Factorization of a 768-Bit RSA Modulus

← Back to Stories (view on slashdot.org)

Factorization of a 768-Bit RSA Modulus

Posted by CmdrTaco on Thursday January 7, 2010 @05:22AM from the that's-a-lotta-math dept.

dtmos writes "The 768-bit, 232-digit number RSA-768 has been factored. 'The number RSA-768 was taken from the now obsolete RSA Challenge list as a representative 768-bit RSA modulus. This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousands times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours . . . . Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.'"

31 of 192 comments (clear)

Min score:

Reason:

Sort:

Re:Meanwhile in Canada... by jasonwc · 2010-01-07 05:28 · Score: 5, Informative

I hope this is a joke. If not, you are confusing the strength of symmetric key encryption and public key encryption. The latter requires larger key sizes because the public and private key pair are mathetmically related whereas in symmetric encryption, there is a single key, and it ought to be randomly generated, and have no mathematical relation to any other value.
The key sizes are given for RSA/DSA encryption. Elliptical curve crypto can use much smaller key sizes while maintaining equivalent security levels. Unfortunately, most ECC is patent encumbered.
Re:Bad math... by pclminion · 2010-01-07 05:34 · Score: 3, Insightful

Everyone likes to show off how stupid they are, I guess. You don't measure public key keyspace like that. Not all possible bit patterns are valid keys. In fact, VERY FEW bit patterns are valid keys.
Can someone explain this to me? by Monkeedude1212 · 2010-01-07 05:37 · Score: 2, Interesting

So I just did a Wikipedia Crash course on RSA (I knew it was for public/private key encryption) and how it all works mathematically.
But I still don't know what they mean by Factorization, or what that exactly means.
I'm guessing they found all and compiled and tested the possible values and now have a nice big chart? Is 768-bit RSA now considered "broken"?
1. Re:Can someone explain this to me? by Arcquist · 2010-01-07 05:47 · Score: 5, Informative
  
  It's been a while since I studied this so take this with a grain of salt. I believe RSA involves 2 random large primes, 'p' and 'q' which are multiplied together to form a bigger number, 'n'. There is a bunch of other math to generate two more values 'd' and 'e' from 'p' and 'q'. The public key is 'n' and 'e', the private key is 'n' and 'd'. The math works that you can't get 'd' from 'e'. Factorization means just that, finding the factors of a number. In this case you're given 'n' which you know has only 2 factors ('p' and 'q' are both prime) so if you can factor 'n' and get 'p' and 'q' you can recalculate 'd' yourself and you now have the private key.
2. Re:Can someone explain this to me? by Mini-Geek · 2010-01-07 05:52 · Score: 4, Informative
  
  What they did was factor a 768-bit number, like one that could be used as a 768-bit RSA public key. e.g. to factor 15, you need to find that it is equal to 3*5, which can be easily done by dividing the first few primes and finding that 3 divides 15. To factor a very large number, like a 768-bit number that is semiprime with the two factors both about the same size, (as is the case with RSA public keys) is a very difficult task. It is currently best done by the General Number Field Sieve (GNFS). For more info on any of these concepts, use Wikipedia.
  This demonstrates the possibility of breaking any given 768-bit RSA key by factoring the public modulus, and shows how much work that takes. Note, however, that it is still very difficult, and in this case took multiple years of calendar time and hundreds of years of CPU time to crack.
  This does not mean that every 768-bit RSA key can be cracked any more easily than it could before, it just demonstrates that we have the ability to crack any 768-bit RSA key (given the time and resources).
  
  --
  do {print "Mini-Geek Rules!\n";}
  until ($TheEndOfTheWorld);
3. Re:Can someone explain this to me? by Rockoon · 2010-01-07 06:19 · Score: 4, Informative
  
  Just to be accurate, I do not believe that in RSA you pick two primes but instead pick two values that are at least psuedoprime. Testing large numbers for primality is time consuming, but quick tests can eliminate nearly all composite numbers. The set of numbers that pass these quick tests but are not prime are called psuedoprimes, and are still usually pretty hard to factor.
  
