Open access peer-reviewed chapter - ONLINE FIRST

Tradeoff Attacks on Symmetric Ciphers

By Orhun Kara

Submitted: July 7th 2020Reviewed: February 15th 2021Published: March 5th 2021

DOI: 10.5772/intechopen.96627

Downloaded: 34

Abstract

Tradeoff attacks on symmetric ciphers can be considered as the generalization of the exhaustive search. Their main objective is reducing the time complexity by exploiting the memory after preparing very large tables at a cost of exhaustively searching all the space during the precomputation phase. It is possible to utilize data (plaintext/ciphertext pairs) in some cases like the internal state recovery attacks for stream ciphers to speed up further both online and offline phases. However, how to take advantage of data in a tradeoff attack against block ciphers for single key recovery cases is still unknown. We briefly assess the state of art of tradeoff attacks on symmetric ciphers, introduce some open problems and discuss the security criterion on state sizes. We discuss the strict lower bound for the internal state size of keystream generators and propose more practical and fair bound along with our reasoning. The adoption of our new criterion can break a fresh ground in boosting the security analysis of small keystream generators and in designing ultra-lightweight stream ciphers with short internal states for their usage in specially low source devices such as IoT devices, wireless sensors or RFID tags.

Keywords

  • symmetric cipher
  • block cipher
  • stream cipher
  • tradeoff attack
  • keystream
  • keystream generator
  • Hellman table
  • rainbow table
  • one-way function
  • preimage

1. Introduction

In general, bulk encryption is performed through symmetric ciphers; that is, block ciphers or stream ciphers. Hash functions, message authentication codes and authenticated encryption schemes are also based on the quite similar design and security principles. All these cryptographic primitives are examples of one-way functions for which it must be computationally infeasible to find a preimage. Indeed, the only generic method to invert a given output is exhaustively searching for one of its inputs.1 This may be embodied as brute force attacks on block ciphers and stream ciphers, internal state recovery attacks on keystream generators, preimage attacks on hash functions or constructing valid messages to given tag values for message authentication codes.

The brute force attacks can be expedited significantly by utilizing very large tables that have been already prepared during the offline phase. This phase is called the precomputation phase also and is usually equivalent to exhaustive search. Nevertheless, once it is executed, the prepared tables can be used several times.

It may be possible to further improve a tradeoff attack by exploiting large amount of data (plaintext/ciphertext pairs). Biryukov-Shamir attack on keystream generators can be considered as a typical example of a tradeoff among time, memory and data [1]. One of the internal states of a long keystream sequence is recovered. However, it is still unknown how to use data to improve the tradeoff attacks on block ciphers.

The state sizes of block ciphers are not of security concern against tradeoff attacks, enabling to design ultra-lightweight block ciphers. In fact, we encounter several such block cipher designs in the literature during the last decades [2, 3, 4, 5, 6, 7, 8, 9]. However, it seems to be almost impossible to design ultra-lightweight stream ciphers due to their strict security criterion on the lower bound of their internal state sizes to resist tradeoff attacks.

The tradeoff attacks can be quite effective against some real world cryptographic primitives. The tradeoff tables can be used in practical applications to break real life ciphers such as A5/1 for the GSM encryption [10, 11, 12] or to crack passwords by finding preimages to hash functions [13, 14, 15, 16, 17]. In this chapter, we introduce briefly how to use tradeoff tables to invert small sized one-way functions. Moreover, we evaluate the state of art of the applications, raise some open problems and come up with a discussion on the countermeasures against tradeoff attacks on keystream generators.

We argue that it is possible to loosen the lower bound for the state size without sacrificing the security against tradeoff attacks and this can enable designing ultra-lightweight stream ciphers. We claim that the lower bound for the internal state size can be diminished to 4n/3bits from 2nbits where nis the key length. It is possible to design a keystream generator of size 4n/3bits, which remains still secure against tradeoff attacks and which presents a great advantage in low cost applications. Indeed, such ciphers are in real world demand due to the confidentially issues of lightweight devices such as RFID tags, wireless sensors or IoT devices.

It is straightforward that resistance against tradeoff attacks is not sufficient for security. Unfortunately, the security of small stream ciphers has not been studied sufficiently so far. We still do not know how to design secure and small stream ciphers. This is due to fact that almost all the stream ciphers in the literature have internal state sizes at least twice as large as their key sizes. Hence, there is almost no example in the literature to analyze. The recent small keystream generators such as Sprout [18] or Plantlet [19] are analyzed intensively in a short while and several weaknesses are discovered [20, 21, 22, 23, 24, 25, 26].

