Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion. Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules. |
20th December 2008, 18:50 | #21 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
That's another implementation in GP/Pari: http://uploaded.to/?id=pr2w41
And another in SAGE with Shoup's NTL (very fast): http://uploaded.to/?id=j7o6cz All three implementations produce polynomials which satisfy the Howgrave-Graham bound and thus have the same root over the integers. Sadly all of them are multiples of f so the resultant vanishes. I'm trying to figure out the problem. Lattice reduction is NP-hard so (probably) more difficult than integer factorization. The lattice construction could be wrong or maybe there is a much smaller basis but the reduction algorithm (approximation) doesn't find it. |
23rd December 2008, 15:47 | #22 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
I had skipped an important step in my implementation and a few other things were wrong too. After fixing those issues and playing around with the parameters a bit i found a working combination so i can give you an example.
Let p = 289254655033, q = 576650390627 and N = p*q = 166798809815457581575691. We want to factor N. We setup some parameter which determine the polynomial f. By construction the polynomial f has a root (x_0, y_0) which will give us the factorization of N. It holds that p = m*x_0 + c and q = n*y_0 + d where we have to determine c,d by brute force search and x_0,y_0 by finding an appropriate second polynomial g with the same root. In this example is m = 5779 and n = 4877 (determined by my parameter choice). We want both m and n to be as small as possible because their size determines how many combinations for c and d we have to test. By brute force search (running the entire algorithm again and again) we find c = 3490 and d = 2000. We obtain the polynomial f( x, y ) = 272663114441221050502036905165359*x*y + 111815917343129403527593563734000*x + 164664175359034688744092195713290*y - 1613666891439484824286517533623583653166443925443 Now we construct a lattice and use lattice reduction techniques to find a short coefficient vector for our new polynomial g. This polynomial must have the same root and may not be a multiple of f (gcd(f,g) = 1 because f is irreducible). We find: g( x,y ) = -550027317057214807707838758454131*x^2*y^2 - 21035627259174470964704774394001486176978740190*x^2*y + 279798978942801467799047317444099858865221454226*x*y^2 - 8626461865562536561414577174664878412692940000*x^2 + 815210635045419056587043555126594181612580850722711584*x*y + 168973600365180529829184985202345054933202887160*y^2 - 138762500323450558676026989874427343055634473948375906415055203127687897949926*x + 60213348692682732919411494951824394082422924853210355495670640666282857023814*y - 174110984048404287435752616687571392254879687559395285145418320554729063981835001233 Now we compute the resultant of f and g: 4476571884282525266836510330141869220498240713975097720401448926613563671146029895483060633149767902954109339351810218406344618956582075732396*y^3 - 12944301498631912946627224525490850239753133562803345399593047007314825269294562029498487898880328775532821414009302732104707106625214703423125443824*y^2 - 61053757336251582441768270515159399095157293517551804381202990288793114577733640928959281804253883501665688671801616653381775535847520521818182191534537076572*y - 25037423551750369812975300235336096113581272995509465458164313917743589489401221657131723392563075939670940390415678987548009123529431653353682394713202072000 The roots of this polynomial are y_0 = 118238751 and y_0 = 1. We can disregard y_0 = 1 (don't know where this comes from) and use the special construction of f to obtain q = 4877*118238751+2000 = 576650390627. So we are done. The implementation: in sage Note: I still don't use brute force search here and instead calculate c = p mod m and d = q mod n so don't be confused. Also the calculation takes place over the integers obviously. Last edited by loo3aem3ON; 23rd December 2008 at 16:49. Reason: smaller example (with m_ = t_ = 1) |
23rd December 2008, 16:45 | #24 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
BD+ uses RSA signed certificates. RSA is at most as difficult as factoring. My previous postings gives an example of how the proposed new factoring algorithm works. It's complexity (cost) is still unknown (the author claims polynomial complexity but that could be wrong) therefor i can't say if it will enable us to factor this 1280 bit integer. A single run with this 1280-bit integer takes almost an hour. About m*n/2 runs will be necessary on average.
Last edited by loo3aem3ON; 23rd December 2008 at 16:48. |
23rd December 2008, 16:58 | #25 | Link | |
x264 developer
Join Date: Sep 2005
Posts: 8,666
|
Quote:
(The good thing about this is that it makes the process very very easy to split among multiple computers)
__________________
Follow x264 development progress | akupenguin quotes | x264 git status ffmpeg and x264-related consulting/coding contracts | Doom10 Last edited by Dark Shikari; 23rd December 2008 at 17:01. |
|
23rd December 2008, 17:39 | #26 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
m,n<T with T = log( N )^A for some constant A. For this example A was about 2.
That's the theory. In my experiments i found that the minimum A was slowly increasing with the size of N which is bad. You can download sage and experiment yourself. |
23rd December 2008, 20:58 | #27 | Link |
Software Developer
Join Date: Jun 2005
Location: Last House on Slunk Street
Posts: 13,248
|
Time for decrypting@home ???
