Factoring Breakthrough?

An anonymous reader sent in: "In this post to the Cryptography Mailing List, someone who knows more about math than I do claimed "effectively all PGP RSA keys shorter than 2k bits are insecure, and the 2kbit keys are not nearly as secure as we thought they were." Apparently Dan Bernstein of qmail fame figured out how to factor integers faster on the same cost hardware. Should we be revoking our keys and creating larger ones? Is this "the biggest news in crypto in the last decade," as the original poster claims, or only ginger-scale big?"

For the PostScript-impaired

[Hew]

Try viewing the postscript file using the online viewer here instead.

Re:For the PostScript-impaired

[killmenow]

Or view it as this PDF.

Now let's see how well RR's server can handle the /. effect. :^)

Re:For the PostScript-impaired

[Cy+Guy]

Or you can (try to) view in plain text via the Google archive here. Here's the Preface:

Preface
This paper is an excerpt from a grant proposal that I submitted to NSF DMS at the beginning of October 2001.

The same techniques can be applied to other congruence-combination algorithms for factoring, discrete logarithms, class groups, etc. See [3] for a bibliography.

Priority dates. I realized on 13 September 2000 that special-purpose hardware would change the exponent in the cost of integer factorization. I announced the exponent reduction from 3 + o(1) to 2:5 + o(1) for real (two-dimensional) circuits in a seminar at Butler University on 23 March 2001, a rump-session presentation at Eurocrypt 2001 on 7 May 2001, and a talk at the Algorithms and Number Theory conference at Dagstuhl on 14 May 2001. I realized on 9 August 2001 that the sieving exponent could easily be reduced from 2:5 + o(1) to 2 + o(1).

Re:For the PostScript-impaired

[flufffy]

plus, it'll avoid the /.ing of tonga ...

Re:For the PostScript-impaired

[Old+Wolf]

Since RR.com is the most common source (in my xperience) of DDoS attacks, I'd guess they could easily handle a slashdotting.

Re:Ginger scale big?

[medicthree]

don't tell me you haven't converted your judgments of magnitude to the ginger scale. everybody's doing it.

not surprising...

[lyapunov]

Cryptography is going to be a perpetual game of "measure, counter-measure" as computing power increases and people develop more clever ways of doing things.

Does anybody have good sources about this? Ones based on historical encryption and decryption that lead into modern times would be ideal.

Re:not surprising...

[monkeydo]

You are right, and this is a major stumbling block to widespread acceptance of encryption in the civilian world. The military and other organizations with a strong need to keep secrets are used to playing these games, but corporate America just isn't. Current applications aren't flexible enough to plug-and-play cryptography, changing crypto systems often means a complete redeployment of the application, or worse yet a new application.

Imagine the conversation with the CIO when you tell him he has to throw out his 1 year old meesaging platform because some guy figured out how to factor very large numbers effeciently and your current platform doesn't support eliptical curve cryptography.

Re:not surprising...

[Plutor]

Read the book The Code Book by Simon Singh. It's a fantastic mix of technical cryptography and historical perspectives.

Re:not surprising...

[lyapunov]

Thanks. I will check it out.

Re:not surprising...

[cduffy]

Imagine the conversation with the CIO when you tell him he has to throw out his 1 year old meesaging platform because some guy figured out how to factor very large numbers effeciently and your current platform doesn't support eliptical curve cryptography.

I can't conceive of a design so bad one would have to throw the whole thing out to change the cryptosystem -- absolutely cannot. If someone did manage to write such a poorly designed piece of software, the app would conceivably require rewriting on other grounds as well.

Re:not surprising...

[monkeydo]

Lotus Notes, Microsoft Exchange

Most large companies use one or the other for messaging. Both make it fairly easy to encrypt all of your traffic, but neither has good support for third party encryption. Your best hope right now would be some third party plugin on the client, but that makes it less likely to be used. It also make administration in a large environment very difficult.

We aren't just talking about changing algorithms here. If this "discovery" is all they are claiming it could very well mean that all public key crypto is insecure. Companies like Cisco, Verisign, and MS have encouraged enterprise customers to spend a lot of money on PKI as an enabling technology for everything from secure email to remote access. That may be down the drain if in fact, "Everything you know about public key cryptography is wrong."

Re:not surprising...

[Old+Wolf]

Not entirely. Cryptography has a mathematical basis (unlike things like CPU speed, which has a technological basis, so is subject to Moore's Law). RSA rests squarely on the (presumed) fact that factorising a large prime number has a time complexity of O(n^3). Today's discovery doesn't change this, it just "inches" towards the best possible case of O(n^3). It would be a gigantic and revolutionary step for mathematics if even an O(n^2 log n) algorithm were found, and it is by no means inevitable.

Re:not surprising...

[tomstdenis]

This is wrong on several levels.

1. RSA's security comes from the inability to find the e'th root modulo a composite. Its *conjectured* to be as secure as factoring is hard but thats not what the security comes from. The security comes from the inability to find the decryption function from the encryption function.

2. Current factoring algorithms take via the GNFS

e^(1.923 * (ln(n)^1/3 * ln(ln(n))^2/3))

Time not n^3 time as you suggest.

Finally, the new result appears to just be a more efficient implementation of the GNFS, its not a new algorithm.

Given all that the new results certainly are worth taking a look at.

Tom

Re:not surprising...

[cduffy]

Plugins exist to add support for 3rd-party crypto to Exchange; I'd expect that if such isn't immediately possible for Notes, a sufficiently large customer could push it in quickly. Even adding some frontend hacks is a long way from having to "throw out [a] 1 year old messaging platform".

On another note... This "discovery" doesn't make all public key crypto insecure, just significantly less secure; triple your key lengths and yer fine.

Were they even secure yesterday?

[Carmody]

The NSA factors numbers, and their work is top-secret. When I read stories like this, I wonder if people are just discovering things that the NSA has known about for years. If the NSA could factor 2 Kbit keys, would they tell people? Probably not.

So when you ask "Are our keys secure" the logical follow-up question is, "From who?"

From me? Yes. I probably couldn't factor a 1000 digit number.

From your boss? Yes. You could use rot-13 and your boss would probably be baffeled.

From your boss' lawyers? From the police? Here is where we get into the gray area; where the article becomes relevant

From the government? I think you were kidding yourself when you thought it was secure in the first place. I find it easy to believe that the NSA is far ahead of the public in the encryption arms-race.

Re:Were they even secure yesterday?

You could use rot-13 and your boss would probably be baffeled.

Especially if you misspell everything!

Re:Were they even secure yesterday?

[monkeydo]

From the referenced post:

Note that there have been rumors of an RSA cracker built by a
three-letter agency in custom silicon before this, but until
analyzing Bernstein's paper I had always dismissed them as
ridiculous paranoid fantasies. Now it looks like such a device
is entirely feasible and, in fact, likely.


There has always been speculation that the NSA could break RSA, but it was dissmised as paranoid by most "in the know." Most of the mathematicians didn't believe that they were that much ahead of the rest of us. Now that this technique is known it explains how the spooks may be able to break crypto everyone else believed was "unbreakable" if they had previously made this discovery.

Re:Were they even secure yesterday?

[JordoCrouse]

From the government? I think you were kidding yourself when you thought it was secure in the first place. I find it easy to believe that the NSA is far ahead of the public in the encryption arms-race.

Exactly! One of the most lucid posts I have ever seen on /. The alphabet soup agencies spend millions of dollars and hire the most brilliant minds in the world (not just the US), and their whole existance is based on the premise that they need to be able to find out what every human on earth is doing at any point in time.

I have never thought that I could put one by the government, and I have never encrypted my documents because I was worried that some spook might read it. If they want my password, credit card number or DNA bad enough, they're going to get it no matter what I do. I encrypt my data because I'm more worried about script kiddies and regular old fashioned crooks.

Re:Were they even secure yesterday?

[Syberghost]

Remember what happened with DES. The NSA said "make these changes. We can't tell you why." IBM made the changes.

20 years later, when differential cryptography was "discovered", it turned out those changes made it more resistant to differential cryptography...

Re:Were they even secure yesterday?

[Steve+B]

No data security is really secure against a government focused on you -- if they can't break the crypto, they'll Trojan the machine, plant a spy camera to capture the passphrase, or squeeze the information out of you and/or your correspondents.

The realistic target is making it cost too much to target you. (Note that cost != money -- the usual government policy in that regard is "spend all you want; we'll tax more". Real costs to governments are man-hours of specially trained personnel, risk of exposure and embarassment, or risk of exposure and loss of ability to use the same trick again.)

Re:Were they even secure yesterday?

[Fulcrum+of+Evil]

From the government?

Forget encryption. Piss them off and they'll come after you directly.

Re:Were they even secure yesterday?

Security doesn't equal encryption.
Your stuff may be easily available even if it was protected by 4096-bit keys - and taking advantage of this is where they are even better at (than in breaking the laws of physics or something).

Re:Were they even secure yesterday?

[rbeattie]

20 years later, when differential cryptography was "discovered", it turned out those changes made it more resistant to differential cryptography...

Wait, I don't understand that. Is this good or bad? Resistant meaning that you couldn't use DES for this type of new and better cryptography or the opposite that the DES was made stronger by the NSA changes... I'm confused.

-Russ

Re:Were they even secure yesterday?

[Zathrus]

Ok, I'm paraphrasing stuff I previously read on /.

Which, of course, means that this is the absolute truth, so please repeat it as such.

DES has a large space of possible keys to use. At some point in time (I don't know that it was 20 years prior to the general knowledge about differential cryptography, but it was numerous years prior at lest) the NSA quietly told everyone that a certain portion of that keyspace should not be used. Ever. They didn't say why. They just said that it shouldn't be used for secure applications.

