## RSA-576 Factorization Officially Announced 141

Posted
by
timothy

from the what-google-does-in-its-spare-time dept.

from the what-google-does-in-its-spare-time dept.

product byproduct writes

*"RSA Security finally has a news item about the December 2003 factorization of RSA-576. (See earlier Slashdot coverage). We now know what the computational cost was: the 174-digit number was factored "using approximately 100 workstations in a little more than three months"."*
## Lots of hardware... (Score:5, Insightful)

## Re:Lots of hardware... (Score:5, Interesting)

## Re:Lots of hardware... (Score:1)

## Re:Lots of hardware... (Score:4, Insightful)

## half agree (Score:1)

I agree that the analysis could just as effectively be done using bif-O notation and all that, but I still dont think we should knock it.

If you have a problem with people factoring RSA keys, then just dont take interest - go somewhere else.

Personally, I would like to distributed computing used to find out more about the origins of our universe etc..

## Re:half agree (Score:1)

## Re:half agree (Score:2)

GTRacer

- R. Dorothy can take my mod points any day

## Re:Lots of hardware... (Score:2)

## Re:Lots of hardware... (Score:2)

... The only distributed task I contribute to is folding@home because all others don't seem worth the extra energy and heat my PC will put out.Tell you what, when

youpay formyPC andmyelectricity bill, thenyoucan decide what distributed tasks I contribute CPU time to.Yes, that's a bit of a rant, but it is up to the individual to make their own choices about which projects they contribute to. (Does this mean you also complained about all of those screensavers that burned CPU cycles displaying fly

## Re:Lots of hardware... (Score:2)

So Nah!

## Re:Lots of hardware... (Score:2)

## Moron of the day award for you (Score:1, Flamebait)

Cracking RC5 has nothing to do with factorization.

RC5 is a symetric crypto algorithm and winning the challenge is not a matter of smart algorithms like in the factorization case but of brute force, because one "just gave to" try all keys (statistically speaking you're likely to try about half of them, i.e. 2^71 keys) until one decipher the challenge in something meaningful. (in the case at hand recognizing something meaningful is easy as part of the text in the message is already known, in the real worl

## Re:Moron of the day award for you (Score:2)

## Re:Lots of hardware... (Score:1)

The best part is the client runs at the minimum priority, so you only give up cpu cycles if you don't need them.This is something I don't understand: I have either Seti or Folding (not at the same time) running on my Linux box in real-time priority and I can still compile, listen to Shoucast and do everything I want (even launch mplayer if you wish). Of course it's more difficult if you want to play a DirectX game, but I don't see the use of these programs running only at 1% of the CPU when you can do mo

## Re:Lots of hardware... (Score:2)

## Re:Lots of hardware... (Score:2)

## Still safe for a while (Score:5, Interesting)

Safe, that is unless someone invents quantum computers and makes them easy to produce..

## Re:Still safe for a while (Score:5, Interesting)

Also remember the moore's law doesn't apply to factoring algorithms.. This is because for the GNFS the *memory* speed is what's important and that isn't growing nearly as quickly..

Not convinced? Look at the linear proportionality in this graph [inria.fr]

Simon.

## Re:Still safe for a while (Score:1, Informative)

For each specific algorithm, the progress follows Moore's law that states that the speed of computers double every 18 months.At any rate, time to go buy a G5 I think, they are supposed to have pretty fast memory.

## Re:Still safe for a while (Score:2, Insightful)

Sorry for sounding like a dick, but Moore's Law states that the

number of transistorsper unit area doubles every eighteen months. This does not directly correspond to an increase in computer "speed".## Re:Still safe for a while (Score:2)

If my package limit only allows 16,000 transistors but in 4.5 years you get 128,000 transistors, you can solve far more problems and that can give you far more preformace than Moore's law by its self.

## Re:Still safe for a while (Score:2)

Even if one did not INCREASE the number of total transistors - the fact that they are closer together means the clock propogation delay is reduced thus MHz can increase without loss of synchronicity.

electricity does not travel even as fast as the speed of light - that and heat dissapation are the primary barriors to Moore's law.

