time space tradeoffs for attacks against one way
play

Time space tradeoffs for attacks against one-way functions and PRGs - PowerPoint PPT Presentation

Sep 10, 2023 •43 likes •943 views

Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of California, Berkeley Joint work with Luca Trevisan - UC Berkeley and Stanford University Madhur Tulsiani - Princeton University 0 / 26 What is this

  1. Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of California, Berkeley Joint work with Luca Trevisan - UC Berkeley and Stanford University Madhur Tulsiani - Princeton University 0 / 26

  2. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? 1 / 26

  3. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . 1 / 26

  4. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . • In time t , recover key with probability better than t / 2 k . 1 / 26

  5. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . • In time t , recover key with probability better than t / 2 k . • Brute force : optimal when restricted to uniform algorithms 1 / 26

  6. What is this talk about? • Can “brute-force” attacks on cryptographic primitives be improved upon? • Recover a key of length k in time less than 2 k . • In time t , recover key with probability better than t / 2 k . • Brute force : optimal when restricted to uniform algorithms • Are better (non-uniform) attacks possible against: • one-way functions? • pseudo-random generators? 1 / 26

  7. Definitions of primitives • N = 2 n , [ N ] ∼ = { 0 , 1 } n . 2 / 26

  8. Definitions of primitives • N = 2 n , [ N ] ∼ = { 0 , 1 } n . • One-way function: f : [ N ] → [ N ] is ( t , ǫ ) -one way if for every algorithm A of complexity ≤ t � A f ( f ( x )) = x ′ | f ( x ′ ) = f ( x ) � Pr ≤ ǫ x ∼{ 0 , 1 } n 2 / 26

  9. Definitions of primitives • N = 2 n , [ N ] ∼ = { 0 , 1 } n . • One-way function: f : [ N ] → [ N ] is ( t , ǫ ) -one way if for every algorithm A of complexity ≤ t � A f ( f ( x )) = x ′ | f ( x ′ ) = f ( x ) � Pr ≤ ǫ x ∼{ 0 , 1 } n • PRG: G : [ N ] → [ 2 N ] is a ( t , ǫ ) -secure PRG if for every algorithm A of complexity ≤ t � � x ∼ [ N ] [ A G ( G ( x )) = 1 ] − y ∼ [ 2 N ] [ A G ( y ) = 1 ] � � � Pr Pr � ≤ ǫ � � 2 / 26

  10. Measure of Complexity • complexity � = time, as A may compute f − 1 in O ( log N ) time by storing all inverses. 3 / 26

  11. Measure of Complexity • complexity � = time, as A may compute f − 1 in O ( log N ) time by storing all inverses. • complexity = pre-computed advice + running time. 3 / 26

  12. Measure of Complexity • complexity � = time, as A may compute f − 1 in O ( log N ) time by storing all inverses. • complexity = pre-computed advice + running time. • Can be implemented on a RAM machine with time and space t . • Similar to circuit complexity. 3 / 26

  13. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) 4 / 26

  14. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) 4 / 26

  15. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs 4 / 26

  16. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 4 / 26

  17. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 ˜ def O ( ǫ 2 N ) [ACR 97] PRG G ( x ) = ( f ( x ) , P ( x )) 4 / 26

  18. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 ˜ def O ( ǫ 2 N ) [ACR 97] PRG G ( x ) = ( f ( x ) , P ( x )) ˜ O ( ǫ 2 N ) [DTT 10] Any PRG 4 / 26

  19. Upper bounds Primitive Complexity √ ˜ [Hellman 80] Permutation f O ( N ) ˜ O ( N 2 / 3 ) [Hellman 80] Random function f (heuristic) ˜ O ( N 3 / 4 ) [Fiat-Naor 99] Any f , all inputs √ ˜ ǫ ≤ N − 1 / 3 O ( ǫ N ) [DTT 10] Any f , ǫ -fraction of inputs ˜ O ( ǫ 5 / 4 N 3 / 4 ) ǫ ≥ N − 1 / 3 ˜ def O ( ǫ 2 N ) [ACR 97] PRG G ( x ) = ( f ( x ) , P ( x )) ˜ O ( ǫ 2 N ) [DTT 10] Any PRG All above results are actually stated as time-space tradeoffs. Complexity is optimized when T = S . 4 / 26

