Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Published byLuke Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population."— Presentation transcript:

1 Hellman’s TMTO 1 Hellman’s TMTO Attack

2 Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population count” or popcnt o Let x be a 32-bit integer o Define popcnt(x) = number of 1 ’s in binary expansion of x  How to compute popcnt(x) efficiently?

3 Hellman’s TMTO 3 Simple Popcnt  Most obvious thing to do is popcnt(x) // assuming x is 32-bit value t = 0 for i = 0 to 31 t = t + ((x >> i) & 1) next i return t end popcnt  Is this the most efficient method?

4 Hellman’s TMTO 4 More Efficient Popcnt  Pre-compute popcnt for all 256 bytes o Store pre-computed values in a table  Given x, lookup its bytes in this table o Sum these values to find popcnt(x)  See next slide for pseudo-code…

5 Hellman’s TMTO 5 More Efficient Popcnt Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) // assuming x is 32-bit word p = table[ x & 0xff ] + table[ (x >> 8) & 0xff ] + table[ (x >> 16) & 0xff ] + table[ (x >> 24) & 0xff ] return p end popcnt

6 Popcnt TMTO  Advantage(s)? o Each popcnt now requires 4 steps, not 32  Disadvantage? o Pre-computation (one time work) o Additional storage  Balance “time” vs “memory” where… o Time == popcnt computation(s) o Memory == storage/pre-computation Hellman’s TMTO 6

7 Hellman’s TMTO 7 TMTO Basics  Pre-computation o One-time work o Results stored in a table  Pre-computation results used to make each subsequent computation faster  In general, larger pre-computation requires more initial work and larger “memory” o But then each computation takes less “time”  Try to balance “memory” and “time”

8 Hellman’s TMTO 8 Block Cipher Notation  Consider a block cipher C = E(P, K) where P is plaintext block of size n C is ciphertext block of size n K is key of size k

9 Hellman’s TMTO 9 Block Cipher as Black Box  For TMTO, treat block cipher as black box  Details of crypto algorithm not relevant

10 Hellman’s TMTO Attack  This is a chosen plaintext attack  We choose P  Then we are given corresponding C o That is, C = E(P, K)  We want to find the key K Hellman’s TMTO 10

11 TMTO Attack  Given: P and C = E(P, K)  Find: key K  Two “obvious” approaches 1.Exhaustive key search “Memory” is 0, but “time” of 2 k-1 for each attack 2.Pre-compute C = E(P, K) for all keys K Then given any C, simply look up key K in table “Memory” of 2 k but “time” of 0 per attack  TMTO lies between 1. and 2. Hellman’s TMTO 11

12 Hellman’s TMTO 12 Chain of Encryptions  For simplicity, we assume block length n and key length k are equal, that is, n = k o Attack still works if this does not hold  Define a chain of encryptions as SP = K 0 = Starting Point K 1 = E(P, SP) K 2 = E(P, K 1 ) : EP = K t = E(P, K t  1 ) = End Point

13 Hellman’s TMTO 13 Encryption Chain  Note that ciphertext from one iteration is used as key at next iteration  Note also that the same (chosen) plaintext P used at each iteration

14 Hellman’s TMTO 14 Pre-computation  Pre-compute m encryption chains, each of length t +1  Save only the start and end points (SP 0, EP 0 ) (SP 1, EP 1 ) : (SP m-1, EP m-1 ) EP 0 SP 0 SP 1 SP m-1 EP 1 EP m-1

15 Hellman’s TMTO 15 TMTO Attack  Memory: Pre-compute encryption chains and save (SP i, EP i ) for i = 0,1,…,m  1 o This is one-time work o Sort based on EP i  For each attack for unknown key K do… o We have P and C = E(P, K) where P is same plaintext used to compute chains o Time: Compute a chain (max of t steps) X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…

16 Hellman’s TMTO 16 TMTO Attack  Consider the computed chain X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ), …  Suppose for some i we find X i = EP j SP j EP j C K  Since C = E(P, K) key K appears to lie just before ciphertext C in this chain!

17 Hellman’s TMTO 17 TMTO Attack  Summary of attack phase: compute X 0 = C, X 1 = E(P, X 0 ), X 2 = E(P, X 1 ),…  If for some i we find X i = EP j then reconstruct chain from SP j Y 0 = SP j, Y 1 = E(P,Y 0 ), Y 2 = E(P,Y 1 ),…  We find C = Y t  i = E(P, Y t  i  1 ) (always?)  So that K = Y t  i  1 (always?)

