understanding brute force cryptanalyst wants to find
play

Understanding brute force Cryptanalyst wants to find secret 128-bit - PowerPoint PPT Presentation

Dec 17, 2023 •300 likes •428 views

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein (0). given AES Thanks to: He builds an attack machine. University of Illinois at Chicago NSF CCR9983950 Machine 1: His

  1. ✁ ✁ ✁ Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein � (0). given AES Thanks to: He builds an attack machine. University of Illinois at Chicago NSF CCR–9983950 Machine 1: His desktop PC, Alfred P. Sloan Foundation searching through possibilities for . 2 9 dollars; Machine costs 2 22 seconds; takes 2 128 . succeeds with chance

  2. ✁ ✁ ✁ ✁ � ✁ ✁ rute force Cryptanalyst wants to find This is a silly attack secret 128-bit AES key , The cryptanalyst has � (0). given AES Machine 2: desktop He builds an attack machine. each searching through Illinois at Chicago possibilities for CCR–9983950 Machine 1: His desktop PC, Foundation searching through Machine costs 2 2 22 seconds; possibilities for . takes succeeds with chance 2 9 dollars; Machine costs 2 22 seconds; takes Same keys/dollar-second: 2 128 . succeeds with chance Same chance/dolla But larger chance!

  3. ✁ ✁ ✁ ✁ ✁ ✁ Cryptanalyst wants to find This is a silly attack machine. secret 128-bit AES key , The cryptanalyst has more money. � (0). given AES Machine 2: desktop PCs, He builds an attack machine. each searching through possibilities for . Machine 1: His desktop PC, 2 9 searching through Machine costs dollars; 2 22 seconds; possibilities for . takes 2 128 . succeeds with chance 2 9 dollars; Machine costs 2 22 seconds; Same keys/dollar-second: 2 13 . takes 2 128 . � 115 . succeeds with chance Same chance/dollar-second: 2 But larger chance!

  4. ✁ ✁ � ✁ ✁ ✁ ✁ ✁ ants to find This is a silly attack machine. This is a silly attack AES key , The cryptanalyst has more money. Only a tiny part of is doing anything useful. Machine 2: desktop PCs, Machine 3: tiny attack machine. each searching through each searching through possibilities for . desktop PC, possibilities for 2 9 through Machine costs dollars; 2 22 seconds; AES circuit, in bulk, r . takes is orders of magnitude 2 128 . succeeds with chance 2 9 dollars; less expensive than Same keys/dollar-second: 2 13 . seconds; allowing much larger 2 128 . � 115 . chance Same chance/dollar-second: 2 Cost ratio grows with But larger chance! Recall DES Cracker: 2 19 keys/dollar-second.

  5. ✁ ✁ ✁ ✁ This is a silly attack machine. This is a silly attack machine. The cryptanalyst has more money. Only a tiny part of the PC is doing anything useful. Machine 2: desktop PCs, Machine 3: tiny AES circuits, each searching through each searching through possibilities for . possibilities for . 2 9 Machine costs dollars; 2 22 seconds; AES circuit, in bulk, takes is orders of magnitude 2 128 . succeeds with chance less expensive than PC, Same keys/dollar-second: 2 13 . allowing much larger . � 115 . Same chance/dollar-second: 2 Cost ratio grows with PC size! But larger chance! Recall DES Cracker: in 1997, 2 19 keys/dollar-second.

  6. � ✁ � � ✁ ✁ ✁ ✁ ✁ ✁ ✁ attack machine. This is a silly attack machine. This is still silly if cryptanalyst has more money. Only a tiny part of the PC cryptanalyst is actually is doing anything useful. many keys 1 2 desktop PCs, Machine 3: tiny AES circuits, through Complicated but standa each searching through r . brute-force key-sea possibilities for . handles keys 2 9 dollars; using rainbow tables, AES circuit, in bulk, seconds; using distinguished is orders of magnitude 2 128 . chance less expensive than PC, Similar time, price r-second: 2 13 . allowing much larger . Conjecturally � 115 . chance/dollar-second: 2 Cost ratio grows with PC size! of success for every chance! distinguished points, Recall DES Cracker: in 1997, 2 19 keys/dollar-second.

