Slashdot Mirror
RSA-576 Factorization Officially Announced
product byproduct writes "RSA Security finally has a news item about the December 2003 factorization of RSA-576. (See earlier Slashdot coverage). We now know what the computational cost was: the 174-digit number was factored "using approximately 100 workstations in a little more than three months"."
That's a ton of computer hardware to use on factoring... I wonder why they didn't just use a distributed system (like seti@home) to do this... at least it's free.
What does this tell us? That if you throw enough machines and/or money at a solvable cryptographic challenge you'll solve it?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
We should still be reasonably safe using the RSA-algorithm for a while more since the number is the equivalent of a 576-bit key. Most cryptography programs support upto 4096-bit keys, and the strength of a key increases exponentially for every bit if my memory does not fail me (correct me if it does).
:)
Safe, that is unless someone invents quantum computers and makes them easy to produce..
No.
It tells us HOW MANY machines we need to throw at the challenge.
The whole key to protecting information is to make it cost more to recover the information than it is worth.
For example, if information is going to need to be kept secret for twenty years, projects like this help you learn based on current technology, how much crypto is sufficent (or overkill).
Do you or your partner snore? - Visit www.snoring.com.au
Of course, the whole idea behind key strength is rather moot if the user gets careless with his keys/passphrase.
Unfortunately, crypto is only as strong as the user(weakest link)
While it's not always comforting to know these things can be factored, at least we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.
Of course, unless you're the NSA and measure their servers by acres...
A primer on distributed computing
I encrypt everything on my hard-drive using one-way compact encryption, it only cost me $100 and converts every file into 0 bytes that can't be de-crypted by anyone... not even me. Now THAT is proper security.
I previously used 2^(10e20) bit encryption which would have taken several universes to crack. Unfortunately it took one earth life to encrypt a 1 Mb file so I had to revert to the super-secure method above.
And Yes I do have a tin-foil hat... why do you ask ? Oh and the application that does the one way encryption. Well I work on Windows but I get this Unix utility called Cygwin and the guy sold me a program that does the encryption. I had a look at what was in encrypt.sh and what it says is
cat
Amazing how simple UNIX makes encryption... but then I use Windows so its all beyond me.
An Eye for an Eye will make the whole world blind - Gandhi
That makes it 240000 computer hours ... too cheap ..
Think about this :
...
It's a weekend job if I can sneak this in as along with the next upgrade.
:)
"Toy Story 2" had about 800,000 computer hours worth of rendering.
"The Hulk" had 2.5 Million computer hours
My office has nearly 400 fast machines , imagine this running them makes it 25 days . Running that every weekend makes it 12 weeks or 3 months
DDoS time is over with all networks being careful about... the next big windows worm will be a distributed processing program
Quidquid latine dictum sit, altum videtur
It begs the question, how many workstations, for how many months, would it take to find out
How many licks does it take to get to the center of a Tootsie Pop?
I'm afraid the world will never know.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
... to waste 3 months and 100 computers trying to read my RSA-576 encrypted information, they are welcome
Free Firefox news reader.
If you knew that factoring big numbers was important to breaking encryption, and would be for quite a long time wouldn't you simply have started a huge factoring effort decades ago? I know I would have.
Factoring what? You won't know the number you need factored until you intercept or steal the encrypted data.
You could, I suppose, start multiplying every pair of primes together and try and organise a database of the results but the storage - even if you just store some sort of clue to the primes used - would be staggering, even for just 1024-bit RSA.
Surely a complexity calculation would suffice? After running a few iterations of the solver
Because there's no motive to optimise the solver. Open up the project, offer a prize and you'll get many eyes looking for the absolute best solution - then you can study the complexity of that.
Not true, because if you can factorise the modulus in the public key (which is generally easy to get), you can generate the private key.
:-)
Yeah, that was misleading - I was just trying to say you need a target for your arbitrary factor effort. In my mind I'd figured you'd have to have the encrypted message to know what private key it was encrypted for - although I realise now that's not necessarily true (and neither's the reverse). But it could be for real tinfoil-hat types
There's no good reason, either, why a public key can't be kept as confidential as a private key or a symmetric cipher key - it's just that once you publish it to a few people there are more points of failure. And if you don't have the public key (in GPG's implementation at least) you don't have anything to try and factorise because it's not bundled with the encrypted data.
You won't know the number you need factored until you intercept or steal the encrypted data.
You don't have to steal anything. The number to factor (the modulus) is given away as part of the public key.
organise a database of the results but the storage - even if you just store some sort of clue to the primes used - would be staggering, even for just 1024-bit RSA.
For 1024-bit numbers, the factors will be on the order of 512-bits. The density of primes is rougly 1/ln(n), and ln(2^512) is about 355, so you should expect around every 355 numbers to be prime. That's only 3e151 numbers, not to mention that you'd have to figure every product of the two, which is 0.5*(3e151)^2, or 7e302 numbers.
Staggering doesn't begin to describe how many of these things you'd have to store.
There's a far easier way to crack the the key
Uh, oh, someone is bad at math...
I don't think VA's unknown numbered G5 park is about 2^448th more powerful than 100 PC(?) nodes. I don't think it's possible.
Or, I simply have been trolled :)
On the other hand, let me check my sig again...
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
Does anyone know what the predicted lifetime of the 576 bit key was?
I mean, when they say that we should be using 4096bit keys today, how long do they predict that it will take to crack that key? (taking into account Moores law and perhaps linear growth over time of the number of clients contributing CPU cycles). Is it possible to guestimate?
