Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Slides:



Advertisements
Similar presentations
February 12, 2007 WALCOM '2007 1/22 DiskTrie: An Efficient Data Structure Using Flash Memory for Mobile Devices N. M. Mosharaf Kabir Chowdhury Md. Mostofa.
Advertisements

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.
Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?
Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Types of Algorithms.
Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.
Mining Data Streams.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Cryptography and Network Security Chapter 3
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
CS 206 Introduction to Computer Science II 09 / 10 / 2008 Instructor: Michael Eckmann.
Hash Table indexing and Secondary Storage Hashing.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
ICS 454: Principles of Cryptography
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
DAST 2005 Week 4 – Some Helpful Material Randomized Quick Sort & Lower bound & General remarks…
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University.
Computer Security CS 426 Lecture 3
Cryptanalysis. The Speaker  Chuck Easttom  
February 17, 2015Applied Discrete Mathematics Week 3: Algorithms 1 Double Summations Table 2 in 4 th Edition: Section th Edition: Section th.
Cloud and Big Data Summer School, Stockholm, Aug., 2015 Jeffrey D. Ullman.
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
ICS 220 – Data Structures and Algorithms Week 7 Dr. Ken Cosh.
Merkle-Hellman Knapsack Cryptosystem Merkle offered $100 award for breaking singly - iterated knapsack Singly-iterated Merkle - Hellman KC was broken by.
Topic 21 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography CS555.
Section 2.1: Shift Ciphers and Modular Arithmetic Practice HW from Barr Textbook (not to hand in) p.66 # 1, 2, 3-6, 9-12, 13, 15.
Hashing Table Professor Sin-Min Lee Department of Computer Science.
Disclosure risk when responding to queries with deterministic guarantees Krish Muralidhar University of Kentucky Rathindra Sarathy Oklahoma State University.
Merkle-Hellman Knapsack Cryptosystem
Hashing Sections 10.2 – 10.3 CS 302 Dr. George Bebis.
Symbol Tables and Search Trees CSE 2320 – Algorithms and Data Structures Vassilis Athitsos University of Texas at Arlington 1.
Alternative Wide Block Encryption For Discussion Only.
Lecture 23 Symmetric Encryption
Tirgul 11 Notes Hash tables –reminder –examples –some new material.
Block Ciphers and the Advanced Encryption Standard
Hashtables. An Abstract data type that supports the following operations: –Insert –Find –Remove Search trees can be used for the same operations but require.
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
Linear Cryptanalysis of DES
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
B-TREE. Motivation for B-Trees So far we have assumed that we can store an entire data structure in main memory What if we have so much data that it won’t.
Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
Theory of Computational Complexity Yusuke FURUKAWA Iwama Ito lab M1.
The Stream Model Sliding Windows Counting 1’s
Hellman’s TMTO Attack Hellman’s TMTO 1.
Counting How Many Elements Computing “Moments”
ICS 454: Principles of Cryptography
Database Design and Programming
On the resemblance and containment of documents (MinHash)
ICS 555: Block Ciphers & DES Sultan Almuhammadi.
Presentation transcript:

Hellman’s TMTO 1 Hellman’s TMTO Attack

Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population count” or popcnt o Let x be a 32-bit integer o Define popcnt(x) = number of 1 ’s in binary expansion of x  How to compute popcnt(x) efficiently?

Hellman’s TMTO 3 Simple Popcnt  Most obvious thing to do is popcnt(x) // assuming x is 32-bit value t = 0 for i = 0 to 31 t = t + ((x >> i) & 1) next i return t end popcnt  Is this the most efficient method?

