Provable Time-Memory Trade-Offs: Symmetric Cryptography Against Memory-Bounded Adversaries

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11239)


We initiate the study of symmetric encryption in a regime where the memory of the adversary is bounded. For a block cipher with n-bit blocks, we present modes of operation for encryption and authentication that guarantee security beyond \(2^n\) encrypted/authenticated messages, as long as (1) the adversary’s memory is restricted to be less than \(2^n\) bits, and (2) the key of the block cipher is long enough to mitigate memory-less key-search attacks. This is the first proposal of a setting that allows one to bypass the \(2^n\) barrier under a reasonable assumption on the adversarial resources.

Motivated by the above, we also discuss the problem of stretching the key of a block cipher in the setting where the memory of the adversary is bounded. We show a tight equivalence between the security of double encryption in the ideal-cipher model and the hardness of a special case of the element distinctness problem, which we call the list-disjointness problem. Our result in particular implies a conditional lower bound on time-memory trade-offs to break PRP security of double encryption, assuming optimality of the worst-case complexity of existing algorithms for list disjointness.


Keywords: Foundations, Symmetric cryptography, Randomness extraction



Stefano Tessaro’s work was partially supported by NSF grants CNS-1553758 (CAREER), CNS-1423566, CNS-1719146, CNS-1528178, and IIS-1528041, and by a Sloan Research Fellowship. Aishwarya Thiruvengadam’s work was partially supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236, and a subcontract No. 2017-002 through Galois.



Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. University of California, Santa Barbara, USA