Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Science Technology

RSA-640 Factored 299

gslin writes to tell us MathWorld News is reporting that RSA-640 has been factored. F. Bahr, M. Boehm, J. Franke, and T. Kleinjung, memebers of the German Federal Agency for Information Technology Security (BSI) announced they had cracked the 193-digit number last Friday using the General Number Field Sieve. The team purportedly used 80 opteron CPUs and 5 months to achieve victory.
This discussion has been archived. No new comments can be posted.

RSA-640 Factored

Comments Filter:
  • easy (Score:5, Funny)

    by Anonymous Coward on Tuesday November 08, 2005 @11:35PM (#13985871)
    640=2*2*2*2*2*2*2*5.

    What do I win?
  • by adlib24 ( 739952 ) on Tuesday November 08, 2005 @11:36PM (#13985873)
    I wish had nothing better to do for five moths than factor numbers...geez...who needs the Internet when there are numbers to factor. :)
  • Factor? (Score:2, Interesting)

    by brilinux ( 255400 )
    I hardly know 'er...

    Seriously, this is interesting stuff. Of course, everytime we come up with a new security mechanism, computing power will overcome it. Fortunately, not everyone can do this sort of thing, and it takes time. But, as a mathematician, it is interesting to see both the methods used to crack this sort of thing, and, at least to me, more interestingly, the methods that are used to come up with new encryption systems. I cannot wait to see what will occur in several years, and even bigger pr
    • Re:Factor? (Score:5, Insightful)

      by drgonzo59 ( 747139 ) on Tuesday November 08, 2005 @11:49PM (#13985985)
      "everytime we come up with a new security mechanism, computing power will overcome it"

      -Not always true. Say I can come up with a 2048 bit encryption, that is just increase the key size from 256 to 2048, I can to that in a second. It is going to take _a lot more time_ for the computing power to overcome that increase.

      If quantum computing will come around, I'll just switch to quantum encryption. Then you'll have to break the laws of QM to "break" the scheme. There are already rudimentary quantum encryption devices but there are no quantum computers that can take on even a 64 bit key space.

      The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information. The inherent math of the algorithm is rarely the weakest link, it is the people and then the particular implementations of the algorithms that are exploited the most.

      • Not positive here, but I am not sure there really is such a thing as 'quantum encryption'

        At least when most people say it, they seem to talk about using the laws of quantum physics to detect eavesdroppers on a fiber optic line.

        Wikipedia's article on quantum cryptography seems to agree.

        http://en.wikipedia.org/wiki/Quantum_cryptography [wikipedia.org]
        • Re:Factor? (Score:3, Insightful)

          by drgonzo59 ( 747139 )
          Well, having a channel that can be provable to be safe from eavesdropping should be enough. Then both parties Amelie and Bertha (...tired of Alice and Bob) can exchange a key and then they can even use a "classical" channel for communication. Then can send each other a new key for every block, making it in fact look like a "one-time-pad" type encryption.

          The 'encryption' does take place - it is encoding information using quantum states (so far photon polarization or particle entanglement) which would make

      • Although many point to quantum crypto as the ultimate solution to security problems, it should be noted that, in addition to all logistic problems inherent to quantum crypto, no purely quantum-mechanical scheme exists -- all of them rely on an authenticated/trusted/whatever classical channel (i.e. one that transmits bits not qubits), and this classical channel has to be secured using conventional cryptography.

        I'm too lazy to dig up references for this, some karma whore can search eprint/arXiv and add the re
        • If that was the case, there would be no point in quantum encryption, since you already require a secure "classical" data channel.

          There are a couple of schemes of using quantum states/encoding to create a communication channel such that eavesdropping can be detected, thus eliminating the "man-in-the-middle" attacks. One can use the "action at a distance" or enanglement or one can also use the fact that states that are not orthogonal to each other cannot be reliable detected and that 'entangled' particles

      • Re:Factor? (Score:5, Interesting)

        by jgc7 ( 910200 ) on Wednesday November 09, 2005 @01:34AM (#13986539) Homepage
        Inerestingly enough, there is no proof that encryption is even possible. Presently we do not know of any methods to factor a number in polynomial time while we can create primes in polynomial time, but an algorithm may exist that can factor primes in polynomial time. If one is discovered, encryption as we know it today will be impossible... even with your quantum computer. In fact, a solution to the P NP [wikipedia.org] problem comes with a $1,000,000 prize.
        • Re:Factor? (Score:5, Funny)

          by obender ( 546976 ) on Wednesday November 09, 2005 @02:28AM (#13986822)
          but an algorithm may exist that can factor primes in polynomial time

          Bill Gates wrote something similar in The Road Ahead:

          The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.

