# Hellman’s TMTO Attack - PowerPoint PPT Presentation  Download Presentation Hellman’s TMTO Attack

Hellman’s TMTO Attack
Download Presentation ## Hellman’s TMTO Attack

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Hellman’s TMTO Attack Hellman’s TMTO 1

2. Popcnt • Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off • “Population count” or popcnt • Let x be a 32-bit integer • Define popcnt(x) = number of 1’s in binary expansion of x • How to compute popcnt(x) efficiently? Hellman’s TMTO 2

3. Simple Popcnt • Most obvious thing to do is popcnt(x) // assuming x is 32-bit value t = 0 for i = 0 to 31 t = t + ((x >> i) & 1) next i return t end popcnt • Is this the most efficient method? Hellman’s TMTO 3

4. More Efficient Popcnt • Pre-compute popcnt for all 256 bytes • Store pre-computed values in a table • Given x, lookup its bytes in this table • Sum these values to find popcnt(x) • See next slide for pseudo-code… Hellman’s TMTO 4

5. More Efficient Popcnt Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) // assuming x is 32-bit word p = table[x & 0xff] + table[(x >> 8) & 0xff] + table[(x >> 16) & 0xff] + table[(x >> 24) & 0xff] return p end popcnt Hellman’s TMTO 5

6. Popcnt TMTO • Advantage(s)? • Each popcnt now requires 4 steps, not 32 • Disadvantage? • Pre-computation (one time work) • Additional storage • Balance “time” vs “memory” where… • Time == popcnt computation(s) • Memory == storage/pre-computation Hellman’s TMTO 6

7. TMTO Basics • Pre-computation • One-time work • Results stored in a table • Pre-computation results used to make each subsequent computation faster • In general, larger pre-computation requires more initial work and larger “memory” • But then each computation takes less “time” • Try to balance “memory” and “time” Hellman’s TMTO 7

8. Block Cipher Notation • Consider a block cipher C = E(P, K) where P is plaintext block of size n C is ciphertext block of size n K is key of size k Hellman’s TMTO 8

9. Block Cipher as Black Box • For TMTO, treat block cipher as black box • Details of crypto algorithm not relevant Hellman’s TMTO 9

10. Hellman’s TMTO Attack • This is a chosen plaintext attack • We choose P • Then we are given corresponding C • That is, C = E(P, K) • We want to find the key K Hellman’s TMTO 10

11. TMTO Attack • Given: P and C = E(P, K) • Find: key K • Two “obvious” approaches • Exhaustive key search “Memory” is 0, but “time” of 2k-1 for each attack • Pre-computeC = E(P, K)for all keysK Then given any C, simply look up key K in table “Memory” of 2k but “time” of 0 per attack • TMTO lies between 1. and2. Hellman’s TMTO 11

12. Chain of Encryptions • For simplicity, we assume block length n and key length k are equal, that is, n = k • Attack still works if this does not hold • Define a chain of encryptions as SP = K0 =Starting Point K1 = E(P, SP) K2 = E(P, K1) : : EP = Kt = E(P, Kt1) =End Point Hellman’s TMTO 12

13. Encryption Chain • Note that ciphertext from one iteration is used as key at next iteration • Note also that the same (chosen) plaintextP used at each iteration Hellman’s TMTO 13

14. Pre-computation • Pre-compute m encryption chains, each of length t +1 • Save only the start and end points (SP0, EP0) (SP1, EP1) : (SPm-1, EPm-1) EP0 SP0 EP1 SP1 EPm-1 SPm-1 Hellman’s TMTO 14

15. TMTO Attack • Memory: Pre-compute encryption chains and save (SPi, EPi) fori = 0,1,…,m1 • This is one-time work • Sort based on EPi • For each attack for unknown key K do… • We have P and C = E(P, K) where P is same plaintext used to compute chains • Time: Compute a chain (max of t steps) X0 = C, X1 = E(P, X0), X2 = E(P, X1),… Hellman’s TMTO 15

16. TMTO Attack • Consider the computed chain X0 = C, X1 = E(P, X0), X2 = E(P, X1), … • Suppose for some i we find Xi= EPj EPj C SPj K • Since C= E(P, K) key K appears to lie just before ciphertext C in this chain! Hellman’s TMTO 16

17. TMTO Attack • Summary of attack phase: compute X0 = C, X1 = E(P, X0), X2 = E(P, X1),… • If for some i we find Xi= EPj then reconstruct chain from SPj Y0 = SPj, Y1 = E(P,Y0), Y2 = E(P,Y1),… • We find C = Yti = E(P, Yti1) (always?) • So that K =Yti1 (always?) Hellman’s TMTO 17

