
The Factorization of RSA-240 - hsnewman
https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;fd743373.1912&FT=M&P=T&H=&S=
======
max_
Does any one here care to explain what impact this will have on modern crypto
security systems?

~~~
ljhsiung
Zero. If you're using anything with 800-bit security, you're probably a time
traveler from the 90s.

The more fun academic contribution to this is they found a faster sieve, here
[http://cado-nfs.gforge.inria.fr](http://cado-nfs.gforge.inria.fr). It's very
neat stuff, I think they claim 30% less CPU years using the identical hardware
to crack RSA-768, when applying this same software to RSA-768.

As with the original list, it's just unsolved problems that may help reveal
more and more efficient ways to find/generate primes.

~~~
DuskStar
> I think they claim 30% less CPU years using the identical hardware to crack
> RSA-768, when applying this same software to RSA-768.

Are you sure? My reading was "in 70% of the the time it took to crack RSA-768,
using their hardware, we cracked RSA-240" \- this would match up relatively
well with the fact that the expected difficulty increase was x2.25 and then
they say "Taking this into account, and still using identical hardware, our
computation was 3 times faster than the expected time that would have been
extrapolated from previous records."

Collaborating this, the previous record took ~4000+1500+900+200=6600 core
years and the current one 4000. The Xeon Gold 6130 used has a single thread
passmark of 1754 while the Xeon E5-2660 used in the RSA-768 factorization
scored 1471, from [0]. Normalizing for passmark, the new RSA-240 factorization
took 72.3% as much compute as the RSA-768 factorization. I would not be at all
surprised if their software saw smaller gains through the generations than
Passmark did, and it wouldn't take much to bring 72.3% to 70%.

0: [https://www.cpubenchmark.net/compare/Intel-Xeon-
Gold-6130-vs...](https://www.cpubenchmark.net/compare/Intel-Xeon-Gold-6130-vs-
Intel-Xeon-E5-2660/3126vs1219)

~~~
SethTro
I agree, this was 3x faster than expected.

Note: Factoring RSA-240 only took 900 core-years the additional 3100 core-
years were on the discrete log.

RSA 240 is 8 digits longer, it takes ~2x as much work for each 5.5 additional
digits so this should have taken 2.7x as much compute.

------
6nf
Wolfram Alpha won't do the multiplication for me. Google does it but I only
get the 7 most significant digits. Any other online ways to check this?

[https://www.google.com/search?q=5094359522858399145550510235...](https://www.google.com/search?q=509435952285839914555051023580843714132648382024111473186660296521821206469746700620316443478873837606252372049619334517+*+244624208838318150567813139024002896653802092578931401452041221336558477095178155258218897735030590669041302045908071447)

EDIT: This one works:
[http://www.javascripter.net/math/calculators/100digitbigintc...](http://www.javascripter.net/math/calculators/100digitbigintcalculator.htm)

~~~
lokedhs
I will take the opportunity to promote Maxima, which is a very nice open
source maths tool with a very long history (started in the 60's, and still
being developed). It leverages the bignum support in Common Lisp, and has no
problems handling numbers like these.

[http://maxima.sourceforge.net/](http://maxima.sourceforge.net/)

[https://wxmaxima-developers.github.io/wxmaxima/](https://wxmaxima-
developers.github.io/wxmaxima/)

You can use Maxima's built-in command "factor" on this number as well,
although I guess you'll have to be very patient.

I obviously also want to promote my own project, which is different UI on top
of Maxima:

[https://flathub.org/apps/details/com.dhsdevelopments.Climaxi...](https://flathub.org/apps/details/com.dhsdevelopments.Climaxima)

~~~
kazinator
Bignums are there _because_ of Macsyma (Maxima's ancestor)!

 _" Bignums—arbitrary precision integer arithmetic—were added [to MacLisp] in
1970 or 1971 to meet the needs of Macsyma users."_

[[https://www.dreamsongs.com/Files/HOPL2-Uncut.pdf](https://www.dreamsongs.com/Files/HOPL2-Uncut.pdf),
P. 10 bottom]

------
bane
Interesting, RSA-230 was factored a little more than 1 year ago.

------
crookshanked
What is going on with the URL? Also this user submitted something along this
RSA-240 factoring twice. Seems really phishy that they're using a .exe in the
url.

~~~
wahern
wa.exe is the web interface for LISTSERV on Windows:
[https://www.lsoft.com/manuals/16.0/htmlhelp/list%20subscribe...](https://www.lsoft.com/manuals/16.0/htmlhelp/list%20subscribers/IntrototheWebInterface.html)

AFAICT this mailing-list post is the original public announcement, but perhaps
the submitter followed up with the Schneier link in anticipation of concerns
like yours.

~~~
crookshanked
Thanks for the explanation!

