1 / 34

Once Upon a Time-Memory Tradeoff

Once Upon a Time-Memory Tradeoff. Mark Stamp Department of Computer Science San Jose State University. This talk…. Non-cryptanalytic TMTOs Crypto background Hellman’s cryptanalytic TMTO Distributed TMTO Conclusions. Non-crypto TMTOs. Popcnt Shank’s algorithm. Popcnt.

Télécharger la présentation

Once Upon a Time-Memory Tradeoff

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University

  2. This talk… • Non-cryptanalytic TMTOs • Crypto background • Hellman’s cryptanalytic TMTO • Distributed TMTO • Conclusions TMTO

  3. Non-crypto TMTOs • Popcnt • Shank’s algorithm TMTO

  4. Popcnt • Let x be a 32-bit integer • Define popcnt(x) = number of 1’s in binary expansion of x • How to compute popcnt(x) ? TMTO

  5. Simple popcnt popcnt(x) t = 0 for i = 0 to 31 t = t + (x >> i) & 1 next i return t end popcnt TMTO

  6. Efficient popcnt Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) t = table[ x & 0xff ] + table[ (x >> 8) & 0xff ] + table[ (x >> 16) & 0xff ] + table[ (x >> 24) & 0xff ] return t end popcnt TMTO

  7. Discrete Log • Let p be prime, g {1,2,…, p1} s.t. for any n there is a k with n = gkmod p • Discrete log: given m {1,2,…, p1} find e s.t. m = gemod p • Notation: e = logg(m) • Could try each value in {1,2,…, p1} to find e that works TMTO

  8. Shank’s algorithm • Shank’s is a TMTO for discrete log • Given m, we want e = logg(m) A. Compute list Lr as follows • Let r = sqrt(p 1) and compute grj mod p forj = 0,1,…,r  1 • Let Lr be the list of ( j,grj mod p) sorted on second coordinate TMTO

  9. Shank’s alg (continued) B. Compute list Lm as follows • Compute mgi mod p fori = 0,1,…,r  1 • Let Lm be the list of (i,mgi mod p) sorted on second coordinate TMTO

  10. Shank’s alg. (cont. again) C. Then e = logg(m) is found by • Find elements of Lr and Lm that agree in 2nd coordinates, say, ( j,x)  Lr and (i,x) Lm • Then e = logg(m) = rj + i mod (p  1) since grj = mgi mod p • Shank’s: baby step, giant step TMTO

  11. Shank’s algorithm (example) • Suppose p = 257,g = 3. Thenr = 16 andLris (0,1) (3,2) (6,4) (9,8) (12,16) (15,32) (2,64) (5,128) (13,129) (10,193) (7,225) (4,241) (1,249) (14,253) (11,255) (8,256) • Suppose m = 132. Then Lm is (9,23) (1,44) (3,62) (5,64) (8,69) (12,77) (15,79) (6,107) (0,132) (10,179) (2,186) (4,192) (13,197) (7,207) (11,231) (14,237) • From Lr and Lm we find (2,64) and (5,64). Then log3(132) = 2  16 + 5 = 37 and easy to verify 337 = 132 mod 257 TMTO

  12. Block cipher Consider a block cipher C = E(P, K) where P is plaintext of length n C is ciphertext of length n K is key of length k TMTO

  13. Block Cipher TMTO

  14. Chosen plaintext attack • We chooseP and obtain C, where C = E(P, K) • Want to find the key K • Exhaustive key search • Table pre-computation • TMTO lies between 1. and 2. TMTO

  15. Chain of encryptions Assume n = k. Then a chain is SP = K0 =Starting Point K1 = E(P, SP) K2 = E(P, K1) : : EP = Kt = E(P, Kt1) =End Point TMTO

  16. Chain (another view) TMTO

  17. Pre-computation • Compute m encryption chains, each of length t +1 • Save only start and end points (SP0, EP0) (SP1, EP1) : (SPm-1, EPm-1) TMTO

