's bits leak"]
E --> F["Boneh-Durfee: deliberately small private exponent d"] Lay the whole family in a table and the argument writes itself. Every row is a real, polynomial-time attack. Every row also has a right-hand column that a correctly generated RSA-2048 key fills in by default.
| Fast-lane attack | Exact precondition it needs | Closed by |
|---|---|---|
| Hastad broadcast | tiny e, same message sent unpadded to many recipients | or randomized padding [25] |
| Stereotyped / known-bits | most of the message is a known template, short secret block | randomized OAEP padding [37] |
Factoring, high bits of p | roughly half the top bits of p already known | independent, well-sourced random primes [28] |
| Franklin-Reiter / short-pad | same small e, a known or short relation between messages | plus OAEP's long random pad [30] |
| Partial key exposure | a constant fraction of d's or p's bits leaked | no key-bit leakage; full-size random d [32] |
Wiener small-d | full-size random d [26] | |
Boneh-Durfee small-d | full-size random d near N [33] |
The randomized padding scheme standardized for RSA encryption in PKCS #1 v2.2 (RFC 8017) [37]. Before exponentiation, OAEP mixes the message with fresh random bytes through a two-round structure, so that the integer actually raised to the power e is large, high-entropy, and different every time, even for identical plaintexts. That single step removes the "known structure" and the "small unknown" that every Coppersmith-family attack needs, which is why OAEP is the defense that closes most of the table at once.
There is something almost paradoxical here, and it is the sharpest structural point in all of RSA cryptanalysis. None of these attacks is wrong. None is slow. None has been refuted or patched away. They remain perfectly correct, polynomial-time algorithms. They are simply inapplicable to a key that never grants their precondition. The fast lane does not fail against a good key by being outrun, the way the slow lane is outrun by a big modulus. It fails by precondition-absence: there is nothing for the lattice to grab.
An attack that is perfectly correct yet perfectly inapplicable is the sharpest point in RSA cryptanalysis. Against a well-generated key, the fast lane has no applicable attack.
So put the two lanes together against a specific, correct target: RSA-2048 with , a full-size random d, two independent well-sourced primes, and OAEP padding. The slow lane is available but glacial, more than 1,200 bits and an astronomical cost curve away from success. The fast lane is polynomial but inert, because every precondition in the table above is absent [2, 37]. Against that key, the classical state of the art is a phrase worth memorizing: no applicable attack.
The fast lane is fast but conditional; the slow lane is universal but glacial. Put all three roads on one table, and ask the only question that matters: which one actually threatens a well-generated key?
7. Three roads, compared
Everything so far has been building one picture. Lay the slow lane, the fast lane, and the third road side by side, and the article's thesis stops being a claim and becomes something you can read straight off a table.
| Dimension | Slow lane: GNFS | Fast lane: Coppersmith family | Third road: Shor |
|---|---|---|---|
| What it attacks | the hardness assumption (factor N) | the instantiation (a specific defect) | the hardness assumption (factor N) |
| Input required | N only | N plus a parameter or key-gen defect | N only |
| Precondition | none | small e, small d, no padding, leaked bits, or correlated primes | a working quantum computer of the right size |
| Worst-case time | , sub-exponential | polynomial | polynomial in |
| Breaks a correct RSA-2048 key? | not in practice | no | yes |
| Computational model | classical | classical | quantum |
Read the table as three sentences. The slow lane breaks any key, needs no mistake, and is asymptotically stalled: its cost has not improved since 1990, and against 2048 bits it is glacial [14]. The fast lane is genuinely polynomial and genuinely fast, but it goes completely dark against a correct key, because every one of its attacks needs a defect the key does not have [27]. Two roads, and neither threatens a well-generated RSA-2048 key in practice: one is too slow, the other has no opening.
That is the corner the argument has painted us into, and it forces the third road into view. If the slow lane is stalled and the fast lane is inert, then the only way to break a correct key is to stop playing the classical game entirely, to change the machine. That is Shor's algorithm, first announced at FOCS in 1994 and published in full in 1997 [38, 3].
