Learn to use AI like a Pro. Learn More

Demystifying Memory Trade-Off Attacks

Lecture 47: Memory Trade off Attack

Estimated read time: 1:20

    Learn to use AI like a Pro

    Get the latest AI workflows to boost your productivity and business performance, delivered weekly by expert consultants. Enjoy step-by-step guides, weekly Q&A sessions, and full access to our AI workflow archive.

    Canva Logo
    Claude AI Logo
    Google Gemini Logo
    HeyGen Logo
    Hugging Face Logo
    Microsoft Logo
    OpenAI Logo
    Zapier Logo
    Canva Logo
    Claude AI Logo
    Google Gemini Logo
    HeyGen Logo
    Hugging Face Logo
    Microsoft Logo
    OpenAI Logo
    Zapier Logo

    Summary

    The lecture focuses on the concept of memory trade-off attacks in cryptanalysis, specifically targeting block and stream cipher encryption systems. It explains how these ciphers can be viewed as one-way functions, which are easy to compute in one direction but challenging to invert without the correct key. The session covers the attack strategies, such as known plaintext attacks and brute force, highlighting their limitations due to key space size. The lecture further introduces the time-memory trade-off method proposed by Hellman, which involves preprocessing a large table to reduce the effort required for decrypting encrypted data. Key points include chain computation, solution storage optimization, and the implications of false alarms in this strategic attack approach.

      Highlights

      • Hellman's time-memory trade-off method is a breakthrough in cryptanalysis strategies 💡
      • The lecture dives deep into the workings of block and stream ciphers and their vulnerabilities ⚙️
      • Explains known plaintext attack and why brute force is frequently ineffective against strong ciphers 🚫
      • Discusses how to manage key and ciphertext spaces for effective cryptanalysis 🔑
      • Illustrates chain mechanisms to optimize decryption attacks 🧑‍🏫

      Key Takeaways

      • Understanding of memory trade-off attacks on encryption methods 🔍
      • Block and stream ciphers as one-way functions explained 🔐
      • Insight into Hellman's time-memory trade-off method 📈
      • Strategies to optimize encryption decryption processes 🧩
      • Exploration of chain computations and storage tricks 🖥️

      Overview

      Lecture 47 by NPTEL IIT Kharagpur dives into the mechanical intricacies of memory trade-off attacks targeting cryptographic systems, particularly block and stream ciphers. These ciphers are presented as one-way functions, characterized by their polytime forward computation yet resistant backward inversion without the specific key crucial for such decryption.

        The session unpacks the limitations of exhaustive search and parallel processing attacks due to vast key spaces, including brief explorations of alternatives such as known plaintext attacks. Teacher then partakes in detailing Hellman's method of time-memory trade-off, a strategy developed to compromise the key-reliant encryption with precomputed data tables, optimizing the attack methodology.

          In shedding light on practical applications, the lecture covers the success probabilities and potential pitfalls like false alarms accompanying these cryptanalytic strategies. There's also reference to alternate methods and future areas of research, showcasing how memorizing previous endeavors in system hacking and cryptanalysis remains a vibrant field with ongoing developments.

