A Comparison of Perfect Table Cryptanalytic Tradeoff Algorithms

The performances of three major time memory tradeoff algorithms were compared in a recent paper. The algorithms considered there were the classical Hellman tradeoff and the non-perfect table versions of the distinguished point method and the rainbow table method. This paper adds the perfect table versions of the distinguished point method and the rainbow table method to the list, so that all the major tradeoff algorithms may now be compared against each other. Even though there are existing claims as to the superiority of one tradeoff algorithm over another algorithm, the algorithm performance comparisons provided by the current work and the recent preceding paper are of more practical value. Comparisons that take both the cost of pre-computation and the efficiency of the online phase into account, at parameters that achieve a common success rate, can now be carried out with ease. Comparisons can be based on the expected execution complexities rather than the worst case complexities, and details such as the effects of false alarms and various storage optimization techniques need no longer be ignored. A significant portion of this paper is allocated to accurately analyzing the execution behavior of the perfect table distinguished point method. In particular, we obtain a closed-form formula for the average length of chains associated with a perfect distinguished point table

Analysis of the Rainbow Tradeoff Algorithm Used in Practice

Cryptanalytic time memory tradeoff is a tool for inverting one-way functions, and the rainbow table method, the best-known tradeoff algorithm, is widely used to recover passwords. Even though extensive research has been performed on the rainbow tradeoff, the algorithm actually used in practice differs from the well-studied original algorithm. This work provides a full analysis of the rainbow tradeoff algorithm that is used in practice. Unlike existing works on the rainbow tradeoff, the analysis is done in the external memory model, so that the practically important issue of table loading time is taken into account. As a result, we are able to provide tradeoff parameters that optimize the wall-clock time

Comparison of Cryptanalytic Time Memory Tradeoff Algorithms with Focus on Some Rainbow Variants

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2016. 2. 홍진.Cryptanalytic time memory tradeoff algorithms are tools for inverting one-way functions, and they are used to recover passwords from unsalted password hashes. There are many publicly known tradeoff algorithms, and the rainbow tradeoff algorithm, which is widely believed to be the best tradeoff algorithm, at least among implementers, has been the most popular method. In this thesis, we provide accurate complexity analyses of the thick rainbow tradeoff algorithm and the non-perfect and perfect table fuzzy rainbow tradeoff algorithms. These are algorithms that have not yet received much attention. Our analyses show that, when the pre-computation cost and the online execution efficiency are both taken into consideration, the perfect table fuzzy rainbow tradeoff can be seen as performing the best among the three algorithms considered and actually even better than the original rainbow tradeoff. The computational complexities for some time memory data tradeoff methods are also analyzed. The multi-target tradeoffs that we cover are the classical Hellman, distinguished point, and fuzzy rainbow methods, both in their non-perfect and perfect table versions for the latter two methods. We find that their execution complexities are no different from the complexities of the corresponding single-target algorithms executed under certain matching parameters. As in the single-target case, we conclude that the perfect table fuzzy rainbow tradeoff algorithm is the most preferable among the multi-target tradeoff algorithms we have considered.Chapter 1 Introduction 1 Chapter 2 Preliminaries 5 2.1 Previous Results of Major Algorithms 7 2.1.1 Hellman Tradeoff 7 2.1.2 DP Tradeoff 8 2.1.3 Rainbow Tradeoff 10 2.2 Some Rainbow Variants 11 2.2.1 Thick Rainbow Tradeoff 12 2.2.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 13 2.2.3 Perfect Table Fuzzy Rainbow Tradeoff 15 Chapter 3 Analyses of the Three Rainbow Variants 18 3.1 Thick Rainbow Tradeoff 18 3.1.1 Probability of Success 18 3.1.2 Online Complexity 21 3.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 25 3.2.1 Probability of Success 25 3.2.2 Online Complexity 31 3.3 Perfect Table Fuzzy Rainbow Tradeoff 37 3.3.1 Probability of Success 37 3.3.2 Online Complexity 41 Chapter 4 Storage Optimization 49 4.1 The Degree of Ending Point Truncation 50 4.1.1 Thick Rainbow Tradeoff 50 4.1.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 52 4.1.3 Perfect Table Fuzzy Rainbow Tradeoff 54 Chapter 5 Comparison of Algorithms 56 5.1 Adjustment Factors for Tradeoff Coefficients 56 5.2 Some Observations concerning Fuzzy Rainbow Tradeoffs 58 5.3 Comparison 63 Chapter 6 Time Memory Data Tradeoff Algorithms 67 6.1 Algorithms 67 6.2 Analysis 69 Chapter 7 Experiments 72 7.1 Thick Rainbow Tradeoff 72 7.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 74 7.3 Perfect Table Fuzzy Rainbow Tradeoff 78 7.4 Time Memory Data Tradeoff Algorithms 84 Chapter 8 Conclusion 86 Abstract (in Korean) 91Docto