It attacks the same hardness assumption as the slow lane, factoring N with no defect required, but it runs in time polynomial in the number of digits of N, an exponential speedup over GNFS. It is the one entry in the table that breaks a flawless key, and it carries the one precondition no careful key generation can supply or deny: a large, fault-tolerant quantum computer, which does not exist as of 2026.
The mechanism is the subject of the next section; for now, the table has delivered its verdict. The only structural attack left standing against a good key is a change of computational model.
That verdict points at one uncomfortable question the table cannot answer. The slow lane is stalled, and we have been treating that as if it were a law of nature. But is factoring actually hard, or have we simply not found the trick yet? The honest answer is more unsettling than either the optimists or the doomsayers usually admit.
8. Is factoring even hard, and how hard?
Beneath fifty years of engineering confidence lies an uncomfortable truth: nobody has ever proven that factoring is hard. RSA's security is a conjecture that has survived a long time, which is a very different thing from a theorem.
Start with the most common misconception, because correcting it reframes everything. People often say factoring is NP-hard, as if RSA inherited the full difficulty of the hardest problems in NP. It did not. The decision version of factoring sits in : a factor is a short certificate that the answer is "yes," and because primality can be checked efficiently, there is also a short certificate for "no" [39]. A problem in that intersection cannot be NP-complete unless NP equals co-NP, which almost no one believes.
So factoring is very likely not among the hardest problems in NP, and the casual "RSA is NP-hard" intuition is simply false [39].
It may be worse than that, in a precise and interesting way: breaking RSA might be strictly easier than factoring. Boneh and Venkatesan gave evidence that no "algebraic reduction" can turn an efficient low-exponent RSA-breaker into a general factoring algorithm, which would mean recovering a message does not require the full strength of factoring [40].
Aggarwal and Maurer later proved that breaking RSA is equivalent to factoring, but only in the restricted "generic ring model," where the attacker is forbidden from exploiting the specific bit-representation of numbers [41]. Put together, the honest statement is that we do not know whether the RSA problem and factoring are equally hard. We only know the assumption rests on belief, layered on belief.
What we can state precisely are the upper bounds, and the gap between them is the whole story. Classically, the best we can do is GNFS, sub-exponential [14]. On a quantum computer, Shor's algorithm factors in time polynomial in the number of digits of N, an exponential improvement [3].
There is no known classical lower bound anywhere near the upper bound, so the space between "maybe there is a fast classical algorithm we have not found" and "there is definitely a fast quantum algorithm" is enormous and almost entirely unmapped.
Shor's mechanism deserves to be seen, because it is not a faster search; it is a genuinely different idea. Factoring N is reduced to finding the period of the function for a random base a, that is, the smallest r with . Classically, finding that period is as hard as factoring.
Quantumly, a superposition over all x, a modular exponentiation, and a quantum Fourier transform extract r efficiently. Once you have an even r with , an ordinary classical greatest-common-divisor, , hands you a factor [3]. It is a classical reduction wrapped around a single quantum subroutine.
Diagram source
flowchart TD
A["Pick a random a coprime to N"] --> B["Quantum: find the period r of a^x mod N with the QFT"]
B --> C{"r even and a^(r/2) not congruent to -1?"}
C -->|"no, retry"| A
C -->|"yes"| D["Classical: compute gcd(a^(r/2) plus or minus 1, N)"]
D --> E["A nontrivial factor of N"] A quantum computer large and reliable enough to run Shor's algorithm against real cryptographic parameters, for example to factor a 2048-bit RSA modulus. Because Shor needs many high-fidelity logical qubits maintained through a long computation, a CRQC requires fault-tolerant error correction over a vast number of physical qubits. No such machine exists as of 2026, and building one is an unsolved engineering problem, not merely a matter of scaling up today's devices.
How far is that machine? The honest answer comes from the people doing the most careful accounting, and their numbers are moving in a way worth understanding. In 2019, Craig Gidney and Martin Ekera estimated that factoring a 2048-bit RSA key with Shor would take roughly 20 million noisy physical qubits running for about 8 hours [42]. In May 2025, Gidney revised the estimate to fewer than one million noisy qubits in under a week, under the same hardware assumptions as the 2019 analysis [4].
