Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA-640 Factored

Posted by ScuttleMonkey on from the bigger-better-deal dept.

gslin writes to tell us MathWorld News is reporting that RSA-640 has been factored. F. Bahr, M. Boehm, J. Franke, and T. Kleinjung, memebers of the German Federal Agency for Information Technology Security (BSI) announced they had cracked the 193-digit number last Friday using the General Number Field Sieve. The team purportedly used 80 opteron CPUs and 5 months to achieve victory.

71 of 299 comments (clear)

  1. easy by Anonymous Coward · · Score: 5, Funny

    640=2*2*2*2*2*2*2*5.

    What do I win?

  2. Time to turn off the Internet... by adlib24 · · Score: 4, Funny

    I wish had nothing better to do for five moths than factor numbers...geez...who needs the Internet when there are numbers to factor. :)

  3. Factor? by brilinux · · Score: 2, Interesting

    I hardly know 'er...

    Seriously, this is interesting stuff. Of course, everytime we come up with a new security mechanism, computing power will overcome it. Fortunately, not everyone can do this sort of thing, and it takes time. But, as a mathematician, it is interesting to see both the methods used to crack this sort of thing, and, at least to me, more interestingly, the methods that are used to come up with new encryption systems. I cannot wait to see what will occur in several years, and even bigger prime numbers are known and usable...

    1. Re:Factor? by drgonzo59 · · Score: 5, Insightful
      "everytime we come up with a new security mechanism, computing power will overcome it"

      -Not always true. Say I can come up with a 2048 bit encryption, that is just increase the key size from 256 to 2048, I can to that in a second. It is going to take _a lot more time_ for the computing power to overcome that increase.

      If quantum computing will come around, I'll just switch to quantum encryption. Then you'll have to break the laws of QM to "break" the scheme. There are already rudimentary quantum encryption devices but there are no quantum computers that can take on even a 64 bit key space.

      The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information. The inherent math of the algorithm is rarely the weakest link, it is the people and then the particular implementations of the algorithms that are exploited the most.

    2. Re:Factor? by lachlan76 · · Score: 2, Funny

      The cipher in The Sum Of All Fears was actually One-Time Pad.

      And yes, I am a Tom Clancy fanboy ;)

    3. Re:Factor? by jgc7 · · Score: 5, Interesting

      Inerestingly enough, there is no proof that encryption is even possible. Presently we do not know of any methods to factor a number in polynomial time while we can create primes in polynomial time, but an algorithm may exist that can factor primes in polynomial time. If one is discovered, encryption as we know it today will be impossible... even with your quantum computer. In fact, a solution to the P NP problem comes with a $1,000,000 prize.

      --
      70% of statistics are made up.
    4. Re:Factor? by Osiris+Ani · · Score: 3, Insightful
      The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information.
      Indeed, the fastest, simplest form of cryptoanalysis involves an isolated room, a length of rubber hose, a ball-peen hammer, and the person with full knowledge of the information you require. Granted, that, too, falls into the "brute force" category, but it's often far more efficient than most exclusively computer-based methods.
    5. Re:Factor? by drgonzo59 · · Score: 2, Insightful
      Well, having a channel that can be provable to be safe from eavesdropping should be enough. Then both parties Amelie and Bertha (...tired of Alice and Bob) can exchange a key and then they can even use a "classical" channel for communication. Then can send each other a new key for every block, making it in fact look like a "one-time-pad" type encryption.

      The 'encryption' does take place - it is encoding information using quantum states (so far photon polarization or particle entanglement) which would make eavesdropping detectable. Imagine encrypting a file and then everytime someone tries to decrypt it, it will actually change the file itself and you cannot make copies.

      Also, if you say that what quantum encryption only does is help detect eavesdroppers, I could also claim that the public key distribution schemes also mostly "do nothing but" help distribute keys for further communication in a 'safe way'.

    6. Re:Factor? by obender · · Score: 5, Funny
      but an algorithm may exist that can factor primes in polynomial time

      Bill Gates wrote something similar in The Road Ahead:

      The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.

      Sorry to break it to you boys but I know an algorithm that can do that in constant time: the factors of any prime number are 1 and the number itself.

    7. Re:Factor? by empaler · · Score: 3, Informative

      I have a 250 gigabytes encrypted volume that I access all the time - increasing encryption level means more processor intensive disk operations. Of course, there's always a tradeoff when encrypting, but moving up to 2048 bit encryption is *a lot* of difference, performance-wise.

