What are the largest cryptographic keys ever broken by public computation, and what does the 112-bit elliptic-curve "PlayStation 3" crack teach about comparing algorithms?
The public records are RSA-829, DH-795 and ECC-114 bits — all far below today's 3072-bit (RSA/DH) and 256-bit (ECC) recommendations. The 112-bit ECC crack matters because 112-bit ECC is only ~56-bit symmetric strength, so it shows that key sizes across algorithms are only comparable through their shared security level.
* Records fall well short of recommended sizes — that gap is the safety margin. *
Records are set by academic teams factoring numbers or solving discrete logs, and they mark how far real hardware has reached:
| Algorithm | Largest broken | When | ≈ decimal digits |
|---|---|---|---|
| RSA (factoring) | 829 bits | Feb 2020 | ~250 |
| DH (discrete log) | 795 bits | Dec 2019 | ~240 |
| ECC (elliptic-curve discrete log) | 114 bits | Jun 2020 | ~35 |
Notice the huge margin: the recommended sizes (RSA 3072, ECC 256) sit far above anything broken — that gap is the safety buffer.
The 112-bit ECC story (cracked with ~200 PlayStation 3 consoles) is a lesson in cross-algorithm comparison. A 112-bit elliptic curve has roughly 56-bit symmetric strength, which is also about a 512-bit RSA. The write-up noted the effort was "about 14 full 56-bit DES key searches" — but a constant factor of 14 does not change the security class: 56-bit-equivalent is weak, full stop. That is exactly why the ECC minimum was raised to 256 bits (better 384/512). You can never compare "112-bit ECC vs 2048-bit RSA" by the raw numbers — only by mapping both onto the same security level (here, ~56 vs ~112 bits, so the 2048-bit RSA wins easily).
Go deeper:
RSA numbers (Wikipedia) — the factoring-challenge records, including RSA-250 (829 bits, 2020).
keylength.com — see how far today's recommendations sit above any break.