Fact-checked by Grok 2 weeks ago

RSA numbers

RSA numbers are a set of large integers, each the product of exactly two distinct prime factors of roughly equal size, created specifically for the to test the computational difficulty of . These numbers, ranging from 100 digits (RSA-100) to about 620 digits (such as RSA-2048), were published by RSA Laboratories beginning in March 1991 as a public contest to encourage advances in factoring algorithms and to evaluate the practical security of the public-key , which relies on the of factoring such semiprimes for its strength. The challenge offered escalating cash prizes—from $1,000 for RSA-100 up to $200,000 for the largest like RSA-2048 (with $100,000 for RSA-1024)—awarded to the first individuals or teams to fully factor each number into its primes, fostering global collaboration among cryptographers and mathematicians. Over the years, many numbers were successfully factored using increasingly efficient methods like the general number field sieve, with notable milestones including RSA-129 (factored in 1994 after eight months of distributed computation), RSA-155 (1999, using 300 workstations), and RSA-768 (2009, a 232-digit number requiring over 2,000 CPU-years of effort). These factorizations highlighted exponential improvements in factoring capabilities, informing key length recommendations for (e.g., 2048 bits or more for long-term ). However, larger challenges like RSA-1024 remain unfactored as of November 2025, underscoring the ongoing viability of sufficiently large RSA moduli against classical computing attacks. The was discontinued in 2007 by RSA Laboratories, which noted that the cryptographic community had achieved a more advanced understanding of factoring threats, making the contest's original goals—such as benchmarking algorithm progress—less aligned with current needs. Despite its end, the legacy of the RSA numbers endures in cryptographic research, serving as benchmarks for new factoring techniques and influencing standards from organizations like NIST, while also motivating studies into quantum-resistant alternatives amid emerging threats from algorithms like Shor's.

Introduction

Definition and Properties

RSA numbers constitute a collection of 54 specific semiprimes, each defined as the product of exactly two distinct large prime numbers and published by Laboratories for cryptographic evaluation purposes. These numbers are denoted as RSA-n, where for smaller numbers n approximates the number of digits (ranging from 100 to ), and for larger numbers n indicates the approximate (from 512 to 2048 bits, corresponding to roughly 155 to 617 digits), in increments designed to test escalating computational challenges; for instance, RSA-100 possesses precisely 100 digits. Unlike arbitrary semiprimes, which may arise from primes of disparate magnitudes, RSA numbers were deliberately selected to embody challenging instances tailored for assessing algorithms. Each RSA number N satisfies the equation N = p \times q, where p and q are distinct primes chosen to be of roughly equal , approximately \log_2 N / 2 bits each, thereby balancing the factors to heighten resistance against . This construction ensures \log_{10} N \approx n for the decimal-labeled numbers, aligning the label n with the decimal magnitude of N. Such balanced semiprimes optimize difficulty for the general number field sieve (GNFS), the predominant for factoring large composites, as the complexity scales subexponentially with the size of N and is exacerbated when the prime factors are comparably sized. The curation of these distinguishes them from general semiprimes by prioritizing maximal hardness over randomness, focusing on configurations that mirror the moduli used in practical cryptosystems.

Purpose and Significance

The , through its selection of specially constructed semiprime numbers known as RSA numbers, served to benchmark advancements in by inviting global researchers to attempt their , thereby underscoring the computational infeasibility of breaking large semiprimes that underpin the security of for practical key sizes. This public contest, initiated by RSA Laboratories, not only stimulated collaborative efforts in algorithm development but also provided that factoring numbers with hundreds of digits remains prohibitively expensive with classical computing resources, reinforcing the viability of for secure communications. The significance of these challenges is evident in the measured progress of factoring capabilities over time, which has directly informed recommendations for RSA key lengths in cryptographic standards. For instance, the 100-digit RSA-100 was factored in mere days using early methods in , whereas the 250-digit RSA-250 required approximately 2700 core-years of computation on modern hardware and was only solved in 2020, illustrating in difficulty that supports the continued security of 2048-bit RSA keys against classical attacks as of 2025. As of 2025, 23 of the 54 RSA challenge numbers have been factored using classical methods, with no new records achieved since RSA-250, highlighting the plateau in classical factoring efficiency for larger instances. Beyond benchmarking, the challenge profoundly impacted the evolution of factoring algorithms, particularly driving refinements to the General Number Field Sieve (GNFS), the state-of-the-art method for large-integer , through iterative improvements tested on these targets. This progress influenced cryptographic guidelines, such as those from NIST, which continue to endorse 2048-bit moduli for applications requiring security through at least 2030, while also spurring post-challenge into classical-quantum threats. The enduring legacy of the RSA numbers persists in ongoing efforts to assess encryption resilience, even amid advancing capabilities that pose long-term risks to 's foundational hardness assumption.

History of the RSA Factoring Challenge

Origins in 1977

In 1977, Ronald Rivest, , and , working at , developed the public-key cryptosystem and sought to illustrate its security against factoring attacks by creating a practical challenge. They generated a 129-digit , later designated RSA-129, by multiplying two large primes using computational resources available on early computers such as the PDP-10. To publicize the challenge, they encrypted the message "The magic words are Squeamish Ossifrage" with this and provided the along with the public exponent in Martin Gardner's "Mathematical Games" column in the August 1977 issue of . This publication served as the debut of the method to a broader audience and posed the problem of factoring RSA-129 to decrypt the message, estimating that it would require millions of years with 1977-era technology. The challenge was part of the trio's effort to demonstrate the one-way nature of the algorithm, where encryption is straightforward but decryption without the private key—derived from factoring the semiprime—remains computationally infeasible for sufficiently large numbers. Rivest, Shamir, and Adleman had formalized their approach in an internal memorandum dated April 4, 1977, which they shared with Gardner, leading to the feature. Although they generated RSA-129 specifically for this demonstration, it marked the origin of what would become a series of factoring challenges, with only this 129-digit example publicized at the time to emphasize the cryptosystem's robustness. RSA-129 withstood attempts at factorization for 17 years, underscoring the initial security claims, until a breakthrough in April 1994. A distributed team including Derek Atkins, Arjen Lenstra, and others employed the multiple polynomial quadratic sieve algorithm across roughly 1,600 workstations connected via the early , completing the factorization after about eight months of coordinated effort. This achievement not only revealed the hidden message but also highlighted the evolving capabilities of collaborative computing in research.

Launch and Evolution (1991–2007)

The was formally launched on March 18, 1991, by RSA Laboratories to encourage research into and assess the security implications of for . The initial setup published a list of 42 numbers, designated RSA-100, RSA-110, ..., RSA-500, along with RSA-617, where the labels indicated the approximate number of decimal digits, and cash prizes were offered to incentivize solutions. The challenge evolved over the subsequent years to incorporate larger numbers as factoring techniques and computational resources advanced, ensuring it remained a relevant for cryptographic strength. In , additional landmark numbers such as RSA-160 were added to the list, followed by expansions including RSA-576 and progressing to RSA-1024 by the early . Prizes were structured to scale with the difficulty, offering $100 for factoring RSA-100 and escalating to $200,000 for the 1024-bit RSA-1024. Operational rules required that proposed factors be submitted to [email protected] for verification by RSA Laboratories, with successful solutions confirmed through independent checks to ensure validity. Quantum-based factoring methods were not initially considered viable, given their theoretical stage and lack of practical implementation during this period. By 2007, the challenge had expanded to encompass 54 numbers in total, incorporating non-consecutive sizes such as RSA-768 to better align with evolving key length standards in cryptography.

Discontinuation and Legacy

In April 2007, RSA Security discontinued the formal , citing the industry's considerably more advanced understanding of the cryptanalytic threats to RSA encryption as rendering the contest obsolete, alongside a strategic shift toward commercial priorities. While no new prizes were offered thereafter, the organization continued to accept and verify submitted factorizations for the purpose of maintaining records on progress. The challenge's legacy endures in its profound influence on cryptographic research, particularly through advancements in the General Number Field Sieve (GNFS) algorithm, which became the gold standard for factoring large semiprimes during and after the contest's active phase. These developments, driven by competitive efforts to solve the posted numbers, provided critical benchmarks for assessing the practical security of -based systems and informed the broader transition to quantum-resistant cryptography. For instance, the demonstrated progress in classical factoring underscored the vulnerability of RSA to future quantum algorithms like Shor's, accelerating initiatives such as the project, which finalized initial standards in 2024 to replace factoring-dependent schemes. Even after discontinuation, the RSA numbers inspired continued private and collaborative factorization attempts, with two notable post-2007 successes: the 232-digit , factored in 2009 using an optimized GNFS implementation across resources, and the 250-digit RSA-250, completed in February 2020 via the open-source CADO-NFS software on high-performance clusters. As of 2025, claims—such as a 2024 report of factoring a general 2048-bit RSA using D-Wave's hardware—remain unverified for specific challenge instances like RSA-2048, with experts emphasizing that no scalable, general-purpose quantum breakthrough has materialized. Community-driven efforts persist through dedicated platforms like the Mersenne Forum, where open-source tools such as msieve enable ongoing experimentation and collaboration on large-integer .

Mathematical Background

Semiprimes in Cryptography

Semiprimes play a central role in the RSA cryptosystem, where the security hinges on the computational difficulty of factoring a large semiprime N into its two prime factors p and q. The RSA algorithm, developed by Rivest, Shamir, and Adleman, is an asymmetric encryption scheme that uses a public key (e, N) for encryption and a private key d for decryption. To generate the keys, two large primes p and q are selected such that N = p \times q, and the public exponent e is chosen to be coprime to Euler's totient function \phi(N) = (p-1)(q-1). The private exponent d is then computed as the modular inverse of e modulo \phi(N), satisfying d \cdot e \equiv 1 \pmod{\phi(N)}. The encryption of a message m is performed as c = m^e \mod N, and decryption recovers m = c^d \mod N, relying on the (or when \gcd(m, N) = 1), ensuring the congruence holds for $0 \leq m < N. For semiprimes specifically, p and q are chosen to be large primes of approximately equal to maximize the factoring difficulty; if one prime is significantly smaller, trial division could efficiently reveal it, while unequal sizes make more effective by exploiting the difference |p - q|. The totient \phi(N) is crucial for key computation but kept secret, as knowing it would allow solving for p and q via the quadratic equation derived from \phi(N) = (p-1)(q-1) = N - p - q + 1. The overall security of RSA rests on the hardness of factoring such balanced semiprimes, with the most efficient classical method being the general number field sieve (GNFS). The heuristic asymptotic complexity of GNFS for factoring an N-bit semiprime is O\left(\exp\left(c (\log N)^{1/3} (\log \log N)^{2/3}\right)\right), where c = (64/9)^{1/3} \approx 1.923, making it infeasible for sufficiently large N (e.g., 2048 bits or more) with current computational resources.

Generation of RSA Numbers

The RSA numbers for the factoring were created by selecting two large prime numbers p and q of approximately equal at random and computing their product N = p \times q to form a . This method ensures N is a challenging instance for algorithms, as the primes are balanced with |p - q| kept relatively small compared to their magnitude. In the early days of RSA development, such as for the 1977 example , primes were generated using custom software with early probabilistic primality testing methods, such as the Solovay-Strassen test. By the time the formal launched in 1991, generation relied on probabilistic primality tests, such as the Miller-Rabin algorithm, which provide high confidence (error probability less than $2^{-100}) in identifying primes efficiently for numbers up to hundreds of digits. These tests involve repeated witness checks to verify compositeness or probable primality without exhaustive division. The 1991 challenge numbers, ranging from RSA-100 to RSA-500, were produced using RSA Data Security's RSA DSP product—a PC-compatible hardware board featuring a DSP chip for accelerated computations. This tool generated the primes randomly and verified their primality probabilistically, completing the entire set in just 30 minutes; the primes were specifically chosen congruent to 2 modulo 3 to support encryption with public exponent 3. To maintain secrecy, the factors were discarded immediately after multiplication, with no records kept even by RSA Laboratories, ensuring the challenge's integrity. The numbers were designed as "hard" cases, avoiding special forms like Fermat numbers or those with small or smooth factors that could ease . Upon submission of purported factors for a solved RSA number, RSA Laboratories verified primality using rigorous probabilistic or deterministic methods before awarding prizes, confirming the product equaled the challenge number. The full list of challenge numbers was published in decimal form in 1991 to standardize the problems and facilitate global participation.

Factored RSA Numbers (100–250 Digits)

RSA-100

RSA-100 is the smallest number in the , consisting of 100 decimal digits and equivalent to a 330-bit . Its full decimal value is: 
1522605027922533360535618378132637429718068114961380688657908494580122963258952897654000350692006139
The was launched by RSA Laboratories in March 1991 to promote advances in . RSA-100 was the first number in this formal challenge to be successfully factored, earning a prize of $100 under the challenge's reward structure. The factorization of RSA-100 was announced on April 1, 1991, by Arjen K. Lenstra using the algorithm. This computation, performed on a , reportedly required only a few days of runtime. The prime factors are:
  • p = 37975227936943673922808872755445627854565536638199
  • q = 40094690950920881030683735292761468389214899724061
where n = p × q.

RSA-110

RSA-110 is a 110-digit number generated as part of the to test the difficulty of for cryptographic purposes. Its full decimal value is: 
35794234179725868774991807832568455403003778024228226193532908190484670252364677411513516111204504060317568667
This number was designed to be the product of two large prime numbers of roughly equal size, making it resistant to known factoring methods at the time of its publication in 1991. The factorization of RSA-110 was completed in April 1992 by Arjen K. Lenstra and Mark S. Manasse using the multiple polynomial quadratic sieve (MPQS) algorithm, a variant of the quadratic sieve that employs several polynomials to optimize the sieving phase. The computation required approximately one month of effort on a distributed network of workstations coordinated via electronic mail, marking an early example of large-scale distributed computing for factorization. The prime factors are:
  • Smaller prime: 1642968817386096924230411099713335315203099899839921
  • Larger prime: 2179836019895099689627535814410170495145499987151907
Their product yields the original semiprime, confirming the complete factorization. This achievement earned the team a prize from RSA Laboratories under the challenge's reward structure and demonstrated the practicality of MPQS for numbers up to about 110 digits, paving the way for factoring larger RSA challenge numbers. The success of this factorization highlighted the evolution of sieving methods in the quadratic sieve family, where the use of multiple polynomials significantly reduced the computational overhead compared to single-polynomial variants.