Hellman’s TMTO 4 More Efficient Popcnt  Pre-compute popcnt for all 256 bytes o Store pre-computed values in a table  Given x, lookup its bytes in this table o Sum these values to find popcnt(x)  See next slide for pseudo-code…

Hellman’s TMTO 5 More Efficient Popcnt Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) // assuming x is 32-bit word p = table[ x & 0xff ] + table[ (x >> 8) & 0xff ] + table[ (x >> 16) & 0xff ] + table[ (x >> 24) & 0xff ] return p end popcnt

Popcnt TMTO  Advantage(s)? o Each popcnt now requires 4 steps, not 32  Disadvantage? o Pre-computation (one time work) o Additional storage  Balance “time” vs “memory” where… o Time == popcnt computation(s) o Memory == storage/pre-computation Hellman’s TMTO 6

Hellman’s TMTO 7 TMTO Basics  Pre-computation o One-time work o Results stored in a table  Pre-computation results used to make each subsequent computation faster  In general, larger pre-computation requires more initial work and larger “memory” o But then each computation takes less “time”  Try to balance “memory” and “time”

Hellman’s TMTO 8 Block Cipher Notation  Consider a block cipher C = E(P, K) where P is plaintext block of size n C is ciphertext block of size n K is key of size k

Hellman’s TMTO 9 Block Cipher as Black Box  For TMTO, treat block cipher as black box  Details of crypto algorithm not relevant

Hellman’s TMTO Attack  This is a chosen plaintext attack  We choose P  Then we are given corresponding C o That is, C = E(P, K)  We want to find the key K Hellman’s TMTO 10

TMTO Attack  Given: P and C = E(P, K)  Find: key K  Two “obvious” approaches 1.Exhaustive key search “Memory” is 0, but “time” of 2 k-1 for each attack 2.Pre-compute C = E(P, K) for all keys K Then given any C, simply look up key K in table “Memory” of 2 k but “time” of 0 per attack  TMTO lies between 1. and 2. Hellman’s TMTO 11

Hellman’s TMTO 12 Chain of Encryptions  For simplicity, we assume block length n and key length k are equal, that is, n = k o Attack still works if this does not hold  Define a chain of encryptions as SP = K 0 = Starting Point K 1 = E(P, SP) K 2 = E(P, K 1 ) : EP = K t = E(P, K t  1 ) = End Point

Hellman’s TMTO 13 Encryption Chain  Note that ciphertext from one iteration is used as key at next iteration  Note also that the same (chosen) plaintext P used at each iteration

Hellman’s TMTO 14 Pre-computation  Pre-compute m encryption chains, each of length t +1  Save only the start and end points (SP 0, EP 0 ) (SP 1, EP 1 ) : (SP m-1, EP m-1 ) EP 0 SP 0 SP 1 SP m-1 EP 1 EP m-1

Hellman’s TMTO 15 TMTO Attack  Memory: Pre-compute encryption chains and save (SP i, EP i ) for i = 0,1,…,m  1 o This is one-time work o Sort based on EP i  For each attack for unknown key K do… o We have P and C = E(P, K) where P is same plaintext used to compute chains o Time: Compute a chain (max of t steps) X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…

Hellman’s TMTO 16 TMTO Attack  Consider the computed chain X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ), …  Suppose for some i we find X i = EP j SP j EP j C K  Since C = E(P, K) key K appears to lie just before ciphertext C in this chain!

Hellman’s TMTO 17 TMTO Attack  Summary of attack phase: compute X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…  If for some i we find X i = EP j then reconstruct chain from SP j Y 0 = SP j, Y 1 = E(P,Y 0 ), Y 2 = E(P,Y 1 ),…  We find C = Y t  i = E(P, Y t  i  1 ) (always?)  So that K = Y t  i  1 (always?)

Hellman’s TMTO 18 Trudy’s Perfect World  Suppose block cipher has k = 56 o That is, the key length is 56 bits  Suppose we can find m = 2 28 chains each of length t = 2 28 with no overlap o Is this realistic?  Then all 2 56 possible keys covered by exactly one element of a chain  This looks promising…

Hellman’s TMTO 19 Trudy’s Perfect World  If we can find m = 2 28 chains each of length t = 2 28 and no intersection, then…  Memory: 2 28 pairs (SP j, EP i )  Time: about 2 28 (per attack) o Start at C, find some EP j in about 2 27 steps o Find K with about 2 27 more steps o So, work per attack is about 2 28  Trivial work and attack never fails! o For Trudy, life doesn’t get any better…

