Quantum time/memory/data tradeoff attacks

Orr Dunkelman; Nathan Keller; Eyal Ronen; Adi Shamir

doi:10.1007/s10623-023-01300-x

Quantum time/memory/data tradeoff attacks

Orr Dunkelman, Nathan Keller, Eyal Ronen, Adi Shamir

Department of Mathematics

Research output: Contribution to journal › Article › peer-review

1 Scopus citations

Abstract

One of the most celebrated and useful cryptanalytic algorithms is Hellman’s time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions with domains of size N with time and space complexities satisfying TM²= N² . In this paper we develop new upper bounds on their performance in the quantum setting. As a search problem, one can always apply to it the standard Grover’s algorithm, but this algorithm does not benefit from the possible availability of a large memory in which one can store auxiliary advice obtained during a free preprocessing stage. In fact, at FOCS’20 it was rigorously shown that for memory size bounded by M≤O(N) , even quantum advice cannot yield an attack which is better than Grover’s algorithm.Our main result complements this lower bound by showing that in the standard Quantum Accessible Classical Memory (QACM) model of computation, we can improve Hellman’s tradeoff curve to T^{4 / 3}M²= N² . When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert f for at least one of D given values), we get the generalized curve T^{4 / 3}M²D²= N² . A typical point on this curve is D= N^0.2 , M= N^0.6 , and T= N^0.3 , whose time is strictly lower than both Grover’s algorithm (which requires T= N^0.4 in this generalized search variant) and the classical Hellman algorithm (which requires T= N^0.4 for these D and M).

Original language	English
Pages (from-to)	159-177
Number of pages	19
Journal	Designs, Codes, and Cryptography
Volume	92
Issue number	1
DOIs	https://doi.org/10.1007/s10623-023-01300-x
State	Published - Jan 2024

Bibliographical note

Publisher Copyright:
© 2023, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature.

Funding

We thank the following people for the insightful discussions: Rotem Arnon-Friedman, Gustavo Banegas, Daniel J. Bernstein, Tal Mor, and María Naya-Plasencia. Orr Dunkelman was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through Grant Nos. 880/18 and 3380/19. Nathan Keller was supported by the European Research Council under the ERC starting Grant Agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. Eyal Ronen is partially supported by Len Blavatnik and the Blavatnik Family foundation, the Blavatnik ICRC, and Robert Bosch Technologies Israel Ltd. He is a member of CPIIS. We thank the following people for the insightful discussions: Rotem Arnon-Friedman, Gustavo Banegas, Daniel J. Bernstein, Tal Mor, and María Naya-Plasencia. Orr Dunkelman was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through Grant Nos. 880/18 and 3380/19. Nathan Keller was supported by the European Research Council under the ERC starting Grant Agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. Eyal Ronen is partially supported by Len Blavatnik and the Blavatnik Family foundation, the Blavatnik ICRC, and Robert Bosch Technologies Israel Ltd. He is a member of CPIIS.

Funders	Funder number
Blavatnik ICRC
María Naya-Plasencia
Robert Bosch Technologies Israel Ltd
Blavatnik Family Foundation
European Commission	757731
Israel Science Foundation	880/18, 3380/19

Keywords

Hellman tables
Quantum cryptanalysis
Rainbow tables
TMD attacks

Access to Document

10.1007/s10623-023-01300-x

Cite this

@article{049736da864241599c98e562773e3b50,

title = "Quantum time/memory/data tradeoff attacks",

abstract = "One of the most celebrated and useful cryptanalytic algorithms is Hellman{\textquoteright}s time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions with domains of size N with time and space complexities satisfying TM2= N2 . In this paper we develop new upper bounds on their performance in the quantum setting. As a search problem, one can always apply to it the standard Grover{\textquoteright}s algorithm, but this algorithm does not benefit from the possible availability of a large memory in which one can store auxiliary advice obtained during a free preprocessing stage. In fact, at FOCS{\textquoteright}20 it was rigorously shown that for memory size bounded by M≤O(N) , even quantum advice cannot yield an attack which is better than Grover{\textquoteright}s algorithm.Our main result complements this lower bound by showing that in the standard Quantum Accessible Classical Memory (QACM) model of computation, we can improve Hellman{\textquoteright}s tradeoff curve to T4 / 3M2= N2 . When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert f for at least one of D given values), we get the generalized curve T4 / 3M2D2= N2 . A typical point on this curve is D= N0.2 , M= N0.6 , and T= N0.3 , whose time is strictly lower than both Grover{\textquoteright}s algorithm (which requires T= N0.4 in this generalized search variant) and the classical Hellman algorithm (which requires T= N0.4 for these D and M).",

