In 1999 cryptographer Ron Rivest published an encrypted text that was designed to take 35 years to break. Apparently, it has now been solved.

Two years ago, I blogged about the so-called LCS35 cryptogram, a cryptographic challenge created by cryptographer Ron Rivest in 1998. It is listed at position 48 on my Top 50 unsolved encrypted messages list. This challenge depends on the following equation:


To solve the challenge, one needs to calculate the value of w, which is the key that can be used to decrypt the actual cryptogram. The values of t and n are the following:

t = 79685186856218

n = 631446608307288889379935712613129233236329881833084137558899

The LCS35 challenge was developed by Ron Rivest, known as the “R” in RSA. I took the following picture of him at the RSA Conference 2015 in San Francisco:



Ron Rivest published this challenge on the occasion of the 35th birthday of MIT’s Laboratory for Computer Science (LCS) in 1998. The main design goal was that it would take approximately 35 years to solve it. It is therefore referred to as “LCS35 challenge” or “LCS35 cryptogram”. I wrote my first blog article about it in 2014 (in German).

The LCS35 challenge uses ideas described in the paper Time-lock puzzles and timed-release Crypto by Rivest, Adi Shamir (the “S” in RSA), and David Wagner. To the extent known, the value of w can only be calculated sequentially, which means that it is not possible to parallelize the calculation process. The puzzle can be solved by performing t successive squarings modulo n. There is no known way to perform this computation more quickly, unless one knows the factorization of n, which is the product of two large prime numbers.

Rivest chose the value of t taking into consideration the growth in computational power due to Moore’s Law. He estimated that the puzzle would require 35 years of continuous computation to solve, with the computer used being replaced every year by the fastest model available.


The ciphertext

Once one has found out the value of w, one has to exclusive-or it with the following ciphertext:


The result is the plaintext, which provides information about the factorisation of n. This allows the solution to be easily verified.

There’s one important problem Rivest mentions in his LCS35 description: If there’s an error in the computation, all the following work will be useless.

Crypto experts will note that there is a relationship between the LCS35 challenge and the RSA algorithm (co-invented by Rivest, Shamir and Leonard Adleman). Both can be broken by factorizing a large prime number product. In this case, the product has 2048 bits. The longest prime number product ever publicly factorized is 768 bits long. It is therefore as good as impossible to attack a 2048 prime number product, which means that the RSA algorithm with a 2048 public key is secure and that the LCS35 challenge can only be solved via the squaring method described above.


The solution

In my 2017 article I wrote: “I am not aware of anyone, who is currently working on the LCS35 challenge. According to Rivest’s LCS35 description, the solution will be publicly announced in 2033. My expectation is that nobody will come up with the solution before.”

Apparently, I was wrong.

Blog readers Jon Paul and George Lasry have informed me that a Belgian computer programmer named Bernard Fabrot has now found the solution. Fabrot sent his solution to CSAIL, the successor of MIT’s Laboratory for Computer Science, which has confirmed its correctness.

1 / 2 / Auf einer Seite lesen

Kommentare (1)

  1. #1 Gerd
    3. Mai 2019

    Note that Fabrot got the result two weeks earlier than the cryptophage project, but his approach was not faster. Fabrot’s C-program was running for 3 and a half years, where the dedicated FPGA-circuit of the cryptophage project needed only two months.
    As a FPGA approach is so much faster, the expected time to solve an encryption using a CPU based computer is not of great value. Codebreakers are not forced to use CPUs for that.