Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University.


1 Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University

2 This talk…
- Non-cryptanalytic TMTOs
- Crypto background
- Hellman’s cryptanalytic TMTO
- Distributed TMTO
- Conclusions

3 Non-crypto TMTOs
- Popcnt
- Shanks’ algorithm

4 Popcnt
- Let x be a 32-bit integer
- Define popcnt(x) = number of 1’s in the binary expansion of x
- How to compute popcnt(x)?

5 Simple popcnt
popcnt(x)
    t = 0
    for i = 0 to 31
        t = t + ((x >> i) & 1)
    next i
    return t
end popcnt

6 Efficient popcnt
Initialize: table[i] = popcnt(i) for i = 0,1,…,255
popcnt(x)
    t = table[ x & 0xff ]
      + table[ (x >> 8) & 0xff ]
      + table[ (x >> 16) & 0xff ]
      + table[ (x >> 24) & 0xff ]
    return t
end popcnt

7 Discrete Log
- Let p be prime, $g \in \{1,2,\ldots,p-1\}$ s.t. for any n there is a k with $n = g^k \bmod p$
- Discrete log: given $m \in \{1,2,\ldots,p-1\}$ find e s.t. $m = g^e \bmod p$
- Notation: $e = \log_g(m)$
- Could try each value in $\{1,2,\ldots,p-1\}$ to find e that works

8 Shanks’ algorithm
- Shanks’ is a TMTO for discrete log
- Given m, we want $e = \log_g(m)$
A. Compute list $L_r$ as follows
   1. Let $r = \lceil \sqrt{p-1} \rceil$ and compute $g^{rj} \bmod p$ for $j = 0,1,\ldots,r-1$
   2. Let $L_r$ be the list of $(j, g^{rj} \bmod p)$ sorted on second coordinate

9 Shanks’ alg (continued)
B. Compute list $L_m$ as follows
   1. Compute $m g^{-i} \bmod p$ for $i = 0,1,\ldots,r-1$
   2. Let $L_m$ be the list of $(i, m g^{-i} \bmod p)$ sorted on second coordinate

10 Shanks’ alg. (cont. again)
C. Then $e = \log_g(m)$ is found by
   1. Find elements of $L_r$ and $L_m$ that agree in 2nd coordinates, say, $(j, x) \in L_r$ and $(i, x) \in L_m$
   2. Then $e = \log_g(m) = rj + i \bmod (p-1)$ since $g^{rj} = m g^{-i} \bmod p$
- Shanks’: baby step, giant step

11 Shanks’ algorithm (example)
- Suppose p = 257, g = 3. Then r = 16 and $L_r$ is
  (0,1) (3,2) (6,4) (9,8) (12,16) (15,32) (2,64) (5,128) (13,129) (10,193) (7,225) (4,241) (1,249) (14,253) (11,255) (8,256)
- Suppose m = 132. Then $L_m$ is
  (9,23) (1,44) (3,62) (5,64) (8,69) (12,77) (15,79) (6,107) (0,132) (10,179) (2,186) (4,192) (13,197) (7,207) (11,231) (14,237)
- From $L_r$ and $L_m$ we find (2,64) and (5,64). Then $\log_3(132) = 2 \cdot 16 + 5 = 37$ and it is easy to verify that $3^{37} = 132 \bmod 257$
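Steps A to C above, written out in Python and run on the p = 257, g = 3, m = 132 case from slide 11. This is an added example, not code from the talk; the function names slide_lists and shanks_log are assumptions, and pow(g, -1, p) needs Python 3.8 or later.

```python
from math import isqrt

def slide_lists(g, m, p):
    """Lists L_r and L_m from steps A and B, each sorted on the second coordinate."""
    r = isqrt(p - 2) + 1                       # r = ceil(sqrt(p - 1))
    g_r, g_inv = pow(g, r, p), pow(g, -1, p)   # giant step g^r and baby step g^(-1)
    L_r, L_m, x, y = [], [], 1, m % p
    for n in range(r):
        L_r.append((n, x))                     # (j, g^(r*j) mod p)
        L_m.append((n, y))                     # (i, m*g^(-i) mod p)
        x, y = x * g_r % p, y * g_inv % p
    by_second = lambda pair: pair[1]
    return sorted(L_r, key=by_second), sorted(L_m, key=by_second)

def shanks_log(g, m, p):
    """Step C: merge-scan the two sorted lists for a shared second coordinate."""
    L_r, L_m = slide_lists(g, m, p)
    r, a, b = len(L_r), 0, 0
    while a < r and b < r:
        (j, x), (i, y) = L_r[a], L_m[b]
        if x == y:
            return (r * j + i) % (p - 1)       # g^(r*j) = m*g^(-i), so m = g^(r*j+i)
        if x < y:
            a += 1
        else:
            b += 1
    return None                                # no match: m is not a power of g

if __name__ == "__main__":
    print(shanks_log(3, 132, 257))             # the slide's example
```

The tradeoff is visible in the sizes: two lists of r ≈ sqrt(p) entries replace a search over up to p − 1 exponents.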

12 Block cipher
Consider a block cipher C = E(P, K) where
- P is plaintext of length n
- C is ciphertext of length n
- K is key of length k

13 Block Cipher

14 Chosen plaintext attack
- We choose P and obtain C, where C = E(P, K)
- Want to find the key K
  1. Exhaustive key search
  2. Table pre-computation
- TMTO lies between 1. and 2.

15 Chain of encryptions
Assume n = k. Then a chain is
  $SP = K_0$ = Starting Point
  $K_1 = E(P, SP)$
  $K_2 = E(P, K_1)$
  ⋮
  $EP = K_t = E(P, K_{t-1})$ = End Point

16 Chain (another view)

17 Pre-computation
- Compute m encryption chains, each of length t + 1
- Save only start and end points
  $(SP_0, EP_0), (SP_1, EP_1), \ldots, (SP_{m-1}, EP_{m-1})$

18 TMTO Attack
- Memory: Given $(SP_i, EP_i)$, $i = 0,1,\ldots,m-1$
- For chosen P compute C = E(P, K)
- The key K is unknown
- Time: Compute chain (max of t steps)
  $X_0 = C,\ X_1 = E(P, X_0),\ X_2 = E(P, X_1), \ldots$

19 Attack (continued)
- Given the chain $X_0 = C,\ X_1 = E(P, X_0),\ X_2 = E(P, X_1), \ldots$
- Suppose we find $X_i = EP_j$
- Then C might be in chain $(SP_j, EP_j)$
- Assume C is in chain $(SP_j, EP_j)$

20 Attack (continued again)
- Given C is in the chain $(SP_j, EP_j)$ and $X_i = EP_j$
- Re-compute chain $(SP_j, EP_j)$
  $Y_0 = SP_j,\ Y_1 = E(P, Y_0),\ Y_2 = E(P, Y_1), \ldots$
- Then $C = Y_{t-i} = E(P, Y_{t-i-1})$
- And $Y_{t-i-1} = K$ (always?)

21 In a perfect world
- Suppose the block cipher has 56 bit key
- Suppose we find $m = 2^{28}$ chains, each of length $t = 2^{28}$ and no chains overlap
- Memory: $2^{28}$ pairs $(SP_j, EP_j)$
- Time: about $2^{28}$ (for attack)
  1. Find C in about $2^{27}$ tries
  2. Find K with about $2^{27}$ more tries

22 In a perfect world
- All chains distinct
- Ciphertext C lies within a chain
[Figure: chains from SP_0 to EP_0, SP_1 to EP_1 and SP_2 to EP_2, with C marked]

23 In the real world
- Chains are not so well-behaved
- Chains cycle and merge
[Figure: chain from SP to EP, with C marked]

24 To reduce merging
- Compute chain as $K_i = F(E(P, K_{i-1}))$ where F is a permutation
- Choose r different functions F
- For each F choose m random SP
- Each chain of length t

25 Notation
- m = number of random starting points for each function F
- t = length of each chain
- r = number of “random” functions F
- Note: mtr = total number of computed chain elements
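The pre-computation and attack of slides 17 to 25, run end to end on a 16-bit toy, with the false-alarm check that slide 20's "(always?)" hints at. This is an added example, not code from the talk: E is a truncated SHA-256 standing in for a block cipher with n = k = 16, F is assumed to be XOR with a per-table constant, and all function names are hypothetical.

```python
import hashlib

BITS = 16                                      # toy size: n = k = 16 bits
MASK = (1 << BITS) - 1

def E(P, K):
    """Stand-in for C = E(P, K); truncated SHA-256, not a real block cipher."""
    d = hashlib.sha256(K.to_bytes(2, "big") + P.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")

def F(f, x):
    """Permutation for table f (assumed form: XOR with a per-table constant)."""
    return x ^ ((f * 0x9E37 + 1) & MASK)

def step(P, f, K):
    return F(f, E(P, K))                       # K_i = F(E(P, K_{i-1}))

def precompute(P, m, t, r):
    """r tables of m chains with t steps each; only EP -> [SP, ...] is stored."""
    tables = []
    for f in range(r):
        table = {}
        for j in range(m):
            sp = (f * m + j) * 7919 & MASK     # constructed, deterministic start points
            k = sp
            for _ in range(t):
                k = step(P, f, k)
            table.setdefault(k, []).append(sp) # merged chains can share an EP
        tables.append(table)
    return tables

def attack(P, C, tables, t):
    """Return some K with E(P, K) == C, or None if no stored chain covers C."""
    for f, table in enumerate(tables):
        x = F(f, C)                            # X_0 for table f (F applied to C)
        for i in range(t):
            for sp in table.get(x, []):        # X_i == EP_j: C might be in chain j
                y = sp
                for _ in range(t - 1 - i):     # re-compute chain up to Y_{t-i-1}
                    y = step(P, f, y)
                if E(P, y) == C:               # otherwise the match was a false alarm
                    return y
            x = step(P, f, x)
    return None
```

With m = t = r = 40 the tables hold 1,600 (SP, EP) pairs that stand for about 2^16 chain elements, and one attack costs at most tr = 1,600 steps of E plus the re-computation on each endpoint match.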

26 Real-world issues
- False alarms, avoid cycles, reduce merging, etc.
- Pre-computation is lots of work (must be amortized over many attacks)
- Success is not assured
- What if block size not equal key length?
- What is the probability of success?

27 Probability of success
- Occupancy problem: b balls distributed with uniform probability to c cells
- Let $p_l(b,c)$ be probability of l empty cells. Feller [3] shows

28 Success probability (continued)
- Poisson approx to $p_l(b,c)$ is $p_l(\lambda) = e^{-\lambda} \lambda^l / l!$ where $\lambda = c e^{-b/c}$
- So expected number of empty cells is

29 Success probability (still more)
- Expected number of occupied cells is $c - \lambda = c(1 - e^{-b/c})$
- Therefore P(cell i is occupied) = $1 - e^{-b/c}$
- TMTO attack succeeds if and only if the “cell” with key K is “occupied”

30 Success prob (last word, almost)
mtr          P(success) = $1 - e^{-mtr/2^k}$
----         -------------
$2^{k-2}$    0.22
$2^{k-1}$    0.39
$2^k$        0.63
$2^{k+1}$    0.86
$2^{k+2}$    0.98

31 The bottom line
- Choose $m = t = r = 2^{k/3}$ and probability of success is about 0.63 (at least 0.55 by a more careful analysis)
- Pre-computation is O(mtr) work
- Each TMTO attack requires O(mr) “memory” and O(tr) “time”

32 Distinguished points
- Let a distinguished point be of the form $(x_0, x_1, \ldots, x_{s-1}, 0, 0, \ldots, 0)$
- Construct chain until distinguished point is found
- If no distinguished point is found within max steps, don’t save chain
- Then every EP is distinguished

33 Distinguished points +/-
- Disadvantages
  - Chains are variable length
  - Some extra work to find chains
  - Triples (SP, EP, length)
- Advantage
  - Distributed attack is very nice
  - Why? One client for each F then client only needs (P, C) and F and max chain length: no data!

34 References
[1] M. Hellman, A cryptanalytic time-memory tradeoff, IEEE Trans on Info Thy, Vol. 26, No. 4, July 1980, pp. 401-406
[2] J. Borst, et al., On the time-memory tradeoff between exhaustive key search and table precomputation, http://www.esat.kuleuven.ac.be/~borst/downloadable/tm.ps.gz
[3] W. Feller, An Introduction to Probability Theory and Its Applications, volume 1, Wiley (1968)
[4] M. Stamp, Once upon a time-memory tradeoff, http://www.cs.sjsu.edu/faculty/stamp/articles/tmto.pdf