  7. ✁ ✁ ✁ ✁ � � � This is a silly attack machine. This is still silly if Only a tiny part of the PC cryptanalyst is actually attacking ✁ . is doing anything useful. many keys 1 2 3 Machine 3: tiny AES circuits, Complicated but standard parallel each searching through brute-force key-search machine possibilities for . handles keys at once using rainbow tables, or AES circuit, in bulk, using distinguished points. is orders of magnitude less expensive than PC, Similar time, price to one key. 2 128 chance allowing much larger . Conjecturally Cost ratio grows with PC size! of success for every key; distinguished points, slightly lower. Recall DES Cracker: in 1997, 2 19 keys/dollar-second.

  8. ✁ � ✁ ✁ � ✁ � attack machine. This is still silly if Is this acceptable securit of the PC cryptanalyst is actually attacking If not, what do we ✁ . anything useful. many keys 1 2 3 Option 1: Input-space tiny AES circuits, to stop many-keys Complicated but standard parallel through “Use a large random brute-force key-search machine r . Heavy costs (usually handles keys at once limited benefits. using rainbow tables, or bulk, using distinguished points. magnitude Option 2: Use 32-b than PC, “Randomness in key Similar time, price to one key. 2 128 chance rger . Smaller costs; larger Conjecturally with PC size! of success for every key; See paper for further distinguished points, slightly lower. Cracker: in 1997, http://cr.yp.to r-second. /papers.html#bruteforce

  9. � � � ✁ ✁ ✁ This is still silly if Is this acceptable security? cryptanalyst is actually attacking If not, what do we do? ✁ . many keys 1 2 3 Option 1: Input-space separation, to stop many-keys attacks. Complicated but standard parallel “Use a large random nonce.” brute-force key-search machine Heavy costs (usually understated); handles keys at once limited benefits. using rainbow tables, or using distinguished points. Option 2: Use 32-byte keys. “Randomness in key, not nonce.” Similar time, price to one key. 2 128 chance Smaller costs; larger benefits. Conjecturally of success for every key; See paper for further analysis: distinguished points, slightly lower. http://cr.yp.to /papers.html#bruteforce

  10. � � � ✁ ✁ ✁ Is this acceptable security? Basic cryptanalytic if actually attacking If not, what do we do? A new attack is pointless ✁ . 3 Option 1: Input-space separation, it takes less time to stop many-keys attacks. standard parallel than standard brute-fo “Use a large random nonce.” ey-search machine at the same price Heavy costs (usually understated); eys at once with the same success limited benefits. tables, or Most papers get this distinguished points. Option 2: Use 32-byte keys. Example: The attack “Randomness in key, not nonce.” rice to one key. 9 rounds of 256-bit 2 128 chance Smaller costs; larger benefits. had larger price and every key; complete brute-force See paper for further analysis: through all 2 256 keys. oints, slightly lower. http://cr.yp.to /papers.html#bruteforce

  11. Is this acceptable security? Basic cryptanalytic economics If not, what do we do? A new attack is pointless unless Option 1: Input-space separation, it takes less time to stop many-keys attacks. than standard brute-force machine “Use a large random nonce.” at the same price Heavy costs (usually understated); with the same success chance. limited benefits. Most papers get this wrong. Option 2: Use 32-byte keys. Example: The attack “breaking” “Randomness in key, not nonce.” 9 rounds of 256-bit Serpent Smaller costs; larger benefits. had larger price and time than a complete brute-force search See paper for further analysis: through all 2 256 keys. http://cr.yp.to /papers.html#bruteforce

Recommend

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions Brute force algorithms Divide and Conquer What is the brute force approach to Calculate the n th Fibonacci number? 1. Compute the n th power

