bachelor
bachelor
bachelor
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
3.2 Attacking the MAC 27<br />
3.2.1 Time-memory trade-offs<br />
Time-memory trade-offs (TMTOs) are a class of precomputation attacks that<br />
can be applyed to all one-way functions, that is functions taking any input and<br />
producing an output that is computationally hard to source back to its preimage.<br />
For a one-way function H and the result of the function c, the preimage is the<br />
p that satisfies H(p) = c for some c. One-way functions are not designed to be<br />
reversible, and as such hash functions and MACs pose as good candidates for<br />
this kind of attack.<br />
This thesis will decribe two time-memory trade-offs, namely Hellman tables as<br />
described in the 1980 paper “A Cryptanalytic Time-Memory Trade-Off”[4] by<br />
Hellman, and the 2003 paper “Making A Faster Cryptanalytic Time-Memory<br />
Trade-Off”[9] by Oechslin.<br />
3.2.1.1 Hellman tables<br />
In a 1980 paper by Martin Hellman[4], a new “time-memory trade-off” is proposed.<br />
The way it works is that it implements a reduction function R that<br />
maps hash values back into the plaintext space. This facilitates the generation<br />
of chains with alternating preimages and hash values. To further refine the<br />
method, the one-way function is combined with the reduction function into a<br />
new function f in order to get a mapping from the space of preimages to itself.<br />
For some one-way function H, f can be described as f(p) = R(H(p)). f is also<br />
known as the step function of the table.<br />
The trick is then to only save the first and last values in the chain, discarding<br />
all the intermediate steps. The table consists of some amount of chains m, all<br />
starting with some random preimage and ending with a value equivalent derived<br />
by performing the plaintext-to-plaintext function f over and over, always feeding<br />
it with the output from the last iteration, see Figure 3.2.<br />
d2654f → f 732efc → f 143679 → f 84e5dc → f f<br />
} {{<br />
. . . → 0006f3<br />
}<br />
d2654f→0006f3<br />
Figure 3.2: A Hellman chain and how it is stored.<br />
elements are in storage.<br />
Only the first and last<br />
For practicality reasons attacks employ more than just one table; having one table<br />
cover a large keyspace will result in a very large file, which is time-consuming