Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago

Earlier this month, I made fun of a company called Crown Sterling, for…for…for being a company that deserves being made fun of.

This morning, the company announced that they “decrypted two 256-bit asymmetric public keys in approximately 50 seconds from a standard laptop computer.” Really. They did. This keylength is so small it has never been considered secure. It was too small to be part of the RSA Factoring Challenge when it was introduced in 1991. In 1977, when Ron Rivest, Adi Shamir, and Len Adelman first described RSA, they included a challenge with a 426-bit key. (It was factored in 1994.)

The press release goes on: “Crown Sterling also announced the consistent decryption of 512-bit asymmetric public key in as little as five hours also using standard computing.” They didn’t demonstrate it, but if they’re right they’ve matched a factoring record set in 1999. Five hours is significantly less than the 5.2 months it took in 1999, but slower than would be expected if Crown Sterling just used the 1999 techniques with modern CPUs and networks.

Is anyone taking this company seriously anymore? I honestly wouldn’t be surprised if this was a hoax press release. It’s not currently on the company’s website. (And, if it is a hoax, I apologize to Crown Sterling. I’ll post a retraction as soon as I hear from you.)

EDITED TO ADD: First, the press release is real. And second, I forgot to include the quote from CEO Robert Grant: “Today’s decryptions demonstrate the vulnerabilities associated with the current encryption paradigm. We have clearly demonstrated the problem which also extends to larger keys.”

People, this isn’t hard. Find an RSA Factoring Challenge number that hasn’t been factored yet and factor it. Once you do, the entire world will take you seriously. Until you do, no one will. And, bonus, you won’t have to reveal your super-secret world-destabilizing cryptanalytic techniques.

EDITED TO ADD (9/21): Others are laughing at this, too.

EDITED TO ADD (9/24): More commentary.

EDITED TO ADD (10/9): There’s video of the “demo.” And some history of Crown Sterling’s CEO Robert Grant.

Tags: , , , ,

Posted on September 20, 2019 at 12:50 PM67 Comments

Comments

MarkH September 20, 2019 2:14 PM

The first Crown Sterling post in this blog received a comment earlier in the week, which unfortunately was soon deleted, so I only saw it one time.

It appeared to be an invitation to a demonstration, presumably the one that just took place. The bottom of the comment was signed Robert E. Grant, though the “Name” field at the top was something like “James Doe” … which seemed especially odd, because their lawsuit for “booing” at Black Hat names several Doe defendants!

I thought the invite was probably genuine, which prompted two reactions:

  1. These guys have a lot of stones, posting this in a place where they had just been trashed up hill and down dale.
  2. The invite said something like (rough paraphrase) there will be an independent person/agency present to confirm that we’re really doing it.

I haven’t a clue who attended … but if a crypto geek were present, s/he could have pointed out that presenting a factor of previously unsolved large RSA challenge number would prove that they had made an advance, without any need for an “independent” auditor.

I’m a bit surprised that their demonstration was so pathetic … but really, what else could they show?

For me, the drama of this is, “how much farther will these guys push this?”

@Anders:

Probably they have solved ROTx for values of x which are squares of primes, and are working on solutions for the other 23 variants!

Dave C. September 20, 2019 3:11 PM

I would recommend someone publishing an N on this website where N = pq and p and q are both 1024 bit primes and seeing if they can factor that.

Vesselin Bontchev September 20, 2019 3:50 PM

LULZ. No, Bruce, they didn’t demonstrate even that. They didn’t factor it on a laptop – or it would have taken a couple of minutes, instead of 50 seconds. Nope, the laptop was used only as a terminal to SSH to an AWS instance with 32 cores and 200 Gb of RAM. Also, they didn’t use their own oh-so-advanced method – they used an open source factoring program that implements the NFS factoring method. (They used CADO-NFS, to be precise.)

Oh, and they took down from YouTube the video of the press conference where all these facts can be easily seen.

They are frauds, trying to scam investors.

Dave C. September 20, 2019 3:50 PM

@ Anders – thanks!!

Try factoring this:
5,998,490,465,869,535,958,493,457,351,726,585,769,768,780,414,997,827,819,458,162,457,365,131,278,468,842,516,733,150,612,150,020,222,444,199,271,535,713,836,705,106,165,363,816,940,972,785,296,134,153,108,270,095,125,037,429,065,753,489,390,743,788,249,433,982,879,002,728,397,181,012,226,608,631,723,752,258,738,079,635,407,385,665,857,943,917,136,911,564,807,480,973,854,047,760,344,144,861,445,967,101,625,999,152,002,875,057,899,164,813,532,726,121,437,267,279,809,037,677,032,771,686,333,393,479,670,023,626,669,656,286,448,596,616,752,216,293,521,499,749,737,800,846,524,363,691,459,902,238,665,732,702,744,582,185,179,531,226,365,443,974,338,304,593,978,784,281,864,220,016,019,189,495,513,322,532,654,236,388,570,230,078,722,101,944,994,358,570,309,218,509,180,305,727,137,122,851,736,117,179,378,654,706,701,977

I have the two primes p and q which are both 1024 bits

Tatütata September 20, 2019 4:14 PM

Meanwhile…

As reported in the German broadsheet Der Tagesspiegel, quoting Numberphile, a solution was found by University of Bristol researcher Andrew Booker for the equation k = x³ + y³ + z³, with k taking the very very very special value of 42, which in addition for its profound philosophical meaning, was until now the last remaining number below 100 which could not be expressed as the sum of three cubes. According This search had begun in 1954. This solution was found on a fairly serious piece of hardware.

Here we go:
42 =
80435758145817515^3+
12602123297335631^3-
80538738812075974^3

The number 3 will be revisited to see if there are interesting solutions beyond the trivial 1³+1³+1³ and 4³+4³-5³. Above 100, the next candidate is 114.

Now that’s some really interesting number gazing.

Tatütata September 20, 2019 4:43 PM

My big fat greasy fingers flubbed. (I wore off today my all my motor skills reserve trying to navigate a tiny weeny touch screen UI on a scanner machine at the public library.) This time should be right.