Eventually someone discovered differential crypto. It revealed that the keyspace that the NSA said not to use for DES was very, very weak and could be cracked rather trivally. The rest of the keyspace was still secure though (within the scope of the original security on DES at least).

What he's saying is that the NSA knew about this a long, long time before anyone else had figured out why. It is not unreasonable to believe that they've figured out other "magic" to make crypto either harder or easier to crack, despite claims otherwise.

The NSA exists to protect US national secrets. Crypto is their business. Knowing how to crack crypto tells you how safe your own crypto is. They have a very large, very undisclosed budget. Contrary to popular belief, not everyone in the government is incompetent. You may put together your own conclusions from there. Please wait in line for your aluminum foil beanie though.

Re:Were they even secure yesterday?

[Ralph+Wiggam]

For the first time I know of, the NSA is actually the good guys in a Slashdot post.

The NSA recommended changes to DES that made it a better, less crackable, scheme. Years later, when a new type of code breaking was publicly discovered, people looked back and noticed the changes the NSA had made were directly influenced by this "new" type of code breaking. The bottom line is that the NSA is, and always has been, leaps and bounds ahead of all non-classified "state of the art" cryptography.

Could the original poster give a link? I would love to read the story.

-B

Re:Were they even secure yesterday?

[HiredMan]

Wait, I don't understand that. Is this good or bad? Resistant meaning that you couldn't use DES for this type of new and better cryptography or the opposite that the DES was made stronger by the NSA changes... I'm confused.

It's good - the NSA changes (S-Box design specifically) DID make DES stronger.

But if you read between the lines it means that the NSA knew about Differential Crypt _at least_ as early as the early1970s while the public didn't know about it until many years later.

We went through this "good/bad" debate on /. here as part of this thread on quantum computing.

=tkk

Re:Were they even secure yesterday?

[Suppafly]

> God is real unless declared integer

...so the doctrine of the Trinity was just the result of NSA factoring an integer God? ;)


No its an old joke that goes back to fortran where variables named a-h were reals (floats) and i-z were integers unless you specifically declared them otherwise.

Re:Were they even secure yesterday?

[broter]

I found a brief mention of it here in the Differential Cryptanalysis section. Also, in "Applied Cryptography, 2nd ed." (Schneier) on page 290, it quote IBM's Don Coppersmith as saying:

• The design took advantage of certain cryptanalytic techniques, most prominently the technique of "differential cryptanalysis," which were not known in the published literature. After discussions with NSA, it was decided that disclosure of the design consideration would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.

I've heard about it in other places, but I can't remember where at the moment.

Re:Were they even secure yesterday?

[gweihir]

Wait, I don't understand that. Is this good or bad?

It supposedly improved DES. But it also implies that the NSA might have knowen about differential cryptoanalysis 20 years before public research discoverd it. The implication is that they might know a lot of other things that are not yet knowen in the public crypto research community. On the other hand, they might only have had a hunch, or there might have been other weaknesses in the old design (they changed the s-boxes, as far as I remember), that they could find and the effect on differential cryptoanalysis is accidental.

But there is also another limiting factor: If they can break, e.g. AES or RSA far easier than the public suspects, they don't want the public to know! After all when it is knowen a cipher is insecure, people will stop using it or improce its security. This is analog to not exposing a highly placed intelligence source.

If you plan a major terrorist attack and use email for the related communication, you might have to worry. Otherwise, as long as you use cipthers that are belived to be secure for the near future by current published research, you should not need to worry.

Re:Were they even secure yesterday?

[perky]

The NSA exists to protect US national secrets.
and to perform industrial espionage on behalf of US corporations.

Re:Were they even secure yesterday?

[jonathan_ingram]

Here is the paper showing that DES is secure from differential cryptanalysis, but many related schemes were insecure:

Biham, Shamir - Differential Analysis of DES-Like Cryptosystems.

It contains one of my favourite passages in a crypto paper: "Cryptanalysis of GDES... The special case of q=8 and n=16, which is suggested in [16,18] as a faster and more secure alternative to DES is breakable with just six ciphertexts in a fraction of a second on a personal computer." [and that was a personal computer from 1991 :)].

Re:Were they even secure yesterday?

[baka_boy]

I think that government agencies are more interested in having the potential to know whay any single person or group is doing, rather than literally needing to know what everyone is doing, all of the time.

What worries me is the possibility that corporations could have effectively the same amount of power, with none of the public scrutiny, accountability, or mission to "protect" (at least in theory) those they watch. As you say, individuals can (and do) protect their privacy in dealings with each other, with or without the threat of government intervention. Massive corporations, OTOH, are effectively immune to any power less than the largest national governments.

Re:Were they even secure yesterday?

[jovlinger]

But on the other hand, IIRC, the NSA also "requested" that the key length be reduced from 64 to 56 bits.

The reason being that their budget could allow them to bruteforce such a key if they really wanted to, while it took until just a few years ago for that to be feasible for a well funded public entity, and until last year for this to be affordable to Joe Public (affordable = ~ US$2K for a machine to do it in about a day)

Re:Were they even secure yesterday?

[AnotherBlackHat]

The NSA factors numbers, and their work is top-secret. When I read stories like this, I wonder if people are just discovering things that the NSA has known about for years. If the NSA could factor 2 Kbit keys, would they tell people? Probably not.

The trouble with this game is that you can just as easily play it the other way. Does the NSA ever do anything besides suck money out of congress and take credit for things they never did? (Oh, the NSA has know that for years...)

This may be a significant advance in factoring, but I notice that rsa-576still hasn't been factored.
Until someone does that, I'm not going to lose any sleep over 1024 bit keys.

-- 10 bits, 3 digits, it's all the same.

Re:Were they even secure yesterday?

[Old+Wolf]

Which part of the keyspace, exactly?

Are you saying that if DES keys are generated randomly, they might fall into the bad keyspace and be insecure?
Does this go for 3DES too?

Re:Were they even secure yesterday?

[Captn+Pepe]

Close, but not quite. Part of the DES algorithm includes a step in which hardcoded bit-pattern substitutions are made; the tables describing these substitutions are called S-boxes (for their appearance in a flowchart, I believe).

Anyway, the NSA discovered that the S-boxes could be used to tune the algorithm's resistance to differential cryptanalysis. In 1991, Adi Shamir et al discovered that the resistance of DES to this procedure makes it almost exactly as hard to break DES this way as by brute force, indicating that the S-boxes had been tweaked for this (improbable) result.

I'm afraid I can't find an online reference for this at the moment; you could probably search for Shamir's papers on differential cryptanalysis, and it is also summarized in Schneier's Applied Cryptography.

Re:Were they even secure yesterday?

[crawling_chaos]

And foreign agencies don't??!!

When I was contracting at a Fortune 50 ten years ago, there was a strict company policy that no company confidential information was to pass through the French public telephone network. They had it on very good authority that the French equivalent of the NSA was handing information to French companies to enable them to underbid.

Where did they get this information? I don't know, but I've always surmised that the NSA found out about it while bugging the French.

Get off your high horse. The NSA is no more evil than the spook agencies of every other country in the world. It's just better funded.

Re:Were they even secure yesterday?

[JabberWokky]

Quite a few of us love the NSA and what they do. They watch the neighbors quite nicely, and don't generally poke around in our own closets. I'm sure that there's plenty of domestic intercept done in order to get the job done, but by and large, they ignore it. They are also the badass muthaf-ers of the math and computation community. Picture Samuel Jackson and Robert De Niro with slipsticks and mainframes. I am also absolutely sure that several people in their employ read Slashdot... not for some nefarious purpose, but simply because they're into Legos and Star Wars too.

--
Evan "Geeks like us" E.

Re:Were they even secure yesterday?

[marphod]

This is not, however, a 'break' in RSA. There is neither a theoretical flaw in RSA (or other factoring-based encryption methods), nor has factoring been shown to be an P problem.

This is an increase in algorithmic speed. Its a jump on moore's law, but this is hardly unexpected.

In order for there to be a break of RSA or another factoring-based algorithm, the there needs to be a flaw shown in the algorithm, that makes solving it easier than factoring large primes, or factoring primes needs to be shown to be a low-cost non-hard problem.

Re:Were they even secure yesterday?

[cicadia]

The alphabet soup agencies spend millions of dollars and hire the most brilliant minds in the world (not just the US)

I don't know about the rest of the Three Letter Agencies, but the most important of them for this topic will only hire Americans.

From the NSA's employment FAQ,

3. Do I have to be a U.S. citizen to work at the NSA?
Yes. Only U.S. citizens are eligible for NSA Employment.

The most brilliant minds outside of the US need not apply.

Re:Were they even secure yesterday?

[Paul+Crowley]

That's not quite right.

The mysterious tweak was not restricting a portion of the keyspace; it was the choice of "S-boxes". In DES, the S-boxes are a set of 8 functions that take 6-bit inputs and return 4-bit outputs. They're not specified algorithmically; the standard just says "S-box 1: 0 -> 14, 1 -> 4..." and so on: eight tables, each of which contains 64 4-bit numbers. The S-boxes are central to DES's security; the only other operations in the cipher are bit shuffles and XOR.

When DES was launched, people noticed pretty quickly that these tables had not been filled randomly; they did not pass randomness tests. But IBM (who designed DES) and the NSA (who approved it) were tight-lipped; not only about their design, but about the whole design of DES. Naturally, people suspected a back door.

When differential cryptanalysis was discovered, it was shown that the S-boxes had been specifically hardened against it, and that this was the souce of the pattern seen. Don Coppersmith of IBM had independently discovered DC, calling it the T-attack (T for "tickle"), and had worked out how to defend DES against it.

However, when Mitsuru Matsui discovered linear cryptanalysis, it was found that DES was not specifically hardened against it, and indeed the best academic attack against DES is a linear attack. Since the NSA approved DES, perhaps they did not know about linear cryptanalysis either.

