Slashdot Mirror
Factoring Breakthrough?
An anonymous reader sent in: "In this post to the Cryptography Mailing List, someone who knows more about math than I do claimed "effectively all PGP RSA keys shorter than 2k bits are insecure, and the 2kbit keys are not nearly as secure as we thought they were." Apparently Dan Bernstein of qmail fame figured out how to factor integers faster on the same cost hardware. Should we be revoking our keys and creating larger ones? Is this "the biggest
news in crypto in the last decade," as the original poster claims, or only ginger-scale big?"
Try viewing the postscript file using the online viewer here instead.
/cj
What's the impact of this news on the security of the newly accepted AES (DES replacement)?
Tastes Like Chicken
don't tell me you haven't converted your judgments of magnitude to the ginger scale. everybody's doing it.
Cryptography is going to be a perpetual game of "measure, counter-measure" as computing power increases and people develop more clever ways of doing things.
Does anybody have good sources about this? Ones based on historical encryption and decryption that lead into modern times would be ideal.
Either give it away or get top dollar, but never sell yourself cheap.
basically what DJB has done is found ways to incorporate extra hardware to eliminate redundant operations when performing number field sieve (NFS). he's implemented NFS in a non-linear way, which results in a threefold increase in speed from linear NFS implementation.
it's a wonder no one thought of it before. oh, wait, i think a three-letter agency might have...
better update those keys!
The NSA factors numbers, and their work is top-secret. When I read stories like this, I wonder if people are just discovering things that the NSA has known about for years. If the NSA could factor 2 Kbit keys, would they tell people? Probably not.
So when you ask "Are our keys secure" the logical follow-up question is, "From who?"
From me? Yes. I probably couldn't factor a 1000 digit number.
From your boss? Yes. You could use rot-13 and your boss would probably be baffeled.
From your boss' lawyers? From the police? Here is where we get into the gray area; where the article becomes relevant
From the government? I think you were kidding yourself when you thought it was secure in the first place. I find it easy to believe that the NSA is far ahead of the public in the encryption arms-race.
God is real unless declared integer
It's always been my dream to figure out how to factor big, big numbers. But I always pondered, if I did figure it out, would I tell? ie, How many companies/gov'ts would kill for that exclusive info?
I use a 4096-bit GPG key. It may take a day to encrypt a message, but at least the encryption can't be broken (yet).
--
Beauty is in the eye of the beholder... Oh, no. It's just an eyelash.
http://cr.yp.to/papers.html
Raised by monkeys.
Overruled, I'll allow it.
I think that given that the NSA has allowed stronger encryption to be exported supports the idea that "they" have much more powerful algorithms than "they" have let on.
this is indeed astonishing. I too thought the rumors of the big RSA cracker at the NSA was a rumor. I guess it's not. This is huge. it not only makes pgp's current implementations useless, but it also makes decrypting all that "secure" RSA-based ssl and ssh traffic eminently readable (probably not realtime though, it probably took a day to break all that traffic the nsa logs for you)
the tinfoil hat set is going to go nuts.
/me changes everything to blowfish and aes
'scuse me, must run, out of tinfoil!
Circut for integer factorization?
Reminds me of a certain movie...
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
I haven't hit a top limit on the GPG key yet. I had an obnoxiously long 4096 bit one I was testing with for a while and PGP was able to encrypt messages to it but was unable to import the private key. Oh well, time to move to an obnoxiously obnoxious 8096 bit one.
Suddenly the 128 bit netscape encryption isn't looking so good (Not that it was before...)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Shouldn't we all hang on until crypto experts validate this? Is it theoretical? How much does the attack cost? etc. etc.
I wouldn't start sending those revocation certificates just yet.
e4 e5
I read somewhere that the RSA public key algorithm was invented at GCHQ, and kept secret, years before RSA invented it.
Best Slashdot Co
Orthodox Christians believe God is irrational (triune: an irrational number meaning 3 yet 1, 1 yet 3). Got Faith?
-- @rjamestaylor on Ello
I saw an article once (not sure if it was here or not) about someone using random pictures from a lava lamp to encrypt whatever he wanted. Last i heard was everyone that tried to break the encryption failed... the only way to decode it was to use the orignal picture that was taken of the lave lamp. If anyone else has heard about this or has any other information if this worked or not I would love to hear about it.
There is no impact. AES is a symmetric system that is not based on factoring. This apparent discovery only affects algorithms that are based on the difficulty factoring large numbers.
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
The PGP version the article mentions that had
larger keys (at the expense of compatibility)
was PGP 6.x-CKT (Cyber Knights Templar). AFAIK
they stopped development on their branch a good
while ago, maybe google can dig something up.
"Holy shit. The math works. Bernstein has found ways using additional hardware to eliminate redundancies and inefficiencies which appear in any linear implementation of the Number Field Sieve. We just never noticed that they were inefficiencies an redundancies because we kept thinking in terms of linear implementations. This is probably the bigest news in crypto in the last decade."
Yeah, this is big news. It also sheds new light on the relaxation of the export constraints. The NSA has dedicated hardware performing this same procesing, and probably for the last 5-10 years...
"Note that there have been rumors of an RSA cracker built by a three-letter agency in custom silicon before this, but until analyzing Bernstein's paper I had always dismissed as ridiculous paranoid fantasies. Now it looks like such a device is entirely feasible and, in fa ct very likely."
Time to make new keys...