keywords = "Hellman tables, Quantum cryptanalysis, Rainbow tables, TMD attacks",

author = "Orr Dunkelman and Nathan Keller and Eyal Ronen and Adi Shamir",

note = "Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature.",

year = "2024",

month = jan,

doi = "10.1007/s10623-023-01300-x",

language = "אנגלית",

volume = "92",

pages = "159--177",

journal = "Designs, Codes, and Cryptography",

issn = "0925-1022",

publisher = "Springer Netherlands",

number = "1",

}

TY - JOUR

T1 - Quantum time/memory/data tradeoff attacks

AU - Dunkelman, Orr

AU - Keller, Nathan

AU - Ronen, Eyal

AU - Shamir, Adi

PY - 2024/1

Y1 - 2024/1

N2 - One of the most celebrated and useful cryptanalytic algorithms is Hellman’s time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions with domains of size N with time and space complexities satisfying TM2= N2 . In this paper we develop new upper bounds on their performance in the quantum setting. As a search problem, one can always apply to it the standard Grover’s algorithm, but this algorithm does not benefit from the possible availability of a large memory in which one can store auxiliary advice obtained during a free preprocessing stage. In fact, at FOCS’20 it was rigorously shown that for memory size bounded by M≤O(N) , even quantum advice cannot yield an attack which is better than Grover’s algorithm.Our main result complements this lower bound by showing that in the standard Quantum Accessible Classical Memory (QACM) model of computation, we can improve Hellman’s tradeoff curve to T4 / 3M2= N2 . When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert f for at least one of D given values), we get the generalized curve T4 / 3M2D2= N2 . A typical point on this curve is D= N0.2 , M= N0.6 , and T= N0.3 , whose time is strictly lower than both Grover’s algorithm (which requires T= N0.4 in this generalized search variant) and the classical Hellman algorithm (which requires T= N0.4 for these D and M).

AB - One of the most celebrated and useful cryptanalytic algorithms is Hellman’s time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions with domains of size N with time and space complexities satisfying TM2= N2 . In this paper we develop new upper bounds on their performance in the quantum setting. As a search problem, one can always apply to it the standard Grover’s algorithm, but this algorithm does not benefit from the possible availability of a large memory in which one can store auxiliary advice obtained during a free preprocessing stage. In fact, at FOCS’20 it was rigorously shown that for memory size bounded by M≤O(N) , even quantum advice cannot yield an attack which is better than Grover’s algorithm.Our main result complements this lower bound by showing that in the standard Quantum Accessible Classical Memory (QACM) model of computation, we can improve Hellman’s tradeoff curve to T4 / 3M2= N2 . When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert f for at least one of D given values), we get the generalized curve T4 / 3M2D2= N2 . A typical point on this curve is D= N0.2 , M= N0.6 , and T= N0.3 , whose time is strictly lower than both Grover’s algorithm (which requires T= N0.4 in this generalized search variant) and the classical Hellman algorithm (which requires T= N0.4 for these D and M).

KW - Hellman tables

KW - Quantum cryptanalysis

KW - Rainbow tables

KW - TMD attacks

UR - http://www.scopus.com/inward/record.url?scp=85173702250&partnerID=8YFLogxK

U2 - 10.1007/s10623-023-01300-x

DO - 10.1007/s10623-023-01300-x

M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???

AN - SCOPUS:85173702250

SN - 0925-1022

VL - 92

SP - 159

EP - 177

JO - Designs, Codes, and Cryptography

JF - Designs, Codes, and Cryptography

IS - 1

ER -

Quantum time/memory/data tradeoff attacks

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this