If these folks want a challenge, maybe they could crack some public keys of famous people or institutions.

So, as I wrote: Meanwhile…

As reported in the German broadsheet Der Tagesspiegel, quoting Numberphile, a solution was found by University of Bristol researcher Andrew Booker for the equation k = x³ + y³ + z³, with k taking the very very very special value of 42, which in addition for its profound philosophical meaning, was until now the last remaining number below 100 which could not be expressed as the sum of three cubes. According This search had begun in 1954. This solution was found on a fairly serious piece of hardware.

Here we go:
42 =
80435758145817515^3+
12602123297335631^3-
80538738812075974^3

The number 3 will be revisited to see if there are interesting solutions beyond the trivial 1³+1³+1³ and 4³+4³-5³. Above 100, the next candidate is 114.

Now that’s some really interesting number gazing.

David September 20, 2019 4:53 PM

@Andres

I’m waiting their press release where they state they can break Caesar cipher!

Funny. But sadly, many decision makers will be wooed by these statements and buy their product. We all think that this company is horrible, but we’re not their PR target: it’s the idiots with the finger on the Purchase Order button.

Ronnie September 20, 2019 4:57 PM

A sceptical report on Ars Technica.
https://arstechnica.com/information-technology/2019/09/medicine-show-crown-sterling-demos-256-bit-rsa-key-cracking-at-private-event/

This was funny

In a blog post earlier this month, security expert and Harvard Kennedy School lecturer Bruce Schneier declared, “Crown Sterling is complete and utter snake oil.” Grant laughed at the term, telling Ars he had ordered bottles of Pride of Strathspey Scotch Whisky with custom “snake oil” labels.

SpaceLifeForm September 20, 2019 6:09 PM

@Dave C, @Anders

The site says that they have 100% confidence that the randomly generated numbers are prime.

Have doubts. Serious doubts.

As the site mentions, they gen random, test for primality, if fail, decrement by 1, repeat.

This is fail.

First, you gen random, and make sure it is plus or minus 1 mod 6.

No reason to do decrement by 1 until primality test passes.

One would decrement by 6, not 1.

Also, Primality tests are NOT reliable.

Do not use any semiprime from the site for your own encryption keys!

They have the factors!

Sed Contra September 20, 2019 6:47 PM

Is there any connection between this company and Memcomputing? Both make extraordinary claims using high-concept language. Maybe these extremes are common in California. Just wonderin’ …

Clive Robinson September 20, 2019 10:55 PM

@ Dave C.,

I am an impartial source. Why would you think otherwise?

Hmm as there are no sarcasm tags I’ll bite.

@andy is not actually saying you are not, such is the joy of the impreciseness of the english language it might appear so.

The point he is making is about “hidden knowledge” that certain supposadly “trusted sources” abbused. That is the NSA[1], RSA[2] Juniper[3] either came up with a backdoored system or pushed it into their products as defaults to steal their customers security.

There is a problem with “redundancy” with multiplying two primes which was mentioned in a single sentence in an accademic paper back in 1980. This gave rise to Adam Young and his academic supervisor Moti Yung coming up with a series of ideas that give rise to the cryptovirology and cryptokleptography domains of endevor. Later others work led Niels Ferguson to postulate that it was possible to build a backdoor into certain types of algorithm. People went looking and found it to be not only true but that the NSA had pushed it into a NIST standard. Then further looking found that RSA had taken money to push the bad algorithm in their productsvas the default, and Juniper Networks products were found to have a similar backdoor built in as the default…

You might have heard of the Blum Blum Shub (BBS) generator. It is a pseudorandom number generator proposed by Lenore Blum, Manuel Blum and Michael Shub back in 1986. It is based one Michael Rabin’s earlier work for a secure one-way function.

The BBS generator has the simple form of X[n+1] = X[n]^2 mod M, where M = pq is the product of two large primes p and q where the bottom two bits are set. There are proofs of it’s security under certain conditions. Unfortunately the work of Adam Young and Moti Yung can be used to break those conditions. I once wrote some code that did just that and one or two related and some more obvious “backdoors” as an overwhelming “insider attack”[3]. Just to prove a point about why “code reviews” don’t work when a programmer knows something the code reviewer does not, which more often than not was the case at the time. Unfortunatly it still is the case in any number of closed source companies, where the managment view is “the quick young people abroad cut the code” as they are dirt cheap in “Sweatypoor”, and “old team leaders who now manage rather than code do the code reviews” untill we kick them out as they get in the way of improved quarterly figures…

[1] https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/dualec_in_x982_and_sp800-90.pdf

[2] https://arstechnica.com/information-technology/2013/12/report-nsa-paid-rsa-to-make-flawed-crypto-algorithm-the-default/

[3] Juniper Networks remained more or less closed lipped on how the back door got in their code base. They did however imply it had been somehow attacked potentially by an insider, before jumping on the politicaly popular “reds under the bed” line of Russia or China. Others hold the view it was the NSA’s handy work, although there is not photographic evidence as was the case with some Cisco kit being supply chain attacked,

https://null-byte.wonderhowto.com/news/what-really-happened-with-juniper-networks-hack-0167439/

Clive Robinson September 20, 2019 11:51 PM

@ Ronnie,

This was funny

It’s actually funnier than it first looks.

Although “Pride of Strathspey” costs around $4800/litre $320/nip, for the 1946 it’s not what you might think from the lable anyway,

https://www.thewhiskyvault.com/ekmps/shops/c1207730/images/pride-of-strathspey-1946-41-year-old-gordon-macphail-bottling-10431-p%5Bekm%5D1200x1200%5Bekm%5D.jpg

Gordon & MacPhail of Elgin, are a very well respected firm of “independent bottlers” not “distilers” and their “Pride of Strathspey” is actually an old series of bottlings of a Macallan single malt whisky.

As a single malt it’s OK but there are considerably less over priced single malts I actually prefer on taste. If you want to get the best of it then sip from a gold Quaich[1] or gold rimmed lead crystal glass at body temprature.

