Quantifying Shannon's Work Function for Cryptanalytic Attacks
Authors: R. J. J. H. van Son
R. J. J. H. van Son
Netherlands Cancer Institute, Amsterdam and ACLC, University of Amsterdam
R.J.J.H.vanSon@gmail.com

November 4, 2021

Abstract

Attacks on cryptographic systems are limited by the available computational resources. A theoretical understanding of these resource limitations is needed to evaluate the security of cryptographic primitives and procedures. This study uses an Attacker versus Environment game formalism based on computability logic to quantify Shannon's work function and evaluate resource use in cryptanalysis. A simple cost function is defined which allows a wide range of theoretical and real computational resources to be quantified. With this approach the use of custom hardware, e.g., FPGA boards, in cryptanalysis can be analyzed. Applied to real cryptanalytic problems, it raises, for instance, the expectation that the computer time needed to break some simple 90 bit strong cryptographic primitives might theoretically be less than two years.

keywords: computation, cryptanalysis, computational complexity

1 Introduction

There have been many examples where the ongoing increase in computer speed and capacity has made previously secure cryptographic systems vulnerable to brute force attacks. This perpetual weakening of cryptographic systems due to the progress in computer hardware has been incorporated in rules of application. For instance, NIST in the USA publishes elaborate rules about the phasing out of shorter (weaker) keys and algorithms over time [30, 1]. However, those rules seem not to be based on a theoretical understanding of the availability of computational resources, but more on a historical trend in technical progress (e.g., Moore's law [35]).
It is still difficult to reliably estimate the computational effort needed to compromise a cryptographic system, i.e., Shannon's cryptanalysis work function [31]. Many studies and applications go for ultimate security by aiming for 2^k operations, with k ≥ 128, to put brute force attacks out of reach for the foreseeable future. Others use general purpose, off-the-shelf computers as benchmarks. Both approaches have limitations. Long keys imply costly hardware and long computations and often do not describe real life use, e.g., cost optimization for time-limited secrets. On the other hand, general purpose office and home computers are not necessarily very efficient for breaking codes and will almost certainly underestimate contemporary hardware capabilities [39].

The error of thinking that an off-the-shelf general purpose CPU for an office computer is an efficient device to recover cryptographic keys and passwords or break cryptographic codes is a common one. Expressions like "Calculating X took Y hours on a Z-level computer" are very often encountered. As a result, there seems to be general surprise every time it is shown that low-cost, specialized processors can outperform general office CPUs. For example, even though the idea might not have been new [4], there was again alarm in the media when in 2007 a Russian software company, Elcomsoft, filed for a US patent for a technique to use low cost standard graphics cards to recover passwords [12].

Although the problem mentioned above is more generally seen in complexity and game theoretical analysis, its practical importance is most acute for cryptanalysis and digital security. Many security policies rely on cryptographic systems as a crucial element. The difficulty with studying vulnerabilities in cryptography is their theoretical status.
The most interesting vulnerabilities in cryptographic systems are generally untested and the cost of a theoretically possible attack is therefore very difficult to estimate. Even though there is a good mathematical understanding of how cryptographic systems can be compromised, there is no consensus about a formalism in which the resources needed can be formally described and quantified.

This study uses a general formalism for quantifying computational resources which was proposed in [39]. This formalism defines resource use both on a symbolic level and on real hardware. The relevant parts of the model will be repeated here to make the current study self contained. The model will then be tailored to quantifying the cryptanalysis work function of Shannon [31], which aligns very closely to problems in game theory, e.g., the computational Nash equilibrium [10, 11], and algorithmic complexity theory with space and time bounded automata [5].

Section 2 presents a summary of the model from [39] adapted to cryptanalysis. The use of the model will be illustrated on existing hardware products. In section 3, the model is applied to some examples from the cryptanalysis literature. The results are discussed in section 4.

2 Cryptanalytic attacks as games

Cryptanalytic attacks are interactive procedures where a cryptographic system is attacked using computational resources to compromise protected information. It is assumed that the attacker can only use algorithmic procedures and computers. Such an attack can be emulated as a game by a collection of Turing Complete devices [31, 40]. For their mathematical convenience, Universal Turing Machines (UTM) will be used to illustrate the formalism [36], but the results hold for all such devices. Cryptanalytical attacks are problems of computability.
This model of cryptanalytic attacks fits the theoretic framework of computability logic [13, 14, 15, 16]. In computability logic, computability is defined in terms of games. The "computer", or Attacker, plays against the Environment and "wins" if it can complete the requested computation successfully. Computability logic tries to be a complete logic of interactive computing. This study only refers to some general aspects of computability logic. The reader can consult Japaridze [15, 16] and the references therein for extensive descriptions of the theory.

In short, the Attacker can play a game against the Environment on one or more "boards", in parallel. This study will restrict itself to a Hard Play model of deterministic static games [15]. That is, only purely algorithmic and reproducible games are considered where the speed of the moves is not relevant. The Environment can execute any number of moves for any single computational step of the System. In practice, these two conditions, a Hard Play model and static games, do not restrict the Attacker. They just prescribe that any attack strategy should involve a number of algorithmic steps and that the Environment, which includes the complete universe, has unlimited capacities for executing counter strategies. This model can be extended to include probabilistic strategies. In this framework, it is rather straightforward to set up a model for a cryptanalytic attack (c.f., [40, 31]).

2.1 The Attacker model

In the framework of computability logic, the Attacker is a collection of UTMs, each with three tapes: a work tape, a valuation tape, and a run tape. The valuation tape is supposed to contain the game specific parameters supplied by the Environment, whereas the work tape will be initialized with a program to load and play games from the valuation tape.
A more general interpretation of the valuation tape is that it contains any public information outside the control of the Attacker (for a more extensive description see [39]). The run tape contains the moves of the Attacker and the Environment. In the current framework, both the Attacker and the Environment write their moves onto the run tape. The alphabet used on the run tape is prescribed by the Environment. The Attacker can only move the reading head forward on the run tape and visit each cell only once. The Environment is free to read the run tape in any direction as often as it wants, but can only write to empty cells. To allow the "access once" restriction, all moves are written as self delimited or fixed length strings onto the run tape.

Scanning the run tape for moves of the Environment is a computational cost that must be borne by the Attacker. To minimize that cost, the moments at which the Environment can write to a run tape are restricted. The Environment will only write to a run tape in response to a move of the Attacker. After the Attacker has written a move to the run tape, it can enter a "wait" state and go to sleep. Only then will the Environment write its move or moves in a single self delimited or fixed length string to tape and wake up the Attacker, who then can read the moves and continue. This interpretation of the run tape embodies the principle that the Attacker must actively query for information from the Environment.

The Attacker can recruit as many UTMs as it wants by specifying them on the run tape from any of the existing UTMs. The communication between the Attacker UTMs is here modeled by simply letting the work tapes overlap. Other solutions are possible. Any newly instantiated UTM of the Attacker gets its own run tape and a copy of the valuation tape.
Any request for a new UTM should consist of a full description of the finite state machine, initial state, contents of the work tape, position of the heads, and the overlap between work tapes. A new UTM is instantiated with the finite state machine specified, the valuation and work tapes loaded, and the work tape stitched up with the correct part of the requesting UTM's work tape. Then the UTM is put in the initial state with the heads over the correct tape positions and started.

The possible moves of the Attacker can be divided into 4 classes:

• General information requests
• Structural requests
• Encryption requests
• Challenges

The meaning of the first is obvious. The second kind are requests to the Environment for new daughter UTMs or changes in the current UTM, e.g., releasing work tape memory. In modeling a realistic attack, structural requests would (de-)commission computing resources. Encryption requests implement the gathering of plaintexts and ciphertexts.

The cost of defeating a cryptographic system includes actually compromising it. Challenges are Attacker initiated moves to prove it has won, i.e., succeeded in compromising the cryptographic system by actually executing and completing the attack. A challenge could be to supply the current password, but could also demonstrate the ability to correctly pair cipher- and plaintexts. Note that after every move of the Attacker, the Environment must make a move, even if it is just a denial of the request.

This model of an Attacker is able to describe a large number of cryptanalytic attacks, for instance distributed attacks, both coordinated or not, known ciphertext or plaintext attacks, and chosen plaintext attacks. Even attacks on "security by obscurity" systems could be studied by supplying a stochastic model of information leakage to the valuation tape.
2.2 Resource needs and cost of computation

One problem with the above computational attack model is that most cryptographic systems can be defeated by simple brute force attacks, e.g., just trying all possible keys [31] or even simply trying all programs to crack the encryption (c.f., algorithmic complexity [20]). However, the security of cryptography lies in the fact that performing computations has costs, and for a brute force attack, these costs should be too high to be feasible [31]. But to use these costs in a computational model, they should be made explicit. In the remainder of this text, the model from [39] will be used to quantify computational costs. The relevant points will be described here.

A useful cost function for computations should follow some sanity conditions. The definition should be applicable to both theoretical and real devices. The costs should be cumulative and additive under appropriate conditions. The universal nature of computational devices should be mirrored in the existence of efficient emulation of one device on another one. Here an "efficient emulator" will be defined as any device that can emulate any computation on the target device with a cost that is a linear function of the original cost and number of steps in the computation ([39]).

Starting with a purely theoretical device, a very simple cost function for a single UTM that agrees with all of the above conditions is

C = \sum_{\lambda=1}^{\Lambda} I_{UTM}(\lambda)     (1)

where C is the total cost of the computation which runs over Λ steps. I_UTM(λ) is the information in bits stored in the UTM at step λ. I_UTM includes details about the internal structure of the device, e.g., action tables of a UTM. See [39] for a discussion and proofs.

The definition of equation 1 can easily be extended to other computational devices (even neural wet-ware [39]).
The only requirement is that the functionality of the device can be modeled as a collection of interconnected and modular logical components, e.g., logical gates, finite state machines, or UTMs. The factor I_UTM in equation 1 will be replaced by a factor I_Dev which measures the number of bits needed to identify the chosen device out of all the possible devices (including all non-functional ones) that could have been constructed using the same basic components, plus the current state of these components. For instance, the logical functions a modern CPU silicon chip can perform are limited by the number of transistors it contains. The size of I_CPU would therefore be related to the number of ways the transistors on it can be wired and how many states they can be in. Note that in this description, no mention is made of the actual physics of the components.

Table 1: Example processor characteristics. Comp.: Parallel programmable components. #Trans.: Indicative number of transistors. Bytes/s: Resource size I_CPU times cycles/sec from equation 1. Note that transistor counts are commercially sensitive information which should be interpreted with extreme care. These numbers will also vary widely between product versions.

Type   CPU                  Comp.(a)    Clock(a)   #Trans.(a)   Bytes/s
GPU    ATI Radeon 5870      1712(b)     850 MHz    2.15·10^9    18.3·10^17
CPU    Intel Core Duo       2 cores     2.6 GHz    291·10^6     7.57·10^17
FPGA   Xilinx Virtex-5      slices(c)
       XC5VFX70T-2          11,200      249 MHz    1.1·10^9     2.74·10^17
       XC5VLX30-3           4,800       251 MHz    1.1·10^9     2.76·10^17
       XC5VFX70T-2          11,200      277 MHz    1.1·10^9     3.04·10^17

(a) Specifications as published in marketing materials and [44, 45, 3].
(b) The total number of stream processors, texture units, and render output units [3].
(c) The Virtex-5 FPGA is organized in slices, with each slice containing four 6-input Look-Up-Tables (LUT) and four flip-flops [27, 46].
That is, if the same range of logic functions could be performed using fluid valves or photonic switches, the same I_Dev could result.

2.3 Relations with real hardware

The above theory on efficient emulators can be used to derive an estimate of the computational capabilities of real hardware [39]. As mentioned before, a CPU chip is characterized by a number of active elements, transistors, and the connections between them. The whole CPU is run at a certain speed. The computational cost of running a certain computation on a CPU can therefore be quantified as the number of steps needed to complete the computation times the information frozen into the chip design.

This exercise can also be done the other way around. First, the requirements for performing a basic computation in terms of electronic circuits (i.e., transistors) and number of steps are determined. Then, the number of copies of the basic devices that fit on a silicon chip is determined. After that, the number and speed of the computations can be estimated, assuming state-of-the-art special purpose hardware could be used. It will not come as a surprise to arrive at the conclusion that custom built electronics can often outperform general purpose CPUs.

Using the cost function of equation 1 and the device information content, I_Dev, can simplify this hardware analysis in many cases. It might obviate a detailed analysis of the required circuitry and replace it with a less precise but much more transparent calculation of comparable "complexity".

To make this analysis, a model is needed of the computational resources current hardware can deliver. A realistic model should take details of the limitations of chip design into account. In first approximation it is assumed that the maximal resources delivered by a CPU are proportional to the number of transistors.
For the current study, a very crude model is assumed [39]. For any given number of transistors on a chip, it is assumed that each transistor can be in one of two states (1 bit) and topological constraints limit the number of different ways it can be connected to neighboring transistors to ∼100 (7 bit). In total, each transistor can thus be described with 1 byte. Table 1 gives these numbers for a few example processors.

This naive hardware model is illustrated below on some simplified cryptanalysis problems. The focus of the remainder of this section will be on compute-bound problems. The contribution of the memory components to the computations will be ignored in the analysis.

2.3.1 Example: The EFF DES cracker

In [39], the example of the EFF cracking the 56-bit single DES system in 1998 [24, 6] is discussed. The challenge was to find the key that could decrypt an unknown encrypted message. From this example it is possible to get an estimate of the number of transistors, and costs, needed to implement basic cryptographic functions. The EFF succeeded in designing a search unit in silicon that could check a 56 bit DES key in 16 clock cycles [24, 6]. The EFF were able to fit 24 such search units onto a single chip containing around 10,000 transistors and use the units in parallel. So a 56-bit DES encryption unit plus comparator needed ∼420 transistors and runs in 16 clock cycles. With an estimated I_Dev ∼ 8 · #Transistors bit, this comes down to around 6,700 bytes in equation 1 for checking a single 56-bit DES encryption + compare (i.e., 8 · 16 · 10^4 / 24 bits, c.f., [39]). This translates to ∼120 byte per bit key length if it is assumed that encryption effort scales linearly with key length. For a brute force key attack, the average number of keys that have to be tested scales with 2^(k−1) for key length k.
For this specific DES attack, the computational costs, C_DES(k), needed to find a key of length k then scale as:

C_{DES}(k) = 120 \cdot k \cdot 2^{k-1} \ \text{(bytes)}     (2)

This cost will rise for Triple-DES, probably in the order of a tripling of the cost, e.g., 360 instead of 120 byte per bit key length.

2.3.2 GPU chips and super-computers

A modern Graphics Processing Unit (GPU) chip, like the ATI HD Radeon 5870, contains around 2.15 billion transistors and runs at a clock speed of 850 MHz [3]. Such a processor handles computations at a cost of ∼18 · 10^17 bytes per second (table 1). If such a processor could be constructed to run as an efficient parallel DES key search engine, i.e., like the EFF custom chips, it would be able to find a 56 bit DES key in 133 seconds on average.

To illustrate the capabilities of GPUs, the analysis is extended to a hypothetical encryption method with the same features as the single DES encryption standard, DES*. This DES* system is a model of simple cryptographic primitives and encryptions. The fictional DES* differs from real DES in that it allows variable key lengths. For every key length, an EFF DES cracker setup can be constructed for this fictional DES* that scales like equation 2 and uses 120 byte per bit key length to check a single key. On a customized processor of this size and speed, finding a 64 bit DES* key would require, on average, around 11 hours, and a 72 bit DES* key less than 5 months. A dedicated 65k (2^16) processor cluster would find an 84 bit DES* key in around 10 days and a 92 bit key in around 8 years. A 96 bit DES* key would take such a cluster around 120 years (on average; 240 years worst case). For finding a 96 bit DES* key in less than two years average, the technology would have to speed up by a factor of 60. At the historical rate of progress of I_Dev, around 2.6 dB/year (≈ 1.82/year [39]), this would take another 7 years to achieve (but see [35]).

For comparison, the fifth highest entry in the November 2009 TOP500 list of supercomputers, the Tianhe-1 supercomputer at the National SuperComputer Center in Tianjin/NUDT, China, contains 4096 Intel Xeon E5540 processors (2.5GHz, 7.3 · 10^8 transistors) and 1024 E5450 processors (3GHz, 8.2 · 10^8 transistors) connected to 5120 ATI Radeon HD 4870 GPUs (650 MHz, 9.6 · 10^8 transistors) with a grand total of over 98TB of memory [32, 33, 37]. Together the processors deliver 1.3 · 10^22 bytes/sec (ignoring memory). If such a machine had been built as a dedicated DES* key searcher, it would be able to find an 84 bit DES* key in 87 days, on average. The Tianhe-1 was built for close to 88 million USD [37].

If the cost of encryption of Triple DES is indeed only ∼3 times that of single DES, the above numbers are not comforting. Triple DES with 2 independent 56 bit keys (keying option 2) has a listed key strength much less than the expected 112 bits [25, 38]. NIST designates this keying option to have only 80 bits of security [30] and retires it in 2010. A message encoded with the equivalent of an 80 bit DES key could theoretically be decrypted within a few days with a special purpose 65k processor cluster as described above. However, the known attacks, e.g., [38, 25], are more complex than mere Triple DES encryption, with important time versus memory trade-off relations. Therefore, a separate analysis would be needed to calculate the costs of breaking double-key Triple DES.

2.3.3 A better fit with FPGA

The preceding sections assumed that an attacker could design and produce large numbers of special purpose CPU chips with state of the art semiconductor technology to compromise cryptographic systems. In many situations, such a threat model is unrealistic.
In such cases, a better model would assume that the attacker would use existing customizable products. A popular product in this class is a Field Programmable Gate Array (FPGA), an integrated circuit designed to be configured by the customer or designer after manufacturing [43]. Large differences in performance between general purpose processors and specially programmed (FPGA) chips have been demonstrated in the context of public key block ciphers by Gligoroski et al. [8]. They compared software implementations on a dual core Intel Core 2 Duo CPU with implementations on Xilinx Virtex-5 FPGA chips (table 1).

On an Intel Core Duo dual processor, encrypting a 160 bit block with their MQQ¹ algorithm takes 80,105 cycles and decrypting takes 6,212 cycles (tables 7 and 8 in [8]). Assuming the CPU is running at 2.6 GHz, this translates to a throughput of, respectively, 5.19Mb and 67.0Mb per second. Encryption of a basic data block (64 bit) with 1024-bit RSA requires 119,800 cycles, decrypting 2,952,752 cycles on the CPU. Throughputs for RSA are then, respectively, 1.39Mb and 56.4Kb per second.

The same MQQ algorithm had a corresponding throughput for encryption of 44 Gb per second when implemented on four 276.7MHz Xilinx Virtex-5 FPGAs and 399Mb per second for decrypting when implemented on a single 249.4 MHz Xilinx Virtex-5 FPGA. An implementation of 1024-bit RSA on a 251 MHz Virtex-5 FPGA had a throughput of 40Kb per second (unspecified for encryption or decryption). The computational resources consumed when encrypting or decrypting a single bit are compared in table 2.

For comparison, results for AES-128 on 16 byte blocks were collected. On an Intel Core Duo E6700 CPU, the throughput was 1Gbps [26].
Two different implementations on Virtex-5 boards achieved 4.1 Gbps throughput [2] (unspecified Virtex-5 types, assumed to be the same as for the RSA, updating the 3.8Gbs result reported in [8]).

Efficient use of hardware is determined by the fit between algorithm and the logic implemented in the chips. Encrypting with MQQ is amenable to parallelization and fits very well on the Virtex-5 [7]. From table 2 it can be seen that encryption with MQQ will use ∼5300 times more resources (cycles · transistors, i.e., bytes) when computed on a general purpose CPU than on a dedicated FPGA. An increase in hardware efficiency by a factor of ∼5300 would translate into an additional 12 bits of key length that could be decrypted for the same "costs". On the other hand, decryption shows only a modest increase in efficiency by a factor of ∼16. Another algorithm, 1024-bit RSA, can hardly be parallelized and shows no real efficiency difference between CPU and FPGA. The AES-128 results are in between, with a five time increase in efficiency between FPGA and general purpose CPU (assuming single core use).

The differences between the cases in table 2 raise the question of how the efficiency gains can be understood. The large gains for the encryption using the MQQ algorithm implemented on the Virtex-5 FPGA were derived from the ability to implement the steps of the algorithm in a pipeline that could output one encrypted data block per clock cycle [7]. Obviously, a tailored parallel pipeline approach is not possible with the fixed logic of a general purpose CPU. As illustrated by table 2, such dramatic increases using FPGAs might be uncommon.

¹ There are successful attacks known against MQQ which preclude its use in encryption [7]. This does not affect the computational properties discussed here.
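The resource bookkeeping of sections 2.3.1 to 2.3.3 is a handful of multiplications, but the numbers are easy to get wrong by orders of magnitude. The Python block below is an added worked example, not code from the paper: it implements the crude one-byte-per-transistor model (I_Dev in bytes times clock cycles), reproduces the bytes/s column of table 1, the EFF per-key cost and equation 2, the DES* search times for the Radeon 5870 and the 65k cluster, the 2.6 dB/year extrapolation, and the bytes-per-bit accounting behind table 2. All device figures are the ones quoted in the text; the function names, the 365.25-day year and the choice to attribute a whole chip or a single core to a measurement are assumptions of this example.

```python
"""Cost accounting in the paper's crude hardware model: cost = I_Dev (bytes) x cycles.
Added example; device figures are those quoted in the paper's tables 1 and 2."""
import math

SECONDS_PER_DAY = 86400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY      # assumption: Julian year

# (transistors, clock in Hz) as given in table 1
RADEON_5870 = (2.15e9, 850e6)
CORE_DUO = (291e6, 2.6e9)
VIRTEX5_249 = (1.1e9, 249.4e6)
VIRTEX5_251 = (1.1e9, 251e6)
VIRTEX5_277 = (1.1e9, 276.7e6)


def bytes_per_second(transistors, clock_hz):
    """Table 1 'Bytes/s': 1 byte of I_Dev per transistor, delivered once per cycle."""
    return float(transistors) * clock_hz


def eff_key_check_cost_bytes(chip_transistors=10_000, units_per_chip=24,
                             cycles_per_key=16, bits_per_transistor=8):
    """EFF search unit: the chip's information content shared by 24 units, times 16 cycles.
    This is the paper's 8 * 16 * 10^4 / 24 bits, converted to bytes (about 6,700)."""
    return bits_per_transistor * chip_transistors / units_per_chip * cycles_per_key / 8


def cost_per_key_bit(key_bits=56):
    """Per-bit cost, assuming encryption effort scales linearly with key length (about 120)."""
    return eff_key_check_cost_bytes() / key_bits


def c_des(k, per_bit=120):
    """Equation 2: average brute-force cost in bytes of a k-bit DES* key."""
    return per_bit * k * 2 ** (k - 1)


def search_time_seconds(k, device, n_processors=1, worst_case=False):
    """Average (or worst-case) time to find a k-bit DES* key on n copies of a device."""
    cost = c_des(k) * (2 if worst_case else 1)
    return cost / (bytes_per_second(*device) * n_processors)


def years_to_speedup(factor, rate_db_per_year=2.6):
    """Years until I_Dev has grown by `factor` at a constant dB/year rate (2.6 dB ~ 1.82x)."""
    per_year = 10 ** (rate_db_per_year / 10)
    return math.log(factor) / math.log(per_year)


def bytes_per_bit_from_cycles(cycles, block_bits, transistors, cores_used=1, total_cores=1):
    """Table 2, CPU rows: cycles per bit times the transistors attributed to the cores used."""
    return cycles / block_bits * transistors * cores_used / total_cores


def bytes_per_bit_from_throughput(bits_per_second, clock_hz, transistors, n_chips=1):
    """Table 2, throughput rows: cycles per bit = clock / throughput, times chip content."""
    return clock_hz / bits_per_second * transistors * n_chips


def mqq_efficiency_gains():
    """CPU/FPGA resource ratios for MQQ encryption and decryption (paper: ~5300 and ~16)."""
    cpu_enc = bytes_per_bit_from_cycles(80_105, 160, CORE_DUO[0])
    cpu_dec = bytes_per_bit_from_cycles(6_212, 160, CORE_DUO[0])
    fpga_enc = bytes_per_bit_from_throughput(44e9, VIRTEX5_277[1], VIRTEX5_277[0], n_chips=4)
    fpga_dec = bytes_per_bit_from_throughput(399e6, VIRTEX5_249[1], VIRTEX5_249[0])
    return cpu_enc / fpga_enc, cpu_dec / fpga_dec


if __name__ == "__main__":
    print(f"Radeon 5870: {bytes_per_second(*RADEON_5870):.3g} bytes/s")
    print(f"EFF key check: {eff_key_check_cost_bytes():.0f} bytes, "
          f"{cost_per_key_bit():.0f} bytes per key bit")
    print(f"56-bit DES on a Radeon-sized search engine: "
          f"{search_time_seconds(56, RADEON_5870):.0f} s average")
    print(f"84-bit DES* on 2^16 such chips: "
          f"{search_time_seconds(84, RADEON_5870, 2**16) / SECONDS_PER_DAY:.1f} days")
    print(f"96-bit DES* on 2^16 such chips: "
          f"{search_time_seconds(96, RADEON_5870, 2**16) / SECONDS_PER_YEAR:.0f} years")
    print(f"Factor 60 speed-up at 2.6 dB/year: {years_to_speedup(60):.1f} years")
    enc_gain, dec_gain = mqq_efficiency_gains()
    print(f"MQQ CPU/FPGA gain: encryption x{enc_gain:.0f} "
          f"({math.log2(enc_gain):.1f} key bits), decryption x{dec_gain:.0f}")
```

Changing the per-bit cost, the clock, or the transistor count in one place propagates through every estimate, which is the point of having the cost function rather than a table of benchmark anecdotes.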
3 Adversaries on a budget

A really Universal UTM can crack any cryptographic system that is based on secret information that is less complex than the message. This can be done by iterating over all programs and selecting the one that decrypts the message first. In a secret key based system, it can be done by a brute force attack iterating over all keys. However, brute force strategies can take more time and matter than are available in the universe (c.f., [21, 22, 23]). Therefore, a meaningful way is needed to limit the power of the Attacker without losing the theoretical power of the UTM.

The Attacker needs resources to perform the required computations. Resources are understood in the sense of [16, 39]. The resources are supplied by the Environment on a request basis. With a cost function to quantify computational needs in place, meaningful limits can be placed on the Attacker. A budget is allocated to the Attacker, and before every step in the computation, the resource costs of that computation step are subtracted from the budget. If the budget becomes depleted, the Attacker loses. The size of the smallest budget for which the Attacker can win the challenges before the budget is depleted can be considered the strength of the cryptographic system under study. It is obvious that a fully universal UTM is regained in the limit of an infinite budget.

An intuitively meaningful way to set a budget is to calculate the computational cost of testing all possible keys. So if testing one key costs C_key, testing all keys of length k bits will cost C_key · 2^k, as expected. To assist in bookkeeping, the Attacker can request the current size of its budget on the run tape. The valuation tape contains the information about the resources available from the Environment. For instance, in situations where the Attacker does not have to design a computer system from scratch, the valuation tape might contain a catalogue of available computer systems.

Table 2: Computational resources consumed (bytes) when encrypting or decrypting 1 bit using the MQQ based algorithm (n = 160) [8], 1024-bit RSA [8], and AES-128 [26, 2]. See table 1 for hardware specifications. The RSA results for the Virtex-5 combine encryption and decryption. See text for details.

            MQQ                        1024 RSA                   AES-128
            encryption   decryption    encryption   decryption    both
Core Duo    146 GB       11.3 GB       272 GB(a)    6.71 TB(a)    379 MB
Virtex-5    27.5 MB(b)   687 MB(c)     -(d)         6.9 TB(d)     67.3 MB

(a) per core [7].
(b) four Virtex-5 XC5VFX70T-2 at 277 MHz.
(c) one Virtex-5 XC5VFX70T-2 at 249 MHz.
(d) one Virtex-5 XC5VLX30-3 at 251 MHz; unspecified combined results for encryption and decryption were given.

To illustrate the use of the above theory, a few cryptanalytical cases from the literature are presented. Attention will be focussed on non-interactive cryptanalysis. A full account should also address the interactive gathering of information, e.g., differential cryptanalysis.

3.1 Challenges: One-Time Pad example

Modeling cryptanalytical attacks as games enforces an explicit definition of the conditions under which the Attacker wins. The computability logic model described here defines winnability as the ability of the Attacker to succeed at a number of predefined challenges. These challenges can be interactive. For instance, in most cryptographic systems, the ability to guess whether a known message has been communicated would be a serious vulnerability. In the formalism presented here, such knowledge could be formalized as being able to guess above chance which ciphertext encodes a given plaintext.
As an example, suppose the challenge is to exploit a vulnerability in a One-Time Pad (OTP) implementation where each plaintext is XORed (eXclusive OR) with a unique sequence of random bits. The Attacker presents two self delimited plaintexts on the run tape. The Environment answers with a self delimited ciphertext that encrypts one of these plaintexts. The Environment can pad the shortest plaintext to the length of the longest before encryption. The Attacker then tells which of the two plaintexts was encrypted. If the Attacker can guess the correct plaintext above chance, the Attacker wins. The threshold of proof can be put at any convenient level.

The attack strategy would then be to request encryptions of known or chosen plaintexts. The One-Time Pad bit strings are available for analysis after removing (XOR-ing) the known plaintexts from the ciphertext. If some statistical deviation from a pure, uncorrelated, uniform distribution can be detected in the bit strings, the challenges can in principle be won. Simply choose the ciphertext that, XORed with the plaintext, shows the anomaly.

As the OTP is proven secure [31], the challenges are only winnable if the (long) keys are not completely random, e.g., when using an insecure Random Number Generator (RNG). An Attacker model might include a simulation of compromising an RNG as in, e.g., [9, 17]. By varying the challenges between ciphertext only, plaintext chosen by Environment, and plaintext chosen by Attacker, the effects of different security policies can be evaluated. For instance, the costs and benefits of preventing the guessing of plaintexts can be compared to those of periodically reseeding the key generator and redistributing new keys [17].

Occasionally, the security of the OTP against cryptanalysis is questioned, as in [41, 42].
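The chosen-plaintext challenge just described can be played out against a pad generator to see when it is winnable. The Python block below is an added example, not code from the paper: the Attacker submits two plaintexts, the Environment XORs one of them with a pad and returns the ciphertext, and the Attacker XORs both candidates back out and picks the one whose recovered pad bits deviate most from the uniform fraction of ones. The pad generator, the 4096-bit challenge length, the 0.1 deviation threshold and the bias of 0.3 for the "insecure RNG" are constructed for this example; a generator with p = 0.5 stands in for a sound one.

```python
"""Section 3.1 OTP challenge as a game: two plaintexts, one ciphertext, one guess.
Added example with a constructed pad generator; not the paper's code."""
import random

N_BITS = 4096      # constructed challenge length
THRESHOLD = 0.1    # a uniform 4096-bit pad deviates by about 0.008 (one sigma); 0.1 is far outside


def pad_bits(n, p_one, seed):
    """Constructed pad generator: p_one = 0.5 models a sound RNG, anything else a biased one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def environment_move(plaintexts, pad, rng):
    """Environment's move: encrypt one randomly chosen plaintext with the pad."""
    chosen = rng.randrange(len(plaintexts))
    return chosen, xor(plaintexts[chosen], pad)


def ones_deviation(bits):
    """Distance of the fraction of ones from the 0.5 expected of a uniform pad."""
    return abs(sum(bits) / len(bits) - 0.5)


def attacker_guess(plaintexts, ciphertext):
    """Attacker's move: XOR each candidate plaintext out of the ciphertext and point at the
    one whose recovered pad shows the largest anomaly. Returns (index, deviation)."""
    deviations = [ones_deviation(xor(p, ciphertext)) for p in plaintexts]
    best = max(range(len(deviations)), key=deviations.__getitem__)
    return best, deviations[best]


def play_challenges(p_one, rounds=20, seed=1):
    """Play `rounds` challenges against a generator with bias p_one.
    Returns (fraction of correct guesses, largest deviation observed)."""
    rng = random.Random(seed)
    correct, max_dev = 0, 0.0
    for r in range(rounds):
        # Attacker-chosen plaintexts: two independent random bit strings, so the wrong
        # candidate pad is the true pad XOR an unrelated uniform string and looks uniform.
        p0 = [rng.randrange(2) for _ in range(N_BITS)]
        p1 = [rng.randrange(2) for _ in range(N_BITS)]
        pad = pad_bits(N_BITS, p_one, seed * 1000 + r)
        chosen, ciphertext = environment_move([p0, p1], pad, rng)
        guess, dev = attacker_guess([p0, p1], ciphertext)
        max_dev = max(max_dev, dev)
        correct += int(guess == chosen)
    return correct / rounds, max_dev


def anomaly_detected(p_one, rounds=20, seed=1):
    """True when the recovered pad bits ever cross the deviation threshold."""
    return play_challenges(p_one, rounds, seed)[1] > THRESHOLD


if __name__ == "__main__":
    for p in (0.5, 0.3):
        acc, dev = play_challenges(p)
        print(f"p(one)={p}: {acc:.0%} correct, max deviation {dev:.3f}, "
              f"anomaly={'yes' if dev > THRESHOLD else 'no'}")
```

With a sound generator both recovered candidates look uniform and the Attacker is reduced to guessing; with the biased generator the correct candidate is recognised in every round. The same loop, with the plaintexts supplied by the Environment instead of the Attacker, models the "plaintext chosen by Environment" variant mentioned above.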
The formalism presented here can help to evaluate whether and how a vulnerability, if any, can be exploited. For instance, from the analysis presented in [41, 42] it is not clear how a chosen-plaintext challenge as presented here can be won, i.e., whether there is a vulnerability at all.

3.2 Dictionary attacks and time versus memory trade-offs

There exist methods to efficiently pre-calculate dictionaries with stored ciphertext/key pairs to amortize the cost of encryptions over many different key attacks [19, 28]. To evaluate their threat, it is necessary to estimate the resources needed to construct and operate such a dictionary. Constructing a table of Rainbow chains or a dictionary of encryptions is equivalent to doing a brute force key search and requires the same effort [19, 28]. The new question is how many resources are needed to use the dictionary after it has been created.

For simplicity, assume a key size of k and an ordered (Ciphertext_i, Key_i) dictionary with L = 2^(k − ε) encryptions of a 3k long plaintext X_0 as in [19]. The factor ε determines the fraction of keys in the dictionary as 2^(−ε). With these numbers, the size of the dictionary is D = 4kL. According to [19] it takes at most 3k(k − ε) comparisons to find an encryption in the dictionary, but k − ε comparisons seems a more conservative choice. For k = 56 and ε = 6, the size of the dictionary is D = 4 · 56 · 2^50 ≈ 2.5 · 10^17 bits, or 3.1 · 10^16 bytes, and the expected number of comparisons per lookup becomes 50. In the ideal case, every comparison is done in, say, two steps for a total of 100 steps per lookup. Assume that Attackers "lease" access to the dictionary for each look-up, that is, there are no "wait states" and the resource is in constant use by Attackers. The average cost of a lookup is then 3.1 · 10^18 bytes, ignoring the small costs of the comparisons themselves.
The average cost of a discovered key would be around 2 · 10^20 bytes. Compared to the current scope of hardware, at 10^18 byte/s for a single desktop system [39], this cost is unremarkable. The real point is not the "computation" or processing, but the required storage capacity of 31 petabyte (31 · 10^15 bytes). This is around 15% of the capacity of a large data-center like Google's Googleplex facility, or a "botnet" of a few million computers with some 10 GB each. Such a resource would require parallel access through many nodes, which would change the simple cost model above. A botnet of this size would have to contain some 3 million compromised computers with a real cost in the order of $15 a piece, in 2007 dollars, on the black market, or $45 million in total [29]. The combined value of the encoded information must outweigh the costs of this set-up to make this attack worthwhile. The computational capacity of such a distributed data center or botnet, with its delayed response times, is obviously different from an integrated desktop system. This analysis shows that using such a dictionary is, unsurprisingly, not so much a computational as a storage problem. In this case, the maintenance of such a large storage is much more a limitation than the duration of the computation.

3.3 Pseudo Random Number Generator attacks: The TF-1 generator

Pseudo-Random Number Generators (PRNGs) are important cryptographic primitives that can be vulnerable to their own types of attacks [17]. PRNGs are used, for example, to generate the symmetric keys in public key communication protocols like SSL (Secure Socket Layer protocol). Their relative security, or lack thereof, is strongly determined by the resources available to the Attacker (e.g., [17]).

The Klimov-Shamir number generator TF-1 is analyzed by Tsaban [34].
In short, for a word size w, this PRNG has an internal state of size 4w. The intended "strength" is 2^(2w) [18, 34], i.e., 2w bit. However, Tsaban finds that the internal state can be found in 16 · 2^(1.5w) elementary operations (i.e., 1.5w bit strength) after scanning 2^w output words for a 0 value [34]. Each possible internal state can, on average, be checked in 16 basic operations given a special 0 value in the output.

The 16 operations needed to check the internal state are very basic. A DES Cracker like search unit should be sufficient (see section 2.3.1). The original DES Cracker search unit used around 120 byte per bit key width. For the sake of argument, it is assumed here that a comparable setup could be constructed that analyzes the internal state of the TF-1 number generator for 120 byte per bit in the reduced word size 1.5w. Each basic operation should again need only a single clock cycle. For such a system, the above analysis for the single DES cracker would still hold up to a fixed factor (see sections 2.3.1 and 2.3.2).

An efficient setup with the complexity and speed of an ATI HD Radeon 5870 (see section 2.3.2 and table 1) would need under half a second to find the internal state for a word width of w = 32 bit (48 bit strength) and less than five months for a word width of w = 48 bit (72 bit strength), both on average (see table 3). A cluster using 65 thousand such set-ups could finish a w = 56 bit word length in ten days (84 bit strength). A theoretical w = 60 bit word length variant (90 bit strength) could be expected to be broken in less than two years. For word lengths of w = 64 (96 bit strength), the time still runs into 120 years and remains elusive, as Tsaban already notes [34].

The number of output words needed to find a 0 word can become unwieldy for the longer, w = {48, 56}, word lengths (see table 3).
For w = 48, around 2^(48−1) ≈ 10^14 output words have to be scanned for a 0 value. That is around 40 hours at a billion (10^9) words per second (average). For w = 56 this would be a waiting time of 14 months. Note that originally, the intended strengths of word lengths of 32, 48, and 56 bit in TF-1 were, respectively, 64, 96, and 112 bit.

An efficient attack on the TF-1 number generator would be to set up a cheap system to scan for 0-words, storing a history of PRNG output and relevant data to compromise. Only after a 0-word has been encountered would the machinery to attack the cipher be commissioned and the attack performed.

No one has yet reported a DES Cracker like set-up for TF-1. So the above calculations are based on the assumption that it could be possible to harness the design complexity of a modern GPU for custom designed cryptanalysis hardware. The above analysis allows putting a monetary number on the price to crack this specific PRNG. Users of this algorithm can now judge for themselves how much any adversaries would be willing to pay for such a set-up and what the chances are of a version of the algorithm that does not need to find a 0 word.

4 Discussion and conclusions

Cryptanalysis promises to be a very fertile field for developing insight into the quantification of computational resource needs. A game theoretic view of cryptanalysis was introduced by Von Neumann and Morgenstern and later taken up by Shannon [40, 31]. This study adopts this game approach and proposes to use computability logic [15, 16, 39] to rigorously define Shannon's work function [31]. In this approach, attack procedures are formulated in terms of computable functions [36], the resources used, and also a full definition of the context of the attack.
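The Memory times Steps bookkeeping behind the dictionary figures of section 3.2 and the TF-1 times of table 3 can be reproduced with a short calculation. The following is an added example, not code from the paper; it assumes that one search unit checks one candidate state per step (the assumption under which the table 3 times come out), months of 30.44 days and years of 365.25 days.

```python
# Added worked calculation of the Memory x Steps cost count for the dictionary
# attack of section 3.2 and the TF-1 attack of section 3.3 / table 3.

RADEON_5870_BYTES_PER_S = 1.83e18   # hardware capacity figure used in table 3
SECONDS = {"sec": 1.0, "hours": 3600.0, "days": 86400.0,
           "months": 30.44 * 86400.0, "years": 365.25 * 86400.0}

def work(memory_bytes: float, steps: float) -> float:
    """Resource count with the dimension of bytes: memory held times steps taken."""
    return memory_bytes * steps

def dictionary_attack(k: int = 56, eps: int = 6, steps_per_compare: int = 2) -> dict:
    # L = 2^(k-eps) entries, each a 3k-bit ciphertext plus a k-bit key: D = 4kL bits.
    entries = 2.0 ** (k - eps)
    dict_bytes = 4 * k * entries / 8
    steps_per_lookup = (k - eps) * steps_per_compare   # k-eps comparisons per lookup
    lookup = work(dict_bytes, steps_per_lookup)         # dictionary "leased" per lookup
    # Only a 2^-eps fraction of keys is stored, so 2^eps lookups per discovered key.
    return {"dictionary_bytes": dict_bytes, "lookup_bytes": lookup,
            "key_bytes": lookup * 2 ** eps}

def tf1_attack(w: int, n_cpu: int = 1, bytes_per_bit: float = 120.0,
               rate: float = RADEON_5870_BYTES_PER_S, scan_rate: float = 1e9) -> dict:
    # Tsaban's attack reduces the search to 1.5w bits once a 0 output word is seen.
    strength = 1.5 * w
    unit_memory = bytes_per_bit * strength        # search unit sized like the DES Cracker
    states_on_average = 2.0 ** (strength - 1)     # half the reduced state space (assumed
    seconds = work(unit_memory, states_on_average) / (rate * n_cpu)  # one state per step)
    words_to_scan = 2.0 ** (w - 1)                # expected outputs before a 0 word
    return {"strength_bits": strength, "seconds": seconds, "values": words_to_scan,
            "scan_hours": words_to_scan / scan_rate / SECONDS["hours"]}

def in_units(seconds: float, unit: str) -> float:
    return seconds / SECONDS[unit]

if __name__ == "__main__":
    d = dictionary_attack()
    print(f"dictionary {d['dictionary_bytes']:.2g} B, per key {d['key_bytes']:.2g} B")
    for w, n in ((32, 1), (48, 1), (56, 65536), (60, 65536), (64, 65536)):
        t = tf1_attack(w, n)
        print(f"w={w} strength={t['strength_bits']:.0f} bit cpus={n} "
              f"time={in_units(t['seconds'], 'days'):.3g} days")
```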
Based on a few "natural" requirements, a simple formula for quantified resources emerges as equation 1 with the features of Memory times Steps, i.e., a dimension of bytes [39]. This count includes the information "frozen" into the computational device itself, e.g., the UTM action table or the components and connections of the CPU. By reducing silicon CPU complexity to transistor connectivity and memory capacity, it is possible to roughly guess the capacity of real hardware.

Using the estimated hardware complexity of mass market processors as an upper boundary, it is possible to estimate the limits of customized cryptanalytic hardware. These limits can be used to understand historical cases, like the failure of 56 bit DES encryptions [6]. These limits can also be used to predict the (theoretical) failure of modern cryptographic primitives like the TF-1 PRNG with a theoretical strength of 84 and 90 bit keys (intended strengths were originally 112 and 120 bits) [18, 34], as well as the efforts needed to actually effectuate the attacks.

Table 3: Expected times for finding the internal state of a TF-1 PRNG [34] using theoretically optimal custom CPUs with the complexity of an ATI HD Radeon 5870 (1.83 · 10^18 Byte/s). See text for details. #CPU: number of CPU equivalents; #values: number of PRNG values needed to find the special 0 value; time: expected time to find the internal state after finding the special 0 value.

w    strength (bit)   #CPU     #values        time
32   48               1        2.1 · 10^9     0.5 sec
48   72               1        1.4 · 10^14    4.2 months
56   84               65,536   3.6 · 10^16    9.4 days
60   90               65,536   5.8 · 10^17    1.8 year
64   96               65,536   9.2 · 10^18    120 years

It can be concluded that the general problem of quantifying computational resource use in interactive cryptanalysis attacks can be solved in a formalized setting.
When used to formalize cryptanalysis, it becomes possible to quantify the cryptanalysis work function [31]. Even the computational costs of hypothetical attacks on cryptographic primitives can be estimated before they have to be demonstrated at great monetary cost. Examples show that it would currently (2010) be feasible to build hardware that could break some 84 bit strength cryptographic primitives in mere days, and 90 bit strength primitives in less than two years.

5 Acknowledgment

This project was made possible by grant 276-75-002 of the Netherlands Organisation of Scientific Research (NWO).

References

[1] Barker, W. C. Recommendation for the Triple Data Encryption Algorithm (TDEA) block cipher. National Institute of Standards and Technology, Gaithersburg, MD, USA, 2004, http://nla.gov.au/nla.cat-vn4181820.
[2] Bulens, P., Standaert, F., Quisquater, J., Pellegrin, P., and Rouvroy, G. Implementation of the AES-128 on Virtex-5 FPGAs. Lecture Notes in Computer Science 5023 (2008), 16–26.
[3] Case, L. ATI HD Radeon 5870: The Fastest Video Card Ever (PS It's $380). MAXIMUMPC (Sept. 2009), http://www.maximumpc.com/article/features/ati_radeon_5870_fastest_videocard_ever_ps_its_380.
[4] Cook, D., Baratto, R., and Keromytis, A. Remotely keyed cryptographics: secure remote display access using (mostly) untrusted hardware. Information and Communications Security (2005), 363–375.
[5] Daylight, E. G., Koolen, W. M., and Vitányi, P. M. B. On time-bounded incompressibility of compressible strings. arXiv:0809.2965v4 [cs.CC] (2008).
[6] Electronic Frontier Foundation. Frequently Asked Questions (FAQ) about the Electronic Frontier Foundation's 'DES Cracker' Machine. Online, July 1998, http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html.
[7] Gligoroski, D. Personal communication, 2010.
[8] Gligoroski, D., Markovski, S., and Knapskog, S. J. A public key block cipher based on multivariate quadratic quasigroups. arXiv:0808.0247v1 [cs.CR] (2008).
[9] Gutterman, Z., Pinkas, B., and Reinman, T. Analysis of the Linux Random Number Generator. In SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P '06) (Washington, DC, USA, 2006), IEEE Computer Society, pp. 371–385.
[10] Halpern, J. Y. Beyond Nash equilibrium: Solution concepts for the 21st century. arXiv:0806.2139v1 [cs.GT] (2008).
[11] Halpern, J. Y., and Pass, R. Game theory with costly computation. arXiv:0809.0024v1 [cs.GT] (2008).
[12] Help Net Security. Patent filed for revolutionary technique to quickly recover lost passwords. Online, Oct. 2007, http://www.net-security.org/secworld.php?id=5567.
[13] Japaridze, G. Introduction to computability logic. Ann. Pure Appl. Logic 123, 1-3 (2003), 1–99.
[14] Japaridze, G. Computability logic: a formal theory of interaction. arXiv:cs/0404024v3 [cs.LO] (2004).
[15] Japaridze, G. In the beginning was game semantics. arXiv:cs/0507045v3 [cs.LO] (2005).
[16] Japaridze, G. Introduction to Cirquent Calculus and Abstract Resource Semantics. J Logic Computation 16, 4 (2006), 489–532, http://logcom.oxfordjournals.org/cgi/reprint/16/4/489.pdf.
[17] Kelsey, J., Schneier, B., Wagner, D., and Hall, C. Cryptanalytic Attacks on Pseudorandom Number Generators. Lecture Notes in Computer Science 1372 (1998), 168–188.
[18] Klimov, A., and Shamir, A. New cryptographic primitives based on multiword T-functions. In FSE (2004), B. K. Roy and W. Meier, Eds., vol. 3017 of Lecture Notes in Computer Science, Springer, pp. 1–15.
[19] Li, A.-P. A generic attack to ciphers. arXiv:0710.2970v2 [cs.CR] (2007).
[20] Li, M., and Vitányi, P. An introduction to Kolmogorov complexity and its applications (2nd ed.).
Springer-Verlag New York, Inc., Secaucus, NJ, USA, 1997.
[21] Lloyd, S. Ultimate physical limits to computation. Nature 406 (August 2000), 1047–1054, arXiv:quant-ph/9908043v3.
[22] Lloyd, S. Computational Capacity of the Universe. Phys. Rev. Lett. 88, 23 (May 2002), 237901.
[23] Lloyd, S. A theory of quantum gravity based on quantum computation. arXiv:quant-ph/0501135v8 (2005).
[24] Loukides, M., and Gilmore, J., Eds. Cracking DES: Secrets of encryption research, wiretap politics and chip design. O'Reilly & Associates, Inc., Sebastopol, CA, USA, 1998.
[25] Lucks, S. Attacking triple encryption. Lecture Notes in Computer Science 1372 (1998), 239–253.
[26] Matzan, J. The Intel Core 2 Duo processor. Hardware in Review (Oct. 2006), http://www.hardwareinreview.com/processors/the_intel_core_2_duo_processor.html.
[27] National Instruments. Advantages of the Xilinx Virtex-5 FPGA. Online, 2008, http://zone.ni.com/devzone/cda/tut/p/id/7440.
[28] Oechslin, P. Making a Faster Cryptanalytic Time-Memory Trade-Off. In CRYPTO (2003), pp. 617–630.
[29] Paxson, V., Franklin, J., Perrig, A., and Savage, S. An inquiry into the nature and causes of the wealth of internet miscreants. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security (New York, NY, USA, 2007), ACM, pp. 375–388, http://www.icsi.berkeley.edu/cgi-bin/pubs/publication.pl?ID=002289.
[30] Polk, W. T., Dodson, D. F., and Burr, W. E. Cryptographic algorithms and key sizes for Personal Identity Verification. National Institute of Standards and Technology, Gaithersburg, MD, USA, 2006, http://nla.gov.au/nla.cat-vn3842430.
[31] Shannon, C. E. Communication Theory of Secrecy Systems. Bell System Technical Journal 28, 4 (1949), 656–715.
[32] Strom, D. Top500 news: The rise of the GPU.
David Strom's Web Informant (2009), http://strom.wordpress.com/2009/11/19/top500/.
[33] TOP500.org. Tianhe-1, China's first Petaflop's scale supercomputer. TOP500 (Nov. 2009), http://top500.org/blog/2009/11/13/tianhe_1_chinas_first_petaflops_scale_supercomputer.
[34] Tsaban, B. Theoretical cryptanalysis of the Klimov-Shamir number generator TF-1. arXiv:cs/0507063v2 [cs.CR] (2005).
[35] Tuomi, I. The lives and death of Moore's Law. First Monday 7, 11 (2002), 4, http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1000/921.
[36] Turing, A. M. On computable numbers, with an application to the Entscheidungsproblem. Proceedings of the London Mathematical Society. Second Series 42 (1936), 230–265.
[37] Valich, T. GPGPU start to take over the HPC sector: 5120 ATI GPUs deployed in China. BRIGHT SIDE OF NEWS (Nov. 2009), http://www.brightsideofnews.com/news/2009/11/3/gpgpu-start-to-take-over-the-hpc-sector-5600-ati-gpus-deployed-in-china.aspx.
[38] Van Oorschot, P., and Wiener, M. A known-plaintext attack on two-key triple encryption. In Lecture Notes in Computer Science: Advances in Cryptology-Eurocrypt90 Proceedings (1990), pp. 318–325, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.66.6575&rep=rep1&type=pdf.
[39] van Son, R. J. J. H. Quantifying resource use in computations. arXiv:0911.5262v1 [cs.CC] (2009).
[40] von Neumann, J., and Morgenstern, O. The Theory of Games and Economic Behavior. Princeton University Press, Princeton, 1947.
[41] Wang, Y. Confirmation of Shannon's mistake about perfect secrecy of one-time-pad. arXiv:0709.4420v1 [cs.CR] (2007).
[42] Wang, Y. Mistake Analyses on Proof about Perfect Secrecy of One-time-pad. arXiv:0709.3334v1 [cs.CR] (2007).
[43] Wikipedia. Field-programmable gate array.
Online, February 2010, http://en.wikipedia.org/wiki/Field-programmable_gate_array.
[44] Wikipedia. List of Intel Core 2 microprocessors. Online, February 2010, http://en.wikipedia.org/wiki/List_of_Intel_Core_2_microprocessors.
[45] Wikipedia. Transistor count. Online, February 2010, http://en.wikipedia.org/wiki/Transistor_count.
[46] Xilinx. Virtex-5 Family Overview. Online, February 2009, http://www.xilinx.com/support/documentation/data_sheets/ds100.pdf.