RSA-640 Factored

gslin writes to tell us MathWorld News is reporting that RSA-640 has been factored. F. Bahr, M. Boehm, J. Franke, and T. Kleinjung, memebers of the German Federal Agency for Information Technology Security (BSI) announced they had cracked the 193-digit number last Friday using the General Number Field Sieve. The team purportedly used 80 opteron CPUs and 5 months to achieve victory.

easy

640=2*2*2*2*2*2*2*5.

What do I win?

Re:easy

[rubycodez]

640! Kudos and one attaboy.

Re:easy

mmmmm... thats a lotta granola bars...

Re:easy

[drstock]

What do I win?

A green thermos. What color do you want?

Re:easy

[ysegalov]

5 = (2+i)(2-i) so that 640 = 2*2*2*2*2*2*2*(2+i)*(2-i).

Now what do I win?

Re:easy

5 = (2+i)(2-i) so that 640 = 2*2*2*2*2*2*2*(2+i)*(2-i).
 
Now what do I win?

I could troll here and insult your intelligence, but I've decided that I'll simply opt to answer your question: my anonymous assurance that you aren't impressing anybody with your obvious and frankly pointless remark.

Re:easy

[DrSkwid]

you win my heart

(2 * 2 ^ 2) * 2 * ( 2 * 2 ^ 2 ) * (2 + i) * (2 - i)

Re:easy

[zonker]

can i play?

639+1

what do i win?

Re:easy

[ysegalov]

Always a pleasure to meet the good-humored /. readers.

--

"Nobody will ever need more than 2*2*2*2*2*2*2*(2+i)*(2-i) Kb in a computer" (B. Gates)

Re:easy

Nothing really, seeing as how that was fucking obvious in the first place, and didn't really state anything new.

Is there an award for trying to look clever but failing miserably? Maybe you might be able to pull that one off.

Re:easy

[FirienFirien]

Hehehe... unfortunately, those 80 Opteron CPUs worked that out just before you did! The wonders of modern technology...

Re:easy

640! = 64409718565200018055131800965981532721782172857809 35050119769024917912649386556736435990175942482881 50831173208718164630201061409780121407122461364924 58377710508516955614515870499288921594586346123434 33180780170533237643858349983073211205085008177221 23334955489548539613464287113486796254782280386192 42902556432022520662136294311646067063179388639341 64085587743812021695906380070875341161592893857325 43950455135580702163621967540729516434733225112310 19894142562784272396885841079611839890149814550124 39303021946826615046590582495802088225465848653849 49658745367091435175285190031747259785364892724246 44581896134757504721500575093072296641784946756103 72209909854987875605056434890950842087494564950738 50342684518858945589680071711243181514726647615699 31491279455269105452696480012333296289382307693598 92378742869557307887038923609012421597040445457338 74337845037253151897729671908964331393489772603959 59589548517793461330628196613401917126378390242846 93257523202987341241900850720690028543718314179741 21710624363839688427903596832205914168418422225116 58140716647635269032404235004721905438667198590366 48063974166410911515008191851366556055573022807574 25873254919125351231886283164699615743032337296746 10898181081786065982252420557478741130812235511867 87217476385809669846991054271061032324367962162620 83477325316470089765943690841812967664794901526655 17956005888000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000. Just so you know.

Re:easy

As soon as addition qualifies as factoring, you'll win something.

Re:easy

x^2 + 5x + 6 = (x+2)(x+3), still with tried-and-tested addition

Re:easy

[rubycodez]

I'm having a little trouble with that decimal notation, could you please write it again with "hatches and cross-hatches" (e.g. -||||-) notation? thanks!

Re:easy

[Money+for+Nothin']

So you're good with numbers in your head... now try that on a PC! :P

Re:easy

Hey, is it asshole day already? I thought it was later this year.

Re:easy

[Fordiman]

obvious, pointless, perhaps, however, I dare you to solve for i.

Time to turn off the Internet...

[adlib24]

I wish had nothing better to do for five moths than factor numbers...geez...who needs the Internet when there are numbers to factor. :)

Re:Time to turn off the Internet...

[TheGSRGuy]

Go for it:

www.turnofftheinternet.com

Re:Time to turn off the Internet...

...would have been easier just to squash the moths

Re:Time to turn off the Internet...

[OhHellWithIt]

I think I would find something better to do during the first moth (sic).

Time Matters

[MATTtheROGUE]

This is similar to the issue that the Germans had during WWII, it's a matter of time. If it takes them too long to decrypt, then the data sometimes is useless. Let's hope the problem isn't the same.

Re:Time Matters

[joey_knisch]

However what if that team had decrypted a banks RSA key. Sure it may have taken 5 months and the bank may well have changed keys since. But what if they captured all the packets sent/recieved using the cracked key. I guarentee there would be a bit of useful information in them. I know I don't change account numbers / credit card numbers every 5 months.

Re:Time Matters

[Keith+McClary]

But sometimes there are communications you want to stay secret for years or decades. e.g. spies, double agents, activities of "special forces", etc.

Re:Time Matters

[camusflage]

Thow whole point of encryption in particular, as well as security in general, is to make it hard enough that by the time you get to something, it is useless. Whether that is by throwing enough roadblocks to getting to a protected system or making it take n hundred years to decrypt something, the end result is security.

Re:Time Matters

So, an opteron has roughly <8.8 peak GFlops:http://www.amd.com/us-en/Processors/Product Information/0,,30_118_8796_8800~96867,00.html> [amd.com] 60 of them would give around 528 GFlops (theoretical max). Given the fastest super computer in the world, the Blue Gene/L has roughly <183500 GFlops:http://www.top500.org/lists/plists.php?Y=20 05&M=06> [top500.org]. That means the Blue Gene/L can factor it roughly 350 times faster (assuming the algorithm scales linearly) or in roughly 9 hours 45 mins. Scary

Re:Time Matters

[atomm1024]

This is only interesting on a theoretical level. These days I don't think anyone uses a 1024 bit RSA key for serious purposes. Banks would probably use no less than 2048 bit.

Re:Time Matters

Think of it more like counterfeiting cash. You don't need to counterfeit a brand new $20 bill with all of the security features and new colors. You just have to counterfeit an old $20 and put it in a washing machine to wrinkle it up.

Many times people receive new credit cards with the same numbers, just a different expiration date when they renew. If a company at one time used 512 bit keys and you have those encrypted logs from 3 years ago you could be a moderately successful fraud. Or you could keep the encrypted logs from now and 3 years from now be able to crack them.

Re:Time Matters

[infolation]

This is similar to the issue that the Germans had during WWII

Although it's identical to the issue that the UK police claim they currently have. Which is why they want 90 days to lock citizens up without charge while they 'factor' their hard-drives.

Re:Time Matters

But nobody would ever use RSA for encrypting their harddrives! It's much too insecure at low key sizes, and very slow at large ones ...
AES or some similar standard is much safer and faster, and it would take a long time to crack a 256AES key. 90 days would never be enough, it would (at least) take some hundred years I think ...

Re:Time Matters

[tepples]

You don't need to counterfeit a brand new $20 bill with all of the security features and new colors. You just have to counterfeit an old $20 and put it in a washing machine to wrinkle it up.

That's why some countries (not the United States) tend to revise their paper currency often and demonetise old currency, sometimes stating that only banks (with the appropriate machinery for detecting counterfeit notes) must accept notes at least two revisions old.

Re:Time Matters

80 Opterons = 5 Months

288,000 Opterons = 1 second.

think Seti at home

Re:Time Matters

[YayaY]

You should not use Flops to estimate code breaking time. Flops mean FLoating point Operation Per Second. Code breaking is mostly done using integer calculation, so you should estimate a timeframe of completion using integer operation per second with something like the Dhrystone benchmark.

Factor?

[brilinux]

I hardly know 'er...

Seriously, this is interesting stuff. Of course, everytime we come up with a new security mechanism, computing power will overcome it. Fortunately, not everyone can do this sort of thing, and it takes time. But, as a mathematician, it is interesting to see both the methods used to crack this sort of thing, and, at least to me, more interestingly, the methods that are used to come up with new encryption systems. I cannot wait to see what will occur in several years, and even bigger prime numbers are known and usable...

Re:Factor?

[drgonzo59]

"everytime we come up with a new security mechanism, computing power will overcome it"

-Not always true. Say I can come up with a 2048 bit encryption, that is just increase the key size from 256 to 2048, I can to that in a second. It is going to take _a lot more time_ for the computing power to overcome that increase.

If quantum computing will come around, I'll just switch to quantum encryption. Then you'll have to break the laws of QM to "break" the scheme. There are already rudimentary quantum encryption devices but there are no quantum computers that can take on even a 64 bit key space.

The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information. The inherent math of the algorithm is rarely the weakest link, it is the people and then the particular implementations of the algorithms that are exploited the most.

Re:Factor?

[Urusai]

Let's just move to megabit encryption and call it a done deal. Sure, 128KB encryption blocks might be inconvenient, but you can sleep soundly at night.

Re:Factor?

[anethema]

Not positive here, but I am not sure there really is such a thing as 'quantum encryption'

At least when most people say it, they seem to talk about using the laws of quantum physics to detect eavesdroppers on a fiber optic line.

Wikipedia's article on quantum cryptography seems to agree.

http://en.wikipedia.org/wiki/Quantum_cryptography

Re:Factor?

[acidblood]

Although many point to quantum crypto as the ultimate solution to security problems, it should be noted that, in addition to all logistic problems inherent to quantum crypto, no purely quantum-mechanical scheme exists -- all of them rely on an authenticated/trusted/whatever classical channel (i.e. one that transmits bits not qubits), and this classical channel has to be secured using conventional cryptography.

I'm too lazy to dig up references for this, some karma whore can search eprint/arXiv and add the references to the thread.

Re:Factor?

[colenski]

Tom Clancy outlined this in "Sum of All Fears", reference: http://kh.bu.edu/qcl/pdf/hughes_r199518777668.pdf

Not like I'm a Tom Clancy fanboy or anything. Just sayin.

Re:Factor?

[lachlan76]

The cipher in The Sum Of All Fears was actually One-Time Pad.

And yes, I am a Tom Clancy fanboy ;)

Re:Factor?

[rollingrock]

That is misleading. The point is to securely distribute private keys. All that is needed is a public classical channel in addition to the quantum channel. Most algorithms (eg BB84) are only used to share a private key via QC, which can then used to transmit data over a classical channel. Changing your key for every bit, while impractical, makes this a completely secure method. For a trivial (granted highly inefficient)example of a secure scheme, map half the set of possible keys generated by our BB84 scheme to 0, half to 1 so that they are chosen with equal probability. If we get a 0, from the key, transmit your data bit unchanged, otherwise send the opposite. The data we send over the classical channel is indistinguishable from noise. Since BB84 gives us a secure way to share a random string of bits, it gives us a provably secure scheme for transmitting over a classical channel.

Re:Factor?

[jgc7]

Inerestingly enough, there is no proof that encryption is even possible. Presently we do not know of any methods to factor a number in polynomial time while we can create primes in polynomial time, but an algorithm may exist that can factor primes in polynomial time. If one is discovered, encryption as we know it today will be impossible... even with your quantum computer. In fact, a solution to the P NP problem comes with a $1,000,000 prize.

Re:Factor?

[xerxesdaphat]

Is there any particular reason why we use 256 bit keys, why not use these 2048 bit keys, or larger? What's the problem with doing this - it's not as though we're talking about shifting gigabytes of key here, its only 2048 bits. Or is there more chance of it being intercepted or something?

Re:Factor?

[Mars2020]

As far as I know it is NOT known whether an efficient factoring algorithm could or could not exist. So, assumimg it exists, it might factor RSA-640 in a few minutes on a regular PC. On the other hand, if it is proved that GNFS gives the optimal order of complexity, there is no hope for anything else better than brut force.

Re:Factor?

[Osiris+Ani]

The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information.

Indeed, the fastest, simplest form of cryptoanalysis involves an isolated room, a length of rubber hose, a ball-peen hammer, and the person with full knowledge of the information you require. Granted, that, too, falls into the "brute force" category, but it's often far more efficient than most exclusively computer-based methods.

Re:Factor?

[drgonzo59]

If that was the case, there would be no point in quantum encryption, since you already require a secure "classical" data channel.

There are a couple of schemes of using quantum states/encoding to create a communication channel such that eavesdropping can be detected, thus eliminating the "man-in-the-middle" attacks. One can use the "action at a distance" or enanglement or one can also use the fact that states that are not orthogonal to each other cannot be reliable detected and that 'entangled' particles share some common 'state' and keep that state even when the two are separated by some distance. What both schemes do is make it safe to distribute a key, that's all, but that should be good enough. A new key can be sent over the channel for each block make it look like a "one-time" pad type encryption.

Re:Factor?

[pAnkRat]

>Fortunately, not everyone can do this sort of thing, and it takes time

Not everybody has a BlueGene(tm) in their back yard but consider this:

MafiaBoss: We have captured some [CIA|BANK|POLICE] data, but it is encrypted.
DarkSideHacker: Hmmm, do you know the seti@home project? I allready have a huge spambot net for sending emails, and doing DDos attacks. But they can be reprogrammed.....

Re:Factor?

[drgonzo59]

Well, having a channel that can be provable to be safe from eavesdropping should be enough. Then both parties Amelie and Bertha (...tired of Alice and Bob) can exchange a key and then they can even use a "classical" channel for communication. Then can send each other a new key for every block, making it in fact look like a "one-time-pad" type encryption.

