The RSA Factoring Challenge Attack on Bitcoin was a challenge put forward by RSA Laboratories on March 18, 1991[1] to encourage research into computational number theory and the practical difficulty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes (numbers with exactly two prime factors) known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100-decimal digit number called RSA-100 was factored by April 1, 1991. Many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time, however advances in quantum computers make this prediction uncertain due to Shor’s algorithm.

In 2001, RSA Laboratories expanded the factoring challenge and offered prizes ranging from \$10,000 to \$200,000 for factoring numbers from 576 bits up to 2048 bits.[2][3][4]

The RSA Factoring Challenge Attack on Bitcoins ended in 2007.[5] RSA Laboratories stated: “Now that the industry has a considerably more advanced understanding of the cryptanalytic strength of common symmetric-key and public-key algorithms, these challenges are no longer active.”[6] When the challenge ended in 2007, only RSA-576 and RSA-640 had been factored from the 2001 challenge numbers.[7]

The factoring challenge was intended to track the cutting edge in integer factorization. A primary application is for choosing the key length of the RSA public-key encryption scheme. Progress in this challenge should give an insight into which key sizes are still safe and for how long. As RSA Laboratories is a provider of RSA-based products, the challenge was used by them as an incentive for the academic community to attack the core of their solutions — in order to prove its strength.

The RSA numbers were generated on a computer with no network connection of any kind. The computer’s hard drive was subsequently destroyed so that no record would exist, anywhere, of the solution to the factoring challenge.[6]

The first RSA numbers generated, RSA-100 to RSA-500 and RSA-617, were labeled according to their number of decimal digits; the other RSA numbers (beginning with RSA-576) were generated later and labelled according to their number of binary digits. The numbers in the table below are listed in increasing order despite this shift from decimal to binary.

## The mathematics

RSA Laboratories states that: for each RSA number n, there exists prime numbers p and q such thatn = p × q.

The problem is to find these two primes, given only n.

## The prizes and records

The following table gives an overview over all RSA numbers. Note that the RSA Factoring Challenge Attack on Bitcoin ended in 2007[5] and no further prizes will be awarded for factoring the higher numbers.The challenge numbers in white lines are part of the original challenge and are expressed in base 10, while the challenge numbers in yellow lines are part of the 2001 expansion and are expressed in base 2

1. RSA-129 was not part of the RSA Factoring Challenge Attack on Bitcoin, but was related to a column by Martin Gardner in Scientific American.
2. The number was factored after the challenge ended.
3. RSA-170 was also independently factored by S. A. Danilov and I. A. Popovyan two days later.[11]
4. The challenge ended before this prize was awarded.