For most of my life I’ve waited for someone to post a credible claim that they’ve broken a major cryptosystem like RSA, and I’m pretty sure tomorrow I’ll still be waiting.
But that doesn’t make it any less fun to think about what a real (implemented) RSA break would look like. Imagine you were a genius who found an efficient factoring algorithm. You have so much opportunity for drama.
Obviously you could just post your algorithm but that’s boring and anyway practical people won’t be able to tell if it works, especially if it’s complicated and you’re not one of a very small number of researchers.
Fortunately back in the early 90s, RSA security posted a bunch of factoring challenges of which many remain unsolved. So obviously you’d pick some of the big ones and just start blasting out factors. en.m.wikipedia.org/wiki/RSA_Facto…
Your paper “Answers to some of the RSA factoring challenges” picks five of the big ones, gives their factors, and drops the mic. You post it to IACR ePrint.
At this point it’s very important to take a long vacation where nobody knows how to contact you. This is essential to making things more exciting.
A week later, in a fit of irritation, you repost your paper with two more factoring challenges answered. This time someone actually reads it.
By now people are talking about your results on Twitter. It’s gotten to the top of HN. The NYT is interested but doesn’t quite know what to say. Since you haven’t posted your algorithm there’s doubt about whether this is real or a trick.
A trick is possible. After all someone made those RSA challenges, and presumably at some point they knew the factorization. Maybe they kept it? Seems unlikely but so is a polynomial time factoring algorithm.
I’ve always assumed at this point you want to start breaking some really diverse keys. This is harder now that RSA is dying out on the Internet, but DKIM still uses it and so do some older TLS certificates. So break them all. At this point you might be doing some damage.
Sorry I should rephrase. So do lots of TLS certificates. Actually this is great. So now you’re selectively breaking major parts of the Internet and people are really getting nervous.
While this sounds fun, the trick here is not to break things. It’s to be dramatic enough that everyone takes you seriously enough to start ripping a lot of plumbing out of the Internet and replacing it fast, but before the bad guys get you or your algorithm.
(I had it stupidly in my head that RSA was going away because TLS did away with it in the handshake but the signatures are still everywhere. Yikes a real factoring breakthrough would be super bad.)
I want to be clear that you really have to break some stuff. You can’t just be nice and responsibly disclose this, or provide proof that you have people’s keys.
It took the industry something like 15 years to get rid of the hash function MD5 even as we knew it was getting broken, and even after it was *publicly* broken a spy agency used the break to get Microsoft to sign their malware. google.com/amp/s/arstechn…
A real (hypothetical) break of RSA is a million times worse than a break of MD5 in terms of how urgently the solution has to be rolled out. People need to scared. The IETF has got to be convening emergency meetings.
I’m not saying you should break anything important. Break Sharepoint.
Ok so this is still my favorite “exciting crypto research” scenario and I hope if anyone ever does come up with such a result they’ll be as dramatic as possible about how they reveal it. It sure won’t be me :)
Ok I want to shift away from fantasy to pass along something my friend @nadiaheninger calls “real talk about factoring”. This is all her from here on out, she just doesn’t like to use Twitter.
She points out that the running time of the number field sieve, our best factoring algorithm, is L_n(1/3, (64/9)^(1/3)).
The first number is the exponent of the ln n in the exponent. The second is the constant in the exponent.
She notes that if you change the second one to (32/9)^(1/3) it takes 1024-bit factoring from "still probably out of reach of academic computing power for a few years" to "was done pretty easily in 2007 by some academics".
Says Nadia: the 1/3 is more interesting. The quadratic sieve has a 1/2. It was in the early 90s that mathematicians figured out how to improve the 1/2 to a 1/3.
Again Nadia: The impact of improving the 1/3 to a 1/4 depends quite a lot on the constant, but a back of the envelope calculation shows that an L(1/4) factoring algorithm would likely bring 2048-bit RSA into feasible range.
And so she concludes: Now everyone who is freaking out about factoring... how confident are you that the number field sieve is the best factoring algorithm out there? Does that look like a natural running time?
As a note, she reminds me that in 2013 there was a series of breakthroughs for the function field sieve for discrete log for small characteristic finite fields that changed the running time from L(1/3) to L(1/4) and then to quasipolynomial.
For more than two decades before that the running time had been the same as for large-characteristic discrete log and factoring.
So (Matt again): as “fun” as it would be for someone to break RSA, it’s a lot more fun to think about when it’s completely implausible rather than when it’s a thing that isn’t totally outside of the realm of possibility.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Ok so let’s try these checklists out and see what it’s like to lock a phone down. I assume I’m concerned about someone else accessing my iCloud account as well as apps being evil.
Here’s step 1.
Ok this works pretty well, but it gives me the following confusing exception.
I was trying to be really low-key on this one, so let me make it really blunt. There is every reason to believe the NSA tried to subvert commercial cryptography in the 2000s, and now one of the architects of that work runs applied crypto at Amazon.
I couldn’t tweet a better description than the headline for this piece: After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case. cyberscoop.com/nsa-juniper-ba…
For those who haven’t heard this story, the context here is back in 2015 hackers broke into the source code repository of Juniper’s NetScreen firewalls and introduced serious vulnerabilities. 1/
Everyone has heard of the SolarWinds supply chain attack, but almost nobody outside our little community remembers Juniper. We don’t even know who the ultimate victim was. And there’s a reason for that. 2/
My students @maxzks and Tushar Jois spent most of the summer going through every piece of public documentation, forensics report, and legal document we could find to figure out how police were “breaking phone encryption”. 1/
This was prompted by a claim from someone knowledgeable, who claimed that forensics companies no longer had the ability to break the Apple Secure Enclave Processor, which would make it very hard to crack the password of a locked, recent iPhone. 2/
We wrote an enormous report about what we found, which we’ll release after the holidays. The TL;DR is kind of depressing:
Authorities don’t need to break phone encryption in most cases, because modern phone encryption sort of sucks. 3/