So Pride of Strathspey like, Robert Grant’s demonstration is realy “not what it says on the lable” 😉

[1] A Quaich is a Scottish “Cup of Friendship” that can be made from a number of metals. However the surface of pure gold –so plate works as well as solid– has the ability to change the flavour of what is being consumed slightly and this complements many malt whiskies and game (I’ve not tried it with porridge/oatmeal though 😉

Alex September 21, 2019 12:53 AM

Does this bring back memories of Distributed.net running on Pentium Is or IIs with the cow mooing sound effects every time it finshed a task?

Dave C. September 21, 2019 10:33 AM

@Clive Robinson

Well my challenge still stands. I am not affiliated with their company and don’t plan on publishing the factors. If they can publish the factors it MAY mean they have something worth taking a closer look at. Until that time probably not.

Dave C. September 21, 2019 11:03 AM

In looking at the parameter to the function IsProbablyPrime the value 1 was used. This means the probability of my primes being composite is 1/2. Not good. Need to run their code with a value much higher like 128.

AC2 September 21, 2019 1:14 PM

Some real gems in the YouTube video…

Pity they didn’t include the latter half where they described the math that would allow them to factor 2048 bit “very rapidly”…

maqp September 21, 2019 1:39 PM

From the press release

The paper includes four different geometric and arithmetic methods for public key (semiprime) factorization and one of the methods titled, “The Reciprocal Factoring Method” includes an analysis of reciprocal values of public keys and their embedded private keys (prime factors) found within their period decimal extensions.

“Today’s decryptions demonstrate the vulnerabilities associated with the current encryption paradigm,” said Grant. “We have clearly demonstrated the problem which also extends to larger keys.”

This absurd algorithm is something I dissected in the previous blog post https://www.schneier.com/blog/archives/2019/09/the_doghouse_cr_1.html#c6798668

Clive Robinson September 21, 2019 2:04 PM

@ Dave C.,

Well my challenge still stands.

That’s fine as far as I’m concerned.

But there are a couple of things that will come up.

Firstly, if they succeed in a reasonable time, the question of some kind of collusion arises.

Secondly, if they can not produce p & q in a reasonable time especially if they know they can not do it, they can raise questions about what you did in the way of input.

Whilst the second is not of particular interest you can set up a basic set of ground rules you could publish and ask two or more independent monitors to over see that you adhear to it.

The first is potentially of real interest because it could involve a hidden back door which would be quite topical to say the least of it. Especially when you could in fact set up a set of ground rules that would pass anyone checking them and pass the independent monitors over sight…

Put simply there are a couple of basic ways to generate P and q.

1, For each prime start with a randomly generated number of aproximately the correct size, then increment or decrement from it checking for valid primenes. Stoping when not only do you have two valid primes the product is also valid.

2, Just generate one prime from a start point and increment / decrement till it’s a valid prime. Then take the required product size and divide by the valid prime and use that as the start point to find the second valid prime and final valid multiple.

The first is in effect a random process the second a determanistic process.

However as you would be using a computer to do the increment/decrement and check for validity you could apparently do the first whilst doing the second.

It’s thus fairly easy to see how you could hide a bit of code to change the random number up to a starting point that is a multiple of a secret number then search from their for a valid prime.

Knowing what the secret is those alegedly factoring for the primes actually just search for valid primes from one of several start points based on the multiples of the secret number.

The result is they have a small search space for a valid prime then they just factor the product with each valid prime they generate untill they get the other valid prime…

There are a whole multitude of other tricks that you can do simply due to the very high level of redundancy in M where P and Q are valid primes.

It’s why such chalenges are effectively meaningless unless the generating process is very strongly audited. Just having P or Q is insufficient to check for whole swaths of collusion tricks.

Have a look at the work of Adam Young and Moti Yung, if you want to see a few,

https://en.m.wikipedia.org/wiki/Kleptography

SpaceLifeForm September 21, 2019 2:10 PM

@Dave C

“Maybe we could also use openssl to do this using a good entropy source.”

LOL

I prefer the curve on lava lamps.

maqp September 21, 2019 3:14 PM

@Vesselin Bontchev, all

The cado-nfs debug messages can still be seen on the video:
https://www.youtube.com/watch?v=uEVJrQEVd0I#t=7m45s

Info:root: Set tasks.threads=32 based on detected logical CPUs

The amount of RAM is also being displayed.

Was that not the same press conference video? If not, what was on the other video?

Nicholas Weaver noticed this but I’m not sure if he was the first one:

https://twitter.com/ncweaver/status/1175493814296858624

Finally, gotta appreciate the sense of humor from the maintainer of the satire repository:

https://github.com/CrownSterlingIO/SemiPrimeFactorization/commit/b43ea3cce3a37024c077456e33e43190434c7028

Dave C. September 22, 2019 10:50 AM

@SpaceLifeForm
Actually FIPS versions of openssl are used in many types of network security products to generate RSA and other keys.

SpaceLifeForm September 22, 2019 2:24 PM

@Dave C

Again, LOL.

“Actually FIPS versions of openssl are used in many types of network security products to generate RSA and other keys.”

Big deal. FIPS is NIST, and OpenSSL is a stinking pile of crap. There is a reason that LibreSSL does not support FIPS.

If you want to support backdoored code and trust the U.S. Government, go ahead, especially if your job depends upon it.

Note the difference in the build systems for OpenSSL and LibreSSL.

OpenSSL has it’s own customized build system, does not use AutoTools or LibTool.
Has special magic header and config files.

LibreSSL uses AutoTools and LibTool.

Here’s a clue from

https[:]//wiki.openssl.org/index.php/Compilation_and_Installation

“OpenSSL uses a custom build system to configure the library. Configuration will allow the library to set up the recursive makefiles from makefile.org. Once configured, you use make to build the library. You should avoid custom build systems because they often miss details, like each architecture and platform has a unique opensslconf.h and bn.h generated by Configure.”

Parse that very carefully.

Note the disconnect about ‘custom build systems’.

