1 Making a Faser Crypanalyic Time-Memory Trade-Off Philippe Oechslin Laboraoire de Securié e de Crypographie (LASEC) Ecole Polyechnique Fédérale de Lausanne Faculé I&C, 1015 Lausanne, Swizerland Absrac. In 1980 Marin Hellman described a crypanalyic ime-memory rade-off which reduces he ime of crypanalysis by using precalculaed daa sored in memory. This echnique was improved by Rives before 1982 wih he inroducion of disinguished poins which drasically reduces he number of memory lookups during crypanalysis. This improved echnique has been sudied exensively bu no new opimisaions have been published ever since. We propose a new way of precalculaing he daa which reduces by wo he number of calculaions needed during crypanalysis. Moreover, since he mehod does no make use of disinguished poins, i reduces he overhead due o he variable chain lengh, which again significanly reduces he number of calculaions. As an example we have implemened an aack on MS-Windows password hashes. Using 1.4GB of daa (wo CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2 37 ) in 13.6 seconds whereas i akes 101 seconds wih he curren approach using disinguished poins. We show ha he gain could be even much higher depending on he parameers used. Key words: ime-memory rade-off, crypanalysis, precompuaion, fixed plainex 1 Inroducion Crypanalyic aacks based on exhausive search need a lo of compuing power or a lo of ime o complee. When he same aack has o be carried ou muliple imes, i may be possible o execue he exhausive search in advance and sore all resuls in memory. Once his precompuaion is done, he aack can be carried ou almos insanly. Alas, his mehod is no pracicable because of he large amoun of memory needed. In  Hellman inroduced a mehod o rade memory agains aack ime. For a cryposysem having keys, his mehod can recover a key in 2/3 operaions using 2/3 words of memory. The ypical applicaion of his mehod is he recovery of a key when he plainex and he cipherex are known. One domain where his applies is in poorly designed daa encrypion sysem where an aacker can guess he firs few byes of daa (e.g.
2 2 #include <sdio.h> ). Anoher domain are password hashes. Many popular operaing sysems generae password hashes by encryping a fixed plainex wih he user s password as key and sore he resul as he password hash. Again, if he password hashing scheme is poorly designed, he plainex and he encrypion mehod will be he same for all passwords. In ha case, he password hashes can be calculaed in advance and can be subjeced o a ime-memory rade-off. The ime-memory rade-off (wih or wihou our improvemen) is a probabilisic mehod. Success is no guaraneed and he success rae depends on he ime and memory allocaed for crypanalysis. 1.1 The original mehod Given a fixed plainex P 0 and he corresponding cipherex C 0, he mehod ries o find he key k which was used o encipher he plainex using he cipher S. We hus have: C 0 = S k (P 0 ) We ry o generae all possible cipherexs in advance by enciphering he plainex wih all possible keys. The cipherexs are organised in chains whereby only he firs and he las elemen of a chain is sored in memory. Soring only he firs and las elemen of a chain is he operaion ha yields he rade-off (saving memory a he cos of crypanalysis ime). The chains are creaed using a reducion funcion R which creaes a key from a cipher ex. The cipher ex is longer ha he key, hence he reducion. By successively applying he cipher S and he reducion funcion R we can hus creae chains of alernaing keys and cipherexs. k i S ki (P 0) C i R(C i) k i+1 The succession of R(S k (P 0 )) is wrien f(k) and generaes a key from a key which leads o chains of keys: k i f ki+1 f ki+2... m chains of lengh are creaed and heir firs and las elemens are sored in a able. Given a cipherex C we can ry o find ou if he key used o generae C is among he ones used o generae he able. To do so, we generae a chain of keys saring wih R(C) and up o he lengh. If C was indeed obained wih a key used while creaing he able hen we will evenually generae he key ha maches he las key of he corresponding chain. Tha las key has been sored in memory ogeher wih he firs key of he chain. Using he firs key of he chain he whole chain can be regeneraed and in paricular he key ha comes jus before R(C). This is he key ha was used o generae C, which is he key we are looking for. Unforunaely here is a chance ha chains saring a differen keys collide and merge. This is due o he fac ha he funcion R is an arbirary reducion
