time space tradeoffs for attacks against one way
play

Time space tradeoffs for attacks against one-way functions and PRGs - PowerPoint PPT Presentation

Sep 10, 2023 •43 likes •943 views

Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of California, Berkeley Joint work with Luca Trevisan - UC Berkeley and Stanford University Madhur Tulsiani - Princeton University 0 / 26 What is this

  1. Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of California, Berkeley Joint work with Luca Trevisan - UC Berkeley and Stanford University Madhur Tulsiani - Princeton University 0 / 26

  2. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? 1 / 26

  3. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . 1 / 26

  4. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . • In time t , recover key with probability better than t / 2 k . 1 / 26

  5. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . • In time t , recover key with probability better than t / 2 k . • Brute force : optimal when restricted to uniform algorithms 1 / 26

  6. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . • In time t , recover key with probability better than t / 2 k . • Brute force : optimal when restricted to uniform algorithms • Are better (non-uniform) attacks possible against: • one-way functions? • pseudo-random generators? 1 / 26

  7. Definitions of primitives • N = 2 n , [ N ] ∼ = { 0 , 1 } n . 2 / 26

  8. Definitions of primitives • N = 2 n , [ N ] ∼ = { 0 , 1 } n . • One-way function: f : [ N ] → [ N ] is ( t , ǫ ) -one way if for every algorithm A of complexity ≤ t � A f ( f ( x )) = x ′ | f ( x ′ ) = f ( x ) � Pr ≤ ǫ x ∼{ 0 , 1 } n 2 / 26

  9. Definitions of primitives • N = 2 n , [ N ] ∼ = { 0 , 1 } n . • One-way function: f : [ N ] → [ N ] is ( t , ǫ ) -one way if for every algorithm A of complexity ≤ t � A f ( f ( x )) = x ′ | f ( x ′ ) = f ( x ) � Pr ≤ ǫ x ∼{ 0 , 1 } n • PRG: G : [ N ] → [ 2 N ] is a ( t , ǫ ) -secure PRG if for every algorithm A of complexity ≤ t � � x ∼ [ N ] [ A G ( G ( x )) = 1 ] − y ∼ [ 2 N ] [ A G ( y ) = 1 ] � � � Pr Pr � ≤ ǫ � � 2 / 26

  10. Measure of Complexity • complexity � = time, as A may compute f − 1 in O ( log N ) time by storing all inverses. 3 / 26

  11. Measure of Complexity • complexity � = time, as A may compute f − 1 in O ( log N ) time by storing all inverses. • complexity = pre-computed advice + running time. 3 / 26

  12. Measure of Complexity • complexity � = time, as A may compute f − 1 in O ( log N ) time by storing all inverses. • complexity = pre-computed advice + running time. • Can be implemented on a RAM machine with time and space t . • Similar to circuit complexity. 3 / 26

  13. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) 4 / 26

  14. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) 4 / 26

  15. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs 4 / 26

  16. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 4 / 26

  17. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 ˜ def O ( ǫ 2 N ) [ACR 97] PRG G ( x ) = ( f ( x ) , P ( x )) 4 / 26

  18. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 ˜ def O ( ǫ 2 N ) [ACR 97] PRG G ( x ) = ( f ( x ) , P ( x )) ˜ O ( ǫ 2 N ) [DTT 10] Any PRG 4 / 26

  19. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 ˜ def O ( ǫ 2 N ) [ACR 97] PRG G ( x ) = ( f ( x ) , P ( x )) ˜ O ( ǫ 2 N ) [DTT 10] Any PRG All above results are actually stated as time-space tradeoffs. Complexity is optimized when T = S . 4 / 26

  20. Lower bounds Better stated in terms of a tradeoff between T and S . 5 / 26

  21. Lower bounds Better stated in terms of a tradeoff between T and S . Primitive Tradeoff [Yao 90] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) √ [Gennaro-Trevisan 00] of inputs for T = O ( ǫ N ) [Wee 05] 5 / 26

  22. Lower bounds Better stated in terms of a tradeoff between T and S . Primitive Tradeoff [Yao 90] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) √ [Gennaro-Trevisan 00] of inputs for T = O ( ǫ N ) [Wee 05] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) [DTT 10] of inputs for any T 5 / 26

