32

It's been over 30 years since Rivest, Shamir and Adleman first publicly described their algorithm for public-key cryptography; and the intelligence community is thought to have known about it for around 40 years—possibly longer.

It's fair to assume that, during those 40 years, certain three-letter organisations have employed their vast resources toward "breaking" RSA. One brute-force approach may have been to enumerate every possible key-pair such that, upon encountering a message known to be encrypted with a particular public-key, they need merely look up the associated private-key in order to decrypt that message. Signatures could be forged similarly.

How reasonable is this hypothesis? How much computing resource would have been required over those 40 years to enumerate every possible {1024,2048,4096}-bit key-pair? I think it best to avoid discussion and leave the question of whether the spooks could have harnessed such resource as an exercise to the reader.

eggyal

2 Answers

33

It's not possible.

The number of primes smaller than $x$ is approximately $\frac{x}{\ln x}$. Therefore the number of $512$ bit primes (approximately the length you need for $1024$ bit modulus) is approximately:

$$\frac{2^{513}}{\ln 2^{513}}-\frac{2^{512}}{\ln 2^{512}} \approx 2.76\times 10^{151}$$

The number of RSA moduli (i.e. pair of two distinct primes) is therefore:

$$\frac{(2.76\times 10^{151})^2}{2}-2.76\times 10^{151}=1.88\times 10^{302}$$

Now consider that the observable universe contains about $10^{80}$ atoms. Assume that you could use each of those atoms as a CPU, and each of those CPUs could enumerate one modulus per millisecond. To enumerate all $1024$ bit RSA moduli you would need:

\begin{eqnarray*} 1.88\times 10^{302}\,\text{ms} / 10^{80}&=&1.88\times 10^{222}\,\text{ms}\\ &=&1.88\times 10^{219}\,\text{s}\\ &=&5.22\times 10^{215}\,\text{h}\\ &=&5.95\times 10^{211}\,\text{years} \end{eqnarray*}

Just as a comparison: the universe is about $13.75\times 10^9$ years old.

It's not a question of resources, it's simply not possible.

Also, it would not make any sense to do that. There are much faster ways to find out a secret key. In fact there are algorithms with sub-exponential running time for factoring integers.

Maeher
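The estimate in the answer above, extended to the 2048- and 4096-bit sizes the question also asks about. This is an added example, not code from the answer; it reuses the answer's assumptions (the prime-counting approximation $x/\ln x$ between $2^p$ and $2^{p+1}$, $10^{80}$ atoms, one modulus per atom per millisecond), works in $\log_{10}$ so the counts never overflow, and all function names are hypothetical.

```python
import math

LOG10_2 = math.log10(2)
LOG10_ATOMS = 80.0            # answer's assumption: 10^80 atoms, each used as a CPU
MS_PER_MODULUS = 1.0          # answer's assumption: one modulus per atom per millisecond
LOG10_MS_PER_YEAR = math.log10(1000 * 3600 * 24 * 365.25)
LOG10_UNIVERSE_AGE_YEARS = math.log10(13.75e9)   # age quoted in the answer


def log10_prime_count(p):
    """log10 of pi(2^(p+1)) - pi(2^p), with pi(x) approximated by x / ln x."""
    # 2^(p+1)/((p+1) ln 2) - 2^p/(p ln 2) = 2^p * (2/(p+1) - 1/p) / ln 2
    factor = (2.0 / (p + 1) - 1.0 / p) / math.log(2)
    return p * LOG10_2 + math.log10(factor)


def log10_moduli(modulus_bits):
    """log10 of the number of unordered pairs of distinct primes of half that size."""
    n = log10_prime_count(modulus_bits // 2)
    # N^2 / 2 up to a lower-order term in N that is negligible at this scale
    return 2 * n - LOG10_2


def log10_years_to_enumerate(modulus_bits):
    """log10 of the years needed when every atom enumerates moduli in parallel."""
    log_ms = log10_moduli(modulus_bits) + math.log10(MS_PER_MODULUS) - LOG10_ATOMS
    return log_ms - LOG10_MS_PER_YEAR


def report(sizes=(1024, 2048, 4096)):
    """Rows of (bits, log10 moduli, log10 years, log10 multiples of universe age)."""
    rows = []
    for bits in sizes:
        years = log10_years_to_enumerate(bits)
        rows.append((bits, log10_moduli(bits), years,
                     years - LOG10_UNIVERSE_AGE_YEARS))
    return rows


if __name__ == "__main__":
    for bits, moduli, years, ratio in report():
        print(f"{bits}-bit: ~10^{moduli:.1f} moduli, ~10^{years:.1f} years, "
              f"~10^{ratio:.1f} times the age of the universe")
```

Each doubling of the modulus size roughly squares the number of candidate moduli, so the gap to any physical resource budget widens rather than narrows.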
15

The brute force technique described in the question is hopeless, as pointed out in this other answer.

However there are much better techniques to attack RSA keys, including GNFS. Therefore 1024-bit RSA keys, even though they offer sizable security, can no longer be considered entirely safe from predictable academic efforts, or even safe at all from Three-Letter-Agencies. See my detailed answer to How big an RSA key is considered secure today?. And for new systems, use whatever recommendation is applicable, or refer to one of the many on this site dedicated to keylength recommendations.

Also, sometimes one can exploit a goof in the key generator, or attack RSA in ways that do not involve integer factorization: stealing the private key; extracting it by Differential Power Analysis, Timing or Fault attack; or taking advantage of a weakness in padding. See also Twenty Years of Attacks on the RSA Cryptosystem.

Update: Computational efforts performed in the last 40 years help new attacks because the methods have been worked out, but (for any known practical method) the computational effort spent for attacking a particular key is not useful in attacking another key, much like knowing that $1234567890221=23801\cdot 51870421$ does not really help finding the factorization of $1234567890197$.

fgrieu