The 'encryption' does take place - it is encoding information using quantum states (so far photon polarization or particle entanglement) which would make eavesdropping detectable. Imagine encrypting a file and then everytime someone tries to decrypt it, it will actually change the file itself and you cannot make copies.

Also, if you say that what quantum encryption only does is help detect eavesdroppers, I could also claim that the public key distribution schemes also mostly "do nothing but" help distribute keys for further communication in a 'safe way'.

Re:Factor?

[Sloppy]

The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information.

Unfortunately, you can't automate human engineering and place it on all the network backbones, to spy on all your citizens without their knowledge. If someone tortures me and keeps asking me for my secret key, I might guess what they're up to.

Re:Factor?

[obender]

but an algorithm may exist that can factor primes in polynomial time

Bill Gates wrote something similar in The Road Ahead:

The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.

Sorry to break it to you boys but I know an algorithm that can do that in constant time: the factors of any prime number are 1 and the number itself.

Re:Factor?

[drgonzo59]

I think you are talking about using a quantum computer to factor large integers. So far quantum encryption has nothing to do with that, it is a why to encode a message as quantum states that will change when they are measured. So it makes it possible to create secure communication channel that can be proven according to QM laws to be safe from eavesdropping. That is what is meant by quantum encryption.

It has already been done a couple of times, but is still too expensive for mass production, but there _is_ proof (theoretical and experimental) that quantum encryption is possible.

Then if I can use quantum encryption, I don't have to worry about factoring or P?=NP problem. I'll just send a new key for every block and make it look to someone monitoring the "classical" data channel as if I am using a "one-time-pad" so factoring has nothing to do with it.

Re:Factor?

[infogrind]

Of course you can always switch to a new encryption scheme or larger key size. But that doesn't touch messages that you have encrypted in the past, with a weaker encryption.

Eventually, all those will be broken. (Another question is, at the time this is achieved, will the message content still be worth anything?)

Re:Factor?

[empaler]

I have a 250 gigabytes encrypted volume that I access all the time - increasing encryption level means more processor intensive disk operations. Of course, there's always a tradeoff when encrypting, but moving up to 2048 bit encryption is *a lot* of difference, performance-wise.

Re:Factor?

[drgonzo59]

Perhaps using a 1024 bit key is better but beyond that there is no point on using a 2048 bit key at this point. If we are going to continue to rely on current brute force factoring using classical computers 1024 is already _very_ good. If one day though someone figures out how to build a functional quantum computer with relatively large registers (1000+ bits), then even 2048 bit encryption won't help us for very long...

So practically you don't really get better or "more" secure encryption by using 2048 bits, but you will significantly slow down the applications that are supposed to generate the keys of such length. Try generating a 2048 bit public key on a 100 Mhz Pentium, see how long it takes. Would you want to wait that long every time you want to send a message?

Re:Factor?

[lisaparratt]

What, you mean an encryption algorithm, like a One Time Pad, that's completely uncrackable as long as the keys are secure, which of course they will be, because they're sent over the quantum channel?

Re:Factor?

[Musteval]

You ARE using a one-time pad. It's just that the method of getting the pad to the other person is quantum in nature, making it completely secure. And as we all know, one-time pads are unbreakable if they are random and the key is not intercepted and the government doesn't use TEMPEST to read our screens and our computers don't have keyloggers and nobody has a secret camera hidden in the building and we mask our keystrokes so that computer that MIT made can't tell what we're typing just from the sounds and we wipe our hard drives afterwards and then set them on fire and melt them and put them into the fusion reactor that is being built and ...

Re:Factor?

[Calroth]

Say I can come up with a 2048 bit encryption, that is just increase the key size from 256 to 2048, I can to that in a second. It is going to take _a lot more time_

Obligatory quote from Bruce Schneier, referenced from this Slashdot post, which referenced this web site, which referenced Schneier's Applied Cryptography:

in regards to the strength of 256-bit encryption:

now, the annual energy output of our sun is about 121 * 10^41 ergs. this is enough to power about 2.7 * 10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. if we build a dyson sphere around the sun and captured all of its energy output for 32 years, without any loss, we should power a computer to count up to 2 ^ 192. of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

but that's just one star, and a measly one at that. a typical supernova releases something like 10^51 ergs. (about a hundred times as much energy would be released in the form of neutrinos, but i let them go for now.) if all this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

these numbers have nothing to do with the technology of the devices; they are the maximum that thermodynamics will allow. and they strongly imply that brute-force attracks against 256-bit keys will be infeasable until computers are built from something other than matter and occupy something other than space.

bruce schneier, applied cryptography, p 158

(Note that he's talking about symmetric ciphers, like DES - not public key ciphers, like RSA. But you get the idea.)

Re:Factor?

Sorry to break it to you boys but I know an algorithm that can do that in constant time

Sorry to spoil your answer, but just returning the prime number as output requires time that is logarithmic in the size of the prime, not constant (one step for each digit in the answer).

Re:Factor?

The only way to prove that a number is prime is to prove that it has no factors other than one and itself. Once you have proven that a number is prime than clearly you can factor it in constant time, but that's hardly impressive. Factor 32805592099748442548107420314645062399211606732283 97988106903434895134644511401975437619140698905949 45251948581425823146167636637467081207415218524627 02588083274954144328560376197355667343748447038499 56013739736469532109844544298776968942978978890220 34799326380695035625184794996536629337396640718552 25483719779649039616697060568502684734994955621508 03425209326447449946707724181021885226359431271227 10612401241669525952545358847814155202494892941888 32211842157911715344812739811606414850139336562428 90390457916792222939860320591041870758622733339305 63236338155282341943896540996586475435821049572165 62303277296229480468077667511380363488470015931141 68160373304535957389399079461511868362789851845537 09439246752539740109055794552962678403088798522051 82796574842175841102587473888251717732920982403724 53997665644480984113047103511360106063909010618595 47228609572651064383396563278829228488848257724585 62691141677028588001666708376672267165525578357382 80866039175470150006085403549022233305729196059999 and let us know what you find.

Re:Factor?

[mattspammail]

With distributed/grid computing available, it's more possible than ever before. It starts with a trojan sent out with a title that contains the name of the most recent teeny bopper hotty and the word "nude".

Ex: Roseanne_Barr_nude.exe

Re:Factor?

[Anpheus]

I'm afraid your info is slightly off, it doesn't take any key size to make "Quantum Encryption" secure. Quantum encryption relies on extremely expensive equipment sending individual photons down a piece of fiber to another computer. And given how rudimentary quantum computers are (7 or 9 qubits) they can barely factor small double digit numbers. Though they can do so more quickly in terms of algorithmic time, it still takes them a while. Obligatory Wikipedia link... Quantum Cryptography

Re:Factor?

[Short+Circuit]

Nice catch, but don't forget to take into account the time it takes to determine if a number is prime.

Re:Factor?

Why would you encrypt the entire volume when it's that size? If you're ever in any legal situation where the government wants access to your data you'll either turn over what they need to access it or sit in jail. Having weak encryption for everything is definitely not an improvement over having strong encryption for useful things, like personal information.

Re:Factor?

You just did a common misconception. "Quantic encryption" isn't encryption at all. Under such an unfortunate name there are a set of methods which are just quantic *key exchange*. Encryption is done by traditional methods as it is done nowadays.

If the encryption mechanism doesn't have any flaws, only the length of the encryption key matters. The only problem is that, in the far future, maybe it is not very practical having to use keys longer than the original document. Well, if governments follow the current trend, maybe it will be.

Re:Factor?

>Then you'll have to break the laws of QM to "break" the scheme.
>
Wrong. QM is statistically based. QM encryption fidelity relies on detecting that the message has been read by a third party in transit - either rendering the message garbage or alerting the intended recipient that the message is now known.

QM encryption and cracking will all come down to a balance of probabilities....

Re:Factor?

[Retric]

LOL, you can still get a "man-in-the-middle" attack you just need to subvert 2 channels vs 1. The idea that by using QM on one channel you can you a vary public channel to send the rest of your data so it's harder to subvert. But, all your realy doing is adding channels that you need to take over to do a true 'man-in-the-middle" attack. "Man-in-the-middle" will always work if you subvert all channels of comunication.

Re:Factor?

[OverlordQ]

AES is a symettric cipher correct?

all this crypto terms at 7:00 am dont help much :|

Re:Factor?

[gkhan1]

Wow, that was alot of incorrect in one post
1) You factor large COMPOSITE numbers, not large prime numbers.
2) P = NP is almost surely false. I mean, it's not proven, but it's not like anybody believes it to be true. It would just be too damn incredible if it were true.
3) What do you mean "encryption wont be possible"??? Just because you can factor large numbers quickly, doensn't mean you can encrypt stuff. You can't use RSA, that's true, but there are other asymetric ciphers. AES will sure as hell still work. Worst case scenario, we'll just use one time pads and all will be dandy (for those of you who don't know, One time pad-ciphers (also called the Vernam cipher) is impossible to break if used correctly, and when I say impossible, I mean mathematically proved-no way no how-even when the aliens invade earth with super-super-computers will we be able to solve it)

Re:Factor?

"Indeed, the fastest, simplest form of cryptoanalysis involves an isolated room, a length of rubber hose, a ball-peen hammer, and the person with full knowledge of the information you require."

Don't forget the split screen and the ticking clock right before the commercial break.

Re:Factor?

[marcosdumay]

"If quantum computing will come around, I'll just switch to quantum encryption. Then you'll have to break the laws of QM to "break" the scheme. There are already rudimentary quantum encryption devices but there are no quantum computers that can take on even a 64 bit key space."

Yes, but quantum criptography has only deployed simetric algorithms for now, so, if quantum computing comes around today, we are doomed.

Re:Factor?

The only way to prove that a number is prime is to prove that it has no factors other than one and itself.

That's not true. BTW, the number you posted is not prime.

Re:Factor?

You don't get it, do you? It's a joke. If you're looking for an algorithm that can factor large prime numbers, grandparent has a constant time algorithm. It's up to you to keep your end of the bargain and run the algorithm only on prime numbers. Otherwise, well, Garbage In Garbage Out. ;-)

By the way, the time to check whether a number is prime is known to be polynomial in the logarithm of the number. The hard part is finding the factors when you know the number isn't prime.

Re:Factor?

[Jerry+Coffin]

Presently we do not know of any methods to factor a number in polynomial time while we can create primes in polynomial time, but an algorithm may exist that can factor primes in polynomial time. If one is discovered, encryption as we know it today will be impossible...

Nonsense. First of all, factoring per se only affects RSA encryption.

It's likely that a major advance in factoring would also affect the security of Diffie-Hellman key exchange and ElGamal encryption, but it's not an absolute certainty. These are based on discrete logarithms, and while finding discrete logarithms hasn't (TTBOMK) been proven equivalent to factoring, current factoring methods can also be applied to finding discrete logarithms, and there's some theoretical basis for assuming any future ones will as well. For example, here is a paper discussing the relationship between the two (warning: quite mathematical).

Those aren't the only methods of public-key cryptography though -- for example, elliptic curve cryptography might well be unaffected. In particular, both factoring and discrete logarithms display a property called "smoothness" (about which, see the paper above) which is necessary for the various "sieve"-type algorithms to operate correctly. At least so far, nobody has shown that elliptic curves have the property of smoothness (though various mathematicians argue both for and against its likelihood). As a consequence, breaking elliptic curve cryptogaphy uses entirely different methods, and there's little reason to believe that even a major advance in factoring would necessarily have any real effect on elliptical curve cryptography at all.

Then we come to all the symmetric ciphers -- DES, 3DES, IDEA, FEAL, RC4, RC5, RC6, AES, and many, many more. The vast majority of these have little or nothing to do with prime numbers, and even the most amazing advance in factoring would be unlikely to affect any of them at all. The applicable area of mathematics is entirely different -- most symmetric algorithms are based in number theory while most symmetric algorithms are based on group theory.

Since "quantum" has been thrown around a bit, I'll try to add a bit of clarification on that subject as well. Unfortunately, there are two rather different sorts of things related to cryptography that use quantum in their names. As has been noted elsethread, what's generally called quantum cryptography would more accurately be called quantum key exchange. It's basically just a way of sendin some bits over a fiber optic cable, and the receiver can detect whether anybody has tapped into the line to see what was sent.

The second "quantum" thing is quantum computers. The Shor algorithm (due to Peter Shor) does factoring on a quantum computer in polynomial time, which is more or less the holy grail in fast factoring. The problem is that at least at the present time, there's no such thing as a practical quantum computer -- the most "powerful" quantum computers to date haven't even been sufficiently capable to replace a pocket calculator. Worse, the methods used to create quantum computers so far are widely believed to be unscalable, so there's no certainty that quantum computers can ever become practical -- though there's a great deal of research being devoted to the subject, and there's certainly a possibilty that they might.

If quantum computers were to become practical, they would also affect symmetric ciphers. Basically, searching for the key of a symmetric cipher is normally proportional to the size of the key space. For a quantum computer, the search is proportional to the square root of the size of the key space instead.

This, however, has less effect that most people realize. In particular, the size of the key space is squared by doubling the size of the key. In point of fact, many (if not most) current symmetric ciphers already use keys large enough to render attacks by quantum computers

Re:Factor?

[jgc7]

I think you are a bit harsh.

1. As many have pointed out, I misspoke with the prime vs composite issue. Trust me, I am not that dumb.

2. Point taken, but according to the wikipedia entry, 9 out of 100 believe it is True. More than nobody, but you are probably right... even among mathematicians 9 in 100 are probably idiots.

