Biggest Public-key Crypto Crack Ever 67
galore writes "Certicom's ECC2k-108 Elliptic Curve Discrete Logarithm challenge has been broken! This was the largest public calculation ever to use a complex parallel algorithm. $5,000 dollars in winnings will be donated to the Free Software Foundation. Congratulations to everyone who participated, including team Slashdot! " There seems to be conflicting versions of info about the prize money - some says 8,000 to the Apache Foundation, others say 5,000 to the FSF.
Re:Elliptic Curve Encryption (Score:1)
1) Pick a level of security that you would like to enjoy. (Say "If distributed.net were 100 times its current size and grew exponentially, it would take them 1000 years to break it..." or something like that.)
2) Find the best known algorithm for integer factorization (i.e. cracking RSA). This would be the Number Field Sieve (or some variation thereof). Figure out the key length you would need to enjoy the level of security you wanted in part 1.
3) Find the best known algorithm for solving the elliptic curve discrete logarithm problem (i.e. cracking ECC). This would be the Parallized Pollard Rho algorithm. Figure out the key length you need to enjoy the level of security you wanted in part 1.
4) Figure out how long it would take RSA to encrypt/decrypt something with the key length you calculated in step 2.
5) Figure out how long it would take ECC to encrypt/decrypt something with the key length you calculated in step 3.
6) Compare.
To say "RSA is faster than ECC" without qualification ignores the fact that the running time of each algorithm is fundamentally dependent on key size. (choosing 2^16+1 as a public exponent still makes for slow decryption, and although there is no break per se, it is still suspected that low public exponents are less secure than random ones. See, for example, the survey paper "Twenty Years of Attacks on the RSA Cryptosystem" by Dan Boneh of Stanford.) Also, the choice of basis and finite field for ECC is not that hard either. You pick the choices that gives you the best results.
NB: This isn't really a walkthrough, if you haven't figured that out by now. Each of the steps, with the possible exception of step 6, actually take a fair amount of work and background research to do. Also, since the question at hand seems to be the centre of a religious debate, I'll try not to say which algorithm comes out on top.
donny
Re:Big deal? (Score:1)
> open every safe and when asked to demonstrate
> sits down in front of it and starts
> turning the wheel until he gets the combination
> by accident.
no, read up on it first. this was not a brute force attack, it used an intelligent algorithm. read more (and brush up on your abstract algebra) here: http://cristal.inria.fr/~harley/ecdl7/FAQ.html
later,
ian
Re:Elliptical Encryption (Score:1)
later,
ian
apache? (Score:1)
Re:Major news... (Score:1)
The program basically creates a string of random math which means nothing and then starts mutating them. It feeds about 30 primes plus their offsets in and then averages how far each one was off. When the algorithm reaches a 0% deviation, that means we solved the problem. His program got to 0.000?? - ask him for the algo it used.
The damn thing's output is ugly as sin though.. well.. actually ugly as sine *cough* .. but it ran out of memory to hold the gene pool and basically swapped the machine it was running on to hell. That's why we need more RAM. :(
As to why such an algorithm would be useful.. I thought that since people basically brute-force through X numbers and run fast-fourier transforms and what-not on them we thought it would be nice if you could compress the keyspace to a pitifully small number. a 1000-bit keyspace now only has maybe 16 bits of keyspace. And because of how primes work... a 10000-bit keyspace might only have 20 bits of keyspace now. Kinda makes using large keys pointless then and puts us back on the fast track to using OTP.
Another Internet distributed processing program. (Score:1)
have huge computing jobs to do; and millions whose computers just sit idle much of the time.
With the ProcessTree Network those BIG computing jobs can get done faster
and cheaper, and people can turn there computers idle time into money.
Re:Slashdot's got money behind it. (Score:1)
Anyone who is cracking RC5 for the money, is deluding themselves. Do it for the sex appeal!
Re:DES has no such loophole (Score:1)
A quick search of my literature reveals no such proof, although pg.366 of Applied Cryptography implies that Quintuple DES offers improved resistance to meet-in-the-middle attacks, as it certainly does for exhaustive search.
