Factors Found in 200-Digit RSA Challenge

diodesign writes "The two unique prime factors of a 200-digit number have been discovered by researchers at Bonn University (Germany) and the CWI (Netherlands). The number is the largest integer yet factored with a general purpose algorithm and was one of a series of such numbers issued as a challenge by security company RSA security in March 1991 in order to track the real-world difficulty of factoring such numbers, used in the public-key encryption algorithm RSA. RSA-200 beats the previous record number 11281+1 (176 digits, factored on May 2nd, 2005), and RSA-576 (174 digits, factored on December 3rd, 2003)."

Hooray!

[mfh]

Now the longest /. UID in history can be created!
Seriously though... any idea when our databases will enable INTs this high with indexing and normalization? I'd like to see a kind of infinite rid length at some point, and while database character types like varchar in mysql goes to 255, maybe it's really enough? (ducks from incoming Bill Gates quotes)

Re:Hooray!

[Veinor]

Mathematica, a mathematics package, can handle 2,100,000,000+ bit numbers (I don't have the exact figure), but I don't think that that's the sort of thing you're looking for.

Re:Hooray!

[Silverlancer]

Java's BigInteger class handles integers of any size--although its speed is nothing to be envied.

Re:Hooray!

[Tim+C]

Oracle's VARCHAR2 type goes up to 4000 chars, while the LOB types (BLOB, CLOB and NCLOB) support up to about 4GB.

For what it's worth though, think about what you're asking. If you have an integer id that increases sequentially from 1, you can already have a huge number of entries in the table before you start running out of ids for them. For any non-trivial table, chances are you're going to run out of disk space long before you run out of ids.

Re:Hooray!

[iMaple]

Wow , someone had the guts to mod a 56 UID as a troll (of course the fact that the post does not seem to be in anyway a troll, so the moderator was brave and stupid). Serioulsy whats so wrong with the parent post to mark it as a troll? It does not seem absurd to wish for unbounded length ints (BigInteger?).

Re:Hooray!

You'll run into a lot of problems if you make your index a LOB type. Tyring joining two primary key 4gb length fields across tables and report back.

What he was getting at was the keys ID are limited to 255 characters. You cant search lengths longer without using some kind of indexing service.

Re:Hooray!

That's not true. There is a definite limit to the size Java BigInteger can handle. Admittedly that size is pretty close to most other bignum packages.

Re:Hooray!

sounds like my girlfriend. she's "been around" as they say.

oh wait you said integers and not DIGITS.

Re:Hooray!

[corsec67]

I think a more deserving mod for that post by mfh would be "ironic", as he obviously doesn't care whether /. will allow large uids.

Re:Hooray!

[rainman_bc]

Do tell me what kind of mathematical operations you would plan to perform with that varchar field?

It's all find and dandy that you have a way to store it, but you really don't have much way to work with it do you?

Re:Hooray!

mfh bought his uid off ebay, its a well known fact

Re:Hooray!

[Surt]

You load it into memory and use any of a number of large number math libraries to multiply/divide/factor, whatever.

Re:Hooray!

[dodobh]

You can get 1 GB of varchar in PostgreSQL. Autoincrement goes upto 64 bit integers.

Re:Hooray!

"Now the longest /. UID in history can be created!"

Did yours overflow? ;-)

Prime Numbers

[JaxWeb]

Not really anything to do with this specifically, but this story does have something to do with primes so I will bring it up. I wrote something about prime numbers which might interest a few Slashdot readers.

Prime Numbers

Re:Prime Numbers

What did he do? Oops. Did a Yahoo search. Motorcycle accident.

You're right. He is a prime idiot.

Re:Prime Numbers

[Thud457]

Not really anything to do with this specifically, but this story does have something to do with goatse, so I will bring it up.

Prime numbers for you

Re:Prime Numbers

[pilkul]

Not a bad start, but you haven't covered all the fundamental topics yet. Don't forget the sieve of Erathosthenes and Mersenne and Fermat numbers. Also, you should mention the prime number theorem, Riemann hypothesis and Goldbach conjecture even if you can't really prove anything.

A few corrections as I read through. Your definition of divisibility lacks rigor and needlessly invokes the division algorithm. Try instead: let a,b be integers, then b divides a if there exists an integer c such that a=bc. That's more elementary and defines divisibility for 0 and negative integers. It's "divisor", not "divider". Euclid did not discover unique factorization, his book is a compilation of the lost work of earlier mathematicians. The positive whole numbers aren't the "countable numbers" (although the set is countable), they are the "natural" numbers.

By the way, if you like recreational mathematics I recommend you read "Proofs from the Book" and Conway's "Book of Numbers". Both are a bit hardcore but they are elementary and there's a lot of fun stuff in them.

Re:Prime Numbers

[JaxWeb]

Hey, thank you for the comments.

I wrote this for people who don't know mathematics, so I do not feel I should go into more complicated topics. The sieve of Erathosthenes would be do-able, but I don't really think there is much of interest to prove in it. Mersenne and Fermat numbers both get a bit complicated when they get interesting, so I will not include those either. They are interesting topics though, I agree.

I don't think I could explain the proof of the Prime Number Theorem, and I do not have enough knowledge of the Riemann Hypothesis to really talk about it. I don't know of anything interesting to prove about Goldbach's Conjecture, and I don't feel there is much to be gained from mentioning the problem has not been solved. This is more an introduction to proof than an introduction to prime numbers.

Yes, I understand my divisibility definition lacks rigor. I had the definition you mention on the 1st page after the introduction originally, but when I showed this to my sister she did not understand it well (although she went on to understand the first three proofs), so I removed it to stop people getting scared. I thought I'd corrected all "divider" to "divisors" - someone else mentioned this (I wasn't very sure, but when my spellcheck [mistakenly] told me 'divisors' wasn't a word, I believed it).

Yeah you are right about Euclid. I will correct that.

I meant "The counting numbers" in the English sense. Since this is not aimed for people who know maths, I shall not use the term "natural numbers". I will correct that mistake also.

Yes, I love Proofs from the Book. It is great! One of the best books I ever bought. Is "Book of Numbers" the one which has a list of interesting numbers? If so, it does not interest me so much.

Thank you for your comments. It is nice to get feedback! I plan to write a few more of these since this got quite a good response (out side of Slashdot, but I was trying my luck really posting it here). I have exams soon though so I won't be doing it yet.

-Jax (Age 16, UK, btw)

Re:Prime Numbers

[JaxWeb]

I've made those changes. I couldn't find the "counting numbers" bit. Hmm. The divisors bit was mainly in the "What" section I see - I must have forgotten to change those when I changed the rest.

Anyway, I've credited you as pilkul on my maths page, http://jax.hopto.org/maths/. Is that what you would like to be known as?

Thank you again for taking the time to read this.

Re:Prime Numbers

[pilkul]

Well, the useful and somewhat nonobvious part of the sieve of Erastosthenes is the fact that you only need to check divisibility by primes up to the square root. So it's very easy to tell whether a number less than 100 is prime: you only need to see whether 2,3,5,7 divide it.