            Chapters

            • 00:00 - 00:30: Introduction to Cryptanalysis This chapter introduces the concept of cryptanalysis, focusing on the general attack strategy of inverting one-way functions within a limited time frame. It explains the foundation of what constitutes a one-way function, setting the stage for understanding how cryptanalysis can be applied to these cryptographic elements.
            • 00:30 - 01:30: Understanding One-Way Functions A one-way function is introduced as a type of function with a mapping from A to B, such that calculating f(x) = y is straightforward, but reversing the process (computing x from y) is computationally difficult. These functions are fundamental as they can be computed in polynomial time in one direction, yet are hard to invert.
            • 01:30 - 02:30: Cryptographic Primitives as One-Way Functions This chapter introduces the concept of cryptographic primitives functioning as one-way functions. It explains the difficulty of inverting a cryptographic function, such as block ciphers and stream ciphers, which are designed to be hard to reverse-engineer. The chapter also touches upon how these primitives are used in cryptography to secure data by relying on their one-way nature to prevent attacks.
            • 02:30 - 04:00: Block and Stream Ciphers Explained In this chapter, the concept of block and stream ciphers is explained. The chapter introduces the idea of block ciphers as inverting a function, using a 'one-way function' as an example. It describes how computing f(X) is straightforward, but retrieving X from f(X) is difficult, highlighting the foundational security principle of block ciphers. The chapter sets the stage for further exploration into how one-way functions are implemented to secure digital communication.
            • 04:00 - 05:00: Challenge of Inverting Functions The chapter "Challenge of Inverting Functions" discusses the function of block ciphers and stream ciphers in cryptography. A block cipher is designed as a function that converts n-bit plaintext into n-bit ciphertext using a cipher key. The chapter delves into various elements of block ciphers, such as the plaintext and ciphertext spaces, the size of the key, and the key space. The core theme is understanding these elements together to comprehend the broader challenge of inverting functions within cryptographic systems.
            • 05:00 - 15:00: Hellman's Time-Memory Trade-Off Attack Hellman's Time-Memory Trade-Off Attack: This chapter discusses a specific cryptographic attack method where a fixed plaintext (P) leads to a function mapping from the key space to the ciphertext space. The function, denoted as 'e', ties the plaintext, key space, and the resulting ciphertext in a structured relationship.
            • 15:00 - 18:00: Conclusion and Advanced Topics The chapter focuses on the concept of key space and ciphertext space in cryptography. It explores the function from key space to ciphertext space, emphasizing the role and transformation of fixed points, denoted as EP, in this context. The chapter introduces the relationship between the spaces and examines different functions that operate within this framework. Advanced topics are touched upon, although the transcript is notably fragmented and lacks specific details on these advanced discussions.