Re:DES has no such loophole (Score:1)
Unfortunately, there is generally no way of formally proving security for these block ciphers, other than showing that it can resist various known real and hypothetical attacks (opening the possibility that some currently unknown technique could be found that crack a block cipher wide open)
So, in other words, DES and TripleDES have stood the test of time, but there is no guarantee that TripleDES is more secure than a newer block cipher. Personally, I'd use QuintupleDES if I were really ultra paranoid, otherwise I like Blowfish because of its speed. (And it is free for anyone to use and implement)
Is this enough of a challenge (Score:1)
ECC Challenge (Score:1)
To be clear, what has been broken is a single key on an elliptic curve which has a 108 bit order. The smallest key size which Certicom commercially recommends is a 160 bit key, which is on the order of 2^26 times as hard to break (a factor of approximately 67 million).
The papers available at www.cryptosavvy.com [cryptosavvy.com] are a good, independent, and recent reference for key size comparisons.
Tim Dierks
Chief Technical Officer, Certicom
tdierks@certicom.com [mailto]
Re:Corrections (Score:1)
There are a number of ECC patents, but it's possible to write a 'nice' implementation without violating any of them. It's not possible to write an implementation of RSA without violating their patent.
2. ECC is not faster than RSA. RSA is not faster than ECC. Nor are they equal in speed. While this all sounds terribly contradictory, it's all true; as we all know from having complained about NT-versus-Linux benchmarks, whoever is paying the analysis firm gets the results they want. When Certicom pays for ECC-versus-RSA, it always turns out that ECC is faster. When RSADSI pays for it, it always turns out that RSA is faster.
Emacs beats vi!
You have to take into account the relative strength of ECC keys versus RSA keys. ECC keys can be much shorter and therefore require much less processing. It's debately what that ratio should be, but contest like this help decide those numbers.
Even assuming that ECC were unambiguously faster than RSA, it wouldn't make a tinker's dam of difference. The applications which use asymmetric cryptography extensively are few and very far between. Symmetric ciphers have a better foundation in number theory, are more thoroughly cryptanalyzed and are often faster. Most of the time when asymmetric crypto is used, it's only used to negotiate a symmetric key. If it takes RSA a millisecond to encrypt/decrypt a 256-bit Twofish key, what do I care if it takes ECC a microsecond to do the same task?
One millisecond? Ok, I'm using weird hardware - but my decryption is way longer than 1 millisecond. (IIRC around 50-100ms for a 256 bit field). Considering all secure connections must decrypt at least one asymetrical key, you are looking at least 50ms on connection time. That means you can only accept 20 connections per second per machine. For high ussage applications this ain't so great. Speed does matter. Makes very little difference on a web browser - i'll give you that, but if you download a secure page with 20 inline images - each must do a RSA decrypt. Multiply by the number of users and you've got a CPU crisis on the server side - unless you start buying crpto-accelerator boards.
Encrypted speakers (Score:1)
Re:A Clueless Question ... (Score:1)
Chris Hagar
Re:Major news... (Score:1)
How to get involved with Distributed.net (Score:1)
Go to The Distributed.net download page [distributed.net] and grab the client for your platform. Specific instructions on how to install it for your platform are in the client, but the win32 version has a nice installer. :)
Configuring it can be kind of a pain if your a dialup/offline user, but if you have a lan type connection just plunk in your email address and thats about that, your ready to go. It'll connect to the internet and download some "blocks" to work on. When its done them, it'll send them back.
The day after you send some blocks in, go to the Distributed.net Stats Server [distributed.net] and do a search for your email address. From there you can get your password, and can join a team.
If you want to join team slashdot, after you have retrieved your password, do a team search for slashdot, go to the team info, and there should be an "I want to join this team" link. Click it.
After that, your blocks will also count towards the team.
If you need more help with it, you can post here, visit #distributed on efnet, or if your desperate, email me. :-)
Happy cracking!
Re:DES has no such loophole (Score:1)
ECC? (Score:1)
Re:Major news... (Score:1)
Re:BAYWATCH.JPG (Score:1)
No.