  20. Lower bounds Better stated in terms of a tradeoff between T and S . 5 / 26

  21. Lower bounds Better stated in terms of a tradeoff between T and S . Primitive Tradeoff [Yao 90] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) √ [Gennaro-Trevisan 00] of inputs for T = O ( ǫ N ) [Wee 05] 5 / 26

  22. Lower bounds Better stated in terms of a tradeoff between T and S . Primitive Tradeoff [Yao 90] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) √ [Gennaro-Trevisan 00] of inputs for T = O ( ǫ N ) [Wee 05] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) [DTT 10] of inputs for any T 5 / 26

  23. Lower bounds Better stated in terms of a tradeoff between T and S . Primitive Tradeoff [Yao 90] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) √ [Gennaro-Trevisan 00] of inputs for T = O ( ǫ N ) [Wee 05] T · S = ˜ Permutation f , ǫ -fraction Ω( ǫ N ) [DTT 10] of inputs for any T def T · S = Ω( ǫ 2 N ) [DTT 10] PRG G = ( f ( x ) , P ( x )) 5 / 26

  24. Hellman’s approach for permutations f ( x )

  25. Hellman’s approach for permutations f ( x ) f ( f ( x ))

  26. Hellman’s approach for permutations f ( x ) f ( f ( x )) f ( f ( f ( x )))

  27. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x )))

  28. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x ))) √ In small cycles of size less than N , compute f ( x ) , f ( f ( x )) , . . . 6 / 26

  29. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x ))) √ In small cycles of size less than N , compute f ( x ) , f ( f ( x )) , . . . At some point, you hit x . f − 1 ( x ) is the penultimate point in the sequence. 6 / 26

  30. Hellman’s approach for permutations f ( x ) f ( f ( x )) x f ( f ( f ( x ))) √ In small cycles of size less than N , compute f ( x ) , f ( f ( x )) , . . . At some point, you hit x . f − 1 ( x ) is the penultimate point in the sequence. √ Time complexity of computation is ˜ O ( N ) . 6 / 26

  31. What happens to large cycles? a x √ N c b d √ In large cycles, store back-links at a distance of N 7 / 26

  32. What happens to large cycles? a x √ N c b d √ In large cycles, store back-links at a distance of N For e.g., store ( a , b ) , ( b , c ) , ( c , d ) and ( d , a ) in a data-structure 7 / 26

  33. What happens to large cycles? a x √ N c b d Compute f ( x ) , f ( f ( x )) , . . . till you hit a point in the data structure, say a 8 / 26

  34. What happens to large cycles? a x √ N c b d Compute f ( x ) , f ( f ( x )) , . . . till you hit a point in the data structure, say a When you hit a , use back-link to go back to b 8 / 26

  35. What happens to large cycles? a x √ N c b d Now, compute f ( a ) , f ( f ( a )) , . . . until you hit x 9 / 26

  36. What happens to large cycles? a x √ N c b d Now, compute f ( a ) , f ( f ( a )) , . . . until you hit x The penultimate point in the sequence is f − 1 ( x ) 9 / 26

  37. What happens to large cycles? a x √ N c b d √ Note that all the cycles can be covered by O ( N ) back-links (each back-link √ covering a distance of N ) 10 / 26

  38. What happens to large cycles? a x √ N c b d √ Note that all the cycles can be covered by O ( N ) back-links (each back-link √ covering a distance of N ) √ Also, the total time complexity is N as you hit a “back-link” in that time 10 / 26

  39. Time and space complexity for inverting permutations √ √ • Total time T = ˜ N ) and space S = ˜ O ( O ( N ) . 11 / 26

  40. Time and space complexity for inverting permutations √ √ • Total time T = ˜ N ) and space S = ˜ O ( O ( N ) . • Can be used to invert ǫ fraction of the elements in time √ √ T = ˜ ǫ N ) and space S = ˜ O ( O ( ǫ N ) • In fact, we can achieve any time ( T ) space ( S ) tradeoff such that T · S = ǫ N . 11 / 26

  41. Abstracting the approach for permutations • Cover the graph ( x → f ( x ) ) of f by m disjoint paths of length ℓ . 12 / 26

  42. Abstracting the approach for permutations • Cover the graph ( x → f ( x ) ) of f by m disjoint paths of length ℓ . • Gives algo with T = ˜ O ( ℓ ) and S = ˜ O ( m ) (one back-link per path). 12 / 26

Recommend

Space/time tradeoffs; dynamic programming; y g g transform and conquer 1. Space/time