  --
  "His name was James Damore."
4. Re:Can someone explain this to me? by Digital_Quartz · 2010-01-07 06:20 · Score: 4, Interesting
  
  Other people have explained factorization in this thread (finding the prime factors that make up a composite number), but I just wanted to point out why making a "nice big chart" won't work.
  The "nice big chart" would have to be very big. If you wanted to factor all the numbers from 1 to 2^768, you'd need a chart with 2^768 entries on it. This chart would need to be made of something, or stored on a disk that was made of something. Made of something means it needs to be made of matter, which means it needs to be made of atoms. In the observable universe, there are about 2^84 atoms, so you'd need a universe around 8x10^205 times larger than ours to store the chart in.
5. Re:Can someone explain this to me? by Sir_Lewk · 2010-01-07 06:24 · Score: 3, Interesting
  
  That is like saying RSA-16 (if such a thing existed) is not broken because the fasted way of cracking it is factorization. Brute force is a legitimate form of cryptoanalysis, particularly when it is computationally feasible. Calling an encryption scheme "broken" when an attack such as this is demonstrated is quite reasonable, no matter how inelegant you may find the attack.
  Suggesting that DES is not broken is very silly because "not being broken" implies on some level that it is still acceptable to use.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
6. Re:Can someone explain this to me? by maxume · 2010-01-07 06:34 · Score: 2, Insightful
  
  Sort of, the key sizes are being increased because it is an effective way to offset the increases in computing power, not for marketing reasons.
  If something convincingly better comes out, I'm sure people would use it.
  
  --
  Nerd rage is the funniest rage.
7. Re:Can someone explain this to me? by swillden · 2010-01-07 07:30 · Score: 4, Informative
  
  Testing large numbers for primality is time consuming, but quick tests can eliminate nearly all composite numbers.
  More precisely probabilistic primality testing can be used to ensure that a number is not composite to any required degree of certainty. For example, with the Miller-Rabin test, each time you run the test you have a 3/4 chance of discovering that the number is not prime (assuming it's not). So, you run the test enough time to achieve the degree of certainty you desire. If you run it 100 times and each time the result is "prime", then there is only a 1 in 10^-13 chance that it is composite. Given that level of assurance, it's very reasonable to simply say "it's prime".
  If it's not prime then the key will be significantly easier to break, but we just ensure that the odds of that are negligible and go about our business.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:Can someone explain this to me? by swillden · 2010-01-07 07:40 · Score: 3, Insightful
  
  That is like saying RSA-16 (if such a thing existed) is not broken because the fasted way of cracking it is factorization. Brute force is a legitimate form of cryptoanalysis, particularly when it is computationally feasible. Calling an encryption scheme "broken" when an attack such as this is demonstrated is quite reasonable, no matter how inelegant you may find the attack.
  Suggesting that DES is not broken is very silly because "not being broken" implies on some level that it is still acceptable to use.
  Not at all.
  You're assuming there is only a single definition of "broken", which is absolutely not the case in cryptography. The definition you're using is what cryptographers would call a "practical break" and it is almost orthogonal to the definitions that cryptographers normally use. Many cryptographic breaks are not practical, for example, but they're still considered perfectly valid breaks. On the other hand many unbroken ciphers exist which are worthless in practical terms, such as RSA-16.
  DES falls somewhere in between. It's not worthless in practical terms, since the effort required to break it is high enough for some purposes, but it has relatively little security value in general. However, the fact that DES is not cryptographically broken does have significant meaning -- because it enables us to have confidence that 3DES is secure. I mention this to make the point that cryptographers' definitions of "broken" (there are many) do have practical implications.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
9. Re:Can someone explain this to me? by Trepidity · 2010-01-07 07:49 · Score: 4, Informative
  
  Some software, such as GPG, uses primality tests that don't actually converge to arbitrary certainty regardless of the number of iterations, because certain rare types of non-primes known as "pseudoprimes", which satisfy tests that usually only prime numbers satisfy, will pass all iterations. For example, GPG uses the Fermat primality test, which will always pass Carmichael numbers. Since Carmichael numbers are extremely rare, though, it doesn't make a whole lot of practical difference.
  (The Miller-Rabin test that you mention doesn't have any such category of pseudoprime.)
  
  --
  10 PRINT CHR$(205.5+RND(1)); : GOTO 10
10. Re:Can someone explain this to me? by Hurricane78 · 2010-01-07 08:11 · Score: 2, Insightful
  
  Like say, a botnet.
  Let’s calculate this:
  So taking you $defaultCPU, whatever that is, a botnet of hundrets of thousands of systems, with (for simplicity let’s say) 1 core, you could crack a 768-bit RSA in... roughly guessed... ...a third of a day. (hundrets of years * 365 / hundrets of thousands of sytems)
  I need a botnet! ^^
  By the way: It is possible to infect a botnet by infecting the botnet client itself? Should be doable, right?
  Or do those clients have some extreme self-protection form being compromised? (After all, the programmer should be an expert in this area. ;)
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
11. Re:Can someone explain this to me? by mhotchin · 2010-01-07 09:12 · Score: 2, Informative
  
  At university, we used to call them 'industrial grade primes'.
  