    8. Re:Factor? by Musteval · · Score: 2, Funny

      You ARE using a one-time pad. It's just that the method of getting the pad to the other person is quantum in nature, making it completely secure. And as we all know, one-time pads are unbreakable if they are random and the key is not intercepted and the government doesn't use TEMPEST to read our screens and our computers don't have keyloggers and nobody has a secret camera hidden in the building and we mask our keystrokes so that computer that MIT made can't tell what we're typing just from the sounds and we wipe our hard drives afterwards and then set them on fire and melt them and put them into the fusion reactor that is being built and ...

      --
      Note to mods: I'm probably being sarcastic.
    9. Re:Factor? by gkhan1 · · Score: 3, Informative

      Wow, that was alot of incorrect in one post
      1) You factor large COMPOSITE numbers, not large prime numbers.
      2) P = NP is almost surely false. I mean, it's not proven, but it's not like anybody believes it to be true. It would just be too damn incredible if it were true.
      3) What do you mean "encryption wont be possible"??? Just because you can factor large numbers quickly, doensn't mean you can encrypt stuff. You can't use RSA, that's true, but there are other asymetric ciphers. AES will sure as hell still work. Worst case scenario, we'll just use one time pads and all will be dandy (for those of you who don't know, One time pad-ciphers (also called the Vernam cipher) is impossible to break if used correctly, and when I say impossible, I mean mathematically proved-no way no how-even when the aliens invade earth with super-super-computers will we be able to solve it)

    10. Re:Factor? by Jerry+Coffin · · Score: 2, Informative

      Presently we do not know of any methods to factor a number in polynomial time while we can create primes in polynomial time, but an algorithm may exist that can factor primes in polynomial time. If one is discovered, encryption as we know it today will be impossible...

      Nonsense. First of all, factoring per se only affects RSA encryption.

      It's likely that a major advance in factoring would also affect the security of Diffie-Hellman key exchange and ElGamal encryption, but it's not an absolute certainty. These are based on discrete logarithms, and while finding discrete logarithms hasn't (TTBOMK) been proven equivalent to factoring, current factoring methods can also be applied to finding discrete logarithms, and there's some theoretical basis for assuming any future ones will as well. For example, here is a paper discussing the relationship between the two (warning: quite mathematical).

      Those aren't the only methods of public-key cryptography though -- for example, elliptic curve cryptography might well be unaffected. In particular, both factoring and discrete logarithms display a property called "smoothness" (about which, see the paper above) which is necessary for the various "sieve"-type algorithms to operate correctly. At least so far, nobody has shown that elliptic curves have the property of smoothness (though various mathematicians argue both for and against its likelihood). As a consequence, breaking elliptic curve cryptogaphy uses entirely different methods, and there's little reason to believe that even a major advance in factoring would necessarily have any real effect on elliptical curve cryptography at all.

      Then we come to all the symmetric ciphers -- DES, 3DES, IDEA, FEAL, RC4, RC5, RC6, AES, and many, many more. The vast majority of these have little or nothing to do with prime numbers, and even the most amazing advance in factoring would be unlikely to affect any of them at all. The applicable area of mathematics is entirely different -- most symmetric algorithms are based in number theory while most symmetric algorithms are based on group theory.

      Since "quantum" has been thrown around a bit, I'll try to add a bit of clarification on that subject as well. Unfortunately, there are two rather different sorts of things related to cryptography that use quantum in their names. As has been noted elsethread, what's generally called quantum cryptography would more accurately be called quantum key exchange. It's basically just a way of sendin some bits over a fiber optic cable, and the receiver can detect whether anybody has tapped into the line to see what was sent.

      The second "quantum" thing is quantum computers. The Shor algorithm (due to Peter Shor) does factoring on a quantum computer in polynomial time, which is more or less the holy grail in fast factoring. The problem is that at least at the present time, there's no such thing as a practical quantum computer -- the most "powerful" quantum computers to date haven't even been sufficiently capable to replace a pocket calculator. Worse, the methods used to create quantum computers so far are widely believed to be unscalable, so there's no certainty that quantum computers can ever become practical -- though there's a great deal of research being devoted to the subject, and there's certainly a possibilty that they might.

      If quantum computers were to become practical, they would also affect symmetric ciphers. Basically, searching for the key of a symmetric cipher is normally proportional to the size of the key space. For a quantum computer, the search is proportional to the square root of the size of the key space instead.