RSA-120

RSA-120 is a 120-digit constructed as the product of two roughly equal-sized primes for the to test the difficulty of .
Its full decimal value is: 
227010481295437363334259960947493668895875336466084780038173258247009162675779735389791151574049166747880487470296548479
The number was successfully factored on , , by a team including Thomas Denny, Bruce Dodson, Arjen K. Lenstra, and Mark S. Manasse, marking a significant milestone in practical large-scale factorization efforts. The factorization utilized the algorithm, implemented across distributed workstations at institutions such as the University of , , Bellcore, DEC Systems Research Center, and the Centrum voor Wiskunde en Informatica, along with Bellcore's MasPar computer. The complete prime factors are:
  • Smaller factor: 327414555693498015751146303749141488063642403240171463406883 (60 digits)
  • Larger factor: 693342667110830181197325401899700641361965863127336680673013 (60 digits)
These can be verified as [p](/page/P′′) \times [q](/page/Q) = RSA-120. The effort required approximately three months of wall-clock time and equated to roughly 825 MIPS-years of computational power, highlighting the scalability of the for semiprimes around 400 bits in length at the time. This achievement built on prior factorizations, such as that of RSA-110, by optimizing sieving, linear algebra, and dependency searches across heterogeneous hardware.

RSA-129

RSA-129 is a 129-digit number that served as an early challenge in , published in August 1977 by in to illustrate the RSA algorithm's security. The number was generated by Rivest, Shamir, and Adleman as the product of two large primes and used to encrypt a short message, with the claim that factoring it would require an impractically long time using 1977-era technology—estimated at 40 quadrillion years. The full decimal representation of RSA-129 is: 
114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541
In April 1994, exactly 17 years after its publication, RSA-129 was factored through a massive effort coordinated by Derek Atkins, , and Joe Silverman, involving over 600 volunteers from more than 20 countries who contributed from approximately 1,600 machines. The factorization employed the double large prime variation of the multiple polynomial (MPQS) , with the sieving phase alone requiring about 5000 MIPS-years of computation over 8 months, followed by 45 hours of matrix reduction on a 16K MasPar MP-1 . The resulting prime factors are: 
p = 3490529510847650949147849619903898133417764638493387843990820577 (64 digits)
q = 32769132993266709549961988190834461413177642967992942539798288533 (65 digits)
No formal prize was awarded for this factorization, as RSA-129 predated the official RSA Factoring Challenge launched in 1991.