I pw-zip FOO.BAR to FOO.ZIP
I reverse FOO.ZIP to PIZ.OOF
I uuencode PIZ.OOF to PIZOOF.UU
I pw-ZIP PIZOOF.UU as PIZOOF.ZIP
I reverse PIZOOF.ZIP to PIZ.FOOZIP
I rename PIZ.FOOZIP to BAYWATCH.JPG
Well, maybe not .JPG but, like, .LOG or .CmdrTaco
But you are right - in the long run it won't be secure enough. If OTOH I replace ZIP with PGP and/or some scrambler that uses Abe's speech as the key... And then, the cracker still must have a clue what the heck is that interesting with a file like MSG.LOG...
Re:Elliptical Encryption (Score:1)
So, if I just went and pw-zipped a file, uuencoded it, reversed it, re-zipped again with password and called the whole thing BAYWATCH.JPG, what time would it take to decrypt it?
What I want to say is: if you are smart enough to leave no traces (or better yet, lure the crackers to a wrong trail), could even a 'mediocre' encryption algorithm (or combos thereof) be 'secure enough'? (that's that stegano thing, right?)
Why not? (Score:1)
It's cool. What other reason do you need?
I elaborate anyway: it's like a worldwide Beowulf cluster, except sorta not.
Further, it shows what a whole bunch of idle CPU cycles can accomplish.
And anyway, see the subject: why not?
Re:A Clueless Question ... (Score:1)
Ahhh. Excuse my ignorance, then.
-RickHunter
Re:A Clueless Question ... (Score:1)
I think the point is to see how long it takes and how much power has to be applied to effectively brute-force the key. Mathematical models can predict this, but its nice to have a real-world validation. Then they can say "Look how secure our system is! It too X computers of Y power Z months to crack A message encrypted with B key! Now give us much money!" ;)
-RickHunter
Re:A Clueless Question ... (Score:1)
As I read the article, that was indeed the point. The sponsors of the contest wanted media attention on how HARD it was to break their technique.
Re:Major news... (Score:1)
Re:A Clueless Question ... (Score:1)
Burris
Re:What about cracking RC5? (Score:1)
Which project? (Score:1)
Re:Major news... (Score:1)
It's a @#$%^&* messy spec, with parts released only with signed NDA. I suspect that someone may figure out a fairly fast hack of the "copy-1-time" :copy-never" " copy freely" attribute and pass that info around. What this breaking of a key-pair shows is what a brute force attack will cost (today).
Re:Hurrah! (Score:1)
Soon we'll crack the code of this seti@home thing.
I've written them and asked them to open-source their core like d.net did [distributed.net], claiming that this would cut down on illegal [cr|h]acking to make the client faster.
Level I or Level II? (Score:1)
Maybe I'm a fool but I could not notice on the page which of these "levels" was solved. I think that's kindof an important distinction to make.
1st REAL post (Score:1)
What about cracking RC5? (Score:1)
UMR Rulez
Re:A Clueless Question ... (Score:1)
No, you see: It's really as simple as 60 years ago, in WW2: When the Germans heard the words:
they thought it meant which is in fact the result when you translate the words into German and back with Babelfish [altavista.com].This, however, hasn't brought me any closer to understanding what we're discussing here. But I do know that, once the Americans learned how to decrypt the Germans, the war was won. And this is why we'll never be taken over by the machines - we're smarter than them, and we speak real German :-p
Excuse me for being offtopic. It won't happen again. Promise.
Re:Morals. (Score:1)
Some questions about the implications (Score:2)
Given the key-length and the time taken, what (if any) are the implications for EC encryption?
proceeds to to apache, not fsf (Score:2)
--
The plan:
Solve part of Certicom's ECC challenge.
Win $10000 and give most of it to the Apache Software Foundation.
Um, that's it.
...
Certicom is offering a prize of $10000 for the first correct solution. If we win it, $1000 will go to each of the two people who find the match and we will donate the remaining $8000 to the Apache Software Foundation. Note that following our previous successes, we have already donated $12000 to the Free Software Foundation.
--
older versions of this effort donated to the FSF, this one is definitely going to apache.
later,
ian
Re:Not cryptographically weak.... (Score:2)
later,
ian
Major news... (Score:2)
Isn't it about time the Apache project relocated to a country not a member of the WIPO? :)
Re:Major news... (Score:2)
ask this guy [mailto] about linear solving. It was my idea, but he's got one that's pretty fscking close to being able to predict primes in linear time. I just wish we had enough memory.. we got to a deviation of less than 0.0000?? per thousand.. :( I think we need a 256MB chip to let the tree fully 'bloom'.. but ask him.. he knows how the algo works better than I.
