TCSV Security Deep Dive: Factoring and Speed Demos

Silicon Valley/Microsoft, California Oct 28, 2015

See TCSV Blog Supporting presentation: Deep Dive: Cybercrime, Security, and Privacy in the Snowden Era

The Telecom Council of Silicon Valley Deep Dive on Security in the Snowden Era illuminated some new approaches to balancing security and privacy with effective, new-generation, cryptographic technologies.

The conversation moved beyond passwords, analytics and best practices and looked at an innovative virtual security framework called Dynamic Distributed Key Infrastructures (DDKI). DDKI is a virtually manufactured and virtually provisioned framework that is distinguished by Dynamic Identity Verification and Authentication (DIVA) which is a protocol that provides continuous and dynamic cryptographic one-time pad, one time-password authentication and unbreakable one-time-pad authenticated encryption.

The goal is to balance security and privacy issues and to simplify the implementation and scalability.

The demonstrations that the Telecom Council SAW included both a significant look at the future of cryptography and the vulnerability of the cryptography we currently rely on. They SAW a Whitenoise exponential key being made and used at lightning speed.

The TCSV LEARNED that the estimated time to break a 128-bit public key by brute force is supposed to take a billion-billion years.

They also SAW that an NIST recommended key strength of 128-bits that is "acceptable" through 2030 was broken in a second.

Worse, it was considered whether RSA-like semi-primes might be broken with a simple "prime number dictionary attack" since the Internet has lists of pre-calculated prime numbers that go up to 10 ^ 18.

But it was not all bad news. Dynamic Distributed Key Infrastructures work seamlessly with existing public key frameworks and fixes the asymmetric fatal flaws with a virtually manufactured and virtually provisioned framework that is invoked with one call from single-sign-on for continuous, secure network access and use.

You can learn how DDKI and DIVA work and conduct the demos you were shown at the Deep Dive yourselves.

We would like to offer any TCSV member to participate in your own, self directed, unique pilot through the University of Victoria so that you can evaluate solutions to address your security needs at arms reach.

(Please contact


Demos presented by Whitenoise

Whitenoise Key Creation and memory Speed Testing [YouTube]

Factoring Public Keys [YouTube] - How secure are public key networks?

This is RSA telling you years ago that your security is hanging by a thread

"The   RSA Factoring Challenge   was a challenge put forward by   RSA Laboratories   on March 18, 1991 to encourage research into   computational number theory   and the practical difficulty of   factoring   large   integers   and cracking   RSA   keys used in   cryptography . They published a list of   semiprimes   (numbers with exactly two   prime factors ) known as the   RSA numbers , with a cash prize for the successful factorization of some of them. The smallest of them, a 100 decimal digit number called   RSA-100   was factored by April 1, 1991, but many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time, however advances in   quantum computers   make this prediction uncertain due to   Shor's algorithm ."

Factoring materials for demo

RSA provided an academic distraction with large co-prime factoring contests. Because they are a difficult novelty, we confuse that with the level of security we actually get from RSA deployable key sizes. RSA would need to regularly deploy these key strengths to make a valid comparison between the security of public key asymmetric networks and the contest key strengths.

It also distracts us from the ultimate asymmetric framework security weakness. It has always been vulnerable to man-in-the-middle attacks and is now vulnerable to many other attack classes.

Additionally, increasing certificate strengths for Certificate Authorities and root trust authorities is somewhat misleading because those have other kinds of vulnerabilities and other purposes.

What is important is the level of security that actually gets down to the end user, device, mobile, PIC, register, sensor etc. because those are the most vulnerable points of network egress. Those keys are a significantly weaker reality since processing stronger public keys is increasingly difficult as devices get smaller, cheaper, closer to the edge etc. Public keys are all but unusable in the vast majority of cheap components in the Internet of Everything that are flooding networks with unattributed data that is either poorly secured or not secured at all.

Since our concern is the security of the exploding number of endpoints on the Internet of Everything that have severely restricted computational power and since the NIST considers 128-bit public keys to be sufficient until 2031 and beyond that is what we factored with the Whitenoise Large Number Factorer for this TCSV demonstration. (Also, our demonstration slot was only 5 minutes, most of which will show Whitenoise key creation and speed testing.)

We are not making any specific claim with this demonstration.

We simply showed that our approach will break a 128-bit public key equivalent semi-prime in moments on just a typical notebook. We believe that the underlying algorithmic approach to factor semi-primes is validated and a big improvement over existing techniques like the traditional sieve method. We believe that implemention to scale with paralle processing, multi-core processing, and in a 64-bit application should make factoring bi primes of any usable public key size simpler. This is a matter for continued scientific evaluation and confirmation.

It is worrisome that while preparing materials for this demonstation that it was noted that NIST recommended public key strengths through 2031 and beyond might be breakable with a simple prime number dictionary attack. No claim is being made but it is felt that it merits testing and further investigation.

As we see in the NIST recommendations above for usable public key strengths, the majority of the world's network endpoints that can deploy pki are protected with 128-bit and 256-bit keys. There is a direct correlation between the strength of public keys and the exploding computational effort and resources required to process them. 128-bit and 256-bit public keys are the prevalently used pki key strength because of overhead problems associated with the use of stronger public keys.

Note: " In 2014, symmetric keys will need to go from a minimum of 80 bits to a minimum of 112 bits; in 2031, they'll go from 112 to 128 bits. Those are key-size increases of 40% and about 15% respectively."

The weakest Whitenoise symmetric key is 1600 bits and can easily be made to any key strength or resultant key stream length as you will see in the TCSV demonstration and the YouTube link provided above.

One of the primary differentiators between public key systems and Dynamic Distributed Key Infrastructures (DDKI) is that asymmetric, public key strength and its performance and security doesn't scale well with increasing public key sizes whereas Whitenoise technologies do scale well simply and quickly with no negative impact on performance. 

Directions on factoring utility demo.

Note: Whitenoise keys are not susceptible to mathematical or factoring attacks because the keys are created by a mechanical process. They are not dependent on arithmetic functions.

The public key security cornerstone is the belief that factoring public keys is INFEASIBLE and would take thousands of years to break. Our technique shows otherwise. A brute force attack to break a 128-bit key is estimated to take a billion-billion years.

Breaking a 128-bit key for the demo validates that the technique works and is sufficient to demonstrate the vulnerability of the key strengths that NIST recommends are usable until 2030 and beyond. The greatest threat to our networks will be unattributed or poorly protected data entering networks from the myriad of cheap, "smart" components from the Internet of Everything that is rapidly creating exploding numbers of network access points.

This is a YouTube video demonstration of factoring bi-primes:

More factoring information from wiki:

"Among symmetric key encryption algorithms, only the   one-time pad   can be proven to be secure against any adversary no matter how much computing power is available." wiki This describes Whitenoise!

"...there is no public-key scheme with this property, since all public-key schemes are susceptible to a " brute-force key search attack ". Such attacks are impractical if the amount of computation needed to succeed termed the "work factor" by   Claude Shannon is out of reach of all potential attackers. In many cases, the work factor can be increased by simply choosing a longer key. But other algorithms may have much lower work factors, making resistance to a brute-force attack irrelevant." wiki

"Some special and specific algorithms have been developed to aid in attacking some public key encryption algorithms. Both   RSA   and   ElGamal encryption have known attacks that are much faster than the brute-force approach. These factors have changed dramatically in recent decades, both with the decreasing cost of computing power and with new mathematical discoveries." wiki