          Sorry to break it to you boys but I know an algorithm that can do that in constant time: the factors of any prime number are 1 and the number itself.

        • I think you are talking about using a quantum computer to factor large integers. So far quantum encryption has nothing to do with that, it is a why to encode a message as quantum states that will change when they are measured. So it makes it possible to create secure communication channel that can be proven according to QM laws to be safe from eavesdropping. That is what is meant by quantum encryption.

          It has already been done a couple of times, but is still too expensive for mass production, but there _i

        • Re:Factor? (Score:3, Informative)

          by gkhan1 ( 886823 )
          Wow, that was alot of incorrect in one post
          1) You factor large COMPOSITE numbers, not large prime numbers.
          2) P = NP is almost surely false. I mean, it's not proven, but it's not like anybody believes it to be true. It would just be too damn incredible if it were true.
          3) What do you mean "encryption wont be possible"??? Just because you can factor large numbers quickly, doensn't mean you can encrypt stuff. You can't use RSA, that's true, but there are other asymetric ciphers. AES will sure as hell stil
        • Re:Factor? (Score:3, Informative)

          Presently we do not know of any methods to factor a number in polynomial time while we can create primes in polynomial time, but an algorithm may exist that can factor primes in polynomial time. If one is discovered, encryption as we know it today will be impossible...

          Nonsense. First of all, factoring per se only affects RSA encryption.

          It's likely that a major advance in factoring would also affect the security of Diffie-Hellman key exchange and ElGamal encryption, but it's not an absolute certainty

      • Re:Factor? (Score:4, Insightful)

        by Osiris Ani ( 230116 ) on Wednesday November 09, 2005 @01:44AM (#13986592)
        The best bet instead of brute force is to do "human engineering" and look for other ways to obtain the information.
        Indeed, the fastest, simplest form of cryptoanalysis involves an isolated room, a length of rubber hose, a ball-peen hammer, and the person with full knowledge of the information you require. Granted, that, too, falls into the "brute force" category, but it's often far more efficient than most exclusively computer-based methods.
        • Re:Factor? (Score:3, Informative)

          I know you are joking but I have actually had a boss that used this to reason why many security enhancements (like encrypting passwords on the network) were not worth implementing. It is a silly analogy that many people people believe.

          Network based attack are far more common that physical attacks for a lot of good reasons. The main ones are:
          1. Need for proximity is often removed
          2. There is anonimity (much of the time)
          3. There are less legal consquenses
          4. Culpability is harder to prove (Log files don't stand
  • Congrats (Score:2, Funny)

    by Anonymous Coward
    The answer was 42!
    Now what was the question
  • Hmmm. (Score:5, Funny)

    by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday November 08, 2005 @11:37PM (#13985892) Homepage Journal
    The German Federal Government is short on cash, I know, but resorting to funding the "Agency for Information Technology Security" by winning RSA contests? Besides, if they're so up on IT security, why didn't they just cheat by logging onto RSA's computers?
    • Re:Hmmm. (Score:5, Interesting)

      by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Tuesday November 08, 2005 @11:42PM (#13985925)
      While I think your remark was a joke about them breaking into RSA's computers, this is still worth mentioning. Noone in the entire world knows or has ever known the factors of the remaining numbers. Read this [rsasecurity.com] for more info.
      Regards,
      Steve
      • Thanks for the link Steve. Are you affiliated with RSA? RE: Step #4 "The laptop's hard drive was destroyed". Cute touch, but I can't help wondering why they just don't instead temporarily remove the laptop's hard drive, boot and run the test from a CD, and save hundreds of dollars per contest?
    • Re:Hmmm. (Score:2, Interesting)