One interesting and easy-to-prove thing to say about Mersenne and Fermat numbers is the following: let a,b be integers greater than 1, then a^b-1 is composite if it is not a Mersenne number, and a^b+1 is composite if it is not a Fermat number. AFAIK, this is the initial reason why these numbers were studied in the first place (and why Fermat falsely conjectured that all the Fermat numbers were prime).

The statement of the prime number theorem even without proof is rather important because it gives you a lot of feeling about the density of the primes. Since as numbers get big there are more and more possible divisors, it's obvious that the "probability" of a number being prime decreases. So my intuition led me to expect that after, say, a couple of billion, the density of the primes would drop to almost nothing. But this is far from the case: the PNT says that between one and two billion about 1 in 20 numbers are prime! The density of the primes becomes (say) one in a million only around the staggeringly huge number e^1000000.

Anyway, you're good at this stuff for someone still in high school. (Certainly better than I was in those days!) I'm sure you'll do very well if you decide to major in math at university. (BTW, I'm not a mathematician myself, just a senior undergraduate math major.) Note: tricky math is not quite as fun when you're forced to do it, though.

Re:Prime Numbers

[JaxWeb]

Maybe it would be worthwhile to write another article at some point talking about the various other parts of Prime Numbers that you have mentioned (and other things) in a more general way. However, I have exams at the moment and a few others I want to write at some point (One about why Pi comes up in some strange places, and one about the topic which made me love mathematics - Cantor's work. Both will focus on proofs).

I wouldn't say I am that good, but I want to do mathematics at university for sure. What was your favourite topic in mathematics, out of interest?

Yeah, nothing is quite as fun when you have to do it =(

Re:Prime Numbers

[pilkul]

Transfinite set theory seemed awe-inspiring and wonderful to me at first, but more and more I'm wondering whether it expresses any deep truths or is just a game of definitions in formal logic. In some sense, an uncountable set is one that contains an element (and thus necessarily, infinitely many such elements) that cannot be expressed (i.e. distinguished from all other elements of the set) using a finite number of symbols. (You'll notice that diagonalization proofs of uncountability rely on this property.) So since we'll never be able to ever "grasp" this element on its own, we can ask what good it is, if it in any meaningful sense exists, and can't we just get rid of it.

Indeed it's not clear that sets bigger than countably infinite are really needed in most of mathematics (with the important exception of measure theory and probability). Instead of real numbers in analysis you could use a countable set, the computable numbers (numbers that can be computed using a Turing machine --- this includes all specifically known transcendental numbers, such as e, pi, Liouville numbers etc) and it looks like all of the theory could be built. The main difference is that it would be a major pain to always have to associate a Turing machine with each number. So Cantor's theory might be viewed as basically a semantic convenience, a logical hack. I don't know though, I'm actually taking a set theory class next semester so my views on this might yet change.

My favorite topic is topology I think, though I've yet to explore it very deeply.

Re:Prime Numbers

[JaxWeb]

I nearly bought a (university text) book on Topology, but I cancelled it at the last minute when I found I did not have enough money for it, so I don't have any well formed opinions about it. It seems interesting though - I'll make sure I read some of it sometimes. Presently I've only read things explaining what it is, not how you do it.

I'm not too bothered about Transfinite Set Theory being a bit removed from things. I understand the opinion though. Anything which could change my life away from Computer Science to Mathematics must have some impact! (The theorem which got me was the proof that for any set A, the powerset, P(A), has more elements, even for infinite sets A)

When you have done your major, do you think you will keep with mathematics or do something else? (Like computer science, etc)

Re:Prime Numbers

[pilkul]

(The theorem which got me was the proof that for any set A, the powerset, P(A), has more elements, even for infinite sets A)

Yeah, that's what exactly what I was talking about (that's the "diagonalization argument" I mentioned).

When you have done your major, do you think you will keep with mathematics or do something else? (Like computer science, etc)

Nah, I think I'm not cut out for doing maths in grad school. Even though I may have the raw intelligence (maybe) I don't have the monomanical passion for mathematics to devote several years of my life to it. At the undergraduate level it's still possible to coast by at 50% power if you're bright (though don't get me wrong; it's still orders of magnitude more work than high school, which is more like 5% power) but that isn't enough in grad school. I'm planning to go work for a while (maybe go to China) and then possibly get a masters in something else. Anyway, don't let that dissuade you though, it's a good sign that you've started doing maths so early.

Re:Prime Numbers

[JaxWeb]

Thank you. Its been nice talking to you =)

Hmmm

Slashdot is a prime factor in how much time I waste day to day.

55 CPU years

[Inkieminstrel]

The article says it took 55 CPU years to factor the number, though they did it in parallel for about a year and a half. I'd hate to imagine the teams that we don't hear about who are, say, 30 CPU years into the problem who just found out it's already been done.

Re:55 CPU years

[0x461FAB0BD7D2]

Well, those teams could still pursue with their endeavors, hopefully beating the time used by these researchers.

This would mean that their algorithm and/or heuristics is/are superior, which would be beneficial to everyone, including these researchers who "won".

The good thing about research like this is that no one really loses.

Re:55 CPU years

[merlin_jim]

The article says it took 55 CPU years to factor the number, though they did it in parallel for about a year and a half. I'd hate to imagine the teams that we don't hear about who are, say, 30 CPU years into the problem who just found out it's already been done.

Shutup. I hate you all.

Oh well guess it's time to start looking at RSA-768...

Re:55 CPU years

[stecoop]

it took 55 CPU years to factor the number

That's not too bad. Look at how long the computer took to get the the question in Hitchhikers guide to the galaxy?

Re:55 CPU years

[croddy]

this fellow does it pretty fast

Re:55 CPU years

[14erCleaner]

The good thing about research like this is that no one really loses.

Actually, if somebody succeeds in finding a way to factor large numbers efficiently, it could cause a lot of disruption. For example, much practical online security relies on the difficulty of factoring, and if that suddenly becomes broken the disruptions could be severe (at least temporarily).

If it continues to take years to factor numbers, we're still safe. If it gets down to hours, watch out!

Re:55 CPU years

[TedCheshireAcad]

Another victory for the General Number Field Sieve (I think). The article was a little light on the details, but it mentioned they used a "general algorithm", which I'm assuming is the GNFS. The original paper may shed some light on the algorithm, for the algebraically inclined Slashdotter. (Link courtesty of Google Scholar)

Re:55 CPU years

[Surt]

Well, maybe those other teams will get lucky and find two other factors.

Re:55 CPU years

[Baron+Eekman]

I do not seem to recall; what question was that again?

I don't get it...

[neiffer]

I tried to do it on my TI-85 and I keep getting an error!

Re:I don't get it...

[ArielMT]

I tried to do it on my TI-85 and I keep getting an error!

Turn your calculator upside down on the step just before the error.

