Introduction to Time Memory Tradeoffs
Jin Hong, SNU
2006 SNU-KMS Winter Workshop on Cryptography

Slide 2: Today, we hope to learn ...
Birthday paradox
Hellman tradeoff on blockciphers
Babbage and Golic birthday paradox based tradeoff on streamciphers
Biryukov-Shamir tradeoff on streamciphers
Recent developments

Slide 3: Birthday Paradox

Slide 4: Birthday paradox - layman's version
If you have 23 people in one room, it is a better bet that two of them share a birthday than that none do.
[Figure: probability of a shared birthday (0.00 to 1.00) plotted against the number of people (1 to 61).]

Slide 5: Birthday paradox - most cryptographers' version
Consider a box containing N numbered balls. If you take out N^{1/2} balls, one at a time, with replacement, then there is a large chance of seeing the same ball twice.

Slide 6: Birthday paradox - a more general version
Consider a set of size N, and two subsets of size A and B. If AB = N, there is a large chance that the two subsets intersect non-trivially.
[Figure: plot of (1+1/n)^n for n = 1, 2, 4, ..., 8192, vertical axis from 1.8 to 2.8.]

Slide 7: Hellman

Slide 8: Hellman tradeoff
Martin E. Hellman, A cryptanalytic time-memory trade-off. IEEE Trans. on Infor. Theory, 26 (1980).
A chosen-plaintext attack on the blockcipher DES.

Slide 9: Blockcipher
[Figure: block cipher taking an n-bit plaintext and a k-bit key to an n-bit ciphertext.]
A blockcipher is a parametrized family of permutations. Each k-bit key specifies a permutation on the set of n-bit strings.
Without knowledge of the key, it is not possible to obtain the plaintext from the ciphertext.
Slide 10: Using a blockcipher
[Figure: plaintext blocks encrypted one by one under the shared key, ciphertext blocks sent over the insecure channel and decrypted on the other side.]
The communicating parties share a common key through some other secure channel.
The long plaintext to be sent is broken into small blocks.
Each block is encrypted through the blockcipher using the common key.
The generated short ciphertext blocks are transmitted over the insecure channel.
The receiving party decrypts each ciphertext block using the common key to recover each plaintext block.
The plaintext blocks are concatenated to bring back the whole plaintext.

Slide 11: Attacking a blockcipher
[Figure: block cipher with n-bit plaintext, k-bit key and n-bit ciphertext.]
The number of possible keys is much smaller than the number of possible permutations on the space of plaintext blocks.
The key size is usually comparable to the plaintext size, and the number of permutations being used in any blockcipher is comparable to the number of ciphertext blocks.
Hence, in principle, a small number of plaintext-ciphertext pairs determines the key uniquely.
But blockciphers are (or should be) designed so that it is computationally infeasible to find the key from plaintext-ciphertext pairs.
If an adversary is successful in obtaining the key from a few plaintext-ciphertext pairs, it may be used to decrypt all other ciphertext blocks encrypted under the same key.

Slide 12: Chosen-plaintext attack on DES
[Figure: a fixed plaintext and the unknown key fed to DES, producing the ciphertext.]
DES: 56-bit key, 64-bit block.
The attacker is given the ciphertext corresponding to a plaintext of his choice.
The objective of the attacker is to find the key from the given ciphertext.
Note that the expected fraction of image points of a random mapping is (1 - 1/e) ≈ 0.632.

Slide 13: Two extreme attacks
Exhaustive search: Try all keys until the correct one is found. This takes quite a long time.
Table lookup: Pre-compute all (key, ciphertext) pairs. Sort the list according to the ciphertexts. Read off the answer from the dictionary as soon as the ciphertext is given. This requires quite a large amount of storage.

Slide 14: Tradeoff
We could come somewhere in the middle of the two extreme solutions through a tradeoff between online time and storage space.
Offline phase: Pre-compute all (key, ciphertext) pairs, and store a digest of the computation in a table smaller than the complete dictionary.
Online phase: Given a target, using the incomplete table, find the answer in time shorter than required for exhaustive search.

Slide 15: Notation
Denote DES encryption by C = E_K(P).
Define the reduction function R: (Z/2Z)^64 → (Z/2Z)^56 to be any fixed "choosing" of 56 bits from the 64 bits.
Fix a plaintext P_0 and define f: (Z/2Z)^56 → (Z/2Z)^56 by f(K) = R∘E_K(P_0).
The attacker's objective translates to that of finding K, given f(K) = R(C).

Slide 16: Hellman table
[Figure: m rows; row i starts at sp_i, applies f t times, and ends at ep_i.]

Slide 17: Hellman tradeoff
HT = {(sp_i, ep_i)}_i, sorted according to the second component.
For j = 0, ..., t-1, successively check whether the correct key belongs to the (t-j)th column by applying f to R(C) j times and checking for the existence of the result among the ep_i's.
If the key belongs to column t-j, it can be recovered from sp_i by applying f to it the appropriate number of times.

Slide 18: Questions?
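The offline and online phases of slides 14 to 17, written out as an added example (this is not code from the slides). It assumes a constructed toy in place of DES: 16-bit keys, a 32-bit one-way output g() built from truncated SHA-256 standing in for E_K(P_0), and a family of reduction functions R_i that mix in the table index so that each table uses its own f_i = R_i∘g. The lookup rebuilds a candidate from the start point and confirms it with g(), so the false alarms caused by f not being injective are counted rather than trusted.

```python
import hashlib

# Constructed toy setting: 16-bit "keys" and a 32-bit one-way output standing in
# for K -> DES_K(P0). Added illustration, not the slides' code.
KEY_BITS = 16
N = 1 << KEY_BITS


def g(key: int) -> int:
    """Stand-in for E_K(P0): 16-bit key -> 32-bit value (truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(key.to_bytes(2, "big")).digest()[:4], "big")


def reduce_to_key(c: int, table_idx: int) -> int:
    """Reduction R_i: 32-bit output -> 16-bit key space. Mixing in the table index
    gives each Hellman table its own f_i = R_i o g (constructed mixing constants)."""
    return (((c ^ (table_idx * 0x9E3779B1)) * 0x85EBCA6B) & 0xFFFFFFFF) >> 16


def f(key: int, table_idx: int) -> int:
    return reduce_to_key(g(key), table_idx)


def build_tables(t: int, m: int, num_tables: int):
    """Offline phase: num_tables tables, each with m chains of t applications of f_i.
    Start points are counters concatenated with the table number; endpoints map to
    a list of start points so that chains sharing an endpoint are not lost.
    Also returns the set of keys covered, to measure the success probability."""
    tables, covered = [], set()
    for i in range(num_tables):
        table = {}
        for row in range(m):
            sp = x = (i << 8) | row          # valid while num_tables, m <= 256
            for _ in range(t):
                covered.add(x)               # chain elements sp, x_1, ..., x_{t-1}
                x = f(x, i)
            table.setdefault(x, []).append(sp)
        tables.append(table)
    return tables, covered


def online_lookup(tables, c: int, t: int):
    """Online phase for target c = g(K). Walk from R_i(c) toward the chain ends;
    a hit at step j puts the key at position t-1-j of that chain, so rebuild it
    from the start point and confirm with g(). Returns (key or None, false alarms)."""
    false_alarms = 0
    for i, table in enumerate(tables):
        y = reduce_to_key(c, i)              # equals f_i(K) for the real key
        for j in range(t):
            for sp in table.get(y, []):
                cand = sp
                for _ in range(t - 1 - j):   # up to t applications of f per alarm
                    cand = f(cand, i)
                if g(cand) == c:
                    return cand, false_alarms
                false_alarms += 1            # f not injective: a false alarm
            y = f(y, i)
    return None, false_alarms


def demo():
    """t^2 m = N (matrix stopping rule) and t tables: T = t^2, M = tm, TM^2 = N^2."""
    t, m, num_tables = 32, 64, 32
    tables, covered = build_tables(t, m, num_tables)
    coverage = len(covered) / N              # fraction of the key space in some chain
    k = 0                                    # constructed target: 3 steps into chain 0 of table 0
    for _ in range(3):
        k = f(k, 0)
    found, alarms = online_lookup(tables, g(k), t)
    return coverage, found, alarms, found is not None and g(found) == g(k)


if __name__ == "__main__":
    cov, found, alarms, ok = demo()
    print(f"coverage {cov:.3f}, recovered key {found}, false alarms {alarms}, ok={ok}")
```

The coverage returned by demo() is the "number of distinct keys in the tables divided by N" of the success-probability slide; with t^2 m = N it lands well below 1, which is exactly why several tables with different reductions are needed.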
Slide 19: False alarm
[Figure: Hellman table, as on slide 16.]
Since f is not injective, the existence of f^j(R(C)) among the ep_i's does not guarantee that the correct key belongs to the (t-j)th column.
These false alarms cost t applications of f each, and their frequency is hard to analyze.

Slide 20: Success probability
Let N = 2^56 be the number of all keys.
The birthday paradox gives the matrix stopping rule: t^2 m = N.
Success probability = (# of distinct keys in HT)/N ≈ 0.8 tm/N (when t^2 m = N).
Success probability of t tables that use different reduction functions = 1 - (1 - tm/N)^t ≈ 1 - exp(-t^2 m/N) = 1 - 1/e.

Slide 21: Hellman tradeoff curve
Pre-computation time: P = t^2 m = N
Online time: T = t^2 (applications of f)
Storage: M = tm (sp-ep pairs)
Tradeoff curve: TM^2 = N^2
Conversely, given T and M satisfying TM^2 = N^2, setting t = T^{1/2} and m = M/t results in a tradeoff algorithm requiring time T and storage M.
If cost is measured as T + M, the optimal tradeoff point is T = M = N^{2/3}.
What we have discussed so far does not depend on the structure of DES. It is applicable to any one-way function.

Slide 22: Inversion problem
Inversion problem: Given a one-way function f: X → Y and a target point y ∈ Y, find any x ∈ X such that f(x) = y.
Exhaustive search: Try out each x ∈ X until we see an x with f(x) = y.
Table lookup: Pre-compute and store all (x, f(x)) pairs in a table (dictionary), sorted according to the second component. Read off the answer when the target point y ∈ Y is given.

Slide 23: Time-memory tradeoff
Offline phase: Pre-compute all (x, f(x)) pairs, and store a digest of the computation in a table smaller than the complete dictionary.
Online phase: Given a target, using the incomplete table, find the answer in time shorter than required for exhaustive search.

Slide 24: Hellman tradeoff summary
If the keyspace is of size N (DES: 2^56), for any set of values P, T, and M satisfying
TM^2 = N^2, P = N,
one may find the key in online time T using offline pre-computation time P and storage of size M for the table (e.g., T = M = N^{2/3}).
Hellman's algorithm may be used on arbitrary one-way functions.

Slide 25: Tweaks to Hellman's Methods

Slide 26: Distinguished points
Rivest, before 1982 (according to a book by Denning).
Distinguished point example: a binary string starting with 10 zeros.
To create each row of the Hellman table, the function f is iterated until a pre-defined distinguished point is reached. The length of the rows is variable.
This removes much of the table lookup time during the online phase.

Slide 27: Rainbow tables
Philippe Oechslin, Making a Faster Cryptanalytic Time-Memory Trade-Off. Crypto 2003.
[Figure: m rows; row i starts at sp_i and applies f_1, f_2, f_3, ..., f_{t-1}, f_t in turn, ending at ep_i.]

Slide 28: Rainbow tables
In a way, t Hellman tables correspond to one rainbow table.
Compared to the original Hellman method, rainbow tables use half the online time for the same storage.
Using 1.4GB of data (two CD-ROMs), the rainbow table method cracks 99.9% of all alphanumerical MS-Windows password hashes in 13.6 seconds.

Slide 29: Checkpoints
G. Avoine, P. Junod, P. Oechslin, Time-memory trade-offs: False alarms detection using checkpoints. Indocrypt 2005.
[Figure: Hellman table, as on slide 16.]
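The rainbow table of slides 27 and 28 as an added example (not the slides' or Oechslin's code), in the same constructed toy setting as above: 16-bit keys, a truncated-SHA-256 stand-in g() for the one-way function, and a reduction R_col that now changes with the column instead of with the table. The lookup makes visible where the "half the online time" comes from: trying column j costs t-1-j evaluations, so an unsuccessful search over all columns costs t(t-1)/2 evaluations instead of the t^2 that t Hellman tables need.

```python
import hashlib

# Constructed toy setting, as in the Hellman example: 16-bit keys, 32-bit outputs.
KEY_BITS = 16
N = 1 << KEY_BITS


def g(key: int) -> int:
    """Stand-in for the one-way function to invert (truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(key.to_bytes(2, "big")).digest()[:4], "big")


def reduce_col(c: int, col: int) -> int:
    """Column-dependent reduction R_col (constructed mixing); f_col = R_col o g."""
    return (((c ^ (col * 0x9E3779B1)) * 0x85EBCA6B) & 0xFFFFFFFF) >> 16


def f_col(x: int, col: int) -> int:
    return reduce_col(g(x), col)


def build_rainbow(t: int, m: int):
    """Offline phase: m chains x_0 = sp, x_{j+1} = f_j(x_j) for j = 0..t-1,
    stored as endpoint -> [start points] (the sorted (sp, ep) list of the slides)."""
    table = {}
    for sp in range(m):                      # counter start points
        x = sp
        for col in range(t):
            x = f_col(x, col)
        table.setdefault(x, []).append(sp)
    return table


def rainbow_lookup(table, c: int, t: int):
    """Online phase for target c = g(K). If K sits in column j, then R_j(c) = x_{j+1}
    and applying f_{j+1}, ..., f_{t-1} reaches the endpoint. Trying j = t-1 down to 0
    costs 0 + 1 + ... + (t-1) = t(t-1)/2 walking evaluations of g in total.
    Returns (key or None, false alarms, walking evaluations)."""
    false_alarms = evaluations = 0
    for j in range(t - 1, -1, -1):
        y = reduce_col(c, j)
        for col in range(j + 1, t):
            y = f_col(y, col)
            evaluations += 1
        for sp in table.get(y, []):
            cand = sp
            for col in range(j):             # rebuild x_j from the start point
                cand = f_col(cand, col)
            if g(cand) == c:
                return cand, false_alarms, evaluations
            false_alarms += 1                # endpoint matched, key did not
    return None, false_alarms, evaluations


def demo():
    """One rainbow table with t = 32 columns and m = 2048 rows: the same storage
    (M = 2048 endpoints) as 32 Hellman tables of 64 rows each."""
    t, m = 32, 2048
    table = build_rainbow(t, m)
    k = 0                                    # constructed target: chain 0, column 3
    for col in range(3):
        k = f_col(k, col)
    found, alarms, evals = rainbow_lookup(table, g(k), t)
    return found, alarms, evals, found is not None and g(found) == g(k)


if __name__ == "__main__":
    found, alarms, evals, ok = demo()
    print(f"recovered key {found}, false alarms {alarms}, walking evaluations {evals}, ok={ok}")
```

Because every column uses a different reduction, two chains only merge when they collide in the same column, which is why one rainbow table of mt rows behaves like t Hellman tables of m rows.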
Slide 30: Other neat tricks
Starting points need not be random. For the original Hellman method, they could be small counters concatenated with table numbers. This results in storage savings. (This is an argument against the usefulness of rainbow tables.)
After sorting, the endpoints that are close together have common significant bits. This also leads to storage savings.

Slide 31: Digression

Slide 32: Are tradeoffs meaningful?
Tradeoff algorithms require exhaustive search. How can such a thing be a meaningful attack?
In constrained environments, systems of marginal security are used. With tradeoff attacks, the security level is meaningfully reduced.
Low (short-term) security may be all one wanted. With tradeoff attacks, the security of these systems may turn out to be lower than what was expected.
Your neighbor may be incapable of exhaustive search, but a network of hackers may have gotten together and published the needed table. Your adversary may have had such help from a third party.
As soon as exhaustive search is possible by someone, one cannot be sure of the security level provided by the affected system.

Slide 33: Affordable tradeoffs (www.rainbowcrack-online.com)
They have huge tables that implement Oechslin's tradeoff algorithm and will recover passwords on a subscription basis.
Password hashing schemes based on MD5, LanManager, SHA1, Cisco PIX, NTLM, MySQL-323, MySQL-SHA1, and MD4 are served, and they also sell these tables.
LanManager case details:

Slide 34: Babbage, Golic

Slide 35: Babbage Golic tradeoff
S. H. Babbage, Improved exhaustive search attacks on stream ciphers. European Convention on Security and Detection, 1995.
J. Dj. Golić, Cryptanalysis of alleged A5 stream cipher. Eurocrypt'97.
Attack on streamciphers.
Slide 36: Streamcipher
[Figure: the internal state repeatedly passed through the filter function (emitting a few keystream bits) and the state update function.]
A streamcipher is a pseudorandom bit stream generator. The following two steps are repeated:
The filter function is applied to the internal state to produce a short bit sequence.
The internal state is updated.
Each initial internal state, i.e., an element of (Z/2Z)^s, specifies a long bit sequence (keystream).

Slide 37: Using a streamcipher
[Figure: the shared internal state on both sides, the long keystream added to the plaintext, and the ciphertext sent over the insecure channel.]
1. The communicating parties share a common initial internal state through some other secure channel.
2. A long keystream is generated from the common internal state.
3. The plaintext is added onto the carrier keystream.
4. The generated ciphertext is transmitted over the insecure channel.
5. The receiving party generates the same keystream from the shared initial state.
6. The plaintext is recovered from the ciphertext by "subtracting" the keystream from the ciphertext.

Slide 38: Attacking a streamcipher
[Figure: the internal state producing the keystream, with one keystream segment marked.]
Anything that allows recovery of the whole keystream from a partial keystream segment is a successful attack.
An appropriate length of keystream segment determines the starting internal state uniquely.
But streamciphers are designed so that it is computationally infeasible to recover the starting internal state from a finite keystream segment.

Slide 39: The crucial discovery
[Figure: several keystream segments, each with its own corresponding internal state.]
Given a long keystream, it suffices to find the internal state corresponding to any one of the keystream segments.
Once a state is recovered, the cipher may be run forward to obtain the future keystream.

Slide 40: Two extreme solutions
Exhaustive search: Try all possible internal states until a known keystream segment is produced. With N possible states and D keystream segments, N/D tries are expected until an answer is found.
Table lookup: Pre-compute enough (state, keystream segment) pairs. Sort the list according to the keystream segments. When D keystream segments are given, look for them in the table and read off the answer. N/D pairs should be pre-computed and stored.

Slide 41: Babbage Golic tradeoff
If the number of possible states is N, and the online target data set will be of size D, for any set of values P, T, M, and D satisfying
TM = N, P = M ≥ N/D,
one may find the key in online time T using offline pre-computation time P, storage of size M for the table, and online data of size D (e.g., T = M = D = N^{1/2}).
This birthday paradox based method does not depend on the structure of streamciphers, and hence may be used to invert arbitrary one-way functions.

Slide 42: Attack restatement in terms of one-way functions
Let there be N possible internal states.
Define the one-way function f: internal state → (ln N) bits of keystream.
The attacker's objective translates to that of finding any one of the internal states corresponding to any one of the keystream segments.
Multi-target inversion: Given a one-way function f: X → Y and a target set S ⊂ Y, find at least one x ∈ X such that f(x) ∈ S.

Slide 43: Biryukov, Shamir

Slide 44: Hellman review
Go back to pages 24 and 16.

Slide 45: Birthday + Hellman
There is no reason we cannot apply the Hellman table method to the streamcipher situation.
This time, we have the advantage of not having to cover the whole search space.
During the offline phase, it suffices to deal with only N/D internal states.
Slide 46: Birthday + Hellman
Single target:
Offline coverage P = N, t tables
Online time T = t·t = t^2
Storage M = m·t = mt
Tradeoff curve TM^2 = N^2
Multiple targets:
Offline coverage P = N/D, t/D tables
Online time T = t·(t/D)·D = t^2
Storage M = m·(t/D) = mt/D
Tradeoff curve TM^2 D^2 = N^2

Slide 47: BS-tradeoff
[Figure: internal state, state update and keystream, with keystream segments and their corresponding internal states.]
A. Biryukov and A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers. Asiacrypt 2000.
A combination of the Hellman tradeoff and the birthday paradox based tradeoff.

Slide 48: BS-tradeoff
If the state size is N, and the online target data set will be of size D, for any set of values P, T, M, and D satisfying
TM^2 D^2 = N^2, P = N/D, D^2 ≤ T,
one may find the key in online time T using offline pre-computation time P, storage of size M for the table, and online data of size D (e.g., T = M = N^{1/2}, D = N^{1/4}).
The Biryukov-Shamir tradeoff algorithm does not depend on the structure of streamciphers, and hence may be used to invert arbitrary one-way functions.

Slide 49: TMD-tradeoff theory summary
Even though not made explicit in the original works, the tradeoff algorithms can be applied to arbitrary one-way functions.
Assume a one-way function to be inverted acting on a search space of size N.
For situations where the single target inversion problem is applicable, there is a tradeoff algorithm of online complexity N^{2/3}.
For situations where the multiple target inversion problem is applicable, there is a tradeoff algorithm of online complexity N^{1/2}.
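The two multi-target attacks of slides 39 to 42 (Babbage-Golic) and 45 to 48 (Biryukov-Shamir), as one added example that is not code from the slides or from either paper. The stream cipher is a constructed toy, not any real cipher: a 16-bit state driven by a Fibonacci LFSR with a small nonlinear output filter, so N = 2^16 and the one-way function f of slide 42 maps a state to its next 16 keystream bits. targets_from() is the crucial discovery of slide 39: D + 15 observed keystream bits give D overlapping targets. The Babbage-Golic part stores M plain (f(s), s) pairs; the Biryukov-Shamir part builds t/D Hellman tables over f that together cover only N/D states, and the mixing constants in reduce_state() are assumptions of this example. A candidate state is accepted only after it regenerates the rest of the observed keystream, which is also how the recovered state is then "run forward".

```python
import random

# Constructed toy stream cipher (added illustration, not a real design): 16-bit
# state, Fibonacci LFSR taps 16,14,13,11 clocked once per bit, nonlinear filter.
N_BITS = 16
N = 1 << N_BITS


def clock(state: int):
    """One step: returns (keystream bit, next state)."""
    out = (state ^ ((state >> 3) & (state >> 7))) & 1
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return out, ((state >> 1) | (fb << 15)) & 0xFFFF


def keystream(state: int, n: int) -> list:
    bits = []
    for _ in range(n):
        b, state = clock(state)
        bits.append(b)
    return bits


def state_after(state: int, steps: int) -> int:
    for _ in range(steps):
        _, state = clock(state)
    return state


def bits_to_int(bits) -> int:
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def f(state: int) -> int:
    """The one-way function of slide 42: state -> the next N_BITS keystream bits."""
    return bits_to_int(keystream(state, N_BITS))


def targets_from(observed) -> list:
    """Slide 39: D + 15 observed bits give D overlapping 16-bit segments, each a target."""
    return [bits_to_int(observed[p:p + N_BITS]) for p in range(len(observed) - N_BITS + 1)]


def verified(state: int, pos: int, observed) -> bool:
    """Accept a candidate only if it regenerates every observed bit from position pos on."""
    return keystream(state, len(observed) - pos) == observed[pos:]


# Babbage-Golic: M stored (f(s), s) pairs and D targets; MD = N makes a hit likely.
def bg_build(states):
    table = {}
    for s in states:
        table.setdefault(f(s), []).append(s)
    return table


def bg_attack(table, observed):
    for pos, target in enumerate(targets_from(observed)):
        for s in table.get(target, []):
            if verified(s, pos, observed):
                return pos, s                # the cipher can now be run forward
    return None


# Biryukov-Shamir: Hellman chains over f covering about N/D states, in t/D tables.
def reduce_state(c: int, table_idx: int) -> int:
    return (((c ^ (table_idx * 0x9E3779B1)) * 0x85EBCA6B) & 0xFFFFFFFF) >> 16


def bs_build(t: int, m: int, num_tables: int):
    tables = []
    for i in range(num_tables):
        table = {}
        for row in range(m):
            sp = x = (i * m + row + 1) & (N - 1)   # counters, avoiding the all-zero state
            for _ in range(t):
                x = reduce_state(f(x), i)
            table.setdefault(x, []).append(sp)
        tables.append(table)
    return tables


def bs_attack(tables, observed, t: int):
    """Hellman online phase once per target; a hit at step j means the state sits
    at position t-1-j of that chain, rebuilt from the start point and verified."""
    for pos, target in enumerate(targets_from(observed)):
        for i, table in enumerate(tables):
            y = reduce_state(target, i)
            for j in range(t):
                for sp in table.get(y, []):
                    cand = sp
                    for _ in range(t - 1 - j):
                        cand = reduce_state(f(cand), i)
                    if verified(cand, pos, observed):
                        return pos, cand
                y = reduce_state(f(y), i)
    return None


def demo(seed: int = 1, d: int = 16):
    """N = 2^16, D = 16. Babbage-Golic: M = N/D = 4096 stored states, T = D lookups.
    Biryukov-Shamir: t/D = 2 tables of 64 chains x 32 steps (t^2 m = N), coverage N/D,
    T = t^2 = 1024, M = mt/D = 128, so TM^2 D^2 = 2^10 * 2^14 * 2^8 = N^2."""
    rng = random.Random(seed)
    observed = keystream(rng.randrange(1, N), d + N_BITS - 1)
    bg = bg_attack(bg_build(rng.randrange(1, N) for _ in range(N // d)), observed)
    bs = bs_attack(bs_build(t=32, m=64, num_tables=2), observed, 32)
    return bg, bs
```

Both attacks in demo() succeed only with the birthday-bound probability (roughly 1 - 1/e), which is the point of the parameter choice: halving the stored data or the observed keystream halves the odds, and a state space of 2^s bits only buys about s/2 bits of security against these generic attacks.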
Slide 50: Tradeoff on Streamciphers Revisited

Slide 51: Using a streamcipher
[Figure: as on slide 37: shared internal state, long keystream added to the plaintext, ciphertext over the insecure channel.]

Slide 52: Another tradeoff on (old) streamciphers
[Figure: key → key setup → internal state → keystream, with the keystream prefix marked.]
The target one-way function is {key} → {keystream prefix}.
Assume the keystream prefix is exposed due to the protocol.
Once the key is found, the rest of the keystream is exposed.
Example: An attacker wants to give one particular popular mobile telecom system a bad reputation. It suffices for him to decrypt any one message.
In some situations, a multiple data tradeoff is possible.
Even with the single data tradeoff, the online complexity of the attack corresponds to 2/3 of the key size.
This attack works irrespective of the internal state size.

Slide 53: Another tradeoff on (recent) streamciphers
[Figure: key and IV → key setup → internal state → keystream, with the keystream prefix marked.]
The attacker wants to attack one particular user. Assume a fixed user key with a variable IV.
The target one-way function is {(key, IV)} → {keystream prefix}.
It suffices to obtain any one (key, IV) pair. If found, all other sessions can be decrypted.
Assume the keystream prefix is exposed due to the protocol.
A multiple data tradeoff is possible. The online complexity of the attack is half of the key size.
This attack works irrespective of the internal state size.

Slide 54: Example: eSTREAM (ECRYPT Stream Cipher Project)
Profile 2 must accommodate 80-bit keys and at least one of 32-bit or 64-bit IVs.
BS-tradeoff on 80-bit key / 32-bit IV:
TM^2 D^2 = N^2, P = N/D, D^2 ≤ T
N = 2^112, T = 2^64, M = 2^50, D = 2^30, P = 2^82
Doing 2^82 key setups as pre-computation, one prepares a table containing 2^50 data points. Then, given 2^30 keystream prefixes, the key can be recovered using 2^64 key setups.
These numbers are large, but small enough to be considered a threat.

Slide 55: Tradeoff on Blockciphers Revisited

Slide 56: Using a blockcipher
[Figure: as on slide 10: plaintext blocks encrypted under the shared key, ciphertext blocks sent over the insecure channel.]

Slide 57: Blockcipher mode of operation
[Figure: blockcipher under a key, with an IV.]

Slide 58: Another tradeoff on blockciphers
[Figure: fixed plaintext1 and fixed plaintext2 encrypted under the key with an IV, giving ciphertext1 and ciphertext2.]
Assume a chosen plaintext scenario with a multi-block chosen plaintext.
Assume a fixed key and a variable IV.
The target one-way function is {(key, IV)} → {ciphertext blocks}.
It suffices to obtain any one (key, IV) pair. If found, all other sessions can be decrypted.
Assume multiple ciphertexts corresponding to the fixed chosen plaintext and different IVs are available due to the protocol.
A multiple data tradeoff attack is possible.

Slide 59: Another tradeoff on blockciphers
[Figure: as on slide 58.]
In CBC, any ciphertext block may be thought of as an IV for the subsequent encryption.
Multiple data is possible even from a single session.
The online complexity of the attack is half of the key+IV size.
If the block size is smaller than the key size, security is less than the key size.

Slide 60: Another tradeoff on blockciphers
[Figure: as on slide 58, with the IV input taken from the previous ciphertext block.]
In CBC, any ciphertext block may be thought of as an IV for the subsequent encryption.
Multiple data is possible even from a single session.
The online complexity of the attack is half of the key+IV size.
If the block size is smaller than the key size, security is less than the key size.

Slide 61: Another tradeoff on blockciphers
[Figure: CBC chain of fixed plaintext blocks, each ciphertext block serving as the IV for the next encryption.]
Text as on slide 59.

Slide 62: Example: 3GPP A5/3
A 128-bit key, 64-bit blockcipher KASUMI in a modified OFB mode is used.
But the IV is a 22-bit counter and the key is a double copy of a single 64-bit key.
Only 228 bits of keystream are used for each key/IV.
BS-tradeoff: the target one-way function is {(key, IV)} → {keystream prefix}.
TM^2 D^2 = N^2, P = N/D, D^2 ≤ T
N = 2^86, T = 2^43, M = 2^43, D = 2^21.5, P = 2^64.5

Slide 63: TMD-tradeoff is a Versatile Tool

Slide 64: Summary
The Hellman family of TMD tradeoff techniques can be used to invert generic one-way functions.
It is possible to apply them to various situations other than those in which each algorithm was originally applied, and also in many different ways.

Slide 65: Questions?