RSA-576 Factorization Officially Announced

product byproduct writes "RSA Security finally has a news item about the December 2003 factorization of RSA-576. (See earlier Slashdot coverage). We now know what the computational cost was: the 174-digit number was factored "using approximately 100 workstations in a little more than three months"."

Lots of hardware...

[basil+montreal]

That's a ton of computer hardware to use on factoring... I wonder why they didn't just use a distributed system (like seti@home) to do this... at least it's free.

Re:Lots of hardware...

[ezzzD55J]

Because it's difficult to efficiently parallelize (distribute) the factorisation algorithm, especially the final step which so far has always happened on 1 machine. In fact, if you can paralellize the final step of the GNFS (general number field sieve is generally used for these factorisations), you have yourself a PhD. thesis (in math and/or CS), I remember reading in sci.crypt.

Re:Lots of hardware...

[jmdjmd]

You mean like the contribution of http://www.nfsnet.org/ ? And not everything can be done there - the final step (the matrix step after the sieving) isn't easily done in parallel. It was done on a Cray at the CWI for the previous challenge, and this one used a 16-computer high-speed LAN I think.

Re:Lots of hardware...

[Chilliwilli]

I'm sorry but factorisation problems and SETI really infuriate me. Firstly we can calculate how long something will take to compute with ease using simple the simple CS complexity analysis we all learnt at university.. then theres the SETI people.. not that I don't want to know whether there's life on other planets but to be honest there is so much we don't understand on our own planet that could have far greater reward for us all. Things I'm talking about might be research into climate, new fuels, medicines. The only distributed task I contribute to is folding@home because all others don't seem worth the extra energy and heat my PC will put out.

Re:Lots of hardware...

[KingOfBLASH]

Go to distributed.net and download their client. You can work on factoring RC5-74 (a 74 bit number from RSA). They've just finished up RC5-64 (A 64 bit number from RSA). If your computer finds the key, you get $1,000 and $8,000 goes to charity. They also have other distributed projects, like seti@home, including one to search for mathematical constructs known as Optimal Golumb Rulers. The best part is the client runs at the minimum priority, so you only give up cpu cycles if you don't need them. I've yet to notice any kind of lag because it was running on my machine.

Re:Lots of hardware...

[KingOfBLASH]

There are plenty of projects out there like that, you just have to search for them. I just posted a comment on the granparent about distributed.net, and I personally am working on a distributed computing project to debut in the summer looking for concatanated primes, The Catcon Project

Re:Lots of hardware...

[nkh]

The best part is the client runs at the minimum priority, so you only give up cpu cycles if you don't need them.

This is something I don't understand: I have either Seti or Folding (not at the same time) running on my Linux box in real-time priority and I can still compile, listen to Shoucast and do everything I want (even launch mplayer if you wish). Of course it's more difficult if you want to play a DirectX game, but I don't see the use of these programs running only at 1% of the CPU when you can do more because the CPU usage is constantly modified by the system.

Re:Lots of hardware...

[KingOfBLASH]

Well I start the distributed.net client at start up and turn it off at shutdown, with it set at the minimum priority. I can still play games and do CPU intensive things. If I do something moderately intensive, and the client were on normal priority, the kernel throttles back the CPU cycles the client can get. But if I do something that needs as much of the CPU as it can get, like a 3d accelerated game, the kernel will allocate time to both the game and the client, making the game slow and choppy. So, by setting it to minimum priority, even a game is never slow and choppy. I have almost stopped noticing that it is there.

Re:Lots of hardware...

[JDWTopGuy]

Correction: the RC5 contests are not factoring contests, they are brute-forcing contests.

Re:Lots of hardware...

[WuphonsReach]

... The only distributed task I contribute to is folding@home because all others don't seem worth the extra energy and heat my PC will put out.

Tell you what, when you pay for my PC and my electricity bill, then you can decide what distributed tasks I contribute CPU time to.

Yes, that's a bit of a rant, but it is up to the individual to make their own choices about which projects they contribute to. (Does this mean you also complained about all of those screensavers that burned CPU cycles displaying flying toasters instead of putting the machine to sleep?)

Re:Lots of hardware...

[Chilliwilli]

Yes I am!! First off it's not a money issue what so ever but an enviromental one. Screensavers are the most pointless things in existance in this day and age of power saving monitors. People are free to spend their money on what they want but as long as we all have to share this miniscule world we should all do our part in seeing that our currently limited energy resources are put to good use.

So Nah!

Re:It has to be asked...

[Sheetrock]

Especially in light of all the projects one could be donating computer cycles to, such as protein folding or SETI.

What does this tell us? That if you throw enough machines and/or money at a solvable cryptographic challenge you'll solve it?

Still safe for a while

[BuddieFox]

We should still be reasonably safe using the RSA-algorithm for a while more since the number is the equivalent of a 576-bit key. Most cryptography programs support upto 4096-bit keys, and the strength of a key increases exponentially for every bit if my memory does not fail me (correct me if it does).

Safe, that is unless someone invents quantum computers and makes them easy to produce.. :)

Re:Still safe for a while

[Ckwop]

Also remember the moore's law doesn't apply to factoring algorithms.. This is because for the GNFS the *memory* speed is what's important and that isn't growing nearly as quickly..

Not convinced? Look at the linear proportionality in this graph

Simon.

Re:Still safe for a while

[Ckwop]

Wow nice random word generator.. Can I have a go?

Seriosuly, It's utter rubbish. I mean please explain to me how you stack an S-box into a corner of a cryptographic chamber..

It's just a substitution you muppet.. And cryptography isn't all hardware speed.. I mean WEP

was broken with trivial computing power!

Simon.

Re:Still safe for a while

[thedanc]

Bear in mind, using bits to exponentially increase cryptographic strength only works until you reach the Berenstein factor, which is a practical limit on the number of S-boxes that can be stacked in any particular corner of the cryptographic chamber. After a certain point, which varies according to the chamber ceiling, it is possible albiet less space efficient to take advantage of parallel stacking to some extent.

Mods -- how could you let this get modded up? First, S-boxes are in DES, not RSA. Next, even if the random reference was to the correct cryptographic algorithm, the rest of the comment still makes no sense at all.

C'mon people, post if you have a clue, and only if you have a clue.

Re:Still safe for a while

You complete idiot. Linearity in the _length_ of the key vs. year means _exponentially_ faster-running factoring over time. But if you couldn't figure that out for yourself, you could at least look up your screen a couple of inches where they state:

For each specific algorithm, the progress follows Moore's law that states that the speed of computers double every 18 months.

