Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population."— Presentation transcript:

1 Hellman’s TMTO 1 Hellman’s TMTO Attack

2 Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population count” or popcnt o Let x be a 32-bit integer o Define popcnt(x) = number of 1 ’s in binary expansion of x  How to compute popcnt(x) efficiently?

3 Hellman’s TMTO 3 Simple Popcnt  Most obvious thing to do is popcnt(x) // assuming x is 32-bit value t = 0 for i = 0 to 31 t = t + ((x >> i) & 1) next i return t end popcnt  Is this the most efficient method?

4 Hellman’s TMTO 4 More Efficient Popcnt  Pre-compute popcnt for all 256 bytes  Store pre-computed values in a table  Given x, lookup its bytes in this table o Sum these values to find popcnt(x)  Note that pre-computation is done once  Each popcnt now requires 4 steps, not 32

5 Hellman’s TMTO 5 More Efficient Popcnt Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) // assuming x is 32-bit word p = table[ x & 0xff ] + table[ (x >> 8) & 0xff ] + table[ (x >> 16) & 0xff ] + table[ (x >> 24) & 0xff ] return p end popcnt

6 Hellman’s TMTO 6 TMTO Basics  Pre-computation o One-time work o Results stored in a table  Pre-computation results used to make each subsequent computation faster  Try to balance “memory” and “time”  In general, larger pre-computation requires more initial work and larger “memory” but then each computation takes less “time”

7 Hellman’s TMTO 7 Block Cipher Notation  Consider a block cipher C = E(P, K) where P is plaintext block of size n C is ciphertext block of size n K is key of size k

8 Hellman’s TMTO 8 Block Cipher as Black Box  For TMTO, treat block cipher as black box  Details of crypto algorithm not important

9 Hellman’s TMTO 9 Hellman’s TMTO Attack  Chosen plaintext attack: choose P and obtain C, where C = E(P, K)  Want to find the key K  Two “obvious” approaches 1.Exhaustive key search “Memory” is 0, but “time” of 2 k-1 for each attack 2.Pre-compute C = E(P, K) for all keys K Given C, simply look up key K in the table “Memory” of 2 k but “time” of 0 for each attack  TMTO lies between 1. and 2.

10 Hellman’s TMTO 10 Chain of Encryptions  Assume block length n and key length k are equal: n = k  Then a chain of encryptions is SP = K 0 = Starting Point K 1 = E(P, SP) K 2 = E(P, K 1 ) : EP = K t = E(P, K t  1 ) = End Point

11 Hellman’s TMTO 11 Encryption Chain  Ciphertext used as key at next iteration  Same (chosen) plaintext P used at each iteration

12 Hellman’s TMTO 12 Pre-computation  Pre-compute m encryption chains, each of length t +1  Save only the start and end points (SP 0, EP 0 ) (SP 1, EP 1 ) : (SP m-1, EP m-1 ) EP 0 SP 0 SP 1 SP m-1 EP 1 EP m-1

13 Hellman’s TMTO 13 TMTO Attack  Memory: Pre-compute encryption chains and save (SP i, EP i ) for i = 0,1,…,m  1 o This is one-time work o Must be sorted on EP i  To attack a particular unknown key K o For the same chosen P used to find chains, we know C where C = E(P, K) and K is unknown key o Time: Compute the chain (maximum of t steps) X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…

14 Hellman’s TMTO 14 TMTO Attack  Consider the computed chain X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ), …  Suppose for some i we find X i = EP j SP j EP j C K  Since C = E(P, K) key K should lie before ciphertext C in chain!

15 Hellman’s TMTO 15 TMTO Attack  Summary of attack phase: we compute chain X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…  If for some i we find X i = EP j  Then reconstruct chain from SP j Y 0 = SP j, Y 1 = E(P,Y 0 ), Y 2 = E(P,Y 1 ),…  Find C = Y t  i = E(P, Y t  i  1 ) (always?)  Then K = Y t  i  1 (always?)

16 Hellman’s TMTO 16 Trudy’s Perfect World  Suppose block cipher has k = 56 o That is, the key length is 56 bits  Spse we find m = 2 28 chains each of length t = 2 28 and no chains overlap (unrealistic)  Memory: 2 28 pairs (SP j, EP i )  Time: about 2 28 (per attack) o Start at C, find some EP j in about 2 27 steps o Find K with about 2 27 more steps  Attack never fails!