  23. Lower bounds Better stated in terms of a tradeoff between T and S . Primitive Tradeoff [Yao 90] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) √ [Gennaro-Trevisan 00] of inputs for T = O ( ǫ N ) [Wee 05] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) [DTT 10] of inputs for any T def T · S = Ω( ǫ 2 N ) [DTT 10] PRG G = ( f ( x ) , P ( x )) 5 / 26

  24. Hellman’s approach for permutations f ( x )

  25. Hellman’s approach for permutations f ( x ) f ( f ( x ))

  26. Hellman’s approach for permutations f ( x ) f ( f ( x )) f ( f ( f ( x )))

  27. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x )))

  28. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x ))) √ In small cycles of size less than N , compute f ( x ) , f ( f ( x )) , . . . 6 / 26

  29. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x ))) √ In small cycles of size less than N , compute f ( x ) , f ( f ( x )) , . . . At some point, you hit x . f − 1 ( x ) is the penultimate point in the sequence. 6 / 26

  30. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x ))) √ In small cycles of size less than N , compute f ( x ) , f ( f ( x )) , . . . At some point, you hit x . f − 1 ( x ) is the penultimate point in the sequence. √ Time complexity of computation is ˜ O ( N ) . 6 / 26

  31. What happens to large cycles? a x √ N c b d √ In large cycles, store back-links at a distance of N 7 / 26

  32. What happens to large cycles? a x √ N c b d √ In large cycles, store back-links at a distance of N For e.g., store ( a , b ) , ( b , c ) , ( c , d ) and ( d , a ) in a data-structure 7 / 26

  33. What happens to large cycles? a x √ N c b d Compute f ( x ) , f ( f ( x )) , . . . till you hit a point in the data structure, say a 8 / 26

  34. What happens to large cycles? a x √ N c b d Compute f ( x ) , f ( f ( x )) , . . . till you hit a point in the data structure, say a When you hit a , use back-link to go back to b 8 / 26

  35. What happens to large cycles? a x √ N c b d Now, compute f ( a ) , f ( f ( a )) , . . . until you hit x 9 / 26

  36. What happens to large cycles? a x √ N c b d Now, compute f ( a ) , f ( f ( a )) , . . . until you hit x The penultimate point in the sequence is f − 1 ( x ) 9 / 26

  37. What happens to large cycles? a x √ N c b d √ Note that all the cycles can be covered by O ( N ) back-links (each back-link √ covering a distance of N ) 10 / 26

  38. What happens to large cycles? a x √ N c b d √ Note that all the cycles can be covered by O ( N ) back-links (each back-link √ covering a distance of N ) √ Also, the total time complexity is N as you hit a “back-link” in that time 10 / 26

  39. Time and space complexity for inverting permutations √ √ • Total time T = ˜ N ) and space S = ˜ O ( O ( N ) . 11 / 26

  40. Time and space complexity for inverting permutations √ √ • Total time T = ˜ N ) and space S = ˜ O ( O ( N ) . • Can be used to invert ǫ fraction of the elements in time √ √ T = ˜ ǫ N ) and space S = ˜ O ( O ( ǫ N ) • In fact, we can achieve any time ( T ) space ( S ) tradeoff such that T · S = ǫ N . 11 / 26

  41. Abstracting the approach for permutations • Cover the graph ( x → f ( x ) ) of f by m disjoint paths of length ℓ . 12 / 26

  42. Abstracting the approach for permutations • Cover the graph ( x → f ( x ) ) of f by m disjoint paths of length ℓ . • Gives algo with T = ˜ O ( ℓ ) and S = ˜ O ( m ) (one back-link per path). 12 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Space/time tradeoffs; dynamic programming; y g g transform and conquer 1. Space/time

Space/time tradeoffs; dynamic programming; y g g transform and conquer 1. Space/time

6. Space-time tradeoffs and dynamic programming D. Keil Analysis of Algorithms 1/11 Topic 6: Space/time tradeoffs; dynamic programming; y g g transform and conquer 1. Space/time tradeoffs 2. Dynamic programming 3 Example: sequence

498 views • 18 slides
Quantum Time-Space Tradeoffs for Deciding Systems of Linear Inequalities Robert Spalek