Re:I don't get it...

[sam5550]

Try it on a TI-89. It will do it, in theory. TI themselves admit, however, that it may take longer than the life of the calculator, the user, and/or the planet to come up with the answer.

Re:I don't get it...

[SuperBigGulp]

I have a laptop computer from Ohio Arts, but every time I turn it upside down the screen goes blank. I also wish it had a keyboard...it isn't easy trying to factor large numbers with just the two knobs.

Re:I don't get it...

Uh I hate to tell you this... you don't have an etch-a-sketch on your lap and... well.. lets just say you cranked the knobs too far :-/

Re:I don't get it...

[Surt]

Stop messing with him, he doesn't even know we replaced his ti-85 with an etch-a-sketch!

Re:I don't get it...

[sentientbeing]

Thats one of them analogue computers. Doesnt work out primes but its great at differentiation.

Re:I don't get it...

I once tried to factor 2^128 + 1 on my TI-89.

After I waited for over an hour I stopped trying.

Re:I don't get it...

http://education.ti.com/us/product/tech/85/feature s/features.html It has been discontinued.

Did Michelle Deliop write this?

[winkydink]

May 9, 2005 The two unique prime factors of a 200 digit number have been discovered by researchers at Bonn University.

Note: we need a source on this. All we have now is an anonymous edit on Wikipedia from someone at Cal State Fullerton.

An anonymous edit in Wikipedia. Now there's a source for you!

Re:Did Michelle Deliop write this?

[Silverlancer]

Well it is pretty easy to test--just multiply the two factors. Its a bit hard to fake factors.

Re:Did Michelle Deliop write this?

That's old. Check it again.

Re:Did Michelle Deliop write this?

[Mazem]

Thats the beauty of math. It doesn't matter who you are, or what sources you have. If you're right, you're right.

Re:Did Michelle Deliop write this?

Well it is pretty easy to test--just multiply the two factors. Its a bit hard to fake factors.

er...no. It's pretty easy to come up with 2 numbers that multiply to a 20 digit number. That's in no way difficult. I can take any 2 numbers like (small prime)^(some power) + 1 and in a few minutes come up with a 200 digit product.

The INTERESTING question isn't whether "hey, these 2 numbers multiply to form some other number." The INTERESTING question is whether they IN FACT did what is stated--STARTED with the 200 digit number and factored it. This is in no way proved by multiplying the numbers back together. It would be strongly indicated if in fact this is truly a test puzzle pozed by RSA, but I don't see any evidence of that.

The other interesting question (although probably an order of magnitude less interesting) is whether the 2 factors themselves are prime... Again, asserted but not proven.

Re:Did Michelle Deliop write this?

[TedCheshireAcad]

In[1]:= 27997833911221327870829467638722601621070446786955 4285375600099293261284001076\ 09345671052955360856061822351910951365788637105954 4820065767750985805576135790\ 98734950144178863178946295187237869221823983 == 35324619344027701212726049781984643686711974001976 2502364930346877612125367942\ 3200058547956528088349 * 79258699544783330333470858414800596877379758573642 1996073433034145576787281815\ 2135381409304740185467

Out[1]= True

Mathematica agrees.

Re:Did Michelle Deliop write this?

[Kiryat+Malachi]

It is impossible to *fake factors*. The only question would be whether, as you said, they had factored a number, instead of producing a number from factors. Since the number *is* one of the original RSA numbers (RSA-200, from an older challenge which has since been superseded by the current RSA numbers), and it does pan out, pretty much a given that they did in fact factor RSA-200.

Re:Did Michelle Deliop write this?

[bearded_dragon]

It's pretty easy to come up with 2 numbers that multiply to a 20 digit number. That's in no way difficult. I can take any 2 numbers like (small prime)^(some power) + 1 and in a few minutes come up with a 200 digit product.

In case you did not know: Bonn university's mathematics faculty enjoys an excellent academic reputation.

Waste of time!

[Tom7]

I think these RSA challenges are a waste of computer power. It's trivial to compute how much computing resources it will take to factor numbers using an existing algorithm on paper, and you get a more accurate estimate than you get from sampling experimentally. I'm all for the development of new, faster algorithms and implementations, but the challenge should be for the development and demonstration of these algorithms, not the brute-force months-on-end search that ensues.

Re:Waste of time!

If someone claims to have found a better factoring method, then it's easier for RSA to check that p,q < n and p*q = n, than to read his algorithm and analysis and award a prize based on that. (Imagine how many crackpots would apply with 100 pages long "proofs").

Re:Waste of time!

Except that the majority of the factoring algorithms aren't just an algorithm. They change greatly with various parameters used to start, seed or otherwise define the algorithm.

Add to that little tricks such as using multiple algorithms for different parts of the solution area [because some algorithms work better under different conditions] and even the "paper" estimate becomes hazy.

That's ignoring the advances in computing processing, communication, and programming which have large practical effects on the actual implimentation.

Re:Waste of time!

[Vellmont]

It's trivial to compute how much computing resources it will take to factor numbers using an existing algorithm on paper, and you get a more accurate estimate than you get from sampling experimentally

You can certainly make a decent estimate of how long it will take, but you're never going to get a close approximation of the real-world performance of your implementation until you actually write the code and run it.

The other side is that theoretical calculations are nice, but there's nothing quite like actual verification. It's much easier for a programmer to justify using larger key lengths when someone has actually cracked smaller key lengths rather than using calculations based on estimates of computing power.

Re:Waste of time!

Well, it made slashdot headlines, didn't it?
Therefore it definitelly was a computing-power-waste.

(just that computing-power-wasting RSA-640 comes along with 20,000 junky dollars)

ps: someone already did the 1..2..3: Profit! Now we're waiting the overlords thingy

Re:Waste of time!

[awolk]

But if there are no real-world-implementations of the algorithms, what good are they?
Also, and more importantly, these challenges show just how good public-key cryptography is, and what is technically feasible to break.

Re:Waste of time!

[Tom7]

I said it's worthwhile to make good implementations. I think we should do this. Then, based on our understanding of the code's behavior (and probably some short-lived experiments), we can extrapolate to find the expected time to completion. This is also better for randomized algorithms that actually running it, since by running it we only get one point randomly sampled from the probability distribution. They clearly knew that the experiment would take approximately 1.5 years to run, otherwise they wouldn't run it.

What we should not do is, once we figure out how long something is going to take, to actually run it if the answer is totally pointless. This last step is a waste of time.

Re:Waste of time!

[Tom7]

I guess I didn't make myself clear. (clarification post) I whole-heartedly endorse the implementation of algorithms. But once we know it's going to take 1.5 years to run, we shouldn't bother actually running them for 1.5 years!

these challenges show just how good public-key cryptography is, and what is technically feasible to break.

We can know that by paper-and-pencil calculations, once we know how fast our implementation is. And we can know it 1.5 years sooner!

Re:Waste of time!