17 Hellman’s TMTO 17 Trudy’s Perfect World  No chains overlap  Every ciphertext C is in one chain EP 0 SP 0 C SP 1 SP 2 EP 1 EP 2 K

18 Hellman’s TMTO 18 The Real World  Chains are not so well-behaved!  Chains can cycle and merge EP SP C  Chain beginning at C goes to EP  But chain from SP to EP does not give K  Is this Trudy’s nightmare? K

19 Hellman’s TMTO 19 Real-World TMTO Issues  Merging chains, cycles, false alarms, etc.  Pre-computation is lots of work o Must attack many times to amortize cost  Success is not assured o Probability depends on initial work  What if block size not equal key length? o This is easy to deal with  What is the probability of success? o This is not so easy to compute…

20 Hellman’s TMTO 20 To Reduce Merging  Compute chain as F(E(P, K i  1 )) where F permutes the bits  Chains computed using different functions can intersect, but they will not merge EP 1 SP 0 SP 1 EP 0 F 0 chain F 1 chain

21 Hellman’s TMTO 21 Hellman’s TMTO in Practice  Let o m = random starting points for each F o t = encryptions in each chain o r = number of “tables”, i.e., random functions F  Then mtr = total pre-computed chain elements  Pre-computation is about mtr work  Each TMTO attack requires o About mr “memory” and about tr “time”  If we choose m = t = r = 2 k/3 then probability of success is at least 0.55

22 Hellman’s TMTO 22 Success Probability  Throw n balls into m urns  What is expected number of urns that have at least one ball?  This is classic “occupancy” problem o See Feller, Intro. to Probability Theory  Why is this relevant to TMTO attack? o “Urns” correspond to keys o “Balls” correspond to constructing chains

23 Hellman’s TMTO 23 Success Probability  Using occupancy problem approach  Assuming k -bit key and m,t,r defined as previously discussed  Then, approximately, P( success ) = 1  e  mtr/k  An upper bound can be given that is slightly “better”

24 Hellman’s TMTO 24 Success Probability  Success probability P( success ) = 1  e  mtr/k

25 Hellman’s TMTO 25 Distributed TMTO  Employ “distiguished points”  Do not use fixed-length chains  Instead, compute chain until some distinguished point is found  Example of distinguished point:

26 Hellman’s TMTO 26 Distributed TMTO  Similar pre-computation, except we have triples: (SP i, EP i, l i ) for i = 0,1,…,rm o Where l i is the length of the chain o And r is number of tables o And m is number of random starting points  Let M i be the maximum l j for the i th table  Each table has a fixed random function F

27 Hellman’s TMTO 27 Distributed TMTO  Suppose r computers are available  Each computer deals with one table o That is, one random function F  “Server” gives computer i the values F i, M i, C and definition of distinguished point  Computer i computes chain beginning from C using F i of (at most) length M i

28 Hellman’s TMTO 28 Distributed TMTO  If computer i finds a distinguished point within M i steps o Returns result to “server” for secondary test o Server searches for K on corresponding chain (same as in non-distributed TMTO) o False alarms possible (distinguished points)  If no distinguished point found in M i steps o Computer i gives up o Key cannot lie on any F i chains  Note that computer i does not need any SP  Only server needs (SP i, EP i, l i ) for i = 0,1,…,rm

29 Hellman’s TMTO 29 TMTO: The Bottom Line  Attack is feasible against DES  Pre-computation is about 2 56 work  Each attack requires about 2 37 “memory” and 2 37 “time”  Attack not particular to DES  No fancy math is required!  Lesson: Clever algorithms can break crypto!

Download ppt "Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population."

Similar presentations

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.
Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?

Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?
Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller.

Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller.
Types of Algorithms.

Types of Algorithms.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Hash Table indexing and Secondary Storage Hashing.

Hash Table indexing and Secondary Storage Hashing.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Ref. Cryptography: theory and practice Douglas R. Stinson

Ref. Cryptography: theory and practice Douglas R. Stinson
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

Similar presentations

Ads by Google