Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University
TMTO2 This talk… Non-cryptanalytic TMTOs Crypto background Hellman’s cryptanalytic TMTO Distributed TMTO Conclusions
TMTO3 Non-crypto TMTOs Popcnt Shank’s algorithm
TMTO4 Popcnt Let x be a 32-bit integer Define popcnt(x) = number of 1’s in binary expansion of x How to compute popcnt(x) ?
TMTO5 Simple popcnt popcnt(x) t = 0 for i = 0 to 31 t = t + (x >> i) & 1 next i return t end popcnt
TMTO6 Efficient popcnt Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) t = table[ x & 0xff ] + table[ (x >> 8) & 0xff ] + table[ (x >> 16) & 0xff ] + table[ (x >> 24) & 0xff ] return t end popcnt
TMTO7 Discrete Log Let p be prime, g {1,2,…, p 1} s.t. for any n there is a k with n = g k mod p Discrete log: given m {1,2,…, p 1} find e s.t. m = g e mod p Notation: e = log g (m) Could try each value in {1,2,…, p 1} to find e that works
TMTO8 Shank’s algorithm Shank’s is a TMTO for discrete log Given m, we want e = log g (m) A.Compute list L r as follows 1. Let r = sqrt(p 1) and compute g rj mod p for j = 0,1,…,r 1 2. Let L r be the list of ( j, g rj mod p) sorted on second coordinate
TMTO9 Shank’s alg (continued) B.Compute list L m as follows 1. Compute mg i mod p for i = 0,1,…,r 1 2. Let L m be the list of (i, mg i mod p) sorted on second coordinate
TMTO10 Shank’s alg. (cont. again) C.Then e = log g (m) is found by 1. Find elements of L r and L m that agree in 2nd coordinates, say, ( j, x) L r and (i, x) L m 2. Then e = log g (m) = rj + i mod (p 1) since g rj = mg i mod p Shank’s: baby step, giant step
TMTO11 Shank’s algorithm (example) Suppose p = 257, g = 3. Then r = 16 and L r is (0,1) (3,2) (6,4) (9,8) (12,16) (15,32) (2,64) (5,128) (13,129) (10,193) (7,225) (4,241) (1,249) (14,253) (11,255) (8,256) Suppose m = 132. Then L m is (9,23) (1,44) (3,62) (5,64) (8,69) (12,77) (15,79) (6,107) (0,132) (10,179) (2,186) (4,192) (13,197) (7,207) (11,231) (14,237) From L r and L m we find (2,64 ) and (5,64). Then log 3 (132) = 2 = 37 and easy to verify 3 37 = 132 mod 257
TMTO12 Block cipher Consider a block cipher C = E(P, K) where P is plaintext of length n C is ciphertext of length n K is key of length k
TMTO13 Block Cipher
TMTO14 Chosen plaintext attack We choose P and obtain C, where C = E(P, K) Want to find the key K 1. Exhaustive key search 2. Table pre-computation TMTO lies between 1. and 2.
TMTO15 Chain of encryptions Assume n = k. Then a chain is SP = K 0 = Starting Point K 1 = E(P, SP) K 2 = E(P, K 1 ) : EP = K t = E(P, K t 1 ) = End Point
TMTO16 Chain (another view)
TMTO17 Pre-computation Compute m encryption chains, each of length t +1 Save only start and end points (SP 0, EP 0 ) (SP 1, EP 1 ) : (SP m-1, EP m-1 )
TMTO18 TMTO Attack Memory: Given (SP i, EP i ), i = 0,1,…,m 1 For chosen P compute C = E(P, K) The key K is unknown Time: Compute chain (max of t steps) X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…
TMTO19 Attack (continued) Given the chain X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),… Suppose we find X i = EP j Then C might be in chain (SP j, EP j ) Assume C is in chain (SP j, EP j )
TMTO20 Attack (continued again) Given C is in the chain (SP j, EP j ) and X i = EP j Re-compute chain (SP j, EP j ) Y 0 = SP j, Y 1 = E(P,Y 0 ), Y 2 = E(P,Y 1 ),… Then C = Y t i = E(P, Y t i 1 ) And Y t i 1 = K (always?)
TMTO21 In a perfect world Suppose the block cipher has 56 bit key Suppose we find m = 2 28 chains, each of length t = 2 28 and no chains overlap Memory: 2 28 pairs (SP j, EP j ) Time: about 2 28 (for attack) 1. Find C in about 2 27 tries 2. Find K with about 2 27 more tries
TMTO22 In a perfect world All chains distinct Ciphertext C lies within a chain EP 0 SP 0 C SP 1 SP 2 EP 1 EP 2
TMTO23 In the real world Chains are not so well-behaved Chains cycle and merge EP SP C
TMTO24 To reduce merging Compute chain as K i = F(E(P, K i 1 )) where F is a permutation Choose r different functions F For each F choose m random SP Each chain of length t
TMTO25 Notation m = number of random starting points for each function F t = length of each chain r = number of “random” functions F Note: mtr = total number of computed chain elements
TMTO26 Real-world issues False alarms, avoid cycles, reduce merging, etc. Pre-computation is lots of work (must be amortized over many attacks) Success is not assured What if block size not equal key length? What is the probability of success?
TMTO27 Probability of success Occupancy problem: b balls distributed with uniform probability to c cells Let p l (b,c) be probability of l empty cells. Feller [3] shows
TMTO28 Success probability (continued) Poisson approx to p l (b,c) is p l ( ) = e l /l! where = ce b/c So expected number of empty cells is
TMTO29 Success probability (still more) Expected number of occupied cells is c = c(1 e b/c ) Therefore P(cell i is occupied) = 1 e b/c TMTO attack succeeds if and only if the “cell” with key K is “occupied”
TMTO30 Success prob (last word, almost) mtr P(success) = 1 e mtr/2 k k k k k k
TMTO31 The bottom line Choose m = t = r = 2 k/3 and probability of success is about 0.63 (at least 0.55 by a more careful analysis) Pre-computation is O(mtr) work Each TMTO attack requires O(mr) “memory” and O(tr) “time”
TMTO32 Distinguished points Let a distinguished point be of the form (x 0,x 1,…,x s 1,0,0,…,0) Construct chain until distinguished point is found If no distinguished point is found within max steps, don’t save chain Then every EP is distinguished
TMTO33 Distinguished points +/- Disadvantages Chains are variable length Some extra work to find chains Triples (SP, EP, length) Advantage Distributed attack is very nice Why? One client for each F then client only needs (P, C) and F and max chain length no data!
TMTO34 References [1] M. Hellman, A cryptanalytic time-memory tradeoff, IEEE Trans on Info Thy, Vol. 26, No. 4, July 1980, pp [2] J.Borst, et al., On the time-memory tradeoff between exhaustive key search and table precomputation, [3] W. Feller, An Introduction to Probability Theory and Its Applications, volume 1, Wiley (1968) [4] M. Stamp, Once upon a time-memory tradeoff,