Factorization of a 768-Bit RSA Modulus

dtmos writes "The 768-bit, 232-digit number RSA-768 has been factored. 'The number RSA-768 was taken from the now obsolete RSA Challenge list as a representative 768-bit RSA modulus. This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousands times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours . . . . Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.'"

Meanwhile in Canada...

[denis-The-menace]

We are forced to use 128-bit encryption for online banking!

Re:Meanwhile in Canada...

Isnt it AES?

Re:Meanwhile in Canada...

I don't believe you. Post your account credentials so I can check for myself.

Re:Meanwhile in Canada...

[jasonwc]

I hope this is a joke. If not, you are confusing the strength of symmetric key encryption and public key encryption. The latter requires larger key sizes because the public and private key pair are mathetmically related whereas in symmetric encryption, there is a single key, and it ought to be randomly generated, and have no mathematical relation to any other value.

The key sizes are given for RSA/DSA encryption. Elliptical curve crypto can use much smaller key sizes while maintaining equivalent security levels. Unfortunately, most ECC is patent encumbered.

Re:Meanwhile in Canada...

[Icegryphon]

Isnt it AES?

Ha, all my important documents are encrypted in Lucifer
ALL HAIL SATAN!

Re:Meanwhile in Canada...

[Kolie]

Maybe they force him to use 128-bit RSA. He didn't really specify.

Re:Meanwhile in Canada...

[corbettw]

Don't worry, your money will be safe in my offshore account.

Re:Meanwhile in Canada...

I was always a fan of twofish, My Niece on the other hand like the red and blue fishes better

Re:Meanwhile in Canada...

AES is a symmetric block cipher, meaning, you both need a shared key. While yes, the actual encryption on the data may be AES (I don't know this for sure), you still need to use a public key encryption method like RSA in order to handshake and transfer keys to each other before using AES.

Re:Meanwhile in Canada...

[jasonwc]

Yes, but he's likely referring to the strength of the SSL connection to his bank. While authentication is done with public key crypto (probably 1024 or 2048 bit key), the actual data stream is encrypted with some symmetric cyrpto algo such as AES or RC4 at 128 or 256 bits.

Re:Meanwhile in Canada...

[Icegryphon]

I was always a fan of twofish, My Niece on the other hand like the red and blue fishes better

Atleast she doesn't do blowfish.

Re:Meanwhile in Canada...

[havock]

We are forced to use 128-bit encryption for online banking!

Maybe you need to get a better bank! I just logged into a top 5 Canadian bank and they are using AES-256 with a 1024-bit RSA cert.

Re:Meanwhile in Canada...

Which is same as his onshore account?

Re:Meanwhile in Canada...

[Bert64]

A lot of banks here still only support 128-bit, most of them only support 128-bit RC4 and don't have support for any kind of AES, let alone 256-bit.
PayPal used to do AES256, but they also don't support it anymore, which seems quite ridiculous.

Re:Meanwhile in Canada...

[xZgf6xHx2uhoAj9D]

Keep in mind that AES-256 only uses a 128-bit key and has recently been broken (down to 118 bits of security or something like that?). AES-256 is currently less secure than AES-128.

Re:Meanwhile in Canada...

[FrozenGeek]

128-bit keys for symmetric ciphers, such as we use for banking equate to much large key sizes for asymmetric ciphers such as RSA. You are comparing apples and volkswagens.

Re:Meanwhile in Canada...

[morgan_greywolf]

Unfortunately, most ECC is patent encumbered.

Well, djb wrote a particular algorithm, Curve25519, that's in the public domain.

(Yeah, yeah, save your comments about djb's personality. Like it or not, the guy's a crypto and security genius.)

Re:Meanwhile in Canada...

[profplump]

AES-256 uses a 256-bit key. It has a fixed block size of 128 bits, but that's unrelated to the key length.

There is a related-key weakness in AES-256 and AES-192, bringing their effective strength down to 2^119 and 2^176 respectively. So AES-192 is your best bet right now, though 2^119 or 2^128 are not exactly feasible attack keyspaces either.

Re:Meanwhile in Canada...

[FrankSchwab]

uhh, no.

AES-256 uses a 256 bit key. It may have a weaker than expected key schedule for using that key, as Schneier has opined (do I know what that means? Not a chance), but it's certainly 256 bits long.

Re:Meanwhile in Canada...

And you know this how?

Re:Meanwhile in Canada...

[canajin56]

That would be RBC ;) BMO uses 3DES-196, TD also uses AES-256, but with a 2048 cert. Scotia Bank and CIBC use RC4-128 though. I guess the OP uses one of those two, and figured "if my bank does this, they all must!"

Re:Meanwhile in Canada...

[Rich0]

Yes, but he's likely referring to the strength of the SSL connection to his bank. While authentication is done with public key crypto (probably 1024 or 2048 bit key), the actual data stream is encrypted with some symmetric cyrpto algo such as AES or RC4 at 128 or 256 bits.

That is only helpful if the person sniffing the SSL connection doesn't capture the initial handshake.

The problem with symmetric crypto is key exchange. With SSL the client generates a premaster key, encrypts it with the server's public key, and sends it to the server. Then the client and server use this to derive a session key (at least, that is my reading of the relevant docs - I think the specifics depend on the exact cipher used). So, if you can crack the RSA key, then you can obtain the session key, which makes the entire session obtainable.

To use symmetric crypto you either need a shared secret, or you need to use a key-exchange technique. I believe all the key-exchange techniques are vulnerable to factoring (or P=NP issues in general), although their details vary. If factoring becomes easy we'll never be able to encrypt communications between parties unless they have a secure channel to exchange keys (typically involving plane tickets).

Disclaimer, I'm not a cryptographer and if somebody has more to add I'm all ears.

Re:Meanwhile in Canada...

[tempest69]

My guess is that the block cipher is selectable (in a manner similar to SCP), and I'm betting that it defaults to AES.
The new Intel proc's rock at AES encrypt/decrypt. Which will likely make it the speed king over blowfish.

Storm

Re:Meanwhile in Canada...

[Anpheus]

He said patent encumbered, not copyrighted.

Something can be open source and if it implements something protected by patent in the US or in other nations with laws that allow software patents or have agreements to make US patents enforceable, then it can still be illegal to distribute, and you'd probably be liable for damages if you built commercial software, but IANAL.

I think the patent encumbrances of ECC are the reason it's mysteriously absent from a lot of commercial software that deals with security and even a lot of Linux distros and software. I'd have to double-check, but for example, I don't think Windows Certificate Services supports ECC.

P.S.: Isn't it horrible that Error Correcting Codes and Elliptic Curve Cryptography have the same acronym? IMHO, we should rename one of the TLAs before it becomes a PITA.

Re:Meanwhile in Canada...

[jasonwc]

Yeah, I'm aware. I'm just pointing out what the first post was likely referring to.

Re:Meanwhile in Canada...

You're so wrong I'm not bothering to provide a correction. If your laziness and opinionated ignorance is that great, it's probably a waste of time. Google is your friend.

Re:Meanwhile in Canada...

[skylerweaver]

I thought they share a key with the http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

So it doesn't matter if someone captures the initial handshake.

Re:Meanwhile in Canada...

[Chris+Burke]

So it doesn't matter if someone captures the initial handshake.

It matters if they can break the public key encryption, and thus discover the shared private key.

Re:Meanwhile in Canada...

[pow(b,2)]

No bank enforcing that policy would be in business long. 128 bit RSA keys can be broken in milliseconds with code written by a mildly persistent 6th grader.

Re:Meanwhile in Canada...

[Kolie]

Fwoosh.

Re:Meanwhile in Canada...

> Atleast she doesn't blow fish.

Fixed that for ya.

Re:Meanwhile in Canada...

[compro01]

If I am understanding correctly, the problem is that p is usually a pseudoprime, rather than a true prime. If you can factorize that, solving for a, b, and thus K becomes far easier.

The pseudoprime bit is because determining whether an arbitrary large number is prime is computationally expensive, but there are shortcuts that will detect most non-primes, but some numbers called pseudoprimes with very large factors slip through, which are usually good enough, as even though they aren't a true prime, there isn't an easy way to factor large numbers, and it therefore takes a long time. But as computers progress, what was impractical before becomes practical.

Re:Meanwhile in Canada...

[skylerweaver]

I am no expert in cryptography, but I remember my CS friends talking about 2 locks on a briefcase.

The shared key is encrypted with key A by Adam and sent to Betty (who can not open it without key A). Betty encrypts this with key B and sends it back to Adam. Adam decrypts this with key A and sends in back to Betty. Since the message now is only encrypted with key B, Betty can open it and get the shared key.

Or is this only a educational exercise and in actuality if you eavesdrop all of these transactions you can determine key A and B?

Re:Meanwhile in Canada...

[bytesex]

Wait. There are intel chips now that do AES ? Like VIA's padlock ? 256 bit AES ?

Re:Meanwhile in Canada...

[Weezul]

I'm unsure exactly what system is used but public keys may be used more thoroughly than you describe.

Example 1 : There are perhaps both presever and preclient keys that must be xored together, which are created separately on each side, and sent using the other's public key, thus ensuring that an eavesdropper must break both server and client public keys.

Example 2 : A sever could generate a session RSA key, digitally sign the session public key, and send both the session public and the server public key as well as the certificate authority's signature for the server public key. The client first verifies the signature for the server's public key and the session public key, then creates a symmetric session prekey like you describe, encrypts that symmetric key with the session public key, and send it to the server.

