Understanding brute force

Daniel J. Bernstein*

Department of Mathematics, Statistics, and Computer Science (M/C 249)
The University of Illinois at Chicago
Chicago, IL 60607–7045
djb@cr.yp.to

1 Introduction

There is a widespread myth that parallelizing a computation cannot improve its price-performance ratio. The reality is that a parallel computer is often several orders of magnitude faster than a comparably priced serial computer.

Consider multiplying two $n$-bit numbers, for example, or sorting $n$ elements of $\{1, 2, \ldots, n^2\}$. A properly designed 2-dimensional parallel computer of size $n^{1+o(1)}$ can do both jobs in time $n^{1/2+o(1)}$. A serial computer for either problem is much, much, much slower and can't be much smaller: it needs $n^{1+o(1)}$ serial accesses to $n^{1+o(1)}$ bits of memory.

A related myth is that analyzing the time of a computation on a huge serial computer is equivalent to analyzing the price and performance of parallel versions of the same computation. The reality is that parallelization has different effects on different algorithms. When computations that take serial time $n^{1+o(1)}$ are put on a parallel computer of size $n^{1+o(1)}$, some of them end up taking time $n^{o(1)}$; some of them end up taking time $n^{1+o(1)}$; some of them end up taking time $n^{1/2+o(1)}$; etc.

These myths cause three problems in cryptography:

• Cryptographers often wildly overestimate the real-world security of their cryptographic systems—specifically, the cost of carrying out the best attack known—because they are restricting attention to serial attacks.
• Cryptographers often assert that a system has been "broken" by a marginally improved serial attack—even though the serial attack is slower and more expensive than a standard parallel attack.
• Cryptographers often make incorrect choices among systems: they switch to a system that is stronger against serial attacks but is weaker against the best attacks—i.e., against parallel attacks.

* The author was supported by the National Science Foundation under grant CCR–9983950, and by the Alfred P. Sloan Foundation. Date of this document: 2005.04.25. Permanent ID of this document: 73e92f5b71793b498288efe81fe55dee. This is a preliminary version meant to announce ideas; it will be replaced by a final version meant to record the ideas for posterity. There may be big changes before the final version. Future readers should not be forced to look at preliminary versions, unless they want to check historical credits; if you cite a preliminary version, please repeat all ideas that you are using from it, so that the reader can skip it.

I first encountered these errors in the context of integer factorization. This paper discusses the same errors in the simpler context of brute-force key search.

Sections 2 and 5 of this paper describe two parallel brute-force key-search machines: The "standard parallel machine" in Section 2 is a straightforward parallel implementation of a well-known brute-force algorithm, specifically Oechslin's "rainbow-tables" algorithm in [5]. The "variant parallel machine" in Section 5 is a straightforward parallel implementation of another well-known brute-force algorithm, specifically Rivest's "distinguished-points" algorithm. Wiener in [6, Section 6] analyzed the amazing speed of a distinguished-points computation on a 3-dimensional parallel machine. Unfortunately, the capabilities of these machines are still far less widely appreciated than they should be.

Section 3 discusses some vastly inferior serial machines in the recent literature. Section 4 discusses the question of how we can protect against the parallel brute-force key-search machines. This question leads to several additional areas of confusion in the literature.

2 The standard parallel brute-force key-search machine

This section describes the standard parallel brute-force key-search machine. A competent attacker uses the standard parallel machine—and not the inferior serial machines described in Section 3—when he cannot find any cipher-specific weaknesses.

The problem. The attacker is trying to find a 16-byte AES key $k$, given the 16 bytes $H(k) = \mathrm{AES}_k(8675309)$. There's nothing special about the number 8675309, or about AES: this is a brute-force attack that applies to a huge variety of ciphers.

The attacker is actually trying to simultaneously solve the same problem for many independent keys $k_1, k_2, \ldots$. He's given $H(k_1), H(k_2), \ldots$; he'd like to find $k_1, k_2, \ldots$. Let's say he's facing $2^{10}$ keys overall.

The standard key-search circuit. The attacker builds a very small key-search circuit. The key-search circuit has three inputs: a 12-byte string $\lambda$, a 4-byte integer $n$, and a 16-byte string $s$. The key-search circuit has one output: a 16-byte string $Z(\lambda, n, s)$ defined recursively by $Z(\lambda, 0, s) = s$
and $Z(\lambda, n+1, s) = Z(\lambda, n, H(s \oplus (\lambda, n)))$. The key-search circuit is slightly larger than an AES circuit. It takes slightly more time than $n$ AES computations.

This key-search circuit is attached to a comparable-size memory circuit that buffers some inputs and outputs. Let's say the memory circuit is big enough to hold $2^4$ inputs and $2^4$ corresponding outputs.

The standard key-search machine. The attacker now builds a machine with $2^{32}$ key-search circuits in a $2^{16} \times 2^{16}$ mesh. Each key-search circuit has its own comparable-size memory circuit. Each key-search circuit is also connected to its immediate neighbors (north, south, east, west) in the mesh. As we'll see later, this network doesn't have to be terribly fast. Note that quite a few key-search circuits will fit onto a single low-cost chip.

This machine is expensive but clearly could be built: it has about $2^{42}$ bytes of memory, comparable to a $64 \times 64$ array of PCs.

The attacker feeds $2^{36}$ inputs to his $2^{32}$ key-search circuits; recall that each circuit can buffer $2^4$ inputs. Specifically, the attacker selects a 12-byte string $\lambda$ and $2^{36} - 2^{33}$ random 16-byte strings $r_1, r_2, \ldots$; generates one input $(\lambda, 2^{23}, r_j)$ for each random $r_j$; and generates $2^{23}$ inputs for each target $H(k_i)$, namely $(\lambda, 0, H(k_i))$, $(\lambda, 1, H(k_i))$, $(\lambda, 2, H(k_i))$, ..., $(\lambda, 2^{23} - 1, H(k_i))$.

All $2^{32}$ key-search circuits now run in parallel, producing $Z(\lambda, 2^{23}, r_j)$ for each random $r_j$ and $Z(\lambda, 0, H(k_i)), \ldots, Z(\lambda, 2^{23} - 1, H(k_i))$ for each target $H(k_i)$. This takes slightly more time than $2^{23} \cdot 2^4 = 2^{27}$ AES computations.

The attacker then applies (for example) Schimmler's sorting algorithm to sort the $2^{36}$ $Z$ values. This algorithm takes just $2^{21}$ adjacent compare-exchange steps—not a bottleneck compared to $2^{27}$ AES computations.

If the sorting encounters a collision between two $Z(\lambda, 2^{23}, r_j)$'s, it throws one of those $r_j$'s away. If the sorting encounters a collision between $Z(\lambda, n, H(k_i))$ and $Z(\lambda, 2^{23}, r_j)$, the machine pauses to redo $2^{23} - n$ iterations of the computation of $Z(\lambda, 2^{23}, r_j)$. If the intermediate value $(\lambda, n+1, s)$ satisfies $H(s \oplus (\lambda, n)) = H(k_i)$ then the machine prints $s \oplus (\lambda, n)$ as a guess for $k_i$.

Heuristic analysis. What's the chance that a particular key, say $k_1$, is found by this machine? Here is a crude estimate. There are $2^{36}$ values $Z(\lambda, 2^{23}, r_j)$, each of which involved $2^{23}$ intermediate values $(\lambda, n+1, s)$ and $2^{23}$ inputs $s \oplus (\lambda, n)$ to $H$, for a total of $2^{59}$ inputs to $H$. If any of those pseudorandom inputs bumped into $k_1$ then the machine will find $k_1$. Specifically, if an intermediate value $(\lambda, n+1, s)$ in the computation of $Z(\lambda, 2^{23}, r_j)$ satisfies $s \oplus (\lambda, n) = k_1$, then $Z(\lambda, 2^{23}, r_j) = Z(\lambda, n, H(s \oplus (\lambda, n))) = Z(\lambda, n, H(k_1))$; the sorting will discover this collision, will locate the same intermediate value $(\lambda, n+1, s)$, and will print $s \oplus (\lambda, n) = k_1$ as its guess for $k_1$. This occurs with probability $2^{59}/2^{128} = 2^{-69}$.

This estimate is slightly overoptimistic, for three reasons: first, there are not quite as many $r_j$'s; second, there might be collisions among the inputs to $H$; third, there might be a collision between two $Z(\lambda, 2^{23}, r_j)$'s, eliminating the $r_j$ relevant to $k_1$. But the first effect is small and the other effects are conjecturally negligible. The machine finds $k_1$ with probability conjecturally close to $2^{-69}$.

Of course, the machine simultaneously has a chance of finding $k_2$, and a chance of finding $k_3$, and so on. Its chance of finding at least one of the $2^{10}$ target keys is, conjecturally, close to $2^{-59}$.
The attacker can increase the chance of success by running the machine repeatedly with new choices of $\lambda$. For example, after running the machine $2^5$ times, the attacker has chance close to $2^{-64}$ of finding $k_1$, and chance close to $2^{-54}$ of finding at least one key. These $2^5$ runs take only slightly more time than $2^{32}$ AES computations.

If the machine does find a key—or a collision that doesn't produce a key—then the machine has to take extra time; but this is a rare event, so it can be ignored in evaluating the machine's performance.

Let me summarize. This machine has, conjecturally,

• chance close to $2^{-64}$ of finding $k_1$ after the time for $2^{32}$ AES computations;
• chance close to $2^{-54}$ of finding at least one of the $2^{10}$ target keys after the time for $2^{32}$ AES computations;
• chance close to $2^{-32}$ of finding $k_1$ after the time for $2^{64}$ AES computations;
• chance close to $2^{-22}$ of finding at least one of the $2^{10}$ target keys after the time for $2^{64}$ AES computations;
• chance close to 1 of finding at least one key after the time for $2^{86}$ AES computations; and
• chance close to 1 of finding most of the $2^{10}$ target keys after the time for $2^{96}$ AES computations.

The machine has reasonable size: $2^{32}$ AES circuits, plus a comparable amount of memory.

Asymptotics. The same machine design can be scaled up to $p$ parallel key-search circuits, for a wide range of values of $p$. The size-$p$ machine has a good chance of discovering a target $b$-bit key in the time for $2^b/p$ cipher evaluations.

Even better, the machine can be simultaneously applied to $q$ keys for any $q$ up to roughly $\sqrt{p}$. The machine then has a good chance of discovering most of the keys in the time for $2^b/p$ cipher evaluations. The $\sqrt{p}$ limit arises as follows. Each key is fed to $2^4 p/8q$ key-search circuits. Each circuit runs for $2^4 p/8q$ iterations. The subsequent sorting of $2^4 p$ numbers takes $8\sqrt{2^4 p}$ adjacent compare-exchange steps, which become a bottleneck as $q$ grows past $\sqrt{p}$. See Section 5 for a variant that efficiently handles larger $q$.

The success probability of the machine against each key scales linearly with time. For example, in the time for $2^b/pq$ cipher evaluations, the attacker has a good chance of discovering at least one key. In the time for $2^{b-20}/pq$ cipher evaluations, the attacker has roughly a $2^{-20}$ chance of discovering at least one key. This pattern continues down to a very small amount of time.

For $q = 1$, a simpler machine does the same job: distribute $H(k_1)$ to many circuits, each of which searches sequentially through a range of possibilities for $k_1$. Computations for one key can be merged to some extent with computations for the next key, saving time.

3 The serial alternative

A very small serial computer—a single key-search circuit—can compute a $b$-bit key $k$ from $H(k)$ in at most $2^b$ evaluations of $H$; e.g., at most $2^{128}$ AES evaluations for a 128-bit AES key. If that's too much time, what does the attacker do?

The obvious answer is to build the standard parallel brute-force key-search machine described in Section 2. This is a time-processor tradeoff, trading price linearly for performance.

A much worse answer is to use a time-memory tradeoff: a serial computer that computes $k$ from $H(k)$ in fewer than $2^b$ evaluations of $H$, after a massive precomputation. This time-memory tradeoff trades price for performance, but not linearly; it might set speed records for serial computers, but it is painfully slow compared to a properly designed parallel computer.

Consider, for example, the same attack as in Section 2, but using memory on a serial computer, rather than processors on a massively parallel computer. We'll see that the serial computer is much, much, much slower and not much smaller.

The attacker selects a 12-byte string $\lambda$ and $2^{36} - 2^{33}$ random 16-byte strings $r_1, r_2, \ldots$. He computes, serially, $Z(\lambda, 2^{23}, r_j)$ for each random $r_j$, and stores the results in an associative array. Then, for each target $H(k_i)$ in turn, the attacker computes $Z(\lambda, 0, H(k_i)), \ldots, Z(\lambda, 2^{23} - 1, H(k_i))$, and looks up each result in the associative array. Conjecturally he has probability close to $2^{-69}$ of finding $k_i$, exactly as in Section 2.

This serial machine is billions of times slower than the parallel machine. The serial machine performs $2^{23}(2^{23} - 1)/2$ AES evaluations for each target $k_i$, totalling about $2^{55}$ AES evaluations; and, even worse, $2^{23}$ AES evaluations for each random $r_j$, totalling about $2^{59}$ AES evaluations. For comparison, the parallel machine finishes in the time for just $2^{27}$ AES evaluations.

The serial machine is not billions of times less expensive than the parallel machine. It isn't even ten times less expensive. It's about half the size of the parallel machine: it doesn't have the $2^{32}$ AES circuits, but it does have the same $2^{42}$ bytes of memory. Perhaps I'm overestimating the cost of memory compared to an AES circuit; if so, simply expand the amount of memory in both machines to balance the memory-circuit cost with the AES-circuit cost, and the conclusion will be the same.

To summarize: The time-memory tradeoff produces a ludicrously unbalanced machine with tons of memory waiting for one serial CPU. The attacker would have to be completely insane to use this serial machine.

Asymptotics. The disadvantage of a time-memory tradeoff, compared to a time-processor tradeoff, grows linearly with the size of the machine. For example, a serial key-search machine with about $2^{74}$ bytes of memory is about $2^{63}$ times slower than a comparably priced parallel key-search machine, and about $2^{33}$ times slower than a parallel key-search machine costing $2^{30}$ times less.
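The machine of Section 2 and its serial re-run in Section 3 are the same computation with different scheduling, and the cost accounting in both sections is easiest to check on a small instance. The following Python model is added here and is not part of Bernstein's paper; it runs the standard rainbow-chain search sequentially, exactly as the Section 3 serial machine would, and counts every evaluation of $H$ so the per-target $T(T-1)/2$ term and the per-chain $T$ term can be read off. Everything in it is a constructed toy: $H$ is SHA-256 truncated to 20 bits instead of $\mathrm{AES}_k(8675309)$ on 16 bytes, the 16-byte string $(\lambda, n)$ is packed into one 20-bit word with a 12-bit $\lambda$ and an 8-bit $n$, chains have length $T = 2^8$ rather than $2^{23}$, and the helper names (`Z`, `chain_input`, `key_search`, `heuristic_success_probability`, `serial_work`) and sample values are my own.

```python
import hashlib
from typing import Dict, List, Tuple

# Toy parameters (constructed for illustration). The paper uses 128-bit keys,
# a 12-byte lambda, a 4-byte index n and chains of length 2^23.
B = 20                    # key and H-output size in bits
N_BITS = 8                # bits of the column index n; chain length T = 2^N_BITS
T = 1 << N_BITS
MASK = (1 << B) - 1

H_CALLS = 0               # every evaluation of H is one unit of time, as in the paper


def H(k: int) -> int:
    """Toy stand-in for H(k) = AES_k(8675309): SHA-256 of the key, truncated to B bits."""
    global H_CALLS
    H_CALLS += 1
    digest = hashlib.sha256(b"toy-H:" + k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & MASK


def pack(lam: int, n: int) -> int:
    """The paper's 16-byte string (lambda, n), packed here into B bits: lambda high, n low."""
    return ((lam << N_BITS) | n) & MASK


def Z(lam: int, n: int, s: int) -> int:
    """Z(lambda,0,s) = s and Z(lambda,n+1,s) = Z(lambda,n,H(s xor (lambda,n))), as a loop."""
    while n > 0:
        n -= 1
        s = H(s ^ pack(lam, n))
    return s


def chain_input(lam: int, r: int, n: int) -> int:
    """The value s xor (lambda,n) that the chain Z(lambda,T,r) feeds to H at column n."""
    s, m = r, T
    while m > n + 1:              # redo T-(n+1) iterations to reach (lambda, n+1, s)
        m -= 1
        s = H(s ^ pack(lam, m))
    return s ^ pack(lam, n)


def key_search(lam: int, targets: List[int], randoms: List[int]) -> Tuple[Dict[int, int], Dict[str, int]]:
    """Sequential run of the Section 2 machine. Returns ({target index: key}, work counts)."""
    global H_CALLS
    H_CALLS = 0
    # Phase 1: the random chains. The parallel machine runs them concurrently;
    # the serial machine of Section 3 pays T evaluations per r_j, one after another.
    endpoints: Dict[int, int] = {}
    for r in randoms:
        endpoints.setdefault(Z(lam, T, r), r)   # colliding endpoints: throw one r_j away
    work_randoms = H_CALLS
    # Phase 2: Z(lambda,n,H(k_i)) for every column n. Each column is a separate chain
    # (the reduction differs per column), hence T(T-1)/2 evaluations per target.
    found: Dict[int, int] = {}
    for i, h in enumerate(targets):
        for n in range(T):
            r = endpoints.get(Z(lam, n, h))
            if r is None:
                continue
            guess = chain_input(lam, r, n)
            if H(guess) == h:         # real hit, not a false alarm from a merged chain
                found[i] = guess
                break
    return found, {"randoms": work_randoms, "targets": H_CALLS - work_randoms}


def heuristic_success_probability(chains: int, chain_length: int, b: int) -> float:
    """The paper's crude estimate: (number of inputs fed to H) / 2^b, capped at 1."""
    return min(1.0, chains * chain_length / 2 ** b)


def serial_work(num_randoms: int, num_targets: int, chain_length: int = T) -> Tuple[int, int]:
    """H evaluations of the serial version: T(T-1)/2 per target and T per random r_j."""
    return (num_targets * chain_length * (chain_length - 1) // 2,
            num_randoms * chain_length)
```

`key_search` is the Section 3 machine verbatim: an associative array of chain endpoints, then a lookup per column. The `work` dictionary it returns shows the two terms Section 3 adds up, and `serial_work` with the paper's parameters ($2^{36}-2^{33}$ chains, $2^{10}$ targets, $T = 2^{23}$) reproduces the $2^{55}$ and $2^{59}$ totals; the parallel machine spends the same total work but only $T \cdot 2^4 = 2^{27}$ units of elapsed time. `heuristic_success_probability(2**36, 2**23, 128)` gives the $2^{-69}$ of Section 2, and the same call with `b=256` shows the $2^{128}$ factor that Section 4 relies on when it argues for larger keys.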
Sometimes I see one cryptanalyst arguing that a system has been "broken" by a time-memory tradeoff on a serial computer with $2^{90}$ bytes of memory, and another cryptanalyst arguing that building $2^{90}$ bytes of memory is awfully difficult so the system has not been "broken." This is a pointless argument about an incompetent machine design. The standard parallel brute-force key-search machine is billions of times less expensive than that serial computer and billions of times faster. Anyone who thinks that time-memory tradeoffs are worrisome should be utterly terrified by the vastly superior price and performance of a properly designed parallel machine.

Fancier serial attacks. A recent paper advertises a serial computer with $2^{380}$ bits of fast memory that, using a complicated algorithm, takes only $2^{534}$ cycles to identify a 544-bit key. This attack is portrayed as being successful because it is (slightly) "faster than exhaustive search."

Let's compare this serial computer to the standard parallel brute-force key-search machine with, say, $2^{200}$ key-search circuits. The parallel machine is nearly $2^{200}$ times faster than this serial computer, and vastly less expensive. Why did the author of this paper characterize this serial attack as successful cryptanalysis? It's simply not true that the attack is "faster than exhaustive search"—unless you assume that the attacker is forcing himself to use a serial computer, i.e., that the attacker is an idiot. Perhaps a parallelization of the complicated algorithm could beat the parallel brute-force key-search machine, but I doubt it: at first glance, parallelization will improve the price-performance ratio of the complicated algorithm by a factor of only about $2^{180}$.

This is certainly not an isolated mistake. Most of the "breaks" that I see in the literature are slightly faster than serial brute-force search but are much slower than a much less expensive parallel brute-force search. Many people seem to think that the number of cipher rounds "broken" by a differential attack, for example, is the number of rounds for which the differential attack is marginally faster than a serial brute-force search—ignoring the question of whether the differential attack is faster than a parallel brute-force search. This mistake should not be tolerated. A cryptanalytic machine is a failure if it's slower than the standard parallel brute-force key-search machine at the same price. New attacks must be compared to the best previous attacks, not merely the best previous serial attacks.

4 Defending against the standard attack

Consider again the standard parallel machine in Section 2, with $2^{32}$ AES circuits. Recall that, after $2^{64}$ AES computations, this machine has chance close to $2^{-32}$ of finding a target key $k_1$, and chance close to $2^{-22}$ of finding at least one of the $2^{10}$ target keys.

Is this an acceptable level of security? Many people don't think so. This section analyzes two different ways to modify cryptographic systems to make the attacker's job more difficult.

Input-space separation. The standard parallel machine attacks a large batch of target keys at about the same cost as attacking a single key. Often the attacker's benefit is proportional to the number of target keys successfully found. Perhaps the attacker is trying to steal the computational power of as many target computers as possible, and each extra key lets him steal power from an extra computer. The attacker's cost-benefit ratio is then divided by the number of target keys.

This amortization relies on the attacker being given $H(k_1), H(k_2), \ldots$ for the same function $H$: e.g., $\mathrm{AES}_{k_1}(8675309), \mathrm{AES}_{k_2}(8675309), \ldots$. If there's no overlap between the inputs to $\mathrm{AES}_{k_1}$ and the inputs to $\mathrm{AES}_{k_2}$ then the attacker can't simultaneously attack $k_1$ and $k_2$.

"Aha!" one might say. "We should design our cryptographic protocols so that different keys are applied to disjoint input sets!" Example: De Cannière, Lano, and Preneel in [2, Section 5] suggest designing stream ciphers so that nonces are as long as keys, and then choosing nonces pseudorandomly. This suggestion fails to achieve the goal—a typical nonce will still be used for many keys if the number of nonces is below the number of keys times the number of messages per key—but one can make nonces even longer to prevent repetition.

Unfortunately, [2] focuses entirely on the costs and benefits for the attacker, and neglects to consider the costs and benefits for the cryptographic users:

• Many stream ciphers—counter-mode AES, for example—have small input sizes and would have to be radically reworked, presumably losing speed, to handle long nonces. The authors of [2] assert that "the state is already at least twice the key size"; this is true for some stream ciphers but false for counter mode.
• Even when a stream cipher easily accepts a long nonce, generating a long pseudorandom nonce is much more expensive than generating a standard sequential nonce. Long pseudorandom nonces cost CPU cycles to compute—the pseudorandom number generator is another attack target, so it needs to be at least as strong as the main cipher—and they cost bandwidth to transmit.

As for benefits: Input-space separation doesn't make my key more difficult to find. It stops the attacker from finding other people's keys as part of the same computation, and perhaps this difference will deter the attacker, but perhaps it won't.

To summarize, input-space separation has limited benefits and quite noticeable costs. See below for a different approach that has much larger benefits and much smaller costs.

Larger keys. A more obvious way to make the attacker's job much more difficult is to use a larger key. Why fool around with 128-bit keys when we can simply use 256-bit keys? The benefits to users are clear, and far outweigh the benefits of input-space separation. Brute-force key-search attacks suddenly become $2^{128}$ times slower—i.e., completely impractical for the foreseeable future.

"But 256-bit AES takes 14 rounds, while 128-bit AES takes only 10!" some people will argue. "In general, 256-bit ciphers have more rounds than 128-bit ciphers. That's a quite serious cost in speed; we need to consider other ways to use the same CPU cycles."

But this argument confuses two different changes. We can switch to 256-bit keys, effectively eliminating brute-force attacks, without increasing the number of rounds. The only cost is the cost of generating and storing larger keys, which is normally much smaller than the cost of generating and transmitting large random nonces for every message. The benefit is much larger.

"But 256-bit AES deliberately uses 14 rounds to keep us secure against non-brute-force attacks!" some people will argue. "There's an 8-round attack taking time only $2^{204}$, for example. Okay, okay, that's on a machine with $2^{104}$ bits of memory, but maybe some additional ideas will produce a 10-round attack more efficient than a 256-bit parallel brute-force key-search attack."

But this argument confuses security level with key size. I never said that this change would produce a 256-bit security level. I said that it would make the attacker's job much more difficult—producing larger benefits than input-space separation at lower cost. If the resulting security level is, say, 192 bits, then the mission has been accomplished.

"But you're not allowed to use keys larger than the target security level!" some people will argue. "It's, um, against the law! The standard definition of security varies with your key size!"

But that's a silly definition of security. Perhaps the most efficient way to achieve a 192-bit security level is with a system having a 256-bit key. If the user wants a 192-bit security level, then the user should select that system. There's no justification for demanding a reduced key size. (Helix, introduced by Ferguson, Whiting, Schneier, Kelsey, Lucks, and Kohno in [3], is an example of a fast stream cipher that uses a key size above its target security level. I don't know whether this is the most efficient approach, but I certainly would not want it to be excluded from consideration.)

I'm not saying that increasing the number of rounds is a bad idea. On the contrary: extra rounds have, historically, been quite effective at stopping non-brute-force attacks. But this has nothing to do with the question of whether randomness should be added to nonces or to keys.

5 The variant parallel brute-force key-search attack

This section describes a variant of the standard parallel brute-force key-search machine. This variant is a little slower but has the advantage that it can handle many more keys simultaneously.

The problem. The problem is the same as in Section 2: the attacker is trying to find 16-byte AES keys $k_1, k_2, \ldots$, given $H(k_1), H(k_2), \ldots$. Let's again assume that the attacker is facing $2^{10}$ keys overall.

The variant key-search circuit. The attacker builds a very small key-search circuit. The key-search circuit has three inputs: a 23-bit string $\delta$, a 16-byte string $\alpha$, and a 16-byte string $s$. The key-search circuit has one output: a 16-byte string $D(\delta, \alpha, s)$ defined recursively as $s$ if $s$ begins with $\delta$, and as $D(\delta, \alpha, H(s \oplus \alpha))$ otherwise.

This key-search circuit is attached to a comparable-size memory circuit that buffers $2^4$ inputs and $2^4$ outputs, as in Section 2.

How long does the key-search circuit take to produce its $2^4$ outputs? The 16-byte strings $s$ bounce around pseudorandomly, and one out of every $2^{23}$ strings begins with $\delta$, so the number of iterations per output is typically on the scale of $2^{23}$. Maybe less; maybe more; occasionally the circuit falls into a loop and never produces an output; but the key-search circuit typically computes outputs for most of its inputs within $2^{27}$ iterations.

The variant key-search machine. The attacker now builds a machine with $2^{32}$ key-search circuits in a $2^{16} \times 2^{16}$ mesh. Each key-search circuit has its own comparable-size memory circuit, and is connected to its immediate neighbors, as in Section 2.

The attacker feeds $2^{36}$ inputs to his $2^{32}$ key-search circuits. Specifically, the attacker selects a 23-bit string $\delta$, a 16-byte string $\alpha$, and $2^{36} - 2^{10}$ random 16-byte strings $r_1, r_2, \ldots$; generates one input $(\delta, \alpha, r_j)$ for each random $r_j$; and generates one input $(\delta, \alpha, H(k_i))$ for each target $H(k_i)$.

All $2^{32}$ key-search circuits now run in parallel for $2^{27}$ iterations, producing $D(\delta, \alpha, r_j)$ for (conjecturally) most $j$'s and $D(\delta, \alpha, H(k_i))$ for (conjecturally) most $i$'s. This takes slightly more time than $2^{27}$ AES computations.

The attacker then sorts the $D$ values. If the sorting encounters a collision between two $D(\delta, \alpha, r_j)$'s, it throws one of those $r_j$'s away. If it encounters a collision between $D(\delta, \alpha, H(k_i))$ and $D(\delta, \alpha, r_j)$, the machine pauses to redo the $D(\delta, \alpha, r_j)$ computation. If any intermediate value $(\delta, \alpha, s)$ satisfies $H(s \oplus \alpha) = H(k_i)$ then the machine prints $s \oplus \alpha$ as a guess for $k_i$.

Heuristic analysis. What's the chance that a particular key, say $k_1$, is found by this machine? The crude estimate is that there are $2^{36}$ values $D(\delta, \alpha, r_j)$, each involving $2^{23}$ intermediate values $(\delta, \alpha, s)$ and $2^{23}$ inputs $s \oplus \alpha$ to $H$, for a total of $2^{59}$ inputs to $H$. If any of those inputs bumped into $k_1$ then the machine will find $k_1$. Specifically, if an intermediate value $(\delta, \alpha, s)$ in the computation of $D(\delta, \alpha, r_j)$ satisfies $s \oplus \alpha = k_1$, then $D(\delta, \alpha, r_j) = D(\delta, \alpha, H(s \oplus \alpha)) = D(\delta, \alpha, H(k_1))$; the sorting will discover this collision, will locate the same intermediate value $(\delta, \alpha, s)$, and will print $s \oplus \alpha = k_1$ as its guess for $k_1$. This occurs with probability $2^{59}/2^{128} = 2^{-69}$.

This estimate is slightly overoptimistic, for all the reasons in Section 2 and more: for example, some $r_j$'s fail to produce values $D(\delta, \alpha, r_j)$. These failures are a disadvantage of the variant machine compared to the standard machine. But one can reasonably conjecture that a random choice of $\delta, \alpha$ has probability larger than $2^{-71}$ of finding $k_1$, not much worse than the standard machine.

As in Section 2, the machine simultaneously has a chance of finding other keys; and the attacker can increase the chance of success by running the machine repeatedly with new choices of $\delta, \alpha$. The variant machine also has an advantage over the standard machine: it uses far fewer key-search-circuit inputs per target key, so it can handle far more target keys simultaneously.

References

1. Dan Boneh (editor), Advances in cryptology: CRYPTO 2003, 23rd annual international cryptology conference, Santa Barbara, California, USA, August 17–21, 2003, proceedings, Lecture Notes in Computer Science, 2729, Springer, Berlin, 2003. ISBN 3-540-40674-3. MR 2005d:94151.
2. Christophe De Cannière, Joseph Lano, Bart Preneel, Comments on the rediscovery of time/memory/data tradeoffs (2005). URL: http://www.ecrypt.eu.org/stream/.
3. Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, Tadayoshi Kohno, Helix: fast encryption and authentication in a single cryptographic primitive, in [4] (2003), 330–346. URL: http://www.macfergus.com/helix/.
4. Thomas Johansson (editor), Fast software encryption: 10th international workshop, FSE 2003, Lund, Sweden, February 24–26, 2003, revised papers, Lecture Notes in Computer Science, 2887, Springer-Verlag, Berlin, 2003. ISBN 3-540-20449-0.
5. Philippe Oechslin, Making a faster cryptanalytic time-memory trade-off, in [1] (2003), 617–630.
6. Michael J. Wiener, The full cost of cryptanalytic attacks, Journal of Cryptology 17 (2004), 105–124. ISSN 0933-2790. URL: http://www3.sympatico.ca/wienerfamily/Michael/.
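The distinguished-points variant of Section 5 differs from Section 2 in two ways that are easy to see in code: every chain uses the same reduction $s \oplus \alpha$ and runs until it hits a string beginning with $\delta$, so a target costs one chain rather than $2^{23}$ of them, and a chain can loop or overrun the iteration cap and produce no output at all. The following Python model is added here and is not part of Bernstein's paper; it runs the variant machine sequentially on a toy instance and reports how many random inputs were lost to the cap. Every parameter is a constructed stand-in: a 24-bit $H$ (SHA-256 truncated) for $\mathrm{AES}_k(8675309)$, a 4-bit $\delta$ so that one string in $2^4$ is distinguished instead of one in $2^{23}$, a cap of $2^8$ iterations playing the role of the paper's $2^{27}$, and helper names (`D`, `chain_inputs`, `variant_key_search`) and sample values of my own choosing.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Toy parameters (constructed). The paper: 128-bit strings, a 23-bit delta so one
# string in 2^23 is distinguished, and a cap of 2^27 iterations per circuit.
B = 24                              # key and H-output size in bits
DELTA_BITS = 4                      # one string in 2^4 begins with delta
MAX_ITER = 1 << (DELTA_BITS + 4)    # iteration cap: 2^4 times the expected chain length
MASK = (1 << B) - 1


def H(k: int) -> int:
    """Toy stand-in for H(k) = AES_k(8675309): SHA-256 of the key, truncated to B bits."""
    digest = hashlib.sha256(b"toy-H:" + k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & MASK


def begins_with(s: int, delta: int) -> bool:
    """True when the top DELTA_BITS bits of s equal delta: s is a distinguished point."""
    return (s >> (B - DELTA_BITS)) == delta


def D(delta: int, alpha: int, s: int) -> Optional[int]:
    """D(delta,alpha,s) = s if s begins with delta, else D(delta,alpha,H(s xor alpha)).

    Returns None when no distinguished point shows up within MAX_ITER steps
    (the chain fell into a loop or is simply too long): that input is lost."""
    for _ in range(MAX_ITER):
        if begins_with(s, delta):
            return s
        s = H(s ^ alpha)
    return None


def chain_inputs(delta: int, alpha: int, r: int) -> List[int]:
    """Every value s xor alpha fed to H along the chain from r (empty if r is distinguished)."""
    out: List[int] = []
    s = r
    for _ in range(MAX_ITER):
        if begins_with(s, delta):
            break
        out.append(s ^ alpha)
        s = H(s ^ alpha)
    return out


def variant_key_search(delta: int, alpha: int, targets: List[int],
                       randoms: List[int]) -> Tuple[Dict[int, int], int]:
    """Sequential run of the Section 5 machine: ({target index: key}, number of lost r_j)."""
    endpoints: Dict[int, int] = {}
    lost = 0
    for r in randoms:
        e = D(delta, alpha, r)
        if e is None:
            lost += 1                      # the failure mode Section 5 calls a disadvantage
        else:
            endpoints.setdefault(e, r)     # colliding endpoints: throw one r_j away
    found: Dict[int, int] = {}
    for i, h in enumerate(targets):        # one chain per target, not 2^23 of them
        e = D(delta, alpha, h)
        if e is None or e not in endpoints:
            continue
        s = endpoints[e]                   # redo D(delta,alpha,r_j), checking each intermediate
        while not begins_with(s, delta):
            guess = s ^ alpha
            nxt = H(guess)
            if nxt == h:                   # H(s xor alpha) = H(k_i): print s xor alpha
                found[i] = guess
                break
            s = nxt
    return found, lost
```

Because a target needs only one chain, the input budget of $2^{36}$ leaves room for far more targets than the $2^{33}$-input batch of Section 2, which is the advantage the section closes on; the `lost` count is the price, and raising the cap trades elapsed time for fewer lost chains without helping chains that have entered a cycle.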