  No real point to this post, just a memory from 1987.
12. Re:Can someone explain this to me? by Mini-Geek · 2010-01-07 10:48 · Score: 2, Informative
  
  you could crack a 768-bit RSA in... roughly guessed... ...a third of a day.
  Sorry, no. That doesn't take into account the fact that some parts can't be run in parallel on many home computers. Not to mention that the longest part, sieving, for a number this size, needs about 1 GB of RAM free, which I'd think people would be likely to notice and shut down pretty quickly...
  Sieving is the step that takes the most time, in this case 1500 CPU years ("On a single core 2.2 GHz AMD Opteron processor with 2 GB RAM per core, sieving would have taken about fifteen hundred years."), but can easily be run in parallel. Let's say you have access to 100,000 cores, each with at least 1 GB of RAM that you can use (read the PDF...). It will now take you 5.475 days to do the sieving.
  Polynomial selection can, like sieving, be easily distributed, and is a relatively trivial task with 100,000 cores available. (roughly 20 CPU years, or under 2 botnet-hours, and a non-enormous amount of RAM)
  The hard parts are the final steps: filtering, building a matrix, solving it, and finding the factors. You basically need one or more supercomputers to do it, with at least one of them having 1 TB of RAM and fast access to 5 TB of data. To do it like they did, you'd also need to write your own block Wiedmann implementation. If not, you'd have to use the block Lanczos, which can only be run on a single computer/supercomputer/cluster.
  Doubtless, someone could botnet enough computing power to sieve for an RSA-768 key in a matter of weeks, but to actually finish it and get the factors would require an expensive supercomputer, be it purchased, (better hope whatever's behind that key is valuable...and thank goodness that they were stupid enough to use just a 768-bit key on it) botnetted, (good luck to get one and not have anyone notice!) or otherwise acquired.
  
  --
  do {print "Mini-Geek Rules!\n";}
  until ($TheEndOfTheWorld);
Re:Meanwhile in Canada... by Anonymous Coward · 2010-01-07 05:37 · Score: 3, Informative

AES is a symmetric block cipher, meaning, you both need a shared key. While yes, the actual encryption on the data may be AES (I don't know this for sure), you still need to use a public key encryption method like RSA in order to handshake and transfer keys to each other before using AES.
Re:Meanwhile in Canada... by jasonwc · 2010-01-07 05:38 · Score: 2, Insightful

Yes, but he's likely referring to the strength of the SSL connection to his bank. While authentication is done with public key crypto (probably 1024 or 2048 bit key), the actual data stream is encrypted with some symmetric cyrpto algo such as AES or RC4 at 128 or 256 bits.
New algorithms? by Jonas+Buyl · 2010-01-07 05:45 · Score: 3, Interesting

1024 bit RSA keys are already considered insecure due to the possibility of finding more efficient algorithms. 2048 is considered secure enough.
1. Re:New algorithms? by z4ns4stu · 2010-01-07 05:57 · Score: 5, Insightful
  
  And newly generated keys for PGP/GPG are suggested to be at least 4096 bits.
  
  --
  The whole moon and the entire sky are reflected in one dewdrop on the grass. - Dogen
2. Re:New algorithms? by godrik · 2010-01-07 08:18 · Score: 3, Funny
  
  Here is the relevant wikipedia approved citation :
  http://science.slashdot.org/comments.pl?sid=1501696&cid=30685106
Re:Meanwhile in Canada... by Icegryphon · 2010-01-07 05:45 · Score: 4, Funny

I was always a fan of twofish, My Niece on the other hand like the red and blue fishes better
Atleast she doesn't do blowfish.
Re:Bad math... by jasonwc · 2010-01-07 05:46 · Score: 4, Informative

They're comparing the relative strength of a 768 bit RSA key to a 1024 bit RSA key. Because of the mathematical correlation between the public and private keys, the strength is nowhere near 2^768 or 2^1024. RSA has created a comparison table for RSA -> symetric cipher strength.
1024 bit ----> 80 bit
2048 bit ----> 112 bit
3072 bit ----> 128 bit
However, "1000 times stronger" seems far too small, in any case.
Source: http://www.rsa.com/RSALABS/node.asp?id=2004
Re:Bad math... by cperciva · 2010-01-07 05:52 · Score: 3, Insightful

It is more like O(a^(n/b))
No, factorization is more like O(a^(n^b)). For GNFS on RSA-sized inputs, 1000^(n^(1/3) - 2.5) is a good estimate of the number of operations required.

--
Tarsnap: Online backups for the truly paranoid
The real scary part is 3 years to obsolecence by DRAGONWEEZEL · 2010-01-07 06:06 · Score: 2, Interesting

I'd agree with that for government and it's true that the military should phase out 1024, but does the general public need to worry?