18. Trudy’s Perfect World • Suppose block cipher has k = 56 • That is, the key length is 56 bits • Suppose we can find m = 228 chains each of length t = 228 with no overlap • Is this realistic? • Then all 256 possible keys covered by exactly one element of a chain • This looks promising… Hellman’s TMTO 18

19. Trudy’s Perfect World • If we can find m = 228 chains each of length t = 228 and no intersection, then… • Memory:228 pairs (SPj, EPi) • Time: about 228 (per attack) • Start at C, find some EPj in about 227 steps • Find K with about 227 more steps • So, work per attack is about 228 • Trivial work and attack never fails! • For Trudy, life doesn’t get any better… Hellman’s TMTO 19

20. Trudy’s Perfect World • No chains intersect • Every ciphertext C is in one chain SP0 EP0 C EP1 SP1 K EP2 SP2 Hellman’s TMTO 20

21. The Real World • Real chains are not so well-behaved • Chains can cycle and merge K C EP SP • Chain beginning at C goes to EP • But chain from SP to EP does not give K • This looks like Trudy’s nightmare… Hellman’s TMTO 21

22. The Real World • Chains can cycle and merge K C EP SP • This adversely affects attacks, as mentioned on previous slide • It also, adversely affects pre-computation and probability of success • Why? Hellman’s TMTO 22

23. Real-World TMTO Issues • Merging chains, cycles, false alarms, … • Pre-computation is lots of work • Must attack many times to amortize cost • Success is not assured • Depends on initial work, merging, cycles, … • What if block size not equal key length? • This is easy to deal with • What is the probability of success? • This is not so easy to compute… Hellman’s TMTO 23

24. To Reduce Merging • Compute chain asF(E(P, Ki1)) where F permutes the bits • Then we have F(E(P, K)) =F(C) • Chains computed using different functions can intersect, but will not merge SP0 F0 chain EP1 SP1 F1 chain EP0 Hellman’s TMTO 24

25. Hellman’s TMTO in Practice • Let m = random starting points for each F t = encryptions in each chain r = number of “tables”, i.e., functions F • Then mtr pre-computed chain elements • Pre-computation is about mtr work • Each TMTO attack requires • About mr “memory” (storage), and tr “time” • If we choose m = t = r = 2k/3 then probability of success is at least 0.55 Hellman’s TMTO 25

26. Success Probability? • Throw n balls into m urns • Expected number of urns that have at least one ball? • This is classic “occupancy problem” • See Feller, Intro. to Probability Theory • Why is this relevant to TMTO ? • “Urns” correspond to keys • “Balls” correspond to constructing chains Hellman’s TMTO 26

27. Success Probability • Using occupancy problem approach… • Assuming k-bit key and m,t,r as defined on previous slide • Can choose m = t = r but not necessary • Then, approximately, P(success) = 1 emtr/k • An upper bound can be given that is slightly “better” Hellman’s TMTO 27

28. Success Probability • Success probability P(success) = 1 emtr/k Hellman’s TMTO 28

29. Distributed TMTO • Employ “distinguished points” • Do not use fixed-length chains • Instead, compute chain until some distinguished point is found • Example of distinguished point: Hellman’s TMTO 29

30. Distributed TMTO • Similar pre-computation as before, except we have triples: (SPi, EPi,li) fori = 0,1,…,rm • Where li is the length of the chain • And r is number of tables • And m is number of random starting points • Let Mi be the maximum lj for the ith table • Each table has a fixed random function F Hellman’s TMTO 30

31. Distributed TMTO • Suppose r computers are available • Each computer deals with one table • So, only one random function F per computer • “Master” gives computer i values Fi, Mi, C • And definition of distinguished point • Computer i computes chain beginning with C and using Fi of (at most) length Mi Hellman’s TMTO 31

32. Distributed TMTO • If computer i finds a distinguished point within Mi steps • Returns result to “master” for secondary test • Master searches for K on corresponding chain, using same approach as in non-distributed TMTO • False alarms can occur (e.g., distinguished points) • If no distinguished point found in Mi steps • Computer i gives up, since key not on any Fi chains • Note that computer i does not need to know any SP or EP or l • Master knows (SPi, EPi,li) fori = 0,1,…,rm Hellman’s TMTO 32

33. TMTO for DES • Attack is feasible against DES • Recall that for DES, we have k = 56 • Assume that we use m= t= r= 2k/3 ≈ 218.67 • Then pre-computation is about 256work • And we store about 237 starting/end point pairs • So, each time attack is conducted… • …use about237“memory” and requires 237 “time” Hellman’s TMTO 33

34. TMTO: The Bottom Line • Attack is not specific to DES • Applies to any block cipher • Inner working of cipher is not relevant • But key length is… • No fancy math required • Just a clever algorithm • Lesson: Clever algorithms can break crypto! Hellman’s TMTO 34