A Cryptanalytic Time-Memory Trade-Off
Martin E. Hellman
1 July 1980, vol. 26, no. 4, pp. 401-406
Abstract
A probabilistic method is presented which cryptanalyzes any N key cryptosystem in N^{2/3} operations with N^{2/3} words of memory (average values) after a precomputation which requires N operations. If the precomputation can be performed in a reasonable time period (e.g., several years), the additional computation required to recover each key compares very favorably with the N operations required by an exhaustive search and the N words of memory required by table lookup. When applied to the Data Encryption Standard (DES) used in block mode, it indicates that solutions should cost between $1 and $100 each. The method works in a chosen plaintext attack and, if cipher block chaining is not used, can also be used in a ciphertext-only attack.


IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-26, NO. 4, JULY 1980
I. INTRODUCTION

MANY searching tasks, such as the knapsack [1] and discrete logarithm problems [2], allow time-memory trade-offs. That is, if there are N possible solutions to search over, the time-memory trade-off allows the solution to be found in T operations (time) with M words of memory, provided the time-memory product TM equals N. (Often the product is of the form cN log_2 N, but for simplicity we neglect logarithmic and constant factors.)
Cryptanalysis is a searching problem that allows the two extremes of exhaustive search (T = N, M = 1) and table lookup (T = 1, M = N), but until this paper no general time-memory trade-offs had been published. Letting m and t be parameters whose significance will be explained later and neglecting precomputation, this technique requires approximately M = mt words of memory and T = t^2 operations provided mt^2 = N. Letting m = t = N^{1/3} results in M = T = N^{2/3}, which is much more cost effective than exhaustive search and table lookup. If complexity is measured by M + T this technique reduces the effective key length by one-third when judged against exhaustive search. Breaking the 56-bit Data Encryption Standard (DES) with this method is less complex than doing an exhaustive search on a 38-bit key system.
Complexity and cost are not synonymous because
memory costs more than time. But Section III shows that
the cost per solution of breaking the DES drops from
approximately $5000 for exhaustive search to approxi-
mately $10 using the time-memory trade-off.
This time-memory trade-off is not as good as those known for the knapsack and discrete logarithm problems, where M = T = N^{1/2} can be obtained and where the precomputation is no more complex than the search itself. This indicates that improvements may well be possible.

Manuscript received October 24, 1978; revised October 16, 1979. This work was supported in part by the National Science Foundation under Grants ENG 10173 and ECS 16161. This paper was presented at the IEEE International Symposium on Information Theory, Grignano, Italy, June 25-29, 1979. The author is with the Department of Electrical Engineering, Stanford University, Durand 135, Stanford, CA 94305.
Exhaustive search can be accomplished under a known
plaintext attack, while table lookup requires a chosen
plaintext attack [3]. In an exhaustive search, the ciphertext
can be deciphered under each key and the result com-
pared with the known plaintext. If they are equal, the key
tried is probably correct. Occasional false alarms are
rejected by additional tests.
In table lookup, the cryptanalyst first enciphers some fixed plaintext P_0 under each of the N possible keys to produce N ciphertexts. These are sorted and stored in a table with their associated keys.
When a user chooses a new key K, he is forced (in a chosen plaintext attack) to provide the cryptanalyst with the encipherment of P_0,

$$
C_0 = S_K(P_0), \qquad (1)
$$

where S_K(·) denotes the enciphering operation under key K. Because the table is sorted by ciphertext, the cryptanalyst can find C_0 and its associated key in at most log_2 N operations using a binary search. Either by neglecting logarithmic factors or through hash coding [4], this will be counted as one operation.
The N operations required to compute the table are not
counted because they constitute a precomputation which
can be performed at the cryptanalyst's leisure. In the real
world, we must ensure that the precomputation is not
excessive, and this will be done in Section III for the
time-memory trade-off applied to the DES.
Those unfamiliar with cryptography often question the
validity of using a known or chosen plaintext attack in
assessing the strength of a system. They think of a cipher-
text-only attack in which the cryptanalyst possesses only
ciphertext and some statistical knowledge of the plaintext.
Aside from the fact that one should be conservative in
assessing security levels, a successful known or chosen
plaintext attack can often be modified to work under the
ciphertext-only assumptions. Reference [5] explains one
such instance, where the parity bit in the American Na-
tional Standard Code for Information Interchange
(ASCII) allows a known plaintext attack to be turned into
a ciphertext-only attack.
Similarly, the chosen plaintext assumption required for table lookup can often be relaxed. If the DES is used in block mode, the cryptanalyst can choose P_0 to be a frequent plaintext block, such as the ASCII representation of eight blanks. He then inspects the ciphertext for repeated blocks and uses his cryptanalytic approach on each repeated block. If there are ten repeated blocks, this only increases his effort by a factor of ten. The correct solution is easily determined through additional tests.

0018-9448/80/0700-0401$00.75 © 1980 IEEE
The cryptanalytic technique described in this paper requires the same kind of chosen plaintext attack as does a table lookup. We use the chosen plaintext assumption to simplify explanations, but it should be remembered that the time-memory trade-off can also be used with a ciphertext-only attack by looking for repeated ciphertext blocks and assuming that they correspond to the chosen (frequent) plaintext.

[Fig. 1. Construction of the function f: the key K enciphers the fixed plaintext P_0, and the reduction R maps the ciphertext S_K(P_0) to f(K).]

[Fig. 2. Matrix of images under f. Row i is the chain SP_i = X_{i,0} → X_{i,1} → X_{i,2} → ... → X_{i,t} = EP_i, for i = 1, 2, ..., m; each arrow is one application of f.]

II. ITERATIVE APPROACH

The time-memory trade-off is best understood by considering a specific cryptosystem, such as the DES. It operates on a 64-bit plaintext block P to produce a 64-bit ciphertext block C under the action of a 56-bit key:

$$
C = S_K(P). \qquad (2)
$$
Letting P_0 be a fixed plaintext block, define

$$
f(K) = R[S_K(P_0)], \qquad (3)
$$

where R is some simple reduction from 64 to 56 bits, such as dropping the last 8 bits of the ciphertext. Fig. 1 depicts the construction of f.

Computing f(K) is almost as simple as enciphering, but computing K from f(K) is equivalent to cryptanalysis. If the cryptosystem is secure, f is therefore a one-way function [3]. The time-memory trade-off described in this paper applies to inverting any one-way function, not just those derived from cryptosystems.

As part of the precomputation, the cryptanalyst chooses m starting points, SP_1, SP_2, ..., SP_m, each an independent random variable drawn uniformly from the key space {1, 2, ..., N}. For 1 ≤ i ≤ m he lets

$$
X_{i0} = SP_i \qquad (4)
$$

and computes

$$
X_{ij} = f(X_{i,j-1}), \qquad 1 \le j \le t, \qquad (5)
$$

as depicted in Fig. 2. The parameters m and t are chosen by the cryptanalyst to trade off time against memory, as discussed below.
The last element or endpoint in the ith chain (or row) is denoted by EP_i. Clearly

$$
EP_i = f^{t}(SP_i). \qquad (6)
$$

To reduce memory requirements, the cryptanalyst discards all intermediate points as they are produced and sorts the {SP_i, EP_i}, i = 1, ..., m, on the endpoints. The sorted table is stored as the result of this precomputation.

Now suppose someone chooses a key K and the cryptanalyst intercepts or is given

$$
C_0 = S_K(P_0). \qquad (7)
$$

He can apply the reduction operation R to obtain

$$
Y_1 = R(C_0) = f(K). \qquad (8)
$$

He can check if Y_1 is an endpoint in one operation because the {(SP_i, EP_i)} are sorted on the endpoints.

If Y_1 is not an endpoint the key is not in the next to the last column of Fig. 2. (If it were, Y_1, which is its image under f, would be an endpoint.)

If Y_1 = EP_i, either K = X_{i,t-1} (i.e., K is in the next to last column of Fig. 2), or EP_i has more than one inverse image. We refer to this latter event as a false alarm. If Y_1 = EP_i, the cryptanalyst therefore computes X_{i,t-1} and checks if it is the key, for example by seeing if it deciphers C_0 into P_0. Because all intermediate columns in Fig. 2 were discarded to save memory, the cryptanalyst must start at SP_i and recompute X_{i,1}, X_{i,2}, etc. until he reaches X_{i,t-1}.

If Y_1 is not an endpoint or a false alarm occurred, the cryptanalyst computes

$$
Y_2 = f(Y_1) \qquad (9)
$$

and checks if it is an endpoint. If it is not, the key is not in the (t−2)nd column of Fig. 2, while if Y_2 = EP_i, the cryptanalyst checks if X_{i,t-2} is the key. In a similar manner, the cryptanalyst computes Y_3 = f(Y_2), ..., Y_t = f(Y_{t-1}) to check if the key is in the (t−3)rd, ..., or 0th column of Fig. 2.

If all mt elements in the 0th through (t−1)st columns of Fig. 2 are different and if K is chosen uniformly from all possible values, the probability of success P(S) would be mt/N. Only m words of memory and t operations are required, so the time-memory product has come into play. An exhaustive search with t operations has only P(S) = t/N, while a table lookup with m words of memory has only P(S) = m/N.

If the matrix in Fig. 2 has some overlap, but a fixed fraction of distinct elements, the probability of success is only lowered by the same fixed fraction. A mild amount of overlap therefore can be tolerated in the matrix without affecting the basic gain inherent in the time-memory trade-off. This analysis also neglects other constant and logarithmic factors (e.g., it counts an encipherment, reduction operation, and check for Y_j equal to an endpoint as one operation).
Theorem: If f(·) is modeled as a random function mapping the set {1, 2, ..., N} into itself, and if the key K is chosen uniformly from this same set, then the probability of success is bounded by

$$
P(S) \ge \frac{1}{N}\sum_{i=1}^{m}\sum_{j=0}^{t-1}\left[\frac{N-it}{N}\right]^{j+1}. \qquad (10)
$$

Remark 1: Equation (10) indicates that for a fixed value of N there is not much to be gained by increasing m or t beyond the point at which mt^2 = N. Because [(N − it)/N]^{j+1} ≈ exp(−ijt/N), the last term is closely approximated by exp(−mt^2/N) and when mt^2 > N most terms will be small. (Most will have values of i and j which are a significant fraction of m and t, respectively.) If mt^2 < N, each term in (10) is close to one and (10) reduces to

$$
P(S) \ge mt/N, \qquad (11)
$$

which is also an upper bound so there is negligible overlap. Increasing either m or t then produces a significant effect. If mt^2 = N, with both m and t large, then (10) can be numerically evaluated and equals 0.80 mt/N to two significant figures. (Approximating the sum by an integral and scaling m and t shows that the fractional efficiency, 0.80, is independent of m and t so long as the product mt^2 is unaltered.) Operating at mt^2 = N therefore increases the expected cryptanalytic effort by at most the small constant factor 1/0.80 = 1.25. We will often neglect this slight increase in cryptanalytic effort. Numerical evaluation of (10) can be avoided at the expense of some looseness. Approximating each term by exp(−ijt/N), lower bounding these by exp(−it^2/N) and summing predicts an efficiency of 1 − exp(−1) = 0.63 when mt^2 = N and m and t are both large. A slightly more complex bound suggested by one of the reviewers predicts an efficiency of 3/4 = 0.75 when mt^2 = N and is a true lower bound.

Remark 2: A secure cryptosystem is a good pseudorandom number generator so modeling f(·) as a random function makes intuitive sense. As will be seen from the proof, f(·) need only be random so far as its cycle structure (i.e., the lengths of its cycles and associated tails) is concerned. This is a much weaker condition.

Also, to a large extent, the random function assumption increases the expected effort and is therefore conservative. If f(·) tended to have longer than average cycles, less overlap would occur. In the limit, if f(·) had one cycle of length N then the starting and endpoints could be spaced N^{1/2} apart and completely cover the key space with M = T = N^{1/2}, a significant improvement over the N^{2/3} complexity under the random function assumption. If f(·) had the other extreme of degeneracy, f(K) = K for all K, then cryptanalysis would be even more trivial. There are cycle structures which ruin the time-memory trade-off, but it is hard to see how one could obtain them with a secure cryptosystem.

As a check on the validity of (10), we ran a small test on the DES reduced to a 10-bit key (N = 1024) with m = t = 10. The lower bound predicts that P(S) ≥ 7.7 percent, and with 20 different R functions we obtained a range of 6.8 percent to 9.1 percent, in excellent agreement with the bound. If there were no overlap at all, P(S) would have been 9.8 percent.
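Remark 1's integral approximation, carried through here as an added derivation (not part of the original text) in the paper's own symbols. Replacing each term of (10) by exp(−ijt/N), writing x = i/m and y = j/t, and turning the double sum into an integral gives

$$
P(S) \gtrsim \frac{1}{N}\sum_{i=1}^{m}\sum_{j=0}^{t-1} e^{-ijt/N}
\approx \frac{mt}{N}\int_{0}^{1}\!\!\int_{0}^{1} \exp\!\left(-\frac{mt^{2}}{N}\,xy\right) dx\,dy ,
$$

so the fraction of mt/N that survives depends on m and t only through mt^2/N. At mt^2 = N,

$$
\int_{0}^{1}\!\!\int_{0}^{1} e^{-xy}\,dx\,dy = \int_{0}^{1}\frac{1-e^{-y}}{y}\,dy \approx 0.80 ,
$$

which is the efficiency quoted in Remark 1. The cruder bound mentioned there replaces e^{−ijt/N} by its smallest value over j, e^{−it^2/N} = e^{−i/m}, so that

$$
P(S) \gtrsim \frac{t}{N}\sum_{i=1}^{m} e^{-i/m} \approx \frac{mt}{N}\int_{0}^{1} e^{-x}\,dx = \left(1-e^{-1}\right)\frac{mt}{N} \approx 0.63\,\frac{mt}{N}.
$$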
Remark 3: Equation (10) indicates that P(S) will be small for typical values of m and t. For example, if m = t = N^{1/3} then P(S) ≈ 1/N^{1/3}. This is overcome by generating O(N^{1/3}) different tables with different choices for R. If the first table does not produce a success, the second table is tried, etc. New choices of R are valuable because their cycle structures are independent of past tables, so a point repeated in two tables does not imply a repeated row.

Even if R is restricted to be a mapping which just chooses an ordered subset of 56 bits out of the ciphertext's 64 bits there are 64!/8! ≈ 3 × 10^84 choices for R. If the cryptosystem is a good pseudorandom number generator even such minor changes in R will make the cycle structures of the associated f(·) functions independent. This was done in the small DES simulation and P(S) = 81.3 percent overall coverage was obtained with 20 tables. If the coverage of each table was independent of the others, then 80.7 percent coverage was predicted from the individual P(S). There was a slight positive bias because the 200 starting points for the 20 tables were taken to be the first 200 integers. This modification from random selection of the starting points reduces the expected search effort but is more difficult to analyze.
Proof of Theorem: The proof is closely related to the birthday problem [6, p. 33]. Letting A denote the subset of keys covered by the first t columns of Fig. 2 (i.e., not including the endpoints) we have

$$
P(S) = E|A|/N, \qquad (12)
$$

where |A| denotes the number of elements in A. Letting I(X) denote the indicator function of the event X,

$$
P(S) = E\sum_{i=1}^{m}\sum_{j=0}^{t-1} I\{X_{ij} \text{ is new}\}/N
     = \sum_{i=1}^{m}\sum_{j=0}^{t-1} \Pr(X_{ij} \text{ is new})/N, \qquad (13)
$$

where a point being new means it has not occurred in a previous row or thus far in its row. Using

$$
\begin{aligned}
\Pr(X_{ij} \text{ is new})
 &\ge \Pr(X_{i0}, X_{i1}, \ldots, X_{ij} \text{ are all new}) \\
 &= \Pr(X_{i0} \text{ is new})\,\Pr(X_{i1} \text{ is new} \mid X_{i0} \text{ is new}) \cdots
    \Pr(X_{ij} \text{ is new} \mid X_{i0}, X_{i1}, \ldots, X_{i,j-1} \text{ are new}) \qquad (14) \\
 &= \frac{N-|A_{i0}|}{N}\cdot\frac{N-|A_{i0}|-1}{N}\cdots\frac{N-|A_{i0}|-j}{N},
\end{aligned}
$$

where A_{i0} denotes the set of elements covered thus far. Clearly each factor in (14) is larger than (N − it)/N since there are at most t different elements in each row. Therefore

$$
\Pr(X_{ij} \text{ is new}) \ge \left[\frac{N-it}{N}\right]^{j+1} \qquad (15)
$$

and

$$
P(S) \ge \frac{1}{N}\sum_{i=1}^{m}\sum_{j=0}^{t-1}\left[\frac{N-it}{N}\right]^{j+1},
$$

completing the proof.
To obtain the N^{2/3} complexity claimed earlier, set m = t = N^{1/3} so that P(S) is approximately N^{-1/3} for a single table. Generate N^{1/3} (or several times that number) tables with different reduction mappings R. With high probability one of the tables will produce the correct answer, although occasionally a key will be chosen that is not included in the tables, and the method will fail to produce a solution.

Overall there are M = N^{2/3} words of memory (N^{1/3} tables, each with m = N^{1/3} words), and the overall number of operations is also T = N^{2/3} (N^{1/3} operations per table). The different tables can be tried sequentially, with N^{1/3} parallel processors, or anywhere in between.
We must still show that the false alarm rate is not so high as to dominate the computation.

Theorem: The expected number of false alarms per table tried, E(F), is bounded by

$$
E(F) \le \frac{mt(t+1)}{2N}. \qquad (16)
$$

Remark: When a false alarm occurs, at most t operations are required to rule it out, which is comparable to the normal computation required for computing Y_1, Y_2, ..., Y_t. If mt^2 = N and t ≫ 1, then the expected computation due to false alarms increases the expected computation by at most 50 percent.

Proof: Letting F_{ij} denote the occurrence of a false alarm due to Y_j = EP_i,

$$
E(F) = \sum_{i=1}^{m}\sum_{j=1}^{t} \Pr(F_{ij}). \qquad (17)
$$

F_{ij} can occur in j different ways: due to f(K) merging immediately with the ith row of the matrix, that is if f(K) = f^{t−j+1}(SP_i), or merging after one iteration, that is if f(K) is not in the ith row of the matrix, but f^2(K) equals f^{t−j+2}(SP_i); etc. Each of these j different ways of causing F_{ij} to occur has probability at most 1/N because, up to the merging, K, f(K), etc. are independent random variables uniformly distributed over {1, 2, ..., N}. Therefore

$$
E(F) \le \sum_{i=1}^{m}\sum_{j=1}^{t} \frac{j}{N} = \frac{mt(t+1)}{2N}, \qquad (18)
$$

completing the proof.
III. HARDWARE IMPLEMENTATION
The preceding ideas establish the time-memory trade-
off from a theoretical viewpoint but, because of the higher
cost of memory, it is necessary to look at specific hard-
ware implementations to determine to what extent, if any,
the technique produces a cost savings over exhaustive
search. This section therefore estimates the cost of a
machine which breaks the DES using the time-memory
trade-off. The machine uses off-the-shelf hardware costing
approximately $4 million and produces 100 solutions per
day, with an average wait of one day between the time the
problem is entered and the solution produced. The
machine can also be used to effect the precomputation in
approximately one year.
If the machine is used, fully loaded, for five years after
the precomputation then the equivalent cost per solution
is $25. Other manufacturing and operating costs may
increase this to $100 per solution, but use of less expensive
components and larger values of m may reduce the cost to
as little as $1 per solution. The geometric midpoint, $10
per solution, is taken as an order of magnitude estimate.
When compared to the estimated $5000 per solution
cost [5] of exhaustive search, it is seen that the new
technique is significantly cheaper. Further, the time-memory trade-off's cost could be reduced if custom large-scale integrated (LSI) circuitry is allowed as in [5]. It
should be remembered, however, that the time-memory
trade-off does not work in a known plaintext attack if
block chaining or cipher feedback is used, whereas ex-
haustive search continues to be usable. Also the higher
throughput of the time-memory machine (100 problems
per day versus 2 problems per day in [5]) requires a larger
number of problems to keep the machine fully loaded and
realize its full cost advantage.
The DES has N = 2^56 ≈ 7 × 10^16 keys. By rounding this to N = 10^17, we can neglect overlap in the matrices because (10) shows that approximately 80 percent of the points are distinct when mt^2 = N. Optimizing over m and t is not a simple matter because there is no simple objective function. The values m = 10^5 and t = 10^6 were selected after some trial and error as resulting in a reasonable machine cost, cost per solution, time to solution, and throughput. Using these values results in

$$
P(S) = mt/N = 10^{-6}, \qquad (19)
$$

so approximately 10^6 tables are needed. Overall M = 10^11 words of memory are required, each 112 bits long (56 bits each for SP_i and EP_i), for a total memory requirement of 10^13 bits. A $20 magnetic tape can store on the order of 10^9 bits so 10 000 tapes are needed at a cost of $0.2M. To read these in one day requires 100 tape drives. (The data transfer rate is then approximately 100 × 10^6 bits per second, or 10^13 bits per day. Assigning 100 tapes to each drive also means a tape is changed every 15 minutes per drive.) At a cost of $20 000 per drive this adds $2.0M to the system cost.

Each tape drive has a semiconductor memory consisting of 625 16-kbit random access memory (RAM) chips, or 10^7 bits per memory. This can store the m = 10^5 words needed for one table, at an approximate cost of $4 000 per memory ($6 per chip) or $0.4M total cost.
Because there are t = 10^6 points in a row of Fig. 2 and P(S) = 10^{-6}, on the average it is necessary to compute 10^12 values of f(·) before achieving success. There are 100 tape drive/memory units working in parallel, and there are approximately 10^5 seconds in a day, so a DES unit must be able to implement the f(·) function in 10^{-5} s = 10 μs to achieve a one-day solution time. Fairchild has announced a DES chip set which will implement the f(·) function in approximately 5 μs (load a key and a plaintext, encrypt, and output the ciphertext). Initially it is selling for approximately $100 per unit but should reach $20 in quantity within a few years. Using the $100 figure to be conservative, each fast memory can have 100 DES units associated with it, each one working on a different problem. (Parallelism cannot speed up computation of successive iterations of f(·).) This approximately equalizes the DES and other costs ($10 000 per drive for DES units) and does not overload the memory since there are more memory chips, and they can be accessed much faster than the DES units need data. There are some multiplexing and queueing problems, but these can be resolved easily because of the probabilistic nature of the search. If a small fraction of the memory accesses are delayed by queueing, it might be most cost effective to merely go on to the next iteration and forfeit that chance of success.
The total parts cost is $3.6M. If depreciated over five
years this is approximately $2500 per day, or $25 per
solution since the machine works on 100 problems in
parallel. While other manufacturing and operating costs
might increase this to $100 per solution, the use of a larger
value of m should decrease cost per solution (but increase
machine cost). This is because the larger table uses more
memory chips, allowing a commensurate increase in the
number of DES units and the number of problems being
solved in parallel. Of course, the cryptanalyst must have
enough problems to keep the machine fully loaded if he is
to realize this cost savings.
It also should be possible to use less expensive compo-
nents. For example, the $2.0 M for 100 tape drives might
be replaced by $0.1 M for 100 video recorders used as
inexpensive tape drives. The probabilistic nature of the
computation allows us to tolerate occasional errors in the
data, and the sequential nature of the accessed data
eliminates the need for extremely rapid forward and re-
verse speeds.
The DES chip cost was conservative. If they can be
obtained for $20 per unit, then 500 units can be interfaced
to each tape drive/memory at no increase in projected
cost, and 500 solutions would be produced each day.
Memory costs are also falling rapidly. Taken together,
these improvements indicate that the cost per solution
might be as low as $1 in the near future.
The precomputation is equivalent to an exhaustive search of the keyspace because there are approximately t tables, each requiring mt encipherments, for a total of mt^2 = N encipherments. A single Fairchild DES unit operating at 5 μs per encipherment would require 11 000 years for the precomputation, but the above described machine with 10 000 units could complete it in 1.1 years.
Because tape cost is a small part of the overall system cost, the added cost to store several times the average number of tables needed for a solution is unimportant,
and the expected computation per solution is not increased
if the tables are used cyclically. A new problem can be
entered at any stage without affecting the average number
of tables that it must try before achieving success.
For similar reasons, it is possible to produce different tapes for different targets: using eight blanks as the chosen plaintext would be a good general choice, while "XYZ Corp" or "Login:" might work better for other targets. A special machine would be needed for doing ongoing precomputations, but it would consist primarily of 10 000 DES units and one tape drive so its parts cost would be approximately $1.0M and not have a large effect on system cost.
IV. CONCLUSION
The time-memory trade-off was described for use with a block cipher, but the same approach works with a synchronous stream cipher [7]. The first k bits of keystream are taken as the f(K) function, where k is the number of bits of key. This can be done under a known plaintext attack.
The method works on all systems in a chosen plaintext
attack [7] but does not work with a known plaintext attack
on a cipher feedback system [7] if the initial load of the
shift register is random and varies between conversations.
Proposed Federal standards suggest this precaution.
Even a block cipher can foil the time-memory trade-off
in a known plaintext attack through cipher block chaining
[7], [8] or other techniques which introduce memory into
the encipherment. Then, even when eight blanks occur in
the plaintext, their encipherment depends on the preced-
ing text. Even if the first block of text is fairly standard
(e.g., Login:), this technique can be foiled by the transmission of a random indicator which is used to
affect the encipherment (e.g., it is taken as the 0th plain-
text block). Again, proposed standards include provision
for cipher block chaining with a random indicator.
While this time-memory trade-off cryptanalytic technique can be easily foiled, it does work on the DES in basic block mode. More importantly, it indicates that even when cipher block chaining or other techniques are added, a larger key size is needed to have a reasonable assurance of security. While table lookup and exhaustive search are currently infeasible on systems with 64-bit or larger key sizes, an N^{1/2} time-memory trade-off would push the minimum usable key size up to 128 bits. The N^{2/3} technique described here, coupled with the large number of N^{1/2} time-memory trade-offs known for other searching problems, indicates that valuable data should not be entrusted to a device with smaller key size.
REFERENCES

[1] R. C. Merkle and M. E. Hellman, "Hiding information and signatures in trapdoor knapsacks," IEEE Trans. Inform. Theory, vol. IT-24, pp. 525-530, Sept. 1978.
[2] S. C. Pohlig and M. E. Hellman, "An improved algorithm for computing logarithms over GF(p) and its cryptographic significance," IEEE Trans. Inform. Theory, vol. IT-24, pp. 106-110, Jan. 1978.