Re:Elliptical Encryption (ECC is faster!!) (Score:2)
Quoting Alfred Menzes, a consultant at Certicom and general ECC god-of-knowledge,in his web page [uwaterloo.ca] says:
This same paper (written in response to Bruce's discussion of ECC in his Nov99 crypto-gram [counterpane.com] goes on to say on speed:
Re:Elliptical Encryption (Score:2)
512 rsa really takes a few days to factor with specialized hardware (AFAIK).
SLASH BUG (Score:2)
A bug report has been filed with Taco.
Re:Not cryptographically weak.... (Score:2)
However, unlike DES, there is no known mathematical loophole
Sorry, this is glaringly inaccurate. There is NO known mathematical loophole in DES - the "least effort attack" is a brute-force attack. If there was a weakness known in the algorithm then the best attack would exploit this instead.
The DES algorithm is excellent, merely suffering from keys that are too short at 56 bits to give adequate protection - note the difference between the *quality* of the algorithm and the level of protection here. Triple-DES (112 bit key equivalent - don't believe anyone trying to sell it to you as a 168 bit key solution since there is an attack against double-DES making it only a single bit stronger than single-DES. Yadda yadda - see "Applied Cryptography" for the details) builds upon this and gives a level of protection considered unbreakable since the best attack is still the brute force attack trying all keys in turn, and 2^112 is somewhat larger than 2^56.
SRe:Major news... (Score:2)
So, this doesn't mean the algorithm is broken. We've known all along that the keys could be cracked in this way. It does give us a better picture of how large the keys must be to make cracking them unfeasable.
Unless the implementations you mention use keys that are not much larger than the ones recently cracked then they are still quite safe. Major news would be an algorithm that ran in linear time.
Burris
Re:Major news... (Score:2)
Re:Not cryptographically weak.... (Score:2)
Your statements about the strengths of double and triple DES should be clarified. The key-length equivalents that you mention are only applicative for what is know as a "meet in the middle" attack, whereby the attacker uses a known PT->CT pair and decrypts one DES encryption of the CT with a test key while encrypting the PT with another test key under one DES encryption. The attacker keeps a list of the pairs of the results in the middle (I'm handwaving here, as there are some optimizations that can be made) and when there is a match, the correct keys can be trivially recovered. The attack requires serious memory to even think of carrying out (orders of magnitude greater than all of the RAM installed on every computer that has ever been built).
Re:Elliptical Encryption (Score:2)
Re:Major news... (Score:2)
"I thought that since people basically brute-force through X numbers and run fast-fourier transforms and what-not on them we thought it would be nice if you could compress the keyspace to a pitifully small number. a 1000-bit keyspace now only has maybe 16 bits of keyspace."
Please spare us your thoughts and actually learn something about what you are blatthering about. To find large prime numbers, most people use a variant of Miller-Rabin SPPT efficiently. To enumerate all the primes in a certain interval, we use either an Atkins sieve or an appropiately blocked standard sieve. To determine the next larger prime than a certain number, we use standard sieving or delta-big delta sieving. To decompose a composite into primes, we use either the ECM (
And how precisely do you plan on compressing a 1000-bit keyspace into a 16-bit keyspace? Ever heard of the pigeonhole principle? Do you even know how many primes are in that interval? The distribution of prime numbers in a specific interval is regular in a very specific and formal way that effectively means that you can treat them as randomly distributed (yes, I know about the RH, I don't care). And how would a 10000-bit be represented as 20-bits of keyspace? Please tell me "how primes work"? I would really like to know and collect my Fields medal.
Finally, if you by some miracle got your GA working (and please don't get me started on this particular bit of idiocy; smoothness arguments about the primes and their spacing will be a waste of space), how would this render symmetric algorithms obselete? How would this magically crack DES, IDEA, or [insert block cipher here]? How would this magically crack RC4, SEAl or [insert stream cipher here]? How would this magically crack ECC, the modified-Chor-Rivest knapsack scheme, NTRU, or [insert other PK algorithm here]?
