RSA-576 Factored

An anonymous reader writes "I thought Slashdot would have picked this up several days ago, but apparently not. Although you still won't see any mention of it on the RSA challenge site, Mathworld is carrying the news that a team at the German Bundesamt fur Sicherheit in der Informationstechnik submitted a factorization of RSA-576 on December 3. RSA-576 is the smallest challenge number that RSA Security offers a cash prize for, to the tune of $10,000"

Is 576bit big?

[The+Real+Chrisjc]

Wow, I havn't really read in to it, but is that very big? I mean, they were talking about not too long ago that 128bit encryption is "almost impossiable" to break. If this is 576bit encryption, and they've broken it, doesn't this mean that 1024bit is looking slightly weak? Whats the 'difficulty' of breaking this key on a relative scale?

Chris

Re:Is 576bit big?

[cgranade]

It should go up exponentially, so that 1024 is much more than twice as hard. However, with Beowulf clusters and the new primability test, this is being offset quickly.

Re:Is 576bit big?

[Ageless]

When people talk about 128 bit encryption being hard to break they are talking about symmetric algorithms such as Blowfish. A 128 bit symmetric algorithm is still very, very tough to crack a key for.

This particular challenge is for the RSA algorithm which is an asymmetric algorithm. They require much longer keys to be secure. Right now most people recommend at least a 2048 bit key for RSA and plenty of people are using 4096 bit keys.

Comparativly, it should be a long, long time before anyone is worried about their current keys. Back in the day when PGP came out, it was fairly common for people to use a 512 bit key with RSA, but most used 1024. Those people could be concerned at this point that their old messages could be cracked.

Re:Is 576bit big?

You can't compare the key sizes of symmetric key algorithms (like DES or AES or Blowfish) with the key sizes of public key algorithms (like RSA or ElGamal). 128 bits for symmetric key algorithms is still practically impossible to break but 128 bits for RSA is now pretty easy to break. The difficulty of breaking these algorithms is thought to be exponential so adding an extra bit doubles the amount of time it takes to break the algorithm -- if this is true, then 1024 bits should still be safe (it will take 2^448 times longer than 576 bits assuming the same hardware and software).

Re:Is 576bit big?

[FU_Fish]

You may be comparing two different types of encryption. For block algorithms such as DES and AES, 128 bit is still fairly reasonable, however not for RSA (and other public key algorithms). Currently, 1024 bit RSA is considered reasonably secure and 576 is, as we can clearly see, quite insecure. I won't go into the details of why different algorithms need such drastically different key sizes here, but if you'd like to know more, the Crypto-FAQ is a good place to start.

Re:Is 576bit big?

[Ageless]

RSA has been the defacto standard for public key exchange since it came around. PGP was based on it, and if I remember correctly that's all it supported for a long time. RSA is still a very strong algorithm and has a few benefits over ElGamal. The main reason that people wanted to switch from RSA to something else was that until September of 2000 RSA was covered under a patent and required royalties to use.

Re:Is 576bit big?

[Just+Some+Guy]

However, with Beowulf clusters and the new primability test, this is being offset quickly.

No, the biggest Beowulf won't put a dent in the bit length. Consider a 1024-bit prime being tested by a gigantic 65536- (2^16) node cluster. You've now reduced the problem so that each machine has a mere 1008-bit (1024-16) search space. Put another way, parallelization is relatively useless against exponential algorithms.

Hmmm. Complexity vs. Cash

[silentbozo]

Does anyone know the relative computational difficulty of cracking RC5-72 vs. trying to factor one of the RSA numbers? Given the higher monetary payoff, I'm wondering if I wouldn't be better off implementing and running a prime factor sieve, rather than running the RC5 client (which only runs on my W2k workstation, because the distributed folks never rewrote the older cores that run on my pre-OSX Macs.)

Re:Mersenne Primes

[millette]

the 40th Mersenne prime has been discovered 2-3 weeks ago and just proven to be correct. See http://www.mersenne.org/history.htm for more info.

Re:Hmmm. Complexity vs. Cash

[Ninja+Programmer]

Factoring composite is probably somewhat easier in the sense that it doesn't require more hardware/brute force computational power, however, its probably harder in the sense that you need to be very famillar with the very latest in factoring algorithms and essentially be skilled and willing enough to implement the very leading edge known algorithms.

In other words, factoring RC5-72 requires Moore's law, plus a massively growing audience of people willing to participate. But even with the most optimistic projections, RC5-72 will not fall for decades. Factoring something like RSA-574 requires that you be up on the latest in computational mathematics as it relates to number theory. If you think you can bone up on the latest in factoring techniques in less than 10 years, then you probably have a better shot at the RSA prizes.

