X

Download Hellmans TMTO Attack PowerPoint Presentation

SlidesFinder-Advertising-Design.jpg

Login   OR  Register
X


Iframe embed code :



Presentation url :

X

Description :

Hellmans TMTO Attack slides for your next presentation.

Tags :

cryptocurrency | crypto | bitcoin | elon musk | cryptanalysis

Home / Business & Management / Business & Management Presentations / Hellmans TMTO Attack PowerPoint Presentation

Hellmans TMTO Attack PowerPoint Presentation

Ppt Presentation Embed Code   Zoom Ppt Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Hellmans TMTO Attack powerpoint presentation easily and in no time. This helps you give your presentation on Hellmans TMTO Attack in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Hellmans TMTO Attack powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by slidefu in Business & Management ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

Hellmans TMTO Attack Presentation Transcript

Slide 1 - Part 1 - Cryptography 1 Hellmans TMTO Attack
Slide 2 - Popcnt Part 1  Cryptography 2 Before we consider Hellman’s attack, consider a simple Time-Memory TradeOff “Population count” or popcnt Let x be a 32-bit integer Define popcnt(x) = number of 1’s in binary expansion of x How to compute popcnt(x) efficiently?
Slide 3 - Simple Popcnt Part 1  Cryptography 3 Most obvious thing to do is popcnt(x) t = 0 for i = 0 to 31 t = t + ((x >> i) & 1) next i return t end popcnt But is it the most efficient?
Slide 4 - More Efficient Popcnt Part 1  Cryptography 4 Precompute popcnt for all 256 bytes Store precomputed values in a table Given any x, look up its bytes in the stored table Sum table values to find popcnt(x) Note that precomputation is done once Then each popcnt requires 4 steps, not 32
Slide 5 - More Efficient Popcnt Part 1  Cryptography 5 Initialize: table[i] = popcnt(i) for i = 0,1,…,255 popcnt(x) p = table[ x & 0xff ] + table[ (x >> 8) & 0xff ] + table[ (x >> 16) & 0xff ] + table[ (x >> 24) & 0xff ] return p end popcnt
Slide 6 - TMTO Basics Part 1  Cryptography 6 A precomputation One-time work Results stored in a table Precomputation results used to make each subsequent computation faster Balancing “memory” and “time” In general, larger precomputation requires more initial work and larger “memory” but each subsequent computation is faster
Slide 7 - Block Cipher Notation Part 1  Cryptography 7 Consider a block cipher C = E(P, K) where P is plaintext block of size n C is ciphertext block of size n K is key of size k
Slide 8 - Block Cipher as Black Box Part 1  Cryptography 8 For TMTO, treat block cipher as a black box Details of crypto algorithm are not important
Slide 9 - Hellman’s TMTO Attack Part 1  Cryptography 9 Chosen plaintext attack: choose P and obtain C, where C = E(P, K) Want to find the key K Two “obvious” approaches Exhaustive key search “Memory” of 0, but “time” of 2k-1 for each attack Pre-compute C = E(P, K) for all possible K Then given C, can simply look up key K in the table “Memory” of 2k but “time” of 0 for each attack TMTO lies between 1. and 2.
Slide 10 - Chain of Encryptions Part 1  Cryptography 10 Assume block and key lengths equal: n = k. Then a chain of encryptions is SP = K0 = Starting Point K1 = E(P, SP) K2 = E(P, K1) : : EP = Kt = E(P, Kt1) = End Point
Slide 11 - Encryption Chain Part 1  Cryptography 11 Ciphertext used as key at next iteration Same (chosen) plaintext at each iteration
Slide 12 - Pre-computation Part 1  Cryptography 12 Pre-compute m encryption chains, each of length t +1 Save only the start and end points (SP0, EP0) (SP1, EP1) : (SPm-1, EPm-1) EP0 SP0 SP1 SPm-1 EP1 EPm-1
Slide 13 - TMTO Attack Part 1  Cryptography 13 Memory: Pre-compute encryption chains and save (SPi, EPi) for i = 0,1,…,m1 This is one-time work Then to attack a particular unknown key K For the same chosen P used to find chains, we know C where C = E(P, K) and K is unknown key Time: Compute the chain (maximum of t steps) X0 = C, X1 = E(P, X0), X2 = E(P, X1),…
Slide 14 - TMTO Attack Part 1  Cryptography 14 Consider the computed chain X0 = C, X1 = E(P, X0), X2 = E(P, X1),… Suppose for some i we find Xi = EPj SPj EPj C K Since C = E(P, K) key K before C in chain!
Slide 15 - TMTO Attack Part 1  Cryptography 15 To repeat, we compute chain X0 = C, X1 = E(P, X0), X2 = E(P, X1),… If for some i we find Xi = EPj Then recompute chain from SPj Y0 = SPj, Y1 = E(P,Y0), Y2 = E(P,Y1),… Find C = Yti = E(P, Yti1) Is it always true that Yti1 = K ?
Slide 16 - Attacker’s Perfect World Part 1  Cryptography 16 Suppose block cipher has k = 56 That is, the key length is 56 bits Suppose we find m = 228 chains, each of length t = 228 and no chains overlap Memory: 228 pairs (SPj, EPj) Time: about 228 (per attack) Find C in about 227 tries Find K with about 227 more tries
Slide 17 - Attacker’s Perfect World Part 1  Cryptography 17 No chains overlap Every ciphertext C is in some chain EP0 SP0 C SP1 SP2 EP1 EP2
Slide 18 - In the Real World Part 1  Cryptography 18 Chains are not so well-behaved! Chains can cycle and merge EP SP C Chain from C goes to EP Chain from SP to EP does not contain K K
Slide 19 - Real-World TMTO Issues Part 1  Cryptography 19 Merging, cycles, false alarms, etc. Pre-computation is lots of work Must run attack many times to make initial work worthwhile Success is not assured What if block size not equal key length? This is easy to deal with What is the probability of success? This is not so easy to compute
Slide 20 - To Reduce Merging Part 1  Cryptography 20 Compute chain as F(E(P, Ki1)) where F permutes the bits Chains computed using different functions can intersect, but they will not merge EP1 SP0 SP1 EP0 F0 chain F1 chain
Slide 21 - Success Probability Part 1  Cryptography 21 m = number of random starting points for each function F t = encryptions in each chain r = number of “random” functions F Then mtr = total number of computed chain elements Choose m = t = r = 2k/3 and probability of success is at least 0.55 Pre-computation is O(mtr) work Each TMTO attack requires O(mr) “memory” and O(tr) “time”
Slide 22 - TMTO Bottom Line Part 1  Cryptography 22 Attack is feasible against DES Pre-computation is about 256 work Each attack requires about 237 “memory” 237 “time” Attack is not particular to DES No fancy math is required! Lesson: Clever algorithms can break crypto!