The tradeoff attacks on block ciphers so far are limited to the tradeoff between only time and memory. It is an open problem how to construct a tradeoff curve between memory and data or among memory, data and time for a single key recovery attack. We phrase the problem of inverting one-way function with data, the problem of mutual inverting of multiple one-way functionsand the problem of inverting only one of the several independent one-way functions. Moreover, we address these problems with block ciphers and raise a question about the hierarchical relationships between any pair of them.

The outline of the chapter is as follows. We briefly overview the tradeoff attacks on symmetric ciphers, give some recent applications of these attacks and evaluate them in Section 2. Then, we assess the tradeoff attacks on stream ciphers and keystream generators in Section 3. We also introduce the tradeoff attacks on block ciphers, discuss the differences from those on stream ciphers and state some open problems in Section 4. We assess the internal state recovery tradeoff attacks and make an argument about the internal state sizes of keystream generators in Section 5. Finally, we introduce our concluding remarks in Section 6.

Advertisement

2. Inverting a one-way function through tradeoff

Let f:GF2mGF2nbe a one-way function of mbit input and nbit output. That is, it is easy to compute the output, fx=y, of a given input xGF2m; but computationally infeasible to find a preimage xf1yfor a given output yGF2n.

The phrase” computationally infeasible” is not a formal or a precise statement. Indeed, we mean that the fastest algorithm of finding a preimage xf1ymust be exhaustively searching for x, either online or offline. This definition is valid for random one-way functions which are generally not permutations. The one-way functions deduced from symmetric ciphers are examples and we consider them only throughout the chapter. The time complexity of recovering one preimage of a given value yGF2nis about T=2ncalls of the ffunction (simply 2n) for a one-way function f. There is almost no memory or data complexity. Hence this can be considered as one of the extreme cases where only the time complexity dominates.

The time complexity may be substituted by the memory complexity if we compute all the xfxvalues in advance during the offline phase (which we call precomputation phase) and save them in a sorted table with respect to the second column, fx. Then, the time complexity of the precomputation phase is 2nand the memory complexity is M=2n. On the other hand, the time complexity of finding a preimage xf1yfor a given yduring the online phase is relatively negligible in comparison to the memory complexity. One needs to search for yin the second column of the table and this search takes roughly nsteps since the table is sorted. This is also one of the extreme cases where only the memory complexity dominates.

In general, we can regard the tradeoff attacks as the attacks searching for a preimage of a one-way function by utilizing a significant memory prepared in the precomputation phase to reduce the time complexity from 2n. A tradeoff curve between memory and time is introduced with possibly some restrictions. The time complexity is decreased by increasing the memory complexity or vice versa. But the ratio of increase/decrease depends on the tradeoff curve. In general, the optimum point on the curve is considered as the point where T=Mif the restrictions permit to choose this point. Let us remark that the precomputation phases of these attacks must be the whole exhaustive search to provide significantly high success rates. But, since this offline phase is run only once, its complexity can be ignored in some applications where one uses the tables several times to invert enormous number of outputs. The Hellman tables or the rainbow tables for the GSM encryption algorithm A5/1 are typical real world applications [10, 12].

It is possible to ease the problem of inverting a one-way function fby introducing large number of data. Then the corresponding tradeoff attacks can be further improved by constructing better tradeoff curves with the addition of the amount of data used.

We can define the problem of inverting one-way function with dataas follows. Let y1,,yDGF2nbe given. Then, find a preimage for one of them. That is, find xisuch that fxi=yi. This problem is easier than finding a preimage of only one given element yGF2n. Indeed, it is possible to prepare a sorted list of y1,,yDand then search for xsuch that fxis in this sorted list. It is clear that the time complexity of the exhaustive search is 2n/D. Hence, the time complexity of the default attack for inverting one-way function with data is reduced by a factor of D.

It is possible to address the problem of inverting one-way function with data in stream ciphers and mount some tradeoff attacks for single key setting. We introduce these attacks in Section 3. However, it is not known in the literature yet how to associate a single key recovery attack for a block cipher as a problem of inverting one-way function with data (see Section 4 for details of the tradeoff attacks in the case of block ciphers).