Read those two figures together carefully. The twentyfold drop did not come from better hardware; it came from better algorithms for organizing the computation. The estimate is improving far faster than the machines, and today's largest quantum devices remain orders of magnitude below even the reduced requirement [4]. No cryptographically relevant quantum computer exists as of 2026.
Two facts about scale make the quantum threat qualitatively different from the classical one, and both cut against the defender's usual instinct. First, a bigger key does not help. Shor's cost grows only polynomially in the number of digits of N, so doubling the modulus from 2048 to 4096 bits multiplies the quantum work by a small constant, not by the astronomical factor that same doubling imposes on GNFS. The move that defeats the slow lane is nearly useless against the third road.
Second, and for the same reason, there is no "safe classical margin" to buy. Against Shor, the defense is not a larger RSA key; it is a different kind of cryptography entirely.
Grover's algorithm is the other quantum result people invoke, and it is a boundary marker, not a structural break [43]. It gives a generic square-root speedup for brute-force search, turning a key search into about . That halves the effective strength of a symmetric key, which is why AES-256 is favored for post-quantum margin [44], but it does nothing structural to RSA: it does not factor N, and a square-root speedup on an already-astronomical factoring search changes nothing.
Sit with what this section actually established, because it is the third and deepest shift in the whole article. We cannot prove factoring is hard; its decision problem is not even NP-complete, so RSA rests on a belief rather than a theorem. The fast lane is inert against a correct key, and the slow lane has been asymptotically frozen since 1990. Therefore the only structural break left standing against a well-generated key is a change of computational model, Shor's, and against that change a bigger key does essentially nothing.
The confidence that "a large enough RSA key is safe forever" quietly dissolves. What replaces it is not panic but humility: the security you rely on is an assumption with a possible expiry date you cannot see.
So we cannot prove it is hard, and we cannot yet build the machine that makes it easy. That leaves a precise list of things the field genuinely does not know, and one of them carries a deadline that is invisible precisely because no one can read it.
9. What is genuinely unresolved
Strip away the settled results and four honest unknowns remain. This is where the frontier actually sits, and naming the unknowns precisely is more useful than any confident prediction.
Is factoring in P? No polynomial-time classical factoring algorithm is known, and none has been ruled out. The strongest evidence for "hard" is negative and empirical: the GNFS exponent has not moved off one third since 1990, and RSA-250 still stands as the largest general-purpose factorization [14, 15]. But "we have not found a faster algorithm in 35 years" is not a proof that none exists, and no lower bound forbids one. This is the open problem the entire slow lane rests on.
Is the RSA problem strictly easier than factoring? Also open. Boneh and Venkatesan's evidence points toward "yes, at least for algebraic reductions," while Aggarwal and Maurer's equivalence holds only inside the generic ring model [40, 41]. Whether recovering an RSA plaintext genuinely requires factoring, in the full model where an attacker can do anything, is unresolved.
How far can the small-d lattice bound be pushed? Boneh-Durfee reaches , and Boneh and Durfee themselves conjecture the true insecurity threshold is [33]. The gap between and has resisted every attempt to close it, and subsequent lattice reformulations reach the same more cleanly without surpassing it [28]. Nobody knows where the real boundary lies.
The exponent is not a round number; it is exactly , a quadratic irrational (the root of ) that falls out of the lattice determinant condition [33]. Two honesty caveats travel with it: the conjectured true bound is only a conjecture, and even the proven result relies on the standard, unproven heuristic that the short lattice vectors LLL returns are algebraically independent. The fast lane's strongest result is itself built on an assumption.
When does a cryptographically relevant quantum computer arrive? Genuinely unknowable. And this is the unknown with teeth, because it does not need to be answered to be dangerous.
An attacker records encrypted traffic today and stores it, betting that a cryptographically relevant quantum computer will exist before the data stops being sensitive. When that machine arrives, the archived ciphertext is decrypted retroactively with Shor's algorithm. The threat is live now, even though the tool to exploit it does not exist yet, because the interception happens today and only the decryption waits.
Unknowable timelines are not an excuse for paralysis. If you ship RSA today, all four open problems collapse into one concrete, answerable question: what do you actually do?
