## The full cost of cryptanalytic attacks

Venue: Journal of Cryptology

Citations: 15 (0 self)

### BibTeX

```bibtex
@ARTICLE{Wiener_thefull,
  author  = {Michael J. Wiener},
  title   = {The full cost of cryptanalytic attacks},
  journal = {Journal of Cryptology},
  year    = {},
  volume  = {17},
  pages   = {2004}
}
```

### Abstract

An open question about the asymptotic cost of connecting many processors to a large memory using three dimensions for wiring is answered, and this result is used to find the full cost of several cryptanalytic attacks. In many cases this full cost is higher than the accepted complexity of a given algorithm based on the number of processor steps. The full costs of several cryptanalytic attacks are determined, including Shanks' method for computing discrete logarithms in cyclic groups of prime order $n$, which requires $n^{1/2+o(1)}$ processor steps, but when all factors are taken into account, has full cost $n^{2/3+o(1)}$. Other attacks analyzed are factoring with the number field sieve, generic attacks on block ciphers, attacks on double and triple encryption, and finding hash collisions. In many cases parallel collision search gives a significant asymptotic advantage over well-known generic attacks.

### Citations

2466 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1996

359 | The Art of Computer Programming, Vol. 3: Sorting and Searching - Knuth - 1973

230 | Monte Carlo methods for index computation (mod p) - Pollard - 1978
Citation context: ...ment in computing discrete logarithms in groups of prime order $n$ from the method attributed to D. Shanks by Knuth [7, p. 591], which requires storage for $n^{1/2}$ group elements, to Pollard's rho method [15], which requires that only a small constant number of group elements be stored (see Section 4). By counting only processor steps in attacks when choosing key sizes, the cryptographer is being conserva...

221 | Lower bounds for discrete logarithms and related problems - Shoup - 1997
Citation context: ...$x$ in $G$, find $x$. Shoup showed that a generic discrete logarithm algorithm, one that does not exploit any special properties of the encodings of group elements, must perform $\Omega(n^{1/2})$ group operations [17]. He also said that "one cannot substantially improve upon the Pohlig-Hellman algorithm using generic algorithms." This is true with respect to the number of group operations performed. However, when ...

146 | Parallel Collision Search with Cryptanalytic Applications - Oorschot, Wiener - 1999
Citation context: ...To compute multiple logarithms efficiently requires parallel processing. Although Pollard's rho method cannot be directly parallelized efficiently, a related method called parallel collision search [21] can be parallelized efficiently. When parallel collision search is applied to a single discrete logarithm, all of the processors work on the one problem. However, each processor could be working to f...

130 | A Cryptanalytic Time-Memory Trade-Off - Hellman - 1980
Citation context: ...cessors are used. The cost per solution is $\Theta(n^{1/3} (\log n)^{4/3})$. An interesting attack that provides some middle ground between exhaustive search and table look-up is Hellman's time-memory trade-off [6], which proceeds as follows. Pre-computation: choose a positive integer $a$ and let $b = \lceil n/a^2 \rceil$. Choose a constant plaintext $P$ and a function $h$ that maps ciphertexts to keys so that $f(k) = h(E_k(P))$ de...

58 | Solving homogeneous linear equations over GF[2] via block Wiedemann algorithm - Coppersmith - 1994
Citation context: ...of $n^{1/5+o(1)}$. This is a considerable improvement over Shanks' method. 5 Factoring: Factoring an integer $n$ using the number field sieve (NFS) [8] involves a relation collection step and a matrix step [3, 13]. The costs of these two steps are traded off against each other in selecting NFS smoothness bounds [9]. Bernstein [2] observed that in the standard analysis of NFS, this trade-off is based on the tra...

52 | A Block Lanczos Algorithm for Finding Dependencies over - Montgomery - 1995
Citation context: ...of $n^{1/5+o(1)}$. This is a considerable improvement over Shanks' method. 5 Factoring: Factoring an integer $n$ using the number field sieve (NFS) [8] involves a relation collection step and a matrix step [3, 13]. The costs of these two steps are traded off against each other in selecting NFS smoothness bounds [9]. Bernstein [2] observed that in the standard analysis of NFS, this trade-off is based on the tra...

47 | On the security of multiple encryption - Merkle, Hellman - 1981
Citation context: ...re memory [10]. However, the larger memory causes this attack to have higher full cost than using parallel collision search. The more interesting case is two-key triple encryption. Merkle and Hellman [12] describe an attack that requires $n$ chosen plaintexts that proceeds as follows. Choose some fixed text $M$. For each possible key $k$, compute and store $(k, E_k^{-1}(M))$ in a hash table indexed by $E_k^{-1}(M)$...

46 | Exhaustive Cryptanalysis of the NBS - Diffie, Hellman - 1977
Citation context: ...multaneously. 7 Double Encryption: Double encryption consists of encrypting each plaintext block twice with two independent keys: $C = E_{k_2}(E_{k_1}(P))$. Because a meet-in-the-middle attack is possible [4], double encryption is widely believed to offer little advantage over regular single encryption. Here we do an asymptotic analysis of different attack approaches. The size of the key space for double ...