Space/time tradeoffs; dynamic programming; y g g transform and conquer 1. Space/time

6. Space-time tradeoffs and dynamic programming D. Keil Analysis of Algorithms 1/11 Topic 6: Space/time tradeoffs; dynamic programming; y g g transform and conquer 1. Space/time tradeoffs 2. Dynamic programming 3 Example: sequence

498 views • 18 slides
Quantum Time-Space Tradeoffs for Deciding Systems of Linear Inequalities Robert Spalek

Quantum Time-Space Tradeoffs for Deciding Systems of Linear Inequalities Robert Spalek

Quantum Time-Space Tradeoffs for Deciding Systems of Linear Inequalities Robert Spalek sr@cwi.nl joint work with Andris Ambainis and Ronald de Wolf quant-ph/0511200 Robert Spalek, CWI Quantum Time-Space Tradeoffs for Deciding

816 views • 57 slides
Week 5 Space-Time Tradeoffs and Calgary Drop-In Centre Locating a Particular Piece of Data

Week 5 Space-Time Tradeoffs and Calgary Drop-In Centre Locating a Particular Piece of Data

Week 5 Space-Time Tradeoffs and Calgary Drop-In Centre Locating a Particular Piece of Data 2 Growth-rate Functions O(1) constant time, the time is independent of n , e.g. array look-up O(log n ) logarithmic time, usually the log

549 views • 6 slides
Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, Frdric Magniez IRIF ,

Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, Frdric Magniez IRIF ,

Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, Frdric Magniez IRIF , Universit de Paris arXiv: 2002.08944 Google Sycamores calculation Time 5 minutes Memory 53 qubits + few megabytes Simulation by

1.42k views • 119 slides
MA/CSSE 473 Day 24 Student questions Space-time tradeoffs Hash tables review String search

MA/CSSE 473 Day 24 Student questions Space-time tradeoffs Hash tables review String search

MA/CSSE 473 Day 24 Student questions Space-time tradeoffs Hash tables review String search algorithms intro We did not get to them in other sections THINGS WE DID LAST TIME IN SECTION 1 1 Horner's Rule It involves a representation change.

468 views • 15 slides
Area and Time Tradeoffs in FPGAs Examining the concept of area/time tradeoffs in FPGA design,

Area and Time Tradeoffs in FPGAs Examining the concept of area/time tradeoffs in FPGA design,

Area and Time Tradeoffs in FPGAs Examining the concept of area/time tradeoffs in FPGA design, pattern matching, and Advanced Encryption Standard (AES) Richie Ung Trang (z5061606) Harry Gougousidis (z5159917) Henry Veng (z5113239) Presentation

569 views • 30 slides
Quantum and Classical Strong Direct Product Theorems and Optimal Time-Space Tradeoffs Robert

Quantum and Classical Strong Direct Product Theorems and Optimal Time-Space Tradeoffs Robert

Quantum and Classical Strong Direct Product Theorems and Optimal Time-Space Tradeoffs Robert palek joint work with Ronald de Wolf and Hartmut Klauck Computing Many Copies of a Function Suppose the complexity of f is well understood, e.g.

519 views • 23 slides
Time-Space Tradeoffs for Two-Pass Learning Sumegha Garg (Princeton) Joint Work with Ran Raz

Time-Space Tradeoffs for Two-Pass Learning Sumegha Garg (Princeton) Joint Work with Ran Raz

Time-Space Tradeoffs for Two-Pass Learning Sumegha Garg (Princeton) Joint Work with Ran Raz (Princeton) and Avishay Tal (UC Berkeley) [Shamir 14], [Steinhardt-Valiant-Wager 15] Initiated a study of memory-samples lower bounds for learning Can one

636 views • 26 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang Virgil D. Gligor Vyas Sekar ECE Department and CyLab, Carnegie Mellon University Feb 22, 2016 Large-scale link-flooding attacks Massive DDoS

511 views • 20 slides
Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with David Cash, Andrew Drucker, Hoeteck Wee 1 This Talk Inspects time-space tradeo ff s for finding short collisions in Merkle-Damgrd hash

890 views • 55 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

When Hardware Attacks s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require:

688 views • 25 slides
Analysis of the Tradeoffs between Energy and Run Time for Multilevel Checkpointing Prasanna

Analysis of the Tradeoffs between Energy and Run Time for Multilevel Checkpointing Prasanna