You may break this in three ways according to conventional wisdom :
(1) quickly break the session public key and listen live,
(2) slowly break the server public key and execute a man-in-the-middled attack to listen live,
(3) record the whole conversation, slowly break the session public key, and listen offline.

I'm pretty sure people breaking these large keys are not breaking them fast enough for (1), which already provides significant privacy.

You may also force them to break both the server and client key for (2) or (3) by symmetrizing the process with preserver and preclient keys, as described in Example 1 above.

Indeed, Example 2 may offer minimal advantages over Example 2 if virtually all connections originate from strangers, ala online banks. Remember, if you make the attacker break n separate keys, your increasing the computations cost for both attacker and legit users by the same factor. If otoh you just use larger key size, then attackers spend far more additional time than users.

Re:Meanwhile in Canada...

[MikeBabcock]

The whole point of this story is that the math behind public keys can be broken after this amount of computation, given a 768 bit key. DH is not special in this regard.

Re:Meanwhile in Canada...

[bytesex]

Eh, the one doesn't really have anything to do with the other. What you're talking about is 128 bit AES, which is symmetric encryption, which is shifting, xoring, and otherwise the making of chaotic of a block of data (16 bytes, in this case). RSA asymmetric encryption/decryption is more like a calculation that you miss certain parts of and therefore can really only be performed one way. To put it another way: symmetric encryption sees a block of data as a bits to be pushed around, while asymmetric encryption sees a block of data as a number to perform a calculation on. A really big number. Strengths of keys in amount of bits are useless in a comparison of both algorithms.

Re:Meanwhile in Canada...

[MikeBabcock]

Public key and regular symmetric block ciphers differ completely in usage and attack.

Public key crypto is typically used to hide a random session key for a symmetric block cipher which is then used for the rest of the "conversation".

That is to say, your bank transactions are being encrypted with some block cipher like 3DES or AES whose random session keys are exchanged privately between your computer and the bank using public key crypto.

If your bank's public key were broken (this story), anyone could get the session keys by evesdropping on your initial connection to the bank. If the block cipher were broken, anyone could grab your data no matter the security of the public key.

Re:Meanwhile in Canada...

[MikeBabcock]

Yahoo Canada's sign-in is 1024-bit RSA using SHA-1 signatures, and a 128 bit RC4 session key.

Re:Meanwhile in Canada...

[Rich0]

The problem is that this is an oversimplification. See the WP entry on Diffie-Hellman.

The values sent between Alice and Bob are inter-related via the discrete log problem - so if you can (relatively) quickly calculate discrete logs you can obtain the session key.

This particular article is about factoring and not discrete logs. A magic way to quickly factor numbers wouldn't necessarily break D-H. However, this article wasn't about a magic way of breaking RSA, but brute-force factorization. If you can brute-force 1kbit of RSA, you can brute-force the equivalent strength in D-H or DSA. The bitwise strength of the two probably isn't identical, but the principle is the same.

The real threat is if somebody comes up with some kind of quantum technique to factor or discrete-log big numbers. If that happens all kinds of NP problems get solved in realtime and that messes up everything. The slow growth in brute-force speed is fully anticipated, but there are practical upper-limits on computing power (if every quark in the universe is a logic gate and is compressed into a near-singularity, the system only goes so fast).

Re:Meanwhile in Canada...

[mlts]

If symmetric key cryptography gets broken in general, what likely will happen is that the well heeled businesses would have a link between sites using quantum encryption. This link is extremely slow, so it would be used to set up session keys. Then the conventional Internet links would be used for the bulk data transfer.

People who don't have the cash for fiber optics would have to use lower tech means. One means would be have people generate a one time pad, and instead of PGP/gpg keysigning parties, people would trade chunks of random numbers with each other. Later on, people would go home and XOR the keyfile they got with the keyfile for a persistant key, and that would then be used with some other system (sha-512 hash of date/time + the keyfile) for a message based key. This way, a known plaintext attack wouldn't reveal the long term key (similar to a shared WPA2-PSK secret).

Where things would get hairy with no public key encryption are one to many transactions, such as communicating with a bank. This probably would end up getting solved by some type of smart card system where the bank's servers have a large amount of shared keys, while the customer would have a smart card that would handle the session key generation, but prevent the shared key from leaving the secure container.

Re:Meanwhile in Canada...

[kestasjk]

There are plenty of alternatives to public-key crypto based on factoring. And it's pretty certain that it won't become "easy" for decades if ever, since quantum computers are coming along so slowly

Re:Meanwhile in Canada...

[owlstead]

I think the patent encumbrances of ECC are the reason it's mysteriously absent from a lot of commercial software that deals with security and even a lot of Linux distros and software. I'd have to double-check, but for example, I don't think Windows Certificate Services supports ECC.

http://blogs.technet.com/pki/archive/2008/01/23/how-to-set-up-a-ca-with-a-cng-ecc-certificate.aspx

Since Vista and Windows 2008 it does, but through CNG not through the more familiar CryptoAPI / CSP.

Even then it is limited to certain NIST curves - forget about doing any enhanced EC cryptography through that API.

Re:Meanwhile in Canada...

[mlts]

What is funny is that in 1991, the NeXT had an implementation of ECC Fast Elliptic Encryption as part of the OS (think NeXTStep 2). However due to ITAR regs, it was removed from subsequent versions.

Re:Meanwhile in Canada...

[owlstead]

There is a related-key weakness in AES-256 and AES-192, bringing their effective strength down to 2^119 and 2^176 respectively.

Only for related key attacks. Never ever leave out the context when talking about broken cryptographic algorithms.

Check it out, if you just generate a random key for each file you encrypt, then no such attack can take place.

AES-128 is certainly strong enough for the first couple of years anyway.

Re:Meanwhile in Canada...

I believe all the key-exchange techniques are vulnerable to factoring (or P=NP issues in general), although their details vary.

There's an exception: quantum key-exchange. You send the key, and the receiver can tell at the other end whether it was sniffed en route. If it was, they don't use it.

Re:Meanwhile in Canada...

[morgan_greywolf]

Since then, however, ITAR regs have been altered; I don't think the Fast Elliptic Encryption in NeXTStep 2 would be subject to todays ITAR regs.

Re:Meanwhile in Canada...

[StikyPad]

Too bad it's already been cracked.

Re:Meanwhile in Canada...

[solafide]

"If factoring becomes easy" --- factoring is just one problem whose difficulty can be used to create a difficult-to-break encryption system. The discrete log problem is essentially different from factoring, and would still be secure if factoring were easy; there are other such problems that can also be used.

Re:Meanwhile in Canada...

[solafide]

They found a vulnerability *in a piece of hardware they developed* --- there are other valid receivers beyond the one they developed. This means quantum crypto is still possible, just not with the kind of receiver they broke.

Re:Meanwhile in Canada...

[DamnStupidElf]

Westmere and onward have instructions that implement the cryptographic primitives used by Rijndael (of which AES comprises three modes); MixColumns, SubBytes, and ShiftRows (and the alternative Inverse variants for decryption). Keying, encryption, and decryption will be significantly faster.

Re:Meanwhile in Canada...

[Rich0]

True - wasn't thinking of this offhand. I wouldn't really classify this as an algorithmic key-exchange technique since it depends on physics more than math.

It also has some significant limitations - being able to get photons from one point to the other without any routing (or you have to trust the routers). It isn't easy to send single photons over any kind of distance. It isn't impossible, but it isn't like it can be used to get a key from one arbitrary location to another one 100 miles away. Just getting it to an arbitrary location 10 miles away would probably be a big challenge. Fiber optics work over moderate distances, but that doesn't get you to arbitrary locations.

I think that in practice one-time-pads used to secure session keys would actually be more practical. You just generate a tape with 1TB of random data on it and fly it to your remote office, and now you can change 128-bit keys every 10 mins for a VERY long time. With only moderate conservation of session keys two friends could exchange 1GB flash drives and be set for life. If this sort of thing were standardized in software your bank could give you a flash drive when you get an account and you'd have a secure channel for a long time as well.

Actually, this sort of system could be far more secure than SSL/RSA (no need to trust a CA when the bank hands you the key at the same time you hand them your cash). The only trick is keeping people from copying your key data without your notice.

Re:Meanwhile in Canada...

[selven]

The way it's usually done is that the public keys are used to encrypt just the symmetric session-specific key (since public key crypto is too slow to encrypt anything substantial) and then the symmetric keys, which are 128 or 256 bits long, encrypt the actual content. So it's not just authentication, it's the setting up of the encrypted connection that public keys are used for.

Re:Meanwhile in Canada...

[David+Jao]

Disclaimer, I'm not a cryptographer and if somebody has more to add I'm all ears.

I am a cryptographer, and your last paragraph has a few details wrong, although the general idea is correct.

I believe all the key-exchange techniques are vulnerable to factoring (or P=NP issues in general), although their details vary.

In fact, even symmetric key crypto is vulnerable to P=NP issues. A nondeterministic Turing machine can break symmetric key crypto just by guessing the (shared symmetric) key.

If factoring becomes easy we'll never be able to encrypt communications between parties unless they have a secure channel to exchange keys (typically involving plane tickets).

There are many public key cryptosystems known, based upon a variety of hard problems. Some of these problems are identical to factoring, some of them (such as discrete logarithms over finite fields) are closely related (but not identical) to factoring, and some of them (like lattice rounding) have, as far as we know, no relationship to factoring.