387 views • 14 slides
A JEALOUS A JEALOUS CRYPTANALYST CRYPTANALYST In search of a short vector A story by Leo

A JEALOUS A JEALOUS CRYPTANALYST CRYPTANALYST In search of a short vector A story by Leo

A JEALOUS A JEALOUS CRYPTANALYST CRYPTANALYST In search of a short vector A story by Leo Ducas, Marc Stevens and Wessel van Woerden ONCE UPON A TIME ONCE UPON A TIME ONCE UPON A TIME ONCE UPON A TIME A cryptanalyst visited the

307 views • 18 slides
Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of Mathematical and Geospatial Sciences RMIT University Melbourne, Australia Benjamin Burton (RMIT) Theorems, Algorithms and Brute Force November

444 views • 21 slides
MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE 473 Day 11 Questions? Donald Knuth Interview Amortization Brute force (if time) Decrease and conquer intro Q1 2 1 Donald

511 views • 11 slides
Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

467 views • 22 slides
Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

One-Slide Summary Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and the and analysis to break the Lorenz cipher. Guessed wheel settings were likely to be correct if they resulted in a Story So Far

112 views • 9 slides
Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of Computer Science James Madison University Oct 16, 2015 CS: Just do it! Complete search = try every possibility Should never give you Wrong Answer

399 views • 15 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

Outline Bayes theorem Discrete Bayesian classifiers Maximum likelihood classification Brute force Bayesian learning Nave Bayes Lecture 5 Bayesian Belief Networks Bayes theorem Maximum likelihood ( ) ( ) ( ) P x

72 views • 4 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

[Week 9] Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that finds a solution by trying all possibilities (usually VERY SLOW) - sometimes can be remedied by storing pre-computed values: called

116 views • 7 slides
Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force, Horspool, Boyer Moore STRING SEARCH 1 Brute Force String Search Example The problem: Search for the first occurrence of a pattern of length m in a

326 views • 10 slides
Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

[Week 3] Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all possibilities - related data structures - pruning to eliminate certain possibilities from the search - time complexity: usually really

662 views • 6 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III: Symbolic Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Binary Decision Diagrams -

1k views • 61 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II: Liveness & Timed Systems Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ...

861 views • 45 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Day I:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Day I:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Day I: Reachability Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Introduction Multi-core

583 views • 27 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios, Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromytis Columbia University Stony Brook University Brown University 2015 Annual Computer

736 views • 36 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part IV: Biology

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part IV: Biology

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part IV: Biology Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Signalling ANIMO In Silico

388 views • 22 slides
TODAY Substring search Brute force Knuth-Morris-Pratt Boyer-Moore Rabin-Karp

TODAY Substring search Brute force Knuth-Morris-Pratt Boyer-Moore Rabin-Karp

BBM 202 - ALGORITHMS D EPT . OF C OMPUTER E NGINEERING S UBSTRING S EARCH Acknowledgement: The course slides are adapted from the slides prepared by R. Sedgewick and K. Wayne of Princeton University. TODAY Substring search Brute

993 views • 83 slides
Closest Pair One-Shot Problem Given a set P of N points, find p,q P, such that the distance

Closest Pair One-Shot Problem Given a set P of N points, find p,q P, such that the distance

CS 16: Closest Points April Closest Pair One-Shot Problem Given a set P of N points, find p,q P, such that the distance d(p, q) is minimum. Algorithms for determining the closest pair: 1. Brute Force O( N 2 ) 2. Divide and Conquer O(N log

543 views • 18 slides
Why is Go hard for computers to play? Game tree complexity = b d Brute force search intractable:

Why is Go hard for computers to play? Game tree complexity = b d Brute force search intractable:

Why is Go hard for computers to play? Game tree complexity = b d Brute force search intractable: 1. Search space is huge 2. Impossible for computers to evaluate who is winning Convolutional neural network Value network Evaluation v

444 views • 16 slides

More recommend