New Applications of Time Memory Data Tradeoffs

  • Jin Hong
  • Palash Sarkar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3788)


Time/memory tradeoff (TMTO) is a generic method of inverting oneway functions. In this paper, we focus on identifying candidate oneway functions hidden in cryptographic algorithms, inverting which will result in breaking the algorithm. The results we obtain on stream and block ciphers are the most important ones. For streamciphers using IV, we show that if the IV is shorter than the key, then the algorithm is vulnerable to TMTO. Further, from a TMTO point of view, it makes no sense to increase the size of the internal state of a streamcipher without increasing the size of the IV. This has impact on the recent ECRYPT call for streamcipher primitives and clears an almost decade old confusion on the size of key versus state of a streamcipher. For blockciphers, we consider various modes of operations and show that to different degrees all of these are vulnerable to TMTO attacks. In particular, we describe multiple data chosen plaintext TMTO attacks on the CBC and CFB modes of operations. This clears a quarter century old confusion on this issue starting from Hellman’s seminal paper in 1980 to Shamir’s invited talk at Asiacrypt 2004. We also provide some new applications of TMTO and a set of general guidelines for applying TMTO attacks.


time memory data tradeoff 


  1. 1.
    3GPP TS 55.215 V6.2.0 (2003-09), A5/3 and GEA3 Specifications, Available from
  2. 2.
    Consortium for efficient embedded security. Efficient embedded security standards (EESS) #1. Version 2.0 (June 2003), Available from
  3. 3.
    ECRYPT. Call for stream cipher primitives. Version 1.2 (February 2004),
  4. 4.
    Babbage, S.H.: Improved exhaustive search attacks on stream ciphers. In: European Convention on Security and Detection. IEE Conference publication No. 408, pp. 161–166. IEE (1995)Google Scholar
  5. 5.
    Biryukov, A., Mukhopadhyay, S., Sarkar, P.: Improved time-memory trade-offs with multiple data. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2006) (to appear)Google Scholar
  6. 6.
    Biryukov, A.: Some thoughts on time-memory-data tradeoffs. Cryptology ePrint Archive, Report 2005/207 (June 30, 2005),
  7. 7.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    De Cannière, C., Lano, J., Preneel, B.: Comment on the rediscovery of time memory data tradeoffs. Available as a link on the ECRYPT Call for Stream Cipher Primitives [3] page version 1.3 (April 2005)Google Scholar
  9. 9.
    Denning: Cryptography and data security. Addison-Wesley, Reading (1982)zbMATHGoogle Scholar
  10. 10.
    Fiat, A., Naor, M.: Rigorous time/space tradeoffs for invering functions. SIAM J. on Computing 29(3), 790–803 (1999)CrossRefMathSciNetGoogle Scholar
  11. 11.
    Fluhrer, S., Mantin, I., Shamir, A.: Weakness in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997)Google Scholar
  13. 13.
    Gutterman, Z., Malkhi, D.: Hold your sessions: An attack on Java session-id generation. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 44–57. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. on Infor. Theory 26, 401–406 (1980)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Hong, J., Sarkar, P.: Rediscovery of time memory tradeoffs. Cryptology ePrint Archive, Report 2005/090 (March 22, 2005),
  18. 18.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. 19.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Kim, I.-J., Matsumoto, T.: Achieving higher success probability in time-memory trade-off cryptanalysis without increasing memory size. IEICE Trans. Fundamentals, E82-A, pp. 123–129 (1999)Google Scholar
  21. 21.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    Mukhopadhyay, S., Sarkar, P.: TMTO with multiple data: Analysis and new single table trade-offs. Cryptology ePrint Archive, Report 2005/214 (July 4, 2005),
  23. 23.
    Oechslin, P.: Making a fast cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-ciper mode of operation for efficient authenticated ecryption. In: 8th ACM CCS, pp. 196–205. ACM Press, New York (2001)Google Scholar
  25. 25.
    Shamir, A.: Stream ciphers: Dead or alive? Presentation slides for invited talk given at Asiacrypt (2004), Available from

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jin Hong
    • 1
  • Palash Sarkar
    • 2
  1. 1.National Security Research InstituteDaejeonKorea
  2. 2.Cryptology Research Group, Applied Statistics UnitIndian Statistical InstituteKolkataIndia

Personalised recommendations