Once Upon a Time-Memory Tradeoff, Mark Stamp, Department of Computer Science, San Jose State University


Post on 22-Dec-2015


Once Upon a Time-Memory Tradeoff

Mark Stamp

Department of Computer Science

San Jose State University

TMTO 2

This talk…

Non-cryptanalytic TMTOs
Crypto background
Hellman’s cryptanalytic TMTO
Distributed TMTO
Conclusions

TMTO 3

Non-crypto TMTOs

Popcnt
Shanks’ algorithm

TMTO 4

Popcnt

Let x be a 32-bit integer
Define popcnt(x) = number of 1’s in binary expansion of x
How to compute popcnt(x)?

TMTO 5

Simple popcnt

popcnt(x)
    t = 0
    for i = 0 to 31
        t = t + ((x >> i) & 1)
    next i
    return t
end popcnt

TMTO 6

Efficient popcnt

Initialize: table[i] = popcnt(i) for i = 0,1,…,255
popcnt(x)
    t = table[ x & 0xff ]
        + table[ (x >> 8) & 0xff ]
        + table[ (x >> 16) & 0xff ]
        + table[ (x >> 24) & 0xff ]
    return t
end popcnt

TMTO 7

Discrete Log

Let $p$ be prime, $g \in \{1,2,\ldots,p-1\}$ s.t. for any $n$ there is a $k$ with $n = g^k \bmod p$
Discrete log: given $m \in \{1,2,\ldots,p-1\}$ find $e$ s.t. $m = g^e \bmod p$
Notation: $e = \log_g(m)$
Could try each value in $\{1,2,\ldots,p-1\}$ to find $e$ that works

TMTO 8

Shanks’ algorithm

Shanks’ is a TMTO for discrete log
Given $m$, we want $e = \log_g(m)$

A. Compute list $L_r$ as follows
1. Let $r = \sqrt{p-1}$ and compute $g^{rj} \bmod p$ for $j = 0,1,\ldots,r-1$
2. Let $L_r$ be the list of $(j, g^{rj} \bmod p)$ sorted on second coordinate

TMTO 9

Shanks’ alg (continued)

B. Compute list $L_m$ as follows
1. Compute $m g^{-i} \bmod p$ for $i = 0,1,\ldots,r-1$
2. Let $L_m$ be the list of $(i, m g^{-i} \bmod p)$ sorted on second coordinate

TMTO 10

Shanks’ alg. (cont. again)

C. Then $e = \log_g(m)$ is found by
1. Find elements of $L_r$ and $L_m$ that agree in 2nd coordinates, say, $(j, x) \in L_r$ and $(i, x) \in L_m$
2. Then $e = \log_g(m) = rj + i \bmod (p-1)$ since $g^{rj} = m g^{-i} \bmod p$

Shanks’: baby step, giant step

TMTO 11

Shanks’ algorithm (example)

Suppose $p = 257$, $g = 3$. Then $r = 16$ and $L_r$ is
(0,1) (3,2) (6,4) (9,8) (12,16) (15,32) (2,64) (5,128) (13,129) (10,193) (7,225) (4,241) (1,249) (14,253) (11,255) (8,256)
Suppose $m = 132$. Then $L_m$ is
(9,23) (1,44) (3,62) (5,64) (8,69) (12,77) (15,79) (6,107) (0,132) (10,179) (2,186) (4,192) (13,197) (7,207) (11,231) (14,237)
From $L_r$ and $L_m$ we find (2,64) and (5,64).
Then $\log_3(132) = 2 \cdot 16 + 5 = 37$ and easy to verify $3^{37} = 132 \bmod 257$
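Steps A to C as runnable code, reproducing the p = 257, g = 3, m = 132 example. This is an added example, not code from the original slides; the function names are illustrative, and rounding r up when p − 1 is not a perfect square is an assumption.

```python
from math import isqrt

def giant_list(g, p, r):
    """Step A: L_r = [(j, g^(r*j) mod p)], sorted on the second coordinate."""
    return sorted(((j, pow(g, r * j, p)) for j in range(r)), key=lambda e: e[1])

def baby_list(g, m, p, r):
    """Step B: L_m = [(i, m*g^(-i) mod p)], sorted on the second coordinate."""
    g_inv = pow(g, p - 2, p)               # g^(-1) mod p by Fermat, p prime
    return sorted(((i, m * pow(g_inv, i, p) % p) for i in range(r)),
                  key=lambda e: e[1])

def shanks_log(g, m, p):
    """Step C: return e with g^e = m (mod p), or None if m is not a power of g."""
    r = isqrt(p - 1)
    if r * r < p - 1:
        r += 1                             # assumption: round up for non-square p-1
    L_r, L_m = giant_list(g, p, r), baby_list(g, m, p, r)
    a = b = 0
    while a < len(L_r) and b < len(L_m):   # merge scan of the two sorted lists
        (j, x), (i, y) = L_r[a], L_m[b]
        if x == y:                         # g^(r*j) = m*g^(-i)  =>  m = g^(r*j+i)
            return (r * j + i) % (p - 1)
        if x < y:
            a += 1
        else:
            b += 1
    return None

if __name__ == "__main__":
    print(shanks_log(3, 132, 257))         # the example from the slides
```

Each list holds about sqrt(p) pairs, so both the storage and the number of modular multiplications grow as sqrt(p) instead of the p steps of the try-every-exponent search.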

TMTO 12

Block cipher

Consider a block cipher
C = E(P, K)
where
P is plaintext of length n
C is ciphertext of length n
K is key of length k

TMTO 13

Block Cipher

TMTO 14

Chosen plaintext attack

We choose P and obtain C, where C = E(P, K)
Want to find the key K
1. Exhaustive key search
2. Table pre-computation
TMTO lies between 1. and 2.

TMTO 15

Chain of encryptions

Assume $n = k$. Then a chain is
$SP = K_0$ = Starting Point
$K_1 = E(P, SP)$
$K_2 = E(P, K_1)$
$\vdots$
$EP = K_t = E(P, K_{t-1})$ = End Point

TMTO 16

Chain (another view)

TMTO 17

Pre-computation

Compute $m$ encryption chains, each of length $t + 1$
Save only start and end points
$(SP_0, EP_0)$
$(SP_1, EP_1)$
$\vdots$
$(SP_{m-1}, EP_{m-1})$

TMTO 18

TMTO Attack

Memory: Given $(SP_i, EP_i)$, $i = 0,1,\ldots,m-1$
For chosen $P$ compute $C = E(P, K)$
The key $K$ is unknown
Time: Compute chain (max of $t$ steps)
$X_0 = C$, $X_1 = E(P, X_0)$, $X_2 = E(P, X_1)$, …

TMTO 19

Attack (continued)

Given the chain
$X_0 = C$, $X_1 = E(P, X_0)$, $X_2 = E(P, X_1)$, …
Suppose we find $X_i = EP_j$
Then $C$ might be in chain $(SP_j, EP_j)$
Assume $C$ is in chain $(SP_j, EP_j)$

TMTO 20

Attack (continued again)

Given $C$ is in the chain $(SP_j, EP_j)$ and $X_i = EP_j$
Re-compute chain $(SP_j, EP_j)$
$Y_0 = SP_j$, $Y_1 = E(P, Y_0)$, $Y_2 = E(P, Y_1)$, …
Then $C = Y_{t-i} = E(P, Y_{t-i-1})$
And $Y_{t-i-1} = K$ (always?)

TMTO 21

In a perfect world

Suppose the block cipher has 56 bit key
Suppose we find $m = 2^{28}$ chains, each of length $t = 2^{28}$ and no chains overlap
Memory: $2^{28}$ pairs $(SP_j, EP_j)$
Time: about $2^{28}$ (for attack)
1. Find $C$ in about $2^{27}$ tries
2. Find $K$ with about $2^{27}$ more tries

TMTO 22

In a perfect world

All chains distinct
Ciphertext C lies within a chain

[Figure: chains labelled SP0/EP0, SP1/EP1 and SP2/EP2, with C marked]

TMTO 23

In the real world

Chains are not so well-behaved
Chains cycle and merge

[Figure: chain labelled SP, EP and C]

TMTO 24

To reduce merging

Compute chain as $K_i = F(E(P, K_{i-1}))$ where $F$ is a permutation
Choose $r$ different functions $F$
For each $F$ choose $m$ random SP
Each chain of length $t$

TMTO 25

Notation

$m$ = number of random starting points for each function $F$
$t$ = length of each chain
$r$ = number of “random” functions $F$
Note: $mtr$ = total number of computed chain elements
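The pre-computation and attack from the preceding slides, as an added example that is not part of the original talk. The 16-bit toy cipher E, the XOR-mask form of F, the fixed plaintext P and all function names are assumptions chosen so the tables build in well under a second; because F is applied at every step, the attack chain starts at X_0 = F(C).

```python
import random

K_BITS, MASK = 16, 0xFFFF      # toy sizes (assumed): n = k = 16 bits
P = 0x1234                     # the chosen plaintext (assumed value)

def E(p, key):
    """Constructed toy block cipher (4-round Feistel); not a real cipher."""
    left, right = p >> 8, p & 0xFF
    for rnd in range(4):
        v = (right + (key >> (8 * (rnd & 1))) + rnd) & 0xFF  # alternate key bytes
        left, right = right, left ^ (((v * 0x9D + 0x3B) ^ (v >> 3)) & 0xFF)
    return (left << 8) | right

def F(f, x):
    return x ^ ((f * 0x9E37) & MASK)   # assumed permutation: per-table XOR mask

def step(f, key):
    return F(f, E(P, key))     # K_i = F(E(P, K_{i-1}))

def precompute(m, t, r, seed=1):
    """Build r tables, each mapping EP -> SP for m chains of t steps."""
    rng = random.Random(seed)
    tables = []
    for f in range(r):
        table = {}
        for _ in range(m):
            sp = x = rng.randrange(1 << K_BITS)
            for _ in range(t):
                x = step(f, x)
            table[x] = sp      # only the start and end points are kept
        tables.append(table)
    return tables

def attack(tables, t, c):
    """Return a key K with E(P, K) == c, or None if no stored chain covers it."""
    for f, table in enumerate(tables):
        x = F(f, c)            # X_0
        for _ in range(t):
            if x in table:     # X_i == EP_j, so c might be in chain j
                y = table[x]   # re-compute chain j from SP_j
                for _ in range(t):
                    if E(P, y) == c:
                        return y
                    y = step(f, y)
            x = step(f, x)     # no match or false alarm: keep walking
    return None

if __name__ == "__main__":
    tables = precompute(40, 40, 40)    # m = t = r ~ 2^(k/3)
    print(sum(attack(tables, 40, E(P, k)) is not None for k in range(0, 65536, 257)))
```

A hit on an end point is only trusted once the re-computed chain yields a key that encrypts P to C; when merged chains produce a false alarm, the walk simply continues. The returned key may differ from the one used to produce C, since several keys can map P to the same ciphertext.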

TMTO 26

Real-world issues

False alarms, avoid cycles, reduce merging, etc.
Pre-computation is lots of work (must be amortized over many attacks)
Success is not assured
What if block size not equal key length?
What is the probability of success?

TMTO 27

Probability of success

Occupancy problem: $b$ balls distributed with uniform probability to $c$ cells
Let $p_l(b,c)$ be probability of $l$ empty cells. Feller [3] shows

TMTO 28

Success probability (continued)

Poisson approx to $p_l(b,c)$ is
$p_l(\lambda) = e^{-\lambda} \lambda^l / l!$ where $\lambda = c e^{-b/c}$
So expected number of empty cells is

TMTO 29

Success probability (still more)

Expected number of occupied cells is
$c - \lambda = c(1 - e^{-b/c})$
Therefore
$P(\text{cell } i \text{ is occupied}) = 1 - e^{-b/c}$

TMTO attack succeeds if and only if the “cell” with key K is “occupied”

TMTO 30

Success prob (last word, almost)

$mtr$       $P(\text{success}) = 1 - e^{-mtr/2^k}$
----        -------------
$2^{k-2}$   0.22
$2^{k-1}$   0.39
$2^{k}$     0.63
$2^{k+1}$   0.86
$2^{k+2}$   0.98

TMTO 31

The bottom line

Choose $m = t = r = 2^{k/3}$ and probability of success is about 0.63 (at least 0.55 by a more careful analysis)
Pre-computation is $O(mtr)$ work
Each TMTO attack requires $O(mr)$ “memory” and $O(tr)$ “time”

TMTO 32

Distinguished points

Let a distinguished point be of the form $(x_0,x_1,\ldots,x_{s-1},0,0,\ldots,0)$
Construct chain until distinguished point is found
If no distinguished point is found within max steps, don’t save chain
Then every EP is distinguished

TMTO 33

Distinguished points +/-

Disadvantages
  Chains are variable length
  Some extra work to find chains
  Triples (SP, EP, length)
Advantage
  Distributed attack is very nice
  Why? One client for each F then client only needs (P, C) and F and max chain length, no data!

TMTO 34

References

[1] M. Hellman, A cryptanalytic time-memory tradeoff, IEEE Trans on Info Thy, Vol. 26, No. 4, July 1980, pp. 401-406

[2] J. Borst, et al., On the time-memory tradeoff between exhaustive key search and table precomputation, http://www.esat.kuleuven.ac.be/~borst/downloadable/tm.ps.gz

[3] W. Feller, An Introduction to Probability Theory and Its Applications, volume 1, Wiley (1968)

[4] M. Stamp, Once upon a time-memory tradeoff, http://www.cs.sjsu.edu/faculty/stamp/articles/tmto.pdf