  18. TMTO Attack • Memory: Given (SPi, EPi), i = 0,1,…,m1 • For chosen P compute C = E(P, K) • The key K is unknown • Time: Compute chain (max of t steps) X0 = C, X1 = E(P, X0), X2 = E(P, X1),… TMTO

  19. Attack (continued) • Given the chain X0 = C, X1 = E(P, X0), X2 = E(P, X1),… • Suppose we find Xi= EPj • Then C might be in chain (SPj, EPj) • Assume C is in chain (SPj, EPj) TMTO

  20. Attack (continued again) • Given C is in the chain (SPj, EPj) and Xi= EPj • Re-compute chain (SPj, EPj) Y0 = SPj, Y1 = E(P,Y0), Y2 = E(P,Y1),… • Then C = Yti = E(P, Yti1) • And Yti1 = K (always?) TMTO

  21. In a perfect world • Suppose the block cipher has 56 bit key • Suppose we find m = 228 chains, each of length t = 228 and no chains overlap • Memory: 228 pairs (SPj, EPj) • Time: about 228 (for attack) • Find C in about 227 tries • Find K with about 227 more tries TMTO

  22. In a perfect world • All chains distinct • Ciphertext C lies within a chain SP0 EP0 C EP1 SP1 EP2 SP2 TMTO

  23. In the real world • Chains are not so well-behaved • Chains cycle and merge C EP SP TMTO

  24. To reduce merging • Compute chain as Ki = F(E(P, Ki1)) where F is a permutation • Choose r different functions F • For each F choose m random SP • Each chain of length t TMTO

  25. Notation • m = number of random starting points for each function F • t = length of each chain • r = number of “random” functions F • Note: mtr = total number of computed chain elements TMTO

  26. Real-world issues • False alarms, avoid cycles, reduce merging, etc. • Pre-computation is lots of work (must be amortized over many attacks) • Success is not assured • What if block size not equal key length? • What is the probability of success? TMTO

  27. Probability of success • Occupancy problem: b balls distributed with uniform probability to c cells • Let pl(b,c) be probability of l empty cells. Feller [3] shows TMTO

  28. Success probability (continued) • Poisson approx to pl(b,c) is pl() = el/l! where  = ceb/c • So expected number of empty cells is TMTO

  29. Success probability (still more) • Expected number of occupied cells is c  = c(1  eb/c) • Therefore P(cell i is occupied)= 1  eb/c • TMTO attack succeeds if and only if the “cell” with key K is “occupied” TMTO

  30. Success prob (last word, almost) mtr P(success) = 1  emtr/2k ---- ------------- 2k2 0.22 2k1 0.39 2k 0.63 2k+1 0.86 2k+2 0.98 TMTO

  31. The bottom line • Choose m = t = r = 2k/3 and probability of success is about 0.63 (at least 0.55 by a more careful analysis) • Pre-computation is O(mtr) work • Each TMTO attack requires O(mr) “memory” and O(tr) “time” TMTO

  32. Distinguished points • Let a distinguished point be of the form (x0,x1,…,xs1,0,0,…,0) • Construct chain until distinguished point is found • If no distinguished point is found within max steps, don’t save chain • Then every EP is distinguished TMTO

  33. Distinguished points +/- • Disadvantages • Chains are variable length • Some extra work to find chains • Triples (SP, EP, length) • Advantage • Distributed attack is very nice • Why? One client for each F then client only needs (P, C) and F and max chain length  no data! TMTO

  34. References [1] M. Hellman, A cryptanalytic time-memory tradeoff, IEEE Trans on Info Thy, Vol. 26, No. 4, July 1980, pp. 401-406 [2] J.Borst, et al., On the time-memory tradeoff between exhaustive key search and table precomputation, http://www.esat.kuleuven.ac.be/~borst/downloadable/tm.ps.gz [3] W. Feller, An Introduction to Probability Theory and Its Applications, volume 1, Wiley (1968) [4] M. Stamp, Once upon a time-memory tradeoff, http://www.cs.sjsu.edu/faculty/stamp/articles/tmto.pdf TMTO

More Related