Quantum Time-Space Tradeoffs for Deciding Systems of Linear Inequalities Robert Spalek

Quantum Time-Space Tradeoffs for Deciding Systems of Linear Inequalities Robert Spalek sr@cwi.nl joint work with Andris Ambainis and Ronald de Wolf quant-ph/0511200 Robert Spalek, CWI Quantum Time-Space Tradeoffs for Deciding

816 views • 57 slides
Week 5 Space-Time Tradeoffs and Calgary Drop-In Centre Locating a Particular Piece of Data

Week 5 Space-Time Tradeoffs and Calgary Drop-In Centre Locating a Particular Piece of Data

Week 5 Space-Time Tradeoffs and Calgary Drop-In Centre Locating a Particular Piece of Data 2 Growth-rate Functions O(1) constant time, the time is independent of n , e.g. array look-up O(log n ) logarithmic time, usually the log

549 views • 6 slides
Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, Frdric Magniez IRIF ,

Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, Frdric Magniez IRIF ,

Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, Frdric Magniez IRIF , Universit de Paris arXiv: 2002.08944 Google Sycamores calculation Time 5 minutes Memory 53 qubits + few megabytes Simulation by

1.42k views • 119 slides
MA/CSSE 473 Day 24 Student questions Space-time tradeoffs Hash tables review String search

MA/CSSE 473 Day 24 Student questions Space-time tradeoffs Hash tables review String search

MA/CSSE 473 Day 24 Student questions Space-time tradeoffs Hash tables review String search algorithms intro We did not get to them in other sections THINGS WE DID LAST TIME IN SECTION 1 1 Horner's Rule It involves a representation change.

468 views • 15 slides
Area and Time Tradeoffs in FPGAs Examining the concept of area/time tradeoffs in FPGA design,

Area and Time Tradeoffs in FPGAs Examining the concept of area/time tradeoffs in FPGA design,

Area and Time Tradeoffs in FPGAs Examining the concept of area/time tradeoffs in FPGA design, pattern matching, and Advanced Encryption Standard (AES) Richie Ung Trang (z5061606) Harry Gougousidis (z5159917) Henry Veng (z5113239) Presentation

569 views • 30 slides
Quantum and Classical Strong Direct Product Theorems and Optimal Time-Space Tradeoffs Robert

Quantum and Classical Strong Direct Product Theorems and Optimal Time-Space Tradeoffs Robert

Quantum and Classical Strong Direct Product Theorems and Optimal Time-Space Tradeoffs Robert palek joint work with Ronald de Wolf and Hartmut Klauck Computing Many Copies of a Function Suppose the complexity of f is well understood, e.g.

519 views • 23 slides
Time-Space Tradeoffs for Two-Pass Learning Sumegha Garg (Princeton) Joint Work with Ran Raz

Time-Space Tradeoffs for Two-Pass Learning Sumegha Garg (Princeton) Joint Work with Ran Raz

Time-Space Tradeoffs for Two-Pass Learning Sumegha Garg (Princeton) Joint Work with Ran Raz (Princeton) and Avishay Tal (UC Berkeley) [Shamir 14], [Steinhardt-Valiant-Wager 15] Initiated a study of memory-samples lower bounds for learning Can one

636 views • 26 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang Virgil D. Gligor Vyas Sekar ECE Department and CyLab, Carnegie Mellon University Feb 22, 2016 Large-scale link-flooding attacks Massive DDoS

511 views • 20 slides
Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with David Cash, Andrew Drucker, Hoeteck Wee 1 This Talk Inspects time-space tradeo ff s for finding short collisions in Merkle-Damgrd hash

890 views • 55 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

When Hardware Attacks s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require:

688 views • 25 slides
Analysis of the Tradeoffs between Energy and Run Time for Multilevel Checkpointing Prasanna

Analysis of the Tradeoffs between Energy and Run Time for Multilevel Checkpointing Prasanna

Analysis of the Tradeoffs between Energy and Run Time for Multilevel Checkpointing Prasanna Balaprakash, Leonardo A. Bautista Gomez , Slim Bouguerra, Stefan M. Wild, Franck Cappello , and Paul D. Hovland ANL PMBS workshop @ SC14

705 views • 43 slides
A New Quantum Lower-Bound Method, with Applications to Direct Product Theorems and Time-Space

