Algorithmic Complexity Attacks on Allocators

Jack Lloyd — Wed, 01 Nov 2006 05:00:00 GMT

A few years back some researchers presented the concept of performing denial of service through algorithmic complexity attacks, which essentially cause pathological behavior in data structures like hash tables through carefully chosen inputs.

Finding Equivalences of Boolean Function

Jack Lloyd — Wed, 30 Aug 2006 04:00:00 GMT

A fairly common class of functions in crypto are functions mapping {0,1}³ onto {0,1}. In particular, these show up a lot in hash functions derived from MD4, including MD5, SHA-1, RIPEMD, and SHA-512. These range in complexity from simple three-term expressions like "(A xor B xor C)" to functions like "((A and B) or (C and (A or B)))". One interesting and important difference between these two functions becomes very important when you consider how to implement these functions on an x86 (or x86-64) processor. The x86 uses two-operand instructions, and has very few registers, so computing something like "(A and B) xor (not(A) and C)", which requires two temporaries (one to hold A and B, the other (not(A) and C)) might require you to spill values to the stack. Often, that means a major performance hit. Finding an alternate form for this function that only requires fewer temporary registers could be a major benefit. Obviously finding these equivalences could be done by hand, but having a computer do it seemed both faster and more interesting.

Bitbashing (Posts about algorithms)

Algorithmic Complexity Attacks on Allocators

Finding Equivalences of Boolean Function