This is cool news. Glad to see discoveries like these published instead of hushed up.
So is this saying that x number of linear-algebra circuits will factor a large number x times faster?
So how much hardware are we talking about to factor a 2k bit key in a day? week? month? year?
Someone w/ the math break this down for us.
-M
0xF824782C the finger print for my (soon to be obsolete?) key.
I find it funny and interesting that because the NSA and other TLA agengies are *so* tight lipped we assume their skills and abilities are far ahead of current "joe-sixpack" tech.
I suppose this very well could be the case, but it sure lends itself to great conspiracy theories.
I suppose the TLA agengies don't really need strong crypto to invade on my privacy. They just need a court order.
Sure I use a 2048bit key (soon to be 4096bit I guess), but will that really stop them from making me give up the goods if faced with jail when they come asking for my data?
Nope, because I have nothing really to hide. Maybe I keep my cache of pr0n encrypted so my fiancee doesn't discover it, but I will sure-as-shooting give that information up to keep me out of jail.
I'm to pretty for jail!
Once they get a real quantum coputer working (if the NSA hasn't got one tucked away already) most of the encryption schemes known today will be able to be broken in less than a second - big factors are no match for quantum.
I don't mean to say that this isn't true, but doesn't something like this come up every few months? Some one thinks they broke some highly respected crypto system, then an expert shows that it is invalid or only valid for a small percentage of keys.
Protecting against the http://cr.yp.to/papers.html#nfscircuit speedup means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize that, at this point, very little is known about the function f. It's clear that f(n) is approximately (3.009...)n for _very large_ sizes n, but I don't know whether f(n) is larger than n for _useful_ sizes n.
Bernstein's paper is excerpted from a grant proposal where he is requesting funds to answer the question of whether the design is applicable to useful key sizes. At this point it is far too early to assume that 1024 to 2048 bit keys can be attacked by his proposed machine more efficiently than with known methods.
The paper talks about constructing a computer optimized for factoring large numbers. Part of the RSA public key is the product of two large prime numbers. If you can factor that, you can get the private key, and then do whatever.
AES is a symmetric key algorithm -- the same key is used for both encrypting and decrypting. Factoring numbers has nothing to do with any part of the algorithm, so this has no impact at all.
That said, most of the stuff encrypted these days with AES uses a public key algorithm to send along the AES key. If the public key is broken, then out pops the AES key and the message is cracked. So, just because you're using AES doesn't mean you are safe. You have to ask if there is any public key key exchange, and if so, what it is. El-gamal, DSA, Diffie-Hellman are OK, RSA is just weaker than we thought it was.
Anyone care to guess what the implications for SSH key exchange is?
Temkin
I checked the math.
Everything appears correct.
However, the application of discrete calculus on page 4 is a bit strange --- I'm not too sure that Euler's theorem could be applied like that.
--BW
The poster seems to think speeding the calculation by 3x means reducing the strength of 300bits to that of 100bits. I know this is plain wrong but I'm not sure of the correct value.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
I love how one persons perception of a paper is suddenly a news worthy event. Espically a usenet post. Creating dedicated hardware to do anything isn't really a big deal. ASIC designs (custom ICs) can be created by anyone with a little VLSI know how, in fact students can make their own ASIC chips in 2months for about $3k. The fact that someone figured out that, hey, I can implement this directly in hardware and optimize it a bit, isn't anything new. Up until about 2 years ago everyone made their own ASICs to get their 4x-400x speed increase with custom memory, caching schemes, etc.. Having a working prototype might be interesting. But, just saying you've got the basic idea down is really laughable.
Is he going to pay someone $5000 if they can prove him wrong? (qmail joke)
I was under the impression that you could theoretically build an infinite number of quantum computers and that they could never break a random sample static encrypted data stream.
And random image encryption should be pretty much the same story.
How does this effect PGP?
You could view this post script file online here, or you could use the Windows, OS/2 or Linux viewers available here.
Every rule has an exception, and this is the only rule with no exceptions! Huh? -- Spatch
Because he's gay we should question his math? That's not relevant at all. And learn to spell. Sorry, couldn't help that. Guess that wasn't relevant either.
That would basicly be like a one time pad would'nt it? It's my understanding that one-time pads are secure, but the problem is in the distribution of the key.
This isn't really a big deal, nor is it surprising.
Basically, what DJB has done is translated the GNFS from its normal implementation on serial computers (where there is a great deal of available memory, but only one operation is performed at once) into a parallel implementation, where the number of processors more closely matches the available memory.
The "decreased cost" is misleading here, since it is calculated on the assumption that sieving would have been done by a single processor with access to a huge memory... this quite simply was never the case.
There is nothing here to suggest that factoring can be performed using any fewer FLOPS; all that is demonstrated is that by using several processors, each with a smaller memory, you can do better than with a single processor and a giant memory. Which we already knew.
To summarize: DON'T PANIC!
Tarsnap: Online backups for the truly paranoid
I've seen a lot of comments about how this means that all SSL and PGP encryption is transparent, etc.
Please, get a grip.
Most "transient" connections still use 512 bit keys. If this effectively reduces the key size by 3, that's still 170 bits. That's far larger than the RSA key that took years to crack a few years back.
Technology improves, algorithms improve, and the TLAs can certainly afford to build cracking engines, but it will probably still take a substantial amount of time to crack a key. (Substantial = days.) Well worth the effort if you're looking at suspected terrorists or double agents inside of the FBI, but hardly worth it for anyone reading this comment.