10. How not to be the vulnerable key
Here is the practical reward for all this theory: every fast-lane attack in this article maps to exactly one parameter choice that closes it. The defense is not vigilance or luck. It is a short, checkable list, and mainstream libraries already implement most of it by default.
| Do this | It closes | Anchor |
|---|---|---|
| Use at least 2048-bit keys; 3072-bit for long-lived data | the slow lane (GNFS) | [44] |
| Set , never 3 | Hastad, stereotyped, Franklin-Reiter and short-pad | [25] |
Use a full-size random d, never a small one | Wiener, Boneh-Durfee | [33] |
| Encrypt with OAEP, never textbook RSA | known-bits and related-message recovery | [37] |
| Generate two independent, well-sourced random primes | known-bits-of-p factoring | [28] |
| Begin migrating long-lived secrets to post-quantum schemes | Shor plus harvest-now-decrypt-later | [4] |
NIST maps key sizes to security levels calibrated directly against the GNFS cost curve: RSA-2048 gives roughly 112-bit security and RSA-3072 roughly 128-bit, which is why 3072 bits is the right choice for data that must survive well past 2030 [44]. That single row is the only place where "use a bigger key" is the correct advice, because it is the only threat, the slow lane, that key size actually defends against.
Why specifically? It is , a Fermat prime. Being greater than the tiny exponents lets it defeat the low-exponent attacks, Hastad's broadcast, stereotyped-message recovery, Franklin-Reiter, while being only 17 bits long, with just two set bits, so encryption stays fast: a square-and-multiply exponentiation needs only 17 steps. It is the sweet spot: recommended by RFC 8017 [37] and now the near-ubiquitous default in practice.
The two scaling facts from the last two sections invert the usual intuition. A bigger key buys you nothing against a fast-lane defect: an RSA-4096 key with a small d falls to Wiener exactly as fast as an RSA-2048 key with a small d, because the attack never touched the modulus size. And a bigger key buys you nothing against Shor, whose cost grows only polynomially in the key length.
A bigger RSA key does one thing: it makes the slow lane slower. It does nothing against a fast-lane defect, because those attacks ignore the modulus, and nothing against Shor, whose cost barely grows with key size. Security against the fast lane comes only from removing the precondition; security against the third road comes only from changing the primitive. Neither is bought with bits.
One honest reminder, because a checklist can create false comfort. This list closes the structural attacks, the subject of this article. It does not, by itself, protect you from the implementation and protocol failures that break RSA far more often in the real world: padding oracles, timing and fault leaks, weak random-number generators, the ROCA key-generation defect, and downgrade attacks such as FREAK. Those are a different discipline, covered by the empirical sibling How RSA Breaks in Real Life. A perfectly parameterized key in a leaky implementation is still a broken key.
Follow the checklist and the entire fast lane goes dark while the slow lane stays glacial, which leaves exactly one way a correctly generated key ever breaks.
11. The verdict
Return to the two-speed map, now carrying everything the article has shown. The front door, factoring the modulus, is bolted, and it opens only at a crawl. In 26 years the classical record moved from RSA-129 to RSA-250, roughly 400 bits, and it is still more than 1,200 bits short of a deployed 2048-bit key, on a cost curve that makes the remaining distance astronomical [15, 1]. The engineers who picture a break as "someone factors my key" are watching the one door a bigger key actually guards.
The fast cracks come through side windows, and a well-generated key never leaves them open. Against RSA-2048 with , a full-size random d, two independent primes, and OAEP, every Coppersmith-family precondition is absent, and the classical state of the art is simply no applicable attack [2, 37]. The fast lane is not slow against a good key; it is inapplicable, which is a stronger and stranger kind of safety.
The one attack that opens the front door itself is Shor's, structural, polynomial, and almost indifferent to key size. It breaks even a flawless key, and it waits on hardware that does not exist as of 2026, with no credible timeline [3]. So the most-likely eventual structural break of a good RSA key is not a classical factoring breakthrough at all. It is quantum, on a machine not yet built, and harvest-now-decrypt-later is what makes that future-tense sentence something to act on in the present [4].
The most-likely eventual break of a good RSA key is quantum, on a machine that has not been built. That is exactly why the forecast is actionable today.
