The Cost of False Alarms in Hellman and Rainbow Tradeoffs

Cryptanalytic time memory tradeoff algorithms are generic one-way function inversion techniques that utilize pre-computation. Even though the online time complexity is known up to a small multiplicative factor for any tradeoff algorithm, false alarms pose a major obstacle in its accurate assessment. In this work, we study the expected pre-image size for an iteration of functions and use the result to analyze the cost incurred by false alarms. We are able to present the expected online time complexities for the Hellman tradeoff and the rainbow table method in a manner that takes false alarms into account. We also analyze the effects of the checkpoint method in reducing false alarm costs. The ability to accurately compute the online time complexities will allow one to choose their tradeoff parameters more optimally, before starting the expensive pre-computation process

Comparison of Cryptanalytic Time Memory Tradeoff Algorithms with Focus on Some Rainbow Variants

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2016. 2. 홍진.Cryptanalytic time memory tradeoff algorithms are tools for inverting one-way functions, and they are used to recover passwords from unsalted password hashes. There are many publicly known tradeoff algorithms, and the rainbow tradeoff algorithm, which is widely believed to be the best tradeoff algorithm, at least among implementers, has been the most popular method. In this thesis, we provide accurate complexity analyses of the thick rainbow tradeoff algorithm and the non-perfect and perfect table fuzzy rainbow tradeoff algorithms. These are algorithms that have not yet received much attention. Our analyses show that, when the pre-computation cost and the online execution efficiency are both taken into consideration, the perfect table fuzzy rainbow tradeoff can be seen as performing the best among the three algorithms considered and actually even better than the original rainbow tradeoff. The computational complexities for some time memory data tradeoff methods are also analyzed. The multi-target tradeoffs that we cover are the classical Hellman, distinguished point, and fuzzy rainbow methods, both in their non-perfect and perfect table versions for the latter two methods. We find that their execution complexities are no different from the complexities of the corresponding single-target algorithms executed under certain matching parameters. As in the single-target case, we conclude that the perfect table fuzzy rainbow tradeoff algorithm is the most preferable among the multi-target tradeoff algorithms we have considered.Chapter 1 Introduction 1 Chapter 2 Preliminaries 5 2.1 Previous Results of Major Algorithms 7 2.1.1 Hellman Tradeoff 7 2.1.2 DP Tradeoff 8 2.1.3 Rainbow Tradeoff 10 2.2 Some Rainbow Variants 11 2.2.1 Thick Rainbow Tradeoff 12 2.2.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 13 2.2.3 Perfect Table Fuzzy Rainbow Tradeoff 15 Chapter 3 Analyses of the Three Rainbow Variants 18 3.1 Thick Rainbow Tradeoff 18 3.1.1 Probability of Success 18 3.1.2 Online Complexity 21 3.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 25 3.2.1 Probability of Success 25 3.2.2 Online Complexity 31 3.3 Perfect Table Fuzzy Rainbow Tradeoff 37 3.3.1 Probability of Success 37 3.3.2 Online Complexity 41 Chapter 4 Storage Optimization 49 4.1 The Degree of Ending Point Truncation 50 4.1.1 Thick Rainbow Tradeoff 50 4.1.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 52 4.1.3 Perfect Table Fuzzy Rainbow Tradeoff 54 Chapter 5 Comparison of Algorithms 56 5.1 Adjustment Factors for Tradeoff Coefficients 56 5.2 Some Observations concerning Fuzzy Rainbow Tradeoffs 58 5.3 Comparison 63 Chapter 6 Time Memory Data Tradeoff Algorithms 67 6.1 Algorithms 67 6.2 Analysis 69 Chapter 7 Experiments 72 7.1 Thick Rainbow Tradeoff 72 7.2 Non-Perfect Table Fuzzy Rainbow Tradeoff 74 7.3 Perfect Table Fuzzy Rainbow Tradeoff 78 7.4 Time Memory Data Tradeoff Algorithms 84 Chapter 8 Conclusion 86 Abstract (in Korean) 91Docto

A Comparison of Cryptanalytic Tradeoff Algorithms

Three time memory tradeoff algorithms are compared in this paper. Specifically, the classical tradeoff algorithm by Hellman, the distinguished point tradeoff method, and the rainbow table method, in their non-perfect table versions, are treated. We show that, under parameters and assumptions that are typically considered in theoretic discussions of the tradeoff algorithms, Hellman and distinguished point tradeoffs perform very close to each other and that the rainbow table method performs somewhat better than the other two algorithms. Our method of comparison can easily be applied to other situations, where the conclusions could be different. The analysis of tradeoff efficiency presented in this paper does not ignore the effects of false alarms and also covers techniques for reducing storage, such as ending point truncations and index tables. Our comparison of algorithms takes the success probabilities and pre-computation efforts fully into account

