Time-memory tradeoff attacks

Charles University in Prague
Faculty of Mathematics and Physics

BACHELOR THESIS

Monika Seidlová

Time-memory tradeoff attacks

Department of Algebra

Supervisor of the bachelor thesis: RNDr. Michal Hojsík, Ph.D.
Study programme: Mathematics
Specialization: General mathematics

Prague 2012

I would like to thank my supervisor RNDr. Michal Hojsík, Ph.D. for his advice, ideas, comments and especially for all the time he put into proof-reading and consulting with me.

I declare that I carried out this bachelor thesis independently, and only with the cited sources, literature and other professional sources. I understand that my work relates to the rights and obligations under the Act No. 121/2000 Coll., the Copyright Act, as amended, in particular the fact that the Charles University in Prague has the right to conclude a license agreement on the use of this work as a school work pursuant to Section 60 paragraph 1 of the Copyright Act. In date

Title: Time-memory tradeoff attacks (Czech title: Time-memory tradeoff útoky)
Author: Monika Seidlová
Department: Department of Algebra
Supervisor: RNDr. Michal Hojsík, Ph.D., Department of Algebra

Abstract: Martin Hellman proposed the first time-memory tradeoff attack on block ciphers. It is a chosen plaintext attack, in which the attacker precomputes a large amount of data for some block cipher and can then use it repeatedly in attacks on that block cipher. An improvement suggested by Ron Rivest speeds up the attack by reducing the number of memory accesses. Another modification of the original attack called rainbow tables speeds up the attack even more and brings other advantages. Time-memory tradeoff attacks can also be applied to stream ciphers as known plaintext attacks. This bachelor thesis describes in detail the original attack, its improvements and a modification to stream ciphers. As an example, we summarize an attack on A5/1, a stream cipher used in mobile phones. We also propose a new time-memory tradeoff attack on block ciphers called r-coloured rainbows. The new attack is a modification of Hellman's attack and shares similarities with the rainbow table attack. We give a comparison of the properties of the three attacks and conclude that, for certain block ciphers, our attack may be the most effective of the three.

Keywords: time-memory tradeoff attacks, cryptanalysis, block ciphers

Contents

Introduction
1 Hellman's time-memory tradeoff attack
  1.1 The attack
  1.2 The probability of success and the tradeoff
  1.3 Modification of the attack for n_k = n_c
  1.4 Hellman's attack with Rivest's sampling
2 Rainbow tables and r-coloured rainbows
  The rainbow table attack
  The probability of success
  Advantages over Hellman's attack
  The new r-coloured rainbows attack
  Comparison of the new attack with the previous attacks
3 Time-memory tradeoff attacks on stream ciphers
  The BG attack
  Biryukov and Shamir's attack
  Time-memory tradeoff attacks on stream ciphers with sampling
4 Time-memory tradeoff attacks on A5/1
  Description of the A5/1 stream cipher
  The biased birthday attack
  The random subgraph attack
Conclusion
Bibliography

Introduction

In this bachelor thesis, we will look at a certain method of attack on block and stream ciphers. Assume a chosen plaintext attack on a block cipher. The attacker chooses an arbitrary but fixed plaintext P_0. The person being attacked is using a secret key K to encrypt plaintexts. The attacker obtains a ciphertext C_0, which is an encryption of P_0 with the key K. She could have obtained C_0 by passively eavesdropping on an encrypted communication, where she knew an encryption of P_0 would be transmitted, or she could have directly requested the encryption of P_0. Once she has C_0, she tries to find the key K. We always assume that the attacker knows the cipher used and is able to encrypt and decrypt with it.

One attack she can perform is exhaustive search of the key. In an exhaustive search, she tries encrypting P_0 with all the possible keys. After each encryption, she checks if the ciphertext matches C_0. Another possible strategy is for her to do all the encrypting beforehand and save key-ciphertext pairs in a large table. Once she obtains the C_0, she searches for it in the table. This method is called table lookup. An advantage of table lookup over exhaustive search is that the precomputed table can be used in more than one attack and the looking up is much faster than exhaustive search, which takes a very long time. However, a disadvantage of table lookup is that it requires large memory space.

A time-memory tradeoff attack is a compromise between exhaustive search and table lookup. There is always a precomputation phase and an attack phase in a time-memory tradeoff attack. During the precomputation phase, the attacker does many encryptions and saves some of the results in a table. The attack phase begins when she obtains C_0. She uses the data from the precomputed table and she performs additional computations. The precomputation phase is performed once and takes a very long time, whereas the attack phase can be repeated on another C_0 (encryption of P_0 with a different key) and should be fast.

Let M denote the total amount of random access memory required to hold the precomputed data. The unit of M is usually a word, a string of symbols of certain length. Let T denote the computation time required during the real-time phase of the attack and let P denote the computation time required during the precomputation phase. The unit of T and P is one computational step. For example, one encryption or one simple operation like addition can be considered one computation step. Assume that the space of keys has elements. Then in an exhaustive search, we have T = and M = 1. Contrarily, in table lookup, we have T = 1 and M = . In time-memory tradeoff attacks, there is a time-memory curve, which defines the relation between T, M and . For example, in the first time-memory tradeoff attack we will describe, the time-memory curve is T M 2 = 2. T and M can be chosen by the attacker, as long as they lie on the curve.

In the first chapter, we will describe the original time-memory tradeoff attack on block ciphers proposed by Martin Hellman in 1980. The description is followed by some suggestions for modification. The second chapter will be concerning the rainbow table attack, which is a newer time-memory tradeoff attack on block ciphers. The second chapter also contains a description of a new attack that we propose. The new attack, called r-coloured rainbows, is an adaptation of Hellman's attack inspired by the rainbow table attack. These three attacks have a lot in common and that allows us to compare their properties.

The third chapter will explain how time-memory tradeoff attacks can be applied to stream ciphers. Due to the different construction of stream ciphers, the attack is not a chosen plaintext attack, but a known plaintext attack. In time-memory tradeoff attacks on stream ciphers, the attacker can use more obtained data than just one ciphertext. Therefore, a new parameter D is introduced. D denotes the amount of data obtained during the attack. In an attack on a block cipher, D = 1. The fourth chapter will provide an example of an attack on a specific cipher A5/1, which is a stream cipher used in GSM telephones to encrypt calls.

In a time-memory tradeoff attack, the birthday paradox is often used to show how much data should be stored in memory to achieve a certain probability of success of the attack. We will use the corollary of the following theorem several times.

Theorem 1 (The birthday paradox). Assume that sets A and B are subsets of {1, ..., },, and A is picked randomly with uniform distribution. When A = α and B = β, for some α, β (0, ), sets A and B intersect with the probability p 1 e αβ, +

The proof of this theorem can be found in [8].

Corollary 2. Assume sets A and B are subsets of {1, ..., }, is large, and A is picked randomly with uniform distribution. If A B =, then the probability that A and B intersect is approximately 0.63.

Proof. Let sets A and B be subsets of {1, ..., }, is large, such that A B = . Let A be picked randomly with uniform distribution. We can write A = α and B = β, for some α, β (0, ). We have A B = α β = α β = 1. From the Theorem 1, we have that the probability that A and B intersect is p 1 e αβ, + 1 e αβ = 1 e. Since is large, the probability of intersection is approximately 0.63.

1 Hellman's time-memory tradeoff attack

Definition 3. A block cipher is an ordered quintuple (P, C, K, E, D), such that
1. P is a finite set of plaintexts,
2. C is a finite set of ciphertexts,
3. K is a finite set of keys,
4. E = {E_K : P C K K} is a set of encryption maps,
5. D = {D_K : C P K K} is a set of decryption maps,
6. K K x P : D_K(E_K(x)) = x.

Martin Hellman [1] described a time-memory tradeoff attack on block ciphers. It is a chosen plaintext attack, so for a plaintext chosen by the attacker, she obtains its encryption. Her goal is to find the key used to encrypt the chosen plaintext to get the ciphertext. If she succeeds, she can decrypt all ciphertexts encrypted with that one key. Assume a block cipher (P, C, K, E, D) and assume that P = C = {0, 1}^{n_c} and K = {0, 1}^{n_k} for some n_c, n_k. Hellman explained his attack for n_c > n_k. For now, we will accept this assumption. We will discuss a modification of the attack for n_c = n_k later in the chapter.

1.1 The attack

In Hellman's attack, the attacker chooses an arbitrary but fixed plaintext block, denote it P_0. A map f : {0, 1}^{n_k} {0, 1}^{n_k} is defined as follows: f(K) := R(E_K(P_0)), where R : {0, 1}^{n_c} {0, 1}^{n_k} is a reduction, which is easy to compute, such as dropping some n_c n_k bits. The construction of function f is depicted in Figure 1.1. If the cryptosystem is secure, then f is a one-way function. The value of f(K) can easily be computed from K, but computing K from f(K) is at least as hard as the problem of finding the secret key K from a plaintext and reduced ciphertext pair (P_0, f(K)), which we assume is difficult.

The precomputation phase

The attacker randomly chooses elements from the set of keys K = {0, 1}^{n_k}. These keys are called starting points and are denoted SP_i, i = 1, ..., . The function f is iterated on each of the starting points t times. The attacker defines values X i,j K = {0, 1}^{n_k} in the following manner:

X i,0 := SP_i for i = 1, ...,
X i,j := f(X i,j 1) for j = 1, ..., t, i = 1, ...,

[Figure 1.1: Construction of function f.]

She denotes the end points of the iteration EP_i := X i,t for i = 1, ..., . The iterations of f yield the following chains of keys (values from K), in which successive entries are linked by f:

SP_1 = X 1,0 X 1,1 X 1,t 1 X 1,t = EP_1
SP_2 = X 2,0 X 2,1 X 2,t 1 X 2,t = EP_2
SP = X ,0 X ,1 X ,t 1 X ,t = EP

The chains can be represented by an (t + 1) table B, where b ij = X i,j, 1 i, 0 j t. The optimal choice of parameters and t will be discussed later. At this point, it is only important to note that the attacker may choose and t arbitrarily. The attacker saves the doubles (SP_i, EP_i) for i = 1, ..., in random access memory. Later, she will search for a given EP_i to recover the corresponding SP_i. Therefore, she must save them sorted by EP_i. For example, she may use hash coding to allow her to search the table in linear time. In hash coding, each value of EP_i is hashed to get an index. The values of SP_i are stored in a table sorted by their corresponding indices.

The attack phase

It is a chosen plaintext attack, so the attacker chose a P_0, precomputed the table and, during the real-time phase, she obtains C_0 = E_K(P_0) and wants to find out what key K was used. First, she applies the reduction R to get Y_1 := R(C_0). Notice that Y_1 = R(E_K(P_0)) = f(K). With one table lookup, she checks whether Y_1 = EP_i for some i {1, ..., }.

1. If Y_1 = EP_i for some i, then K = X i,t 1, or K X i,t 1, a so-called false alarm has occurred, because EP_i has more than one preimage. To determine which is the case, the attacker reconstructs the i-th chain from SP_i to get the value of X i,t 1. From the definition of X i,j, it is clear that X i,t 1 = f t 1 (SP_i). She checks whether X i,t 1 is the key, so whether C_0 = E Xi,t 1 (P_0). If she has found the key, the attack is done. If not, a false alarm has occurred.
2. If i : Y_1 EP_i or a false alarm has occurred, then the key is not in the second last column of B. The attacker computes Y_2 = f(Y_1). With one operation, she checks whether Y_2 = EP_i for some i. If Y_2 = EP_i for some i, then X i,t 2 is the key or a false alarm has occurred. If i : Y_2 EP_i or there was a false alarm, then Y_3 = f(Y_2) is computed.

Unless she finds the key, the attacker computes Y_2, Y_3, Y_4, ..., Y_t and performs the checks described above.

Hellman's attack is described as a chosen plaintext attack. However, if used on a block cipher in ECB (Electronic Code Book) mode, it can be a ciphertext-only attack. The attacker chooses P_0 as a plaintext block, which she expects will be contained in a plaintext frequently. For example, P_0 may be a sequence of blanks in ASCII or a file header. The attacker searches the ciphertext for repeating blocks and assumes that one of the blocks which repeat is enciphered P_0. She applies the attack on all the repeating blocks. The memory required for the ciphertext-only attack remains the same as for the original chosen plaintext attack. If there are c different blocks which repeat, the computation time increases at most by a factor of c.

1.2 The probability of success and the tradeoff

The probability of success of the attack, P(S), is the probability that K is in the first t columns (all the entries except the last column) of the precomputed table. Denote := 2 n k the number of all possible keys. If K is chosen uniformly at random from K and if the t entries in the first t columns of the table are all different, then

P (S) = t (1.1)

A slight overlap in the table can be tolerated, as long as there is a constant fraction of distinct entries. Hellman [1] presented the following theorem and proof.

Theorem 4. If f : {1, ..., } {1, ..., } is a random map and if K {1, ..., } is selected randomly, then

P (S) 1 t 1 [ ] j+1 it (1.2) i=1 j=0

Proof. Put A := {K {1, ..., } K = X i,j, 1 i, 0 j t 1}. We have

P (S) = E[ A ] = E[ i=1 = t 1 j=0 1(X i,j is new)] i=1 t 1 j=0 Pr(X i,j is new),

where 1 is the indicator function of an event and an entry is said to be new if its value is not present in the previous rows nor in the previous entries of its row.

Pr(X i,j is new) Pr(X i,0, X i,1, ..., X i,j are all new) = = Pr(X i,0 is new) Pr(X i,1 is new X i,0 is new) Pr(X i,j is new X i,0, X i,1, ..., X i,j 1 are new) = = A i,0 A i,0 1 A i,0 2 A i,0 j,

where A i,j denotes the set of entries present in the table up to the entry X i,j. Clearly, A i,0 > A i,0 1 > > it. By combining the bounds, we get that

[ ] j+1 it Pr(X i,j is new)

Together, we have

P (S) 1 t 1 [ ] j+1 it i=1 j=0

Assume a large fixed . For , t such that t 2 , the terms added on the right side of (1.2) are all close to 1 and the bound could be rewritten as P (S) t. From (1.1) we see that t is also an upper bound for P(S), because generally, not all the entries are distinct. Therefore, for t 2 , increasing or t will increase P(S).

Lemma 5. For large ,

[ ] j ( ) it ijt exp

Proof. An identity from real analysis states that for x, y, w R, [ 1 + y x] wx exp(wy). If we put x := w := j/ y := it, we get that for

[ ] j it = [ 1 + it ] j ( ) ijt exp

Using exp ( ) t 2 to approximate exp ( ) ijt gives that for t 2 most terms will be small and not add much to the lower bound of P(S). Hellman concluded that the optimal values of and t are such that t 2 = . If , t are both large and satisfy t 2 = , then numerical approximation gives

1 t 1 [ ] j+1 it 0.80t i=1 j=0

Hellman neglects the 0.80 factor. Then for , t such that t 2 = , P (S) t = t = 1 t, which is small. For that reason, the attacker computes t different tables B_l. Each table B_l is computed using a different reduction function R_l and the corresponding f_l = R_l(E_K(P_0)). During the attack, the attacker tries to find the key in one table after another until she succeeds or she has tried all the tables. Since the cycle structure varies among the different functions R_l, a collision of entries in two tables does not imply that the successive entries in the same row will also collide. This is very important for guaranteeing that more tables will yield better coverage of the key space.

The memory required for the attack, M, is the number of (SP_i, EP_i) pairs stored, which is the number of rows per table times the number of tables. Thus, M = t. The computation time during the attack, T, is the number of operations per table times the number of tables, i.e. T = t 2. The time needed during precomputation, P, is the number of rows per table times the number of operations per row times the number of tables, i.e. P = t t = . Lastly, the amount of data available during the attack, D, is one, because the attacker gets only one ciphertext C_0. Together,

T M 2 = t 2 2 t 2 = t 4 2 = 2

As a result, the time-memory tradeoff curve for this attack is T M 2 = 2. Hellman suggested to use the point M = T = 2/3 on the tradeoff curve.

It still needs to be shown that the false alarms, which may occur during the attack, do not significantly increase the computation time. The following theorem due to Hellman gives an upper bound for the expected number of false alarms.

Theorem 6. The expected number of false alarms per table tried, E[F], is bounded by

t(t + 1) E[F ] (1.3) 2

Proof. Let F i,j be the event that a false alarm has occurred as a result of Y_j = EP_i. Then

t E[F ] = Pr(F i,j ) i=1 j=1

F i,j can occur in j different situations as illustrated in Figure 1.2.

[Figure 1.2: A diagram of the possible ways of F i,j occurring.]

Assuming that f is a random function on {1, ..., }, the values K, f(K) = Y_1, f 2 (K) = Y_2, ... are independent random variables uniformly distributed over the space {1, ..., }. As a result, the first way of F i,j occurs with the probability of 1/, the second with the probability of (1 1/)(1/), the third with the probability of (1 1/) 2 (1/), etc. Therefore, each way of F i,j occurs with at most the probability of 1/. Thus,

E[F ] i=1 t j=1 j = t(t + 1) 2

Hellman concluded that if t 2 = 1, then the increase in expected computation time due to false alarms will at most be 50 percent.

1.3 Modification of the attack for n_k = n_c

In his description of the attack, Hellman assumed that n_k < n_c. In other words, he assumed that the key space is smaller than the ciphertext space, which is the case of the DES block cipher. We explore how the attack changes if n_k = n_c.

To see if the attack would differ from the case n_k < n_c, we inspect the function f(K) = R(E_K(P_0)). For n_k = n_c, the function R : {0, 1}^{n_c} {0, 1}^{n_k} is no longer a reduction, but a function that maps the key space into itself. It is advantageous for the attacker to choose R as a simple bijection on {0, 1}^{n_k}, such as a reordering of the bits.

The properties of the function E ( ) (P_0) : K C K E_K(P_0) depend on the block cipher attacked. Generally, we cannot be sure that, for a given P_0, (E_{K_1}(P_0) = E_{K_2}(P_0)) (K_1 = K_2). In other words, E ( ) (P_0) may not be injective for some P_0. However, a secure block cipher with n_k = n_c should have this property for all P_0 P. If we assume that E ( ) (P_0) is injective and that R is a bijection, then their composite f is also injective.

Once we know that f is injective, the attack is simplified, because chains of iterations of f do not merge and so false alarms do not occur. During the attack phase, when Y_j = EP_i for some j {1, ..., t} and i {1, ..., }, then necessarily, X i,t j is the key, since no false alarm could have occurred. There is no need to check whether C_0 = E Xi,t j (P_0). More importantly, the i-th row of B is reconstructed only when it really contains the key, which happens at most once during the attack. In the original attack, the i-th row was reconstructed each time a false alarm occurred. From Theorem 6, the increase in expected computation time due to false alarms is at most 50 percent. This increase is avoided in the attack where n_k = n_c.

1.4 Hellman's attack with Rivest's sampling

In Hellman's attack, it was not taken into consideration that access to memory takes much longer than a computation. For example, one random access to a hard disk takes approximately 10 million times longer in real time than a simple computational step such as addition or multiplication on an average current processor. The attack could be made much faster by reducing the number of table lookups during the attack phase. Ron Rivest [2] introduced a technique referred to as sampling or use of special points, which achieves just that. He suggested to iterate the function f_l on each starting point, during precomputation, not exactly t times, but until a special point is reached. The attacker can choose which points she considers special, as long as for every key, it is easy to recognize whether it is special or not. A simple choice of special points is keys with 0s in the first u bits. Then the set of special points is

S_u := {(s_1, s_2, ..., s_{n_k}) {0, 1}^{n_k} s_i = 0, i = 1, ..., u}, u < n_k

Ending the iterations of f_l with a special point achieves that i {1, ..., } : EP_i S_u for a fix chosen u. Along with the starting points and end points, the attacker saves the length of the longest chain in the l-th table, denoted t_l. If two different starting points lead to the same end point, a merge of the two chains must have occurred. In that case, one of the chains can be disregarded and replaced by another chain with a new starting point, in order to guarantee a table free of merges. A collision among end points is discovered at no additional cost as the end points must be sorted.

The attacker should choose the value of 1 u < n_k so that the average length of a chain is t. We use the birthday paradox. For an arbitrary but fixed i, put A := {X i,0, X i,1, ..., X i,t} and B := S_u. Function f_l is random on the space of = 2 n k keys, therefore A is a random subset of {0, 1}^{n_k}. B is not a random subset of {0, 1}^{n_k}, but its elements are independent of those in set A. A = t, unless the chain is looped, which we will discuss later. B = S_u = 2 nk u = 2 u. From the birthday paradox, if A B = , then the probability that A B is approximately 0.63. When A B , it means that the chain in A contains a special point, which is what we want.

A B = t 2 u = t 2 u = 1 t = 2 u

Thus, for u such that 2 u = t, the average length of a chain will be t.

During the attack phase, the attacker computes Y_1, Y_2, Y_3, ... as in Hellman's attack. She does not need to check whether Y_j = EP_i for some i by accessing memory. She only checks whether Y_j S_u, which is easy. If Y_j S_u, then

1. if i {1, ..., } : Y_j = EP_i then the i-th row of the table either contains the key or a false alarm has occurred;
2. if i {1, ..., } : Y_j EP_i then the attacker proceeds with Y_{j+1}.

For each table, the attacker computes Y_j for j = 1, ..., t_l, unless she has already found the key.

It is advantageous for the attacker to restrict the maximum length of a chain during precomputation. Firstly, if f_l is iterated more than a multiple of t times, without coming across a special point, then due to the birthday paradox, it is likely that the chain is in a loop. In that case, the chain should be abandoned and another random starting point used. Secondly, assume a table contains one or a few very long chains and the rest of the chains are considerably shorter, for example, they have less than j entries for some j {1, ..., t_l /2}. Then computing Y_j for j = j, ..., t_l during the attack is wasteful, because it searches for the key only in the few chains longer than j.

There is one difficulty during the attack. Since chains vary in length within a table, when the attacker has Y_j = EP_i, she does not know at which position in the i-th chain the key candidate is. She needs to find the key candidate and verify whether it is a false alarm. In the original publication [2], it is not specified how to deal with this. We propose two options:

- During precomputation, she saves the number of iterations of f_l used on SP_i to get EP_i in the memory with the (SP_i, EP_i) pair and denotes it t i,l. Then once Y_j = EP_i during the attack, she knows that the key candidate is f t i,l j l (SP_i). The advantage of this option is that a false alarm is found with t i,l j steps. The disadvantage is that the size of each word of memory increases from two numbers lower than to two numbers lower than and one number approximately t, where t would often be chosen as 1/3.
- She does not save the number of iterations of f_l used on SP_i to get EP_i during the precomputation. When Y_j = EP_i during the attack, the attacker uses the starting point SP_i = X i,0 as a key in encryption of P_0 to check whether it is the key used to get C_0. Thus, if E Xi,0 (P_0) = C_0 then she has found the key and is done. If not, she applies the reduction function to E Xi,0 (P_0) and gets R(E Xi,0 (P_0)) = X i,1. She checks whether X i,1 S_u. If X i,1 is a special point, then, from the construction of the chains, she knows X i,1 = EP_i, which means that a false alarm occurred. If X i,1 is not a special point, she continues in the search and checks whether X i,1 is the key. If not, she applies the reduction to get X i,2 and so on. The reason she must always check whether the point she got is special is that if she did not do so and a false alarm occurred, then she could enter an endless cycle. The advantage is that this method requires no additional memory. The disadvantage is that, in the case of a false alarm, the entire chain is reconstructed.

The advantage of Rivest's sampling over Hellman's original attack is that the number of disk operations during the attack is reduced. With sampling, the attacker only accesses the memory when Y_j is a special point, which happens about once per chain of Y_j. For each f_l, there is a chain of Y_j computed. Therefore, the memory is accessed only t times and not t 2 times as in the original attack. The number of computations during the attack remains T = t 2. The other advantages of sampling are that the tables are free of merges and free of loops, which means increased coverage of the key space.

2 Rainbow tables and r-coloured rainbows

2.1 The rainbow table attack

Again, assume a block cipher (P, C, K, E, D) and assume that P = C = {0, 1}^{n_c} and K = {0, 1}^{n_k} for n_c, n_k such that n_c > n_k. Philippe Oechslin [3] described a modification of Hellman's attack, which yields the same time-memory tradeoff curve, is twice as fast during the attack phase and has the advantages of sampling. Oechslin proposed to precalculate one large t t table instead of Hellman's t tables of size (t + 1) each. He called his table a rainbow table. Although Oechslin described his modification for an t t table, we will present his idea on an t (t + 1) table in order to be in correspondence with Hellman's parameters.

The precomputation phase

As in the original attack, t functions f_j : K K will be used in the precomputation. f_j(K) = R_j(E_K(P_0)), where R_j : C K, j = 1, ..., t are distinct simple reduction functions. Using the same notation, we have SP_i = X i,0, EP_i = X i,t, i = 1, ..., t and the rows of the table are calculated using the following recursion formula:

X i,j+1 = f_{j+1}(X i,j), j = 1, ..., t, i = 1, ..., t

The recursion yields the following rainbow chains, in which successive entries are linked by f_1, f_2, ..., f t 1, f_t in turn:

SP_1 = X 1,0 X 1,1 X 1,t 1 X 1,t = EP_1
SP_2 = X 2,0 X 2,1 X 2,t 1 X 2,t = EP_2
SP t = X t,0 X t,1 X t,t 1 X t,t = EP t

The attacker saves the doubles (SP_i, EP_i) for i = 1, ..., t sorted by EP_i.

The attack phase

Again, it is a chosen plaintext attack. The attacker has chosen a P_0, precomputed the table for it and now she obtains the ciphertext C_0 = E_K(P_0) and tries to find the key K. She computes Y_1 := R_t(C_0) and checks whether Y_1 = EP_i for some i {1, ..., t}.

1. If Y_1 = EP_i, then the attacker reconstructs the i-th chain to find X i,t 1. Either X i,t 1 is the key or a false alarm has occurred.
2. If i : Y_1 EP_i or a false alarm has occurred, then the attacker computes Y_2 := f_t(R t 1 (C_0)) and checks whether Y_2 = EP_i.

Unless she finds the key, the attacker computes

Y 3 := f t (f t 1 (R t 2 (C 0 )))
Y 4 := f t (f t 1 (f t 2 (R t 3 (C 0 ))))
Y t 1 := f t (f t 1 ( (f 3 (R 2 (C 0 ))) ))
Y t := f t (f t 1 ( (f 3 (f 2 (R 1 (C 0 )))) ))

and checks whether they are the key. Figure 2.1 illustrates a rainbow chain in detail and should clarify why the attacker must always start with applying a different reduction function and then a sequence of functions f_j to the C_0.

[Figure 2.1: The bold dots represent points in the ciphertext space. By E ( ), it is meant that the function E ( ) (P_0) is applied to the previous point of the key space.]

2.2 The probability of success

The probability of success of the attack is the probability that the key used to get C_0 is in the first t columns (end points excepted) of the t (t+1) rainbow table. That probability is dependent on the coverage of the key space by the t 2 entries in the rainbow tables. The probability of success of Hellman's attack also depends on the coverage of the key space by the t 2 entries in the t tables. Therefore, the probabilities of success can be compared by comparing the coverage. One rainbow table and t Hellman's tables contain the same number of entries. What determines the coverage is the number of collisions, merges and loops. Collisions among two entries with different preimages occur with the same probability in a rainbow table as in Hellman's tables, because f_l are considered random functions.

Assume a collision occurs among the t 2 points in the first t columns of either the classical tables or one rainbow table. The collision causes a merge of chains only if the two points are in the same group of t points, that is in the same classical table or in one column of the rainbow table. In the next section, it will be explained how merges can be removed from a rainbow table and that a rainbow table does not have any loops. Therefore, the expected coverage of an t (t + 1) rainbow table is at least as good as the expected coverage of t Hellman's tables of size (t + 1) and so the probability of success of a rainbow table is greater than or equal to that of Hellman's tables. Figure 2.2 shows t Hellman's tables and one rainbow table.

[Figure 2.2 (panels: t Hellman's tables; 1 rainbow table): One rainbow table as well as t classical tables contain t chains of length t + 1, they both use t functions f_j, but in a different arrangement.]
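The two arrangements compared in Section 2.2 and Figure 2.2, as an added example that is not part of the thesis: the same starting points are precomputed once as t classical tables and once as one rainbow table, and every key of a toy key space is then attacked. Assumptions: SHA-256 stands in for E_K(P_0), the key space has 2^10 keys, the reductions are additive shifts, and all names and parameter values are illustrative.

```python
import hashlib
import random

KEY_BITS = 10                        # toy key space (assumption): 2**10 keys
N_KEYS = 1 << KEY_BITS
P0 = b"constructed plaintext block"  # fixed chosen plaintext (constructed sample)


def encrypt(key, pt=P0):
    """Stand-in for E_K(P0): a keyed one-way map, not a real block cipher."""
    return hashlib.sha256(key.to_bytes(2, "big") + pt).digest()


def reduce_ct(ct, colour):
    """Reduction R_colour from ciphertexts to keys; one cheap variant per colour."""
    return (int.from_bytes(ct[:4], "big") + 2481 * colour) % N_KEYS


def f(key, colour):
    """f_colour(K) = R_colour(E_K(P0))."""
    return reduce_ct(encrypt(key), colour)


def walk(x, first, last, colour_of):
    """Apply f for steps first..last in order (nothing if first > last)."""
    for step in range(first, last + 1):
        x = f(x, colour_of(step))
    return x


def build_table(starts, t, colour_of):
    """Precomputation: store only end point -> list of starting points."""
    table = {}
    for sp in starts:
        table.setdefault(walk(sp, 1, t, colour_of), []).append(sp)
    return table


def covered(starts, t, colour_of):
    """Keys in the first t columns, i.e. the keys the table can recover."""
    keys = set()
    for x in starts:
        for pos in range(t):
            keys.add(x)
            x = f(x, colour_of(pos + 1))
    return keys


def lookup(table, t, colour_of, c0):
    """Attack phase on one table: return (key or None, false alarms)."""
    alarms = 0
    for pos in range(t - 1, -1, -1):            # suppose K sits in column pos
        y = walk(reduce_ct(c0, colour_of(pos + 1)), pos + 2, t, colour_of)
        for sp in table.get(y, ()):
            cand = walk(sp, 1, pos, colour_of)  # rebuild chain up to column pos
            if encrypt(cand) == c0:
                return cand, alarms
            alarms += 1                         # end point matched, key did not
    return None, alarms


def attack(tables, t, c0):
    """Try each (table, colour_of) pair in turn."""
    alarms = 0
    for table, colour_of in tables:
        key, a = lookup(table, t, colour_of, c0)
        alarms += a
        if key is not None:
            return key, alarms
    return None, alarms


def hellman_tables(starts, rows, t):
    """t tables of `rows` chains each; table l uses f_l in every column."""
    out = []
    for l in range(1, t + 1):
        colour_of = lambda step, l=l: l
        chunk = starts[(l - 1) * rows:l * rows]
        out.append((build_table(chunk, t, colour_of), colour_of))
    return out


def rainbow_table(starts, t):
    """One table holding all chains; column j uses f_j."""
    colour_of = lambda step: step
    return [(build_table(starts, t, colour_of), colour_of)]


def compare(rows=16, t=8, seed=2012):
    """Attack every key with both arrangements built from the same starts."""
    starts = random.Random(seed).sample(range(N_KEYS), rows * t)
    result = {}
    for name, tables in (("hellman", hellman_tables(starts, rows, t)),
                         ("rainbow", rainbow_table(starts, t))):
        found = alarms = 0
        for key in range(N_KEYS):
            got, a = attack(tables, t, encrypt(key))
            found += got == key
            alarms += a
        result[name] = {"found": found, "false_alarms": alarms}
    return result


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

A lookup succeeds exactly when the key lies in the first t columns of some chain, so the `found` counts measure coverage of the key space and `false_alarms` counts the chain reconstructions that did not yield the key.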

2.3 Advantages over Hellman's attack

Oechslin's attack has many advantages.

Firstly, when neglecting false alarms, the number of calculations during the attack phase in the worst case, when all columns are searched, is

$$1 + 2 + \cdots + (t-1) + t = \frac{t(t+1)}{2}.$$

Hellman's attack requires $t^2$ calculations in the worst case. Therefore, Oechslin's attack reduces the computation time by a factor of almost two.

Secondly, rainbow tables have the same advantages over Hellman's method that Rivest's sampling has: the number of disk operations during Oechslin's attack is at most $t$, because there is only one table. Hellman's attack needs up to $t^2$ disk operations, because there are $t$ tables. As mentioned earlier, disk operations take a lot of time and it is a significant improvement to reduce their number. If two chains in a rainbow table merge, the end points of the chains are the same and the merge can easily be detected during precomputation. By replacing one of the merging chains with a new one, the attacker achieves a table free of merges at a little additional precomputation effort. A rainbow table cannot contain any loops, because each successive function $f_j$ applied to the points in one chain is different. Thus, rainbow tables are free of loops, just as tables with sampling are, but without the additional precomputation effort required to replace loops.

Thirdly, rainbow tables do not have some of the disadvantages of sampling, because their chains have constant length. In a table with varying chain lengths, a long chain has more points than a short chain; thus, there are more places where another chain can merge into it. Long chains are likely to merge with other long chains, creating large trees. A large tree is likely to yield a false alarm, because it has many branches. When a false alarm occurs in a long chain, it takes more computational effort to determine that it is a false alarm than in a short chain. Oechslin concludes that false alarms cause a greater increase in computation time in tables with sampling, which have variable chain length, than in rainbow tables.

2.4 The new r-coloured rainbows attack

We propose a new modification of Hellman's attack, which we call r-coloured rainbows. The new attack is something in between the original attack and rainbow tables. In one table of r-coloured rainbows, $r$ different functions $f_l$ are used repeatedly in each row.

The general assumptions remain: $(\mathcal{P}, \mathcal{C}, \mathcal{K}, E, D)$ is a block cipher, $\mathcal{P} = \mathcal{C} = \{0,1\}^{n_c}$ and $\mathcal{K} = \{0,1\}^{n_k}$ for $n_c$, $n_k$ such that $n_c > n_k$. We want to use $t$ different functions $f_l$ altogether and have $t + 1$ columns in each table. Since each table contains $r$ different functions $f_l$, we precompute $t/r$ tables. The parameter $r$ must satisfy $1 \le r \le t$ and $r \mid t$. To be consistent with the other attacks, we want the tables without the last column to contain
$t^2$ points. Therefore, each table must have $r$ rows. Thus, the attacker precomputes $t/r$ tables of size r (t + 1), where , t, r, such that $1 \le r \le t$ and $r \mid t$, are parameters of the attack.

The precomputation phase

As in the two previous attacks, $t$ functions $f_l : \mathcal{K} \to \mathcal{K}$ are used in the precomputation:

$$f_l(K) = R_l(E_K(P_0)),$$

where $R_l : \mathcal{C} \to \mathcal{K}$ are distinct simple reduction functions. We use the same notation again, so $X_{i,j}$ are entries in a table and $SP_i = X_{i,0}$ and $EP_i = X_{i,t}$, $i = 1, \dots, r$. The entries in each table are calculated with the following formula:

$$X_{i,j+1} = f_{(j \bmod r)+1}(X_{i,j}), \quad j = 0, \dots, t-1, \quad i = 1, \dots, r.$$

The resultant table looks like this:

$$SP_1 = X_{1,0} \xrightarrow{f_1} X_{1,1} \xrightarrow{f_2} \cdots \xrightarrow{f_r} X_{1,r} \xrightarrow{f_1} \cdots \xrightarrow{f_r} X_{1,t} = EP_1$$
$$SP_2 = X_{2,0} \xrightarrow{f_1} X_{2,1} \xrightarrow{f_2} \cdots \xrightarrow{f_r} X_{2,r} \xrightarrow{f_1} \cdots \xrightarrow{f_r} X_{2,t} = EP_2$$
$$\vdots$$
$$SP_r = X_{r,0} \xrightarrow{f_1} X_{r,1} \xrightarrow{f_2} \cdots \xrightarrow{f_r} X_{r,r} \xrightarrow{f_1} \cdots \xrightarrow{f_r} X_{r,t} = EP_r$$

The attacker saves the pairs $(SP_i, EP_i)$ for $i = 1, \dots, r$ sorted by $EP_i$.

The attack phase

Once more, it is a chosen plaintext attack, so the attacker obtains $C_0 = E_K(P_0)$ and tries to find the key $K$. As in the previous attacks, for each table, the attacker computes some $Y_1, \dots, Y_t$ from the $C_0$. For each $Y_j$, she checks if $Y_j = EP_i$. If so, she reconstructs the $i$-th chain. If $Y_j$ does not get her the key, she computes $Y_{j+1}$. This part of the attack is analogous to the previous two attacks. The only step that is different is how the $Y_j$ are calculated. In our r-coloured rainbows attack, the attacker computes the
following:

$$Y_1 := R_r(C_0)$$
$$Y_2 := f_r(R_{r-1}(C_0))$$
$$Y_3 := f_r(f_{r-1}(R_{r-2}(C_0)))$$
$$\vdots$$
$$Y_{r-1} := f_r(f_{r-1}(\cdots(f_3(R_2(C_0)))\cdots))$$
$$Y_r := f_r(f_{r-1}(\cdots(f_3(f_2(R_1(C_0))))\cdots))$$
$$Y_{r+1} := f_r(f_{r-1}(\cdots(f_3(f_2(f_1(R_r(C_0)))))\cdots))$$
$$Y_{r+2} := f_r(f_{r-1}(\cdots(f_3(f_2(f_1(f_r(R_{r-1}(C_0))))))\cdots))$$
$$\vdots$$
$$Y_{t-1} := f_r(\cdots(f_r(\cdots(f_r(\cdots(f_3(R_2(C_0)))\cdots))\cdots))\cdots)$$
$$Y_t := f_r(\cdots(f_r(\cdots(f_r(\cdots(f_3(f_2(R_1(C_0))))\cdots))\cdots))\cdots)$$

The calculation of $Y_j$ requires $j$ computations. If the attacker computed $Y_1, \dots, Y_t$ as shown above, her computation time for one r-coloured table would be

$$1 + 2 + \cdots + (t-1) + t = \frac{t(t+1)}{2}.$$

It is the same computation time as for one rainbow table. However, in our r-coloured rainbows attack, she has $t/r$ tables, not just one. Therefore, the new attack would be quite inefficient.

Fortunately, an improvement can be made in the calculation. Notice that

$$Y_{r+1} = f_r(f_{r-1}(\cdots(f_3(f_2(f_1(Y_1))))\cdots))$$
$$Y_{r+2} = f_r(f_{r-1}(\cdots(f_3(f_2(f_1(Y_2))))\cdots))$$

If we denote $h := f_r \circ f_{r-1} \circ \cdots \circ f_2 \circ f_1$, then

$$Y_{qr+p} = h^q(Y_p)$$

for $p$, $q$ such that $p \in \{1, \dots, r\}$ and $qr + p \in \{1, \dots, t\}$. The attacker
computes $Y_1, \dots, Y_t$ in the following order to utilize the above observation:

$$Y_1 = R_r(C_0), \quad Y_{r+1} = h(Y_1), \quad Y_{2r+1} = h(Y_{r+1}), \quad \dots, \quad Y_{t-r+1} = h(Y_{t-2r+1})$$
$$Y_2 = f_r(R_{r-1}(C_0)), \quad Y_{r+2} = h(Y_2), \quad Y_{2r+2} = h(Y_{r+2}), \quad \dots$$
$$\vdots$$
$$Y_r = f_r(f_{r-1}(\cdots(f_3(f_2(R_1(C_0))))\cdots)), \quad Y_{2r} = h(Y_r), \quad \dots, \quad Y_{t-r} = h(Y_{t-2r}), \quad Y_t = h(Y_{t-r})$$

With the improvement, the computation time for one table, in the worst case when all $Y_j$ are calculated, is

$$t \cdot r - \frac{r(r-1)}{2}.$$

The function $h$ is a composition of $r$ functions and we count it as $r$ operations. If each $Y_j$ were computed with function $h$, then the computation required for $Y_1, Y_2, \dots, Y_t$ would be $t \cdot r$. But $Y_1, Y_2, \dots, Y_{r-1}$ each require only $r/2$ computations on average and that is why $\frac{r(r-1)}{2}$ is subtracted. The computation time for all $t/r$ tables is

$$T = \frac{t}{r}\left(t \cdot r - \frac{r(r-1)}{2}\right) = t^2 - \frac{t(r-1)}{2}.$$

Comparison of the new attack with the previous attacks

Before we take a closer look at the three attacks and compare them, notice that 1-coloured rainbows attack is Hellman's attack and that a t-coloured rainbow is a rainbow table. Figure 2.3 graphically compares the computation time for Hellman's $t$ tables, r-coloured rainbows for two choices of $r$ and one rainbow table. Each dot represents one computation during the attack. The separated columns represent the $t/r$ different tables. Each short row in one separated column represents the computations for one $Y_j$.

[Figure 2.3 (dot diagrams), four panels:
t Hellman's tables, $r = 1$, $t$ tables: $T_1 = t^2$;
r-coloured rainbows, $r = t/6$, 6 tables: $T_2 = 6\left(t \cdot r - \frac{r(r-1)}{2}\right) = \frac{11t^2}{12} + \frac{t}{2}$;
r-coloured rainbows, $r = t/2$, 2 tables: $T_3 = 2\left(t \cdot r - \frac{r(r-1)}{2}\right) = \frac{3t^2}{4} + \frac{t}{2}$;
1 rainbow table, $r = t$, 1 table: $T_4 = \frac{t(t+1)}{2} = \frac{t^2}{2} + \frac{t}{2}$.]
Figure 2.3: Comparison of the computation times of the three attacks.

From the formula for the computation time in
r-coloured rainbows,

$$T = t^2 - \frac{t(r-1)}{2},$$

we see that the closer $r$ is to $t$, the smaller $T$ is. This corresponds with the observation that in Figure 2.3, for $t > 6$, $T_1 > T_2 > T_3 > T_4$. Therefore, our new attack is not better, in terms of computation time, than a rainbow table, but it is better than Hellman's attack.

One of the main advantages of a rainbow table over Hellman's tables is that it requires fewer hard disk accesses during the attack. Hellman's attack requires $t^2$ disk operations. Rainbow tables require only $t$ disk operations. Our r-coloured rainbows attack requires

$$t \cdot \frac{t}{r} = \frac{t^2}{r}$$

disk operations. Therefore, for a fixed $t$, our attack reduces the number of disk operations by a factor of $r$ when compared to Hellman's. With regards to the number of disk operations, our attack is again not better than a rainbow table, but it is better than Hellman's attack.

Another property of the attack that should be compared is the coverage of the key space. The tables in all three attacks contain $t^2$ points in the first $t$ columns. If a collision among two entries in r-coloured rainbows occurs, it causes a merge only if the next functions applied are the same. In one chain, one specific function $f_l$ is applied $t/r$ times and there are $r$ chains in a table. The other tables do not use $f_l$ at all. Therefore, a merge results from a collision only if the colliding entries are in the same group of $r \cdot (t/r) = t$ entries, which corresponds to a fixed $f_l$. Thus, collisions cause merges in r-coloured rainbows equally often as in Hellman's tables and a rainbow table.

Merges in r-coloured rainbows can be detected by colliding end points only if the merge occurred in the same column. Assume there are two entries in a table colliding and causing a merge, then the entries must be in the same group of $t/r$ columns. Therefore, only $r/t$ of merges start in the same column and can be detected and removed during precomputation. Again, this is better than Hellman's inability to detect any merges and it is worse than being able to detect all merges in a rainbow table.

Loops can occur in r-coloured rainbows, but only if two entries in the same row, which are a multiple of $r$ positions apart, collide. As a result, the length of a loop in r-coloured rainbows is always a multiple of $r$. Parameter $r$ bounds the length of loops from below. In Hellman's attack, a loop occurs when any two entries in one row collide and a loop can be of any length. Therefore, loops occur $r$ times less frequently in r-coloured rainbows than in Hellman's attack and their length is bounded from below.

From the above discussion, it is clear that r-coloured rainbows with $t/r$ tables of size r (t + 1) have better coverage than Hellman's $t$ tables of size (t + 1) and worse coverage than an t (t + 1) rainbow table. Thus, the probability of success of r-coloured rainbows is also in between the probability of success of Hellman's attack and the rainbow table attack.

So far, for every property of the attack that we inspected, the r-coloured rainbows perform better than the original attack and worse than a rainbow table. Do
r-coloured rainbows bring anything new and better than the other two attacks? Yes, they may. Recall function $h$:

$$h = f_r \circ f_{r-1} \circ \cdots \circ f_2 \circ f_1.$$

When calculating the computation time $T$, we assumed function $f_l$ is one computation step and so $h$ is $r$ computation steps. However, if the cryptosystem attacked were such that it would allow for some efficient implementation of $h$, the r-coloured rainbows attack would improve. The fact that the attacker can choose the reduction function $R_l$ in each $f_l$ may help her implement $h$ efficiently.

Assume the attacker is able to reduce the computation steps needed to apply function $h$ from $r$ steps to $r/c$ steps, for some c r. Function $h$ is different for every table, so assume the attacker is able to efficiently implement all $t/r$ functions $h$. Then the computation time for one table is

$$(t - r)\frac{r}{c} + \frac{r(r+1)}{2}.$$

The first term counts the steps needed to calculate $Y_{r+1}, \dots, Y_t$, which uses function $h$. The second term is the number of calculations needed for $Y_1, \dots, Y_r$, where $h$ is not used. The $t/r$ tables require

$$\frac{t}{r}\left((t - r)\frac{r}{c} + \frac{r(r+1)}{2}\right) = \frac{t(t-r)}{c} + \frac{t(r+1)}{2} = \frac{t^2}{c} - \frac{tr}{c} + \frac{t(r+1)}{2}$$

computations. When neglecting the second and third terms, where only $t$ and not $t^2$ appears, the computation time can be reduced by a factor of $c$ in comparison with Hellman's time. This is a much greater improvement than the reduction by 2 achieved by a rainbow table.

With the efficient implementation of function $h$, the precomputation in the r-coloured rainbows attack is also $c$ times faster than in the other two attacks. The original precomputation time r t t r = t2 = is the same as with Hellman's attack or a rainbow table. The efficient precomputation time is r t c t r = t2 = c c
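
The precomputation and attack phases of Section 2.4, as an added example that is not code from the thesis. It builds the $t/r$ tables, computes the $Y_j$ in the improved order $Y_{qr+p} = h^q(Y_p)$ and counts the evaluations, so the worst case can be compared with $T = t^2 - t(r-1)/2$, including the two limits $r = 1$ (Hellman) and $r = t$ (rainbow table). The 12-bit key space, the SHA-256 stand-in for $E_K(P_0)$, the reduction functions, the start points, the `rows` parameter and all function names are assumptions made for the demonstration.

```python
import hashlib

N_K_BITS, N_C_BITS = 12, 32   # toy sizes with n_c > n_k (assumed for the demo)
N_KEYS = 1 << N_K_BITS
P0 = b"chosen plaintext"      # constructed fixed plaintext P_0

def E(key):
    """Stand-in for E_K(P_0): a keyed random-looking map, not a real cipher."""
    digest = hashlib.sha256(key.to_bytes(2, "big") + P0).digest()
    return int.from_bytes(digest[:N_C_BITS // 8], "big")

def R(l, c):
    """Reduction function R_l : C -> K, a different simple map for each l."""
    return (c ^ (l * 0x9E37)) % N_KEYS

def f(l, key):
    """f_l(K) = R_l(E_K(P_0))."""
    return R(l, E(key))

def colour(table, j, r):
    """Index l of the function applied at column j: (j mod r) + 1, offset so
    that table number `table` (0-based) owns its own r of the t functions."""
    return table * r + (j % r) + 1

def chain(table, start, upto, r):
    """X_{i,upto}, starting from SP_i = X_{i,0}."""
    x = start
    for j in range(upto):
        x = f(colour(table, j, r), x)
    return x

def precompute(t, r, rows):
    """t/r tables, each a map EP -> [SP, ...]; a dict stands in for the sorted
    (SP, EP) list, and every start point is kept even when chains merge."""
    if not (1 <= r <= t and t % r == 0):
        raise ValueError("need 1 <= r <= t and r | t")
    tables = []
    for table in range(t // r):
        ends = {}
        for i in range(rows):
            sp = ((table * rows + i) * 7) % N_KEYS   # constructed distinct start points
            ends.setdefault(chain(table, sp, t, r), []).append(sp)
        tables.append(ends)
    return tables

def attack(c0, tables, t, r, exhaustive=False):
    """Return (key or None, evaluations of f/R spent on computing the Y_j).
    exhaustive=True keeps searching after a hit, to measure the worst case."""
    ops, found = 0, None
    for table, ends in enumerate(tables):
        for p in range(1, r + 1):
            # Y_p directly: one reduction of C_0, then f up to the last column (p steps).
            y = R(colour(table, t - p, r), c0)
            for j in range(t - p + 1, t):
                y = f(colour(table, j, r), y)
            ops += p
            for idx in range(p, t + 1, r):           # idx = p, r+p, 2r+p, ...
                if idx > p:                           # Y_idx = h(Y_{idx-r}), r steps
                    for j in range(r):
                        y = f(colour(table, j, r), y)
                    ops += r
                for sp in ends.get(y, ()):            # Y_idx == EP_i: rebuild chain i
                    k = chain(table, sp, t - idx, r)
                    if found is None and E(k) == c0:  # otherwise a false alarm
                        found = k
                if found is not None and not exhaustive:
                    return found, ops
    return found, ops

def worst_case(t, r):
    """T = t^2 - t(r-1)/2 from the text."""
    return t * t - t * (r - 1) // 2

if __name__ == "__main__":
    t, rows = 12, 8
    for r in (1, 2, 3, 4, 6, 12):
        tables = precompute(t, r, rows)
        secret = chain(0, 21, 5, r)                   # a key that lies in table 0
        _, ops = attack(E(secret), tables, t, r, exhaustive=True)
        print(f"r={r:2d} tables={t // r:2d} evaluations={ops} formula={worst_case(t, r)}")
```

The count covers only the computation of the $Y_j$, which is what the formula for $T$ measures; chain reconstruction after a matching end point is extra work, as are false alarms.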

3 Time-memory tradeoff attacks on stream ciphers

Time-memory tradeoff attacks can be performed not only on block ciphers, but on stream ciphers as well.

Definition 7. An additive synchronous stream cipher is an ordered 7-tuple $(A, \mathcal{K}, \mathcal{I}, \Sigma, g_0, g, F)$, such that

1. $A(+, 0)$ is a finite additive group,
2. $\mathcal{K}$ is a finite set of keys,
3. $\mathcal{I}$ is a finite set of initialization vectors,
4. $\Sigma$ is a finite set of internal states of the cipher,
5. $g_0 : \mathcal{K} \times \mathcal{I} \to \Sigma$ is the initialization function,
6. $g : \Sigma \to \Sigma$ is the next-state function,
7. $F : \Sigma \to A$ is the keystream generation function.

The internal state of a synchronous stream cipher is initialized with the key $K \in \mathcal{K}$ and an initialization vector $IV \in \mathcal{I}$ by an initialization function $g_0$, i.e. $s_0 = g_0(K, IV)$. Function $g$, which maps a state to another state, produces an endless sequence of states $(s_0, s_1, s_2, \dots)$ with the formula

$$s_{h+1} = g(s_h).$$

The keystream is an endless sequence of symbols $(z_0, z_1, z_2, \dots)$. Function $F$ maps a state to one symbol of the keystream:

$$z_h = F(s_h).$$

In an additive synchronous stream cipher, a plaintext stream $p \in \mathcal{P}$ is encrypted by adding it to the keystream:

$$c_h = p_h + z_h.$$

The set of plaintexts is the set of all finite length sequences of symbols from $A$ (i.e. $A^*$) and the set of ciphertexts $\mathcal{C}$ is also $A^*$. Figure 3.1 shows the structure of an additive synchronous stream cipher.

In this chapter, we assume that $A = Z_2(+, 0)$ and $\mathcal{K} = \Sigma = \{0,1\}^n$ for some $n$. Denote = $2^n$ the number of all internal states. Also assume that the attacker knows functions $g_0$, $g$ and $F$ and does not know the key nor the internal state at any moment.

[Figure 3.1 (diagram with the labels $K$, $IV$, $g_0$, $s_h$, $g$, $F$, $z_h$, $p_h$, $c_h$).]
Figure 3.1: Additive synchronous stream cipher.

3.1 The BG attack

Babbage [4] and Golić [5] independently described the following simple time-memory tradeoff attack on additive synchronous stream ciphers, referred to as the BG attack.

Define a function $f : \{0,1\}^n \to \{0,1\}^n$ to map each state $s_h \in \{0,1\}^n$ to the first $n$ bits of the keystream produced by function $F$ from state $s_h$:

$$f(s_h) = (F(s_h), F(s_{h+1}), \dots, F(s_{h+n-1})) = (z_h, z_{h+1}, \dots, z_{h+n-1}).$$

It is assumed that $f$ is a random one-way function, which is not necessarily injective.

The attacker obtains the ciphertext and, as it is a known plaintext attack, there is a segment of the ciphertext for which she knows the plaintext. She computes a keystream segment as

$$z_h = p_h \oplus c_h$$
$$z_{h+1} = p_{h+1} \oplus c_{h+1}$$
$$\vdots$$

If the attacker is able to invert the function $f$ for any one of the keystream segments of length $n$ that she has available, then she can decrypt the ciphertext that follows. Once she has one internal state $s_h$, she can compute the successive states using the known function $g$ and use them to generate the rest of the keystream with $F$. Notice that in this attack, it is not her goal to find the key $K$, because she does not need it for decryption. However, for stream ciphers with $g$ and $g_0$ invertible, she can compute $K$ if she knows the number of iterations of $g$ applied thus far.

In the precomputation phase, the attacker randomly chooses distinct points from the space of states {1,, } and denotes them $SP_i$ for i {1,, }. She computes $EP_i := f(SP_i)$. She saves the pairs $(SP_i, EP_i)$ for i = 1,, sorted by $EP_i$ in random access memory as in the previously described attacks.

In the attack phase, the attacker obtains a segment of the keystream, which is $D + n - 1$ bits long. $D$ denotes the amount of data available during the attack (the $n - 1$ is neglected). There are $D$ partially overlapping subsegments of length $n$ of
the obtained segment. Denote the subsegments $Z_1, \dots, Z_D$. The attacker checks whether $Z_1 = EP_i$ for some i {1,, }. If so, then she uses the corresponding internal state $SP_i$ to generate more of the keystream and verifies whether a false alarm has occurred or whether $SP_i$ is the real internal state. If $Z_1$ fails to produce the internal state, the attacker tries $Z_2$, then $Z_3$, etc.

The amount of memory used $M$ is the number of $(SP_i, EP_i)$ pairs, which is . In order for the attack to be successful, at least one of the $D$ subsegments $Z_j$ must collide with one of the $M$ values of $EP_i$. From the birthday paradox, if DM = , then the two sets intersect with the probability approximately 0.63. In the attack, $T = D$, because, in the worst case, the attacker accesses memory once for each $Z_1, \dots, Z_D$. The time-memory tradeoff curve is therefore T M = . The precomputation time is the same as the memory needed, i.e. $P = M$. The attacker may choose to not use all the data $D$, then $1 \le T \le D$.

Notice the difference between the time-memory tradeoff attack on a stream cipher and the attacks described earlier on block ciphers. The attacks on block ciphers were chosen plaintext attacks: the attacker chose one $P_0$, precomputed her tables for that $P_0$ and then she needed an encryption of $P_0$ to be able to perform the attack. It is not clear how she could use more ciphertexts in one attack to speed up the attack or increase its probability of success. The attack on stream ciphers is unlike this. It is a known plaintext attack, which is stronger. The precomputation is done without the use of any fixed $P_0$. The precomputed values depend only on functions $g$ and $F$, which are constant for a specific stream cipher. Once she has the precomputed data, she can use it to attack encryptions of various plaintexts. More importantly, she can use more data in one attack to raise her probability of success. It seems that the construction of stream ciphers makes them more vulnerable against time-memory tradeoff attacks.

3.2 Biryukov and Shamir's attack

Alex Biryukov and Adi Shamir [6] proposed an improved time-memory tradeoff attack on stream ciphers. Essentially, they combined Hellman's idea with the BG attack. In Biryukov and Shamir's attack, there is also the function $f : \{0,1\}^n \to \{0,1\}^n$, which maps the stream cipher internal state $s_h$ to the first $n$ bits of the keystream generated from that state by $F$. As in the BG attack, the attacker has $D + n - 1$ consecutive bits of the keystream and her goal is to invert function $f$ on any of the $D$ segments of $n$ bits.

The attack uses tables of iterations of $f$ as in Hellman's attack. Define

$$f_l(s) := R_l(f(s)), \quad s \in \{0,1\}^n,$$

where $R_l : \{0,1\}^n \to \{0,1\}^n$ is a simple bijection. Note that $f_l$ is not necessarily a bijection, because $f$ is not injective. In each table, a different function $f_l$ is used.

The precomputation and attack phase are exactly as described by Hellman, with one exception. During the attack phase, the attacker has $D$ keystream segments, whereas in the original attack on block ciphers there is only one ciphertext
$C_0$. The attacker executes the attack phase on each of $Z_1, \dots, Z_D$, unless she succeeds.

For Biryukov and Shamir's attack to be successful, one of $Z_1, \dots, Z_D$ must be present in one of the tables without the first column. Therefore, the coverage of the tables without the first column can be reduced from to /D. This is from the birthday paradox. The set $\{Z_1, \dots, Z_D\}$ and the set of all but first column entries in the tables are both subsets of {1,, } and the latter is chosen uniformly at random. In order for the two sets to intersect with probability approximately 0.63, the product of their cardinalities must be . We have D D = . Therefore, the coverage should be /D.

From Hellman, we know that t tables of size (t + 1) for , t such that t 2 = , are optimal for the coverage of points. To achieve a coverage of /D points, fewer tables or smaller tables may be used. Figure 3.2 summarizes the options for reducing the coverage and shows which option reduces the required time and memory the most. The time required during the attack, $T$, is computed as the number of columns in each table minus one times the number of tables times the number of available data $D$. The amount of memory required, $M$, is computed as the product of the number of rows and the number of tables. From Figure 3.2, we see that for $D > 1$ option 3) is the best, because $T_3 = T_1 < T_2$ and $M_3 = M_2 < M_1$. The fact that 2) has worse computation time than 1) and 3) can also be seen from the observation that $f_l(Z_j)$ is one operation during the attack and reveals whether the real internal state is in one of entries of the table. For < , that one operation reveals less information.

Therefore, in Biryukov and Shamir's attack, t/D tables of size (t + 1) are precomputed, for , t such that D t and t 2 = . The random access memory needed for the attack is M = t and the computation time is D T = t 2. The precomputation time $P$ is the number of rows times the number of columns minus one times the number of tables, thus P = t t = /D. If D D t, then t D and thus D 2 T. For , t such that t 2 = and D t, the parameters $M$, $T$ and $D$ satisfy the following relationship: ( ) T M 2 D 2 = t 2 2 t 2 D 2 = 2 t 4 = 2 D 2. The authors suggested to use parameters = t = 1/3, which yields P = T = 2/3, M = D = 1/3 as a particular point on the tradeoff curve.

3.3 Time-memory tradeoff attacks on stream ciphers with sampling

Biryukov and Shamir discussed how Rivest's sampling would affect the tradeoffs in attacks on stream ciphers. Firstly, they considered the effect on the tradeoff of the BG attack. A keystream segment $Z_j \in \{0,1\}^n$ is said to be special if the first $u$ bits are zeroes, $u < n$. In order to employ special points in the BG attack, the attacker
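
The BG attack of Section 3.1, as an added example that is not code from the thesis: known plaintext gives a keystream segment, each of its $D$ windows of $n$ bits is looked up in a precomputed table of $(SP_i, f(SP_i))$ pairs, false alarms are rejected by regenerating the observed keystream, and the recovered state decrypts what follows. The toy cipher (a 16-bit LFSR with a nonlinear filter standing in for $g$ and $F$), the table size and all function names are assumptions made here.

```python
import random

N_BITS = 16                       # toy state size n; 2**16 internal states (assumed)

def g(s):
    """Next-state function: 16-bit Fibonacci LFSR with taps 16, 14, 13, 11."""
    bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
    return (s >> 1) | (bit << 15)

def F(s):
    """Keystream function: toy nonlinear filter over four state bits."""
    a, b, c, d = s & 1, (s >> 4) & 1, (s >> 9) & 1, (s >> 13) & 1
    return (a & b) ^ (b & c) ^ (a & c) ^ d

def keystream(s, length):
    """z_h, z_{h+1}, ... generated from state s."""
    out = []
    for _ in range(length):
        out.append(F(s))
        s = g(s)
    return out

def pack(bits):
    """Pack a bit list into an integer, earliest bit first."""
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v

def f(s):
    """f(s_h) = (z_h, ..., z_{h+n-1}), packed into an integer."""
    return pack(keystream(s, N_BITS))

def precompute(start_points):
    """Table of (SP_i, EP_i = f(SP_i)), indexed by EP_i."""
    table = {}
    for sp in start_points:
        table.setdefault(f(sp), []).append(sp)
    return table

def recover_keystream(plain_bits, cipher_bits):
    """Known-plaintext step: over Z_2 the keystream is plaintext XOR ciphertext."""
    return [p ^ c for p, c in zip(plain_bits, cipher_bits)]

def bg_attack(z, table):
    """Try Z_1, ..., Z_D in order; return (offset h, state s_h) or None."""
    D = len(z) - N_BITS + 1
    mask = (1 << N_BITS) - 1
    window = pack(z[:N_BITS])
    for h in range(D):
        for sp in table.get(window, ()):
            # Regenerate everything observed from offset h to reject false alarms.
            if keystream(sp, len(z) - h) == z[h:]:
                return h, sp
        if h + N_BITS < len(z):
            window = ((window << 1) | z[h + N_BITS]) & mask
    return None

def decrypt_from(h, state, cipher_bits):
    """Decrypt cipher_bits[h:] with the keystream regenerated from the recovered state."""
    ks = keystream(state, len(cipher_bits) - h)
    return [c ^ k for c, k in zip(cipher_bits[h:], ks)]

def hit_rate(D, M, trials, seed=1):
    """Fraction of random initial states for which a random M-entry table
    inverts one of the D windows (about 0.63 is expected when D*M = 2**n)."""
    rng = random.Random(seed)
    table = precompute(rng.sample(range(1, 1 << N_BITS), M))
    hits = 0
    for _ in range(trials):
        s0 = rng.randrange(1, 1 << N_BITS)
        hits += bg_attack(keystream(s0, D + N_BITS - 1), table) is not None
    return hits / trials

if __name__ == "__main__":
    print("hit rate with D*M = 2**n:", hit_rate(D=64, M=1024, trials=200))
```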


Parallel stream cipher for secure high-speed communications Signal Processing 82 (2002 259 265 www.elsevier.co/locate/sigpro Parallel strea cipher for secure high-speed counications Hoonjae Lee a;, Sangjae Moon b a Departent of Coputer Engineering, Kyungwoon University,

More information

A Note on Scheduling Tall/Small Multiprocessor Tasks with Unit Processing Time to Minimize Maximum Tardiness

A Note on Scheduling Tall/Small Multiprocessor Tasks with Unit Processing Time to Minimize Maximum Tardiness A Note on Scheduling Tall/Sall Multiprocessor Tasks with Unit Processing Tie to Miniize Maxiu Tardiness Philippe Baptiste and Baruch Schieber IBM T.J. Watson Research Center P.O. Box 218, Yorktown Heights,

More information

3.8 Three Types of Convergence

3.8 Three Types of Convergence 3.8 Three Types of Convergence 3.8 Three Types of Convergence 93 Suppose that we are given a sequence functions {f k } k N on a set X and another function f on X. What does it ean for f k to converge to

More information

arxiv: v3 [cs.ds] 22 Mar 2016

arxiv: v3 [cs.ds] 22 Mar 2016 A Shifting Bloo Filter Fraewor for Set Queries arxiv:1510.03019v3 [cs.ds] Mar 01 ABSTRACT Tong Yang Peing University, China yangtongeail@gail.co Yuanun Zhong Nanjing University, China un@sail.nju.edu.cn

More information

A Better Algorithm For an Ancient Scheduling Problem. David R. Karger Steven J. Phillips Eric Torng. Department of Computer Science

A Better Algorithm For an Ancient Scheduling Problem. David R. Karger Steven J. Phillips Eric Torng. Department of Computer Science A Better Algorith For an Ancient Scheduling Proble David R. Karger Steven J. Phillips Eric Torng Departent of Coputer Science Stanford University Stanford, CA 9435-4 Abstract One of the oldest and siplest

More information

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques Article An Attack Bound for Sall Multiplicative Inverse of ϕn) od e with a Coposed Prie Su p + q Using Sublattice Based Techniques Pratha Anuradha Kaeswari * and Labadi Jyotsna Departent of Matheatics,

More information

Solutions of some selected problems of Homework 4

Solutions of some selected problems of Homework 4 Solutions of soe selected probles of Hoework 4 Sangchul Lee May 7, 2018 Proble 1 Let there be light A professor has two light bulbs in his garage. When both are burned out, they are replaced, and the next

More information

arxiv: v2 [math.co] 3 Dec 2008

arxiv: v2 [math.co] 3 Dec 2008 arxiv:0805.2814v2 [ath.co] 3 Dec 2008 Connectivity of the Unifor Rando Intersection Graph Sion R. Blacburn and Stefanie Gere Departent of Matheatics Royal Holloway, University of London Egha, Surrey TW20

More information

Support Vector Machine Classification of Uncertain and Imbalanced data using Robust Optimization

Support Vector Machine Classification of Uncertain and Imbalanced data using Robust Optimization Recent Researches in Coputer Science Support Vector Machine Classification of Uncertain and Ibalanced data using Robust Optiization RAGHAV PAT, THEODORE B. TRAFALIS, KASH BARKER School of Industrial Engineering

More information

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS A Thesis Presented to The Faculty of the Departent of Matheatics San Jose State University In Partial Fulfillent of the Requireents

More information

1 Proof of learning bounds

1 Proof of learning bounds COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #4 Scribe: Akshay Mittal February 13, 2013 1 Proof of learning bounds For intuition of the following theore, suppose there exists a

More information

Fixed-to-Variable Length Distribution Matching

Fixed-to-Variable Length Distribution Matching Fixed-to-Variable Length Distribution Matching Rana Ali Ajad and Georg Böcherer Institute for Counications Engineering Technische Universität München, Gerany Eail: raa2463@gail.co,georg.boecherer@tu.de

More information

On random Boolean threshold networks

On random Boolean threshold networks On rando Boolean threshold networs Reinhard Hecel, Steffen Schober and Martin Bossert Institute of Telecounications and Applied Inforation Theory Ul University Albert-Einstein-Allee 43, 89081Ul, Gerany

More information

The Wilson Model of Cortical Neurons Richard B. Wells

The Wilson Model of Cortical Neurons Richard B. Wells The Wilson Model of Cortical Neurons Richard B. Wells I. Refineents on the odgkin-uxley Model The years since odgkin s and uxley s pioneering work have produced a nuber of derivative odgkin-uxley-like

More information

Ph 20.3 Numerical Solution of Ordinary Differential Equations

Ph 20.3 Numerical Solution of Ordinary Differential Equations Ph 20.3 Nuerical Solution of Ordinary Differential Equations Due: Week 5 -v20170314- This Assignent So far, your assignents have tried to failiarize you with the hardware and software in the Physics Coputing

More information

arxiv:math/ v1 [math.co] 22 Jul 2005

arxiv:math/ v1 [math.co] 22 Jul 2005 Distances between the winning nubers in Lottery Konstantinos Drakakis arxiv:ath/0507469v1 [ath.co] 22 Jul 2005 16 March 2005 Abstract We prove an interesting fact about Lottery: the winning 6 nubers (out

More information

National 5 Summary Notes

National 5 Summary Notes North Berwick High School Departent of Physics National 5 Suary Notes Unit 3 Energy National 5 Physics: Electricity and Energy 1 Throughout the Course, appropriate attention should be given to units, prefixes

More information

Course Notes for EE227C (Spring 2018): Convex Optimization and Approximation

Course Notes for EE227C (Spring 2018): Convex Optimization and Approximation Course Notes for EE227C (Spring 2018): Convex Optiization and Approxiation Instructor: Moritz Hardt Eail: hardt+ee227c@berkeley.edu Graduate Instructor: Max Sichowitz Eail: sichow+ee227c@berkeley.edu October

More information

Goals of Cryptography. Definition of a Cryptosystem. Security Kerckhoff's Requirements

Goals of Cryptography. Definition of a Cryptosystem. Security Kerckhoff's Requirements Goals of Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network Transport Layer Chapter 4: Security

More information

Algorithms for parallel processor scheduling with distinct due windows and unit-time jobs

Algorithms for parallel processor scheduling with distinct due windows and unit-time jobs BULLETIN OF THE POLISH ACADEMY OF SCIENCES TECHNICAL SCIENCES Vol. 57, No. 3, 2009 Algoriths for parallel processor scheduling with distinct due windows and unit-tie obs A. JANIAK 1, W.A. JANIAK 2, and

More information

When Short Runs Beat Long Runs

When Short Runs Beat Long Runs When Short Runs Beat Long Runs Sean Luke George Mason University http://www.cs.gu.edu/ sean/ Abstract What will yield the best results: doing one run n generations long or doing runs n/ generations long

More information

Randomized Recovery for Boolean Compressed Sensing

Randomized Recovery for Boolean Compressed Sensing Randoized Recovery for Boolean Copressed Sensing Mitra Fatei and Martin Vetterli Laboratory of Audiovisual Counication École Polytechnique Fédéral de Lausanne (EPFL) Eail: {itra.fatei, artin.vetterli}@epfl.ch

More information

s = (Y Q Y P)/(X Q - X P)

s = (Y Q Y P)/(X Q - X P) Elliptic Curves and their Applications in Cryptography Preeti Shara M.Tech Student Mody University of Science and Technology, Lakshangarh Abstract This paper gives an introduction to elliptic curves. The

More information

Testing equality of variances for multiple univariate normal populations

Testing equality of variances for multiple univariate normal populations University of Wollongong Research Online Centre for Statistical & Survey Methodology Working Paper Series Faculty of Engineering and Inforation Sciences 0 esting equality of variances for ultiple univariate

More information

Soft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis

Soft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis Soft Coputing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis Beverly Rivera 1,2, Irbis Gallegos 1, and Vladik Kreinovich 2 1 Regional Cyber and Energy Security Center RCES

More information

CS Lecture 13. More Maximum Likelihood

CS Lecture 13. More Maximum Likelihood CS 6347 Lecture 13 More Maxiu Likelihood Recap Last tie: Introduction to axiu likelihood estiation MLE for Bayesian networks Optial CPTs correspond to epirical counts Today: MLE for CRFs 2 Maxiu Likelihood

More information

(t, m, s)-nets and Maximized Minimum Distance, Part II

(t, m, s)-nets and Maximized Minimum Distance, Part II (t,, s)-nets and Maxiized Miniu Distance, Part II Leonhard Grünschloß and Alexander Keller Abstract The quality paraeter t of (t,, s)-nets controls extensive stratification properties of the generated

More information

1 Bounding the Margin

1 Bounding the Margin COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #12 Scribe: Jian Min Si March 14, 2013 1 Bounding the Margin We are continuing the proof of a bound on the generalization error of AdaBoost

More information

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval Unifor Approxiation and Bernstein Polynoials with Coefficients in the Unit Interval Weiang Qian and Marc D. Riedel Electrical and Coputer Engineering, University of Minnesota 200 Union St. S.E. Minneapolis,

More information

List Scheduling and LPT Oliver Braun (09/05/2017)

List Scheduling and LPT Oliver Braun (09/05/2017) List Scheduling and LPT Oliver Braun (09/05/207) We investigate the classical scheduling proble P ax where a set of n independent jobs has to be processed on 2 parallel and identical processors (achines)

More information

Divisibility of Polynomials over Finite Fields and Combinatorial Applications

Divisibility of Polynomials over Finite Fields and Combinatorial Applications Designs, Codes and Cryptography anuscript No. (will be inserted by the editor) Divisibility of Polynoials over Finite Fields and Cobinatorial Applications Daniel Panario Olga Sosnovski Brett Stevens Qiang

More information

Measures of average are called measures of central tendency and include the mean, median, mode, and midrange.

Measures of average are called measures of central tendency and include the mean, median, mode, and midrange. CHAPTER 3 Data Description Objectives Suarize data using easures of central tendency, such as the ean, edian, ode, and idrange. Describe data using the easures of variation, such as the range, variance,

More information

Upper bound on false alarm rate for landmine detection and classification using syntactic pattern recognition

Upper bound on false alarm rate for landmine detection and classification using syntactic pattern recognition Upper bound on false alar rate for landine detection and classification using syntactic pattern recognition Ahed O. Nasif, Brian L. Mark, Kenneth J. Hintz, and Nathalia Peixoto Dept. of Electrical and

More information

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40 On Poset Merging Peter Chen Guoli Ding Steve Seiden Abstract We consider the follow poset erging proble: Let X and Y be two subsets of a partially ordered set S. Given coplete inforation about the ordering

More information

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines Intelligent Systes: Reasoning and Recognition Jaes L. Crowley osig 1 Winter Seester 2018 Lesson 6 27 February 2018 Outline Perceptrons and Support Vector achines Notation...2 Linear odels...3 Lines, Planes

More information

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions Linear recurrences and asyptotic behavior of exponential sus of syetric boolean functions Francis N. Castro Departent of Matheatics University of Puerto Rico, San Juan, PR 00931 francis.castro@upr.edu

More information

Estimation of the Mean of the Exponential Distribution Using Maximum Ranked Set Sampling with Unequal Samples

Estimation of the Mean of the Exponential Distribution Using Maximum Ranked Set Sampling with Unequal Samples Open Journal of Statistics, 4, 4, 64-649 Published Online Septeber 4 in SciRes http//wwwscirporg/ournal/os http//ddoiorg/436/os4486 Estiation of the Mean of the Eponential Distribution Using Maiu Ranked

More information

A Note on the Applied Use of MDL Approximations

A Note on the Applied Use of MDL Approximations A Note on the Applied Use of MDL Approxiations Daniel J. Navarro Departent of Psychology Ohio State University Abstract An applied proble is discussed in which two nested psychological odels of retention

More information

Kinematics and dynamics, a computational approach

Kinematics and dynamics, a computational approach Kineatics and dynaics, a coputational approach We begin the discussion of nuerical approaches to echanics with the definition for the velocity r r ( t t) r ( t) v( t) li li or r( t t) r( t) v( t) t for

More information

I. Understand get a conceptual grasp of the problem

I. Understand get a conceptual grasp of the problem MASSACHUSETTS INSTITUTE OF TECHNOLOGY Departent o Physics Physics 81T Fall Ter 4 Class Proble 1: Solution Proble 1 A car is driving at a constant but unknown velocity,, on a straightaway A otorcycle is

More information

Chaotic Coupled Map Lattices

Chaotic Coupled Map Lattices Chaotic Coupled Map Lattices Author: Dustin Keys Advisors: Dr. Robert Indik, Dr. Kevin Lin 1 Introduction When a syste of chaotic aps is coupled in a way that allows the to share inforation about each

More information

SPECTRUM sensing is a core concept of cognitive radio

SPECTRUM sensing is a core concept of cognitive radio World Acadey of Science, Engineering and Technology International Journal of Electronics and Counication Engineering Vol:6, o:2, 202 Efficient Detection Using Sequential Probability Ratio Test in Mobile

More information

On a few Iterative Methods for Solving Nonlinear Equations

On a few Iterative Methods for Solving Nonlinear Equations On a few Iterative Methods for Solving Nonlinear Equations Gyurhan Nedzhibov Laboratory of Matheatical Modelling, Shuen University, Shuen 971, Bulgaria e-ail: gyurhan@shu-bg.net Abstract In this study

More information

A1. Find all ordered pairs (a, b) of positive integers for which 1 a + 1 b = 3

A1. Find all ordered pairs (a, b) of positive integers for which 1 a + 1 b = 3 A. Find all ordered pairs a, b) of positive integers for which a + b = 3 08. Answer. The six ordered pairs are 009, 08), 08, 009), 009 337, 674) = 35043, 674), 009 346, 673) = 3584, 673), 674, 009 337)

More information

lecture 36: Linear Multistep Mehods: Zero Stability

lecture 36: Linear Multistep Mehods: Zero Stability 95 lecture 36: Linear Multistep Mehods: Zero Stability 5.6 Linear ultistep ethods: zero stability Does consistency iply convergence for linear ultistep ethods? This is always the case for one-step ethods,

More information

Compression and Predictive Distributions for Large Alphabet i.i.d and Markov models

Compression and Predictive Distributions for Large Alphabet i.i.d and Markov models 2014 IEEE International Syposiu on Inforation Theory Copression and Predictive Distributions for Large Alphabet i.i.d and Markov odels Xiao Yang Departent of Statistics Yale University New Haven, CT, 06511

More information

PHY 171. Lecture 14. (February 16, 2012)

PHY 171. Lecture 14. (February 16, 2012) PHY 171 Lecture 14 (February 16, 212) In the last lecture, we looked at a quantitative connection between acroscopic and icroscopic quantities by deriving an expression for pressure based on the assuptions

More information

Convex Programming for Scheduling Unrelated Parallel Machines

Convex Programming for Scheduling Unrelated Parallel Machines Convex Prograing for Scheduling Unrelated Parallel Machines Yossi Azar Air Epstein Abstract We consider the classical proble of scheduling parallel unrelated achines. Each job is to be processed by exactly

More information

Reed-Muller Codes. m r inductive definition. Later, we shall explain how to construct Reed-Muller codes using the Kronecker product.

Reed-Muller Codes. m r inductive definition. Later, we shall explain how to construct Reed-Muller codes using the Kronecker product. Coding Theory Massoud Malek Reed-Muller Codes An iportant class of linear block codes rich in algebraic and geoetric structure is the class of Reed-Muller codes, which includes the Extended Haing code.

More information

ma x = -bv x + F rod.

ma x = -bv x + F rod. Notes on Dynaical Systes Dynaics is the study of change. The priary ingredients of a dynaical syste are its state and its rule of change (also soeties called the dynaic). Dynaical systes can be continuous

More information

A Self-Organizing Model for Logical Regression Jerry Farlow 1 University of Maine. (1900 words)

A Self-Organizing Model for Logical Regression Jerry Farlow 1 University of Maine. (1900 words) 1 A Self-Organizing Model for Logical Regression Jerry Farlow 1 University of Maine (1900 words) Contact: Jerry Farlow Dept of Matheatics Univeristy of Maine Orono, ME 04469 Tel (07) 866-3540 Eail: farlow@ath.uaine.edu

More information

Bloom Filters. filters: A survey, Internet Mathematics, vol. 1 no. 4, pp , 2004.

Bloom Filters. filters: A survey, Internet Mathematics, vol. 1 no. 4, pp , 2004. Bloo Filters References A. Broder and M. Mitzenacher, Network applications of Bloo filters: A survey, Internet Matheatics, vol. 1 no. 4, pp. 485-509, 2004. Li Fan, Pei Cao, Jussara Aleida, Andrei Broder,

More information

Interactive Markov Models of Evolutionary Algorithms

Interactive Markov Models of Evolutionary Algorithms Cleveland State University EngagedScholarship@CSU Electrical Engineering & Coputer Science Faculty Publications Electrical Engineering & Coputer Science Departent 2015 Interactive Markov Models of Evolutionary

More information

Ocean 420 Physical Processes in the Ocean Project 1: Hydrostatic Balance, Advection and Diffusion Answers

Ocean 420 Physical Processes in the Ocean Project 1: Hydrostatic Balance, Advection and Diffusion Answers Ocean 40 Physical Processes in the Ocean Project 1: Hydrostatic Balance, Advection and Diffusion Answers 1. Hydrostatic Balance a) Set all of the levels on one of the coluns to the lowest possible density.

More information

arxiv: v1 [math.na] 10 Oct 2016

arxiv: v1 [math.na] 10 Oct 2016 GREEDY GAUSS-NEWTON ALGORITHM FOR FINDING SPARSE SOLUTIONS TO NONLINEAR UNDERDETERMINED SYSTEMS OF EQUATIONS MÅRTEN GULLIKSSON AND ANNA OLEYNIK arxiv:6.395v [ath.na] Oct 26 Abstract. We consider the proble

More information

1 Generalization bounds based on Rademacher complexity

1 Generalization bounds based on Rademacher complexity COS 5: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #0 Scribe: Suqi Liu March 07, 08 Last tie we started proving this very general result about how quickly the epirical average converges

More information

A Generalized Permanent Estimator and its Application in Computing Multi- Homogeneous Bézout Number

A Generalized Permanent Estimator and its Application in Computing Multi- Homogeneous Bézout Number Research Journal of Applied Sciences, Engineering and Technology 4(23): 5206-52, 202 ISSN: 2040-7467 Maxwell Scientific Organization, 202 Subitted: April 25, 202 Accepted: May 3, 202 Published: Deceber

More information

Lecture 21 Principle of Inclusion and Exclusion

Lecture 21 Principle of Inclusion and Exclusion Lecture 21 Principle of Inclusion and Exclusion Holden Lee and Yoni Miller 5/6/11 1 Introduction and first exaples We start off with an exaple Exaple 11: At Sunnydale High School there are 28 students

More information

Stochastic Subgradient Methods

Stochastic Subgradient Methods Stochastic Subgradient Methods Lingjie Weng Yutian Chen Bren School of Inforation and Coputer Science University of California, Irvine {wengl, yutianc}@ics.uci.edu Abstract Stochastic subgradient ethods

More information

26 Impulse and Momentum

26 Impulse and Momentum 6 Ipulse and Moentu First, a Few More Words on Work and Energy, for Coparison Purposes Iagine a gigantic air hockey table with a whole bunch of pucks of various asses, none of which experiences any friction

More information

New upper bound for the B-spline basis condition number II. K. Scherer. Institut fur Angewandte Mathematik, Universitat Bonn, Bonn, Germany.

New upper bound for the B-spline basis condition number II. K. Scherer. Institut fur Angewandte Mathematik, Universitat Bonn, Bonn, Germany. New upper bound for the B-spline basis condition nuber II. A proof of de Boor's 2 -conjecture K. Scherer Institut fur Angewandte Matheati, Universitat Bonn, 535 Bonn, Gerany and A. Yu. Shadrin Coputing

More information

Lesson 24: Newton's Second Law (Motion)

Lesson 24: Newton's Second Law (Motion) Lesson 24: Newton's Second Law (Motion) To really appreciate Newton s Laws, it soeties helps to see how they build on each other. The First Law describes what will happen if there is no net force. The

More information