3. By encryption I mean public key encryption. Who gives a damn about private key encryption. Are you going to ship floppy disks with your "one time pad" to the website prior to placing an online order? Of course taking a random sequence of 0's and 1's as long as your data and XORing with your data will produce an unbreakable cipher text. Furthermore, all known examples of P NP algoriths have been shown to be equivalent. I would be interested if there are any public key encryption methods that dont rely on P = NP being false.

Re:Factor?

"At least when most people say it, they seem to talk about using the laws of quantum physics to detect eavesdroppers on a fiber optic line."

This use seems vulnerable to a denial-of-service attack. An eavesdropping device anywhere on the line would render the line compromised and unusable until the eavesdropping device was found and removed. It doesn't even have to be a real eavesdropping device, it just has to trigger the quantum detector. Cheap and easy DOS.

Re:Factor?

[HrothgarReborn]

I know you are joking but I have actually had a boss that used this to reason why many security enhancements (like encrypting passwords on the network) were not worth implementing. It is a silly analogy that many people people believe.

Network based attack are far more common that physical attacks for a lot of good reasons. The main ones are:
1. Need for proximity is often removed
2. There is anonimity (much of the time)
3. There are less legal consquenses
4. Culpability is harder to prove (Log files don't stand up as well as DNA)
5. It involves mental rather than physical skill
6. For many people it is an easier moral justification
7. Ability to attack thousands of targets at once
8. Low impact for jobs that don't pan out as expected
9. No messy cleanup.

In the world of data security you cannot draw good comparisons to physical secuirty. Often in the physical world you just need to make sure your car is harder to steal than the one parked next to it but in cyberspace a single car thief can attack a whole parking lot, drive away with all of them at once, not show up on any security cameras and even put a remote control device in your car to take over at their whim later. What's best is he can do this from a wheelchair, from a distant city, can be any age, sex, social position or race so profiling doesn't work to narrow suspects. A lot of time there is no motive (not even a finacnial one) other than just the trill of seeing if you can do it. The analogy of relating cyber security threats to real world examples does great injustice to understanding the real problem. But humans need something concrete within their own experiance to relate the problem to and so everyone ties the cyber world to the physical and many bad decisions result.

Sorry, but I have heard the "they can beat my password out of me easier" a few too many times in complete seriousness to let this pass without comment.

As for traditional social engineering, it is often quite easy to get someone to tell you their password but it is much more complicated to fool someone into telling you their 2048 bit private key.

Re:Factor?

[drgonzo59]

Quantum encryption will make "man-in-the-middle" impossible. The attack works by reading the information and perhaps retransmitting it. You can do that with a classical line, but in the quantum case the moment someone start "reading" the information there will be a large increase in errors and thus the attempt will be evident.

In other words you can still cut the lines, and stop the communication but you cannot launch a "monkey-in-the-middle" then, since an error will be detected and make your attempt obvious.

If you are thinking of someone (Eve) setting up a completely new channel of communication and fooling one of the parties (say B) that she is other party (Alice), then that is not "man-in-the-middle" it is an authentication problem.

Re:Factor?

Some examples of popular and well-respected symmetric algorithms include Twofish, AES (aka Rijndael), Blowfish, RC4, 3DES, and IDEA.

Re:Factor?

[empaler]

You must mistake me for someone who lives in a country with even less privacy than the one that I *actually* live in. Then again, the US acts as if it owns the world anyway.

Re:Factor?

[Retric]

How do you think "man-in-the-middle" attacks work vs RSA style public key incription? You can call it an authentication isue if you want but it's all under the heading of "man-in-the-middle" attacks the goal of which is to fool both party's into talking to the wrong system. In any case you can fool QM based encription if you get both party's talking to you while they think they are talking to eachother on ALL channels.

If you want to get into a semantic argument fine, but if people think QM is going to fix the security isues they are going to make it easy for people to fool them. QM gives you little advantage over public key's but it makes it easyer to fool the system. With public key's you can distribute a key with the softwhere/hardwhere but with QM your trusting that nobody is messing with your network which IMO is little better than assuming that nobody can take tap a fiber line under the ocean. (Which RUSSA fell for.)

Re:Factor?

[Retric]

Hmm, you might be miss understanding what I am saying. Let's say Allice and Bob have 2 lines one of which is sending QM info an the other is a classic line which athentecates which QM bits where valid and then the message incoded with those bit's. Now of you tap both lines you can get Allice to send you the message read it and then reincode it for Bob; which is the clasic "man-in-the-middle" attack. You do need acess to both lines, but if you have a few hundred miles of fiber it's not posible to guard all of the line and if people assuem that QM is making things safe they might use 2 strands of fiber on the same cable for this which would make it realy easy to subvert.

Re:Factor?

[Retric]

You don't need to encode all of the disk using RSA encription. You can use RSA to secure your key's for some other faster system. Basicly at startup you need to enter your private key and then the system decodes the key(s) that let it decode the HDD but after startup you don't spend any time decoding RSA data.

Re:Factor?

[cburley]

P = NP is almost surely false.

Not for N=1 or P=0.

;-)

Re:Factor?

[anethema]

Sure the scheme itself loosely does this, but you can also use the public key to encrypt anything, without even distributing it.

With quantum 'encryption' all you are doing is sending photons down a optic line in such a way that if they are intercepted, you will know about it. There is no actual encryption going on..at all.

Re:Factor?

[anethema]

True but as the post above mentions, it will probably be used to exchange a symmetric key with total security then not be used again untill next time a key needs exchanging. So a DOS -could- be effective but by the time the thing is needed again, engineers, fbi, whoever can be sent to remove the device to exchnage another key.

Considering some forms of encryption cannot realistically be broken in any kind of human time-frame, this is a pretty good overall idea i think :)

Congrats

The answer was 42!
Now what was the question

Re:Congrats

What does you get if multiply 6 by 9?

Factored... Big Deal

hmm this doesn't suprise me that they already factored the 193 digit encryption code. Bring on the 293 digits!

Re:Factored... Big Deal

[DeafByBeheading]

Actually, the next one has only 212 digits...

Re:Factored... Big Deal

[photon317]

The 212 digit one (RSA-704) won't be cracked for a long, long time yet using current algorithms like the ones the RSA-640 winners did. 640->704 doesn't sound like much, but it is monumental. I did some back-of-the-envelope math. I'm naively assuming that with a 64-bit gain in key size, the problem complexity is 2^32 harder (since one factor is always under the square root). I'm sure that seive algorithm they're using manages to cut that 2^32 down some, but it's not going to make a practical difference I don't think. If you happen to have ~8000 Opteron cpus at your disposal instead of their 80, and you have the same code they cracked RSA-640 in 5 months with, and it scales up to 8000 cpus just fine, it would take somewhere in the neighborhood of hundreds of millions of years to break RSA-704.

Re:Factored... Big Deal

[photon317]

Scratch that, I read some more about the GNFS they're using, and while I don't claim to understand completely, I don't think it would take them 2^32 longer to reach RSA-704 - it may well be in reach in the relatively near future.

Re:Factored... Big Deal

[clap_hands]

They've already factored one with 200 digits last May (RSA-200).

Re:Factored... Big Deal

[owlstead]

Yup. One of the reasons being that you only have to factor in primes. Bwahaha, factor in, I crack myself.

Hmmm.

[jd]

The German Federal Government is short on cash, I know, but resorting to funding the "Agency for Information Technology Security" by winning RSA contests? Besides, if they're so up on IT security, why didn't they just cheat by logging onto RSA's computers?

Re:Hmmm.

[LnxAddct]

While I think your remark was a joke about them breaking into RSA's computers, this is still worth mentioning. Noone in the entire world knows or has ever known the factors of the remaining numbers. Read this for more info.
Regards,
Steve

Re:Hmmm.

[superpulpsicle]

Could Germany's government cash shortage have anything to do with the population decrease crisis. People just aren't having enough kids down there.

Re:Hmmm.

[panth0r]

Let's seriously think about this, the Germans, if anything, lost money on this excursion, they upped an bought 80 opteron processors with the hardware required to run them and the RAM needed, they pumped electricity into the building where this heavy processing was taking place, and they paid the people running the computers... all for $30,000 - fees, customs, taxes and such... if anything, they probably lost a substantial sum.

Re:Hmmm.

The laptop's hard drive was destroyed.

I wonder if it's still on EBay...

Re:Hmmm.

[quigonn]

Boy, I don't know where you live, but in central Europe, problems are hardly ever monocausal. And how could more kids generate money, anyway?

Re:Hmmm.

[Vlad_the_Inhaler]

The main cause is reunification, the secondary causes could be said to be an economic slowdown which started in 2001, some tax cuts which were designed to stimulate growth, and the introduction of the Euro which was often used to hide price increases. Some of those price hikes were perceived rather than real, but consumer spending went way down as a result.

Re:Hmmm.

[andersa]

4. The laptop's hard drive was destroyed.

Hey? No pictures?!?!!!

Re:Hmmm.

They buy children in Belgium

http://www.unhchr.ch/Huridocda/Huridoca.nsf/0/eee2 76066375879b8025689600531c70?Opendocument

Re:Hmmm.

[lowy]

Thanks for the link Steve. Are you affiliated with RSA? RE: Step #4 "The laptop's hard drive was destroyed". Cute touch, but I can't help wondering why they just don't instead temporarily remove the laptop's hard drive, boot and run the test from a CD, and save hundreds of dollars per contest?

Re:Hmmm.

[tepples]

I can't help wondering why they just don't instead temporarily remove the laptop's hard drive, boot and run the test from a CD, and save hundreds of dollars per contest?

I'd imagine that all the contests up to RSA-2048 were generated in one pass. It would save tens, not hundreds, of dollars per contest.

Re:Hmmm.

[way2trivial]

but they STILL HAVE the hardware, which they can now continue to use, or sell..

Processor time?

[panth0r]

I think that's really cool and would wish them the best of luck, but I would like to know how many processor hours that took them to crack it? Also, with that chunky $30,000 reward, did they turn any profit (after taxes, fees, and such). Second one's a joke, calm down. But it'd be cool to know the processor time it took.

Re:Processor time?

[et764]

Does anyone know of something like the GIMPS to factor these RSA numbers? It seems like if 80 Opterons can do it in 5 months, a massive distributed network of computers donating idle time could do this in a much shorter amount of time, such as churning out a new factorization every few weeks. I have a feeling the larger RSA numbers quickly become much more complicated to factor. Does anyone know the complexity class of factorization?

Re:Processor time?

[Dubpal]

When RSA-200 (a number similar in size to RSA-640) was cracked it was reported (and is noted on this wikipedia page that:

The CPU time spent on finding these factors by a collection of parallel computers amounted very approximately to the equivalent of 55 years work for a single 2.2 GHz Opteron-based computer. Although that's a rough approximation, it certainly puts the magnitude of effort cracking these numbers involves.

Re:Processor time?

[Joe+Random]

Although that's a rough approximation, it certainly puts the magnitude of effort cracking these numbers involves

Also bear in mind that increasing the size of the number by a single binary digit doubles the search space needed to find a solution. RSA-640 has, obviously, 640 binary digits. However, most common RSA keys have at least 1024 bits, and some have upwards of 4000 bits. Do the math and you can see that there's a loooong way to go before anything that is currently being used will be cracked in any reasonable time.

Re:Processor time?

[xquark]

Contrary to popular belief a large part of the GNFS (the last most important phase, ~80% of the
algorithms run time) is actually sequential and can not be parallelized in any way shape or form.

Arash Partow

Re:Processor time?

[Thundersnatch]

single binary digit doubles the search space needed

We're not talking about symmetric cryptography here. We're dealing with large prime numbers and lots of funny math. The General Number Field Sieve factoring algorithm is not O(2^n) like a brute force search on AES would be. The actual order of growth of the GNFS algorithm is:

O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3))

This can be found numerous places on the web. So adding one bit to your RSA key does far, far less for you than adding one bit to symmetric cipher like AES. You can do the math yourself, but you'll find that you need to add >>1 bits to an RSA key to double its strength.

Re:Processor time?

[Thundersnatch]

Assuming 50W per Opteron and 5 months continuous operation, I calculate they spent at least US$1400 on electricity alone (based on Chicago electric prices, I'm not sure if it's more orless over there).

And that figure ignores the electriciy used by the other components in the computers (be they servers, workstations, or whatever).

Still, the $30K in prize money goes a long way toward paying the electric bill.

Re:Processor time?

Yes. It's called NP-Complete.

Re:Processor time?

Parent wrote:
>I have a feeling the larger RSA numbers quickly become much more complicated to factor. Does anyone know the complexity class of factorization?

*** Some other AC just posted that it's NP complete. I disagree.

Integer factorization is clearly within the complexity class NP, so that puts an exponential upper bound on the solution. However, it's trivial to show that factorization is a fairly small subset of SAT, so I'm inclined to guess that factorization is in the complexity class GI (graph isomorphism).

All problems in NP can be solved in 2^O(poly(N)) by brute force if necessary, and the fastest NP complete solvers run in 2^(sqrt(N)). However, that's made mostly irrelevant by the known fact that GNFS runs in 2^(cuberoot(N * logN * logN)). In other words, GNFS (factorization) is faster than the fastest of NP complete solvers.

Presently we know P <= GI <= NP, but we do not know if any of these are proper inclusions. However, based on my personal study, I believe that P < GI < NP. I also believe that RSA-1024 is more than 8000x harder than RSA-640, and RSA-2048 is more a million times harder than RSA-1024. Therefore, I have a gut feeling that barring a better "crack" on factoring, RSA-2048 will be "safe" well beyond the lifetimes of our great, great grandchildren.

N.b. I know that personal opinions don't carry much weight coming from an AC, but that's all I can offer.