[Vellmont]

What we should not do is, once we figure out how long something is going to take, to actually run it if the answer is totally pointless. This last step is a waste of time.

A waste of who's time? The computers time? The only used an opteron for the sieving. It's never stated how many computers were used for the rest of the cracking. Once you've written the code, it's not much harder to actually perform the experiment. Like I said, actual cracked keys are far easier to justify to a programmer than theoretical calculations. Actual cracked keys can be trusted 100%. Calculations of performance from unknown researches can be trusted much less than that.

Re:Waste of time!

The problem is that, to actually verify this, you need a heck of a lot more than one data point. What we really need to know is not how long it takes to factor one particular number, but rather how long we should expect it to take to factor an arbitrary semiprime of similar length.

Certainly knowing how long it actually took to factor one specific example is nice, but that doesn't necessarilly tell us how long it will take to factor another--the algorithm might have "gotten lucky" and hit the right factors early in it's filtering, or might have gotten unlucky and hit it very late in it's scan of the problem space.

You need more than one data point here to make predictions of "how long it will take to factor an arbitrary number." Unfortunatly, given the pace, that's not feasible. But it's extremely dangerous to project from one datapoint that may or may not be "typical" (for some definition of typical).

To give an example--I take an algortihm that starts by trying primes of the form 2^n+1, then 3^n+1, etc. This will be fairly fast, but will not span the problem space (i.e. there is a decided possibility that my algortihm will never hit the number, because most primes cannot be represented by p^n+1.) However, if one of the factors of the semiprime "challenge" just happened to be 2^230+1, then I just "factored" this prime in minutes. The sky is falling! Keys are not safe!

Of course, using 2^230+1 would not be a good test case, and presumably RSA checked for this. My point here, however, is that every algorithm has some things it checks "first" and some things it checks "later". Sometimes you get lucky and your target it well suited to your algortihm, sometimes you don't.

You can work out a probability distribution of how long it takes to cover the whole problem space for a given algorithm, and you can use that to say "here's how long it will take on average" and "here's the maximum time it will take." These are useful numbers, which can be determined theoretically. You can also aproximate them empircally by taking some data points. But you need many data points.

To say "it took this trial 55 CPU-years" means little. To say "and that's how long it takes to factor a similar number" is like taking one draw at random from a normal distribution and assuming "that must be the mean." It's probably close, but it might not be, and it's certainly no guarantee.

In other words, I'm firmly in the camp of "a single empircal result is relatively meaningless."

Re:Waste of time!

[IceFoot]

Now all we need is someone to figure out how many kilowatt-hours of electricity it took, and how many tons of carbon dioxide that generated, and how much that warmed up the Earth's atmosphere...

Re:Waste of time!

[kurzweilfreak]

Yeah, all that computing power could be used on better things.... like posting on /. Or Quake 3. Or finishing Duke Nukem Forever! Don't they know there are hungry children all over the world! Won't someone please think of the children?!

Re:Waste of time!

[kurzweilfreak]

I, for one, welcome our overlord-joke predicting overlord... the AC! And there you are! Welcome!

Re:Waste of time!

[Tom7]

It took them a year and a half of computer time on, I believe, a cluster. I am arguing that that computational resource was wasted (plust the cost of powering and maintaining the cluster, etc.).

Like I said, actual cracked keys are far easier to justify to a programmer than theoretical calculations. Actual cracked keys can be trusted 100%. Calculations of performance from unknown researches can be trusted much less than that.

I strongly disagree. A theoretical analysis is better because you can prove that it works for all cases (not just the one you experimentally verify), and because you get a more accurate picture for a probabilistic algorithm.

Re:Waste of time!

Then, based on our understanding of the code's behavior (and probably some short-lived experiments), we can extrapolate to find the expected time to completion.

Hm, I would venture to say you are not familiar with the General Number Field Sieve, or you would not make such a comment. It is highly non-trivial to extrapolate a runtime of GNFS based on "short-lived experiments". GNFS is one of the most complex algorithms known to man. It consists mainly of four separate stages, each requiring tuned parameters and each parameter choice also affecting the optimal parameter choices for other stages:

1. polynomial search
2. sieving
3. linear algebra
4. square root

Each of these stages are a fertile area of research in and of themselves. Moreover, each depends on the result of the previous. A bad choice of polynomials in step 1 can easily add an order of magnitude to the runtimes of the later stages, and deciding how much time to spend here in hopes of happening across a better polynomial is still more an art than a science. And as an example of where simply applying theory is inadequate, the theoretical best choice of parameters in step 2 would make the matrix in step 3 too large to process (finding vectors in the nullspace of a huge bit matrix is not easily parallelizable). Not to mention that for current interesting-sized numbers, data management and pruning present unanticipated problems of their own that affect the feasibility of the entire project. In short, GNFS pushes the limits of currently available storage and processing, and where the line of possibility falls is heavily dependent not only on implementation and choice of runtime parameters but also on the year-to-year index of computing power.

Another reason to have actual data is that the power of theoretical analysis falls short here. None of the theoretical runtimes of the current 3 most competitive integer factorization algorithms (QS, ECM, NFS) have been rigorously proved. Only heuristic estimates exist, and it is good to have actual data to see how these heuristics measure up in practice, and tell us whether they need refinement. GNFS is so immensely complicated, with so many tweaks that one can make in each area, that the best way to judge their value is to run a complete factorization. Since all these algorithms are non-polynomial time, even a small change in one of the constants in the runtime estimate can have dire consequences on the size of currently "unsafe" key lengths.

Infinite Improbability...

[wcitech]

The air force has a practical use for this discovery, because when these numbers are fed into an infinite improbability drive, oncoming surface to air missles will be changed into a sperm whale and a harmless bowl of petunias.

Re:Infinite Improbability...

Oh no, not again.

Re:Infinite Improbability...

[Tedington]

what they need to do is try to use those cpu years to simulate the math done on a waiter's check pad in an italian bistro.... Bistromath! there's gotta be enough room here for another hitchhiker's guide reference

Re:Infinite Improbability...

[Lord+Kano]

Better that than a hot bowl of grits and some whale sperm.

LK

Re:Infinite Improbability...

[Haydn+Fenton]

42.

...Meh, I felt left out.

Re:Infinite Improbability...

As I recall that was both the flowers and the whale!

Re:Infinite Improbability...

[VoidWraith]

Just the flowers. The whale was coming to terms with its newfound existence.

yuk yuk

[psbrogna]

Now that's what I call "long division."

Damn you GNU factor v2.0.11

[GillBates0]

My plans for world domination have been foiled.

$ factor --version
factor (GNU sh-utils) 2.0.11

$ factor 10000000000000000000
10000000000000000000: 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5

$ factor 100000000000000000000
factor: `100000000000000000000' is not a valid positive integer
Try `factor --help' for more information.

On a positive note, I was short only by 179 digits.

Re:Damn you GNU factor v2.0.11

"life, n: The whim of several billion cells to be you for a while."

Your sig: actually it's the collagen.