      This, however, has less effect that most people realize. In particular, the size of the key space is squared by doubling the size of the key. In point of fact, many (if not most) current symmetric ciphers already use keys large enough to render attacks by quantum computers

      --
      The universe is a figment of its own imagination.
    11. Re:Factor? by HrothgarReborn · · Score: 2, Informative

      I know you are joking but I have actually had a boss that used this to reason why many security enhancements (like encrypting passwords on the network) were not worth implementing. It is a silly analogy that many people people believe.

      Network based attack are far more common that physical attacks for a lot of good reasons. The main ones are:
      1. Need for proximity is often removed
      2. There is anonimity (much of the time)
      3. There are less legal consquenses
      4. Culpability is harder to prove (Log files don't stand up as well as DNA)
      5. It involves mental rather than physical skill
      6. For many people it is an easier moral justification
      7. Ability to attack thousands of targets at once
      8. Low impact for jobs that don't pan out as expected
      9. No messy cleanup.

      In the world of data security you cannot draw good comparisons to physical secuirty. Often in the physical world you just need to make sure your car is harder to steal than the one parked next to it but in cyberspace a single car thief can attack a whole parking lot, drive away with all of them at once, not show up on any security cameras and even put a remote control device in your car to take over at their whim later. What's best is he can do this from a wheelchair, from a distant city, can be any age, sex, social position or race so profiling doesn't work to narrow suspects. A lot of time there is no motive (not even a finacnial one) other than just the trill of seeing if you can do it. The analogy of relating cyber security threats to real world examples does great injustice to understanding the real problem. But humans need something concrete within their own experiance to relate the problem to and so everyone ties the cyber world to the physical and many bad decisions result.

      Sorry, but I have heard the "they can beat my password out of me easier" a few too many times in complete seriousness to let this pass without comment.

      As for traditional social engineering, it is often quite easy to get someone to tell you their password but it is much more complicated to fool someone into telling you their 2048 bit private key.

  4. Congrats by Anonymous Coward · · Score: 2, Funny

    The answer was 42!
    Now what was the question

  5. Hmmm. by jd · · Score: 4, Funny

    The German Federal Government is short on cash, I know, but resorting to funding the "Agency for Information Technology Security" by winning RSA contests? Besides, if they're so up on IT security, why didn't they just cheat by logging onto RSA's computers?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Hmmm. by LnxAddct · · Score: 5, Interesting

      While I think your remark was a joke about them breaking into RSA's computers, this is still worth mentioning. Noone in the entire world knows or has ever known the factors of the remaining numbers. Read this for more info.
      Regards,
      Steve

    2. Re:Hmmm. by panth0r · · Score: 2, Interesting

      Let's seriously think about this, the Germans, if anything, lost money on this excursion, they upped an bought 80 opteron processors with the hardware required to run them and the RAM needed, they pumped electricity into the building where this heavy processing was taking place, and they paid the people running the computers... all for $30,000 - fees, customs, taxes and such... if anything, they probably lost a substantial sum.

      --
      I like suggestions, but I don't like contributing towards them.
  6. Processor time? by panth0r · · Score: 2, Interesting

    I think that's really cool and would wish them the best of luck, but I would like to know how many processor hours that took them to crack it? Also, with that chunky $30,000 reward, did they turn any profit (after taxes, fees, and such). Second one's a joke, calm down. But it'd be cool to know the processor time it took.

    --
    I like suggestions, but I don't like contributing towards them.
    1. Re:Processor time? by et764 · · Score: 2, Informative

      Does anyone know of something like the GIMPS to factor these RSA numbers? It seems like if 80 Opterons can do it in 5 months, a massive distributed network of computers donating idle time could do this in a much shorter amount of time, such as churning out a new factorization every few weeks. I have a feeling the larger RSA numbers quickly become much more complicated to factor. Does anyone know the complexity class of factorization?

    2. Re:Processor time? by Dubpal · · Score: 3, Informative
      When RSA-200 (a number similar in size to RSA-640) was cracked it was reported (and is noted on this wikipedia page that:

      The CPU time spent on finding these factors by a collection of parallel computers amounted very approximately to the equivalent of 55 years work for a single 2.2 GHz Opteron-based computer. Although that's a rough approximation, it certainly puts the magnitude of effort cracking these numbers involves.

      --
      If you want a picture of the future, imagine a boot stamping on a human face forever.
      - George Orwell
    3. Re:Processor time? by xquark · · Score: 2, Informative

      Contrary to popular belief a large part of the GNFS (the last most important phase, ~80% of the
      algorithms run time) is actually sequential and can not be parallelized in any way shape or form.