At any rate, time to go buy a G5 I think, they are supposed to have pretty fast memory.

Re:Still safe for a while

[Threni]

> C'mon people, post if you have a clue, and only if you have a clue.

Yeah, like that request is going to work. I find people posting nonsense here and having it modded up as insightful amusing. It's just an extension of what happens elsewhere.

Re:Still safe for a while

[cortana]

For each specific algorithm, the progress follows Moore's law that states that the speed of computers double every 18 months.

Sorry for sounding like a dick, but Moore's Law states that the number of transistors per unit area doubles every eighteen months. This does not directly correspond to an increase in computer "speed".

Re:Still safe for a while

well why don't you do something constructive for a change and enlighten the authors of the article in question instead of me you useless slashdot faggot

Re:Still safe for a while

[andy666]

Yes, but more importantly, this shows the superiority of elliptic curve cryptography - compare this with the size of the recently cracked elliptic curve key.

Re:Still safe for a while

[tomstdenis]

Surperior in what sense? ECC is typically slower [though not by a wide margin] on desktop processors where multiplication is not that expensive.

Sure ECC has the size thing beat and is better suited for smaller machines, oh and is neater math, but that's about it ;-)

Tom

Re:Still safe for a while

[thogard]

no, but history has shown if you can get 2x the transistors you can solve more than 2x the problems at the same time.

If my package limit only allows 16,000 transistors but in 4.5 years you get 128,000 transistors, you can solve far more problems and that can give you far more preformace than Moore's law by its self.

Re:Still safe for a while

Ahh but you fail to factor for time warp field obsucrsion.

Re:Still safe for a while

[AmericanInKiev]

Sure it does.

Even if one did not INCREASE the number of total transistors - the fact that they are closer together means the clock propogation delay is reduced thus MHz can increase without loss of synchronicity.

electricity does not travel even as fast as the speed of light - that and heat dissapation are the primary barriors to Moore's law.

AIK

Re:Still safe for a while

[dmaxwell]

The rules are different for public key cryptography. You are correct in that every bit added to a symmetric crypto key doubles the keyspace. In public key crypto which RSA is one type of, it is necessary to add 10 bits to double the difficulty. That 10 bit number is somewhat fuzzy. It can be a little more or a little less depending on whether we are talking about elliptic curves or Diffie-Hellman and others.

Re:Still safe for a while

[El+Neepo]

WEP had a flaw in the protocol.

The flaw made it possible to inject unauthorized packets and reduce the time/space needed for brute forcing the key.

Re:Still safe for a while

[Martin+Blank]

That was exactly his point. Much is made of how long it takes to crack whatever random bit of encrypted text because almost everyone loves the idea of brute-forcing their way through a problem, but few people can even see -- let alone appreciate -- the elegance of the guy in the corner working quietly on whittling away at an algorithm. Anyone can attack a problem with raw computing power, but how many people can poke at methods of streamlining the computation to bring down the difficulty by a few orders of magnitude, eventually making some of the toughest algorithms beatable within their lifetime?

Personally, I think it speaks volumes that NSA isn't satisfied with 256-bit algorithms like AES and are pushing for 512- and even 1024-bit in certain government circles. Makes one wonder what weaknesses they've found that concern them.

Re:Still safe for a while

[andalay]

WEP had a flaw in the protocol.

The flaw made it possible to inject unauthorized packets and reduce the time/space needed for brute forcing the key.

Thanks for demonstrating a common misconception in cryptography: it is all about encryption and decryption. Its not. Its also about the algorithms and protocols you use in your applications. Encryption/decryption is a factor in the security but it is not the whole point of cryptography.

As a result, when people break SSL,WEP, it is as much a part of practical cryptography as factoring integers

Re:Still safe for a while

Not getting any sugah at night?

Re:Still safe for a while

Moderators have spent, as of this writing, three points moderating this post "-1, Redundant", but only one point moderating the original AC post up "+1, Informative". Idiots!

Re:It has to be asked...

[Chilliwilli]

Couldn't agree more.. but from what I see they didn't use a distributed client.

Re:It has to be asked...

[lewko]

No.

It tells us HOW MANY machines we need to throw at the challenge.

The whole key to protecting information is to make it cost more to recover the information than it is worth.

For example, if information is going to need to be kept secret for twenty years, projects like this help you learn based on current technology, how much crypto is sufficent (or overkill).

Security

[nuclear305]

Of course, the whole idea behind key strength is rather moot if the user gets careless with his keys/passphrase.

Unfortunately, crypto is only as strong as the user(weakest link)

While it's not always comforting to know these things can be factored, at least we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.

Of course, unless you're the NSA and measure their servers by acres...

Re:Security

[CoolGopher]

we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.

Of course, unless you're the NSA and measure their servers by acres...

Or if you grabbed the source for the latest windoze worm and modded it to bruteforce keys in addition to spreading...

I have a suspicion that doing that would give you a supercomputer that quite possibly ranked #1 on the supercomputer charts, and for free to boot*.

*) Comes with complimentary government provided lodging and meals.

Re:Security

> *) Comes with complimentary government provided lodging and meals.

Only if, as in the Unabombers case, your brother helpfully provides your details to the FBI. Lets face it - they're not going to catch anyone without any help, are they, as McVeigh, Unabomber, 9/11 etc have shown only too clearly.

Re:Security

[foidulus]

While it's not always comforting to know these things can be factored, at least we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.
While that may be true, there is still a significant chance that, with less hardware, the hacker can always get "lucky" and be able to use less computing power to "guess" the factorization. For instance, a hacker could just start with a prime number that is an arbitrary distance from the square root and just use less computing power to keep on guessing(guessing distributes very well, but it is incredibly inneficient). The same calculations that show the maximum amount of time that guarentee them the key also show there is a good chance they could stumble upon it.

Re:Security

[thogard]

I think that RSA's weakest link is the "Euclidian algorithm" which has a few a few other options.
RSA keys aren't 1:1 and while my math isn't good enough to prove it, they are 1:many as this code shows how it works.

Re:Security

[Xilman]

Actually, the chance is negligible if you try that algorithm. Guesswork just doesn't cut it, unless you like betting at odds of 10^170 to one against.

