Making a Faster Cryptanalytic Time-Memory Trade-Off

Philippe Oechslin
Laboratoire de Securité et de Cryptographie (LASEC)
Ecole Polytechnique Fédérale de Lausanne
Faculté I&C, 1015 Lausanne, Switzerland

Abstract. In 1980 Martin Hellman described a cryptanalytic time-memory trade-off which reduces the time of cryptanalysis by using precalculated data stored in memory. This technique was improved by Rivest before 1982 with the introduction of distinguished points which drastically reduces the number of memory lookups during cryptanalysis. This improved technique has been studied extensively but no new optimisations have been published ever since. We propose a new way of precalculating the data which reduces by two the number of calculations needed during cryptanalysis. Moreover, since the method does not make use of distinguished points, it reduces the overhead due to the variable chain length, which again significantly reduces the number of calculations. As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes ($2^{37}$) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used.

Key words: time-memory trade-off, cryptanalysis, precomputation, fixed plaintext

1 Introduction

Cryptanalytic attacks based on exhaustive search need a lot of computing power or a lot of time to complete. When the same attack has to be carried out multiple times, it may be possible to execute the exhaustive search in advance and store all results in memory. Once this precomputation is done, the attack can be carried out almost instantly. Alas, this method is not practicable because of the large amount of memory needed. In  Hellman introduced a method to trade memory against attack time. For a cryptosystem having keys, this method can recover a key in 2/3 operations using 2/3 words of memory. The typical application of this method is the recovery of a key when the plaintext and the ciphertext are known.
One domain where this applies is in poorly designed data encryption systems where an attacker can guess the first few bytes of data (e.g. "#include <stdio.h>"). Another domain is password hashes. Many popular operating systems generate password hashes by encrypting a fixed plaintext with the user's password as key and store the result as the password hash. Again, if the password hashing scheme is poorly designed, the plaintext and the encryption method will be the same for all passwords. In that case, the password hashes can be calculated in advance and can be subjected to a time-memory trade-off.

The time-memory trade-off (with or without our improvement) is a probabilistic method. Success is not guaranteed and the success rate depends on the time and memory allocated for cryptanalysis.

1.1 The original method

Given a fixed plaintext $P_0$ and the corresponding ciphertext $C_0$, the method tries to find the key $k$ which was used to encipher the plaintext using the cipher $S$. We thus have:

$$C_0 = S_k(P_0)$$

We try to generate all possible ciphertexts in advance by enciphering the plaintext with all possible keys. The ciphertexts are organised in chains whereby only the first and the last element of a chain is stored in memory. Storing only the first and last element of a chain is the operation that yields the trade-off (saving memory at the cost of cryptanalysis time). The chains are created using a reduction function $R$ which creates a key from a cipher text. The cipher text is longer than the key, hence the reduction. By successively applying the cipher $S$ and the reduction function $R$ we can thus create chains of alternating keys and ciphertexts.

$$k_i \xrightarrow{S_{k_i}(P_0)} C_i \xrightarrow{R(C_i)} k_{i+1}$$

The succession of $R(S_k(P_0))$ is written $f(k)$ and generates a key from a key which leads to chains of keys:

$$k_i \xrightarrow{f} k_{i+1} \xrightarrow{f} k_{i+2} \dots$$

m chains of length are created and their first and last elements are stored in a table. Given a ciphertext C we can try to find out if the key used to generate C is among the ones used to generate the table. To do so, we generate a chain of keys starting with R(C) and up to the length. If C was indeed obtained with a key used while creating the table then we will eventually generate the key that matches the last key of the corresponding chain.
That last key has been stored in memory together with the first key of the chain. Using the first key of the chain the whole chain can be regenerated and in particular the key that comes just before R(C). This is the key that was used to generate C, which is the key we are looking for.

Unfortunately there is a chance that chains starting at different keys collide and merge. This is due to the fact that the function R is an arbitrary reduction
of the space of ciphertexts into the space of keys. The larger a table is, the higher is the probability that a new chain merges with a previous one. Each merge reduces the number of distinct keys which are actually covered by a table. The chance of finding a key by using a table of m rows of keys is given in the original paper  and is the following:

P table 1 m 1 i=1 j=0 ( i ) j+1 1 (1)

The efficiency of a single table rapidly decreases with its size. To obtain a high probability of success it is better to generate multiple tables using a different reduction function for each table. The probability of success using l tables is then given by:

P success m 1 i=1 j=0 ( 1 i l ) j+1 (2)

Chains of different tables can collide but will not merge since different reduction functions are applied in different tables.

False alarms

When searching for a key in a table, finding a matching endpoint does not imply that the key is in the table. Indeed, the key may be part of a chain which has the same endpoint but is not in the table. In that case generating the chain from the saved starting point does not yield the key, which is referred to as a false alarm. False alarms also occur when a key is in a chain that is part of the table but which merges with other chains of the table. In that case several starting points correspond to the same endpoint and several chains may have to be generated until the key is finally found.

1.2 Existing work

In  Rivest suggests to use distinguished points as endpoints for the chains. Distinguished points are points for which a simple criterion holds true (e.g. the first ten bits of a key are zero). All endpoints stored in memory are distinguished points. When given a first ciphertext, we can generate a chain of keys until we find a distinguished point and only then look it up in the memory. This greatly reduces the number of memory lookups. All following publications use this optimisation.  describes how to optimise the table parameters, m and l to minimise the total cost of the method based on the costs of memory and of processing engines.
shows that the parameters of the tables can be adjusted such as to increase the probability of success, without increasing the need for memory or the cryptanalysis time. This is actually a trade-off between precomputation time and success rate. However, the success rate cannot be arbitrarily increased.

Borst notes in  that distinguished points also have the following two advantages:
- They allow for loop detection. If a distinguished point is not found after enumerating a given number of keys (say, multiple times their average occurrence), then the chain can be suspected to contain a loop and be abandoned. The result is that all chains in the table are free of loops.
- Merges can easily be detected since two merging chains will have the same endpoint (the next distinguished point after the merge). As the endpoints have to be stored anyway the merges are discovered without additional cost.

 suggest that it is thus easy to generate collision free tables without significant overhead. Merging chains are simply thrown away and additional chains are generated to replace them. Generating merge free tables is yet another trade-off, namely a reduction of memory at the cost of extra precomputation.

Finally  notes that all calculations used in previous papers are based on Hellman's original method and that the results may be different when using distinguished points due to the variation of chain length. They present a detailed analysis which is backed up by simulation in a purpose-built FPGA.

A variant of Hellman's trade-off is presented by Fiat and Naor in . Although this trade-off is less efficient, it can be rigorously analysed and can provably invert any type of function.

2 Results of the original method

2.1 Bounds and parameters

There are three parameters that can be adjusted in the time-memory trade-off: the length of the chains, the number of chains per table m and the number of tables produced l. These parameters can be adjusted to satisfy the bounds on memory M, cryptanalysis time T and success rate P success. The bound on success rate is given by equation 2. The bound on memory M is given by the number of chains per table m, the number of tables l and the amount of memory $m_0$ needed to store a starting point and an endpoint (8 bytes in our experiments). The bound in time T is given by the average length of the chains, the number of tables l and the rate 1 0 at which the plaintext can be enciphered ( /s in our case).
This bound corresponds to the worst case where all tables have to be searched but it does not take into account the time spent on false alarms.

$M = m \times l \times m_0$
T = l 0

Figure 1 illustrates the bounds for the problem of cracking alphanumerical windows passwords (complexity of $2^{37}$). The surface on the top-left graph is the bound on memory. Solutions satisfying the bound on memory lie below this surface. The surface on the bottom-left graph is the bound on time and solutions also have to be below that surface to satisfy the bound. The graph on the right side shows the bound on success probability of 99.9% and the combination of the two previous bounds. To satisfy all three bounds, the parameters of the
solution must lie below the protruding surface in the centre of the graph (time and memory constraints) and above the other surface (success rate constraint).

[Figure panels: M < 1.4GB; T < 220s; Success > 0.999, min(m <1.4GB, T < 220)]
Fig. 1. Solution space for a success probability of 99.9%, a memory size of 1.4GB and a maximum of 220 seconds in our sample problem.

This figure nicely illustrates the content of , namely that the success rate can be improved without using more memory or more time: all the points on the ridge in the centre of the graph satisfy both the bound on cryptanalysis time and memory but some of them are further away from the bound of success rate than others. Thus the success rate can be optimised while keeping the same amount of data and cryptanalysis time, which is the result of . We can even go one step further than the authors and state that the optimal point must lie on the ridge where the bounds on time and memory meet, which runs along m = T M. This reduces the search for the optimal solution by one dimension.

3 A new table structure with better results

The main limitation of the original scheme is the fact that when two chains collide in a single table they merge. We propose a new type of chains which can collide within the same table without merging. We call our chains rainbow chains. They use a successive reduction function for each point in the chain. They start with reduction function 1 and end with reduction function 1. Thus if two chains collide, they merge only if the collision appears at the same position in both chains. If the collision does not appear at the same position, both chains will continue with a different reduction function and will thus not merge. For chains of length, if a collision occurs, the chance of it being a merge is thus only 1. The probability of success within a single
table of size m is given by:

P table = 1 (1 m i ) (3) i=1 ( where m 1 = m and m n+1 = 1 e mn

The derivation of the success probability is given in the appendix. It is interesting to note that the success probability of rainbow tables can be directly compared to that of classical tables. Indeed the success probability of classical tables of size m is approximately equal to that of a single rainbow table of size m. In both cases the tables cover m 2 keys with different reduction functions. For each point a collision within a set of m keys ( a single classical table or a column in the rainbow table) results in a merge, whereas collisions with the remaining keys are not merges. The relation between tables of size m and a rainbow table is shown in Figure 2. The probabilities of success are compared in Figure 3. Note that the axes have been relabeled to create the same scale as with the classical case in Figure 1. Rainbow tables seem to have a slightly better probability of success but this may just be due to the fact that the success rate calculated in the former case is the exact expectation of the probability whereas in the latter case it is a lower bound.

To lookup a key in a rainbow table we proceed in the following manner: First we apply $R_{n-1}$ to the ciphertext and look up the result in the endpoints of the table. If we find the endpoint we know how to rebuild the chain using the corresponding starting point. If we don't find the endpoint, we try if we find it by applying $R_{n-2}$, $f_{n-1}$ to see if the key was in the second last column of the table. Then we try to apply $R_{n-3}$, $f_{n-2}$, $f_{n-1}$, and so forth. The total number of calculations we have to make is thus ( 1) 2. This is half as much as with the classical method. Indeed, we need 2 calculations to search the corresponding tables of size m.

Rainbow chains share some advantages of chains ending in distinguished points without suffering of their limitations:

- The number of table look-ups is reduced by a factor of compared to Hellman's original method.
- Merges of rainbow chains result in identical endpoints and are thus detectable, as with distinguished points.
  Rainbow chains can thus be used to generate merge-free tables. Note that in this case, the tables are not collision free.
- Rainbow chains have no loops, since each reduction function appears only once. This is better than loop detection and rejection as described before, because we don't spend time on following and then rejecting loops and the coverage of our chains is not reduced because of loops that can not be covered.
- Rainbow chains have a constant length whereas chains ending in distinguished points have a variable length. As we shall see in Section 4.1 this
  reduces the number of false alarms and the extra work due to false alarms. This effect can be much more important than the factor of two gained by the structure of the table.

Fig. 2. classic tables of size m on the left and one rainbow table of size m on the right. In both cases merges can occur within a group of m keys and a collision can occur with the remaining m( 1) keys. It takes half as many operations to look up a key in a rainbow table than in classic tables.

4 Experimental results

We have chosen cracking of MS Windows passwords as an example because it has a real-world significance and can be carried out on any standard workstation. The password hash we try to crack is the LanManager hash which is still supported by all versions of MS Windows for backward compatibility. The hash is generated by cutting a 14 character password into two chunks of seven characters. In each chunk, lower case characters are turned to upper case and then the chunk is used as a key to encrypt a fixed plain-text with DES. This yields two 8 byte hashes which are concatenated to form the 16 byte LanManager hash. Each half of the LanManager hash can thus be attacked separately and passwords of up to 14 alphanumerical characters generate only $2^{37}$ different 8 byte hashes (rather than byte hashes).
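The chain construction and right-to-left lookup of Section 3, together with the appendix's column-by-column success estimate, as a runnable toy (an added example, not the paper's code). Assumptions: SHA-256 over small integers stands in for the DES-based hash, and the reduction `R`, the salt and all parameter names and values are constructed for illustration; the salted call at the end shows why the precomputation only works when the hash is computed the same way for every password.

```python
import hashlib
import math

# Toy parameters chosen for this example (assumptions, not the paper's values).
KEYSPACE = 2048             # keys are the integers 0 .. KEYSPACE-1
CHAIN_LEN = 24              # links per chain = number of reduction functions
STARTS = list(range(128))   # one starting point per chain (table row)


def H(key, salt=b""):
    """Stand-in for enciphering the fixed plaintext under `key` (SHA-256 here)."""
    return hashlib.sha256(salt + key.to_bytes(4, "big")).digest()


def R(col, digest):
    """Reduction function number `col`: a different hash-to-key map per column."""
    return (int.from_bytes(digest[:8], "big") + col) % KEYSPACE


def f(col, key):
    """One chain link: encipher, then reduce with the column's own function."""
    return R(col, H(key))


def build_table(starts):
    """Store only endpoint -> starting points; merged chains share an endpoint."""
    table = {}
    for start in starts:
        key = start
        for col in range(CHAIN_LEN):
            key = f(col, key)
        table.setdefault(key, []).append(start)
    return table


def covered_keys(starts):
    """Every key that appears in some chain before its endpoint."""
    covered = set()
    for start in starts:
        key = start
        for col in range(CHAIN_LEN):
            covered.add(key)
            key = f(col, key)
    return covered


def lookup(table, target):
    """Search from the last column to the first.

    Returns (key or None, links computed while searching, false alarms).
    """
    search_ops = false_alarms = 0
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the key sits in column `col`: apply R_col, then f_(col+1) ...
        key = R(col, target)
        for j in range(col + 1, CHAIN_LEN):
            key = f(j, key)
            search_ops += 1
        for start in table.get(key, ()):
            # Endpoint matched: rebuild the chain only up to column `col`.
            cand = start
            for j in range(col):
                cand = f(j, cand)
            if H(cand) == target:
                return cand, search_ops, false_alarms
            false_alarms += 1
    return None, search_ops, false_alarms


def predicted_success(m, chain_len, keyspace):
    """Column-by-column occupancy estimate of the table's success rate."""
    miss, m_i = 1.0, float(m)
    for _ in range(chain_len):
        miss *= 1.0 - m_i / keyspace
        m_i = keyspace * (1.0 - math.exp(-m_i / keyspace))
    return 1.0 - miss


if __name__ == "__main__":
    table = build_table(STARTS)
    measured = len(covered_keys(STARTS)) / KEYSPACE
    predicted = predicted_success(len(STARTS), CHAIN_LEN, KEYSPACE)
    print(f"stored rows: {len(STARTS)}, distinct endpoints: {len(table)}")
    print(f"predicted coverage {predicted:.3f}, measured {measured:.3f}")
    secret = f(4, f(3, f(2, f(1, f(0, STARTS[7])))))   # key in column 5 of row 7
    print("unsalted hash:", lookup(table, H(secret)))
    # A per-user salt (constructed value) changes the function being inverted,
    # so the same precomputed table no longer matches anything.
    print("salted hash  :", lookup(table, H(secret, salt=b"constructed-salt")))
```

A failed lookup always computes CHAIN_LEN * (CHAIN_LEN - 1) / 2 chain links before any false-alarm work, which is the worst-case search cost described in Section 3.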
[Figure panel: Success > and min(memory <1.4GB, Time < 110)]
Fig. 3. Comparison of the success rate of classical tables and rainbow tables. The upper surface represents the constraint of 99.9% success with classical tables, the lower surface is the same constraint for rainbow tables. For rainbow tables the scale has been adjusted to allow a direct comparison of both types of tables m m, l l

Based on Figure 1 we have chosen the parameters for classic tables to be c = 4666, m c = 8192 and for rainbow tables to be r = 4666, m r = c m c = We have generated 4666 classic tables and one rainbow table and measured their success rate by cracking 500 random passwords on a standard workstation (P4 1.5GHz, 500MB RAM). The results are given in the table below:

                      classic with DP    rainbow
, m, l                4666, 8192, , , 1
predicted coverage    75.5%              77.5%
measured coverage     75.8%              78.8%

Table 1. Measured coverage for classic tables with distinguished points and for rainbow tables, after cracking of 500 password hashes

This experiment clearly shows that rainbow tables can achieve the same success rate with the same amount of data as classical tables. Knowing this, it is now interesting to compare the cryptanalysis time of both methods since rainbow tables should be twice as fast. In Table 2 we compare the mean cryptanalysis time, the mean number of hash operations per cryptanalysis and the mean number of false alarms per cryptanalysis.
What we see from table 2 is that our method is actually about 7 times faster than the original method. Indeed, each cryptanalysis incurs an average of 9.3M hash calculations with the improved method whereas the original method incurs 67.2M calculations. A factor of two is explained by the structure of the tables. The remaining speed-up is caused by the fact that there are more false alarms with distinguished points (2.8 times more in average) and that these false alarms generate more work. Both effects are due to the fact that with distinguished points, the length of the chains is not constant.

4.1 The importance of being constant

Fatal attraction: Variations in chain length introduce variations in merge probability. Within a given set of chains (e.g. one table) the longer chains will have more chances to merge with other chains than the short ones. Thus the merges will create larger trees of longer chains and smaller trees of shorter chains. This has a doubly negative effect when false alarms occur. False alarms will more probably happen with large trees because there are more possibilities to merge into a large tree than into a small one. A single merge into a large tree creates more false alarms since the tree contains more chains and all chains have to be generated to confirm the false alarm. Thus false alarms will not only tend to happen with longer chains, they will also tend to happen in larger sets.

Larger overhead: Additionally to the attraction effect of longer chains, the number of calculations needed to confirm a false alarm on variable length chains is larger than with constant length chains. When the length of a chain is not known the whole chain has to be regenerated to confirm the false alarm. With constant length chains we can count the number of calculations done to reach the end of a chain and then know exactly at what position to expect the key. We thus only have to generate a fraction of a chain to confirm the false alarm. Moreover, with rainbow chains, false alarms will occur more often when we look at the longer chains (i.e. starting at the columns more to the left of a table).
Fortunately, this is also where the part of the chain that has to be generated to confirm the false alarms is the shortest. Both these effects can be seen in Table 2 by looking at the number of endpoints found, the number of false alarms and the number of calculations per false alarm, in case of failure. With distinguished points each matching point generates about 4 false alarms and the mean length of the chains generated is about With rainbow chains there are only about 2.5 false alarms per endpoint found and only 1500 keys generated per false alarm.

The fact that longer chains yield more merges has been noted in  without mentioning that it increases the probability and overhead of false alarms. As a result, the authors propose to only use chains which are within a certain range of length. This reduces the problems due to the variation of length but it also reduces the coverage that can be achieved with one reduction function and increases the precalculation effort.
                                   classic with DP   rainbow   ratio
, m, l                             4666, 8192, , , 1 1
mean cryptanalysis time
  to success                       68.9s             9.37s     7.4
  to failure                       181.0s            26.0s     7.0
  average                          96.1s             12.9s     7.4
mean nbr of hash calculations
  to success                       48.3M             6.77M     7.1
  to failure                       126M              18.9M     6.7
  average                          67.2M             9.34M     7.2
mean nbr of searches
  to success
  to failure
  average
mean nbr of matching endpoints found
  to success
  to failure
  average
mean nbr of false alarms
  to success
  to failure
  average
mean nbr of hash calculations per false alarms
  to success
  to failure
  average

Table 2. statistics for classic tables with distinguished points and for rainbow tables

4.2 Increasing the gain even further

We have calculated the expected gain over classical tables by considering the worst case where a key has to be searched in all columns of a rainbow table and without counting the false alarms. While a rainbow table is searched from the amount of calculation increases quadratically from 1 to 2 1 2, whereas in classical tables it increases linearly to 2. If the key is found early, the gain may thus be much higher (up to a factor of ). This additional gain is partly set off by the fact that in rainbow tables, false alarms that occur in the beginning of the search, even if rarer, are the ones that generate the most overhead. Still, it should be possible to construct a (possibly pathological) case where rainbow tables have an arbitrary large gain over classical tables. One way of doing it is to require a success rate very close to 100% and a large. The examples in the literature often use a success rate of up to 80% with 1/3 tables of order of 1/3 chains of 1/3 points. Such a configuration can be replaced with a single rainbow table of order of 2/3 rows of 1/3 keys. For some applications a success rate of 80% may be sufficient, especially if there are several samples of ciphertext available and we
need to recover just any key. In our example of password recovery we are often interested in only one particular password (e.g. the administrator's password). In that case we would rather have a near perfect success rate. High success rates lead to configurations where the number of tables is several times larger than the length of the chains. Thus we end up having several rainbow tables (5 in our example). Using a high success rate yields a case where we typically will find the key early and we only rarely have to search all rows of all tables. To benefit from this fact we have to make sure that we do not search the five rainbow tables sequentially but that we first look up the last column of each table and then only move to the second last column of each table. Using this procedure we reach a gain of 12 when using five tables to reach 99.9% success rate compared to the gain of 7 we had with a single table and 78% success rate. More details are given in the next section.

4.3 Cracking Windows passwords in seconds

After having noticed that rainbow chains perform much better than classical ones, we have created a larger set of tables to achieve our goal of 99.9% success rate. The measurements on the first table show that we would need 4.45 tables of lines and 4666 columns. We have chosen to generate 5 tables of lines in order to have an integer number of tables and to respect the memory constraint of 1.4GB. On the other hand we have generated tables of 4666 columns and 7501 lines. The results are given in Table 3. We have cracked 500 passwords, with 100% success in both cases.

Columns: classic with DP | rainbow | ratio | rainbow sequential | ratio
, m, l                 4666, 7501, , 35M, , 35M, 5 1
cryptanalysis time     101.4s s 7.5
hash calculations      90.3M 7.4M M 7.6
false alarms (fa)
hashes per fa
effort spent on fa     80% 76% % 1.1
success rate           100% 100% 1 100% 1

Table 3. Cryptanalysis statistics with a set of tables yielding a success rate of 99.9%. From the middle column we see that rainbow tables need 12 times less calculations. The gain in cryptanalysis time is only 1.5 times better due to disk accesses.
On a workstation with 500MB of RAM a better gain in time (7.5) can be achieved by restricting the search to one rainbow table at a time (rainbow sequential).

From table 3 we see that rainbow tables need 12 times less calculations than classical tables with distinguished points. Unfortunately the gain in time is only a factor of 1.5. This is because we have to randomly access 1.4GB of data on a workstation that has 500MB of RAM. In the previous measurements with a
single table, the table would stay in the filesystem cache, which is not possible with five tables. Instead of upgrading the workstation to 1.5GB of RAM we chose to implement an approach where we search in each rainbow table sequentially. This allows us to illustrate the discussion from the end of the previous section. When we search the key in all tables simultaneously rather than sequentially, we work with shorter chains and thus generate less work (7.4M operations rather than 11.8M). Shorter chains also mean that we have less false alarms (1311 per key cracked, rather than 2773). But short chains also mean that calculations needed to confirm a false alarm are higher (4321 against 3080). It is interesting to note that in all cases, the calculations due to false alarms make about 75% of the cryptanalysis effort.

Looking at the generic parameters of the trade-off we also note that the precalculation of the tables has needed an effort about 10 times higher than calculating a full dictionary. The large effort is due to the probabilistic nature of the method and it could be reduced to three times a full dictionary if we would accept 90% success rate rather than 99.9%.

5 An outlook at perfect tables

Rainbow tables and classic tables with distinguished points both have the property that merging chains can be detected because of their identical endpoints. Since the tables have to be sorted by endpoint anyway, it seems very promising to create perfect tables by removing all chains that merge with chains that are already in the table. In the case of distinguished points we can even choose to retain the longest chain of a set of merging chains to maximise the coverage of the table. The success rate of rainbow tables and tables with distinguished points are easy to calculate, at least if we assume that chains with distinguished points have an average length of. In that case it is straightforward to see that a rainbow table of size m has the same success rate as tables of size m. Indeed, in the former case we have rows of m distinct keys where in the latter case we have tables containing m distinct keys each.
Ideally we would want to construct a single perfect table that covers the complete domain of keys. The challenge about perfect tables is to predict how many non-merging chains of length it is possible to generate. For rainbow chains this can be calculated in the same way as we calculate the success rate for non-perfect tables. Since we evaluate the number of distinct points in each column of the table, we need only look at the number of distinct points in the last column to know how many distinct chains there will be.

( ˆP table = 1 e m where m 1 = and m n+1 = 1 e mn ) (4)

For chains delimited by distinguished points, this calculation is far more complex. Because of the fatal attraction described above, the longer chains will be merged into large trees. Thus when eliminating merging chains we will eliminate
more longer chains than shorter ones. A single experiment with 16 million chains of length 4666 shows that after elimination of all merges (by keeping the longest chain), only 2% of the chains remain and their average length has decreased from 4666 to 386! To keep an average length of 4666 we have to eliminate 96% of the remaining chains to retain only the longest 4% (14060) of them.

The precalculation effort involved in generating maximum size perfect tables is prohibitive (). To be implementable a solution would use a set of tables which are smaller than the largest possible perfect tables. More advanced analysis of perfect tables is the focus of our current effort. We conjecture that because of the limited number of available non-merging chains, it might actually be more efficient to use near-perfect tables.

6 Conclusions

We have introduced a new way of generating precomputed data in Hellman's original cryptanalytic time-memory trade-off. Our optimisation has the same property as the use of distinguished points, namely that it reduces the number of table look-ups by a factor which is equal to the length of the chains. For an equivalent success rate our method reduces the number of calculations needed for cryptanalysis by a factor of two against the original method and by an even more important factor (12 in our experiment) against distinguished points. We have shown that the reason for this extra gain is the variable length of chains that are delimited by distinguished points which results in more false alarms and more overhead per false alarm. We conjecture that with different parameters (e.g. a higher success rate) the gain could be even much larger than the factor of 12 found in our experiment. These facts make our method a very attractive replacement for the original method improved with distinguished points.

The fact that our method yields chains that have a constant length also greatly simplifies the analysis of the method as compared to variable length chains using distinguished points.
It also avoids the extra precalculation effort which occurs when variable length chains have to be discarded because they have an inappropriate length or contain a loop. Constant length could even prove to be advantageous for hardware implementations.

Finally our experiment has demonstrated that the time-memory trade-off allows anybody owning a modern personal computer to break cryptographic systems which were believed to be secure when implemented years ago and which are still in use today. This goes to demonstrate the importance of phasing out old cryptographic systems when better systems exist to replace them. In particular, since memory has the same importance as processing speed for this type of attack, typical workstations benefit doubly from the progress of technology.

Acknowledgements

The author wishes to thank Maxime Mueller for implementing a first version of the experiment.
References

1. J. Borst, B. Preneel, and J. Vandewalle. On time-memory tradeoff between exhaustive key search and table precomputation. In P. H. N. de With and M. van der Schaar-Mitrea, editors, 19th Symp. on Information Theory in the Benelux, pages , Veldhoven (NL), Werkgemeenschap Informatie- en Communicatietheorie, Enschede (NL).
2. D.E. Denning. Cryptography and Data Security, page 100. Addison-Wesley,
3. Amos Fiat and Moni Naor. Rigorous time/space tradeoffs for inverting functions. In STOC 1991, pages ,
4. M. E. Hellman. A cryptanalytic time-memory trade off. IEEE Transactions on Information Theory, IT-26: ,
5. Kim and Matsumoto. Achieving higher success probability in time-memory tradeoff cryptanalysis without increasing memory size. TIEICE: IEICE Transactions on Communications/Electronics/Information and Systems,
6. Koji KUSUDA and Tsutomu MATSUMOTO. Optimization of time-memory tradeoff cryptanalysis and its application to DES, FEAL-32, and skipjack. IEICE Transactions on Fundamentals, E79-A(1):35-48, January
7. F.X. Standaert, G. Rouvroy, J.J. Quisquater, and J.D. Legat. A time-memory tradeoff using distinguished points: New analysis & FPGA results. In proceedings of CHES 2002, pages Springer Verlag,

Appendix

The success rate of a single rainbow table can be calculated by looking at each column of the table and treating it as a classical occupancy problem. We start with $m_1 = m$ distinct keys in the first column. In the second column the $m_1$ keys are randomly distributed over the keyspace of size, generating $m_2$ distinct keys:

( m 2 = (1 1 1 ) m1 ( ) 1 e m 1

Each column i has $m_i$ distinct keys. The success rate of the table is thus:

) P = 1 (1 m i ) i=1 where ( m 1 = m, m n+1 = 1 e mn )

The result is not in a closed form and has to be calculated numerically. This is no disadvantage against the success rate of classical tables since the large number of terms in the sum of that equation requires a numerical interpolation.

The same approach can be used to calculate the number of non-merging chains that can be generated.
Since merging chains are recognised by their identical endpoint, the number of distinct keys in the last column m is the number
of non-merging chains. The maximum number of chains can be reached when choosing every single key in the key space as a starting point.

( m 1 =, m n+1 = 1 e mn )

The success probability of a table with the maximum number of non-merging chains is:

ˆP = 1 (1 m ) 1 e m

Note that the effort to build such a table is.
TSG-RAN Working Group 1 (Radio Layer 1) meeing #3 Nynashamn, Sweden 22 nd 26 h March 1999 RAN TSGW1#3(99)196 Agenda Iem: 9.1 Source: Tile: Documen for: Moorola Macro-diversiy for he PRACH Discussion/Decision
USE OF EDUCATION TECHNOLOGY IN ENGLISH CLASSES Mehme Nuri GÖMLEKSİZ Absrac Using educaion echnology in classes helps eachers realize a beer and more effecive learning. In his sudy 150 English eachers were
R.L. Hanna Page HALF-LIFE EQUATIONS The basic equaion ; he saring poin ; : wrien for ime: x / where fracion of original maerial and / number of half-lives, and / log / o calculae he age (# ears): age (half-life)
Opion Pricing And Mone Carlo Simulaions George M. Jabbour, (Email: email@example.com), George Washingon Universiy Yi-Kang Liu, (firstname.lastname@example.org), George Washingon Universiy ABSTRACT The advanage of Mone Carlo
Principal componens of sock marke dynamics Mehodology and applicaions in brief o be updaed Andrei Bouzaev, email@example.com Why principal componens are needed Objecives undersand he evidence of more han one
Sock raing wih Recurren Reinforcemen Learning (RRL) CS9 Applicaion Projec Gabriel Molina, SUID 555783 I. INRODUCION One relaively new approach o financial raing is o use machine learning algorihms o preic
Inernaional Journal of Business and conomics, 26, Vol. 5, No. 3, 225-23 Opion Pu-all Pariy Relaions When he Underlying Securiy Pays Dividends Weiyu Guo Deparmen of Finance, Universiy of Nebraska Omaha,
CHAPTER 2 Double Enry Sysem of Accouning Sysem of Accouning \ The following are he main sysem of accouning for recording he business ransacions: (a) Cash Sysem of Accouning. (b) Mercanile or Accrual Sysem
Random Walk in -D Random walks appear in many cones: diffusion is a random walk process undersanding buffering, waiing imes, queuing more generally he heory of sochasic processes gambling choosing he bes
Auomaic measuremen and deecion of GSM inerferences Poor speech qualiy and dropped calls in GSM neworks may be caused by inerferences as a resul of high raffic load. The radio nework analyzers from Rohde
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING, 611-64 (006) Efficien One-ime Signaure Schemes for Sream Auhenicaion * YONGSU PARK AND YOOKUN CHO + College of Informaion and Communicaions Hanyang Universiy
Term Srucure of Prices of Asian Opions Jirô Akahori, Tsuomu Mikami, Kenji Yasuomi and Teruo Yokoa Dep. of Mahemaical Sciences, Risumeikan Universiy 1-1-1 Nojihigashi, Kusasu, Shiga 525-8577, Japan E-mail:
Price elasiciy of demand for crude oil: esimaes for 23 counries John C.B. Cooper Absrac This paper uses a muliple regression model derived from an adapaion of Nerlove s parial adjusmen model o esimae boh
Real-Time Scheduling Sysem Model Task is a schedulable eniy, i.e., a hread Time consrains of periodic ask T: - s: saring poin - e: processing ime of T - d: deadline of T - p: period of T Periodic ask T
Chaper 7. esponse of Firs-Order L and C Circuis 7.1. The Naural esponse of an L Circui 7.2. The Naural esponse of an C Circui 7.3. The ep esponse of L and C Circuis 7.4. A General oluion for ep and Naural
CALCULATION OF OMX TALLINN CALCULATION OF OMX TALLINN 1. OMX Tallinn index...3 2. Terms in use...3 3. Comuaion rules of OMX Tallinn...3 3.1. Oening, real-ime and closing value of he Index...3 3.2. Index
36 Invesmen Managemen and Financial Innovaions, 4/4 Marke Liquidiy and he Impacs of he Compuerized Trading Sysem: Evidence from he Sock Exchange of Thailand Sorasar Sukcharoensin 1, Pariyada Srisopisawa,
Acceleraion Lab Teacher s Guide Objecives:. Use graphs of disance vs. ime and velociy vs. ime o find acceleraion of a oy car.. Observe he relaionship beween he angle of an inclined plane and he acceleraion
REFERENCES RC Circuis: Elecrical Insrumens: Mos Inroducory Physics exs (e.g. A. Halliday and Resnick, Physics ; M. Sernheim and J. Kane, General Physics.) This Laboraory Manual: Commonly Used Insrumens:
SKF Documened Soluions Real world savings and we can prove i! How much can SKF save you? Le s do he numbers. The SKF Documened Soluions Program SKF is probably no he firs of your supplier parners o alk
Risk Modelling of Collaeralised Lending Dae: 4-11-2008 Number: 8/18 Inroducion This noe explains how i is possible o handle collaeralised lending wihin Risk Conroller. The approach draws on he faciliies
Marki Excess Reurn Credi Indices Guide for price based indices Sepember 2011 Marki Excess Reurn Credi Indices Guide for price based indices Conens Inroducion...3 Index Calculaion Mehodology...4 Semi-annual
Appendix D Flexibiliy Facor/Margin of Choice Deskop Research Cheshire Eas Council Cheshire Eas Employmen Land Review Conens D1 Flexibiliy Facor/Margin of Choice Deskop Research 2 Final Ocober 2012 \\GLOBAL.ARUP.COM\EUROPE\MANCHESTER\JOBS\200000\223489-00\4
IEEE Inernaional Conference on Mulimedia Compuing & Sysems, June 17-3, 1996, in Hiroshima, Japan, p. 151-155 Consan Lengh Rerieval for Video Servers wih Variable Bi Rae Sreams Erns Biersack, Frédéric Thiesse,
Absrac number: 05-0407 Single-machine Scheduling wih Periodic Mainenance and boh Preempive and Non-preempive jobs in Remanufacuring Sysem Liu Biyu hen Weida (School of Economics and Managemen Souheas Universiy
Working Paper No. 482 Ne Inergeneraional Transfers from an Increase in Social Securiy Benefis By Li Gan Texas A&M and NBER Guan Gong Shanghai Universiy of Finance and Economics Michael Hurd RAND Corporaion
Page 9 Design of Inducors and High Frequency Transformers Inducors sore energy, ransformers ransfer energy. This is he prime difference. The magneic cores are significanly differen for inducors and high
Chaper Kinemaics in One Dimension Chaper DESCRIBING MOTION:KINEMATICS IN ONE DIMENSION PREVIEW Kinemaics is he sudy of how hings moe how far (disance and displacemen), how fas (speed and elociy), and how
Chaper H Inducance and Transien Circuis Blinn College - Physics 2426 - Terry Honan As a consequence of Faraday's law a changing curren hrough one coil induces an EMF in anoher coil; his is known as muual
Recen Advances in Business Managemen and Markeing Analysis of Pricing and Efficiency Conrol Sraegy beween Inerne Reailer and Convenional Reailer HYUG RAE CHO 1, SUG MOO BAE and JOG HU PARK 3 Deparmen of
CLASSIFICATION OF REINSURANCE IN LIFE INSURANCE Kaarína Sakálová 1. Classificaions of reinsurance There are many differen ways in which reinsurance may be classified or disinguished. We will discuss briefly
House Price Index (HPI) The price index of second hand houses in Colombia (HPI), regisers annually and quarerly he evoluion of prices of his ype of dwelling. The calculaion is based on he repeaed sales
Reurn Calculaion of US Treasur Consan Mauri Indices Morningsar Mehodolog Paper Sepeber 30 008 008 Morningsar Inc All righs reserved The inforaion in his docuen is he proper of Morningsar Inc Reproducion
Saisical Analysis wih Lile s Law Supplemenary Maerial: More on he Call Cener Daa by Song-Hee Kim and Ward Whi Deparmen of Indusrial Engineering and Operaions Research Columbia Universiy, New York, NY 17-99
Name Dae Time o Complee h m Parner Course/ Secion / Grade RC, RL and RLC circuis Inroducion In his experimen we will invesigae he behavior of circuis conaining combinaions of resisors, capaciors, and inducors.
UNDERSTANDING THE DEATH BENEFIT SWITCH OPTION IN UNIVERSAL LIFE POLICIES Nadine Gazer Conac (has changed since iniial submission): Chair for Insurance Managemen Universiy of Erlangen-Nuremberg Lange Gasse
July 008 Esablishing Prefabricaed Wood I- Composie EI INTRODUCTION Composie (glued/nailed) floors are common in boh residenial and commercial consrucion, and have been successfully designed by Prefabricaed
Keldysh Formalism: Non-equilibrium Green s Funcion Jinshan Wu Deparmen of Physics & Asronomy, Universiy of Briish Columbia, Vancouver, B.C. Canada, V6T 1Z1 (Daed: November 28, 2005) A review of Non-equilibrium
Module 3 Design for Srengh Lesson 2 Sress Concenraion Insrucional Objecives A he end of his lesson, he sudens should be able o undersand Sress concenraion and he facors responsible. Deerminaion of sress
AGES 8+ C Fas-Dealing Propery Trading Game C Y Collecor s Ediion Original MONOPOLY Game Rules plus Special Rules for his Ediion. CONTENTS Game board, 6 Collecible okens, 28 Tile Deed cards, 16 Wha he Deuce?
Disribuing Human Resources among Sofware Developmen Proecs Macario Polo, María Dolores Maeos, Mario Piaini and rancisco Ruiz Summary This paper presens a mehod for esimaing he disribuion of human resources
Enropy: From he Bolzmann equaion o he Maxwell Bolzmann disribuion A formula o relae enropy o probabiliy Ofen i is a lo more useful o hink abou enropy in erms of he probabiliy wih which differen saes are
DDoS Aacks Deecion Model and is Applicaion 1, MUHAI LI, 1 MING LI, XIUYING JIANG 1 School of Informaion Science & Technology Eas China Normal Universiy No. 500, Dong-Chuan Road, Shanghai 0041, PR. China
Opimal Invesmen and Consumpion Decision of Family wih Life Insurance Minsuk Kwak 1 2 Yong Hyun Shin 3 U Jin Choi 4 6h World Congress of he Bachelier Finance Sociey Torono, Canada June 25, 2010 1 Speaker
Chaper 6: Business Valuaion (Income Approach) Cash flow deerminaion is one of he mos criical elemens o a business valuaion. Everyhing may be secondary. If cash flow is high, hen he value is high; if he
Quarerly Repor on he Euro Area 3/202 II.. Deb reducion and fiscal mulipliers The deerioraion of public finances in he firs years of he crisis has led mos Member Saes o adop sizeable consolidaion packages.
Presen Value Mehodology Econ 422 Invesmen, Capial & Finance Universiy of Washingon Eric Zivo Las updaed: April 11, 2010 Presen Value Concep Wealh in Fisher Model: W = Y 0 + Y 1 /(1+r) The consumer/producer
LEASNG VERSUSBUYNG Conribued by James D. Blum and LeRoy D. Brooks Assisan Professors of Business Adminisraion Deparmen of Business Adminisraion Universiy of Delaware Newark, Delaware The auhors discuss
ACTUARIAL FUNCTIONS _05 User Guide for MS Office 2007 or laer CONTENT Inroducion... 3 2 Insallaion procedure... 3 3 Demo Version and Acivaion... 5 4 Using formulas and synax... 7 5 Using he help... 6 Noaion...
DYNAMIC MODELS FOR VALUATION OF WRONGFUL DEATH PAYMENTS Hong Mao, Shanghai Second Polyechnic Universiy Krzyszof M. Osaszewski, Illinois Sae Universiy Youyu Zhang, Fudan Universiy ABSTRACT Liigaion, exper
A Direc Manipulaion Inerface for 3D Compuer Animaion Sco Sona Snibbe y Brown Universiy Deparmen of Compuer Science Providence, RI 02912, USA Absrac We presen a new se of inerface echniques for visualizing
5.8 Resonance 231 5.8 Resonance The sudy of vibraing mechanical sysems ends here wih he heory of pure and pracical resonance. Pure Resonance The noion of pure resonance in he differenial equaion (1) ()
Deparmen of Economics Discussion Paper 00-07 Muliple Srucural Breaks in he Nominal Ineres Rae and Inflaion in Canada and he Unied Saes Frank J. Akins, Universiy of Calgary Preliminary Draf February, 00
Improvemen of a Incas Avoidance Mehod for Daa Cener Neworks Kazuoshi Kajia, Shigeyuki Osada, Yukinobu Fukushima and Tokumi Yokohira The Graduae School of Naural Science and Technology, Okayama Universiy
Prof. Harris Dellas Advanced Macroeconomics Winer 2001/01 The Real Business Cycle paradigm The RBC model emphasizes supply (echnology) disurbances as he main source of macroeconomic flucuaions in a world
ISF 2002 23 rd o 26 h June 2002 Forecasing, Ordering and Sock- Holding for Erraic Demand Andrew Eaves Lancaser Universiy / Andalus Soluions Limied Inroducion Erraic and slow-moving demand Demand classificaion
PATHWISE PROPERTIES AND PERFORMANCE BOUNDS FOR A PERISHABLE INVENTORY SYSTEM WILLIAM L. COOPER Deparmen of Mechanical Engineering, Universiy of Minnesoa, 111 Church Sree S.E., Minneapolis, MN 55455 firstname.lastname@example.org
4. Inernaional ariy ondiions 4.1 urchasing ower ariy he urchasing ower ariy ( heory is one of he early heories of exchange rae deerminaion. his heory is based on he concep ha he demand for a counry's currency
Inroducion Chaper 14: Dynamic D-S dynamic model of aggregae and aggregae supply gives us more insigh ino how he economy works in he shor run. I is a simplified version of a DSGE model, used in cuing-edge
VII. THE FIRM'S INVESTMENT DECISION UNDER CERTAINTY: CAPITAL BUDGETING AND RANKING OF NEW INVESTMENT PROJECTS The mos imporan decisions for a firm's managemen are is invesmen decisions. While i is surely
Predicing Sock Marke Index Trading Using Neural Neworks C. D. Tilakarane, S. A. Morris, M. A. Mammadov, C. P. Hurs Cenre for Informaics and Applied Opimizaion School of Informaion Technology and Mahemaical
Model-Based Monioring in Large-Scale Disribued Sysems Diploma Thesis Carsen Reimann Chemniz Universiy of Technology Faculy of Compuer Science Operaing Sysem Group Advisors: Prof. Dr. Winfried Kalfa Dr.