If factoring becomes easy, we'll just switch to another public key cryptosystem based on a different hard problem. In particular, lattice-based cryptosystems are believed to be secure even against quantum computers.

Bad math...

WTF? 2^1024 != 2^768*1000

Screw you slashdot for making me type more than my perfectly concise statement above that gets the effing point across just fine.

Re:Bad math...

[pclminion]

Everyone likes to show off how stupid they are, I guess. You don't measure public key keyspace like that. Not all possible bit patterns are valid keys. In fact, VERY FEW bit patterns are valid keys.

Re:Bad math...

[marcosdumay]

Yep, but factoration also isn't O(a^n) where a is constant. It is more like O(a^(n/b)) where b is quite bigger than 1.

Re:Bad math...

They just took the line from the abstract in the paper.

Re:Bad math...

[jasonwc]

They're comparing the relative strength of a 768 bit RSA key to a 1024 bit RSA key. Because of the mathematical correlation between the public and private keys, the strength is nowhere near 2^768 or 2^1024. RSA has created a comparison table for RSA -> symetric cipher strength.

1024 bit ----> 80 bit
2048 bit ----> 112 bit
3072 bit ----> 128 bit

However, "1000 times stronger" seems far too small, in any case.

Source: http://www.rsa.com/RSALABS/node.asp?id=2004

Re:Bad math...

[cperciva]

It is more like O(a^(n/b))

No, factorization is more like O(a^(n^b)). For GNFS on RSA-sized inputs, 1000^(n^(1/3) - 2.5) is a good estimate of the number of operations required.

Re:Bad math...

[mikeee]

That's why we need to be more proactive; instead of trying to eliminate all the invalid keys, we should just pick the strongest possible key and standardize on it.

Re:Bad math...

[SoVeryTired]

You need to brush up on your exponents.

If a is some constant, then a^(n/b) = (a^(1/b))^n.
Define c = a^(1/b)
then
a^(n/b) = c^n

You can't just say "where a is constant". You need to specify a.

Re:Bad math...

[marcosdumay]

Yep, you are right. That was a mistake. And, as somebody already noticed, it is O(a^(n^(1/b))), where b > 1.

Re:Bad math...

[pow(b,2)]

Cryptographic strength, as applied to RSA keys, is measured by the time needed to factor the public modulus. The fastest way to do this is today is using the general number field sieve. The run time of the general number field sieve can be estimated as T(b) = exp(1.923 * ln(2^b)^(1/3) * (ln( ln(2^b)))^(2/3)), where b is the size of the input in bits. See Aoki's paper on a kilobit SNFS factorization for details. Chug through this estimate for b = 1024 and b = 768, and you'll find that the ratio is approximately 1000 (I got 1221.15). That's why 1024 bit RSA keys are approximately 1000 times stronger.

Re:Bad math...

A few companies already did.

Re:Bad math...

[owlstead]

Everyone likes to show off how stupid they are, I guess. You don't measure public key keyspace like that. Not all possible bit patterns are valid keys. In fact, VERY FEW bit patterns are valid keys.

Um, no that's just for RSA and DSA. You can more or less measure ECC key spaces like this. AFAIK it is not a fundamental part of asymmetric cryptographic techniques. Since this IS about RSA, the GP is certainly incorrect though. So you make a very valid point but your explanation is slightly off.

Re:Bad math...

[corerunner]

Ali G: What is the bestest pin number? Is it your house number or your birthday?

Can someone explain this to me?

[Monkeedude1212]

So I just did a Wikipedia Crash course on RSA (I knew it was for public/private key encryption) and how it all works mathematically.

But I still don't know what they mean by Factorization, or what that exactly means.

I'm guessing they found all and compiled and tested the possible values and now have a nice big chart? Is 768-bit RSA now considered "broken"?

Re:Can someone explain this to me?

[Arcquist]

It's been a while since I studied this so take this with a grain of salt. I believe RSA involves 2 random large primes, 'p' and 'q' which are multiplied together to form a bigger number, 'n'. There is a bunch of other math to generate two more values 'd' and 'e' from 'p' and 'q'. The public key is 'n' and 'e', the private key is 'n' and 'd'. The math works that you can't get 'd' from 'e'. Factorization means just that, finding the factors of a number. In this case you're given 'n' which you know has only 2 factors ('p' and 'q' are both prime) so if you can factor 'n' and get 'p' and 'q' you can recalculate 'd' yourself and you now have the private key.

Re:Can someone explain this to me?

[bytethese]

Don't worry, I'm puzzled by this too. My profs in school taught us that RSA can't be broken unless you know how to solve discrete logarithms so I am unsure what factoring has to do with it? Although I suppose if I know all the factors of a certain number, I could try to test all possible relatively prime inverses...

Re:Can someone explain this to me?

[jonbryce]

I think it means you can find the private key for a given public key.

Re:Can someone explain this to me?

[bytethese]

For someone who hasn't studied in a while, you seem to have a good grasp. To me, this seems to make sense now given the info you have provided. :)

Re:Can someone explain this to me?

[Mini-Geek]

What they did was factor a 768-bit number, like one that could be used as a 768-bit RSA public key. e.g. to factor 15, you need to find that it is equal to 3*5, which can be easily done by dividing the first few primes and finding that 3 divides 15. To factor a very large number, like a 768-bit number that is semiprime with the two factors both about the same size, (as is the case with RSA public keys) is a very difficult task. It is currently best done by the General Number Field Sieve (GNFS). For more info on any of these concepts, use Wikipedia.
This demonstrates the possibility of breaking any given 768-bit RSA key by factoring the public modulus, and shows how much work that takes. Note, however, that it is still very difficult, and in this case took multiple years of calendar time and hundreds of years of CPU time to crack.
This does not mean that every 768-bit RSA key can be cracked any more easily than it could before, it just demonstrates that we have the ability to crack any 768-bit RSA key (given the time and resources).

Re:Can someone explain this to me?

No. Factorization means that they split the product of two prime numbers into the constituent factors.
As you know now, the premise of RSA public key crypto lies in that it's hard to factorize "long" numbers
(768 bit long, in this case). They have shown that it's doable to factor a 768 bit long non-prime
number.

Keep in mind that proving non-primality and finding a factor are two separate issues. There are very
good primality tests that work in reasonable time on numbers tens of millions bit long (see GIMPS,
for example), yet (some/any) factors of those non-prime numbers are yet to be found, in most cases.

Re:Can someone explain this to me?

[Sir_Lewk]

The very short version of it is that a private key is a set of two very large prime numbers. The public key is these two prime numbers multiplied together. If you have the public key, and are able to factor it, you can determine the private key.

The security of RSA relies on the assumption that integer factorization is hard. So far that assumption, at least publically, has not been shown false (unless you have a quantum computer).

Re:Can someone explain this to me?

[maxume]

They factored a particular number named "RSA-768". They did this using a large but obtainable amount of computing power, meaning that RSA-768 probably shouldn't be used to protect secrets that are more valuable than the amount of computing power they expended (and given how easy it is to use bigger keys, they recommend doing that for everything).

Re:Can someone explain this to me?

[melted+keyboard]

An RSA public key consists of (e, n) and the private key consists of (d, n). If you can factor "n" into "p" and "q", then it is trivial to compute "d" from "e".

Re:Can someone explain this to me?

No, solving discrete logarithms allows you to break the El Gamal public key encryption system. Like prime factorization, the discrete logarithm problem is considered "hard".

Re:Can someone explain this to me?

[shadow_slicer]

No, 768-bit RSA is not broken. they just found the factors for a single number. It only took them 2.5 years, and over 5 terabytes of data too. I don't consider this making 768-bit RSA "broken" any more than 56bit DES is "broken", because they didn't find a way to solve it faster than brute force. The point is that it is now possible to solve this kind of problem. And if they can do it in 2.5 years with 3 supercomputers, a dedicated adversary could probably do it in a few months with a couple dozen.

Factorization is simply finding the prime factors of a number:
For example, the factors of n=21 are p=3 and q=7.

In RSA, I would take these factors and use them to calculate some other things:
I choose e=11 to be my public key exponent (since it is less than and shares no common factors with (7-1)*(3-1)). Then I would calculate my private key exponent "d" such that d*e=1 mod n: for example, d=2 would work.

So you announce n and e publicly. Someone can break your key if they can find d, which is equivalent to finding the two factors of n: p and q. So if I were to tell you 21, you have basically broken my private key once you know 3 and 7 are p and q.
In the article, it's not much different. Basically they found p and q for a 768-bit n.

Re:Can someone explain this to me?

So, this is like the 1024 blade razor?

Wouldn't the expense of carrying around a large cipher become burdensome at some point? Or, are they expecting that Moore's law will continue indefinitely, and that they will always have gobs and gobs of memory and processing power to work with?

One would think that there is a theoretical crossroads (near the quantum bit level) where it will become impractical to have such large ciphers just to check your bank account, because increasing the size of the cipher would require Nth order more bits to be processed on a device architecture that cannot get any more dense without seriously increasing the complexity of the system. (It would become very prohibitive to just increase the bit depth at this point, since quantum entanglement devices become increasingly difficult to manufacture and reliably use as the number of bits increases.)

Granted, that is a long ways off, but this still looks like a virtual incarnation of the 1024 blade razor, where adding more blades "makes it better!"

Re:Can someone explain this to me?