      Arash Partow

      --
      Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
    4. Re:Processor time? by Thundersnatch · · Score: 4, Informative
      single binary digit doubles the search space needed

      We're not talking about symmetric cryptography here. We're dealing with large prime numbers and lots of funny math. The General Number Field Sieve factoring algorithm is not O(2^n) like a brute force search on AES would be. The actual order of growth of the GNFS algorithm is:

      O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3))

      This can be found numerous places on the web. So adding one bit to your RSA key does far, far less for you than adding one bit to symmetric cipher like AES. You can do the math yourself, but you'll find that you need to add >>1 bits to an RSA key to double its strength.

    5. Re:Processor time? by Thundersnatch · · Score: 2, Interesting

      Assuming 50W per Opteron and 5 months continuous operation, I calculate they spent at least US$1400 on electricity alone (based on Chicago electric prices, I'm not sure if it's more orless over there).

      And that figure ignores the electriciy used by the other components in the computers (be they servers, workstations, or whatever).

      Still, the $30K in prize money goes a long way toward paying the electric bill.

    6. Re:Processor time? by Thundersnatch · · Score: 2, Informative

      Surprisingly, lowly Excel was able to handle this math for me.
      It looks like a 1024-bit number will take about 73,500 times as long as a 640-bit number to factor using GNFS. Which correlates to about 2.4 million Opteron-years, based on the German factoring of RSA-640.

      Here's a table:
      bits|GNFS complexity
      384| 8.09434E+16
      512| 1.75249E+19
      640| 1.78448E+21
      768| 1.07460E+23
      896| 4.37451E+24
      1024|1.31176E+26
      1536|1.30666E+31
      2048|1.52656E+35
      3072|5.77594E+41
      4096|1.28186E+47

      My understanding of GNFS is that only the sieving steps are trivial to parallelize. The final steps must be performed on a single machine with huge memory. So perhaps a 1024-bit RSA number is even safer than my math indicates, as it may be that no machine which can handle the final steps for a 1024-bit number exists.

  7. Arrgh! by Ventriloquate · · Score: 5, Funny

    My TI-82 was just about to solve that one!

  8. Re:One of Bill Gates' dreams... by et764 · · Score: 2, Funny

    Well, he certainly failed miserably at using less than 640k.

  9. I got part of it by pHatidic · · Score: 4, Funny

    I knew that one of the factors ended in a 1 and the other ended in a 9 or that they both ended in 3. Am I eligible to split the prize?

    1. Re:I got part of it by stevey · · Score: 4, Funny
      Turns out these number anomalies only happen with base-10 numbers. When you have base-16 numbers, these mysterious relationships of the last digits disappear.

      If only there were some magical way of turning numbers from base-16 into base-10. Then those tricks would suddenly be useful again...

    2. Re:I got part of it by Pogue+Mahone · · Score: 4, Informative
      well that still rules out 97 out of 100 possibilities.

      Not really. Both of the factors are prime, so that means that the last digit cannot be 0, 4, 6 or 8. Its also very unlikely to end in 2 or 5, since there is exactly one prime number ending in each of those digits, and those can be ruled out by simple observation. That leaves 4 digits --- 1, 3, 7 and 9, thus there are 16 possible combinations for the two last digits. You narrowed it down to 4 of those possibilities: 1 and 9, 3 and 3, 7 and 7, 9 and 1. So your elimination rate is a mere 75%. Sorry to disappoint.

      Signed:
      The Math(s) Nazi

      --
      Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
  10. Re:Time Matters by joey_knisch · · Score: 4, Insightful

    However what if that team had decrypted a banks RSA key. Sure it may have taken 5 months and the bank may well have changed keys since. But what if they captured all the packets sent/recieved using the cracked key. I guarentee there would be a bit of useful information in them. I know I don't change account numbers / credit card numbers every 5 months.

  11. Re:Irrelevant by patio11 · · Score: 4, Insightful

    From a security point of view, "less than five seconds on modern hardware" is absolutely unnecessary. After a transmission has been intercepted, and we work under the assumption that essentially all of them are these days, that transmission has to remain secure potentially for a very, very long time (sure, an encrypted radio communication might have no operational significance in two hours -- an encrypted dossier of a field agent had better stay secure until he's dead, and an encrypted report on security breaches in US nuclear command&control protocols better stay unbroken for the better part of the next century). And what takes a beowulf cluster of supercomputers 5 months to do today will be possible to crack on a botneck in less than a week by 2010, I guarantee you (I write distributed applications for a living and worked with a three-letter agency which was rather miffed that a competing TLA had the existence of their own internal distributed cracker leaked to the press back in 2002 or so). A couple years after that it will be a few minutes on dedicated hardware and a few years after that a desktop machine will smash it as a matter of course. Events like this are warning flares to people with serious security needs that you need to start transitioning to harder codes or longer key lengths.

