Slashdot Mirror

← Back to Stories (view on slashdot.org)

Factors Found in 200-Digit RSA Challenge

Posted by Zonk on from the really-big-numbers dept.

diodesign writes "The two unique prime factors of a 200-digit number have been discovered by researchers at Bonn University (Germany) and the CWI (Netherlands). The number is the largest integer yet factored with a general purpose algorithm and was one of a series of such numbers issued as a challenge by security company RSA security in March 1991 in order to track the real-world difficulty of factoring such numbers, used in the public-key encryption algorithm RSA. RSA-200 beats the previous record number 11281+1 (176 digits, factored on May 2nd, 2005), and RSA-576 (174 digits, factored on December 3rd, 2003)."

38 of 184 comments (clear)

  1. Hooray! by mfh · · Score: 2, Interesting

    Now the longest /. UID in history can be created!
    Seriously though... any idea when our databases will enable INTs this high with indexing and normalization? I'd like to see a kind of infinite rid length at some point, and while database character types like varchar in mysql goes to 255, maybe it's really enough? (ducks from incoming Bill Gates quotes)

    --
    The dangers of knowledge trigger emotional distress in human beings.
  2. Prime Numbers by JaxWeb · · Score: 2, Interesting

    Not really anything to do with this specifically, but this story does have something to do with primes so I will bring it up. I wrote something about prime numbers which might interest a few Slashdot readers.

    Prime Numbers

    --
    - Jax
    1. Re:Prime Numbers by Thud457 · · Score: 2, Funny
      Not really anything to do with this specifically, but this story does have something to do with goatse, so I will bring it up.

      Prime numbers for you

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  3. Hmmm by Anonymous Coward · · Score: 3, Funny

    Slashdot is a prime factor in how much time I waste day to day.

  4. 55 CPU years by Inkieminstrel · · Score: 4, Insightful

    The article says it took 55 CPU years to factor the number, though they did it in parallel for about a year and a half. I'd hate to imagine the teams that we don't hear about who are, say, 30 CPU years into the problem who just found out it's already been done.

    1. Re:55 CPU years by 0x461FAB0BD7D2 · · Score: 4, Insightful

      Well, those teams could still pursue with their endeavors, hopefully beating the time used by these researchers.

      This would mean that their algorithm and/or heuristics is/are superior, which would be beneficial to everyone, including these researchers who "won".

      The good thing about research like this is that no one really loses.

    2. Re:55 CPU years by merlin_jim · · Score: 3, Funny

      The article says it took 55 CPU years to factor the number, though they did it in parallel for about a year and a half. I'd hate to imagine the teams that we don't hear about who are, say, 30 CPU years into the problem who just found out it's already been done.

      Shutup. I hate you all.

      Oh well guess it's time to start looking at RSA-768...

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    3. Re:55 CPU years by stecoop · · Score: 2, Funny

      it took 55 CPU years to factor the number

      That's not too bad. Look at how long the computer took to get the the question in Hitchhikers guide to the galaxy?

    4. Re:55 CPU years by 14erCleaner · · Score: 2, Interesting
      The good thing about research like this is that no one really loses.

      Actually, if somebody succeeds in finding a way to factor large numbers efficiently, it could cause a lot of disruption. For example, much practical online security relies on the difficulty of factoring, and if that suddenly becomes broken the disruptions could be severe (at least temporarily).

      If it continues to take years to factor numbers, we're still safe. If it gets down to hours, watch out!

      --
      Have you read my blog lately?
    5. Re:55 CPU years by TedCheshireAcad · · Score: 4, Informative

      Another victory for the General Number Field Sieve (I think). The article was a little light on the details, but it mentioned they used a "general algorithm", which I'm assuming is the GNFS. The original paper may shed some light on the algorithm, for the algebraically inclined Slashdotter. (Link courtesty of Google Scholar)

  5. I don't get it... by neiffer · · Score: 3, Funny

    I tried to do it on my TI-85 and I keep getting an error!

