A Comparison of Time-Memory Trade-Off Attacks on Stream Ciphers

Contains fulltext : 117176.pdf (preprint version ) (Open Access

Comparison of Cryptanalytic Time Memory Tradeoff Algorithms with Focus on Some Rainbow Variants

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2016. 2. 홍진.Cryptanalytic time memory tradeoff algorithms are tools for inverting one-way functions, and they are used to recover passwords from unsalted password hashes. There are many publicly known tradeoff algorithms, and the rainbow tradeoff algorithm, which is widely believed to be the best tradeoff algorithm, at least among implementers, has been the most popular method. In this thesis, we provide accurate complexity analyses of the thick rainbow tradeoff algorithm and the non-perfect and perfect table fuzzy rainbow tradeoff algorithms. These are algorithms that have not yet received much attention. Our analyses show that, when the pre-computation cost and the online execution efficiency are both taken into consideration, the perfect table fuzzy rainbow tradeoff can be seen as performing the best among the three algorithms considered and actually even better than the original rainbow tradeoff. The computational complexities for some time memory data tradeoff methods are also analyzed. The multi-target tradeoffs that we cover are the classical Hellman, distinguished point, and fuzzy rainbow methods, both in their non-perfect and perfect table versions for the latter two methods. We find that their execution complexities are no different from the complexities of the corresponding single-target algorithms executed under certain matching parameters. As in the single-target case, we conclude that the perfect table fuzzy rainbow tradeoff algorithm is the most preferable among the multi-target tradeoff algorithms we have considered.Chapter 1 Introduction 1 Chapter 2 Preliminaries 5 2.1 Previous Results of Major Algorithms 7 2.1.1 Hellman Tradeoff 7 2.1.2 DP Tradeoff 8 2.1.3 Rainbow Tradeoff 10 2.2 Some Rainbow Variants 11 2.2.1 Thick Rainbow Tradeoff 12 2.2.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 13 2.2.3 Perfect Table Fuzzy Rainbow Tradeoff 15 Chapter 3 Analyses of the Three Rainbow Variants 18 3.1 Thick Rainbow Tradeoff 18 3.1.1 Probability of Success 18 3.1.2 Online Complexity 21 3.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 25 3.2.1 Probability of Success 25 3.2.2 Online Complexity 31 3.3 Perfect Table Fuzzy Rainbow Tradeoff 37 3.3.1 Probability of Success 37 3.3.2 Online Complexity 41 Chapter 4 Storage Optimization 49 4.1 The Degree of Ending Point Truncation 50 4.1.1 Thick Rainbow Tradeoff 50 4.1.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 52 4.1.3 Perfect Table Fuzzy Rainbow Tradeoff 54 Chapter 5 Comparison of Algorithms 56 5.1 Adjustment Factors for Tradeoff Coefficients 56 5.2 Some Observations concerning Fuzzy Rainbow Tradeoffs 58 5.3 Comparison 63 Chapter 6 Time Memory Data Tradeoff Algorithms 67 6.1 Algorithms 67 6.2 Analysis 69 Chapter 7 Experiments 72 7.1 Thick Rainbow Tradeoff 72 7.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 74 7.3 Perfect Table Fuzzy Rainbow Tradeoff 78 7.4 Time Memory Data Tradeoff Algorithms 84 Chapter 8 Conclusion 86 Abstract (in Korean) 91Docto

