2048-bit RSA keys
Joseph Ashwood
ashwood at msn.com
Tue Aug 17 01:46:06 EDT 2010
FAIR DISCLOSURE: I am the inventor of some of the technology quoted,
specifically US Patent Application 20090094406. And just to plug myself even
more, yes the technology is for sale.
--------------------------------------------------
From: "Bill Stewart" <bill.stewart at pobox.com>
Subject: Re: 2048-bit RSA keys
> At 01:54 PM 8/16/2010, Perry E. Metzger wrote:
>>On Mon, 16 Aug 2010 12:42:41 -0700 Paul Hoffman
>><paul.hoffman at vpnc.org> wrote:
>> > At 11:35 AM +1000 8/16/10, Arash Partow wrote:
>> > >Just out of curiosity, assuming the optimal use of today's best of
>> > >breed factoring algorithms - will there be enough energy in our
>> > >solar system to factorize a 2048-bit RSA integer?
>> >
>> > We have no idea. The methods used to factor numbers continue to
>> > slowly get better,[...]
>>
>>He asked about "today's best of breed algorithms", not future ones. In
>>that context, and assuming today's most energy efficient processors
>>rather than theoretical future processors, the question has a concrete
>>answer.
>
> With today's best-of-breed algorithms and hardware designs,
> there isn't enough money in the economy to build a machine
> that comes close to making a scratch in the surface of
> that kind of energy consumption, whether for factoring or
> for simple destruction.
I'm not so convinced. Since we're discussing cost it makes sense to look at
the cost based structure from http://www.rsa.com/rsalabs/node.asp?id=2088.
The storage required for 2048 is approximately 2^64 bytes, this is usually
cited as the limitation. Considering technologies like US Patent Application
20090094406 (mass quantities of Flash at better than DRAM speed), this is
actually an achievable capacity with more speed than any current cpu can
handle (2^64 storage could operate at up to millions of TB/sec). The cost is
very significant, from http://www.dramexchange.com/#flash, the best price per
capacity is 32Gbit Flash, this is 2^32 bytes, so 2^32 such chips are
required, session average of $6.99 each, this is "only" 2^32*6.99 about $30
billion. Adding in the cost for the glue logic needed to build the
20090094406 adds less than 10% to the cost, so it's still under $35 billion.
It's worth noting that since we're talking about disk access protocols, the
systems in place already handle addresses longer than 64-bits, so there are
no redesign costs on the processors from this. So the cost resulting from
the storage requirement for 2048 bit factoring is only about $35 billion.
If, as the page suggests, the storage is still truly the dominant cost
factor 2048 is bordering on within reach for high value targets.
Fortunately, this does not appear to be the case, storage jumped ahead of
computation.
The computation cost is not as clear to me, I didn't invent the technologies
so I'm not as intimately familiar. Computation costs are given by "A
Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths" at 9 x
10^15 times more complex than a 512-bit factoring, but does not immediately
appear to offer good cost estimates, a few quick searches found RSA-155 took
about 8400 MIPS*years. Wikipedia gives a number of 147600 MIPS for an Intel
Core i7. Intel gives prices at $560 per cpu
(http://www.intel.com/buy/desktop/boxed-processor/embedded.htm?sSKU=BX80601940).
Assuming a full year is an acceptable time frame the 2048 factoring would
require 5.1*10^14 processors, costing, well bluntly, a crapload, or about
$285,600,000,000,000,000.
I'm sure in such volume the price for the cpus could be brought down
significantly, and other cpus may be more cost efficient.
Considering that Google gives a number of $14.59 trillion, the purchase
would require nearly 20,000 years of US GDP.
So unless someone can bring the computation cost down significantly (very
possible, since I used a very brute force method) it seems unlikely that
2048-bit numbers can be factored any time soon.
The most important part though is that the cost structure has changed
significantly. A few years ago the dominant cost was the storage, this has
changed significantly.
Joe
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
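
The cost arithmetic in the message above, carried through as an added example that is not part of the original post. It reuses the figures quoted there and, as an assumption of this example, cross-checks the cited 9 x 10^15 ratio against the standard heuristic GNFS running-time formula with its o(1) term dropped; all function and constant names are illustrative.

```python
import math

# Figures quoted in the post (2010 prices and benchmarks).
RSA155_MIPS_YEARS = 8400      # effort quoted for the 512-bit RSA-155
CORE_I7_MIPS = 147_600        # per-CPU throughput quoted from Wikipedia
CPU_PRICE_USD = 560
FLASH_CHIP_BYTES = 2**32      # one 32 Gbit flash part
FLASH_CHIP_USD = 6.99
STORAGE_BYTES = 2**64         # storage quoted for a 2048-bit factoring
GLUE_OVERHEAD = 0.10          # "less than 10%", taken at its upper bound
US_GDP_USD = 14.59e12
PAPER_RATIO = 9e15            # 2048-bit vs 512-bit work, as quoted


def gnfs_work(bits: int) -> float:
    """Heuristic GNFS cost L_N[1/3, (64/9)^(1/3)], o(1) term dropped (assumption)."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return math.exp(c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3))


def work_ratio(big_bits: int, small_bits: int) -> float:
    """How many times harder the larger modulus is under the heuristic."""
    return gnfs_work(big_bits) / gnfs_work(small_bits)


def storage_cost_usd() -> float:
    """Flash chips needed for 2^64 bytes, plus the glue-logic overhead."""
    chips = STORAGE_BYTES // FLASH_CHIP_BYTES
    return chips * FLASH_CHIP_USD * (1 + GLUE_OVERHEAD)


def compute_cost(ratio: float, years: float = 1.0) -> dict:
    """CPUs and dollars needed to finish ratio * RSA-155 effort in `years`."""
    cpus = ratio * RSA155_MIPS_YEARS / (CORE_I7_MIPS * years)
    usd = cpus * CPU_PRICE_USD
    return {"cpus": cpus, "usd": usd, "gdp_years": usd / US_GDP_USD}


if __name__ == "__main__":
    print(f"GNFS heuristic ratio 2048/512: {work_ratio(2048, 512):.2e}")
    print(f"storage cost: ${storage_cost_usd():,.0f}")
    cost = compute_cost(PAPER_RATIO)
    print(f"CPUs for one year: {cost['cpus']:.2e}")
    print(f"CPU cost: ${cost['usd']:.3e} ({cost['gdp_years']:,.0f} years of GDP)")
    print(f"compute/storage: {cost['usd'] / storage_cost_usd():.1e}")
```

Passing a larger `years` value to `compute_cost` shows how slowly the CPU bill shrinks when the time budget is stretched.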