            Lecture 47: Memory Trade off Attack Transcription

            • 00:00 - 00:30 [Music] okay so we talked about time-limited of cryptanalysis it's a generic attack on on any inverting to invert a one-way function so that one or a function so what is the only function
            • 00:30 - 01:00 when a function is basically if you have a mapping from A to B they said this is the straight so from this way it is easy if we have an X it is f of X which is basically Y so this is using me there is a polynomial time algorithm to compute this and but this is hard this way it is hard so given it given a FX or Y it is it is
            • 01:00 - 01:30 hard to get get X is called so that is basically inverting if is called on a function so we will see how the cryptographic primitives like block ciphers stream cipher and other primitives also can be viewed as a one-way function so attack on this base
            • 01:30 - 02:00 basically attack on the block cipher is basically inverting such a one a function okay so slightly so so this is the one I function so one a function can you go to the slide please so here we have a X we can easily compute f of X and form f of X it is hard to get if X so this is the one a function now we will see how we can have this one a
            • 02:00 - 02:30 function from block cipher or stream cipher so basically a block cipher is a function which is taking n bit plaintext and giving us n bit ciphertext and s is the kiss key size throw shock each key is a s bit so this is the ski space so easy function from plane takes place cross a space to the ciphertext space and P is the plaintext and C is the ciphertext and key is the key this is
            • 02:30 - 03:00 denoted by case ekp okay so if we fix P then we define if we fix P then this is basically a function for key space to the ciphertext space so this is basically e which is basically plaintext space a key space to that ciphertext so if we
            • 03:00 - 03:30 fix a so this is a plaintext place this is the key space this is the cyber takes place so if we fix a P and then it is basically EP we can do not so this is a function from key space to the ciphertext space okay but this function is basically form a SB to NV but we want this function to
            • 03:30 - 04:00 be SB trace bit so and this function is a one-way function because if we have a cipher takes so this is known plaintext attack if you have a cipher takes now if we can get the corresponding key then that is the attack on block cipher okay so but now we want this to be same if it is a base is equal to M then no problem but if you ate is this is not equal to n say for example for des this is 64 this
            • 04:00 - 04:30 is 56 so what we can do to make this we can reduce some bit we can remove some bit okay and for AES this is 128-bit and if it is 128 bit but the AES has many version of key if it is more than we can add some of the bits so this is the this is the way we can have this we can have
            • 04:30 - 05:00 a are on this after this make it is bit clear speed so this F is basically is the one a function we are looking for now the challenge is to invert this X a if so challenge is to this is the known plaintext attack we have a plaintext and we have the ciphertext now the challenge is to invert that F to get the key so because now the function is from key space to
            • 05:00 - 05:30 the ciphertext base why we need the same domain and codomain because we want to apply F repeatedly for our I memory to adapt attack to have a chain you keep on applying okay now this is the way we look block cipher as a warning function now we look at stream cipher how we can look at stream cipher as among a function so this is the general structure of a stream cipher so in stream cipher what we have we have a state it could be lfsr based stream
            • 05:30 - 06:00 cipher or any general stream cipher so it is basically a finite state machine we have a state which is basically sometimes it is initialized by the key or we we run that we initialize this by the IV initial vector and we run the state few times the initialization Pasha's and then we get a initial state and then we have a we with the key and IV that is
            • 06:00 - 06:30 called initialization vector and then each time each clocking this state is updating by the G function it is taking the value of the state and it is output is giving the next state values and for the key stream what we have we it is taking the value of the state at that point of time it is applying a function and it is generating the key stream depending on how many keys limit will keep around this and then that key stream is XOR with the plaintext to get
            • 06:30 - 07:00 the cipher text B so this is a general synchronous stream cipher because here the plaintiffs are not involved in this business in this part plane takes neither cipher text so this is only coming out to be so this the synchronous stream cyphers there is a synchronous stream server where this plane ticks are also paths can be participate in the state updation function okay now how we can have a
            • 07:00 - 07:30 one-way function out of this so we just defined a function f from this state space so this is the set of all possible state space to this now if the state state is say speed s bead lfsr for example you can say okay then this function we define the first it is bit extreme okay now is just fast it is with key stream
            • 07:30 - 08:00 now this is key and IV from the key string so this is a one a function because if we know that if we could invert this then we'll be knowing the initial that we will be knowing the some value of the internal state once we know some value of the internal state then we can get the all the key stream forward key stream we are running the state if we know some value of the internal state at some point of time then that value
            • 08:00 - 08:30 will be creating this key stream in future so all the key stream will be known on that of ours so this is the attack on the stream cipher okay so other modes are other upper other primitives are also can be think as a warming function so basically our problem is to invite you on a function so our problem is we have a function if s between speed and this is a one a
