Using the Cloud to Determine Key Strengths

  • Thorsten Kleinjung
  • Arjen K. Lenstra
  • Dan Page
  • Nigel P. Smart
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7668)


We develop a new methodology to assess cryptographic key strength using cloud computing, by calculating the true economic cost of (symmetric- or private-) key retrieval for the most common cryptographic primitives. Although the present paper gives both the current (2012) and last year’s (2011) costs, more importantly it provides the tools and infrastructure to derive new data points at any time in the future, while allowing for improvements such as of new algorithmic approaches. Over time the resulting data points will provide valuable insight in the selection of cryptographic key sizes.


Hash Function Reserved Price Block Cipher Elliptic Curve Discrete Logarithm Problem Cryptology ePrint Archive 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
    Amazon Elastic Compute Cloud (Amazon EC2),
  4. 4.
    Bahr, F., Boehm, M., Franke, J., Kleinjung, T.: Subject: RSA200. Announcement, May 9 (2005)Google Scholar
  5. 5.
    Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H.-C., Cheng, C.-M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Van Herrewege, A., Yang, B.-Y.: Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541 (2009),
  6. 6.
    Biham, E.: A Fast New DES Implementation in Software. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 260–272. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  7. 7.
    Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    The BOINC project,
  9. 9.
    Caron, T.R., Silverman, R.D.: Parallel implementation of the quadratic sieve. J. Supercomputing 1, 273–290 (1988)CrossRefGoogle Scholar
  10. 10.
    Cavallar, S., Dodson, B., Lenstra, A.K., Lioen, W., Montgomery, P.L., Murphy, B., te Riele, H., Aardal, K., Gilchrist, J., Guillerm, G., Leyland, P., Marchand, J., Morain, F., Muffett, A., Putnam, C., Putnam, C., Zimmermann, P.: Factorization of a 512-Bit RSA Modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–18. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  11. 11.
    Certicom Inc. The Certicom ECC Challenge,
  12. 12.
    Coppersmith, D.: Modifications to the number field sieve. J. of Cryptology 6, 169–180 (1993)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Hayashi, T., Shimoyama, T., Shinohara, N., Takagi. T.: Breaking pairing-based cryptosystems using η T pairing over GF(397). Cryptology ePrint Archive, Report 2012/345 (2012),
  14. 14.
    Franke, J., Kleinjung, T., Paar, C., Pelzl, J., Priplata, C., Stahlke, C.: SHARK: A Realizable Special Hardware Sieving Device for Factoring 1024-Bit Integers. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 119–130. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Gilmore, J. (ed.): Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. Electronic Frontier Foundation. O’Reilly & Associates (1998)Google Scholar
  16. 16.
    Güneysu, T., Kasper, T., Novotný, M., Paar, C., Rupp, A.: Cryptanalysis with COPACOBANA. IEEE Transactions on Computers 57, 1498–1513 (2008)CrossRefGoogle Scholar
  17. 17.
    Gueron, S.: Intel’s New AES Instructions for Enhanced Performance and Security. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 51–66. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Kleinjung, T., Aoki, K., Franke, J., Lenstra, A.K., Thomé, E., Bos, J.W., Gaudry, P., Kruppa, A., Montgomery, P.L., Osvik, D.A., te Riele, H., Timofeev, A., Zimmermann, P.: Factorization of a 768-Bit RSA Modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010)Google Scholar
  19. 19.
    Kleinjung, I., Bos, J.W., Lenstra, A.K., Osvik, D.A., Aoki, K., Contini, S., Franke, J., Thomé, E., Jermini, P., Thiémard, M., Leyland, P., Montgomery, P.L., Timofeev, A., Stockinger, H.: A heterogeneous computing environment to solve the 768-bit RSA challenge. Cluster Computing 15, 53–68 (2012)CrossRefGoogle Scholar
  20. 20.
    Lenstra, A.K.: Unbelievable Security; Matching AES Security Using Public Key Systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 67–86. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. 21.
    Lenstra, A.K.: Key Lengths. In: The Handbook of Information Security, ch. 114. Wiley (2005)Google Scholar
  22. 22.
    Lenstra, A.K., Lenstra Jr., H.W. (eds.): The development of the number field sieve. Lecture Notes in Math., vol. 1554. Springer (1993)Google Scholar
  23. 23.
    Lenstra, A.K., Manasse, M.S.: Factoring by Electronic Mail. In: Quisquater, J.J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 355–371. Springer, Heidelberg (1990)Google Scholar
  24. 24.
    Lenstra, A.K., Verheul, E.R.: Selecting Cryptographic Key Sizes. J. of Cryptology 14, 255–293 (2001)MathSciNetzbMATHGoogle Scholar
  25. 25.
    Matsui, M., Nakajima, J.: On the Power of Bitslice Implementation on Intel Core2 Processor. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 121–134. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    NIST. Secure Hash Signature Standard (SHS) – FIPS PUB 180-2,
  27. 27.
    NIST. Digital Signature Standard (DSS) – FIPS PUB 186-2,
  28. 28.
  29. 29.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. of Cryptology 12, 1–28 (1999)zbMATHCrossRefGoogle Scholar
  30. 30.
    Osvik, D.A., Shamir, A., Tromer, E.: Efficient Cache Attacks on AES, and Countermeasures. J. of Cryptology 23, 37–71 (2010)MathSciNetzbMATHCrossRefGoogle Scholar
  31. 31.
    Pollard, J.: Monte Carlo methods for index computation mod p. Math. Comp. 32, 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  32. 32.
    Quisquater, J.-J., Standaert, F.: Exhaustive key search of the DES: Updates and refinements. In: SHARCS 2005 (2005)Google Scholar
  33. 33.
    Quisquater, J.-J., Standaert, F.: Time-memory tradeoffs. In: Encyclopedia of Cryptography and Security, pp. 614–616. Springer (2005)Google Scholar
  34. 34.
    Rouvroy, G., Standaert, F.-X., Quisquarter, J.-J., Legat, J.-D.: Design strategies and modified descriptions to optimize cipher FPGA implementations: Fact and compact results for DES and Triple-DES. In: ACM/SIGDA - Symposium on FPGAs, pp. 247–247 (2003)Google Scholar
  35. 35.
    The RSA challenge numbers, formerly on, now on for instance
  36. 36.
    SECG. Standards for Efficient Cryptography Group. SEC2: Recommended Elliptic Curve Domain Parameters version 1.0,
  37. 37.
  38. 38.
    Shamir, A.: Factoring large numbers with the TWINKLE device (2000) (manuscript)Google Scholar
  39. 39.
    Shamir, A., Tromer, E.: Factoring Large Numbers with the TWIRL Device. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 1–26. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  40. 40.
    Smart, N.P. (ed.): ECRYPT II: Yearly report on algorithms and keysizes (2009-2010),
  41. 41.
    Standaert, F.-X., Rouvroy, G., Quisquater, J.-J., Legat, J.-D.: Efficient Implementation of Rijndael Encryption in Reconfigurable Hardware: Improvements and Design Tradeoffs. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 334–350. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  42. 42.
    Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  43. 43.
    Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199 (2004),
  44. 44.
    Wang, X., Yao, A., Yao, F.: New Collision Search for SHA-1. Crypto 2005 Rump session (2005),
  45. 45.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  46. 46.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Thorsten Kleinjung
    • 1
  • Arjen K. Lenstra
    • 1
  • Dan Page
    • 2
  • Nigel P. Smart
    • 2
  1. 1.EPFL IC LACALLausanneSwitzerland
  2. 2.Dept. Computer ScienceUniversity of BristolBristolUnited Kingdom

Personalised recommendations