Analysis of the Parallel Distinguished Point Tradeoff

Cryptanalytic time memory tradeoff algorithms are tools for quickly inverting one-way functions and many consider the rainbow table method to be the most efficient tradeoff algorithm. However, it was recently announced, mostly based on experiments, that the parallelization of the perfect distinguished point tradeoff algorithm brings about an algorithm that is 50\% more efficient than the perfect rainbow table method. Motivated by this claim, while noting that the massive pre-computation associated with any tradeoff algorithm makes the non-perfect forms of tradeoff algorithms more practical, we provide an accurate theoretic analysis of the parallel version of the non-perfect distinguished point tradeoff algorithm. Performance differences between different tradeoff algorithms are usually not very large, but even these small differences can be crucial in practice. So we take care not to ignore the side effects of false alarms in providing an online time complexity analysis of the parallel distinguished point tradeoff algorithm. Our complexity results are used to compare the parallel non-perfect distinguished point tradeoff against the non-perfect rainbow table method. The two algorithms are compared under identical success rate requirements and the pre-computation efforts are also taken into account. Contrary to our anticipation, we find that the rainbow table method is superior in typical situations, even though the parallelization did have a positive effect on the efficiency of the distinguished point tradeoff algorithm

The Cost of False Alarms in Hellman and Rainbow Tradeoffs

Cryptanalytic time memory tradeoff algorithms are generic one-way function inversion techniques that utilize pre-computation. Even though the online time complexity is known up to a small multiplicative factor for any tradeoff algorithm, false alarms pose a major obstacle in its accurate assessment. In this work, we study the expected pre-image size for an iteration of functions and use the result to analyze the cost incurred by false alarms. We are able to present the expected online time complexities for the Hellman tradeoff and the rainbow table method in a manner that takes false alarms into account. We also analyze the effects of the checkpoint method in reducing false alarm costs. The ability to accurately compute the online time complexities will allow one to choose their tradeoff parameters more optimally, before starting the expensive pre-computation process

A Comparison of Time-Memory Trade-Off Attacks on Stream Ciphers

Contains fulltext : 117176.pdf (preprint version ) (Open Access

Invertibility of multiple random functions and its application to symmetric ciphers

The invertibility of a random function (IRF, in short) is an important problem and has wide applications in cryptography. For ex- ample, searching a preimage of Hash functions, recovering a key of block ciphers under the known-plaintext-attack model, solving discrete loga- rithms over a prime field with large prime, and so on, can be viewed as its instances. In this work we describe the invertibility of multiple random functions (IMRF, in short), which is a generalization of the IRF. In order to solve the IMRF, we generalize the birthday theorem. Based on the generalized birthday theorem and time-memory tradeoff (TMTO, in short) method, we present an efficient TMTO method of solving an IMRF, which can be viewed as a generalization of three main TMTO attacks, that is, Hellman’s attack, Biryukov and Shamir’s attack with BSW sampling, and Biryukov, Mukhopadhyay and Sarkar’s time- memory-key tradeoff attack. Our method is highly parallel and suitable for distributed computing environments. As a generalization of Hellman’s attack, our method overcomes its shortcoming of using only one pair of known plaintext and ciphertext and first admits more than one datum in a TMTO on block ciphers at the single key scenario. As a generaliza- tion of Biryukov and Shamir’s attack with BSW sampling, our method overcomes its shortcoming of using only a few data with specific prefix in stream ciphers and can utilize all data without any waste. As appli- cations, we get two new tradeoff curves: N2 = TM2D3, N = PD and D=τforblockciphers,andN2 =τ3TM2D2,N=τPDandD≥τ for stream ciphers, where τ is the number of random functions, that is, the number of independent computing units available to an attacker, N is the size of key space (for block ciphers) or state (for stream ci- phers) space, D the number of data captured by the attacker, and T, M, P the time/memory/precomputation cost consumed at each computing unit respectively. As examples, assume that 4096 computing units can be available for the attacker. Denote by 5-tuple (τ, T, M, D, P ) the costof our method. Then the cost of breaking DES, AES-128 and A5/1 is (212, 225.3, 225.3, 212, 244), (212, 273.3, 273.3, 212, 2116) and (212, 222.7, 217.3,217.3, 234.7) respectivel