Responding to the parent post: rather a lot of hackers have easy access to 100 node farms. It's not difficult any more to find 100 cpus, especially for an algorithm such as GNFS which doesn't need especially fast communications between them. The final stages are more of a bottleneck than the sieving, but far from impossible for reasonably clueful people.

Paul

Re:Security

[tfb]

I've always been amused by the people who boast about how their laptop (usually) drive is encrypted using some million-bit filesystem and is therefore `secure' even if someone steals the machine.

Of course, they don't remember the million bits, oh no, they have a passphrase, which is something they can reliably type blind and remember, probably some few 10s of effective bits (as it's probably English).

So how secure is this data, again?

Re:Security

[Beryllium+Sphere(tm)]

I highly recommend Diceware for advice on and tools for generating passphrases.
A Diceware passphrase has 12.9 bits of entropy per word, assuming you can throw dice randomly.

Re:Security

"Of course, unless you're the NSA and measure their servers by acres."

Or Google.

Re:Security

[ConsumedByTV]

While I agree with the sentiment of this remark, I have to disagree with some implementations.

Yes, it's not going to be difficult to attack the users passphrase if it's stupid. However you make an assumption that most people who encrypt their harddrive keep their keys on the laptop.

I don't.

With loop-aes, you have pretty good abstraction.

So you can have a set of gpg keys, a file encrypted to a given public key, and the data to be decrypted, all in different places.

In theory, it can be done over a network, a usb keychain, a serial cable, whatever you want.

In the end, if they have all three, yes, the password is the last link obviously.

The key is to make sure that those three aren't in the same place at the same time, once the system is on, the keys are loaded into memory and aren't needed. Remove the usb key with your gpg secret key. Remove the usb key or detach from the server that has the actual encrypted gpg file that holds the actual disk encryption keys.

You need all three to attack the users password at that point. Assuming that you decide it's not worth cracking the gpg encrypted file (4096bit), that it's not worth cracking the passphrase (war and peace in leet speak), you can attack the disk file itself.

Each encrypted partition has 64 different keys that are all
61 different characters long.
Example:
kd11Zki1oKre4iSwXaMX+C/wH+t7RXBtG 3Q0rog5pYAHHVm0tb CWDYp0MgII

So yea, it's possible to crack that, but I highly doubt that you will.

So stealing my laptop takes away my hardware, and my encrypted disks. It doesn't mean you have an easy way into my data.

Check out the loop-aes project for practical examples of this in Gnu/Linux.

It's not perfect, but it's better than the stupid cryptoloop crap where you can't ever change your password because that requires writing all the data to the disk again (with the new key).

More about distributed computing...

[BillGodfrey]

Stuff to read...

A primer on distributed computing

The advantage of one way encryption...

[MosesJones]

I encrypt everything on my hard-drive using one-way compact encryption, it only cost me $100 and converts every file into 0 bytes that can't be de-crypted by anyone... not even me. Now THAT is proper security.

I previously used 2^(10e20) bit encryption which would have taken several universes to crack. Unfortunately it took one earth life to encrypt a 1 Mb file so I had to revert to the super-secure method above.

And Yes I do have a tin-foil hat... why do you ask ? Oh and the application that does the one way encryption. Well I work on Windows but I get this Unix utility called Cygwin and the guy sold me a program that does the encryption. I had a look at what was in encrypt.sh and what it says is

cat /dev/null > $1

Amazing how simple UNIX makes encryption... but then I use Windows so its all beyond me.

Re:The advantage of one way encryption...

Lamest attempt at taking down a truly funny post I have ever seen. Funny earns no karma! Though as all the funny+troll posts show it really should.

Re:It has to be asked...

[ezzzD55J]

For example, if information is going to need to be kept secret for twenty years, projects like this help you learn based on current technology, how much crypto is sufficent (or overkill).

True, although that only really matters for asymmetric (public/private, such as RSA) algorithms; for symmetric algorithms, you may as well use 256 bit keys, because it's just as fast as 128 bit keys, and minor breaks are unlikely to ever make attacks practical.

Hundred computers * 3 months

[Gopal.V]

That makes it 240000 computer hours ... too cheap .. Think about this :

"Toy Story 2" had about 800,000 computer hours worth of rendering.
"The Hulk" had 2.5 Million computer hours
My office has nearly 400 fast machines , imagine this running them makes it 25 days . Running that every weekend makes it 12 weeks or 3 months ... It's a weekend job if I can sneak this in as along with the next upgrade.

DDoS time is over with all networks being careful about... the next big windows worm will be a distributed processing program :)

Re:Hundred computers * 3 months

[duffbeer703]

Think about the commercial application of cyrpto... would anyone invest Pixars IT budget to steal a few credit card numbers?

Even with military-style secrets, timing is key. If a US war plan is intercepted by a foreign intelligence service, only to be decrypted months later, that data is pretty useless.

Re:Hundred computers * 3 months

[Short+Circuit]

would anyone invest Pixars IT budget to steal a few credit card numbers?

It depends on the credit limits of the cards, and whether or not the holder knows the data's been accessed..

Re:Hundred computers * 3 months

[phoenix.bam!]

I'd imagine intelligence agencies would have a lot mroe than 100 machines working on cracking the US military plans...

Re:It has to be asked...

[Chilliwilli]

Surely a complexity calculation would suffice? After running a few iterations of the solver surely they could just calculate how long the key space would take to cover and divide by two.. why the need to run it until completion?

Factoring in advance

If you knew that factoring big numbers was important to breaking encryption, and would be for quite a long time wouldn't you simply have started a huge factoring effort decades ago? I know I would have.

Re:Factoring in advance

[RupW]

If you knew that factoring big numbers was important to breaking encryption, and would be for quite a long time wouldn't you simply have started a huge factoring effort decades ago? I know I would have.

Factoring what? You won't know the number you need factored until you intercept or steal the encrypted data.

You could, I suppose, start multiplying every pair of primes together and try and organise a database of the results but the storage - even if you just store some sort of clue to the primes used - would be staggering, even for just 1024-bit RSA.

Re:Factoring in advance

[ezzzD55J]

Factoring what? You won't know the number you need factored until you intercept or steal the encrypted data.

Not true, because if you can factorise the modulus in the public key (which is generally easy to get), you can generate the private key.. That's the whole point to this factorisation business :)

Re:Factoring in advance

[RupW]

Not true, because if you can factorise the modulus in the public key (which is generally easy to get), you can generate the private key.