AIK

## Memory speed vs. CPU speed increases (Score:5, Interesting)

On the other hand, factoring is a problem where the increases in Algorithm Speed have been just as critical as increases in Computer Speed. So maybe GNFS has reached the point where it's computer-speed-bound, but next year's Super-Duper-Number-Field-Sieve may be several times more efficient than GNFS, just like GNFS was several times more efficient than NFS in the ranges that are now interesting. Sometimes this happens just because mathematicians keep doing new work, and sometimes it happens because computer capacity (e.g. memory size) grows enough from Moore's Law that algorithms which weren't practical in the past become practical. There were factoring tools that weren't useful when most computers had 128MB of RAM, but work fine now, and there may be tools that aren't practical when most computers have less than 4GB of RAM, but five years from now your SonyNintendo box will have enough RAM to run Sieve@Home.

## Unless... (Score:1)

## Re:Unless... (Score:1)

## Thank you (Score:1)

## If it were trivial I would have already solved it (Score:1)

precisely640 variables (a320,...,a0 and b320,...,b0 where a0=b0=1, and a*b=n). There are of course 36,869 carry terms and a huge number of intermediate terms, but each of these can be expressed as a function of the bits that comprise the two 321 bit factors.## Safe from whom? (Score:2, Insightful)

If the goal is personal security, I agree that the average credit card hacker is not going to make the investment. On the other hand, the NSA has the hardware resources to attack on a grand scale, with perhaps even better algorithms.

It will be a while before RIAA and MPAA can hijack NSA resources to pursue P2P users, so I guess we ARE still

## Re:Safe from whom? (Score:1)

it took 1000 machines100

## Re:Still safe for a while (Score:1)

## Re:Still safe for a while (Score:1)

Sure ECC has the size thing beat and is better suited for smaller machines, oh and is neater math, but that's about it

Tom

## Re:Still safe for a while (Score:3, Interesting)

symmetriccrypto key doubles the keyspace. In public key crypto which RSA is one type of, it is necessary to add 10 bits to double the difficulty. That 10 bit number is somewhat fuzzy. It can be a little more or a little less depending on whether we are talking about elliptic curves or Diffie-Hellman and others.## See also dmaxwell's correction (Score:3, Informative)

First, adding one bit to the size of a number only doubles the range of possible numbers.

Second, even that doesn't apply to RSA because not every number is a possible key (not even close!). A key is the product of two large primes. Numbers like that are thin on the ground.

Third, there's no value in making your crypto harder to cra

## Re:See also dmaxwell's correction (Score:2)

First, adding one bit to the size of a number only doubles the range of possible numbers.Dear genius:

That *is* exponential. It's 2 to the power of (number of bits). Add another bit, exponential growth. YMMV, HAND.

-Mr. Big Fat Jerk

## These Contests Shape Standards (Score:1)

ANSI X9F1 -- the influential working group that develops US standards for the financial services industry on data security -- has reportedly decided, at least informally, that 2010 will be the year at which they will require an upgrade from 80-bit to 112-bit crypto security.

NIST generally follows the lead of X9 in these matters.

80-bit ciphers are generally understood, on the basis of equivalent resistance to brute force attacks -- the state of the art, as measured by the results in RSA Security's

## Re:Still safe for a while (Score:5, Informative)

Wow nice random word generator.. Can I have a go?

Seriosuly, It's utter rubbish. I mean please explain to me how you stack an S-box into a corner of a cryptographic chamber..

It's just a substitution you muppet.. And cryptography isn't all hardware speed.. I mean WEP [berkeley.edu]

was broken with trivial computing power!Simon.

## Re:Still safe for a while (Score:1)

The flaw made it possible to inject unauthorized packets and reduce the time/space needed for brute forcing the key.

## Re:Still safe for a while (Score:2)

## Re:Still safe for a while (Score:2, Interesting)

WEP had a flaw in the protocol.The flaw made it possible to inject unauthorized packets and reduce the time/space needed for brute forcing the key.Thanks for demonstrating a common misconception in cryptography: it is all about encryption and decryption. Its not. Its also about the algorithms and protocols you use in your applications. Encryption/decryption is a factor in the security but it is not the whole point of cryptography.