Of course the real NSA back door was always the 56-bit key, and the best practical attack is still brute-force key search.

Re:Were they even secure yesterday?

[rho]

What worries me is the possibility that corporations could have effectively the same amount of power, with none of the public scrutiny, accountability, or mission to "protect" (at least in theory) those they watch.

What public scrutiny? Do you know what the NSA is doing? Do you thing your drunk, philandering senator knows? Or even cares?

This is a dangerous attitude--whereas a corporation could learn all about you, the worst they'll do with the information is use it to sell you more bric-a-brac, and if you discover that they're invading your privacy, you can at least sue them.

If the government is gathering this data, it can use it to take, with force, everything you own because you smoked a joint in 1963. Plus, if you find out the government is invading your privacy, you can only... well... you can only grease up your sphincter to help with the penetration. And, depending on how you find out what the government is doing, they can shoot you.

Corporations do bad things, but the worst things are done by governments, not corporations. Even the worst things done by corporations are done by the government at the corporations' behest (vis. DMCA).

Re:Were they even secure yesterday?

[Lord+Ender]

The US Government has always been willing to fight for the interests of US businesses overseas. There is nothing wrong with this in princible, that's what governments do. It is even mentioned in the constitution that the government should have power to protect US merchang ships from pirates. This is protecting business interests overseas with military action, btw. In fact, the war of 1812 was mainly about protecting US business interests abroad with military force. English military ships were routinely stopping or stealing from US trade vessels. The US decided to go to war over this. What's the big deal? Protecting the interests of our businesses is in the interests of all of us.

Of course that doesn't mean everything the government has done to benifit our businesses was moral (depending on your definition), but in princible, it is the right thing to do. We can't just let whoever wants to hijack our businesses metaphorical trade vessels as soon as they leave our ports.

Re:Were they even secure yesterday?

[cicadia]

True, they would just have to agree to become a US citizen first.

Allegiance to the flag, defend the constitution, fealty to the president, and all that

Re:Were they even secure yesterday?

[drix]

On the other hand... it has been claimed that OBL et al were using good old PGP (probably version 2.6.2i) to encrypt their communications, and then sending them out over public forums and/or e-mail. Here we have an Al Qaida training manual with instructions for using PGP (unfortunately it must be fed through clumsy translator, but search the page for "PGP" and you'll get the gist.) It's well known that we were listening to Al Qaeda satellite phone conversations, spying on them with drones, etc., so I'd be more than willing to be that we were intercepting a fairly large portion of their e-mails, Usenet posts, and Yahoo! forums messages, or whatever else they were using. And I'd be more than willing to bet that said communications contained a least a few morsels about 9/11, and probably many many more.

Yet, by all accounts, this one caught the intelligence community completely by surprise. They literally had no idea that anything at all out of the ordinary was going on on September 10.

Let's get to the point: there's no way the NSA has the capacity to break strong crypto at will. Here was their golden opportunity, the situation for which the NSA was formed in the first place ... and they blew it. I suppose the paranoid could argue that passed to opportunity up for fear of showing their hand. I doubt that; that really stretches the limits of plausibility for me. Let's face it: for a large enough keysize nobody is going to be decrypting your communications who isn't supposed to be. Of course, when the FBI can implant a hardware keylogger on your PC pretty much at will, I suppose that's kind of a moot point.

Re:Were they even secure yesterday?

[acb]

Some have claimed that the NSA is 200 years ahead of the rest of the world in mathematics. Even if this is an exaggeration, it's something to think about.

Re:Were they even secure yesterday?

[JDizzy]

yup, so how do we fight against hardware key loggers? If I found one in my PC, what could I do about it? Post pictures on Slashdot, hope the goverment doesn't get mad that I stole their hardware? I duno.

Re:Were they even secure yesterday?

[osolemirnix]

However, the fun starts when companies become multi-national. I find it quite amusing to watch how the FTC and it's other national counterparts struggle when they try to apply their national viewpoint logic to international mergers.

NSA liaison officer 1: Dude, so is Daimler-Chrysler still an american company now, or what? They're asking for some info on those frenchies.

NSA liaison officer 2: Aehm, dunno man. But I thought the germans are the bad guys. Oh wait no, that was back in WW2. I think now they're our friends.

Re:Were they even secure yesterday?

[perky]

Why don't /. add a new negative moderation - Critical of the American way or of something done in or primarily by Americans. That way you wouldn't have to mod me a troll or as flamebait when I mention that the NSA doesn' exist soley for the protection of American national security. Essentially you don't like it that America isn't loved and adored by the rest of the world and admired for the polluting, bullying, obese nation that it is. As a result you mod down rather than reply. Think about it: is the above post really a troll? Is it flame bait?

I thought the USians here might have a more enlightened opinion about their nation essentially breaking laws for the protection of US multinationals. I thought you might think it was morally dubious, especially given the amount of you that hate government interference in your own lives. But I guess that it doesn't matter if they are spying on foreigners. After all, it's their own fault for not being American.

Re:Were they even secure yesterday?

[Syberghost]

Yeah, the US is so hated and reviled. That's why we have to heavily restrict immigration every year...

If the US had unrestricted borders we'd have 3 billion people living here. The US is hated and reviled by a very vocal minority, most of whom are jealous that our television is so much cooler than theirs.

Re:Were they even secure yesterday?

[Bartmoss]

And you don't think they could naturalize a foreigner if they wanted to hire them?

Re:Were they even secure yesterday?

[Syberghost]

Hmm... I am pretty sure that the IBM researchers stated quite clearly that the NSA did not directly interfere with the DES development (in particular, the S-boxes).

Yep, at the time, they sure did.

Then later some of them admitted they were lying, including Dan Coopersmith.

Re:Were they even secure yesterday?

[cperciva]

This may be a significant advance in factoring, but I notice that rsa-576 still hasn't been factored.

That's not security; that's apathy. RSA-576 is quite factorable right now, as soon as anyone gets around to it. The largest cause for it still standing unfactored is that GNFS requires rather more background knowledge than something like cracking DES.

If either RSA-576 or RSA-640 are both still standing three years from now I'll be very surprised; I'd be surprised if even RSA-704 is unfactored three years from now.

Whew - I'm safe

[Dolph]

I use a 4096-bit GPG key. It may take a day to encrypt a message, but at least the encryption can't be broken (yet).

Re:Whew - I'm safe

[Hieronymus+Howard]

can't be broken (yet).

Not until we get quantum computers, that will break it almost instantly :-)

Re:Whew - I'm safe

[Tackhead]

> I use a 4096-bit GPG key. It may take a day to encrypt a message, but at least the encryption can't be broken (yet).

Ah, but what of the Great Unwashed, who figured "PGP? Too complicated! I can't be bothered! They'll just decrypt it anyways."

If this math turns out to be real, the Great Unwashed was right for anyone with less than a 4096-bit key ;-)

HTML Version of Paper

[BigBadAssMonkey]

http://cr.yp.to/papers.html

Re:AES?

[Hizonner]

The Rijndael/AES cryptosystem does not depend on the difficulty of factoring. This is a big deal mostly for RSA.

Too many secrets...

[KodaK]

Circut for integer factorization?

Reminds me of a certain movie...

Hmm....

[Greyfox]

I wonder how long the NSA has know about this. I'm betting a decade...

I haven't hit a top limit on the GPG key yet. I had an obnoxiously long 4096 bit one I was testing with for a while and PGP was able to encrypt messages to it but was unable to import the private key. Oh well, time to move to an obnoxiously obnoxious 8096 bit one.

Suddenly the 128 bit netscape encryption isn't looking so good (Not that it was before...)

Re:Hmm....

[jkujawa]

The 128 bits Netscape uses are for a symetric key. It takes considerably less bits for a symetric key to be secure, than an asymetric key. (I forget the equivalency, but ISTR that 128 bits symetric is roughly equivalent of 2048 bits asymetric.)
And the symetric keys netscape uses don't depend on factoring primes to be secure ...
Although the key exchange that netscape uses to send the session key probably does.

Re:Hmm....

[Hieronymus+Howard]

The 128 bit DES key is then encrypted using RSA (I think). Not sure how many bits the RSA key is.

HH

Re:Hmm....

[Old+Wolf]

During the SSL handshake, the server and client say which keysizes they want to support, and it then uses the most secure one available. Usually it turns out to be 512bit or 1024bit. I think Verisign will not even issue SSL certificates for higher than 1024bit RSA.

Re:Hmm....

[sludg-o]

And the symetric keys netscape uses don't depend on factoring primes
to be secure ...

Good, because here's a script I wrote that factors any prime number in constant time:

#/usr/local/bin/perl5 -w

print "Please enter a prime number";

chomp($prime = <STDIN>) ;

print "The factors of $prime are $prime and 1";

exit(0);

Of course, you really DO need to input a prime for it to work.

Just wait...

[JohnBE]

Shouldn't we all hang on until crypto experts validate this? Is it theoretical? How much does the attack cost? etc. etc.

I wouldn't start sending those revocation certificates just yet.

Re:Just wait...

[nomadic]

Crypto experts? Don't you realize the average slashdot poster is an expert on all technical and mathematical subjects, no matter how esoteric? Come on, get with the program...

Re:Just wait...

[TheAwfulTruth]

And miss foaming at the mouth at the earliest oppourtunity? Hardly! :) But yeah, like Mr. infinate compression in Fl. Prove it or shut up. In fact I wish these people would actually construct a working model before opening thei mouths. Would save us all a lot of time.

Re:Just wait...

[JohnBE]

Another point I'd like to raise is that major international companies are as well funded as government and maybe have as much influence. If a big international were to intercept and decode a rivals mail it could give them an advantage (or even customers mail, if the customer's info is of enough value). The other point is that as equipment becomes cheaper and faster the attack will be within reach of so many more people.

Re:Just wait...

[JohnBE]

That may be the case, but peer review is very important in these matters.