2.1 Hellman and rainbow tables

One very well known way of inverting a one-way function is using Hellman tables [27]. Initially, Hellman introduced the tables only for recovering the DES keys in his original work in [27] but it can be used to invert any one-way function.

Let us assume that the input and the output sizes of a one-way function, f, are equal. That is, f:GF2nGF2n. The general cases may easily be deduced by the reduction or enlargement techniques as Hellman applied for the DES encryption by reducing its block size to 56 bits. Let xGF2nbe an input. Then, compute fx,f2x,,ftxand save the pair, xftx.

If a given value yGF2nis equal to fixfor some i1tthen we can find a preimage for y easily: fi1xwill be a preimage since ffi1x=y. We can check if y=fixfor some iby checking the equality ftiy=ftx. Indeed we have

ftifix=ftx=ftiy.E1

Therefore, it is highly probable that y=fix. It may be possible that yfixeven though ftiy=ftxsince fis not a permutation. This case is considered as a false alarm. The probability of the false alarms should be taken into account for the success rate of the attack. Gildas et al.introduce an efficient way of ruling out the false alarms, particularly in the perfect tables [28].

Choosing mdifferent xpoints and preparing a table of mpairs xftxsorted with respect to ftx(which is called a Hellman table), it is possible to find a preimage of a given output yGF2nif y=fixfor some xin these mpairs by calling the ffunction and checking if the result is among the second (sorted) values of the pairs xftxat most ttimes. Therefore, examining if yis in the set fixwith mtelements, costs tcalls of fand the memory amount we need is msince we save mpairs for one table of mtelements. These mpairs consist of the initial and the final columns of the table.

The most significant disadvantage of Hellman tables is the high propagation of the collisions throughout the rows. If fix=fjxfor some 1i,j<tand different starting points xx, then the collision is going to merge to the rest of the rows as fi+kx=fj+kxk=1,,mintitj. This restricts the capacity of a Hellman table. Indeed, we should choose the number of the rows and the columns mand tsuch that mt22nto optimize the probability of collisions according to the birthday paradox [27]. Therefore, we need roughly ttables since one table can contain at most mtdifferent elements and each Hellman table must be prepared by using a different function deduced from a slight derivation of the f-function so as to ensure the independence of the tables.

The time complexity is T=t2since examining through one table costs tcalls of the f-function and we have ttables. Similarly, we need M=mtmemory to save ttables. As a corollary, the tradeoff curve M2T=22nis deduced with mt2=2n. The optimum point on the curve is T=M=22n/3. The precomputation phase for preparing the tables is equivalent to the exhaustive search and hence its complexity is 2n.

Oechslin introduces another kind of tables to invert one-way functions, which he calls rainbow tables [29]. He proposes to use a different function for the computation of each column and hence each row is constituted as

f1x,f2f1x,,ftft1f1xE2

instead of fx,f2x,,ftxfor a chosen starting point xwhere fis are derived from fby slight modifications. Only the initial point xand its final evaluation ftft1f1xare saved as in the case of Hellman tables.

Rainbow tables have a significant advantage over Hellman tables: The collisions in different columns do not propagate in rainbow tables. So, it is possible to use only one rainbow table for covering majority of the space GF2n. The table contains tcolumns and mtrows. However, tracing through a rainbow table costs much more. For a given output y, check if it is in the last column. If not then check ftyand then ftft1yand then, ftft1ft2yand so on are in the last column one by one.

Both the Hellman tables and the rainbow tables have the same tradeoff curve. But, the time complexity is tt1/2for a rainbow table which is roughly twice less than t2. This makes rainbow tables more popular in practical applications.

Barkan et al.compares these two methods and combine them in a general model based on stateful random graphs [30]. They also improve the time complexity of the rainbow tables [30]. Lu et al.use the unified rainbow tables to break GSM A5/1 algorithm and recover an A5/1 key in 9 s with a success rate of 81% by using general purpose GPUs with 3 NVIDIA GeForce GTX690 cards [12]. There are also FPGA implementation versions of tracing through the rainbow tables of the A5/1 states [10, 11]. The success rates of the rainbow tables for A5/1 are improved in [12]. Rainbow tables are commonly used to invert hash functions and crack passwords [13, 14, 15, 16, 17]. Even though rainbow tables are ubiquitously used in the real world applications, Biryukov et al.show that Hellman tables are superior to rainbow tables in multiple data scenario [31].