What we *do* need to worry about is the effect on long-term keys. E.g., root CA keys often have 20-year lifetimes, something that now seems foolish with 1k bit keys.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
So the trick is to find a shortcut or a flaw in the algorithm that allows you to get the data without searching all the keys.
In the case of RSA, the shortcut is factoring the product of two primes. It's way way easier to factor a 128-bit product than it is to search through a 128-bit keyspace. So RSA bumped the size of the product up and up and up until it was as impossibly hard to factor it as it was to search a 128-bit keyspace.
Other algorithms have other shortcuts, too. Remember when a weakness was found in the session key choosing algorithm for Netscape? The keyspace was reduced from 128 bits to 24 bits or something like that, and then a search could be made on it.
Anything you can do to avoid trying all the keys is the name of the game. Unless you're some kind of quantum computer freak. ;-)
I think you all over estimate the NSA. I can think of only one historical instance when the NSA was thought to know something that the general public didn't about cryptograpy. It was then proven later that the discovery happened almost simultaneously in the public and private sectors. I am, of course talking about the Diffie-Hellman Public-key invention itself. To give the NSA a 10 year advance in this technology is a little ridiculous (as someone suggested in an earlier post).
0 50 3.html
http://cypherpunks.venona.com/date/1994/01/msg0
When PGP five came out, from RSA, a company owned by a defense contractor, without export restrictions to speak of, with a different algorithm, it was obvious that PGP had been broken by the TLAs if you were paying even scant attention.
If your personal security has, in any way, been resting on any derivative of the RSA algorithm since that time you forgot the most important part of playing the security game: PAY ATTENTION TO WHAT IS HAPPENING.
The environment is not static: "security" comes from being in the part of the environment which is currently "safe", and from nothing else. Look up the term "revolution in military affairs" for more details.
That is all
.deen uoy noitpyrcne eht all is sihT
so when can i get a distributed.net client that makes use of this?
http://www.google.com/search?q=cache:cr.yp.to/pape rs/fastgcd.ps
is now viewed as technically sound? :)
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
But then again, quantum cryptography may be even closer than working quantum computers, which means secure private key cryptography, meaning you can factor all you want, you aren't gonna find anything unless you get that private key.
Note that there have been rumors of an RSA cracker built by a three-letter agency in custom silicon before this, but until analyzing Bernstein's paper I had always dismissed them as ridiculous paranoid fantasies. Now it looks like such a device is entirely feasible and, in fact, likely.
Now let me guess...
It's disguised to look like an answering machine, right?
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
If so, then it comes out Bill Gates was right !
It's a good thing I've been using 4k keys for years. Excessive? It would seem not.
Just reading the paper now, there is something I dont understand.
:-), versus the O(m) for the parallel machine.
Top of page 5, talking about the cost of parallel computation. He claims that for the mesh sorting example, there is a genuine reduction in the cost, by comparing a machine with m^2 processors (which can sort m^2 numbers in O(m) time), with a single machine with m^2 memory.
Ok, as far as this goes, this is OK, the single machine will take O(m^2) time to sort m^2 numbers (actually O(m log m), but lets round it up
The fallacy, as I see it, is that he is assuming a single machine with m^2 memory will cost the same amount of money as m^2 machines. Therefore the cost (money * time) is m^4 versus m^3.
Surely this is wrong? The cost of a computer is not purely memory. If you spend X times more on a computer, you expect X times more memory AND X times more computation.
I havn't finished reading the rest of the article yet, but this point seems to be basis for the 'improvement' ?
See also my Australian mirror at: http://www.glasswings.com.au/cr.yp.to/papers.html# nfscircuit
Share and enjoy,
*** Xanni ***
http://www.glasswings.com/
Well, to answer my own question, on Freshmeat there appear to be one or two.
Have fun!
299,792,458 m/s...not just a good idea, its the law!
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
The post about the article claims a threefold decrease in effective key length. This is much greater than a three fold increase in speed.
If factoring a number is proportional to the size of a number, then a number that would take 280 years to factor might take 46 days.
It also says that the technique might not be effective on keys as short as the ones currently used.. so the speedup may be theoretical.
# (/.);;
- : float -> float -> float =
The real reason a symmetric algorithm is used for the bulk of an SSL session is that it is much less computationally intensive than an asymmetric algorithm with a similar degree of security.
Note that these algorithms are independently pluggable, so a more secure or larger key size asymmetric algorithm could be used alongside the same old 128 bit RC4.
The big problem here is for systems using browser managed certificates for authentication would have to be upgraded and new certs issued. This is not the most common usage of SSL, but where it is in place the systems tend to be large and expensive.
revetahW
Right on. The result of parallelising computational tasks that are currently done in serial has been known for ages. The whole concept of a quantum computing key search has been to try all the keys at once. This is essentially implementing that concept using non-quantum hardware - to a certain extent.
This is a big deal in the sense that we may be moving toward the point where our ability to process in parallel can crack any keys generated by computers without that capability. But it is analagous to my abilty to encrypt using a computer what you would be unable to decrypt using as handheld calculator. If both sides are equipped with the same computing technology, the security remains intact.
... create random noise to be used in a 'one time key' / 'one pad key'. Totally unbreakable. Especially if the message is short.
I remember the post you are referencing. There are cameras that photograph a number of lava lamps. Thru a couple of data munging operations, out pops a length of completely random data.
