Skip to main content
SpringerLink
Log in

Quantum time/memory/data tradeoff attacks

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

One of the most celebrated and useful cryptanalytic algorithms is Hellman’s time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions with domains of size N with time and space complexities satisfying \(TM^2=N^2\). In this paper we develop new upper bounds on their performance in the quantum setting. As a search problem, one can always apply to it the standard Grover’s algorithm, but this algorithm does not benefit from the possible availability of a large memory in which one can store auxiliary advice obtained during a free preprocessing stage. In fact, at FOCS’20 it was rigorously shown that for memory size bounded by \(M \le O(\sqrt{N})\), even quantum advice cannot yield an attack which is better than Grover’s algorithm.Our main result complements this lower bound by showing that in the standard Quantum Accessible Classical Memory (QACM) model of computation, we can improve Hellman’s tradeoff curve to \(T^{4/3}M^2=N^2\). When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert f for at least one of D given values), we get the generalized curve \(T^{4/3}M^2D^2=N^2\). A typical point on this curve is \(D=N^{0.2}\), \(M=N^{0.6}\), and \(T=N^{0.3}\), whose time is strictly lower than both Grover’s algorithm (which requires \(T=N^{0.4}\) in this generalized search variant) and the classical Hellman algorithm (which requires \(T=N^{0.4}\) for these D and M).

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Algorithm 1
Algorithm 2
Algorithm 3
Algorithm 4
Algorithm 5
Algorithm 6
Algorithm 7
Algorithm 8
Algorithm 9
Algorithm 10
Algorithm 11

Similar content being viewed by others

Notes

  1. Throughout the paper we disregard logarithmic factors.

  2. The probability of a chain of length 8t in a random function to not contain a distinguished point, when a random point is a distinguished point with probability 1/t is \((1-1/t)^{8t} \approx 1/e^8\). Obviously, picking a larger limit decreases this failure rate.

  3. When using distinguished points, the value of \(y_i\) is the first distinguished point encountered in the iterative application of \(f(\cdot )\).

  4. In some cases related to stream ciphers, this process is repeated only for a single \(y_i\) [15].

  5. Reducing the size of a Hellman table below m rows, for \(m=N/t^2\) offers sub-optimal attack.

  6. While a straightforward application of Grover’s algorithm would not succeed in collecting all k solutions in k calls to the algorithm (due to the coupon collector’s problem), one can change the search space to exclude “known” results.

  7. We note that one could alter the function \(H(\cdot )\) so its value is 0 if the input is one of the previously identified solutions. This idea increases the complexity of the implementation of the function \(H(\cdot )\) for each new solution, and thus is less favorable the ideas mentioned above.

  8. In practice, this is equivalent to constant time implementation of a conditional move operation. This can be implemented in a circuit using only logical gates without temporary variables.

  9. As described in Sect. 4.2, this can be implemented in a circuit using only logical gates without a temporary variables.

References

  1. Ambainis A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007).

    Article  MathSciNet  Google Scholar 

  2. Banegas G., Bernstein D.J.: Low-communication parallel quantum multi-target preimage search. In: Adams C., Camenisch J. (eds.) Selected Areas in Cryptography—SAC 2017—24th International Conference, Ottawa, ON, Canada, August 16–18, 2017, Revised Selected Papers. Lecture Notes in Computer Science, vol. 10719, pp. 325–335. Springer, New York (2017).

  3. Barkan E.: Cryptanalysis of ciphers and protocols. PhD thesis, Technion, Israel (2006).

  4. Barkan E., Biham E., Shamir A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork C. (ed.) Advances in Cryptology—CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4117, pp. 1–21. Springer, New York (2006).

  5. Bennett C.H.: Time/space trade-offs for reversible computation. SIAM J. Comput. 18(4), 766–776 (1989).

    Article  MathSciNet  Google Scholar 

  6. Bernstein D.J., Jeffery S., Lange T., Meurer A.: Quantum algorithms for the subset-sum problem. In: Gaborit P. (ed.) Post-Quantum Cryptography—5th International Workshop, PQCrypto 2013, Limoges, France, June 4–7, 2013. Proceedings. Lecture Notes in Computer Science, vol. 7932, pp. 16–33. Springer, New York (2013).

  7. Biryukov A., Shamir A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto T. (ed.) Advances in Cryptology—ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3–7, 2000, Proceedings. Lecture Notes in Computer Science, vol. 1976, pp. 1–13. Springer, New York (2000).

  8. Biryukov A., Mukhopadhyay S., Sarkar P.: Improved time-memory trade-offs with multiple data. In: Preneel B., Tavares S.E. (eds.) Selected Areas in Cryptography, 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, Revised Selected Papers. Lecture Notes in Computer Science, vol. 3897, pp. 110–127. Springer, New York (2005).

  9. Bonnetain X., Chailloux A., Schrottenloher A., Shen Y.: Finding many collisions via reusable quantum walks—application to lattice sieving. In: Hazay C., Stam M. (eds.) Advances in Cryptology—EUROCRYPT 2023—42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23–27, 2023, Proceedings, Part V. Lecture Notes in Computer Science, vol. 14008, pp. 221–251. Springer, New York (2023).