3. Tradeoff attacks on stream ciphers

The main building blocks of (synchronous) stream ciphers are keystream generators. The most general design principle of keystream generators make use of a state update function ϕ:GF2sGF2sand an output function g:GF2sGF2rproducing r-bit output from each s-bit internal state. An internal state Stis updated to the next internal state St+1via ϕ. The initial internal state S0is called the seed and produced from a key Kand an initial vector IVthrough an initialization algorithm InAlg:

InAlg:GF2n×GF2lGF2sKIVS0.E3

The objective of the attacks on stream ciphers is twofold in general. They aim at either recovering the key or an internal state. The same approach is adopted for tradeoff attacks. The state recovery attacks are conventional examples of the problem of inverting one-way function with data in a single key attack scenario. Indeed, it is enough to recover one of the internal states occurred during the encryption process.

Babbage [32] and Golić [33] independently introduce a natural way of recovering one of the internal states by using data. They define a one-way function by extending the output function which produces enough number of output bits by calling ϕand gcertain number of times consecutively to identify the input state from its keystream piece uniquely. One can compute Mpairs of the states and their outputs during the precomputation phase and save them as sorted with respect to the outputs. Then, it is highly probable to recover one of the states which produce Ddata when MD2sduring the online phase. The optimum point on the tradeoff curve MD=2sis M=D=2s/2. So, s/2is supposed to be larger than the key length to ensure that the Babbage-Golić attack is slower than the exhaustive search. This imposes a well known and highly adopted security criterion on stream ciphers: The internal state size must be at least twice as large as the key size. It was one of the main security requirements for the stream ciphers in both the NESSIE project [34] and the eSTREAM project [35, 36].

Another tradeoff attack on keystream generators using data is introduced by Biryukov and Shamir [1]. They propose to use Hellman tables to recover one of the internal states which produce Ddata. It is nothing but finding a preimage for one of the data. The optimum online complexity is achieved when only one Hellman table is constructed. So, mt2=2sand D=twith M=m,T=tD. Hence, we have the tradeoff curve given as M2D2T=22swith the restriction DT. The optimum point on the curve is achieved when D2=T=Mand this gives T=2s/2. Again, if s2nthen the online phase of the Biryukov-Shamir attack will be slower than the exhaustive search, confirming the security criterion that the internal state size should be at least twice as large as the key size.

Both the Babbage-Golić attack and the Biryukov-Shamir attack aim at recovering one of the internal states. The online phases of these attacks are compared with the exhaustive search rather than the default tradeoff attacks. The attacks use multiple data since the one-way function they would like to invert has several outputs available. On the other hand, it is possible to define the one-way function as the function taking the n-bit main key as input and producing the keystream of n-bits for a chosen fixed IV. The internal state size has no significance for inverting this one-way function. So, we have the classical complexities T=M=22n/3. However, we can not exploit the multiple data for this function. Therefore the Babbage-Golić attack and the Biryukov-Shamir attack are superior when the internal state size is too short. The tradeoff attacks on the GSM encryption algorithm A5/1 with its 64 bit internal state are mostly the applications of the Biryukov-Shamir attack [10, 11, 12].

Armknecht and Mikhalev examine the keyed update functions and show that the keystream generators with keyed state update functions are secure against conventional tradeoff attacks no matter how small the internal state sizes are [18]. They also introduce an example cipher they call Sprout [18]. A keyed state update function takes the main key as the second parameter of the input to produce the next internal state from the current internal state.

The cipher Sprout is analyzed intensively in a short while and some weaknesses are discovered [20, 22]. More interestingly, special tradeoff attacks are mounted [21, 23]. Then, Armknecht and Mikhalev present another keystream generator with keyed state update. They call it Plantlet [19]. This cipher also attains significant interests of cyrptanalysts and several results are published including correlation attacks [24, 25, 26, 37, 38], some of them are even faster than exhaustive search [25]. It seems that it is indeed a challenging task for the crypto community to design keystream generators of small state sizes even if the tradeoff attacks are ignored in their security assessments.

4. Tradeoff attacks on block ciphers

Let E:GF2n×GF2mGF2mbe a block cipher of n-bit key and m-bit block size. EKP=EKPand EKis a permutation for a fixed key K. We can define a one-way function fx=ExP0=ExP0for a chosen fixed plaintext P0. Finding a preimage for a given ciphertext is nothing but finding a key candidate that encrypts the plaintext P0to the given ciphertext.