--
How much is your data worth? Back it up now.
1. Re:The real scary part is 3 years to obsolecence by FrankSchwab · 2010-01-07 06:48 · Score: 4, Insightful
  
  In the security world, there's always a tradeoff between the cost of the security, the cost to an attacker to break the security, and the value of the thing being protected.
  In the military world, there are many secrets which need to be (are seen as needing to be) kept for many years. For these, an encryption that takes a year and $10M to break may not be good enough, because after a year and $10M, an enemy might have information worth more than that. For my bank account, encryption that takes a year and $10M to break is more than sufficient, because the value to an attacker is approximately $47.32, plus the overdraft fees that they can stick me with.
  There is no current concern for the average person, unless you're dealing in nuclear secrets or are protecting a politicians date book. Given a choice in the future, moving to a larger RSA key size is prudent change, but that's about it.
  /frank
  
  --
  And the worms ate into his brain.
Re:Meanwhile in Canada... by morgan_greywolf · 2010-01-07 06:22 · Score: 3, Informative

Unfortunately, most ECC is patent encumbered.
Well, djb wrote a particular algorithm, Curve25519, that's in the public domain.
(Yeah, yeah, save your comments about djb's personality. Like it or not, the guy's a crypto and security genius.)

--
My blog
Re:Meanwhile in Canada... by profplump · 2010-01-07 06:25 · Score: 3, Informative

AES-256 uses a 256-bit key. It has a fixed block size of 128 bits, but that's unrelated to the key length.
There is a related-key weakness in AES-256 and AES-192, bringing their effective strength down to 2^119 and 2^176 respectively. So AES-192 is your best bet right now, though 2^119 or 2^128 are not exactly feasible attack keyspaces either.
Re:Bad math... by mikeee · 2010-01-07 06:32 · Score: 4, Funny

That's why we need to be more proactive; instead of trying to eliminate all the invalid keys, we should just pick the strongest possible key and standardize on it.
Re:Meanwhile in Canada... by Rich0 · 2010-01-07 06:43 · Score: 4, Informative

Yes, but he's likely referring to the strength of the SSL connection to his bank. While authentication is done with public key crypto (probably 1024 or 2048 bit key), the actual data stream is encrypted with some symmetric cyrpto algo such as AES or RC4 at 128 or 256 bits.
That is only helpful if the person sniffing the SSL connection doesn't capture the initial handshake.
The problem with symmetric crypto is key exchange. With SSL the client generates a premaster key, encrypts it with the server's public key, and sends it to the server. Then the client and server use this to derive a session key (at least, that is my reading of the relevant docs - I think the specifics depend on the exact cipher used). So, if you can crack the RSA key, then you can obtain the session key, which makes the entire session obtainable.
To use symmetric crypto you either need a shared secret, or you need to use a key-exchange technique. I believe all the key-exchange techniques are vulnerable to factoring (or P=NP issues in general), although their details vary. If factoring becomes easy we'll never be able to encrypt communications between parties unless they have a secure channel to exchange keys (typically involving plane tickets).
Disclaimer, I'm not a cryptographer and if somebody has more to add I'm all ears.
Re:Meanwhile in Canada... by Anpheus · 2010-01-07 06:54 · Score: 3, Informative

He said patent encumbered, not copyrighted.
Something can be open source and if it implements something protected by patent in the US or in other nations with laws that allow software patents or have agreements to make US patents enforceable, then it can still be illegal to distribute, and you'd probably be liable for damages if you built commercial software, but IANAL.
I think the patent encumbrances of ECC are the reason it's mysteriously absent from a lot of commercial software that deals with security and even a lot of Linux distros and software. I'd have to double-check, but for example, I don't think Windows Certificate Services supports ECC.
P.S.: Isn't it horrible that Error Correcting Codes and Elliptic Curve Cryptography have the same acronym? IMHO, we should rename one of the TLAs before it becomes a PITA.
Re:Bad math... by pow(b,2) · 2010-01-07 08:12 · Score: 4, Informative

Cryptographic strength, as applied to RSA keys, is measured by the time needed to factor the public modulus. The fastest way to do this is today is using the general number field sieve. The run time of the general number field sieve can be estimated as T(b) = exp(1.923 * ln(2^b)^(1/3) * (ln( ln(2^b)))^(2/3)), where b is the size of the input in bits. See Aoki's paper on a kilobit SNFS factorization for details. Chug through this estimate for b = 1024 and b = 768, and you'll find that the ratio is approximately 1000 (I got 1221.15). That's why 1024 bit RSA keys are approximately 1000 times stronger.