[kalidasa]

RSA uses semiprimes - numbers with only two prime factors. If you know the factors p and q, you can derive the private key from the public key through multiplication mod (p-1)(q-1). There are much faster ways to factorize numbers than brute force - the best is the general number field sieve. It is Diffie-Hellman which uses discrete logs. There are better attacks against discrete logs than brute force, too. Once we have sufficiently powerful quantum computers, both the factorization problem and the discrete log problem will be made trivial by Schor's algorithm.

Re:Can someone explain this to me?

[Rockoon]

Just to be accurate, I do not believe that in RSA you pick two primes but instead pick two values that are at least psuedoprime. Testing large numbers for primality is time consuming, but quick tests can eliminate nearly all composite numbers. The set of numbers that pass these quick tests but are not prime are called psuedoprimes, and are still usually pretty hard to factor.

Re:Can someone explain this to me?

[Digital_Quartz]

Other people have explained factorization in this thread (finding the prime factors that make up a composite number), but I just wanted to point out why making a "nice big chart" won't work.

The "nice big chart" would have to be very big. If you wanted to factor all the numbers from 1 to 2^768, you'd need a chart with 2^768 entries on it. This chart would need to be made of something, or stored on a disk that was made of something. Made of something means it needs to be made of matter, which means it needs to be made of atoms. In the observable universe, there are about 2^84 atoms, so you'd need a universe around 8x10^205 times larger than ours to store the chart in.

Re:Can someone explain this to me?

Recovering an RSA secret key is no harder than the discrete logarithm problem. The RSA public key consists of the pair (e,n) and the associated secret key is (d,n) where any message 0<=m<n can be transformed into the ciphertext c=m^e mod n and the ciphertext can be decrypted as m=c^d mod n.

If one can solve the discrete logarithm problem over Z_n (integers modulo n), then one can recover the exponent d given the element m and a base c. One can simply encrypt arbitrary messages m to obtain a ciphertext c and apply the base c discrete logarithm in Z_n to obtain d.

Re:Can someone explain this to me?

[Sir_Lewk]

That is like saying RSA-16 (if such a thing existed) is not broken because the fasted way of cracking it is factorization. Brute force is a legitimate form of cryptoanalysis, particularly when it is computationally feasible. Calling an encryption scheme "broken" when an attack such as this is demonstrated is quite reasonable, no matter how inelegant you may find the attack.

Suggesting that DES is not broken is very silly because "not being broken" implies on some level that it is still acceptable to use.

Re:Can someone explain this to me?

What they did is considerably more involved than "testing all the possible values". I've got a PhD in maths (wrong sort for what they're doing), and it will still take me a couple of hours (at least) to understand what they did and why it works. Its all tied into number field theory and other such fun. The basics seem to be finding solutions of u^2 = v^2 mod n over some smoothed approximation to the integers. u and v then have a beter than even chance of being factors of n. The tricky part is how you find trial values for u and v...

So, the short answer to "can someone explain this to me?" is "not without a course in number theory first".

Re:Can someone explain this to me?

[u38cg]

Factorisation is just the process of splitting a number - say, 21 - into the numbers that multiply to produce it: 3*7=21. It is cryptographically useful because it doesn't have a short way of doing it: you have to simply try dividing by 2, 3, 4, 5, etc, till you get an answer. When you have a number that's several hundred digits long and only has two relatively large factors, this takes a very long time. There are some tricks you can use to speed it up, but that's essentially it.

Re:Can someone explain this to me?

[maxume]

Sort of, the key sizes are being increased because it is an effective way to offset the increases in computing power, not for marketing reasons.

If something convincingly better comes out, I'm sure people would use it.

Re:Can someone explain this to me?

[morgan_greywolf]

Exactly. They found p and q for one 768-bit n, and it took them 2.5 years, 3 supercomputers and 5 terabytes of data. If your data is important enough for someone to spend these kind of resources, you simply choose a 1024-bit n, or, even better, a 2048-bit n.

If your data is not important enough for someone to spend those kind of resources, then you can continue with 768-bit RSA and suffer no ill effects. If Moore's law holds true, you may want to consider upgrading to 1024-bit. The truly paranoid will want to use 2048-bit n or larger.

To put it very briefly: nothing to see here, move along.

Re:Can someone explain this to me?

By the way, yes, "through multiplication mod (p-1)(q-1)" is a simplification for "using the extended Euclidean algorithm to find the multiplicative inverse of the public key in the cyclic group Z/(p-1)(q-1)."

Re:Can someone explain this to me?

That's an implementation choice, but the principle does call for p and q to be actual primes in order to be truly secure.

Re:Can someone explain this to me?

I don't really want to know how RSA and other encryption systems work as much as I want a simple table of settings/key sizes that will make me immune to advances in technology making them crackable without my having to learn the details of each cryptosystem.

What is the minimum key length for each style of encryption that will mean that cracking the key with a Beowulf cluster of today's best technology would take longer than the age of the universe?

I want to be able to encrypt my signed confession to assassinating President Oprah Winfrey, post it on usenet for posterity and be able to rest easy that not even the concerted effort of nations could uncover by secret by decrypting the file.

Often the author of an encryption package will put a 'recommended value' in the documentation, but it's always with respect to the day's current technology. I want confession goddamnit proof against anything short of discovering P=NP. Speed is nice, slow is OK. Absolutely reliable encryption from now and into the future for at least 100 years is a must.

Re:Can someone explain this to me?

[Sir_Lewk]

I find it weird that people keep on quoting the 5 TB stat as one of the reasons this isn't anything to be worried about. With a few hundered dollars, and a 5 minute drive, I can pick up 5TB of storage right now at Walmart.

Re:Can someone explain this to me?

[morgan_greywolf]

Sure. But the 5 TB of storage you can buy from Walmart comes blank.

5 TB is a lot of data to generate when you're not using BitTorrent to do it. :->

Re:Can someone explain this to me?

[swillden]

Testing large numbers for primality is time consuming, but quick tests can eliminate nearly all composite numbers.

More precisely probabilistic primality testing can be used to ensure that a number is not composite to any required degree of certainty. For example, with the Miller-Rabin test, each time you run the test you have a 3/4 chance of discovering that the number is not prime (assuming it's not). So, you run the test enough time to achieve the degree of certainty you desire. If you run it 100 times and each time the result is "prime", then there is only a 1 in 10^-13 chance that it is composite. Given that level of assurance, it's very reasonable to simply say "it's prime".

If it's not prime then the key will be significantly easier to break, but we just ensure that the odds of that are negligible and go about our business.

Re:Can someone explain this to me?

[Sir_Lewk]

Well yeah of course, that is where the supercomputers and several years of number crunching comes in.

On a semi-related note, I still haven't been able to fill my 320GB harddrive with all of my torrenting :o I honestly don't know how people do it.

Re:Can someone explain this to me?

[morgan_greywolf]

Two words: high-def movies

Re:Can someone explain this to me?

What is it with Americans and writing psuedo instead of pseudo?

I know they sound the same in English, but that's hardly any excuse to have so many people making this mistake. Do your professors write psuedo as well?

Re:Can someone explain this to me?

Maybe we can use Green's Theorem to process a random sieve field with a SixSigma eigenvalue partial differential equation to factorize the resultant RSA?

Re:Can someone explain this to me?

[ispeters]

I think I get your point, but I also think you've missed a point: a 1024-blade razor is probably incrementally better than a 1023-blade razor (for some value of "better"). On the other hand, a 1024-bit key is twice as good as a 1023-bit key. Unless I've forgotten my 3rd-year CS courses, factorization difficulty is exponential in the number of bits, so things get harder really quickly. Of course, Moore's Law is also exponential so, in theory, the time from "use 256-bit keys" to "use 512-bit keys" is about the same as the the time from "use 512-bit keys" to "use 1024-bit keys", but that sort of rebuts your comment. If Moore's Law continues to hold, then the arms race continues, but it remains easier to compute and store a key of arbitrary size than to crack a key of the same size. If Moore's Law becomes a wistfully-remembered relic, then the arms race is over and there's a well-known key size that's easy to generate and store but hard to crack. The only way for the cracking side to win is to find an efficient way to factor large integers. Quantum computing is a potential option, finding a general solution to NP-complete problems is another. Neither seems imminent.

Re:Can someone explain this to me?

[swillden]

That is like saying RSA-16 (if such a thing existed) is not broken because the fasted way of cracking it is factorization. Brute force is a legitimate form of cryptoanalysis, particularly when it is computationally feasible. Calling an encryption scheme "broken" when an attack such as this is demonstrated is quite reasonable, no matter how inelegant you may find the attack.

Suggesting that DES is not broken is very silly because "not being broken" implies on some level that it is still acceptable to use.

Not at all.

You're assuming there is only a single definition of "broken", which is absolutely not the case in cryptography. The definition you're using is what cryptographers would call a "practical break" and it is almost orthogonal to the definitions that cryptographers normally use. Many cryptographic breaks are not practical, for example, but they're still considered perfectly valid breaks. On the other hand many unbroken ciphers exist which are worthless in practical terms, such as RSA-16.

DES falls somewhere in between. It's not worthless in practical terms, since the effort required to break it is high enough for some purposes, but it has relatively little security value in general. However, the fact that DES is not cryptographically broken does have significant meaning -- because it enables us to have confidence that 3DES is secure. I mention this to make the point that cryptographers' definitions of "broken" (there are many) do have practical implications.

Re:Can someone explain this to me?

You would want to have most of that data in memory, not on disk as that would be very slow. That way you wouldn't get the result in 2.5 years but a very large multiple of that time.

Factorization is still hard. These things can't (yet) be done effectively on consumer hardware.

Re:Can someone explain this to me?