      by panth0r ( 722550 )
      Let's seriously think about this, the Germans, if anything, lost money on this excursion, they upped an bought 80 opteron processors with the hardware required to run them and the RAM needed, they pumped electricity into the building where this heavy processing was taking place, and they paid the people running the computers... all for $30,000 - fees, customs, taxes and such... if anything, they probably lost a substantial sum.
  • Processor time? (Score:2, Interesting)

    by panth0r ( 722550 )
    I think that's really cool and would wish them the best of luck, but I would like to know how many processor hours that took them to crack it? Also, with that chunky $30,000 reward, did they turn any profit (after taxes, fees, and such). Second one's a joke, calm down. But it'd be cool to know the processor time it took.
    • Re:Processor time? (Score:2, Informative)

      by et764 ( 837202 )
      Does anyone know of something like the GIMPS [mersenne.org] to factor these RSA numbers? It seems like if 80 Opterons can do it in 5 months, a massive distributed network of computers donating idle time could do this in a much shorter amount of time, such as churning out a new factorization every few weeks. I have a feeling the larger RSA numbers quickly become much more complicated to factor. Does anyone know the complexity class of factorization?
      • Re:Processor time? (Score:2, Informative)

        by xquark ( 649804 )
        Contrary to popular belief a large part of the GNFS (the last most important phase, ~80% of the
        algorithms run time) is actually sequential and can not be parallelized in any way shape or form.

        Arash Partow
    • Re:Processor time? (Score:3, Informative)

      by Dubpal ( 860472 ) *
      When RSA-200 (a number similar in size to RSA-640) was cracked it was reported (and is noted on this wikipedia page [wikipedia.org] that:

      The CPU time spent on finding these factors by a collection of parallel computers amounted very approximately to the equivalent of 55 years work for a single 2.2 GHz Opteron-based computer. Although that's a rough approximation, it certainly puts the magnitude of effort cracking these numbers involves.

      • Although that's a rough approximation, it certainly puts the magnitude of effort cracking these numbers involves

        Also bear in mind that increasing the size of the number by a single binary digit doubles the search space needed to find a solution. RSA-640 has, obviously, 640 binary digits. However, most common RSA keys have at least 1024 bits, and some have upwards of 4000 bits. Do the math and you can see that there's a loooong way to go before anything that is currently being used will be cracked in

        • Re:Processor time? (Score:5, Informative)

          by Thundersnatch ( 671481 ) on Wednesday November 09, 2005 @12:29AM (#13986233) Journal
          single binary digit doubles the search space needed

          We're not talking about symmetric cryptography here. We're dealing with large prime numbers and lots of funny math. The General Number Field Sieve factoring algorithm is not O(2^n) like a brute force search on AES would be. The actual order of growth of the GNFS algorithm is:

          O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3))

          This can be found numerous places on the web. So adding one bit to your RSA key does far, far less for you than adding one bit to symmetric cipher like AES. You can do the math yourself, but you'll find that you need to add >>1 bits to an RSA key to double its strength.

    • Assuming 50W per Opteron and 5 months continuous operation, I calculate they spent at least US$1400 on electricity alone (based on Chicago electric prices, I'm not sure if it's more orless over there).

      And that figure ignores the electriciy used by the other components in the computers (be they servers, workstations, or whatever).

      Still, the $30K in prize money goes a long way toward paying the electric bill.
      • The prize money is mostly a prestige thing and a little kickback for what you did spend. The costs of factoring these things are such that the money isn't enough to be considered profitable. If you account for hardware costs and all they are way behind, though I'm sure the hardware will be used for other things now.

        In general it's like the X-Prize. The money wasn't intended to be an amount such that winning it would be a major financial reward, it was intended to be a goal to reach and give you enough to ho
  • Arrgh! (Score:5, Funny)

    by Ventriloquate ( 551798 ) on Tuesday November 08, 2005 @11:43PM (#13985931)
    My TI-82 was just about to solve that one!
  • by pHatidic ( 163975 ) on Tuesday November 08, 2005 @11:47PM (#13985965)
    I knew that one of the factors ended in a 1 and the other ended in a 9 or that they both ended in 3. Am I eligible to split the prize?
  • by Joe Random ( 777564 ) on Tuesday November 08, 2005 @11:53PM (#13986017)
    should be enough for anyone."
  • Dual Cores (Score:2, Funny)

    by Zuul42 ( 929686 )
    If they had waited three months, they could have used dual core CPUs and solved it in half the time.