Re:Just wait...

[JohnBE]

It also depends on the context of the messages transmitted, troop movements are good when they are moving, but not as helpfull to your troops when the information is old. [Not to say that the message structure isn't helpfull] So how long the attack takes is also very important (in some circumstances, not as important in others)

One-time pads are feasible but difficult to manage and of course have other limitations. Although they have been the mainstay of numbers stations etc. for the last 40 years.

Re:Just wait...

[Xerithane]

The difference is Bernstein supplies the math. By that logic, Einstein should have never released the theory of relativity, because he couldn't prove it at the time.. Good idea!

Known about for years

[wiredog]

I read somewhere that the RSA public key algorithm was invented at GCHQ, and kept secret, years before RSA invented it.

Re:Known about for years

[gowen]

Correct, it was invented in 1973 by Ellis, Cocks and Williamson at GCHQ.

Re:Known about for years

[disappear]

Not exactly. They developed the _idea_ of public key cryptography, but couldn't figure out quite how to do it.

Re:Known about for years

[Jon+Chatow]

From what I can remeber of the reporting at the time this was 'uncovered', (i.e. under the 30 year rule of the FOIA it was de-classified), the people who came up with the idea were ordered to stop playing around with such off-topic ideas and get back to 'serious' work (presumably breaking the Russian's latest code, or whatever).ICBR, though.

Doesn't affect AES

[Cadre]

There is no impact. AES is a symmetric system that is not based on factoring. This apparent discovery only affects algorithms that are based on the difficulty factoring large numbers.

To quote another:

[PureFiction]

"Holy shit. The math works. Bernstein has found ways using additional hardware to eliminate redundancies and inefficiencies which appear in any linear implementation of the Number Field Sieve. We just never noticed that they were inefficiencies an redundancies because we kept thinking in terms of linear implementations. This is probably the bigest news in crypto in the last decade."

Yeah, this is big news. It also sheds new light on the relaxation of the export constraints. The NSA has dedicated hardware performing this same procesing, and probably for the last 5-10 years...

"Note that there have been rumors of an RSA cracker built by a three-letter agency in custom silicon before this, but until analyzing Bernstein's paper I had always dismissed as ridiculous paranoid fantasies. Now it looks like such a device is entirely feasible and, in fa ct very likely."

Time to make new keys...

Re:No wonder NSA was okay with 128 bit encryption.

[fremen]

Using 128 bits is fine for symmetric key algorithms like IDEAS and Blowfish. It's not ok for public/private key algorithms like RSA. You're comparing Apples to Oranges.

Don't Panic

[SiliconEntity]

I am a co-author of RFC 2440, the OpenPGP standard. It's important to put this result into perspective. Dan Bernstein is the first to say that it is too early to tell whether his design for a factoring machine would be practical for keys of the size in commmon use today. See for example this recent Usenet posting, where he says,

Protecting against the http://cr.yp.to/papers.html#nfscircuit speedup means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize that, at this point, very little is known about the function f. It's clear that f(n) is approximately (3.009...)n for _very large_ sizes n, but I don't know whether f(n) is larger than n for _useful_ sizes n.

Bernstein's paper is excerpted from a grant proposal where he is requesting funds to answer the question of whether the design is applicable to useful key sizes. At this point it is far too early to assume that 1024 to 2048 bit keys can be attacked by his proposed machine more efficiently than with known methods.

Re:Don't Panic

[remande]

Would this allow a machine built ten years from today to crack keys of today's size? If so, this will become a risk for those who use crypto to store sensitive information for long periods of time.

Re:Don't Panic

[osgeek]

It seems like betting on long-term strength of a particular type of cryptography is about as useful as predicting the imminent demise of Moore's law.

Re:AES?

[Ronin+Developer]

None at all when considered by itself. AES (ala Rijndael) does not depend upon prime numbers. Hence, it is not subject to factoring. It is a symmetric cipher with key lengths up to 256 bits.

Where it could be susceptible, however, is during a key negotiation session (say via Diffie-Hellman Key Exchange) or a naive approach of simply encoding the session key using the recepients RSA key.

Where I would be truly frightened is in the realm of digital signatures where somebody could forge a digital signature simply by knowing the sender's public key and factoring it. With digital signatures almost as legally binding as handwritten signatures, identity theft may increase using these methods.

The resulting impact may be less acceptance of digital signatures and more reliance on antiquated methods.

RD

Re:Really Unique Crypto

[Eccles]

Isn't this just a creative variation on the one-time pad technique?

And all of these, really, are just techniques that split up the message, and then assume the decrypters can only get one part. So essentially you could do this with any encryption algorithm, just send part by the internet, and part by carrier pigeon, attack stoat, etc.

Re:OMFG

[mindstrm]

This is about a threefold increase in factoring speed.. not an order of magnitude.

The NSA can afford huge hardware.. REALLY huge hardware, for breaking crypto... was there ever any doubt?

Re:it's a cool method

[Ed+Avis]

Only a threefold increase in speed? That would make hardly any difference, you'd get a threefold speed increase just by waiting a few years for Moore's law to deliver.

My understanding is that keys of three times the length can be cracked in about the same time - which is an _exponential_ increase in speed.

1.5 bits lost?

[nagora]

If this new method speeds the calculation by a factor of three, and each extra bit in the keys doubles the amount of time needed then surely this "breakthough" amounts to everyone losing less than 1.5 bits of security, doen't it?

The poster seems to think speeding the calculation by 3x means reducing the strength of 300bits to that of 100bits. I know this is plain wrong but I'm not sure of the correct value.

TWW

Reward

[suso]

Is he going to pay someone $5000 if they can prove him wrong? (qmail joke)

Post script viewers...

[Spatch3]

You could view this post script file online here, or you could use the Windows, OS/2 or Linux viewers available here.

Speaking as a computing DPhil...

[cperciva]

This isn't really a big deal, nor is it surprising.

Basically, what DJB has done is translated the GNFS from its normal implementation on serial computers (where there is a great deal of available memory, but only one operation is performed at once) into a parallel implementation, where the number of processors more closely matches the available memory.

The "decreased cost" is misleading here, since it is calculated on the assumption that sieving would have been done by a single processor with access to a huge memory... this quite simply was never the case.

There is nothing here to suggest that factoring can be performed using any fewer FLOPS; all that is demonstrated is that by using several processors, each with a smaller memory, you can do better than with a single processor and a giant memory. Which we already knew.

To summarize: DON'T PANIC!

Re:Speaking as a computing DPhil...

[The+Pim]

The "decreased cost" is misleading here, since it is calculated on the assumption that sieving would have been done by a single processor with access to a huge memory... this quite simply was never the case.

There is nothing here to suggest that factoring can be performed using any fewer FLOPS; all that is demonstrated is that by using several processors, each with a smaller memory, you can do better than with a single processor and a giant memory. Which we already knew.

Hold on. A parallel implementation would normally just give an N times speedup. But the Berstein method (reportedly) does much better than that: it reduces the base of the exponential complexity by about a third (in the asymptotic case). This is far more significant than "merely" parallelizing the algorithm.

Re:Speaking as a computing DPhil...

[Alsee]

To summarize: DON'T PANIC!

If you are trying to protect your data from organizations that can throw of hundreds of thousands of $ at custom hardware, then "Bzzzt! Wrong answer!".

The analysis is based on keylength per $ of hardware. It theoretically triples the keylength you can attack per $ spent. He's not talking about simply throwing more CPU's in your typical box.

Example with random figures:
Old method: $1,000,000 + 1 day break 1000 bit key

New method: Custom hardware is more expensive, buy "smaller" machine that lose 100 bits cracking ability, but new method triples the attackable length: $1,000,000 + 1 day break 2700 bit key.

The only question is where does the cost-benefit ratio kick in? Is it at 500 bit keys? 1,000 bit keys? or 5,000 bit keys?

Government security angencies have custom codebreaking hardware. We just need someone outside the government to figure out and announce the price tag. Then we'll know what's currently breakable. Shouldn't take long.

P.S.
His anaylsis was related to one (important) catagory of encryption. He also notes that it will work against other catagories of encryption, and prossible even more effectively.

-

Re:Speaking as a computing DPhil...

[cperciva]

Hold on. A parallel implementation would normally just give an N times speedup.

Only for a fixed amount of parallelism. DJB is supposing that as the problem gets larger he is increasing the number of FPUs at the same rate as the amount of memory. Which is eminently reasonable, and hardly new.

Re:Speaking as a computing DPhil...

[cperciva]

The analysis is based on keylength per $ of hardware. It theoretically triples the keylength you can attack per $ spent.

It triples the keylength at the same cost, compared to a serial machine with a huge address space. But nobody was ever considering loading down a Pentium 4 with a few petabytes of memory; instead, people would stick a few gigabytes of memory on each of 10^6 Pentium 4 processors.

All DJB has done is reinvent the idea of scaling processors at the same time as scaling memory when attacking large problems.

Government security angencies have custom codebreaking hardware. We just need someone outside the government to figure out and announce the price tag. Then we'll know what's currently breakable.

If you use an RSA modulus smaller than 768 bits, I will laugh at you. If you use an RSA modulus smaller than 1280 bits, the Russian mafia will laugh at you. If you use an RSA modulus smaller than 1536 bits, the NSA will laugh at you.

Above those points, you're safe, because even if memory were free the cost of the necessary FPUs would be too high.

Re:Speaking as a computing DPhil...

[The+Pim]

DJB is supposing that as the problem gets larger he is increasing the number of FPUs at the same rate as the amount of memory.

Ok, I read as much as I could of the paper now (was slashdotted). I understand the simple examples: The idea is that, if your memory grows as N, then you can grow your number of processors as N "for free". But a factor of N, or any polynomial, doesn't help you with problems of exponential complexity, right? (I assume the memory required grows polynomially in these algorithms. Am I wrong?) So there much be some other trick I didn't grasp.

