RSA numbers

1522605027922533360535618378132637429718068114961380688657908494580122963258952897654000350692006139

1522605027922533360535618378132637429718068114961380688657908494580122963258952897654000350692006139

35794234179725868774991807832568455403003778024228226193532908190484670252364677411513516111204504060317568667

35794234179725868774991807832568455403003778024228226193532908190484670252364677411513516111204504060317568667

227010481295437363334259960947493668895875336466084780038173258247009162675779735389791151574049166747880487470296548479

227010481295437363334259960947493668895875336466084780038173258247009162675779735389791151574049166747880487470296548479

114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541

114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541

p = 3490529510847650949147849619903898133417764638493387843990820577 (64 digits) q = 32769132993266709549961988190834461413177642967992942539798288533 (65 digits)

p = 3490529510847650949147849619903898133417764638493387843990820577 (64 digits) q = 32769132993266709549961988190834461413177642967992942539798288533 (65 digits)

1807082088687404805951656164405905566278102516769401349170127021450056662540244048387341127590812303371781887966563182013214880557 ```[](https://t5k.org/notes/rsa130.html) This [semiprime](/page/Semiprime) was factored on April 10, 1996, by a team led by Paul Leyland using the general number field sieve (GNFS).[](https://t5k.org/notes/rsa130.html) The prime factors are:

1807082088687404805951656164405905566278102516769401349170127021450056662540244048387341127590812303371781887966563182013214880557 ```[](https://t5k.org/notes/rsa130.html) This [semiprime](/page/Semiprime) was factored on April 10, 1996, by a team led by Paul Leyland using the general number field sieve (GNFS).[](https://t5k.org/notes/rsa130.html) The prime factors are:

and

and

The factorization effort required approximately three months of computation on 100 workstations, highlighting the growing feasibility of GNFS for large-scale [semiprime](/page/Semiprime)s at the time.[](https://t5k.org/notes/rsa130.html) This achievement marked an early maturation of the GNFS method for numbers of this size.[](https://t5k.org/notes/rsa130.html) ### RSA-140 RSA-140 is a 140-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), published by RSA Laboratories in 1991 to demonstrate the difficulty of factoring large semiprimes in [public-key cryptography](/page/Public-key_cryptography). The number is given by:

The factorization effort required approximately three months of computation on 100 workstations, highlighting the growing feasibility of GNFS for large-scale [semiprime](/page/Semiprime)s at the time.[](https://t5k.org/notes/rsa130.html) This achievement marked an early maturation of the GNFS method for numbers of this size.[](https://t5k.org/notes/rsa130.html) ### RSA-140 RSA-140 is a 140-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), published by RSA Laboratories in 1991 to demonstrate the difficulty of factoring large semiprimes in [public-key cryptography](/page/Public-key_cryptography). The number is given by:

This challenge number was fully factored on February 2, 1999, by an international team led by Herman te Riele at the Centrum Wiskunde & Informatica (CWI) in the Netherlands. The team consisted of Stefania Cavallar, Bruce Dodson, Arjen Lenstra, Paul Leyland, Walter Lioen, Peter L. Montgomery, Brian Murphy, and Paul Zimmermann. They employed the General Number Field Sieve (GNFS), the most advanced method available at the time for factoring large composite numbers without special form.[](https://ir.cwi.nl/pub/10352/10352D.pdf) The prime factors of RSA-140 are: - $ p = 3398717423028438554530123627613875835633986495969597423490929302771479 $ - $ q = 6264200187401285096151654948264442219302037178623509019111660653946049 $ These 70-digit primes were discovered after an extensive sieving phase and linear algebra [computation](/page/Computation), marking a new record for the largest general [integer](/page/Integer) factored using GNFS at that time. The effort required approximately 8.9 CPU-years on various workstations and PCs, equivalent to about 2000 MIPS-years of computational power, highlighting the escalating resources needed for factoring as RSA challenge sizes increased.[](https://ir.cwi.nl/pub/10352/10352D.pdf) ### RSA-150 RSA-150 is a 150-digit [semiprime](/page/Semiprime) composed of two distinct prime factors, generated by RSA Laboratories as part of their factoring challenge to test the difficulty of [integer factorization](/page/Integer_factorization) relevant to [public-key cryptography](/page/Public-key_cryptography). Its full decimal value is:

This challenge number was fully factored on February 2, 1999, by an international team led by Herman te Riele at the Centrum Wiskunde & Informatica (CWI) in the Netherlands. The team consisted of Stefania Cavallar, Bruce Dodson, Arjen Lenstra, Paul Leyland, Walter Lioen, Peter L. Montgomery, Brian Murphy, and Paul Zimmermann. They employed the General Number Field Sieve (GNFS), the most advanced method available at the time for factoring large composite numbers without special form.[](https://ir.cwi.nl/pub/10352/10352D.pdf) The prime factors of RSA-140 are: - $ p = 3398717423028438554530123627613875835633986495969597423490929302771479 $ - $ q = 6264200187401285096151654948264442219302037178623509019111660653946049 $ These 70-digit primes were discovered after an extensive sieving phase and linear algebra [computation](/page/Computation), marking a new record for the largest general [integer](/page/Integer) factored using GNFS at that time. The effort required approximately 8.9 CPU-years on various workstations and PCs, equivalent to about 2000 MIPS-years of computational power, highlighting the escalating resources needed for factoring as RSA challenge sizes increased.[](https://ir.cwi.nl/pub/10352/10352D.pdf) ### RSA-150 RSA-150 is a 150-digit [semiprime](/page/Semiprime) composed of two distinct prime factors, generated by RSA Laboratories as part of their factoring challenge to test the difficulty of [integer factorization](/page/Integer_factorization) relevant to [public-key cryptography](/page/Public-key_cryptography). Its full decimal value is:

This number was factored on April 16, [2004](/page/2004), by Kazumaro Aoki, Yasumasa Kida, and colleagues using the general number field sieve (GNFS) algorithm, specifically employing a lattice sieve for relation collection.[](https://eprint.iacr.org/2004/095.pdf) The computation utilized [Pentium 4](/page/Pentium_4) processors running at 2.53 GHz under [FreeBSD](/page/FreeBSD), with sieving efforts scaled to equivalent time on a single machine totaling approximately 20.6 million seconds (about 238 days or 7.8 months).[](https://eprint.iacr.org/2004/095.pdf) The linear algebra phase, performed with the Block Lanczos method on 16 such PCs, required an additional 101 hours and 31 minutes.[](https://eprint.iacr.org/2004/095.pdf) The two 75-digit prime factors are: - 348009867102283695483970451047593424831012817350385456889559637548278410717 - 445647744903640741533241125787086176005442536297766153493419724532460296199 Their product verifies as RSA-150.[](https://eprint.iacr.org/2004/095.pdf) This factorization, achieved years after larger RSA numbers like RSA-155, underscored the advancing practicality of GNFS for numbers around 500 bits while still requiring substantial but accessible computational effort.[](https://mathworld.wolfram.com/RSANumber.html) ### RSA-155 RSA-155 is a 155-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the security of RSA [encryption](/page/Encryption) against [integer factorization](/page/Integer_factorization) attacks. The full decimal value of RSA-155 is: 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897 This number, equivalent to 512 bits in length, was designed to represent a challenging yet feasible target for contemporary factoring algorithms at the time of its publication.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The factorization of RSA-155 was completed on August 22, 1999, by a collaborative team associated with the Cunningham project, led by Herman te Riele at the Centrum Wiskunde & Informatica (CWI) in the [Netherlands](/page/Netherlands).[](https://ir.cwi.nl/pub/10351/10351D.pdf) The effort utilized the General Number Field Sieve (GNFS), the most advanced method available for factoring large semiprimes, involving polynomial selection, sieving for relations, linear algebra over finite fields, and square root computation.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The team consisted of researchers including Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter Lioen, Peter L. Montgomery, Brian Murphy, and others from institutions across [Europe](/page/Europe) and [North America](/page/North_America).[](https://ir.cwi.nl/pub/10351/10351D.pdf) This distributed computation spanned approximately 5.5 calendar months, with sieving performed on around 300 workstations and PCs at 12 sites in six countries, highlighting the influence of coordinated volunteer and institutional [distributed computing](/page/Distributed_computing) projects on large-scale cryptographic challenges.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The complete factorization yielded two prime factors of roughly equal length: $p = 102639592829741105772054196573991675900716567808038066803341933521790711307779$ $q = 106603488380168454820927220360012878679207958575989291522270608237193062808643$ Verification confirms that $p \times q$ equals RSA-155.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The total computational effort required approximately 8400 MIPS-years, a measure reflecting the scale of processing power equivalent to thousands of MIPS (millions of [instructions per second](/page/Instructions_per_second)) machines running for a year, underscoring the significant resources needed even for this size in 1999.[](https://ir.cwi.nl/pub/10351/10351D.pdf) This achievement demonstrated the practical vulnerability of 512-bit RSA keys and influenced recommendations for increasing key sizes in cryptographic standards.[](https://ir.cwi.nl/pub/10351/10351D.pdf) ### RSA-160 RSA-160 is a 160-digit [semiprime](/page/Semiprime) generated by RSA Laboratories as part of their factoring challenge to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic applications. Its full decimal value is 2152741102718889701896015201312825429257773588845675980170497676778133145218859135673011059773491059602497907111585214302079314665202840140619946994927570407753.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number was successfully factored on April 1, 2003, by a team consisting of Frank Bahr, Jens Franke, Thorsten Kleinjung, Michael Lochter, and Martin Böhme from the [University of Bonn](/page/University_of_Bonn) and the Bundesamt für Sicherheit in der Informationstechnik (BSI).[](https://members.loria.fr/pzimmermann/records/factor-previous.html) The factorization employed the general number field sieve (GNFS), the state-of-the-art algorithm for factoring large semiprimes at the time, involving extensive sieving on approximately 100 CPUs at BSI followed by linear algebra steps on a cluster of 25 processors at the [University of Bonn](/page/University_of_Bonn).[](https://members.loria.fr/pzimmermann/records/factor-previous.html) The two prime factors are 45427892858481394071686190649738831656137145778469793250959984709250004157335359 and 47388090603832016196633832303788951973268922921040957944741354648812028493909367.[](https://www.cs.unibo.it/~babaoglu/courses/security/lucidi/pdf/critto-RSA.pdf) This achievement demonstrated continued [acceleration](/page/Acceleration) in factoring capabilities during the mid-2000s, building on prior successes like RSA-155 four years earlier.[](https://members.loria.fr/pzimmermann/records/factor-previous.html) ### RSA-170 RSA-170 is a 170-digit [semiprime](/page/Semiprime) composed of two distinct prime factors, originally published as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. The number is:

This number was factored on April 16, [2004](/page/2004), by Kazumaro Aoki, Yasumasa Kida, and colleagues using the general number field sieve (GNFS) algorithm, specifically employing a lattice sieve for relation collection.[](https://eprint.iacr.org/2004/095.pdf) The computation utilized [Pentium 4](/page/Pentium_4) processors running at 2.53 GHz under [FreeBSD](/page/FreeBSD), with sieving efforts scaled to equivalent time on a single machine totaling approximately 20.6 million seconds (about 238 days or 7.8 months).[](https://eprint.iacr.org/2004/095.pdf) The linear algebra phase, performed with the Block Lanczos method on 16 such PCs, required an additional 101 hours and 31 minutes.[](https://eprint.iacr.org/2004/095.pdf) The two 75-digit prime factors are: - 348009867102283695483970451047593424831012817350385456889559637548278410717 - 445647744903640741533241125787086176005442536297766153493419724532460296199 Their product verifies as RSA-150.[](https://eprint.iacr.org/2004/095.pdf) This factorization, achieved years after larger RSA numbers like RSA-155, underscored the advancing practicality of GNFS for numbers around 500 bits while still requiring substantial but accessible computational effort.[](https://mathworld.wolfram.com/RSANumber.html) ### RSA-155 RSA-155 is a 155-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the security of RSA [encryption](/page/Encryption) against [integer factorization](/page/Integer_factorization) attacks. The full decimal value of RSA-155 is: 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897 This number, equivalent to 512 bits in length, was designed to represent a challenging yet feasible target for contemporary factoring algorithms at the time of its publication.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The factorization of RSA-155 was completed on August 22, 1999, by a collaborative team associated with the Cunningham project, led by Herman te Riele at the Centrum Wiskunde & Informatica (CWI) in the [Netherlands](/page/Netherlands).[](https://ir.cwi.nl/pub/10351/10351D.pdf) The effort utilized the General Number Field Sieve (GNFS), the most advanced method available for factoring large semiprimes, involving polynomial selection, sieving for relations, linear algebra over finite fields, and square root computation.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The team consisted of researchers including Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter Lioen, Peter L. Montgomery, Brian Murphy, and others from institutions across [Europe](/page/Europe) and [North America](/page/North_America).[](https://ir.cwi.nl/pub/10351/10351D.pdf) This distributed computation spanned approximately 5.5 calendar months, with sieving performed on around 300 workstations and PCs at 12 sites in six countries, highlighting the influence of coordinated volunteer and institutional [distributed computing](/page/Distributed_computing) projects on large-scale cryptographic challenges.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The complete factorization yielded two prime factors of roughly equal length: $p = 102639592829741105772054196573991675900716567808038066803341933521790711307779$ $q = 106603488380168454820927220360012878679207958575989291522270608237193062808643$ Verification confirms that $p \times q$ equals RSA-155.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The total computational effort required approximately 8400 MIPS-years, a measure reflecting the scale of processing power equivalent to thousands of MIPS (millions of [instructions per second](/page/Instructions_per_second)) machines running for a year, underscoring the significant resources needed even for this size in 1999.[](https://ir.cwi.nl/pub/10351/10351D.pdf) This achievement demonstrated the practical vulnerability of 512-bit RSA keys and influenced recommendations for increasing key sizes in cryptographic standards.[](https://ir.cwi.nl/pub/10351/10351D.pdf) ### RSA-160 RSA-160 is a 160-digit [semiprime](/page/Semiprime) generated by RSA Laboratories as part of their factoring challenge to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic applications. Its full decimal value is 2152741102718889701896015201312825429257773588845675980170497676778133145218859135673011059773491059602497907111585214302079314665202840140619946994927570407753.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number was successfully factored on April 1, 2003, by a team consisting of Frank Bahr, Jens Franke, Thorsten Kleinjung, Michael Lochter, and Martin Böhme from the [University of Bonn](/page/University_of_Bonn) and the Bundesamt für Sicherheit in der Informationstechnik (BSI).[](https://members.loria.fr/pzimmermann/records/factor-previous.html) The factorization employed the general number field sieve (GNFS), the state-of-the-art algorithm for factoring large semiprimes at the time, involving extensive sieving on approximately 100 CPUs at BSI followed by linear algebra steps on a cluster of 25 processors at the [University of Bonn](/page/University_of_Bonn).[](https://members.loria.fr/pzimmermann/records/factor-previous.html) The two prime factors are 45427892858481394071686190649738831656137145778469793250959984709250004157335359 and 47388090603832016196633832303788951973268922921040957944741354648812028493909367.[](https://www.cs.unibo.it/~babaoglu/courses/security/lucidi/pdf/critto-RSA.pdf) This achievement demonstrated continued [acceleration](/page/Acceleration) in factoring capabilities during the mid-2000s, building on prior successes like RSA-155 four years earlier.[](https://members.loria.fr/pzimmermann/records/factor-previous.html) ### RSA-170 RSA-170 is a 170-digit [semiprime](/page/Semiprime) composed of two distinct prime factors, originally published as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. The number is:

This value was generated by RSA Laboratories in the early [1990s](/page/1990s), with a checksum of 463921 to verify [integrity](/page/Integrity) during transmission.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) The factorization of RSA-170 was completed on December 29, 2009, by researchers Dominik Bonenberger and Martin Krone at Ostfalia University of Applied Sciences (Fachhochschule [Braunschweig](/page/Braunschweig)/Wolfenbüttel) using the general number field sieve ([GNFS](/page/Algorithm)) algorithm.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) The effort took approximately six weeks of computation, marking it as the smallest remaining unfactored challenge number from the original list at the time.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) Polynomial selection—a critical and computationally intensive phase of GNFS—was uniquely performed entirely on a [graphics processing unit](/page/Graphics_processing_unit) ([GPU](/page/Hardware_acceleration)), demonstrating early integration of consumer-grade hardware acceleration in large-scale [factorization](/page/Factorization).[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) RSA-170 factors into two primes, each with 85 decimal digits, as detailed in the original publication.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) This achievement underscored advances in accessible computing for cryptographic research, as the computation relied on standard PCs augmented with GPU support rather than specialized supercomputers.[](https://eprint.iacr.org/2010/270.pdf) ### RSA-180 RSA-180 is a 180-digit semiprime number published by RSA Laboratories as part of their factoring challenge to test the security of RSA encryption. Its full decimal value is:

This value was generated by RSA Laboratories in the early [1990s](/page/1990s), with a checksum of 463921 to verify [integrity](/page/Integrity) during transmission.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) The factorization of RSA-170 was completed on December 29, 2009, by researchers Dominik Bonenberger and Martin Krone at Ostfalia University of Applied Sciences (Fachhochschule [Braunschweig](/page/Braunschweig)/Wolfenbüttel) using the general number field sieve ([GNFS](/page/Algorithm)) algorithm.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) The effort took approximately six weeks of computation, marking it as the smallest remaining unfactored challenge number from the original list at the time.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) Polynomial selection—a critical and computationally intensive phase of GNFS—was uniquely performed entirely on a [graphics processing unit](/page/Graphics_processing_unit) ([GPU](/page/Hardware_acceleration)), demonstrating early integration of consumer-grade hardware acceleration in large-scale [factorization](/page/Factorization).[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) RSA-170 factors into two primes, each with 85 decimal digits, as detailed in the original publication.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) This achievement underscored advances in accessible computing for cryptographic research, as the computation relied on standard PCs augmented with GPU support rather than specialized supercomputers.[](https://eprint.iacr.org/2010/270.pdf) ### RSA-180 RSA-180 is a 180-digit semiprime number published by RSA Laboratories as part of their factoring challenge to test the security of RSA encryption. Its full decimal value is:

This number was factored into its two prime components using the general number field sieve (GNFS) algorithm, the most efficient known method for factoring large semiprimes at the time. The factorization was completed on May 9, 2010, by Sergei A. Danilov and Igor A. Popovyan from [Moscow State University](/page/Moscow_State_University).[](https://eprint.iacr.org/2010/270) The prime factors are: - Smaller prime: 400780082329750877952581339104100572526829317815807176564882178998497572771950624613470377 (90 digits) - Larger prime: 476939688738611836995535477357070857939902076027788232031989775824606225595773435668861833 (90 digits) Verification confirms their product equals RSA-180.[](https://eprint.iacr.org/2010/270) The computation relied on [open-source software](/page/Open-source_software), including the GGNFS suite for sieving and msieve for linear algebra and [square root](/page/Square_root) steps. It was performed across two platforms: 24 virtual processors on three [Intel Core](/page/Intel_Core) i7 4 GHz PCs (each with 6 GB RAM) and 100 virtual processors on the SKIF MSU "Chebyshev" supercomputer. The total effort spanned approximately three months, starting in [January](/page/January) 2010 following the factorization of RSA-170, with polynomial selection taking 12–13 days, sieving 26–63 days, linear algebra 24–33 days, and [square root](/page/Square_root) extraction 10–19 hours per platform. This demonstrated that mid-sized RSA challenges could be solved affordably using commodity hardware and free tools, at an estimated cost of around $3,000 for equivalent processing power.[](https://eprint.iacr.org/2010/270) ### RSA-190 RSA-190 is a 190-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes. The full [decimal](/page/Decimal) value is 1907556405060696491061450432646028861081179759533184460647975622318915025587184175754054976155121593293492260464152630093238509246603207417124726121580858185985938946945490481721756401423481.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number was factored on November 8, 2010, by Igor A. Popovyan from [Moscow State University](/page/Moscow_State_University), [Russia](/page/Russia), and Alexei Timofeev from the Centrum Wiskunde & Informatica (CWI), [Netherlands](/page/Netherlands), using the general number field sieve (GNFS) [algorithm](/page/Algorithm).[](https://mersenneforum.org/showthread.php?t=14177) The factorization effort took several months of [computation](/page/Computation) on a cluster of personal computers, marking an achievement in [distributed computing](/page/Distributed_computing) for large-scale [number theory](/page/Number_theory) problems during the early [2010s](/page/2010s).[](https://shi-bai.github.io/factor/rsa190.html) The prime factors of RSA-190 are two large primes of approximately equal size: one with 314 bits (94 decimal digits) and the other with 315 bits (95 decimal digits), confirming its structure as a product suitable for RSA encryption challenges. This factorization contributed to advancing records in the early [2000s](/page/2000s) era of GNFS implementations, though subsequent efforts focused on even larger composites.[](https://crypto.stackexchange.com/questions/117954/are-most-rsa-integers-unbalanced) ### RSA-200 RSA-200 is a 200-decimal-digit [semiprime](/page/Semiprime) [integer](/page/Integer) constructed as the product of two 100-digit primes, published by RSA Laboratories in [1991](/page/1991) as part of their factoring challenge to advance research in [computational number theory](/page/Computational_number_theory). Its full decimal value is:

This number was factored into its two prime components using the general number field sieve (GNFS) algorithm, the most efficient known method for factoring large semiprimes at the time. The factorization was completed on May 9, 2010, by Sergei A. Danilov and Igor A. Popovyan from [Moscow State University](/page/Moscow_State_University).[](https://eprint.iacr.org/2010/270) The prime factors are: - Smaller prime: 400780082329750877952581339104100572526829317815807176564882178998497572771950624613470377 (90 digits) - Larger prime: 476939688738611836995535477357070857939902076027788232031989775824606225595773435668861833 (90 digits) Verification confirms their product equals RSA-180.[](https://eprint.iacr.org/2010/270) The computation relied on [open-source software](/page/Open-source_software), including the GGNFS suite for sieving and msieve for linear algebra and [square root](/page/Square_root) steps. It was performed across two platforms: 24 virtual processors on three [Intel Core](/page/Intel_Core) i7 4 GHz PCs (each with 6 GB RAM) and 100 virtual processors on the SKIF MSU "Chebyshev" supercomputer. The total effort spanned approximately three months, starting in [January](/page/January) 2010 following the factorization of RSA-170, with polynomial selection taking 12–13 days, sieving 26–63 days, linear algebra 24–33 days, and [square root](/page/Square_root) extraction 10–19 hours per platform. This demonstrated that mid-sized RSA challenges could be solved affordably using commodity hardware and free tools, at an estimated cost of around $3,000 for equivalent processing power.[](https://eprint.iacr.org/2010/270) ### RSA-190 RSA-190 is a 190-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes. The full [decimal](/page/Decimal) value is 1907556405060696491061450432646028861081179759533184460647975622318915025587184175754054976155121593293492260464152630093238509246603207417124726121580858185985938946945490481721756401423481.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number was factored on November 8, 2010, by Igor A. Popovyan from [Moscow State University](/page/Moscow_State_University), [Russia](/page/Russia), and Alexei Timofeev from the Centrum Wiskunde & Informatica (CWI), [Netherlands](/page/Netherlands), using the general number field sieve (GNFS) [algorithm](/page/Algorithm).[](https://mersenneforum.org/showthread.php?t=14177) The factorization effort took several months of [computation](/page/Computation) on a cluster of personal computers, marking an achievement in [distributed computing](/page/Distributed_computing) for large-scale [number theory](/page/Number_theory) problems during the early [2010s](/page/2010s).[](https://shi-bai.github.io/factor/rsa190.html) The prime factors of RSA-190 are two large primes of approximately equal size: one with 314 bits (94 decimal digits) and the other with 315 bits (95 decimal digits), confirming its structure as a product suitable for RSA encryption challenges. This factorization contributed to advancing records in the early [2000s](/page/2000s) era of GNFS implementations, though subsequent efforts focused on even larger composites.[](https://crypto.stackexchange.com/questions/117954/are-most-rsa-integers-unbalanced) ### RSA-200 RSA-200 is a 200-decimal-digit [semiprime](/page/Semiprime) [integer](/page/Integer) constructed as the product of two 100-digit primes, published by RSA Laboratories in [1991](/page/1991) as part of their factoring challenge to advance research in [computational number theory](/page/Computational_number_theory). Its full decimal value is:

[](https://mathworld.wolfram.com/news/2005-05-10/rsa-200/) This number was factored on May 9, 2005, by a team led by Jens Franke from the [University of Bonn](/page/University_of_Bonn) and the Max Planck Institute for Computer Science, in collaboration with Friedrich Bahr and Martin Böhm from the German Federal Agency for Information Technology Security (BSI), Thorsten Kleinjung, and contributors Peter L. Montgomery and Herman te Riele from the Centrum Wiskunde & Informatica (CWI) in [Amsterdam](/page/Amsterdam). The factorization employed the general number field sieve (GNFS), the state-of-the-art algorithm for factoring large semiprimes at the time, involving phases of polynomial selection, sieving for relations, and linear algebra over finite fields.[](http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf) The two prime factors are: - $ p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349 $ - $ q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467 $ Verification confirms $ p \times q $ equals RSA-200. The effort demanded approximately 75 years of computation on a single 2.2 GHz [AMD](/page/AMD) [Opteron](/page/Opteron) CPU, with the sieving phase requiring an estimated 55 CPU-years using lattice and line sieving techniques across distributed resources, and the matrix-step linear [algebra](/page/Algebra) consuming 3 months on a dedicated cluster of 80 such processors. This marked a significant advancement in large-scale [integer factorization](/page/Integer_factorization), highlighting the scalability of GNFS through collaborative computing.[](https://mathworld.wolfram.com/news/2005-05-10/rsa-200/)[](http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf) ### RSA-210 RSA-210 is a [semiprime](/page/Semiprime) with exactly 210 [decimal](/page/Decimal) digits, constructed as the product of two large prime numbers as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) issued by RSA Laboratories to advance research in [integer factorization](/page/Integer_factorization). The full [decimal](/page/Decimal) value of RSA-210 is: 245246644900278211976517663573088018467026787678332759743414451715061600830038587216952208399332071549103626827191679864079776723243005600592035631246561218465817904100131859299619933817012149335034875870551067[](https://gitlab.inria.fr/cado-nfs/cado-nfs/-/raw/master/parameters/polynomials/rsa210.poly) This number corresponds to 696 bits in length and was designed to test the limits of [factorization](/page/Factorization) algorithms at the time of its publication. RSA-210 was successfully factored on September 26, 2013, by Ryan Propper, marking a significant achievement in the challenge. The [factorization](/page/Factorization) employed the general number field [sieve](/page/Sieve) (GNFS), the leading [algorithm](/page/Algorithm) for factoring large [semiprimes](/page/Semiprime), implemented using software such as msieve and ggnfs. The effort required approximately [one year](/page/One_Year) of dedicated computation on institutional resources, highlighting the resource-intensive nature of GNFS for numbers of this size and the optimizations in polynomial selection and sieving that made it feasible.[](https://www.mersenneforum.org/showpost.php?p=354259) The prime factors, both approximately 105 digits long, were announced in Propper's report on the Mersenne forum, confirming the complete breakdown of the [semiprime](/page/Semiprime).[](https://www.mersenneforum.org/showpost.php?p=354259) ### RSA-220 RSA-220 is a 220-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed to test the limits of [integer factorization](/page/Integer_factorization) algorithms. It consists of the product of two distinct prime numbers, each approximately 110 digits long, and was published by RSA Laboratories in [1991](/page/1991) as part of their effort to advance [computational number theory](/page/Computational_number_theory). The full [decimal representation](/page/Decimal_representation) of RSA-220 is:

[](https://mathworld.wolfram.com/news/2005-05-10/rsa-200/) This number was factored on May 9, 2005, by a team led by Jens Franke from the [University of Bonn](/page/University_of_Bonn) and the Max Planck Institute for Computer Science, in collaboration with Friedrich Bahr and Martin Böhm from the German Federal Agency for Information Technology Security (BSI), Thorsten Kleinjung, and contributors Peter L. Montgomery and Herman te Riele from the Centrum Wiskunde & Informatica (CWI) in [Amsterdam](/page/Amsterdam). The factorization employed the general number field sieve (GNFS), the state-of-the-art algorithm for factoring large semiprimes at the time, involving phases of polynomial selection, sieving for relations, and linear algebra over finite fields.[](http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf) The two prime factors are: - $ p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349 $ - $ q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467 $ Verification confirms $ p \times q $ equals RSA-200. The effort demanded approximately 75 years of computation on a single 2.2 GHz [AMD](/page/AMD) [Opteron](/page/Opteron) CPU, with the sieving phase requiring an estimated 55 CPU-years using lattice and line sieving techniques across distributed resources, and the matrix-step linear [algebra](/page/Algebra) consuming 3 months on a dedicated cluster of 80 such processors. This marked a significant advancement in large-scale [integer factorization](/page/Integer_factorization), highlighting the scalability of GNFS through collaborative computing.[](https://mathworld.wolfram.com/news/2005-05-10/rsa-200/)[](http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf) ### RSA-210 RSA-210 is a [semiprime](/page/Semiprime) with exactly 210 [decimal](/page/Decimal) digits, constructed as the product of two large prime numbers as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) issued by RSA Laboratories to advance research in [integer factorization](/page/Integer_factorization). The full [decimal](/page/Decimal) value of RSA-210 is: 245246644900278211976517663573088018467026787678332759743414451715061600830038587216952208399332071549103626827191679864079776723243005600592035631246561218465817904100131859299619933817012149335034875870551067[](https://gitlab.inria.fr/cado-nfs/cado-nfs/-/raw/master/parameters/polynomials/rsa210.poly) This number corresponds to 696 bits in length and was designed to test the limits of [factorization](/page/Factorization) algorithms at the time of its publication. RSA-210 was successfully factored on September 26, 2013, by Ryan Propper, marking a significant achievement in the challenge. The [factorization](/page/Factorization) employed the general number field [sieve](/page/Sieve) (GNFS), the leading [algorithm](/page/Algorithm) for factoring large [semiprimes](/page/Semiprime), implemented using software such as msieve and ggnfs. The effort required approximately [one year](/page/One_Year) of dedicated computation on institutional resources, highlighting the resource-intensive nature of GNFS for numbers of this size and the optimizations in polynomial selection and sieving that made it feasible.[](https://www.mersenneforum.org/showpost.php?p=354259) The prime factors, both approximately 105 digits long, were announced in Propper's report on the Mersenne forum, confirming the complete breakdown of the [semiprime](/page/Semiprime).[](https://www.mersenneforum.org/showpost.php?p=354259) ### RSA-220 RSA-220 is a 220-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed to test the limits of [integer factorization](/page/Integer_factorization) algorithms. It consists of the product of two distinct prime numbers, each approximately 110 digits long, and was published by RSA Laboratories in [1991](/page/1991) as part of their effort to advance [computational number theory](/page/Computational_number_theory). The full [decimal representation](/page/Decimal_representation) of RSA-220 is:

The [factorization](/page/Factorization) of RSA-220 was announced on May 10, 2016, by a team including Shi Bai, Pierrick Gaudry, Alexander Kruppa, Emmanuel Thomé, and Paul Zimmermann, marking it as the third-largest integer factored using the general number field sieve (GNFS) at the time. They employed the CADO-NFS software suite, an open-source implementation of GNFS optimized for large-scale computations. The sieving phase alone required approximately 370 CPU-years on 2 GHz [Intel](/page/Intel) [Xeon](/page/Xeon) E5-2650 processors, highlighting the significant computational resources needed for such a task. The prime factors are: - $ p = 68636564122675662743823714992884378001308422399791648446212449933215410614414642667938213644208420192054999687 $ - $ q = 32929074394863498120493015492129352919164551965362339524626860511692903493094652333824866390738191765712603 $ These factors were verified to multiply to the original RSA-220 number, confirming the successful [factorization](/page/Factorization). ### RSA-230 RSA-230 is a 230-digit [semiprime](/page/Semiprime) from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed as the product of two distinct prime numbers each with 115 decimal digits. The number is:

The [factorization](/page/Factorization) of RSA-220 was announced on May 10, 2016, by a team including Shi Bai, Pierrick Gaudry, Alexander Kruppa, Emmanuel Thomé, and Paul Zimmermann, marking it as the third-largest integer factored using the general number field sieve (GNFS) at the time. They employed the CADO-NFS software suite, an open-source implementation of GNFS optimized for large-scale computations. The sieving phase alone required approximately 370 CPU-years on 2 GHz [Intel](/page/Intel) [Xeon](/page/Xeon) E5-2650 processors, highlighting the significant computational resources needed for such a task. The prime factors are: - $ p = 68636564122675662743823714992884378001308422399791648446212449933215410614414642667938213644208420192054999687 $ - $ q = 32929074394863498120493015492129352919164551965362339524626860511692903493094652333824866390738191765712603 $ These factors were verified to multiply to the original RSA-220 number, confirming the successful [factorization](/page/Factorization). ### RSA-230 RSA-230 is a 230-digit [semiprime](/page/Semiprime) from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed as the product of two distinct prime numbers each with 115 decimal digits. The number is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-04-en.pdf) This challenge number was successfully factored on August 15, 2018, by Samuel S. Gross at [Noblis](/page/Noblis), Inc., employing the general number field sieve (GNFS) via the Cado-NFS software suite. The computation leveraged contributions from the Cado-NFS development team and was performed on hardware at Noblis facilities in [Reston, Virginia](/page/Reston,_Virginia).[](https://sympa.inria.fr/sympa/arc/cado-nfs/2018-08/msg00001.html)[](https://www.researchgate.net/publication/351881092_The_Factorization_of_RSA230) The resulting prime factors are: - Smaller factor: 3968132623150957588532439049887341769533966621957829426966084093049516953598120833228447171744337427374763106901 - Larger factor: 4528450358010492026612439739120166758911246047493700040073956759261590397250033699357694507193523000343088601688589 Verification confirms that their product equals the original RSA-230 number.[](https://sympa.inria.fr/sympa/arc/cado-nfs/2018-08/msg00001.html) ### RSA-232 RSA-232 is a 232-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization), equivalent to a 768-bit RSA modulus.[](https://eprint.iacr.org/2010/006.pdf) The full decimal expansion of RSA-232 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-04-en.pdf) This challenge number was successfully factored on August 15, 2018, by Samuel S. Gross at [Noblis](/page/Noblis), Inc., employing the general number field sieve (GNFS) via the Cado-NFS software suite. The computation leveraged contributions from the Cado-NFS development team and was performed on hardware at Noblis facilities in [Reston, Virginia](/page/Reston,_Virginia).[](https://sympa.inria.fr/sympa/arc/cado-nfs/2018-08/msg00001.html)[](https://www.researchgate.net/publication/351881092_The_Factorization_of_RSA230) The resulting prime factors are: - Smaller factor: 3968132623150957588532439049887341769533966621957829426966084093049516953598120833228447171744337427374763106901 - Larger factor: 4528450358010492026612439739120166758911246047493700040073956759261590397250033699357694507193523000343088601688589 Verification confirms that their product equals the original RSA-230 number.[](https://sympa.inria.fr/sympa/arc/cado-nfs/2018-08/msg00001.html) ### RSA-232 RSA-232 is a 232-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization), equivalent to a 768-bit RSA modulus.[](https://eprint.iacr.org/2010/006.pdf) The full decimal expansion of RSA-232 is:

This number was generated as the product of two large prime numbers of approximately equal size, designed to resist efficient [factorization](/page/Factorization) and thereby highlight the [security](/page/Security) of RSA [encryption](/page/Encryption) based on the hardness of this problem.[](https://eprint.iacr.org/2010/006.pdf) Although the official [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) had been discontinued in 2006, RSA-232 was successfully factored on December 12, 2009, using the general number field sieve (GNFS) algorithm by an international team including Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, and others.[](https://eprint.iacr.org/2010/006.pdf) The computation required the equivalent of approximately 2000 core-years on a single 2.2 GHz [AMD](/page/AMD) [Opteron](/page/Opteron) processor, distributed across hundreds of machines over two years, marking a significant computational achievement and establishing a record for factoring a general [integer](/page/Integer) of this size at the time.[](https://eprint.iacr.org/2010/006.pdf) The prime factors are two large primes of approximately 116 decimal digits each, as detailed in the factorization report.[](https://eprint.iacr.org/2010/006.pdf) Due to the challenge's prior discontinuation, no monetary prize was awarded, but the team received honorary recognition for advancing [the state of the art](/page/The_State_of_the_Art) in [factorization](/page/Factorization) methods and providing insights into the practical limits of RSA key lengths.[](https://eprint.iacr.org/2010/006.pdf) This [factorization](/page/Factorization) demonstrated that 768-bit RSA moduli were vulnerable to determined academic efforts, influencing recommendations to migrate to at least 1024-bit keys for cryptographic security.[](https://eprint.iacr.org/2010/006.pdf) ### RSA-240 RSA-240 is a 240-decimal-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed as the product of two distinct primes of roughly equal length to test the limits of [integer factorization](/page/Integer_factorization) algorithms.[](https://eprint.iacr.org/2020/697) Its full decimal value is:

This number was generated as the product of two large prime numbers of approximately equal size, designed to resist efficient [factorization](/page/Factorization) and thereby highlight the [security](/page/Security) of RSA [encryption](/page/Encryption) based on the hardness of this problem.[](https://eprint.iacr.org/2010/006.pdf) Although the official [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) had been discontinued in 2006, RSA-232 was successfully factored on December 12, 2009, using the general number field sieve (GNFS) algorithm by an international team including Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, and others.[](https://eprint.iacr.org/2010/006.pdf) The computation required the equivalent of approximately 2000 core-years on a single 2.2 GHz [AMD](/page/AMD) [Opteron](/page/Opteron) processor, distributed across hundreds of machines over two years, marking a significant computational achievement and establishing a record for factoring a general [integer](/page/Integer) of this size at the time.[](https://eprint.iacr.org/2010/006.pdf) The prime factors are two large primes of approximately 116 decimal digits each, as detailed in the factorization report.[](https://eprint.iacr.org/2010/006.pdf) Due to the challenge's prior discontinuation, no monetary prize was awarded, but the team received honorary recognition for advancing [the state of the art](/page/The_State_of_the_Art) in [factorization](/page/Factorization) methods and providing insights into the practical limits of RSA key lengths.[](https://eprint.iacr.org/2010/006.pdf) This [factorization](/page/Factorization) demonstrated that 768-bit RSA moduli were vulnerable to determined academic efforts, influencing recommendations to migrate to at least 1024-bit keys for cryptographic security.[](https://eprint.iacr.org/2010/006.pdf) ### RSA-240 RSA-240 is a 240-decimal-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed as the product of two distinct primes of roughly equal length to test the limits of [integer factorization](/page/Integer_factorization) algorithms.[](https://eprint.iacr.org/2020/697) Its full decimal value is:

This number, equivalent to 795 bits in binary, served as a benchmark for the computational difficulty of factoring large semiprimes relevant to [public-key cryptography](/page/Public-key_cryptography).[](https://eprint.iacr.org/2020/697) The factorization of RSA-240 was achieved in November 2019 by an international team consisting of Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann.[](https://eprint.iacr.org/2020/697) They employed the general number field sieve (GNFS), the state-of-the-art [algorithm](/page/Algorithm) for factoring large integers, marking it as a significant classical [computing](/page/Computing) record at the time.[](https://eprint.iacr.org/2020/697) The prime factors are: - $ p = 509435952285839914555051023580843714132648382024111473186660296521821206469746700620316443478873837606252372049619334517 $ - $ q = 244624208838318150567813139024002896653802092578931401452041221336558477095178155258218897735030590669041302045908071447 $ Verification confirms that $ p \times q $ equals RSA-240.[](https://eprint.iacr.org/2020/697) The effort required 900 core-years of computation on clusters of Intel Xeon Gold 6130 CPUs running at 2.1 GHz, with 794 core-years dedicated to collecting relations and 83 core-years to solving the linear algebra step using the block Wiedemann algorithm.[](https://eprint.iacr.org/2020/697) This workload utilized the CADO-NFS software suite and distributed sieving across multiple supercomputers, including those at INRIA and the University of Washington.[](https://eprint.iacr.org/2020/697) ### RSA-250 RSA-250 is a [semiprime](/page/Semiprime) [integer](/page/Integer) consisting of 250 [decimal](/page/Decimal) digits, constructed as the product of two large prime numbers for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991. Its full [decimal](/page/Decimal) value is 214032465024074496126442307283933356300861471514475501779775492088141802344714013664334551909580467961099285187247091458768739626192155736304745477052085119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-07-en.pdf) This 829-bit number was factored on February 28, 2020, by an international team including Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann, using the General Number Field Sieve (GNFS) algorithm implemented in the CADO-NFS software.[](https://caramba.loria.fr/rsa250.txt) The factorization yielded two prime factors, each with 125 decimal digits: $p = 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367$ $q = 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711$.[](https://caramba.loria.fr/rsa250.txt) The effort involved approximately 2700 core-years of computation, with 2450 core-years for sieving and 250 core-years for linear algebra, performed on clusters of Intel Xeon Gold 6130 processors at 2.1 GHz, utilizing resources from Grid'5000 and PRACE supercomputers.[](https://caramba.loria.fr/rsa250.txt) This achievement surpassed the prior record of factoring RSA-240 in 2019 and established a new benchmark for classical integer factorization of RSA challenge numbers.[](https://members.loria.fr/PZimmermann/records/factor.html) As of November 2025, the [factorization](/page/Factorization) of RSA-250 remains the largest such record using classical algorithms.[](https://members.loria.fr/PZimmermann/records/factor.html) ## Unfactored RSA Numbers (260–500 Digits) ### RSA-260 RSA-260 is a [semiprime](/page/Semiprime) composed of two large prime factors, forming a [260](/page/2-6-0)-digit number from the original [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991. The number is given by:

This number, equivalent to 795 bits in binary, served as a benchmark for the computational difficulty of factoring large semiprimes relevant to [public-key cryptography](/page/Public-key_cryptography).[](https://eprint.iacr.org/2020/697) The factorization of RSA-240 was achieved in November 2019 by an international team consisting of Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann.[](https://eprint.iacr.org/2020/697) They employed the general number field sieve (GNFS), the state-of-the-art [algorithm](/page/Algorithm) for factoring large integers, marking it as a significant classical [computing](/page/Computing) record at the time.[](https://eprint.iacr.org/2020/697) The prime factors are: - $ p = 509435952285839914555051023580843714132648382024111473186660296521821206469746700620316443478873837606252372049619334517 $ - $ q = 244624208838318150567813139024002896653802092578931401452041221336558477095178155258218897735030590669041302045908071447 $ Verification confirms that $ p \times q $ equals RSA-240.[](https://eprint.iacr.org/2020/697) The effort required 900 core-years of computation on clusters of Intel Xeon Gold 6130 CPUs running at 2.1 GHz, with 794 core-years dedicated to collecting relations and 83 core-years to solving the linear algebra step using the block Wiedemann algorithm.[](https://eprint.iacr.org/2020/697) This workload utilized the CADO-NFS software suite and distributed sieving across multiple supercomputers, including those at INRIA and the University of Washington.[](https://eprint.iacr.org/2020/697) ### RSA-250 RSA-250 is a [semiprime](/page/Semiprime) [integer](/page/Integer) consisting of 250 [decimal](/page/Decimal) digits, constructed as the product of two large prime numbers for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991. Its full [decimal](/page/Decimal) value is 214032465024074496126442307283933356300861471514475501779775492088141802344714013664334551909580467961099285187247091458768739626192155736304745477052085119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-07-en.pdf) This 829-bit number was factored on February 28, 2020, by an international team including Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann, using the General Number Field Sieve (GNFS) algorithm implemented in the CADO-NFS software.[](https://caramba.loria.fr/rsa250.txt) The factorization yielded two prime factors, each with 125 decimal digits: $p = 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367$ $q = 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711$.[](https://caramba.loria.fr/rsa250.txt) The effort involved approximately 2700 core-years of computation, with 2450 core-years for sieving and 250 core-years for linear algebra, performed on clusters of Intel Xeon Gold 6130 processors at 2.1 GHz, utilizing resources from Grid'5000 and PRACE supercomputers.[](https://caramba.loria.fr/rsa250.txt) This achievement surpassed the prior record of factoring RSA-240 in 2019 and established a new benchmark for classical integer factorization of RSA challenge numbers.[](https://members.loria.fr/PZimmermann/records/factor.html) As of November 2025, the [factorization](/page/Factorization) of RSA-250 remains the largest such record using classical algorithms.[](https://members.loria.fr/PZimmermann/records/factor.html) ## Unfactored RSA Numbers (260–500 Digits) ### RSA-260 RSA-260 is a [semiprime](/page/Semiprime) composed of two large prime factors, forming a [260](/page/2-6-0)-digit number from the original [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991. The number is given by:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-08-en.pdf) This challenge number, like others in the series, was designed to test the practical limits of [integer factorization](/page/Integer_factorization) algorithms and assess the security of RSA-based cryptosystems. RSA-260 equates to approximately 862 bits in [length](/page/Length), placing it beyond the current record for classical [factorization](/page/Factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-08-en.pdf) As of November 2025, RSA-260 remains unfactored, with no major public attempts reported since the successful [factorization](/page/Factorization) of the smaller RSA-250 in 2020. Following RSA-250, which required about 2,700 core-years of computation using the general number field sieve (GNFS), RSA-260 is estimated to demand over 10,000 core-years with state-of-the-art GNFS implementations due to its increased size.[](https://sympa.inria.fr/sympa/arc/cado-nfs/2020-02/msg00001.html)[](https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html) ### RSA-270 RSA-270 is a [semiprime](/page/Semiprime) integer consisting of exactly two distinct prime factors, constructed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. Its value in decimal form is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-08-en.pdf) This challenge number, like others in the series, was designed to test the practical limits of [integer factorization](/page/Integer_factorization) algorithms and assess the security of RSA-based cryptosystems. RSA-260 equates to approximately 862 bits in [length](/page/Length), placing it beyond the current record for classical [factorization](/page/Factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-08-en.pdf) As of November 2025, RSA-260 remains unfactored, with no major public attempts reported since the successful [factorization](/page/Factorization) of the smaller RSA-250 in 2020. Following RSA-250, which required about 2,700 core-years of computation using the general number field sieve (GNFS), RSA-260 is estimated to demand over 10,000 core-years with state-of-the-art GNFS implementations due to its increased size.[](https://sympa.inria.fr/sympa/arc/cado-nfs/2020-02/msg00001.html)[](https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html) ### RSA-270 RSA-270 is a [semiprime](/page/Semiprime) integer consisting of exactly two distinct prime factors, constructed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. Its value in decimal form is:

This number spans 270 decimal digits and corresponds to approximately 893 bits in binary length.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-270 remains unfactored, with no publicly known decomposition into its prime components despite advances in the general number field sieve algorithm.[](https://members.loria.fr/PZimmermann/records/factor.html) Factoring it is projected to demand computational resources exceeding practical classical feasibility within current technological constraints, underscoring the escalating difficulty of semiprime factorization as key sizes increase.[](https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html) The size of RSA-270 places it in a regime relevant to the security assessment of legacy [1024-bit](/page/1024) RSA keys, which typically involve moduli around 308 decimal digits ([1024](/page/1024) bits) and are now deprecated due to vulnerability to state-sponsored attacks. While smaller than [1024-bit](/page/1024) moduli, the unfactored status of RSA-270 illustrates persistent barriers in classical [computing](/page/Computing) for numbers approaching this scale, influencing transitions to [post-quantum cryptography](/page/Post-quantum_cryptography). ### RSA-280 RSA-280 is a [semiprime](/page/Semiprime) number consisting of 280 decimal digits, specifically the product of two large prime numbers, created by RSA Laboratories as part of their discontinued [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number serves as a mid-range challenge in the series of unfactored RSA numbers, highlighting the computational difficulty of factoring [semiprimes](/page/Semiprime) at this scale, which corresponds to approximately 928 bits and underscores ongoing [security](/page/Security) considerations for RSA-based cryptosystems using keys around 1000 bits. The full decimal representation of RSA-280 is:

This number spans 270 decimal digits and corresponds to approximately 893 bits in binary length.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-270 remains unfactored, with no publicly known decomposition into its prime components despite advances in the general number field sieve algorithm.[](https://members.loria.fr/PZimmermann/records/factor.html) Factoring it is projected to demand computational resources exceeding practical classical feasibility within current technological constraints, underscoring the escalating difficulty of semiprime factorization as key sizes increase.[](https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html) The size of RSA-270 places it in a regime relevant to the security assessment of legacy [1024-bit](/page/1024) RSA keys, which typically involve moduli around 308 decimal digits ([1024](/page/1024) bits) and are now deprecated due to vulnerability to state-sponsored attacks. While smaller than [1024-bit](/page/1024) moduli, the unfactored status of RSA-270 illustrates persistent barriers in classical [computing](/page/Computing) for numbers approaching this scale, influencing transitions to [post-quantum cryptography](/page/Post-quantum_cryptography). ### RSA-280 RSA-280 is a [semiprime](/page/Semiprime) number consisting of 280 decimal digits, specifically the product of two large prime numbers, created by RSA Laboratories as part of their discontinued [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number serves as a mid-range challenge in the series of unfactored RSA numbers, highlighting the computational difficulty of factoring [semiprimes](/page/Semiprime) at this scale, which corresponds to approximately 928 bits and underscores ongoing [security](/page/Security) considerations for RSA-based cryptosystems using keys around 1000 bits. The full decimal representation of RSA-280 is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of 2025, RSA-280 remains unfactored, with no verified progress toward its complete factorization reported in the literature or computational records. Its persistence as an open challenge illustrates the practical infeasibility of factoring such numbers using classical computing resources available today, though advances in algorithms like the general number field sieve continue to push boundaries for similar sizes.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-280) ### RSA-290 RSA-290 is a [semiprime](/page/Semiprime) number consisting of the product of two large prime factors, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. Its complete decimal expansion, which spans exactly 290 digits, is as follows:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of 2025, RSA-280 remains unfactored, with no verified progress toward its complete factorization reported in the literature or computational records. Its persistence as an open challenge illustrates the practical infeasibility of factoring such numbers using classical computing resources available today, though advances in algorithms like the general number field sieve continue to push boundaries for similar sizes.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-280) ### RSA-290 RSA-290 is a [semiprime](/page/Semiprime) number consisting of the product of two large prime factors, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. Its complete decimal expansion, which spans exactly 290 digits, is as follows:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-12-en.pdf) This number equates to approximately 960 bits in binary length, providing a significant scale for assessing [factorization](/page/Factorization) difficulty.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) As of November 2025, RSA-290 remains unfactored, with no public record of its prime factors being discovered.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-12-en.pdf)[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) Factoring RSA-290 using the General Number Field Sieve (GNFS), the most advanced classical [algorithm](/page/Algorithm) for such tasks, would require computational resources that grow exponentially with the digit length, far exceeding current global capabilities and estimated to demand thousands of core-years on high-performance hardware even with optimized implementations.[](https://personal.math.vt.edu/brown/doc/briggs_gnfs_thesis.pdf) This enduring challenge underscores the foundational security assumptions of RSA [cryptography](/page/Cryptography) against classical attacks. ### RSA-300 RSA-300 is a 300-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), consisting of the product of two large prime numbers of approximately equal length.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) The full decimal representation of RSA-300 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-12-en.pdf) This number equates to approximately 960 bits in binary length, providing a significant scale for assessing [factorization](/page/Factorization) difficulty.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) As of November 2025, RSA-290 remains unfactored, with no public record of its prime factors being discovered.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-12-en.pdf)[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) Factoring RSA-290 using the General Number Field Sieve (GNFS), the most advanced classical [algorithm](/page/Algorithm) for such tasks, would require computational resources that grow exponentially with the digit length, far exceeding current global capabilities and estimated to demand thousands of core-years on high-performance hardware even with optimized implementations.[](https://personal.math.vt.edu/brown/doc/briggs_gnfs_thesis.pdf) This enduring challenge underscores the foundational security assumptions of RSA [cryptography](/page/Cryptography) against classical attacks. ### RSA-300 RSA-300 is a 300-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), consisting of the product of two large prime numbers of approximately equal length.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) The full decimal representation of RSA-300 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) This number equates to approximately 995 bits in binary length, symbolizing the [security](/page/Security) level of 1000-bit RSA keys in cryptographic contexts.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) As of November 2025, RSA-300 remains unfactored, with no public announcement of its prime factors despite advances in [factorization](/page/Factorization) algorithms.[](https://aiimpacts.org/progress-in-general-purpose-factoring/) RSA-300 was included in the original set of challenges published by RSA Laboratories in [1991](/page/1991), with subsequent expansions of the challenge in [1997](/page/1997) and hosting by MysteryTwister in [2012](/page/2012) permitting continued pursuit of its [factorization](/page/Factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf)[](https://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its unfactored status underscores the ongoing difficulty of factoring large semiprimes, serving as a benchmark for [computational number theory](/page/Computational_number_theory) research.[](https://aiimpacts.org/progress-in-general-purpose-factoring/) ### RSA-309 RSA-309 is a 309-digit [semiprime](/page/Semiprime) number created as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to test the limits of [integer factorization](/page/Integer_factorization) algorithms. It is the product of two large primes of roughly equal [bit length](/page/Bit-length), totaling approximately [1024](/page/1024) bits, and serves as a benchmark for [computational number theory](/page/Computational_number_theory) research. Unlike many challenge numbers with round digit counts, RSA-309's irregular 309-digit size highlights variations in the challenge set, making it unique among the listed RSA numbers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf) This number remains unfactored, with no known complete [factorization](/page/Factorization) despite advances in methods like the general number field sieve. Its unfactored status underscores the practical difficulty of factoring large semiprimes, which underpins the security of RSA cryptosystems. The challenge for RSA-309 was hosted by MysteryTwister C3 after RSA withdrew the official prizes in 2007, but the number continues to stand as an [open problem](/page/Open_problem).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf) The full decimal representation of RSA-309 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) This number equates to approximately 995 bits in binary length, symbolizing the [security](/page/Security) level of 1000-bit RSA keys in cryptographic contexts.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) As of November 2025, RSA-300 remains unfactored, with no public announcement of its prime factors despite advances in [factorization](/page/Factorization) algorithms.[](https://aiimpacts.org/progress-in-general-purpose-factoring/) RSA-300 was included in the original set of challenges published by RSA Laboratories in [1991](/page/1991), with subsequent expansions of the challenge in [1997](/page/1997) and hosting by MysteryTwister in [2012](/page/2012) permitting continued pursuit of its [factorization](/page/Factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf)[](https://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its unfactored status underscores the ongoing difficulty of factoring large semiprimes, serving as a benchmark for [computational number theory](/page/Computational_number_theory) research.[](https://aiimpacts.org/progress-in-general-purpose-factoring/) ### RSA-309 RSA-309 is a 309-digit [semiprime](/page/Semiprime) number created as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to test the limits of [integer factorization](/page/Integer_factorization) algorithms. It is the product of two large primes of roughly equal [bit length](/page/Bit-length), totaling approximately [1024](/page/1024) bits, and serves as a benchmark for [computational number theory](/page/Computational_number_theory) research. Unlike many challenge numbers with round digit counts, RSA-309's irregular 309-digit size highlights variations in the challenge set, making it unique among the listed RSA numbers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf) This number remains unfactored, with no known complete [factorization](/page/Factorization) despite advances in methods like the general number field sieve. Its unfactored status underscores the practical difficulty of factoring large semiprimes, which underpins the security of RSA cryptosystems. The challenge for RSA-309 was hosted by MysteryTwister C3 after RSA withdrew the official prizes in 2007, but the number continues to stand as an [open problem](/page/Open_problem).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf) The full decimal representation of RSA-309 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf) ### RSA-310 RSA-310 is a 310-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to test the difficulty of [integer factorization](/page/Integer_factorization). It follows sequentially after RSA-309 in the series of unfactored RSA numbers within the 300-digit range.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal value of RSA-310 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf) ### RSA-310 RSA-310 is a 310-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to test the difficulty of [integer factorization](/page/Integer_factorization). It follows sequentially after RSA-309 in the series of unfactored RSA numbers within the 300-digit range.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal value of RSA-310 is:

This number was added to the challenge on February 7, 1997.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-310 remains unfactored, with no known prime factors despite ongoing cryptographic research efforts.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-310) ### RSA-320 RSA-320 is a 320-digit [semiprime](/page/Semiprime) number, constructed as the product of two distinct prime factors each of roughly equal length, as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) launched by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization). The complete decimal expansion of RSA-320 is:

This number was added to the challenge on February 7, 1997.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-310 remains unfactored, with no known prime factors despite ongoing cryptographic research efforts.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-310) ### RSA-320 RSA-320 is a 320-digit [semiprime](/page/Semiprime) number, constructed as the product of two distinct prime factors each of roughly equal length, as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) launched by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization). The complete decimal expansion of RSA-320 is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number remains unfactored as of November 2025, with the largest factored [RSA challenge](/page/RSA_Factoring_Challenge) number being [RSA-250](/page/RSA_Factoring_Challenge) in 2020.[](https://members.loria.fr/PZimmermann/records/factor.html) [RSA-320](/page/RSA_Factoring_Challenge) is equivalent to approximately 1060 bits in [length](/page/Length).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) ### [RSA-330](/page/RSA_Factoring_Challenge) [RSA-330](/page/RSA_Factoring_Challenge) is a [semiprime](/page/Semiprime) consisting of the product of two large prime numbers, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization). It has exactly 330 [decimal](/page/Decimal) digits and corresponds to approximately 1,094 bits in [length](/page/Length).[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-18-en.pdf) As of November 2025, RSA-330 remains unfactored, with no publicly announced complete prime factorization despite ongoing efforts in [computational number theory](/page/Computational_number_theory). The full decimal value of RSA-330 is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number remains unfactored as of November 2025, with the largest factored [RSA challenge](/page/RSA_Factoring_Challenge) number being [RSA-250](/page/RSA_Factoring_Challenge) in 2020.[](https://members.loria.fr/PZimmermann/records/factor.html) [RSA-320](/page/RSA_Factoring_Challenge) is equivalent to approximately 1060 bits in [length](/page/Length).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) ### [RSA-330](/page/RSA_Factoring_Challenge) [RSA-330](/page/RSA_Factoring_Challenge) is a [semiprime](/page/Semiprime) consisting of the product of two large prime numbers, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization). It has exactly 330 [decimal](/page/Decimal) digits and corresponds to approximately 1,094 bits in [length](/page/Length).[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-18-en.pdf) As of November 2025, RSA-330 remains unfactored, with no publicly announced complete prime factorization despite ongoing efforts in [computational number theory](/page/Computational_number_theory). The full decimal value of RSA-330 is:

[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-18-en.pdf) ### RSA-340 RSA-340 is a 340-decimal-digit [semiprime](/page/Semiprime) number created by RSA Laboratories as part of their [1991](/page/1991) Factoring Challenge to promote advances in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization) algorithms.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) The challenge involved generating large composite numbers, each the product of two primes of roughly equal size, with RSA-340 specifically designed to test the limits of factoring techniques at the time, equivalent to approximately 1,128 bits in binary representation.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) The exact value of RSA-340 is:

[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-18-en.pdf) ### RSA-340 RSA-340 is a 340-decimal-digit [semiprime](/page/Semiprime) number created by RSA Laboratories as part of their [1991](/page/1991) Factoring Challenge to promote advances in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization) algorithms.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) The challenge involved generating large composite numbers, each the product of two primes of roughly equal size, with RSA-340 specifically designed to test the limits of factoring techniques at the time, equivalent to approximately 1,128 bits in binary representation.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) The exact value of RSA-340 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) As of the latest verified records, RSA-340 remains unfactored, making it one of the larger unsolved challenges from the original set of 54 numbers (ranging from 100 to 617 digits).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) Its persistence as an open problem underscores the ongoing difficulty of factoring large semiprimes, with implications for the security of RSA-based cryptosystems relying on such hardness assumptions. No successful factorization has been publicly reported, despite the challenge's prizes being discontinued in 2006 and the remaining unsolved instances hosted by authorized parties like MysteryTwister.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) ### RSA-350 RSA-350 is a [semiprime](/page/Semiprime) with exactly 350 [decimal](/page/Decimal) digits, generated by RSA Laboratories as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to advance research in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization). The complete decimal representation of RSA-350 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) As of the latest verified records, RSA-340 remains unfactored, making it one of the larger unsolved challenges from the original set of 54 numbers (ranging from 100 to 617 digits).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) Its persistence as an open problem underscores the ongoing difficulty of factoring large semiprimes, with implications for the security of RSA-based cryptosystems relying on such hardness assumptions. No successful factorization has been publicly reported, despite the challenge's prizes being discontinued in 2006 and the remaining unsolved instances hosted by authorized parties like MysteryTwister.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) ### RSA-350 RSA-350 is a [semiprime](/page/Semiprime) with exactly 350 [decimal](/page/Decimal) digits, generated by RSA Laboratories as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to advance research in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization). The complete decimal representation of RSA-350 is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number remains unfactored as of November 2025, exceeding the current record for factored [RSA challenge numbers](/page/RSA_Factoring_Challenge), which stands at RSA-250 (250 digits) achieved in 2020 using the general number field sieve algorithm.[](https://eprint.iacr.org/2020/697) ### RSA-360 RSA-360 is one of the [semiprime](/page/Semiprime) challenge numbers introduced as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to advance research in [integer factorization](/page/Integer_factorization). It consists of exactly 360 [decimal](/page/Decimal) digits and is the product of two distinct prime factors of comparable size, making it a significant benchmark for [computational number theory](/page/Computational_number_theory).[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-21-en.pdf) The full decimal expansion of RSA-360 is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number remains unfactored as of November 2025, exceeding the current record for factored [RSA challenge numbers](/page/RSA_Factoring_Challenge), which stands at RSA-250 (250 digits) achieved in 2020 using the general number field sieve algorithm.[](https://eprint.iacr.org/2020/697) ### RSA-360 RSA-360 is one of the [semiprime](/page/Semiprime) challenge numbers introduced as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to advance research in [integer factorization](/page/Integer_factorization). It consists of exactly 360 [decimal](/page/Decimal) digits and is the product of two distinct prime factors of comparable size, making it a significant benchmark for [computational number theory](/page/Computational_number_theory).[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-21-en.pdf) The full decimal expansion of RSA-360 is:

This number, equivalent to approximately 1,194 bits in binary, has not been factored to date, with the largest successfully factored RSA challenge number being RSA-250 (250 digits) as of November 2025.[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-21-en.pdf) ### RSA-370 RSA-370 is a [semiprime](/page/Semiprime) [integer](/page/Integer) from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), consisting of exactly 370 decimal digits and formed as the product of two large, distinct prime factors, each roughly half the bit length of the composite. It was generated in [1997](/page/1997) as part of a series of challenge numbers to test the limits of [integer factorization](/page/Integer_factorization) algorithms, with the primes selected to be congruent to 2 [modulo](/page/Modulo) 3 for added difficulty in certain methods. The number's [checksum](/page/Checksum) is 660901, verifying its integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The complete decimal representation of RSA-370 is:

This number, equivalent to approximately 1,194 bits in binary, has not been factored to date, with the largest successfully factored RSA challenge number being RSA-250 (250 digits) as of November 2025.[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-21-en.pdf) ### RSA-370 RSA-370 is a [semiprime](/page/Semiprime) [integer](/page/Integer) from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), consisting of exactly 370 decimal digits and formed as the product of two large, distinct prime factors, each roughly half the bit length of the composite. It was generated in [1997](/page/1997) as part of a series of challenge numbers to test the limits of [integer factorization](/page/Integer_factorization) algorithms, with the primes selected to be congruent to 2 [modulo](/page/Modulo) 3 for added difficulty in certain methods. The number's [checksum](/page/Checksum) is 660901, verifying its integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The complete decimal representation of RSA-370 is:

This value corresponds to approximately 1,227 bits, making it significantly larger than previously factored challenge numbers like RSA-250 (250 digits, factored in [2020](/page/2020)).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) RSA-370 remains unfactored as of 2025, consistent with the status of all RSA challenge numbers beyond 250 digits, where the largest solved is [RSA-250](/page/250) (250 digits). Its resistance to factorization underscores ongoing challenges in [computational number theory](/page/Computational_number_theory) and the security of RSA-based [cryptography](/page/Cryptography) for key sizes up to around 1,000 bits. ### RSA-380 RSA-380 is a semiprime consisting of the product of two distinct prime numbers, each of roughly equal size, and was generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [computational number theory](/page/Computational_number_theory) and highlight the practical challenges of [integer factorization](/page/Integer_factorization) in [public-key cryptography](/page/Public-key_cryptography). The number has precisely 380 decimal digits and an approximate [bit length](/page/Bit-length) of 1,261, making it significantly larger than previously factored challenge numbers. Its full decimal value is:

This value corresponds to approximately 1,227 bits, making it significantly larger than previously factored challenge numbers like RSA-250 (250 digits, factored in [2020](/page/2020)).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) RSA-370 remains unfactored as of 2025, consistent with the status of all RSA challenge numbers beyond 250 digits, where the largest solved is [RSA-250](/page/250) (250 digits). Its resistance to factorization underscores ongoing challenges in [computational number theory](/page/Computational_number_theory) and the security of RSA-based [cryptography](/page/Cryptography) for key sizes up to around 1,000 bits. ### RSA-380 RSA-380 is a semiprime consisting of the product of two distinct prime numbers, each of roughly equal size, and was generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [computational number theory](/page/Computational_number_theory) and highlight the practical challenges of [integer factorization](/page/Integer_factorization) in [public-key cryptography](/page/Public-key_cryptography). The number has precisely 380 decimal digits and an approximate [bit length](/page/Bit-length) of 1,261, making it significantly larger than previously factored challenge numbers. Its full decimal value is:

This value was computed using specialized hardware from [RSA Data Security](/page/Data_security) and published in the official challenge list.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-380 remains unfactored, with no verified discovery of its prime factors despite advances in algorithms like the general number field sieve. The largest RSA challenge number factored to date is RSA-250, achieved in [2020](/page/2020) by an international team using extensive computational resources over several years, underscoring that numbers beyond 250 digits, such as RSA-380, continue to resist classical factoring methods.[](https://jacobsschool.ucsd.edu/news/release/2991) Its persistence as an [open problem](/page/Open_problem) emphasizes the security margins provided by larger key sizes in RSA cryptosystems, where factoring difficulty scales exponentially with digit length. ### RSA-390 RSA-390 is a 390-digit [semiprime](/page/Semiprime) number generated as the product of two distinct primes of roughly equal size, each contributing approximately 195 [decimal](/page/Decimal) digits to the total length. It was introduced by RSA Laboratories in 1991 as one of the challenge numbers in the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), intended to highlight the computational difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf) The exact value of RSA-390 is:

This value was computed using specialized hardware from [RSA Data Security](/page/Data_security) and published in the official challenge list.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-380 remains unfactored, with no verified discovery of its prime factors despite advances in algorithms like the general number field sieve. The largest RSA challenge number factored to date is RSA-250, achieved in [2020](/page/2020) by an international team using extensive computational resources over several years, underscoring that numbers beyond 250 digits, such as RSA-380, continue to resist classical factoring methods.[](https://jacobsschool.ucsd.edu/news/release/2991) Its persistence as an [open problem](/page/Open_problem) emphasizes the security margins provided by larger key sizes in RSA cryptosystems, where factoring difficulty scales exponentially with digit length. ### RSA-390 RSA-390 is a 390-digit [semiprime](/page/Semiprime) number generated as the product of two distinct primes of roughly equal size, each contributing approximately 195 [decimal](/page/Decimal) digits to the total length. It was introduced by RSA Laboratories in 1991 as one of the challenge numbers in the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), intended to highlight the computational difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf) The exact value of RSA-390 is:

This number corresponds to approximately 1294 bits in binary representation.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf) RSA-390 remains unfactored, with no known complete [factorization](/page/Factorization) reported as of November 2025; it is one of the 38 unsolved challenges from the original set hosted by the MysteryTwister C3 since [2012](/page/2012) with permission from RSA.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf) ### RSA-400 RSA-400 is a 400-digit [semiprime](/page/Semiprime) number constructed as the product of two large prime numbers of approximately equal length, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the boundaries of [integer factorization](/page/Integer_factorization) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal representation of RSA-400 is:

This number corresponds to approximately 1294 bits in binary representation.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf) RSA-390 remains unfactored, with no known complete [factorization](/page/Factorization) reported as of November 2025; it is one of the 38 unsolved challenges from the original set hosted by the MysteryTwister C3 since [2012](/page/2012) with permission from RSA.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf) ### RSA-400 RSA-400 is a 400-digit [semiprime](/page/Semiprime) number constructed as the product of two large prime numbers of approximately equal length, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the boundaries of [integer factorization](/page/Integer_factorization) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal representation of RSA-400 is:

This number equates to roughly 1,327 bits in binary, establishing it as a substantial computational challenge beyond the capabilities of classical factoring methods available at the time of its publication in 1994.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) RSA-400 remains unfactored as of 2025, with the largest successfully factored number in the RSA challenge series being RSA-250, achieved in [2020](/page/2020) using extensive [distributed computing](/page/Distributed_computing) resources equivalent to 2,700 core-years.[](https://jacobsschool.ucsd.edu/news/release/2991) Its unfactored status underscores the 400-digit threshold as a critical [milestone](/page/Milestone) in assessing the [security](/page/Security) of RSA-based cryptosystems, where [factorization](/page/Factorization) difficulty scales exponentially with digit length, deterring practical attacks on keys of this size or larger. ### RSA-410 RSA-410 is a [semiprime](/page/Semiprime) number consisting of exactly 410 [decimal](/page/Decimal) digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms in the context of [public-key cryptography](/page/Public-key_cryptography). The number is defined as the product of two large prime factors and was intended to demonstrate the computational infeasibility of factoring such large composites with classical methods at the time of its release. Its full [decimal](/page/Decimal) expansion is:

This number equates to roughly 1,327 bits in binary, establishing it as a substantial computational challenge beyond the capabilities of classical factoring methods available at the time of its publication in 1994.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) RSA-400 remains unfactored as of 2025, with the largest successfully factored number in the RSA challenge series being RSA-250, achieved in [2020](/page/2020) using extensive [distributed computing](/page/Distributed_computing) resources equivalent to 2,700 core-years.[](https://jacobsschool.ucsd.edu/news/release/2991) Its unfactored status underscores the 400-digit threshold as a critical [milestone](/page/Milestone) in assessing the [security](/page/Security) of RSA-based cryptosystems, where [factorization](/page/Factorization) difficulty scales exponentially with digit length, deterring practical attacks on keys of this size or larger. ### RSA-410 RSA-410 is a [semiprime](/page/Semiprime) number consisting of exactly 410 [decimal](/page/Decimal) digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms in the context of [public-key cryptography](/page/Public-key_cryptography). The number is defined as the product of two large prime factors and was intended to demonstrate the computational infeasibility of factoring such large composites with classical methods at the time of its release. Its full [decimal](/page/Decimal) expansion is:

This number corresponds to approximately 1360 bits in binary representation.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-410 remains unfactored, with no public announcement of its prime factors despite advances in [factorization](/page/Factorization) techniques since the challenge's inception in the [1990s](/page/1990s). The [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), which included RSA-410, was officially discontinued by RSA Laboratories in 2007, but the unsolved numbers like this one continue to serve as benchmarks for cryptographic security research.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) ### RSA-420 RSA-420 is a [semiprime](/page/Semiprime) number with exactly 420 decimal digits, generated as the product of two distinct large prime factors by RSA Laboratories for their factoring challenge initiated in 1991.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-27-en.pdf) This challenge aimed to advance research in [computational number theory](/page/Computational_number_theory) by demonstrating the difficulty of factoring large integers, with RSA-420 serving as one of the more formidable entries due to its size, equivalent to approximately 1,393 bits.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The complete decimal expansion of RSA-420 is:

This number corresponds to approximately 1360 bits in binary representation.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-410 remains unfactored, with no public announcement of its prime factors despite advances in [factorization](/page/Factorization) techniques since the challenge's inception in the [1990s](/page/1990s). The [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), which included RSA-410, was officially discontinued by RSA Laboratories in 2007, but the unsolved numbers like this one continue to serve as benchmarks for cryptographic security research.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) ### RSA-420 RSA-420 is a [semiprime](/page/Semiprime) number with exactly 420 decimal digits, generated as the product of two distinct large prime factors by RSA Laboratories for their factoring challenge initiated in 1991.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-27-en.pdf) This challenge aimed to advance research in [computational number theory](/page/Computational_number_theory) by demonstrating the difficulty of factoring large integers, with RSA-420 serving as one of the more formidable entries due to its size, equivalent to approximately 1,393 bits.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The complete decimal expansion of RSA-420 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-27-en.pdf)[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) RSA-420 remains unfactored as of 2025, with no publicly announced prime factors despite ongoing interest in integer factorization algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its persistence as an open challenge underscores the practical security of sufficiently large RSA moduli against classical computing methods. ### RSA-430 RSA-430 is a semiprime number with exactly 430 decimal digits, created by RSA Laboratories as part of the RSA Factoring Challenge to test the limits of integer factorization algorithms. It is the product of two large, distinct prime factors of roughly equal size, each contributing approximately 215 decimal digits, and was generated in the early 1990s using proprietary software from RSA Data Security, Inc. The factors were discarded after computation, leaving only the composite number publicly available for the challenge.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) The full decimal representation of RSA-430 is as follows:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-27-en.pdf)[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) RSA-420 remains unfactored as of 2025, with no publicly announced prime factors despite ongoing interest in integer factorization algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its persistence as an open challenge underscores the practical security of sufficiently large RSA moduli against classical computing methods. ### RSA-430 RSA-430 is a semiprime number with exactly 430 decimal digits, created by RSA Laboratories as part of the RSA Factoring Challenge to test the limits of integer factorization algorithms. It is the product of two large, distinct prime factors of roughly equal size, each contributing approximately 215 decimal digits, and was generated in the early 1990s using proprietary software from RSA Data Security, Inc. The factors were discarded after computation, leaving only the composite number publicly available for the challenge.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) The full decimal representation of RSA-430 is as follows:

This value corresponds to a bit length of approximately 1,427 bits.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) RSA-430 remains unfactored as of November 2025, with no public record of its prime factors being discovered despite ongoing research in [number theory](/page/Number_theory) and computational methods. For context, the largest successfully factored RSA challenge number is RSA-250 (829 bits), achieved in 2020 using extensive [distributed computing](/page/Distributed_computing) resources.[](https://articles.59.ca/doku.php?id=em:20482030) The immense size of RSA-430 places it far beyond current classical factoring capabilities, highlighting the continued security implications for RSA-based [cryptography](/page/Cryptography) with keys of similar or larger lengths.[](https://postquantum.com/post-quantum/breaking-rsa-quantum-hype/) ### RSA-440 RSA-440 is a 440-[decimal](/page/Decimal)-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to promote research in [computational number theory](/page/Computational_number_theory) and the difficulty of factoring large integers.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) It consists of the product of two distinct prime numbers, each approximately 220 [decimal](/page/Decimal) digits in length, and serves as a benchmark for advanced factoring algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The explicit decimal representation of RSA-440 is:

This value corresponds to a bit length of approximately 1,427 bits.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d) RSA-430 remains unfactored as of November 2025, with no public record of its prime factors being discovered despite ongoing research in [number theory](/page/Number_theory) and computational methods. For context, the largest successfully factored RSA challenge number is RSA-250 (829 bits), achieved in 2020 using extensive [distributed computing](/page/Distributed_computing) resources.[](https://articles.59.ca/doku.php?id=em:20482030) The immense size of RSA-430 places it far beyond current classical factoring capabilities, highlighting the continued security implications for RSA-based [cryptography](/page/Cryptography) with keys of similar or larger lengths.[](https://postquantum.com/post-quantum/breaking-rsa-quantum-hype/) ### RSA-440 RSA-440 is a 440-[decimal](/page/Decimal)-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to promote research in [computational number theory](/page/Computational_number_theory) and the difficulty of factoring large integers.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) It consists of the product of two distinct prime numbers, each approximately 220 [decimal](/page/Decimal) digits in length, and serves as a benchmark for advanced factoring algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The explicit decimal representation of RSA-440 is:

This value corresponds to a 1,460-bit [integer](/page/Integer) in binary, highlighting its immense scale for classical [computing](/page/Computing) resources.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-440 remains unfactored, with no publicly known prime factors despite ongoing interest in its decomposition using methods like the general number field [sieve](/page/Sieve).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its persistence as an unsolved challenge underscores the practical [security](/page/Security) implications for RSA cryptosystems employing keys of comparable or larger sizes.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-440) ### RSA-450 RSA-450 is a [semiprime](/page/Semiprime) number consisting of exactly 450 decimal digits, designed by RSA Laboratories as part of their factoring challenge to demonstrate the computational difficulty of factoring large integers relevant to [public-key cryptography](/page/Public-key_cryptography). The number, which is the product of two distinct prime factors of roughly equal size (approximately 225 digits each), was publicly released in the early [1990s](/page/1990s) to spur advancements in [factorization](/page/Factorization) techniques such as the general number field sieve.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-30-en.pdf) The full decimal representation of RSA-450 is:

This value corresponds to a 1,460-bit [integer](/page/Integer) in binary, highlighting its immense scale for classical [computing](/page/Computing) resources.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-440 remains unfactored, with no publicly known prime factors despite ongoing interest in its decomposition using methods like the general number field [sieve](/page/Sieve).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its persistence as an unsolved challenge underscores the practical [security](/page/Security) implications for RSA cryptosystems employing keys of comparable or larger sizes.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-440) ### RSA-450 RSA-450 is a [semiprime](/page/Semiprime) number consisting of exactly 450 decimal digits, designed by RSA Laboratories as part of their factoring challenge to demonstrate the computational difficulty of factoring large integers relevant to [public-key cryptography](/page/Public-key_cryptography). The number, which is the product of two distinct prime factors of roughly equal size (approximately 225 digits each), was publicly released in the early [1990s](/page/1990s) to spur advancements in [factorization](/page/Factorization) techniques such as the general number field sieve.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-30-en.pdf) The full decimal representation of RSA-450 is:

This number corresponds to approximately 1,493 bits in binary, making it significantly more challenging to factor than smaller RSA challenge numbers like RSA-440 due to the exponential increase in computational resources required.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-30-en.pdf) As of November 2025, RSA-450 remains unfactored, with no known prime factors published, underscoring the ongoing [security](/page/Security) implications for RSA-based [encryption](/page/Encryption) systems using moduli of comparable size.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-450) ### RSA-460 RSA-460 is a [semiprime](/page/Semiprime) number consisting of exactly 460 decimal digits, constructed as the product of two large prime numbers of comparable size, as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The challenge aimed to test the limits of [computational number theory](/page/Computational_number_theory) by offering prizes for factoring such numbers, with RSA-460 representing a significant escalation in difficulty due to its length, equivalent to approximately 1,526 bits.[](https://mason.gmu.edu/~kgaj/ECE297/viewgraphs/lecture12_RSA_security_3.pdf) The full decimal expansion of RSA-460 is:

This number corresponds to approximately 1,493 bits in binary, making it significantly more challenging to factor than smaller RSA challenge numbers like RSA-440 due to the exponential increase in computational resources required.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-30-en.pdf) As of November 2025, RSA-450 remains unfactored, with no known prime factors published, underscoring the ongoing [security](/page/Security) implications for RSA-based [encryption](/page/Encryption) systems using moduli of comparable size.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-450) ### RSA-460 RSA-460 is a [semiprime](/page/Semiprime) number consisting of exactly 460 decimal digits, constructed as the product of two large prime numbers of comparable size, as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The challenge aimed to test the limits of [computational number theory](/page/Computational_number_theory) by offering prizes for factoring such numbers, with RSA-460 representing a significant escalation in difficulty due to its length, equivalent to approximately 1,526 bits.[](https://mason.gmu.edu/~kgaj/ECE297/viewgraphs/lecture12_RSA_security_3.pdf) The full decimal expansion of RSA-460 is:

This value was published in the official list of challenge numbers, with a [checksum](/page/Checksum) of 396,755 [modulo](/page/Modulo) 991,889 to verify integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-460 remains unfactored, joining the majority of larger challenge numbers that have resisted all known classical factoring algorithms despite ongoing efforts in the field.[](https://www.pulsus.com/scholarly-articles/principles-of-prime-numbers--part-inew-definition-of-prime-numbers-with-modnt-number-system--induction.pdf) Its unfactored status underscores the practical [security](/page/Security) of RSA-based [encryption](/page/Encryption) systems using moduli of similar or greater size, as factoring it would require computational resources far beyond current capabilities.[](https://www.researchgate.net/publication/294548386_Square_roots_of_un-factored_RSA_Challenge_numbers) ### RSA-470 RSA-470 is a [semiprime](/page/Semiprime) number consisting of 470 decimal digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test [computational number theory](/page/Computational_number_theory) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its full decimal value is:

This value was published in the official list of challenge numbers, with a [checksum](/page/Checksum) of 396,755 [modulo](/page/Modulo) 991,889 to verify integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-460 remains unfactored, joining the majority of larger challenge numbers that have resisted all known classical factoring algorithms despite ongoing efforts in the field.[](https://www.pulsus.com/scholarly-articles/principles-of-prime-numbers--part-inew-definition-of-prime-numbers-with-modnt-number-system--induction.pdf) Its unfactored status underscores the practical [security](/page/Security) of RSA-based [encryption](/page/Encryption) systems using moduli of similar or greater size, as factoring it would require computational resources far beyond current capabilities.[](https://www.researchgate.net/publication/294548386_Square_roots_of_un-factored_RSA_Challenge_numbers) ### RSA-470 RSA-470 is a [semiprime](/page/Semiprime) number consisting of 470 decimal digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test [computational number theory](/page/Computational_number_theory) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its full decimal value is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-470 remains unfactored, with the largest successfully factored RSA challenge number being RSA-250 (250 digits) in 2020.[](https://members.loria.fr/PZimmermann/records/factor.html) ### RSA-480 RSA-480 is a 480-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories to advance research in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) It consists of the product of two large prime numbers of approximately equal size, designed to test the limits of factoring algorithms at the time of its publication.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) The exact decimal value of RSA-480 is:

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of November 2025, RSA-470 remains unfactored, with the largest successfully factored RSA challenge number being RSA-250 (250 digits) in 2020.[](https://members.loria.fr/PZimmermann/records/factor.html) ### RSA-480 RSA-480 is a 480-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories to advance research in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) It consists of the product of two large prime numbers of approximately equal size, designed to test the limits of factoring algorithms at the time of its publication.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) The exact decimal value of RSA-480 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) Despite advances in factoring techniques since the challenge's inception in [1991](/page/1991), RSA-480 remains unfactored as of [2025](/page/2025), underscoring the computational difficulty of factoring large [semiprime](/page/Semiprime)s and its relevance to the security of RSA cryptosystems.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) ### RSA-490 RSA-490 is a [semiprime](/page/Semiprime) number consisting of the product of two large prime factors, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in [1991](/page/1991) to promote advances in [integer factorization](/page/Integer_factorization) algorithms. This challenge number has exactly 490 [decimal](/page/Decimal) digits and corresponds to approximately 1,626 bits in binary representation, making it significantly larger than earlier challenge numbers like RSA-100 or RSA-200. The primes used to form RSA-490 were generated randomly using the RSA DSP (a [Motorola 56000](/page/Motorola_56000) DSP chip), selected to be congruent to 2 [modulo](/page/Modulo) 3, and verified via probabilistic primality testing; the factors were discarded after computation, ensuring they were unknown even to RSA personnel.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal expansion of RSA-490 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) Despite advances in factoring techniques since the challenge's inception in [1991](/page/1991), RSA-480 remains unfactored as of [2025](/page/2025), underscoring the computational difficulty of factoring large [semiprime](/page/Semiprime)s and its relevance to the security of RSA cryptosystems.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) ### RSA-490 RSA-490 is a [semiprime](/page/Semiprime) number consisting of the product of two large prime factors, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in [1991](/page/1991) to promote advances in [integer factorization](/page/Integer_factorization) algorithms. This challenge number has exactly 490 [decimal](/page/Decimal) digits and corresponds to approximately 1,626 bits in binary representation, making it significantly larger than earlier challenge numbers like RSA-100 or RSA-200. The primes used to form RSA-490 were generated randomly using the RSA DSP (a [Motorola 56000](/page/Motorola_56000) DSP chip), selected to be congruent to 2 [modulo](/page/Modulo) 3, and verified via probabilistic primality testing; the factors were discarded after computation, ensuring they were unknown even to RSA personnel.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal expansion of RSA-490 is:

A checksum of 649001 was provided alongside the number to verify accuracy during transmission or transcription.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of 2025, RSA-490 remains unfactored, with no known complete prime factorization despite ongoing research in [computational number theory](/page/Computational_number_theory). The largest successfully factored RSA challenge number to date is RSA-250 (250 digits), achieved in 2020 using the general number field sieve, underscoring the immense computational resources required for numbers of RSA-490's scale.[](https://eprint.iacr.org/2020/697) ### RSA-500 RSA-500 is a 500-digit [semiprime](/page/Semiprime) number generated by RSA Laboratories as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), serving as the largest entry in the initial series of challenge numbers spaced at 10-digit intervals from RSA-100 to RSA-500.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) This number was created on May 19, 1994, by multiplying two large prime factors, with the primes discarded after computation to ensure the challenge's integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal representation of RSA-500 is:

A checksum of 649001 was provided alongside the number to verify accuracy during transmission or transcription.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) As of 2025, RSA-490 remains unfactored, with no known complete prime factorization despite ongoing research in [computational number theory](/page/Computational_number_theory). The largest successfully factored RSA challenge number to date is RSA-250 (250 digits), achieved in 2020 using the general number field sieve, underscoring the immense computational resources required for numbers of RSA-490's scale.[](https://eprint.iacr.org/2020/697) ### RSA-500 RSA-500 is a 500-digit [semiprime](/page/Semiprime) number generated by RSA Laboratories as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), serving as the largest entry in the initial series of challenge numbers spaced at 10-digit intervals from RSA-100 to RSA-500.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) This number was created on May 19, 1994, by multiplying two large prime factors, with the primes discarded after computation to ensure the challenge's integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal representation of RSA-500 is:

The [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), initiated in 1991, aimed to advance research in [computational number theory](/page/Computational_number_theory) by offering prizes for factoring these semiprimes, with RSA-500 marking the upper limit of the early decimal-digit-labeled series before the challenge shifted to larger, specially selected numbers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) As of [2012](/page/2012), RSA-500 remained among the 38 unsolved challenges out of the original 54, hosted by the MysteryTwister C3 team with permission from RSA Inc. after the official contest ended in 2007.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) It remains unfactored as of November 2025.[](https://mathworld.wolfram.com/RSANumber.html) ## Larger Challenge RSA Numbers ### RSA-576 RSA-576 is a 576-bit [semiprime](/page/Semiprime) number, equivalent to 174 decimal digits, selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes.[](https://mathworld.wolfram.com/news/2003-12-05/rsa/) The full decimal representation of RSA-576 is:

The [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), initiated in 1991, aimed to advance research in [computational number theory](/page/Computational_number_theory) by offering prizes for factoring these semiprimes, with RSA-500 marking the upper limit of the early decimal-digit-labeled series before the challenge shifted to larger, specially selected numbers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) As of [2012](/page/2012), RSA-500 remained among the 38 unsolved challenges out of the original 54, hosted by the MysteryTwister C3 team with permission from RSA Inc. after the official contest ended in 2007.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) It remains unfactored as of November 2025.[](https://mathworld.wolfram.com/RSANumber.html) ## Larger Challenge RSA Numbers ### RSA-576 RSA-576 is a 576-bit [semiprime](/page/Semiprime) number, equivalent to 174 decimal digits, selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes.[](https://mathworld.wolfram.com/news/2003-12-05/rsa/) The full decimal representation of RSA-576 is:

This number was designed to have exactly two distinct prime factors of equal length, making it particularly resistant to factorization attacks at the time of its publication. It served as the smallest in a series of larger binary-sized RSA challenge numbers, shifting from the earlier decimal-digit naming convention used for RSA-100 through RSA-500.[](https://mathworld.wolfram.com/RSANumber.html) RSA-576 was successfully factored on December 3, 2003, by a team led by Jens Franke and including Thorsten Kleinjung from the [University of Bonn](/page/University_of_Bonn), along with collaborators such as Peter Montgomery, Herman te Riele, and others from institutions including CWI in the [Netherlands](/page/Netherlands).[](https://mathworld.wolfram.com/news/2003-12-05/rsa/)[](https://www.cwi.nl/en/news/cwi-contributes-to-crack-rsa-576/) The factorization employed the general number field [sieve](/page/Sieve) (GNFS), the most advanced method available for large semiprimes, involving extensive sieving, linear [algebra](/page/Algebra), and square root computations distributed across multiple [high-performance computing](/page/High-performance_computing) resources. The effort required the equivalent of approximately 2000 core-years on a single 2.2 GHz AMD [Opteron](/page/Opteron) processor, highlighting the scale of computation needed and the collaborative nature of modern cryptanalytic projects.[](https://eprint.iacr.org/2010/006.pdf) For this achievement, the team claimed the $10,000 prize offered by RSA Laboratories.[](https://mathworld.wolfram.com/RSANumber.html) The two 87-decimal-digit prime factors are: - $ p = 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 $ - $ q = 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527 $ [](https://www.math.ucsd.edu/~crypto/Projects/ToniSmith/crypto.html) Their product yields the original RSA-576, demonstrating the vulnerability of 576-bit RSA moduli to sufficiently resourced GNFS attacks by the early 2000s. This factorization underscored the need for longer key lengths in RSA-based systems, influencing subsequent recommendations for at least [1024](/page/1024) bits or more.[](https://mathworld.wolfram.com/news/2003-12-05/rsa/) ### RSA-617 RSA-617 is a [semiprime](/page/Semiprime) number consisting of exactly 617 decimal digits, constructed as the product of two large prime factors for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories. This challenge aimed to demonstrate the computational infeasibility of factoring such large composites, which underpin the security of RSA [encryption](/page/Encryption). Unlike many challenge numbers with round digit counts, RSA-617's irregular length of 617 digits was selected to highlight the progressive increase in factoring difficulty beyond standard milestones. The full decimal representation of RSA-617 is:

This number was designed to have exactly two distinct prime factors of equal length, making it particularly resistant to factorization attacks at the time of its publication. It served as the smallest in a series of larger binary-sized RSA challenge numbers, shifting from the earlier decimal-digit naming convention used for RSA-100 through RSA-500.[](https://mathworld.wolfram.com/RSANumber.html) RSA-576 was successfully factored on December 3, 2003, by a team led by Jens Franke and including Thorsten Kleinjung from the [University of Bonn](/page/University_of_Bonn), along with collaborators such as Peter Montgomery, Herman te Riele, and others from institutions including CWI in the [Netherlands](/page/Netherlands).[](https://mathworld.wolfram.com/news/2003-12-05/rsa/)[](https://www.cwi.nl/en/news/cwi-contributes-to-crack-rsa-576/) The factorization employed the general number field [sieve](/page/Sieve) (GNFS), the most advanced method available for large semiprimes, involving extensive sieving, linear [algebra](/page/Algebra), and square root computations distributed across multiple [high-performance computing](/page/High-performance_computing) resources. The effort required the equivalent of approximately 2000 core-years on a single 2.2 GHz AMD [Opteron](/page/Opteron) processor, highlighting the scale of computation needed and the collaborative nature of modern cryptanalytic projects.[](https://eprint.iacr.org/2010/006.pdf) For this achievement, the team claimed the $10,000 prize offered by RSA Laboratories.[](https://mathworld.wolfram.com/RSANumber.html) The two 87-decimal-digit prime factors are: - $ p = 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 $ - $ q = 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527 $ [](https://www.math.ucsd.edu/~crypto/Projects/ToniSmith/crypto.html) Their product yields the original RSA-576, demonstrating the vulnerability of 576-bit RSA moduli to sufficiently resourced GNFS attacks by the early 2000s. This factorization underscored the need for longer key lengths in RSA-based systems, influencing subsequent recommendations for at least [1024](/page/1024) bits or more.[](https://mathworld.wolfram.com/news/2003-12-05/rsa/) ### RSA-617 RSA-617 is a [semiprime](/page/Semiprime) number consisting of exactly 617 decimal digits, constructed as the product of two large prime factors for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories. This challenge aimed to demonstrate the computational infeasibility of factoring such large composites, which underpin the security of RSA [encryption](/page/Encryption). Unlike many challenge numbers with round digit counts, RSA-617's irregular length of 617 digits was selected to highlight the progressive increase in factoring difficulty beyond standard milestones. The full decimal representation of RSA-617 is:

This value corresponds to approximately 2048 bits in binary length. RSA-617 was introduced to the challenge list on February 7, 1997, as one of the earliest large-scale examples using decimal-digit labeling. As of November 2025, it remains unfactored, with no publicly verified prime factors discovered despite advances in factoring algorithms. ### RSA-640 RSA-640 is a semiprime consisting of the product of two large prime numbers, specifically designed for the RSA Factoring Challenge to test the limits of integer factorization algorithms. It measures 640 bits in length, equivalent to approximately 193 decimal digits, and was introduced by RSA Laboratories in 2001 as part of an expanded set of challenges emphasizing bit-length measurements over decimal digits for alignment with cryptographic key sizes.[](https://www.hpcwire.com/2004/04/30/mathematicians-collaborate-to-solve-rsa-factoring-challenge/)[](https://mathworld.wolfram.com/RSANumber.html) The full decimal representation of RSA-640 is:

This value corresponds to approximately 2048 bits in binary length. RSA-617 was introduced to the challenge list on February 7, 1997, as one of the earliest large-scale examples using decimal-digit labeling. As of November 2025, it remains unfactored, with no publicly verified prime factors discovered despite advances in factoring algorithms. ### RSA-640 RSA-640 is a semiprime consisting of the product of two large prime numbers, specifically designed for the RSA Factoring Challenge to test the limits of integer factorization algorithms. It measures 640 bits in length, equivalent to approximately 193 decimal digits, and was introduced by RSA Laboratories in 2001 as part of an expanded set of challenges emphasizing bit-length measurements over decimal digits for alignment with cryptographic key sizes.[](https://www.hpcwire.com/2004/04/30/mathematicians-collaborate-to-solve-rsa-factoring-challenge/)[](https://mathworld.wolfram.com/RSANumber.html) The full decimal representation of RSA-640 is:

Although initially presented as unfactored with a $20,000 prize, RSA-640 was successfully factored in November 2005 using the general number field sieve by a team led by Jens Franke and Thorsten Kleinjung, in collaboration with researchers from the University of Bonn and other institutions; this marked a significant milestone in demonstrating the vulnerability of 640-bit RSA moduli at the time.[](https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;3e3c5c3b.0511)[](https://mathworld.wolfram.com/news/2005-11-08/rsa-640/) ### RSA-704 RSA-704 is a [semiprime](/page/Semiprime) number with 704 bits, equivalent to 212 decimal digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization). The number was designed as the product of two large prime factors of roughly equal size to test the limits of contemporary factoring algorithms. Its full decimal representation is:

Although initially presented as unfactored with a $20,000 prize, RSA-640 was successfully factored in November 2005 using the general number field sieve by a team led by Jens Franke and Thorsten Kleinjung, in collaboration with researchers from the University of Bonn and other institutions; this marked a significant milestone in demonstrating the vulnerability of 640-bit RSA moduli at the time.[](https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;3e3c5c3b.0511)[](https://mathworld.wolfram.com/news/2005-11-08/rsa-640/) ### RSA-704 RSA-704 is a [semiprime](/page/Semiprime) number with 704 bits, equivalent to 212 decimal digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization). The number was designed as the product of two large prime factors of roughly equal size to test the limits of contemporary factoring algorithms. Its full decimal representation is:

RSA-704 was successfully factored on July 1, 2012, marking it as the second-largest integer factored using the general number field sieve (GNFS) at the time, following RSA-768. The factorization was achieved by Shi Bai, Emmanuel Thomé, and Paul Zimmermann using the open-source CADO-NFS implementation of GNFS. The effort involved extensive computational resources, including approximately 12 core-years for polynomial selection, 500 CPU-years for sieving on Intel Xeon processors, and 1,800 hours of wall-clock time for linear algebra on the Grid'5000 cluster.[](https://eprint.iacr.org/2012/369.pdf)[](https://inria.hal.science/hal-00760322v1/document) The prime factors of RSA-704 are: - $ p = 9091213529597818878440658302600437485892608310328358720428512168960411528640933367824950788367956756806141 $ - $ q = 8143859259110045265727809126284429335877899002167627883200914172429324360133004116702003240828777970252499 $ This breakthrough demonstrated the scalability of CADO-NFS for large-scale factorizations and contributed to improvements in the software for subsequent challenges.[](https://eprint.iacr.org/2012/369.pdf) ### RSA-768 RSA-768 is a 768-bit [semiprime](/page/Semiprime) number consisting of 232 decimal digits, selected as a representative modulus for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test [computational number theory](/page/Computational_number_theory) advances.[](https://eprint.iacr.org/2010/006.pdf) Its full decimal value is:

RSA-704 was successfully factored on July 1, 2012, marking it as the second-largest integer factored using the general number field sieve (GNFS) at the time, following RSA-768. The factorization was achieved by Shi Bai, Emmanuel Thomé, and Paul Zimmermann using the open-source CADO-NFS implementation of GNFS. The effort involved extensive computational resources, including approximately 12 core-years for polynomial selection, 500 CPU-years for sieving on Intel Xeon processors, and 1,800 hours of wall-clock time for linear algebra on the Grid'5000 cluster.[](https://eprint.iacr.org/2012/369.pdf)[](https://inria.hal.science/hal-00760322v1/document) The prime factors of RSA-704 are: - $ p = 9091213529597818878440658302600437485892608310328358720428512168960411528640933367824950788367956756806141 $ - $ q = 8143859259110045265727809126284429335877899002167627883200914172429324360133004116702003240828777970252499 $ This breakthrough demonstrated the scalability of CADO-NFS for large-scale factorizations and contributed to improvements in the software for subsequent challenges.[](https://eprint.iacr.org/2012/369.pdf) ### RSA-768 RSA-768 is a 768-bit [semiprime](/page/Semiprime) number consisting of 232 decimal digits, selected as a representative modulus for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test [computational number theory](/page/Computational_number_theory) advances.[](https://eprint.iacr.org/2010/006.pdf) Its full decimal value is:

This number served as a benchmark for 768-bit RSA key sizes, which were once considered secure for cryptographic applications but have since been deemed insufficient due to advances in factoring algorithms.[](https://eprint.iacr.org/2010/006.pdf) On December 12, 2009, RSA-768 was factored by Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen Lenstra, Emmanuel Thomé, Joppe Bos, Pierrick Gaudry, Luke Brent, Jean-Luc Beuchat, Henry Cohn, Nadia Heninger, and the authors of the Cunningham tables, using the general number field sieve (GNFS).[](https://eprint.iacr.org/2010/006.pdf) The factorization revealed two prime factors, each approximately 384 bits long: - $ p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 $ - $ q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917 $ The sieving phase required approximately 1500 core-years of computation on a 2.2 GHz AMD Opteron processor, equivalent to about two years of wall-clock time across hundreds of machines, marking a significant milestone in the practical limits of integer factorization.[](https://eprint.iacr.org/2010/006.pdf) ### RSA-896 RSA-896 is a [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), published by RSA Laboratories in 1991 as part of a series of cryptographic challenges designed to test [integer factorization](/page/Integer_factorization) algorithms.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) It consists of two large prime factors and serves as an intermediate challenge between smaller factored numbers like RSA-768 and larger unfactored ones. The number has a bit length of 896 bits, equivalent to approximately 270 decimal digits, making it significantly more computationally intensive to factor than predecessors using classical methods such as the general number field sieve.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) As of 2025, RSA-896 remains unfactored, with RSA-250 holding the record as the largest solved challenge from the series, factored in 2020 after extensive computation on distributed systems. The full decimal representation of RSA-896 is:

This number served as a benchmark for 768-bit RSA key sizes, which were once considered secure for cryptographic applications but have since been deemed insufficient due to advances in factoring algorithms.[](https://eprint.iacr.org/2010/006.pdf) On December 12, 2009, RSA-768 was factored by Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen Lenstra, Emmanuel Thomé, Joppe Bos, Pierrick Gaudry, Luke Brent, Jean-Luc Beuchat, Henry Cohn, Nadia Heninger, and the authors of the Cunningham tables, using the general number field sieve (GNFS).[](https://eprint.iacr.org/2010/006.pdf) The factorization revealed two prime factors, each approximately 384 bits long: - $ p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 $ - $ q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917 $ The sieving phase required approximately 1500 core-years of computation on a 2.2 GHz AMD Opteron processor, equivalent to about two years of wall-clock time across hundreds of machines, marking a significant milestone in the practical limits of integer factorization.[](https://eprint.iacr.org/2010/006.pdf) ### RSA-896 RSA-896 is a [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), published by RSA Laboratories in 1991 as part of a series of cryptographic challenges designed to test [integer factorization](/page/Integer_factorization) algorithms.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) It consists of two large prime factors and serves as an intermediate challenge between smaller factored numbers like RSA-768 and larger unfactored ones. The number has a bit length of 896 bits, equivalent to approximately 270 decimal digits, making it significantly more computationally intensive to factor than predecessors using classical methods such as the general number field sieve.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) As of 2025, RSA-896 remains unfactored, with RSA-250 holding the record as the largest solved challenge from the series, factored in 2020 after extensive computation on distributed systems. The full decimal representation of RSA-896 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) This value was generated to ensure balanced prime factors close in size, optimizing its resistance to [factorization](/page/Factorization) attacks typical of RSA [key generation](/page/Key_generation).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) The challenge, originally offering a $75,000 prize, was discontinued by RSA in 2007, with remaining unsolved instances like RSA-896 hosted by third-party platforms for academic interest.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) ### RSA-1024 RSA-1024 is a semiprime number consisting of the product of two distinct prime factors, each approximately 512 bits in length, published by RSA Laboratories as part of their factoring challenge to benchmark advances in computational number theory.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-15-en.pdf) The exact value of RSA-1024 in decimal form is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) This value was generated to ensure balanced prime factors close in size, optimizing its resistance to [factorization](/page/Factorization) attacks typical of RSA [key generation](/page/Key_generation).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) The challenge, originally offering a $75,000 prize, was discontinued by RSA in 2007, with remaining unsolved instances like RSA-896 hosted by third-party platforms for academic interest.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) ### RSA-1024 RSA-1024 is a semiprime number consisting of the product of two distinct prime factors, each approximately 512 bits in length, published by RSA Laboratories as part of their factoring challenge to benchmark advances in computational number theory.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-15-en.pdf) The exact value of RSA-1024 in decimal form is:

This number comprises 309 decimal digits and corresponds to a 1024-bit modulus.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-15-en.pdf) As of November 2025, RSA-1024 remains unfactored, with the largest publicly factored RSA challenge number being RSA-250 (829 bits) from 2020.[](https://www.theregister.com/2001/07/25/rsa_poses_200_000_crypto/) In the original RSA Factoring Challenge, launched in 1991 and expanded in 2001, a prize of $200,000 was offered for its complete factorization, making it the highest-value target at the time before the challenge was withdrawn in 2007.[](https://www.cnet.com/tech/tech-industry/rsa-launches-crypto-cracking-challenge/) The 1024-bit size of RSA-1024 aligns with the modulus length that served as a de facto standard for RSA public-key [encryption](/page/Encryption) in protocols like TLS from the early 2000s until around 2013, when it began to be phased out in favor of longer keys due to advancing computational capabilities.[](https://www.encryptionconsulting.com/soon-to-be-deprecated-are-you-still-using-rsa-1024-bit-keys-for-windows/) Using the general number field sieve, the state-of-the-art classical algorithm for such factorizations, breaking RSA-1024 is estimated to require on the order of 500,000 core-years of computation on modern hardware.[](https://crypto.stackexchange.com/questions/109810/how-could-a-1024-bits-rsa-modulus-be-most-economically-factored-within-months-to) ### RSA-1536 RSA-1536 is a 1536-bit [semiprime](/page/Semiprime) constructed as the product of two distinct large prime numbers, introduced by RSA Laboratories as part of their factoring challenge to advance [research](/page/Research) in [computational number theory](/page/Computational_number_theory) and highlight the difficulty of factoring large integers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) This number spans approximately 463 decimal digits, reflecting the immense scale required for contemporary cryptographic security.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) The explicit decimal value of RSA-1536 is as follows:

This number comprises 309 decimal digits and corresponds to a 1024-bit modulus.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-15-en.pdf) As of November 2025, RSA-1024 remains unfactored, with the largest publicly factored RSA challenge number being RSA-250 (829 bits) from 2020.[](https://www.theregister.com/2001/07/25/rsa_poses_200_000_crypto/) In the original RSA Factoring Challenge, launched in 1991 and expanded in 2001, a prize of $200,000 was offered for its complete factorization, making it the highest-value target at the time before the challenge was withdrawn in 2007.[](https://www.cnet.com/tech/tech-industry/rsa-launches-crypto-cracking-challenge/) The 1024-bit size of RSA-1024 aligns with the modulus length that served as a de facto standard for RSA public-key [encryption](/page/Encryption) in protocols like TLS from the early 2000s until around 2013, when it began to be phased out in favor of longer keys due to advancing computational capabilities.[](https://www.encryptionconsulting.com/soon-to-be-deprecated-are-you-still-using-rsa-1024-bit-keys-for-windows/) Using the general number field sieve, the state-of-the-art classical algorithm for such factorizations, breaking RSA-1024 is estimated to require on the order of 500,000 core-years of computation on modern hardware.[](https://crypto.stackexchange.com/questions/109810/how-could-a-1024-bits-rsa-modulus-be-most-economically-factored-within-months-to) ### RSA-1536 RSA-1536 is a 1536-bit [semiprime](/page/Semiprime) constructed as the product of two distinct large prime numbers, introduced by RSA Laboratories as part of their factoring challenge to advance [research](/page/Research) in [computational number theory](/page/Computational_number_theory) and highlight the difficulty of factoring large integers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) This number spans approximately 463 decimal digits, reflecting the immense scale required for contemporary cryptographic security.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) The explicit decimal value of RSA-1536 is as follows:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) Despite significant progress in [factorization](/page/Factorization) techniques, such as the number field sieve, RSA-1536 remains unfactored as of November 2025.[](https://mathworld.wolfram.com/RSANumber.html) Its persistence underscores the computational barriers to breaking RSA-based [encryption](/page/Encryption) at this scale, where no known classical algorithm can efficiently decompose it into its prime factors.[](https://mathworld.wolfram.com/RSANumber.html) RSA-1536 serves as a benchmark for evolving cryptographic standards, illustrating the transition to larger key sizes beyond [1024](/page/1024) bits to ensure long-term security against advancing computational power.[](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) Specifically, 1536-bit RSA moduli are endorsed for [digital signature](/page/Digital_signature) generation in legacy systems until 2030, providing a [balance of performance](/page/Balance_of_performance) and resistance to factorization attacks.[](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) ### RSA-2048 RSA-2048 is a 2048-bit [semiprime](/page/Semiprime) number, constructed as the product of two distinct 1024-bit prime numbers, and serves as the largest challenge in the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) series. It consists of exactly 617 [decimal](/page/Decimal) digits and remains unfactored using classical [computing](/page/Computing) methods as of November 2025. Unlike smaller RSA challenge numbers, no cash prize was associated with its factorization, as the overall challenge program was discontinued by RSA Laboratories in 2007 without awarding prizes for numbers beyond RSA-768.[](https://blog.cloudflare.com/pq-2025/) The full decimal representation of RSA-2048 is:

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) Despite significant progress in [factorization](/page/Factorization) techniques, such as the number field sieve, RSA-1536 remains unfactored as of November 2025.[](https://mathworld.wolfram.com/RSANumber.html) Its persistence underscores the computational barriers to breaking RSA-based [encryption](/page/Encryption) at this scale, where no known classical algorithm can efficiently decompose it into its prime factors.[](https://mathworld.wolfram.com/RSANumber.html) RSA-1536 serves as a benchmark for evolving cryptographic standards, illustrating the transition to larger key sizes beyond [1024](/page/1024) bits to ensure long-term security against advancing computational power.[](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) Specifically, 1536-bit RSA moduli are endorsed for [digital signature](/page/Digital_signature) generation in legacy systems until 2030, providing a [balance of performance](/page/Balance_of_performance) and resistance to factorization attacks.[](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) ### RSA-2048 RSA-2048 is a 2048-bit [semiprime](/page/Semiprime) number, constructed as the product of two distinct 1024-bit prime numbers, and serves as the largest challenge in the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) series. It consists of exactly 617 [decimal](/page/Decimal) digits and remains unfactored using classical [computing](/page/Computing) methods as of November 2025. Unlike smaller RSA challenge numbers, no cash prize was associated with its factorization, as the overall challenge program was discontinued by RSA Laboratories in 2007 without awarding prizes for numbers beyond RSA-768.[](https://blog.cloudflare.com/pq-2025/) The full decimal representation of RSA-2048 is:

[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-38-en.pdf) As of 2025, RSA-2048 represents the current standard key size for RSA encryption in many cryptographic protocols, with the National Institute of Standards and Technology (NIST) recommending its continued use for providing at least 112 bits of security through 2030, prior to a planned deprecation in favor of post-quantum alternatives.[](https://www.sectigo.com/resource-library/root-causes-447-nist-deprecates-rsa-2048-and-ecc-256) Recent quantum computing experiments, such as a 2024 D-Wave study demonstrating factorization of specially constructed 2048-bit semiprimes where factors differ by only two bits, have not succeeded in factoring the specific RSA-2048 number, and such claims remain unverified for this challenge instance.[](https://www.hstoday.us/subject-matter-areas/cybersecurity/no-chinese-did-not-crack-rsa-with-quantum-yet/)[](https://www.sciopen.com/article/10.26599/TST.2024.9010028)

[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-38-en.pdf) As of 2025, RSA-2048 represents the current standard key size for RSA encryption in many cryptographic protocols, with the National Institute of Standards and Technology (NIST) recommending its continued use for providing at least 112 bits of security through 2030, prior to a planned deprecation in favor of post-quantum alternatives.[](https://www.sectigo.com/resource-library/root-causes-447-nist-deprecates-rsa-2048-and-ecc-256) Recent quantum computing experiments, such as a 2024 D-Wave study demonstrating factorization of specially constructed 2048-bit semiprimes where factors differ by only two bits, have not succeeded in factoring the specific RSA-2048 number, and such claims remain unverified for this challenge instance.[](https://www.hstoday.us/subject-matter-areas/cybersecurity/no-chinese-did-not-crack-rsa-with-quantum-yet/)[](https://www.sciopen.com/article/10.26599/TST.2024.9010028)