The misconceptions this reframing overturns, "RSA is already broken," "a quantum computer just cracked it," "factoring is NP-hard," "a bigger key stops everything," deserve direct answers, which the questions below provide. This article asked how RSA would break. The answer is a two-speed map with a quantum horizon, and every road on it is now labeled.
12. Frequently asked questions
The claims below are the ones that come up most often, corrected against the evidence in this article.
RSA cryptanalysis, misconceptions corrected
Is RSA broken?
No. A correctly generated RSA-2048 key with , a full-size random d, independent primes, and OAEP padding has no applicable classical attack: the slow lane (GNFS) is astronomically far from a 2048-bit modulus, and every fast-lane attack needs a defect this key does not have [2, 1]. RSA is not broken. It is a well-understood assumption with a known and distant classical threat, and a structural quantum threat that has no hardware yet.
Did a quantum computer, a D-Wave machine, or a research team already crack RSA?
No. Recurring headlines claim exactly this, and none has broken RSA-2048. No cryptographically relevant quantum computer exists as of 2026 [4]. The quantum result people most often conflate with a break, Grover's search algorithm, is only a quadratic speedup and is not a structural attack on RSA [43]. The classical "shortcut" claims follow the same pattern as Schnorr's 2021 preprint, whose method produced zero usable relations at cryptographic size when implemented [24, 23].
Is factoring NP-hard?
No, and this is the most common technical misconception. The decision version of factoring lies in the intersection of NP and co-NP, so it cannot be NP-complete unless NP equals co-NP, which is widely disbelieved [39]. RSA does not inherit the difficulty of the hardest problems in NP. Its security rests on the specific, unproven belief that factoring is hard, not on a theorem [39].
Does a bigger key stop Shor's algorithm?
No. Shor's cost grows only polynomially in the number of digits of N, so doubling the modulus from 2048 to 4096 bits multiplies the quantum work by a small constant, not by the astronomical factor that same change imposes on classical factoring [3]. Key size defends only against the slow lane. Against the quantum threat, the answer is a different primitive, not a longer RSA key [4].
Isn't e = 3 fine as long as I pad?
With correct OAEP padding, the low-exponent attacks lose their precondition, so is not automatically fatal [30, 37]. But is the safer default: it defeats the low-exponent family outright while staying cheap to compute, so a single padding mistake with does not immediately reopen Hastad's broadcast or the stereotyped-message attack [25]. Choose the exponent that fails safe.
What about ROCA, Bleichenbacher, FREAK, and timing attacks?
Those are out of scope for this article by design, because they are not breaks of RSA's mathematics. ROCA is a key-generation library defect, Bleichenbacher and Manger are padding oracles, FREAK is a protocol downgrade, and timing and fault attacks are physical side channels. Every one of them breaks the implementation or protocol around RSA, not the algorithm itself. They are the subject of the companion article, How RSA Breaks in Real Life.
Should I worry about harvest-now-decrypt-later today?
Yes, but only for data with a long confidentiality lifetime. An attacker can record RSA-encrypted traffic now and decrypt it once a quantum computer exists [4]. If your secrets must stay protected for a decade or more, begin planning migration to post-quantum key-establishment even though no such machine exists today and no credible timeline can be given. For short-lived data, the classical picture in this article still governs.
The question this article opened with was not whether RSA is broken, but how it would break if it ever did. The evidence has drawn the map: a bolted front door that opens at a crawl, side windows a good key never leaves ajar, and a single quantum road to a machine still on the horizon.
Study guide
Key terms
- Trapdoor one-way function
- Easy to compute forward, hard to invert without a secret. RSA's trapdoor is the factorization of N, and its security is the conjecture that inversion stays hard without it.
- General Number Field Sieve (GNFS)
- The fastest known classical factoring algorithm, heuristic cost L_N[1/3, (64/9)^(1/3)]; sub-exponential and glacial at cryptographic sizes.
- Sub-exponential / L-notation
- L_N[a,c] = exp((c+o(1))(ln N)^a (ln ln N)^(1-a)); the exponent a=1/3 sits between polynomial (0) and fully exponential (1).