Yeah, that was misleading - I was just trying to say you need a target for your arbitrary factor effort. In my mind I'd figured you'd have to have the encrypted message to know what private key it was encrypted for - although I realise now that's not necessarily true (and neither's the reverse). But it could be for real tinfoil-hat types :-)

There's no good reason, either, why a public key can't be kept as confidential as a private key or a symmetric cipher key - it's just that once you publish it to a few people there are more points of failure. And if you don't have the public key (in GPG's implementation at least) you don't have anything to try and factorise because it's not bundled with the encrypted data.

Re:Factoring in advance

[tadmas]

You won't know the number you need factored until you intercept or steal the encrypted data.

You don't have to steal anything. The number to factor (the modulus) is given away as part of the public key.

organise a database of the results but the storage - even if you just store some sort of clue to the primes used - would be staggering, even for just 1024-bit RSA.

For 1024-bit numbers, the factors will be on the order of 512-bits. The density of primes is rougly 1/ln(n), and ln(2^512) is about 355, so you should expect around every 355 numbers to be prime. That's only 3e151 numbers, not to mention that you'd have to figure every product of the two, which is 0.5*(3e151)^2, or 7e302 numbers.

Staggering doesn't begin to describe how many of these things you'd have to store.

Re:Factoring in advance

How would you store it?
There is less than 10^100 atoms in the universe.

Re:Factoring in advance

not to mention that you'd have to figure every product of the two, which is 0.5*(3e151)^2, or 7e302 numbers

Err, while division is indeed a bit slower than multiplication it might pay off in this very case..

Re:Factoring in advance

This is exactly what the Cunningham attempts to do to a certain point. I imagine once it achieves its goal it will turn an eye to larger numbers.

http://www.cerias.purdue.edu/homes/ssw/cun/

40 Licks

[thpdg]

It begs the question, how many workstations, for how many months, would it take to find out
How many licks does it take to get to the center of a Tootsie Pop?
I'm afraid the world will never know.

Re:40 Licks

The response from the master machine was "Ask Mr. Owl."

Re:40 Licks

Theh-Ree.

Re:40 Licks

[bryane]

1

2

3

CRUNCH

3

Unless...

[RKBA]

Unless someone comes up with a better factorization algorithm. In fact, if anyone knows of a software package that can solve a system of 640 boolean equations in 640 boolean unknowns, I can give you the factorization of the RSA-640 challenge number. :-)

Re:Unless...

[ezzzD55J]

As it happens, satisfiability algorithms can solve systems of 640 variables quite easily. No, it's true they can't solve 640-bit factorisations yet, or they would have :). The difficulty of satisfiability systems for randomly generated problems lies much more in the ratio of clauses to variables than number of variables alone.

If anyone wants...

[Phidoux]

... to waste 3 months and 100 computers trying to read my RSA-576 encrypted information, they are welcome

128 bits for symmetric cryptography

I remember an article written some time ago
from a Dutch (I think) guy. He was stating that
for symmetric cryptography (i.e not RSA,
Diffie-Hellmann and the likes) a 128 bit long
key is enough. He was making the assumption
that cracking a 128 bits key (again, for a
symmetric algorithm) would produce, even with
processors 1000 more efficient heat-dissipation
wise than current chips, so much heat that the
Netherlands would be under sea level due to ice
melting.

However, I cannot remember where I read it, and
can't find it with Google. Can someone please
provide a pointer for this article? Now that
I'm more savvy with cryptography, I'd like to
double check if the paper indeed make sense or
if it is just a bunch of BS.

Re:It has to be asked...

[cybervarun]

In a sense, yes.
If we all remember our RSA encryption methods, or in fact any encryption method, they are all breakable, it's just a matter of enough computing power to do it. With RSA all you have to do is factor the big prime number pq into p and q and then you know phi = (p-1)(q-1) and from there you can get the decryption exponent no problem.

Encryption was designed to be just unbreakable enough, not totally unbreakable. 576-bits is a small one compared to what is often used for critical data these days, and every RSA factorization prize will be taken. But trust me it will be a lang time before you see the next ones show up, since eachadditional bit makes the problem a much harder one.

It'll be like this at least until quantum computing makes it all obsolete :) Every so often you will see that another RSA

Re:It has to be asked...

[RupW]

Surely a complexity calculation would suffice? After running a few iterations of the solver

Because there's no motive to optimise the solver. Open up the project, offer a prize and you'll get many eyes looking for the absolute best solution - then you can study the complexity of that.

Safe from whom?

[dcavanaugh]

OK, it took 1000 machines and 3 months for this particular example. The task is not impossible, and there are people who really can get their hands on 1000 machines.

If the goal is personal security, I agree that the average credit card hacker is not going to make the investment. On the other hand, the NSA has the hardware resources to attack on a grand scale, with perhaps even better algorithms.

It will be a while before RIAA and MPAA can hijack NSA resources to pursue P2P users, so I guess we ARE still safe for a while.

Re:Safe from whom?

[tolan-b]

it took 1000 machines

100

Virginia Tech

[artlu]

If you think about it, this means that VA could do 1024 bit in 1month. Gotta love the G5 supercomputer!
artlu

Re:Virginia Tech

[Chexum]

Uh, oh, someone is bad at math...

I don't think VA's unknown numbered G5 park is about 2^448th more powerful than 100 PC(?) nodes. I don't think it's possible.

Or, I simply have been trolled :)

On the other hand, let me check my sig again...

Re:Virginia Tech

shutup

Re:Virginia Tech

That'd be you, sir. That the algorithm is superpolynomial doesn't mean that every bit doubles the effort needed.

half agree

[essreenim]

I think that distributed computing is wonderful. It allows us to divide and conquer which is what the developed world should be about.

I agree that the analysis could just as effectively be done using bif-O notation and all that, but I still dont think we should knock it.
If you have a problem with people factoring RSA keys, then just dont take interest - go somewhere else.

Personally, I would like to distributed computing used to find out more about the origins of our universe etc..

Re:half agree

[essreenim]

That would be big-O

Re:half agree

[GTRacer]

Big-O! Big-Ooo Biiig-Ooo Big-O! Bwaaaaaaa Ba Bwaa bwaaa...

GTRacer
- R. Dorothy can take my mod points any day

Why waste all the CPU power?

[tangent3]

There's a far easier way to crack the the key

Re:Why waste all the CPU power?

[the+MaD+HuNGaRIaN]

if(location.equalsIgnoreCase("Soviet Russia")){
SecrtetKey.crack(sessioin.getRemoteUser());
}

Re: i'm super-intelligent like HAL9000.