This was posted on some crypto/compression list awhile back about compressing totally random data. The guy was able to do so by underspecification of the problem. It was slashdotted, I believe.
Anyways, the same thing can be applied to picking up atmospheric noise/wind. Anything that cant be predicted or known at any other location should work for random data, thus you could use to encrypt. It is a "One Time Key" - no way to recreate the data without the data.
http://cr.yp.to/papers.html
Is it just me, or did I totally miss Tonga's rise to a leadership position in the crypto community? I didn't see it on their website...
"CNN and Network World detailed how the NSA openly strong arms companies, "leaning on software, switch and router vendors" to make them "add a government-approved back door into network gear." Companies working with the NSA, however unwillingly, include Netscape, Sun, and Microsoft. Chris Tolles of Sun says, "Everyone in Silicon Valley, including us, has to have specific staff -- highly paid experts -- to deal with them." If everyone's dealing with them, are any products secure?
Taher Elgamal, who wrote Netscape's so called "data-recovery plan" as demanded by the spooks, said they didn't have a choice. Exports are about half the income for these businesses. In practice companies need NSA's permission to export security products, except for "export grade" junk. NSA only gives permission if the security is crippled in some way.
Duncan Campbell reported in Interception Capabilities 2000 that NSA succeeded in compromising browsers from both Microsoft and Netscape, as well as Lotus Notes. The browsers' security was openly gutted by NSA's insistence on reducing key sizes to whatever the NSA can easily crack at the time. In the case of Lotus Notes the keys appeared to be longer, but just enough of each key was secretly given to the NSA.
According to Network World the NSA "forced MasterCard International, Inc. to dumb down the Secure Electronic Transaction (SET) credit-card encryption standard." NSA insisted that most of every transaction not be encrypted at all. When someone steals a lot of money using SET we'll know why.
Sabotaging friends and foes isn't new for the NSA. It's life long behavior. In Crypto AG: The NSA's Trojan Whore you'll find the intriguing but very disturbing story of how 50 years ago NSA rigged the crypto systems sold by Crypto AG so that NSA could read the supposedly secret messages. Customers of Crypto AG include embassies, military, banks, and rogue nations such as the Vatican. "
I pasted that selection from this Cryptome article. Secure from who? It is probably hard to crack for private persons, but the NSA apparently can crack it since they force companies to install backdoors. If you search around Cryptome you will learn that the NSA forces companies to use crypto that is weaker than most companies want to use, so that it is easier for them to crack.
If I recall correctly the banking industry uses 512 bit RSA keys. If with this hardware its computationally equivalent to a 512/3 or 170 bit key then I imagine that the bankers are getting very very nervous.
I hope that the banks can update their infrastructure fast enough or we are going to have massive problems as soon as someone builds a illicit factoring machine.
The TLAs will just install a wiretapper on your keyboard anyways.
I was always partial to the maryann scale, myself.
I feel fantastic, and I'm still alive.
No, someone has been spreading around an erroneous interpretation of the paper. From the abstract:
"This reduction of total cost from L^(2.852...+o(1)) to L^(1.976...+o(1) means that a ((3.009...+o(1))d)-digit factorization with the new machine has the same cost as a d-digit factorization with previous machines."
In plain terms: A factorization of a number that has 3 times as many digits will have the same cost as a the number did before.
Hope this clarifies why this is a breakthrough (that may be important).
Bernstein's results are asymptotic. That is, he states that a key of length n is about a secure on his special hardware as a key of length 3n on standard hardware. But this is an approximation for very large n. It is completely possible that for n near the length commonly used, his hardware could actually take longer than other equiptment.
Bernstein's result isn't the RSA killer you hotheads are making it out to be. It's a very cool result, but it's not the biggest and the baddest in the last decade.
...it's not clear this has any impact on crypto security today. There are lots of O(1)'s and nobody can be sure just how big they are for the real keys that are used today. Still, it can't do any harm to keep on your toes and make your keylength as long as your hardware will allow.
-- SIGFPE
While browsing low modded posts I found an intriguing post titled: "RSA cracked. Get over it.". It looks like someone somewhere can factor large integers and posted the proof anonymously on Slashdot on November 2nd, 2001.
quoting link...mod down please
It's amazing how many events are the biggest news of the decade when they occur (or are publicized), but somehow 10 years later they're long forgotten.
A friend of mine worked for Cray Computer Corporation until the untimely death of Seymour Cray. The last machine they were working on was a monster, that might make more sense in terms of today's developments.
In the early nineties, CCC was working on the Cray 3, a new gallium arsenide computer. It was to have a cycle time of about 1ns (shockingly fast back then.) It was cooled by a high-pressure very high-speed mist of Flourinert suspended in helium. It was built as a series of wedges much like the Cray 1 and 2, although somewhat smaller. They built working prototype wedges, and were debugging them, while looking over their collective shoulders at the ground being gained on them by arrays of microprocessors.
One thing led to another, and it was clear that the Cray 3 would never be a commercial success. They were then given a contract to build what was called the Cray 4. The Cray 4 was a one-off machine using PIM (processor in memory) chips. These were 1-bit computers, but there were 262,144 of them in the box. The idea was that the gallium arsenide chips, wiring, and cooling system that made up the Cray 3 were just the networking system for these PIM chips, which would do the actual work.
Anyway, Cray died, and then CCC quickly died, and I don't believe that the machine was ever finished.
thad
I love Mondays. On a Monday, anything is possible.
