Tight Time-Memory Trade-Offs for Symmetric Encryption

  • Joseph JaegerEmail author
  • Stefano Tessaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11476)


Concrete security proofs give upper bounds on the attacker’s advantage as a function of its time/query complexity. Cryptanalysis suggests however that other resource limitations – most notably, the attacker’s memory – could make the achievable advantage smaller, and thus these proven bounds too pessimistic. Yet, handling memory limitations has eluded existing security proofs.

This paper initiates the study of time-memory trade-offs for basic symmetric cryptography. We show that schemes like counter-mode encryption, which are affected by the Birthday Bound, become more secure (in terms of time complexity) as the attacker’s memory is reduced.

One key step of this work is a generalization of the Switching Lemma: For adversaries with S bits of memory issuing q distinct queries, we prove an n-to-n bit random function indistinguishable from a permutation as long as \(S \times q \ll 2^n\). This result assumes a combinatorial conjecture, which we discuss, and implies right away trade-offs for deterministic, stateful versions of CTR and OFB encryption.

We also show an unconditional time-memory trade-off for the security of randomized CTR based on a secure PRF. Via the aforementioned conjecture, we extend the result to assuming a PRP instead, assuming only one-block messages are encrypted.

Our results solely rely on standard PRF/PRP security of an underlying block cipher. We frame the core of our proofs within a general framework of indistinguishability for streaming algorithms which may be of independent interest.


Provable security Symmetric cryptography Time-memory trade-offs 



We thank Aishwarya Thiruvengadam for insightful discussions in the initial stage of this project. Jaeger was supported in part by NSF grants CNS-1717640 and CNS-1526801, and by NSF grant CNS-1553758 while visiting UC Santa Barbara.

Stefano Tessaro’s work was partially supported by NSF grants CNS-1553758 (CAREER), CNS-1719146, CNS-1528178, and IIS-1528041, and by a Sloan Research Fellowship.


  1. 1.
    Abrego, B.M., Fernandez-Merchant, S., Neubauer, M.G., Watkins, W.: Sum of squares of degrees in a graph. J. Inequalities Pure Appl. Math. 10(3) (2009)Google Scholar
  2. 2.
    Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). Scholar
  3. 3.
    Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 595–603. ACM Press, June 2015Google Scholar
  4. 4.
    Auerbach, B., Cash, D., Fersch, M., Kiltz, E.: Memory-tight reductions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 101–132. Springer, Cham (2017). Scholar
  5. 5.
    Babbage, S.H.: Improved “exhaustive search” attacks on stream ciphers. In: European Convention on Security and Detection, pp. 161–166, May 1995Google Scholar
  6. 6.
    Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006). Scholar
  7. 7.
    Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998). Scholar
  8. 8.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). Scholar
  9. 9.
    Bey, C.: An upper bound on the sum of squares of degrees in a hypergraph. Discrete Math. 269(1–3), 259–263 (2003)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Cioab, S.M.: Note: sums of powers of the degrees of a graph. Discrete Math. 306(16), 1959–1964 (2006)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley, New York (2006)zbMATHGoogle Scholar
  12. 12.
    Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 497–523. Springer, Cham (2017). Scholar
  13. 13.
    Davies, D.W., Parkin, G.I.P.: The average cycle size of the key-stream in output feedback encipherment. In: Beth, T. (ed.) EUROCRYPT 1982. LNCS, vol. 149, pp. 263–279. Springer, Heidelberg (1983). Scholar
  14. 14.
    de Caen, D.: An upper bound on the sum of squares of degrees in a graph. Discrete Math. 185(1–3), 245–248 (1998)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997). Scholar
  16. 16.
    Gruslys, V., Letzter, S., Morrison, N.: Hypergraph Lagrangians: resolving the Frankl-Füredi conjecture. arXiv preprint arXiv:1807.00793 (2018)
  17. 17.
    Iwata, T.: New blockcipher modes of operation with beyond the birthday bound security. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 310–327. Springer, Heidelberg (2006). Scholar
  18. 18.
    Iwata, T., Mennink, B., Vizár, D.: CENC is optimally secure. Cryptology ePrint Archive, Report 2016/1087 (2016).
  19. 19.
    Jaeger, J., Tessaro, S.: Tight time-memory trade-offs for symmetric encryption. Cryptology ePrint Archive, Report 2019/??? (2019).
  20. 20.
    Nikiforov, V.: Note: the sum of the squares of degrees: sharp asymptotics. Discrete Math. 307(24), 3187–3193 (2007)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Nisan, N.: Pseudorandom generators for space-bounded computation. Combinatorica 12(4), 449–461 (1992)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Patarin, J.: Mirror theory and cryptography. Cryptology ePrint Archive, Report 2016/702 (2016).
  23. 23.
    Pollard, J.M.: A monte carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search. New results and applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, New York (1990). Scholar
  25. 25.
    Tessaro, S., Thiruvengadam, A.: Provable time-memory trade-offs: symmetric cryptography against memory-bounded adversaries. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 3–32. Springer, Cham (2018). Scholar
  26. 26.
    Wang, Y., Matsuda, T., Hanaoka, G., Tanaka, K.: Memory lower bounds of reductions revisited. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 61–90. Springer, Cham (2018). Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.University of California, San DiegoLa JollaUSA
  2. 2.University of WashingtonSeattleUSA

Personalised recommendations