Is it feasible to build an index of prime factors?

Question

Would it be possible to break an RSA key, in for example 1 week of time, if the cracker have already spent X number of years building an index of primes by performing every permutation of existing prime keys up to $2^{2048}$?

I understand this would take an immense amount of time to do, but it would only be done once. Obviously, computing such an index would take a considerable amount of time and would have to be done with someone having the right amount of resource. Given the public key, you would be able to look up what the two primes are, and hence retrieve the private key instantly.

Breaking an 256 AES would then be easier, as AES keys are often generated using the RSA private key.

Would it be possible to build such an index? How long would that take in permutations and perhaps with the fastest computer in the world?

Effectively crossdupe https://stackoverflow.com/questions/3267632/rainbow-tables-as-a-solution-to-large-prime-factoring and https://stackoverflow.com/questions/16091581/how-many-prime-numbers-are-there-available-for-rsa-encryption and https://math.stackexchange.com/questions/74524/rsa-encryption-breaking-2048-keys-with-index . In short, the universe isn't big enough to store the factors, much less the products. — dave_thompson_085, Mar 24 '21 at 22:46
I understand, that also rewards the effort of answers and comments, I have added a new question at Can Big Data together with deep neural networks attack RSA by affording the vast calculation of prime multiplications in advance?. — questionto42, Mar 25 '21 at 09:47

score 43 · Accepted Answer · answered Oct 21 '11 at 14:02

43

Let's assume for an instant that you could build a large table of all primes. Then... what ? How would you use it ? What would you look up ?

If you "just" scan the table and try to divide the number to factor by each prime, then this is known as trial division; there is no need to store the primes (they can be regenerated on-the-fly; that's the division which is expensive). Yet this is an highly inefficient factorization algorithm. We know much better factorization algorithms (which nonetheless utterly fail at making the slightest scratch on the surface of a 2048-bit RSA modulus).

Of course, the list of 1024-bit primes is so large that storing it, or even simply generating each prime, is ludicrously infeasible. There are about $2^{1014}$ such primes; that's close to $10^{308}$. Suppose you are an omnipotent but severely bored deity, and you decide to store these primes, using a storage device which uses the size of an hydrogen atom for each prime (we, as humans, can certainly not store that much information in so small a space, but hey, that's a piece of cake for an omnipotent God). The known universe has an approximate volume of $10^{79}$ m³. The volume of an hydrogen atom is close to $10^{-30}$ m³. So our eccentric divinity can pack about $10^{109}$ values in the whole Universe. He would still need $10^{199}$ complete Universes to store them all. $10^{199}$ is a mind-boggling number (if your mind is not boggled by it, then it must already be much more boggled by something else). It is ten billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions of billions. In other words, a lot. And we are still talking about complete Universes packed with atom-sized integers.

answered Oct 21 '11 at 14:02

Thomas Pornin

86,974
16
242
314

1

Are these long scale or short scale billions? (Short scale, if I counted right.) – Paŭlo Ebermann Oct 23 '11 at 21:56
Short scale. Usually I try to use British English ("colour", "centre"...) but for numbers I follow American usage, so that our American friends do not misunderstand. – Thomas Pornin Oct 24 '11 at 00:48
3

