Create Presentation
Download Presentation

Download Presentation

A Cryptanalytic Time-Memory Trade-Off

Download Presentation
## A Cryptanalytic Time-Memory Trade-Off

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**A Cryptanalytic Time-Memory Trade-Off**MARTIN E.HELLMAN,FELLOW,IEEE IEEE TRANSACTIONS ON INFORMATION THEORY, VOL, IT-26, NO4, JULY 1980 1**Outline**• Abstract • Introduction • Iterative approach • Hardware implementation • Conclusion • References 2**Abstract**• key cryptosystem require in operations with words of memory (avg) after a precomputation which requires operations. (several years). • When applied to the DES that solutions should cost between $1 and $100 each. • The method works in a chosen plaintext attack. (also be used in a ciphertext-only)**Introduction**• exhaustive search (T=N, M=1) and table lookup (T=1, M=N). • This technique requires approximately M= words of memory and T= operations provided • If complexity is measured by M+T this technique reduces the effective key length by one-third when judged against exhaustive search 4**Introduction**• This technique is not as good as knapsack and DLP, where M=T= can be obtained and where the precomputation is no more complex than the search itself. • This indicates that improvements may well be possible. 5**Introduction**• Exhaustive search can be accomplished under a known plaintext attack, while table lookup requires a chosen plaintext attack. 6**Introduction**• In an exhaustive search, the ciphertext can be deciphered under each key and the result compared with the known plaintext. • If they are equal, the key tried is probably correct. • Occasional false alarms are rejected by additional tests. 7**Introduction**• In table lookup, the cryptanalyst first enciphers some fixed plaintext under each of the N possible keys to produce N ciphertexts. • These are sorted and stored in a table with their associated keys. 8**Introduction**• When a user chooses a new key K, he is forced (in a chosen plaintext attack) to provide the cryptanalyst with the encipherment of • denotes the enciphering operation under key K 9**Iterative approach - f function**• DES operates on a 64-bit plaintext block P to produce a 64-bit ciphertext block C under the action of a 56-bit key: Key：56 bits DES Ciphertext：64 bits Plaintext：64 bits 10**Iterative approach - f function**• Letting be a fixed plaintext block, define • R is some simple reduction from 64 to 56 bits, such as dropping the last 8 bits of the ciphertext.**Iterative approach - Precomputation**• The cryptanalyst chooses m starting points, each an independent random variable drawn uniformly from the key space {1,2,…,N}. For he lets and computes as depicted in Fig. 2. 13**Iterative approach - Precomputation**• The last element or endpoint in the th chain (or row) is denoted by . Clearly • Cryptanalyst sorts the on the endpoints. • The sorted table is stored as the result of this precomputation. 15**Iterative approach - Attack**• Someone chooses a key K and the cryptanalyst intercepts or is given • He can apply the reduction operation R to obtain 16**Iterative approach - Attack**• If , either ,or has more than one inverse image. We refer to this latter event as a false alarm. • If is not an endpoint or a false alarm occurred, the cryptanalyst computes and checks if it is an endpoint. 17**Iterative approach - Attack**• If it is not, the key is not in the column of Fig.2, while if , the cryptanalyst checks if is the key. • In a similar manner, the cryptanalyst computes to check if the key in the , … , or 0th column of Fig.2. Fig. 2. Matrix of images under f. 18**Iterative approach - Probability**• If all elements in the 0th through columns of Fig.2 are different and if K is chosen uniformly from all possible values, the probability of success P(S) would be 19**Iterative approach - Probability**• If the matrix in Fig. 2 has some overlap, but a fixed fraction of distinct elements, the probability of success is only lowered by the same fixed fraction. 20**Iterative approach - Probability**• Theorem: If is modeled as a random function mapping the set into itself, and if the key K is chosen uniformly from this same set, then the probability of success is bounded by 21**Iterative approach - Probability**• Remark 1: Equation (10) indicates that for a fixed value of N there is not much to be gained by increasing m or t beyond the point at which • Because , the last term is closely approximated by and when most terms will be small. 22**Iterative approach - Probability**• If , each term in (10) is close to one and (10) reduces to which is also an upper bound so there is negligible overlap. 23**Iterative approach - Probability**• If , with both m and t large, then (10) can be numerically evaluated and equals to two significant figures. • Operating at therefore increases the expected cryptanalytic effort by at most the small constant factor 24**Iterative approach - Probability**• Approximating each term by , lower bounding these by exp and summing predicts an efficiency of when and and are both large. • A slightly more complex bound suggested by one of the reviewers predicts an efficiency of when and is a true lower bound. 