RSA-130

RSA-130 is a 130-digit semiprime number generated as part of the RSA Factoring Challenge to test the limits of integer factorization algorithms. The number is: 
1807082088687404805951656164405905566278102516769401349170127021450056662540244048387341127590812303371781887966563182013214880557
```[](https://t5k.org/notes/rsa130.html)

This [semiprime](/page/Semiprime) was factored on April 10, 1996, by a team led by Paul Leyland using the general number field sieve (GNFS).[](https://t5k.org/notes/rsa130.html) The prime factors are:
39685999459597454290161126162883786067576449112810064832555157243 

and
45534498646735972188403686897274408864356301263205069600999044599 

The factorization effort required approximately three months of computation on 100 workstations, highlighting the growing feasibility of [GNFS](/page/GNFS) for large-scale [semiprime](/page/Semiprime)s at the time.[](https://t5k.org/notes/rsa130.html) This achievement marked an early maturation of the [GNFS](/page/GNFS) method for numbers of this size.[](https://t5k.org/notes/rsa130.html)

### RSA-140

RSA-140 is a 140-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), published by RSA Laboratories in 1991 to demonstrate the difficulty of factoring large semiprimes in [public-key cryptography](/page/Public-key_cryptography). The number is given by:
21290246318258757547497882016271517497806703963277216278233383215381949984056497895911366573853021918316783107387995317230889569230873441936471 

This challenge number was fully factored on February 2, 1999, by an international team led by Herman te Riele at the Centrum Wiskunde & Informatica (CWI) in the Netherlands. The team consisted of Stefania Cavallar, Bruce Dodson, Arjen Lenstra, Paul Leyland, Walter Lioen, Peter L. Montgomery, Brian Murphy, and Paul Zimmermann. They employed the General Number Field Sieve (GNFS), the most advanced method available at the time for factoring large composite numbers without special form.[](https://ir.cwi.nl/pub/10352/10352D.pdf)

The prime factors of RSA-140 are:

- $ p = 3398717423028438554530123627613875835633986495969597423490929302771479 $

- $ q = 6264200187401285096151654948264442219302037178623509019111660653946049 $

These 70-digit primes were discovered after an extensive sieving phase and linear algebra [computation](/page/Computation), marking a new record for the largest general [integer](/page/Integer) factored using GNFS at that time. The effort required approximately 8.9 CPU-years on various workstations and PCs, equivalent to about 2000 MIPS-years of computational power, highlighting the escalating resources needed for factoring as [RSA](/page/RSA) challenge sizes increased.[](https://ir.cwi.nl/pub/10352/10352D.pdf)

### RSA-150

RSA-150 is a 150-digit [semiprime](/page/Semiprime) composed of two distinct prime factors, generated by [RSA](/page/RSA) Laboratories as part of their factoring challenge to test the difficulty of [integer factorization](/page/Integer_factorization) relevant to [public-key cryptography](/page/Public-key_cryptography). Its full decimal value is:
155089812478348440509606754370011861770654545830995430655466945774312632703463465954363335027577729025391453996787414027003501631772186840890795964683 

This number was factored on April 16, [2004](/page/2004), by Kazumaro Aoki, Yasumasa Kida, and colleagues using the general number field sieve (GNFS) algorithm, specifically employing a lattice sieve for relation collection.[](https://eprint.iacr.org/2004/095.pdf) The computation utilized [Pentium 4](/page/Pentium_4) processors running at 2.53 GHz under [FreeBSD](/page/FreeBSD), with sieving efforts scaled to equivalent time on a single machine totaling approximately 20.6 million seconds (about 238 days or 7.8 months).[](https://eprint.iacr.org/2004/095.pdf) The linear algebra phase, performed with the Block Lanczos method on 16 such PCs, required an additional 101 hours and 31 minutes.[](https://eprint.iacr.org/2004/095.pdf)

The two 75-digit prime factors are:

- 348009867102283695483970451047593424831012817350385456889559637548278410717
- 445647744903640741533241125787086176005442536297766153493419724532460296199

Their product verifies as [RSA-150](/page/RSA-150).[](https://eprint.iacr.org/2004/095.pdf) This factorization, achieved years after larger RSA numbers like [RSA-155](/page/RSA-155), underscored the advancing practicality of [GNFS](/page/GNFS) for numbers around 500 bits while still requiring substantial but accessible computational effort.[](https://mathworld.wolfram.com/RSANumber.html)

### RSA-155

RSA-155 is a 155-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the security of [RSA](/page/RSA) [encryption](/page/Encryption) against [integer factorization](/page/Integer_factorization) attacks. The full decimal value of RSA-155 is:

10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897

This number, equivalent to 512 bits in length, was designed to represent a challenging yet feasible target for contemporary factoring algorithms at the time of its publication.[](https://ir.cwi.nl/pub/10351/10351D.pdf)

The factorization of RSA-155 was completed on August 22, 1999, by a collaborative team associated with the Cunningham project, led by Herman te Riele at the Centrum Wiskunde & Informatica (CWI) in the [Netherlands](/page/Netherlands).[](https://ir.cwi.nl/pub/10351/10351D.pdf) The effort utilized the General Number Field Sieve (GNFS), the most advanced method available for factoring large semiprimes, involving polynomial selection, sieving for relations, linear algebra over finite fields, and square root computation.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The team consisted of researchers including Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter Lioen, Peter L. Montgomery, Brian Murphy, and others from institutions across [Europe](/page/Europe) and [North America](/page/North_America).[](https://ir.cwi.nl/pub/10351/10351D.pdf) This distributed computation spanned approximately 5.5 calendar months, with sieving performed on around 300 workstations and PCs at 12 sites in six countries, highlighting the influence of coordinated volunteer and institutional [distributed computing](/page/Distributed_computing) projects on large-scale cryptographic challenges.[](https://ir.cwi.nl/pub/10351/10351D.pdf)

The complete factorization yielded two prime factors of roughly equal length:  
$p = 102639592829741105772054196573991675900716567808038066803341933521790711307779$  
$q = 106603488380168454820927220360012878679207958575989291522270608237193062808643$  
Verification confirms that $p \times q$ equals RSA-155.[](https://ir.cwi.nl/pub/10351/10351D.pdf) The total computational effort required approximately 8400 MIPS-years, a measure reflecting the scale of processing power equivalent to thousands of MIPS (millions of [instructions per second](/page/Instructions_per_second)) machines running for a year, underscoring the significant resources needed even for this size in 1999.[](https://ir.cwi.nl/pub/10351/10351D.pdf) This achievement demonstrated the practical vulnerability of 512-bit [RSA](/page/RSA) keys and influenced recommendations for increasing key sizes in cryptographic standards.[](https://ir.cwi.nl/pub/10351/10351D.pdf)

### RSA-160

RSA-160 is a 160-digit [semiprime](/page/Semiprime) generated by RSA Laboratories as part of their factoring challenge to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic applications. Its full decimal value is 2152741102718889701896015201312825429257773588845675980170497676778133145218859135673011059773491059602497907111585214302079314665202840140619946994927570407753.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

This number was successfully factored on April 1, 2003, by a team consisting of Frank Bahr, Jens Franke, Thorsten Kleinjung, Michael Lochter, and Martin Böhme from the [University of Bonn](/page/University_of_Bonn) and the Bundesamt für Sicherheit in der Informationstechnik (BSI).[](https://members.loria.fr/pzimmermann/records/factor-previous.html) The factorization employed the general number field sieve (GNFS), the state-of-the-art algorithm for factoring large semiprimes at the time, involving extensive sieving on approximately 100 CPUs at BSI followed by linear algebra steps on a cluster of 25 processors at the [University of Bonn](/page/University_of_Bonn).[](https://members.loria.fr/pzimmermann/records/factor-previous.html)

The two prime factors are 45427892858481394071686190649738831656137145778469793250959984709250004157335359 and 47388090603832016196633832303788951973268922921040957944741354648812028493909367.[](https://www.cs.unibo.it/~babaoglu/courses/security/lucidi/pdf/critto-RSA.pdf) This achievement demonstrated continued [acceleration](/page/Acceleration) in factoring capabilities during the mid-2000s, building on prior successes like RSA-155 four years earlier.[](https://members.loria.fr/pzimmermann/records/factor-previous.html)

### RSA-170

RSA-170 is a 170-digit [semiprime](/page/Semiprime) composed of two distinct prime factors, originally published as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. The number is:
26062623684139844921529879266674432197085925380486406416164785191859999628542069361450283931914514618683512198164805919882053057222974116478065095809832377336510711545759 

This value was generated by RSA Laboratories in the early [1990s](/page/1990s), with a checksum of 463921 to verify [integrity](/page/Integrity) during [transmission](/page/Transmission).[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d)

The factorization of RSA-170 was completed on December 29, 2009, by researchers Dominik Bonenberger and Martin Krone at Ostfalia University of Applied Sciences (Fachhochschule [Braunschweig](/page/Braunschweig)/Wolfenbüttel) using the general number field sieve ([GNFS](/page/Algorithm)) algorithm.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) The effort took approximately six weeks of computation, marking it as the smallest remaining unfactored challenge number from the original list at the time.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170) Polynomial selection—a critical and computationally intensive phase of GNFS—was uniquely performed entirely on a [graphics processing unit](/page/Graphics_processing_unit) ([GPU](/page/Hardware_acceleration)), demonstrating early [integration](/page/Integration) of consumer-grade hardware acceleration in large-scale [factorization](/page/Factorization).[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170)

RSA-170 factors into two primes, each with 85 decimal digits, as detailed in the original publication.[](https://www.researchgate.net/publication/228392310_Factorization_of_RSA-170)

This achievement underscored advances in accessible computing for cryptographic research, as the computation relied on standard PCs augmented with GPU support rather than specialized supercomputers.[](https://eprint.iacr.org/2010/270.pdf)

### RSA-180

RSA-180 is a 180-digit semiprime number published by RSA Laboratories as part of their factoring challenge to test the security of RSA encryption. Its full decimal value is:
191147927718986609689229466631454649812986246276667354864188503638807260703436799058776201365135161278134258296128109200046702912984568752800330221777752773957404540495707851421041 

This number was factored into its two prime components using the general number field sieve (GNFS) algorithm, the most efficient known method for factoring large semiprimes at the time. The factorization was completed on May 9, 2010, by Sergei A. Danilov and Igor A. Popovyan from [Moscow State University](/page/Moscow_State_University).[](https://eprint.iacr.org/2010/270)

The prime factors are:

- Smaller prime: 400780082329750877952581339104100572526829317815807176564882178998497572771950624613470377 (90 digits)  
- Larger prime: 476939688738611836995535477357070857939902076027788232031989775824606225595773435668861833 (90 digits)  

Verification confirms their product equals RSA-180.[](https://eprint.iacr.org/2010/270)

The computation relied on [open-source software](/page/Open-source_software), including the GGNFS suite for sieving and msieve for linear algebra and [square root](/page/Square_root) steps. It was performed across two platforms: 24 virtual processors on three [Intel Core](/page/Intel_Core) i7 4 GHz PCs (each with 6 GB RAM) and 100 virtual processors on the SKIF MSU "Chebyshev" supercomputer. The total effort spanned approximately three months, starting in [January](/page/January) 2010 following the factorization of RSA-170, with polynomial selection taking 12–13 days, sieving 26–63 days, linear algebra 24–33 days, and [square root](/page/Square_root) extraction 10–19 hours per platform. This demonstrated that mid-sized RSA challenges could be solved affordably using commodity hardware and free tools, at an estimated cost of around &#36;3,000 for equivalent processing power.[](https://eprint.iacr.org/2010/270)

### RSA-190

RSA-190 is a 190-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes. The full [decimal](/page/Decimal) value is 1907556405060696491061450432646028861081179759533184460647975622318915025587184175754054976155121593293492260464152630093238509246603207417124726121580858185985938946945490481721756401423481.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

This number was factored on November 8, 2010, by Igor A. Popovyan from [Moscow State University](/page/Moscow_State_University), [Russia](/page/Russia), and Alexei Timofeev from the Centrum Wiskunde & Informatica (CWI), [Netherlands](/page/Netherlands), using the general number field sieve (GNFS) [algorithm](/page/Algorithm).[](https://mersenneforum.org/showthread.php?t=14177) The factorization effort took several months of [computation](/page/Computation) on a cluster of personal computers, marking an achievement in [distributed computing](/page/Distributed_computing) for large-scale [number theory](/page/Number_theory) problems during the early [2010s](/page/2010s).[](https://shi-bai.github.io/factor/rsa190.html)

The prime factors of RSA-190 are two large primes of approximately equal size: one with 314 bits (94 decimal digits) and the other with 315 bits (95 decimal digits), confirming its structure as a product suitable for [RSA](/page/RSA) encryption challenges. This factorization contributed to advancing records in the early [2000s](/page/2000s) era of GNFS implementations, though subsequent efforts focused on even larger composites.[](https://crypto.stackexchange.com/questions/117954/are-most-rsa-integers-unbalanced)

### RSA-200

RSA-200 is a 200-decimal-digit [semiprime](/page/Semiprime) [integer](/page/Integer) constructed as the product of two 100-digit primes, published by [RSA](/page/RSA) Laboratories in [1991](/page/1991) as part of their factoring challenge to advance research in [computational number theory](/page/Computational_number_theory). Its full decimal value is:
27997833911221327870829467638722601621070446786955428537560009929326128400107609345671052955360856061822351910951365788637105954482006576775098580557613579098734950144178663178946295187237869221823983 

[](https://mathworld.wolfram.com/news/2005-05-10/rsa-200/)

This number was factored on May 9, 2005, by a team led by Jens Franke from the [University of Bonn](/page/University_of_Bonn) and the Max Planck Institute for Computer Science, in collaboration with Friedrich Bahr and Martin Böhm from the German Federal Agency for Information Technology Security (BSI), Thorsten Kleinjung, and contributors Peter L. Montgomery and Herman te Riele from the Centrum Wiskunde & Informatica (CWI) in [Amsterdam](/page/Amsterdam). The factorization employed the general number field sieve (GNFS), the state-of-the-art algorithm for factoring large semiprimes at the time, involving phases of polynomial selection, sieving for relations, and linear algebra over finite fields.[](http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf)

The two prime factors are:

- $ p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349 $
- $ q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467 $

Verification confirms $ p \times q $ equals RSA-200. The effort demanded approximately 75 years of computation on a single 2.2 GHz [AMD](/page/AMD) [Opteron](/page/Opteron) CPU, with the sieving phase requiring an estimated 55 CPU-years using [lattice](/page/Lattice) and line sieving techniques across distributed resources, and the matrix-step linear [algebra](/page/Algebra) consuming 3 months on a dedicated [cluster](/page/Cluster) of 80 such processors. This marked a significant advancement in large-scale [integer factorization](/page/Integer_factorization), highlighting the scalability of GNFS through collaborative computing.[](https://mathworld.wolfram.com/news/2005-05-10/rsa-200/)[](http://www.hyperelliptic.org/tanja/SHARCS/talks06/Jens_Franke.pdf)

### RSA-210

RSA-210 is a [semiprime](/page/Semiprime) with exactly 210 [decimal](/page/Decimal) digits, constructed as the product of two large prime numbers as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) issued by RSA Laboratories to advance research in [integer factorization](/page/Integer_factorization). The full [decimal](/page/Decimal) value of RSA-210 is:

245246644900278211976517663573088018467026787678332759743414451715061600830038587216952208399332071549103626827191679864079776723243005600592035631246561218465817904100131859299619933817012149335034875870551067[](https://gitlab.inria.fr/cado-nfs/cado-nfs/-/raw/master/parameters/polynomials/rsa210.poly)

This number corresponds to 696 bits in length and was designed to test the limits of [factorization](/page/Factorization) algorithms at the time of its publication.

RSA-210 was successfully factored on September 26, 2013, by Ryan Propper, marking a significant [achievement](/page/Achievement) in the challenge. The [factorization](/page/Factorization) employed the general number field [sieve](/page/Sieve) (GNFS), the leading [algorithm](/page/Algorithm) for factoring large [semiprimes](/page/Semiprime), implemented using software such as msieve and ggnfs.