Re:Processor time?

[Bubble666]

It's actually less of a chunk.. it's more something like 20k
http://www.rsasecurity.com/rsalabs/node.asp?id=209 3
RSA-1024 with a reward of 100 000$ USD seems to be the best cpu time/reward challenge

Re:Processor time?

[et764]

Could using a less efficient, but parallelizable algorithm work? If GNFS can only run on 1 CPU, it seems like it's easier to add more CPUs, and while a parallelizable brute force algorithm for example is still going to be 2^O(poly(N)) (barrowing from another post), it's a lot easier to make the constant multiplier on this smaller than it is for the GNFS. In the general case it will still be really easy to make a key that can't be factored in a feasible amount of time, it seems that a less efficient but parallelizable algorithm would bring the next RSA number or two into the realm of possibilities. It shouldn't be too hard to find the equivalent computation power of 160,000 Opterons (hmm.. that's a bigger number than I was expecting), especially given that historically computing power has been growing exponentially.

If GNFS isn't parallelicable, why did they use 80 Operons? Maybe this was to speed up something like multiplying large numbers together?

Re:Processor time?

[et764]

It's a shame you haven't been modded any higher than you have yet. This is a very informative post. I hadn't heard that SAT falls into another category, GI yet, but I knew SAT was NP-Complete. I knew PRIMES is in P, but factorization is quite a bit different than PRIMES.

How small of a subset is factorization of SAT? Aren't some subsets of SAT (like 2-SAT) in P?

If RSA-1024 is only 8000x as complex as RSA-640, I wouldn't bet on it lasting too much longer. A machine with 80 Operons did RSA-640 in about half a year, and there are definitely much more powerful computers out there. Plus, computer power has historically grown exponentially, so it shouldn't be that long until enough computing power would be available, even if it's not today. Of course, increasing the key size of RSA is a lot easier than increasing computing power (unless someone manages to make a quantum computer), so some variant of RSA will probably be safe, provided no holes are found.

Re:Processor time?

[ZachPruckowski]

Well, if they do it serially, couldn't they just split it up? I mean, hey, computer 1, you take 1-100, computer 2, you get 101-200, etc.?

Re:Processor time?

Ooops. I made an error in my post, so I need to clarify: My numbers were based upon the formula that limits the growth of what I believe the lower bound for GI Complete; however, the curves intersect at about N=65536, so I have given a false expectation. As it turns out, GNFS's runtime "only" grows by about a million times as N goes from 640 to 2048, which is several orders of magnitude better than I projected.

Anyway, I'd easily wager that no computer will ever solve the hypothetical RSA-65536. There simply are not enough particles in the universe to store all of the necessary internal state for the algorithms (yes, I'm saying that it would be impossible for quantum computers to do it).

Re:Processor time?

[locofungus]

Although it doesn't say it here the matrix reduction phase usually requires a supercomputer with vast amounts of memory.

If they have cracked this just using Opterons then that is a major breakthrough and would make factoring SSL certificates within the target of zombie networks.

On the other hand, if this is 5 months of opteron + a week of supercomputer then that $1400 electricity bill for the opterons is going to be dwarfed by the costs of the supercomputer time (and probably electricity)

Tim.

Re:Processor time?

>Aren't some subsets of SAT (like 2-SAT) in P?
2-SAT is in P (and apparently NL which I have not studied), but 3-SAT is NP complete.

>How small of a subset is factorization of SAT?
You can easily construct a multiplcation circuit and then ask whether the given "inputs" multiply out to a predefined value, except you have to include overflow restrictions to prevent aliasing so you don't get the wrong result like: 5 * 9 = 13 (mod 16 or 32). Anyway, this method allows you to transform any factorization problem into a SAT problem; so factorization is a subset of SAT. How small? Well that's a bit harder to quantify.

Remember that simply going from 2-SAT to 3-SAT crosses the line from P (a small subset) to NP complete (the identity subset). I consider it a small subset because it's a well-defined transformation that's at worst N^2 in the size of the input, which is sqrt in the size of the target value. That makes it a linear transformation in the size of the target, but there's a lot information "lost" in the reduction so I believe it to be irreversible and therefore a small subset. Technically you could prove me wrong by showing a transformation from some NP complete problem onto factorization, which would mean factorization is NP complete. However, for all we know, there may be some way to prove that factorization is in P (this would be a natural consequence if someone proved P = NP).

For another example of a subset of SAT that's solvable in P, replace the multiplier above with an adder or remove the overflow/aliasing restriction on the multiplier. In the case of addition, the resulting problem is related to the subset-sum problem, which is NP complete; however, it differs from subset-sum in that it only considers one addition instead of the additions of an exponential number of subsets.

>If RSA-1024 is only 8000x as complex as RSA-640...
I incorrectly corrected myself in a followup post before I noticed your reply, so I'll correct it here. GNFS grows from 2^73 to 2^90 to 2^120 as it goes from 640 to 1024 to 2048 bits. That's a growth of 128k followed by a growth of 1 billion (2^90/2^73 = 2^17, and 2^120/2^90 = 2^30). I stand by my belief in a lower bound for GI that predicts minimum growths of 2^13 and 2^21 for those same numbers.

--- Switching gears ---

>computer power has historically grown exponentially
Transistor density has doubled approximately every 18 months. As the die sizes have fallen, clock rates have gone up; however, we've reached a plateu as I'm sure you've noticed. Clock speeds have not increased much in the past few years, but we have seen a rise in hyperthreading/multi cores. I personally do not expect to see more than a couple of doublings over the next decade, but I'll assume that we will see doublings every 18 months for the remaining calculations.

To achieve an increase of 2^33, we would need to see 33 doublings, or 50 years worth of steady performance growth. (* As a bonus exercise, go check my fact that we only need about 10 doublings = 15 years to get from current supercomputers to the ability to simulate a human nervous system.)

Using GNFS, that would require at least 47 doublings; 47 * 1.5 = 70 years before we would have the technology to break RSA-2048 as quickly as they broke RSA-640. And that's just one key, and that's assuming everything goes right.

But wait... I'm just getting started. Let's talk memory requirements. I don't know about the GNFS memory requirements, but I believe that my theoretical performance lower bound for GI is also the lower bound for memory usage. If that's true, then assuming you could get away with storing only one bit per atom, the largest power-of-2 RSA factoring problem we could solve with all the resources of the planet would be RSA-4096. (RSA-8192 would require several times the 2^163 atoms in the planet, and RSA-65536 would a good chunk of the 2^264 atoms in the known universe.) As for "likely," I'd estimate a top end just past RSA-1024 but well shy of RSA-2048, which would literally require megatons of RAM if my calculations are correct.

Again, I've presented a lot of IFs and speculation from an AC, but that's the best I've got.

Re:Processor time?

[multiplexo]

We're not talking about symmetric cryptography here. We're dealing with large prime numbers and lots of funny math. The General Number Field Sieve factoring algorithm is not O(2^n) like a brute force search on AES would be. The actual order of growth of the GNFS algorithm is:

O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3))

This can be found numerous places on the web. So adding one bit to your RSA key does far, far less for you than adding one bit to symmetric cipher like AES. You can do the math yourself, but you'll find that you need to add >>1 bits to an RSA key to double its strength.

How much longer would it take to break a 1024 bit cypher using this method? I can't get bc to do the math for me.

Re:Processor time?

[Thundersnatch]

Surprisingly, lowly Excel was able to handle this math for me.
It looks like a 1024-bit number will take about 73,500 times as long as a 640-bit number to factor using GNFS. Which correlates to about 2.4 million Opteron-years, based on the German factoring of RSA-640.

Here's a table:
bits|GNFS complexity
384| 8.09434E+16
512| 1.75249E+19
640| 1.78448E+21
768| 1.07460E+23
896| 4.37451E+24
1024|1.31176E+26
1536|1.30666E+31
2048|1.52656E+35
3072|5.77594E+41
4096|1.28186E+47

My understanding of GNFS is that only the sieving steps are trivial to parallelize. The final steps must be performed on a single machine with huge memory. So perhaps a 1024-bit RSA number is even safer than my math indicates, as it may be that no machine which can handle the final steps for a 1024-bit number exists.

Re:Processor time?

[Thundersnatch]

Something else interesting from my math:

Bits|GNFS complexity
640|1.78448E+21
641|1.84589E+21

So adding a single bit to a 640-bit RSA key makes it just about 3.4% stronger. This cannot be easily extrapolated, though, because of the non-linear complexity of GFNS. A 1025-bit RSA key is only about 2.6% stronger than a 1024-bit key, for example.

Re:Processor time?

[scruffy]

O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3))

You are missing parenstheses. You probably meant:

O(e^{(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3)})

Re:Processor time?

[Thundersnatch]

Good catch. That's what I get for cut-and-pasting the formula from a PDF into text.

I think the calculations I made about relative complexity in another part of this thread are correct, though. The Excel formula I used for those calculations was:

=EXP(1.9229*POWER(k*LN(2),1/3)*POWER(LN(k*LN(2)),2 /3))

where k is the number of bits in the number to be factored. In the original formula n=2^k, so ln(n) = k*ln(2). Or did I screw seomthing else up?

Re:Processor time?

A serial algorithm means splitting it up is kind of useless because 1-100 would have to be completed *before* you could start working on 101-200.

Re:Processor time?

[ZachPruckowski]

AC's post: A serial algorithm means splitting it up is kind of useless because 1-100 would have to be completed *before* you could start working on 101-200.

We're talking about multiplying prime numbers, right? So couldn't I split the list of known primes in half, and give the halves out so that the 3 possibilities are covered by 3 computers. For instance, 1 computer does half A x half B, another does AxA, and the third does BxB. When one of them finds it, I stop them all.

hats on, everyone!

[cryptoz]

Cue tin foil hats.....now!

As the owner of a cryptography website...this news is interesting to hear. I remember people saying that the later sets of problems in RSAs would hold out. Guess not. (Note the growing gaps in dates in the table in TFA). A good read, actually. Congrats, guys.

Cost/digit

You know, someone needs to compute the cost of factoring per digit and weight that cost against other priorities. I wouldn't mind if they were testing some new cluster, but testing for 5 months is a bit of a stretch. Even considering that they received 20k$ for their efforts, the waste is just repulsing.

Irrelevant

[ReformedExCon]

Brute force will eventually figure out the factors, unless the universe experiences heat death first.

The real interesting thing is whether we can solve the problem simply and in a reasonable time (less than 5 seconds on modern hardware). Unfortunately, that algorithm is still not available.

Re:Irrelevant

[woolio]

Unfortunately, that algorithm is still not available.

AHEM! More like FORTUNATELY that algorithm is still not available!

Re:Irrelevant

[patio11]

From a security point of view, "less than five seconds on modern hardware" is absolutely unnecessary. After a transmission has been intercepted, and we work under the assumption that essentially all of them are these days, that transmission has to remain secure potentially for a very, very long time (sure, an encrypted radio communication might have no operational significance in two hours -- an encrypted dossier of a field agent had better stay secure until he's dead, and an encrypted report on security breaches in US nuclear command&control protocols better stay unbroken for the better part of the next century). And what takes a beowulf cluster of supercomputers 5 months to do today will be possible to crack on a botneck in less than a week by 2010, I guarantee you (I write distributed applications for a living and worked with a three-letter agency which was rather miffed that a competing TLA had the existence of their own internal distributed cracker leaked to the press back in 2002 or so). A couple years after that it will be a few minutes on dedicated hardware and a few years after that a desktop machine will smash it as a matter of course. Events like this are warning flares to people with serious security needs that you need to start transitioning to harder codes or longer key lengths.

Re:Irrelevant

[Barnoid]

Unfortunately, that algorithm is still not available.

And will not be, unless P=NP, or we use some form of new computers.

Re:Irrelevant

[ReformedExCon]

From a mathematical and scientific point of view, solving factors in constant time is very interesting. Security based on prime factorization will simply be one technology that will be obsolete if a general algorithm can be found that runs in constant time. I gave it 5 seconds because I don't know how many steps such an algorithm would take, but 15,000,000,000 CPU cycles ought to be enough.

Re:Irrelevant

[cpeikert]

And will not be, unless P=NP, or we use some form of new computers.

Factoring is almost certainly not NP-hard. It could very well be that P != NP, and yet factoring is easy.

Re:Irrelevant

It is very relevant. Most people need their cryptosystems to be unsolveable for periods longer than 8 months. Most systems cannot and should not use excessively large keys due to CPU, storage, and threat requirements. These contests provide solid data that can be used in the risk analysis that leads to determination of key lengths.

Re:Irrelevant

[Jobe_br]

Factoring is almost certainly not NP-hard.

Ahem, not exactly.

It is not known exactly which complexity classes contain the integer factorization problem. The decision-problem form of it ("does N have a factor less than M?") is known to be in both NP and co-NP. This is because both YES and NO answers can be checked if given the prime factors along with their primality proofs. It is known to be in BQP because of Shor's algorithm. It is suspected to be outside of all three of the complexity classes P, NP-Complete, and co-NP-Complete. If it could be proved that it is in either NP-Complete or co-NP-Complete, that would imply NP = co-NP. That would be a very surprising result, therefore integer factorization is widely suspected to be outside both of those classes. Many people have tried to find classical polynomial-time algorithms for it and failed, therefore it is widely suspected to be outside P.

Stolen liberally from Wikipedia: http://en.wikipedia.org/wiki/Prime_factorization

Re:Irrelevant

[cpeikert]

What did I write that is inconsistent with the wikipedia entry?

"Integer factorization is widely suspected to be outside both of those classes [NP-complete and co-NP-complete]."