3 3 of he space of cipherexs ino he space of keys. The larger a able is, he higher is he probabiliy ha a new chain merges wih a previous one. Each merge reduces he number of disinc keys which are acually covered by a able. The chance of finding a key by using a able of m rows of keys is given in he original paper  and is he following: P able 1 m 1 i=1 j=0 ( i ) j+1 1 (1) The efficiency of a single able rapidly decreases wih is size. To obain a high probabiliy of success i is beer o generae muliple ables using a differen reducion funcion for each able. The probabiliy of success using l ables is hen given by: P success m 1 i=1 j=0 ( 1 i l ) j+1 Chains of differen ables can collide bu will no merge since differen reducion funcions are applied in differen ables. (2) False alarms When searching for a key in a able, finding a maching endpoin does no imply ha he key is in he able. Indeed, he key may be par of a chain which has he same endpoin bu is no in he able. In ha case generaing he chain from he saved saring poin does no yield he key, which is referred o as a false alarm. False alarms also occur when a key is in a chain ha is par of he able bu which merges wih oher chains of he able. In ha case several saring poins correspond o he same endpoin and several chains may have o be generaed unil he key is finally found. 1.2 Exising work In  Rives suggess o use disinguished poins as endpoins for he chains. Disinguished poins are poins for which a simple crieria holds rue (e.g. he firs en bis of a key are zero). All endpoins sored in memory are disinguished poins. When given a firs cipherex, we can generae a chain of keys unil we find a disinguished poin and only hen look i up in he memory. This grealy reduces he number of memory lookups. All following publicaions use his opimisaion.  describes how o opimise he able parameers, m and l o minimise he oal cos of he mehod based on he coss of memory and of processing engines.  shows ha he parameers of he ables can be adjused such as o increase he probabiliy of success, wihou increasing he need for memory or he crypanalysis ime. This is acually a rade-off beween precompuaion ime and success rae. However, he success rae canno be arbirarily increased. Bors noes in  ha disinguished poins also have he following wo advanages:
4 4 They allow for loop deecion. If a disinguished poin is no found afer enumeraing a given number of keys (say, muliple imes heir average occurrence), hen he chain can be suspeced o conain a loop and be abandoned. The resul is ha all chains in he able are free of loops. Merges can easily be deeced since wo merging chains will have he same endpoin (he nex disinguished poin afer he merge). As he endpoins have o be sored anyway he merges are discovered wihou addiional cos.  sugges ha i is hus easy o generae collision free ables wihou significan overhead. Merging chains are simply hrown away and addiional chains are generaed o replace hem. Generaing merge free ables is ye anoher rade-off, namely a reducion of memory a he cos of exra precompuaion. Finally  noes ha all calculaions used in previous papers are based on Hellman s original mehod and ha he resuls may be differen when using disinguished poins due o he variaion of chain lengh. They presen a deailed analysis which is backed up by simulaion in a purpose-buil FPGA. A varian of Hellman s rade-off is presened by Fia and oar in . Alhough his rade-off is less efficien, i can be rigorously analysed and can provably inver any ype of funcion. 