The effort required approximately [one year](/page/One_Year) of dedicated computation on institutional resources, highlighting the resource-intensive nature of GNFS for numbers of this size and the optimizations in polynomial selection and sieving that made it feasible.[](https://www.mersenneforum.org/showpost.php?p=354259) The prime factors, both approximately 105 digits long, were announced in Propper's report on the Mersenne forum, confirming the complete breakdown of the [semiprime](/page/Semiprime).[](https://www.mersenneforum.org/showpost.php?p=354259)

### RSA-220

RSA-220 is a 220-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed to test the limits of [integer factorization](/page/Integer_factorization) algorithms. It consists of the product of two distinct prime numbers, each approximately 110 digits long, and was published by RSA Laboratories in [1991](/page/1991) as part of their effort to advance [computational number theory](/page/Computational_number_theory). The full [decimal representation](/page/Decimal_representation) of RSA-220 is:
226013852620340578494165404861019751350803891571977671832119776810944564181796667660859312130658257750631562886676970448070001811149711863002112487928199487482066070131066586646083327982803560379205391980139946496955261 

The [factorization](/page/Factorization) of RSA-220 was announced on May 10, 2016, by a team including Shi Bai, Pierrick Gaudry, Alexander Kruppa, Emmanuel Thomé, and Paul Zimmermann, marking it as the third-largest integer factored using the general number field sieve (GNFS) at the time. They employed the CADO-NFS software suite, an open-source implementation of GNFS optimized for large-scale computations. The sieving phase alone required approximately 370 CPU-years on 2 GHz [Intel](/page/Intel) [Xeon](/page/Xeon) E5-2650 processors, highlighting the significant computational resources needed for such a task.

The prime factors are:

- $ p = 68636564122675662743823714992884378001308422399791648446212449933215410614414642667938213644208420192054999687 $

- $ q = 32929074394863498120493015492129352919164551965362339524626860511692903493094652333824866390738191765712603 $

These factors were verified to multiply to the original RSA-220 number, confirming the successful [factorization](/page/Factorization).

### RSA-230

RSA-230 is a 230-digit [semiprime](/page/Semiprime) from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed as the product of two distinct prime numbers each with 115 decimal digits. The number is:
17969491597941066732916128449573246156367561808012600070888918835531726460341490933493372247868650755230855864199929221814436684722874052065257937495694348389263171152522525654410980819170611742509702440718010364831638288518852689 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-04-en.pdf)

This challenge number was successfully factored on August 15, 2018, by Samuel S. Gross at [Noblis](/page/Noblis), Inc., employing the general number field sieve (GNFS) via the Cado-NFS software suite. The computation leveraged contributions from the Cado-NFS development team and was performed on hardware at Noblis facilities in [Reston, Virginia](/page/Reston,_Virginia).[](https://sympa.inria.fr/sympa/arc/cado-nfs/2018-08/msg00001.html)[](https://www.researchgate.net/publication/351881092_The_Factorization_of_RSA230)

The resulting prime factors are:

- Smaller factor: 3968132623150957588532439049887341769533966621957829426966084093049516953598120833228447171744337427374763106901
- Larger factor: 4528450358010492026612439739120166758911246047493700040073956759261590397250033699357694507193523000343088601688589

Verification confirms that their product equals the original RSA-230 number.[](https://sympa.inria.fr/sympa/arc/cado-nfs/2018-08/msg00001.html)

### RSA-232

RSA-232 is a 232-digit [semiprime](/page/Semiprime) number selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization), equivalent to a 768-bit [RSA](/page/RSA) [modulus](/page/Modulus).[](https://eprint.iacr.org/2010/006.pdf) The full decimal expansion of RSA-232 is:
1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 

This number was generated as the product of two large prime numbers of approximately equal size, designed to resist efficient [factorization](/page/Factorization) and thereby highlight the [security](/page/Security) of [RSA](/page/RSA) [encryption](/page/Encryption) based on the hardness of this problem.[](https://eprint.iacr.org/2010/006.pdf)

Although the official [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) had been discontinued in 2006, RSA-232 was successfully factored on December 12, 2009, using the general number field sieve (GNFS) algorithm by an international team including Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, and others.[](https://eprint.iacr.org/2010/006.pdf) The computation required the equivalent of approximately 2000 core-years on a single 2.2 GHz [AMD](/page/AMD) [Opteron](/page/Opteron) processor, distributed across hundreds of machines over two years, marking a significant computational achievement and establishing a record for factoring a general [integer](/page/Integer) of this size at the time.[](https://eprint.iacr.org/2010/006.pdf) The prime factors are two large primes of approximately 116 decimal digits each, as detailed in the factorization report.[](https://eprint.iacr.org/2010/006.pdf)

Due to the challenge's prior discontinuation, no monetary prize was awarded, but the team received honorary recognition for advancing [the state of the art](/page/The_State_of_the_Art) in [factorization](/page/Factorization) methods and providing insights into the practical limits of [RSA](/page/RSA) key lengths.[](https://eprint.iacr.org/2010/006.pdf) This [factorization](/page/Factorization) demonstrated that 768-bit [RSA](/page/RSA) moduli were vulnerable to determined academic efforts, influencing recommendations to migrate to at least 1024-bit keys for cryptographic security.[](https://eprint.iacr.org/2010/006.pdf)

### RSA-240

RSA-240 is a 240-decimal-digit [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), designed as the product of two distinct primes of roughly equal length to test the limits of [integer factorization](/page/Integer_factorization) algorithms.[](https://eprint.iacr.org/2020/697) Its full decimal value is:
124620366781718784065835044608106590434820374651678805754818788883289666801188210855036039570272508747509864768438458621054865537970253930571891217684318286362846948405301614416430468066875699415246993185704183030512549594371372159029236099 

This number, equivalent to 795 bits in binary, served as a benchmark for the computational difficulty of factoring large semiprimes relevant to [public-key cryptography](/page/Public-key_cryptography).[](https://eprint.iacr.org/2020/697)

The factorization of RSA-240 was achieved in November 2019 by an international team consisting of Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann.[](https://eprint.iacr.org/2020/697) They employed the general number field sieve (GNFS), the state-of-the-art [algorithm](/page/Algorithm) for factoring large integers, marking it as a significant classical [computing](/page/Computing) record at the time.[](https://eprint.iacr.org/2020/697) The prime factors are:

- $ p = 509435952285839914555051023580843714132648382024111473186660296521821206469746700620316443478873837606252372049619334517 $

- $ q = 244624208838318150567813139024002896653802092578931401452041221336558477095178155258218897735030590669041302045908071447 $

Verification confirms that $ p \times q $ equals RSA-240.[](https://eprint.iacr.org/2020/697)

The effort required 900 core-years of computation on clusters of Intel Xeon Gold 6130 CPUs running at 2.1 GHz, with 794 core-years dedicated to collecting relations and 83 core-years to solving the linear algebra step using the block Wiedemann algorithm.[](https://eprint.iacr.org/2020/697) This workload utilized the CADO-NFS software suite and distributed sieving across multiple supercomputers, including those at INRIA and the University of Washington.[](https://eprint.iacr.org/2020/697)

### RSA-250

RSA-250 is a [semiprime](/page/Semiprime) [integer](/page/Integer) consisting of 250 [decimal](/page/Decimal) digits, constructed as the product of two large prime numbers for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by [RSA](/page/RSA) Laboratories in 1991. Its full [decimal](/page/Decimal) value is 214032465024074496126442307283933356300861471514475501779775492088141802344714013664334551909580467961099285187247091458768739626192155736304745477052085119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-07-en.pdf)

This 829-bit number was factored on February 28, 2020, by an international team including Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann, using the General Number Field Sieve (GNFS) algorithm implemented in the CADO-NFS software.[](https://caramba.loria.fr/rsa250.txt) The factorization yielded two prime factors, each with 125 decimal digits:  
$p = 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367$  
$q = 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711$.[](https://caramba.loria.fr/rsa250.txt)

The effort involved approximately 2700 core-years of computation, with 2450 core-years for sieving and 250 core-years for linear algebra, performed on clusters of Intel Xeon Gold 6130 processors at 2.1 GHz, utilizing resources from Grid'5000 and PRACE supercomputers.[](https://caramba.loria.fr/rsa250.txt) This achievement surpassed the prior record of factoring RSA-240 in 2019 and established a new benchmark for classical integer factorization of RSA challenge numbers.[](https://members.loria.fr/PZimmermann/records/factor.html)

As of November 2025, the [factorization](/page/Factorization) of RSA-250 remains the largest such record using classical algorithms.[](https://members.loria.fr/PZimmermann/records/factor.html)

## Unfactored RSA Numbers (260–500 Digits)

### RSA-260

RSA-260 is a [semiprime](/page/Semiprime) composed of two large prime [factors](/page/Factor), forming a [260](/page/2-6-0)-digit number from the original [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by [RSA](/page/RSA) Laboratories in 1991. The number is given by:
2211282552952966643528108525502623092761208950247001539441374831912882294140200198651272972656974659908590033031400051170742204560859276357953757185954298838958709229238491006703034124620545784566413664540684214361293017694020846391065875914794251435144458199 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-08-en.pdf)

This challenge number, like others in the series, was designed to test the practical limits of [integer factorization](/page/Integer_factorization) algorithms and assess the security of RSA-based cryptosystems. RSA-260 equates to approximately 862 bits in [length](/page/Length), placing it beyond the current [record](/page/Record) for classical [factorization](/page/Factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-08-en.pdf)

As of November 2025, RSA-260 remains unfactored, with no major public attempts reported since the successful [factorization](/page/Factorization) of the smaller RSA-250 in 2020. Following RSA-250, which required about 2,700 core-years of computation using the general number field sieve (GNFS), RSA-260 is estimated to demand over 10,000 core-years with state-of-the-art GNFS implementations due to its increased size.[](https://sympa.inria.fr/sympa/arc/cado-nfs/2020-02/msg00001.html)[](https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html)

### RSA-270

RSA-270 is a [semiprime](/page/Semiprime) integer consisting of exactly two distinct prime factors, constructed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. Its value in decimal form is:
233108530344407544527637656910680524145619812480305449042948611968495918245135782867888369318577116418213919268572658314913060672626911354027609793166341626693946596196427744273886601876896313468704059066746903123910748277606548649151920812699309766587514735456594993207 

This number spans 270 decimal digits and corresponds to approximately 893 bits in binary length.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-270 remains unfactored, with no publicly known decomposition into its prime components despite advances in the general number field sieve algorithm.[](https://members.loria.fr/PZimmermann/records/factor.html) Factoring it is projected to demand computational resources exceeding practical classical feasibility within current technological constraints, underscoring the escalating difficulty of semiprime factorization as key sizes increase.[](https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html)

The size of RSA-270 places it in a regime relevant to the security assessment of legacy [1024-bit](/page/1024) RSA keys, which typically involve moduli around 308 decimal digits ([1024](/page/1024) bits) and are now deprecated due to vulnerability to state-sponsored attacks. While smaller than [1024-bit](/page/1024) moduli, the unfactored status of RSA-270 illustrates persistent barriers in classical [computing](/page/Computing) for numbers approaching this scale, influencing transitions to [post-quantum cryptography](/page/Post-quantum_cryptography).

### RSA-280

RSA-280 is a [semiprime](/page/Semiprime) number consisting of 280 decimal digits, specifically the product of two large prime numbers, created by RSA Laboratories as part of their discontinued [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) This number serves as a mid-range challenge in the series of unfactored RSA numbers, highlighting the computational difficulty of factoring [semiprimes](/page/Semiprime) at this scale, which corresponds to approximately 928 bits and underscores ongoing [security](/page/Security) considerations for [RSA](/page/RSA)-based cryptosystems using keys around 1000 bits.

The full decimal representation of RSA-280 is:
1790707753365795418841729699379193276395981524363782327873718589639655966058578374254964039644910359346857311359948708984278578450069871685344678652553655035251602806563637363071753327728754995053415389279785107516999221971781597724733184279534477239566789173532366357270583106789 

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of 2025, RSA-280 remains unfactored, with no verified progress toward its complete factorization reported in the literature or computational records. Its persistence as an open challenge illustrates the practical infeasibility of factoring such numbers using classical computing resources available today, though advances in algorithms like the general number field sieve continue to push boundaries for similar sizes.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-280)

### RSA-290

RSA-290 is a [semiprime](/page/Semiprime) number consisting of the product of two large prime factors, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms. Its complete decimal expansion, which spans exactly 290 digits, is as follows:
30502351862940031577691995198949664002982179597487683486715266186733160876943419156362946151249328917515864630224371171221716993844781534383325603218163254920110064990807393285889718524383600251199650576597076902947432221039432760575157628357292075495937664206199565578681309135044121854119 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-12-en.pdf)

This number equates to approximately 960 bits in [binary](/page/Binary) length, providing a significant scale for assessing [factorization](/page/Factorization) difficulty.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d)

As of November 2025, RSA-290 remains unfactored, with no public record of its prime factors being discovered.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-12-en.pdf)[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d)

Factoring RSA-290 using the General Number Field Sieve (GNFS), the most advanced classical [algorithm](/page/Algorithm) for such tasks, would require computational resources that grow exponentially with the digit length, far exceeding current global capabilities and estimated to demand thousands of core-years on high-performance hardware even with optimized implementations.[](https://personal.math.vt.edu/brown/doc/briggs_gnfs_thesis.pdf)

This enduring challenge underscores the foundational security assumptions of [RSA](/page/RSA) [cryptography](/page/Cryptography) against classical attacks.

### RSA-300

RSA-300 is a 300-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), consisting of the product of two large prime numbers of approximately equal length.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf)

The full decimal representation of RSA-300 is:
27693155678034421390286890616472330922376083639839532540050367228093758247149473946190060218756255124317186573105075074546238828171212746300721613469564396741836389979086904304472476001839015983033451909174663464663867829125664459895575157178816900228792711267471958357574416714366499722090015674047 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf)

This number equates to approximately 995 bits in [binary](/page/Binary) length, symbolizing the [security](/page/Security) level of 1000-bit [RSA](/page/RSA) keys in cryptographic contexts.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf) As of November 2025, RSA-300 remains unfactored, with no public announcement of its prime factors despite advances in [factorization](/page/Factorization) algorithms.[](https://aiimpacts.org/progress-in-general-purpose-factoring/)

RSA-300 was included in the original set of challenges published by RSA Laboratories in [1991](/page/1991), with subsequent expansions of the challenge in [1997](/page/1997) and hosting by MysteryTwister in [2012](/page/2012) permitting continued pursuit of its [factorization](/page/Factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-13-en.pdf)[](https://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its unfactored status underscores the ongoing difficulty of factoring large semiprimes, serving as a [benchmark](/page/Benchmark) for [computational number theory](/page/Computational_number_theory) research.[](https://aiimpacts.org/progress-in-general-purpose-factoring/)