As a result, when people break SSL,WEP, it is as much a part of prac

## Re:Still safe for a while (Score:5, Informative)

Bear in mind, using bits to exponentially increase cryptographic strength only works until you reach the Berenstein factor, which is a practical limit on the number of S-boxes that can be stacked in any particular corner of the cryptographic chamber. After a certain point, which varies according to the chamber ceiling, it is possible albiet less space efficient to take advantage of parallel stacking to some extent.Mods -- how could you let this get modded up? First, S-boxes are in DES, not RSA. Next, even if the random reference was to the correct cryptographic algorithm, the rest of the comment still makes no sense at all.

C'mon people, post if you have a clue, and only if you have a clue.

## Security (Score:5, Insightful)

Unfortunately, crypto is only as strong as the user(weakest link)

While it's not always comforting to know these things can be factored, at least we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.

Of course, unless you're the NSA and measure their servers by acres...

## Re:Security (Score:4, Interesting)

we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.Of course, unless you're the NSA and measure their servers by acres...Or if you grabbed the source for the latest windoze worm and modded it to bruteforce keys in addition to spreading...

I have a suspicion that doing that would give you a supercomputer that quite possibly ranked #1 on the supercomputer charts, and for free to boot*.

*) Comes with complimentary government provided lodging and meals.

## Re:Security (Score:2)

While it's not always comforting to know these things can be factored, at least we can take comfort in knowing that *most* hackers/spooks don't exactly have a 100 node server farm laying around just dying to crack your keys.While that may be true, there is still a significant chance that, with less hardware, the hacker can always get "lucky" and be able to use less computing power to "guess" the factorization. For instance, a hacker could just start with a prime number that is an arbitrary distance from

## Re:Security (Score:1)

Responding to the parent post: rather a lot of hackers have easy access to 100 node farms. It's not difficult any more to find 100 cpus, especially for an algorithm such as GNFS which doesn't need especially fast communications between them. The final stages are more of a bottleneck than the sieving, but far from impossible for reasonably clueful people

## Re:Security (Score:2)

RSA keys aren't 1:1 and while my math isn't good enough to prove it, they are 1:many as this code [abnormal.com] shows how it works.

## Re:Security (Score:1)

Of course, they don't remember the million bits, oh no, they have a passphrase, which is something they can reliably type blind and remember, probably some few 10s of effective bits (as it's probably English).

So how secure is this data, again?

## Re:Security (Score:3, Informative)

Yes, it's not going to be difficult to attack the users passphrase if it's stupid. However you make an assumption that most people who encrypt their harddrive keep their keys on the laptop.

I don't.

With loop-aes, you have pretty good abstraction.

So you can have a set of gpg keys, a file encrypted to a given public key, and the data to be decrypted, all in different places.

In theory, it can be done over a netwo

## Re:Security (Score:2)

A Diceware passphrase has 12.9 bits of entropy per word, assuming you can throw dice randomly.

## More about distributed computing... (Score:4, Informative)

A primer on distributed computing [bacchae.co.uk]

## The advantage of one way encryption... (Score:3, Funny)

I encrypt everything on my hard-drive using one-way compact encryption, it only cost me $100 and converts every file into 0 bytes that can't be de-crypted by anyone... not even me. Now THAT is proper security.

I previously used 2^(10e20) bit encryption which would have taken several universes to crack. Unfortunately it took one earth life to encrypt a 1 Mb file so I had to revert to the super-secure method above.

And Yes I do have a tin-foil hat... why do you ask ? Oh and the application that does the one way encryption. Well I work on Windows but I get this Unix utility called Cygwin and the guy sold me a program that does the encryption. I had a look at what was in encrypt.sh and what it says is

cat

Amazing how simple UNIX makes encryption... but then I use Windows so its all beyond me.

## Hundred computers * 3 months (Score:5, Interesting)

"Toy Story 2" had about 800,000 computer hours worth of rendering.