I happen to know him a little, as one of my friends is his student, and another one was. If you think mathematicians are crazy, Franke is more than that. When you talk to him, he will usually just continue to stare at the piece of paper he has directly in front of his eyes (Nobody knows why he isn't wearing glasses.) and think of that as a normal way of communicating. His office consists of 3 huge desks (plus a computer desk); on each of them there is huge bunch of completely unorganized papers lying around, mixed with empty yoghurt cans.
His mathematical skill is enormous, he has done research in quite a lot of different areas of mathematics (analysis, algebraic geometry, algebraic topology, category theory), but he never bothers at all with making his results well-known. (In fact, at least one time he actually had to be persuaded to even publish his result, which got immediately accepted in Inventionaes, the most highly regarded journal in pure mathematics.) He even couldn't be bothered to apply for a much better-payed position at another university in Germany when he was almost urged to do so.
Anyone who knows him will burst out laughing when he reads that he supposedly said "I'm very proud of all these individuals from around the world and their efforts to solve this first factoring challenge." and all this other stuff in that paragraph of the article. I bet the author of this press release desperately tried to get some phrases longer than 5 words out of his mouth, gave up, and then decided to just make up all the quotes.
Now with his mathematical skills, number factoring is (in his own opinion) a rather dull activity. The reason he is doing this is that he expects an economic breakdown soon, and he thinks of his knowledge in number-factoring as an assurance against the coming job crisis. (Of course, his position is guaranteed by the German state until his retirement.)
But if you manage to get along with him, he is actually quite nice and extremely helpful.
They say that Google is preparing an IPO, but sometimes I wonder what they need the money for. They already had enough money for 10,000-100,000 servers, after all. If they doubled or quintupled that acreage of computer-farm, would your search-results come to you down the Internet pipe so much faster that you'd be glad the did?
And they had the money to hire the experts needed to manage that cluster like a single supercomputer. Sure, they probably got some of that initial funding from ordinary venture capitalists, but what if some Govt. outfit helped, on the grounds of requesting access for occasional factoring purposes? After that IPO gets invested in a bigger farm, not even 2048-bit keys may be safe.
It took longer for them to come up with the press release than it did for their code to be broken. Lookin' good, RSA!
Must-not-watch TV!
Like RC5 for example. If you break the RC5-64 key, everyone is happy. Then they want to break the RC-72 key.
Wow.. it takes ages and ages.. and what does it *really* proof?
Yes, it is breakable too.. wow. I'd rather have a few new medicins available, thank you :)
What I'm trying to say: there is plenty of computer power available on this world.. but not nearly near enough! There are far more important and interesting things to do with it then breaking some non-sense line of text!
Yes. They are correct.
9 9064362342526708406385189575946388957261768583317" );3 2914695302097116459852171130520711256363590397527" );
9 41 73827007633564229888597152346654853190606065047430 45317388011303396716199692321205734031879550656996 221305168759307650257059
BigInteger p1 = new BigInteger("3980750864240649373971255005503864911
BigInteger p2 = new BigInteger("4727721461074353025362230719730482246
BigInteger p = p1.multiply(p2);
System.out.println(p);
18819881292060796383869723946165043980716356337
- CPU speed has been doubling pretty fast, every 1.5-2 years.
- Memory size (or at least, size/price ratio) has been growing pretty fast.
- Disk capacity has been booming faster than CPU speed, though disk seek times have been changing much more slowly.
- Memory speed has been lagging - I forget the exact numbers, but some of the hashcash folks did some research and found the speed doubled every N years, maybe 3-4. Certainly not the same curve as CPU speed.
If the real constraint in GNFS is storing and retrieving data, not multiplication speed, then you could easily get an environment where memory speed increases are the gating factor for your Moore's Law growth, no CPU speed increases, so your K-bit key is good for 2-3 times as many years as you'd expect.On the other hand, factoring is a problem where the increases in Algorithm Speed have been just as critical as increases in Computer Speed. So maybe GNFS has reached the point where it's computer-speed-bound, but next year's Super-Duper-Number-Field-Sieve may be several times more efficient than GNFS, just like GNFS was several times more efficient than NFS in the ranges that are now interesting. Sometimes this happens just because mathematicians keep doing new work, and sometimes it happens because computer capacity (e.g. memory size) grows enough from Moore's Law that algorithms which weren't practical in the past become practical. There were factoring tools that weren't useful when most computers had 128MB of RAM, but work fine now, and there may be tools that aren't practical when most computers have less than 4GB of RAM, but five years from now your SonyNintendo box will have enough RAM to run Sieve@Home.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
>Most cryptography programs support upto 4096-bit keys, and the strength of a key increases exponentially for every bit if my memory does not fail me (correct me if it does).
First, adding one bit to the size of a number only doubles the range of possible numbers.
Second, even that doesn't apply to RSA because not every number is a possible key (not even close!). A key is the product of two large primes. Numbers like that are thin on the ground.
Third, there's no value in making your crypto harder to crack until you've made the rest of your system as secure as your crypto. Ask yourself which is cheaper -- brute-forcing a DES key, or breaking into your home and training a hidden camera on your screen?
That any key can be cracked if enough computing power is thrown at it. Remember NSA does this as their job, now how many keys have been cracked? All or real close to it.
Professional Politicians are not the solution, they ARE the problem.