Analysis of the Tradeoffs between Energy and Run Time for Multilevel Checkpointing Prasanna Balaprakash, Leonardo A. Bautista Gomez , Slim Bouguerra, Stefan M. Wild, Franck Cappello , and Paul D. Hovland ANL PMBS workshop @ SC14

705 views • 43 slides
A New Quantum Lower-Bound Method, with Applications to Direct Product Theorems and Time-Space

A New Quantum Lower-Bound Method, with Applications to Direct Product Theorems and Time-Space

A New Quantum Lower-Bound Method, with Applications to Direct Product Theorems and Time-Space Tradeoffs Robert Spalek joint work with Andris Ambainis and Ronald de Wolf CWI, Amsterdam University of Waterloo Robert

606 views • 47 slides
Space and Speed Tradeoffs in TCAM Hierarchical Packet Classification Alex Kesselman , Kirill

Space and Speed Tradeoffs in TCAM Hierarchical Packet Classification Alex Kesselman , Kirill

Space and Speed Tradeoffs in TCAM Hierarchical Packet Classification Alex Kesselman , Kirill Kogan , Sergey Nemzer and Michael Segal Google, Inc. Email: alx@google.com Cisco Systems, Netanya, Israel and Communication

70 views • 6 slides
S Space-in-Time and Time-in-Space Self-Organizing Maps i Ti d Ti i S S lf O i i M for

S Space-in-Time and Time-in-Space Self-Organizing Maps i Ti d Ti i S S lf O i i M for

S Space-in-Time and Time-in-Space Self-Organizing Maps i Ti d Ti i S S lf O i i M for Exploring Spatiotemporal Patterns Gennady Andrienko & Natalia Andrienko http://geoanalytics.net htt // l ti t Sebastian Bremm, Tobias Schreck,

632 views • 29 slides
Lecture 14 Space-Time The Wedding of Time and Space Announcements References: Today:

Lecture 14 Space-Time The Wedding of Time and Space Announcements References: Today:

Lecture 14 Space-Time The Wedding of Time and Space Announcements References: Today: Wedding of Space and Time: Time dilation, Length Contraction March (Ch 10), Lightman (Ch 3) Next time: Energy and Mass: E = mc 2 March (Ch

450 views • 4 slides
TIME/ACCURACY TRADEOFFS FOR LEARNING A RELU WITH RESPECT TO GAUSSIAN MARGINALS Surbhi Goel

TIME/ACCURACY TRADEOFFS FOR LEARNING A RELU WITH RESPECT TO GAUSSIAN MARGINALS Surbhi Goel

TIME/ACCURACY TRADEOFFS FOR LEARNING A RELU WITH RESPECT TO GAUSSIAN MARGINALS Surbhi Goel Sushrut Karmalkar Adam Klivans The University of Texas at Austin 1 WHAT IS RELU REGRESSION? Given : Samples drawn from distribution

372 views • 21 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

1 Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on attack survey from 2019 BernsteinChuengsatiansup Langevan Vredendaal. Some hard lattice meta-problems: Analyze cost of known attacks.

489 views • 36 slides
Metrization Theorem Space-Time Analogs . . . How the (Non- . . . for Space-Times: Constructive

Metrization Theorem Space-Time Analogs . . . How the (Non- . . . for Space-Times: Constructive

Causality: A Reminder Urysohns Problem: . . . Space-Time Models: . . . Space-Time Analog of . . . Metrization Theorem Space-Time Analogs . . . How the (Non- . . . for Space-Times: Constructive . . . Constructive . . . A Constructive

831 views • 16 slides
AUTOMATIC TRADEOFFS: ACCURACY AND ENERGY Stephanie Forrest

AUTOMATIC TRADEOFFS: ACCURACY AND ENERGY Stephanie Forrest

AUTOMATIC TRADEOFFS: ACCURACY AND ENERGY Stephanie Forrest Westley Weimer Jonathan Dorn Jeremy Lacomis 1/13/17 1 Tradeoffs So6ware development involves

527 views • 28 slides
Cartography or Geospatial Shama Rashid 23-Nov-2009 The Space-Time Cube Revisited from a

Cartography or Geospatial Shama Rashid 23-Nov-2009 The Space-Time Cube Revisited from a

Cartography or Geospatial Shama Rashid 23-Nov-2009 The Space-Time Cube Revisited from a Geo-Visualization Perspective Menno Jan Kraak International Cartographic Conference, 2003 60s Hgerstrands space-time model: Space-Time

541 views • 27 slides

More recommend