Project:Sandbox

A Time-Memory Trade-Off is a type of algorithm that tries to find an effective middle ground between XXX

Conventions

 * $$C$$: Ciphertext
 * $$f(K)$$: Reduction of the encipherment of plaintext $$P_0$$ with key $$K$$
 * $$K$$: Key
 * $$l$$: number of lookup tables
 * $$m$$: number of rows in a lookup table
 * $$N$$: Size of the key
 * $$P$$: Plaintext
 * $$R$$: Reduction function
 * $$S$$: Ciphering function
 * $$t$$: number of iterations used to build a lookup table; the number of columns in the lookup table minus 1.

Introduction
Cryptanalysis is a search problem in which the attacker tries to obtain some information about a cryptographic system. On this page, we take the point of view of an attacker trying to retrieve the key used in a cryptographic algorithm by means of a known or chosen plaintext attack. XXX

For the sake of simplicity, we take as an example a system that stores a password by enciphering a known word, using the password to store as the key. So we have: $$C_0=S_K(P_0)$$

Standard approaches
The attack can traditionally be carried out with one of two methods: exhaustive search or lookup tables.

Exhaustive search
In this case, in our example, the attacker first gets the ciphertext. He then tries each possible key one by one, enciphering the plaintext $$P_0$$ with the tried key and comparing the result with the obtained ciphertext.

Lookup tables
In this case, there is a preparation phase in which the attacker executes an off-line exhaustive search and stores the results in a lookup table. Then, during the on-line part of the attack, the attacker gets a ciphertext and uses the lookup table to find the corresponding key.

Hellman's Time-Memory Trade-Off
In 1980, Hellman proposed a new kind of attack. The goal was to speed up the on-line part of the attack by precalculating some data while avoiding the need to store a full lookup table.

Reduction function
We therefore use a reduction function. The reduction function is a kind of hash function that takes a ciphertext of a given length as its parameter and returns a bit string having the length of the key of the cryptographic system. The reduction can be a simple selection of given bits or a more complex combination of the bits of the input.

For instance, for DES, plaintext and ciphertext blocks are 64 bits long and the key length is 56 bits. A reduction function is a function that gives a 56-bit result for every 64-bit input.

For Hellman's method, we define $$f(K)$$ as the reduction of the encipherment of a given plaintext with key $$K$$: $$f(K)=R(S_K(P_0))$$.

Precomputation
The attacker randomly chooses $$m$$ independent starting points from the key space (among all possible keys). He then applies the function $$f$$ $$t$$ times to each starting point. For each starting point, this generates a sequence of keys. The last key of each sequence is called the endpoint.

So the attacker constructs a table with $$m$$ sequences (rows). For each sequence, the first $$t$$ columns contain $$t$$ potential keys and the last column contains the endpoint.

To reduce the memory requirement, the attacker only stores the (starting point, endpoint) pairs. He stores them in a precalculation table sorted on endpoints.

Online attack
Now suppose the attacker gets the ciphertext $$C_0=S_K(P_0)$$. He applies the reduction to $$C_0$$: $$Y_1=R(C_0)=f(K)$$.

If $$Y_1$$ is one of the endpoints, then the searched key is potentially in the $$(t-1)$$-th column of the precalculation table. As he dropped all intermediate columns, he has to take the corresponding starting point and reconstruct the sequence up to the $$(t-1)$$-th column. Then he tests the key by enciphering $$P_0$$. If he finds $$C_0$$, the tested key is the right one. Otherwise, it is what we will call a false alarm.

If $$Y_1$$ is not one of the endpoints, he computes $$Y_2=f(Y_1)$$. He now checks whether $$Y_2$$ is one of the endpoints. If it is, the searched key is potentially in the $$(t-2)$$-th column of the precalculation table. By reconstructing the sequence, he can compute the key and check its validity (is it the used key or a false alarm?).

Proceeding recursively, he continues testing $$Y_{i+1}=f(Y_i)$$ until he has found the key or until he reaches $$Y_t$$ (corresponding to the end of the table).
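
The precomputation and online phases described above, as an added example that is not code from the original page. It assumes a toy 16-bit key space with $$N$$ taken as the number of possible keys, a truncated SHA-256 as a stand-in for $$S_K(P_0)$$, and a dictionary keyed on endpoints in place of the sorted table; all names are hypothetical.

```python
import hashlib
import random

KEY_BITS = 16                      # assumption: toy key space
N = 1 << KEY_BITS                  # number of possible keys
P0 = b"known-plaintext"            # constructed fixed plaintext P_0

def S(key, plaintext=P0):
    """Stand-in for S_K(P): 32-bit 'ciphertext' derived from a keyed hash."""
    digest = hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big") + plaintext).digest()
    return int.from_bytes(digest[:4], "big")

def R(ciphertext):
    """Reduction by bit selection: keep the low KEY_BITS bits."""
    return ciphertext & (N - 1)

def f(key):
    return R(S(key))               # f(K) = R(S_K(P_0))

def precompute(m, t, rng):
    """Build one table mapping endpoint -> starting points (other columns dropped)."""
    table = {}
    for _ in range(m):
        start = key = rng.randrange(N)
        for _ in range(t):
            key = f(key)
        table.setdefault(key, []).append(start)   # merged chains share an endpoint
    return table

def online_attack(c0, table, t):
    """Return (key or None, false_alarms) for the ciphertext c0 = S_K(P_0)."""
    false_alarms = 0
    y = R(c0)                                     # Y_1 = f(K)
    for s in range(1, t + 1):                     # Y_s hit => key is in column t-s
        for start in table.get(y, []):
            candidate = start
            for _ in range(t - s):                # rebuild the chain up to column t-s
                candidate = f(candidate)
            if S(candidate) == c0:
                return candidate, false_alarms
            false_alarms += 1                     # endpoint matched, key did not
        y = f(y)                                  # Y_{s+1} = f(Y_s)
    return None, false_alarms

if __name__ == "__main__":
    rng = random.Random(2024)
    tbl = precompute(m=64, t=32, rng=rng)         # m * t**2 == N
    secret = rng.randrange(N)
    print(online_attack(S(secret), tbl, t=32))    # usually (None, ...) for one table
```

A single table covers only a small fraction of the key space, which is why the conventions list $$l$$, the number of lookup tables.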

Probability of success
If the reduction function is modeled as a random function mapping the space of the key into itself, it can be proven that the probability of success is bounded by: $$P(S) \geq (1/N) \sum\limits_{i=1}^m\sum\limits_{j=0}^{t-1}[(N-it)/N]^{j+1}$$

This equation leads to several conclusions:
 * 1) For a fixed value of $$N$$, the gain from increasing $$m$$ or $$t$$ beyond $$mt^2=N$$ will be small. Indeed, $$[(N-it)/N]^{j+1}$$ can then be approximated by $$\exp(-ijt/N)$$ which tends to $$\exp(-t^2/N)$$.
 * 2) XXX