3

In the literature on attacks against hash functions, I frequently come across algorithms requiring $2^n$ work described as being preimage or collision "attacks" on a hash function with only marginally more than $n$ bits of output$^1$.

Have I grievously misunderstood the terminology here?

If the result of the attack is an $n$-bit value then brute force takes $2^n$ tries; how can anything only slightly better than this be considered a meaningful enough "attack" to be worthy of publishing?

It seems to be making article titles nearly useless; a well peer-reviewed article titled "an attack against AES" in a reputable publication could be anything from irrelevant to cataclysmically internet-shattering in its consequences.

Here's an example from the Wikipedia page for Salsa20:

In 2007, Tsunoo et al. announced a cryptanalysis of Salsa20 which breaks 8 out of 20 rounds to recover the 256-bit secret key in $2^{255}$

  1. or key-recovery "attacks" against a symmetric cipher having only marginally more than $n$ bits of secret key, although I've been reading mostly hash function papers lately.
otus
  • 32,132
  • 5
  • 70
  • 165
Barbering without a License
  • 141
  • 3
  • When you can achieve similar results, you can say they are not worthy of being published. Until then... – fkraiem Sep 09 '17 at 05:30
  • Mathematicians are very... detail-oriented, to put it one way. $2^{255}$ is clearly not the same as $2^{256}$ to a mathematician. – Ella Rose Sep 09 '17 at 14:31
  • What the 2007 paper really showed, was that there is a significant bias in the probability of some 4-round output bit differences. This is a valuable observation. The reason for the high complexity is that the authors tried to push the attack to eight rounds. – Aleph Sep 09 '17 at 22:23

3 Answers3

5

It's just a matter of terminology, which (as often in mathematics and related disciplines) may not match your intuitive interpretation of the words.

  • An attack is any algorithm that performs better than the "obvious" brute force algorithms. Cryptographic primitives are designed to admit no attack better than generic ones, so any proof that this goal is not met constitutes a break (but maybe not a complete break) to a theorist. For more practically-minded people, it demonstrates attack vectors and techniques which may be useful in constructing more efficient algorithms.
  • If an attack is effectively breaking the system for realistic key sizes, it is often referred to as a practical attack. (And people usually proudly put this term into their paper's titles if their attack performs this good.) For well-studied primitives, this luckily does not happen very often.
  • Some papers describe attacks against round-reduced variants of a cipher: this again serves as a demonstration of attack techniques and (just like any other kind of cryptanalysis) is an important step in cipher design, because it provides an estimate for the number of rounds the cipher should have. Papers should (and usually do) clearly point out that they're attacking non-standard variants.

Then of course, unfortunately some (if not many) people have a tendency to oversell their results — there's nothing you can do against that, but the above should help in filtering for the kind of attacks you're interested in.

yyyyyyy
  • 12,081
  • 4
  • 47
  • 68
  • thank you so much, the terminology "practical attack" was what I was looking for and passes the google-test for MD5 and RC4. :) – Barbering without a License Sep 11 '17 at 06:24
  • (continued) I can think of plenty of other adjectives, but knowing that the cryptography research community has agreed on the word "practical" (as opposed to "useful", "efficient", "happy" or "fahrvergnügen") for this purpose makes the literature vastly more accessible to me. Thanks again! – Barbering without a License Sep 11 '17 at 06:30
  • I don't think that the term attack logically implies better than brute force. For example, as seen in the common terms generic attack (an attack that works against a random object of the same type as the algorithm) and for that matter brute force attack. The security goal for many algorithms is that no attacks against the algorithm should perform better than the generic attacks against the type of algorithm. – Luis Casillas Sep 11 '17 at 20:57
3

A cryptosystem comes with an advertised security level. The type of cryptosystem, e.g. collision-resistant hash function (CRHF) or pseudorandom function family (PRF) or public-key key encapsulation mechanism (KEM), tells you what the security level means: usually, an adversary's success probability for some kind of attack as a function of the area*time or AT cost the adversary is willing to spend.

Salsa20 is advertised to be a PRF with a 256-bit security level. Loosely, this means that there is a best standard generic attack, meaning an attack that doesn't depend on the details of Salsa20 but works with any PRF $F_k\colon \{0,1\}^{128} \to \{0,1\}^{512}$ for 256-bit key $k$, that has a certain AT cost, and all other known attacks have worse AT cost.

To distinguish $\mathrm{Salsa20}_k$ for unknown key $k$ from a random function $F\colon \{0,1\}^{128} \to \{0,1\}^{512}$, with probability near 1, the advertised best AT cost is around $2^{256}$, in some sensible choice of commensurate units for (a) Salsa20 circuits, (b) bits of memory, and (c) durations of time. (You can make the units commensurate by choosing the smallest conceivable euro cost of each one. The cost goes down if you are content to break any one of many keys.) This attack works by exhaustively trying all possible values of $k$.

We call the cryptosystem broken if someone demonstrates an attack that does depend on the details of the cryptosystem and has better AT cost—even if it is only AT cost $2^{255}$ instead of the advertised AT cost $2^{256}$. In that case, the advertisement on which everyone might have been relying turns out to be false.

Sometimes we distinguish between ‘theoretical attacks’ like a $2^{255}$-AT attack that could never actually be carried out with our current understanding of humanity's available energy budget, and ‘practical attacks’ like the $2^{64}$-AT attack that yielded a collision in SHA-1, but the boundary is fuzzy and changes over time.

Some people consider only the time cost, not the area cost as well, which is silly because large memory is expensive and not instantaneous, and parallel small-memory attacks nearly always outperform serial large-memory attacks in practice. That's presumably why the Wikipedia page you cite follows the paper citation about an attack on Salsa20/8 with the caveat ‘However, this attack does not seem to be comparative with the brute force attack.’ (although I haven't looked closely at the estimated attack costs to see why they are less notable, other than being a little higher, than those of J.P. Aumasson et al), and why I said there's no evidence to suspect MD5's preimage resistance is broken in an earlier answer in spite of a $2^{123.4}$-time preimage attack on it.

(More details on cost metrics and security notions.)

Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223
1

What makes you stumble is the difference between "theoretical attacks" and "practical attacks".

The later are the ones that are feasible for an adversary and cryptographically break your neck, while theoretical attacks point to weakness and potential problems in schemes or algorithms… but they're not really practically feasible.

Now, no matter if it's theoretical or practical, in crypotography an attack is an attack. One "merely" has to attack an algorithms in a way that's more successful than brute-force.

If the attack becomes feasible, a theoretical attack becomes a practical attack… sometimes even a complete "practical break".

yyyyyyy
  • 12,081
  • 4
  • 47
  • 68
e-sushi
  • 17,891
  • 12
  • 83
  • 229