BACHELOR THESIS
Monika Seidlová
Department of Algebra
Prague 2012
I would like to thank my supervisor RNDr. Michal Hojsík, Ph.D. for his advice,
ideas, comments and especially for all the time he put into proof-reading and
consulting with me.
I declare that I carried out this bachelor thesis independently, and only with the
cited sources, literature and other professional sources.
I understand that my work relates to the rights and obligations under the Act
No. 121/2000 Coll., the Copyright Act, as amended, in particular the fact that
the Charles University in Prague has the right to conclude a license agreement
on the use of this work as a school work pursuant to Section 60 paragraph 1 of
the Copyright Act.
Introduction
In this bachelor thesis, we will look at a certain method of attack on block and
stream ciphers. Assume a chosen plaintext attack on a block cipher. The attacker
chooses an arbitrary but fixed plaintext P0 . The person being attacked is using a
secret key K to encrypt plaintexts. The attacker obtains a ciphertext C0 , which
is an encryption of P0 with the key K. She could have obtained C0 by passively
eavesdropping on an encrypted communication, where she knew an encryption of
P0 would be transmitted, or she could have directly requested the encryption of
P0 . Once she has C0 , she tries to find the key K. We always assume that the
attacker knows the cipher used and is able to encrypt and decrypt with it.
One attack she can perform is exhaustive search of the key. In an exhaustive
search, she tries encrypting P0 with all the possible keys. After each encryption,
she checks if the ciphertext matches C0 . Another possible strategy is for her to
do all the encrypting beforehand and save key-ciphertext pairs in a large table.
Once she obtains C0 , she searches for it in the table. This method is called
table lookup. An advantage of table lookup over exhaustive search is that the
precomputed table can be used in more than one attack and a lookup is
much faster than an exhaustive search, which takes a very long time. However, a
disadvantage of table lookup is that it requires a large amount of memory.
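The two baseline strategies can be sketched in a few lines of Python. The 16-bit "block cipher" below is a hypothetical stand-in built from SHA-256, not a real cipher; it only serves to make T and M concrete.

```python
import hashlib

N_BITS = 16                         # toy key space: N = 2**16 keys

def encrypt(key: int, plaintext: bytes) -> int:
    """Stand-in block cipher: hash key || plaintext, keep 16 bits."""
    digest = hashlib.sha256(key.to_bytes(2, "big") + plaintext).digest()
    return int.from_bytes(digest[:2], "big")

P0 = b"chosen plaintext"
K = 0x1234                          # the victim's secret key
C0 = encrypt(K, P0)

def exhaustive_search(c0: int) -> int:
    """T = N encryptions, M = 1: try every key until one matches."""
    for k in range(2 ** N_BITS):
        if encrypt(k, P0) == c0:
            return k

# Table lookup: precompute all N pairs once (M = N), then T = 1 per attack.
table = {encrypt(k, P0): k for k in range(2 ** N_BITS)}

# Both strategies recover *a* key encrypting P0 to C0 (in this toy cipher
# several keys may map P0 to the same ciphertext).
assert encrypt(exhaustive_search(C0), P0) == C0
assert encrypt(table[C0], P0) == C0
```

The dictionary stands in for the sorted key-ciphertext table; a real attack would keep it on disk and binary-search it.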
A time-memory tradeoff attack is a compromise between exhaustive search
and table lookup. There is always a precomputation phase and an attack phase
in a time-memory tradeoff attack. During the precomputation phase, the attacker
does many encryptions and saves some of the results in a table. The attack phase
begins when she obtains C0 . She uses the data from the precomputed table and
she performs additional computations. The precomputation phase is performed
once and takes a very long time, whereas the attack phase can be repeated on
another C0′ (encryption of P0 with a different key) and should be fast.
Let M denote the total amount of random access memory required to hold
the precomputed data. The unit of M is usually a word – a string of symbols of
a certain length. Let T denote the computation time required during the real-time
phase of the attack and let P denote the computation time required during the
precomputation phase. The unit of T and P is one computational step. For
example, one encryption or one simple operation like addition can be considered
one computation step. Assume that the space of keys has N elements. Then in
an exhaustive search, we have T = N and M = 1. Conversely, in table lookup,
we have T = 1 and M = N . In time-memory tradeoff attacks, there is a
time-memory curve, which defines the relation between T , M and N . For example,
in the first time-memory tradeoff attack we will describe, the time-memory curve
is T M^2 = N^2 . T and M can be chosen by the attacker, as long as they lie on
the curve.
In the first chapter, we will describe the original time-memory tradeoff attack
on block ciphers proposed by Martin Hellman in 1980. The description is followed
by some suggestions for modification. The second chapter concerns the
rainbow table attack, which is a newer time-memory tradeoff attack on block
ciphers. The second chapter also contains a description of a new attack that
we propose. The new attack, called r-coloured rainbows, is an adaptation of
Hellman’s attack inspired by the rainbow table attack. These three attacks have
a lot in common and that allows us to compare their properties.
The third chapter will explain how time-memory tradeoff attacks can be ap-
plied to stream ciphers. Due to the different construction of stream ciphers, the
attack is not a chosen plaintext attack, but a known plaintext attack. In time-
memory tradeoff attacks on stream ciphers, the attacker can use more obtained
data than just one ciphertext. Therefore, a new parameter D is introduced. D
denotes the amount of data obtained during the attack. In an attack on a block
cipher, D = 1. The fourth chapter will provide an example of an attack on a
specific cipher A5/1, which is a stream cipher used in GSM telephones to encrypt
calls.
In a time-memory tradeoff attack, the birthday paradox is often used to show
how much data should be stored in memory to achieve a certain probability of
success of the attack. We will use the corollary of the following theorem several
times.
Theorem 1 (birthday paradox). Let A and B be two randomly chosen subsets of
a set with N elements such that |A| = α√N and |B| = β√N . Then the probability
p that A and B intersect satisfies

p → 1 − e^(−αβ) , N → +∞ .

Corollary. If the subsets are chosen so that

|A| · |B| = N
α√N · β√N = N
α · β = 1 ,

then from Theorem 1, the probability that A and B intersect is

p → 1 − e^(−1) ≈ 0.63 , N → +∞ .
1. Hellman’s time-memory tradeoff attack
Definition 3. A block cipher is an ordered quintuple (P, C, K, E, D), such that
1. P is a finite set of plaintexts,
2. C is a finite set of ciphertexts,
3. K is a finite set of keys,
4. E = {EK : P → C | K ∈ K} is a set of encryption maps,
5. D = {DK : C → P | K ∈ K} is a set of decryption maps,
6. ∀K ∈ K ∀x ∈ P : DK (EK (x)) = x.
Martin Hellman [1] described a time-memory tradeoff attack on block ciphers.
It is a chosen plaintext attack, so for a plaintext chosen by the attacker, she
obtains its encryption. Her goal is to find the key used to encrypt the chosen
plaintext to get the ciphertext. If she succeeds, she can decrypt all ciphertexts
encrypted with that one key. Assume a block cipher (P, C, K, E, D) and assume
that P = C = {0, 1}^nc and K = {0, 1}^nk for some nc , nk ∈ N. Hellman explained
his attack for nc > nk . For now, we will accept this assumption. We will discuss
a modification of the attack for nc = nk later in the chapter.
The attacker randomly chooses m elements from the set of keys K = {0, 1}^nk .
These m keys are called starting points and are denoted SPi , i = 1, . . . , m. The
function f is iterated on each of the starting points t times. The attacker defines
values Xi,j ∈ K = {0, 1}^nk in the following manner:
Xi,0 := SPi for i = 1, . . . , m
Xi,j := f (Xi,j−1 ) for j = 1, . . . , t, i = 1, . . . , m .
[Figure 1.1: The function f : the key K is used to encrypt the fixed plaintext P0
with the block cipher, and the reduction function R maps the resulting ciphertext
C0 into the key space, giving f (K) = R(EK (P0 )).]
She denotes the end points of the iteration EPi := Xi,t for i = 1, . . . , m. The
iterations of f yield the following chains of keys (values from K):
SP1 = X1,0 −f→ X1,1 −f→ · · · −f→ X1,t−1 −f→ X1,t = EP1
SP2 = X2,0 −f→ X2,1 −f→ · · · −f→ X2,t−1 −f→ X2,t = EP2
⋮
SPm = Xm,0 −f→ Xm,1 −f→ · · · −f→ Xm,t−1 −f→ Xm,t = EPm
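The precomputation phase can be sketched as follows (a toy 16-bit key space; E, R and f are hypothetical stand-ins, with E built from SHA-256 and R a simple truncation):

```python
import hashlib
import random

NK = 16                                    # toy key size, N = 2**16
P0 = b"P0"

def E(key: int) -> bytes:
    """Stand-in for the encryption of the fixed plaintext P0 under `key`."""
    return hashlib.sha256(key.to_bytes(2, "big") + P0).digest()

def R(ciphertext: bytes) -> int:
    """Reduction function: map a ciphertext back into the key space."""
    return int.from_bytes(ciphertext[:2], "big")

def f(key: int) -> int:
    return R(E(key))

def precompute(m: int, t: int, seed: int = 0) -> dict[int, int]:
    """Build one Hellman table: m chains, each t iterations of f.
    Only the pairs (SP_i, EP_i) are stored, keyed by EP_i for fast lookup."""
    rng = random.Random(seed)
    table = {}
    for _ in range(m):
        sp = rng.randrange(2 ** NK)        # starting point SP_i
        x = sp
        for _ in range(t):                 # X_{i,j} = f(X_{i,j-1})
            x = f(x)
        table[x] = sp                      # end point EP_i -> SP_i
    return table

table = precompute(m=100, t=10)
```

Storing EP → SP in a dictionary plays the role of the table of pairs sorted by end point; M is the number of stored pairs.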
1. If Y1 = EPi for some i ∈ {1, . . . , m}, then either

• K = Xi,t−1 , or

• K ≠ Xi,t−1 , and a so-called false alarm has occurred,
because EPi has more than one preimage.

To determine which is the case, the attacker reconstructs the ith chain
from SPi to get the value of Xi,t−1 . From the definition of Xi,j , it is clear
that Xi,t−1 = f^(t−1)(SPi ). She checks whether Xi,t−1 is the key, i.e. whether
C0 = EXi,t−1 (P0 ). If she has found the key, the attack is done. If not, a
false alarm has occurred.
2. If ∀i : Y1 ≠ EPi or a false alarm has occurred, then the key is not in the
second last column of B. The attacker computes Y2 = f (Y1 ).

With one operation, she checks whether Y2 = EPi for some i. If Y2 = EPi for
some i, then Xi,t−2 is the key or a false alarm has occurred. If ∀i : Y2 ≠ EPi or
there was a false alarm, then Y3 = f (Y2 ) is computed. Unless she finds the key,
the attacker computes Y2 , Y3 , Y4 , . . . , Yt and performs the checks described above.
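The attack phase in steps 1 and 2 can be sketched like this (same hypothetical toy cipher as before: E built from SHA-256, R a truncation, f = R ∘ E; the small demo at the end plants the key inside one chain):

```python
import hashlib

NK, P0 = 16, b"P0"

def E(key: int) -> bytes:          # hypothetical E_K(P0)
    return hashlib.sha256(key.to_bytes(2, "big") + P0).digest()

def R(c: bytes) -> int:            # hypothetical reduction function
    return int.from_bytes(c[:2], "big")

def f(key: int) -> int:
    return R(E(key))

def attack(c0: bytes, table: dict[int, int], t: int):
    """Search one Hellman table for the key that encrypted P0 to c0."""
    y = R(c0)                              # Y_1 = R(C0)
    for j in range(1, t + 1):              # Y_j checks column t - j
        if y in table:                     # Y_j = EP_i for some i?
            x = table[y]                   # reconstruct the ith chain ...
            for _ in range(t - j):         # ... up to candidate X_{i,t-j}
                x = f(x)
            if E(x) == c0:                 # real key, or a false alarm?
                return x
        y = f(y)                           # Y_{j+1} = f(Y_j)
    return None                            # key not in this table

# demo: one chain of length t, with the "secret key" planted inside it
t, sp = 8, 12345
chain = [sp]
for _ in range(t):
    chain.append(f(chain[-1]))
table = {chain[-1]: sp}                    # the chain's (EP, SP) pair
K = chain[t - 3]                           # pretend this entry is the key
assert attack(E(K), table, t) == K
```

The `E(x) == c0` check is exactly the false-alarm test from step 1: a hit on an end point only proves the chains merged, not that the candidate is the key.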
Hellman’s attack is described as a chosen plaintext attack. However, if used
on a block cipher in ECB (Electronic Code Book) mode, it can be a ciphertext-
only attack. The attacker chooses P0 as a plaintext block, which she expects
will be contained in a plaintext frequently. For example, P0 may be a sequence
of blanks in ASCII or a file header. The attacker searches the ciphertext for
repeating blocks and assumes that one of the blocks which repeat is enciphered
P0 . She applies the attack on all the repeating blocks. The memory required for
the ciphertext-only attack remains the same as for the original chosen plaintext
attack. If there are c different blocks which repeat, the computation time increases
at most by a factor of c.
where 1 is the indicator function of an event and an entry is said to be new if its
value is not present in the previous rows nor in the previous entries of its row.
where Ai,j denotes the set of entries present in the table up to the entry Xi,j .
Clearly,

(N − |Ai,0 |)/N > (N − |Ai,0 | − 1)/N > · · · > (N − it)/N .
By combining the bounds, we get that

Pr(Xi,j is new) ≥ ((N − it)/N )^(j+1) .
Together, we have

P (S) ≥ (1/N ) · Σ_{i=1}^{m} Σ_{j=0}^{t−1} ((N − it)/N )^(j+1) .    (1.2)
Assume a large fixed N . For m, t such that mt^2 ≪ N , the terms added on
the right side of (1.2) are all close to 1 and the bound can be rewritten as

P (S) ≥ m·t/N .
From (1.1) we see that m·t/N is also an upper bound for P (S), because in general,
not all the entries are distinct. Therefore, for mt^2 ≪ N , increasing m or t will
increase P (S).
Substituting x := N , w := j/N , y := −it into the approximation
(1 + y/x)^(x·w) ≈ exp(y · w), we get that for N → ∞

((N − it)/N )^j = (1 + (−it)/N )^(N · j/N ) ≈ exp(−ijt/N ) .
Using exp(−mt^2 /N ) to approximate exp(−ijt/N ) gives that for mt^2 ≫ N , most
terms will be small and not add much to the lower bound of P (S). Hellman
concluded that the optimal values of m and t are such that mt^2 = N . If m, t are
both large and satisfy mt^2 = N , then numerical approximation gives
(1/N ) · Σ_{i=1}^{m} Σ_{j=0}^{t−1} ((N − it)/N )^(j+1) ≈ 0.80 · mt/N .
Hellman neglects the 0.80 factor. Then for m, t such that mt^2 = N ,

P (S) ≈ mt/N = (N/t)/N = 1/t ,
which is small. For that reason, the attacker computes t different tables Bl . Each
table Bl is computed using a different reduction function Rl and the corresponding
function fl (K) = Rl (EK (P0 )). During the attack, the attacker tries to find the key in one table
after another until she succeeds or she has tried all the tables. Since the cycle
structure varies among the different functions Rl , a collision of entries in two
tables does not imply that the successive entries in the same row will also collide.
This is very important for guaranteeing that more tables will yield better coverage
of the key space.
The memory required for the attack, M , is the number of (SPi , EPi ) pairs
stored, which is the number of rows per table times the number of tables. Thus,
M = m · t. The computation time during the attack, T , is the number of op-
erations per table times the number of tables, i.e. T = t^2 . The time needed
during precomputation, P , is the number of rows per table times the number of
operations per row times the number of tables, i.e. P = m · t · t = N .
amount of data available during the attack, D, is one, because the attacker gets
only one ciphertext C0 . Together,
T M^2 = t^2 · m^2 t^2 = m^2 t^4 = (m t^2 )^2 = N^2 .
As a result, the time-memory tradeoff curve for this attack is T M 2 = N 2 .
Hellman suggested using the point M = T = N^(2/3) on the tradeoff curve.
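The parameter bookkeeping above can be checked on a toy example (the concrete values of N, m, t below are hypothetical, chosen so that m·t^2 = N):

```python
# Toy parameter check for Hellman's tradeoff with m * t**2 == N.
N = 2 ** 24
t = 2 ** 8                 # number of tables = chain length = t
m = N // t ** 2            # rows per table, so that m * t**2 == N
M = m * t                  # memory: (SP, EP) pairs = rows * tables
T = t * t                  # time: t operations per table * t tables
P = m * t * t              # precomputation: rows * chain length * tables

assert m * t ** 2 == N
assert T * M ** 2 == N ** 2        # the tradeoff curve TM^2 = N^2
assert P == N
assert M == T == 2 ** 16           # here M = T = N**(2/3)
```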
It still needs to be shown that the false alarms, which may occur during the
attack, do not significantly increase the computation time. The following theorem
due to Hellman gives an upper bound for the expected number of false alarms.
Theorem 6. The expected number of false alarms per table tried, E[F ], is bounded
by
E[F ] ≤ mt(t + 1)/(2N ) .    (1.3)
Proof. Let Fi,j be the event that a false alarm has occurred as a result of Yj = EPi .
Then
E[F ] = Σ_{i=1}^{m} Σ_{j=1}^{t} Pr(Fi,j ) .
The event Yj = EPi occurs if the chain K → Y1 → · · · → Yj−1 generated from
the key merges into the ith chain, i.e. if one of the j equalities

K = Xi,t−j , Y1 = Xi,t−j+1 , . . . , Yj−1 = Xi,t−1

holds. Each of these equalities holds with probability at most 1/N , hence
Pr(Fi,j ) ≤ j/N . Therefore
E[F ] ≤ Σ_{i=1}^{m} Σ_{j=1}^{t} j/N = mt(t + 1)/(2N ) .
a reduction, but a function that maps the key space into itself. It is advantageous
for the attacker to choose R as a simple bijection on {0, 1}^nk , such as a reordering
of the bits. The properties of the function
E(·) (P0 ) : K → C
K ↦ EK (P0 )
depend on the block cipher attacked. Generally, we cannot be sure that, for a
given P0 ,
(EK1 (P0 ) = EK2 (P0 )) ⇒ (K1 = K2 ) .
In other words, E(·) (P0 ) may not be injective for some P0 . However, a secure
block cipher with nk = nc should have this property for all P0 ∈ P. If we assume
that E(·) (P0 ) is injective and that R is a bijection, then their composition f is also
injective. Once we know that f is injective, the attack is simplified, because
chains of iterations of f do not merge and so false alarms do not occur.
During the attack phase, when Yj = EPi for some j ∈ {1, . . . , t} and
i ∈ {1, . . . , m}, then necessarily, Xi,t−j is the key, since no false alarm could
have occurred. There is no need to check whether C0 = EXi,t−j (P0 ). More im-
portantly, the ith row of B is reconstructed only when it really contains the key,
which happens at most once during the attack. In the original attack, the ith
row was reconstructed each time a false alarm occurred. From Theorem 6, the
increase in expected computation time due to false alarms is at most 50 percent.
This increase is avoided in the attack where nk = nc .
∀i ∈ {1, . . . , m} : EPi ∈ Su

for a fixed chosen u. Along with the starting points and end points, the attacker
saves the length of the longest chain in the lth table, denoted tl . If two different
starting points lead to the same end point, a merge of the two chains must have
occurred. In that case, one of the chains can be disregarded and replaced by
another chain with a new starting point, in order to guarantee a table free of
merges. A collision among end points is discovered at no additional cost as the
end points must be sorted.
The attacker should choose the value of 1 ≤ u < nk so that the average length
of a chain is t. We use the birthday paradox. For an arbitrary but fixed i, put
A := {Xi,0 , Xi,1 , . . . , Xi,t } and B := Su . Function fl is random on the space of
N = 2^nk keys, therefore A is a random subset of {0, 1}^nk . B is not a random
subset of {0, 1}^nk , but its elements are independent of those in set A. |A| = t,
unless the chain is looped, which we will discuss later. |B| = |Su | = 2^(nk−u) = N/2^u .
From the birthday paradox, if |A| · |B| = N , then the probability that A ∩ B ≠ ∅
is approximately 0.63. When A ∩ B ≠ ∅, it means that the chain in A contains
a special point, which is what we want.
|A| · |B| = N
t · N/2^u = N
t/2^u = 1
t = 2^u
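Chain generation with special points can be sketched under the same toy assumptions (16-bit keys, f built from SHA-256; S_u is taken to be the keys whose u most significant bits are zero):

```python
import hashlib
import random

NK, U = 16, 4                  # special points S_u: u = 4 leading zero bits
P0 = b"P0"

def f(key: int) -> int:        # hypothetical f(K) = R(E_K(P0))
    d = hashlib.sha256(key.to_bytes(2, "big") + P0).digest()
    return int.from_bytes(d[:2], "big")

def is_special(x: int) -> bool:
    """x lies in S_u iff its u most significant bits are all zero."""
    return x >> (NK - U) == 0

def make_chain(sp: int, max_len: int):
    """Iterate f from sp until a special point is reached; abandon chains
    that run far beyond the expected length t = 2**u (probably a loop)."""
    x = sp
    for length in range(1, max_len + 1):
        x = f(x)
        if is_special(x):
            return x, length   # (EP in S_u, chain length)
    return None                # abandoned

rng = random.Random(1)
chains = []
while len(chains) < 50:
    result = make_chain(rng.randrange(2 ** NK), max_len=20 * 2 ** U)
    if result is not None:
        chains.append(result)

# every stored chain ends in a special point; lengths scatter around 2**u
assert all(is_special(ep) for ep, _ in chains)
```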
1. if ∃i ∈ {1, . . . , m} : Yj = EPi then the ith row of the table either contains
the key or a false alarm has occurred;
For each table, the attacker computes Yj for j = 1, . . . , tl , unless she has already
found the key.
It is advantageous for the attacker to restrict the maximum length of a chain
during precomputation. Firstly, if fl is iterated more than a multiple of t times,
without coming across a special point, then due to the birthday paradox, it is
likely that the chain is in a loop. In that case, the chain should be abandoned
and another random starting point used. Secondly, assume a table contains one
or a few very long chains and the rest of the chains are considerably shorter – for
example, they have less than j̄ entries for some j̄ ∈ {1, . . . , tl /2}. Then computing
Yj for j = j̄, . . . , tl during the attack is wasteful, because it searches for the key
only in the few chains longer than j̄.
There is one difficulty during the attack. Since chains vary in length within
a table, when the attacker has Yj = EPi , she does not know at which position in
the ith chain the key candidate is. She needs to find the key candidate and verify
whether it is a false alarm. In the original publication [2], it is not specified how
to deal with this. We propose two options:
• She saves, along with each pair (SPi , EPi ), the number ti,l of iterations
of fl used on SPi to get EPi . When Yj = EPi during the attack, the key
candidate is fl^(ti,l −j) (SPi ). The advantage of this option is that a false
alarm is found within ti,l − j steps. The disadvantage is that the size of
each word of memory increases from two numbers lower than N to two
numbers lower than N and one number approximately t, where t would
often be chosen as N^(1/3) .
• She does not save the number of iterations of fl used on SPi to get EPi
during the precomputation. When Yj = EPi during the attack, the attacker
uses the starting point SPi = Xi,0 as a key in encryption of P0 to check
whether it is the key used to get C0 . Thus, if EXi,0 (P0 ) = C0 then she has
found the key and is done. If not, she applies the reduction function to
EXi,0 (P0 ) and gets R(EXi,0 (P0 )) = Xi,1 . She checks whether Xi,1 ∈ Su . If
Xi,1 is a special point, then, from the construction of the chains, she knows
Xi,1 = EPi , which means that a false alarm occurred. If Xi,1 is not a special
point, she continues the search and checks whether Xi,1 is the key. If not,
she applies the reduction to get Xi,2 and so on. The reason she must always
check whether the point she obtained is special is that, if she did not and a
false alarm had occurred, she could enter an endless cycle. The advantage
is that this method requires no additional memory. The disadvantage is
that, in the case of a false alarm, the entire chain is reconstructed.
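The second option can be sketched as follows (same toy assumptions as before; `verify` walks the chain from SP_i, returning the key if it appears before the terminating special point and reporting a false alarm otherwise):

```python
import hashlib

NK, U, P0 = 16, 4, b"P0"

def E(key: int) -> bytes:          # hypothetical E_K(P0)
    return hashlib.sha256(key.to_bytes(2, "big") + P0).digest()

def f(key: int) -> int:            # hypothetical f = R o E
    return int.from_bytes(E(key)[:2], "big")

def is_special(x: int) -> bool:    # S_u = keys with u leading zero bits
    return x >> (NK - U) == 0

def verify(sp: int, c0: bytes, max_len: int):
    """Walk the chain from SP_i: return the key used to produce c0,
    or None once the special end point is reached (a false alarm)."""
    x = sp
    for _ in range(max_len):
        if E(x) == c0:             # is x the key?
            return x
        x = f(x)                   # next chain entry
        if is_special(x):          # reached EP_i without finding the key
            return None            # false alarm
    return None

# demo: find a starting point whose chain has interior entries
def chain_from(sp: int, cap: int = 500):
    xs = [sp]
    while len(xs) <= cap and not is_special(xs[-1]):
        xs.append(f(xs[-1]))
    return xs

sp = 1
xs = chain_from(sp)
while len(xs) < 4 or not is_special(xs[-1]):
    sp += 1
    xs = chain_from(sp)
K = xs[1]                          # plant the "key" inside the chain
assert verify(sp, E(K), 500) == K  # found before the special point
```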
2. Rainbow tables and r-coloured rainbows
2.1 The rainbow table attack
Again, assume a block cipher (P, C, K, E, D) and assume that P = C = {0, 1}^nc
and K = {0, 1}^nk for nc , nk ∈ N such that nc > nk . Philippe Oechslin [3]
described a modification of Hellman’s attack, which yields the same time-memory
tradeoff curve, is twice as fast during the attack phase and has the advantages
of sampling. Oechslin proposed to precalculate one large mt × t table instead of
Hellman’s t tables of size m × (t + 1) each. He called his table a rainbow table.
Although Oechslin described his modification for an mt × t table, we will present
his idea on an mt × (t + 1) table in order to be in correspondence with Hellman’s
parameters.
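A rainbow chain can be sketched as follows (toy 16-bit key space again; E is a hypothetical SHA-256 stand-in, and the column-dependent reductions R_j simply add the column index j, which is one common way to derive many reduction functions from one):

```python
import hashlib
import random

NK, P0 = 16, b"P0"

def E(key: int) -> bytes:          # hypothetical E_K(P0)
    return hashlib.sha256(key.to_bytes(2, "big") + P0).digest()

def R(j: int, c: bytes) -> int:
    """Column-dependent reduction R_j: mix the column index j in."""
    return (int.from_bytes(c[:2], "big") + j) % (2 ** NK)

def f(j: int, key: int) -> int:    # f_j = R_j o E_(.)(P0)
    return R(j, E(key))

def rainbow_chain(sp: int, t: int) -> int:
    """X_0 = SP; X_j = f_j(X_{j-1}); return EP = X_t."""
    x = sp
    for j in range(1, t + 1):
        x = f(j, x)
    return x

# one rainbow table: mt chains of length t + 1, stored as (EP -> SP)
rng = random.Random(0)
t, mt = 16, 200
table = {}
for _ in range(mt):
    sp = rng.randrange(2 ** NK)
    table[rainbow_chain(sp, t)] = sp
```

Because each column uses a different f_j, two chains that collide in different columns do not merge, which is the property the rest of this chapter exploits.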
Unless she finds the key, the attacker computes
Figure 2.1: The bold dots represent points in the ciphertext space. By E(·) , it is
meant that the function E(·) (P0 ) is applied to the previous point of the key space.
[Diagram: on the left, t of Hellman’s tables, each with m chains of t + 1 entries
X^l_{i,0} , . . . , X^l_{i,t} built by iterating the single function fl ; on the right,
one rainbow table with mt chains of t + 1 entries, in which the functions
f1 , f2 , . . . , ft are applied in succession along each chain.]
Figure 2.2: One rainbow table, as well as t classical tables, contains mt chains of
length t + 1; both use t functions fj , but in a different arrangement.
2.3 Advantages over Hellman’s attack
Oechslin’s attack has many advantages. Firstly, when neglecting false alarms,
the number of calculations during the attack phase in the worst case, when all
columns are searched, is
1 + 2 + 3 + · · · + (t − 1) + t = t(t + 1)/2 .
Hellman’s attack requires t^2 calculations in the worst case. Therefore, Oechslin’s
attack roughly halves the computation time.
Secondly, rainbow tables have the same advantages over Hellman’s method
that Rivest’s sampling has:
• If two chains in a rainbow table merge, the end points of the chains are
the same and the merge can easily be detected during precomputation. By
replacing one of the merging chains with a new one, the attacker achieves
a table free of merges at little additional precomputation effort.
• A rainbow table cannot contain any loops, because each successive function
fj applied to the points in one chain is different. Thus, rainbow tables are
free of loops, just as tables with sampling are, but without the additional
precomputation effort required to replace loops.
mt^2 points. Therefore, each table must have m · r rows. Thus, the attacker
precomputes t/r tables of size mr × (t + 1), where m, t, r, such that 1 ≤ r ≤ t
and r | t, are parameters of the attack.
following:
Y1 := Rr (C0 )
Y2 := fr (Rr−1 (C0 ))
Y3 := fr (fr−1 (Rr−2 (C0 )))
⋮
Yr−1 := fr (fr−1 (. . . (f3 (R2 (C0 ))) . . . ))
Yr := fr (fr−1 (. . . (f3 (f2 (R1 (C0 )))) . . . ))
Yr+1 := fr (fr−1 (. . . (f3 (f2 (f1 (Rr (C0 ))))) . . . ))
Yr+2 := fr (fr−1 (. . . (f3 (f2 (f1 (fr (Rr−1 (C0 )))))) . . . ))
⋮
Yt−1 := fr (. . . (fr (. . . . . . (fr (. . . (f3 (R2 (C0 ))) . . . )) . . . . . . )) . . . )
Yt := fr (. . . (fr (. . . . . . (fr (. . . (f3 (f2 (R1 (C0 )))) . . . )) . . . . . . )) . . . )
1 + 2 + 3 + · · · + (t − 1) + t = t(t + 1)/2 .
It is the same computation time as for one rainbow table. However, in our
r-coloured rainbows attack, she has t/r tables, not just one. Therefore, the new
attack would be quite inefficient. Fortunately, an improvement can be made in
the calculation. Notice that
Yqr+p = hq (Yp )
computes Y1 , . . . , Yt in the following order to utilize the above observation.
Y1 = Rr (C0 )
Yr+1 = h(Y1 )
Y2r+1 = h(Yr+1 )
⋮
Yt−r+1 = h(Yt−2r+1 )

Y2 = fr (Rr−1 (C0 ))
Yr+2 = h(Y2 )
Y2r+2 = h(Yr+2 )
⋮

⋮
Yr = fr (fr−1 (. . . (f3 (f2 (R1 (C0 )))) . . . ))
Y2r = h(Yr )
⋮
Yt−r = h(Yt−2r )
Yt = h(Yt−r )
With the improvement, the computation time for one table, in the worst case
when all Yj are calculated, is

t · r − r(r − 1)/2 .
The function h is a composition of r functions and we count it as r operations.
If each Yj were computed with function h, then the computation required for
Y1 , Y2 , . . . , Yt would be t · r. But Y1 , Y2 , . . . , Yr require only (r + 1)/2 computations
each on average, which is why r(r − 1)/2 is subtracted. The computation time for
all t/r tables is

T = (t/r) · (t · r − r(r − 1)/2) = t^2 − t(r − 1)/2 .
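The worst-case count per table can be checked by direct summation; a quick sketch, counting one application of any single f_l as one step:

```python
def ops_per_table(t: int, r: int) -> int:
    """Y_1, ..., Y_r cost 1, 2, ..., r steps (h cannot be used for them);
    each of Y_{r+1}, ..., Y_t costs one application of h, i.e. r steps."""
    assert t % r == 0
    return sum(range(1, r + 1)) + (t - r) * r

# agrees with the closed form t*r - r*(r-1)/2 for all admissible r | t
for t in (12, 24, 60):
    for r in (1, 2, 3, 4, 6, 12):
        assert ops_per_table(t, r) == t * r - r * (r - 1) // 2
```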
Figure 2.3: Worst-case attack times for Hellman’s tables and for r-coloured
rainbows with different values of r. With r = 1 (t Hellman’s tables):
T1 = t^2 . With r = t/6 (6 tables): T2 = 6 · (t · r − r(r − 1)/2) = 11t^2/12 + t/2.
With r = t/2 (2 tables): T3 = 2 · (t · r − r(r − 1)/2) = 3t^2/4 + t/2. With r = t
(1 rainbow table): T4 = t(t + 1)/2 = t^2/2 + t/2.
For r-coloured rainbows,

T = t^2 − t(r − 1)/2 ,
we see that the closer r is to t, the smaller T is. This corresponds with the
observation that in Figure 2.3, for t > 6, T1 > T2 > T3 > T4 . Therefore, our new
attack is not better, in terms of computation time, than a rainbow table, but it
is better than Hellman’s attack.
One of the main advantages of a rainbow table over Hellman’s tables is that
it requires fewer hard disk accesses during the attack. Hellman’s attack requires
t^2 disk operations. Rainbow tables require only t disk operations. Our r-coloured
rainbows attack requires
t · (t/r) = t^2 /r
disk operations. Therefore, for a fixed t, our attack reduces the number of disk
operations by a factor of r when compared to Hellman’s. With regards to the
number of disk operations, our attack is again not better than a rainbow table,
but it is better than Hellman’s attack.
Another property of the attack that should be compared is the coverage of the
key space. The tables in all three attacks contain mt^2 points in the first t columns.
If a collision among two entries in r-coloured rainbows occurs, it causes a merge
only if the next functions applied are the same. In one chain, one specific function
fl is applied t/r times and there are m · r chains in a table. The other tables do
not use fl at all. Therefore, a merge results from a collision only if the colliding
entries are in the same group of mr · (t/r) = mt entries, which corresponds to a
fixed fl . Thus, collisions cause merges in r-coloured rainbows equally often as in
Hellman’s tables and a rainbow table.
Merges in r-coloured rainbows can be detected by colliding end points only
if the merge occurred in the same column. Assume there are two entries in a
table colliding and causing a merge; then the entries must be in the same group
of t/r columns. Therefore, only r/t of the merges start in the same column and
can be detected and removed during precomputation. Again, this is better than
Hellman’s inability to detect any merges and it is worse than being able to detect
all merges in a rainbow table.
Loops can occur in r-coloured rainbows, but only if two entries in the same
row, which are a multiple of r positions apart, collide. As a result, the length
of a loop in r-coloured rainbows is always a multiple of r. Parameter r bounds
the length of loops from below. In Hellman’s attack, a loop occurs when any two
entries in one row collide and a loop can be of any length. Therefore, loops occur
r times less frequently in r-coloured rainbows than in Hellman’s attack and their
length is bounded from below.
From the above discussion, it is clear that r-coloured rainbows with t/r tables
of size mr × (t + 1) have better coverage than Hellman’s t tables of size m × (t + 1)
and worse coverage than an mt × (t + 1) rainbow table. Thus, the probability
of success of r-coloured rainbows is also in between the probability of success of
Hellman’s attack and the rainbow table attack.
So far, for every property of the attack that we inspected, the r-coloured rain-
bows perform better than the original attack and worse than a rainbow table. Do
r-coloured rainbows bring anything new and better than the other two attacks?
Yes, they may. Recall function h:
h = fr ◦ fr−1 ◦ · · · ◦ f2 ◦ f1 .
When calculating the computation time T , we assumed function fl is one
computation step and so h is r computation steps. However, if the cryptosystem
attacked were such that it allowed an efficient implementation of h,
the r-coloured rainbows attack would improve. The fact that the attacker can
choose the reduction function Rl in each fl may help her implement h efficiently.
Assume the attacker is able to reduce the computation steps needed to apply
function h from r steps to r/c steps, for some c ≤ r. Function h is different for
every table, so assume the attacker is able to efficiently implement all t/r func-
tions h. Then the computation time for one table is
(t − r) · (r/c) + r(r + 1)/2 .
The first term counts the steps needed to calculate Yr+1 , . . . , Yt , which uses func-
tion h. The second term is the number of calculations needed for Y1 , . . . , Yr ,
where h is not used. The t/r tables require
(t/r) · ((t − r) · (r/c) + r(r + 1)/2)
= t(t − r)/c + t(r + 1)/2
= t^2 /c − t·r/c + t(r + 1)/2
computations. When neglecting the second and third terms, where only t and not
t^2 appears, the computation time can be reduced by a factor of c in comparison
with Hellman’s time. This is a much greater improvement than the reduction by
2 achieved by a rainbow table.
With the efficient implementation of function h, the precomputation in the
r-coloured rainbows attack is also c times faster than in the other two attacks.
The original precomputation time
mr · t · (t/r) = mt^2 = N
is the same as with Hellman’s attack or a rainbow table. The efficient precom-
putation time is
mr · (t/c) · (t/r) = mt^2 /c = N/c .
3. Time-memory tradeoff attacks on stream ciphers
Time-memory tradeoff attacks can be performed not only on block ciphers, but
on stream ciphers as well.
The internal state of a synchronous stream cipher is initialized with the key
K ∈ K and an initialization vector IV ∈ I by an initialization function g0 , i.e.
s0 = g0 (K, IV ). Function g, which maps a state to another state, produces an
endless sequence of states (s0 , s1 , s2 , . . . ) with the formula
sh+1 = g(sh ) .
The keystream is an endless sequence of symbols (z0 , z1 , z2 , . . . ). Function F
maps a state to one symbol of the keystream:
zh = F (sh ) .
In an additive synchronous stream cipher, a plaintext stream p ∈ P is encrypted
by adding it with the keystream: ch = ph + zh . The set of plaintexts is the set of
all finite length sequences of symbols from A (i.e. A*) and the set of ciphertexts
C is also A*. Figure 3.1 shows the structure of an additive synchronous stream
cipher.
In this chapter, we assume that A = Z2 (+, 0) and K = Σ = {0, 1}^n for some
n ∈ N. Denote N = 2^n the number of all internal states. Also assume that the
attacker knows functions g0 , g and F and does not know the key nor the internal
state at any moment.
[Figure 3.1: the initialization function g0 maps the key K and the initialization
vector IV to the initial state; g updates the internal state sh ; the output
function maps sh to the keystream symbol zh , which is added to the plaintext
symbol ph to produce the ciphertext symbol ch .]
zh = ph ⊕ ch
zh+1 = ph+1 ⊕ ch+1
⋮
If the attacker is able to invert the function f for any one of the keystream seg-
ments of length n that she has available, then she can decrypt the ciphertext that
follows. Once she has one internal state sh , she can compute the successive states
using the known function g and use them to generate the rest of the keystream
with F . Notice that in this attack, it is not her goal to find the key K, because
she does not need it for decryption. However, for stream ciphers with g and g0
invertible, she can compute K if she knows the number of iterations of g applied
thus far.
In the precomputation phase, the attacker randomly chooses m distinct points
from the space of states {1, . . . , N } and denotes them SPi for i ∈ {1, . . . , m}. She
computes EPi := f (SPi ). She saves the pairs (SPi , EPi ) for i = 1, . . . , m sorted
by EPi in random access memory as in the previously described attacks.
In the attack phase, the attacker obtains a segment of the keystream, which is
D+n−1 bits long. D denotes the amount of data available during the attack (the
n − 1 is neglected). There are D partially overlapping subsegments of length n of
the obtained segment. Denote the subsegments Z1 , . . . , ZD . The attacker checks
whether Z1 = EPi for some i ∈ {1, . . . , m}. If so, then she uses the corresponding
internal state SPi to generate more of the keystream and verifies whether a false
alarm has occurred or whether SPi is the real internal state. If Z1 fails to produce
the internal state, the attacker tries Z2 , then Z3 , etc.
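This attack can be sketched on the toy stream cipher structure used above (g and F are hypothetical SHA-256 stand-ins; f maps a state to the first n keystream bits it generates):

```python
import hashlib
import random

N_BITS = 16                        # toy state space: N = 2**16

def g(s: int) -> int:              # hypothetical state update
    return int.from_bytes(hashlib.sha256(s.to_bytes(2, "big")).digest()[:2], "big")

def F(s: int) -> int:              # hypothetical output function
    return s & 1

def prefix(s: int, n: int = N_BITS) -> tuple:
    """f(s): the first n keystream bits generated from state s."""
    out = []
    for _ in range(n):
        out.append(F(s))
        s = g(s)
    return tuple(out)

# precomputation: m random states, stored as pairs (f(SP_i) -> SP_i)
rng = random.Random(0)
m = 4096
table = {}
for _ in range(m):
    sp = rng.randrange(2 ** N_BITS)
    table[prefix(sp)] = sp

def attack(stream: list):
    """Slide a window of n bits over the captured keystream: the D
    subsegments Z_1, ..., Z_D each cost one memory access."""
    n = N_BITS
    for h in range(len(stream) - n + 1):
        z = tuple(stream[h : h + n])
        if z in table:
            # in practice the attacker generates further keystream from
            # table[z] to rule out a false alarm; this sketch returns it
            return table[z]
    return None

# demo: capture keystream generated from a state that was precomputed
s0 = next(iter(table.values()))
captured = list(prefix(s0, 40))    # D + n - 1 = 40 captured bits
found = attack(captured)
assert found is not None and prefix(found) == tuple(captured[:N_BITS])
```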
The amount of memory used M is the number of (SPi , EPi ) pairs, which is
m. In order for the attack to be successful, at least one of the D subsegments
Zj must collide with one of the M values EPi . From the birthday paradox, if
DM = N , then the two sets intersect with probability approximately 0.63.
In the attack, T = D, because, in the worst case, the attacker accesses memory
once for each of Z1 , . . . , ZD . The time-memory tradeoff curve is therefore T M = N .
The precomputation time is the same as the memory needed, i.e. P = M . The
attacker may choose not to use all the data D; in that case, 1 ≤ T ≤ D.
Notice the difference between the time-memory tradeoff attack on a stream
cipher and the attacks described earlier on block ciphers. The attacks on block
ciphers were chosen plaintext attacks: the attacker chose one P0 , precomputed
her tables for that P0 and then she needed an encryption of P0 to be able to
perform the attack. It is not clear how she could use more ciphertexts in one
attack to speed up the attack or increase its probability of success.
The attack on stream ciphers is unlike this. It is a known plaintext attack,
which is stronger. The precomputation is done without the use of any fixed P0 .
The precomputed values depend only on functions g and F , which are constant
for a specific stream cipher. Once she has the precomputed data, she can use it to
attack encryptions of various plaintexts. More importantly, she can use more data
in one attack to raise her probability of success. It seems that the construction
of stream ciphers makes them more vulnerable to time-memory tradeoff
attacks.
which maps the stream cipher internal state sh to the first n bits of the keystream
generated from that state by F . As in the BG attack, the attacker has D + n − 1
consecutive bits of the keystream and her goal is to invert function f on any of
the D segments of n bits. The attack uses tables of iterations of f as in Hellman’s
attack. Define
fl (s) := Rl (f (s)), s ∈ {0, 1}^n ,

where Rl : {0, 1}^n → {0, 1}^n is a simple bijection. Note that fl is not necessarily
a bijection, because f is not injective. In each table, a different function fl is
used.
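To make the construction concrete, here is a minimal sketch in Python. The bijection Rl is taken to be XOR with the table index l, which is one simple choice (the text only requires some simple bijection), and f is a toy stand-in for the real keystream map:

```python
def make_f_l(f, l, n):
    """Return f_l = R_l o f, where R_l XORs the n-bit output with l --
    one simple choice of the bijection R_l."""
    mask = l & ((1 << n) - 1)
    return lambda s: f(s) ^ mask

# Toy stand-in for the keystream map f on n = 8 bits.
n = 8
def f(s):
    return (s * s + 1) % (1 << n)

f0 = make_f_l(f, 0, n)
f3 = make_f_l(f, 3, n)
# Different tables iterate different functions, so their chains differ:
chain0 = [f0(5), f0(f0(5))]
chain3 = [f3(5), f3(f3(5))]
```

Because each table uses its own fl, a point covered in one table's chains is generally not covered in another's, which is exactly why multiple tables increase coverage.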
The precomputation and attack phase are exactly as described by Hellman,
with one exception. During the attack phase, the attacker has D keystream seg-
ments, whereas in the original attack on block ciphers there is only one ciphertext
C0. The attacker executes the attack phase on each of Z1, . . . , ZD in turn, stopping as soon as she succeeds.
For Biryukov and Shamir’s attack to be successful, one of Z1 , . . . , ZD must
be present in one of the tables without the first column. Therefore, the coverage
of the tables without the first column can be reduced from N to N/D. This
is from the birthday paradox. The set {Z1 , . . . , ZD } and the set of all but first
column entries in the tables are both subsets of {1, . . . , N } and the latter is chosen
uniformly at random. In order for the two sets to intersect with probability
approximately 0.63, the product of their cardinalities must be N. We have

D · (N/D) = N.
Therefore, the coverage should be N/D. From Hellman, we know that t tables of size m × (t + 1), for m, t such that mt² = N, are optimal for a coverage of N points. To achieve a coverage of N/D points, fewer tables or smaller tables may be used.
Figure 3.2 summarizes the options for reducing the coverage and shows which option reduces the required time and memory the most. The time required during the attack, T, is the number of columns in each table minus one, times the number of tables, times the amount of available data D. The amount of memory required, M, is the product of the number of rows and the number of tables. From Figure 3.2, we see that for D > 1 option 3) is the best, because T3 = T1 < T2 and M3 = M2 < M1. The fact that 2) has a worse computation time than 1) and 3) can also be seen from the observation that computing fl(Zj) is one operation during the attack and reveals whether the real internal state is in one of the m entries of a table; for m′ < m, that one operation reveals less information. Therefore, in Biryukov and Shamir's attack, t/D tables of size m × (t + 1) are precomputed, for m, t such that D | t and mt² = N. The random access memory needed for the attack is M = mt/D and the computation time is T = t². The precomputation time P is the number of rows, times the number of columns minus one, times the number of tables, thus P = m · t · t/D = N/D. If D | t, then t ≥ D and thus D² ≤ T ≤ N. For m, t such that mt² = N and D | t, the parameters M, T and D satisfy the following relationship:

T M² D² = t² · (mt/D)² · D² = m² t⁴ = N².
The authors suggested using the parameters m = t = N^(1/3), which yields P = T = N^(2/3) and M = D = N^(1/3) as a particular point on the tradeoff curve.
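The suggested point on the curve can be verified with a few lines of integer arithmetic; N here is a toy value chosen so that N^(1/3) is an integer:

```python
# Sanity-check the tradeoff curve T M^2 D^2 = N^2 at the suggested
# point m = t = D = N^(1/3), for a toy N = 2^48.
N = 2**48
m = t = D = 2**16           # N^(1/3)

assert m * t * t == N       # Hellman's condition m t^2 = N
T = t * t                   # attack time t^2 = N^(2/3)
M = (m * t) // D            # memory m t / D = N^(1/3)
P = m * t * (t // D)        # precomputation N / D = N^(2/3)

assert T * M**2 * D**2 == N**2
assert P == N // D
```

All the assertions hold, confirming that this parameter choice sits on the curve T M² D² = N² with P = T = N^(2/3) and M = D = N^(1/3).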
[Figure 3.2: Options for reducing the coverage from N to N/D points. The full scheme uses t tables of m rows and t + 1 columns, with T = t · t · D = t² · D and M = m · t. Assuming D | t and D | m, there are 3 basic options: 1) shorten every chain to t/D + 1 columns, giving T1 = (t/D) · t · D = t² and M1 = m · t; 2) reduce every table to m/D rows, giving T2 = t · t · D = t² · D and M2 = (m/D) · t = mt/D; 3) keep only t/D of the tables, giving T3 = t · (t/D) · D = t² and M3 = m · (t/D) = mt/D.]
must prepare a table of (SPi, EPi) pairs such that EPi is a special keystream segment for each i ∈ {1, . . . , M}. The only way to achieve that is to keep generating random starting points, applying the function f and checking whether the end point is special, until M pairs with special end points are generated. This trial-and-error method makes the precomputation very costly.
Every 2ᵘ-th point from {1, . . . , N} is special. To precompute M pairs with special end points, M · 2ᵘ trials during precomputation would be necessary on average. Thus, P = M · 2ᵘ, instead of the original P = M. The attack time is reduced from T = D to T = D/2ᵘ, because, from the obtained data, only the special points are used. From the birthday paradox, to achieve approximately 0.63 probability of collision between the M special end points and the D/2ᵘ obtained special points, M and D must satisfy

M · D/2ᵘ = N/2ᵘ.
Thus, the memory-data tradeoff is M D = N for any u. To find a time-precomputation tradeoff, consider T P:

T P = (D/2ᵘ) · M · 2ᵘ = DM = N.

Together, T P = M D = N, for 1 ≤ T ≤ D/2ᵘ. It is interesting to note that sampling changed the original time-memory tradeoff T M = N into two independent tradeoffs: the time-precomputation tradeoff T P = N and the memory-data tradeoff M D = N.
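A toy numeric check of how sampling splits the original tradeoff (the parameter values below are illustrative, chosen so that all divisions come out even):

```python
# Toy illustration of how special-point sampling turns T M = N into the
# two independent tradeoffs T P = N and M D = N.
N = 2**32
u = 4                   # every 2^u-th point is special
M = 2**20
D = 2**12               # chosen so that M * D = N

T = D // 2**u           # only the special points of the data are used
P = M * 2**u            # trial-and-error cost of special end points

assert M * D == N
assert T * P == N
```

Note that u drops out of both products: increasing u shifts cost from attack time T to precomputation P without changing either tradeoff.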
Secondly, Biryukov and Shamir described how sampling would affect the tradeoff of their attack on stream ciphers. Recall the tradeoff T M² D² = N² for D² ≤ T ≤ N. In the case of Biryukov and Shamir's attack, sampling can be done in the same way as described for Hellman's attack. The precomputation time remains N/D, as without sampling. The memory needed stays the same at M = mt/D, as well. The computation time T also stays unaffected at t². Together, the tradeoff of the attack with sampling remains T M² D² = N² for D² ≤ T ≤ N. The difference is that, with sampling, the hard disk is accessed only t times during the attack, as opposed to t² times.
4. Time-memory tradeoff attacks
on A5/1
This chapter gives a summary of two time-memory tradeoff attacks on the stream
cipher A5/1 described by Alex Biryukov, Adi Shamir and David Wagner in [7].
[Figure 4.1: The three shift registers R1, R2 and R3 of A5/1, with marked bit positions (R1: 18, 17, 16, 13, 8, 0; R2: 21, 20, 10, 0; R3: 22, 21, 20, 10, 7, 0), the clocking taps C1, C2 and C3, and the output bit zh.]
predecessors (i, j − 1, k − 1), (i − 1, j, k − 1), (i − 1, j − 1, k) and (i − 1, j − 1, k − 1).
Not all the possible predecessors necessarily lead to state (i, j, k): a state can have anywhere from none to four predecessors. Therefore, running the clocking backwards amounts to a tree exploration.
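The tree structure of backward clocking can be observed on a scaled-down model. The sketch below uses a toy majority-clocked cipher with assumed register lengths and taps (not the real A5/1 parameters) and inverts the clocking by brute force:

```python
from collections import defaultdict

# Toy A5/1-style cipher, small enough to enumerate fully. Register
# lengths, feedback taps and clocking taps here are illustrative
# assumptions, not the real A5/1 parameters (19, 22, 23).
LEN = (5, 4, 4)
FEED = ((4, 1), (3, 0), (3, 1))    # feedback tap positions per register
CLK = (2, 2, 1)                    # clocking tap position per register

def step(state):
    """Clock the toy cipher once using the majority (stop/go) rule."""
    regs = list(state)
    clk = [(regs[r] >> CLK[r]) & 1 for r in range(3)]
    maj = 1 if sum(clk) >= 2 else 0
    for r in range(3):
        if clk[r] == maj:          # only agreeing registers move
            fb = 0
            for tap in FEED[r]:
                fb ^= (regs[r] >> tap) & 1
            regs[r] = ((regs[r] << 1) | fb) & ((1 << LEN[r]) - 1)
    return tuple(regs)

# Brute-force inversion: group every state by its successor. Each
# successor has at most four predecessors (one per clocking pattern),
# and states never reached here have none, so clocking backwards
# explores a tree rather than a single path.
preds = defaultdict(list)
for a in range(1 << LEN[0]):
    for b in range(1 << LEN[1]):
        for c in range(1 << LEN[2]):
            preds[step((a, b, c))].append((a, b, c))

max_preds = max(len(v) for v in preds.values())
```

The brute-force table confirms the counting argument in the text: each state is reached by at most the four clocking patterns listed above.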
The BG attack is used to find an internal state which produces the keystream that the attacker obtained. The function f that the attacker wants to invert is a map from the set of all states {0, 1}⁶⁴ to {0, 1}⁵¹, the set of keystream prefixes of length 51. As mentioned, the attack makes use of special points. A keystream prefix is said to be special if its first 16 bits form a specific sequence of bits α. For simplicity, the sequence α is chosen such that it does not coincide with shifted versions of itself, e.g. α = (1, 0, 0, . . . , 0).
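The requirement on α can be phrased as: no proper prefix of α equals a suffix of α. A minimal check, with the example α from above:

```python
def overlap_free(alpha):
    """True if no shifted copy of alpha can overlap alpha itself,
    i.e. no proper prefix of alpha is also a suffix of alpha."""
    n = len(alpha)
    return all(alpha[:k] != alpha[n - k:] for k in range(1, n))

alpha = (1,) + (0,) * 15     # the example alpha = (1, 0, 0, ..., 0)
ok = overlap_free(alpha)
```

For comparison, a pattern such as (1, 0, 1) fails the check, because its one-bit prefix equals its one-bit suffix, so two shifted occurrences could overlap in the keystream.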
The attacker wants all the end points stored in memory to be special keystream prefixes. The number of internal states which generate a special keystream prefix is about 2⁶⁴/2¹⁶ = 2⁴⁸, and they are referred to as special states. The authors described how the attacker can use a weakness in the design of the registers to generate all the 2⁴⁸ special states without testing all 2⁶⁴ states. The fact that each register has only one clocking tap and that it is in the middle, far away from the msb's, allows for efficient sampling. The attacker can arbitrarily choose the bits in certain 48 positions of the state and compute the other 16 such that the keystream produced by the state begins with α. The attacker is able to generate all the 2⁴⁸ special states this way.
The authors introduced a new security measure called sampling resistance.
It is the maximal length of α such that special states can be sampled without
trial-and-error. The sampling resistance of A5/1 is 16.
During precomputation, the attacker samples all the special states. However, not all 2⁴⁸ special pairs will be stored in memory. Some special states are likelier than others to occur, and thus their corresponding special keystream prefixes are likelier than others to be present in the obtained data. The strategy is to store only those special pairs which are very likely to occur. What causes the non-uniform probability distribution among the states is the tree structure of the graph of the clocking function.
The authors use the following notation:
• a state s is coloured red, if the sequence of keystream bits produced from
state s starts with α;
• a state s is coloured green, if the sequence of keystream bits produced from
state s contains an occurrence of α which starts somewhere between bit
positions 101 and 277 of the keystream.
In other words, a red state is a special state and a green state is an initial state,
from which a red state is generated.
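A sketch of the colouring as a predicate, assuming a `keystream(s, nbits)` interface that returns the first nbits generated from state s (the toy keystream below is for illustration only, not A5/1):

```python
def occurs_at(bits, alpha, pos):
    return tuple(bits[pos:pos + len(alpha)]) == tuple(alpha)

def colour(keystream, s, alpha):
    """Classify a state: 'red' if its keystream starts with alpha,
    'green' if alpha starts at one of the (1-based) bit positions
    101..277 of its keystream, None otherwise."""
    bits = keystream(s, 277 + len(alpha) - 1)
    if occurs_at(bits, alpha, 0):
        return "red"
    if any(occurs_at(bits, alpha, p - 1) for p in range(101, 278)):
        return "green"
    return None

# Toy keystream for illustration only: the low 16 state bits, repeated.
def toy_keystream(s, nbits):
    block = [(s >> i) & 1 for i in range(16)]
    return [block[i % 16] for i in range(nbits)]

alpha = (1,) + (0,) * 15
```

With the toy keystream, state 1 produces a stream beginning with α and is classified red, while the all-zero state produces no occurrence of α at all.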
Running the clocking backwards from a red state produces a tree of states. The depths and widths of the trees vary, because each state can have anywhere from none to four predecessors. If a red-rooted tree is deeper than 100, then it contains some green states. The green states in the tree which are at depths 101 to 277 are referred to as the green belt. Figure 4.2 shows examples of red-rooted trees. The white states at depths 1 to 100 are of no interest to the attacker, because they are initial states that would reach a red state during the first 100 clockings, when no keystream is produced yet.
[Figure 4.2: Examples of red-rooted trees, growing downwards from the red roots past the depth-100 boundary.]
The reason why the green belt is defined only to depth 277 is that the deeper
states cannot be used in the attack. In the obtained data, the attacker searches
for α in each 228-bit segment of the keystream. If α starts somewhere in the
last 50 bits of the 228 bits, it is disregarded, because the attacker needs at least
35 bits of the keystream to follow α in order to identify the special keystream
prefix as an end point in the precomputed table.
The attacker wants to store in memory those red states, with their keystream
prefix, which are the likeliest to occur. The red states with the largest green belts
occur with the highest probability. The weight of a red-rooted tree is defined as
the number of green states in its belt. The attacker chooses a value w and stores
a red state only if the weight of its tree is greater than w.
The attack is called the biased birthday attack. In the original BG attack, the birthday paradox is used under the assumption that the starting points are chosen uniformly at random and that the states in the real data are also distributed uniformly. In this attack on A5/1, neither of the two sets is chosen uniformly at random, hence the name. The bias in the selection of starting points raises the attack's probability of success.
Finally, a summary of the attacker's steps. The attacker samples all red states. She explores the trees of the red states using the efficient software implementation of the states. If a tree's weight is greater than a fixed w, she computes the first 35 bits of keystream following α from that red state. She saves the state and the keystream prefix as a starting point and end point pair in a table sorted by end points. The trees themselves are not saved.
During the attack, she obtains a few seconds' or minutes' worth of keystream. She divides the keystream into segments of length 228, which correspond to the frames. She searches the first 193 bits of each 228-bit segment for α. For each occurrence of α that she finds, she uses the 35 successive bits to check whether this special keystream prefix is in the precomputed table. If so, she has the corresponding red state. From that red state, she backtracks the clocking: she rebuilds the tree, but only to a certain depth, where she knows the candidates for the initial state are. For each green state at the appropriate depth, she clocks the state backwards and computes the key. It remains to be shown that the key can be uniquely computed from an initial state. For each key candidate, she uses it in the initialization of another frame and then verifies whether that frame's keystream agrees with the keystream in the real data. The real key must be among the key candidates.
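The scan-and-lookup part of these steps can be sketched as follows; the frame, α and table below are synthetic stand-ins, and the table is assumed to be a dictionary mapping 35-bit tuples to red states:

```python
def attack_phase(frames, alpha, table):
    """Sketch of the on-line scan: look for alpha in the first 193 bits
    of each 228-bit frame and use the 35 bits after alpha to look up
    the precomputed table of special keystream prefixes."""
    n = len(alpha)
    for frame in frames:
        for pos in range(193):
            if tuple(frame[pos:pos + n]) == tuple(alpha):
                tag = tuple(frame[pos + n:pos + n + 35])
                if len(tag) == 35 and tag in table:
                    yield table[tag]      # candidate red state

# Synthetic demonstration: one frame with alpha planted at position 51.
alpha = (1,) + (0,) * 15
frame = [0] * 228
frame[50] = 1
table = {(0,) * 35: "red state"}
hits = list(attack_phase([frame], alpha, table))
```

Each hit yields a red state from which the attacker would then rebuild the tree and test the resulting key candidates.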
The attacker can obtain a unique key from an initial state. The stop-go rule is not used in the initialization, so the known frame counter can be removed by running the registers backwards. From the state after the key was XORed in, the attacker gets 64 linear combinations of the 64 key bits, from which the unique key can be calculated.
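Extracting the key from 64 linear combinations of the key bits is a standard linear solve over GF(2). A self-contained sketch, with a random invertible stand-in system in place of the combinations obtained from the registers:

```python
import random

def solve_gf2(rows, rhs):
    """Solve A x = b over GF(2). Each row of A is packed into an int
    bitmask; assumes A is invertible (as the 64 combinations of key
    bits obtained in the attack are linearly independent)."""
    n = len(rows)
    eqs = [[rows[i], rhs[i]] for i in range(n)]
    for col in range(n):
        # find a pivot row with bit `col` set and swap it into place
        piv = next(i for i in range(col, n) if (eqs[i][0] >> col) & 1)
        eqs[col], eqs[piv] = eqs[piv], eqs[col]
        for i in range(n):
            if i != col and (eqs[i][0] >> col) & 1:
                eqs[i][0] ^= eqs[col][0]
                eqs[i][1] ^= eqs[col][1]
    return sum(eqs[i][1] << i for i in range(n))  # x as an integer

# Stand-in system: a random unit lower-triangular A (always invertible).
rng = random.Random(7)
n = 64
rows = [(1 << i) | (rng.getrandbits(i) if i else 0) for i in range(n)]
key = rng.getrandbits(n)
rhs = [bin(rows[i] & key).count("1") & 1 for i in range(n)]
recovered = solve_gf2(rows, rhs)
```

Gauss-Jordan elimination reduces the 64 equations to the identity, so the right-hand sides directly give the 64 key bits.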
The authors show that a biased birthday attack can be performed with probability of success 0.6 with the following parameters:
The authors recommended using the parameters t = 2¹² and m = 2²⁴. Then M = 2³⁶ is the memory space required and T = 2²⁴ is the computation time. The amount of data required is about 2 seconds' worth of keystream, because it is expected that one occurrence of α will appear within that time. With the parameters above, the preprocessing requires 2⁴⁸ steps, about 146 GB of memory are used and the attack time is several minutes.
Conclusion
We started with a detailed description of the original time-memory tradeoff attack by Hellman. We considered how the attack would simplify if the key space were the same size as the ciphertext and plaintext space. Ron Rivest's idea of special points was explained. The second chapter was all about rainbows and colour. Firstly, we gave a description of the rainbow table attack and examined why it is better than the original attack. Secondly, we proposed the new r-coloured rainbows attack, which is a hybrid of the original attack and a rainbow table. A detailed comparison confirmed that the hybrid lies between the two in terms of efficiency. However, we found that for block ciphers with a certain property, the r-coloured rainbows attack outperforms its predecessors. The third chapter focused on attacks on stream ciphers. With the new parameter of the amount of data, we saw time-memory-data tradeoffs. Another change that stream ciphers brought was that the attack became a known plaintext attack, as opposed to the chosen plaintext attack on block ciphers. Finally, we summarized how the BG attack, Hellman's attack and sampling can be combined to recover a conversation key in A5/1.
Bibliography
[1] Hellman, M. E. A Cryptanalytic Time-Memory Trade-Off. IEEE Transactions on Information Theory, Vol. IT-26, No. 4, pp. 401-406, 1980.
[7] Biryukov, A., Shamir, A., Wagner, D. Real Time Cryptanalysis of A5/1
on a PC. Proceedings of Fast Software Encryption 2000, Lecture Notes in
Computer Science 1978, pp. 1-18, Springer-Verlag, 2000.