With my PC, I can crack RSA-4096 using Quantic Computing, hehehe, the algorithms are so very difficult and unknown by the people.

open4free (c) (R) (tm)

Re:It has to be asked...

factor the big prime number pq into p and q

Well, as Bill Gates has told us, that would indeed an tremendous mathmatical advance.

I have a solution right now, assuming the big prime pq where p != 1: p = pq, q = 1.

Sorry. I'm sure you just mistyped it, but I couldn't resist.

Re:It has to be asked...

[Xilman]

Couldn't agree more.. but from what I see they didn't use a distributed client.

Not entirely true. The article states that three of the contributors were part of NFSNET which does have a distributed client.

Paul

Anyone know what the predicted strenght was?

[pmcevoy]

Does anyone know what the predicted lifetime of the 576 bit key was?

I mean, when they say that we should be using 4096bit keys today, how long do they predict that it will take to crack that key? (taking into account Moores law and perhaps linear growth over time of the number of clients contributing CPU cycles). Is it possible to guestimate?

Jens Franke

[greppling]

(As far as I understand, he and Thorsten Kleinjung wrote most of the software used, and did most of the work in the project, while the other institutions were rather donating computing time.)

I happen to know him a little, as one of my friends is his student, and another one was. If you think mathematicians are crazy, Franke is more than that. When you talk to him, he will usually just continue to stare at the piece of paper he has directly in front of his eyes (Nobody knows why he isn't wearing glasses.) and think of that as a normal way of communicating. His office consists of 3 huge desks (plus a computer desk); on each of them there is huge bunch of completely unorganized papers lying around, mixed with empty yoghurt cans.

His mathematical skill is enormous, he has done research in quite a lot of different areas of mathematics (analysis, algebraic geometry, algebraic topology, category theory), but he never bothers at all with making his results well-known. (In fact, at least one time he actually had to be persuaded to even publish his result, which got immediately accepted in Inventionaes, the most highly regarded journal in pure mathematics.) He even couldn't be bothered to apply for a much better-payed position at another university in Germany when he was almost urged to do so.

Anyone who knows him will burst out laughing when he reads that he supposedly said "I'm very proud of all these individuals from around the world and their efforts to solve this first factoring challenge." and all this other stuff in that paragraph of the article. I bet the author of this press release desperately tried to get some phrases longer than 5 words out of his mouth, gave up, and then decided to just make up all the quotes.

Now with his mathematical skills, number factoring is (in his own opinion) a rather dull activity. The reason he is doing this is that he expects an economic breakdown soon, and he thinks of his knowledge in number-factoring as an assurance against the coming job crisis. (Of course, his position is guaranteed by the German state until his retirement.)

But if you manage to get along with him, he is actually quite nice and extremely helpful.

Re:Jens Franke

[Xilman]

I happen to know him a little, as one of my friends is his student, and another one was. If you think mathematicians are crazy, Franke is more than that. When you talk to him, he will usually just continue to stare at the piece of paper he has directly in front of his eyes (Nobody knows why he isn't wearing glasses.) and think of that as a normal way of communicating.

I also know Jens quite well (we are on first-name terms) and he seems sane enough to me. Perhaps I have hung around with mathematicians too much!

But if you manage to get along with him, he is actually quite nice and extremely helpful.

Seconded. Thorsten Kleinjung is also one of the good guys and very helpful.

Paul

Re: it's not trivial.

They are not 640 variables, they are more.
I *believe* that they are O(k*n^2) or possiblely worst-case O(k*n^3) boolean variables for SAT.

For n = 640 bits, n^3 = 262'144'000 boolean variables, you will need a cheap little-expensive 64-bit supercomputer like Opteron 148 with a lot of RAM!!!.

open4free (c) (R) (tm)

Nothing compared to Distributed RC5-72.

More than 160000 PII 266MHz computers working 24 hours a day, 7 days a week, 365 days a year!

RC5-64 is so solved, they are solving how to crack RC5-72.

RC5-72:http://www.distributed.net/rc5/

open4free (c) (tm) (R)

Next Time, Hire Google

[VernonNemitz]

They say that Google is preparing an IPO, but sometimes I wonder what they need the money for. They already had enough money for 10,000-100,000 servers, after all. If they doubled or quintupled that acreage of computer-farm, would your search-results come to you down the Internet pipe so much faster that you'd be glad the did?

And they had the money to hire the experts needed to manage that cluster like a single supercomputer. Sure, they probably got some of that initial funding from ordinary venture capitalists, but what if some Govt. outfit helped, on the grounds of requesting access for occasional factoring purposes? After that IPO gets invested in a bigger farm, not even 2048-bit keys may be safe.

Re:FWIW

And I'd like to also add "petty."

So, has any Slashdot reader checked the results?

[dpbsmith]

Does the numeral posted here actually equal the product of the numerals posted here?

The last digit looks OK, anyway. :-)

No, don't bother to flame me for laziness... I already know...

There was a time when I would have tried to do that on paper by hand, just to keep in practice. These days, not only am I too lazy to try that, but I don't currently have any software system at hand that implements indefinite-sized integer arithmetic... and I'm too lazy to implement one.

soooo....

[MasTRE]

It took longer for them to come up with the press release than it did for their code to be broken. Lookin' good, RSA!

Re:So, has any Slashdot reader checked the results

[nebaz]

java does this. It works on most platforms. See java.math.BigInteger

Re:It has to be asked...

[StarfishOne]

IMHO projects like Folding@Home, TSC, United Devices, Lifemapper or ClimatePrediction.net are far more important then breaking a piece of encrypted material.

Like RC5 for example. If you break the RC5-64 key, everyone is happy. Then they want to break the RC-72 key.

Wow.. it takes ages and ages.. and what does it *really* proof?

Yes, it is breakable too.. wow. I'd rather have a few new medicins available, thank you :)

What I'm trying to say: there is plenty of computer power available on this world.. but not nearly near enough! There are far more important and interesting things to do with it then breaking some non-sense line of text!

Re:So, has any Slashdot reader checked the results

bc and dc are Unix utilities that compute arbitrarily precise integers, basically limited by your memory and patience. (Obviously, they can't do the same thing for real numbers). The GNU versions, I believe, are based on the GNU MP (multiple precision) library, which is an incompatible replacement for the original Berkeley MP library.

