Time-Memory Trade-Offs: False Alarm Detection Using Checkpoints (Extended Version)

Gildas Avoine 1, Pascal Junod 2, and Philippe Oechslin 1,3

1 EPFL, Lausanne, Switzerland
2 Nagravision SA (Kudelski Group), Switzerland
3 Objectif Sécurité, Gland, Switzerland

Technical Report LASEC-REPORT-2005-002, September 2005

Swiss Federal Institute of Technology in Lausanne
School of Computer and Communication Sciences
EPFL - I&C - ISC - LASEC
Station 14 - Building INF
CH-1015 Lausanne, Switzerland

Abstract. Since the original publication of Martin Hellman’s cryptanalytic time-memory trade-off, a few improvements on the method have been suggested. In all these variants, the cryptanalysis time decreases with the square of the available memory. However, a large amount of work is wasted during the cryptanalysis process due to so-called “false alarms”. In this paper we present a method of detection of false alarms which can significantly reduce the cryptanalysis time while using a minute amount of memory. Our method, based on “checkpoints”, can reduce the time by much more than the square of the additional memory used, e.g., an increase of 0.89% of memory yields a 10.99% increase in performance. Even if our optimization is bounded, the gain in time per memory used is radically more important than in any existing variant of the trade-off. Beyond this practical improvement, checkpoints constitute a novel approach which has not yet been exploited and may lead to other interesting results. In this paper, we also present theoretical analysis of time-memory trade-offs, and give a complete characterization of the variant based on rainbow tables. This is the first time an exact expression is given for a variant of the trade-off and that the time-memory relationship can actually be plotted.
Key words: time-memory trade-off, cryptanalysis, precomputation

1 Introduction

Many cryptanalytic problems can be solved in theory using an exhaustive search in the key space, but are still hard to solve in practice because each new instance of the problem requires restarting the process from scratch. The basic idea of a time-memory trade-off is to carry out an exhaustive search once and for all, so that subsequent instances of the problem become easier to solve. Thus, if there are $N$ possible solutions to a given problem, a time-memory trade-off can solve it with $T$ units of time and $M$ units of memory. In the methods we are looking at, $T$ is proportional to $N^2/M^2$ and a typical setting is $T = M = N^{2/3}$.

The cryptanalytic time-memory trade-off was introduced in 1980 by Hellman [9] and applied to DES. Given a plaintext $P$ and a ciphertext $C$, the problem consists in recovering the key $K$ such that $C = S_K(P)$, where $S$ is an encryption function assumed to follow the behavior of a random function. Encrypting $P$ under all possible keys and storing each corresponding ciphertext allows for immediate cryptanalysis but needs $N$ elements of memory. The idea of a trade-off is to use chains of keys. It is

This technical report is the extended version of a paper [2] that will appear in the proceedings of Indocrypt 2005, LNCS, Springer-Verlag, December 2005.
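A toy sketch of one Hellman-style table of key chains, counting the false alarms the abstract refers to. It is added here as an illustration and is not code from the report. SHA-256 stands in for $S_K(P)$; the 16-bit key space, the reduction function, the table sizes and all function names are assumptions.

```python
import hashlib

KEY_BITS = 16                 # toy key space: N = 2**16 keys (assumption)
N = 1 << KEY_BITS
PLAINTEXT = b"fixed-P"        # constructed known plaintext P

def encrypt(key: int) -> bytes:
    """Stand-in for C = S_K(P): a hash used as a random function."""
    return hashlib.sha256(key.to_bytes(2, "big") + PLAINTEXT).digest()[:4]

def reduce_(c: bytes) -> int:
    """Reduction R: map a ciphertext back into the key space."""
    return int.from_bytes(c, "big") % N

def step(key: int) -> int:
    return reduce_(encrypt(key))

def walk(key: int, steps: int) -> int:
    for _ in range(steps):
        key = step(key)
    return key

def build_table(m: int, t: int) -> dict:
    """Precompute m chains of length t; store only endpoint -> start."""
    table = {}
    for start in range(m):
        table.setdefault(walk(start, t), start)  # merged chains share an endpoint
    return table

def lookup(table: dict, t: int, c: bytes):
    """Return (key or None, false_alarms, wasted_steps) for ciphertext c."""
    z, alarms, wasted = reduce_(c), 0, 0
    for i in range(t):
        if z in table:
            candidate = walk(table[z], t - 1 - i)   # rebuild chain up to the key
            if encrypt(candidate) == c:
                return candidate, alarms, wasted
            alarms += 1                             # endpoint matched, key did not
            wasted += t - 1 - i
        z = step(z)
    return None, alarms, wasted

def demo(m: int = 256, t: int = 256, trials: int = 200):
    table = build_table(m, t)
    found = alarms = wasted = 0
    for key in range(1000, 1000 + trials):          # constructed target keys
        k, a, w = lookup(table, t, encrypt(key))
        found += k is not None
        alarms += a
        wasted += w
    return found, alarms, wasted

if __name__ == "__main__":
    print("found=%d false_alarms=%d wasted_steps=%d" % demo())
```

The `wasted_steps` counter is the chain-regeneration work spent on endpoint matches that did not yield the key, which is the cost that false-alarm detection aims to cut.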