    1. Re:I don't get it... by ArielMT · · Score: 2, Funny

      I tried to do it on my TI-85 and I keep getting an error!

      Turn your calculator upside down on the step just before the error.

      --
      It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
    2. Re:I don't get it... by SuperBigGulp · · Score: 2, Funny

      I have a laptop computer from Ohio Arts, but every time I turn it upside down the screen goes blank. I also wish it had a keyboard...it isn't easy trying to factor large numbers with just the two knobs.

      --
      Someday a Slashdot ID of 177180 will mean something.
  6. Did Michelle Deliop write this? by winkydink · · Score: 3, Funny

    May 9, 2005 The two unique prime factors of a 200 digit number have been discovered by researchers at Bonn University.

    Note: we need a source on this. All we have now is an anonymous edit on Wikipedia from someone at Cal State Fullerton.

    An anonymous edit in Wikipedia. Now there's a source for you!

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  7. Waste of time! by Tom7 · · Score: 4, Insightful

    I think these RSA challenges are a waste of computer power. It's trivial to compute how much computing resources it will take to factor numbers using an existing algorithm on paper, and you get a more accurate estimate than you get from sampling experimentally. I'm all for the development of new, faster algorithms and implementations, but the challenge should be for the development and demonstration of these algorithms, not the brute-force months-on-end search that ensues.

    1. Re:Waste of time! by Anonymous Coward · · Score: 5, Insightful

      If someone claims to have found a better factoring method, then it's easier for RSA to check that p,q < n and p*q = n, than to read his algorithm and analysis and award a prize based on that. (Imagine how many crackpots would apply with 100 pages long "proofs").

    2. Re:Waste of time! by Vellmont · · Score: 4, Insightful


      It's trivial to compute how much computing resources it will take to factor numbers using an existing algorithm on paper, and you get a more accurate estimate than you get from sampling experimentally
      You can certainly make a decent estimate of how long it will take, but you're never going to get a close approximation of the real-world performance of your implementation until you actually write the code and run it.

      The other side is that theoretical calculations are nice, but there's nothing quite like actual verification. It's much easier for a programmer to justify using larger key lengths when someone has actually cracked smaller key lengths rather than using calculations based on estimates of computing power.

      --
      AccountKiller
    3. Re:Waste of time! by Tom7 · · Score: 2, Insightful

      I said it's worthwhile to make good implementations. I think we should do this. Then, based on our understanding of the code's behavior (and probably some short-lived experiments), we can extrapolate to find the expected time to completion. This is also better for randomized algorithms that actually running it, since by running it we only get one point randomly sampled from the probability distribution. They clearly knew that the experiment would take approximately 1.5 years to run, otherwise they wouldn't run it.

      What we should not do is, once we figure out how long something is going to take, to actually run it if the answer is totally pointless. This last step is a waste of time.

    4. Re:Waste of time! by kurzweilfreak · · Score: 2, Funny

      Yeah, all that computing power could be used on better things.... like posting on /. Or Quake 3. Or finishing Duke Nukem Forever! Don't they know there are hungry children all over the world! Won't someone please think of the children?!

      --

      kurzweil_freak

      5th Kyu Genbukan Ninpo/KJJR student

      Be the darkness that allows the light to shine.

    5. Re:Waste of time! by Tom7 · · Score: 2, Insightful

      It took them a year and a half of computer time on, I believe, a cluster. I am arguing that that computational resource was wasted (plust the cost of powering and maintaining the cluster, etc.).

      Like I said, actual cracked keys are far easier to justify to a programmer than theoretical calculations. Actual cracked keys can be trusted 100%. Calculations of performance from unknown researches can be trusted much less than that.

      I strongly disagree. A theoretical analysis is better because you can prove that it works for all cases (not just the one you experimentally verify), and because you get a more accurate picture for a probabilistic algorithm.

