Lucky's 1024-bit post

[Wei Dai]

On Wed, May 01, 2002 at 01:37:09AM +0200, Anonymous wrote:
> This is probably not the right way to approach the problem.  Bernstein's
> relation-finding proposal to directly use ECM on each value, while
> asymptotically superior to conventional sieving, is unlikely to be
> cost-effective for 1024 bit keys.  Better to extrapolate from the recent
> sieving results.

Yes, good point.

> For about $200 you can buy a 1000 MIPS CPU, and the memory needed for
> sieving is probably another couple of hundred dollars.  So call it $500
> to get a computer that can sieve 1000 MIPS years in a year.

You need a lot more than a couple of hundred dollars for the memory, 
because you'll need 125 GB per machine. See Robert Silverman's post at 
http://groups.google.com/groups?hl=en&selm=8626nu%24e5g%241%40nnrp1.deja.com&prev=/groups%3Fq%3D1024%2Bsieve%2Bmemory%26start%3D20%26hl%3Den%26scoring%3Dd%26selm%3D8626nu%2524e5g%25241%2540nnrp1.deja.com%26rnum%3D21

According to pricewatch.com, 128MB costs $14, so each of your sieving 
machines would cost about $14000 instead of $500.

> If we are willing to take one year to generate the relations then
> ($500 / 1000) x 8 x 10^10 is $40 billion dollars, used to buy
> approximately 80 million cpu+memory combinations.  

($14000 / 1000) x 8 x 10^10 is $1.1 trillion. So my earlier estimate for a
$10 trillion 4-month machine was only off by a factor of 3, which is a
nice coincidence. :)

(Too bad about the memory, otherwise you can get your sieving machine
almost for free by writing a worm to take over half of the Internet, which
currently has about 190 million hosts.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com