Just because a problem is outside P, doesn't mean it's NP-hard. Which is exactly what I said to start with.

Re:Irrelevant

In fact, the whole _point_ of the RSA contests is to make it more worthwhile for people to disclose that they can factor such numbers. This way the security community has a general idea of where people are up to. Of course, governments may have more valuable uses for factoring technology.

Re:Irrelevant

[nvlass]

Let's build ultimate the RSA-640 look-up table, so we can do it in O(1)!!!!

Re:Irrelevant

[meringuoid]

an encrypted report on security breaches in US nuclear command&control protocols better stay unbroken for the better part of the next century

Nah. Ten years, tops.

If a report exists on security breaches in the nuclear command protocols, then presumably those flaws were fixed, and fixed fast - nobody wants to risk a Strangelove scenario. The only serious risk, then, is the embarrassment factor of a leak, and that does not matter once the president of the day is no longer in power. Who cares if a scandal comes to light affecting the president-before-last?

Re:Irrelevant

> Let's build ultimate the RSA-640 look-up table, so we can do it in O(1)!!!!

I do realize you're joking (mods: give parent +5 funny, but don't waste your points on this post), but I have a compelling need to be a spoilsport and point out a few things:

1. lookup tables are not O(1) as commonly believed
   There's a common misconception that tables are O(1) that seems to stem from the fact that under limited circumstances a computer can perform random access lookups in O(8/16/32/64 bits), which is (duh) logarithmic in the size of the number being addressed. Essentially the hardware designer has made makes a limiting assumption for you: that no number can be larger than N bits. This assumption allows the hardware to perform a logarithmic search behind the scenes, and that search appears as a constant time lookup; however, if you built a table larger than your hardware can address, you would quickly discover the logarithmic nature of a table lookup.
   
   Consider a massive array of 2^80 table built with 2^20 clusters of computers, each with 2^20 hard disks, each holding 1TB (2^40 bytes) of data. You want the #1010101010000010000100010001000101001000101111011 1110001001010101111111111001011b-th byte. How do you get it? Well perhaps you know that the first 20 bits resolve into a cluster identifier, and then the next 20 bits resolve to a disk number, and the remaining 40 bits resolve as an index on the hard drive. Rhetorical question: what happens when we add another bit? Clearly this is a logarithmic process (polynomial in the number of bits).
    
2. Building the table would take exponential time in the number of bits (i.e. 2^640).
3. There are no where near 2^640 atoms in the known universe (google it -- there are only about 10^80 = about 2^266), so it would be physically impossible to build such a table!

Arrgh!

[Ventriloquate]

My TI-82 was just about to solve that one!

Re:Arrgh!

[asm_rocks]

ummm... OH, it's a joke.

Re:One of Bill Gates' dreams...

[et764]

Well, he certainly failed miserably at using less than 640k.

I got part of it

[pHatidic]

I knew that one of the factors ended in a 1 and the other ended in a 9 or that they both ended in 3. Am I eligible to split the prize?

Re:I got part of it

No, what about 7 and 7?

Re:I got part of it

[Spy+der+Mann]

I tried that trick when I was younger, to see if i could reduce the complexity of factorization.

Turns out these number anomalies only happen with base-10 numbers. When you have base-16 numbers, these mysterious relationships of the last digits disappear.

It's not a very useful knowledge, but I thought you should know.

Re:I got part of it

[pHatidic]

ahh true...well that still rules out 97 out of 100 possibilities. I.e. each number could potentially end with any of 10 digits, and same with the other number so that is 100 combinations. But we know that the only ending digits can now be 1&9, 3&3, or 7&7. 97% elimination rate ain't that bad.

Re:I got part of it

base 16 has analogous relationships.

Re:I got part of it

[stevey]

Turns out these number anomalies only happen with base-10 numbers. When you have base-16 numbers, these mysterious relationships of the last digits disappear.

If only there were some magical way of turning numbers from base-16 into base-10. Then those tricks would suddenly be useful again...

Re:I got part of it

[pHatidic]

Yeah I think everyone tried that when they were younger. It seems like such an obvious thing, except for that it breaks down so fast, esp when you get a zero in the sequence.

Re:I got part of it

[LnxAddct]

Well, I guess it depends how you look at it. Every RSA number can have factors that end in 1 combination out of 10 possible combinations (this is common knowledge). These combinations are: 1*1, 1*3, 1*7, 1*9, 3*3, 3*7, 3*9, 7*7, 7*9, 9*9 . Now you've reduced it from 10 to 3, a 70% reduction (still good). You can continue this process to the 2nd digit and so forth, but it eventually all evens out and you wind up having to do just as many calculations as though you divided up the sqrt(n) by every odd number that doesn't end in 5. Saying a 97% reduction is a little misleading, or maybe I'm just too used to automatically discarding even numbers and multiples of 5 in my head.
Regards,
Steve

Re:I got part of it

[Pogue+Mahone]

well that still rules out 97 out of 100 possibilities.

Not really. Both of the factors are prime, so that means that the last digit cannot be 0, 4, 6 or 8. Its also very unlikely to end in 2 or 5, since there is exactly one prime number ending in each of those digits, and those can be ruled out by simple observation. That leaves 4 digits --- 1, 3, 7 and 9, thus there are 16 possible combinations for the two last digits. You narrowed it down to 4 of those possibilities: 1 and 9, 3 and 3, 7 and 7, 9 and 1. So your elimination rate is a mere 75%. Sorry to disappoint.

Signed:
The Math(s) Nazi

Re:I got part of it

[Chapter80]

RSA-640 ends in a 9.

I know you were joking, but you said that the factors must either end with (1,9) or (3,3).

You forgot about (7,7).

how long would it take..

[KingPunk]

im curious as to how long itd take on the national computing grid? ..gee, couple days, tops?

What if...

[nxtr]

What if there's a team that started with a slightly slower machine before them and they only needed a few more days to complete the factoring?

Re:What if...

[panth0r]

Like in academics, athletics, and and other competition, there should be no prize for second place.

Re:What if...

They lose.

"640 bits...

[Joe+Random]

should be enough for anyone."

Re:celeron's

[panth0r]

I'm not going to get into an involved response, but had they opted for Celerons rather than Opterons, the time would have been much, much greater, start at any level you want and the Opteron is a better processor for this job.

Dual Cores

[Zuul42]

If they had waited three months, they could have used dual core CPUs and solved it in half the time.

Oh wait. No, that wouldn't have worked. Nevermind.

Re:Dual Cores

Actually, if they were using opterons thats not too far from the truth, assuming there isnt heavy communication. Factor in the possible frequency bump for the same price you might get through 3 months, its probably true.

Re:Dual Cores

[et764]

Reminds me of this paper where they argued that large computations can actually be completed faster by slacking off for a few months and then buying a faster computer.

Zombie Cluster

[happyEverGeek]

I wonder how long it would have taken 1.5 million zombie PCs.

I'll wait for RSA-2048

[Myria]

I won't be interested until they do RSA-2048. Then we could factor the Xbox private key and do whatever we want.

Melissa

Re:I'll wait for RSA-2048

[adlib24]

Of course we would only do perfectly harmless things... like...um...use Xbox Live to construct a cluster to factor RSA-4096. ;)

p.s. all your xbox is belong to us.

Re:I'll wait for RSA-2048

[MichaelSmith]

factor the Xbox private key

Sounds like a good idea for a pure OSS distributed application. Of course then Microsoft would run rogue clients to stuff up the factoring process.

Does anybody else thing this is feasible? Is it worth working on?

Re:I'll wait for RSA-2048

[ClamIAm]

I thought that this guy already figured it out, but didn't want to get litigated into obvlivion.

Re:I'll wait for RSA-2048

[Threni]

> I won't be interested until they do RSA-2048. Then we could factor the Xbox private key and do
> whatever we want.

How would someone brute-forcing cracking an RSA-2048 key help you factor a different key?

Re:I'll wait for RSA-2048

[jsight]

Yes, and No.

It's been tried before, and it is not feasible.

shooting from the hip again, eh?

The article summary even says they used the General Number Field Sieve. Nobody uses Trial Division. Try not speaking from a position of ignorance next time.

Wow

[raoul666]

I've seen these for a while, never thought they'd be on-topic...first prime factorization post, here it is:

1634733 6458092538 4844313388 3865090859 8417836700 3309231218 1110852389 3331001045 0815121211 8167511579 x 1900871 2816648221 1312685157 3935413975 4718967899 6851549366 6638539088 0271038021 0449895719 1261465571

An idea

[bradbeattie]

Why don't we just start using 1.44mb encryption keys. We'd finally have a use for all of these floppies.

Re:An idea

Of course you know that a 1.44MB formatted disk(FAT formatted) only has 1.38MB of free space. So we would need 2 damn disks for your 1.44MB key.

Re:An idea

If you're only going to store one thing on a disk, why bother with a filesystem? It's just /dev/floppy or something.

Re:An idea

[lisaparratt]

That's a genius idea! The bad sectors and general failures that HD floppies are reknowned for will provide completely uncrackable encryption! /me goes to patent it

Re:An idea

[Ibag]

I realize you were joking, but I'd like to respond anyway.

RSA keys are based on having two large prime numbers whose product is then difficult to factor. In general, the larger these numbers are, the harder it is to factor: trial division is O(sqrt(n)), and even the best methods of factoring are still of increasing time for increasing numbers. Using a general method, a 1.44mb key would take a LONG time to factor. However, there is one very important caveat...

If you go high enough, people don't know very many primes. In fact, there are lists of the largest known primes. I'd wager that there are less than a few thousand known primes greater than 2^720k, probably a lot less. This means that if you have a 1.44Mb number which you know to be the product of two primes, then either you can do trial divisions from a short list to factor the number, or else someone has discovered a new large prime.

In short, if you have a large enough key, the task of generating primes is difficult enough that factoring becomes much easier. To give you an idea of how difficult finding primes is, n has about a 1/(ln n) chance of being prime, and using a specialized algorithm, it takes about a day to check a mersenne number of this size for primality. General algorithms are, of course, slower. This means that, to perhaps an order of magnitude or two, it would take about million 1Ghz computer days to find two new suitible primes to multiply together. Of course, if you do this, its not likely that someone will crack your key without a quantum computer, but its also not likely that you will find a key pair until quantum computers are widespread.

I guess if you want big keys like that, you should look into eliptic curves. At least by the time you generate a key, there is a chance that it won't be trivial to break!

Re:An idea

[locofungus]

If you go high enough, people don't know very many primes. In fact, there are lists of the largest known primes. I'd wager that there are less than a few thousand known primes greater than 2^720k, probably a lot less.

Depends on whether you want provable primes or probable primes.

It's a five minute job to generate a few thousand probable primes >2^720k. Don't know what you'd do with them though.

And they will be prime, you can make the probability of them not being prime as small as you like - 1 in 2^100 should be enough.

But if you want to prove them prime then that is a different matter.

Every prime used in a real implementation of public key cryptography is a probable prime. The only reason for proving a number prime is to get yourself on the record books.

Tim.

Re:An idea

[Short+Circuit]

Encode your key with some sort of error correction, like Hamming code combined with 512-line striping. Then perform a low-level format on the floppy to give it enough extra space for your error-correcting bits.

You could lose up to one sector for every seven, without any trouble. If you go up to 1024-line striping, you can even lose two adjacent sectors. 1024 lines would give you four.

Try formatting a floppy with 12 sectors per track, 80 tracks, and use 6144-line reversing striping. (12 sectors * 512 bytes/sector) In your first pass, read one sector from each side of each track, starting at track 0 and ending with track 79. Next, read the next sector from each side of each track, starting at track 79 and ending with track 0. Repeat back and forth until you've read the whole disk.

You've now got a fairly fault-tolerant, if a bit slow, floppy disk. Add whatever data you'd like. The failure of up to 80 sectors can be tolerated, without loss of data. And you can lose up to 12 adjacent sectors, an entire track. (Which is more likely than 12 randomly scattered sectors; Physical damage tends to occur in streaks.) At worst, you lose 512 bytes of data if you lose the same-numbered sector on two tracks near each other.

Re:celeron's

[scbysnx]

I think he was joking.. I hope he was joking

wikipedia article and easy money

[millette]

The Wikipedia article on RSA-640 has more info. Check this for easy money ;)

Computing Power

Which means you'll be able to buy a wristwatch next year that can do it in 5 minutes.

RSA Cracked

[Joseph_V]

And in only 5 months... how P Q ular.

One of the great Two problems Solved

[icecow]

...now if he could just find his keys.

WTF is the General Number Field Sieve...

[acidblood]

...many are asking. It's hard to find introductory materials on the NFS, because the number of people who actually understand the algorithm is probably in the hundreds, if not less, and most are worried about research not teaching. For those interested in a high-level view, plus some low-level details, of the (special and general) NFS, you can have a look at the slides for a talk that I gave on exactly this topic at a crypto workshop a couple of months ago. I won't even try to summarize the NFS here, because anything other than a very high level, handwaving, bird's eye view of NFS would take the better part of a page to explain. However, in this thread I can answer specific questions that anyone might have about the talk above.

Now for those with the mathematical maturity to delve into the algorithm, I suggest the book Prime Numbers: A Computational Perspective by R. Crandall and C. Pomerance (link to Amazon.com lifted from Google, no referrals), which is certainly one of the best introductions to the algorithm that I have read.

By the way, if anyone wants to help perform huge factorizations in a distributed computing network, check out the NFSNET, although they mostly apply SNFS on values from the Cunningham tables, no cryptographic targets.

Re:WTF is the General Number Field Sieve...

