Encryption security may not be secure anymore, if a breakthrough being touted as ‘possibly the biggest event in computer science and financial services for 50 years’ is proved correct.
The breakthrough by students at the University of Toronto allows huge integer numbers to be factored quicker than previously thought possible, meaning encrypted files can be broken into in as little as ‘100 hours compute time’.
All current banking transactions, digital signatures, network communications, credit and debit card transactions, not to mention personal communications on platforms such as WhatsApp, use encryption.
We have always been told that encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
How did they do it?
The University of Toronto academic press release:
AES-256 Encryption Possibly Now Broken After New Method To Speedily Factor Integers Greater Than 128 Bits Found
Mathematics Dept./Computer Science Dept.
Factoring of large integers using estimation of weak intermediate key points along a quadratic curve has been discovered by Dept. of Computer Science PhD candidates xxxxxx x. xxxxxxxx xxxxxx and Dept. of Mathematics MSc candidate xx xx xxxxx and his visiting professor advisor xxxxxx xxxxxxxxx (PhD, Princeton University).
Quadratic Curves embodied within numeric sentences such as Fibonacci Sequences, Non-Evenly Divisible Values including PI, Catalan Numbers, Mersenne Primes, were examined by IBM-sourced data mining software originally developed as part of the Deep Blue project which became the core for IBM’s Jeopardy-winning Watson SuperComputer.
The University of Toronto students were awarded thousands of hours of CPU time on an IBM Watson-based supercomputing system as part of a Youth in Computer Sciences Initiative sponsored by the Government of Ontario and Government of Canada.
After completion of the data mining experiment, the students found that intermediate keys created specifically within the AES-256 encryption algorithm had cryptographically weak output that followed a Quadratic curve when initial keys contained identifiable Fibonacci sequences, non-evenly divisible values including PI, Catalan numbers and Mersenne primes which allowed the students to estimate possible integer factors allowing them to recover the initial encryption key within as little as 100 hours compute time.
The students and their advisor will be presenting an abstract of their final paper at the August 1 to August 4 2016 Conference on Applications of Computer Algebra at the Kassel University, Kassel, Germany.
As part of the presentation, source code will be distributed for peer review and an announcement on further papers and conference appearances will be forthcoming after the conference in Germany.
Any organisation with a computer powerful enough to factor huge interger numbers quickly will be able to gain the key to unlock any file, and it won’t only be governments, corporations and large institutions who can afford supercomputers. The students at the University of Toronto were using an IBM Watson supercomputer that has an IBM Power Server System of 80 teraflops. Anyone with the right know how can purchase the same CPU horsepower for around $25,000 these days.
Which sounds like a lot, but not when you consider that you could use it to wire yourself $2 billion in a SWIFT money transaction or stock trade account by impersonating CitiGroup or Goldman Sachs.
Trillions of dollars is at risk if this information is let out. Does the university realize how dangerous this discovery could be? Perhaps they do, because the press release has been removed and they are not responding when asked if they still plan to release the source code and take the abstract of their final paper to the conference in Kassel, Germany.
According to industry experts, the discovery also raises the question of whether the ‘flaw’ was actually an inbuilt component of encryption technology, introduced on purpose by its creators or encryption standards modifiers.
If this is the case, governments may have had the skeleton key to unlock every encrypted file in the world all along.
From financial transactions to personal communications, it is possible nothing has been truly secure and private.