It won't, because you're talking out of your ass here.[/quasi-flame]
Re:Major news... (Score:2)
So please, tell me, what does "linear solving" entail? What does it mean to "predict primes in linear time"? What does this "deviation" refer to? How does this tree "fully 'bloom'"?
Re:Major news... (Score:2)
From jxkljklsjfd@hotmail.com Re: Hello (412893) (Score:2)
Have I got a deal for you. For only $19.99 (Plus $42.36 S&H) you could be the owner of a hand-made, titanium-polymer, mechanical pencil. No more broken pencils moments before cracking a code. This pencil has a full, money-back guarantee (Minus shipping and handling both ways). And if you order in the next 349 seconds (324 if you read slow), I'll toss in a free piece of 0.7mm lead.
[/Spam]
Sorry, I know it's slighly OT but I couldn't resist this one.
kwsNI
Why they did it? (Score:2)
Re:From jxkljklsjfd@hotmail.com Re: Hello (412893) (Score:2)
Very suspicious... (Score:3)
Team Apache cracks the code and the Apache Software Foundation gets the cash...
Apache (or some variant thereof) runs on over 50% of Internet-connected web servers...
When was the last time you took a peek in the Apache source code to make sure they weren't sneaking some sort of distributed processing client into the web server? Very suspicious indeed... maybe that's why my server's processor usage has been higher than normal! :=]
________________________
The plaintext message... (Score:3)
All participants are officially under arrest.
Please proceed to your nearest police station to turn yourselves in, and nobody gets hurt.
Re:Some questions about the implications (Score:3)
The 97-bit challenge was broken (by the same project) in a couple of months, also in line w/ prediction.
The next challenge is 131 bits, which should take a LOT more time and power to break. The challengers can use these results to justify their claim that the 161+ bit challenges are infeasible.
FWIW, people in the field believe a 160 bit ECC problem to be roughly equivalent to 1024 bits of RSA, which is currently WAY beyond what can be feasibly attacked (barring no advances in factoring technology)
ECC has a bright future and these challenges only serve to emphasize that point.
See the link on the Certicom ECC challenge [certicom.com] for more info.
BAYWATCH.JPG (Score:3)
1. Try and display it as a
2. Look at the first few hundred bytes of the file. Almost every distinctive filetype out there today has distinctive header information. Standard compression libraries (PKZip, zlib, etc.) have very well-known headers.
3. Try to unzip the BAYWATCH.JPG file. Hey, it's asking for a password. Damn.
4. Leaf through my notebooks to find PKZip's encryption algorithm (it's trivially weak, but I don't remember its implementation off the top of my head).
5. Ah ha! I've found the cipher that's used in PKZip. Now I've just got to write a Perl script that'll break the cipher--it is a trivially weak cipher, after all.
6. Presto. Now I've got the original file back, or so I think. I take a look at it with a hex editor. Hey, this is
7. Check the file again. I've suddenly got the secret recipe for the $250 Neiman-Marcus cookies. I hand over the fruits of my labor to Boris and Natasha in the hopes that they will use these cookies to lure the moose and squirrel to their doom.
... Looking through the chain, you've got some file (FOO.BAR) which you compressed using PKZip (FOO.ZIP). You ran it through uuencode and uudecode (net result, no change), leaving it as FOO.ZIP. Then you just compressed-it-with-password again and renamed it BAYWATCH.JPG.
Total time for me to break it--six hours. That includes time to write the Perl script to break PKZip's encryption (provided I don't already have one somewhere), time to debug the Perl script, and enough time to order a pizza and have a decent lunch while I work.
If I've already got a Perl script to rip PKZip's encryption, then figure it'd take me about fifteen minutes.
What I want to say is: if you are smart enough to leave no traces (or better yet, lure the crackers to a wrong trail), could even a 'mediocre' encryption algorithm (or combos thereof) be 'secure enough'?
... I hope this post answers your question. The short answer is "no". The long answer is "usually, no".
Big deal? (Score:3)
This is about as cool as a guy who claims he can open every safe and when asked to demonstrate sits down in front of it and starts turning the wheel until he gets the combination by accident. Everybody knows you can do it that way.
Now if the attack had taken just a few sheets of paper, a pencil and a calculator, then I'd be impressed.