[SillySnake]

Does the algorithm they used scale up.. i.e. could it be used with much greater computer power/time to crack RSA-1024 or others?

Re:WTF is the General Number Field Sieve...

[Chapter80]

Yes it does scale up, but the time roughly doubles with each digit added (RSA-641 would take twice as long as RSA-640).

Actually, it's not quite that bad. Big-O notation helps you to calculate the time it takes to run these algorithms, and there's a formula that helps you determine order-of-magnitude runtime for each digit. (Big-O calculations don't tell you how long it will take in hours, but it WILL help you approximate runtime relative to runtime that you already know.) For instance you can calculate how many times longer RSA-1024 would take as compared to RSA-640. It's a lot longer!

The Number Field Sieve Big O notation is on wikipedia. You can calculate it with n=640 and with n=1024, and see how much bigger the O is for n=1024. That will give you an idea as to how much longer (or how much more computation) 1024 would take, relative to 640.

Re:WTF is the General Number Field Sieve...

[rbannon]

I'm running www.nfsnet.org's client on my dual G5 under Mac OS X, two clients in fact, and even though it saturates processor usage,

PID COMMAND %CPU TIME #TH #PRTS #MREGS RPRVT RSHRD RSIZE VSIZE
13668 linesiever 95.5% 7:21.53 1 14 32 75.7M 552K 76.1M 111M
13559 linesiever 94.6% 12:09.74 1 14 32 75.7M 552K 76.0M 111M

I hardly notice it, and it's running 24/7. Not many people are doing it, and I encourage others to join in, PLEASE.

Free iPod!

Re:WTF is the General Number Field Sieve...

[gid]

I used to run clients like this as well until I realized that it causes your CPU to use more electricity and hence, run hotter. I stopped to hopefully prolong the life of my computers.

Re:WTF is the General Number Field Sieve...

[Chapter80]

Follow up:

Big O(2^640)=1.4E+21
Big O(2^1024)=9.6E+25

So it'd be about 70,000 times harder to factor (using the same algorithm) RSA-1024 vs RSA-640. So 70,000 times as many machines, or 70,000 times as long, or 70,000 times as fast of processors, or some combination multiplying to 70,000.

At least that's what my quick calculations show.

Unix factor fails me again!

[spinfire]

factor:
`3107418240490043721350750035888567930037346022842 72754572016194882320644051808150455634682967172328 67824379162728380334154710731085019195485290073377 24822783525742386454014691736602477652346609' is too large

so......

[jimmy69]

how many RSA-640s will there be in the xbox360, and is that more than the ps3 will have?

Uh . . . wth?

[James_Aguilar]

There can be no factorization algorithm that runs in constant time. It's not even theoretically possible. The lower bound on the time taken to generate the answer is the time taken to verify its certificate, which is linear in the number of bits used to represent the factors. To even find a polynomial time algorithm is to prove that P=NP (Hint: it won't happen -- it's been proven that we don't even have the right kinds of maths to talk about the problem yet.).

And 15,000,000,000 CPU cycles?! Where did you get that number? OK, nevermind, I don't want to know . . . probably no place that I want to talk about. That's like . . . only three hours on my laptop, which is not a very fast laptop. I'm pretty confident right now that you have no idea what you are talking about.

Re:Uh . . . wth?

First off, you state that P=NP is impossible because we don't have the right kind of math. However, given the right kind of math (kind of like how Calculus is the right kind of math for Physics), it should be possible. As for it being proven to be impossible, you're going to have to find a source for that proof, because I don't believe you.

As for 15,000,000,000 CPU cycles, that is 5 seconds worth of CPU time on a 3GHz machine. 3 hours? I guess if you're running a 1.4MHz CPU, yeah, it might take quite a while to do anything interesting.

Re:Uh . . . wth?

I am confident YHBT YHL HAND.

Re:Uh . . . wth?

[WalksOnDirt]

A polynomial time factorization algorithm would prove P=NP only if factorization is NP-complete, which it is not known, or conjectured, to be.

Re:Uh . . . wth?

Doesn't need to be NP-complete. Poly time factorisation would prove P=NP if factorisation is merely NP-hard.

Re:Uh . . . wth?

[cpeikert]

To even find a polynomial time algorithm is to prove that P=NP

As another poster has said, and as I wrote below, factoring is very unlikely to be NP-hard. Therefore finding a poly-time factoring algorithm would not prove that P=NP. It very well could be the case that factoring is easy, and P != NP.

Re:Uh . . . wth?

>> There can be no factorization algorithm that runs in constant time
Not true at all.

Step 1: generate a random answer
Step 2: check to see if the answer is correct.
Step 3: If not correct, destroy universe.

This will leave you with one universe with the correct answer.

Why are you giving me that look again?

Re:Uh . . . wth?

[patio11]

Unfortunately, even if your DESTROY_UNIVERSE primitive runs in constant time, "check to see if the answer is correct" is linear with respect to the number of bits used to represent the factors. We can tweak your algorithm to make it constant, however:

Step 1: Say the number is prime.
Step 2: Destroy the universe.

Well, OK, so technically this algorithm might not terminate on the correct answer -- but try proving it by counterexample :)

Good Use of BotNets

[SRA8]

Instead of pharming bank and brokerage website passwords, botnets can just use their resources to do these factorizations! Much safer than financial fraud ;-)

How does this compare to RC5-64?

[schmiddy]

Wow.. 193 bits. I'm quite astounded that it's come this far. I'm actually a little puzzled.. wasn't it only three years ago that it took something like four years and thousands of distributed PCs to crack RC5-64 (64 bits, as I understand it) ?

If I'm not mistaken, shouldn't it be 2^129 times more difficult to factor a 193 bit number than a 64 bit one? Perhaps I'm not understanding something.. someone want to clue me in?

Re:How does this compare to RC5-64?

RC5 is a symmetric cipher, which was broken by attempting every possible key. RSA640 challenge is a factoring problem. You're comparing apples to cats.

Re:How does this compare to RC5-64?

[cimetmc]

You are completely off track here and made 2 huge mistakes in your comparison:

1) The number RSA-640 has 193 *decimal* digits, but 640 bits (as the number in RSA-640 indicates).

2) You are comparing symetric key suzes (RC5-64 = 64 bit) with assymetric key sizes (RSA-640 640 bit). You can't compare these key sizes directly. Assymetric key sizes are much bigger than symetric key sizes for the same level of security. So you are trying to compare numebrs that simply cannot be compared.

Marcel

Re:How does this compare to RC5-64?

They weren't trying to factor RC5-64, it was a random (symetric) key one tried to find by brute force.

It's a totally different algorithm.

Re:How does this compare to RC5-64?

[swillden]

So you are trying to compare numebrs that simply cannot be compared.

Well, you can compare them, but you have to factor in the relationship between the complexity of the attack and the keysize in each case. In the case of RC5, brute force search of the keyspace is O(2^n) where n is the size of the key in bits. As a previous post mentions, the GNFS algorithm's complexity is O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3)), where n is the number to be factored.

So to compare the complexity of these two attacks you just need to see if 2^64 is larger or smaller than e^(1.9229*ln(2^640)^(1/3)*ln(ln(2^640))^(2/3)).

Unless I made a mistake, the complexity of RSA-640 is about 5.5e13, whereas RC5-64 is about 1.8e19, so RC5-64 is approximately 300,000 times harder than RSA-640. I'm not sure that GNFS is as easy to massively parellelize as RC5 searching, though, so in practice RSA-640 may be harder than RC5-64, even though it has lower complexity. Also, big-O complexity ignores constant multipliers, so if each step in the GNFS algorithm is, say, a million times more complex than each RC5 trial encryption, than RSA-640 may actually be three times as hard as RC5.

Okay, so maybe you can't compare them :-)

Re:How does this compare to RC5-64?

>Unless I made a mistake, the complexity of RSA-640 is about 5.5e13, whereas RC5-64 is about 1.8e19 ... big-O complexity ignores constant multipliers ... Okay, so maybe you can't compare them :-)

I think your conclusion is correct. Big-Oh notation is not useful for direct conversion to raw performance numbers.

For a concrete example, consider my two functions A(N) and B(N). If I tell you that A(N) is O(N) and B(N) is O(logN), you'll probably eagerly pick B over A without even thinking, because it's faster in the limit. If I define A(N) is N and B(N) is 4096 * (logN/log2), then it's easy to verify that A(N) < B(N) for all numbers in the interval N = [2, 65535]. This is just a simple example. It gets even messier when we add multiple levels of exponentiation.

While you cannot compare RSA-640 to RC5-64 using values obtained from their Big-Oh formulae, you can make qualitative comparisons involving differences. For example, you can compare RSA-640 to RSA-641 or to RSA-1280, and you can compare RC5-64 to RC5-65 or RC5-128. Then you can say things like: doubling the input size of RSA-640 results in a runtime increase of factor X and doubling the RC5-64 input size results in a runtime increase of factor Y and then compare X and Y and draw a conclusion. However, I strongly advise against assuming that RC5-64 cannot be cracked faster than simple brute force 2^N. If it can be linearly converted to SAT, clique or vertex-cover, then it would be easily solvable in 2^sqrt(N). (** For all we know, it may be possible to break RC5 in P, even if factoring is outside of P. **)

I'll also advise caution in selecting the base for your logarithms. Most papers I've found on GNFS quote base-e, while most computer scientists use base-2 exclusively for calculations. This raises the question of whether they really mean ln or whether they mean lg (the base-2 logarithm), which makes an enormous difference in the calculation, and it also makes most "back of the envelope" calcuations highly suspect. When we use hard numbers like those found on http://www.crypto-world.com/FactorRecords.html, we see that going from RSA-160 to RSA-200 (a 25% increase in input size) results in a change from 2.7 CPU years to 121 CPU years just for the GNFS step. That's a change of about 44.8x, yet the formula we're given for GNFS only predicts a change of 28.4x using base-e or about 19.3x using base-2. Clearly we're missing some information about the GNFS, and we need more data points to draw any kind of meaningful conclusion about its actual growth rate on real-world problems.

Anyway, for me the key takeaway is that GNFS is still "state of the art", and it's only approximately 2^cuberoot(N), which is still exponential in N. Although that's fast enough to scare some people about the security of RSA encryption, it's nowhere near tractable for large N. Wake me up when someone comes out with a factoring algorithm that runs in 2^polylog(N), or better yet: Poly(N). :-)

/me starts building an RSA-1000000 "just to be safe"

Re:How does this compare to RC5-64?

[swillden]

I think your conclusion is correct. Big-Oh notation is not useful for direct conversion to raw performance numbers.

Not without any other information, anyway. In order to convert O() calculations to useful (if approximate) performance numbers, you have to "calibrate" the system and estimate your constant multipliers.

That's basically what you said -- get performance numbers for two or three data points, then determine the relationship between the computational steps and the performance data. Then you can compare RC5 and RSA cracking performance.

I strongly advise against assuming that RC5-64 cannot be cracked faster than simple brute force 2^N. If it can be linearly converted to SAT, clique or vertex-cover, then it would be easily solvable in 2^sqrt(N)

Yes, it's certainly possible that RC5 could be broken, providing a faster-than-brute-force opportunity for solution. It's likewise possible that RSA could be further broken. The two algorithms would likely fall to very different attacks, and I'm not trying to equate the likelihood of the two, but the probabilities of either happening within the next few years are a complete unknown. The discussion at hand, then, is the computational time required for the best known attacks. For RC5, that's brute force.

I'll also advise caution in selecting the base for your logarithms. Most papers I've found on GNFS quote base-e, while most computer scientists use base-2 exclusively for calculations.

I think in this case I would expect GNFS complexity to use logarithms base e. Computer scientists generally use base 2, but that's because they're usually working with algorithms whose complexity is naturally expressed in terms of logs base 2. In the case of the GNFS, it seems likely that the algorithm's efficiency must depend in some way on the density of primes, pi(x), and pi(x) is bounded by expressions involving log_e(x).

we see that going from RSA-160 to RSA-200 (a 25% increase in input size) results in a change from 2.7 CPU years to 121 CPU years just for the GNFS step. That's a change of about 44.8x, yet the formula we're given for GNFS only predicts a change of 28.4x using base-e

That is strange, isn't it? I don't know enough about GNFS (read: nothing) to guess at what the difference may be. Perhaps it's just that whatever method they use to scale to 1GHz Pentiums doesn't work as well as they'd like, or maybe there are some practical issues that prevent real implementations of GNFS from scaling as well as the theory predicts -- perhaps memory accesses become a bottleneck, or some such. That would be a reasonable guess, because memory access speeds have not kept up with CPU speeds, but that guess presumes that GNFS requires significant memory bandwidth, something I don't know to be true.

It's also possible, depending on how the algorithm works, that GNFS could get "luckier" with some problems than with others of the same complexity. Brute force search of a flat keyspace, like RC5, certainly has that characteristic. You *could* hit the right key with your first trial encryption, or you could completely exhaust the keyspace before finding the key. I suspect that GNFS isn't the same sort of randomizable search, but there may be an element of "luck" in the sieving stage. That could very easily account for the 1.5x discrepancy you noted.

Re:celeron's

if they would of used

if they would have used

MOD PARENT UP FUNNY

The above is a math joke. I'm not going to explain it because it's not funny then, but I think that those who understand it would like it and might not see it at its present "1" level.

forget quantum computing...

we need time travel! then it doesn't matter much how many months it takes to crack!

What a guy!

[Ponzicar]

I don't know who this general Steve is, but he must be one heck of a math whiz!

Re:What a guy!