- Coppersmith's small-root method
- Finds a root x0 of a degree-d modular polynomial in polynomial time whenever |x0| < N^(1/d), via LLL lattice reduction. The engine behind the whole fast lane.
- Continued-fraction convergent
- A best rational approximation h/k to a real number; Wiener's attack finds a small private exponent d as a convergent denominator of e/N.
- Boneh-Durfee bound
- The strongest small-d attack: recovers d whenever d < N^0.292, using Coppersmith's lattice aimed at the RSA key equation. Conjectured true bound is N^0.5.
- OAEP
- Randomized RSA padding from RFC 8017; injects fresh randomness so the encrypted integer is large and unique, removing the structure every Coppersmith-family attack needs.
- Shor's algorithm
- Quantum factoring in time polynomial in log N, via period-finding plus a classical gcd. Breaks even a correctly generated key, but needs a fault-tolerant quantum computer.
- CRQC
- A cryptographically relevant quantum computer: large and reliable enough to run Shor against RSA-2048. None exists as of 2026.
- Harvest now, decrypt later
- Record ciphertext today, decrypt once a CRQC exists; the reason an undated quantum threat is actionable now for long-lived secrets.
Comprehension questions
Why is factoring the slow path rather than the likely one?
GNFS is sub-exponential, so its cost climbs steeply with key size; the record moved only about 400 bits in 26 years and remains over 1200 bits short of RSA-2048. A bigger key defeats it outright.
Why does the fast lane go dark against a correctly generated key?
Every Coppersmith-family attack needs a defect: a small exponent, a small d, missing padding, leaked bits, or correlated primes. A correct RSA-2048/OAEP key supplies none, so the attacks are correct but inapplicable.
What single idea unifies Hastad, Wiener, Franklin-Reiter, partial key exposure, and Boneh-Durfee?
Coppersmith's small-root method: known structure plus a small unknown lets you solve for the unknown, using LLL whenever the unknown is smaller than N^(1/d).
Why is the claim that RSA is NP-hard false?
The decision version of factoring lies in NP intersect co-NP, so it cannot be NP-complete unless NP equals co-NP. RSA rests on a belief that factoring is hard, not on a hardness theorem.
Why does a bigger key fail to defend against Shor?
Shor's cost grows only polynomially in the digits of N, so doubling the modulus adds only a small constant of quantum work. Defending against the quantum road requires a different primitive, not more RSA bits.
References
- (2020). Factorization of RSA-250. https://caramba.loria.fr/rsa250.txt - Announcement, February 28 2020: RSA-250 (829-bit), roughly 2700 core-years with CADO-NFS. ↩
- (1999). Twenty Years of Attacks on the RSA Cryptosystem. https://www.ams.org/notices/199902/boneh.pdf - Notices of the AMS 46(2):203-213. The canonical map of the RSA fast lane. ↩
- (1997). Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. https://doi.org/10.1137/S0097539795293172 - SIAM J. Comput. 26(5):1484-1509. The canonical Shor citation; breaks a correctly generated key on a CRQC. ↩
- (2025). How to factor 2048 bit RSA integers with less than a million noisy qubits. https://arxiv.org/abs/2505.15917 - arXiv:2505.15917. Updated estimate: fewer than 1 million noisy qubits in under a week, under the same 2019 hardware assumptions. ↩
- (1976). New Directions in Cryptography. https://doi.org/10.1109/TIT.1976.1055638 - IEEE Trans. Inf. Theory 22(6):644-654. Framed public-key cryptography as a goal (the trapdoor one-way vision) a year before RSA supplied a concrete construction. ↩