A Comparison of Perfect Table Cryptanalytic Tradeoff Algorithms

The performances of three major time memory tradeoff algorithms were compared in a recent paper. The algorithms considered there were the classical Hellman tradeoff and the non-perfect table versions of the distinguished point method and the rainbow table method. This paper adds the perfect table versions of the distinguished point method and the rainbow table method to the list, so that all the major tradeoff algorithms may now be compared against each other. Even though there are existing claims as to the superiority of one tradeoff algorithm over another algorithm, the algorithm performance comparisons provided by the current work and the recent preceding paper are of more practical value. Comparisons that take both the cost of pre-computation and the efficiency of the online phase into account, at parameters that achieve a common success rate, can now be carried out with ease. Comparisons can be based on the expected execution complexities rather than the worst case complexities, and details such as the effects of false alarms and various storage optimization techniques need no longer be ignored. A significant portion of this paper is allocated to accurately analyzing the execution behavior of the perfect table distinguished point method. In particular, we obtain a closed-form formula for the average length of chains associated with a perfect distinguished point table

Analysis of the Parallel Distinguished Point Tradeoff

Cryptanalytic time memory tradeoff algorithms are tools for quickly inverting one-way functions and many consider the rainbow table method to be the most efficient tradeoff algorithm. However, it was recently announced, mostly based on experiments, that the parallelization of the perfect distinguished point tradeoff algorithm brings about an algorithm that is 50\% more efficient than the perfect rainbow table method. Motivated by this claim, while noting that the massive pre-computation associated with any tradeoff algorithm makes the non-perfect forms of tradeoff algorithms more practical, we provide an accurate theoretic analysis of the parallel version of the non-perfect distinguished point tradeoff algorithm. Performance differences between different tradeoff algorithms are usually not very large, but even these small differences can be crucial in practice. So we take care not to ignore the side effects of false alarms in providing an online time complexity analysis of the parallel distinguished point tradeoff algorithm. Our complexity results are used to compare the parallel non-perfect distinguished point tradeoff against the non-perfect rainbow table method. The two algorithms are compared under identical success rate requirements and the pre-computation efforts are also taken into account. Contrary to our anticipation, we find that the rainbow table method is superior in typical situations, even though the parallelization did have a positive effect on the efficiency of the distinguished point tradeoff algorithm

Time-Memory Trade-Offs: False Alarm Detection Using Checkpoints

Since the original publication of Martin Hellman's cryptanalytic time-memory trade-off, a few improvements on the method have been suggested. In all these variants, the cryptanalysis time decreases with the square of the available memory. However, a large amount of work is wasted during the cryptanalysis process due to so-called "false alarms". In this paper we present a method of detection of false alarms which significantly reduces the cryptanalysis time while using a minute amount of memory. Our method, based on "checkpoints", reduces the time by much more than the square of the additional memory used, e.g., an increase of 0.89% of memory yields a 10.99% increase in performance. Beyond this practical improvement, checkpoints constitute a novel approach which has not yet been exploited and may lead to other interesting results. In this paper, we also present theoretical analysis of time-memory trade-offs, and give a complete characterization of the variant based on rainbow tables

A New Cryptanalytic Time/Memory/Data Trade-off Algorithm

In 1980, Hellman introduced a time/memory trade-off (TMTO) algorithm satisfying the TMTO curve $TM^2=N^2$, where $T$ is the online time, $M$ is the memory and $N$ is the size of the search space. Later work by Biryukov-Shamir incorporated multiple data to obtain the curve $TM^2D^2=N^2$, where $D$ is the number of data points. In this paper, we describe a new table structure obtained by combining Hellman\u27s structure with a structure proposed by Oechslin. Using the new table structure, we design a new multiple data TMTO algorithm both with and without the DP method. The TMTO curve for the new algorithm is obtained to be $T^3M^7D^8=N^7$. This curve is based on a conjecture on the number of distinct points covered by the new table. Support for the conjecture has been obtained through some emperical observations. For $D>N^{1/4}$, we show that the trade-offs obtained by our method are better than the trade-offs obtained by the BS method

Quantum Time/Memory/Data Tradeoff Attacks

One of the most celebrated and useful cryptanalytic algorithms is Hellman\u27s time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions on $N$ possible values with time and space complexities satisfying $TM^2=N^2$. As a search problem, one can always transform it into the quantum setting by using Grover\u27s algorithm, but this algorithm does not benefit from the possible availability of auxiliary advice obtained during a free preprocessing stage. However, at FOCS\u2720 it was rigorously shown that a small amount of quantum auxiliary advice (which can be stored in a quantum memory of size $M \leq O(\sqrt{N})$) cannot possibly yield an attack which is better than Grover\u27s algorithm. In this paper we develop new quantum versions of Hellman\u27s cryptanalytic attack which use large memories in the standard QACM (Quantum Accessible Classical Memory) model of computation. In particular, we improve Hellman\u27s tradeoff curve to $T^{4/3}M^2=N^2$. When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert $f$ for at least one of $D$ given values), we get the generalized curve $T^{4/3}M^2D^2=N^2$. A typical point on this curve is $D=N^{0.2}$, $M=N^{0.6}$, and $T=N^{0.3}$, whose time is strictly lower than both Grover\u27s algorithm and the classical Hellman algorithm (both of which require $T=N^{0.4}$ for these $D$ and $M$ parameters)