__________________
Go to https://standforukraine.com/ to find legitimate Ukrainian Charities 🇺🇦✊ Last edited by LoRd_MuldeR; 23rd December 2008 at 21:29. |
24th December 2008, 00:13 | #28 | Link | |||
x264 developer
Join Date: Sep 2005
Posts: 8,666
|
Quote:
I run it and get: Quote:
Also, I ran a test on the large N just to see how long one iteration took, and I got: Quote:
__________________
Follow x264 development progress | akupenguin quotes | x264 git status ffmpeg and x264-related consulting/coding contracts | Doom10 Last edited by Dark Shikari; 24th December 2008 at 00:23. |
|||
24th December 2008, 00:32 | #29 | Link | |
Registered User
Join Date: Sep 2008
Posts: 17
|
Quote:
If it is so.... well, BD+ has won, all they need to do is change certificate every 2 or 3 months and nobody will ever be able to play a BD+ title using AnyDVD-HD or an hypothetical open source BD player, if not months after it is released. |
|
24th December 2008, 00:38 | #30 | Link | ||
Registered User
Join Date: Sep 2008
Posts: 189
|
Quote:
It seems we need a preprocessing for finding a valid pair (m,n) with a small product m*n. And i thought i am the one being too optimistic about this. No this needs a lot more work. Quote:
Code:
0 0 gcd = 1 looks good: g( x,y ) = Code:
[(118238751, 1)] In this case you have to modify the parameters (e.g. A, X, Y, Z) slightly depending on where the exception occurs. I am currently focusing on finding "cheap" valid parameter combinations. The time a single iteration takes depends heavily on m_ and t_ (define the dimension of the lattice). Last edited by loo3aem3ON; 24th December 2008 at 01:07. |
||
24th December 2008, 00:56 | #31 | Link | |
x264 developer
Join Date: Sep 2005
Posts: 8,666
|
Quote:
Depending on how deep the crack was, it could be the end of public key cryptography as we know it. |
|
24th December 2008, 01:27 | #32 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
If we can factor N it doesn't necessarily mean RSA is broken. It doesn't mean BD+ is broken because it would still require the aes device keys and a way to perfectly emulate a licensed player but it would have lost some of it's strength though. And it certainly doesn't mean the end of public key cryptography.
The knowledge of the private key of the BD+ license administration is not necessary to repair every (future) BD+ damaged movie. I try to evaluate the strength of this RSA keysize (1280) using the latest mathematical advances out of my personal interest. |
24th December 2008, 02:08 | #34 | Link | |
Registered User
Join Date: Sep 2008
Posts: 189
|
Quote:
Anyway individuals can factor a 512-bit rsa-modulus within a few hours nowadays and you wouldn't call this a break because larger "key sizes" are still secure. So if 1280-bit should become insecure people could switch to 2048 or 4096-bits which could depending on the complexity of the new algorithm still be secure. Furthermore there are lots of highly efficient attacks known on large N (4096-bit and longer) which exploit certain known properties of p and q. Last edited by loo3aem3ON; 24th December 2008 at 02:33. Reason: typos |
|
24th December 2008, 10:46 | #35 | Link | |
Registered User
Join Date: Sep 2008
Posts: 17
|
Quote:
loo3aem3ON, if I remember correctly, wrote the key is partially exposed (the most significant bits are known) and a low exponent (3) is used. |
|
19th January 2009, 04:30 | #36 | Link |
Registered User
Join Date: Aug 2008
Posts: 1
|
off beat approaches....
So ssl is an issue.
Does the latest news about the 200 PS3 being networked together and cracking ssl certificates provide any help to this subject? Additionally I realize 200 PS3 might not be feasible, however, what about something like SETI - a network of online computers worldwide - running the formulations. Another theory perhaps, what about freezing the RAM? Do the keys for the RSA go through the RAM at all? I admit I am less than a total noob on the issue of algorithms and RSA, but I just wanted to suggest a few things. |
19th January 2009, 04:54 | #37 | Link | |
Software Developer
Join Date: Jun 2005
Location: Last House on Slunk Street
Posts: 13,248
|
Quote:
But the current generation of Blu-Ray software players protect their keys much better. They use obfuscations to make it hard to find/extract the desired keys. Try to find a 128-Bit key in a 4 GB memory dump, if you don't know where to start. Especially when the key is only present in RAM for a few milliseconds...
__________________
Go to https://standforukraine.com/ to find legitimate Ukrainian Charities 🇺🇦✊ Last edited by LoRd_MuldeR; 19th January 2009 at 05:31. |
|
19th January 2009, 08:15 | #38 | Link | |
I dont care so should you
Join Date: Apr 2006
Location: In hell next to the boiling pit of Lava...
Posts: 989
|
Quote:
____________________________________________ OK let me get this strait. Are looking for d = Private key. Or are we looking for a class that retrieves d in an unencrypted form. Or is the main objective of this to solve for the certificates to build a class that enables us to use them against the disc in question. I know this isn't going to be any walk in the park. The idea of Brute force is not going to be of use. leased not for another 20 years when a standard PC can simultaneously compute 100,000 P-flops. and still have the computing space to do your taxes and encode a full HD movie. I think that slysofts secret is that they have found a way to copy the device certificate and use it to interface with the Disc is self. (But I have not any idea theory only) The way they get away with it is that it remains a secret as to what they actually did. But this is my own conclusion of course. The problem with using this type of method is that any device whos firmware has been tamped with will be revoked. Of Course total noob here so PS. here is the wiki on the encryption. http://en.wikipedia.org/wiki/RSA
__________________
My Installer's || |
|
19th January 2009, 18:43 | #39 | Link | |
Registered User
Join Date: Sep 2008
Posts: 189
|
Quote:
The RSA-1280 private exponent is used to sign the player certificates. It is kept secret by a central license administration. The private key (private exponent) never occurs in the memory of any player. |
|
|
|