25**Iterative approach - Probability**• Remark 2: A secure cryptosystem is a good pseudorandom number generator so modeling as random function makes intuitive sense. • As will be seen from the proof, need only be random so far as its cycle structure (i.e., the lengths of its cycles and associated “tails”) is concerned Fig. 2. Matrix of images under f.**Iterative approach - Probability**• If tended to have longer than average cycle, less overlap would occur. • In the limit, if had one cycle of length N then the starting and endpoints could be spaced , a significant improvement over the complexity under the random function assumption. 27**Iterative approach - Probability**• If had the other extreme of degeneracy, for all , then cryptanalysis would be even more trivial. • There are cycle structures which ruin the time-memory trade-off 28**Iterative approach - Test**• As a check on the validity of , we ran a small test on the DES reduced to a 10-bit key (N=1024) with • The lower bound predicts that percent, and with 20 different functions we obtained a range of 6.8 percent to 9.1 percent, in excellent agreement with the bound. If there were no overlap at all, would have been 9.8 percent. 29**Iterative approach - Test**• Remark 3: Equation indicates that will be small for typical values of and . • For example, if then • This overcome by generating different tables with different choices for 30**Iterative approach - Test**• There are choices for • This was done in the small DES simulation and percent overall coverage was obtained with 20 tables. • If the coverage of each table was independent of the others, then 80.7 percent coverage was predicted from the individual 31**Iterative approach - Test**• There was a slight positive bias because the 200 starting points for the 20 tables were taken to be the first 200 integers. • This modification from random selection of the starting points reduces the expected search effort but is more difficult to analyze. 32**Iterative approach - Proof**• Proof of Theorem: Letting A denote the subset of keys covered by the first t columns of Fig.2 (i.e. not including the endpoints) we have where denotes the number of elements in A. 33**Iterative approach - Proof**• Letting denote the indicator function of the event X, where a point being “new” means it has not occurred in a previous row or thus far in its row. Fig. 2. Matrix of images under f. 34**Iterative approach - Proof**• When denotes the set of elements covered thus far. Fig. 2. Matrix of images under f. 35**Iterative approach - Proof**• Clearly each factor in is larger than since there are at most t different elements in each row. Therefore and 36**Iterative approach**• To obtain the complexity claimed earlier, set so that is approximately for a single table. Generate ( or several times that number) of tables with different reduction mappings . 37**Iterative approach**• Overall there are words of memory ( tables, each with words), and the overall number of operations is also ( operations per table). • The different tables can be tried sequentially, with parallel processors, or anywhere in between. 38**Iterative approach - Proof**• Theorem: The expected number of false alarms per table tried, is bound by • Remark: When a false alarm occurs, at most t operations are required to rule it out, which is comparable to the normal computation required for computing 39**Iterative approach - Proof**• If and , then the expected computation due to false alarms increases the expected computation by at most 50 percent. 40**Iterative approach - Proof**• Proof: Letting denote the occurrence of a false alarm due to • can occur in j different ways : due to merging immediately with the ith row of the matrix, that is if , or merging after one iteration, that is if is not in the ith row of the matrix, but equals ; etc. 41**Iterative approach - Proof**Fig. 2. Matrix of images under f.**Hardware Implementation**• The machine uses off-the-shelf hardware costing approximately $4 million and produces 100 solutions per day. • The machine can also be used to effect the precomputation in approximately one year. • The geometric midpoint, $10 per solution, is taken as an “order of magnitude” estimate. 43**Hardware Implementation**• The DES has key. By rounding this to , we can neglect overlap in the matrices because shows that approximately 80 percent of the points are distinct when . 45**Hardware Implementation**• Optimizing over m and t is not a simple matter because there is no simple objective function. The values m = and t = were selected after some trial and error as resulting in a reasonable machine cost, cost per solution, time to solution, and throughput.**Hardware Implementation**• Using these values results in • So approximately tables are needed. • The total parts cost is $3.6M. 47**Hardware Implementation**• The precomputation is equivalent to an exhaustive search of the keyspace because there are approximately table, each requiring encipherments, for a total of encipherments. 48**Hardware Implementation**• A single Fairchild DES unit operating require 11,000 years for precomputation, but the above machine with 10,000 unit could complete it in 1.1 years.**Hardware Implementation**• Tape cost is a small part of the overall system cost. ($0.2M) • Eight blanks, XYZ Corp or Login___ might work better for other targets.