    Oh wait. No, that wouldn't have worked. Nevermind.

    • Re:Dual Cores (Score:2, Interesting)

      by et764 ( 837202 )
      Reminds me of this paper [arxiv.org] where they argued that large computations can actually be completed faster by slacking off for a few months and then buying a faster computer.
  • by happyEverGeek ( 705021 ) on Wednesday November 09, 2005 @12:13AM (#13986130)
    I wonder how long it would have taken 1.5 million zombie PCs.
    • by iced_tea ( 588173 ) on Wednesday November 09, 2005 @01:38AM (#13986559) Journal
      from http://www.rsasecurity.com/rsalabs/node.asp?id=208 8 [rsasecurity.com]

      To put this in perspective, it would require about 1.4 billion 500 MHz machines, each with about 170 Gbytes of memory to do the sieving for a 1024-bit number in the same time as RSA-512. While a hacker might try to steal cycles on the Internet by creating a ?Number Field Sieve Worm? it is hard to see how such an attack could find enough machines with enough memory to make such an attack feasible. Further, such an attack would be detected and shut down rather quickly as with the Robert Morris worm. Of course increasing speed will reduce the required number accordingly. It would take a single Cray with 6 Terabytes of memory approximately 70 million days (192,000 years) to solve the matrix. One could reduce this to a mere 19 years with 10000 Crays each with only 600 Mbytes of memory running perfectly in parallel. It is likely that within 10 years common desktop machines will be as fast or faster than a Cray C90 is now. However, it is unlikely in the extreme that 10000 machines running in parallel will be anywhere close to 10000 times as fast as one machine. It would require 10 million such machines running perfectly in parallel to solve the matrix in about the same time as that for RSA-512.

      So basically, according to the article from RSA it's not feasable... but still an interesting IDEA. Maybe a worm that installs something like folding@home that would have immediate benefits. ;)
      • "Maybe a worm that installs something like folding@home that would have immediate benefits. ;)"

        If only. Really, if only.

        The thing is, though, Vijay frowns on that. It would not make him happy. If you have control over more than a few PCs, he wants proof you have the authority to do that. Not up front, mind you, but the folding community will eventually ask "Who is that guy?" once you've accumulated enough points, and you'd better have a good answer, like you have the authority to run so many clients, or
      • Remember that those calculations assume a specific algorithm.
        It could always happen that some bright guy finds a more efficient (or more easily distributed) way to attack the problem. This is always a risk with encryption that relies on "computationally hard" problems.
  • by Myria ( 562655 ) on Wednesday November 09, 2005 @12:16AM (#13986143)
    I won't be interested until they do RSA-2048. Then we could factor the Xbox private key and do whatever we want.

    Melissa
  • An idea (Score:5, Funny)

    by bradbeattie ( 908320 ) <bradbeattie&alumni,uwaterloo,ca> on Wednesday November 09, 2005 @12:29AM (#13986229) Homepage Journal
    Why don't we just start using 1.44mb encryption keys. We'd finally have a use for all of these floppies.
    • Re:An idea (Score:2, Funny)

      by Anonymous Coward
      Of course you know that a 1.44MB formatted disk(FAT formatted) only has 1.38MB of free space. So we would need 2 damn disks for your 1.44MB key.
    • And then when you leave the office you just throw your encryption key floppy into your attache case with it's three digit combination...
    • Re:An idea (Score:4, Insightful)

      by Ibag ( 101144 ) on Wednesday November 09, 2005 @07:10AM (#13987761)
      I realize you were joking, but I'd like to respond anyway.

      RSA keys are based on having two large prime numbers whose product is then difficult to factor. In general, the larger these numbers are, the harder it is to factor: trial division is O(sqrt(n)), and even the best methods of factoring are still of increasing time for increasing numbers. Using a general method, a 1.44mb key would take a LONG time to factor. However, there is one very important caveat...

