102 research outputs found
A Comparison of Time-Memory Trade-Off Attacks on Stream Ciphers
Contains fulltext: 117176.pdf (preprint version) (Open Access)
Tight Time-Space Lower Bounds for Finding Multiple Collision Pairs and Their Applications
We consider a collision search problem (CSP), where given a parameter , the goal is to find collision pairs in a random function (where using bits of memory. Algorithms for CSP have numerous cryptanalytic applications such as space-efficient attacks on double and triple encryption. The best known algorithm for CSP is parallel collision search (PCS) published by van Oorschot and Wiener, which achieves the time-space tradeoff for .
In this paper, we prove that any algorithm for CSP satisfies for , hence the best known time-space tradeoff is optimal (up to poly-logarithmic factors in ). On the other hand, we give strong evidence that proving similar unconditional time-space tradeoff lower bounds on CSP applications (such as breaking double and triple encryption) may be very difficult, and would imply a breakthrough in complexity theory. Hence, we propose a new restricted model of computation and prove that under this model, the best known time-space tradeoff attack on double encryption is optimal
Data Structures Meet Cryptography: 3SUM with Preprocessing
This paper shows several connections between data structure problems and cryptography against preprocessing attacks. Our results span data structure upper bounds, cryptographic applications, and data structure lower bounds, as summarized next.
First, we apply Fiat-Naor inversion, a technique with cryptographic origins, to obtain a data structure upper bound. In particular, our technique yields a suite of algorithms with space and (online) time for a preprocessing version of the -input 3SUM problem where . This disproves a strong conjecture (Goldstein et al., WADS 2017) that there is no data structure that solves this problem for and for any constant .
Secondly, we show equivalence between lower bounds for a broad class of (static) data structure problems and one-way functions in the random oracle model that resist a very strong form of preprocessing attack. Concretely, given a random function (accessed as an oracle) we show how to compile it into a function which resists -bit preprocessing attacks that run in query time where (assuming a corresponding data structure lower bound on 3SUM). In contrast, a classical result of Hellman tells us that itself can be more easily inverted, say with -bit preprocessing in time. We also show that much stronger lower bounds follow from the hardness of kSUM. Our results can be equivalently interpreted as security against adversaries that are very non-uniform, or have large auxiliary input, or as security in the face of a powerfully backdoored random oracle.
Thirdly, we give non-adaptive lower bounds for 3SUM and a range of geometric problems which match the best known lower bounds for static data structure problems.
Quantum Time/Memory/Data Tradeoff Attacks
One of the most celebrated and useful cryptanalytic algorithms is Hellman's time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions on possible values with time and space complexities satisfying . As a search problem, one can always transform it into the quantum setting by using Grover's algorithm, but this algorithm does not benefit from the possible availability of auxiliary advice obtained during a free preprocessing stage. However, at FOCS'20 it was rigorously shown that a small amount of quantum auxiliary advice (which can be stored in a quantum memory of size ) cannot possibly yield an attack which is better than Grover's algorithm.
In this paper we develop new quantum versions of Hellman's cryptanalytic attack which use large memories in the standard QACM (Quantum Accessible Classical Memory) model of computation. In particular, we improve Hellman's tradeoff curve to . When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert for at least one of given values), we get the generalized curve . A typical point on this curve is , , and , whose time is strictly lower than both Grover's algorithm and the classical Hellman algorithm (both of which require for these and parameters).
Analysis of the Parallel Distinguished Point Tradeoff
Cryptanalytic time memory tradeoff algorithms are tools for quickly inverting one-way functions and many consider the rainbow table method to be the most efficient tradeoff algorithm. However, it was recently announced, mostly based on experiments, that the parallelization of the perfect distinguished point tradeoff algorithm brings about an algorithm that is 50% more efficient than the perfect rainbow table method. Motivated by this claim, while noting that the massive pre-computation associated with any tradeoff algorithm makes the non-perfect forms of tradeoff algorithms more practical, we provide an accurate theoretic analysis of the parallel version of the non-perfect distinguished point tradeoff algorithm.
Performance differences between different tradeoff algorithms are usually not very large, but even these small differences can be crucial in practice. So we take care not to ignore the side effects of false alarms in providing an online time complexity analysis of the parallel distinguished point tradeoff algorithm. Our complexity results are used to compare the parallel non-perfect distinguished point tradeoff against the non-perfect rainbow table method. The two algorithms are compared under identical success rate requirements and the pre-computation efforts are also taken into account. Contrary to our anticipation, we find that the rainbow table method is superior in typical situations, even though the parallelization did have a positive effect on the efficiency of the distinguished point tradeoff algorithm
The Cost of False Alarms in Hellman and Rainbow Tradeoffs
Cryptanalytic time memory tradeoff algorithms are generic one-way function inversion techniques that utilize pre-computation. Even though the online time complexity is known up to a small multiplicative factor for any tradeoff algorithm, false alarms pose a major obstacle in its accurate assessment.
In this work, we study the expected pre-image size for an iteration of functions and use the result to analyze the cost incurred by false alarms. We are able to present the expected online time complexities for the Hellman tradeoff and the rainbow table method in a manner that takes false alarms into account. We also analyze the effects of the checkpoint method in reducing false alarm costs.
The ability to accurately compute the online time complexities will allow one to choose their tradeoff parameters more optimally, before starting the expensive pre-computation process
The Function-Inversion Problem: Barriers and Opportunities
The task of function inversion is central to cryptanalysis: breaking block ciphers, forging signatures, and cracking password hashes are all special cases of the function-inversion problem. In 1980, Hellman showed that it is possible to invert a random function in time given only bits of precomputed advice about . Hellman's algorithm is the basis for the popular "Rainbow Tables" technique (Oechslin, 2003), which achieves the same asymptotic cost and is widely used in practical cryptanalysis.
Is Hellman's method the best possible algorithm for inverting functions with preprocessed advice? The best known lower bound, due to Yao (1990), shows that , which still admits the possibility of an attack. There remains a long-standing and vexing gap between Hellman's upper bound and Yao's lower bound. Understanding the feasibility of an algorithm is cryptanalytically relevant since such an algorithm could perform a key-recovery attack on AES-128 in time using a precomputed table of size .
For the past 29 years, there has been no progress either in improving Hellman's algorithm or in strengthening Yao's lower bound. In this work, we connect function inversion to problems in other areas of theory to (1) explain why progress may be difficult and (2) explore possible ways forward.
Our results are as follows:
- We show that *any* improvement on Yao's lower bound on function-inversion algorithms will imply new lower bounds on depth-two circuits with arbitrary gates. Further, we show that proving strong lower bounds on *non-adaptive* function-inversion algorithms would imply breakthrough circuit lower bounds on linear-size log-depth circuits.
- We take first steps towards the study of the *injective* function-inversion problem, which has manifold cryptographic applications. In particular, we show that improved algorithms for breaking PRGs with preprocessing would give improved algorithms for inverting injective functions with preprocessing.
- Finally, we show that function inversion is closely related to well-studied problems in communication complexity and data structures. Through these connections we immediately obtain the best known algorithms for problems in these domains.
- …