The message is: Trust OUR custom build system, but don’t do it yourself.

LibreSSL said NO, we are not buying.

Dave C. September 22, 2019 6:43 PM

@SpaceLifeForm
I can see where you are coming from and so there is a fundamental area of disagreement which is not worth my time to argue with.

mishehu September 23, 2019 3:00 AM

@SpaceLifeForm

The build system is not in of itself a sign of the trustworthiness of a codebase. If you have anything to actually substantiate your claims, I’ll have to ask for citations please. Otherwise you are simply spreading FUD. Complaining that the project doesn’t use libdrool and autoheadache is meaningless.

1&1~=Umm September 23, 2019 6:22 AM

@mishehu:

“The build system is not in of itself a sign of the trustworthiness of a codebase.”

Nor is the opposite.

OpenSSL has to put it politely a checkered path.

Mathew Green said of it,

    The good news is that it’s relatively easy to tamper with an SSL implementation to make it encrypt and exfiltrate the current RNG seed. This still requires someone to physically alter the library, or install a persistent exploit, but it can be done cleverly without even adding much new code to the existing OpenSSL code. (OpenSSL’s love of function pointers makes it particularly easy to tamper with this stuff.)

That is it has been written in a deliberately poor way that facilitates attacks.

But you might also want to consider why LibreSSL came to be when for years OpenSSL was the only game in town for virtually everybody. From an arstechnica article the lead paragraph said,

    OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

And quoted him saying,

    “Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers”

Which in of it’s self implies the OpenSSL code base was at best poorly maintaind and thus questionable at best. Theo has a reputation for honesty and good security code assesment as does the team of software developers he heads up. Theo went on to say,

    “The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision… in our larger development group, it made itself.”

Whilst it is possible to have security with out clarity in the source code, it usually does not work that way. Similar with the cleanliness of the source code base. The article went on to say,

    “When asked what he meant by OpenSSL containing “discarded leftovers,” de Raadt said there were “Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically.”

So the suspect cruft which was in part ancient history which should have been cleaned up by the developer but for various reasons he did not… Oh and of course in part that comment about “Thousands of lines of FIPS support, which downgrade ciphers” is again not what you want in a security product.

But what happened between Mathew Green’s comment and Theo de Raadt’s?

You could “go and follow the money” as the old saying has it but to save you the time it was “Heartbleed” that is described in another article with,

    “Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.”

That is 66% of webservers were vulnerable. Worse most Internet users at the time went to such broken web servers. This was because as OpenSSL Software Foundation President Steve Marquess said,

    “I’m looking at you, Fortune 1000 companies,” Marquess wrote. “The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications.”

You can read up further about Heartbleed, but put simply people started to dig into OpenSSL and a whole can of worms came out of it.

Some quite pointedly suggested that the NSA had been behind the alleged “bug” due to various reasons.

The point is OpenSSL had strayed well off the path of what was considered sensible software practice and as a result most users of the Internet had become exposed to a significant security risk that some had assumed was at the hands of the NSA, thus all the traffic over insecure OpenSSL had gone into the NSA vaults…

So the question arises with OpenSSL still not following what some consider sensible software practice, why should they trust it over another development that does?

And the answer is “no reason at all”.

As has been pointed out before “You are not a murderer untill you kill someone, then there is no turning back”. We can not say if other SigInt enterties had known and used Heartbleed. But we do know that certain SigInt entities have had people murdered over weak Internet security put in place by another US IC entity.

Which raises the question of why anyone should challenge what are for some sensible doubts?

So perhaps you should now do as you ask of others,

If you have anything to actually substantiate your claims, I’ll have to ask for citations please. Otherwise you are simply spreading FUD.

I’m sure some people will look forward to reading them, but don’t leave it to long, they might get ideas about you…

[1] https://blog.cryptographyengineering.com/2013/12/03/how-does-nsa-break-ssl/

[2] https://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

[3] https://arstechnica.com/information-technology/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

256 < 2048 by quite a bit September 23, 2019 6:24 AM

Two 128 bit primes multiplied looks like:

69,420,827,571,959,709,546,340,695,189,354,893,943,777,501,940,316,291,649,816,713,221,998,382,139,059

Two 1024 bit primes multiplied looks like:

19,343,667,891,781,738,797,370,449,870,396,728,863,202,179,703,682,342,733,967,278,822,480,775,276,979,813,504,845,595,034,120,393,370,152,899,748,537,330,898,548,017,116,175,240,963,843,867,106,157,651,562,938,898,587,956,984,439,585,038,390,081,531,059,793,636,342,757,112,708,239,493,995,608,005,284,452,393,526,826,826,070,437,900,649,990,778,255,928,880,967,794,060,642,207,210,135,237,248,313,591,984,445,102,205,903,536,129,280,729,693,873,645,010,158,968,436,202,325,737,975,359,495,133,351,478,385,069,986,802,247,946,708,263,098,835,744,821,961,101,805,321,686,249,554,702,982,917,404,602,650,552,634,211,721,543,194,027,909,462,103,211,831,759,214,437,760,483,022,798,117,868,041,446,071,398,803,987,275,533,080,729,349,251,435,281,331,126,580,312,335,348,000,444,123,257,382,275,855,627,368,919,052,416,438,211

Just a tad harder.

Keep making fun of these fraudsters: Clown Turdling

Vesselin Bontchev September 23, 2019 6:46 AM

@maqp, sorry I don’t understand what you are asking.

Yes, this was the press conference video. As I said, it shows that they did not factor the number on a Mac laptop but instead used the Mac to SSH (look carefully at the top line of the screen, slightly to the right of the center) to a machine with 32 cores and around 200 Gb RAM (the first and the sixth lines displayed by the program). It’s not even their tool, it’s CADO-NFS.

The really funny part is that my student managed to factor the first number used in their demonstration (that took them 51 seconds to factor) on a laptop with a 4-core CPU using the YAFU utility and the Quadratic Sieve factoring method (SIQS) in just 43.8794 seconds. No need for 32 cores, LOL.