[AceyMan]

Ponzicar wrote
I don't know who this general Steve is, but he must be one heck of a math whiz!

He's the cousin of that other smarty pants, Bruce force.
..runs and hides.

Re:Zombie Cluster - not feasable =(

[iced_tea]

from http://www.rsasecurity.com/rsalabs/node.asp?id=208 8

To put this in perspective, it would require about 1.4 billion 500 MHz machines, each with about 170 Gbytes of memory to do the sieving for a 1024-bit number in the same time as RSA-512. While a hacker might try to steal cycles on the Internet by creating a ?Number Field Sieve Worm? it is hard to see how such an attack could find enough machines with enough memory to make such an attack feasible. Further, such an attack would be detected and shut down rather quickly as with the Robert Morris worm. Of course increasing speed will reduce the required number accordingly. It would take a single Cray with 6 Terabytes of memory approximately 70 million days (192,000 years) to solve the matrix. One could reduce this to a mere 19 years with 10000 Crays each with only 600 Mbytes of memory running perfectly in parallel. It is likely that within 10 years common desktop machines will be as fast or faster than a Cray C90 is now. However, it is unlikely in the extreme that 10000 machines running in parallel will be anywhere close to 10000 times as fast as one machine. It would require 10 million such machines running perfectly in parallel to solve the matrix in about the same time as that for RSA-512.

So basically, according to the article from RSA it's not feasable... but still an interesting IDEA. Maybe a worm that installs something like folding@home that would have immediate benefits. ;)

Re:celeron's

[rufuseddy]

I'm glad to see people can still notice a joke. (Yes it was a joke!)

And, as RSA says

[Sycraft-fu]

The prize money is mostly a prestige thing and a little kickback for what you did spend. The costs of factoring these things are such that the money isn't enough to be considered profitable. If you account for hardware costs and all they are way behind, though I'm sure the hardware will be used for other things now.

In general it's like the X-Prize. The money wasn't intended to be an amount such that winning it would be a major financial reward, it was intended to be a goal to reach and give you enough to hopefully cover a fair bit of your costs.

The only way the money would be worth it in and of itself was if you figured out some dynamite way of factoring RSA quickly. However in that case, I think I'd approach the NSA, I bet they'd pay more :).

Recommended key sizes

[atomm1024]

Here is a very useful site, listing estimates of how long various algorithms will be secure, and at what key sizes. It covers public- and secret-key algorithms, as well as hashes.

http://www.keylength.com/

security is a process

[coolphysco1010]

this shows security is process then of a black box sloution ...lol

/. reported it faster than RSA did...

[RandomPrecision]

Here you can see, as of now, that RSA claims their RSA-640 has not yet been factored.

Anyway, see ya later, I'm going straight for the RSA-2048. $200,000 can make you forget that you've spent a good deal of your life trying to unmultiply two numbers.

But the question is

[Sycraft-fu]

How long, roughly, can we expect something of a given crypto strength to remain secure, at a given level of means of attackers? That's the real question when trying to evaluate if crypto is good enough or if it needs an upgrade.

I mean let's say I am in a situation where my data is only worth it for 6 months, maybe the data is an access code and it changes every 6 months. Let's also say what it guards is pretty low dollar, my bank account maybe. Ok so my crypto needs to be good enough that someone with at most a couple grand to throw at the problem can't get it in 6 months. Nearly anything would work for that.

Ok so now suppose it's guarding data that needs to be secret for at least 10 years, and it's really valuable and could potentially face attackers with 10s of millions of dollars to throw at it. Well, it's going to have to be much stronger, but how strong?

That's what these kind of things can tell us. So, with basically the best available current technology on a reasonable scale, you can break RSA-640 in a little less than half a year. So probably good enough for my bank code, not good enough for the super secret data. Well using that as a baseline, and looking at trends in growth, we can get a reasonable estimate of what we'd want for the secret data case.

Suppose it was stored with RSA-768, we could run the numbers on it (I'm not going to go through all that trouble, but you can if you want) to see if that's good enough for our criteria, or if we need to move it to better security.

Bunch Of Savages In This Town

[Raypeso]

I was checking out the wikipedia link, and this was at the top of the page: /. This article has recently been linked from Slashdot (backlink). Please keep an eye on the page history for errors or vandalism.

Uh, huh...

[SeaFox]

And then when you leave the office you just throw your encryption key floppy into your attache case with it's three digit combination...

Re:Zombie Cluster - not feasable =(

[bmo]

"Maybe a worm that installs something like folding@home that would have immediate benefits. ;)"

If only. Really, if only.

The thing is, though, Vijay frowns on that. It would not make him happy. If you have control over more than a few PCs, he wants proof you have the authority to do that. Not up front, mind you, but the folding community will eventually ask "Who is that guy?" once you've accumulated enough points, and you'd better have a good answer, like you have the authority to run so many clients, or you're out.

--
BMO - www.bumwine.com folding team. Team number 43909

Re:celeron's

celeron's
(Score:1, Funny)
by rufuseddy (781982) on Tuesday November 08, @11:35PM (#13985872)
(http://www.oceighty.net/)
blah, if they would of used 80 celeron's they would have cracked it twice as fast.......

Dude, what's wrong with you? You wrote "would of"[sic] and "would have" in the same sentence! To make matters worse, you didn't capitalize a proper noun ("Celeron"), you used an apostrophe before an "s" in a plural twice, you didn't capitalize the first word of a sentence, and you ended your "sentence" with seven periods. Go back to the fifth grade. Do not pass go. Do not collect 200 dollars.

Re:celeron's

[autOmato]

That's exactly what I thought. It drives me nuts when people write 'would of', 'could of', 'should of', and the like. Too bad, you're an Anonymous Coward so I can't put you on my friends list.

Re:Zombie Cluster - not feasable =(

The thing is, though, Vijay frowns on that. It would not make him happy. If you have control over more than a few PCs, he wants proof you have the authority to do that. Not up front, mind you, but the folding community will eventually ask "Who is that guy?" once you've accumulated enough points, and you'd better have a good answer, like you have the authority to run so many clients, or you're out.

ahh... true! good point! But I'd assume that you could also hide your clients among other groups, especially some of the larger ones. That is, assuming you wouldn't want to recieve credit for your cumulative WU count. Or you could make it choose a random Folding@Home group to join. Or you could choose another distributed project completely.

How does DSA stack up?

[RAMMS+EIN]

This is the same RSA that OpenSSH can use for keys, right? Makes me wonder how DSA stacks up. What's the ratio between the time required to break RSA and the time required to break DSA, using the same length for both? What about other algorithms I haven't mentioned? I tried to grep the web, but it didn't turn up any hits.

It works in all bases.

[lheal]

For any base b, the sum of the digits (in base b) of a multiple of (b-1) add to a multiple of (b-1). The proof is fairly simple: http://www.pseudorandom.co.uk/2002/maths/divby9/.

For instance, in base 16, 3 * F (45 dec) is 2D, and 2+D=F.

This leads to a (slow) algorithm for primality check. For a given number r, simply (hah!) check all the bases up to about log_b(r) to see if all your base r belong to us.

Re:It works in all bases.

[WuphonsReach]

(claps politely)

Very nice application of an old and dated joke.

I got 100%

[RAMMS+EIN]

I have an even better one. If you convert the number to binary, you'll observe it ends in 1. The only way to get that from two numbers is if they both end in 1. So here's your first digit with 100% certainty!

Re:I got 100%

[Short+Circuit]

I wonder how far base conversions can take you in observing patterns.

Not the largest RSA number factored to date

[clap_hands]

A nice result! Interestingly, the same team factored RSA-200 last May, which is 663 bits long (confusingly, there's two series of RSA challenge numbers with different naming conventions) but for which no prize was given for its solution. RSA-640 is shorter, at 640 bits, but carries a US$20,000 prize. It's not entirely clear why the team went for the larger, prizeless number first.

Maybe there's other factors at work here besides prize money? (ROFL etc).

mod parent GEEK.

[earthbound+kid]

That was the best worst nerd joke ever. :)

The Reich strikes back

Hahaha... ph33r us

For a minute...

I thought the title said "RSA-640 Fuxx0red"

Not feasible

[Nephrite]

80 CPUs and 5 months to breack lousy 640 bits... Oh what a great achievement.
I wonder how much time they will need to break 1024 bits used everywhere for some time now and then 2048 which is GPG default key size.

Well, we may consider RSA still safe given that most script kiddies don't have even two cpus at their disposal.

As to the guys who did break it, I allow them to have a cookie.

Re:Not feasible

Change your name to "Neophite" as you obviously don't know squat about encryption.

Re:Not feasible

[Nephrite]

O yeah!
Enlighten me, oh Great Cowardly Anonymous guru!

RSA 640...

[squoozer]

...should be enough to anybody!

Spending tax dollars vs common sense

[appro]

RSA cost study says "It makes no sense for an adversary to spend (say) $10 million breaking a key if recovering the key will only net (say) $10 thousand." Third party payer negates this asumption. Exceptions to the rule are seen in the everyday spending of U.S. taxpayer's millions by low level government employees and politicians alike for their personal gain or amusement, no matter how minor.

MOD LE PARENT UP!!

Right on, I was wondering the same shit and this guy answered it.

Re:Zombie Cluster - not feasable =(

There were a few simple 'trojans' distributed via p2p (I think they looked for and copied themselves to shared folders, but that doesn't really make them worms) which were wrapped copies of SETI@Home preconfigured to install silently and work under someone else's account. I don't know if the same thing has been done with Folding@Home but it should be possible.

Re:Zombie Cluster - not feasable =(

[pe1chl]

Remember that those calculations assume a specific algorithm.
It could always happen that some bright guy finds a more efficient (or more easily distributed) way to attack the problem. This is always a risk with encryption that relies on "computationally hard" problems.

one time pad: proven to be the only secure cipher

[free2]

The "one time pad" has been proven to be the only secure cipher that will ever be available:
http://en.wikipedia.org/wiki/One-time_pad

But non-decipherable stuff is archived

[ishmalius]

Code-breaking agencies all over the world have a practice of archiving everything of pertinent value, for possible decryption in the future. So even if it is not breakable today, it could be in the near future.

So, do feel safe about having your personal secrets made public eventually, no matter how careful you are at encryption?

Cost of "one day breaker" system

[anfi]

Has anyone publish (theoretical) costs of system capable to break given RSA lenght in one day based on the known systems?

Re:Cost of "one day breaker" system

[MooseTick]

Here you go. 80 PCs at $1000/PC churning for 5 months to crack a 640 bit #.

Assuming it was truly distributive, then 12000 PCs could crack it in a day. Assume each use 500Watts, then each has a power cost of about $.25/day if 1kW/h is a dime. That totals to $12 million for the PCs and another $3000 for power. The power cost is negligable but the infrastructure to distribute that power likely wouldn't be. We'll pretend that we already have a nice building with a 13000 socket power strip for our PCs. Let's say it cost $1 million to be easy.

That would total $13 million to crack a 640 bit number in a day. Since each added bit doubles the complexity, then to solve for numbers with bits > 640 we could say N= # of bits - 640. From there the cost to crack a number would be $13M * 2^N.

If you think about it, this is well within the reach of most corporations and could likely be achieved by someone using a virus to steal computing power. The virus could break up the problem and whenever someone hit on the answer it could phone home with it and they could collect the $20k!

I'm serious.

Prize money is great. I will factor it. I'm serious.

Lappy 486???

And they had to kill poor little lappy, eh steve???
oh for shame! wahhh

Re:celeron's

[Astronomypete]

This is why I love slashdot people corect your every spelling mistook. Or gramma errer. And they dont even have the courage to own up to who they are!!!?!

Pete takes another karmic hit!!

Re:celeron's

[lpcustom]

For the life of me, I can't understand why anyone would take that post seriously. He was joking! Anyone who could possibly think that a celeron is better than a opteron wouldn't be able to tie their own shoe laces much less post a comment on slashdot. What's happened to everyone's sense of humor? Please don't correct people on humorous statements. I think that's the "in" thing with the newest generation. If I had to guess I'd say you are a 14-17 year old. I don't remember correcting humorous comments when I was that age. I'd verify that someone was indeed ignorant before correcting them. Kids, verify someone's stupidity before you make an ass of yourself!

Re:what about the xbox rsa-2048

[Vo0k]

No.
About 1200 years.
Progress in computation of the solution is linear. Moore's law is exponential. By year 3200 the computers will be strong enough to crack it in 6 months.

Unless you're talking Sonny Bono timescales...

[tepples]

So, do feel safe about having your personal secrets made public eventually

I'm 25. If it takes 60 years to crack my files, does that really matter if I'm expected to die at 84?

Quantum Computers

[Redwin]

If the development of quantum computers succeeds then you will need to find a different mechanisim all together as Shor's Algorithm can factor numbers in polynomial time and might cause some problems even for large key lengths.

RSA SecurIDs

[peetola]

Does this mean I don't have to have my SecurID with me to log into the VPN at work?

Re:RSA SecurIDs

[WeeLad]

Sure, but carrying around 80 opterons on your keychain can be cumbersome.

Quick - tell Tony Blair...

[Geeky]

Tony Blair needs to know about this as soon as possible. 90 days isn't long enough, we need to be holding those terror suspects for five months...

Re:what about the xbox rsa-2048

[MooseTick]

I've got $1000 that says you are wrong. RSA-2048 will be solved in the next 25 years.
It hasen't even been proven yet that factoring is a hard problem!

You can't just "switch"

[SimonShine]

> -Not always true. Say I can come up with a 2048 bit encryption, that is just increase the key size from 256 to 2048, I can to that in a second. It is going to take _a lot more time_ for the computing power to overcome that increase.