44 | Speeding up Pollard's rho method for computing discrete logarithms, in Algorithmic Number Theory Seminar ANTS-III - Teske - 1998
Citation context: ...ng as the iterating function used by all processors does not depend on the group element whose logarithm is sought. This requirement is satisfied by an iterating function $f : G \to G$ suggested by Teske [18], where $G$ is partitioned into about 20 disjoint sets $T_i$, each set is assigned a fixed randomly chosen group element $g^{x_i}$ with known logarithm $x_i$, and $f(y) = y g^{x_i}$ if $y \in T_i$. For parallel collision sea...

32 | A Known Plaintext Attack on Two-Key Triple Encryption - Oorschot, Wiener - 1990
Citation context: ...ack on double encryption if we ignore the need for an enormous number of chosen plaintexts. A known-plaintext variant of the Merkle-Hellman attack requires fewer texts at the cost of more computation [20]. Suppose that there are $w$ known plaintexts. Choose a constant $M$ and seek a plaintext $P$ such that $E_{k_1}(P) = M$ as follows. Store the plaintext-ciphertext pairs in a first hash table indexed on the pla...

31 | Three-dimensional VLSI, I: A case study - Rosenberg - 1981
Citation context: ...types of circuits of dimension $n$, the total area required in a two-dimensional realization including wiring is $n^{2+o(1)}$, and the total volume required in a three-dimensional realization is $n^{3/2+o(1)}$ [16]. To reduce wiring costs below the $\Theta(n^{3/2})$ bound requires that more than a constant amount of information be carried through a constant volume, which seems not to be possible with current wired and ...

19 | Locality, communications, and interconnect length in multicomputers - Vitanyi - 1988
Citation context: ...ecomes costly. To address the objection that wires are thin, Vitányi treated wires as having no volume in showing that exponential computations cannot be completed in polynomial time with parallelism [22]. In our case if wires are assumed to have zero thickness but non-zero cost per unit length, the wiring costs in Section 2.1 drop from $\Theta(n^{3/2})$ to $\Theta(n^{4/3})$, the number of components in Theorem 1 dro...

14 | Time-memory-processor trade-offs - Amirazizi, Hellman - 1988
Citation context: ...st of an algorithm is very processor-centric; we count the total number of operations performed by all processors. An exception is the work of Amirazizi and Hellman on time-memory-processor tradeoffs [1], which is closely related to the topic of this paper. To examine this focus on processors, we take a superficial look at the components that make up a processor: memory elements, logic gates, and len...

14 | Analysis of Bernstein's factorization circuit - Lenstra, Shamir, et al. - 2002
Citation context: ...he computation. The full cost of an algorithm run on a collection of hardware is the number of components multiplied by the duration of their use. This is called the throughput cost by Lenstra et al. [9], and is also used by Bernstein [2]. To say something useful about an algorithm itself rather than the combination of the algorithm and the hardware that implements it, we seek the implementation of t...

10 | Circuits for Integer Factorization: A - Bernstein - 2001
Citation context: ...algorithm run on a collection of hardware is the number of components multiplied by the duration of their use. This is called the throughput cost by Lenstra et al. [9], and is also used by Bernstein [2]. To say something useful about an algorithm itself rather than the combination of the algorithm and the hardware that implements it, we seek the implementation of the algorithm that minimizes full co...

10 | An improved algorithm for computing discrete logarithms over GF(p) and its cryptographic significance - Pohlig, Hellman - 1978
Citation context: ...lgorithms." This is true with respect to the number of group operations performed. However, when the full cost of the attack is considered, it is possible to improve upon the Pohlig-Hellman algorithm [14] (which uses Shanks' method). Pollard's rho method [15] is not deterministic, but it eliminates the large memory needed by Shanks' method, reducing the full cost to $\Theta(n^{1/2})$ times the cost of perf...

3 | On the Security of Double and 2-Key Triple Modes of Operation - Handschuh, Preneel - 1999
Citation context: ...he attacks on encryption and multiple encryption, only the basic electronic codebook mode is considered. Handschuh and Preneel deal with attacks on multiple encryption with various modes of operation [5]. 2 Full Cost of Connecting Many Processors to a Large Memory: For cryptanalytic attacks that require a large memory, we often require the use of parallel processors to minimize the full cost of the at...

3 | Attacking triple encryption, Fast Software Encryption '98, LNCS 1372 - Lucks - 1998
Citation context: ...using parallel collision search. Lucks gives an interesting attack that reduces the total number of processor steps by a constant factor at the cost of requiring more known plaintexts and more memory [10]. However, the larger memory causes this attack to have higher full cost than using parallel collision search. The more interesting case is two-key triple encryption. Merkle and Hellman [12] describe ...