Re:Damn you GNU factor v2.0.11

Time for an upgrade

$ factor --version
factor (GNU coreutils) 5.3.0de,

$ factor 100000000000000000000
factor: `100000000000000000000' is too large
Try `factor --help' for more information.

At least the error is truthful now :)

Re:primer: get rich quick

yes, that isn't even funny

Algorithmic difficulty

[G4from128k]

Factoring numbers looks harder than it is. At first glance, it looks like adding digits makes the factoring problem exponentially harder. The question is: what is the base of the exponent. A naive analysis suggests that adding one binary digit makes the number twice as big and thus makes the factoring problem twice as hard. Such analyses are where get estimates that proclaim it will take a computer the life of the universe to factor an X-digit number.

If adding one bit to the number, makes the problem twice as hard, then the base of the exponent for the executive time is 2. But what if the base is not 2, but is only 1.01? Then, adding 200 bits to the number only makes the problem 7 times harder (1.01 ^ 200). The scary part is that we can't prove that factoring has a lower limit to the base of the exponent. It could be 1.1, 1.01, or 1.001, or 1.0001. This means that any crypto based on prime factors has an unknown vulnerability in it.

For now, prime factoring is hard, tomorrow, it might not be.

Re:Algorithmic difficulty

[ch-chuck]

so there's still a chance that 'Sneakers' might come true?

Re:Algorithmic difficulty

[iammaxus]

The scary part is that we can't prove that factoring has a lower limit to the base of the exponent. It could be 1.1, 1.01, or 1.001, or 1.0001. This means that any crypto based on prime factors has an unknown vulnerability in it.

According to what you said, what you really mean is that it is possible that any crpto based on prime factorization has an unknown vulnerability. You can't say that for certain unless it is proven that there is no lower limit on the base exponent. (Again, I'm just using your post as a reference)

Re:Algorithmic difficulty

[Soul-Burn666]

Not to mention that the density of prime numbers reduces as you enlarge the numbers (iirc the number primes up to n is an order of log(n)).

Because of this, it is possible to reasonably factor numbers made of primes of up to 200-300 bits.

Re:Algorithmic difficulty

[DrFalkyn]

The base is superflous. Factoring is approximately linear in the key size as a number, but said to be 'exponential' in the number of digits in the key. The algorithms that exist must search the vast majority of the keyspace. Because we use a binary number system, that is why it is said that adding a single digit increases the running time by 2, because the keyspace has increased by a factor of two. The base has nothing to do with it.

Re:Algorithmic difficulty

[Woy]

"For now, prime factoring is hard, tomorrow, it might not be."

It must be tomorrow here, because i can do prime factoring in a heartbeat.

Re:Algorithmic difficulty

Perhaps the OP is referring to the base of the exponent not the base of representation. FactoringTime = O(B^n), where B is the base of the exponent and n is the number of digits? Maybe it would be clearer to say B is the order of growth and can be potentially small?

Re:Algorithmic difficulty

[fourtyfive]

Yep Those unkown vulnerabilities, they really make you vulnerable.

Re:Algorithmic difficulty

[SlashThat]

At first glance, it looks like adding digits makes the factoring problem exponentially harder. The question is: what is the base of the exponent.

This is an interesting analysis, but unfortunately completely wrong. The thing is that the Number Field Sieve algorithm's complexity is sub- exponential in number length. (To be precise, it's O(exp(c*log(n)^(1/3)*loglog(n)^(2/3)+o(1))) ).

A naive analysis suggests that adding one binary digit makes the number twice as big and thus makes the factoring problem twice as hard.

Well ... no. No one ever claimed that, at least nobody familiar with the subject. It is easily seen not to be the case both from basic complexity analysis and experimental data. Again, the algorithm's complexity is not exponential.

That said, it doesn't seem that the factoring problem will become any easier, at least not before Quantum computers are built. The factoring problem is considered "the holy grail" of cryptography for 3 decades now, and there were hardly any advances in the last 15 years, despite the huge interest in the problem.

Re:Algorithmic difficulty

[Surt]

Even worse, there's no strong evidence that the difficulty is even exponential in any base.

Re:Algorithmic difficulty

[Surt]

Moderators on crack alert: the parent post was moderated 'overrated' but in fact hadn't received any prior moderation. Also, the post is factual and ontopic.

Notation?

[man1ed]

Does anyone know what the notation "11281+1" means?

Re:Notation?

[iMaple]

Does anyone know what the notation "11281+1" means?

It means 11282 :) .
There seems to be a typo in the article post (A typo on slashdaot .. thats news ..I mean just one typo thats cool). Its probably due to some filter. It should say 11^281 +1

Re:Notation?

It's 1337-speak, isn't it?

Re:Notation?

[avalys]

I think it means [2^(11281)] + 1. But I could be wrong.

Re:Notation?

[petermgreen]

^ is kinda a dirty hack notation where you can't superscript

my guess is that someone copypasted it and in doing so lost the superscript (it should be noted that slashdot don't allow superscripting at least in comments)

Re:Notation?

[antispam_ben]

^ is kinda a dirty hack notation where you can't superscript

What's so dirty about that use as the power operator is that it comes from the BASIC programming language. For straight ASCII use (no superscripts), one could instead use ** from FORTRAN, but that's less well known.

Re:Notation?

[jZnat]

Aww, really? I thought it meant 1^1281 + 1. I was like "wtf 2 is a prime number, and that takes me all of no time to calculate."

Re:Notation?

Which simplifies to: 11^282.

Re:Notation?

[lachlan76]

I thought it was from TeX?

Re:Notation?

[knightri]

or 2^11282 +1

Re:Notation?

11282. Duh.

Re:Notation?

[SmittyTheBold]

No, you're either not very far through school or have forgotten the order of operations. Maybe writing it as "1 + 11^281" wil make things easier for you.

Re:so?

[CodeBuster]

It means that an incrementally more efficient algorithm has been discovered which allows a slightly larger prime to be factored in a reasonable amount of time. However, this does not represent the sort of breakthrough algorithm that blows the problem wide open and allows factoring of arbitrarily large primes in time polynomial to the size of the input (the length of the prime number to be factored in this case). Thus, this new algorithm does not scale elegantly as one increases the size of the inputs and therefore it does not represent the general solution to the prime number factorization problem. Your public key crypto systems are safe if the prime numbers are large enough...for now.

it's 11^281+1

Here's the factorization

How fast could he do it?

[publicenemy23]

I wonder how fast Daniel Tammet could factor this number. It's amazing that this man could be able to factor an RSA200 number in milliseconds while it takes combined computing power 50 years to do.

Truly, the mind boggles.

http://www.guardian.co.uk/weekend/story/0,,1409903 ,00.html

Re:so?

[yamla]

I can factor primes of any size in constant time. It does not matter how large they are. Let us take a prime number, we'll call it p. What are the factors? The factors are exactly 1 and p. There are no other integer factors of prime number p. :)

Yeah yeah but the question is

what ARE the freaking factors! Let's see those mofos, if they are as big as claimed!