I was about to (Score:3)
A Clueless Question ... (Score:3)
So one particular message, encrypted with one particular pair of keys was cracked after running a brute force cracker on lots and lots of machines. I don't get it, what does this prove? Does it not in fact demostrate how hard it is to crack ECC? In fact, this does not prove anything. Maybe there are specific key-pairs which are particularly easy to brute force?
Can someone please enlighten me?
Re:A Clueless Question ... (Score:3)
Burris
Elliptical Encryption (Score:4)
- patent free (RSA expires this year!)
- faster than RSA
- can be implemented easily using 8/16bit microcode (ideal for smartcards)
Bruce likes to claim cracking contents have no value, but I disagree. EEs haven't been studied as much as RSA, so contest like this are important to showing the algorithms strength as implemented in the real world - and more importantly - generating interest in the research community.
Corrections (Score:4)
1. ECC is not patent free. Several companies are engaged in patent war over ECC (Certicom being the number one). The "nice" curves have already been patented (mathematicians in the audience will crucify me for describing some curves as "nice", but it's a reasonably accurate layman description--some curves make crypto easier than others, hence they're "nice").
2. ECC is not faster than RSA. RSA is not faster than ECC. Nor are they equal in speed. While this all sounds terribly contradictory, it's all true; as we all know from having complained about NT-versus-Linux benchmarks, whoever is paying the analysis firm gets the results they want. When Certicom pays for ECC-versus-RSA, it always turns out that ECC is faster. When RSADSI pays for it, it always turns out that RSA is faster.
Even assuming that ECC were unambiguously faster than RSA, it wouldn't make a tinker's dam of difference. The applications which use asymmetric cryptography extensively are few and very far between. Symmetric ciphers have a better foundation in number theory, are more thoroughly cryptanalyzed and are often faster. Most of the time when asymmetric crypto is used, it's only used to negotiate a symmetric key. If it takes RSA a millisecond to encrypt/decrypt a 256-bit Twofish key, what do I care if it takes ECC a microsecond to do the same task?
3. RSA smartcards have existed for years. Check out the iButton for an example of how asymmetric cryptography can be used in smartwear (jewelry, buttons, etc).
Insofar as Schneier's distaste for cracking contests, I've got to say I'm in the same boat. Running a cracking contest doesn't prove anything. It doesn't prove it's secure, brute-force cracking rarely betrays insecurities, and what it's best at is media hype. PHBs the world over look at cracking contests and say "Wow, ECC stood up really well to that distributed attack, I guess it's safe for us to use!", without even once bothering to learn what the theory behind ECC is.
Schneier himself uses contests, so it's disingenuous to suggest he claims contests have no value. Schneier's Blowfish contest offered a cash award to the best cryptanalytic results against Blowfish, regardless of whether or not those results led to a break. That seems to me to be a more healthy way to run contests, although I'm still not entirely sold on the idea.
DES has no such loophole (Score:5)
However, unlike DES, there is no known mathematical loophole
Wrong answer, thank you for playing. DES is one of the most, if not the, most thoroughly-analyzed ciphers of all time. So far, the best way to break DES is by a brute force attack. There are some attacks against it which some people use as proof that the NSA put a backdoor in it, but these attacks are extremely esoteric -- for instance, the key complementation property means you only have to test half the possible keys; this reduces the difficulty of some attacks (chosen-plaintext attacks, specifically, although I think Eli Biham has a known-plaintext version) by a factor of 2--meaning the keyspace is only of size 2**55, not 2**56.
The rules for using DES are simple. Don't use weak keys; don't use complementary keys; use it in DESede (aka TripleDES) mode. The resulting ciphersystem is as close to unbreakable as you're likely to ever get. If your system is eventually broken, you can be reasonably certain that the cipher was not the subsystem which suffered the breach.
I trust DESede more than I trust Blowfish, more than I trust IDEA, more than any other symmetric ciphersystem out there.
Interestingly enough, so does Schneier. A few months back at a crypto conference someone in the gallery asked him what the strongest cipher today was. As I recall, his words were "Triple DES. There is no question."
Not cryptographically weak.... (Score:5)
I'd be more interested in real cryptographic algorithm analysis of the algorithm, but that is not by any means my forte.