"The Hulk" had 2.5 Million computer hours [nydailynews.com]

My office has nearly 400 fast machines , imagine this running them makes it 25 days . Running that every weekend makes it 12 weeks or 3 months

DDoS time is over with all networks being careful about... the next big windows worm will be a distributed processing program

## Re:Hundred computers * 3 months (Score:4, Interesting)

Even with military-style secrets, timing is key. If a US war plan is intercepted by a foreign intelligence service, only to be decrypted months later, that data is pretty useless.

## Re:Hundred computers * 3 months (Score:2, Interesting)

would anyone invest Pixars IT budget to steal a few credit card numbers?It depends on the credit limits of the cards, and whether or not the holder knows the data's been accessed..

## Re:Hundred computers * 3 months (Score:2, Interesting)

## Factoring in advance (Score:1, Interesting)

## Re:Factoring in advance (Score:4, Insightful)

If you knew that factoring big numbers was important to breaking encryption, and would be for quite a long time wouldn't you simply have started a huge factoring effort decades ago? I know I would have.Factoring what? You won't know the number you need factored until you intercept or steal the encrypted data.

You could, I suppose, start multiplying every pair of primes together and try and organise a database of the results but the storage - even if you just store some sort of clue to the primes used - would be staggering, even for just 1024-bit RSA.

## Re:Factoring in advance (Score:1)

## Re:Factoring in advance (Score:3, Informative)

Not true, because if you can factorise the modulus in the public key (which is generally easy to get), you can generate the private key.Yeah, that was misleading - I was just trying to say you need a target for your arbitrary factor effort. In my mind I'd figured you'd have to have the encrypted message to know what private key it was encrypted for - although I realise now that's not necessarily true (and neither's the reverse). But it could be for real tinfoil-hat types

There's no good reason, either

## Re:Factoring in advance (Score:5, Insightful)

You won't know the number you need factored until you intercept or steal the encrypted data.You don't have to steal anything. The number to factor (the modulus) is given away as part of the public key.

organise a database of the results but the storage - even if you just store some sort of clue to the primes used - would be staggering, even for just 1024-bit RSA.For 1024-bit numbers, the factors will be on the order of 512-bits. The density of primes is rougly 1/ln(n), and ln(2^512) is about 355, so you should expect around every 355 numbers to be prime. That's

only3e151 numbers, not to mention that you'd have to figure every product of the two, which is 0.5*(3e151)^2, or 7e302 numbers.Staggering doesn't begin to describe how many of these things you'd have to store.

## 40 Licks (Score:3, Funny)

How many licks does it take to get to the center of a Tootsie Pop?

I'm afraid the world will never know.

## Re:40 Licks (Score:2, Funny)

## Re:40 Licks (Score:1)

2

3

CRUNCH3

## If anyone wants... (Score:3, Informative)

## Virginia Tech (Score:1, Interesting)

artlu [artlu.net]

## Re:Virginia Tech (Score:4, Insightful)

Uh, oh, someone is bad at math...

I don't think VA's unknown numbered G5 park is about 2^448th more powerful than 100 PC(?) nodes. I don't think it's possible.

Or, I simply have been trolled :)

On the other hand, let me check my sig again...

## Why waste all the CPU power? (Score:5, Funny)

## Anyone know what the predicted strenght was? (Score:3, Interesting)

I mean, when they say that we should be using 4096bit keys today, how long do they predict that it will take to crack that key? (taking into account Moores law and perhaps linear growth over time of the number of clients contributing CPU cycles). Is it possible to guestimate?

## Key and Information Lifetimes (Score:2)

But the universe refuses to maintain the 'state' in which it was in and several factor

## Jens Franke (Score:5, Interesting)

I happen to know him a little, as one of my friends is his student, and another one was. If you think mathematicians are crazy, Franke is more than that. When you talk to him, he will usually just continue to stare at the piece of paper he has directly in front of his eyes (Nobody knows why he isn't wearing glasses.) and think of that as a normal way of communicating. His office consists of 3 huge desks (plus a computer desk); on each of them there is huge bunch of completely unorganized papers lying around, mixed with empty yoghurt cans.

