[OT] ROCA cracking on GPU
#1
I have a question that is off-topic from hashcat, so i won't be offended if the gods of mod decide to nuke it or something, but i figured I'd give it a shot as some people here might have thoughts.

The recently announced ROCA vulnerability enables cracking of RSA keys generated by the affected Infineon TPMs. As part of the announcement, they mentioned the factorization can be readily parallelized, and they further outlined the following rough attack costs:

Quote:The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):
  • 512 bit RSA keys - 2 CPU hours (the cost of $0.06);
  • 1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
  • 2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 - $40,000).

I will first admit that i haven't looked at the technical details of this at all yet, I am actually not even sure if they have released the full attack details yet or if that's not going to hit until they give their talk on Nov 2. My completely uninformed guess is that the attack is going to amount to normal RSA factorization but where you don't have to try nearly as many possibilities as you should because of constraints in how the primes are generated.

So, with those caveats appropriately caveated, does anyone have a sense of whether the type of work that must be done to crack these keys is suited to GPUs? I know that both CADO-NFS and msieve have some amount of GPU support but i'm not really sure what kind of performance differences they really yield.

Ultimately i'd really like to see if cost/time to factor 2048 keys can be brought down to more readily achievable levels.