It is possible to invert fxby using tradeoff tables. Hellman initially mounted the tradeoff attack on the block cipher DES in his original work [27]. The online time complexity is reduced to 22n/3. But preparing the tables requires as many encryption calls as in the exhaustive search.

There is no known method of using multiple data to improve the tradeoff curve M2T=22nin the single key recovery setting for block ciphers yet. Choosing another plaintext will result in another one-way function to convert. So, using multiple data yields the following problem. Let f1,,fDbe Dindependent one-way functions of n-bit inputs and n-bit outputs. We call the problem of finding xas the problem of the mutual inverting of multiple one-way functionswhere

f1x=y1,f2x=y2,,fDx=yDE4

and y1,,yDare given.

Choosing Ddifferent plaintexts P1,,PDfor a block cipher Eis an example of the problem of the mutual inverting of multiple one-way functions given as: f1x=ExP1, f2x=ExP2,,fDx=ExPD. Here xis the key and we have Dchosen plaintexts encrypted with x. Then, finding xbecomes a mutual inverting problem of multiple one-way functions.

The problem may further be generalized as inverting only one of the Dindependent one-way functions. Let

f1x1=y1,f2x2=y2,,fDxD=yDE5

be given for Dindependent one-way functions f1,,fD. The goal is to find one of xifor i=1,,D.

The problem of mutual inverting multiple one-way functions can be applied to stream ciphers also. Several one-way functions may be defined by choosing several IVs. Each IVdetermines a one-way function taking the key as the input and producing n-bit keystream. That is, each one-way function fIV:GF2nGF2nis defined as

fIVK=z1znE6

where Kis an n-bit key and z1znis the first n-bit keystream segment produced by the pair KIV. The function fIVcan be inverted by the conventional Hellman tables or rainbow tables. Finding preimage for one specific fIVcan be considered as the default tradeoff attack on stream ciphers and its online complexity is given as 22n/3.

It may be still possible to use any number of IVs. For the single key attack scenario, the keystream generator is initialized by several different IVs and the corresponding n-bit keystream segments are produced. Then, the unknown inputs of the one-way functions will be mutual, namely the main key.

It seems that inverting only one specific one-way function once is not easier than the other two problems. One can use the algorithm of inverting a one-way function to invert one of Done-way functions. So, an algorithm inverting a one-way function can be used to solve the problem of inverting at least one function among Done-way functions. Similarly, any algorithm inverting one of Done-way functions can straightforwardly be used to solve the mutual inverting problem.

It is not known yet if these three problems are of equal difficulty. It is an open problem if the mutual inverting problem is strictly easier than the problem of inverting one of the several one-way functions. It is also an open problem that inverting one of the several one-way functions is strictly easier than inverting only one one-way function. If there is an algorithm solving problem of mutual inverting problem but not solving the problem of inverting one-way function then the security levels and the key lengths for both block ciphers and stream ciphers must be assessed again. Because, the algorithms solving mutual inverting problems efficiently can be very powerful and serious attacks on symmetric ciphers.

5. Assessment of security criterion on state size

The online complexities of both the Babbage-Golić and the Biryukov-Shamir attacks are compared to the complexity of the exhaustive search and the security criterion on the state size of a stream cipher is imposed thereof. However, there is still a faster tradeoff attack even though the internal state size is larger than twice of the key size. It is possible to define a one-way function from a main key to its keystream piece of a stream cipher by choosing and fixing an IV. Then, one of the preimages of the keystream segment will be the main key. The attack complexity is derived from the key size rather than the internal state size. At the optimum point of the tradeoff curve, the online complexity is 22n/3where nis the key length. This is the default Hellman or Oechslin tradeoff attacks and valid for block ciphers also. Note that the complexity is much smaller than 2n, the complexity of the exhaustive search.

Any tradeoff attack on symmetric ciphers should be compared with the default tradeoff attack with its complexity 22n/3, instead of the exhaustive search. In this case, the strict criterion on the internal state size can be lightened, enabling to design ultra-lightweight stream ciphers. Indeed, a stream cipher of 128 bit key is required at least 256 bit internal state according to the conventional security criterion. If we assume one bit register is implemented by a flip flop of 6 GE (Gate Equivalent) area, we must allocate roughly 1.5 K GE only for the registers. This is why there is almost no stream cipher in the literature having a hardware implementation less than 1 K GE. However, there are several block cipher designs with hardware implementations less than 1 K GE such as Ktantan [9], PRINTCipher [39], SLIM [2] and LBlock [7].