Reading this answer again, the storage problem is even worse! According to the holographic principle, the maximum information density in a volume is proportional to the square of its radius (e.g., its surface area) rather than the cube (e.g., its volume). Redoing the math, we can only pack roughly $10^{84}$ values in the observable universe, and would need $10^{224}$ universes to store them. And of course, once you've stored them, you'd need to be able to efficiently look them up when needed, which is a whole other can of worms. – Stephen Touset Jan 05 '16 at 18:38
@ThomasPornin I am reading this again and appreciate your thinking and your level of sophistication. But let's try to push this a bit further. What if the storage problem was tackled in a different manner? What if, rather than storing each prime, the deity decided to store just enough sparse numbers, allowing it to jump to a number, and then walk from there up or down. How sparse would that data be? And lets say, given 5 years head start to create these sparse indexes, the actual search from any point to find the right private key, must not take more than 7 days. Would that make it feasible? – mjs Jul 22 '19 at 17:58
The generating computer(s) would be able to generate randomly and keep only the found prime long enough from next, removing older ones. Or walk from zero + 2 to infinity, albeit that might put things into perspective. How long would it take to walk to 2^2048 ? – mjs Jul 22 '19 at 18:03
@ThomasPornin Relevant: https://www.researchgate.net/post/What_is_the_fastest_technique_to_find_the_next_prime_number_starting_from_a_given_prime_P
Especially Neil J Calkins answer.
– mjs Jul 22 '19 at 18:14
From Danas answer, This becomes very obvious at large sizes. For instance if P = 10^1000 (with the next prime being 10^1000+453), then how would we use a sieve to find the next prime? The outer loop would have over 10^496 iterations! It's only a quarter second using a partial sieve plus primality tests. APR-CL and ECPP prove it in about 7 minutes on a single core.
7 minutes to find any next prime for large numbers on a single core?
– mjs Jul 22 '19 at 18:26
The number of atoms is not the boundary, since the brain has more links than the universe has atoms (and count different intensities of links as single links, then the links are infinite). Therefore, see Can Big Data together with deep neural networks attack RSA by affording the vast calculation of prime multiplications in advance? that leaves this physical boundary. – questionto42 Mar 25 '21 at 10:28
Exactly! some times physics of the universe just limit the possibilities and probabilities. Similar arguments apply to the infinite monkey theorem, or quantitative evolution theory. They just won't crack it to explain the origins and complexity of life in this universe. At least if we do not come up with an infinity of parallel universes. Infinity is like the universal way out, similar to an omnipotent God, it can explain almost everything, story anything, and calculate anything. – Hjan Jan 16 '23 at 19:46

fgrieu · Answer 2 · 2021-03-25T18:01:36.167

No, it is not at all feasible to build an index of prime factors to break RSA.

Even if we consider 384-bit RSA, which was in use but breakable in 1995, the index would need to include a sizable portion of the 160 to 192-bit primes, so that the smallest factor of the modulus has a chance to be in the index. Per the Prime number theorem there are in the order of $2^{185}$ of such primes. The biggest data storage systems in existence by 2020 have a capacity of about $2^{64}$ bits, so if each prime used only one bit, the odds that the right prime is present is about $2^{-121}$. We are talking odds thinner than winning the lottery (e.g. the jackpot there) 4 times in a row.

score 11 · Answer 3 · answered Oct 21 '11 at 13:28

11

There are close to $2.27\cdot10^{613}$ primes smaller than $2^{2048}$.

There are close to $9.4\cdot10^{79}$ atoms in the observable universe.

Even if you could compute all those prime numbers, you wouldn't have any place to store them...

answered Oct 21 '11 at 13:28

Dennis

2,151
15
21

Why are we counting atoms? An electron or proton is not an atom and much smaller... right? – mjs Oct 24 '11 at 09:56
6

@Hamidam: My point is that there are $2.42\cdot10^{533}$ times as many primes smaller than $2^{2048}$ than there are atoms in the observable universe. Unless we can store $2.42\cdot10^{533}$ bits of data in a single atom, it doesn't really matter what we're counting. The largest atom known to mankind is an isotope of Ununoctium that consists of 530 subatomic particles: 118 protons, 118 electrons and 294 neutrons. – Dennis Oct 24 '11 at 10:58

SAI Peregrinus · Answer 4 · 2021-03-24T23:35:41.177

9

The Prime Number Theorem proves that there are approximately $\frac{x}{\ln x}$ primes less than any positive integer $x$. There are thus about $\frac{2^{2048}-1}{\ln (2^{2048}-1)}-\frac{2^{2047}}{\ln (2^{2047})}=22.8\times 10^{612} - 11.4\times 10^{612}=11\times 10^{612}$ 2048-bit primes. That's a rather large number, since there are only about $10^{80}$ atoms in the entire universe. So unless the attacker has $10^{533}$ spare universes, all entirely transformed into computer storage, this won't work. The time it would take to compute all of these primes is also rather large.

