Is it really $10M per key? DJB points out that if you're willing to spend a lot of money building parallel hardware, you can get some surprising performance benefits allowing you to crack large numbers of keys at once.
That paper does not apply to integer factorization, and number field sieve computations in general. DJB himself, in another paper [1, §5], argues that is more cost effective to factor one number at a time.
Per that paper, it would be $10M per 'device', with one device managing one key per year. Of course you might as well build more hardware while you are at it.
I'm not sure about that; the paper talks about parallel machines that can search out many keys at once. Its focus is on known plaintext attacks against AES, but it seems like the techniques described could apply to IFP for RSA.
I'm not a cryptographer so I could be totally off base here.
I only had time to skim it, so you might be right. Either way, I think it is only safe to operate with the assumption that 1024bit keys are well within the grasp of projects with modest funding.
Yeah basically. But if this is what the NSA were actually doing, I suspect they'd be throwing way more than $80M at it for a handful of devices, and instead be throwing half a billion at it for half a datacenter full of them. Why build a dozen or two crackers when you have the money for hundreds?
I think this sort of budget indicates more of a research project.
http://cr.yp.to/snuffle/bruteforce-20050425.pdf