But I still don't know what they mean by Factorization, or what that exactly means.

I don't necessarily mean to pick on you, but this post is mostly in response to a number of the other posts below yours that seem to be confused on the subject, too. There seem to be a lot of other people posting here that clearly have some sort of CS and programming backgrounds that don't seem to understand factorization either. And yet somehow this is something that I learned about in high school (and it was covered in a few math classes in college, too). I've never taken a CS class in my life, but I am able to follow the general ideas of what the article is talking about. Why is it that people that specifically work in the field that this applies to don't seem to understand these concepts very well?

Re:Can someone explain this to me?

it's very reasonable to simply say "it's prime"

i guess Megatron will be pissed off

Re:Can someone explain this to me?

[Trepidity]

Some software, such as GPG, uses primality tests that don't actually converge to arbitrary certainty regardless of the number of iterations, because certain rare types of non-primes known as "pseudoprimes", which satisfy tests that usually only prime numbers satisfy, will pass all iterations. For example, GPG uses the Fermat primality test, which will always pass Carmichael numbers. Since Carmichael numbers are extremely rare, though, it doesn't make a whole lot of practical difference.

(The Miller-Rabin test that you mention doesn't have any such category of pseudoprime.)

Re:Can someone explain this to me?

[Chapter80]

In college I wrote a Python program capable of factoring primes up to 1024 bits long. It ran fairly quickly. I should dig out that program, and post it here for peer review. I think you'll find some cleverness in the algorithm used.

Oh here it is.

# Title: Circular Imaginary Number Prime Factorization Program.
# Released under the GPL
#
# Uses imaginary numbers, ratio of circumference to diameter in
# the calculation of the factors of a prime number.
#
# Able to factor prime numbers as large as 1024 bits and up
#
# Key in your input in either decimal or binary

# Runs in O() time.

import math

def exponentiate(num, exponent):
        """exponentiate function, starts at 1, and multiplies by num
              as many times as exponent tells you to.
              Needed as a function, since ^ operator doesn't work on
              complex numbers."""
        result = 1
        for x in range(exponent.real):
                result = result * num
        return result

primenum = int(raw_input("Please enter a really big prime number: "))
factors = []
i = complex(0,1)

for factor_candidate in range ((exponentiate(math.e,math.pi*i)),2):
        if primenum % factor_candidate == 0:
                factors.extend([factor_candidate, primenum/factor_candidate])
print factors

Re:Can someone explain this to me?

[marcosdumay]

Well, 768 was never a standard length for RSA. Everything smaler than 1024 bits was considered broken long ago (512 was broken a few years ago). What this really means is that we should stop using 1024 bits already, and standardize on 2048. By the way, 2048 bits RSA is expected to never be broken on Earth (if we ever go to space and start gathering the majority of the power released by a star, things change), but nobody is really certain.

Re:Can someone explain this to me?

[vxice]

Breaking RSA encryption will become much easier once quantum computing becomes realistic. When factoring large numbers the bottleneck is in data transfer if using multiple computers which is almost required due to processing requirements. Quantum computing allows for better data transfer rates and there are already algorithms that take advantage of this and have been proven in theory but until we get our hands on quantum computing rsa will remain secure.

Re:Can someone explain this to me?

[xaustinx]

"unless something dramatic changes in factoring" Something like using ATI and NVIDIA GPU's to accelerate factoring? something dramatic like that? http://eecm.cr.yp.to/pc109-20090901.pdf If you take the latest in CPU/Multi GPU configurations; and build around the idea of operating them for this purpose, i think RSA-1024 could be cracked in a similar amount of time. Far less than 10 or 5 years. Their paper doesn't make any references at all to GPU accelerated factoring, it's not even on their radar. http://fastra2.ua.ac.be/

Re:Can someone explain this to me?

[russotto]

Last I saw, the GPU based processors had a serious problem when using for cryptanalysis; there was no fast parallel inverse calculation method. However, I was looking at elliptic curve encryption; I don't know if factoring requires inverse calculation.

Re:Can someone explain this to me?

[Hurricane78]

Like say, a botnet.

Let’s calculate this:
So taking you $defaultCPU, whatever that is, a botnet of hundrets of thousands of systems, with (for simplicity let’s say) 1 core, you could crack a 768-bit RSA in... roughly guessed... ...a third of a day. (hundrets of years * 365 / hundrets of thousands of sytems)

I need a botnet! ^^
By the way: It is possible to infect a botnet by infecting the botnet client itself? Should be doable, right?
Or do those clients have some extreme self-protection form being compromised? (After all, the programmer should be an expert in this area. ;)

Re:Can someone explain this to me?

[shaitand]

This team cracked ONE key and it took them 3 supercomputers and 2.5yrs.

Factorization was possible before it was every actually done. Factorization of 1024bit keys is already possible even though it has not yet been.

768bit RSA is no more or less safe to use than it was yesterday. Considering the efforts it took to crack, I'd say 768bit RSA with key expiration of less than 2.5yrs is EXTREMELY safe to use.

Re:Can someone explain this to me?

[Sir_Lewk]

I did not mean to imply that there is only a single valid definition of break in cryptography. It is general knowledge that not all cryptographic attacks are practical. However, that does not mean that practical breaks cannot also be cryptographic breaks.

As you indicated, there are many kinds of cryptographic attacks. Some of them are practical, others are not. Some of them only apply to ciphers when they are used in certain modes. Others only work if an often unreasonable amount of information is already known about the ciphertext or plaintext.

RSA factoring is a rather "crude" attack that only works when the keysize is small. Nevertheless, it is in fact a cryptographic attack. It is also far more complex and efficient than a straightforward bruteforce attack. The purpose of this story was to inform the reader that RSA factoring should now also be considered a practical attack for larger keysizes than it was previously known to be.

In short, there is an RSA break, as we have always known, but it is only practical for small keys. The definition of "small keys" has just been updated.

Re:Can someone explain this to me?

GPUs are not well suited for large integer operations -- the current generation nVidia GPU's take four times as long to multiply 32 bit integers as they do to multiply 32 bit floats, for instance. Modulus also has very slow performance except when the modulus is 2^n.

Re:Can someone explain this to me?

[pow(b,2)]

GPU's are far less useful for the general number field sieve, and any other algorithm is completely useless to factor interesting sized RSA keys. This is because sieving is a memory intensive process which doesn't lend itself well to GPU architectures. Something drastic, as it relates to factoring, means the emergence of a new algorithm.

Re:Can someone explain this to me?

[Hawke]

It means they broke a 768-bit RSA key in 6 months. As a practical matter, everyone has to have the information they had, so the decryption can be done offline. They only used 80 computers, so assuming the task is linearly parallelizable (which I don't know), anyone who cares (and can afford 1000 high-end computers) can break a 768-bit RSA key in about 2 days or so.

Which means that a 1024-bit key is only safe for about 3 years. (But 3 years of 1000 high-end computers dedicated to the task of breaking your key is still really expensive. So that's probably pretty safe. Stealing the computer with the private key is still cheaper). But given the pace of technology and factoring techniques, that will likely come down.

4096-bit keys seem to be sufficiently safe for the foreseeable future. (Didn't gpg used to mock you if you told it to create a key that large?)

Re:Can someone explain this to me?

[Sir_Lewk]

And Caesar Ciphers are EXTREMELY secure against elementary school children when the information you are protecting only has a useful lifespan of a few minutes.

You point, while correct, is irrelevant to my point.

Re:Can someone explain this to me?

[pow(b,2)]

Not to mention that using a chart with single atoms as characters would be distinctly hard to read.

Re:Can someone explain this to me?

[immakiku]

Not exactly true, though the conclusion is almost correct. The problem is that the domain is not 2^768 large. Not all numbers 768 bits long are products of two primes.

Re:Can someone explain this to me?

[Maladius]

In the observable universe, there are about 2^84 atoms

Approximations of the number of atoms in the universe are around 10^80 minimum.
http://en.wikipedia.org/wiki/Observable_universe

That's still far less than 2^768 though. So your original point still stands.
That's a crazy realization though, that there literally wouldn't be enough atoms in the universe to store every number from 1 to 2^768.

Re:Can someone explain this to me?

[Sir_Lewk]

These things can't (yet) be done effectively on consumer hardware.

Ah contraire!

Factoring 768-bit RSA keys can't (yet) be done effectively on comsumer hardware, but it is extremely practical for 512-bit keys. TI graphing calculator hackers did it with the donated CPU time of a handful of hobbists. And they did it 12 or so times in a matter of months.

Factorization is still hard. Factorization of 768-bit keys can't (yet) be done effectively on consumer hardware.

That is a more accurate statement.

Re:Can someone explain this to me?

Refactoring your breakthrough factoring program, I got

print [raw_input ("Type a really big prime number here: "),1]

Re:Can someone explain this to me?

[hivebrain]

Or you could just store it on the Amazon cloud. Their 5 gazillabyte plan will run you about $40/month.

Re:Can someone explain this to me?

[mhotchin]

At university, we used to call them 'industrial grade primes'.

No real point to this post, just a memory from 1987.

Re:Can someone explain this to me?

That's the joke...

"prime factorization" =/= factorizing primes

Re:Can someone explain this to me?

[tlhIngan]

What about how does this RSA-768 refer to the common RSA-128 "strong encryption" used in SSL/HTTPS?

Does the 128-bit mean a 128-bit key that can be trivially factored? Or is it something different?

Re:Can someone explain this to me?