중복제거 테이블을 이용한 특이점 절충기법과 그의 병렬처리에 대한 분석

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2016. 2. 홍진.In a recent paper, the performances of three major time memory tradeoff algorithms, namely, the classical Hellman tradeoff and the non-perfect table versions of the distinguished point(DP) and the rainbow table tradeoff methods, were analyzed and compared against each other. The analysis was accurate in the sense that the extra costs of resolving false alarms were not ignored, and the performance comparison was fair in the sense that both the online complexity and the pre-computation cost were taken into account and the techniques for optimizing storage size were taken into account. Based on this paper, another recent paper analyzed a DP variant, which treats the non-perfect DP tables in parallel, and compared its performance with those of the previous three tradeoff algorithms. In this thesis, we analyze the performances of three more tradeoff algorithms and compare them with the aforementioned four algorithms. The algorithms newly considered here will be the perfect table versions of the DP, rainbow table, and parallel DP tradeoff methods. The performance of an algorithm cannot be represented by a single numeric value and algorithm preferences will depend on the available resources and various situations faced by the tradeoff algorithm implementer. Hence, we will present the performances of the tradeoff algorithms as curves providing the full range of options made available by the algorithms, so as to allow for the implementers to make their choices. However, our comparisons show that, under typical situations, the perfect table parallel DP tradeoff algorithm is more likely to be preferable over the other DP algorithm variants and that the perfect rainbow table method is superior to the other tradeoff algorithms. On the other hand, yet another recent paper notes that the perfect rainbow table method is widely implemented in practice to process its pre-computation tables in a serial manner, rather than in parallel, as was originally proposed by the algorithm designers. This is because, even though the parallel treatment of the pre-computation tables would be more efficient in theory, the size of tables are too large to be fully loaded into fast main memory in real-world applications such as password recovery and this affects the real-world performances of the algorithms negatively. Following the approach of the paper, we give the optimal physical wall-clock online execution times for the practically used serial perfect rainbow and the perfect table versions of the DP and rainbow tradeoffs that treat their pre-computation tables in parallel. This is done with various realistic password spaces and at various high success rate requirements, under a specific limitation on the size of available storage. Unlike any theoretical approach to the tradeoff algorithms, the physical online execution time includes the time taken for loading the pre-computation tables from disk to fast memory and the time taken by table lookups. We find that, in contrast with the software developers' intuition, the serial perfect rainbow tradeoff algorithm is inferior to the two algorithms that treat their tables in parallel, when their optimal physical online times are compared under reasonable assumptions and settings. Our simplified conclusions are that, for the larger of the two search spaces we dealt with, the parallel version of the perfect rainbow table method gives the shortest wall-clock online time, and that, for the smaller search space, when restricted to the same amount of pre-computation, the perfect parallel DP tradeoff is faster than the other algorithms.Chapter 1 Introduction 1 Chapter 2 Preliminaries 7 2.1 Algorithm Clarification, Terminology, and Notation 7 2.1.1 Four Versions of the DP Tradeoff 8 2.1.2 Non-perfect and Perfect Rainbow Tradeoffs pR, p¯R 19 2.1.3 Perfect Rainbow Tradeoff, Used in Practice s¯R 25 2.1.4 Other Conventions and Comments 27 2.2 Storage Optimization Techniques 28 2.3 Previous Results 29 2.3.1 Analyses of the Original DP and Parallel DP Tradeoffs 30 2.3.2 Analysis of the Non-perfect Rainbow Tradeoff 31 Chapter 3 Perfect Table Tradeoff Algorithms 33 3.1 Analysis of the Perfect DP Tradeoff 33 3.1.1 Online Efficiency 33 3.1.2 Storage Optimization 46 3.1.3 Experiment Results 50 3.2 Analysis of the Perfect Rainbow Tradeoff 56 3.2.1 Online Efficiency 56 3.2.2 Storage Optimization 60 Chapter 4 Perfect Parallel DP Tradeoff 65 4.1 Online Efficiency 65 4.2 Storage Optimization 72 4.3 Experiment Results 75 Chapter 5 Comparisons Focused on Theoretical Complexities 85 5.1 Method of Comparison 86 5.2 Comparison of DP Variants 88 5.3 p¯D vs. Rainbow 92 Chapter 6 Practice-Oriented Comparison 100 6.1 Additional Costs for the p¯D and p¯R Tradeoffs 102 6.2 Analysis of the s¯R Tradeoff 103 6.3 Expressions for the Physical Online Time 104 6.4 How to Minimize the Physical Online Time 106 6.5 Comparisons 107 Chapter 7 Conclusion 116 Bibliography 119 Appendix A Practical System Constants τF, τL, and τH 123 A.1 tF 123 A.2 tL 125 A.3 tH 126 Abstract (in Korean) 129Docto