CryptoDB
Tight Time-Memory Trade-Offs for Symmetric Encryption
Authors: | |
---|---|
Download: |
|
Abstract: | Concrete security proofs give upper bounds on the attacker’s advantage as a function of its time/query complexity. Cryptanalysis suggests however that other resource limitations – most notably, the attacker’s memory – could make the achievable advantage smaller, and thus these proven bounds too pessimistic. Yet, handling memory limitations has eluded existing security proofs.This paper initiates the study of time-memory trade-offs for basic symmetric cryptography. We show that schemes like counter-mode encryption, which are affected by the Birthday Bound, become more secure (in terms of time complexity) as the attacker’s memory is reduced.One key step of this work is a generalization of the Switching Lemma: For adversaries with S bits of memory issuing q distinct queries, we prove an n-to-n bit random function indistinguishable from a permutation as long as $$S \times q \ll 2^n$$S×q≪2n. This result assumes a combinatorial conjecture, which we discuss, and implies right away trade-offs for deterministic, stateful versions of CTR and OFB encryption.We also show an unconditional time-memory trade-off for the security of randomized CTR based on a secure PRF. Via the aforementioned conjecture, we extend the result to assuming a PRP instead, assuming only one-block messages are encrypted.Our results solely rely on standard PRF/PRP security of an underlying block cipher. We frame the core of our proofs within a general framework of indistinguishability for streaming algorithms which may be of independent interest. |
Video from EUROCRYPT 2019
BibTeX
@article{eurocrypt-2019-29344, title={Tight Time-Memory Trade-Offs for Symmetric Encryption}, booktitle={Advances in Cryptology – EUROCRYPT 2019}, series={Advances in Cryptology – EUROCRYPT 2019}, publisher={Springer}, volume={11476}, pages={467-497}, doi={10.1007/978-3-030-17653-2_16}, author={Joseph Jaeger and Stefano Tessaro}, year=2019 }