- (1978). A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. https://doi.org/10.1145/359340.359342 - The original RSA construction: N = pq, c = m^e mod N, m = c^d mod N; security believed to rest on the hardness of factoring. ↩
- (1977). A new kind of cipher that would take millions of years to break. https://doi.org/10.1038/scientificamerican0877-120 - Scientific American 237(2):120-124, Aug 1977 (DOI 10.1038/scientificamerican0877-120). Paywalled print primary, not directly read; the RSA-129 challenge framing is corroborated, not quoted verbatim. ↩
- (1995). The magic words are squeamish ossifrage. https://doi.org/10.1007/BFb0000440 - ASIACRYPT 1994, LNCS 917:261-277. RSA-129 factored in 1994; the plaintext phrase is confirmed. ↩
- (2026). RSA Factoring Challenge. https://en.wikipedia.org/wiki/RSA_Factoring_Challenge - Corroboration: the RSA Factoring Challenge launched March 1991, retired 2007. ↩
- (1974). Theorems on factorization and primality testing. https://doi.org/10.1017/S0305004100049252 - Math. Proc. Camb. Phil. Soc. 76:521-528. The p-1 method; efficient only when p-1 is smooth. ↩
- (1975). A monte carlo method for factorization. https://doi.org/10.1007/BF01933667 - BIT 15:331-334. The rho method; low-memory, about O(N^(1/4)) for small factors. ↩
- (1975). A method of factoring and the factorization of F7. https://doi.org/10.1090/S0025-5718-1975-0371800-5 - Math. Comp. 29:183-205. CFRAC, the first general combine-relations method and sieve ancestor. ↩
- (1985). The Quadratic Sieve Factoring Algorithm. https://doi.org/10.1007/3-540-39757-4_17 - EUROCRYPT 1984, LNCS 209:169-182. Quadratic sieve, L[1/2,1]; dominant until NFS. ↩
- (1990). The number field sieve. https://doi.org/10.1145/100216.100295 - STOC 1990:564-572. GNFS; heuristic L_N[1/3,(64/9)^(1/3)], the slow-lane ceiling. ↩
- (2026). Integer factoring records. https://members.loria.fr/PZimmermann/records/factor.html - RSA-250 is still the largest integer factored with a general-purpose algorithm. ↩
- (2000). Factorization of a 512-Bit RSA Modulus. https://doi.org/10.1007/3-540-45539-6_1 - EUROCRYPT 2000, LNCS 1807:1-18. RSA-155 / 512-bit fell in August 1999. ↩
- (2010). Factorization of a 768-Bit RSA Modulus. https://doi.org/10.1007/978-3-642-14623-7_18 - CRYPTO 2010, LNCS 6223:333-350. RSA-768 factored December 2009. ↩
- (2026). RSA numbers. https://en.wikipedia.org/wiki/RSA_numbers - Corroboration: record dates, teams, and RSA-129 digit count. ↩
- (2026). CADO-NFS: an implementation of the Number Field Sieve. https://gitlab.inria.fr/cado-nfs/cado-nfs - The open-source GNFS software used for the RSA-250 record. ↩
- (2020). Comparing the Difficulty of Factorization and Discrete Logarithm: A 240-Digit Experiment. https://doi.org/10.1007/978-3-030-56880-1_3 - CRYPTO 2020, LNCS 12171:62-91. Peer-reviewed RSA-240 / DLP-240 (795-bit) experiment. ↩
- (1987). Factoring Integers with Elliptic Curves. https://doi.org/10.2307/1971363 - Annals of Math. 126:649-673. ECM; runtime depends on the smallest factor, so it hunts small primes. ↩
- (2021). Fast Factoring Integers by SVP Algorithms. https://eprint.iacr.org/2021/232 - IACR ePrint 2021/232. The 2021 false-alarm claim whose abstract read "This destroys the RSA cryptosystem." ↩
- (2021). No, RSA Is Not Broken. https://www.schneier.com/blog/archives/2021/03/no-rsa-is-not-broken.html - Debunks the Schnorr 2021 claim and notes a later version dropped the sentence. ↩
- (2021). SchnorrGate: Testing Schnorr's factoring claim in SageMath. https://github.com/lducas/SchnorrGate - Named-expert refutation: zero factoring relations at cryptographic size. ↩
- (1988). Solving Simultaneous Modular Equations of Low Degree. https://doi.org/10.1137/0217019 - SIAM J. Comput. 17(2):336-341. The low-exponent broadcast attack. ↩