Oh, gee, I guess I could of like RTFA'd or something. But I'm not new here so I don't have to.

ps. Do the factors run Linux? Or can you at least imagine a Be-yo-w0lf of them?

"general purpose algorithm"

[bradtes]

I guess using integer factoring algorithms are out of vogue, these days. I wonder how well A* works for factoring.

I don't want to spoil the ending but...

[fxer]

...the punchline is

3,532,461,934,402,770,121,272,604,978,198,464,36 8, 671,197,400,197,625,023,649,303,468,776,121,253,67 9,423,200,058,547,956,528,088,349
and
7,925,869, 954,478,333,033,347,085,841,480,059,687, 737,975,857,364,219,960,734,330,341,455,767,872,81 8,152,135,381,409,304,740,185,467

tip your waitresses! :)

Great!

[qualico]

Now I can use that number in my encryption! ..oh wait...nevermind.

there are two kinds of people...

[museumpeace]

trying to crack RSA challenges:

1. those with a university's budget and hardware and what might be called an academic interest or mild economic incentive. I'd put hackers and organized criminals in the same category as far as budget and power available. This crowd took 14 years to crack a 200 digit public key
2. NSA and its equivelents in UK, Russia, China [maybe Israel? they have some good academic papers on highly paralell factoring methods]. They had far greater incentive and in NSA's case, far greater resources for either assuring the security or compromizing the security of RSA PK encryption. Who thinks they would ever do a press release if/when they factored those numbers?

Re:there are two kinds of people...

[MoonBuggy]

Well the fact that the researchers from number 1 stated that the factorising took 55 CPU years (based on a 2.2GHz Opteron) pretty much sorts things out for the others. We can realistically assume that anyone with a few-million-$ reason could devote 100+ CPUs to this so basically you have to hope that your data will be outdated in 6 months or so.

Alternatively if you take advantage of Sun's rent-a-cluster for $1/CPU hour you'd get change from $500,000 and get your results faster too, but then you have to pay again for the next problem that needs cracking, so it's probably more economical to purchase a smaller cluster.

Re:there are two kinds of people...

You forgot to include Matt Damon from the "I'm a janitor who's smarter than you" movie...

like my post? yeah? well, how bout them apples?

If this was about hash collisions...

[SLi]

... people who miss the point would be saying "of course there are collisions in hashes". Well, now I'm going to say the obvious in the same tone.

Of course there are factors in a composite number. Nothing new to see here. Move along.

Down with redundant headlines!

[xoran99]

FWIW: ANY factorization of a number into two primes is unique, as any number is uniquely factored into primes.

For a second source, see Mathworld.

Re:Down with redundant headlines!

[WalksOnDirt]

Sure any factorization (over the integers) is unique, but the primes may not be. Of course, challenging people to factor a perfect square would have been incredibly stupid.

Easty to test

[n1vux]

Indeed, Factoring is in the class of problems that are seemingly hard to do (non-polynomial time on the best general algorithm known) but easy to check (polynomial time). The classic problems of this form are called NP-Hard, and many are NP-Complete. Factoring has not yet been proved NP-Hard or NP-Complete, but is assumed to be, and that is the basic assumption of RSA public-key cryptography. This result does not change that, it just encourages use to boost our key sizes if we hadn't lately.

And, using perl and Math::BigInt, I did, and it checked out. Also useful is to verify that the number really was RSA200, as other anonymous Wiki-troll-edits were changing the number like a flickering flame.

And the source of the original Anon-Wiki edit was an email from the academic ring-leader, available on FactorRecords on FactorWorld.

IAAAM,

Bill N1VUX
I Am An Apostate Mathematician
I prostitute my math degree sorting ones from zeroes

Nice troll Mr. G4

[RedLaggedTeut]

But what if the base is not 2, but is only 1.01? Then, adding 200 bits to the number only makes the problem 7 times harder (1.01 ^ 200).

Adding a bit always means base 2. Perhaps you meant to say "adding a digit"? Now apart from the basic prooblem that there is no such digit representing 1.01 (or .01), the difficulty of factoring is not changed by choosing a lower base. All your posts are saying to us is that the numbers get bigger quickly in comparision to the number of digits added if these digits are in a large base.

If anything, in fact factoring would get easier in a larger base, at least this would the complexity of the algorithm somewhere else, e.g. into hardware.

A least you proved that one doesn't need a computer program as a generator(slashdot reported) to generate bu77sh1t.

Re:Nice troll Mr. G4

[rainman_bc]

Funny - I was confused reading his post too - he said "adding 1 bit" and then added "10"....

For a second there I felt pretty stupid...

Wait... Still... Feeling it....

Re:Big Deal!

[TedCheshireAcad]

1 is not a prime, by definition. It's a unit in Z.

In case of slashdotting...

[yogikoudou]

16724902205674189924062532405987195011865623417058 38624194898511161373322036901579077581447915314162 33316185029961764895435784096438741492052893824186 34748863167742006935642845385934215347033952015248 38654524737808769009507415120245236569375482318908 91385329016453944852396245829396869448643253850391 29578740098099812344478336633091322424294126185031 95461020639580382504322147046425469557460237023925 7895971944584397735802737492745740663377625087
*
82104108125618699159943474273932626169108985640 757 98951021784218025560708638069925020925778024695479 05272050811384276761464353909054596949815350050102 64956210420148237495378879950904352760577792675338 09861686957469628183969612393002458845980662329952 59055317675563525138596467389235562362539328216440 57629375394405108792128049027997042269298724715762 81087
=
1373183179085072360991803081221605453568 9394940861 38633503175744029333463691497599775891271039813222 14612889654832954480313026331709896998734478866409 54061088718900747013230437024175890977537753044820 53879770359035444483009771679041261850399620871563 78478085509013132834229050557857195775362761165394 23517161087058209537342711916284343153793315772921 62024405324144769213177009601102418333770104802547 55641100754450710285369145298735881756671882078360 07988274898451058766181802945933899453735285648998 09876712503991589156397622368672870575936511116980 08550381035807994231519795820733136650344169737431 49983896672114738280970668757459100857664291802835 77251132434367465749578720038003823381742689259826 62162998498498894364219764010709838706874215365180 45839289602229200747351519281915187163885361482956 9

Base and brute force

[G4from128k]

The base is superflous. Factoring is approximately linear in the key size as a number, but said to be 'exponential' in the number of digits in the key.

Agreed. I was referring to the base of the exponent in the exponential formula for the factoring time. If the running time of the algorithm is t = A * B ^ N. A is a speed constant (decreasing with Moore's law). N is the number of bits in the number and B is the (perhaps misnamed) base of the exponent. For a brute-force algorithm, B = 2. For a better algorithm, B is less than 2. How much less than 2 is the issue.

The algorithms that exist must search the vast majority of the keyspace.