If you notice, the paper he published was part of a proposal for a research grant to see if this is even possible. Right now, this is all theory and conjecture. DJB is trying to get financing to pay for this little research project. My guess is that in a post Sept. 11 world, the government will most likely look at this project as dangerous and borderline terroristic. I don't see it getting off the ground.
Well i couldn't get to the original site, but i see that NEC's citeseer has it.
aes and des do not rely much on factoring. however, the transmission of keys, which must be done before people can communicate using any sort of private key encryption(AES, DES, take you pick) is usually done with public key encyption.
other words: this doesnt help people break aes, but it does make it easier for them to intercept the key ahead of time
Factoring 170-bit numbers is childs play. Anyone can do it.
170-bit symmetric crypto would be a whole different matter.
How many sides are on a dPhil?
It doesn't mean much now, it's built for the future.
Why do you think the Gov't Agencies have been interested in machines that are essentially huge banks of FPGAs? I know of such machines that existed in certain places for at least 12 years now. A few years back there was a huge push for commoditized embedded (VME/etc) cards that were just cards packed with FPGAs with a general purpose CPU on it to drive them.
This certainly doesn't look like 3 times, but 3.009 digits. So a 59 bit key instead of a 56 bit key. I'm still confident that a 2048 bit key just doesn't make sense to attack directly.
Anyone who cannot cope with mathematics is not fully human.
Any impact on DSA, as used by ssh and GnuPG ?
morcego
Does this mean the RSA Factoring Challenge Prizes will all be claimed very soon?
a ct oring/numbers.html
http://www.rsasecurity.com/rsalabs/challenges/f
You guys could of atleast posted this:d p49LAC: cr.yp.to/papers/nfscircuit.ps+&hl=en
http://www.google.com/search?q=cache:HNDY5
(as djbs koobera-server seems to be under hard pressure)
Here you will find mirrors of the original file as well as the document in pdf-format etc:
http://citeseer.nj.nec.com/462633.html
Heh. Not so long ago, there was a thread around here about Swordfish. Some smart alec came along and claimed that it was not realistic at all, just the usual Hollywood-overdone glamour, because it featured the best (still alive) hacker in the world cracking a 128-bit encryption system in about one minute...
The scary thing about the whole cryptography field is that the maths behind most cryptographic algorithms is really very simple (in "professional mathematician" terms, at least). You can obviously never know when a new technique is going to be uncovered within mathematical research that will undo years of "secure" communications in a heartbeat.
Hey, there are guys alive who can do incredible arithmetic feats in their head. Many of them can't explain how they do it, they just see things differently to the rest of us. What happens if someone comes along who can "just see" a large number as the product of a couple of prime factors...?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
My brother figured out this factoring problem a long time ago. I'd say he spent about 30 years in the basement working on it. He only came out for coffee and cigarettes. I told him he should post it on the Internet, but he doesn't seem to know what that is. Come to think of it, he doesn't seem to know much about the outside world anymore.
The comment is 3-FOLD, not a factor of 3. 3-fold is an exponential change - it means the strength is roughly the CUBE ROOT of what it formerly was. e.g.: 512^(1/3)=*8* bit security equivalent. How long does it take to crack 8-bit encryption? Not very long. Scale to 2048-bit: 2048^(1/3)=~12.7-bit equivalent. Ok, let's go whole-hog ... 16384-bit key... 16384^(1/3)=25.4-bit equivalent ... does this begin to make sense as how major a breakthrough this is?
That's not quite what I meant, since P is a (possibly improper) subset of NP. Factoring has never been shown to be not P (i.e. not solvable by a polynomial-time algorithm.)
http://www.ipgpp.com/ for the lazy among you. PGP 6.5.8ckt Build 06 is the last version, i believe.
/Pedro
Seems you are right about the NSA employing more mathematicians than anyone else in the world. They believe this too. From a page on their web site:
NSA employs the country's premier codemakers and codebreakers. It is said to be the largest employer of mathematicians in the United States and perhaps the world. Its mathematicians contribute directly to the two missions of the Agency: designing cipher systems that will protect the integrity of U.S. information systems and searching for weaknesses in adversaries' systems and codes.
will come when Bernstein puts a restrictive license on his algorithm that nobody can get binaries of it except from him. And of course, don't forget the obligatory mailing list carrying 30% messages of merit and 70% messages of people bitching about djb and his licensing.
Yes, sorry, in fact you are right (I got lost in writing something ironic). As far as I know it is just *feared* that factoring is not P.
:)
Sorry!
The needed approaches are radically different depending on whether you're trying to keep secrets from highly-skilled groups with plenty of resources (e.g. government agencies investigating you in particular), skilled groups with some resources (corporate espionage, small countries), snoopy ISPs (e.g. Comcast), skilled interested parties (IS groups), the casually curious (repair techs), and the unskilled (your grandmother). At the top end, you have to do all sorts of things that make using computers much more of a pain in the ass to keep them from adding keyboard sniffers, monitoring emissions, etc. At the low end, you have to learn how to hide files (using a .prefix or "hidden" flag, who cares) to keep your grandmother from being shocked by all that hot monkey lovin' in your porn archive. In between there are tradeoffs - how important is the information (do you need to keep it at all?), how important is it that it not be seen by others, how much inconvenience are you willing to go to to ensure that nobody else sees it?