Re:Speaking as a computing DPhil...

[cperciva]

I assume the memory required grows polynomially in these algorithms. Am I wrong?

Yes, you are wrong. The memory traditionally "necessary" grows with the same O( exp(c (ln n)^(1/3) (ln ln n)^(2/3)) ) rate as everything else (except with a different constant c).

Re:Speaking as a computing DPhil...

[The+Pim]

Thanks. Now that I get the basic idea, you're right that it's not so exceptional (though neat).

Re:Speaking as a computing DPhil...

[Alsee]

cost of the necessary FPUs would be too high.

To repeat myself:
"He's not talking about simply throwing more CPU's in your typical box."

As a matter of fact, I don't think it even uses an FPU at all. No floating point math.

I read the paper, and actually understood some of it. One of the things the custom hardware is doing is sorting data in linear time. X data items sorted in X clock tics.

You want to attack a key 10 times longer? Slap 10 more chips on the end and still sort in linear time.

I think some of the improvements he suggests can improve cracking speed on a generic single processor desktop box.

He is talking about algorithmic improvements. Changing the order O() of an algorithm can swamp out the effect of more or faster processors.

-

Re:Speaking as a computing DPhil...

[cperciva]

I have no idea how Mr. Computing DPhil arrived at the idea of putting vastly more memory than necessary into a single-processor computer: for example, using a million gigabytes of memory to sort a billion numbers. He is incorrect in claiming that such silly computers are the base for comparison in my paper.

I never suggested that you were comparing against a machine with excessive amounts of memory; I suggested that you were comparing against a single processor which addressed the same amount of memory as would normally be distributed among thousands. In the case of "using a million gigabytes of memory", that was in order to sort a million gigabytes of data; by splitting the petabyte of memory into a million pieces and attaching a cpu to each, one speeds up the sorting by a factor of a million.

Perhaps my argument could best be summarized as this: You're saving memory, but you're not saving MIPS. This technique of yours may make machines cheaper to build because you need less memory per processor, but you still need just as many processors (in fact, slightly more, the way you've described it).

You still need just as many floating-point operations, and the cost of those floating-point operations is enough to put anything beyond 1536 bits out of reach of the NSA for now.

Re:Speaking as a computing DPhil...

[cperciva]

Each processor can easily sort its own numbers, but how do you merge the 16 lists?

Using a parallel merge-exchange, perhaps?

Seriously, I've always avoided non-oblivious algorithms as much as possible; I'll admit that you can play games to reduce the communication and memory costs; but even without any memory or communication costs, you still have to pay for your FLOPs.

Re:Speaking as a computing DPhil...

[cperciva]

and time proportional to n^(1/3+o(1)) for signals to traverse the wires

Please. We can pipeline the bits; latency is not a critical issue here. I'll conceed that I hadn't considered the asymptotic cost of long wires, but I didn't claim to either. Using a million processors *does* increase the cost, but we still get a linear speedup.

The bottom line is that traditional computers [...] are not the right way to do extremely large factorizations.

And I never disputed that. Indeed, I'd say that, for a fixed (large) budget, custom silicon can probably perform factorizations 10^5 times faster than a system built out of commodity hardware.

But as long as the your FPUs constitute a fraction of the total price tag bounded away from zero, and you require the same number of FLOPs, you only get a constant factor improvement.

Get a grip, people!

[coyote-san]

I've seen a lot of comments about how this means that all SSL and PGP encryption is transparent, etc.

Please, get a grip.

Most "transient" connections still use 512 bit keys. If this effectively reduces the key size by 3, that's still 170 bits. That's far larger than the RSA key that took years to crack a few years back.

Technology improves, algorithms improve, and the TLAs can certainly afford to build cracking engines, but it will probably still take a substantial amount of time to crack a key. (Substantial = days.) Well worth the effort if you're looking at suspected terrorists or double agents inside of the FBI, but hardly worth it for anyone reading this comment.

What we *do* need to worry about is the effect on long-term keys. E.g., root CA keys often have 20-year lifetimes, something that now seems foolish with 1k bit keys.

Re:Get a grip, people!

[QuMa]

please learn the difference between symmetrical and asymmetrical encryption

The trick is to find the shortcut

[beej]

Any key can be cracked--you just have to search through all of them. Phew! Now, for 128 bits, that's a lots of numbers to search. For 2048 bits, it's more than you can possibly imagine.

So the trick is to find a shortcut or a flaw in the algorithm that allows you to get the data without searching all the keys.

In the case of RSA, the shortcut is factoring the product of two primes. It's way way easier to factor a 128-bit product than it is to search through a 128-bit keyspace. So RSA bumped the size of the product up and up and up until it was as impossibly hard to factor it as it was to search a 128-bit keyspace.

Other algorithms have other shortcuts, too. Remember when a weakness was found in the session key choosing algorithm for Netscape? The keyspace was reduced from 128 bits to 24 bits or something like that, and then a search could be made on it.

Anything you can do to avoid trying all the keys is the name of the game. Unless you're some kind of quantum computer freak. ;-)

Re:Really Unique Crypto

[2Bits]

Well, of course, if the picture is unique, this is the one-time-pad encryption. In order to decrypt, you have to use the same picture (i.e. the same key).

One-time-pad is so-far the most secure, but it is not very practical in daily use. And make sure you don't use the same key more than once, otherwise, it falls into the same weakness as other encryption.

Re:AES?

[Snafoo]

AES is secure, as is DES, as is almost any other symmetric cryptographic protocol. AES, for instance, is based on Galois Fields (and associated chicanery), whereas DES is based on drop-dead simple permutations that are so elegant and inexpensive that I find it difficult to resist *not* implementing them on an 8-bit PIC (although someone else has of course beaten me to the punch!). Neither one is reducible to anything like factoring.

Many public-key algorithms, and many public-key-based authentication protocols, however, *are* reducible to factoring, even if they don't appear to involve such darkness the first time you read them.AFAIK, for public key algs the deep magic is either factoring or the knapsack problem; however, almost all of the latter kind have been proven insecure. One notable exception of the latter variety is the Diffie-Hellman (sp?) algorithm, which is incidentally also the first public-key alg ever invented, and the underlying muscle behind the NSA's DSA signature scheme (although ElGamal did some strengthening work and got to rename the bugger ;). However, don't make the switch to DH just yet -- IIRC, the ciphertext is effectively doubled in length (over RSA). So you can either make a bigger RSA, or you can make a bigger message every time you encrypt -- either way, you email just got longer :)

Re:OT: Your sig

[TheGreenLantern]

No no, God is in the square root of the second time dimension. The proof is here.

I don't care about n-bit encryption

[weird+mehgny]

.deen uoy noitpyrcne eht all is sihT

dnetc

[AdTropis]

so when can i get a distributed.net client that makes use of this?

Re:OMFG

No, this is NOT a threefold increase in factoring speed. This is a threefold decrease in bit strength.

Suppose I have a 1024-bit key. The new algorithm makes it essentially take the same time to break as a 341-bit key using the old algorithm.

Since each bit makes it take twice as long, this means that the new algorithm is 2^683 times faster at cracking the code. This is a bit different than 3 times...

not less than a second...

[agilen]

Quantum computers, using Shor's algorithm, will be able to factor numbers in polynomial time, as opposed to the exponential time that a traditional computer takes. It may still take a quantum computer a week to factor a key, but it may take a traditional computer a hundred years to factor that same key.

But then again, quantum cryptography may be even closer than working quantum computers, which means secure private key cryptography, meaning you can factor all you want, you aren't gonna find anything unless you get that private key.

cr.yp.to mirror

[Xanni]

See also my Australian mirror at: http://www.glasswings.com.au/cr.yp.to/papers.html# nfscircuit Share and enjoy, *** Xanni ***

Re:NSA, et. al.

[dvdeug]

I suppose the TLA agengies don't really need strong crypto to invade on my privacy. They just need a court order.

It's interesting. The TLA agencies which most likely can crack large encryption (NSA, CIA) have no authority to get a court order - they have no authority within the US. Also, it seems unlikely they'd reveal that they have this advanced technology for a mere murder trial or the like - more important to keep it hidden from their foreign enemies.

will that really stop them from making me give up the goods if faced with jail when they come asking for my data?

The US can't force you to give up your encryption keys - it would be a violation of your 5th amendment rights to keep silent, or at least your 1st amendment rights. Unless it was evidence to be used to convict someone else, then they could subpoena it.

There are alternatives

[Glock27]

Are there open-source elliptic curve cryptosystems available? It is thought that these are more difficult to brute-force than crypto based on factors.

Well, to answer my own question, on Freshmeat there appear to be one or two.

Have fun!

299,792,458 m/s...not just a good idea, its the law!

Re:There are alternatives

[frankie]

elliptic curve cryptosystems available? It is thought that these are more difficult to brute-force

Well, I know an easy example, but you're going to be disappointed. WEP encryption uses elliptic curve cryptography. However, WEP's weakness is due to bad implementation rather than a general failure of elliptic theory.

Re:There are alternatives

[chongo]

Yes, there are alternatives. However I would not jump into Elliptic Curve (EC) crypto at this point.

Brute force EC does not require the memory size and bandwidth needed for things such as factoring in the Number Field Sieve (NFS). See:

Robert D. Silverman's paper

for more details. In short: Given two equivalently hard keys, one EC and one RSA, the EC key will require memory and less memory/CPU bandwidth and will be cracked for less cost using the state of the art methods we known today. NOTE: These art includes: THINKLE and NFS improvements including those discussed in the paper (on which this discussion thread hangs).

Worse for EC: It is an active field of research. Every so often somebody publishes yet another eliptic curve special class that can be cracked much faster than brute force. In some cases it is very hard to determine if a given EC belongs to a weak key class. While these are mostly theoritical, the smart cryptologist will view them as troubling for EC key securiy at best.