[Fjandr]

Americans have a very low functional literacy rate. The problem is endemic, and is unlikely to go away as people care less about accuracy and more about expediency.

Re:Can someone explain this to me?

[Mini-Geek]

you could crack a 768-bit RSA in... roughly guessed... ...a third of a day.

Sorry, no. That doesn't take into account the fact that some parts can't be run in parallel on many home computers. Not to mention that the longest part, sieving, for a number this size, needs about 1 GB of RAM free, which I'd think people would be likely to notice and shut down pretty quickly...
Sieving is the step that takes the most time, in this case 1500 CPU years ("On a single core 2.2 GHz AMD Opteron processor with 2 GB RAM per core, sieving would have taken about fifteen hundred years."), but can easily be run in parallel. Let's say you have access to 100,000 cores, each with at least 1 GB of RAM that you can use (read the PDF...). It will now take you 5.475 days to do the sieving.
Polynomial selection can, like sieving, be easily distributed, and is a relatively trivial task with 100,000 cores available. (roughly 20 CPU years, or under 2 botnet-hours, and a non-enormous amount of RAM)
The hard parts are the final steps: filtering, building a matrix, solving it, and finding the factors. You basically need one or more supercomputers to do it, with at least one of them having 1 TB of RAM and fast access to 5 TB of data. To do it like they did, you'd also need to write your own block Wiedmann implementation. If not, you'd have to use the block Lanczos, which can only be run on a single computer/supercomputer/cluster.

Doubtless, someone could botnet enough computing power to sieve for an RSA-768 key in a matter of weeks, but to actually finish it and get the factors would require an expensive supercomputer, be it purchased, (better hope whatever's behind that key is valuable...and thank goodness that they were stupid enough to use just a 768-bit key on it) botnetted, (good luck to get one and not have anyone notice!) or otherwise acquired.

Re:Can someone explain this to me?

[levicivita]

Having just read the wikipedia page on RSA and assuming that it is correct, you are wrong. n = p x q where p and q are large primes, not pseudo-primes. As such the informative mod is not warranted.

Re:Can someone explain this to me?

[Rockoon]

If you had explored deeper, you would have discovered (after clicking on the primality test link) that "Most popular primality tests are probabilistic tests. These tests use, apart from the tested number n, some other numbers a which are chosen at random from some sample space; the usual randomized primality tests never report a prime number as composite, but it is possible for a composite number to be reported as prime."
In your rush to respond, you forgot that you arent an expert in the subject so should have explored the matter.

Re:Can someone explain this to me?

[levicivita]

In practice all this paper achieved is the ability to write the following statement, which you can feel free to check with a program like Mathematica (I did). As the parent suggested, once you have p and q, then you can deduce the private key and decode any message encrypted with this key.

1230186684530117755130494958384962720772853569595 3347921973224521517264005072636575187452021997864 6938995647494277406384592519255732630345373154826 8507917026122142913461670429214311602221240479274 737794080665351419597459856902143413
= 3347807169895689878604416984821269081770479498371 3768568912431388982883793878002287614711652531743 087737814467999489
x
3674604366679959042824463379962795263227915816434 3087642676032283815739666511279233373417143396810 270092798736308917

Re:Can someone explain this to me?

[Mini-Geek]

It is cryptographically useful because it doesn't have a short way of doing it: you have to simply try dividing by 2, 3, 4, 5, etc, till you get an answer. When you have a number that's several hundred digits long and only has two relatively large factors, this takes a very long time. There are some tricks you can use to speed it up, but that's essentially it.

This is very, very wrong. What you describe is the most naive possible way to factor a number, a.k.a. trial division (without an obvious "trick" to speed it up: not bothering dividing by composites). There are far more efficient ways to factor large numbers. The fastest, currently, for numbers over about 90 digits without any easily-found smaller factors, is the General Number Field Sieve.
http://en.wikipedia.org/wiki/Integer_factorization
http://en.wikipedia.org/wiki/Trial_division
http://en.wikipedia.org/wiki/General_number_field_sieve

Re:Can someone explain this to me?

[Rockoon]

..and if you look at the runtime of the fastest known primality test that is not probabilistic, you will figure out for yourself that nobody is generating RSA primes with it:

graph of runtime

Re:Can someone explain this to me?

[swillden]

In short, there is an RSA break, as we have always known, but it is only practical for small keys. The definition of "small keys" has just been updated.

Agreed, with one small caveat regarding terminology.

In cryptographic circles, brute force (which factorization is, for RSA) is not considered a "break" of the algorithm. So it would be correct to say that RSA-768 has been shown to be weak, but if you say it's broken people will tend to think you mean some weakness other than practicality of brute force.

That nit aside, your characterization that we've just had the definition of "small keys" updated is spot on.

Re:Can someone explain this to me?

Then gzip it. Duh.

(Kidding!)

Re:Can someone explain this to me?

[mlts]

Don't forget that the computing time (big O) goes up by the cube of the size of the key when doing RSA. So something that takes 2 seconds at 1024 bits will take 8 seconds at 2048 bits.

Right now, RSA is still solid if you use at least 2048 bits for your key (which is the maximum size of a lot of smart cards). However, the key sizes that RSA needs are getting so large (some recommendations on keylength.com even go near 16384 bit keys), that it might be good to find another algorithm like ECC which only uses 200-300 bits for a secure key.

Re:Can someone explain this to me?

[TubeSteak]

The "nice big chart" would have to be very big. If you wanted to factor all the numbers from 1 to 2^768, you'd need a chart with 2^768 entries on it.

Why would you need a chart that big?
Can't you ignore everything that ends in a 0, 2, 4, 5, 6, 8?

I mean, we're only trying to factor prime numbers.

Re:Can someone explain this to me?

[shaitand]

"Suggesting that DES is not broken is very silly because "not being broken" implies on some level that it is still acceptable to use."

Your point, in summary seemed to be that saying RSA 768bit was "not being broken" was unacceptable because it implied that RSA 768bit was acceptable to use.

My point was that during any sort of sane key lifespan, RSA is proof against multiple super computers and that makes it very acceptable to use for almost any purpose.

Re:Can someone explain this to me?

[ntheory]

Miller-Rabin is OK for quick checks but if you're really desperate to prove that a number is prime there's a decently fast test (relatively) called the AKS primality test. http://en.wikipedia.org/wiki/AKS_primality_test

Re:Can someone explain this to me?

[selven]

2^84 atoms? That's only 32 moles! Did you mean 10^84 atoms?

Re:Can someone explain this to me?

In the observable universe, there are about 2^84 atoms

Fyi: It's actually about 10^80 atoms in the observable universe (or about 2^265).

Re:Can someone explain this to me?

[David+Jao]

Just to be accurate, I do not believe that in RSA you pick two primes but instead pick two values that are at least psuedoprime. Testing large numbers for primality is time consuming, but quick tests can eliminate nearly all composite numbers. The set of numbers that pass these quick tests but are not prime are called psuedoprimes, and are still usually pretty hard to factor.

In 1977, when RSA was first published, testing large numbers for primality was time consuming. But in the past 30 years, primality proving algorithms have improved by more than factoring algorithms have improved. Today it is very easy to test large primes for primality and prove (with a computer) that they are prime.

Many actual implementations use pseudoprimes for historical reasons, but there is no reason today to prefer pseudoprimes over primes.

I should also remark that, according to the original text of the RSA Challenge, all of the RSA Challenge Numbers, including the number being factored in the article, were generated using provable primes, and not pseudoprimes. The challenge organizers expended extra effort to use provable primes for the purposes of the challenge.

Re:Can someone explain this to me?

[Digital_Quartz]

10^80 is less than 2^84.

2^4 is 16, so 2^84 == 16^80, which is obviously larger than 10^80.

Re:Can someone explain this to me?

[Maladius]

2^84 != 16^80 16^80 == (2^4)^80 = 2^320 I think you were thinking about (2^4)*(2^80) in which case you'd add the exponents to get (2^84).

Re:Can someone explain this to me?

[Digital_Quartz]

It's true, and you'd also have a hard time encoding two primes on a single atom. But the current estimates on the number of atoms in the universe vary pretty wildly, so it's not a bad guess.

If you really want a more accurate estimate of how much larger a universe we need, you first need to compute the number of composite numbers which are the product of two primes and are less than 2^768. Let K be the number of primes less than the square root of 2^768:

K = PI(root(2^768))

(where PI is the prime-counting function)

The number of composites, N, is "K choose 2", plus all the square numbers:

N = K!/2*(K-2)! + K

So that's the size of the number of values we actually want to store. Storage wise, assume we can store these all in a table sorted by the composite number, and then use a binary search to find the number we're looking for. (This is of course completely preposterous; while you'd only need to access lg(N) records to do a binary search, which is going to be way less than 768, your hard drive is going to take on the order of 10^230 square inches of space to store all this data, so it's going to take your read head a LONG time to do 768 reads all over the disk).

For the naive storage scheme, you'd need 3*768 bits to store each composite and it's two primes. The actual number of atoms you need is dependent on your storage medium. The average storage today for hard drives is around 250GBit/in^2. Stanford has managed a bit density of 35bit/electron with holographic storage technology, which is mighty impressive; you'd only need around 5 atoms per entry.

Then you need to pick which estimate of the number of atoms which exist in our observable universe you like best. :)

Re:Can someone explain this to me?

[Digital_Quartz]

Unfortunately, no. We're only trying to factor composite numbers. Prime numbers are easy to factor; they only have two factors, themselves and 1.