Jeremy September 23, 2019 7:43 AM

@1&1~=Umm –

Two assertions in your post caught my eye:

Thousands of lines of FIPS support, which downgrade ciphers almost automatically.

Attributed to Theo de Raadt.

But we do know that certain SigInt entities have had people murdered over weak Internet security put in place by another US IC entity.

Your own assertion.

Can you direct me to discussion of either?

Clive Robinson September 23, 2019 9:16 AM

@ Jeremy,

I’ve linked to the ARStechnica artickes that Theo was quoted in.

As for the deaths it was CIA sources in China and Iran,

This was when the deaths were first reported but the cause unknown,

https://www.theguardian.com/us-news/2017/may/20/china-dismantled-cia-spying-operations-new-york-times

This was from when more investigation had been carried out,

https://thefederalist.com/2018/11/07/6-questions-huge-cia-blunder-allowed-enemies-kill-70-u-s-spies/

Dave C. September 23, 2019 9:44 AM

For what it is worth, here is a 2048 bit RSA modulus N generated using OpenSSL 1.0.2f 28 Jan 2016 (not in FIPS mode):

D15AF30AD1BA7722042704BE7301475D0B920ED3B02CDB77205CEC999C2F9B579ECB291C8CF991DA3F2C26994358A18194A749E4A762F97C218317CFB8AD4A66B56FB3EB0138684BC134461E67DE0E7485B71BF0DE37CC5A8FE05068BD226FFD658FC3BC5F5CDE47C53DD4970040A3EE127A5513B8FD53FE7114E18E631B7A3EEF82B542A10746A34747005F0551076FE6CEC8EB8345B420864A38EE9499CCF807FC4E5F86ACAF50C64CE6253C5E737C3F18A33C9FDC54E1481DA11CC09A4FCC857E126B79F195407C18009D0B96F431B5BED63824ACFB280489D2E2386AA8F1C0480B4FA02858100F240F941A5152E0D65285F283FB80F9EF81AFC8984B6D0B

It would be an interesting test for someone to factor this.

DH September 23, 2019 10:30 AM

Bruce, I’m not a cryptographer or mathematician, but I did hear about this company well before their Black Hat snafu. Aside from my initial thought that it was the plot to Sneakers, my only other reply to the person asking about it was to “trust the math.” 😉

SpaceLifeForm September 23, 2019 3:29 PM

@1&1~=Umm

Well said. Besides the issues you pointed to, I still do not like that one needs Perl to do the build. For either OpenSSL OR LibreSSL.

That is a dependency that should not exist.

I have not built either recently, but I think I should, and intentionaly break the build at strategic points, to debug.

@mishehu

Nice red herring.

It’s about using trusted build tools.
Yes, AutoTools and LibTool can be painful at times, I agree.

But, using build tools that autogenerate .h files BEFORE compilation, is questionable practice.

What is buried in those header files?

Magic numbers via #DEFINE? Obtained from /dev/urandom during the configure process?

How about magic obfuscated Macros?

How about plain .c code embedded in the .h file?

Does the build process actually bury magic stuff in .h files that magically disappear after the library is built?

Think about that. Hidden magic.

SpaceLifeForm September 23, 2019 5:38 PM

@Clive @Jeremy

It was CIA trying to do double encryption, but they screwed up, big time. Vault7 revealed that. They tried double, but used weak.

@Dave C

Just stop. Really, just stop trying to defend OpenSSL. You are not helping yourself or the country that you are supposed to defend.

Go to Smokey Bones.

Phill Hallam-Baker September 23, 2019 10:11 PM

This irritated me enough to write a piece looking at the claims. It occurred to me that Bruce’s snake oil crypto signs are for folk proposing new algorithms. People claiming to have broken existing algorithms create a whole new dimension of crazy.

The biggest problem with the Crown Sterling claims is that they could easily prove they are not full of shit by simply factoring any of the unsolved RSA challenge numbers. That is clearly the threshold criteria for being taken seriously.

But I also looked at how they claim to break RSA and it is roughly a 10^250 worse than the existing known attacks. Which is kinda bad.

https://medium.com/@hallam/getting-rsa-256-bits-wrong-4a9339f2f178

mishehu September 23, 2019 11:03 PM

@SpaceLifeForm –

There is no red herring, only what appears to be a severe misunderstanding on your behalf about build systems. Pretty much all that you listed off is completely independent of whether or not the build system is a custom one or is a common one. Or are you suggesting that it’s not possible to things such as populate “magic” numbers derived from /dev/random or /dev/urandom into header files with automake et al or cmake or other common build systems? If that is what you think, you are sadly mistaken about what can and cannot be done with the popular build systems.

You are, of course, free to distrust any software you desure. But for those reasons centering on the build system, I find them to not be valid.

That said, we’re digressing from the topic of Crown Sterling’s oh-so-sterling claims. Regarding that, I wonder if somebody’s just having a lot of fun at Bruce’s expense with what may be an elaborate troll. (Perhaps I’m just too cynical?)

maqp September 24, 2019 3:23 AM

@Vesselin Bontchev

sorry I don’t understand what you are asking.

You said

Oh, and they took down from YouTube the video of the press conference where all these facts can be easily seen.

I wanted to check if they really did that, but found a video on Crown Sterling’s youtube channel where the SSH connection, n/o logical CPUs, amount RAM and the cado-nfs debug message was still showing. So I asked if there was another conference video that was removed, and if, what was there.

So I wasn’t e.g. questioning whether the giveaways were present in the first place, but whether there was another video that had even more stuff that was removed.

Thanks for the tip on YAFU, it was really simple to use. I managed to factor the first prime used in Crown Sterling demonstration in time

SIQS elapsed time = 91.8618 seconds.
Total factoring time = 108.1558 seconds

using a 3GHz CPU (single thread).

Jurjen September 25, 2019 1:17 AM

I had a look at the paper “Uncovering multiscale order in the prime numbers via scattering”. He uses a lot of jargon (mostly from physics) to disguise what he is doing.
Then he discovers that primes in an interval have a periodic pattern using Fourier analysis. He concludes that if you do this accurate enough, you can predict the primes.
Actually, this method of using these patterns to predict primes isn’t new. It is called the sieve of Eratosthenes.