Re:There are alternatives

[chongo]

Sorry for the confusion! Allow me to clarify:

A common mistake that some people make is to assume that one only needs to count CPU cycles. The so-called "MIPS years" measurements.

Consider two keys that require the same number of CPU cycles to crack, one Elliptic Curve (EC) and one RSA. The EC key crack requires only a modest amount of memory, even for large EC keys. The RSA key (by factoring) requires a larger and larger working sets as the key size increases.

Consider the cracking a 256 bit EC key and the cracking of a 1620 bit RSA key by factoring:

Both efforts require about the same number of CPU operations.

The EC crack requires only a modest amount of memory (a handful of Megabytes) and can be performed in parallel over many machines with nil communication between them.

The RSA crack requires a working set of about 120 TBytes (120*1024 GBytes)! On a single machine, you will need ~2^47 bytes of ram in order to not to swap to death. Worse yet, you are evaluating a Matrix. You could try and split it over many machines but them the communication between them (as you perform row/col matrix ops) will kill you.

So when I said two equivalently hard keys I should had said: two keys that require the same number of CPU operations to crack.

Two keys can require the same number of CPU ops to crack. However, a 256 bit EC key needs only a modest amount of memory and can be cracked on many machines running in parallel. A 1620 bit RSA requires a HUGE 120 TByte matrix sitting in a single address space where swapping and/or inter-processor communication become a major problem.

Re:There are alternatives

[chongo]

So you are saying EC is vulnerable due to that it requires "only" 2^128 ops to crack and it can even be parallelized?

No, that is not what I am saying. EC is more vulerable than RSA for a given key size where the CPU ops to perform the best known cracking algorithm are the same.

CPU-op equivalent EC searches require only a modest amount of memory and can be run in parallel with nil communcation requirements. CPU-op equivalent RSA searches require large working sets with matrix operations that do not lend themselves to parallel operations once the initial sieve is performed.

Even if you deploy a TWINKLE device in an RSA key crack that reduces the initial loading of the matrix to nil, the working set size of the matrix, the swap and/or system communication requirements become non-trivial for an CPU-op equivalent RSA key.

Re:OMFG

[Hieronymus+Howard]

Even if the NSA has *really* big hardware, even 1024 bits is a serious challenge. About 5 years ago, it was estimated that with current hardware, 1024 bits could not be cracked before heat-death of the Sun occurs. Even with today's hardware and (perhaps) improved factoring algorithms, it's still a pretty big challenge. The NSA is only going to devote serious computing power to very, very few things (e.g. terrorism).

Unless they've already got quantum computers. IBM's best effort so far is cracking a 4 bit(!) number using quantum, but expect huge budgets to be devoted to quantum factorising now.

HH

Re:NSA, et. al.

[Strange+Ranger]

"(NSA, CIA) have no authority to get a court order

They no longer need it if you are suspected of any "terrorist activities". whatever that means.

"The US can't force you to give up your encryption keys "

See above and see Patriot Act and Homeland Security Act. They can force you if its for the good of the state, oops, I mean if its for the "security" of the state.

Yes, key exchange is asymmetric.

[brad.hill]

The symmetric key used by SSL (usually for the RC4 algorithm) is negotiated using an asymmetric public key cryposystem. (usually RSA) If that can be broken easily, the keys to the symmetric algorithm are right there.

The real reason a symmetric algorithm is used for the bulk of an SSL session is that it is much less computationally intensive than an asymmetric algorithm with a similar degree of security.

Note that these algorithms are independently pluggable, so a more secure or larger key size asymmetric algorithm could be used alongside the same old 128 bit RC4.

The big problem here is for systems using browser managed certificates for authentication would have to be upgraded and new certs issued. This is not the most common usage of SSL, but where it is in place the systems tend to be large and expensive.

Re:it's a cool method

[Mr+Z]

Or more correctly, the new algorithm operates in the cube-root of the time of the original. (I'm pretty sure factoring is still an exponential search problem. Would someone who knows this algo better than I comment?)

At any rate, it's not quite as impressive as if an exponential search had been made polynomial. Rather, the exponent in the exponential search's runtime has been divided by 3. (Still a very big deal.)

In terms of big-Oh, it went from O(x^N) to O(x^(N/3)).

--Joe

It was used to ...

[purduephotog]

... create random noise to be used in a 'one time key' / 'one pad key'. Totally unbreakable. Especially if the message is short.
I remember the post you are referencing. There are cameras that photograph a number of lava lamps. Thru a couple of data munging operations, out pops a length of completely random data.

This was posted on some crypto/compression list awhile back about compressing totally random data. The guy was able to do so by underspecification of the problem. It was slashdotted, I believe.

Anyways, the same thing can be applied to picking up atmospheric noise/wind. Anything that cant be predicted or known at any other location should work for random data, thus you could use to encrypt. It is a "One Time Key" - no way to recreate the data without the data.

Re:It was used to ...

[HeschelsGyrus]

The folks over at Random.org use atmospheric noise to generate true random integers. I use their numbers all the time, although not for anything as complicated as cryptography...

Re:It was used to ...

[mother_superius]

unless atmospheric noise has minute patterns, of course...

Re:Quamtum Computing

[SIGFPE]

That square root thing is only for the most naive type of search using Grover's algorithm. It doesn't apply to many other kinds of searches. For example integer factorisation is much faster that sqrt time using Shor's algorithm. It may be there's also a sub-sqrt time algorithm for AES if someone actually looks for it - and AFAIK nobody has.

Re:NSA, et. al.

[Tackhead]

> I find it funny and interesting that because the NSA and other TLA agengies are *so* tight lipped we assume their skills and abilities are far ahead of current "joe-sixpack" tech.

For the past 50 years, that's been the case.

> I suppose this very well could be the case, but it sure lends itself to great conspiracy theories.

For the past 50 years, that's also been the case ;-)

Most of us older /.ers grew up believing that the mods to the S-boxes in DES were probably backdoors. Turns out they were to secure the algorithm against differential cryptanalysis, which didn't get discovered outside of NSA until recently.

NSA is still reputed to be the largest employer of mathematicians on the planet. They're reputed to have more supercomputing power than any organization on the planet. Both allegations are reasonably well-substantiated.

> I suppose the TLA agencies don't really need strong crypto to invade on my privacy. They just need a court order.

Correct. NSA's got two missions - secure American computing and communications, and 0wn every one else's ;-)

Not only is it easier to get a court order to make you give up your keys (or to eavesdrop/keylog you while you enter them), it's a hell of a lot safer.

The funniest part of Cryptonomicon is where the Brits are busy sending bombers to "see" German shipping but not bomb it. (If they just bombed the Germans, the Germans would realize that their crypto had been broken.) One of the protagonist's jobs, as an information theorist, was to figure out just how often they could get away with "just bombing them" and how often they had to make it look like they "got lucky" with a chance overflight or other observation.

The hardest part of crypto isn't breaking your opponent's codes, nor is it securing your own secrets. It's securing the big secret, namely not acting in a way that proves you've broken your opponent's codes.

Knowing your enemy's "A" team plans to attack tomorrow at dawn is good, but if you take out the "A" team 5 minutes before dawn, you run the risk of losing your ability to monitor the "B" team.

Who cares

[wk633]

The TLAs will just install a wiretapper on your keyboard anyways.

Re:Ginger scale big?

[Thing+1]

don't tell me you haven't converted your judgments of magnitude to the ginger scale. everybody's doing it.

I was always partial to the maryann scale, myself.

Re:OMFG

[egomaniac]

No, it isn't. RTFA.

For very large keys, where the definition of "very large" is not yet known, this is a 3x decrease in the (for lack of a better term) 'effective key length'.

In other words, it might be possible to crack a 1536 bit key in the amount of time it currently takes to crack a 512 bit key.

Since the 1536 bit key is 1024 bits longer, that means that it *should* take 2^1024 (1.79e308) times as long to crack.

So, for that specific example, assuming that this works it's actually cracking the key 179 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion times faster.

Sounds like a few orders of magnitude to me.

Re:1.5 bits lost? - not quite

[oomcow]

No, someone has been spreading around an erroneous interpretation of the paper. From the abstract:

"This reduction of total cost from L^(2.852...+o(1)) to L^(1.976...+o(1) means that a ((3.009...+o(1))d)-digit factorization with the new machine has the same cost as a d-digit factorization with previous machines."

In plain terms: A factorization of a number that has 3 times as many digits will have the same cost as a the number did before.

Hope this clarifies why this is a breakthrough (that may be important).

Looking through the paper...

[SIGFPE]

...it's not clear this has any impact on crypto security today. There are lots of O(1)'s and nobody can be sure just how big they are for the real keys that are used today. Still, it can't do any harm to keep on your toes and make your keylength as long as your hardware will allow.

Re:AES?

[Archie+Steel]

That's true, but don't most AES/DES implementations depend on public-key encryption for key exchange? IIRC, the disadvantage of symmetric key schemes is that both parties need to have the same private key. While these can be easily exchanged using public-key encryption, that part might have suddenly become the weak link in the process...

NSA-sponsored Cray 4 development now makes sense.

[Thagg]

A friend of mine worked for Cray Computer Corporation until the untimely death of Seymour Cray. The last machine they were working on was a monster, that might make more sense in terms of today's developments.

In the early nineties, CCC was working on the Cray 3, a new gallium arsenide computer. It was to have a cycle time of about 1ns (shockingly fast back then.) It was cooled by a high-pressure very high-speed mist of Flourinert suspended in helium. It was built as a series of wedges much like the Cray 1 and 2, although somewhat smaller. They built working prototype wedges, and were debugging them, while looking over their collective shoulders at the ground being gained on them by arrays of microprocessors.