중복제거 테이블을 이용한 특이점 절충기법과 그의 병렬처리에 대한 분석

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2016. 2. 홍진.In a recent paper, the performances of three major time memory tradeoff algorithms, namely, the classical Hellman tradeoff and the non-perfect table versions of the distinguished point(DP) and the rainbow table tradeoff methods, were analyzed and compared against each other. The analysis was accurate in the sense that the extra costs of resolving false alarms were not ignored, and the performance comparison was fair in the sense that both the online complexity and the pre-computation cost were taken into account and the techniques for optimizing storage size were taken into account. Based on this paper, another recent paper analyzed a DP variant, which treats the non-perfect DP tables in parallel, and compared its performance with those of the previous three tradeoff algorithms. In this thesis, we analyze the performances of three more tradeoff algorithms and compare them with the aforementioned four algorithms. The algorithms newly considered here will be the perfect table versions of the DP, rainbow table, and parallel DP tradeoff methods. The performance of an algorithm cannot be represented by a single numeric value and algorithm preferences will depend on the available resources and various situations faced by the tradeoff algorithm implementer. Hence, we will present the performances of the tradeoff algorithms as curves providing the full range of options made available by the algorithms, so as to allow for the implementers to make their choices. However, our comparisons show that, under typical situations, the perfect table parallel DP tradeoff algorithm is more likely to be preferable over the other DP algorithm variants and that the perfect rainbow table method is superior to the other tradeoff algorithms. On the other hand, yet another recent paper notes that the perfect rainbow table method is widely implemented in practice to process its pre-computation tables in a serial manner, rather than in parallel, as was originally proposed by the algorithm designers. This is because, even though the parallel treatment of the pre-computation tables would be more efficient in theory, the size of tables are too large to be fully loaded into fast main memory in real-world applications such as password recovery and this affects the real-world performances of the algorithms negatively. Following the approach of the paper, we give the optimal physical wall-clock online execution times for the practically used serial perfect rainbow and the perfect table versions of the DP and rainbow tradeoffs that treat their pre-computation tables in parallel. This is done with various realistic password spaces and at various high success rate requirements, under a specific limitation on the size of available storage. Unlike any theoretical approach to the tradeoff algorithms, the physical online execution time includes the time taken for loading the pre-computation tables from disk to fast memory and the time taken by table lookups. We find that, in contrast with the software developers' intuition, the serial perfect rainbow tradeoff algorithm is inferior to the two algorithms that treat their tables in parallel, when their optimal physical online times are compared under reasonable assumptions and settings. Our simplified conclusions are that, for the larger of the two search spaces we dealt with, the parallel version of the perfect rainbow table method gives the shortest wall-clock online time, and that, for the smaller search space, when restricted to the same amount of pre-computation, the perfect parallel DP tradeoff is faster than the other algorithms.Chapter 1 Introduction 1 Chapter 2 Preliminaries 7 2.1 Algorithm Clarification, Terminology, and Notation 7 2.1.1 Four Versions of the DP Tradeoff 8 2.1.2 Non-perfect and Perfect Rainbow Tradeoffs pR, p¯R 19 2.1.3 Perfect Rainbow Tradeoff, Used in Practice s¯R 25 2.1.4 Other Conventions and Comments 27 2.2 Storage Optimization Techniques 28 2.3 Previous Results 29 2.3.1 Analyses of the Original DP and Parallel DP Tradeoffs 30 2.3.2 Analysis of the Non-perfect Rainbow Tradeoff 31 Chapter 3 Perfect Table Tradeoff Algorithms 33 3.1 Analysis of the Perfect DP Tradeoff 33 3.1.1 Online Efficiency 33 3.1.2 Storage Optimization 46 3.1.3 Experiment Results 50 3.2 Analysis of the Perfect Rainbow Tradeoff 56 3.2.1 Online Efficiency 56 3.2.2 Storage Optimization 60 Chapter 4 Perfect Parallel DP Tradeoff 65 4.1 Online Efficiency 65 4.2 Storage Optimization 72 4.3 Experiment Results 75 Chapter 5 Comparisons Focused on Theoretical Complexities 85 5.1 Method of Comparison 86 5.2 Comparison of DP Variants 88 5.3 p¯D vs. Rainbow 92 Chapter 6 Practice-Oriented Comparison 100 6.1 Additional Costs for the p¯D and p¯R Tradeoffs 102 6.2 Analysis of the s¯R Tradeoff 103 6.3 Expressions for the Physical Online Time 104 6.4 How to Minimize the Physical Online Time 106 6.5 Comparisons 107 Chapter 7 Conclusion 116 Bibliography 119 Appendix A Practical System Constants τF, τL, and τH 123 A.1 tF 123 A.2 tL 125 A.3 tH 126 Abstract (in Korean) 129Docto

A Comparison of Cryptanalytic Tradeoff Algorithms

Three time memory tradeoff algorithms are compared in this paper. Specifically, the classical tradeoff algorithm by Hellman, the distinguished point tradeoff method, and the rainbow table method, in their non-perfect table versions, are treated. We show that, under parameters and assumptions that are typically considered in theoretic discussions of the tradeoff algorithms, Hellman and distinguished point tradeoffs perform very close to each other and that the rainbow table method performs somewhat better than the other two algorithms. Our method of comparison can easily be applied to other situations, where the conclusions could be different. The analysis of tradeoff efficiency presented in this paper does not ignore the effects of false alarms and also covers techniques for reducing storage, such as ending point truncations and index tables. Our comparison of algorithms takes the success probabilities and pre-computation efforts fully into account