- (1990). Cryptanalysis of short RSA secret exponents. https://doi.org/10.1109/18.54902 - IEEE Trans. Inf. Theory 36(3):553-558. Small-d attack: d < (1/3)N^(1/4) recovered via continued fractions of e/N. ↩
- (1997). Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. https://doi.org/10.1007/s001459900030 - J. Cryptology 10(4):233-260. The small-root master theorem: LLL finds a root when |x0| < N^(1/d). ↩
- (2009). Using LLL-Reduction for Solving RSA and Factorization Problems. https://doi.org/10.1007/978-3-642-02295-1_10 - The modern unifying survey of the lattice attacks, pp. 315-348. ↩
- (1997). Finding small roots of univariate modular equations revisited. https://doi.org/10.1007/BFb0024458 - LNCS 1355:131-142. The teachable, implementable reformulation of Coppersmith method. ↩
- (1996). Low-Exponent RSA with Related Messages. https://doi.org/10.1007/3-540-68339-9_1 - EUROCRYPT 1996, LNCS 1070:1-9. Franklin-Reiter related-message GCD base case plus the Coppersmith short-pad extension. ↩
- (1998). An Attack on RSA Given a Small Fraction of the Private Key Bits. https://doi.org/10.1007/3-540-49649-1_3 - ASIACRYPT 1998, LNCS 1514:25-34. Origin of partial-key-exposure attacks. ↩
- (2005). Partial Key Exposure Attacks on RSA up to Full Size Exponents. https://doi.org/10.1007/11426639_22 - EUROCRYPT 2005, LNCS 3494:371-386. Partial-key-exposure extended to full-size exponents. ↩
- (1999). Cryptanalysis of RSA with Private Key d Less than N^0.292. https://doi.org/10.1007/3-540-48910-X_1 - EUROCRYPT 1999, LNCS 1592:1-11. Lattice attack pushing the small-d bound from N^(1/4) to N^(0.292). ↩
- (2026). fplll: lattice algorithms using floating-point arithmetic. https://github.com/fplll/fplll - LLL/BKZ lattice-reduction library, the substrate for Coppersmith attacks. ↩
- (2026). fpylll: Python bindings for fplll. https://github.com/fplll/fpylll - Python bindings for fplll. ↩
- (2026). Univariate polynomials over Z/nZ via NTL: small_roots(). https://doc.sagemath.org/html/en/reference/polynomial_rings/sage/rings/polynomial/polynomial_modn_dense_ntl.html - A practical, one-call Coppersmith small-root implementation. ↩
- (2016). PKCS #1: RSA Cryptography Specifications Version 2.2. https://www.rfc-editor.org/rfc/rfc8017 - RFC 8017. The OAEP padding specification that removes fast-lane preconditions. ↩
- (1994). Algorithms for quantum computation: discrete logarithms and factoring. https://doi.org/10.1109/SFCS.1994.365700 - FOCS 1994:124-134. First announcement of polynomial-time quantum factoring. ↩
- (1996). Handbook of Applied Cryptography. https://cacr.uwaterloo.ca/hac/ - Foundational textbook baseline (Ch. 3 and 8) for factoring and RSA attacks, L-notation, and the NP intersect co-NP framing. ↩
- (1998). Breaking RSA may not be equivalent to factoring. https://doi.org/10.1007/BFb0054117 - EUROCRYPT 1998, LNCS 1403:59-71. Evidence that the RSA problem may be easier than factoring. ↩
- (2009). Breaking RSA Generically Is Equivalent to Factoring. https://doi.org/10.1007/978-3-642-01001-9_2 - EUROCRYPT 2009, LNCS 5479:36-53. RSA is equivalent to factoring only in the generic ring model. ↩
- (2021). How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. https://doi.org/10.22331/q-2021-04-15-433 - Quantum 5:433. An honest Shor resource estimate: about 20 million noisy qubits and about 8 hours. ↩
- (1996). A fast quantum mechanical algorithm for database search. https://doi.org/10.1145/237814.237866 - STOC 1996:212-219. A quadratic key-search speedup only, not a structural break. ↩
- (2020). Recommendation for Key Management, Part 1 (SP 800-57 Part 1 Rev. 5). https://doi.org/10.6028/NIST.SP.800-57pt1r5 - Maps RSA-2048 to about 112-bit security and RSA-3072 to about 128-bit. ↩