Slashdot Mirror
RSA-576 Factored
An anonymous reader writes "I thought Slashdot would have picked this up
several days ago, but apparently not. Although
you still won't see any mention of it on the
RSA challenge site, Mathworld is carrying the news that a team at the German Bundesamt fur Sicherheit in der Informationstechnik submitted a factorization of
RSA-576 on December 3. RSA-576 is the smallest challenge number that RSA Security offers a cash prize for, to the tune of $10,000"
I think that composite numbers everywhere will sleep just a little bit less securely tonight, knowing that the Bundesamt fur Sicherheit in der Informationstechnik is out there, somewhere, waiting for them.
Yup.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
I don't know... maybe...
u sib;r jbiq (shifted all the keys to the left.)
Seriously, though, all of these ciphers can be broken. It's just a task of minimizing the value to the cracker by making it take as long as possible to get the data, under the thought that it just won't be worth the time.
#define DRM chmod 000
Look! I did it too!
1 2 3 4 6 8 9 12 16 18 24 32 36 48 64 72 96 144 192 288 576
Does anyone know the relative computational difficulty of cracking RC5-72 vs. trying to factor one of the RSA numbers? Given the higher monetary payoff, I'm wondering if I wouldn't be better off implementing and running a prime factor sieve, rather than running the RC5 client (which only runs on my W2k workstation, because the distributed folks never rewrote the older cores that run on my pre-OSX Macs.)
It should go up exponentially, so that 1024 is much more than twice as hard. However, with Beowulf clusters and the new primability test, this is being offset quickly.
#define DRM chmod 000
Not sure if this is a troll, but I may as well offer a simple explanation.
The RSA public-key cryptosystem takes advantage of the theory that factoring composite numbers is a computationally difficult problem. I'm not going to get into specifics, but the depth of the problem is in that the composite number acts more or less as a public key, and encoded within that composite number (as one of the factors) is the private key.
Being able to factor an RSA number is big news because it says that an RSA encoded message with a number of that size (576) can be defeated. Whether or not this is economical to defeat (i.e. time and resources put into the factoring effort) is really the key to this exercise, but one can now assume that a properly funded entity (most likely government) has the ability to defeat RSA-576.
Hope this helps.
Well, there is no uncrackable code. The idea is to make it as hard as possible. For each message transmitted using one of those keys, a potential codebreaker would have to dedicate however much time this team of professional scientists on powerful computers would take.
As technology gets better, the level of encryption gets better with it. It's a constant battle. Of course, you're not going to want to make RSA your sole method of encryption and post the key all over the web if you're working on ridiculously top-secret government projects, but then again, you wouldn't want to rely solely on any type of encryption and you wouldn't be transmitting it openly over the Internet.
I think I speak for 99% of the population when I say...
"Oh."
GL
the 40th Mersenne prime has been discovered 2-3 weeks ago and just proven to be correct. See http://www.mersenne.org/history.htm for more info.
Well i_am_syco, articles are there for reading. They can even increase your knowledge, and one day you may even learn how to spell psycho properly.
"She's a West Texas girl, just like me" - G.W Bush Iraqis
I think I speak for 99% of the population when I say... "Oh."
...
I think I speak for the other 1% when I say
"Um."
-kgj
-kgj
When people talk about 128 bit encryption being hard to break they are talking about symmetric algorithms such as Blowfish. A 128 bit symmetric algorithm is still very, very tough to crack a key for.
This particular challenge is for the RSA algorithm which is an asymmetric algorithm. They require much longer keys to be secure. Right now most people recommend at least a 2048 bit key for RSA and plenty of people are using 4096 bit keys.
Comparativly, it should be a long, long time before anyone is worried about their current keys. Back in the day when PGP came out, it was fairly common for people to use a 512 bit key with RSA, but most used 1024. Those people could be concerned at this point that their old messages could be cracked.
Well, the computational complexity of the General Number Field Sieve is:
O(exp(c*log(n)^(1/3)*log(log(n))^(2/3)))
where the value of c is reflected by the specific flavor of the NFS you're using, but in each case c>1
I don't know the complexity of RC5, but I can imagine it's not exponential like the NFS.