No, only brute force algorithms must search the vast majority of the keyspace. Can anyone prove that all possible algorithms have to do this? If, not, then factoring may be easier than we think or want.

The base has nothing to do with it.

Agreed, sorry for the confusion.

Re:Base and brute force

[DrFalkyn]

No, only brute force algorithms must search the vast majority of the keyspace. Can anyone prove that all possible algorithms have to do this? If, not, then factoring may be easier than we think or want.

It is difficult if not impossible to prove that an algorithm has minimum algorithmic complexity. Your 'proof' must invetiably rely on certain assumptions which you might have good reason to believe but which there is no hard mathmatical basis for being correct. For an example, there is a proof that the general case sorting problem is O(n ln n). The 'proof' however lies on certain assumptions which may or may not be true. There are good reasons to believe that the factoring problem is sufficiently general to not have a polynomial time algorithm, because after centuries of mathematical investigation into the behavior of prime numbers no one has been able to derive any shortcuts to factor a number other than successively testing primes.

There are also always heuristical and approximate methods which may be 'good enough' however. The Miller-Rabin primality test for instance, is a heuristic algoirthm which is only right a certain percentage of the time, but you can run several iterations of it to reduce the error rate below that of your hardware.

Returning to the sorting problem example, in the general case sorting is O(n ln n), but there are several algorithms which run in linear time on certain keyspaces.

Re:Big Deal!

1 is not a prime (it is a unit). I appreciate the joke though :-)

Real Discovery!

[kenp2002]

I have found a way to crack any code in a matter of minutes. It's simple!!! It works plenty of times!!

Find out where the subject lives that encrypted the data. (1-3 days)

Break into their home. (10 minutes)

Look under their keyboard (1 minute)

Read their private and public key off the notecard taped under the keyboard. (2 minutes.)
Optionally: Steal the notecard and leave a fake one with the wrong key written down.
Laugh maniacally... Done!!!

To date when doing security sweeps at my various clients sites, 80% of staff have their password somewhere in their cube. 50% had their PGP keys under the keyboard, 10% had pen drives marked "Passwords" handing off a thumb tack on their cube wall. Who cares about better encyption, physical security (or perhaps mental security is a better choice) is where we need to focus.

And remember network admins! Have you users spade or neutered :)

Re:Real Discovery!

Look under their keyboard

How about just breaking into their home and holding their family for ransom instead?

Re:Real Discovery!

[shani]

This might not work. According to The Music of the Primes Rivest (the 'R' in RSA) threw away the prime numbers in one of the RSA challenges.

Factoring Alorithms

[bobbuck]

Didn't someone publish an algorithm for factoring that ran on O(n^(1/4))?

In Other Words: A 664-bit Number Has Been Factored

WHY THE HELL does the article mention the size of this number in digits ? Why don't they give us the size in bits ? This would have allowed a much easier comparison with the size of RSA keys (512 bits, 1024 bits, etc). To me it sounds like if a research group announced the invention of a new optical fiber supporting a throughput of N Library of Congress per second, without giving the actual value in Gigabit per second !

So, for the (apparently) little number of scientists out there, a 200 decimal digits number is equivalent to a 664-bit number:

$ python -c 'import math;print math.log(10**200, 2)'
664.385618977

In other words, the factorization of this RSA-200 number is equivalent to having broken a 664-bits RSA key. So 512-bit RSA keys are definitely at risk, they should be extended to 1024 bits (or more).

Re:primer: get rich quick

[PerlDudeXL]

you can get rich by solving famous mathematical problems:

http://www.claymath.org/millennium/

I'm sure there are other prices for cracking crypto-problems and/or factoring large integers.

Re: Number Field Sieve

[G4from128k]

This is an interesting analysis, but unfortunately completely wrong. The thing is that the Number Field Sieve algorithm's complexity is sub- exponential in number length. (To be precise, it's O(exp(c*log(n)^(1/3)*loglog(n)^(2/3)+o(1))) ).

Thanks for the info! What is the value of c? Does it have a lower bound? This is what I am talking about. All of these t = O(???) equations have constants in them that may be lower than people think.

That said, it doesn't seem that the factoring problem will become any easier, at least not before Quantum computers are built. The factoring problem is considered "the holy grail" of cryptography for 3 decades now, and there were hardly any advances in the last 15 years, despite the huge interest in the problem

True. But can future progress be extrapolated from past progress? I suspect that technical progress probably acts like a punctuated equilibrium system. A new advance creates massive innovation and progress that then hits some asymptotic limit until the next innovation hits.

Verify yourself!

[graf0z]

To verify the factorization just type

echo "3532461934402770121272604978198464368671197400197 6\
25023649303468776121253679423200058547956528088349 *\
79258699544783330333470858414800596877379758573642 \
19960734330341455767872818152135381409304740185467 " | bc

After deleting the spaces slashcode mysteriously puts in, you should get RSA-200.

Btw: Not 11^281+1 itself (which has obviously >281 decimal digits) was the previous world record, but a 176-digit factor of 11^281+1 called "c176":

echo "8428398995380842661984668205419427509438600\
88703946121840940131686719691460399191375953 *\
11981208699381274324213719517435209389491006\
236671100986363096780488054684807819312870741" | bc

/graf0z.

Interesting that they chose not to crack RSA-640

This goes to show that Kleinjung, et al are more interested in the science than the money. Either that or this says something about the worthlessness of the US dollar :) They could have won $20,000 USD if they had chosen to factor the smaller RSA-640 (193 decimal digits) number.

Re: Number Field Sieve

[WalksOnDirt]

The c factor is 64/9, from the wikipedia link in the article.

Re:so?

[tbjw]

which allows a slightly larger prime to be factored

I believe Bill Gates once made this mistake too. Primes are trivially easy to factorise, it's composites that are hard.

Could google do it?

[joggle]

I wonder how quickly the google cluster in the US could factor these numbers. Days, perhaps, if they used all of their computers?

Re:primer: get rich quick

[owlstead]

I'm sure there are other prices for cracking crypto-problems and/or factoring large integers.

Yeah, they are called bank accounts, credit card numbers, military secrets...the list goes on.

Repeatability

[Kozar_The_Malignant]

The time to do it once may or may not be meaningful. Do it six more times and average the results.

largest integer yet factored?

[Stankatz]

"The number is the largest integer yet factored with a general purpose algorithm[...]" The largest integer yet factored that we know about. I wouldn't be surprised if the NSA or other intelligence agencies have the ability to factor even larger numbers. BTW, I've developed a constant-time algorithm for factoring prime numbers of any magnitude. Let me know if you're interested.

Re:largest integer yet factored?

[megrims]

I'm interested in this constant-time factorization algorithm. Tell me more. :)

Re:largest integer yet factored?

[Erpo]

BTW, I've developed a constant-time algorithm for factoring prime numbers of any magnitude. Let me know if you're interested.

I'm interested in this constant-time factorization algorithm. Tell me more. :)

He's playing with you. Given a prime number, x, of any magnitude, the factors are 1 and x. People like to say "factor prime numbers" when they really mean "factor products of primes".