    --
    Help poke pirates in the eyepatch, arr.
  12. "640 bits... by Joe+Random · · Score: 4, Funny

    should be enough for anyone."

  13. Re:Irrelevant by cpeikert · · Score: 3, Insightful

    And will not be, unless P=NP, or we use some form of new computers.

    Factoring is almost certainly not NP-hard. It could very well be that P != NP, and yet factoring is easy.

  14. Dual Cores by Zuul42 · · Score: 2, Funny
    If they had waited three months, they could have used dual core CPUs and solved it in half the time.

    Oh wait. No, that wouldn't have worked. Nevermind.

    1. Re:Dual Cores by et764 · · Score: 2, Interesting

      Reminds me of this paper where they argued that large computations can actually be completed faster by slacking off for a few months and then buying a faster computer.

  15. Zombie Cluster by happyEverGeek · · Score: 5, Funny

    I wonder how long it would have taken 1.5 million zombie PCs.

    --
    To a politician, one email equals one voter.
  16. I'll wait for RSA-2048 by Myria · · Score: 3, Interesting

    I won't be interested until they do RSA-2048. Then we could factor the Xbox private key and do whatever we want.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:I'll wait for RSA-2048 by adlib24 · · Score: 5, Funny
      Of course we would only do perfectly harmless things... like...um...use Xbox Live to construct a cluster to factor RSA-4096. ;)

      p.s. all your xbox is belong to us.

  17. Re:Factored... Big Deal by DeafByBeheading · · Score: 2, Informative

    Actually, the next one has only 212 digits...

    --
    Telltale Games: Bone, Sam and Max
  18. An idea by bradbeattie · · Score: 5, Funny

    Why don't we just start using 1.44mb encryption keys. We'd finally have a use for all of these floppies.

    1. Re:An idea by Anonymous Coward · · Score: 2, Funny

      Of course you know that a 1.44MB formatted disk(FAT formatted) only has 1.38MB of free space. So we would need 2 damn disks for your 1.44MB key.

    2. Re:An idea by Ibag · · Score: 3, Insightful

      I realize you were joking, but I'd like to respond anyway.

      RSA keys are based on having two large prime numbers whose product is then difficult to factor. In general, the larger these numbers are, the harder it is to factor: trial division is O(sqrt(n)), and even the best methods of factoring are still of increasing time for increasing numbers. Using a general method, a 1.44mb key would take a LONG time to factor. However, there is one very important caveat...

      If you go high enough, people don't know very many primes. In fact, there are lists of the largest known primes. I'd wager that there are less than a few thousand known primes greater than 2^720k, probably a lot less. This means that if you have a 1.44Mb number which you know to be the product of two primes, then either you can do trial divisions from a short list to factor the number, or else someone has discovered a new large prime.

      In short, if you have a large enough key, the task of generating primes is difficult enough that factoring becomes much easier. To give you an idea of how difficult finding primes is, n has about a 1/(ln n) chance of being prime, and using a specialized algorithm, it takes about a day to check a mersenne number of this size for primality. General algorithms are, of course, slower. This means that, to perhaps an order of magnitude or two, it would take about million 1Ghz computer days to find two new suitible primes to multiply together. Of course, if you do this, its not likely that someone will crack your key without a quantum computer, but its also not likely that you will find a key pair until quantum computers are widespread.

      I guess if you want big keys like that, you should look into eliptic curves. At least by the time you generate a key, there is a chance that it won't be trivial to break!

    3. Re:An idea by locofungus · · Score: 2, Informative

      If you go high enough, people don't know very many primes. In fact, there are lists of the largest known primes. I'd wager that there are less than a few thousand known primes greater than 2^720k, probably a lot less.

      Depends on whether you want provable primes or probable primes.

      It's a five minute job to generate a few thousand probable primes >2^720k. Don't know what you'd do with them though.

      And they will be prime, you can make the probability of them not being prime as small as you like - 1 in 2^100 should be enough.

      But if you want to prove them prime then that is a different matter.

      Every prime used in a real implementation of public key cryptography is a probable prime. The only reason for proving a number prime is to get yourself on the record books.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  19. Re:celeron's by scbysnx · · Score: 2, Funny

    I think he was joking.. I hope he was joking

  20. wikipedia article and easy money by millette · · Score: 2, Informative

    The Wikipedia article on RSA-640 has more info. Check this for easy money ;)

  21. RSA Cracked by Joseph_V · · Score: 4, Funny

    And in only 5 months... how P Q ular.