Each and every non-prime, or "composite" number is a product of two or more prime numbers. For example, 28 is the product of 2, 2, and 7.

So, we can actually eliminate all the prime numbers from the chart. You also can eliminate all the composite numbers with more than two prime factors, if your objective is only to break RSA.

But using current technology we also need a lot more than just one atom to store each record of the table in. Even using holographic storage you'd need around 10 atoms, and using a traditional hard drive you'd need around 12x10^18 atoms.

Re:Can someone explain this to me?

being pedantic I suppose, but you'd only need to store numbers up to sqrt(2^768)
(2^384) - within that if my math is right 3.4e113 is expected to be prime.

so more like a universe 1.7e88 times the size of ours =)

Re:Can someone explain this to me?

[u38cg]

The first time you encounter the concept of factoring (as per OP's question) is probably not the best time to introduce mathematics requiring groups and rings. And while the GNFS is indeed magnificently superior to naive searching, it is not sufficiently fast to make a significant difference to the cryptographic strength of a system based on the difficulty of finding large factors - hence, I judged it was not worth mentioning.

Re:Can someone explain this to me?

[levicivita]

Expert or no expert, let's stick to the facts. Here's what wikipedia's page on fast deterministic tests for primality says:

The elliptic curve primality test, which actually proves that the given number is prime, can be proven to run in O((log n)6), but only if some still unproven (but widely assumed to be true) statements of analytic number theory are used. It is one of the most often used deterministic tests in practice.

The elliptic curve primality test is 1) 'a general-purpose algorithm, meaning it does not depend on the number being a special form' 2) has been able to produce a certificate for 'the 20,562-digit Mills' prime' in about 6 years of single CPU run time 3) as of 1991 'it is now possible to test arbitrary integers up to 400 digits in a few days on a single SUN 3/60 workstation' according to the Atkin and Morain paper Elliptic Curves and Primality Proving.

Lastly, from the AKS primality test page, it would appear that the AKS test is more significant as a theoretical result than as a practical algorithm.

I am not an expert in this field, however it appears to me that you may not be one either.

Re:Can someone explain this to me?

[immakiku]

Were you refuting my statement or adding justification to your original estimate?

I agree with your conclusion that building a table is not the correct way to go about this, but if you're going to explain the reason why not, you should be more accurate

Your second estimate is also inaccurate in that it is smaller than the domain size. There are primes greater than 2^384 that are factors of composites less than 2^768.

The difference between the two estimates, though, is only a factor of about 2^16, so basically the true size of the domain is somewhere between 2^752 and 2^768. Neither of those figures are conducive to storage, so yes, your conclusion is correct.

P.S. Your discussion of storage size also clouds the issue needlessly ;-)

Re:Can someone explain this to me?

[Mini-Geek]

The first time you encounter the concept of factoring (as per OP's question) is probably not the best time to introduce mathematics requiring groups and rings.

Granted.

And while the GNFS is indeed magnificently superior to naive searching, it is not sufficiently fast to make a significant difference to the cryptographic strength of a system based on the difficulty of finding large factors - hence, I judged it was not worth mentioning.

While the fact remains that you can make the number large enough for it to be impractical even with GNFS, I must disagree that it makes no significant difference. If the only thing we could do was trial division by primes, a 44 digit RSA composite would need at most ~200 quintillion divisions to find the factors. (see http://primes.utm.edu/howmany.shtml, there are ~200 quintillion primes below 10^22) More than sufficient for safe encryption. Even if you could do 1 billion per second, you'd need almost 6400 years to crack it.
But since there's GNFS, a 309 digit (1024 bit) number is currently the standard, and is being phased out.

In any case, you could've said something along the lines of "There are some more efficient ways, but they are still difficult for large numbers." instead of "There are some tricks you can use to speed it up, but that's essentially it."

Re:Can someone explain this to me?

[Rockoon]

Everything that you have said screams "people using RSA do not use 100% guaranteed primes, but instead must use psuedoprimes because it would take their desktop years to find two large primes"

New algorithms?

[Jonas+Buyl]

1024 bit RSA keys are already considered insecure due to the possibility of finding more efficient algorithms. 2048 is considered secure enough.

Re:New algorithms?

[z4ns4stu]

And newly generated keys for PGP/GPG are suggested to be at least 4096 bits.

Re:New algorithms?

[Dc0der]

Due to the possibility of finding more efficient algorithms? Wouldn't that rule out RSA-any size? 1024 bit RSA keys are considered mildly secure because they are breakable with a large budget.

Re:New algorithms?

[broken_chaos]

Really? Can you cite that somewhere? Last I recall seeing (a few months ago, only) is that 2048-bit was the recommended number (likely secure to somewhere around 2030, I believe), and 4096-bit was the maximum without source modification, due to compatibility issues with some older GPG/PGP implementations for anything larger.

Re:New algorithms?

[z4ns4stu]

I just tried generating a new key using GPG and you appear to be correct. I'll have to go back and try to figure out what I was doing that it recommended I use a key no smaller than 4096-bits.

Re:New algorithms?

[godrik]

Here is the relevant wikipedia approved citation :

http://science.slashdot.org/comments.pl?sid=1501696&cid=30685106

Re:New algorithms?

[Sir_Lewk]

That depends entirely on how much more efficient these new algorithms may be.

Re:New algorithms?

[beej]

I, too, thought the 2048 was the default. However, in lieu of any reason not to choose 4096, I choose (and use) 4096.

Re:New algorithms?

I'm just going to make my PGP/GPG key 65536 bits. :)

The real scary part is 3 years to obsolecence

[DRAGONWEEZEL]

I'd agree with that for government and it's true that the military should phase out 1024, but does the general public need to worry?

Re:The real scary part is 3 years to obsolecence

[z4ns4stu]

I'd say that depends on two things:

1. How much you value your privacy vs. the difficulty of distributing new keys
2. How much you like new toys

Re:The real scary part is 3 years to obsolecence

I'd agree with that for government and it's true that the military should phase out 1024, but does the general public need to worry?

Yes, what could the general public possibly fear from ubiquitous monitoring by the government or military?

Re:The real scary part is 3 years to obsolecence

[FrankSchwab]

In the security world, there's always a tradeoff between the cost of the security, the cost to an attacker to break the security, and the value of the thing being protected.

In the military world, there are many secrets which need to be (are seen as needing to be) kept for many years. For these, an encryption that takes a year and $10M to break may not be good enough, because after a year and $10M, an enemy might have information worth more than that. For my bank account, encryption that takes a year and $10M to break is more than sufficient, because the value to an attacker is approximately $47.32, plus the overdraft fees that they can stick me with.

There is no current concern for the average person, unless you're dealing in nuclear secrets or are protecting a politicians date book. Given a choice in the future, moving to a larger RSA key size is prudent change, but that's about it.

/frank

Re:The real scary part is 3 years to obsolecence

[DRAGONWEEZEL]

hehe

1. I love new toys.

2. I don't keep anything private except pins,passwords,and underpants.

I guess I forgot though that there is this new fangled graphics card as a processor thing... I suppose some malware creator could create a distributed program taking advantage of the power of a graphics card to break these down. In which case, 2048 is a only a few years away (but by then graphics cards will be as big as a TV acording to the size of my 5870)

Re:The real scary part is 3 years to obsolecence

[DRAGONWEEZEL]

Informative post. That's what I was thinking, just not so elaborately.

I guess that's what I was wondering. Is the key size doubling going to do much for "ME" in the next 5 years? What I don't know is what is the cost of the 2Mbit key in system resources to implement in an aplicable way?

Mind you I know nothing of these details, just typing out loud.

Re:The real scary part is 3 years to obsolecence

[DRAGONWEEZEL]

Ubiquitous monitoring encrypted at 2048...
why would they want to hear me fart, and then encrypt it at that rate?

Dude take off your tinfoil hat, their rays can penetrate that now. Please switch to a graphene and lead cap asap. I have one for sale for a measley 2.2 mil. Comes w/ bottle opener, and guiness logo. May only stop rays from one direction. Void when worn over a toupe or comb-over. Not effective on bare skin. Some side efects have been experienced. These include but are not limited to: spontaneous combustion, alien abduction, dreams of standing on a myan tempmle w/ thousands of naked ladies throwing pickles at you, itchy eyes, atraction to fat chicks, and sometimes in rare occurences death, resurection, then death again. Batteries not included. Not valid with any other offer. This coupon has No cash value.

Re:The real scary part is 3 years to obsolecence

[EndlessNameless]

Your sig makes your post exceptionally ironic.

Re:The real scary part is 3 years to obsolecence

[JDeane]

Your post gave me a great idea...

Sure your account may be empty and cracking the encryption not worth it.

but I am sure that there would be more then 10 million dollars worth of accounts in the banking computer.

So why not try to crack them all at one time? What I mean is that if a key does not work for say your encrypted account or what ever try the same key on all the accounts. Probably faster that way then then to try all the keys on one account.

Of course this all assumes unfettered access to a banks computer, and at that point it may just be easier to rob the local Quicky Mart.

Now for downloaded .gov files thats a whole different mess. Pretty much the more secret something is they should encrypt the hell out of it pick some number of bits that makes it so hard to crack that by the time they do the information will be 50 years old.