Hellman’s TMTO 20 Trudy’s Perfect World  No chains intersect  Every ciphertext C is in one chain EP 0 SP 0 C SP 1 SP 2 EP 1 EP 2 K

Hellman’s TMTO 21 The Real World  Real chains are not so well-behaved  Chains can cycle and merge  Chain beginning at C goes to EP  But chain from SP to EP does not give K  This looks like Trudy’s nightmare… EP SP CK

Hellman’s TMTO 22 The Real World  Chains can cycle and merge  This adversely affects attacks, as mentioned on previous slide  It also, adversely affects pre- computation and probability of success  Why? EP SP CK

Hellman’s TMTO 23 Real-World TMTO Issues  Merging chains, cycles, false alarms, …  Pre-computation is lots of work o Must attack many times to amortize cost  Success is not assured o Depends on initial work, merging, cycles, …  What if block size not equal key length? o This is easy to deal with  What is the probability of success? o This is not so easy to compute…

Hellman’s TMTO 24 To Reduce Merging  Compute chain as F(E(P, K i  1 )) where F permutes the bits o Then we have F(E(P, K)) = F(C)  Chains computed using different functions can intersect, but will not merge EP 1 SP 0 SP 1 EP 0 F 0 chain F 1 chain

Hellman’s TMTO 25 Hellman’s TMTO in Practice  Let m = random starting points for each F t = encryptions in each chain r = number of “tables”, i.e., functions F  Then mtr pre-computed chain elements o Pre-computation is about mtr work  Each TMTO attack requires o About mr “memory” (storage), and tr “time”  If we choose m = t = r = 2 k/3 then probability of success is at least 0.55

Hellman’s TMTO 26 Success Probability?  Throw n balls into m urns  Expected number of urns that have at least one ball?  This is classic “occupancy problem” o See Feller, Intro. to Probability Theory  Why is this relevant to TMTO ? o “Urns” correspond to keys o “Balls” correspond to constructing chains

Hellman’s TMTO 27 Success Probability  Using occupancy problem approach…  Assuming k -bit key and m,t,r as defined on previous slide o Can choose m = t = r but not necessary  Then, approximately, P( success ) = 1  e  mtr/k  An upper bound can be given that is slightly “better”

Hellman’s TMTO 28 Success Probability  Success probability P( success ) = 1  e  mtr/k

Hellman’s TMTO 29 Distributed TMTO  Employ “distinguished points”  Do not use fixed-length chains  Instead, compute chain until some distinguished point is found  Example of distinguished point:

Hellman’s TMTO 30 Distributed TMTO  Similar pre-computation as before, except we have triples: (SP i, EP i, l i ) for i = 0,1,…,rm o Where l i is the length of the chain o And r is number of tables o And m is number of random starting points  Let M i be the maximum l j for the i th table  Each table has a fixed random function F

Hellman’s TMTO 31 Distributed TMTO  Suppose r computers are available  Each computer deals with one table o So, only one random function F per computer  “Master” gives computer i values F i, M i, C o And definition of distinguished point  Computer i computes chain beginning with C and using F i of (at most) length M i

Hellman’s TMTO 32 Distributed TMTO  If computer i finds a distinguished point within M i steps o Returns result to “master” for secondary test o Master searches for K on corresponding chain, using same approach as in non-distributed TMTO o False alarms can occur (e.g., distinguished points)  If no distinguished point found in M i steps o Computer i gives up, since key not on any F i chains  Note that computer i does not need to know any SP or EP or l  Master knows (SP i, EP i, l i ) for i = 0,1,…,rm

Hellman’s TMTO 33 TMTO for DES  Attack is feasible against DES  Recall that for DES, we have k = 56  Assume that we use m = t = r = 2 k/3 ≈  Then pre-computation is about 2 56 work o And we store about 2 37 starting/end point pairs  So, each time attack is conducted… o …use about 2 37 “memory” and requires 2 37 “time”

Hellman’s TMTO 34 TMTO: The Bottom Line  Attack is not specific to DES o Applies to any block cipher  Inner working of cipher is not relevant o But key length is…  No fancy math required o Just a clever algorithm  Lesson: Clever algorithms can break crypto!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.