My PGP key is still 1024 bits, and I don't break a sweat.
Stephan
Assymmetric encryption algorithms, like RSA, rely on a hard problem with two parts needed to reconstruct the solution. In the case of RSA, those two parts are a large composite number with precisely two prime factors, and one of the prime factors (without one of the prime factors, finding out the other prime factor is deucedly difficult). Basically to "crack" RSA you have to factor the large composite number into its two prime factors. With RSA, the keysize refers to the size, in bits, of the composite and prime numbers you're working with. The thing is that you don't have to search an entire 512-bit keyspace to crack a 512-bit RSA key, you just have to try every reasonably possible _prime_ number that might be a factor of that 512-bit composite. And actually, you don't even really have to do that, since there are substantially better techniques for factoring numbers than brute force, requiring less computational effort.
So that, my friend, is why comparing "128-bit" encryption to "512-bit" or "1024-bit" RSA or other assymmetric encryption techniques (which are similar but rely on numerical problems other than factoring large numbers) isn't terribly meaningful.
How could they *factor* ME without *my* own knowledge?! Somebody call the doctor... -RSA-576
In order to win the prize, you must submit your result to RSA, they don't actively seek out winners. That's why RSA's page hasn't been updated.
They can submit their answer here.
it's so you can read the screen when you look at it over your shoulder with a mirror.
I'm not suprised that someone has done it. Even the RSA site suggested 576 would fall soon. What I do find interesting is that it took 4 days for word to get out, and that the factorization was done in Germany. More interesting would be knowing what algorithm was used - is it new, or just further refinement of GNFS or MPQS with faster hardware?
Or my personal favorite....
Double ROT13.
Which incidently, is hereby covered under the DMCA, if you manage to decipher it will be fully procecutable under the fullest extent of the law.
Woop! Woop! Woop! Bush-ism alert! Bush-ism alert!
Perhaps you meant primality?
I know god exists. I read it on the internet, so it must be true.
They're busy multiplying the two 87-digit factors by hand, just to be sure.
Crap, there go my plans to factor it myself.
Ron Paul 2012
When 128-bit cyphers are described as "secure", they're almost certainly talking about symmetriccyphers - that is, the key you use to encrypt the message is the same as the key you use to decrypt the message. There are no known ways to break currently acceptable symmetric cyphers (such as 3-DES and AES) faster than brute force - that is, trying each key one at a time. If you have a 128-bit key, this will on average take (2^128 / 2 = 2^127 ~= 10^38) tries before you get the key. This will take billions of years to do, even using a massively parallel computer.
The other sort of encryption, the sort we are talking about here, is public-key encryption, where you use two different keys to scramable and descramble the message. The advantage of this method is you can create a key pair, and give one key to everyone who wants to send you a message (the public key), and while they can send you message securely, it is very difficult for them to figure out your private key (and thhus read messages other people have sent you).
The bad news with public-key encryption is that the algorithms are considerably weaker than with secret-key cyphers. You can mount considerably quicker attacks than just brute-forcing the keyspace. Therefore, you need longer keys for equivalent levels of security. With RSA, the most common method, figuring out your private key from your public key is done by trying to figure out the factor of a very, very large number that is the product of two very large prime numbers. This is still very difficult to do, but it is a simpler problem than brute-forcing an entire keyspace. These Germans have just demonstrated the ability to factor a larger such number than anyone else has done before.
Whilst this is interesting, from what (little) I understand of cryptography it's still a very long way from here to cracking 1024 bit RSA keys. In any case, as the hardware makes it easier for the attackers, it makes it practical to go with longer encryption keys, so faster hardware is neither a help nor hindrance to attackers. The one proviso is, of course, the security of data encrypted by older cyphers.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Sure, all codes (except one time pads and equivalents) can be broken. The difference is whether it takes a day to crack the code or it can be proven that it requires either a centuries-sought breakthrough in mathematics or all the computers in the world working for ten thousand years.
I don't know how you feel about it, but quantitative differences on those scales qualify as qualitative differences to me. Your 2048 bit PGP key simply isn't crackable by any reasonable standard. The reason people succeed at these challenges is because the bar has been set intentionally low.
They probably just looked in the back of the book.