One thing led to another, and it was clear that the Cray 3 would never be a commercial success. They were then given a contract to build what was called the Cray 4. The Cray 4 was a one-off machine using PIM (processor in memory) chips. These were 1-bit computers, but there were 262,144 of them in the box. The idea was that the gallium arsenide chips, wiring, and cooling system that made up the Cray 3 were just the networking system for these PIM chips, which would do the actual work.

Anyway, Cray died, and then CCC quickly died, and I don't believe that the machine was ever finished.

thad

Mirror of paper on citeseer

[Andrew+Lockhart]

Well i couldn't get to the original site, but i see that NEC's citeseer has it.

Re:One word: Asymptotics.

[PureFiction]

True, perhaps I worded my reply too strongly.

But I am not content with possibilities and maybes. He has shown an effective way to greatly increase the capability of simple hardware to attack large integer factorization. This alone is enough to make me nervous. Do you really want to bet your security on possibilities?

I already use a 4096bit ElGamal key. I would suggest others do the same.

And regarding the rather tame developments in the crypto field (this is becoming old, well explored territory, not much new happens these days) I still think this is signifigant.

Re:it's a cool method

[gweihir]

In terms of big-Oh, it went from O(x^N) to O(x^(N/3)).

Exactly. That means we have to make N three times as large as we thought we had to. This is not a catastrophe, except in high-security applications. But these should use something like "make absolute sure its enough bits and then quadruple the number" anyway...

Re:Over-estimate

[afidel]

What about the S-box modifications to RSA that the NSA did that strengthened it from differential cryptoanalysis. That was 20 years before the public sector re-invented differential cryptoanalysis.

Re:512 bit keys obsolete

[carleton]

Wrong... in 1999, a group in Australia factored the RSA-140 challenge (140 decimal digits). This effort took roughly 3 months of calendar time using roughtly 300 computers (300MHz PC's and slower megahertz wise suns/sgi) for the seiving portion (parallizable) and then 1 cray (don't know specs) for the final step (which took less that 1 month). The RSA-155 challenge (512 bits) is estimated to only be 7.2 times harder CPU wise (versus the 1024 bit one, which is estimated at 40 million times harder). If I understand how this enhancement works, the algorithm is still not polynomial, but it should cut down the growth from 140 digits to 155 digits.

DSA ?

[morcego]

Any impact on DSA, as used by ssh and GnuPG ?

Re:AES?

[inri]

Diffie-Helman is not based on the knapsack problem (which is roughly: given a bunch of sack of various sizes (say, all of size 100) and a bunch of objects, what's the most efficient way of packing the objects into the (least number of) sacks?); DH is based on the discrete logarithm.

Note: people are interested in the knapsack problem because it is NP-complete to solve in general; the problem is that many (many!) specific cases are very easy to crack, and it's hard to tell a priori if you are generating such an example (a similar thing occurs in factor, in that there are some numbers that are much easier to factor than they may appear).

The discrete logarithm is as follow: recall that computing the logarithm (base b=10, say) of a number n is determining a number a such that 10^a=n. If you're working over the real numbers, this is easy to solve, and any calculator can do it quickly. On the other hand, suppose you are working in the integers modulo a prime p (imagine you're on a clock with p hours); then it's still possible to raise an integer b to a power a, getting a number n, and this is very quick. Say, given p=7 and b=5, and a=4, we get that 5^4 = 25*25 = 4*4 = 2 (modulo 7), so the discrete log base 5 mod 7 of 2 is 4. This is what Diffie-Helman relies on. Note that there are variants that work in different groups than this (a group is a mathematical object where you can add and subtract, roughly), particularly with elliptic curves, and these last are much touted as being possibly more secure than RSA or DH.

Re:512 bit keys obsolete

[fava]

If the only way to factor a number was trial division then you would be correct. However the modern algorythms for factoring are much better than that, perhaps you are confusing symetric cryptography such as DES or AES with RSA.

I am unable to find a table online but in 83 a cray factored a 71 digit number in 0.1 Mips-year (1 million instructions per second for 1 year) Since the numbers are talking about are much smaller (50 digits vs 71 digits) and cpu's are much faster (> 1 billion ips) it would not be unresonable that a 50 digit prime could be factored in a few hours on a machine with suffecient memory.

Re:OMFG

[FreeUser]

This is about a threefold increase in factoring speed.. not an order of magnitude.

No. This is wrong. Read the paper.

For large keys, this method reduces the difficulty of factoring keys by a factor of ~3.009, i.e. the diffuclty of factoring a 90,000 byte key is now comparable to factoring a 30,0000 byte key using traditional methods.

It is unknown if this applies to smaller keys currently in widespread use, i.e. if your 2048 key will now have a factorization cost equivelent to that of a 683 byte key using traditional methods. That is what they guy wants funding for ... to find out.

So yes, this makes cracking keys orders of magnitude easier and faster.

You never know...

[Anonymous+Brave+Guy]

Reminds me of a certain movie...

Heh. Not so long ago, there was a thread around here about Swordfish. Some smart alec came along and claimed that it was not realistic at all, just the usual Hollywood-overdone glamour, because it featured the best (still alive) hacker in the world cracking a 128-bit encryption system in about one minute...

The scary thing about the whole cryptography field is that the maths behind most cryptographic algorithms is really very simple (in "professional mathematician" terms, at least). You can obviously never know when a new technique is going to be uncovered within mathematical research that will undo years of "secure" communications in a heartbeat.

Hey, there are guys alive who can do incredible arithmetic feats in their head. Many of them can't explain how they do it, they just see things differently to the rest of us. What happens if someone comes along who can "just see" a large number as the product of a couple of prime factors...?

Re:You never know...

[KodaK]

What happens if someone comes along who can "just see" a large number as the product of a couple of prime factors...?

He gets a high paying job with the NSA.

Or a nice dark cell.

Straight from the NSA web site (nsa.gov)

[alcohollins]

Seems you are right about the NSA employing more mathematicians than anyone else in the world. They believe this too. From a page on their web site:

NSA employs the country's premier codemakers and codebreakers. It is said to be the largest employer of mathematicians in the United States and perhaps the world. Its mathematicians contribute directly to the two missions of the Agency: designing cipher systems that will protect the integrity of U.S. information systems and searching for weaknesses in adversaries' systems and codes.

A big part of a security solution is knowing WHO.

[Fencepost]

Knowing who you're trying to keep secrets from is a big part of deciding how (and whether) to secure any data.

The needed approaches are radically different depending on whether you're trying to keep secrets from highly-skilled groups with plenty of resources (e.g. government agencies investigating you in particular), skilled groups with some resources (corporate espionage, small countries), snoopy ISPs (e.g. Comcast), skilled interested parties (IS groups), the casually curious (repair techs), and the unskilled (your grandmother). At the top end, you have to do all sorts of things that make using computers much more of a pain in the ass to keep them from adding keyboard sniffers, monitoring emissions, etc. At the low end, you have to learn how to hide files (using a .prefix or "hidden" flag, who cares) to keep your grandmother from being shocked by all that hot monkey lovin' in your porn archive. In between there are tradeoffs - how important is the information (do you need to keep it at all?), how important is it that it not be seen by others, how much inconvenience are you willing to go to to ensure that nobody else sees it?

Keep in mind that encryption isn't security. Encryption isn't even close to security. Encryption is a tool.

Alternatives such as EC may be vulerable as well

[chongo]

Some have suggested that people should move away from RSA crypto and start using Elliptic Curve (EC) crypto. In fact the paper, if appicable to "useful" key sizes, suggest that the opposite is true.

The methods described in the paper can be used to improve the cost of cracking EC discrete logs as well. The author, in a recent Usenet posting, points out that the paper's methods are likely to reduce the cost/effort of EC key cracking as well ... perhaps even more than RSA key factoring.

The paper, combined with other other EC strength concerns suggests that EC is not the technology to turn to at the moment.

In other words, if this paper has you concerned about the security of RSA keys by factoring, then you should be even more concerned about the safety of Elliptic Curves as well.

But as others, including the author, have stated (in large friendly letters): DONT PANIC! It is not known if the ideas expressed in the paper are applicable to key sizes that are in common use.

Re:+4??!? LEARN CRYPTO BASICS BEFORE MODDING

[Alsee]

Factoring 170-bit numbers is childs play. Anyone can do it.

::Alsee whips out pencil and paper and starts scribbling furiously::

-

Re:Really Unique Crypto

[Jon+Chatow]

Umm, yes. Actually, there was a great big huge flaw in this - the lamps had harmonics at 60Hx (well, duh), and apparently the random genereation was based on the change in the picture at a particular point and another a time after it... Oh well, never mind, back to the this-mainframe-has-a-cosmic-ray-detector ideas...

Well duh

[CodeMonky]

According to dictionary.com Link Thus the entire security of RSA depends on the difficulty of factoring; an easy method for factoring large prime numbers would break RSA. So it looks like we've been going about it all wrong. We should be concentrating on factoring large prime numbers. :)

Re:Alternatives such as EC may be vulerable as wel

[chongo]

To clarify and avoid confusion:

The paper suggests a way to improve some of the steps required (such as some of the linear algebra work) to factor using the Number Field Sieve (NFS) for large keys.

The paper does NOT give a method to improve the speed of cracking EC keys.

Special purpose hardware could reduce the cost of cracking an RSA key. However: The same could be said of cracking an EC key. Using different special purpose hardware and different performance tuning, one should be able speed up cracking of EC keys as well.

So ... If the existence of ideas to improve the speed of cracking sufficiently large RSA keys scares you and you worry about that might come next, then you should be even more worried about EC.

Why? Not because of the exact idea outlined in the paper. The paper does not apply to EC. Because EC is subject to special purpose hardware improvements: perhaps even more than RSA.