His mathematical skill is enormous, he has done research in quite a lot of different areas of mathematics (analysis, algebraic geometry, algebraic topology, category theory), but he never bothers at all with making his results well-known. (In fact, at least one time he actually had to be persuaded to even publish his result, which got immediately accepted in

Inventionaes, the most highly regarded journal in pure mathematics.) He even couldn't be bothered to apply for a much better-payed position at another university in Germany when he was almost urged to do so.Anyone who knows him will burst out laughing when he reads that he supposedly said "I'm very proud of all these individuals from around the world and their efforts to solve this first factoring challenge." and all this other stuff in that paragraph of the article. I bet the author of this press release desperately tried to get some phrases longer than 5 words out of his mouth, gave up, and then decided to just make up all the quotes.

Now with his mathematical skills, number factoring is (in his own opinion) a rather dull activity. The reason he is doing this is that he expects an economic breakdown soon, and he thinks of his knowledge in number-factoring as an assurance against the coming job crisis. (Of course, his position is guaranteed by the German state until his retirement.)

But if you manage to get along with him, he is actually quite nice and extremely helpful.

## Re:Jens Franke (Score:2, Interesting)

I happen to know him a little, as one of my friends is his student, and another one was. If you think mathematicians are crazy, Franke is more than that. When you talk to him, he will usually just continue to stare at the piece of paper he has directly in front of his eyes (Nobody knows why he isn't wearing glasses.) and think of that as a normal way of communicating.I also know Jens quite well (we are on first-name terms) and he seems sane enough to me. Perhaps I have hung around with mathematicians too

## Next Time, Hire Google (Score:4, Interesting)

And they had the money to hire the experts needed to manage that cluster like a single supercomputer. Sure, they probably got some of that initial funding from ordinary venture capitalists, but what if some Govt. outfit helped, on the grounds of requesting access for occasional factoring purposes? After that IPO gets invested in a bigger farm, not even 2048-bit keys may be safe.

## So, has any Slashdot reader checked the results? (Score:2)

The last digit looks OK, anyway.

No, don't bother to flame me for laziness... I already know...

There was a time when I would have tried to do that

on paper by hand, just to keep in practice. These days, not only am I too lazy to try that, but I don't currently have any software system at hand that implements indefinite-sized integer arithmetic... and I'm too lazy to implement one.## Re:So, has any Slashdot reader checked the results (Score:2)

## Re:So, has any Slashdot reader checked the results (Score:1)

## Re:So, has any Slashdot reader checked the results (Score:1)

## Re:So, has any Slashdot reader checked the results (Score:2, Informative)

BigInteger p1 = new BigInteger("3980750864240649373971255005503864911 9 9064362342526708406385189575946388957261768583317" );

BigInteger p2 = new BigInteger("47277214610743530253622307197304822463 2914695302097116459852171130520711256363590397527" );

BigInteger p = p1.multiply(p2);

System.out.println(p);

188198812920607963838697239461650439807163563379 41 73827007633564229888597152346654853190606065047430 45317388011303396716199692321205734031879550656996 2213051

## Re:So, has any Slashdot reader checked the results (Score:2)

Use Pari/GP [u-bordeaux.fr]. It's even GLP.

## Re:So, has any Slashdot reader tryed python? (Score:1)

## soooo.... (Score:2, Insightful)

## RSA Labs had a press release way earlier (Score:2)

It just took some time to get to the marketoid...

Factorization of RSA-576 [rsasecurity.com]

## ugh... 4.5 months - for this? (Score:2)

My summary: they used about 100 workstations and it took 3 months. General credits to those involved.

That's it. Oh yeah, and a quote.

My interest is in how an individual's effort would have compared to their's. 100 machines is a little too vague - and is only really useful in the initial sieving process anyway. The last stage hasn't been implemented in a distributed fashion yet, so it can only be done on one.

Perhaps an estimate that can be roughly referenced by ot

## Re:ugh... 4.5 months - for this? (Score:1)

Jeeze, what planet (or university) are you from? Someplace where Google or Copernic is outlawed?