  10. Boyer M., Brassard G., Høyer P., Tapp A.: Tight bounds on quantum searching. Fortschr. Phys. 46(4–5), 493–505 (1998).

    Article  Google Scholar 

  11. Brassard G., Høyer P., Tapp A.: Quantum cryptanalysis of hash and claw-free functions. In: LATIN. Lecture Notes in Computer Science, vol. 1380, pp. 163–169. Springer, New York (1998).

  12. Chailloux A., Naya-Plasencia M., Schrottenloher A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi T., Peyrin T. (eds.) Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10625, pp. 211–240. Springer, New York (2017).

  13. Chung K., Liao T., Qian L.: Lower bounds for function inversion with quantum advice. In: Kalai Y.T., Smith A.D., Wichs, D. (eds.) 1st Conference on Information-Theoretic Cryptography, ITC 2020, June 17–19, 2020, Boston, MA, USA. LIPIcs, vol. 163, pp. 8–1815. Schloss Dagstuhl—Leibniz-Zentrum für Informatik (2020a).

  14. Chung K., Guo S., Liu Q., Qian L.: Tight quantum time-space tradeoffs for function inversion. In: 61st IEEE Annual Symposium on Foundations of Computer Science, FOCS 2020, Durham, NC, USA, November 16–19, 2020, pp. 673–684 (2020b).

  15. Dunkelman O., Keller N.: Treatment of the initial value in time-memory-data tradeoff attacks on stream ciphers. Inf. Process. Lett. 107(5), 133–137 (2008).

    Article  MathSciNet  Google Scholar 

  16. Grassi L., Naya-Plasencia M., Schrottenloher A.: Quantum algorithms for the \(k\)-xor problem. In: Peyrin T., Galbraith S.D. (eds.) Advances in Cryptology—ASIACRYPT 2018—24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2–6, 2018, Proceedings, Part I. Lecture Notes in Computer Science, vol. 11272, pp. 527–559. Springer, New York (2018).

  17. Grover L.K.: A fast quantum mechanical algorithm for database search. In: STOC, pp. 212–219. ACM (1996).

  18. Hellman M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980).

    Article  MathSciNet  Google Scholar 

  19. Hhan M., Xagawa K., Yamakawa T.: Quantum random oracle model with auxiliary input. In: ASIACRYPT (1). Lecture Notes in Computer Science, vol. 11921, pp. 584–614. Springer, New York (2019).

  20. Kaluderovic N., Kleinjung T., Kostic D.: Improved key recovery on the Legendre PRF. IACR Cryptol. ePrint Arch., 98 (2020).

  21. Kuperberg G.: Another Subexponential-time Quantum Algorithm for the Dihedral Hidden Subgroup Problem. In: Severini S., Brandão F.G.S.L. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2013, May 21–23, 2013, Guelph, Canada. LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl—Leibniz-Zentrum für Informatik (2013).

  22. Naya-Plasencia M., Schrottenloher A.: Optimal Merging in Quantum k-xor and k-xor-sum Algorithms. In: Canteaut A., Ishai Y. (eds.) Advances in Cryptology—EUROCRYPT 2020—39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part II. Lecture Notes in Computer Science, vol. 12106, pp. 311–340. Springer, New York (2020).

  23. Nayebi A., Aaronson S., Belovs A., Trevisan L.: Quantum lower bound for inverting a permutation with advice. Quantum Inf. Comput. 15(11 &12), 901–913 (2015).

    MathSciNet  Google Scholar 

  24. Oechslin P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh D. (ed.) Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2729, pp. 617–630. Springer, New York (2003).

  25. Yao A.C.: Coherent functions and program checkers (extended abstract). In: Ortiz H. (ed.) Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13–17, 1990, Baltimore, Maryland, USA, pp. 84–94. ACM (1990).

Download references

Acknowledgements

We thank the following people for the insightful discussions: Rotem Arnon-Friedman, Gustavo Banegas, Daniel J. Bernstein, Tal Mor, and María Naya-Plasencia. Orr Dunkelman was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through Grant Nos. 880/18 and 3380/19. Nathan Keller was supported by the European Research Council under the ERC starting Grant Agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. Eyal Ronen is partially supported by Len Blavatnik and the Blavatnik Family foundation, the Blavatnik ICRC, and Robert Bosch Technologies Israel Ltd. He is a member of CPIIS.

Author information

Authors and Affiliations

  1. Computer Science Department, University of Haifa, Haifa, Israel

    Orr Dunkelman

  2. Department of Mathematics, Bar-Ilan University, Ramat Gan, Israel

    Nathan Keller

  3. Computer Science Department, Tel Aviv University, Tel Aviv, Israel

    Eyal Ronen

  4. Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel

    Adi Shamir

Authors
  1. Orr Dunkelman
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nathan Keller
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Eyal Ronen
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Adi Shamir
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Orr Dunkelman.

Additional information

Communicated by T. Iwata.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Dunkelman, O., Keller, N., Ronen, E. et al. Quantum time/memory/data tradeoff attacks. Des. Codes Cryptogr. 92, 159–177 (2024). https://doi.org/10.1007/s10623-023-01300-x

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-023-01300-x

Keywords

Mathematics Subject Classification

Search

Navigation