... and because while two keys, one EC one RSA may require the same number of CPU cycles to crack, the key crack requires only a modest amount of memory, even for large EC keys. The RSA key (by factoring) requires a larger and larger working sets as the key size increases.

It's an interesting idea, but...

Looked at another way, he hasn't changed anything.

He's observed that current factoring algorithms use asymptotically more memory than CPU. For a sufficiently big problem, all of the cost of the machine goes into buying memory, which spends most of its life waiting for the CPU to get around to it.

It's the same idea that motivated the Connection Machine.

He's observing that if you use the right (low-memory) algorithms, you can trade off memory for CPU and get something for which the total cost, memory+CPU, grows more slowly with problem size.

But it's not clear that's we've reached the CPU bottleneck yet. RAM is really cheap these days, so it's quite possibly premature to worry about the growth rate of that term.

Remember, the paper is part of a grant application. "I have this neat idea, and I'd like to study how practical it is."

More concretely, if all his ideas pan out, he can factor a 3*n+k-bit number for the same cost*time that GNFS can factor an n+k-bit number. What's k? Nobody knows! That's what he wants to study. If it's 1024, there are no immediate security issues. If it's 128, we need to deal with it.

(The claim in the abstract, (3.009...+o(1))*n, is more accurate, but the casual reader might not notice that o(1) can be significant and negative for currently interesting problem sizes.)

So while it deserves careful attention, let me add, in large, friendly letters: Don't Panic .

Re:NSA, et. al.

[Jon+Chatow]

Indeed - the RIPA (Regulation of Investigatory Powers Act) of 2000 has sections under which one can be imprisoned on failing to 'hand over' keys to the authorities on request; the burden of proof of lack of ability to hand over said keys lies with the defendent; to quote:

53
(1) A person to whom a section 49 notice has been given is guilty of an offence if he knowingly fails, in accordance with the notice, to make the disclosure required by virtue of the giving of the notice.
(2) In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.[emphasis mine]

The act also makes it an offence to give notice that one has been given notice to divulge a key.

However, it should be noted that although this act came in to force in 2000, the code of conduct has yet to be released by the HO (presumably because they're having difficulty working out when to release it so as to best avoid a fuss in the media; maybe they should consider hiring Jo Moore), so no-one will have been prosecuted under this act yet (assumedly).

Oh, BTW, IANAL and all that #include stddsclmr etc...

Wrong cryptosystems

[himi]

128 bit keys almost always refers to a /symmetric/ algorithm - this is things like AES, Twofish, IDEA, etc. And for good symmetric ciphers, 128 bits of key is fairly secure - to brute force, you have to try out all 2^128 possible keys, which is a very hard problem (assuming, of course, that there aren't other problems with the cipher).

This article is referring to /assymetric/ ciphers - public key cryptosystems, and in particular RSA. RSA keys are made up of two large primes multiplied together (IIRC - it's been a while since I read this part of Applied Cryptography): finding the two primes breaks the key, and so its security is based on the difficulty of factoring really large numbers into prime constituents.

The research referred to here is a way to speed up the factoring of large numbers, apparently by a factor of about 3 - it doesn't break the algorithm, it just speeds up a brute force attack. If it took 3000 years to break a 2048 bit RSA key before, now it'd take 1000 years. Barring more such discoveries . . .

Don't panic is a very good response to this - it's a serioius discovery, and it changes the risk factors involved with using RSA crypto, but it doesn't throw everything out the window.

Finally, I'd really suggest reading at least the interesting bits of Applied Cryptography, by Bruce Schneier. It explains a lot of this stuff, and gives you a good framework within which to put this kind of thing.

himi

Dan and the government

[rcw-work]

Dan Bernstein is fairly used to the government looking upon his work as illegal.

I don't think it'll be an issue.

This does /not/ break RSA.

[himi]

All it does is speed up a brute force attack.

If it /did/ break RSA completely - ie, by indicating that factoring is in fact a P problem rather than NP complete - then it would have made infinitely more of a splash than it did. That kind of breakthrough is Nobel Prize type stuff.

himi

Re:This does /not/ break RSA.

[Miniluv]

No, it's not Nobel Prize type stuff. Alfred Nobel hated mathematics, which is why there still isn't a Nobel Prize in math and prime factorization isn't a physics or economics problem which is where the math geeks usually get their prizes from.

Re:This does /not/ break RSA.

[bakes]

Solving factoring wins a Nobel Prize? Is that why it's called NP-complete?

Inaccurate summary of the research . . .

[himi]

It doesn't speed up the factoring by a factor of three, it increases the keylength it can break by a factor of three . . . In other words, this version of the NFS algorithm runs in the cube root time of previous versions.

This is more significant than a simple three times speedup, but it still doesn't change the fact that it /doesn't/ break RSA, it merely speeds up the attack.

himi

I love sharing scuttlebutt

[DaveWood]

I'm happy to rumormonger with you all for a little while...

I hear things from various people that I shouldn't hear, not often, but occasionally. These are people who are rather credible - not totally, but rather. I feel pretty confident in this particular "rumor," because I've heard basically the same set of facts from three different people with three different kinds of intelligence community experience.

What I hear is that your assertion is true. The NSA has had the ability to break RSA cyphertext "for some time." Even extremely large key sizes are said to be vulnerable, and they can do it "reasonably quickly."

This, of course, flies in the face of all accepted non-defense conventional wisdom in the field - at least until today - but, as I said, three sources. So I believe it.

This may be the result of harrowing secret advances in factoring techniques, or it may simply be brute force. This is an agency that has historically measured its computing power in acreage.

So, "reasonably quickly." The other part of this "rumor" is that reasonable is not reasonable enough to do RSA decryption on a large scale, and hence, while they can break open a particular piece of data, they haven't necessarily integrated RSA see-thru into their global signals intelligence regimine. That, for the uneducated/head-in-the-sand types, is Echelon - and yes, the NSA does listen to, and data-mine, almost all of the world's information traffic.

Final piece of this particular story: the NSA is apparently fastiduous about not sharing this technology, even with other federal agencies. Kevin Mitnick's infamous laptop, rife with PGP-encrypted documents, was impenetrable to the FBI, and despite numerous, desperate appeals for help, the NSA refused to assist them in decrypting the data. That suggests the NSA is abiding by their charter, which basically forbids them from becoming involved in domestic law enforcement (i.e. they're not supposed to spy on Americans) - a necessity if you consider consitutional guarantees about "search and siezure" applicable (by no means a universally held view, unfortunately).

Something similar at the recent RSA conference???

[Robber+Baron]

Wasn't somebody doing something similar at the recent RSA conference...Blasting through multiple rounds of DES and factoring RSA keys on smart cards with some magic boxes?

PGP with really big RSA keys

[Bob_Robertson]

I recompiled PGP back in 1994, after looking through the source code and finding a variable called (I kid you not) "MAX_KEY_LENGTH=1024".

I changed it to 8080 or some such strange number, and it ran just fine.

On a 386-33 it was *slow* to generate the keys, and of course no one was compatable, but it was trivially easy to do.

I wonder why the keysize limits on GPG still demand only 2048 or smaller. Why bother?

Bob-

Questions for Those that Understand

[Phil+Gregory]

I'm a person who has quite an interest in crypto and often a good understanding of the base concepts behind crypto systems, but I don't understand much of the math that goes into proofs like this. Thus, I'd like to put some questions out to those who are more experienced than I am.

First, does this work? Have people independently verified that DJB is correct? (I went looking for some peer review via Google and didn't turn up anything that looked conclusive.)

Secondly, what's vulnerable? As I understand it, what DJB has discovered is a more efficient method of factoring numbers (on custom hardware) such that keys three times longer can be factored in roughly the same time. RSA is based on the product of two relatively prime numbers, so it's vulnerable. Aren't most public key systems based on this principle, though? How vulnerable is, for example, DSA to this new factoring technique?

--Phil (This article went up yesterday; hope someone's still around to read my post...)

Re:Something similar at the recent RSA conference?

[Thagg]

No, what was being done at the RSA conference was completely different, wonderfully practical, and available today. It's a way of cracking RSA and DES implementations in smart cards using Differential Power Analysis and Differential Fault Analysis.

There was a company at the conference that was cracking these codes by very carefully watching the power levels on the input traces to the chip. By careful analysis, you can see exactly what is happening, what numbers are being sent to the various S-Boxes in DES for instance. From this, you can determine the DES keys. They said that single DES took a couple of minutes, triple-DES only three times as long. They claimed to be able to crack RSA as well.

Differential Fault Analysis involves giving the wrong voltages to the chip, and seeing how, and when, it fails. Again, this provides clues to what numbers are being processed within the chip.

Neither of these flaws point to problems with the algorithm, but to problems with its implementation. In fact, creating inexpensive physical hardware to do secure cryptography may be impossible.

What was remarkable at the RSA conference is that most of the other booths at the trade show were selling these same smart cards, in abject denial of their flaws.

thad

Re: Number of PIM... modules?

[Raetsel]

262,144 didn't make a lot of sense to me, so I figured it as a power of 2 -- 2^18th. Odd. It also counts for 512^2, or 4 banks of 2^16th. Only somewhat more logical... but it still doesn't make much sense to me.

The choice of number seems... unusual. Is there some special signifigance or particular reason for that number? Any ideas on how this particular approach would be applied? (Am I missing something, or was it just that point where the economy of scale was most favorable?)

It wouldn't /win/ a Nobel Prize . . .

[himi]

But it'd be a discovery at the same kind of level that /would/ win one in a field where a Nobel was offered. Which is what I meant - "Nobel Prize type stuff" doesn't mean it'd win a Nobel Prize, just that it's roughly equivalent.

himi

My boss said rot-13 might be crackable!

[Skapare]

My boss said he heard that rot-13 might be crackable! So I told him to switch to triple-rot13.

Re:SSH Implications????

[Skapare]

Depends. Are you already using an 8k bit key?