            • 08:30 - 09:00 function this can either derive from block cipher or stream cipher or Motorama partial and the challenge is to invert this one a function so given a Y which is basically if a bit how to the challenge is to get need to invert need to get X so how to get it so that is the problem definition okay so this is the problem definition
            • 09:00 - 09:30 given a Y from this if f of X we need to invert this so this is we can do in the generic way so like we have seen the exhaustive search at ax which is basically would force method which will try for all possible key now to reduced against the exhaustive subject depends on the size of the key space if the key space is more it is not possible to do the exhaustive search attack then one can think of parallel passing even if
            • 09:30 - 10:00 the parallel passing also if the size is very weak like for AES it is the size of the case keystream is 2 to 1 to 8 so it is 2 to the power 1 to 8 so even if we have say 50 processor running in parallel so then also 2 to the power 1 to 8 is the time so 2 to the power say if we are 56 also processor then it is 2 to the power 70 which is huge so exhaustive search will not work on this AES but we have seen on des des key size
            • 10:00 - 10:30 is 56 bit and if we have 36 machine running in parallel this is the attack done by electronics pounder foundation they made a hardware to attack this and this is basically 2 to the power 20 so this can be achieved so it depends on the the size of the ski space where if the key space is less we can have a special-purpose software hardware to
            • 10:30 - 11:00 have this the like I said Electronics founder Foundation they build a machine parallel machine with this now this data cannot be mount for multiple targets suppose we have many XY 1 y 2 y Y D then every time you have to run this so how to handle this multiple target so for that Hillman was into Hillman introduced this time memory trader attack on 1919 in 1980 and basically is consists of two
            • 11:00 - 11:30 phases on this P computation phase which is we call offline phase however is online phase and then later on reversed modified this using the distinguish point and then they later on some work by even we have some contribution in this area so let us talk about Hillman method
            • 11:30 - 12:00 so Hillman method on so we can write TMT you time memory ta da matta to invert a one-way function so we have a y so what it is doing it has to face off line face on online face so in the online space so
            • 12:00 - 12:30 earlier you have seen we are doing that table lookup method table lookup method means we are storing this basically so we have to invert this F so you have given y is equal to f of X you need to get this Y so in the table lookup method what we are doing we are choosing X 1 and we are getting Y you are which is basically F of x1 like this so we are storing for all possible X n if so it is basically F is basically 0 1 s 2 0 1 s
            • 12:30 - 13:00 so basically we have an h2 to the Paris so 2 to the piraeus possible values we have so then Y n if X n so basically we are storing these two PR in the increasing order of the endpoint and this is the this is also the to face this is offline face of the P computation phase and in the online phase what we do we have given a Y which
            • 13:00 - 13:30 is basically f of X we don't know if we need to find it so what we do is search for this Y in the in point and if we got say YK if YK is matching with this then the corresponding it is the key so just a table Luca will give us the solution but the problem is here we need to store all the values over here so if n is large that could be expensive that that many memory we may not be having also the memory access time so where we are
            • 13:30 - 14:00 keeping this data where we are keeping this table in the CD in the hard disk that time also should be considered in to the runtime because if we are keeping this in a Ram okay then it will faster than if we are accessing the hard-disk so at that time also should be considered now here time memory data means okay so here we are we all online time is less but memory is more so somehow if we can trade up this to time
            • 14:00 - 14:30 and memory we have some memory not very much and we have some we can spend some time at the online so there is a trade-off so that is a that is the idea of Hillman so hard element did Hellman compute some Hellman computer table like this so Hillman choose some some points say 2 1
            • 14:30 - 15:00 3 1 these are called start point so Hellman choose randomly M points from the say these are all a speed so we are looking our F is is big toe is bit okay so Hillman choose some these are always bit number and then Hillman compute it change apply F on it so it will give me also a speed number so this is basically
            • 15:00 - 15:30 as one to take enough - it so if one three like this so continue like up to s1 t okay so this is a chain so if we have this X so for our H I row so if we have say x i1 we apply F on it this is
            • 15:30 - 16:00 so this is basically f of x i1 which is again we are going to so this is again s bit so if that's why we need the domain cordovan should be same because we want to repeatedly apply if on this numbers so that's the reason we want to make it same domain code I mean so again we apply F on it so we got if I three which is basically same as f of i -
            • 16:00 - 16:30 which is basically F of F of I - like this okay so these are you'll continue so after we got so this is f of I t minus 1 and we got so if my t minus 1 is missing on the F of F of F of i1 like this so this is basically F of I T so if
            • 16:30 - 17:00 poverty is nothing but if T times on this F of I R okay so this is the N my table so so here is the Hellman table so we choose the start points like it is starting from 0 1 0 like this anyway we
            • 17:00 - 17:30 have taken from 1 so these are that start point Hellman is choosing at random and then compute this F on each of this and again it is a Hizb it again we can apply F on it so like this we are continuing and we are ending to it end point X 1 T so like this we are doing and then X 1 3 0 X 3 1 like this we continue like this so so
            • 17:30 - 18:00 this is we are doing in people offline phase and we store that so this table we are computing and we are storing we are not storing whole table Volturi where whole table storing is same as table lookup method so we do not have that much memory in our hand so we are just storing the start point and end point pair so we compute this then we store this this point and this point so X 1 1 comma X 1 2 like this per second X 2 1 X
