
In the real world, when an encryption chain is generated, bad things can happen. One bad thing occurs when a chain overlaps with itself, forming a cycle. Another bad thing occurs when two chains merge into a single chain. Both merging and cycling chains are illustrated in Figure 6.9.

Suppose we execute a TMTO attack beginning from $C$ in Figure 6.9. Then following the algorithm described in the previous section, we eventually arrive at the endpoint $EP$. We then go to $SP$ to reconstruct the chain that we expect to lead us to the key $K$. However, in this case, we won’t find $K$ since $C$ is not on the $(SP, EP)$ chain, even though we arrived at $EP$ from $C$. We’ll refer to this as a false alarm.

To decrease the number of false alarms, we must decrease the number of cycling and merging chains. In order to accomplish this, a “random function” $F$ is used and a chain is computed as

$$\begin{aligned}
K_0 &= SP \\
K_1 &= F(E(P, SP)) \\
K_2 &= F(E(P, K_1)) \\
K_3 &= F(E(P, K_2)) \\
&\;\;\vdots \\
K_{t-1} &= EP = F(E(P, K_{t-2})).
\end{aligned}$$

When $n = k$, we can choose $F$ to be a permutation. We’ll need a large supply of functions $F$, and, fortunately, there is no shortage of permutations.

The advantage of these random functions can be seen in Figure 6.10. Without the use of these functions (or if the same function was used on both chains), once the chains collide, they will necessarily merge into a single chain. By using different functions $F_0$ and $F_1$, the chains almost certainly will not merge.

We’ll choose $r$ different functions $F_i$, and for each of these we’ll construct $m$ chains, each with a randomly selected starting point. As above, each chain is of length $t$. The set of chains that correspond to a specific function is known as a table. To summarize, we have

$r$ = number of tables

$m$ = number of chains in each table

$t$ = length of each chain.

Figure 6.10. Preventing merging chains.

The cryptanalytic TMTO precomputation will effectively cover some percentage of the key space with chains. The resulting TMTO attack will find any key that lies within some chain, but a key that doesn’t appear within any chain can’t be found with the TMTO attack. The attack is therefore probabilistic and the objective is to maximize the probability of success for a given amount of work.

When the key length $k$ is equal to the cipher block length $n$, the algorithm for precomputing $r$ tables of chains, each table having $m$ chains, with each chain of length $t$, is given in Table 6.12.

The findChains( ) algorithm in Table 6.12 finds $rm$ chains, each of length $t$ and hence covers at most $rmt$ possible keys. If the desired key $K$ is within some chain, it will be found by the attack given in Tables 6.13 and 6.14, below.

Table 6.12. Algorithm to compute chains.

    // Find (SP_{i,j}, EP_{i,j}), i = 0,1,...,r-1 and j = 0,1,...,m-1
    findChains( )
        for i = 0 to r-1
            Choose a random function F_i
            // Generate table i
            for j = 0 to m-1
                Generate a random starting point SP_{i,j}
                K_0 = SP_{i,j}
                for ℓ = 1 to t-1
                    K_ℓ = F_i(E(P, K_{ℓ-1}))
                next ℓ
                EP_{i,j} = K_{t-1}
            next j
        next i
    end findChains

HELLMAN’S TIME-MEMORY TRADE-OFF 141

Table 6.13. Algorithm to find an endpoint.

    // Search for an EP
    findEP( )
        for i = 0 to r-1
            Y = F_i(C)
            for j = 1 to t
                for ℓ = 0 to m-1
                    if Y == EP_{i,ℓ} then
                        found = findKey(i, ℓ, j)
                        if not found
                            false alarm
                        else // found = K
                            return(found)
                        end if
                    end if
                next ℓ
                Y = F_i(E(P, Y))
            next j
        next i
        return(key not found)
    end findEP

In an ideal world, all of the $rmt$ chain elements would be distinct, in which case the chance of finding a randomly selected key would be $rmt/2^k$. Below, we’ll see that the real world is not so kind to Trudy.

For efficient searching, the pairs $(SP_{i,j}, EP_{i,j})$, $j = 0, 1, \ldots, m-1$, should be sorted by endpoints. The algorithm for finding a matching endpoint appears in Table 6.13. The function findKey( ) referenced in Table 6.13 is given in Table 6.14. Note that $t$ is the length of each chain.

Table 6.14. Algorithm to find the key.

    // Is key K at position t-j-1 in chain ℓ of table i?
    findKey(i, ℓ, j)
        Y = SP_{i,ℓ}
        for q = 1 to t-j-1
            Y = F_i(E(P, Y))
        next q
        K = Y
        if C = E(P, K)
            return(K)
        else // false alarm
            return(not found)
        end if
    end findKey
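The three algorithms in Tables 6.12 to 6.14, as an added Python example that is not code from the book. It assumes a toy size of k = n = 16 bits, a hash-based stand-in for E, and affine maps as the permutations F_i; the names find_chains, find_key, find_ep and make_F are chosen here. Each table maps an endpoint to a list of starting points, so merged chains that share an endpoint are all tried and each failed try is counted as a false alarm.

```python
import hashlib, random

MASK, P = 0xFFFF, 0x1234      # toy size k = n = 16 bits; P is a constructed known plaintext
R, M, T = 32, 32, 32          # r tables, m chains per table, chain length t

def E(p, key):
    """Hash-based stand-in for the cipher; the TMTO only uses the map K -> E(P, K)."""
    d = hashlib.sha256(key.to_bytes(2, "big") + p.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")

def make_F(rng):              # one "random function" F_i: an affine permutation
    a, b = rng.randrange(1, MASK + 1, 2), rng.randrange(MASK + 1)   # a is odd
    return lambda x: (a * x + b) & MASK

def find_chains(seed=1):
    """Table 6.12: r tables, each a dict endpoint -> list of starting points."""
    rng, tables = random.Random(seed), []
    for _ in range(R):
        F, table = make_F(rng), {}
        for _ in range(M):
            sp = k = rng.randrange(MASK + 1)
            for _ in range(T - 1):
                k = F(E(P, k))
            table.setdefault(k, []).append(sp)   # merged chains share one endpoint
        tables.append((F, table))
    return tables

def find_key(F, sp, j, c):
    """Table 6.14: walk t - j - 1 steps from SP, then verify the candidate against C."""
    for _ in range(T - j - 1):
        sp = F(E(P, sp))
    return sp if E(P, sp) == c else None

def find_ep(tables, c):
    """Table 6.13: returns (key or None, number of false alarms seen)."""
    false_alarms = 0
    for F, table in tables:
        y = F(c)
        for j in range(1, T + 1):
            for sp in table.get(y, ()):
                key = find_key(F, sp, j, c)
                if key is not None:
                    return key, false_alarms
                false_alarms += 1
            y = F(E(P, y))
    return None, false_alarms

if __name__ == "__main__":
    tables, rng = find_chains(), random.Random(2)
    runs = [find_ep(tables, E(P, rng.randrange(MASK + 1))) for _ in range(200)]
    print(sum(k is not None for k, _ in runs), "of 200 found;", sum(f for _, f in runs), "false alarms")
```

Run as a script, it attacks 200 constructed random keys and reports how many were covered by some chain and how many false alarms occurred along the way.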

If the block length is not equal to the key length, that is, $k \neq n$, then we can’t directly use ciphertext as a key for the next element in a chain. Fortunately, this situation only requires a slight modification to the algorithms above.

For concreteness, consider DES, which has a key length of $k = 56$ and a block size of $n = 64$. The only change required to the algorithms above is to modify the functions $F_i$. In this case, $F_i$ cannot be a permutation, but we can take each $F_i$ to be a truncated permutation of the form

$$F_i(x_0, x_1, \ldots, x_{63}) = (x_{i_0}, x_{i_1}, \ldots, x_{i_{55}})$$

where the indices $i_j$, $j = 0, 1, \ldots, 55$, are distinct elements of $\{0, 1, \ldots, 63\}$. The attack then proceeds as described above.

If $k > n$, then we require $k/n$ matching plaintext, ciphertext pairs in order to uniquely determine the key. This is easy to arrange by redefining the functions $F_i$ to handle multiple ciphertext blocks and, if required, truncating the permutation as described in the previous paragraph.

One interesting variation on Hellman’s TMTO employs “distinguished points” [31]. This variant does not use fixed-length chains; instead, a chain is constructed until a point with some distinguishing characteristic is found. For example, we could choose to construct each chain until we obtain an output of the form

$$(x_0, x_1, \ldots, x_{s-1}, \underbrace{0, 0, \ldots, 0}_{n-s}).$$

Then each chain will, on average, be of length $2^{n-s}$. In practice, we would set a limit on the maximum length of a chain and reject any that exceed the limit.

Using distinguished points, the precomputation is similar to the standard case described above, except that we now retain triples

$$(SP_j, EP_j, j) \quad \text{for } j = 0, 1, 2, \ldots, rm \qquad (6.30)$$

where j is the length of chain j. We must also keep track of the maximum length of any chain within table $i$, which we denote by $M_i$, for $i = 0, 1, \ldots, r-1$.

The primary advantage to distinguished points is that it allows for a more efficient distributed version of the TMTO attack. Suppose $r$ computers are available. Then each computer can search one of the $r$ tables of chains. In this scenario, a server only needs to send computer $i$ the function $F_i$ along with the ciphertext $C$ and $M_i$ as well as the definition of a distinguished point. In particular, the triples in equation 6.30 do not need to be transmitted to any of the $r$ computers, which saves considerable bandwidth.

Computer $i$ proceeds with the attack as described above; however, instead of looking for a matching $EP_j$ at each step, it simply looks for a distinguished point. If such a point is found within $M_i$ iterations, the distinguished point is returned to the server, which then checks to see whether it matches an actual endpoint in table $i$. If so, the server attempts to recover $K$ as in the previous case.
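The distributed search with distinguished points, as an added Python example that is not code from the book. It assumes a 16-bit toy setting with a hash-based stand-in for E, s = 11, an affine permutation for F_i, and a server that rebuilds the whole matched chain because the position of K within it is not known in advance; build_table, worker and server_recover are names chosen here.

```python
import hashlib, random

N, S = 16, 11                 # n-bit points; a distinguished point has n - s = 5 zero low bits
MASK, LIMIT = (1 << N) - 1, 256   # LIMIT: maximum chain length, longer chains are rejected
P = 0x1234                    # known plaintext (constructed)

def E(p, key):                # hash-based stand-in for the cipher (assumption)
    d = hashlib.sha256(key.to_bytes(2, "big") + p.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")

def is_dp(x):
    return (x & ((1 << (N - S)) - 1)) == 0

def build_table(seed, m=64):
    """Server side: one table of m chains, stored as EP -> (SP, length), plus M_i."""
    rng = random.Random(seed)
    a, b = rng.randrange(1, MASK + 1, 2), rng.randrange(MASK + 1)
    F = lambda x: (a * x + b) & MASK          # F_i, an affine permutation
    table = {}
    while len(table) < m:
        sp = k = rng.randrange(MASK + 1)
        for length in range(2, LIMIT + 1):    # length counts points, SP included
            k = F(E(P, k))
            if is_dp(k):
                table.setdefault(k, (sp, length))
                break
    return F, table, max(length for _, length in table.values())

def worker(F, c, max_len):
    """Computer i: holds only F_i, C, M_i and the DP rule; returns a DP or None."""
    y = F(c)
    for _ in range(max_len):
        if is_dp(y):
            return y
        y = F(E(P, y))
    return None

def server_recover(F, table, dp, c):
    """Server: if the DP is a stored endpoint, rebuild that chain and test each key."""
    if dp not in table:
        return None
    y, length = table[dp]
    for _ in range(length - 1):
        if E(P, y) == c:
            return y
        y = F(E(P, y))
    return None                               # false alarm
```

The worker never sees the table, which is the bandwidth saving the text describes; only the single distinguished point it returns is checked against stored endpoints.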