Anyway, as for using it, bc is probably easier to use, as it implements a standard calculator interface. See man bc for details. I usually use bc -l when I want to work with fractional values. dc is the original utility, but it uses reverse polish notation (RPN), so it may or may not be intuitive to you. I believe bc is usually implemented as a frontend to dc.

If you're stuck with Windows or Mac, a quick Google will turn up some applications that implement arbitrary precision math. You can also probably find a Java applet to do it, since big number support is built righti n.

As to why I would know all this, multiplying really big numbers with exact integer precision is something that comes up often enough to warrant a little informal searching. :)

Re:So, has any Slashdot reader checked the results

[bowronch]

with a little help from lisp I did this... It checked out... /. is adding some white space to the numbers that isnt reall there...

i i i i i i i ooooo o ooooooo ooooo ooooo
I I I I I I I 8 8 8 8 8 o 8 8
I \ `+' / I 8 8 8 8 8 8
\ `-+-' / 8 8 8 ooooo 8oooo
`-__|__-' 8 8 8 8 8
| 8 o 8 8 o 8 8
------+------ ooooo 8oooooo ooo8ooo ooooo 8

Copyright (c) Bruno Haible, Michael Stoll 1992, 1993
Copyright (c) Bruno Haible, Marcus Daniels 1994-1997
Copyright (c) Bruno Haible, Pierpaolo Bernardi, Sam Steingold 1998
Copyright (c) Bruno Haible, Sam Steingold 1999-2003

[1]> (defun test-rsa ()
(let ((number
;; copied from page
1881988129206079638386972394616504398071635633794 17382700763356422988859715234665485319060606504743 04531738801130339671619969232120573403187955065699 6221305168759307650257059)
(prod
(* 39807508642406493739712550055038649119906436234252 6708406385189575946388957261768583317
47277214610743530253622307197304822463291469530209 7116459852171130520711256363590397527)))
(if (= number prod)
(format t "Equal")
(format t "Not Equal"))))

TEST-RSA
[2]> (test-rsa)
Equal
NIL
[3]>

Re:So, has any Slashdot reader checked the results

[camliner]

http://www.google.com/search?sourceid=navclient&ie =UTF-8&oe=UTF-8&q=39807508642406493739712550055038 64911990643623425267084063851895759463889572617685 83317+%2A+4727721461074353025362230719730482246329 14695302097116459852171130520711256363590397527 And google confirms the first few numbers...

Moron of the day award for you

[^BR]

Cracking RC5 has nothing to do with factorization.

RC5 is a symetric crypto algorithm and winning the challenge is not a matter of smart algorithms like in the factorization case but of brute force, because one "just gave to" try all keys (statistically speaking you're likely to try about half of them, i.e. 2^71 keys) until one decipher the challenge in something meaningful. (in the case at hand recognizing something meaningful is easy as part of the text in the message is already known, in the real world it is not always the case). This is a really easy problem to distribute (just allocate some key space to each volunteer and have them report back once they're done if they found it or not), unlike the GNFS algorithm where you must have a big computer with very fast RAM to hold a giant matrix in the last phase, something you can't get at Best Buy.

Please go chase some car on the highway, it'll clean the gene pool.

Re:Moron of the day award for you

[KingOfBLASH]

Hmmmm, you are right about the GNFS algorithm. However, if you must insist on a policy of eugenics, I request you start with lower life forms and work your way up the chain.

Re:So, has any Slashdot reader checked the results

[Ant2]

Yes. They are correct.

BigInteger p1 = new BigInteger("39807508642406493739712550055038649119 9064362342526708406385189575946388957261768583317" );
BigInteger p2 = new BigInteger("47277214610743530253622307197304822463 2914695302097116459852171130520711256363590397527" );
BigInteger p = p1.multiply(p2);
System.out.println(p);

188198812920607963838697239461650439807163563379 41 73827007633564229888597152346654853190606065047430 45317388011303396716199692321205734031879550656996 221305168759307650257059

RSA Labs had a press release way earlier

[^BR]

It just took some time to get to the marketoid...

Factorization of RSA-576

Re:So, has any Slashdot reader checked the results

import java.math.BigInteger;

public class biginteger
{

public static void main(String[] args)
{
String num1 = "3980750864240649373971255005503864911990643623425 26708406385189575946388957261768583317";
String num2 = "4727721461074353025362230719730482246329146953020 97116459852171130520711256363590397527";
BigInteger firstfactor = new BigInteger(num1);
BigInteger secondfactor = new BigInteger(num2);

System.out.println(firstfactor.multiply(secondfact or));

}
}

this should do it..

ugh... 4.5 months - for this?

[Tired_Blood]

There is very little info to the article.

My summary: they used about 100 workstations and it took 3 months. General credits to those involved.

That's it. Oh yeah, and a quote.

My interest is in how an individual's effort would have compared to their's. 100 machines is a little too vague - and is only really useful in the initial sieving process anyway. The last stage hasn't been implemented in a distributed fashion yet, so it can only be done on one.

Perhaps an estimate that can be roughly referenced by other computers. Does anyone have a link to this info or a better article (preferably in english)?

Maybe I'm asking for too much. Or maybe it'll be another four and a half months before we see any real detail.

Re:ugh... 4.5 months - for this?

[Ararat]

Jeeze, what planet (or university) are you from? Someplace where Google or Copernic is outlawed?

Mind you, this is a formal announcement, not an article. The technical details are for the researchers to announce, that's not RSA's reponsibility. And while the inital report of a factoring success -- and mention of any new technique -- usually spreads quickly over the Net (watch the Yahoo Prime Numbers group), academic papers take longer. And when you're dealing with experts at this level, they'll take their own bloody sweet time -- because they will have already chatted with the handful of peers who can appreciate what they did differently this time.

(Even coordinating a "joint annoucement" among an international group of top academicians, and their respective corporations and universities, typically takes -- trust me -- the patience of Job;-)

And what are you demanding, anyway: a detailed explanation of how Franke et al tweaked their algorithm for lattice sieving? A report on their new implementation of the block Lanczos algorithm for sparse matrices over F2? You say you want an estimate of how your individual efforts might be compared to (sic) their's? Pleeeeeeese!

(You are also wrong to declare that the "last stage" -- the post-processing the siever output -- hasn't been implemented in a distributed fashion. Frankel and friends wrote parallel implementations for both the filtering and the Lanczos step, and they had them running them on a LINUX cluster at IAM in Bonn a couple of years ago.)