No, that was an even problem. Only odd problems are in the back of the book.
They also set the bar at your "reasonable standard" - the factorization of a 2048-bit number brings in $200,000 USD.
a ct oring/numbers.html
http://www.rsasecurity.com/rsalabs/challenges/f
Stephan
It should go up exponentially, so that 1024 is much more than twice as hard. However, with Beowulf clusters and the new primability test, this is being offset quickly.
For the n-th time...
The new primality test has little practical value, because the previous testing algorithms, although probabilistic, are vastly faster in practice.
Primality testing also has little to do with factorization algorithms.
No because if you take a xor b where b is your message and a is the key then if all the person had was c (the output) then inorder to find b, they would have to xor it with every possible value of a. This would result in every possible combination of bits(do it on paper and you'll see). So the cracker would be left with a list of every possible way of representing a 2048(just an example) bit number essentially going from 0 to 2^2048. Convert this to ascii and you've got every possible combination of characters that can fit in 2048 bits. That means that any sentence that can be written in 2048 bits would appear in the cracker's lsit and therefore there would be too many logical outcomes and noway too tell which is right.i.e. you could have "The ships will attack on the east coast", "The ships will attack on the west coast", "The plane will attack on the west coast", "We made coffee for the Germans." ... or literally every posible combination.
RSA has been the defacto standard for public key exchange since it came around. PGP was based on it, and if I remember correctly that's all it supported for a long time. RSA is still a very strong algorithm and has a few benefits over ElGamal. The main reason that people wanted to switch from RSA to something else was that until September of 2000 RSA was covered under a patent and required royalties to use.
And I quoth from the article:
3980750 8642406493 7397125500 5503864911 9906436234 2526708406 3851895759 4638895726 1768583317
x
4727721 4610743530 2536223071 9730482246 3291469530 2097116459 8521711305 2071125636 3590397527
which can easily be multiplied to verify that they do indeed give the original number.
Does anyone have a calculator that can "easily" multiply these two numbers... Holy Cow!
OTP can't be cracked even with brute force, because there is no pattern in the encrypted result and each letter is coded independently of all the others.
To give you an example, think of a one-word message:
'GO' (= 0x47 Ox4F)
Here is a two-byte one-time pad:
Ox5E9C
Here is the result of the encryption:
0x474f xor 0x5E9H = 0x19d3
Now the OTP gives you back the unencrypted text if you have it:
0x19d3 xor 0x5E9C = 0x474f = 'GO'
Now, if you don't know the OTP and all you have is the encrypted text, then your only recourse is to try all the possibles OTPs with brute force. The problem is that amongst all the results, you will indeed have 'GO', but also 'NO', 'IT', '42', etc. All the possible two-letter words will be there, and there will be no way to find out which is the correct one.
This result trivially extends to messages of any length. Using brute force with OTPs only generates all the possible messages of a given lengths, giving no clue as to which is the correct one.
attracting only comments from old troll accounts?
No one knows anything about how you go about factoring huge composite numbers...
Mathematics has the problem that the general population has listened to claims that "math is hard" and has learnt to ignore any attempt at understanding mathematics beyond useless trivia and professional sports statistics.
To help make some sense of what they are discussing:
Some factoring theory and source code by Paul Herman and Ami Fischman.
From RSA Labs' FAQ - What are the best factoring methods in use today? a fairly technical but readable description of advanced factoring algorithms, and What improvements are likely in factoring capability?
not being the math wiz that most /.ers are I was wondering what this meant for me...I found the below statement on RSA's FAQs and it answered my question that I'm sure many here like me have..
***************
What does it mean when a Challenge Number is factored?
Users of the RSA public-key cryptosystem may wonder what the factoring of a challenge number implies about the security of their keys. Should they immediately replace their keys with larger ones? Should they stop using RSA altogether?
Clearly, the factoring of a challenge-number of specific length does not mean that the RSA cryptosystem is "broken." It does not even mean, necessarily, that keys of the same length as the factored challenge number must be discarded. It simply gives us an idea of the amount of work required to factor a modulus of a given size. This can be translated into an estimate of the cost of breaking a particular RSA key pair.