  22. One of the great Two problems Solved by icecow · · Score: 2, Funny

    ...now if he could just find his keys.

    --
    Stop invalid scientific research. Ask your local scientists to feed their lab rats with a phytoestrogen-free chow.
  23. WTF is the General Number Field Sieve... by acidblood · · Score: 5, Informative

    ...many are asking. It's hard to find introductory materials on the NFS, because the number of people who actually understand the algorithm is probably in the hundreds, if not less, and most are worried about research not teaching. For those interested in a high-level view, plus some low-level details, of the (special and general) NFS, you can have a look at the slides for a talk that I gave on exactly this topic at a crypto workshop a couple of months ago. I won't even try to summarize the NFS here, because anything other than a very high level, handwaving, bird's eye view of NFS would take the better part of a page to explain. However, in this thread I can answer specific questions that anyone might have about the talk above.

    Now for those with the mathematical maturity to delve into the algorithm, I suggest the book Prime Numbers: A Computational Perspective by R. Crandall and C. Pomerance (link to Amazon.com lifted from Google, no referrals), which is certainly one of the best introductions to the algorithm that I have read.

    By the way, if anyone wants to help perform huge factorizations in a distributed computing network, check out the NFSNET, although they mostly apply SNFS on values from the Cunningham tables, no cryptographic targets.

    --

    Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/

    1. Re:WTF is the General Number Field Sieve... by Chapter80 · · Score: 2, Informative
      Yes it does scale up, but the time roughly doubles with each digit added (RSA-641 would take twice as long as RSA-640).

      Actually, it's not quite that bad. Big-O notation helps you to calculate the time it takes to run these algorithms, and there's a formula that helps you determine order-of-magnitude runtime for each digit. (Big-O calculations don't tell you how long it will take in hours, but it WILL help you approximate runtime relative to runtime that you already know.) For instance you can calculate how many times longer RSA-1024 would take as compared to RSA-640. It's a lot longer!

      The Number Field Sieve Big O notation is on wikipedia. You can calculate it with n=640 and with n=1024, and see how much bigger the O is for n=1024. That will give you an idea as to how much longer (or how much more computation) 1024 would take, relative to 640.

  24. Unix factor fails me again! by spinfire · · Score: 3, Funny

    factor:
    `3107418240490043721350750035888567930037346022842 72754572016194882320644051808150455634682967172328 67824379162728380334154710731085019195485290073377 24822783525742386454014691736602477652346609' is too large

    --
    isomerica.net | Foonetic IRC
  25. Re:Irrelevant by cpeikert · · Score: 3, Interesting

    What did I write that is inconsistent with the wikipedia entry?

    "Integer factorization is widely suspected to be outside both of those classes [NP-complete and co-NP-complete]."

    Just because a problem is outside P, doesn't mean it's NP-hard. Which is exactly what I said to start with.

  26. Re:Factored... Big Deal by photon317 · · Score: 2, Interesting


    The 212 digit one (RSA-704) won't be cracked for a long, long time yet using current algorithms like the ones the RSA-640 winners did. 640->704 doesn't sound like much, but it is monumental. I did some back-of-the-envelope math. I'm naively assuming that with a 64-bit gain in key size, the problem complexity is 2^32 harder (since one factor is always under the square root). I'm sure that seive algorithm they're using manages to cut that 2^32 down some, but it's not going to make a practical difference I don't think. If you happen to have ~8000 Opteron cpus at your disposal instead of their 80, and you have the same code they cracked RSA-640 in 5 months with, and it scales up to 8000 cpus just fine, it would take somewhere in the neighborhood of hundreds of millions of years to break RSA-704.

    --
    11*43+456^2
  27. What a guy! by Ponzicar · · Score: 2, Funny

    I don't know who this general Steve is, but he must be one heck of a math whiz!