Weather September 26, 2019 1:47 AM

I see why it was hosted at blackhat, with go this social engineering hack we want to try, I’m guessing by the looks it was spot on or miles off course.

Vesselin Bontchev September 26, 2019 10:01 AM

@maqp, I understand now; sorry I didn’t get it the first time.

They posted the video, but people started making fun of them in the comments, pointing out that they are using CADO-NFS, etc. So, they made the video “private” – i.e., not viewable by the general public. That’s when I posted my comment here. Later, they made the video public again (so you can watch it now) – but disabled the ability to comment on it.

maqp September 26, 2019 12:18 PM

@Vesselin Bontchev

Haha. So the same story as was with the first TimeAI video they uploaded: its commenting was also disabled after it received a lot of critique.

SpaceLifeForm September 26, 2019 8:22 PM

The @thepacketrat noted:

So, when I interviewed Robert Grant at Crown Sterling, he said that he had reached out to
@schneierblog about looking at his crypto work, but was told “there was a significant pay-to-play,” so he didn’t go forward with it.

[Me thinks Robert Grant has some sieving to do to get out of the swamp he created]

maqp October 27, 2019 8:17 PM

@All

In the previous post I tried to evaluate the efficiency of the Crown Sterling reciprocal factoring method. Turns out there is no memory requirement for it. But it’s still not feasible:

Looking at https://www.geeksforgeeks.org/find-length-period-decimal-value-1n/ the way the algorithm

def getPeriod(n) : 
    # Find the (n+1)th remainder after decimal point in value of 1/n  
    rem = 1 # Initialize remainder  
    for i in range(1, n + 2):  
        rem = (10 * rem) % n 
  
    # Store (n+1)th remainder  
    d = rem 
      
    # Count the number of remainders before 
    # next occurrence of (n+1)'th remainder 'd'
    count = 0
    rem = (10 * rem) % n 
    count += 1
    while rem != d : 
        rem = (10 * rem) % n 
        count += 1
      
    return count

produces the period, is it first iterates over the range (1, n+2), so the first step has n+1 steps.

The remainder is then stored, and remainders are iterated backwards until the remainder repeats: the second part only requires as many steps as the period has length.

So, for RSA-2048, you need 22048 + len(period) steps to determine the period.

The most efficient way to find the factors is, while you’re iterating over the 22048+1 steps, you keep log10sqrt(22048) digits long substring (308 for RSA 2048) that is the RSA prime factor candidate (best case scenario).

When you produce the next decimal with the algorithm above, you need to slice off from the other end in order to prevent the memory cost from reaching insane levels: Like I said in the previous post, for just the RSA-100 (that has been insecure since the 80s) you’d have to store 15226050279225333605356183781326374297180681149613
80688657908494580122963258952897654000350692006139-1 digits, i.e. you’d have to store in the order of 10 petabytes of digits inside every atom in the observable universe.

Once you’ve added the next decimal of the reciprocal to the substring, you have 309 digit long substring. Thus, you have to slice one digit from the other end to get back to the 308 digit substring. This substring is most likely not prime, but checking that with a really efficient test like Rabin-Miller takes much much longer than just seeing whether it divides the semi-prime evenly. So to see if the substring is a prime factor, you just divide the semi-prime with it.

Because you sliced the one digit from the other end after every iteration, you have to keep doing the division after every step, because otherwise you might miss the prime factor candidate.

The question is, how efficient is this?

Well, I took time to implement as efficient algorithm as I could based on the non-existent documentation (read: the instagram post) with Python (the language should matter very little as we’re comparing efficiency between the algorithms by counting the steps, not by comparing the execution time).

The source code along with example output can be found here: https://gist.github.com/maqp/b04e27e795ab01c5cdefdcddc59e3a02

The tl;dr is, for that particular game of 100 rounds with 32-bit semiprimes, the Crown Sterling Reciprocal Factoring Method was on average 5.85 times slower than random division (brute force).

Note that the implementation of the reciprocal factoring method we’re using does not first have to iterate over the entire reciprocal, it’s testing the period on the fly so it exits as soon as possible.

Considering the comparison, it can be concluded the reciprocal factoring algorithm is just a crappier implementation of trial division, and that both run in exponential time (which in turn means Crown Sterling has achieved nothing.)

This makes it a lot less efficient than GNFS of the cado-nfs program they were using to break RSA256, and as shown above, slower than brute force.

While I’ve been thinking about this, I asked the good folks at cryptography.stackexchange.com about Crown Sterling’s reciprocal factoring method:

https://crypto.stackexchange.com/questions/74614/what-is-the-efficiency-of-the-new-crown-sterling-semiprime-factoring-method

The top answer turned out to be a fascinating read and technical dissection of the snake oil claims by the company. I highly recommend reading it.

Clive Robinson October 27, 2019 11:09 PM

@ maqp,

You’ve been having fun 😉

I’ll have a more detailed think about it but my gut instinct on first reading is you are right.

Mind you appart from the initial flurry of ruffled feathers from Crown Sterling news wise the story appears to have sunk without trace.

@ ALL,

Does anyone know if Crown Sterling has done anything other than their initial bluster reported in the news?

maqp October 28, 2019 3:37 AM

@Clive Robinson

They’ve been re-hashing the mod24 quasi-prime wheel for very long time.

Apart from the history Bruce linked above, most information has been in the instagram (go figure):

The prime wheel first appeared in August 7, 2018.

The findings from Shakespeare Sonnets with Alan Green appeared in Sept 29, 2018.

A Picture from March 12 this year shows Grant being interviewed for the Thrive movie https://www.youtube.com/watch?v=lEV5AFFcZ-s — I tried skimming it and the end credits, but didn’t find him anywhere.

March 21 shows him sketching the Time AI logo.