I think for something to remain that secret the encryption should be measured in MB's not bits. I like the idea of a random location in a Mandelbrot sequence used as key but that might be too easy to crack (I am not a math person when it comes to stuff like this the hardest encryption I ever cracked in my entire life was the Captain Crunch hidden letter crap.. lol) So yeah it could be way too easy for all I know. but I think cracking it would look awesome lol

Re:The real scary part is 3 years to obsolecence

[anegg]

Those are two different values: The value of keeping your data secret (hidden from everyone else) versus the value of keeping your data available to you for your own use. Data backups satisfy the latter, encryption the former. For many people, most of their data needs to be available, but not necessarily hidden.

Re:The real scary part is 3 years to obsolecence

[sp3d2orbit]

At my bank $47.32 + overdraft fees ~= $10 M

Re:The real scary part is 3 years to obsolecence

[ImprovOmega]

Yikes, a 2Kbit key. A 2Mbit key probably won't be necessary for another few thousand years (unless we finally get quantum computing up and running properly).

Re:The real scary part is 3 years to obsolecence

[DRAGONWEEZEL]

Lol whops ty for pointing that out.. I do that all the time, though I'm quite aware of the difference.

Re:The real scary part is 3 years to obsolecence

[DRAGONWEEZEL]

Exactly. If a client loses their pics, they usually place a value of 0-Infinity on them.

$0 if they are on face book, and available to the world.

If they are a hobby photographer, they usually are in the range of 100-500 usd.

If they lost nude pics of themselves to a malware infection, it could be infinate... 8')

I don't discriminate though, and help as many people as cheaply as possible.

The question is what is the cost to implement and use vs. the level of increased protection?

In reality, if someone wants to break encryption for real, they are going to have more resources to break encryption than any one person will have invested in encryption & dedication to using it, which is a fundamental problem for all types of security.

Locking a car is easy, and keeps most people out, but most people don't try to get in...

So if you limit it to the number of people who try to get in, the first to break a window, or use a tow truck gets the car.

Re:The real scary part is 3 years to obsolecence

[Eil]

My take on it has been this: If a larger key length doesn't incur a significant performance or storage penalty, use it. There's always the outward chance that a weakness in the algorithm (or more likely, the implementation that you're using) will contain a flaw that reduces the effective key length. For example, it is believed that brute-forcing AES 128-bit symmetric encryption would take more energy than exists in the known universe. Yet, almost all implementations offer a 256-bit key length. If a shortcut is found that reduces the effective key length of AES by 128 bits, then anyone using a 256-bit key is still fully protected. On modern hardware, the performance difference between the two is completely negligible so there's not really a good argument against using a 256-bit key except that it's probably overkill from a theoretical standpoint.

(Disclaimer to the greater Slashdot audience: I'm an amateur at encryption but I'm always willing to learn more, so if I've got something wrong please correct me rather than insulting me.)

Not obsolete -- defunct

[rwade]

The number RSA-768 was taken from the now obsolete RSA Challenge list as a representative 768-bit RSA modulus.

In fact, the challenge list is defunct, the challenge having been canceled by RSA. The challenges are still scientifically interesting, so to call them obsolete is factually inaccurate.

Re:Not obsolete -- defunct

[Vainglorious+Coward]

In fact, the challenge list is defunct, the challenge having been canceled by RSA. The challenges are still scientifically interesting, so to call them obsolete is factually inaccurate.

You need to address this to the authors of the paper itself, since dtmos didn't "write" a "summary" so much as directly cut & paste from the paper's first paragraph. Yeah, yeah I did RTFA, what was I thinking...

why wait?

[Jodka]

Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.

Or immediately if you are encrypting things now which you want to remain secret throughout the decade and beyond.

Oblig. Futurama reference

[TeethWhitener]

Or you could just use tiny atoms...but have you priced those lately? I'm not made of money!

Very large numbers are awesome.

Whenever something comes up involving work with very large numbers, I have to try to explain this seemingly simple concept to people and usually they look at me like I'm either insane or an idiot. The people that have a decent grasp of math and some common sense, though, get their minds blown and have a new respect for encryption, which is rewarding.

The Meaning of Factorization

[gratuitous_arp]

RSA Labs explains the meaning of factorization in the old Challenge FAQ:

http://www.rsa.com/rsalabs/node.asp?id=2094

Look at the section, "What does it mean when a Challenge Number is factored?"

It is interesting to note that this section of the FAQ makes an example of RSA-768 being cracked in 2010 -- turns out they were very close, whether they tried to be or not (the article states that the number was actually factored in Dec 2009).

Factorization isn't quite bruteforce

GNFS doesn't work by trivial division by all possible divisors. In fact, GNFS is exponentially faster than trial division.

Factoring N with GNFS works by searching for a collection of square equations, i.e. ones trivially factorable into two parts, which are equal mod N. Once several of these are found you take the GCD of their values and the result is one of the factors. For an RSA number there are four possible results, two are useful (the factors) two are not (1 and N). GCD is very very easily to calculate fast. If you get a trivial result you try another set. It only takes a few candidates before the chance of failure is acceptably infinitesimal.

Cracking RSA = Cracking Diffie-Hellman, so no win

[billstewart]

There are potentially three sets of crypto used - RSA, optional ephemeral Diffie-Hellman for more secure key exchange, and the symmetric crypto for message body encryption (typically 3DES or AES.) Symmetric crypto uses relatively short keys, typically 128 or equivalent-to-112 bits; the public-key algorithms use longer keys, but they have special forms so they _need_ to be longer.

Diffie-Hellman key exchange is roughly similar in strength to RSA encryption or signatures.

More importantly, if the Bad Guy can crack your RSA keys, then the Bad Guy can impersonate you in Diffie-Hellman key exchanges by doing a man-in-the-middle attack and forging signatures on the DH key parts.

So if you're using a 768-bit certificate for some reason, or a 1024-bit certificate and the NSA is out to get you, you're vulnerable. (If the KGB is out to get you, it's moot, because they'll sneak into your house or data center and put a keylogger in your keyboard. And if the Mafia's out to get you, they'll just threaten to break your kneecaps.)

Pseudoprimes vs. Real Primes

[billstewart]

No, that's not the problem. Yeah, one time in a million or billion you might have RSA key parts that aren't really primes, but you can decide how paranoid you want to be, and that's not a practical attack. This factoring is taking the RSA public key n=pq and using a combination of good algorithms and lots of brute force to find p and q, and works even when p and q are genuine primes. If p were a fake prime, it might take less horsepower to find it, but this is cracking the hard problem, not just the occasionally-lucky case.

Good algorithms, not just brute force

[billstewart]

This isn't just brute force - the algorithm research has meant that our ability to factor large numbers has been growing a *lot* faster than Moore's law. That doesn't directly apply to breaking DH, except to the extent that factoring is useful in breaking discrete logarithms or the algorithms used are useful for it.

The catch is that you usually keep an RSA key around for a while; DH is often used with ephemeral parameters as well as ephemeral keys, so even if you had a year-long DH crack, it might only let you steal one message. On the other hand, cracking RSA signatures lets you do a man-in-the-middle attack where you substitute your forged DH parameters (which you know) for the target's supposedly-securely-signed parameters.

I smell a new Moore's law

[BlueCoder]

Something like 256bits extra bits of encryption for every 5 or 10 years.

So well probably need approx 25Kbit keys if we are even to have a chance of keeping something encrypted for 100 years. 3Mbit keys for a 1000 years...

Alternatives to Public-Key Crypto? Limited!

[billstewart]

It's generally believed that if you can attack factoring, you can attack discrete logarithms, so Diffie-Hellman in integer prime-number bases is still risky, so if Quantum Computers ever get good enough to bother RSA, they'll be a real pain. On the other hand, Elliptic Curves may still be safe. Nobody's sure quite how safe (right now EC keys can be significantly shorter than factoring-based RSA or DH, but that may fall if there are theoretical breakthroughs, which is much less likely with factoring), but they may be enough, and at least the patents will have run out before Quantum Computers get good enough to factor numbers more interesting than 15.

But otherwise you're stuck with secret-key symmetric cryptography, or One-Time Pads. Remember Kerberos and the various other systems that depend on a Master Key locked safely in a Key Distribution Center? Remember couriers with briefcases handcuffed to their arms? Yuk! There were good reasons to use public keys instead!

There has been some work done on quantum-computer attacks on symmetric key systems, but AFAIK the best that it looks like they'll do in general is to effectively halve the key length, so that's easy enough to work around.

Most ECC patents expire this coming decade

[billstewart]

The basic Elliptic Curve Crypto math was published in 1986 and isn't patented, but there have been a lot of implementation techniques that let you use the stuff efficiently which have been patented. However, even many of those patents have expired already or will soon (plus some of them have problems with prior art that could sink them, but the prime example of that is the Apple/NeXT patent which expires Real Soon.) There are a bunch of patents that issued in 2001 that may be a problem, but even those expire in 2021 unless the US does a Disney and extends them.

The good news is that effective Quantum Cryptography is a ways off - it's unlikely that the next decade will give us widespread effective QC that can reliably factor big numbers, so we aren't likely to need wholesale replacement of free crypto with patented crypto before then.

On the other hand, if QC can also crack ECC, that'd be annoying.

Yes. Sorry. Temporary insanity. :P

[Digital_Quartz]

nm

Revised math

[Digital_Quartz]

So, 10^80 atoms in the universe, which is around 2^265, so 2^768/2^265 = 2^503, or a universe 2.6x10^151 times larger than ours (with all of the caveats I've pointed out elsewhere in this thread about how that's a very rough guesstimate.)

Thanks for pointing out my craziness. :)

Re:Revised math

[Maladius]

Yeah...that's about right...It's incredible how large the number 2^768 really is.
Craziness happens :)