
Distributed Time-Memory Tradeoff Attacks on Ciphers

(with Application to Stream Ciphers and Counter Mode)

  • Conference paper
  • Information Security and Privacy (ACISP 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10946)

Abstract

In this paper, we consider the implications of parallelizing time-memory tradeoff attacks across a large number of distributed processors. We show that Hellman’s original tradeoff method and the Biryukov-Shamir attack on stream ciphers, which incorporates data into the tradeoff, can be effectively distributed to reduce both time and memory, while other approaches benefit less from distribution. Distributed tradeoff attacks are discussed specifically as applied to stream ciphers and the counter mode of operation of block ciphers, where their feasibility is assessed relative to distributed exhaustive key search. In particular, for counter mode with an unpredictable initial count, we show that distributed tradeoff attacks are applicable but can be made infeasible if the entropy of the initial count is at least as large as that of the key. In general, the analyses of this paper illustrate the effectiveness of a distributed tradeoff approach and show that, when enough processors are involved in the attack, some systems, such as lightweight cipher implementations, may be susceptible to attack in practice.


References

  1. Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

  2. Babbage, S.: A space/time tradeoff in exhaustive search attacks on stream ciphers. In: European Convention on Security and Detection, IEEE Conference Publication No. 408, pp. 161–166 (1995)

  3. Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_17

  4. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_1

  5. Hong, J., Sarkar, P.: New applications of time memory data tradeoffs. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 353–372. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_19

  6. Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Boston (1982)

  7. Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_36

  8. Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_22

  9. Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Cryptol. 2016(2), 52–79 (2016)

  10. Hamann, M., Krause, M., Meier, W.: LIZARD - a lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Cryptol. 2017(1), 45–79 (2017)

  11. Dunkelman, O., Keller, N.: Treatment of the initial value in time-memory-data tradeoff attacks on stream ciphers. Inf. Process. Lett. 107(5), 133–137 (2008)

  12. Avoine, G., Junod, P., Oechslin, P.: Characterization and improvement of time-memory trade-off based on perfect tables. ACM Trans. Inf. Syst. Secur. 11(4), 17:1–17:22 (2008)

  13. Hong, J., Moon, S.: A comparison of cryptanalytic tradeoff algorithms. J. Cryptol. 26(4), 559–637 (2013)

  14. van den Broek, F., Poll, E.: A comparison of time-memory trade-off attacks on stream ciphers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 406–423. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_24

  15. Borst, J., Preneel, B., Vandewalle, J.: On the time-memory tradeoff between exhaustive key search and table precomputation. In: Proceedings of the 19th Symposium in Information Theory in the Benelux, WIC, pp. 111–118 (1998)

  16. Hong, J., Lee, G.W., Ma, D.: Analysis of the parallel distinguished point tradeoff. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 161–180. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25578-6_14

  17. Kim, J.W., Seo, J., Hong, J., Park, K., Kim, S.-R.: High-speed parallel implementations of the rainbow method based on perfect tables in a heterogeneous system. Softw. Pract. Exper. 45(6), 837–855 (2015)

  18. Avoine, G., Carpent, X., Kordy, B., Tardif, F.: How to handle rainbow tables with external memory. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10342, pp. 306–323. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60055-0_16

  19. Lee, G.W., Hong, J.: Comparison of perfect table cryptanalytic tradeoff algorithms. Des. Codes Crypt. 80(3), 473–523 (2016)

  20. National Institute of Standards and Technology: NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation, December 2001. https://csrc.nist.gov/publications/detail/sp/800-38a/final

  21. Biryukov, A., Mukhopadhyay, S., Sarkar, P.: Improved time-memory trade-offs with multiple data. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_8


Corresponding author

Correspondence to Howard M. Heys.


Appendices

Appendix A: Summary of Tradeoffs

Table 1 contains a summary of all tradeoffs discussed and applied in this paper. Tradeoff expressions and preprocessing complexity, as well as target applications and meaningful restrictions on tradeoff parameters, are presented.

Table 1. Summary of Tradeoffs

Appendix B: Numerical Results for Some Tradeoffs

In this section, we highlight a few cases to illustrate the applicability of the distributed TMTO attack. The data presented covers two key sizes, 80 bits (Table 2) and 128 bits (Table 3), and gives results for both stream ciphers and block ciphers in counter mode. A key size of 80 bits is consistent with the typical use of a lightweight block or stream cipher, while the 128-bit key represents an application requiring AES-128 level security. The results in the tables represent a tradeoff attack using the DK approach for a single-key system, and the table values assume equal complexity for the online time and memory, i.e., \(T_0 = M_0\). The tradeoff expression of (11) is applied and the constraints \(D_{iv} \le V\) and \(W \le T_0\) are satisfied. For \(V > 1\), \(P_0 = KV/(D_{iv}W)\), resulting in

$$\begin{aligned} T_0 = \frac{P_0^{2/3}}{W^{1/3}} \end{aligned}$$
(19)

which can be used to derive the values in the tables. However, for the case of \(V = 1\) (that is, a predictable initial count in counter mode, or a stream cipher with no IV), data cannot be used in the tradeoff; then \(P_0 = KV/W\), and (19) still applies.

For both key sizes, various IV sizes are given, and the complexity is presented for cases with differing amounts of data, \(D_{iv}\), and numbers of processors, W. For reference, the corresponding distributed exhaustive key search complexity (DEKS) is also presented for each case. Each TMTO case in the tables gives the online time complexity and the preprocessing complexity for an individual processor in the format “\(T_0/P_0\)”.

It is obvious from the tables that there are many scenarios in which distributed TMTO attacks could be made more effective than a distributed exhaustive key search. Most notably, if \(V = 1\), one Hellman table can be constructed straightforwardly to cover just the keys. In this case, although the use of data from multiple IVs is not applicable, applying a distributed approach can result in extremely small online time complexities - as low as \(2^{33.3}\) for a lightweight cipher with an 80-bit key using \(2^{20}\) processors. For cases with \(V > 1\), using data drawn from a modest number of IVs can result in a compromise of the security of the cipher. For example, with \(K = 2^{128}\) and \(V = 2^{32}\), using data from only \(2^{20}\) IVs and applying \(2^{20}\) processors results in a TMTO attack with an online time complexity of \(2^{73.3}\) and a preprocessing time complexity of \(2^{120}\). Hence, the online time complexity is substantially better than the distributed exhaustive key search complexity of \(2^{108}\), while the preprocessing complexity is only slightly worse.
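The following is an added worked example, not code from the paper, that evaluates the Appendix B relations exactly as stated above: \(P_0 = KV/(D_{iv}W)\) for \(V > 1\) (and \(P_0 = KV/W\) with \(V = 1\)), equation (19) \(T_0 = P_0^{2/3}/W^{1/3}\), the constraints \(D_{iv} \le V\) and \(W \le T_0\), and the distributed exhaustive key search cost, which is assumed here to be \(K/W\) (the value \(2^{108}\) quoted above is consistent with that assumption). All quantities are carried as base-2 logarithms so 128-bit magnitudes stay exact, and the two cases quoted in the text (\(2^{33.3}\) for an 80-bit key with \(V = 1\), and \(2^{73.3}/2^{120}\) for \(K = 2^{128}\), \(V = 2^{32}\), \(D_{iv} = W = 2^{20}\)) are reproduced.

```python
"""Worked evaluation of the Appendix B tradeoff expressions (added example).

Encodes only the relations the appendix states:
  P_0 = K*V/(D_iv*W) for V > 1, P_0 = K/W for V = 1 (no usable IV data),
  (19): T_0 = P_0^(2/3) / W^(1/3), with constraints D_iv <= V and W <= T_0.
DEKS, the distributed exhaustive key search cost, is assumed to be K/W.
Everything is handled as an exact base-2 logarithm (Fraction), so 2^128
scale values never lose precision.
"""
from fractions import Fraction
from typing import NamedTuple


class Tradeoff(NamedTuple):
    log2_T0: Fraction     # online time per processor, log2
    log2_P0: Fraction     # preprocessing per processor, log2
    log2_deks: Fraction   # distributed exhaustive key search K/W, log2
    feasible: bool        # whether the constraint W <= T_0 holds


def tmto(log2_K: int, log2_V: int, log2_Div: int, log2_W: int) -> Tradeoff:
    """Per-processor TMTO complexities for a key space of 2^log2_K, an IV
    space of 2^log2_V, data from 2^log2_Div IVs and 2^log2_W processors."""
    if log2_V == 0:
        # V = 1: predictable counter or IV-less stream cipher. The appendix
        # sets P_0 = K/W, i.e. no data term, and still applies (19).
        log2_Div = 0
    if log2_Div > log2_V:
        raise ValueError("constraint D_iv <= V violated")
    log2_P0 = Fraction(log2_K + log2_V - log2_Div - log2_W)
    # Equation (19): log2 T_0 = (2/3) log2 P_0 - (1/3) log2 W
    log2_T0 = (2 * log2_P0 - log2_W) / 3
    log2_deks = Fraction(log2_K - log2_W)
    return Tradeoff(log2_T0, log2_P0, log2_deks, feasible=log2_W <= log2_T0)


def table_entry(t: Tradeoff) -> str:
    """Render a result in the tables' 'T_0/P_0' format, e.g. '2^73.3/2^120'."""
    return f"2^{float(t.log2_T0):.1f}/2^{int(t.log2_P0)}"


def beats_deks(t: Tradeoff) -> bool:
    """True if the online time is below the distributed exhaustive search cost."""
    return t.log2_T0 < t.log2_deks


def precomputation_overhead(t: Tradeoff) -> Fraction:
    """log2(P_0 / DEKS). Because D_iv <= V, this is log2(V/D_iv) >= 0: per
    processor, precomputation never costs less than exhaustive search; the
    attacker's gain is confined to online time."""
    return t.log2_P0 - t.log2_deks


if __name__ == "__main__":
    # Constructed cases matching the two scenarios quoted in Appendix B.
    cases = [
        ("80-bit key, V = 1, 2^20 processors", tmto(80, 0, 0, 20)),
        ("128-bit key, V = 2^32, D_iv = 2^20, W = 2^20", tmto(128, 32, 20, 20)),
    ]
    for label, t in cases:
        print(f"{label}: T_0/P_0 = {table_entry(t)}, DEKS = 2^{int(t.log2_deks)}, "
              f"beats DEKS online: {beats_deks(t)}, "
              f"precomputation overhead 2^{int(precomputation_overhead(t))}")
```

Reading the two outputs side by side shows why the abstract frames the defence in terms of initial-count entropy: raising V without giving the attacker more IVs increases the precomputation overhead \(V/D_{iv}\) and, through (19), the online time as well.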

Table 2. TMTO Results \(T_0/P_0\) for 80-bit Keys
Table 3. TMTO Results \(T_0/P_0\) for 128-bit Keys


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

Heys, H.M. (2018). Distributed Time-Memory Tradeoff Attacks on Ciphers. In: Susilo, W., Yang, G. (eds) Information Security and Privacy. ACISP 2018. Lecture Notes in Computer Science(), vol 10946. Springer, Cham. https://doi.org/10.1007/978-3-319-93638-3_9


  • DOI: https://doi.org/10.1007/978-3-319-93638-3_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93637-6

  • Online ISBN: 978-3-319-93638-3
