Encyclopedia of Cryptography and Security

2005 Edition
| Editors: Henk C. A. van Tilborg

Time-memory tradeoffs

  • Jean-Jacques Quisquater
  • François-Xavier Standaert
Reference work entry
DOI: https://doi.org/10.1007/0-387-23483-7_430

Many searching problems allow time-memory tradeoffs. That is, if there are K possible solutions to search over, the time-memory tradeoff allows the solution to be found in T operations (time) with M words of memory, provided the time-memory product T × M equals K. Cryptanalytic attacks based on exhaustive key search are the typical context where time-memory tradeoffs are applicable.

Due to large key sizes, exhaustive key search usually needs unrealistic computing powers and corresponds to a situation where T = K and M = 1. However, if the same attack has to be carried out numerous times, it may be possible to execute the exhaustive search in advance and store all the results in a memory. Once this precomputation is done, the attack could be performed almost instantaneously, although in practice, the method is not realistic because of the huge amount of memory needed: T = 1, M = K. The aim of a time-memory tradeoff is to mount an attack that has a lower online processing complexity...

This is a preview of subscription content, log in to check access.


  1. [1]
    Hellman, M. (1980). “A cryptanalytic time-memory tradeoff.” IEEE Transactions on Information Theory, 26, 401–406.zbMATHMathSciNetCrossRefGoogle Scholar
  2. [2]
    Denning, D. (1982). Cryptography and Data Security. Addison-Wesley, Reading, MA, 100.zbMATHGoogle Scholar
  3. [3]
    Borst, J. (2001). “Block ciphers: Design, Analysis and Side-Channel Analysis.” PhD Thesis, Departement of Electrical Engineering, Katholieke Universiteit Leuven.Google Scholar
  4. [4]
    Standaert, F.X., G. Rouvroy, J.-J. Quisquater, and J.D. Legat (2002). “A time-memory tradeoff using distinguished points: New analysis and FPGA results.” Proceedings of CHES 2002, Lecture Notes in Computer Science, vol. 2523, eds. B.S. Kaliski Jr., Ç.K. Koç, and C. Paar. Springer-Verlag, Berlin, 593–609.Google Scholar
  5. [5]
    Oechslin, P. (2003). “Making a faster cryptanalytic time-memory trade-off.” Advances in Cryptology—CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, ed. D. Boneh. Springer-Verlag, Berlin, 617–630.Google Scholar
  6. [6]
    Quisquater, J.J. and J.P. Delescaille (1990). “How easy is collision search?" Application to DES. Advances in Cryptology—EUROCRYPT'89, Lecture Notes in Computer Science, vol. 434, eds. J.-J. Quisquater and J. Vandewalle. Springer-Verlag, Berlin, 429–434.Google Scholar
  7. [7]
    Van Oorschot, P.C. and M.J. Wiener (1999). “Parallel collision search with cryptanalytic applications.” Journal of Cryptology, 12 (1), 1–28.zbMATHMathSciNetCrossRefGoogle Scholar

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Jean-Jacques Quisquater
  • François-Xavier Standaert

There are no affiliations available