
Factoring may be easier than we think (2016) - braised_babbage
http://math.mit.edu/~cohn/Thoughts/factoring.html
======
waynecochran
Imagine what you would do if you discovered how to factor efficiently?

Think carefully. You now have the power to decrypt much of the world's banking
and internet traffic and spoof certificates. There are forces in this world
that would kill you to have this power. Would you publish your findings for
everlasting fame? Would you sell it to the NSA for money (remember you can
prove your power without releasing your algorithm)? Would you use it for
personal gain or power? Who would you tell first? Who do you trust?

~~~
vbezhenar
1. Set up a few servers operating in different countries, pay for a few years
and set up a timer which will publish this algorithm on a few public websites,
then destroy all credentials, so it could not be undone.

2. Steal bitcoins from very old wallets with some small amounts. Supposedly
those wallets are lost. Steal enough to have enough money to live a good life.
Well, if for some reason I would already have enough money, skip this step.

3. Break the google.com certificate and mail the hashes to the Google Security
team. Ask them to disclose that factorization is broken, so the rest of the
world can prepare. Repeat with some other big companies.

4. Disclose the algorithm when the world is ready.

~~~
Ar-Curunir
Factoring doesn't allow you to break discrete log; you won't be able to steal
from old wallets.

~~~
phkahler
It's been a long time since I looked at this but IIRC factoring and discrete
log are equivalent.

~~~
dvdkhlng
It's also a long time since I looked at this, but I recall pretty clearly
that factoring is "easier" than DLP. "Easier" as in factoring is reducible [1]
to the DLP.

I.e. if you could do DLP in polynomial time, then also factoring becomes
polynomial (thanks to Shor's Algorithm [2]).

The reverse, however, is not currently known to be true AFAICS: having an
oracle that computes the DLP does not help you to speed up factoring (at least
not in a way that makes it polynomial).

[1]
[https://en.wikipedia.org/wiki/Reduction_(complexity)](https://en.wikipedia.org/wiki/Reduction_(complexity))

[2]
[https://en.wikipedia.org/wiki/Shor%27s_algorithm](https://en.wikipedia.org/wiki/Shor%27s_algorithm)

(EDIT: typo)

~~~
baby
They are equivalent according to this:
[https://crypto.stackexchange.com/questions/9385/reduction-of...](https://crypto.stackexchange.com/questions/9385/reduction-of-integer-factorization-to-discrete-logarithm-problem)

~~~
dvdkhlng
I think you are mistaken, they are not equivalent in any way that would be
meaningful to assessing cryptographic strength.

The stack-exchange question that you link to refers to [1] "Discrete
Logarithms and Factoring". Section 1 "Introduction" already states many facts
that imply that DLP is hard, even if you can factor:

* fastest known method for DLP is O(exp(c sqrt(log n log log n)))

* 1. 3c) "if we can factor in polynomial time, then to quickly solve a^x ≡ b mod n, all we need are solutions modulo the prime divisors of n"

Note that "solutions modulo the prime divisors of n" are still instances of
the DLP with super-polynomial complexity, and in cryptographic applications N
is usually a prime number anyway (DHE, ElGamal crypto-system), so 1 3c) does
not actually apply.

See also the paper's section 6 final remarks "Conversely, one can ask for a
fast algorithm for prime-modulus problems, assuming all needed factorizations.
Both of these questions remain unanswered".

[1]
[https://www2.eecs.berkeley.edu/Pubs/TechRpts/1984/CSD-84-186...](https://www2.eecs.berkeley.edu/Pubs/TechRpts/1984/CSD-84-186.pdf)

------
Jabbles
_Let's say a serious attempt consists of several months of work by an expert,
someone who knows enough number theory to read the literature on this problem.
Then the number of people who have seriously tried must be on the order of
magnitude of 100._

In academia, maybe. But I would not be surprised if millennia of experts' time
has been spent on this problem in intelligence agencies.

~~~
alexandercrohde
But if intelligence agencies broke factoring, would we know? Maybe they have.

~~~
jahnu
If they have then they are using it exceedingly sparingly.

I strongly suspect it would be impossible to use it to any moderate degree
without being found out in one way or another.

I know this is a very very poorly worded question :) but I wonder what the
most amazing secret was that was held for the longest time?

~~~
komali2
> but I wonder what the most amazing secret was that was held for the longest
> time?

Very relevant, probably the Allies' breaking of the Axis Enigma code in WWII.

[https://en.m.wikipedia.org/wiki/Ultra](https://en.m.wikipedia.org/wiki/Ultra)

If the NSA broke RSA, they'd have a similar program set up to ensure nobody
notices.

------
est31
The US federal government once expended 10 percent of the US's electric energy
supply in the Manhattan project for getting weapons grade nuclear material.
This gives a rough ballpark for the amount of energy they are willing to
invest into major strategic advancements.

However, if you apply Landauer's principle, current factoring algorithms would
require enough energy to boil all oceans on the earth, that's a lot even
compared to the US's energy supply.

So algorithmic improvements are the real danger basically. Even if we
discovered a decryption method now, and immediately everyone stopped using
RSA, there would still be an immense impact because all the past encrypted
traffic that someone might have stored somewhere suddenly becomes decryptable.
And usually, traffic from 20 years ago is still relevant today.

~~~
0xb100db1ade
> current factoring algorithms would require enough energy to boil all oceans
> on the earth, that's a lot even compared to the US's energy supply.

Interesting. For what algorithm & key size?

I'd love to quote this. I've heard it before but I don't remember the source.

~~~
est31
[https://eprint.iacr.org/2013/635.pdf](https://eprint.iacr.org/2013/635.pdf)

> Boiling all water on the planet (including all starfish) amounts to about
> 2^24 lakes of Geneva and leads to global security: 114-bit symmetric
> cryptosystems, 228-bit cryptographic hashes, 2380-bit RSA. This needs to be
> done 16 thousand times to break AES-128, SHA-256, or 3064-bit RSA.

I think this paper isn't using Landauer's bounds though, but conventional
computers. So maybe my claim was wrong, because we aren't 16 thousand times
away from Landauer's bounds but millions [1].

[1]:
[https://web.archive.org/web/20141219043239/http://www.bloomf...](https://web.archive.org/web/20141219043239/http://www.bloomfieldknoble.com/nanomagnet-memories-approach-low-power-limit/)

~~~
johndough
But why the starfish.

~~~
alfiedotwtf
Because if you're already boiling the oceans, you probably won't have enough
left over in the budget for marine conservation.

------
doubleunplussed
I've heard the following called "Aaronson's trilemma": Either the extended
Church-Turing thesis is false, or quantum computers are impossible, or...there
exists a classical polynomial factoring algorithm that runs in polynomial
time.

One of these things must be true, and debates around quantum computing usually
focus on the first two. But as argued, we don't have great reasons to believe
factoring in polynomial time is impossible. We certainly don't have a proof
that no such algorithm exists.

~~~
wbl
What is the extended Church-Turing thesis? We already know quantum computers
give speedups beyond classical lower bounds.

~~~
daveFNbuck
It's basically that BPP captures all realistic polynomial-time computations.
The speedup would have to be sufficient to show something like a problem in
BQP that isn't in BPP. I don't think anyone has been able to show that
unconditionally yet.

You'd also need to accept that Quantum computers are realistic, which is why
Aaronson's trilemma includes quantum computers being impossible.

~~~
scottlocklin
This sort of statement is exactly why serious people shouldn't take "quantum
complexity theory" seriously. The complexity class BQP is bullshit: there are
no quantum computers, the end.

Feel free to prove me wrong by building one which does useful calculations. No
time limit, until you die, in which case "time's up."

Edit add for downvoters: the strong Church Turing thesis is also almost
certainly, and very obviously bullshit. How does that make you feel?

~~~
daveFNbuck
Which statement are you saying demonstrates why people shouldn't take quantum
complexity theory seriously?

~~~
scottlocklin
BQP doesn't exist: there are no quantum computers. Saying BQP is like saying
"magic fairy dust perfect unitary transformers that effectively encode a
perfect complex number in the same sense a protractor theoretically can solve
NP-complete problems by encoding real numbers."

~~~
doubleunplussed
The qubits and unitaries don't have to be perfect - it's about how things scale
when you add qubits. Quantum error correction shows that you can add more qubits
to make up for imperfection, and still be left with a quantum computer, i.e.
the imperfection hasn't demoted the thing to a classical computer.

Of course they haven't built one yet, but none of the difficulties encountered
so far have involved discovering new physics, which is what you would need to
do to rule out quantum computers since the laws of physics as currently
understood permit them.

~~~
scottlocklin
You've just regurgitated Aaronson's statement on the topic. Aaronson never
studied physics, and has probably never fiddled with an op-amp or tried to
make entangled anything in the world of matter. There's zero evidence quantum
error correction will work; it's just an idea with no basis in the world of
matter. There's zero evidence you can meaningfully and usefully manipulate
quantum coherent states, let alone manipulate an exponentially huge number of
them with a polynomially large number of computational elements, which is the
essential claim of quantum computing. They make great claims: great claims
need evidence; not theoretical wankery. Building a couple of scalable error
corrected qubits would be a great start; it might even cause me to shut up
about it.

Never in the history of the human race has something as complex as a computer
architecture existed in the theoretical world before it exists in some form in
the physical world, let alone one for which we define complexity classes.

The entire field is intensely silly, and the last time I said so in a public
place, the waiter turned out to be some dude who just got his Ph.D. in the
subject. He didn't agree with me exactly, but the fact the dude had a job
bringing people steaks for a living is a decent argument I'm right.

~~~
doubleunplussed
My arguments are my own. I am an atomic physicist, and I meaningfully and
usefully manipulate coherent quantum states every day. Not for making a
quantum computer mind you, but quantum states nonetheless. Quantum mechanics
works. The atoms do exactly what the Schrödinger equation says they should,
however much entanglement is added. We are yet to see it break down. Plenty of
my colleagues are working on quantum computers, with atoms, ions, photons, and
solid state systems, and from where I stand it doesn't look like nonsense. It
looks steady progress, and if there are insurmountable barriers, they have not
yet been encountered.

I am not certain that quantum computers are possible, but I am certain that
you are _wildly_ overconfident that they are not.

~~~
scottlocklin
How much money are you willing to stake on that statement? I'll make a market
for you; if you think your education gives you an edge over the wildly
overconfident guy - we can even stick it on a blockchain that is quantum future
proof if you like. Your choice.

Saying "quantum mechanics works" is not the same as saying "I can manipulate
exponential QM states with polynomial imperfect physical devices." In the
early days, people sketched out optical quantum computers that totally worked,
but had exponential growth in elements with quantum states. Which, I bet, is
how the universe is always going to work.

Money where your mouth is: I haven't found any other good shorts for this
shitty idea.

~~~
doubleunplussed
I asked you elsewhere in the thread what odds you're willing to bet at, so
absolutely I'm willing to put my money where my mouth is. I'll happily bet
that there will be a demonstration of 'quantum supremacy' within 20 years -
that is, a quantum computer computing something faster than a classical
computer, whether it's Grover's algorithm or factoring or something else.
Let's say by the 1st of July 2039.

I'm not super confident there will be quantum computers, whereas you seem very
confident there will not be. What do you think the probability of quantum
supremacy within 20 years is? If you think it's 5 % and I think it's 50 %,
perhaps we can take the geometric mean and bet at 6:1 odds (~15% chance).

Will you give me those odds? Let's say I stake $200. Then I'd give you that if
I lose, and you'd give me $1200 if I win. Or we can increase the amount a bit.
Today's dollars, we can inflation adjust since it'll be 20 years.

The terms might sound favourable to me, but you seem very confident that there
won't be quantum computers ever, so less than 15% chance in the next 20 years
seems consistent with your belief.

I wouldn't know how to put the bet on a blockchain, but if you know about that
and want to, I'm happy. Otherwise I am happy to just take your word.

We can also shorten the duration of the bet, but I would want to shift the
odds a bit since although I think quantum computers have a decent chance of
being possible, there is considerable uncertainty in how long it would take to
get to the point of demonstrating quantum supremacy. Probably I would accept
doubling the odds if the duration of the bet were halved and so on.

~~~
scottlocklin
We'd need a hard definition of "quantum supremacy" - I believe there have been
several press releases claiming this already, and I think you agree with me
that there are no such machines at hand.

There's this ethereum thing called Augur we could use to place the bet, though
that's an interesting bet in itself (ethereum and Augur being around in 20
years is not a sure thing). I suppose also "long bets." If you google my name
you can find my contact info.

------
mabbo
In a sense, this is terrifying. I mean, the math nerd in me is delighted at
the idea, but in all practical senses if someone were to stumble upon and
share a usably fast factoring algorithm tomorrow, the sky would fall.

Sure, lots of crypto exists that isn't prime factoring based and we could move
to that in a hurry- but it would be a lot like if we'd realized the Y2K
problem on December 31st, 1999. Everything would need to be updated right now,
immediately, today.

And yet part of me is kind of excited it could happen.

~~~
Mirioron
It wouldn't even be as tame as you mentioned. Any encrypted information that
has been caught and stored would also become available.

------
JacksonGariety
> Of course, I have no real evidence for my views...

> On the other hand, the people who talk about the great difficulty of
> factoring have equally little evidence...

This is a classic antinomy (paradox): one can argue indefinitely in either
direction, because the question lies along the bounds of human reason (or so
says Immanuel Kant).

The two sentences above, in themselves, provide a bit of evidence of the
impossibility of solving the problem, and at the same time provide evidence
for the possibility of handling this problem as a significant phenomenon of
pure mathematics.

:)

EDIT: I mean only that the insolubility of the problem may itself be of
mathematical use: it may (insofar as it is unsolvable, and insofar as it
appears to be soluble) amount to a kind of 'anchor' for mathematics, a marker
that indicates the boundary of the mathematical sciences, and that such a
boundary would be of tremendous import to mathematicians and philosophers. Why
is _this_ problem, _this_ problem specifically, unsolvable? (Rather than some
other problem that has been solved?)

tl;dr The question of "why have we been trying to solve this problem for
millennia?" is perhaps more significant for mathematics than the solution to
the problem.

------
kmill
This is the Henry Cohn that recently received recognition for his work on
optimal sphere packings in 8 and 24 dimensions:
[http://www.ams.org/journals/notices/201804/rnoti-p463.pdf](http://www.ams.org/journals/notices/201804/rnoti-p463.pdf)

------
JPLeRouzic
I am not a scientist, but in my team 15 years ago, many people much more
talented than me were in love with public cryptography. For them encryption
with a 1024 key was perfect, impossible to break. They did not even consider
that several RSA challenges had already been found.

Even if I had no education in mathematics, I tried to show that in fact it was
feasible to factor some large enough numbers with "bc" (using square root and
a few other simple tricks), so the risk of having encryption broken by
professionals was quite serious.

My boss asked another guy for his advice, which was essentially that for a
start he would not try to break any encryption scheme anyway. And that was the
end of the story. The unstated lesson was probably that there was no reason
to expect a career boost by working on such topics.

~~~
delinka
I'm not following your story.

At the time when 1024-bit numbers used in RSA were 'perfect', it was
infeasible to factor the number in a reasonable amount of time. The most
straightforward approach is just to iterate over integers from 2 to your
target number (call it _n_), and see if anything divides evenly. Now, you
start looking for shortcuts. First, you can test only half the numbers,
because the second half will give identical results (e.g. n=20, n/2 = 10;
later, n/10 = 2; no need to even test the second half of the range.) Next, it
becomes obvious that we only care about odd numbers (if it's divisible by an
even number, it's divisible by two); but really, when it comes down to it, we
only care about prime factors (for one thing, all non-primes can be decomposed
into prime factors; for another, we used prime numbers to get _n_.) And
lastly, for the simple shortcuts, you really only have to get to int(sqrt(_n_))
+ 1 or so. So we've cut down the number of integers we have to divide with.

Did we find the two prime factors of our _n_ in a "reasonable" time? If so,
just double the bit length to get a problem twice as hard. Every publicly-
known shortcut to factoring large numbers just means you need to make your _n_
larger to increase the workload on an attacker.

The question then becomes: has anyone found a shortcut that will factor any
number within a "reasonable" time? We don't know.

As to your career-related comments, I read cluelessness from your boss, and
carelessness from the 'other guy' - if OG "would not try to break any
encryption scheme," then he's not the person whose advice you want about the
strength of cryptosystems. Your boss just lacked critical thinking skills.
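The trial-division procedure the comment walks through, as an added Python example (not code from the comment or from the linked article). The semiprime in the usage block is constructed, and `worst_case_divisions` is an added rough estimate showing how the candidate count grows with the bit length of _n_.

```python
from math import isqrt


def trial_division(n):
    """Factor n with the shortcuts described above: divide out 2, then try only
    odd candidates, and stop once the candidate exceeds sqrt of the remaining n.
    Composite candidates are harmless: their prime factors were divided out first.
    Returns (prime factors with multiplicity, number of odd candidates tried)."""
    factors, tried = [], 0
    while n % 2 == 0:
        factors.append(2)
        n //= 2
    d = 3
    while d <= isqrt(n):            # bound shrinks as factors are divided out
        tried += 1
        if n % d == 0:
            factors.append(d)
            n //= d                 # keep d: it may divide n again
        else:
            d += 2
    if n > 1:
        factors.append(n)           # whatever is left is prime
    return factors, tried


def worst_case_divisions(bits):
    """Rough estimate (an assumption for illustration): odd candidates up to
    sqrt(n) for an n of `bits` bits whose two prime factors both sit near
    sqrt(n), about 2**(bits/2 - 1). Doubling the bit length squares this count,
    so the shortcuts above only shave constant factors off a cost that stays
    exponential in the key size."""
    return 2 ** (bits // 2 - 1)


if __name__ == "__main__":
    # Constructed semiprime 1009 * 1013: 504 odd candidates find both factors.
    print(trial_division(1009 * 1013))
    for bits in (32, 64, 128, 1024):
        print(bits, "bits: ~%d candidate divisors" % worst_case_divisions(bits))
```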

~~~
garmaine
Even 15 years ago 1024-bit numbers were not secure.

~~~
qq3
I'm working on RSA4096 and this is a secure minimum up to 2040. Factoring is
secure for all times, that's a numeric principle. You only have to make the
key/number greater. I'm working for 50 years with prime numbers and now I'm
where I was when I was 17. Only a little nearer. What Fermat didn't find and
Euler missed (!) is the knowledge that there is no super 'algorithm' for
factoring.

------
PhantomGremlin
Nobody yet has mentioned a film that was premised on the invention of a black
box "capable of breaking the encryption of nearly every computer system".

IIRC the movie plot was somewhat convoluted and confusing and I don't have any
desire to see it again. I'm bringing it up because there are a number of "what
would you do if" posts here.

In the end, the "sneakers" use the box to cause: _the sudden bankruptcy of the
Republican National Committee, and the simultaneous receipt of large anonymous
donations by Amnesty International, Greenpeace, and the United Negro College
Fund._

[https://en.wikipedia.org/wiki/Sneakers_(1992_film)](https://en.wikipedia.org/wiki/Sneakers_(1992_film))

------
webdva
> The first thing to realize is that until the advent of public key
> cryptography in the 1970's, few people cared about factoring. Some people
> were interested in it for its intrinsic beauty, but nobody thought it was
> good for anything, and it certainly wasn't the notorious unsolved problem it
> is today. If anything, it was mildly obscure.

"There is no branch of mathematics, however abstract, which may not some day
be applied to phenomena of the real world." - Nikolai Ivanovich Lobachevsky

Applied mathematics is a problem looking for a solution and pure or abstract
mathematics is a solution looking for a problem. An instance of this is the
extension of the set of complex numbers called the quaternions discovered long
ago which eventually found their application in affairs that require the
representation of orientations in three dimensions, such as in computer
graphics.

It seems here then that a motivated entrepreneur can establish a remunerative
business should he or she find a solution to this prime factoring problem.

------
debatem1
I think it's interesting how many people worry about factorization. A second
preimage attack on SHA2 would be at least as dangerous, and nowhere near as
many people know or care about its assumptions.

~~~
hackcasual
Breaking hashes isn't a decision problem, so they're not directly comparable,
but SHA-2 isn't on the same shaky mathematical ground that RSA is.

~~~
phicoh
SHA-2 was on related shaky ground. Remember that in a relatively short time
significant advances were made in breaking MD-5 and SHA-1. SHA-2 is based on
similar constructs to MD-5/SHA-1.

For this reason the SHA-3 competition was started to find a new hash function
based on different principles.

In the end it was found that creating practical attacks for SHA-2 is too hard.
But we don't know what the future will bring.

The difference between RSA and SHA-2 is that RSA is a very nice mathematical
structure and we are still learning a lot about (prime) numbers. In contrast,
SHA-2 is a weird structure that has to solve a hard problem. It is hard to
attack.

------
dooglius
EDIT: this comment was mistaken, bitcoin uses elliptic curve based key pairs,
as hackcasual points out below.

One thing to keep in mind:

Bitcoin wallets are implemented with public/private key pairs. If you believed
that you had a method to crack that, well you probably couldn't just take all
the bitcoin (people would notice and the market value would evaporate), but
you could probably figure out a way to make at least 1% (a couple billion). So
if it can be broken with a group of smart people thinking hard, that sounds
like a startup opportunity.

~~~
whatshisface
If Bitcoin was broken it would instantly become worthless.

~~~
dumbfoundded
Not if you did it in a smart way. Let's say you could arbitrarily make
transactions. Probably the best way to do it would be to steal all the coins
from a particular exchange, like Coinbase. Then everyone would think Coinbase
pwnd but bitcoin is fine. Rinse and repeat with other exchanges once a year
and you can make a hefty profit.

------
miccah
I did a toy project on wheel factorization if anyone is interested. Through it
I learned some interesting math and ancient algorithms. It is by no means the
cutting edge of factorization, but it was a fun little project.

[https://github.com/mcastorina/wheel-factorization/blob/maste...](https://github.com/mcastorina/wheel-factorization/blob/master/README.md#performance)

------
dang
Discussed at the time:
[https://news.ycombinator.com/item?id=12355431](https://news.ycombinator.com/item?id=12355431)

------
karmakaze
With a grain of salt

> Of course, I have no real evidence for my views: [...]

~~~
6gvONxR4sf7o
Might want to include context there:

> Of course, I have no real evidence for my views; ... On the other hand, the
> people who talk about the great difficulty of factoring have equally little
> evidence.

~~~
karmakaze
When we talk about the 'difficulty of factoring' there's an implication. The
direct meaning is that there may well be a simple algorithm for factoring that
has yet to be discovered. No one disputes this.

The implied idea is that this discovery could happen at any time and all
things depending on it are at risk. This is also true but it's unreasonable to
think that it is likely given that much effort has been put into this.

Yes we don't know, but two unknowns are not 50:50. Of course regardless of how
you estimate its truth consider the cost of being wrong when using anything
depending on it.

------
carapace
Purely tangential, speculative questions: If you did prove that P = NP would
you tell anyone? If so, how? Why?

~~~
nneonneo
Yes, I’d check the proof with some trusted colleagues, because odds are I’m
wrong and I’d want to know why.

P=NP is a very hard problem and there have been a lot of failed solutions
(including some that are flawed for very subtle reasons that can be easy to
overlook). Even many famous, well known people have fallen into the trap of
thinking they have a viable solution.

------
adamnemecek
Fast factorization is going to be one of the killer apps of photonic
computers.

~~~
goerz
You mean quantum computing (for which photonics are not a leading candidate),
or regular photonic computing? Because the latter doesn’t scale any better
than normal computers.

------
waynecochran
I have always wondered if the NSA has figured out how to factor efficiently.

~~~
phicoh
One thing to remember here is that RSA can be used in 2 ways: to encrypt and
to sign.

If RSA is used to encrypt (for example if you send an encrypted message using
PGP) then factoring directly breaks the encryption.

In practice, a lot of encryption on the Internet uses RSA to sign the hash of
a key obtained using Diffie-Hellman. In this case breaking RSA would allow the
NSA to impersonate but not directly break existing communications. The problem
with impersonation is that it is very noticeable.

What I find odd about the linked article is that it only talks about
factoring. In practice, the discrete log problem is just as important and is
very much related to factoring.
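An added toy model of the two uses of RSA the comment contrasts (example code, not the commenter's or any project's code): textbook RSA and plain DH over tiny constructed parameters, with a passive attacker who has recorded a handshake and later obtains the private exponent d. The key sizes, the DH group and every function name are assumptions for illustration only; real protocols add padding, key derivation and much larger parameters.

```python
import hashlib
import secrets

# Constructed toy server RSA key; real keys use 2048-bit or larger moduli.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; known to anyone who factors N

# Constructed toy DH group; real deployments use a 2048-bit group or a curve.
DH_P = 2**31 - 1
DH_G = 7

def rsa_encrypt(m, e=E, n=N):
    return pow(m, e, n)

def rsa_decrypt(c, d=D, n=N):
    return pow(c, d, n)

def rsa_sign(msg, d=D, n=N):
    # Sign SHA-256(msg); reduced mod n only because the toy modulus is tiny.
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n)

def rsa_verify(msg, sig, e=E, n=N):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h

def key_transport_handshake(k=None):
    """Scenario 1: the client encrypts session key k to the server's RSA key.
    Returns (recorded transcript, session key); only the transcript is on the wire."""
    k = secrets.randbelow(N - 2) + 2 if k is None else k
    return {"c": rsa_encrypt(k)}, k

def signed_dhe_handshake(a=None, b=None):
    """Scenario 2: RSA only signs the DH values; the session key is g^(ab).
    The ephemeral secrets a and b never appear in the transcript."""
    a = secrets.randbelow(DH_P - 2) + 2 if a is None else a   # client ephemeral
    b = secrets.randbelow(DH_P - 2) + 2 if b is None else b   # server ephemeral
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signed = f"{A},{B}".encode()
    sig = rsa_sign(signed)                      # server proves it holds d
    assert rsa_verify(signed, sig)              # client checks before continuing
    k = pow(B, a, DH_P)
    assert k == pow(A, b, DH_P)                 # both sides agree on g^(ab)
    return {"A": A, "B": B, "sig": sig}, k

def attacker_on_recorded_transport(transcript, d=D, n=N):
    """Passive attacker who recorded scenario 1 and later obtained d:
    the recorded session key falls out directly."""
    return rsa_decrypt(transcript["c"], d, n)

def bounded_dlog(target, budget=1 << 16, g=DH_G, p=DH_P):
    """Brute-force x with g^x = target, giving up after `budget` tries."""
    acc = 1
    for x in range(budget):
        if acc == target:
            return x
        acc = acc * g % p
    return None

def attacker_on_recorded_dhe(transcript, d=D, n=N):
    """Same attacker on a recorded scenario 2 handshake. With d it can produce
    the server's signature over DH values of its own (impersonation in a future
    handshake), but the recorded key is g^(ab): recovering it means solving a
    discrete log in the DH group, and d is no help. Returns (can_forge, key)."""
    own_B = pow(DH_G, 3, DH_P)
    msg = f"{transcript['A']},{own_B}".encode()
    can_forge = rsa_verify(msg, rsa_sign(msg, d, n))
    a = bounded_dlog(transcript["A"])           # only route left: the DLP
    key = pow(transcript["B"], a, DH_P) if a is not None else None
    return can_forge, key
```

With the ephemeral exponents above the brute-force budget, the scenario-2 attacker ends with the forgery capability the comment describes and no session key, while the scenario-1 attacker recovers the recorded key outright.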

------
naveen99
The reason factoring is hard is because finding very large probably prime
numbers is easier, making number-sieve-based methods useless for the purpose of
breaking large numbers used in cryptography.

------
carapace
You can build a machine with a laser and a big mirror.