  28. Re:Zombie Cluster - not feasable =( by iced_tea · · Score: 4, Informative

    from http://www.rsasecurity.com/rsalabs/node.asp?id=208 8

    To put this in perspective, it would require about 1.4 billion 500 MHz machines, each with about 170 Gbytes of memory to do the sieving for a 1024-bit number in the same time as RSA-512. While a hacker might try to steal cycles on the Internet by creating a ?Number Field Sieve Worm? it is hard to see how such an attack could find enough machines with enough memory to make such an attack feasible. Further, such an attack would be detected and shut down rather quickly as with the Robert Morris worm. Of course increasing speed will reduce the required number accordingly. It would take a single Cray with 6 Terabytes of memory approximately 70 million days (192,000 years) to solve the matrix. One could reduce this to a mere 19 years with 10000 Crays each with only 600 Mbytes of memory running perfectly in parallel. It is likely that within 10 years common desktop machines will be as fast or faster than a Cray C90 is now. However, it is unlikely in the extreme that 10000 machines running in parallel will be anywhere close to 10000 times as fast as one machine. It would require 10 million such machines running perfectly in parallel to solve the matrix in about the same time as that for RSA-512.

    So basically, according to the article from RSA it's not feasable... but still an interesting IDEA. Maybe a worm that installs something like folding@home that would have immediate benefits. ;)

  29. Re:Time Matters by Anonymous Coward · · Score: 3, Informative

    So, an opteron has roughly <8.8 peak GFlops:http://www.amd.com/us-en/Processors/Product Information/0,,30_118_8796_8800~96867,00.html> [amd.com] 60 of them would give around 528 GFlops (theoretical max). Given the fastest super computer in the world, the Blue Gene/L has roughly <183500 GFlops:http://www.top500.org/lists/plists.php?Y=20 05&M=06> [top500.org]. That means the Blue Gene/L can factor it roughly 350 times faster (assuming the algorithm scales linearly) or in roughly 9 hours 45 mins. Scary

  30. Recommended key sizes by atomm1024 · · Score: 4, Interesting

    Here is a very useful site, listing estimates of how long various algorithms will be secure, and at what key sizes. It covers public- and secret-key algorithms, as well as hashes.

    http://www.keylength.com/

    --
    Signature.
  31. Re:celeron's by Anonymous Coward · · Score: 5, Informative

    celeron's
    (Score:1, Funny)
    by rufuseddy (781982) on Tuesday November 08, @11:35PM (#13985872)
    (http://www.oceighty.net/)
    blah, if they would of used 80 celeron's they would have cracked it twice as fast.......

    Dude, what's wrong with you? You wrote "would of"[sic] and "would have" in the same sentence! To make matters worse, you didn't capitalize a proper noun ("Celeron"), you used an apostrophe before an "s" in a plural twice, you didn't capitalize the first word of a sentence, and you ended your "sentence" with seven periods. Go back to the fifth grade. Do not pass go. Do not collect 200 dollars.

  32. Re:How does this compare to RC5-64? by cimetmc · · Score: 4, Informative

    You are completely off track here and made 2 huge mistakes in your comparison:

    1) The number RSA-640 has 193 *decimal* digits, but 640 bits (as the number in RSA-640 indicates).

    2) You are comparing symetric key suzes (RC5-64 = 64 bit) with assymetric key sizes (RSA-640 640 bit). You can't compare these key sizes directly. Assymetric key sizes are much bigger than symetric key sizes for the same level of security. So you are trying to compare numebrs that simply cannot be compared.

    Marcel

  33. It works in all bases. by lheal · · Score: 5, Funny

    For any base b, the sum of the digits (in base b) of a multiple of (b-1) add to a multiple of (b-1). The proof is fairly simple: http://www.pseudorandom.co.uk/2002/maths/divby9/.

    For instance, in base 16, 3 * F (45 dec) is 2D, and 2+D=F.

    This leads to a (slow) algorithm for primality check. For a given number r, simply (hah!) check all the bases up to about log_b(r) to see if all your base r belong to us.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  34. I got 100% by RAMMS+EIN · · Score: 2, Funny

    I have an even better one. If you convert the number to binary, you'll observe it ends in 1. The only way to get that from two numbers is if they both end in 1. So here's your first digit with 100% certainty!

    --
    Please correct me if I got my facts wrong.
  35. Not the largest RSA number factored to date by clap_hands · · Score: 2, Interesting

    A nice result! Interestingly, the same team factored RSA-200 last May, which is 663 bits long (confusingly, there's two series of RSA challenge numbers with different naming conventions) but for which no prize was given for its solution. RSA-640 is shorter, at 640 bits, but carries a US$20,000 prize. It's not entirely clear why the team went for the larger, prizeless number first.

    Maybe there's other factors at work here besides prize money? (ROFL etc).

  36. Spending tax dollars vs common sense by appro · · Score: 2, Interesting

    RSA cost study says "It makes no sense for an adversary to spend (say) $10 million breaking a key if recovering the key will only net (say) $10 thousand." Third party payer negates this asumption. Exceptions to the rule are seen in the everyday spending of U.S. taxpayer's millions by low level government employees and politicians alike for their personal gain or amusement, no matter how minor.