Keep in mind that encryption isn't security. Encryption isn't even close to security. Encryption is a tool.
fencepost
just a little off
The methods described in the paper can be used to improve the cost of cracking EC discrete logs as well. The author, in a recent Usenet posting, points out that the paper's methods are likely to reduce the cost/effort of EC key cracking as well ... perhaps even more than RSA key
factoring.
The paper, combined with other other EC strength concerns suggests that EC is not the technology to turn to at the moment.
In other words, if this paper has you concerned about the security of RSA keys by factoring, then you should be even more concerned about the safety of Elliptic Curves as well.
But as others, including the author, have stated (in large friendly letters): DONT PANIC! It is not known if the ideas expressed in the paper are applicable to key sizes that are in common use.
chongo (was here)
Every year he prepared a fully texed solution of Putnam Math competition and post it to the newsgroup sci.math. I found his solution to Putnam 1995 B6 better than the ones given by Kiran Kedlaya and Dave Rusin (two other guys who post Putnam solution on the internet). However I prefer Kiran's solution because they are in Pdf format, easier to read because I'm too lazy to download a tex viewer.
Backwards writing
That recent usenet post is speaking about benefits of specialized hardware in brute-force approach, not about algorithmic breakthrough.
Pacifism is objectively pro-Fascist..."he that is not with me is against me." - George Orwell
I wonder if Orwell appreciated the irony of trying to transmute a political opinion to fact by putting the word "objectively" in it.
0 1 - just my two bits
Does this violate the DMCA in some way?
This is not news. Its been well known at least since the 1970's.
This applies to factorising and block cyphers, which probably explains why ICL built a military version of the DAP.
Why does everyone asume TLA agencies know the most? If you knew how to factorise products of large primes, who would you tell? (If you want to live to tell the tale!)
Sent from my ASR33 using ASCII
actually, the CIA hasnt told us, but they have known about this decryption method for sometime now... how do you think they knew you didn't take a shit this morning?
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
According to dictionary.com Link Thus the entire security of RSA depends on the difficulty of factoring; an easy method for factoring large prime numbers would break RSA. So it looks like we've been going about it all wrong. We should be concentrating on factoring large prime numbers. :)
--"Karma is justice without the satisfaction"
Good thing I have a 4k key.
It's also a good thing that I'm a total loser and don't have friends sending me anything in the first place.
Good history. Excellent for the layman. On Amazon
only infrmatn esentil to understandn mst b tranmitd
The paper suggests a way to improve some of the steps required (such as some of the linear algebra work) to factor using the Number Field Sieve (NFS) for large keys.
The paper does NOT give a method to improve the speed of cracking EC keys.
Special purpose hardware could reduce the cost of cracking an RSA key. However: The same could be said of cracking an EC key. Using different special purpose hardware and different performance tuning, one should be able speed up cracking of EC keys as well.
So ... If the existence of ideas to improve
the speed of cracking sufficiently large RSA
keys scares you and you worry about that
might come next,
then you should be even more worried about EC.
Why? Not because of the exact idea outlined in the paper. The paper does not apply to EC. Because EC is subject to special purpose hardware improvements: perhaps even more than RSA.
chongo (was here)
He's observed that current factoring algorithms use asymptotically more memory than CPU. For a sufficiently big problem, all of the cost of the machine goes into buying memory, which spends most of its life waiting for the CPU to get around to it.
It's the same idea that motivated the Connection Machine.
He's observing that if you use the right (low-memory) algorithms, you can trade off memory for CPU and get something for which the total cost, memory+CPU, grows more slowly with problem size.
But it's not clear that's we've reached the CPU bottleneck yet. RAM is really cheap these days, so it's quite possibly premature to worry about the growth rate of that term.
Remember, the paper is part of a grant application. "I have this neat idea, and I'd like to study how practical it is."
More concretely, if all his ideas pan out, he can factor a 3*n+k-bit number for the same cost*time that GNFS can factor an n+k-bit number. What's k? Nobody knows! That's what he wants to study. If it's 1024, there are no immediate security issues. If it's 128, we need to deal with it.
(The claim in the abstract, (3.009...+o(1))*n, is more accurate, but the casual reader might not notice that o(1) can be significant and negative for currently interesting problem sizes.)
So while it deserves careful attention, let me add, in large, friendly letters: Don't Panic .
Why does everyone asume TLA agencies know the most? If you knew how to factorise products of large primes, who would you tell? (If you want to live to tell the tale!)
t s_of_large_prime_numbers .
I'm glad you asked. I just finished my latest CVS checkin over at Source Forge. Please check it out! If you have any questions or bug fixes, please let me know: http://sourceforge.net/projects/factor_the_produc
cpeterso
128 bit keys almost always refers to a /symmetric/ algorithm - this is things like AES, Twofish, IDEA, etc. And for good symmetric ciphers, 128 bits of key is fairly secure - to brute force, you have to try out all 2^128 possible keys, which is a very hard problem (assuming, of course, that there aren't other problems with the cipher).
/assymetric/ ciphers - public key cryptosystems, and in particular RSA. RSA keys are made up of two large primes multiplied together (IIRC - it's been a while since I read this part of Applied Cryptography): finding the two primes breaks the key, and so its security is based on the difficulty of factoring really large numbers into prime constituents.
This article is referring to
The research referred to here is a way to speed up the factoring of large numbers, apparently by a factor of about 3 - it doesn't break the algorithm, it just speeds up a brute force attack. If it took 3000 years to break a 2048 bit RSA key before, now it'd take 1000 years. Barring more such discoveries . . .