Recall that we have the tradeoff curve MD=2sfor the Babbage-Golić attack with the optimum point M=N=2s/2where sis the internal state size of a given stream cipher. The online time complexity is also equal to the data complexity. Then, we simply should consider the attack to be successful if 2s/2<22n/3. Therefore, the internal state size must be at least 4n/3. An attacker may prefer to choose much larger Mon the curve MD=2s. For example, preparing a memory of M=2n, we have D=2n/3for the case s=4n/3. However, it is possible to restrict the total number of the keystream bits produced per one key and force the users to change the key before completing encrypting the amount of 2n/3data.

Similarly, the optimum point of the tradeoff curve for the Biryukov-Shamir attack is D2=M=T=2s/2where M2D2T=22s. Then, the attack will be slower than the default key recovery tradeoff attack if again 2s/222n/3. Once more, we achieve the same security bound that the minimum size for the internal state must be 4n/3. If the precomputation phase is required to be not faster than the exhaustive search, then the amount of data encrypted per one key can be bounded above by 2n/3.

As a result, the tradeoff attacks aiming at the internal state recovery should be compared to the default tradeoff key recovery attack. Then, it is possible to loosen the restriction on the state size from 2nto 4n/3. This new criterion can enable novel designs of ultra-lightweight stream ciphers. However, stream ciphers with short internal states may prone to several other attacks. The attacks on Plantlet and Sprout are the examples [20, 21, 22, 23, 24, 25, 26, 37, 38]. Therefore, it seems to be a fruitful challenge for the cryptography community to design secure stream ciphers having quite short internal states. On the other hand, the real world applications such as IoT devices, RFID tags or wireless sensors require ultra-lightweight stream ciphers for confidentially.

Advertisement

6. Conclusions

We briefly introduce the tradeoff attacks on symmetric ciphers and initiate hopefully a fruitful discussion about how to assess the degree of precautions or countermeasure to be taken against these attacks.

The tradeoff attacks targeting at recovering one of the internal states producing a given keystream sequence are compared to the exhaustive search attack on the corresponding key used. However, a stream cipher key can be recovered much faster thorough the default tradeoff attack. Therefore, the internal state recovery tradeoff attacks should be compared to the default key recovery tradeoff attack. In this case, it is possible to loosen the bound for the countermeasure taken against state recovery tradeoff attacks.

The internal state size is supposed to be at least twice as large as the key size if the security threshold for tradeoff attacks is taken as the complexity of the exhaustive search. This is indeed a well known and worldwide adopted security criterion. We argue that it is indeed not necessary to allocate such large internal state just for the resistance against tradeoff attacks. The internal state size is enough to be at least 4n/3-bits particularly for the lightweight applications where nis the key length. Besides, there are several other cyrptanalytic techniques for internal state recovery that must be taken into account. It is an open problem how to design secure stream ciphers with short internal states. Such ciphers must be secure against other types of attacks such as divide-and-conquer attacks, guess and determine attacks or correlation attacks. It is interesting to study this generic problem.

We believe that it is a challenging task to design small stream ciphers and the industry requires such ciphers to use in lightweight applications such as IoT devices, wireless sensors or RFID tags.

Acknowledgments

We would like to thank Mehmet Sabır Kiraz, Ali Aydın Selçuk and Sırrı Erdem Ulusoy for their helpful comments. We also would like to thank IntechOpen LIMITED for the grant.

Conflict of interest

The authors declare no conflict of interest.

Notes

  • Permutations as one-way functions are out of scope of this chapter.

Download for free

chapter PDF

© 2021 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite and reference

Link to this chapter Copy to clipboard

Cite this chapter Copy to clipboard

Orhun Kara (March 5th 2021). Tradeoff Attacks on Symmetric Ciphers [Online First], IntechOpen, DOI: 10.5772/intechopen.96627. Available from:

chapter statistics

34total chapter downloads

More statistics for editors and authors

Login to your personal dashboard for more detailed statistics on your publications.

Access personal reporting

We are IntechOpen, the world's leading publisher of Open Access books. Built by scientists, for scientists. Our readership spans scientists, professors, researchers, librarians, and students, as well as business professionals. We share our knowledge and peer-reveiwed research papers with libraries, scientific and engineering societies, and also work with corporate R&D departments and government entities.

More About Us