Suppose, for example, that in the year 2010 a factorization of RSA-768 is announced that requires 6 months of effort on 100,000 workstations. In this hypothetical situation, would all 768-bit RSA keys need to be replaced? The answer is no. If the data being protected needs security for significantly less than six months, and its value is considerably less than the cost of running 100,000 workstations for that period, then 768-bit keys may continue to be used.
Applications that require longer-term security or have data with a high financial value should migrate to longer keys before the factoring of the corresponding challenge number is announced. In either case, the results of the Factoring Challenge provide real data to help the cryptosystem user choose the appropriate key size.
RSA Laboratories' Frequently Asked Questions About Today's Cryptography provides more information on choosing RSA key lengths for various applications. RSA Laboratories Bulletin #13 discusses key length requirements for various cryptosystems.
***********************
And honsetly I think for most people the idea of someone devoting a cluster of computers just so they can read some documents you may have on your hard drive kindof egotistical for the end user...but hey we all know that the NSA breaks every key they can right?...even ones from people just trying to protect their data from average joe hackers...
Someone might find some way to factor primes instantly via quantum computing, and your one-time pad would not be affected.
That's definitely a good thing, because that instant prime-factorization algorithm has been around for centuries! Given a prime p, its factors are 1 and p.
Still, for some reason, it seems like there's a Microsoft conspiracy to keep this knowledge from reaching the masses. What do they have to hide?
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates, The Road Ahead, Viking Penguin (1995)
Algorithm for increasing karma:
1. Read first paragraph of article.
2. Find first occurence of technical term.
3. Look up definition of said technical term on google.
4. Cut and paste definition then post on relevent slashdot forum.
The best part is, you can do all this without actually knowing anything about the topic!
:wq
I don't know the complexity of RC5, but I can imagine it's not exponential like the NFS.
The complexity of RC5 is O(n). Encryption time is constant but key setup time is linear, so the whole process is linear.
However, that's not relevant. What you need to compare is the complexity of a brute-force search of an n-bit keyspace, which is O(2^n). Definitely exponential.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
In plain english, this means that OTP must be unique and truly random and have the same length as the message. While the encryption is uncrackable, the problem of transmitting proper OTPs remains.
Not to say that it couldn't be useful for some special cases, but for general purpose encryption, no.
Software should be free as in speech, but if we also get some free beer, all the better.
The problem of course is that you can't reuse one-time pads (thus the name) otherwise they are subject to certain attacks. So basically, if you deliver a one-time pad to someone, you are using some sort of secure delivery at one point in time to guarantee the ability to send a secure message at some time in the future.
However, quantum cryptography may be able to render the problems of delivering one-time pads obsolete (well, at least for applications where you can get a fiber link between two points or where you have a line-of-sight with the other party). Quantum cryptography is really just a means of giving Alice and Bob the same random string along with a method of detecting eavesdropping (basically, it won't work if someone eavesdrops).
But I don't believe in any of this quantum voodoo. I'm working on the ultimate in security. Curses. Just put a curse on your message so that it kills anyone other than its intended recipient and you can be as insecure in the transmission as you like. Remember, dead men tell no tales.
Man, have I really been rambling on for this long? Sorry, I've been drinking a bit.
My only political goal is to see to it that no political party achieves its goals.
Actually, if you assume that quantum computing becomes main stream and people have enough qbits to factor large numbers (It was only like a year ago that IBM built a 7 qbit computer and implemented Shor's algorithm to factor 15), then you have one time pads being very possible.
One of the nice things about quantum computing is that you can send a message to someone and tell if anybody intercepted it. Therefore, you can send one time pads until one gets through without being viewed. Once you have a one time pad, you can encrypt your message and send it fairly easaily using conventional means.
Of course, I don't know what will happen with things like authentication which rely on public key schemes. I don't believe that eliptic curve encryption methods have an easy attack from quantum computing, but I don't know enough to say that they can be used for anything but encryption.
Congratulations - you've invented symmetric key cryptography! Looked at from a far enough distance, any symmetric key crypto algorithm is basically a pseudo-random number generator that combines the pseudo-random number stream with the plaintext and the key is the seed to the random number generator.
Algorithm
a precise rule (or set of rules) specifying how to solve some problem
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.