Journal of Cryptology

, Volume 17, Issue 2, pp 105–124 | Cite as

The Full Cost of Cryptanalytic Attacks

  • Michael J. Wiener


An open question about the asymptotic cost of connecting many processors to a large memory using three dimensions for wiring is answered, and this result is used to find the full cost of several cryptanalytic attacks. In many cases this full cost is higher than the accepted complexity of a given algorithm based on the number of processor steps. The full costs of several cryptanalytic attacks are determined, including Shanks’ method for computing discrete logarithms in cyclic groups of prime order n, which requires n 1/2+o(1) processor steps, but, when all factors are taken into account, has full cost n 2/3+o(1). Other attacks analyzed are factoring with the number field sieve, generic attacks on block ciphers, attacks on double and triple encryption, and finding hash collisions. In many cases parallel collision search gives a significant asymptotic advantage over well-known generic attacks.

Cryptanalysis Discrete logarithm Factoring Number field sieve Parallel collision search Meet-in-the-middle attack Double encryption Triple encryption Hash collision 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag 2003

Authors and Affiliations

  1. 1.20 Hennepin Street, Nepean, OntarioCanada K2J 3Z4

Personalised recommendations