      If you go high enough, people don't know very many primes. In fact, there are lists of the largest known primes. I'd wager that there are less than a few thousand known primes greater than 2^720k, probably a lot less. This means that if you have a 1.44Mb number which you know to be the product of two primes, then either you can do trial divisions from a short list to factor the number, or else someone has discovered a new large prime.

      In short, if you have a large enough key, the task of generating primes is difficult enough that factoring becomes much easier. To give you an idea of how difficult finding primes is, n has about a 1/(ln n) chance of being prime, and using a specialized algorithm, it takes about a day to check a mersenne number of this size for primality. General algorithms are, of course, slower. This means that, to perhaps an order of magnitude or two, it would take about million 1Ghz computer days to find two new suitible primes to multiply together. Of course, if you do this, its not likely that someone will crack your key without a quantum computer, but its also not likely that you will find a key pair until quantum computers are widespread.

      I guess if you want big keys like that, you should look into eliptic curves. At least by the time you generate a key, there is a chance that it won't be trivial to break!
  • by millette ( 56354 ) <robin@NOSPam.millette.info> on Wednesday November 09, 2005 @12:31AM (#13986237) Homepage Journal
    The Wikipedia article on RSA-640 [wikipedia.org] has more info. Check this for easy money [rsasecurity.com] ;)
  • RSA Cracked (Score:4, Funny)

    by Joseph_V ( 908814 ) on Wednesday November 09, 2005 @12:38AM (#13986263)
    And in only 5 months... how P Q ular.
  • ...now if he could just find his keys.
  • by acidblood ( 247709 ) <decio.decpp@net> on Wednesday November 09, 2005 @12:45AM (#13986295) Homepage
    ...many are asking. It's hard to find introductory materials on the NFS, because the number of people who actually understand the algorithm is probably in the hundreds, if not less, and most are worried about research not teaching. For those interested in a high-level view, plus some low-level details, of the (special and general) NFS, you can have a look at the slides [unicamp.br] for a talk that I gave on exactly this topic at a crypto workshop a couple of months ago. I won't even try to summarize the NFS here, because anything other than a very high level, handwaving, bird's eye view of NFS would take the better part of a page to explain. However, in this thread I can answer specific questions that anyone might have about the talk above.

    Now for those with the mathematical maturity to delve into the algorithm, I suggest the book Prime Numbers: A Computational Perspective [amazon.com] by R. Crandall and C. Pomerance (link to Amazon.com lifted from Google, no referrals), which is certainly one of the best introductions to the algorithm that I have read.

    By the way, if anyone wants to help perform huge factorizations in a distributed computing network, check out the NFSNET [nfsnet.org], although they mostly apply SNFS on values from the Cunningham tables, no cryptographic targets.
  • by spinfire ( 148920 ) <dpn@isomerica.net> on Wednesday November 09, 2005 @12:47AM (#13986308) Homepage
    factor:
    `3107418240490043721350750035888567930037346022842 72754572016194882320644051808150455634682967172328 67824379162728380334154710731085019195485290073377 24822783525742386454014691736602477652346609' is too large
  • Wow.. 193 bits. I'm quite astounded that it's come this far. I'm actually a little puzzled.. wasn't it only three years ago that it took something like four years and thousands of distributed PCs to crack [slashdot.org] RC5-64 (64 bits, as I understand it) ?

    If I'm not mistaken, shouldn't it be 2^129 times more difficult to factor a 193 bit number than a 64 bit one? Perhaps I'm not understanding something.. someone want to clue me in?
    • by cimetmc ( 602506 ) on Wednesday November 09, 2005 @02:33AM (#13986849)
      You are completely off track here and made 2 huge mistakes in your comparison:

      1) The number RSA-640 has 193 *decimal* digits, but 640 bits (as the number in RSA-640 indicates).

      2) You are comparing symetric key suzes (RC5-64 = 64 bit) with assymetric key sizes (RSA-640 640 bit). You can't compare these key sizes directly. Assymetric key sizes are much bigger than symetric key sizes for the same level of security. So you are trying to compare numebrs that simply cannot be compared.