### RSA-309

RSA-309 is a 309-digit [semiprime](/page/Semiprime) number created as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to test the limits of [integer factorization](/page/Integer_factorization) algorithms. It is the product of two large primes of roughly equal [bit length](/page/Bit-length), totaling approximately [1024](/page/1024) bits, and serves as a [benchmark](/page/Benchmark) for [computational number theory](/page/Computational_number_theory) research. Unlike many challenge numbers with round digit counts, RSA-309's irregular 309-digit size highlights variations in the challenge set, making it unique among the listed RSA numbers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf)

This number remains unfactored, with no known complete [factorization](/page/Factorization) despite advances in methods like the general number field sieve. Its unfactored status underscores the practical difficulty of factoring large semiprimes, which underpins the security of [RSA](/page/RSA) cryptosystems. The challenge for RSA-309 was hosted by MysteryTwister C3 after RSA withdrew the official prizes in 2007, but the number continues to stand as an [open problem](/page/Open_problem).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf)

The full decimal representation of RSA-309 is:
133294399882575758380143779458803658621711224322668460285458826191727627667054255404674269333491950155273493343140718228407463573528003686665212740575911870128339157499072351179666739658503429931021985160714113146720277365006623692721807916355914275519065334791400296725853788916042959771420436564784273910949 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-14-en.pdf)

### RSA-310

RSA-310 is a 310-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to test the difficulty of [integer factorization](/page/Integer_factorization). It follows sequentially after RSA-309 in the series of unfactored RSA numbers within the 300-digit range.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

The full decimal value of RSA-310 is:
1848210397825850670380148517702559371400899745254512521925707445580334710601412527675708297932857843901388104766898429433126419139462696524583464983724651631481888473364151368736236317783587518465017087145416734026424615690611620116380982484120857688483676576094865930188367141388795454378671343386258291687641 

This number was added to the challenge on February 7, 1997.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-310 remains unfactored, with no known prime factors despite ongoing cryptographic research efforts.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-310)

### RSA-320

RSA-320 is a 320-digit [semiprime](/page/Semiprime) number, constructed as the product of two distinct prime factors each of roughly equal length, as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) launched by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization). The complete decimal expansion of RSA-320 is:
21368106964100717960120874145003772958637679383727933523150686203631965523578837094085435000951700943373838321997220564166302488321590128061531285010636857163897899811712284013921068534616772684717323224436400485097837112174432182703436548357540610175031371364893034379963672249152120447044722997996160892591129924218437 

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

This number remains unfactored as of November 2025, with the largest factored [RSA challenge](/page/RSA_Factoring_Challenge) number being [RSA-250](/page/RSA_Factoring_Challenge) in 2020.[](https://members.loria.fr/PZimmermann/records/factor.html)

[RSA-320](/page/RSA_Factoring_Challenge) is equivalent to approximately 1060 bits in [length](/page/Length).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

### [RSA-330](/page/RSA_Factoring_Challenge)

[RSA-330](/page/RSA_Factoring_Challenge) is a [semiprime](/page/Semiprime) consisting of the product of two large prime numbers, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization). It has exactly 330 [decimal](/page/Decimal) digits and corresponds to approximately 1,094 bits in [length](/page/Length).[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-18-en.pdf)

As of November 2025, RSA-330 remains unfactored, with no publicly announced complete prime factorization despite ongoing efforts in [computational number theory](/page/Computational_number_theory).

The full decimal value of RSA-330 is:
1218708633106058693138173980143325249157710686226055220408666600017481383238135245680242590355588072280526111079089882303717632638856140900933377863089063482816790040500611272743217217997642701713779260695142499528183938370835463646848392611493197684493965410209096652097898623126096049837099237793042170186244655244698696759267 

[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-18-en.pdf)

### RSA-340

RSA-340 is a 340-decimal-digit [semiprime](/page/Semiprime) number created by RSA Laboratories as part of their [1991](/page/1991) Factoring [Challenge](/page/Challenge) to promote advances in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization) algorithms.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) The challenge involved generating large composite numbers, each the product of two primes of roughly equal size, with RSA-340 specifically designed to test the limits of factoring techniques at the time, equivalent to approximately 1,128 bits in binary representation.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf)

The exact value of RSA-340 is:
269098706229469511199648465800836187593130873035749649023967242993321569499527585887712232633088366497151127567319979467796084132324069344335320488985859176676580752231563884394807622076177586625973975236127522811136600110415063000469112815210681204287228569773514510502696683064954000365992261839969427699046485739966698956947129133275233 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf)

As of the latest verified records, RSA-340 remains unfactored, making it one of the larger unsolved challenges from the original set of 54 numbers (ranging from 100 to 617 digits).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf) Its persistence as an open problem underscores the ongoing difficulty of factoring large semiprimes, with implications for the security of RSA-based cryptosystems relying on such hardness assumptions. No successful factorization has been publicly reported, despite the challenge's prizes being discontinued in 2006 and the remaining unsolved instances hosted by authorized parties like MysteryTwister.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-19-en.pdf)

### RSA-350

RSA-350 is a [semiprime](/page/Semiprime) with exactly 350 [decimal](/page/Decimal) digits, generated by RSA Laboratories as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to advance research in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization).

The complete decimal representation of RSA-350 is:
26507199951735394734498120973736811015297864642115831624674545482293445855043495841191504413349124560193160478146528433707807716865391982823061751419151606849655575049676468644737917071142487312863146816801954812702917123189212728868259282632393834443989482096498000219878377420094983472636679089765013603382322972552204068806061829535529820731640151 

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

This number remains unfactored as of November 2025, exceeding the current record for factored [RSA challenge numbers](/page/RSA_Factoring_Challenge), which stands at [RSA-250](/page/RSA) (250 digits) achieved in 2020 using the general number field sieve algorithm.[](https://eprint.iacr.org/2020/697)

### [RSA-360](/page/RSA)

[RSA-360](/page/RSA) is one of the [semiprime](/page/Semiprime) challenge numbers introduced as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) by RSA Laboratories to advance research in [integer factorization](/page/Integer_factorization). It consists of exactly 360 [decimal](/page/Decimal) digits and is the product of two distinct prime factors of comparable size, making it a significant [benchmark](/page/Benchmark) for [computational number theory](/page/Computational_number_theory).[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-21-en.pdf)

The full decimal expansion of RSA-360 is:
21868202023431726314664063722857926546491585648283840652171218663742277454487764963889680817334211643637752157994969516984539482486678141304751672197524005235057624723878512933800275740689262997074821273466378195217074591660916893583723599627878328022574217570113025262651842635656234268345652253987471761591019113926725623095606566457918240614767013806590649 

This number, equivalent to approximately 1,194 bits in [binary](/page/Binary), has not been factored to date, with the largest successfully factored RSA challenge number being RSA-250 (250 digits) as of November 2025.[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-21-en.pdf)

### RSA-370

RSA-370 is a [semiprime](/page/Semiprime) [integer](/page/Integer) from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), consisting of exactly 370 decimal digits and formed as the product of two large, distinct prime factors, each roughly half the bit length of the composite. It was generated in [1997](/page/1997) as part of a series of challenge numbers to test the limits of [integer factorization](/page/Integer_factorization) algorithms, with the primes selected to be congruent to 2 [modulo](/page/Modulo) 3 for added difficulty in certain methods. The number's [checksum](/page/Checksum) is 660901, verifying its integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

The complete decimal representation of RSA-370 is:
1888287707234383972842703127997127272470910519387718062380985523004987076701721281993726195254903980001896112258671262466144228850274568145436317048469073794495250347974943216943521462713202965796237266310948224934556725414915442700993152879235272779266578292207161032746297546080025793864030543617862620878802244305286292772467355603044265985905970622730682658082529621 

This value corresponds to approximately 1,227 bits, making it significantly larger than previously factored challenge numbers like RSA-250 (250 digits, factored in [2020](/page/2020)).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

RSA-370 remains unfactored as of 2025, consistent with the status of all RSA challenge numbers beyond 250 digits, where the largest solved is [RSA-250](/page/250) (250 digits). Its resistance to factorization underscores ongoing challenges in [computational number theory](/page/Computational_number_theory) and the security of [RSA](/page/RSA)-based [cryptography](/page/Cryptography) for key sizes up to around 1,000 bits.

### RSA-380

RSA-380 is a semiprime consisting of the product of two distinct prime numbers, each of roughly equal size, and was generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [computational number theory](/page/Computational_number_theory) and highlight the practical challenges of [integer factorization](/page/Integer_factorization) in [public-key cryptography](/page/Public-key_cryptography). The number has precisely 380 decimal digits and an approximate [bit length](/page/Bit-length) of 1,261, making it significantly larger than previously factored challenge numbers. Its full decimal value is:
30135004431202116003565860241012769924921679977958392035283632366105785657918270750937407901898070219843622821090980641477056850056514799336625349678549218794180711634478735831265177285887805862071748980072533360656419736316535822377792634235019526468475796787118257207337327341698664061454252865816657556977260763553328252421574633011335112031733393397168350585519524478541747311 

This value was computed using specialized hardware from [RSA Data Security](/page/Data_security) and published in the official challenge list.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-380 remains unfactored, with no verified discovery of its prime factors despite advances in algorithms like the general number field sieve. The largest RSA challenge number factored to date is RSA-250, achieved in [2020](/page/2020) by an international team using extensive computational resources over several years, underscoring that numbers beyond 250 digits, such as RSA-380, continue to resist classical factoring methods.[](https://jacobsschool.ucsd.edu/news/release/2991) Its persistence as an [open problem](/page/Open_problem) emphasizes the security margins provided by larger key sizes in [RSA](/page/RSA) cryptosystems, where factoring difficulty scales exponentially with digit length.

### RSA-390

RSA-390 is a 390-digit [semiprime](/page/Semiprime) number generated as the product of two distinct primes of roughly equal size, each contributing approximately 195 [decimal](/page/Decimal) digits to the total length. It was introduced by RSA Laboratories in 1991 as one of the challenge numbers in the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), intended to highlight the computational difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf)

The exact value of RSA-390 is:
26804019411823884545010370793466560653669417490828526787298224243977091782504623002472848967604282562331676313645413672467684996118812899734451228212989163008475948506342360491163909958518683309401995768755037783497780340065362869553449043674372818702534140581406315236881249848600505622302828534189804007954474358650330462487514752974123986970880843210371763922883127855444022091083492089 

This number corresponds to approximately 1294 bits in binary representation.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf)

RSA-390 remains unfactored, with no known complete [factorization](/page/Factorization) reported as of November 2025; it is one of the 38 unsolved challenges from the original set hosted by the MysteryTwister [C3](/page/C3) since [2012](/page/2012) with permission from [RSA](/page/RSA).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-24-en.pdf)

### RSA-400

RSA-400 is a 400-digit [semiprime](/page/Semiprime) number constructed as the product of two large prime numbers of approximately equal length, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the boundaries of [integer factorization](/page/Integer_factorization) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal representation of RSA-400 is:
2014096878945207511726700485783442547915321782072704356103039129009966793396141985086509455102260403208695558793091390340438867513766123418942845301603261911930567685648626153212566300102683464717478365971313989431406854640516317519403149294308737302321684840956395183222117468443578509847947119995373645360710979599471328761075043464682551112058642299370598078702810603300890715874500584758146849481 

This number equates to roughly 1,327 bits in [binary](/page/Binary), establishing it as a substantial computational challenge beyond the capabilities of classical factoring methods available at the time of its publication in 1994.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

RSA-400 remains unfactored as of 2025, with the largest successfully factored number in the RSA challenge series being RSA-250, achieved in [2020](/page/2020) using extensive [distributed computing](/page/Distributed_computing) resources equivalent to 2,700 core-years.[](https://jacobsschool.ucsd.edu/news/release/2991) Its unfactored status underscores the 400-digit threshold as a critical [milestone](/page/Milestone) in assessing the [security](/page/Security) of RSA-based cryptosystems, where [factorization](/page/Factorization) difficulty scales exponentially with digit length, deterring practical attacks on keys of this size or larger.

### RSA-410

RSA-410 is a [semiprime](/page/Semiprime) number consisting of exactly 410 [decimal](/page/Decimal) digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the limits of [integer factorization](/page/Integer_factorization) algorithms in the context of [public-key cryptography](/page/Public-key_cryptography). The number is defined as the product of two large prime factors and was intended to demonstrate the computational infeasibility of factoring such large composites with classical methods at the time of its release. Its full [decimal](/page/Decimal) expansion is:
19653601479938761414239452741787457079262692944398807468279711209925174217701079138139324539033381077755540830342989643633394137538983355218902490897764441296847433275460853182355059915490590169155909870689251647778520385568812706350693720915645943335281565012939241331867051414851378568457417661501594376063244163040088180887087028771717321932252992567756075264441680858665410918431223215368025334985424358839 

This number corresponds to approximately 1360 bits in [binary](/page/Binary) representation.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-410 remains unfactored, with no public announcement of its prime factors despite advances in [factorization](/page/Factorization) techniques since the challenge's inception in the [1990s](/page/1990s). The [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), which included RSA-410, was officially discontinued by RSA Laboratories in 2007, but the unsolved numbers like this one continue to serve as benchmarks for cryptographic security research.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

### RSA-420

RSA-420 is a [semiprime](/page/Semiprime) number with exactly 420 decimal digits, generated as the product of two distinct large prime factors by RSA Laboratories for their factoring challenge initiated in 1991.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-27-en.pdf) This challenge aimed to advance research in [computational number theory](/page/Computational_number_theory) by demonstrating the difficulty of factoring large integers, with RSA-420 serving as one of the more formidable entries due to its size, equivalent to approximately 1,393 bits.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

The complete decimal expansion of RSA-420 is:
20913663024765107316525564231633307370096536266052450547985229599412927302581898373570076188752609749648953525484925466394800509169219344906273145413634242186266197097846022969248579454916155633686388106962365337549155747268356466658384680996435419155013602317010591744105651749369012554532024258150373034059528878269258139126839427564311148202923131937053527161657901326732705143817744164107601735413785886836578207979 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-27-en.pdf)[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

RSA-420 remains unfactored as of 2025, with no publicly announced prime factors despite ongoing interest in integer factorization algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its persistence as an open challenge underscores the practical security of sufficiently large RSA moduli against classical computing methods.

### RSA-430

RSA-430 is a semiprime number with exactly 430 decimal digits, created by RSA Laboratories as part of the RSA Factoring Challenge to test the limits of integer factorization algorithms. It is the product of two large, distinct prime factors of roughly equal size, each contributing approximately 215 decimal digits, and was generated in the early 1990s using proprietary software from RSA Data Security, Inc. The factors were discarded after computation, leaving only the composite number publicly available for the challenge.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d)

The full decimal representation of RSA-430 is as follows:
3534635645620271361541209209607897224734887106182307093292005188843884213420695035531516325888970426873310130582000012467805106432116010499008974138677724241907444538851271730464985654882214412422106879451855659755824580313513382070785777831859308900851761495284515874808406228585310317964648830289141496328996622685469256041007506727884038380871660866837794704723632316890465023570092246473915442026549955865931709542468648109541 

This value corresponds to a bit length of approximately 1,427 bits.[](https://gist.github.com/aburan28/d7a63343e76107e36bc66239b2e5169d)

RSA-430 remains unfactored as of November 2025, with no public record of its prime factors being discovered despite ongoing research in [number theory](/page/Number_theory) and computational methods. For context, the largest successfully factored RSA challenge number is RSA-250 (829 bits), achieved in 2020 using extensive [distributed computing](/page/Distributed_computing) resources.[](https://articles.59.ca/doku.php?id=em:20482030) The immense size of RSA-430 places it far beyond current classical factoring capabilities, highlighting the continued security implications for [RSA](/page/RSA)-based [cryptography](/page/Cryptography) with keys of similar or larger lengths.[](https://postquantum.com/post-quantum/breaking-rsa-quantum-hype/)

### RSA-440

RSA-440 is a 440-[decimal](/page/Decimal)-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by [RSA](/page/RSA) Laboratories in 1991 to promote research in [computational number theory](/page/Computational_number_theory) and the difficulty of factoring large integers.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) It consists of the product of two distinct prime numbers, each approximately 220 [decimal](/page/Decimal) digits in length, and serves as a [benchmark](/page/Benchmark) for advanced factoring algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

The explicit decimal representation of RSA-440 is:
26014282119556025900707884873713205505398108045952352894235085896633912708374310252674800592426746319007978890065337573160541942868114065643853327229484502994233222617112392660635752325773689366745234119224790516838789368452481803077294973049597108473379738051456732631199164835297036074054327529666307812234597766390750441445314408171802070904072739275930410299359006059619305590701939627725296116299946059898442103959412221518213407370491 

This value corresponds to a 1,460-bit [integer](/page/Integer) in [binary](/page/Binary), highlighting its immense scale for classical [computing](/page/Computing) resources.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-440 remains unfactored, with no publicly known prime factors despite ongoing interest in its decomposition using methods like the general number field [sieve](/page/Sieve).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) Its persistence as an unsolved challenge underscores the practical [security](/page/Security) implications for [RSA](/page/RSA) cryptosystems employing keys of comparable or larger sizes.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-440)

### RSA-450

RSA-450 is a [semiprime](/page/Semiprime) number consisting of exactly 450 decimal digits, designed by RSA Laboratories as part of their factoring challenge to demonstrate the computational difficulty of factoring large integers relevant to [public-key cryptography](/page/Public-key_cryptography). The number, which is the product of two distinct prime factors of roughly equal size (approximately 225 digits each), was publicly released in the early [1990s](/page/1990s) to spur advancements in [factorization](/page/Factorization) techniques such as the general number field sieve.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-30-en.pdf)

The full decimal representation of RSA-450 is:
198463423714283662349723072186113142778946286925886208987853800987159869256900787915916842423672625297046526736867114939854460034942655873583931553781158032447061155145160770580926824366573211993981662614635734812647448360573856313224749171552699727811551490561895325344395743588150359341484236709604618276434347948498243152515106628556992696242074513657383842554978233909962839183287667419172988072221996532403300258906083211160744508191024837057033 

This number corresponds to approximately 1,493 bits in [binary](/page/Binary), making it significantly more challenging to factor than smaller [RSA](/page/RSA) challenge numbers like RSA-440 due to the exponential increase in computational resources required.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-30-en.pdf)

As of November 2025, RSA-450 remains unfactored, with no known prime factors published, underscoring the ongoing [security](/page/Security) implications for [RSA](/page/RSA)-based [encryption](/page/Encryption) systems using moduli of comparable size.[](https://mysterytwister.org/challenges/level-3/rsa-factoring-challenge-rsa-450)

### RSA-460

RSA-460 is a [semiprime](/page/Semiprime) number consisting of exactly 460 decimal digits, constructed as the product of two large prime numbers of comparable size, as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by [RSA](/page/RSA) Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization).[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The challenge aimed to test the limits of [computational number theory](/page/Computational_number_theory) by offering prizes for factoring such numbers, with RSA-460 representing a significant escalation in difficulty due to its length, equivalent to approximately 1,526 bits.[](https://mason.gmu.edu/~kgaj/ECE297/viewgraphs/lecture12_RSA_security_3.pdf)

The full decimal expansion of RSA-460 is:
1786856020404004433262103789212844585886400086993882955081051578507634807524146407881981216968139444577147633460848868774625431829282860339614956262303635645546753552581286559710032014178315212224644686666427660441466419337888368932452217321354860484353296131403821175862890998598653858373835628654351880480636223164308238684873105235011577671552114945370886842810830301698313339004163655154668570049008475016448080768256389182668489641536264864604484300734909 

This value was published in the official list of challenge numbers, with a [checksum](/page/Checksum) of 396,755 [modulo](/page/Modulo) 991,889 to verify integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-460 remains unfactored, joining the majority of larger challenge numbers that have resisted all known classical factoring algorithms despite ongoing efforts in the field.[](https://www.pulsus.com/scholarly-articles/principles-of-prime-numbers--part-inew-definition-of-prime-numbers-with-modnt-number-system--induction.pdf) Its unfactored status underscores the practical [security](/page/Security) of RSA-based [encryption](/page/Encryption) systems using moduli of similar or greater size, as factoring it would require computational resources far beyond current capabilities.[](https://www.researchgate.net/publication/294548386_Square_roots_of_un-factored_RSA_Challenge_numbers)

### RSA-470

RSA-470 is a [semiprime](/page/Semiprime) number consisting of 470 decimal digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test [computational number theory](/page/Computational_number_theory) algorithms.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

Its full decimal value is:
17051473784681185209081599238887028025183255852149159683588918369809675398036897711442383602526314519192366612270595815510311970886116763177669964411814095748660238871306469830461919135901638237924444074122866545522954536883748558744552128950445218096208188788876324395049362376806579941053305386217595984047709603954312447692725276887594590658792939924609261264788572032212334726855302571883565912645432522077138010357669555555071044090857089539320564963576770285413369 

[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of November 2025, RSA-470 remains unfactored, with the largest successfully factored RSA challenge number being RSA-250 (250 digits) in 2020.[](https://members.loria.fr/PZimmermann/records/factor.html)

### RSA-480

RSA-480 is a 480-digit [semiprime](/page/Semiprime) number generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories to advance research in [computational number theory](/page/Computational_number_theory) and [integer factorization](/page/Integer_factorization).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf) It consists of the product of two large prime numbers of approximately equal size, designed to test the limits of factoring algorithms at the time of its publication.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf)

The exact decimal value of RSA-480 is:
302657075295090869739730250315591803589112283576939858395529632634305976144571441696598170401251852159138533455982172343712313383247732107268535247763784105186549246199888070331088462855743520880671299302895546822695492968577380706795842802200829411198422297326020823369315258921162990168697393348736236081296604185145690639952829781767901497605213955485328141965346769742597479306858645849268328985687423881853632604706175564461719396117318298679820785491875674946700413680932103 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf)

Despite advances in factoring techniques since the challenge's inception in [1991](/page/1991), RSA-480 remains unfactored as of [2025](/page/2025), underscoring the computational difficulty of factoring large [semiprime](/page/Semiprime)s and its relevance to the security of [RSA](/page/RSA) cryptosystems.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-34-en.pdf)

### RSA-490

RSA-490 is a [semiprime](/page/Semiprime) number consisting of the product of two large prime factors, specifically designed as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in [1991](/page/1991) to promote advances in [integer factorization](/page/Integer_factorization) algorithms. This challenge number has exactly 490 [decimal](/page/Decimal) digits and corresponds to approximately 1,626 bits in [binary](/page/Binary) representation, making it significantly larger than earlier challenge numbers like RSA-100 or RSA-200. The primes used to form RSA-490 were generated randomly using the [RSA DSP](/page/DSP) (a [Motorola 56000](/page/Motorola_56000) [DSP](/page/DSP) chip), selected to be congruent to 2 [modulo](/page/Modulo) 3, and verified via probabilistic primality testing; the factors were discarded after computation, ensuring they were unknown even to RSA personnel.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

The full decimal expansion of RSA-490 is:
1860239127076846517198369354026076875269515930592839150201028353837031025971373852216474332794920643399906822553185507255460678213880084116286603739332465781718042017172224499540303152935478714013629615010650024865526886634157459758925793594165651020789220067311416926076949777767604906107061937873540601594274731617619377537419071307115490065850326946551649682856865437718319058695376406980449326388934924579147508558589808491904883853150769224537555274811376719096144119390052199027715691 

A checksum of 649001 was provided alongside the number to verify accuracy during transmission or transcription.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html)

As of 2025, RSA-490 remains unfactored, with no known complete prime factorization despite ongoing research in [computational number theory](/page/Computational_number_theory). The largest successfully factored RSA challenge number to date is RSA-250 (250 digits), achieved in 2020 using the general number field sieve, underscoring the immense computational resources required for numbers of RSA-490's scale.[](https://eprint.iacr.org/2020/697)

### RSA-500

RSA-500 is a 500-digit [semiprime](/page/Semiprime) number generated by RSA Laboratories as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), serving as the largest entry in the initial series of challenge numbers spaced at 10-digit intervals from RSA-100 to RSA-500.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) This number was created on May 19, 1994, by multiplying two large prime factors, with the primes discarded after computation to ensure the challenge's integrity.[](http://www.ontko.com/pub/rayo/primes/rsa_fact.html) The full decimal representation of RSA-500 is:
18971941337486266563305347433172025272371835919534283031845811230624504588707687605943212347625766427494554764419515427586743205659317254669946604982419730160103812521528540068803151640161162396312837062979326593940508107758169447860417214110246410380402787011098086642148000255604546876251377453934182215494821277335671735153472656328448001134940926442438440198910908603252678814785060113207728717281994244511323201949222955423789860663107489107472242561739680319169243814676235712934292299974411361 

The [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), initiated in 1991, aimed to advance research in [computational number theory](/page/Computational_number_theory) by offering prizes for factoring these semiprimes, with RSA-500 marking the upper limit of the early decimal-digit-labeled series before the challenge shifted to larger, specially selected numbers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) As of [2012](/page/2012), RSA-500 remained among the 38 unsolved challenges out of the original 54, hosted by the MysteryTwister C3 team with permission from RSA Inc. after the official contest ended in 2007.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-36-en.pdf) It remains unfactored as of November 2025.[](https://mathworld.wolfram.com/RSANumber.html)

## Larger Challenge RSA Numbers

### RSA-576

RSA-576 is a 576-bit [semiprime](/page/Semiprime) number, equivalent to 174 decimal digits, selected as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test the difficulty of [integer factorization](/page/Integer_factorization) for cryptographic purposes.[](https://mathworld.wolfram.com/news/2003-12-05/rsa/) The full decimal representation of RSA-576 is:
188198812920607963838697239461650439807163563379417382700763356422988859715234665485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059 

This number was designed to have exactly two distinct prime factors of equal length, making it particularly resistant to factorization attacks at the time of its publication. It served as the smallest in a series of larger binary-sized RSA challenge numbers, shifting from the earlier decimal-digit naming convention used for RSA-100 through RSA-500.[](https://mathworld.wolfram.com/RSANumber.html)

RSA-576 was successfully factored on December 3, 2003, by a team led by Jens Franke and including Thorsten Kleinjung from the [University of Bonn](/page/University_of_Bonn), along with collaborators such as [Peter Montgomery](/page/Montgomery), Herman te Riele, and others from institutions including CWI in the [Netherlands](/page/Netherlands).[](https://mathworld.wolfram.com/news/2003-12-05/rsa/)[](https://www.cwi.nl/en/news/cwi-contributes-to-crack-rsa-576/) The factorization employed the general number field [sieve](/page/Sieve) (GNFS), the most advanced method available for large semiprimes, involving extensive sieving, linear [algebra](/page/Algebra), and square root computations distributed across multiple [high-performance computing](/page/High-performance_computing) resources. The effort required the equivalent of approximately 2000 core-years on a single 2.2 GHz AMD [Opteron](/page/Opteron) processor, highlighting the scale of computation needed and the collaborative nature of modern cryptanalytic projects.[](https://eprint.iacr.org/2010/006.pdf) For this achievement, the team claimed the &#36;10,000 prize offered by RSA Laboratories.[](https://mathworld.wolfram.com/RSANumber.html)

The two 87-decimal-digit prime factors are:

- $ p = 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 $

- $ q = 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527 $

[](https://www.math.ucsd.edu/~crypto/Projects/ToniSmith/crypto.html) Their product yields the original [RSA-576](/page/RSA), demonstrating the vulnerability of 576-bit RSA moduli to sufficiently resourced GNFS attacks by the early 2000s. This factorization underscored the need for longer key lengths in RSA-based systems, influencing subsequent recommendations for at least [1024](/page/1024) bits or more.[](https://mathworld.wolfram.com/news/2003-12-05/rsa/)