edited Mar 24 '21 at 23:35

answered Mar 24 '21 at 23:01

SAI Peregrinus

5,836
19
26

1

That's the number of atoms in the observable universe, not the entire universe. – Maeher Mar 25 '21 at 09:39
And the number of atoms is not the boundary anyway, since the brain has more links than the universe has atoms. Therefore, see Can Big Data together with deep neural networks attack RSA by affording the vast calculation of prime multiplications in advance? that leaves this physical boundary. – questionto42 Mar 25 '21 at 09:50
1

The brain's links are made up of neurons' dendrites and axons, which are made of atoms. There are only around $10^{15}$ connections, at most, in a brain. – SAI Peregrinus Mar 25 '21 at 14:05

score 7 · Answer 5 · edited Apr 13 '17 at 12:19

You are underestimating something, either the number of primes that an attacker would have to generate and store, or the size of the primes that must be multiplied in standard factorisation-based cryptosystems. Current recommandations suggest taking $1024$-bit primes. The number of $1024$-bit primes is about $1.26\times 10^{305}$, according to this answer on math.stackexchange. Even if the attacker was able to generate a billion prime per second, it would not take a week to generate all such primes, it would take $4\times 10^{288}$ years, and I do not have good ways of describing how huge this number is. The number of particles in the universe is nothing compared to that. Even the cube of the number of particles in the universe is nothing compared to that. I'm not even talking about storing this gigantic list, or searching through it.

So, basically, the answer to the question "what stops an attacker" is: "reality". — Jörg W Mittag, Feb 14 '17 at 01:54

score 4 · Answer 6 · answered Oct 21 '11 at 12:44

How long would that take in permutations and perhaps with the fastest computer in the world?

Given the analysis by @fgrieu using the prime number theorem, we know there are roughly $2^{185}$ possible prime numbers which could be used to construct a $384$-bit RSA key pair. Thus there are $2^{185^2}$ possible RSA key pairs (since it takes two primes to make up the key). Let's assume that generating the primes takes no time and that you can generate $10^{30}$ key pairs a second. To estimate the time it would take to create all key pairs, you'd do $2^{185^2}/10^{30}$ to get the number of seconds. Change this then to something a little easier to comprehend (centuries in this case), and it would take approximately $7.63\cdot 10^{71}$ centuries to create all the key pairs.

Now, just to show how difficult it is, let's assume you can do $10^{100}$ key pairs per second. It would still take $7625$ years to create the index.

So, even limiting ourselves to $384$-bit RSA, there currently isn't enough storage to store all possible key pairs and it would take over seven centuries to create the index. I don't even want to know what it would take for $2048$-bit RSA.

mhp · Answer 7 · 2016-01-05T16:46:48.473

The answer is no. It would not help at all to know all primes!

The proof is relatively simple from the fundamental theorem on the growth rate of primes. According to this theorem there are approximately $n/\log(n)$ primes less than $n$ for sufficiently large $n$. So if you are trying all divisors of $n$ less than $\sqrt{n}$, then you must try about $\sqrt{n}/\log(\sqrt{n})$ primes. This is about $\sqrt{n}/\log{n}$ primes as opposed to about $\sqrt{n}$ possible integers. As you see the speedup factor is $O(\log n)$ compared to brute force.

There are other methods of factorization that have much better asymptotic performance. The easiest one to understand is the modified Fermat's factorization which has an asymptotic performance $O(n^{1/3})$ [Lehman], in practice this can be reduced to $O(n^{1/4})$, although there is no well known proof for that. More advanced methods such as quadratic sieve or the general number field have much better asymptotic performance. These more advanced methods do not rely on knowing if a number is prime. So having a list of primes does not speed up these methods.

Is it feasible to build an index of prime factors?

7 Answers7

Linked

Related