Don't panic is a very good response to this - it's a serioius discovery, and it changes the risk factors involved with using RSA crypto, but it doesn't throw everything out the window.
Finally, I'd really suggest reading at least the interesting bits of Applied Cryptography, by Bruce Schneier. It explains a lot of this stuff, and gives you a good framework within which to put this kind of thing.
himi
My very own DeCSS mirror.
PGP 5 binaries were released by PGP, Inc, and accompanied by a full source release. Put the tinfoil hat back on.
-----
PGP Key ID 0xCB8FF658
I don't think it'll be an issue.
All it does is speed up a brute force attack.
/did/ break RSA completely - ie, by indicating that factoring is in fact a P problem rather than NP complete - then it would have made infinitely more of a splash than it did. That kind of breakthrough is Nobel Prize type stuff.
If it
himi
My very own DeCSS mirror.
It doesn't speed up the factoring by a factor of three, it increases the keylength it can break by a factor of three . . . In other words, this version of the NFS algorithm runs in the cube root time of previous versions.
/doesn't/ break RSA, it merely speeds up the attack.
This is more significant than a simple three times speedup, but it still doesn't change the fact that it
himi
My very own DeCSS mirror.
I'm happy to rumormonger with you all for a little while...
I hear things from various people that I shouldn't hear, not often, but occasionally. These are people who are rather credible - not totally, but rather. I feel pretty confident in this particular "rumor," because I've heard basically the same set of facts from three different people with three different kinds of intelligence community experience.
What I hear is that your assertion is true. The NSA has had the ability to break RSA cyphertext "for some time." Even extremely large key sizes are said to be vulnerable, and they can do it "reasonably quickly."
This, of course, flies in the face of all accepted non-defense conventional wisdom in the field - at least until today - but, as I said, three sources. So I believe it.
This may be the result of harrowing secret advances in factoring techniques, or it may simply be brute force. This is an agency that has historically measured its computing power in acreage.
So, "reasonably quickly." The other part of this "rumor" is that reasonable is not reasonable enough to do RSA decryption on a large scale, and hence, while they can break open a particular piece of data, they haven't necessarily integrated RSA see-thru into their global signals intelligence regimine. That, for the uneducated/head-in-the-sand types, is Echelon - and yes, the NSA does listen to, and data-mine, almost all of the world's information traffic.
Final piece of this particular story: the NSA is apparently fastiduous about not sharing this technology, even with other federal agencies. Kevin Mitnick's infamous laptop, rife with PGP-encrypted documents, was impenetrable to the FBI, and despite numerous, desperate appeals for help, the NSA refused to assist them in decrypting the data. That suggests the NSA is abiding by their charter, which basically forbids them from becoming involved in domestic law enforcement (i.e. they're not supposed to spy on Americans) - a necessity if you consider consitutional guarantees about "search and siezure" applicable (by no means a universally held view, unfortunately).
We're on the road to Tycho.
Wasn't somebody doing something similar at the recent RSA conference...Blasting through multiple rounds of DES and factoring RSA keys on smart cards with some magic boxes?
You're using her as bait, Master!
suck on that!
H4 H4 H4!
i already use 2kbit rsa for my webmail. so i can read my spam securely. whee.
No you dope, they changed from RSA to DH, changed the file format, introduced bugs like the one which allowed an unsigned key to be added to your keyring (causing all outgoing trafic to a given key to be decryptable with the unsigned key also) and so on: basically backdoored the shit out of it in ways which were sufficiently sneaky not to be obvious.
Dimwit.
I recompiled PGP back in 1994, after looking through the source code and finding a variable called (I kid you not) "MAX_KEY_LENGTH=1024".
I changed it to 8080 or some such strange number, and it ran just fine.
On a 386-33 it was *slow* to generate the keys, and of course no one was compatable, but it was trivially easy to do.
I wonder why the keysize limits on GPG still demand only 2048 or smaller. Why bother?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
cr.yp.to is not slashdotted. All the qmail, ucspi stuff comes up instantly. The crypto-links
all come up 'file does not exist', publicfile's version of 404. The files have been removed or 'chmod o-r''d. If they are not back up in a few days I will be greatly saddened.
I think you have it backwards.
Public apathy is the greatest problem with keeping government under control. There are many groups specifically designed to raise public awareness (ACLU, Greenpeace, you name it...). Why? Because they know that when the public gets pissed, things can change. Citizens in the U.S. can vote and this is the bottom line for keeping Congress and the President in check. When people get pushed around too much, they want a change. Look at the last senator race in WA - Slade Gorton, a LONG time incumbent got kicked to the curb.
On the other hand, you have no say about what a corporation does. You have to rely indirectly on the government to keep them in check, or "vote" with your dollars.
Unfortunately, economics sometimes make things worse. For example, let's say people stop buying products from a manufacturing company (oh let's say GE) and they need to cut costs. Maybe it's cheaper for them to dump in the Hudson river instead of cleaning up responsibly.
Worse yet, is when corporations redirect their money towards things that go against the grain of public interest. They usually don't tell you about these things. Did you ever realize that some of the money you spend on Ben & Jerry's ice cream gets donated to the anti-gun lobby in the U.S.? Maybe that suits you, maybe it doesn't, but the fact is that they aren't TELLING you about it. When it comes to a senator or representative's voting record, though, it is open for the public to see.