A New Quantum Lower-Bound Method, with Applications to Direct Product Theorems and Time-Space

A New Quantum Lower-Bound Method, with Applications to Direct Product Theorems and Time-Space Tradeoffs Robert Spalek joint work with Andris Ambainis and Ronald de Wolf CWI, Amsterdam University of Waterloo Robert

606 views • 47 slides
Space and Speed Tradeoffs in TCAM Hierarchical Packet Classification Alex Kesselman , Kirill

Space and Speed Tradeoffs in TCAM Hierarchical Packet Classification Alex Kesselman , Kirill

Space and Speed Tradeoffs in TCAM Hierarchical Packet Classification Alex Kesselman , Kirill Kogan , Sergey Nemzer and Michael Segal Google, Inc. Email: alx@google.com Cisco Systems, Netanya, Israel and Communication

70 views • 6 slides
Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa

Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa

Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa State University Ames, Iowa 50010 slutzki@cs.iastate.edu May 9th, 2010 Jointly with Jia Tao and Vasant Honavar G. Slutzki (ISU) Inverting Proof

375 views • 35 slides
On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia

On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia

On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia (PennState to UTAustin) Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU) 1 How do people say a crypto system is

567 views • 24 slides
Bayesian inference in Inverse problems Bani Mallick bmallick@stat.tamu.edu Department of

Bayesian inference in Inverse problems Bani Mallick bmallick@stat.tamu.edu Department of

Bayesian inference in Inverse problems Bani Mallick bmallick@stat.tamu.edu Department of Statistics, Texas A&M University, College Station 1/20 Inverse Problems Inverse problems arise from indirect observations of a quantity of interest

872 views • 45 slides
Stokes Profile Inversion and Comparison to Full-Resolution Data Max Genecov LASP REU

Stokes Profile Inversion and Comparison to Full-Resolution Data Max Genecov LASP REU

Stokes Profile Inversion and Comparison to Full-Resolution Data Max Genecov LASP REU July 31, 2014 Mentors: Alfred de Wijn, Rebeca Centeno Elliott Solar Magnetic Fields Magnetic field strength and orientation are great

675 views • 22 slides
Addition and Subtraction Philipp Koehn 4 September 2019 Philipp Koehn Computer Systems

Addition and Subtraction Philipp Koehn 4 September 2019 Philipp Koehn Computer Systems

Addition and Subtraction Philipp Koehn 4 September 2019 Philipp Koehn Computer Systems Fundamentals: Addition and Subtraction 4 September 2019 1 addition Philipp Koehn Computer Systems Fundamentals: Addition and Subtraction 4 September

512 views • 35 slides
DTTF/NB479: Dszquphsbqiz Day 7 Announcements: Matlab tutorial linked to in syllabus

DTTF/NB479: Dszquphsbqiz Day 7 Announcements: Matlab tutorial linked to in syllabus

DTTF/NB479: Dszquphsbqiz Day 7 Announcements: Matlab tutorial linked to in syllabus Questions? Today: Block ciphers, especially Hill Ciphers Modular matrix inverses 1 Block Ciphers So far, changing 1 character in the plaintext changes

108 views • 6 slides
Today: Verilog and Sequential Logic Today: Verilog and Sequential Logic T Flip-f lops S

Today: Verilog and Sequential Logic Today: Verilog and Sequential Logic T Flip-f lops S

Today: Verilog and Sequential Logic Today: Verilog and Sequential Logic T Flip-f lops S represent at ion of clocks - t iming of st at e changes S asynchronous vs. synchronous T Count ers (St at e Machines) S st ruct ural view (FFs

394 views • 5 slides
Inversion of Mutually Orthogonal CA Luca Mariot, Alberto Leporati Bicocca Security Lab (BiSLab)

Inversion of Mutually Orthogonal CA Luca Mariot, Alberto Leporati Bicocca Security Lab (BiSLab)

Inversion of Mutually Orthogonal CA Luca Mariot, Alberto Leporati Bicocca Security Lab (BiSLab) Dipartimento di Informatica, Sistemistica e Comunicazione (DISCo) Universit degli Studi Milano - Bicocca ACRI 2018 Como, September 17-21, 2018

508 views • 19 slides

More recommend