This is not really a hardware game yet. The difference between my LAN and the 100 workstations they used to crack RSA174 is neither the number nor speed of the CPUs they used -- rather, it's the touch of obsessive genius involved in constantly refining their algorithms, and adapting them to more distributed computing efforts. There's a reason that all these record-breaking factoring efforts involve the same dozen or so famous gentlemen!! Not even the NSA bothers to compete with them in basic research on factoring!

For a little perspective, visit NSFnet to study up on their G(S)NFS implementation, which was built, at least in part, around the effort to factor this RSA Challenge number.

There still isn't any efficient G(S)NSF implementation that an individual can use on his own computers to factor numbers over 100 digits.

Below 100 digits, however, there is Satoshi Tomabechi's PPSIQS.

See also Chris Monico's GGNFS, which has reportedly been used to successfully factor numbers up to 50 digits or so.

Please put a leash on your hubris. Demanding that genius be translated into vernacular (and quickly!) is unreasonable, as well as futile.

_Ararat

Re:ugh... 4.5 months - for this?

[Tired_Blood]

First: considering that this site is supposed to be "News for Nerds" what news did the article provide? At a minimum it generated a forum to request further, more detailed information.

Second: Not unlike countless others, you misread one of my posts. I honestly can't see where I asked for theory. I am looking for how hard it was to solve this problem.

Wasn't that the point of the challenge? To quote the website: "to encourage research into computational number theory and the practical difficulty of factoring large integers."

So, with one of the problems solved, how difficult was it? 100 workstations and 3 months doesn't tell us much. Were all 100 working 100% on their given tasks for the full 3 months? Is it really 3 months, or was that number generously rounded up? How fast are the 100 machines? How do those 100 compare to the same number used to solve a previous value a few years ago? That last one is probably the most important question, because you can't compare between challenges without some honest reference.
And 100 is just an approximation - this announcement is just too vague!

As an example, something similar to this would have satisfied me. Please note that for that project, the delay between the date of submission and their detailed announcement is 1.5 months.

Please put a leash on your hubris.
I do. Perhaps you read frustration, and the expression of it, as arrogance. I've had difficulty finding such details, which is why I asked for assistance on the matter.

Although not quite what I was requesting, thanks for the links. It appears that Google has already provided a couple of them to me in the past. I've found this article to be an excellent primer - provides some history on (and some basics in) the effort of integer factorization. Most importantly it's not nearly as intimidating as the vast majority of publications I've encountered on the subject.

Re:ugh... 4.5 months - for this?

[Ararat]

"I honestly can't see where I asked for theory. I am looking for how hard it was to solve this problem," sez TB.

I sympathize with your interest in some straightforward measure that would allow you to compare one factoring project with some previous project. I really do.

Unfortunately, I think you are confusing your irritation with the tardy "formal announcement" of the joint project's success -- the basis for the /. "article" -- with your frustration that the prime researchers (Jens Franke and Thorsten Kleinjung at Bonn University) haven't seen fit to write a report on the labor, work, hardware, and/or software innovations involved in this project -- any report, let alone a paper that would allow you to compare their achievement with other factoring efforts to determine what progress has been made in the state of the art.

Instead, it seems that they, along with a handful of others, just are the state of the art. ;-)

(From what I'm told by folks who participated in the RSA576 factoring effort, btw, the primary researchers haven't yet even collected the stats that would be required for a formal paper on the project, so I don't think you will see an academic paper on RSA576 anytime soon.)

I really don't know what to make of that, other than to repeat what I said earlier: while there has been a lot standardization in the software typically used in these big NFS projects, much of the progress in this field seems to still be tied to the continuous and gradual improvement in the software and the hardware , and the way the two interact. What stays stable? Anyone who tried to offer comparisons between these factoring projects would probably have to develop some new team-independent "work-unit" metric. (And developing metrics is always a fairly political process too, for good or ill.)

Have you noticed how these guys always look ahead to the next number they want to factor and guesstimate that their next project will be, say, somewhere between 50 and 100 percent more difficult, more demanding? Nothing precise in those projections either, is there?

It seems to me that, in at least one stage, these projects typically involve the search for a solution that is pseudo-randomly located somewhere in a search-space of tens of millions -- so they are always burdened with the role that luck inevitably plays in whether they stumble upon the solution early or late in their search.

When luck can maybe double your work-load -- whatever the statistical probabilities are supposed to be -- it becomes difficult to give a lot of weight to any metric that measures (in machines, hours, cycles, "work units") the actual work involved in factoring one number -- and harder still to use that result as a gage of how much work will actually be required in the next project.

I too would like to be able to get a handle on the state of the art, I suppose, but I fear that the only people able to really discuss it would be talking about technical advances -- details down in the applied theory, if not the theory, per se -- that I suspect neither you nor I could really comprehend or appreciate.

This thread has been passed by, but I didn't want to leave you without a response, since I had sort of growled at you earlier. I know /. will at least drop you a note that a response has been posted here.

_Ararat

Memory speed vs. CPU speed increases

[billstewart]

You missed his point, though perhaps he could have expressed it more clearly. Many applications are CPU-bound, some are memory-size-bound, some are memory-speed-bound.

• CPU speed has been doubling pretty fast, every 1.5-2 years.
• Memory size (or at least, size/price ratio) has been growing pretty fast.
• Disk capacity has been booming faster than CPU speed, though disk seek times have been changing much more slowly.
• Memory speed has been lagging - I forget the exact numbers, but some of the hashcash folks did some research and found the speed doubled every N years, maybe 3-4. Certainly not the same curve as CPU speed.

If the real constraint in GNFS is storing and retrieving data, not multiplication speed, then you could easily get an environment where memory speed increases are the gating factor for your Moore's Law growth, no CPU speed increases, so your K-bit key is good for 2-3 times as many years as you'd expect.

On the other hand, factoring is a problem where the increases in Algorithm Speed have been just as critical as increases in Computer Speed. So maybe GNFS has reached the point where it's computer-speed-bound, but next year's Super-Duper-Number-Field-Sieve may be several times more efficient than GNFS, just like GNFS was several times more efficient than NFS in the ranges that are now interesting. Sometimes this happens just because mathematicians keep doing new work, and sometimes it happens because computer capacity (e.g. memory size) grows enough from Moore's Law that algorithms which weren't practical in the past become practical. There were factoring tools that weren't useful when most computers had 128MB of RAM, but work fine now, and there may be tools that aren't practical when most computers have less than 4GB of RAM, but five years from now your SonyNintendo box will have enough RAM to run Sieve@Home.