Or go one step further to multinational corporations who may not even be based in the U.S. Sony is one such beast. Their participation in the MPAA lobby has resulted in some horrific laws being passed in the U.S.
Corporations are definitely something to be wary of. Government may be corrupt, but at least you still have a method of participation in it.
1 u133r |33+ n54 #4>0r
\/\/3 53+ U5 uP Jo0R k3y5?!11??!1
4|| j0or pR1/\/\35 4R3 83|OnG +O U5!!!!!11
Actually, to factor a 50-digit composite number on modern hardware would take under a minute. Go to http://indigo.ie/~mscott/ for a program that does it; the link for a precompiled Windows version is on the bottom of the page.
> No you dope, they changed from RSA to DH
For good reason. If you don't KNOW the reason, then you're not exactly equipped to comment.
> introduced bugs like the one which allowed an unsigned key to be added to your keyring
Bugs which were discovered by peer review -- discovery made possible by the Open Source code release.
> backdoored the shit out of it in ways which were sufficiently sneaky not to be obvious
Your inability to actually name any of these ways shoots you down far more eloquently than I ever could. Put the tinfoil hat back on, sit down, and STFU.
-----
PGP Key ID 0xCB8FF658
'¥F×ÁÄg_̱é==^{íií/ðLÇW"FgÑçRHC~èÛq' 'x!OEÅ'õ(TM)úNa÷yi(p}Wúsñ±òn^0ÆéÁ`EÇ[@ß@'Ê CÔúk&¾Ê'-zb|ïXY0ÜOîGÈrfè½x(M3®%'à½ÂS pËsQ£z7óó®0ÏÕFÝrS'Q7aüÐ p8Ã$î'ÉNsÕxvcûûêPÒT'TÐdÐ8MsØÔJݼ`Ö[ÊqÎ 61oer'f},©ÐíÖÆÕÀÁòr EA3×íN29JâçÛ¥G--zÇZléÁ½l©f'í|=noÚhmZ0ÚvpLÌ sâg@L@îAsKõôfv,já(ãÐs>ESuÄLûõj ëíðqDoeo...½RÐÑÅa] 'ÈjõooWæ\#$ØÇM0Âr¼
I hope everyone's been paying attention to the whole Enron/GlobalCrossing/etc. affair--seems to me this thing is just getting bigger every day. One thing about the NSA being so secretive is that all they are doing is getting/gathering data. They can't really do anything with it. And I don't think they would, if they could. They are professionals just like the rest of us. It's who they give the information to that's scary.
Cool! Amazing Toys.
I'm a person who has quite an interest in crypto and often a good understanding of the base concepts behind crypto systems, but I don't understand much of the math that goes into proofs like this. Thus, I'd like to put some questions out to those who are more experienced than I am.
First, does this work? Have people independently verified that DJB is correct? (I went looking for some peer review via Google and didn't turn up anything that looked conclusive.)
Secondly, what's vulnerable? As I understand it, what DJB has discovered is a more efficient method of factoring numbers (on custom hardware) such that keys three times longer can be factored in roughly the same time. RSA is based on the product of two relatively prime numbers, so it's vulnerable. Aren't most public key systems based on this principle, though? How vulnerable is, for example, DSA to this new factoring technique?
--Phil (This article went up yesterday; hope someone's still around to read my post...)
355/113 -- Not the famous irrational number PI, but an incredible simulation!
Interestingly, much of the hardware design done to accomodate cryptographic work is finding a new life in bioinformatics, where some of the same problems exist (pattern matching, sieves on huge amounts of data, etc.).
No, what was being done at the RSA conference was completely different, wonderfully practical, and available today. It's a way of cracking RSA and DES implementations in smart cards using Differential Power Analysis and Differential Fault Analysis.
There was a company at the conference that was cracking these codes by very carefully watching the power levels on the input traces to the chip. By careful analysis, you can see exactly what is happening, what numbers are being sent to the various S-Boxes in DES for instance. From this, you can determine the DES keys. They said that single DES took a couple of minutes, triple-DES only three times as long. They claimed to be able to crack RSA as well.
Differential Fault Analysis involves giving the wrong voltages to the chip, and seeing how, and when, it fails. Again, this provides clues to what numbers are being processed within the chip.
Neither of these flaws point to problems with the algorithm, but to problems with its implementation. In fact, creating inexpensive physical hardware to do secure cryptography may be impossible.
What was remarkable at the RSA conference is that most of the other booths at the trade show were selling these same smart cards, in abject denial of their flaws.
thad
I love Mondays. On a Monday, anything is possible.
262,144 didn't make a lot of sense to me, so I figured it as a power of 2 -- 2^18th. Odd. It also counts for 512^2, or 4 banks of 2^16th. Only somewhat more logical... but it still doesn't make much sense to me.
The choice of number seems... unusual. Is there some special signifigance or particular reason for that number? Any ideas on how this particular approach would be applied? (Am I missing something, or was it just that point where the economy of scale was most favorable?)
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
But it'd be a discovery at the same kind of level that /would/ win one in a field where a Nobel was offered. Which is what I meant - "Nobel Prize type stuff" doesn't mean it'd win a Nobel Prize, just that it's roughly equivalent.
himi
My very own DeCSS mirror.
My boss said he heard that rot-13 might be crackable! So I told him to switch to triple-rot13.
now we need to go OSS in diesel cars