He did the privacy piracy interview, Ted Talk, The prime wheel interview for Hold my Ark. Then there was the blackhat talk, cado-nfs presentation, and now apparently they hosted a new age conference called Conference on Precession of Ancient Knowledge, or, CPAK: https://www.instagram.com/p/B3Cen7WnNo0/?igshid=a4usg3kn0xfu

My guess is Crown Sterling is still in its baby steps.

But if you look at https://www.youtube.com/watch?v=8paZWjiJIk8 you’ll see the company portfolio of Strathspey Crown (the parent company?) and all the snake oil in the world from Audiophile crap, medical patches with hundreds of medications in them, something called GeneRADAR that looks A LOT like the Theranos blood scanner, Botox alternative called Jeuveau, some social media app for physicians, some refrigerant..

And then there’s Torus Tech:

Torus Tech focuses specifically on quantum vacuum energy technologies across a wide area of application including energy production, gravitational control, health and medical treatments and many more. Resonance science and unified physics theory lie at the core of all these applications carried by a strong partnership between our research team and the core engineering team.

They have a product called “Harmonic Flux Resonator”:

Replicating the magnetohydrodynamics occurring in a variety of astrophysical objects.

Energy extracted directly from the vacuum. Nothing to burn, nothing to consume, nothing to destroy. No fumes, no toxins, no limitations. Nothing short of a paradigm shift which will alter the course of human kind forever.

So… free energy… Oh, they have another product:

ARK® crystals are a revolutionary technology that greatly boosts the body’s natural ability to attune with the vitalistic and expansive zero-point field of the quantum vacuum. The quantum vacuum represents the revelatory understanding in modern physics that space is not empty; on the contrary, it is the one thing that connects all things.”

They are serious about selling you $51,200 piece of machined bullshit: https://arkcrystals.com/product/64-ark-crystal-bundle/ (I really like the looks though, maybe it passes as art, at least in their opinion).

My favorite part on that site however is the “this is all bullshit” legal disclaimer they have to put there:

DISCLAIMER – Statements made on this site have not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure, or prevent any disease. Consult your own doctor.

So, with that being said, considering Time AI is the last item on that portfolio, it could also be the newest. The reason Crown Sterling hasn’t done anything else yet is because they’ve been really busy building an empire of bullshit.

I’m fairly sure these guys will make the main story on John Oliver by the end of the next decade.

BJ Snyder November 1, 2019 9:23 PM

I really read this thread because I do not know how to factor on the computer. I have an equation but I can’t get it to handle large numbers. I am going to attempt to plug it into Mathematica.

But my question is why (in general, I am not talking just Crown Sterling) is factoring semi-Primes considered impossible? I think you guys are stuck on the fact that Primes have know patterns. But that is the wrong problem to work on. A patterns in factoring are possible. And those factoring patterns can be applied to semi-Primes. I could argue more put I will give an example:

/* PNPcheck = sqrt[(((((x ^ 2) * (PNP ^ 4) + 2 * PNP ^ 2 * (x ^ 5)) + x ^ 8) / PNP ^ 4) * (((PNP ^ 2) / x ^ 2)))];

    estimate = (2 * x ^ 5 / PNP ^ 2 + x ^ 8 / PNP ^ 4);

*/

    pnp_check = (((( (x*x) * (PNP*PNP*PNP*PNP) + 2 * (PNP * PNP) * (x*x*x*x*x)) + (x*x*x*x*x*x*x*x)) /   (PNP*PNP*PNP*PNP)) * ( ( (PNP*PNP) / (x*x) )));


    root = sqrt(double(pnp_check));

PNPcheck = n and x = p in n=p*q

You know n and plug in a guess for x. With 2 guess values less than the correct x and a value greater than the correct x, a normal distribution will find the correct x.

This works with factoring all numbers.

So if you continue to use brute force to attack semi-Primes you will be in an endless battle. I can make numbers bigger and you can factoring them, but the process never ends. You find a pattern and create a function and you change the game.

Of course you don’t believe me. So give me advice on how I can multiply a large number by itself 7 times. If you take the time to test the equation you may believe.

Weather November 2, 2019 12:42 AM

72+ (xxxxx)) + (xxxxxxx*x))
Is seven times, the PNP might affect the equation, but you could sum it down 5/8 of 1 plus 2.

Clive Robinson November 9, 2019 1:48 AM

@ Observer,

Ahh, Crown Sterling again…

Speaking of Kings Crowns and British Sterling.

William Shakespeare in his play Hamlet gave us the phrase,

    Hoist with his own petard

Which is a common euphemism in the UK[1], and what appears to have happened to Mr Grant…

[1] It implies that “Poetic Justice” or “an ironic reversal of fate on a beligerant” has happened. A Petard[2] is a “breaching bomb” from the time gunpowder was the only real explosive. Basically it was a small iron barrel about 1/3rd full of gunpowder with iron spikes on the outside of the barrel. To use it a grenadier would light the fuse, run up to the wooden doors to be breached and smash it hard against the door so it stuck on the spikes. The grenadier would then beat a vary hasty retreat and would most probably be shot if the petard did not go off very quickly. So the grenadier would cut the fuse as short as he would dare. If he cut it to short then the grenadier is quite literally hoisted off his feet by the explosion, hence the phrase.

[2] Now for the etymology that amuses the inner school boy, we all have but deny 😉 Petard is from the French word “pétard” from the late 16th century. It in turn is from the “Middle French” word péter meaning “break wind,” from Old French word “pet” for “a fart”. I’ve mentioned befor the very expensive late 1980’s sales drive by GEC Plessey Telecomms after they rebranded as “GPT” in France. It goes down in the annals of historic marketing failiures because of an American Marketing Guru who shall remain anonymous. They advised that those giving talks should boldly “own the lectern” by going up and saying their name then GPT to “reinforce the brand”. But importantly with a slight French accent on the GPT to “promote encompassement” (what ever the heck that means 😉 Well if you say “Bill Smith, GPT” with an American idea of what a French accent might be on the GPT, to a Frenchman what he hears in his head is “Bill Smith, I have farted”…