  8. Infinite Improbability... by wcitech · · Score: 3, Funny

    The air force has a practical use for this discovery, because when these numbers are fed into an infinite improbability drive, oncoming surface to air missles will be changed into a sperm whale and a harmless bowl of petunias.

    1. Re:Infinite Improbability... by Anonymous Coward · · Score: 2, Funny

      Oh no, not again.

    2. Re:Infinite Improbability... by Haydn+Fenton · · Score: 2, Funny

      42.

      ...Meh, I felt left out.

    3. Re:Infinite Improbability... by VoidWraith · · Score: 2, Informative

      Just the flowers. The whale was coming to terms with its newfound existence.

  9. Damn you GNU factor v2.0.11 by GillBates0 · · Score: 3, Funny

    My plans for world domination have been foiled.

    $ factor --version
    factor (GNU sh-utils) 2.0.11

    $ factor 10000000000000000000
    10000000000000000000: 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5

    $ factor 100000000000000000000
    factor: `100000000000000000000' is not a valid positive integer
    Try `factor --help' for more information.

    On a positive note, I was short only by 179 digits.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  10. Algorithmic difficulty by G4from128k · · Score: 3, Interesting

    Factoring numbers looks harder than it is. At first glance, it looks like adding digits makes the factoring problem exponentially harder. The question is: what is the base of the exponent. A naive analysis suggests that adding one binary digit makes the number twice as big and thus makes the factoring problem twice as hard. Such analyses are where get estimates that proclaim it will take a computer the life of the universe to factor an X-digit number.

    If adding one bit to the number, makes the problem twice as hard, then the base of the exponent for the executive time is 2. But what if the base is not 2, but is only 1.01? Then, adding 200 bits to the number only makes the problem 7 times harder (1.01 ^ 200). The scary part is that we can't prove that factoring has a lower limit to the base of the exponent. It could be 1.1, 1.01, or 1.001, or 1.0001. This means that any crypto based on prime factors has an unknown vulnerability in it.

    For now, prime factoring is hard, tomorrow, it might not be.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Algorithmic difficulty by ch-chuck · · Score: 2, Funny

      so there's still a chance that 'Sneakers' might come true?

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    2. Re:Algorithmic difficulty by SlashThat · · Score: 2, Informative
      At first glance, it looks like adding digits makes the factoring problem exponentially harder. The question is: what is the base of the exponent.
      This is an interesting analysis, but unfortunately completely wrong. The thing is that the Number Field Sieve algorithm's complexity is sub- exponential in number length. (To be precise, it's O(exp(c*log(n)^(1/3)*loglog(n)^(2/3)+o(1))) ).
      A naive analysis suggests that adding one binary digit makes the number twice as big and thus makes the factoring problem twice as hard.
      Well ... no. No one ever claimed that, at least nobody familiar with the subject. It is easily seen not to be the case both from basic complexity analysis and experimental data. Again, the algorithm's complexity is not exponential.

      That said, it doesn't seem that the factoring problem will become any easier, at least not before Quantum computers are built. The factoring problem is considered "the holy grail" of cryptography for 3 decades now, and there were hardly any advances in the last 15 years, despite the huge interest in the problem.
      --
      1's and 0's should be free.
  11. Notation? by man1ed · · Score: 3, Insightful

    Does anyone know what the notation "11281+1" means?

    1. Re:Notation? by iMaple · · Score: 5, Informative

      Does anyone know what the notation "11281+1" means?