Seriously, though. If you come up with a constant time algorithm for factoring products of primes, watch out. I never seriously considered it, but I'm a math student who happened to find this problem interesting so I asked a few questions of my professors and other knowledgeable people. The consensus seems to be that finding a solution to this problem could be very bad for your health.

Re:largest integer yet factored?

Unless it's "the factors of x are 1 and x" then I call bullshit.

Addition can't be done in constant time.

Even if you use x computers, the time to check will still not be constant.

Re:largest integer yet factored?

[megrims]

Ah yes, the specific wording game. In that case, nevermind. Although, I read somewhere about a year ago that it was possible to factorize n in polynomial time using quantum computers. Although I'm not sure where I read it. So I can't verify it. Anyway, nothing I ever wrote at the time was fast enough to bother with. (Not using a Quantum Computer, of course.)

Re:largest integer yet factored?

[Stankatz]

He's playing with you.

OK, Mr. Skeptic, here's the algorithm:
For any prime number x, it's factors are 1 and x. I haven't worked out all the details yet, but I think I'm really on to something here. ;)

Re:largest integer yet factored?

You are thinking of the Shor Algorithm.

Re:largest integer yet factored?

[Erpo]

OK, Mr. Skeptic, here's the algorithm:

Did you read my post?

who cares?

why is this important at all? seriously.

Waste of time intentional

[elgatozorbas]

Of course it is a waste of time. This is the exact goal of such a challenge. It is good PR for RSA if it takes long, they want to show the world their encryption can only be broken using LOTS of computer power. If someone finds a new FAST algorithm, obviously he will win the contest (in a spectacular time, because it is fast) and RSA will need to think of a better encryption.

Re:Waste of time intentional

[kurzweilfreak]

Or he could be hunted down, shot, and all evidence to the algorithm destroyed or buried by the RSA. Foil hats to the ready, geeks!

Yes, most people know by now...

[Stealth+Potato]

But it's not really a very good reason to moderate his comments as "Troll" regardless of the content. Moderators should look at the contents of a comment when moderating, not at the poster's UID or whether or not he bought it off eBay. :-)

The point of the mod system is to highlight comments that are worth reading, not to be a tool for those who hold grudges against specific people.

Hmmm

Except that according to the french Mathametician Peniot (sp) ANY set is finite with respect to whole intergers. Now with that in mind anyone know if the work done by the indians and Peniot theorum have any impact on how hard (easy?) it is determine a RSA key of x digits?

largest integer yet factored (a pedant writes..)

[Eric+MB+Lard+MD]

I'd like to claim a new record. This number only had 200 digits. I've just factored a number with 2000 digits. The number is 10^2000. I'll leave the factorisation as an exercise.

AKS Primality Test

[hritcu]

In August 2002, Agrawal et al. discovered a deterministic algorithm (AKS ) for determining if a number is prime that runs in polynomial time (large polynomial though).

This means that prime testing is not NP-Hard or NP-Complete as many thought (not proved though!) it was. The same can happen to factorization. There is no guarantee that one day some smart guy will come up with a revolutionary idea that would lead many cryptosystems into oblivion. Who knows?

Re:AKS Primality Test

[n1vux]

Is N Composite or Prime has been traditionally considered easier than actual factoring.

The page you link says "While this had long been believed possible", which means your "as many thought" is incorrect; see also the AKS news. They also say "this algorithm is still impractical".

Re:largest integer yet factored (a pedant writes..

[Erpo]

I've just factored a number with 2000 digits. The number is 10^2000.

That number has 2001 digits.
</pedant>

Re:largest integer yet factored (a pedant writes..

[DiamondGeezer]

That would be 2001 digits (even more pedantically)

Re:Interesting that they chose not to crack RSA-64

[God!+Awful+2]

You don't do stuff like this for the money!! 55 CPU years probably costs $20k in the first place. (Unless they leased out a zombie-net or something.)

-a

Prime Factoring

[hritcu]

Prime Factorization = The factorization of a number into its constituent primes, also called prime decomposition.

Factoring ~= Factorization

Can you really do prime factoring in a heartbeat then?

Re:largest integer yet factored (a pedant writes..

don't be so stupid, the point of this was to show that it was factored by prime numbers. read

CWI?

[Bacchuss]

Why do I first think of the "Centrum voor Werk en Inkomen" (Centre for Work and Income) and only later of the "Centrum voor Wiskunde en Informatica" (Centre for Mathematics and Information Technology) :-(

200 digits?

[the_olo]

I'd prefer a more useful unit of measurement. How long is it in bits?

Re:200 digits?

[clap_hands]

There's a useful table containing both measurements for all the RSA numbers (old and new) here.

RSA-200 is 663 bits long. It's interesting to contrast it with RSA-640 (640 bits long). RSA-640 is shorter, so should be easier to factor. And unlike RSA-200, RSA-640 carries a cash prize of US$20,000 for its factorisation. So, a puzzling question is why did the team take on RSA-200 rather than RSA-640?

Re:200 digits?

[Xilman]

So, a puzzling question is why did the team take on RSA-200 rather than RSA-640?

Because dealing with prize money causes acute rectal discomfort and is more trouble than it's worth.

Although I played no role in this factorization, I've participated in several others, including RSA-129 (which got the whole business rolling) and RSA-576 with Kleinjung et al. In every case, the prize money was a disincentive.

Paul

Re:200 digits?

[clap_hands]

> Because dealing with prize money causes acute rectal discomfort and is more trouble than it's worth.

Oh, interesting -- how come? The difficulty in working out the share of everyone involved in the effort?

Re:200 digits?

[Xilman]

Oh, interesting -- how come? The difficulty in working out the share of everyone involved in the effort?

Partly that. Partly dealing with foreign currency exchanges, bank charges, differing taxation regimes, corporate and university policies, postal charges to get chec{k,que}s out to participants, ...

Paul

Re:largest integer yet factored (a pedant writes..

Surprisingly, it happens that the number also has 2000 digits.

Those unique factors . . .

[hawk]

hey, he points out that these are "unique prime factors." Clearly a knowledgeable source, distinguishing between unique primes and those cheap redundant non-unique prime factors . . .

:)

hawk

Re:200 digits? - bits

Got a calulator handy? Just divide by the log (base 10) of two.

Wanna do it in your head? Just multiply by about 3.3. I get 660ish.

(Slap the monkey.)

Re: Dollars for cycles?

If you estimate $5/ month in power bill just for the computers to be kept running, then 55 CPU-years = 660 months = $3,300 right there. The computers can maybe be had for free around a business or university, but you still have to add the rent cost for warehousing/ ventilating the cluster.

Hackers

[salmonz]

Now if hackers took over SETI, the last 24 hour progress was 795.926 years CPU time.

Total CPU time on SETI@home - 2,286,333 years.

You forgot the last step

[cheesemp]

Leave the house before the owner returns!