  37. Re:Zombie Cluster - not feasable =( by pe1chl · · Score: 2, Insightful

    Remember that those calculations assume a specific algorithm.
    It could always happen that some bright guy finds a more efficient (or more easily distributed) way to attack the problem. This is always a risk with encryption that relies on "computationally hard" problems.

  38. Cost of "one day breaker" system by anfi · · Score: 2, Interesting

    Has anyone publish (theoretical) costs of system capable to break given RSA lenght in one day based on the known systems?

    1. Re:Cost of "one day breaker" system by MooseTick · · Score: 2, Interesting

      Here you go. 80 PCs at $1000/PC churning for 5 months to crack a 640 bit #.

      Assuming it was truly distributive, then 12000 PCs could crack it in a day. Assume each use 500Watts, then each has a power cost of about $.25/day if 1kW/h is a dime. That totals to $12 million for the PCs and another $3000 for power. The power cost is negligable but the infrastructure to distribute that power likely wouldn't be. We'll pretend that we already have a nice building with a 13000 socket power strip for our PCs. Let's say it cost $1 million to be easy.

      That would total $13 million to crack a 640 bit number in a day. Since each added bit doubles the complexity, then to solve for numbers with bits > 640 we could say N= # of bits - 640. From there the cost to crack a number would be $13M * 2^N.

      If you think about it, this is well within the reach of most corporations and could likely be achieved by someone using a virus to steal computing power. The virus could break up the problem and whenever someone hit on the answer it could phone home with it and they could collect the $20k!

      --
      Ninjas don't carry tic tacs
  39. Re:Time Matters by infolation · · Score: 3, Insightful
    This is similar to the issue that the Germans had during WWII

    Although it's identical to the issue that the UK police claim they currently have. Which is why they want 90 days to lock citizens up without charge while they 'factor' their hard-drives.

  40. Re:what about the xbox rsa-2048 by Vo0k · · Score: 2, Interesting

    No.
    About 1200 years.
    Progress in computation of the solution is linear. Moore's law is exponential. By year 3200 the computers will be strong enough to crack it in 6 months.

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  41. Re:How does this compare to RC5-64? by swillden · · Score: 3, Interesting

    So you are trying to compare numebrs that simply cannot be compared.

    Well, you can compare them, but you have to factor in the relationship between the complexity of the attack and the keysize in each case. In the case of RC5, brute force search of the keyspace is O(2^n) where n is the size of the key in bits. As a previous post mentions, the GNFS algorithm's complexity is O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3)), where n is the number to be factored.

    So to compare the complexity of these two attacks you just need to see if 2^64 is larger or smaller than e^(1.9229*ln(2^640)^(1/3)*ln(ln(2^640))^(2/3)).

    Unless I made a mistake, the complexity of RSA-640 is about 5.5e13, whereas RC5-64 is about 1.8e19, so RC5-64 is approximately 300,000 times harder than RSA-640. I'm not sure that GNFS is as easy to massively parellelize as RC5 searching, though, so in practice RSA-640 may be harder than RC5-64, even though it has lower complexity. Also, big-O complexity ignores constant multipliers, so if each step in the GNFS algorithm is, say, a million times more complex than each RC5 trial encryption, than RSA-640 may actually be three times as hard as RC5.

    Okay, so maybe you can't compare them :-)

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  42. Sorry, but isn't this just a waste of electricity? by Dr.+Spork · · Score: 2, Interesting
    I want it to be clear that I support science and the use of brute computation in science, but this is not anything of the sort. After this five-month exercise which cost thousands of dollars of wasted electricity (all those processors could have been idling instead) and the associated increase in global polution, what have we learned? Absolutely nothing. We already knew roughly how long it would take to factor this, it's a quick calculation. But then going through the motions of actually factoring the number is absolutely pointless, and I'd even say irresponsible.

    It's like figuring out how many times you'd need to toss a coin before you'd be likely to get 7 heads in a row... and after figuring this out, actually tossing the coin until you get 7 heads. Anybody who actually did that would a moron. It would show nothing... much like these "factor this" challenges.

  43. not the point by elgatozorbas · · Score: 2, Interesting
    This is completely correct. Any cryptologist could have predicted this give or take a certain margin. Even more: if I were them, I would not have started without an initial estimate.

    However, this is not the point. The point is to prove ANYONE (not only cryptanalyst) that it CAN be broken, though it takes some processing, and there is no alternative for doing.