18 Hellman’s TMTO 18 Trudy’s Perfect World  Suppose block cipher has k = 56 o That is, the key length is 56 bits  Suppose we can find m = 2 28 chains each of length t = 2 28 with no overlap o Is this realistic?  Then all 2 56 possible keys covered by exactly one element of a chain  This looks promising…

19 Hellman’s TMTO 19 Trudy’s Perfect World  If we can find m = 2 28 chains each of length t = 2 28 and no intersection, then…  Memory: 2 28 pairs (SP j, EP i )  Time: about 2 28 (per attack) o Start at C, find some EP j in about 2 27 steps o Find K with about 2 27 more steps o So, work per attack is about 2 28  Trivial work and attack never fails! o For Trudy, life doesn’t get any better…

20 Hellman’s TMTO 20 Trudy’s Perfect World  No chains intersect  Every ciphertext C is in one chain EP 0 SP 0 C SP 1 SP 2 EP 1 EP 2 K

21 Hellman’s TMTO 21 The Real World  Real chains are not so well-behaved  Chains can cycle and merge  Chain beginning at C goes to EP  But chain from SP to EP does not give K  This looks like Trudy’s nightmare… EP SP CK

22 Hellman’s TMTO 22 The Real World  Chains can cycle and merge  This adversely affects attacks, as mentioned on previous slide  It also, adversely affects pre- computation and probability of success  Why? EP SP CK

23 Hellman’s TMTO 23 Real-World TMTO Issues  Merging chains, cycles, false alarms, …  Pre-computation is lots of work o Must attack many times to amortize cost  Success is not assured o Depends on initial work, merging, cycles, …  What if block size not equal key length? o This is easy to deal with  What is the probability of success? o This is not so easy to compute…

24 Hellman’s TMTO 24 To Reduce Merging  Compute chain as F(E(P, K i  1 )) where F permutes the bits o Then we have F(E(P, K)) = F(C)  Chains computed using different functions can intersect, but will not merge EP 1 SP 0 SP 1 EP 0 F 0 chain F 1 chain

25 Hellman’s TMTO 25 Hellman’s TMTO in Practice  Let m = random starting points for each F t = encryptions in each chain r = number of “tables”, i.e., functions F  Then mtr pre-computed chain elements o Pre-computation is about mtr work  Each TMTO attack requires o About mr “memory” (storage), and tr “time”  If we choose m = t = r = 2 k/3 then probability of success is at least 0.55

26 Hellman’s TMTO 26 Success Probability?  Throw n balls into m urns  Expected number of urns that have at least one ball?  This is classic “occupancy problem” o See Feller, Intro. to Probability Theory  Why is this relevant to TMTO ? o “Urns” correspond to keys o “Balls” correspond to constructing chains

27 Hellman’s TMTO 27 Success Probability  Using occupancy problem approach…  Assuming k -bit key and m,t,r as defined on previous slide o Can choose m = t = r but not necessary  Then, approximately, P( success ) = 1  e  mtr/k  An upper bound can be given that is slightly “better”

28 Hellman’s TMTO 28 Success Probability  Success probability P( success ) = 1  e  mtr/k

29 Hellman’s TMTO 29 Distributed TMTO  Employ “distinguished points”  Do not use fixed-length chains  Instead, compute chain until some distinguished point is found  Example of distinguished point:

30 Hellman’s TMTO 30 Distributed TMTO  Similar pre-computation as before, except we have triples: (SP i, EP i, l i ) for i = 0,1,…,rm o Where l i is the length of the chain o And r is number of tables o And m is number of random starting points  Let M i be the maximum l j for the i th table  Each table has a fixed random function F

31 Hellman’s TMTO 31 Distributed TMTO  Suppose r computers are available  Each computer deals with one table o So, only one random function F per computer  “Master” gives computer i values F i, M i, C o And definition of distinguished point  Computer i computes chain beginning with C and using F i of (at most) length M i

32 Hellman’s TMTO 32 Distributed TMTO  If computer i finds a distinguished point within M i steps o Returns result to “master” for secondary test o Master searches for K on corresponding chain, using same approach as in non-distributed TMTO o False alarms can occur (e.g., distinguished points)  If no distinguished point found in M i steps o Computer i gives up, since key not on any F i chains  Note that computer i does not need to know any SP or EP or l  Master knows (SP i, EP i, l i ) for i = 0,1,…,rm

33 Hellman’s TMTO 33 TMTO for DES  Attack is feasible against DES  Recall that for DES, we have k = 56  Assume that we use m = t = r = 2 k/3 ≈ 2 18.67  Then pre-computation is about 2 56 work o And we store about 2 37 starting/end point pairs  So, each time attack is conducted… o …use about 2 37 “memory” and requires 2 37 “time”

34 Hellman’s TMTO 34 TMTO: The Bottom Line  Attack is not specific to DES o Applies to any block cipher  Inner working of cipher is not relevant o But key length is…  No fancy math required o Just a clever algorithm  Lesson: Clever algorithms can break crypto!

Download ppt "Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population."

Similar presentations

February 12, 2007 WALCOM '2007 1/22 DiskTrie: An Efficient Data Structure Using Flash Memory for Mobile Devices N. M. Mosharaf Kabir Chowdhury Md. Mostofa.

February 12, 2007 WALCOM '2007 1/22 DiskTrie: An Efficient Data Structure Using Flash Memory for Mobile Devices N. M. Mosharaf Kabir Chowdhury Md. Mostofa.
Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.
Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?

Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?
Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller.

Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Types of Algorithms.

Types of Algorithms.
Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.
Mining Data Streams.

Mining Data Streams.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
CS 206 Introduction to Computer Science II 09 / 10 / 2008 Instructor: Michael Eckmann.

CS 206 Introduction to Computer Science II 09 / 10 / 2008 Instructor: Michael Eckmann.
Hash Table indexing and Secondary Storage Hashing.

Hash Table indexing and Secondary Storage Hashing.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

Similar presentations

Ads by Google