Trurl December 23, 2019 4:58 PM

8333333333333333333333333333333333333333333333333333333333333333333333\
3333333333333333333333333333333333333333333333333333333333333333333333\
3333333333333333333333333333333333333333333333333333333333333333333

256 < 2048 by quite a bit • September 23, 2019 6:24 AM

Two 128 bit primes multiplied looks like:

69,420,827,571,959,709,546,340,695,189,354,893,943,777,501,940,316,291,649,816,713,221,998,382,139,059

Two 1024 bit primes multiplied looks like:

19,343,667,891,781,738,797,370,449,870,396,728,863,202,179,703,682,342,733,967,278,822,480,775,276,979,813,504,845,595,034,120,393,370,152,899,748,537,330,898,548,017,116,175,240,963,843,867,106,157,651,562,938,898,587,956,984,439,585,038,390,081,531,059,793,636,342,757,112,708,239,493,995,608,005,284,452,393,526,826,826,070,437,900,649,990,778,255,928,880,967,794,060,642,207,210,135,237,248,313,591,984,445,102,205,903,536,129,280,729,693,873,645,010,158,968,436,202,325,737,975,359,495,133,351,478,385,069,986,802,247,946,708,263,098,835,744,821,961,101,805,321,686,249,554,702,982,917,404,602,650,552,634,211,721,543,194,027,909,462,103,211,831,759,214,437,760,483,022,798,117,868,041,446,071,398,803,987,275,533,080,729,349,251,435,281,331,126,580,312,335,348,000,444,123,257,382,275,855,627,368,919,052,416,438,211

Just a tad harder.

Keep making fun of these fraudsters: Clown Turdling

I’m getting close and I’m only using Mathematica and guessing.

In[118]:= PNP = \
1934366789178173879737044987039672886320217970368234273396727882248077\
5276979813504845595034120393370152899748537330898548017116175240963843\
8671061576515629388985879569844395850383900815310597936363427571127082\
3949399560800528445239352682682607043790064999077825592888096779406064\
2207210135237248313591984445102205903536129280729693873645010158968436\
2023257379753594951333514783850699868022479467082630988357448219611018\
0532168624955470298291740460265055263421172154319402790946210321183175\
9214437760483022798117868041446071398803987275533080729349251435281331\
126580312335348000444123257382275855627368919052416438211

x = PNP * (1/
833333333333333333333333333333333333333333333333333333333333333333\
3333333333333333333333333333333333333333333333333333333333333333333333\
3333333333333333333333333333333333333333333333333333333333333333333333\
3)

Sqrt[((((x^2 * PNP^4 + 2* PNP^2 * x^5) + x^8) /
PNP^4) * ((PNP^2/ x^2)))]

Out[118]= \
1934366789178173879737044987039672886320217970368234273396727882248077\
5276979813504845595034120393370152899748537330898548017116175240963843\
8671061576515629388985879569844395850383900815310597936363427571127082\
3949399560800528445239352682682607043790064999077825592888096779406064\
2207210135237248313591984445102205903536129280729693873645010158968436\
2023257379753594951333514783850699868022479467082630988357448219611018\
0532168624955470298291740460265055263421172154319402790946210321183175\
9214437760483022798117868041446071398803987275533080729349251435281331\
126580312335348000444123257382275855627368919052416438211

Out[119]= \
1934366789178173879737044987039672886320217970368234273396727882248077\
5276979813504845595034120393370152899748537330898548017116175240963843\
8671061576515629388985879569844395850383900815310597936363427571127082\
3949399560800528445239352682682607043790064999077825592888096779406064\
2207210135237248313591984445102205903536129280729693873645010158968436\
2023257379753594951333514783850699868022479467082630988357448219611018\
0532168624955470298291740460265055263421172154319402790946210321183175\
9214437760483022798117868041446071398803987275533080729349251435281331\
126580312335348000444123257382275855627368919052416438211/\
8333333333333333333333333333333333333333333333333333333333333333333333\
3333333333333333333333333333333333333333333333333333333333333333333333\
3333333333333333333333333333333333333333333333333333333333333333333

Out[120]= \
1119462642967601379625749889949236065777407216363091843656817758630897\
2822004013012808616251428523303469194983368339224288931527755260370593\
4564726982165021366914927214391866070447793539124105460668568853618924\
3132905693874616958336079958862242579650280812660512453816275628067977\
7721150419713278365400937039926619418164741229089532498330068239309776\
1690074453198227284210005164670550843915175125291348603192500942129571\
2160296397474642360130036975254240806723286365854612676445799004846266\
7602028680911873106587947193189889293999449715734241944639662748710845\
3864217222758522411029165882690689971923777751749568939373903823332879\
0347862820497821662686301328739580127103593058742239980461079578843089\
8938404770001288892056326897984920834525603021493609403571623845097415\
9269047818150038841906826639724779147047347019045703317553593717846683\
7809250765440348545752291612966122145077943669090956833677756556314535\
3415742755622794040068289994068630691327156047081726660842339291269766\
7917971187981886248629293392246074136458310437500753586451933193176668\
2313587611783431933780044950953903564442478335965847599970260746987255\
0731160508492599759339823308128315559840203913178785278415738419343860\
320599550946803281571941063514234186096009901328/\
5787037037037037037037037037037037037037037037037037037037037037037037\
0370370370370370370370370370370370370370370370370370370370370370370370\
3703703703703703703703703703703703703703703703703703703703703703703009\
2592592592592592592592592592592592592592592592592592592592592592592592\
5925925925925925925925925925925925925925925925925925925925925925925925\
9259259259259259259259259259259259259259259259259259259259259259537037\
0370370370370370370370370370370370370370370370370370370370370370370370\
3703703703703703703703703703703703703703703703703703703703703703703703\
7037037037037037037037037037037037037037037037037037037037037

In[121]:= N[%120]

Out[121]= 1.934431447048015*10^616

BJ February 11, 2020 9:02 PM

Hello am I even close

5.998490465869538X10^615 =

1.816968190853090X10^205. * 3.3013734065719492767310020297X10^410

May not be exact to digit but magnitude is there.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.