See also dmaxwell's correction

[Beryllium+Sphere(tm)]

>Most cryptography programs support upto 4096-bit keys, and the strength of a key increases exponentially for every bit if my memory does not fail me (correct me if it does).

First, adding one bit to the size of a number only doubles the range of possible numbers.

Second, even that doesn't apply to RSA because not every number is a possible key (not even close!). A key is the product of two large primes. Numbers like that are thin on the ground.

Third, there's no value in making your crypto harder to crack until you've made the rest of your system as secure as your crypto. Ask yourself which is cheaper -- brute-forcing a DES key, or breaking into your home and training a hidden camera on your screen?

Re:See also dmaxwell's correction

[JDWTopGuy]

First, adding one bit to the size of a number only doubles the range of possible numbers.

Dear genius:

That *is* exponential. It's 2 to the power of (number of bits). Add another bit, exponential growth. YMMV, HAND.

-Mr. Big Fat Jerk

Thank you

[RKBA]

Thank you, the website you mention looks very interesting - I'll definitely check it out (particularly the pseudo-boolean solvers). Actually, I already have the system of equations that would yield a factorization (it turns out they're quite easy to generate using Maple). All I need is a way to solve them. Although the equations only involve the "^" and "&" (bitwise XOR and AND) operators, they are quite lengthy and occupy about 135 MB of hard drive space!!! Since the ratio of clauses to variables is HUGE, I won't get my hopes up too high however. ;-)

Re:So, has any Slashdot reader checked the results

[provolt]

Yes it does.

Use Pari/GP. It's even GLP.

Re:It has to be asked...

[Beryllium+Sphere(tm)]

>The whole key to protecting information is to make it cost more to recover the information than it is worth.

That post deserved its +5 Insightful but here's a quibble anyway.

The idea of making information more expensive to crack than it's worth depends on your being attacked by people with economic motives.

If the attackers are true hackers they'll do it for the challenge. The more elaborate and clever your security, the harder they'll work. The "solve a puzzle-win a prize" motivation pulls people harder than the prize does.

If it were trivial I would have already solved it

[RKBA]

Yes, there are in fact precisely 640 variables (a320,...,a0 and b320,...,b0 where a0=b0=1, and a*b=n). There are of course 36,869 carry terms and a huge number of intermediate terms, but each of these can be expressed as a function of the bits that comprise the two 321 bit factors.

These Contests Shape Standards

[Ararat]

ANSI X9F1 -- the influential working group that develops US standards for the financial services industry on data security -- has reportedly decided, at least informally, that 2010 will be the year at which they will require an upgrade from 80-bit to 112-bit crypto security.

NIST generally follows the lead of X9 in these matters.

80-bit ciphers are generally understood, on the basis of equivalent resistance to brute force attacks -- the state of the art, as measured by the results in RSA Security's industry-defining crypto contests for both symmetric and RSA public key cryptosystems, and Certicom's ECC equivalents -- to encompass 1024-bit RSA (and DSA), as well as SHA1, Skipjack, and 160-bit ECC.

112-bit crypto strength is understood to be found in three-key triple-DES, SHA-224, RSA-2048, 224-bit ECC, and other standard cryptosystems with even longer keys.

This means that any data encrypted today, which must remain secure beyond 2010, should be using at least 112-bit crypto.

(While there are obviously levels of cryptographic security that lie between these 80-bit and 112-bit ciphers, ANSI X9 and NIST are trying to structure the technical debate in order to simplify their ultimate recommendations on effective security measures.)

_Ararat

Goes to show

[BCW2]

That any key can be cracked if enough computing power is thrown at it. Remember NSA does this as their job, now how many keys have been cracked? All or real close to it.

Re:So, has any Slashdot reader checked the results

Too bad your post wasn't modded up, I was about to re-type what you said. They make a BC version for windows as well. Can't find the link right now but search for "BC.exe". Also, PHP has a "bc" function.

Why bother?

[Tom7]

We now know what the computational cost was...

We also could have spared ourselves the computer-months of CPU time and just computed the computational cost using a few miliseconds of calculator time.

The only time such an exercise is successful is when a new code-breaking technique is developed to solve the problem, not when brute force wins.

Key and Information Lifetimes

[stuffduff]

While I don't have the answer I can offer some perspective on the question. You see that the day the key was made, there was a certain state of the art in mflops or some such thing that would represent the speed of arithmetic operations that the fastest processor could do at that time. A determination was probably made that said "In order to perform all the factor tests on a machine running X mflops it will take Y days."

But the universe refuses to maintain the 'state' in which it was in and several factors were conspiring against that estimate from the start. The estimate was based on a single processor running at a single speed with a single algorythm. Unfortunately, the evolution of the hardware, the creation of stable multi processor systems and cheap clusters, and the development of new algorythms have all conspired to have that estimate drop like a rock until it has now hit zero!

What's more important in IMHO is the life of the information protected by the key. As long as the information needs to be kept secret the key's factorial combinations should remain incalculable. In the mean time we can only say that the key's ability to protect the data is 'less than X,' where X is the current time it takes to calculate the factors of the key.

Not according to the article

According to the marketroid article, RSA Labs announced it "today". So are you saying that the RSA marketroids are both slow and lying?

Re:So, has any Slashdot reader tryed python?

[jtoj]

[txr@brasa txr]$ python2
Python 2.2.3 (#1, Oct 15 2003, 23:33:35)
[GCC 3.3.1 20030930 (Red Hat Linux 3.3.1-6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 39807508642406493739712550055038649119906436234252 6708406385189575946388957261768583317 * 47277214610743530253622307197304822463291469530209 7116459852171130520711256363590397527
18819881292 06079638386972394616504398071635633794173827007633 56422988859715234665485319060606504743045317388011 30339671619969232120573403187955065699622130516875 9307650257059L
>>>

Re:It has to be asked...

[lewko]

The idea of making information more expensive to crack than it's worth depends on your being attacked by people with economic motives.

I understand what you are saying, however it's besides the point. In protecting anything you need to assess what (or who) exactly the threat is, including their motivation, be it social, political or financial for example. Even if, in your scenario, its a bunch of challenge-happy hackers, then you merely protect your information according to this different threat. This may or may not involve crypto.

My reference to making information "more expensive" could also have be phrased: "making protected information way too much bother to crack before people lost interest and chased poodles with puffy tails instead while someone beat the information out of you".