Many searching problems allow time-memory tradeoffs. That is, if there are K possible solutions to search over, the time-memory tradeoff allows the solution to be found in T operations (time) with M words of memory, provided the time-memory product T × M equals K. Cryptanalytic attacks based on exhaustive key search are the typical context where time-memory tradeoffs are applicable.
Due to large key sizes, exhaustive key search usually needs unrealistic computing powers and corresponds to a situation where T = K and M = 1. However, if the same attack has to be carried out numerous times, it may be possible to execute the exhaustive search in advance and store all the results in a memory. Once this precomputation is done, the attack could be performed almost instantaneously, although in practice, the method is not realistic because of the huge amount of memory needed: T = 1, M = K. The aim of a time-memory tradeoff is to mount an attack that has a lower online processing complexity...
- Borst, J. (2001). “Block ciphers: Design, Analysis and Side-Channel Analysis.” PhD Thesis, Departement of Electrical Engineering, Katholieke Universiteit Leuven.Google Scholar
- Standaert, F.X., G. Rouvroy, J.-J. Quisquater, and J.D. Legat (2002). “A time-memory tradeoff using distinguished points: New analysis and FPGA results.” Proceedings of CHES 2002, Lecture Notes in Computer Science, vol. 2523, eds. B.S. Kaliski Jr., Ç.K. Koç, and C. Paar. Springer-Verlag, Berlin, 593–609.Google Scholar
- Oechslin, P. (2003). “Making a faster cryptanalytic time-memory trade-off.” Advances in Cryptology—CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, ed. D. Boneh. Springer-Verlag, Berlin, 617–630.Google Scholar
- Quisquater, J.J. and J.P. Delescaille (1990). “How easy is collision search?" Application to DES. Advances in Cryptology—EUROCRYPT'89, Lecture Notes in Computer Science, vol. 434, eds. J.-J. Quisquater and J. Vandewalle. Springer-Verlag, Berlin, 429–434.Google Scholar