### RSA-617

RSA-617 is a [semiprime](/page/Semiprime) number consisting of exactly 617 decimal digits, constructed as the product of two large prime factors for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories. This challenge aimed to demonstrate the computational infeasibility of factoring such large composites, which underpin the security of [RSA](/page/RSA) [encryption](/page/Encryption). Unlike many challenge numbers with round digit counts, RSA-617's irregular length of 617 digits was selected to highlight the progressive increase in factoring difficulty beyond standard milestones.

The full decimal representation of RSA-617 is:
22701801293785014193580405120204586741061235962766583907094021879215171483119139894870133091111044901683400949483846818299518041763507948922590774925466088171879259465921026597046700449819899096862039460017743094473811056991294128542891880855362707407670722593737772666973440977361243336397308051763091506836310795312607239520365290032105848839507981452307299417185715796297454995023505316040919859193718023307414880446217922800831766040938656344571034778553457121080530736394535923932651866030515041060966437313323672831539323500067937107541955437362433248361242525945868802353916766181532375855504886901432221349733 

This value corresponds to approximately 2048 bits in binary length.

RSA-617 was introduced to the challenge list on February 7, 1997, as one of the earliest large-scale examples using decimal-digit labeling. As of November 2025, it remains unfactored, with no publicly verified prime factors discovered despite advances in factoring algorithms.

### RSA-640

RSA-640 is a semiprime consisting of the product of two large prime numbers, specifically designed for the RSA Factoring Challenge to test the limits of integer factorization algorithms. It measures 640 bits in length, equivalent to approximately 193 decimal digits, and was introduced by RSA Laboratories in 2001 as part of an expanded set of challenges emphasizing bit-length measurements over decimal digits for alignment with cryptographic key sizes.[](https://www.hpcwire.com/2004/04/30/mathematicians-collaborate-to-solve-rsa-factoring-challenge/)[](https://mathworld.wolfram.com/RSANumber.html)

The full decimal representation of RSA-640 is:
310741824049004372135075003588856793003734602284271365766565781783653985251078433309690383714056711121296929535013698338786149082748318007632320827664 

Although initially presented as unfactored with a &#36;20,000 prize, RSA-640 was successfully factored in November 2005 using the general number field sieve by a team led by Jens Franke and Thorsten Kleinjung, in collaboration with researchers from the University of Bonn and other institutions; this marked a significant milestone in demonstrating the vulnerability of 640-bit RSA moduli at the time.[](https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;3e3c5c3b.0511)[](https://mathworld.wolfram.com/news/2005-11-08/rsa-640/)

### RSA-704

RSA-704 is a [semiprime](/page/Semiprime) number with 704 bits, equivalent to 212 decimal digits, generated as part of the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) initiated by RSA Laboratories in 1991 to advance research in [integer factorization](/page/Integer_factorization). The number was designed as the product of two large prime factors of roughly equal size to test the limits of contemporary factoring algorithms. Its full decimal representation is:
74037563479561712828046796097429573142593188889231289084936232638972765034028266276891996419625117843995894330502127585370118968098286733173273108930900552505116877063299072396380786710086096962537934650563796359 

RSA-704 was successfully factored on July 1, 2012, marking it as the second-largest integer factored using the general number field sieve (GNFS) at the time, following RSA-768. The factorization was achieved by Shi Bai, Emmanuel Thomé, and Paul Zimmermann using the open-source CADO-NFS implementation of GNFS. The effort involved extensive computational resources, including approximately 12 core-years for polynomial selection, 500 CPU-years for sieving on Intel Xeon processors, and 1,800 hours of wall-clock time for linear algebra on the Grid'5000 cluster.[](https://eprint.iacr.org/2012/369.pdf)[](https://inria.hal.science/hal-00760322v1/document)

The prime factors of RSA-704 are:

- $ p = 9091213529597818878440658302600437485892608310328358720428512168960411528640933367824950788367956756806141 $

- $ q = 8143859259110045265727809126284429335877899002167627883200914172429324360133004116702003240828777970252499 $

This breakthrough demonstrated the scalability of CADO-NFS for large-scale factorizations and contributed to improvements in the software for subsequent challenges.[](https://eprint.iacr.org/2012/369.pdf)

### RSA-768

RSA-768 is a 768-bit [semiprime](/page/Semiprime) number consisting of 232 decimal digits, selected as a representative [modulus](/page/Modulus) for the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) to test [computational number theory](/page/Computational_number_theory) advances.[](https://eprint.iacr.org/2010/006.pdf) Its full decimal value is:
1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 

This number served as a benchmark for 768-bit RSA key sizes, which were once considered secure for cryptographic applications but have since been deemed insufficient due to advances in factoring algorithms.[](https://eprint.iacr.org/2010/006.pdf)

On December 12, 2009, RSA-768 was factored by Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen Lenstra, Emmanuel Thomé, Joppe Bos, Pierrick Gaudry, Luke Brent, Jean-Luc Beuchat, Henry Cohn, Nadia Heninger, and the authors of the Cunningham tables, using the general number field sieve (GNFS).[](https://eprint.iacr.org/2010/006.pdf) The factorization revealed two prime factors, each approximately 384 bits long:

- $ p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 $
- $ q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917 $

The sieving phase required approximately 1500 core-years of computation on a 2.2 GHz AMD Opteron processor, equivalent to about two years of wall-clock time across hundreds of machines, marking a significant milestone in the practical limits of integer factorization.[](https://eprint.iacr.org/2010/006.pdf)

### RSA-896

RSA-896 is a [semiprime](/page/Semiprime) number from the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge), published by [RSA](/page/RSA) Laboratories in 1991 as part of a series of cryptographic challenges designed to test [integer factorization](/page/Integer_factorization) algorithms.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) It consists of two large prime factors and serves as an intermediate challenge between smaller factored numbers like RSA-768 and larger unfactored ones.

The number has a bit length of 896 bits, equivalent to approximately 270 decimal digits, making it significantly more computationally intensive to factor than predecessors using classical methods such as the general number field sieve.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) As of 2025, RSA-896 remains unfactored, with RSA-250 holding the record as the largest solved challenge from the series, factored in 2020 after extensive computation on distributed systems.

The full decimal representation of RSA-896 is:
412023436986659543855531365332575948179811699844327982845455626433876445565248426198098870423161841879261420247188869492560931776375033421130982397485150944909106910269861031862704114880866970564902903653658867433731720813104105190864254793282601391257624033946373269391 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) This value was generated to ensure balanced prime factors close in size, optimizing its resistance to [factorization](/page/Factorization) attacks typical of [RSA](/page/RSA) [key generation](/page/Key_generation).[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf) The [challenge](/page/Challenge), originally offering a &#36;75,000 prize, was discontinued by [RSA](/page/RSA) in 2007, with remaining unsolved instances like RSA-896 hosted by third-party platforms for academic interest.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-10-en.pdf)

### RSA-1024

RSA-1024 is a semiprime number consisting of the product of two distinct prime factors, each approximately 512 bits in length, published by RSA Laboratories as part of their factoring challenge to benchmark advances in computational number theory.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-15-en.pdf) The exact value of RSA-1024 in decimal form is:
135066410865995223349603216278805969938881475605667027524485143851526510604859533933940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563 

This number comprises 309 decimal digits and corresponds to a 1024-bit modulus.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-15-en.pdf)

As of November 2025, RSA-1024 remains unfactored, with the largest publicly factored RSA challenge number being RSA-250 (829 bits) from 2020.[](https://www.theregister.com/2001/07/25/rsa_poses_200_000_crypto/) In the original RSA Factoring Challenge, launched in 1991 and expanded in 2001, a prize of &#36;200,000 was offered for its complete factorization, making it the highest-value target at the time before the challenge was withdrawn in 2007.[](https://www.cnet.com/tech/tech-industry/rsa-launches-crypto-cracking-challenge/)

The 1024-bit size of RSA-1024 aligns with the modulus length that served as a de facto standard for [RSA](/page/RSA) public-key [encryption](/page/Encryption) in protocols like TLS from the early 2000s until around 2013, when it began to be phased out in favor of longer keys due to advancing computational capabilities.[](https://www.encryptionconsulting.com/soon-to-be-deprecated-are-you-still-using-rsa-1024-bit-keys-for-windows/) Using the general number field sieve, the state-of-the-art classical algorithm for such factorizations, breaking RSA-1024 is estimated to require on the order of 500,000 core-years of computation on modern hardware.[](https://crypto.stackexchange.com/questions/109810/how-could-a-1024-bits-rsa-modulus-be-most-economically-factored-within-months-to)

### RSA-1536

RSA-1536 is a 1536-bit [semiprime](/page/Semiprime) constructed as the product of two distinct large prime numbers, introduced by RSA Laboratories as part of their factoring challenge to advance [research](/page/Research) in [computational number theory](/page/Computational_number_theory) and highlight the difficulty of factoring large integers.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf) This number spans approximately 463 decimal digits, reflecting the immense scale required for contemporary cryptographic security.[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf)

The explicit decimal value of RSA-1536 is as follows:
1847699703211741474306835620200164403018549338663410171471785774910651696711161249859337684305435744585616061544571794052229717732524660960646946071249623720442022269756756687378427562389508764678440933285157496578843415088475528298186726451339863364931908084671990431874381283363502795470282653297802934916155811881049844908319545009848393775227257052578591944993870073695755688436933812779613089230392569695253261620823676490316036551371447913932347169566988069 

[](https://mysterytwister.org/media/challenges/pdf/mtc3-rsa-32-en.pdf)

Despite significant progress in [factorization](/page/Factorization) techniques, such as the number field sieve, RSA-1536 remains unfactored as of November 2025.[](https://mathworld.wolfram.com/RSANumber.html) Its persistence underscores the computational barriers to breaking [RSA](/page/RSA)-based [encryption](/page/Encryption) at this scale, where no known classical algorithm can efficiently decompose it into its prime factors.[](https://mathworld.wolfram.com/RSANumber.html)

RSA-1536 serves as a [benchmark](/page/Benchmark) for evolving cryptographic standards, illustrating the transition to larger key sizes beyond [1024](/page/1024) bits to ensure long-term security against advancing computational power.[](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) Specifically, 1536-bit RSA moduli are endorsed for [digital signature](/page/Digital_signature) generation in legacy systems until 2030, providing a [balance of performance](/page/Balance_of_performance) and resistance to factorization attacks.[](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf)

### RSA-2048

RSA-2048 is a 2048-bit [semiprime](/page/Semiprime) number, constructed as the product of two distinct 1024-bit prime numbers, and serves as the largest challenge in the [RSA Factoring Challenge](/page/RSA_Factoring_Challenge) series. It consists of exactly 617 [decimal](/page/Decimal) digits and remains unfactored using classical [computing](/page/Computing) methods as of November 2025. Unlike smaller RSA challenge numbers, no cash prize was associated with its factorization, as the overall challenge program was discontinued by RSA Laboratories in 2007 without awarding prizes for numbers beyond RSA-768.[](https://blog.cloudflare.com/pq-2025/)

The full decimal representation of RSA-2048 is:
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357 

[](https://dev.mysterytwister.org/media/challenges/pdf/mtc3-rsa-38-en.pdf)

As of 2025, RSA-2048 represents the current standard key size for RSA encryption in many cryptographic protocols, with the National Institute of Standards and Technology (NIST) recommending its continued use for providing at least 112 bits of security through 2030, prior to a planned deprecation in favor of post-quantum alternatives.[](https://www.sectigo.com/resource-library/root-causes-447-nist-deprecates-rsa-2048-and-ecc-256) Recent quantum computing experiments, such as a 2024 D-Wave study demonstrating factorization of specially constructed 2048-bit semiprimes where factors differ by only two bits, have not succeeded in factoring the specific RSA-2048 number, and such claims remain unverified for this challenge instance.[](https://www.hstoday.us/subject-matter-areas/cybersecurity/no-chinese-did-not-crack-rsa-with-quantum-yet/)[](https://www.sciopen.com/article/10.26599/TST.2024.9010028)

References

  1. [1]
    RSA Number -- from Wolfram MathWorld
    RSA numbers are difficult to-factor composite numbers having exactly two prime factors (ie, so-called semiprimes) that were listed in the Factoring Challenge ...
  2. [2]
    [PDF] Selected Innovation Prizes and Reward Programs
    RSA Factoring Challenge (1991). On March 18, 1991, RSA Laboratories announced the RSA Factoring. Challenge. Now owned by EMC, RSA Laboratories was founded by ...
  3. [3]
    RSA-200 Factored - MathWorld News
    RSA Laboratories sponsors the RSA Factoring Challenge to encourage research ... RSA challenge and its associated cash awards have since been discontinued.
  4. [4]
    RSA numbers and factoring - Applied Mathematics Consulting
    Aug 23, 2018 · The expected time required to factor a semiprime (product of two primes) using the general number field sieve is O( exp(c log(n)1/3 log log(n)2 ...
  5. [5]
    New RSA factoring challenge solved
    Dec 3, 2019 · A new RSA challenge problem has been solved. What does the result say about the strength of RSA encryption?Missing: discontinued | Show results with:discontinued
  6. [6]
    New record set for cryptographic challenge | Computer Science
    Mar 12, 2020 · To encourage research into integer factorization, the "RSA Factoring Challenges" were created in 1991. These challenges consisted of challenge ...Missing: announcement | Show results with:announcement
  7. [7]
    Factoring RSA 100 then and now - Applied Mathematics Consulting
    Aug 4, 2025 · Comparing the time required to factor the first of the RSA challenge numbers in 1991 and in 2025.
  8. [8]
    RSA-250 Factored - Schneier on Security -
    Apr 8, 2020 · ... years, using Intel Xeon Gold 6130 CPUs as a reference (2.1GHz):. RSA-250 sieving: 2450 physical core-years. RSA-250 matrix: 250 physical core- ...
  9. [9]
    Progress in general purpose factoring - AI Impacts
    In mathematics, the RSA numbers are a set of large semiprimes (numbers with exactly two prime factors) that are part of the RSA Factoring Challenge….RSA ...
  10. [10]
    Breaking RSA Encryption: Quantum Hype Meets Reality (2022-2025)
    Apr 2, 2025 · As of April 2025, RSA-2048 remains unbroken, and by all credible accounts, still far beyond the reach of both quantum and classical techniques. ...
  11. [11]
    [PDF] A new kind of cipher that would take millions of years to break
    It was based on an MIT memo by Ron Rivest, Adi Shamir and Leonard Adleman from April 1977, which they sent to Gardner. He was so impressed that he broke his ...
  12. [12]
    [PDF] A Method for Obtaining Digital Signatures and Public-Key ...
    This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by. Diffie and Hellman [1]. Their article motivated our ...
  13. [13]
    factor RSA-129 - MIT
    To find the factorization of RSA-129, we used the double large prime variation of the multiple polynomial quadratic sieve factoring method. The sieving step ...Missing: 1994 | Show results with:1994
  14. [14]
    [PDF] Cryptography in the digital age
    On March 18, 1991 RSA Laboratories developed the RSA Factoring Challenge to monitor the progress in the development of integer factorization methods. RSA ...
  15. [15]
    [PDF] RSA Factoring Challenge: RSA-500 - MysteryTwister
    In 1991 RSA Inc [1] published. 54 challenges with various key lengths for the modulus N (100 to. 617 decimal digits). These RSA cipher challenges [2] were the ...Missing: launch 18
  16. [16]
    [PDF] Frequently A s ked Questions about To d ay 's Cry p t o g ra p h y
    This document is Version 4.1 of RSA Laboratories' Frequently Asked Questions About Today's Cryptography, a minor editorial update of Version 4.0 from 1998.Missing: feels | Show results with:feels
  17. [17]
    Win $200,000 In RSA's Factoring Challenge - Slashdot
    Last year the RSA 512 bit number was factored. It required about 9 months on ~400 Alphas and Pentium IIs, plus (and this is the kicker), about 4 weeks on a ...
  18. [18]
    RSA Challenge List
    ### RSA Factoring Challenge Summary
  19. [19]
    [PDF] RSA Factoring Challenge: RSA-1024 - MysteryTwister
