|
|
|
|
|
|
by lucb1e
834 days ago
|
|
|
> (on one core, it's not parallelizable) Why is that? From what I see on Wikipedia ("n is a specific 616-digit (or 2048-bit) integer that is the product of two large primes (which are not given)" sounds like a textbook RSA public key), it's an offline brute force challenge, a guessing game, so different computers (or cores) could independently take different slices of the guessing space. I will admit that prime factorization is one of my weak spots and I'll just resort to a few minutes of running pari-gp for that, since I know it uses some algorithm that is much better than brute force (it was orders of magnitude faster than alternatives for a CTF challenge involving a 512-bit RSA key). Even if the factorization process' time spent is dominated by finding the next prime to try, rather than testing a prime for correctness for example, why couldn't you start anywhere in the 2048-bit space and find the next primes from there? Is there something you can use from the ciphertext that makes you need to start at a certain point and generate (single core) from there onwards? It sounds like the holy grail for key strengthening without memory trade-off options like scrypt and argon2 both struggle with |
|
|
Note that the puzzle can be solved by performing t successive squarings modulo n, beginning with the value 2. That is, set
W(0) = 2
W(i+1) = (W(i) ^ 2) (mod n) for i=1, 2, ...
and compute W(t).
There is no known way to perform this computation more quickly than to perform the t squarings sequentially, unless the factorization of n is known.