      Marcel
      • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday November 09, 2005 @09:20AM (#13988515) Journal

        So you are trying to compare numebrs that simply cannot be compared.

        Well, you can compare them, but you have to factor in the relationship between the complexity of the attack and the keysize in each case. In the case of RC5, brute force search of the keyspace is O(2^n) where n is the size of the key in bits. As a previous post mentions, the GNFS algorithm's complexity is O(e^(1.9229+O(1))*ln(n)^(1/3)*ln(ln(n))^(2/3)), where n is the number to be factored.

        So to compare the complexity of these two attacks you just need to see if 2^64 is larger or smaller than e^(1.9229*ln(2^640)^(1/3)*ln(ln(2^640))^(2/3)).

        Unless I made a mistake, the complexity of RSA-640 is about 5.5e13, whereas RC5-64 is about 1.8e19, so RC5-64 is approximately 300,000 times harder than RSA-640. I'm not sure that GNFS is as easy to massively parellelize as RC5 searching, though, so in practice RSA-640 may be harder than RC5-64, even though it has lower complexity. Also, big-O complexity ignores constant multipliers, so if each step in the GNFS algorithm is, say, a million times more complex than each RC5 trial encryption, than RSA-640 may actually be three times as hard as RC5.

        Okay, so maybe you can't compare them :-)

  • What a guy! (Score:2, Funny)

    by Ponzicar ( 861589 )
    I don't know who this general Steve is, but he must be one heck of a math whiz!
  • by atomm1024 ( 570507 ) on Wednesday November 09, 2005 @01:52AM (#13986635)
    Here is a very useful site, listing estimates of how long various algorithms will be secure, and at what key sizes. It covers public- and secret-key algorithms, as well as hashes.

    http://www.keylength.com/ [keylength.com]
  • This is the same RSA that OpenSSH can use for keys, right? Makes me wonder how DSA stacks up. What's the ratio between the time required to break RSA and the time required to break DSA, using the same length for both? What about other algorithms I haven't mentioned? I tried to grep the web, but it didn't turn up any hits.
  • by clap_hands ( 320732 ) on Wednesday November 09, 2005 @03:27AM (#13987058) Homepage
    A nice result! Interestingly, the same team factored RSA-200 last May [wikinews.org], which is 663 bits long (confusingly, there's two series of RSA challenge numbers with different naming conventions) but for which no prize was given for its solution. RSA-640 is shorter, at 640 bits, but carries a US$20,000 prize. It's not entirely clear why the team went for the larger, prizeless number first.

    Maybe there's other factors at work here besides prize money? (ROFL etc).
  • ...should be enough to anybody!

  • RSA cost study [rsasecurity.com] says "It makes no sense for an adversary to spend (say) $10 million breaking a key if recovering the key will only net (say) $10 thousand." Third party payer negates this asumption. Exceptions to the rule are seen in the everyday spending of U.S. taxpayer's millions by low level government employees and politicians alike for their personal gain or amusement, no matter how minor.
  • Has anyone publish (theoretical) costs of system capable to break given RSA lenght in one day based on the known systems?
  • by Dr. Spork ( 142693 ) on Wednesday November 09, 2005 @10:47AM (#13989222)
    I want it to be clear that I support science and the use of brute computation in science, but this is not anything of the sort. After this five-month exercise which cost thousands of dollars of wasted electricity (all those processors could have been idling instead) and the associated increase in global polution, what have we learned? Absolutely nothing. We already knew roughly how long it would take to factor this, it's a quick calculation. But then going through the motions of actually factoring the number is absolutely pointless, and I'd even say irresponsible.

    It's like figuring out how many times you'd need to toss a coin before you'd be likely to get 7 heads in a row... and after figuring this out, actually tossing the coin until you get 7 heads. Anybody who actually did that would a moron. It would show nothing... much like these "factor this" challenges.

    • not the point (Score:3, Interesting)

      This is completely correct. Any cryptologist could have predicted this give or take a certain margin. Even more: if I were them, I would not have started without an initial estimate.

      However, this is not the point. The point is to prove ANYONE (not only cryptanalyst) that it CAN be broken, though it takes some processing, and there is no alternative for doing.

"The medium is the message." -- Marshall McLuhan

Working...