            • 18:00 - 18:30 2 3 days so xm1 I mean they are in the slide it is from 0x empty so we are not storing the whole table you are only storing the start point and end point pair and in the sorted order of end point so that search will be faster if you have sorted order of in point story then the search
            • 18:30 - 19:00 will be in the logarithm time so search will be faster okay so this we are doing we store the start point and end point pair in the increasing order of the input so that we can do the search in the first binary search okay so now this is the attack so we have stored we have stored the start point in point in the online offline phase or P competition phase and this is the attack at this is
            • 19:00 - 19:30 called a tag or this is the online phase what we are doing so we are just having the start point in point P R now we have gear so for online attack we have given there Y which is basically f of X we don't know X but we know that Y so what we do and suppose we assume Y is in the table suppose we assume this X or this case here we say K is in the table suppose you have to assume this in order
            • 19:30 - 20:00 to working this method assume that the K is in the table but we don't know where is the K because we don't have e have the whole table in the online face we have only the start point in point P so suppose say K is somewhere here suppose this is K ok so what we do but we do not
            • 20:00 - 20:30 know this is we are not having we are not having the whole table here having only the start point so this is say start point and say xl1 this is going there and we have n point X L T okay so what we do so if this is K then this is our Y okay so we know the Y so what we do on the Y we'll keep on apply if but we don't know the position where
            • 20:30 - 21:00 is this case so we just check Y whether Y is matching with the endpoints or not this is the first check if Y is matching with one of the endpoint then we know the previous one is the key X or key okay now if not we apply so suppose Y is here then we apply F on it and we check with that and we first check Y is matching with the endpoints are not binary search if not we apply F on Y and
            • 21:00 - 21:30 we check whether this is matching with the endpoints or not if this is matching then y must be here because we do not know the position of Y if it is not again we apply F on this and we try to match so every time we are having the table lookup we are matching with the endpoints so how many times we will do we will try at most eight P times because we know the length of the chain
            • 21:30 - 22:00 is T so we will do have at most T times two and every time we check whether it is matching with Y or not so this is the what we are doing sorry so we have why we are applying if and every time we are checking we are matching we are doing the binary search on this to check whether this is matching or not so this way will continue okay now suppose we got a match
            • 22:00 - 22:30 then we'll what we will do then the previous value will be the K or X but we do not have the way to come to the previous value but what we can do we we know this if it is matching with the end point we know the corresponding start point so what we do will keep on apply the if on the start point of that corresponding row where this key is there and then once we reach to the Y then restore the previous value as the
            • 22:30 - 23:00 key so that is the attack okay so this is the way we just keep on apply y F on Y so until it is to the Y so if we reach to the Y then the previous value is the key because we have a match over here then we come to the corresponding start point then we apply if until you see the Y once we see the Y then the previous value will be the key okay so this is
            • 23:00 - 23:30 that now so that - so this is the success probability of this attack is basically depends on the number of distinct key into the table divided by the key space this is we say 2 to the power s n is 2 to the Perez now so we want all the keys should be distinct in the table but by birthday paradox we have to stop when M M T into T is less
            • 23:30 - 24:00 than n so this is the matrix stopping condition so empty square equal to M so because M M is the number of row T is the number of columns so M T Square must be in so this is the so stopping condition so you have to stop this so if you stop this if you keep our matrix size as that empty square equal to n then it can cover only 1 by T of total number of key size so need to have tea many tables but we need
            • 24:00 - 24:30 to have different different function forty minute tables so we will use some variant of this a function forty different table where F is a simple function this is our construction we have chosen F to be some XR with the from lfsr key generation and this is basically giving us some trade of PM square so this we can calculate T MCC T is the time run time TM square is equal
            • 24:30 - 25:00 to n square now this is the time so if we choose T is equal to M so if we have time and memory is same then we have TM square is equal to n to the power 2 by 3 this this is the time which is very reasonable okay so this is basically but there are some issues here like how to handle the like false alarm false Allah means it may
            • 25:00 - 25:30 happen that so we are looking for this K so it may happen that there is some match over here so that that match is creating us a match in the endpoints but which is not basically having that giving us the key so these are called false alarm but anyway we are not going into details of those because this this
            • 25:30 - 26:00 is a another is search area one can explore but only thing this is a this is a generic approach because here we are just considering the size key space we are not bothering about the inner design of the block cipher or stream cipher so this is a generic attack on so these are many varying like if you have multiple multiple data then how we can use that so DP method rainbow method rainbow table but this is out of this out of the
            • 26:00 - 26:30 scope of this course so if one has interest to explore in this area one can there is huge literature on this one can I will look thank you