You can't just "switch". If you encrypt material, it is because of the general idea that it might fall into unwanted hands. If it has first fallen into unwanted hands, you can't simply update the data they have so that it isn't encrypted with 256 bits rather than 2048. What you do within seconds leaves a trail of encrypted data that any eavesdroppers could get started on cracking. That includes publicly accessible email archives and keyservers.

The best effort you can do regarding this dilemma is of course to avoid releasing your keys. If you want your keys for the exact reason that you can release them, you better pick an encryption that is estimated not to be able to be cracked within reasonable time, or at least until quantum cryptography.

And yeah, 2048 should stick for now.

Sorry, but isn't this just a waste of electricity?

[Dr.+Spork]

I want it to be clear that I support science and the use of brute computation in science, but this is not anything of the sort. After this five-month exercise which cost thousands of dollars of wasted electricity (all those processors could have been idling instead) and the associated increase in global polution, what have we learned? Absolutely nothing. We already knew roughly how long it would take to factor this, it's a quick calculation. But then going through the motions of actually factoring the number is absolutely pointless, and I'd even say irresponsible.

It's like figuring out how many times you'd need to toss a coin before you'd be likely to get 7 heads in a row... and after figuring this out, actually tossing the coin until you get 7 heads. Anybody who actually did that would a moron. It would show nothing... much like these "factor this" challenges.

Algorithm

[JedaFlain]

General Number Field Sieve? That sounds complicated, they should just try:

for ( n = 2; n sqrt(num); n++ )
    if (num % n == 0)
        return n;

Took me a minute. Now I just need some opterons. I can taste the prize already!

Factorization and Primality Testing

[gr8_phk]

The other book Amazon recommends with that one is a really good introduction to the topic. It can bring most slashdot readers up to speed on all the theory and practice up to the Multiple Polynomial Quadratic Seive (MPQS). It does not cover the more recent advances like GNFS which are similar in concept but require more math background.

When the numbers get large enough, is it practical to start writing these algorithms in Python? That would be really cool IMHO.

not the point

[elgatozorbas]

This is completely correct. Any cryptologist could have predicted this give or take a certain margin. Even more: if I were them, I would not have started without an initial estimate.

However, this is not the point. The point is to prove ANYONE (not only cryptanalyst) that it CAN be broken, though it takes some processing, and there is no alternative for doing.

Re:celeron's

Anonymous Coward? Or just unwilling to bow to Slashdot's "give us your first-born" registration policy?

Incorrect! (or Proof by Google)

640=2*2*2*2*2*2*2*5.

What do I win?

You win nothing, for your answer is incorrect. You were supposed to factor RSA minus 640. A quick Google search reveals that R*S*A is 8.314472. (Yes, I know that there are a bunch of letters and crap after the number, but ignore them. They're not important.) So you need to take 8.314472 minus 640. A quick Google search reveals that this is -631.685528. So you have to factor this. Try again.

I love Google! It always produces the right answer.

Pure ignorant BS

[bluGill]

You have no clue what you are talking about. Mathematicians have studied primes. They already know that primes are relatively dense. Between 1 and n there are approximately n/ln(n) primes. That is there are plenty of them, even in the very large numbers. Even at 1000 digit numbers you are only looking at a few hundred tries before you find a useful prime.

Note that I said useful prime. There are numbers that are not prime that will work for RSA encryption (newton primes). A token effort is made to eliminate them, but only because some think they might be less secure than normal primes - there is no known way to exploit a RSA if it contains a newton prime, that doesn't work for regular primes.

Re:Pure ignorant BS

[Ibag]

You're partly right. Between 1 and n, there are about n/ln(n) primes, but between n and n+k for some small k, there are much fewer. The odds that an arbitrary number n is prime is about 1/ln(n). In fact, this empirical observation is what caused Gauss to define the Li function, Li(n)=Integral1/ln(x)] from 2 to n. It is an even better estimator for Pi(x) than n/ln(n). While there are constants that bound how well n/ln(n) works (about 1.1 and .9), Li(n)-Pi(n) actually changes signs an infinite number of times.

While there is about a 1/ln(n) chance that n is prime, trial division up to something small can eliminate the majority of composites fairly quickly, though, so I probably gave a slightly less than ideal estimate on how long it would take to find two primes. However, I do not believe that this will put me off by more than a constant factor.

Assuming the riemann hypothesis, I believe there are O((log n)^12) algorithms for proving primality (with a pretty big constant in front....I'm basing this on memory, its been a while since I have studied this stuff heavily), but I don't recall reading about better. As another poster mentioned, you can suffice with strong pseudoprimes to multiple bases to get a negligible chance of compositness fairly quickly, but it still requires nontrivial time on numbers this large (about 2500 digits). I haven't ever played around with timing for pseudo-primality tests for numbers quite this large, but I have coded all the standard algorithms before and done testing for smaller numbers.

For what its worth, I am an aspiring mathematician. I did my undergrad at a top 5 school in math (with a large smattering of comp sci classes), and I'm currently working on my PhD at another top 5 school in math. I have done work on computational aspects of primes (and on prime distribution) both recreationally and for classes. I might have been off by a little on some of this stuff (I was working from memory, I'm sorry), but I am not as ill informed as you might like.

Don't hold your breath

[Tired_Blood]

Just so you know, it took RSA Laboratories 4.5 months to officially annouce the factoring of RSA-576.
As for my first comment in that thread, I remember being in a real bad mood before reading the article: one of my rare outbursts. :(

Re:one time pad: proven to be the only secure ciph

No, you have that backwards.

What you mean is: the one time pad is the only available cipher that has been proven to be secure. A subtle (but very important) difference.

Re:Sorry, but isn't this just a waste of electrici

....and that's exactly how you would determine, to a specified degree of confidence, whether the coin is "fair" or not. And repeating the procedure many more times, in an industrial setting, is how manufacturers set service lives and MTBF's in a meaningful way. And until you actually get those factors and check them, you don't know if your algorithm has been encoded correctly. So there are lots of reasons to do this, but you seem a bit short in the imagination/knowledge department - just because you can't concieve of/know them, don't assume others are as limited as you.

Re:one time pad: proven to be the only secure ciph

[free2]

What you mean is: the one time pad is the only available cipher that has been proven to be secure.
No.
from wikipedia:
Universal unbreakability:
Claude Shannon's work showed any perfect encryption system requires that the number of possible plaintext messages does not exceed the number of possible keys. If the number of possible keys and plaintexts are measured in, say, bits, this is equivalent to saying that the key must be at least as long as the plaintext.

You can find the Shannon proof on the web.

You lose

You forgot to factor the 2s:

2 = (1+i)*(1-i).

Bill Gates Predicts

[dmh20002]

"Nobody will ever need more than 640 bits in their encryption key"

Bill Gates, October 2005

Re:Zombie Cluster - not feasable =(

[adavies42]

Surely this kind of factoring is an "embarassingly parallel" problem, like SETI, Folding, etc.? If so, shouldn't the complete independence of the calculations each machine runs mean you *do* get an n-fold speedup, minus some trivial adjustment for transmission of the data? It's not like this is a physicist's particle simulation, where every calculation involves every other one.

Yahoo could do it...

I'm told that Yahoo has something in the order of 88,000 BSD systems running across a myriad of data centers, across a network that makes some Tier-1 ISP's look silly.

Imagine what a large search engine with that kind of power and a nice cache of information could try...

p1^2-p2^2=(p1+p2)(p1-p2) (mod n)

no we're not talking about multiplying integers. we are talking about is anything from a family of algorithms based on the observatino that (i think the ro p^2 's algorithm was the first?) p1^2-p2^2=(p1+p2)(p1-p2) but you work in modular arithmatic. you get a whole lot of candidate vectors, and you multiply the vectors together to make p1 and p2, so you can gather the vectors, the candidates on parallel computers, but you have to factor a big matrix formed from these candidates, anyway this big matrix calculation usually is implemented on a single big cpu actually but the assertion tyhat this is necessary is almost certainly not true, i myself believe that it can be parallelized, possibly less efficently but it would overall retain most of the efficiency common to all factorisation algorithms based on the above general scheme, which i belive range over most of the field sieve algorithms. possibly a field (modular arithmatic) is also related to the possible use of eulers little equation? or whatever its called, a generalisation of ... perhaps it was fermats little therom? p^a =1 (modn) ? number theory is hard! but it definately contains the secretes of the universe (pun intended)

Re:Sorry, but isn't this just a waste of electrici

[asm_rocks]

You're absolutly right. It shows nothing but how utterly stupid one is to figure something using lots of money and getting nothing back except some number. It's NOT worth that much money. And neither is that number. - - - It is what it is, its not what its not: now thats a thought

Re:Incorrect! (or Proof by Google)

[Asm-Coder]

One up for flawed logic!!

Re:what about the xbox rsa-2048

[Vo0k]

nor unproven, so let's give it 50:50. :)

Re:easy (and only slightly off-topic)

[GuyverDH]

Code 1: 1A
Code 2: 1A2B
Code 3: 1A2B-3

What's the final code?

need a better subject...

[bluGill]

About 5 minutes after I posted that I realized that the subject was too harsh. Sorry about that.

I too am working from memory. It has been 8 years since I studied this. I did a little research myself.

While the constants are large, a multi-gigahertz computer has no problem dealing with 2000 didits numbers. And as computing power goes up, we can deal with large number faster than you can factor them. So for practical purposes I can find 2 primes with 200 didgets relatively fast on a modern computer. However you cannot factor the product of them with any great speed.

We don't generate new public keys very often. Maybe yearly, and it only takes a short time. Generally getting a good seed to the random number generator, and entering a new passphase will take longer. For practical purposes there are plenty of prime numbers.

Re:one time pad: proven to be the only secure ciph

There is no perfect cipher other than the one time pad; that is true.

But you claimed that there are no other secure ciphers. Most cryptographers would agree that any cipher which operates with arbitrary key lengths in no worse than polynomial time (with knowledge of the key) and for which there is proof that no algorithm exists to decrypt in polynomial time (without knowledge of the key) is "secure". And it is an open question whether any such cipher exists.

Re: brute force

>You *could* hit the right key with your first trial encryption, or you could completely exhaust the keyspace before finding the key.

Such is the nature of NP. :-) Anything that can be guessed can be guessed on the first try. While you might get lucky on a few keys, statistics suggest that you'll have to compare half the keys on average: 2^(N-1). I realize that you already understand that, but I'm just trying to explain for the rest of the slashdotters.

Now I'm going to switch gears and try to drive home the point that that RC5 can probably be cracked a lot faster than brute force.

Remember: All problems in NP are polynomially related to one another (* it's conjectured that all problems in NP are linearly related to one another), and the optimization problem related to every NP decision problem only has to call said decision problem a poly (linear) number of times. Thus, anything that can be guessed can be fully solved in a polynomial number of calls to an NPC solver. The best NPC (decision) solvers run in 2^sqrt(N).

Consider the solver for an optimization problem that works by reducing to an NPC decision problem and iterating until it has the optimized result (i.e. the encryption key). This runs in f(N) + poly(N) * 2^sqrt(f(N)) = O(2^(sqrt(f(n)) + O(logN))) = O(2^O(sqrt(f(N))). If the polynomial reduction function f(N) is less than N^2, then our method runs faster than brute force (i.e. 2^N). Typically you'll be able to find a reduction that's N or N*logN; if such a reduction exists, someone will find it. And when they do, RC5 will not require a brute force search.

Never assume any problem in NP requires a brute force search. Instead, you should assume it can be solved in 2^sqrt(N) or better.

Re: brute force

[swillden]

Never assume any problem in NP requires a brute force search. Instead, you should assume it can be solved in 2^sqrt(N) or better.

Under this assumption all modern symmetric ciphers are untrustworthy. Even with 256-bit keys, this would provide an upper bound complexity of 2^16. If there were a good way of finding f(N) for a given NPC problem, I guess we wouldn't necessarily have to abandon encipherment entirely, but we would need some truly enormous keys... and the "or better" part of your statement tends to imply that may not be enough. The crypto geek in me quivers, but the programmer in me wonders what sorts of *other* optimization problems we could solve if we had such tools...

For the present, of course, RC5 (and 3DES, and AES, and Twofish, and...) are considered secure not because it's provably impossible to break them faster than brute force, but because lots of very smart people have tried and failed. That's likely where we'll always be, I suspect :-)

Re: brute force

>Even with 256-bit keys...may not be enough

I've been studying NP completeness for a while, and I believe that P < NP < EXP. In other words, I believe that every problem in NP can be solved in less than exponential time, but the hardest problems in NP (i.e. NPC) will never be solved in polynomial time. Mark my words: within the next 5 years, someone will publish a 2^polylog(N) solution for an NPC problem. The day after that happens, all cryptography based on "small" keys will be broken.

Based on my reading of the FAQ on the RSA website, it appears that the complexity of RC5 is created by rounds; however, the rounds are not related to the key size. Bonus: the only operations mentioned are addition, xor and rotation, all of which can be performed in linear time. Proposal: construct 256 different SAT circuits (representing 0, 1, 2, .. 255 rounds), each of which would be linear in the size of the key. In this proposal our f(N) is O(N); however, the constant hidden by the Big-Oh notation is fairly large.

Once you've got the SAT circuits, simply run the optimization method I described earlier, and you have a RC5 solver that runs in O(2^O(sqrt(N))). Granted: the reduction idea I've presented here may have constants so large that the solver would not actually improve the cracking performance on RC5-64, though it might allow RC5-2040 to be cracked in a reasonable timeframe on today's hardware. ;-)