## People who used CADO-NFS

- Daniel J. Bernstein and Tanja Lange used cado-nfs for the Safecurves page.
- Nadia Heninger gave a rump session talk at Crypto 2013, where she presented a project called Factoring as a service that uses CADO-NFS to factor integers on Amazon EC2.
- Zachary Harris used CADO-NFS for his demonstration that Google was using a way too small RSA key for email authentication.
- Samuel S. Wagstaff used CADO-NFS for factoring the numerator
of the
Bernoulli number
`B_240`

. - Min Yang et al. have used CADO-NFS in an article where they study the polynomial selection step in NFS.
- John B. Cosgrave and Karl Dilcher used CADO-NFS for the experiments in their article ``The Gauss-Wilson theorem for quarter-intervals''.
- Florian Bouyer and Marco Streng used CADO-NFS in their article ``Examples of CM curves of genus two defined over the reflex field''.
- Fabien Perigaud and Cédric Pernet from Cassidian Cybersecurity reverse-engineered a ransomware, which in the end boiled down to factor numbers with CADO-NFS. See the corresponding blog post.
- Karthikeyan Bhargavan and coauthors from the INRIA Prosecco team, and Nadia Heninger from University of Pennsylvania, used CADO-NFS to factor ephemeral 512-bit keys in the context of the FREAK attack. In push-button mode, cado-nfs factors 512-bit keys on Amazon EC2 in 7 hours and for 70 dollars (and it's certainly possible to bring it down somewhat).
- The Logjam vulnerability has been revealed in 2015. The proof-of-concepts were done using the discrete log features of CADO-NFS, in particular for quickly breaking 512-bit DH keys for which the group was known in advance.
- N. L. Zamarashkin, D. A. Zheltkov, and S. A. Matveev have factored RSA-232 using CADO-NFS (except for the linear algebra part).

If you used CADO-NFS and wish to be added to this list, send an email.

Last modification: Tue 06 Apr 2021 05:30:37 PM CEST

© 2006– The CADO-NFS Development Team. ; valid XHTML 1.0, valid CSS

© 2006– The CADO-NFS Development Team. ; valid XHTML 1.0, valid CSS