[17641] in cryptography@c2.net mail archive
Time-Memory-Key tradeoff attacks?
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Jul 8 15:27:01 2005
X-Original-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
From: "Perry E. Metzger" <perry@piermont.com>
Date: Tue, 05 Jul 2005 12:56:58 -0400

The following has appeared in the IACR preprint archive. I would
appreciate comments. The author certainly has reasonable credentials,
but the document is low on detail:

http://eprint.iacr.org/2005/207

Some Thoughts on Time-Memory-Data Tradeoffs
Author: Alex Biryukov

Abstract: In this paper we show that Time-Memory tradeoff by Hellman
may be extended to Time-Memory-Key tradeoff thus allowing attacks much
faster than exhaustive search for ciphers for which typically it is
stated that no such attack exists. For example, as a result AES with
128-bit key has only 85-bit security if $2^{43}$ encryptions of an
arbitrary fixed text under different keys are available to the
attacker. Such attacks are generic and are more practical than some
recent high complexity chosen related-key attacks on round-reduced
versions of AES. They constitute a practical threat for any cipher
with 80-bit or shorter keys and are marginally practical for 128-bit
key ciphers. We also show that UNIX password scheme even with
carefully generated passwords is vulnerable to practical tradeoff
attacks. Finally we also demonstrate a combination of rainbow tables
with the time-memory-data tradeoff which results in a new tradeoff
curve.

By the way, much thanks to Eric Rescorla for pointing this out to me.

Perry
--
Perry E. Metzger perry@piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
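
The abstract's 128 - 43 = 85 arithmetic in its simplest form, as an added example that is not from the post or the paper: when D keys all encrypt the same fixed text, a single key enumeration tests each trial against all D ciphertexts, so the first hit is expected after about N/D trials. The 16-bit key space, the hash-based `toy_encrypt` stand-in cipher and all names are assumptions, and this is plain multi-target search, not the paper's table-based tradeoff.

```python
import hashlib
import random

KEY_BITS = 16                     # toy key space N = 2^16 (assumption, stands in for 2^128)
N = 1 << KEY_BITS
FIXED_TEXT = b"fixed-known-text"  # constructed: the one plaintext every key encrypts


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Stand-in for a block cipher: keyed SHA-256 truncated to 64 bits."""
    return hashlib.sha256(key.to_bytes(2, "big") + plaintext).digest()[:8]


def make_targets(d: int, seed: int) -> list:
    """d distinct victim keys, chosen reproducibly (constructed sample data)."""
    return random.Random(seed).sample(range(N), d)


def search(ciphertexts: set) -> tuple:
    """Enumerate keys in order until one matches ANY target; return (key, trials)."""
    for trials, key in enumerate(range(N), start=1):
        if toy_encrypt(key, FIXED_TEXT) in ciphertexts:
            return key, trials
    raise ValueError("no target key found in the key space")


def compare(d: int, seed: int = 2005) -> tuple:
    """Search for the first victim alone, then for any of the d victims at once."""
    keys = make_targets(d, seed)
    cts = [toy_encrypt(k, FIXED_TEXT) for k in keys]
    return keys, search({cts[0]}), search(set(cts))


def average_trials(d: int, runs: int = 20) -> float:
    """Mean number of trial encryptions until any one of d keys is recovered."""
    return sum(compare(d, seed)[2][1] for seed in range(runs)) / runs


if __name__ == "__main__":
    for d in (1, 16, 256):
        print(f"D={d:4d}  mean trials={average_trials(d):9.1f}  N/D={N // d}")
```

The same enumeration gains nothing when each ciphertext comes from a different plaintext or IV, because one trial encryption can then be compared against only one target.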