Germany?

[gr8_phk]

I'm not suprised that someone has done it. Even the RSA site suggested 576 would fall soon. What I do find interesting is that it took 4 days for word to get out, and that the factorization was done in Germany. More interesting would be knowing what algorithm was used - is it new, or just further refinement of GNFS or MPQS with faster hardware?

Re:Germany?

[akruppa]

Specifically, they very likely used the NFS lattice siever written by Prof. Jens Franke, Thorsten Kleinjung and Friedrich Bahr. It's the fastest siever I know of, partially thanks to decend assembler optimization for different cpu types. Oh, and it's distributed under the GPL! The latest version is not on the net as far as I am aware, but an older version, and MPQS code, can be found at ftp://ftp.math.uni-bonn.de/people/franke/mpqs4linu x

And Franke has worked with the BSI before, the RSA-160 announcement here
mentiones that the sieving was done at the BSI, while for RSA-576 apparantly only parts of the post-processing were (perhaps the linear algebra?)

Alex

Re:Easily Multiplied Numbers !!??

[Ageless]

I'm sure Slashcode will eat this Java source for lunch, but here we go.

import java.math.*;

public class Calculator
{
public static void main(String[] args)
{
BigInteger x = new

BigInteger("398075086424064937397125500550386491 19 9064362342526708406385189575946388957261768583317" );
BigInteger y = new

BigInteger("472772146107435302536223071973048224 63 2914695302097116459852171130520711256363590397527" );
BigInteger z = x.multiply(y);
System.out.println(z.toString());
}
}

[c:\temp]\j2sdk1.4.2_01\bin\javac Calculator.java

[c:\temp]java Calculator
18819881292060796383869723946165043980 716356337941 73827007633564229888597152346654853190606065047430 45317388011303396716199692321205734031879550656996 221305168759307650257059

Latest Cryptography Breakthrough

Here is the latest cipher with perfect secrecy, with an added assumption on the memory limits of the adversary.

Shamir's TWINKLE and TWIRL machines

[billstewart]

Beowulf clusters aren't any threat to 1024-bit RSA - you're not going to put enough machines in a room to do the job, nor are you likely to put enough on the continent. On the other hand, for smart cards and cash machines and "export-approved" software with 512-bit keys in them, they're starting to really kick ass.

The real threat is Shamir's TWIRL and TWINKLE optical factorization-assistance gadgets. They aren't necessarily a threat to 1024-bit keys, but they're a definite threat to 768-bit keys, and it's time to start thinking seriously about threat models before embedding 1024-bit limitations in hardware. That's probably big enough that only national governments are likely to be funding, rather than bank robbers and other Mafiosi.

Re:Shamir's TWINKLE and TWIRL machines

[tomstdenis]

Actually you'd be surprised. RSA-1024 will require [at least] 2^43 bits of ram and roughly 2^87 time to complete. There is enough room in my bedroom to put such a computer.

The problem is the 2^87 time [oh and the insane heat it would make...!] [for those out of a clue 2^43 bits is 1TB of memory]

Tom

Global Warming

Factoring RSA-2048 might considerably contribute to global warming due to computer activity. Got anybody an idea how big the temperature rise will be assuming the efficiency given by the RSA-576 challenge?

I still remember homework about a driver being stopped because he ignored a red traffic light. He claimed the light was green because of Doppler shift caused by high speed of the car. The amount of fuel required to reach this speed was by far higher than the total consumption by mankind.

Re:Symmetric vs. public-key cyphers...

[randombit]

There are no known ways to break currently acceptable symmetric cyphers (such as 3-DES and AES) faster than brute force

Just a quibble: you can actually break both 3DES and AES faster than brute force. In the cast of 3DES, there is a time/memory tradeoff, and AES has some key schedule weaknesses (though in the case of AES, you need to collect nearly the entire codebook before you can proceed with the attack (at least the one I'm thinking of)). Basically, you're right in practice, just not in theory; none of the (publicly known) attacks on 3DES or AES are remotely close to being practical in any sense of the word.

In any case, as the hardware makes it easier for the attackers, it makes it practical to go with longer encryption keys, so faster hardware is neither a help nor hindrance to attackers.

Actually, the win is probably for the defenders. Double the length of an RSA key, the encryptor has to do 3-4 times as much work, but the person trying to factor it faces an increase that is much, much larger.