      It means 11282 :) .
      There seems to be a typo in the article post (A typo on slashdaot .. thats news ..I mean just one typo thats cool). Its probably due to some filter. It should say 11^281 +1

    2. Re:Notation? by petermgreen · · Score: 3, Insightful

      ^ is kinda a dirty hack notation where you can't superscript

      my guess is that someone copypasted it and in doing so lost the superscript (it should be noted that slashdot don't allow superscripting at least in comments)

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  12. Re:so? by CodeBuster · · Score: 3, Informative

    It means that an incrementally more efficient algorithm has been discovered which allows a slightly larger prime to be factored in a reasonable amount of time. However, this does not represent the sort of breakthrough algorithm that blows the problem wide open and allows factoring of arbitrarily large primes in time polynomial to the size of the input (the length of the prime number to be factored in this case). Thus, this new algorithm does not scale elegantly as one increases the size of the inputs and therefore it does not represent the general solution to the prime number factorization problem. Your public key crypto systems are safe if the prime numbers are large enough...for now.

  13. Re:so? by yamla · · Score: 2, Funny

    I can factor primes of any size in constant time. It does not matter how large they are. Let us take a prime number, we'll call it p. What are the factors? The factors are exactly 1 and p. There are no other integer factors of prime number p. :)

    --

    Oceania has always been at war with Eastasia.
  14. I don't want to spoil the ending but... by fxer · · Score: 5, Funny

    ...the punchline is

    3,532,461,934,402,770,121,272,604,978,198,464,36 8, 671,197,400,197,625,023,649,303,468,776,121,253,67 9,423,200,058,547,956,528,088,349
    and
    7,925,869, 954,478,333,033,347,085,841,480,059,687, 737,975,857,364,219,960,734,330,341,455,767,872,81 8,152,135,381,409,304,740,185,467

    tip your waitresses! :)

  15. Re:there are two kinds of people... by MoonBuggy · · Score: 3, Insightful

    Well the fact that the researchers from number 1 stated that the factorising took 55 CPU years (based on a 2.2GHz Opteron) pretty much sorts things out for the others. We can realistically assume that anyone with a few-million-$ reason could devote 100+ CPUs to this so basically you have to hope that your data will be outdated in 6 months or so.

    Alternatively if you take advantage of Sun's rent-a-cluster for $1/CPU hour you'd get change from $500,000 and get your results faster too, but then you have to pay again for the next problem that needs cracking, so it's probably more economical to purchase a smaller cluster.

  16. Real Discovery! by kenp2002 · · Score: 4, Interesting

    I have found a way to crack any code in a matter of minutes. It's simple!!! It works plenty of times!!

    Find out where the subject lives that encrypted the data. (1-3 days)

    Break into their home. (10 minutes)

    Look under their keyboard (1 minute)

    Read their private and public key off the notecard taped under the keyboard. (2 minutes.)
    Optionally: Steal the notecard and leave a fake one with the wrong key written down.
    Laugh maniacally... Done!!!

    To date when doing security sweeps at my various clients sites, 80% of staff have their password somewhere in their cube. 50% had their PGP keys under the keyboard, 10% had pen drives marked "Passwords" handing off a thumb tack on their cube wall. Who cares about better encyption, physical security (or perhaps mental security is a better choice) is where we need to focus.

    And remember network admins! Have you users spade or neutered :)

    --
    -=[ Who Is John Galt? ]=-
  17. Verify yourself! by graf0z · · Score: 3, Informative
    To verify the factorization just type

    echo "3532461934402770121272604978198464368671197400197 6\
    25023649303468776121253679423200058547956528088349 *\
    79258699544783330333470858414800596877379758573642 \
    19960734330341455767872818152135381409304740185467 " | bc
    After deleting the spaces slashcode mysteriously puts in, you should get RSA-200.

    Btw: Not 11^281+1 itself (which has obviously >281 decimal digits) was the previous world record, but a 176-digit factor of 11^281+1 called "c176":

    echo "8428398995380842661984668205419427509438600\
    88703946121840940131686719691460399191375953 *\
    11981208699381274324213719517435209389491006\
    236671100986363096780488054684807819312870741" | bc
    /graf0z.
  18. Repeatability by Kozar_The_Malignant · · Score: 2

    The time to do it once may or may not be meaningful. Do it six more times and average the results.

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.