Mind you, this is a formal announcement, not an article. The technical details are for the researchers to announce, that's not RSA's reponsibility. And while the inital report of a factoring success -- and mention of any new technique -- usually spreads quickly over the Net (watch the Yahoo Prime Numbers [yahoo.com] group), academic papers take longer. And when you're dealing with experts at this level, they'll take their

## Re:ugh... 4.5 months - for this? (Score:2)

Second: Not unlike countless others, you misread one of my posts. I honestly can't see where I asked for theory. I am looking for how hard it was to solve this problem.

Wasn't that the point of the challenge? To quote the website [rsasecurity.com]: "to encourage research into computational number theory and the practical difficulty of factorin

## Re:ugh... 4.5 months - for this? (Score:1)

"I honestly can't see where I asked for theory. I am looking for how hard it was to solve this problem," sez TB.I sympathize with your interest in some straightforward measure that would allow you to compare one factoring project with some previous project. I really do.

Unfortunately, I think you are confusing your irritation with the tardy "formal announcement" of the joint project's success -- the basis for the /. "article" -- with your frustration that the prime researchers (Jens Franke and Thors

## Goes to show (Score:3, Insightful)

## Why bother? (Score:2)

We now know what the computational cost was...We also could have spared ourselves the computer-months of CPU time and just computed the computational cost using a few miliseconds of calculator time.

The only time such an exercise is successful is when a new code-breaking technique is developed to solve the problem, not when brute force wins.

## Re:It has to be asked... (Score:2, Interesting)

What does this tell us? That if you throw enough machines and/or money at a solvable cryptographic challenge you'll solve it?

## Re:It has to be asked... (Score:2)

## Re:It has to be asked... (Score:1)

Couldn't agree more.. but from what I see they didn't use a distributed client.Not entirely true. The article states that three of the contributors were part of NFSNET [nfsnet.org] which does have a distributed client.

Paul

## Re:It has to be asked... (Score:5, Insightful)

It tells us HOW MANY machines we need to throw at the challenge.

The whole key to protecting information is to make it cost more to recover the information than it is worth.

For example, if information is going to need to be kept secret for twenty years, projects like this help you learn based on current technology, how much crypto is sufficent (or overkill).

## Re:It has to be asked... (Score:1)

## Re:It has to be asked... (Score:2)

## Re:It has to be asked... (Score:4, Insightful)

Surely a complexity calculation would suffice? After running a few iterations of the solverBecause there's no motive to optimise the solver. Open up the project, offer a prize and you'll get many eyes looking for the absolute best solution - then you can study the complexity of that.

## Re:It has to be asked... (Score:2)

That post deserved its +5 Insightful but here's a quibble anyway.

The idea of making information more expensive to crack than it's worth depends on your being attacked by people with economic motives.

If the attackers are true hackers they'll do it for the challenge. The more elaborate and clever your security, the harder they'll work. The "solve a puzzle-win a prize" motivation pulls people hard

## Re:It has to be asked... (Score:2)

The idea of making information more expensive to crack than it's worth depends on your being attacked by people with economic motives.I understand what you are saying, however it's besides the point. In protecting

anythingyou need to assess what (or who) exactly the threat is, including their motivation, be it social, political or financial for example. Even if, in your scenario, its a bunch of challenge-happy hackers, then you merely protect your information according to this different threat. This may## Re:It has to be asked... (Score:1)

If we all remember our RSA encryption methods, or in fact any encryption method, they are all breakable, it's just a matter of enough computing power to do it. With RSA all you have to do is factor the big prime number pq into p and q and then you know phi = (p-1)(q-1) and from there you can get the decryption exponent no problem.

Encryption was designed to be just unbreakable

enough, not totally unbreakable. 576-bits is a small one compared to what is often used for critical data these da## Re:It has to be asked... (Score:2, Insightful)

Like RC5 for example. If you break the RC5-64 key, everyone is happy. Then they want to break the RC-72 key.

Wow.. it takes ages and ages.. and what does it *really* proof?

Yes, it is breakable too.. wow. I'd rather have a few new medicins available, thank you :)

What I'm trying to say: there is plenty of computer power available on this world.. bu