    RSA FACTORING CHALLENGE: RSA-1024. Author: RSA Inc. January 2012. Page 2 ... By now (status. January 2012), 16 of initially 54 challenges have been solved.
  20. [20]
    Why has the RSA factoring challenge been withdrawn?
    Oct 11, 2011 · Wikipedia states that RSA challenge has been withdrawn. Does it mean that an efficient factoring algorithm is "just around the corner"? or are there some other ...Does Schnorr's 2021 factoring method show that the RSA ...What are those RSA Challenges, DES Challenges and RSA ...More results from crypto.stackexchange.comMissing: discontinued | Show results with:discontinued
  21. [21]
    [PDF] Factorization of a 768-bit RSA modulus - Cryptology ePrint Archive
    Dec 12, 2009 · The factorization problem and the steps taken to solve it using NFS are described in Section 2. The factorization is presented in Section 2.5.
  22. [22]
    What Is Post-Quantum Cryptography? | NIST
    Aug 13, 2024 · Post-quantum cryptography is a defense against potential cyberattacks from quantum computers. PQC algorithms are based on mathematical techniques that can be ...
  23. [23]
    Integer Factoring Records
    ... RSA-250 (250 decimal digits), which was factored on February 28, 2020 by Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé ...
  24. [24]
    A First Successful Factorization of RSA-2048 Integer by D-Wave ...
    Dec 30, 2024 · This marks the first successful factorization of RSA-2048 by D-Wave quantum computer, regardless of employing mathematical or quantum techniques.
  25. [25]
    No, Chinese Did Not Crack RSA With Quantum (Yet) - HSToday
    Jul 2, 2025 · April 2025: Wang Chao's group announced factoring a 90-bit RSA number on a D-Wave quantum computer – the largest quantum-assisted factorization ...
  26. [26]
    MersenneForum/msieve: Git clone of jasonp's Msieve project - GitHub
    I'm trying to break my ex-girlfriend's RSA key with Msieve, and it's not working. What's wrong? A. The quadratic sieve really is not appropriate for factoring ...
  27. [27]
    [PDF] factoring integers with the number field sieve - jp buhler, hw lenstra ...
    J.P. BUHLER, H. W. LENSTRA, JR., CARL POMERANCE the heuristic complexity of the number field sieve, where 91/32.080084; and it was only at the expense of ...
  28. [28]
    The RSA Factor Challenge Numbers
    The checksum of each number is the residue of that number modulo 991889 (a six-digit prime number). Challenge Numbers: The ``RSA List'' RSA-100 ...Missing: 2025 | Show results with:2025
  29. [29]
    [PDF] GNFS Factoring Statistics of RSA-100, 110, ..., 1501
    Apr 16, 2004 · We implemented GNFS and factored 100- to 150-digits number on the same environment. This manuscript describes the statistics of these factorings ...
  30. [30]
    RSA numbers - EPFL Graph Search
    In mathematics, the RSA numbers are a set of large semiprimes (numbers with exactly two prime factors) that were part of the RSA Factoring Challenge.
  31. [31]
    [PDF] History of Cryptographic Key Sizes - Hal-Inria
    Oct 28, 2021 · Following RSA-130, several records followed, most often picked from the RSA challenge list. All were factored with GNFS. This provided a nice ...
  32. [32]
    [PDF] Factoring Integers Using SIMD Sieves - Infoscience
    This record was broken by our factorization of the 110-digit RSA-challenge number. As will be explained in Section 3, QS consists of two main steps: the sieving.
  33. [33]
    On the factorization of RSA-120 - SpringerLink
    We present data concerning the factorization of the 120-digit number RSA-120, which we factored on July 9, 1993, using the quadratic sieve method.Missing: details | Show results with:details
  34. [34]
    Factorization of RSA-130 (12 Apr 1996) - The Prime Pages
    With a rational factor base of 250,001 elements (the primes <= 3,497,867) and an algebraic factor base of 750,001 elements (ideals of norm <= 11,380,951), the ...Missing: semiprime | Show results with:semiprime
  35. [35]
    [PDF] Factorization of RSA-140 Using the Number Field Sieve *
    Abstract. On February 2, 1999, we completed the factorization of the. 140-digit number RSA-140 with the help of the Number Field Sieve.Missing: GNFS | Show results with:GNFS
  36. [36]
    [PDF] Factorization of a 512-Bit RSA Modulus* - CWI Amsterdam
    Let N be the number we wish to factor, known. Page 5. Factorization of a 512-Bit RSA Modulus ... Cavallar, B. Dodson, A. Lenstra, P. Leyland, W. Lioen, P. L ...
  37. [37]
    previous records
    General numbers: The previous record was RSA-160 (160 digits), which was factored into two 80-digit factors by F. Bahr, J. Franke, T. Kleinjung, M. Lochter and ...Missing: GNFS | Show results with:GNFS
  38. [38]
    [PDF] Cybersecurity: Public-key Cryptography and the RSA Algorithm
    ... = 45427892858481394071686190649738831656137145778469793250959984709250004157335359 ×.
  39. [39]
    Factorization of RSA-170 - ResearchGate
    This number is the product of two 85 digit primes and was factored by the General Number Field Sieve in approximately six weeks.
  40. [40]
    [PDF] Factorization of RSA-180 - Cryptology ePrint Archive
    Apr 13, 2010 · We started with the smallest unfactored RSA number for that moment, RSA-170, written in 170 decimal digits. The factorization was finished ...Missing: value | Show results with:value
  41. [41]
    Factorization of RSA-180
    ### RSA-180 Information
  42. [42]
    https://mersenneforum.org/showthread.php?t=14177
  43. [43]
    RSA190 (not completed yet) - Shi Bai
    RSA190 (not completed yet). Comments. "the number was factored by I.Popovyan from MSU, Russia and A. Timofeev from CWI, Netherlands and took a few months ...Missing: 2010 | Show results with:2010
  44. [44]
    Are most RSA integers unbalanced? - Cryptography Stack Exchange
    Oct 16, 2025 · RSA-190 is product of two primes of 314 bits and 315 bits. RSA-129 is unequal in decimal digits. Is there an assumption RSA integers are N=pq ...Encryption of large files RSA - Cryptography Stack ExchangeHow can I obtain the raw decimal value of an RSA key's modulus?More results from crypto.stackexchange.com
  45. [45]
    [PDF] On RSA 200 and larger projects - Hyperelliptic org
    Relatively recent records for NFS factorization are: • C176, GNFS: K ... • C200 (RSA200), GNFS: Bahr Boehm Franke Kleinjung CWI on. May 9, 2005. • 911 ...Missing: details | Show results with:details
  46. [46]
    None
    - **File Content Summary**: Polynomial file for factoring RSA-210.
  47. [47]
    https://www.mersenneforum.org/showpost.php?p=354259
  48. [48]
    [PDF] RSA Factoring Challenge: RSA-220 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-220. For solving the RSA-220 challenge it is necessary to factor the following decimal number with 220 decimal digits: N ...Missing: details | Show results with:details
  49. [49]
    [PDF] RSA Factoring Challenge: RSA-230 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-230. For solving the RSA-230 challenge it is necessary to factor the following decimal number with 230 decimal digits: N ...Missing: value | Show results with:value
  50. [50]
    [Cado-nfs-discuss] The Factorization of RSA230 - arc
    Aug 17, 2018 · ... 2018 at 2:14:37 PM EDT, we completed the factorization of RSA230 at Noblis, Inc. Details will be forthcoming, but for now allow me to ...
  51. [51]
    (PDF) The Factorization of RSA230 - ResearchGate
    Aug 17, 2018 · PDF | The Factorization of RSA230 from the RSA Challenge. | Find, read and cite all the research you need on ResearchGate.Missing: J. Franke
  52. [52]
    Comparing the difficulty of factorization and discrete logarithm: a 240 ...
    Jun 10, 2020 · We report on two new records: the factorization of RSA-240, a 795-bit number, and a discrete logarithm computation over a 795-bit prime field.
  53. [53]
    [PDF] RSA Factoring Challenge: RSA-250 - MysteryTwister
    When RSA Inc stopped the contest in. 2007, the money for 8 prizes was already payed. By now (status. January 2012), 16 of initially 54 challenges have been ...Missing: discontinuation April
  54. [54]
    RSA-250 - Caramba, Nancy
    Subject: Factorization of RSA-250 Date: February 28, 2020 For the past three months, ever since the DLP-240 record announced in December 2019 [1], ...
  55. [55]
    [PDF] RSA Factoring Challenge: RSA-260 - MysteryTwister
    In 1991 RSA Inc [1] published. 54 challenges with various key lengths for the modulus N (100 to. 617 decimal digits). These RSA cipher challenges [2] were the ...
  56. [56]
    [Cado-nfs-discuss] Factorization of RSA-250 - Serveur de listes INRIA
    Feb 28, 2020 · using the open-source CADO-NFS software [2]. The total computation time was roughly 2700 core-years, using Intel Xeon Gold 6130 CPUs as a ...Missing: factoring | Show results with:factoring
  57. [57]
    RSA Factoring Challenge: RSA-280 Level 3 - MysteryTwister
    Feb 7, 2012 · This challenge descends from the RSA Laboratories contest to ... This challenge is about factoring a number with 280 decimal digits.Missing: unfactored | Show results with:unfactored
  58. [58]
    [PDF] RSA Factoring Challenge: RSA-290 - MysteryTwister
    RSA-290. For solving the RSA-290 challenge it is necessary to factor the following decimal number with 290 decimal digits: N ...
  59. [59]
    [PDF] An Introduction to the General Number Field Sieve - Virginia Tech
    Apr 17, 1998 · The General Number Field Sieve (GNFS) is the fastest known method for factoring “large” integers, where large is generally taken to mean over ...
  60. [60]
    [PDF] RSA Factoring Challenge: RSA-300 - MysteryTwister
    In 1991 RSA Inc [1] published. 54 challenges with various key lengths for the modulus N (100 to. 617 decimal digits). These RSA cipher challenges [2] were the ...Missing: unfactored | Show results with:unfactored
  61. [61]
    https://www.ontko.com/pub/rayo/primes/rsa_fact.html
  62. [62]
    [PDF] RSA Factoring Challenge: RSA-309 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-309. For solving the RSA-309 challenge it is necessary to factor the following decimal number with 309 decimal digits: N ...Missing: value | Show results with:value
  63. [63]
    RSA Factoring Challenge: RSA-310 Level 3 - MysteryTwister
    Feb 7, 2012 · This challenge is about factoring a number with 310 decimal digits. 0 solves. Discuss challenge ...Missing: list | Show results with:list
  64. [64]
    [PDF] RSA Factoring Challenge: RSA-330 - MysteryTwister
    617 decimal digits). These RSA cipher ... For solving the RSA-330 challenge it is necessary to factor the following decimal number with 330 decimal digits:.
  65. [65]
    [PDF] RSA Factoring Challenge: RSA-340 - MysteryTwister
    In 1991 RSA Inc [1] published. 54 challenges with various key lengths for the modulus N (100 to. 617 decimal digits). These RSA cipher challenges [2] were the ...
  66. [66]
    RSA Factoring Challenge: RSA-360 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-360. For solving the RSA-360 challenge it is necessary to factor the following decimal number with 360 decimal digits: N ...
  67. [67]
    New record set for cryptographic challenge
    ... RSA Factoring Challenges" were created in 1991. These challenges consisted of challenge integers of varying sizes, named for the number of integer digits.Missing: generated | Show results with:generated
  68. [68]
    [PDF] RSA Factoring Challenge: RSA-390 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-390. For solving the RSA-390 challenge it is necessary to factor the following decimal number with 390 decimal digits: N ...Missing: unfactored | Show results with:unfactored
  69. [69]
    [PDF] RSA Factoring Challenge: RSA-420 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-420. For solving the RSA-420 challenge it is necessary to factor the following decimal number with 420 decimal digits: N ...
  70. [70]
    2048 Bit RSA and the Year 2030 - The Call of the Open Sidewalk
    Nov 22, 2024 · 2048 bit RSA should be considered potentially insecure after the year 2030 and that the minimum length considered secure should be then be 3072 bits.
  71. [71]
    RSA Factoring Challenge: RSA-440 Level 3 - MysteryTwister
    Feb 7, 2012 · This challenge is about factoring a number with 440 decimal digits. 0 solves. Discuss challenge ...Missing: value | Show results with:value
  72. [72]
    [PDF] RSA Factoring Challenge: RSA-450 - MysteryTwister
    For solving the RSA-450 challenge it is necessary to factor the following decimal number with 450 decimal digits: N = ...
  73. [73]
    RSA Factoring Challenge: RSA-450 Level 3 - MysteryTwister
    Feb 7, 2012 · This challenge is about factoring a number with 450 decimal digits. 0 solves. Discuss challenge ...
  74. [74]
    [PDF] ECE297:11 Lecture 12 - RSA - GMU
    1977-1993 increase of about 1500 times. Internet. Factoring methods. General ... RSA-100. RSA-110. RSA-120. RSA-130. RSA-140. RSA-150. RSA-160. RSA-170. RSA-180.
  75. [75]
    [PDF] Part I-New definition of prime numbers with modNt number system ...
    May 3, 2024 · RSA-100 has 100 decimal digits (330 bits). Its factorization was announced on April 1, 1991. The value and factorization of RSA-100 are as ...
  76. [76]
    Square roots of un-factored RSA Challenge numbers - ResearchGate
    Feb 15, 2016 · Square roots of un-factored RSA Challenge numbers. January 2016. DOI:10.13140/RG ... 270: One of the factors of RSA-270 will be less than.
  77. [77]
    [PDF] RSA Factoring Challenge: RSA-480 - MysteryTwister
    Author: RSA Inc. 2 / 5. Page 3. RSA-480. For solving the RSA-480 challenge it is necessary to factor the following decimal number with 480 decimal digits: N ...
  78. [78]
    RSA-576 Factored - MathWorld News
    RSA numbers are special types of composite numbers particularly chosen to be difficult to factor, and they are identified by the number of digits they contain.<|control11|><|separator|>
  79. [79]
    Quantum Cryptography - UCSD Math
    May 24, 2004 · ... RSA-576, was the 174 digit number. 1881 9881292060 7963838697 2394616504 3980716356 3379417382 7007633564 2298885971 5234665485 3190606065 ...
  80. [80]
    CWI contributes to crack RSA-576
    Dec 24, 2003 · Factoring the number is equivalent to cracking a key of 576 bits in the widely used RSA crypto system. The security of this crypto system is ...Missing: decimal J.
  81. [81]
    Mathematicians Collaborate To Solve RSA Factoring Challenge
    Apr 30, 2004 · The worldwide team of eight solved the challenge using approximately 100 workstations in a little more than three months, and earned a cash ...Missing: feels | Show results with:feels
  82. [82]
    https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;3e3c5c3b.0511
  83. [83]
    RSA-640 Factored - MathWorld Headline News
    As the following table shows, RSA-704 to RSA-2048 remain open, carrying awards from $30,000 to $200,000 to whoever is clever and persistent enough to track them ...
  84. [84]
    [PDF] RSA Factoring Challenge: RSA-704 - MysteryTwister
    RSA-704. Author: RSA Inc ... For solving the RSA-704 challenge it is necessary to factor the following decimal number with 212 decimal digits (704 bit):.
  85. [85]
    None
    ### Summary of RSA-704 Factorization
  86. [86]
    [PDF] FACTORISATION OF RSA-704 WITH CADO-NFS - HAL Inria
    Jul 1, 2012 · We report on the factorization of RSA-704 (212 decimal digits), which is the 2nd largest integer factorization with the General Number Field ...
  87. [87]
    [PDF] RSA Factoring Challenge: RSA-896 - MysteryTwister
    RSA Inc initially advertised prize money for the solution of 14 of these challenges [3]. When RSA Inc stopped the contest in. 2007, the money for 8 prizes was ...<|control11|><|separator|>
  88. [88]
    RSA poses $200000 crypto challenge - The Register
    RSA Security is running a factoring challenge that offers would-be code breakers a prize of up to $200,000 for finding the two numbers of ...Missing: expanded | Show results with:expanded
  89. [89]
    RSA launches crypto-cracking challenge - CNET
    Internet security firm RSA Security is challenging individuals to test the strength of its algorithms in its latest crypto Factoring Challenge, with a cash ...
  90. [90]
    RSA 1024 Bit Keys For Windows Soon To Be Deprecated
    Apr 19, 2024 · Since 2013, internet standards and regulatory bodies have prohibited using 1024-bit keys, recommending 2048 bits or longer RSA keys. Microsoft ...Why is this change better for all? · How can you ensure that your...
  91. [91]
    How could a 1024‒bits RSA modulus be most economically ...
    Feb 19, 2024 · A ballpark estimate is that factoring a 1024-bit key would be about 200 times harder than RSA-250, or around 500,000 core-years of computation.What is the fastest integer factorization to break RSA?Why has the RSA factoring challenge been withdrawn?More results from crypto.stackexchange.com
  92. [92]
    [PDF] RSA Factoring Challenge: RSA-1536 - MysteryTwister
    The RSA-1536 challenge requires factoring a 1536-bit number (463 decimal digits) to solve. The solution is one of its prime factors.
  93. [93]
    [PDF] Transitioning the Use of Cryptographic Algorithms and Key Lengths
    Mar 2, 2019 · RSA: See FIPS 186-239 and FIPS 186-4,40 which include modulus lengths of. 1024, 1280, 1536 and 1792 bits, may continue to be used for signature.
  94. [94]
    State of the post-quantum Internet in 2025 - The Cloudflare Blog
    Oct 28, 2025 · Global Risk Institute expert survey results from 2024 on the likelihood of a quantum computer breaking RSA-2048 within different timelines.Missing: factorization | Show results with:factorization
  95. [95]
    [PDF] RSA Factoring Challenge: RSA-2048 - MysteryTwister
    RSA FACTORING CHALLENGE: ... For solving the RSA-2048 challenge it is necessary to factor the following decimal number with 617 decimal digits (2048 bit):.
  96. [96]
    Root Causes 447: NIST Deprecates RSA-2048 and ECC 256 - Sectigo
    Dec 13, 2024 · As part of its post-quantum cryptography (PQC) initiative NIST has released a draft deprecating RSA-2048 and ECC 256 by 2030 and disallowing them by 2035.