2 Resuls of he original mehod 2.1 Bounds and parameers There are hree parameers ha can be adjused in he ime-memory rade-off: he lengh of he chains, he number of chains per able m and he number of ables produced l. These parameers can be adjused o saisfy he bounds on memory M, crypanalysis ime T and success rae P success. The bound on success rae is given by equaion 2. The bound on memory M is given by he number of chains per able m, he number of ables l and he amoun of memory m 0 needed o sore a saring poin and an endpoin (8 byes in our experimens). The bound in ime T is given by he average lengh of he chains, he number of ables l and he rae 1 0 a which he plainex can be enciphered ( /s in our case). This bound corresponds o he wors case where all ables have o be searched bu i does no ake ino accoun he ime spen on false alarms. M = m l m 0 T = l 0 Figure 1 illusraes he bounds for he problem of cracking alphanumerical windows passwords (complexiy of 2 37 ). The surface on he op-lef graph is he bound on memory. Soluions saisfying he bound on memory lie below his surface. The surface on he boom-lef graph is he bound on ime and soluions also have o be below ha surface o saisfy he bound. The graph on he righ side shows he bound on success probabiliy of 99.9% and he combinaion of he wo previous bounds. To saisfy all hree bounds, he parameers of he
5 5 M < 1.4GB Success > 0.999, min(m <1.4GB, T < 220) l l m T < 220s 0 l m m Fig. 1. Soluion space for a success probabiliy of 99.9%, a memory size of 1.4GB and a maximum of 220 seconds in our sample problem. soluion mus lie below he proruding surface in he cenre of he graph (ime and memory consrains) and above he oher surface (success rae consrain). This figure nicely illusraes he conen of , namely ha he success rae can be improved wihou using more memory or more ime: all he poins on he ridge in he cenre of he graph saisfy boh he bound on crypanalysis ime and memory bu some of hem are furher away from he bound of success rae han ohers. Thus he success rae can be opimised while keeping he same amoun of daa and crypanalysis ime, which is he resul of . We can even go one sep furher han he auhors and sae ha he opimal poin mus lie on he ridge where he bounds on ime and memory mee, which runs along m = T M. This reduces he search for he opimal soluion by one dimension. 3 A new able srucure wih beer resuls The main limiaion of he original scheme is he fac ha when wo chains collide in a single able hey merge. We propose a new ype of chains which can collide wihin he same able wihou merging. We call our chains rainbow chains. They use a successive reducion funcion for each poin in he chain. They sar wih reducion funcion 1 and end wih reducion funcion 1. Thus if wo chains collide, hey merge only if he collision appears a he same posiion in boh chains. If he collision does no appear a he same posiion, boh chains will coninue wih a differen reducion funcion and will hus no merge. For chains of lengh, if a collision occurs, he chance of i being a merge is hus only 1. The probabiliy of success wihin a single
6 6 able of size m is given by: P able = 1 (1 m i ) (3) i=1 ( where m 1 = m and m n+1 = 1 e mn The derivaion of he success probabiliy is given in he appendix. I is ineresing o noe ha he success probabiliy of rainbow ables can be direcly compared o ha of classical ables. Indeed he success probabiliy of classical ables of size m is approximaely equal o ha of a single rainbow able of size m. In boh cases he ables cover m 2 keys wih differen reducion funcions. For each poin a collision wihin a se of m keys ( a single classical able or a column in he rainbow able) resuls in a merge, whereas collisions wih he remaining keys are no merges. The relaion beween ables of size m and a rainbow able is shown in Figure 2. The probabiliy of success are compared in Figure 3. oe ha he axes have been relabeled o creae he same scale as wih he classical case in Figure 1. Rainbow ables seem o have a slighly beer probabiliy of success bu his may jus be due o he fac ha he success rae calculaed in he former case is he exac expecaion of he probabiliy where as in he laer case i is a lower bound. To lookup a key in a rainbow able we proceed in he following manner: Firs we apply R n 1 o he cipherex and look up he resul in he endpoins of he able. If we find he endpoin we know how o rebuild he chain using he corresponding saring poin. If we don find he endpoin, we ry if we find i by applying R n 2, f n 1 o see if he key was in he second las column of he able. Then we ry o apply R n 3, f n 2, f n 1, and so forh. The oal number of calculaions we have o make is hus ( 1) 2. This is half as much as wih he classical mehod. Indeed, we need 2 calculaions o search he corresponding ables of size m. Rainbow chains share some advanages of chains ending in disinguished poins wihou suffering of heir limiaions: The number of able look-ups is reduced by a facor of compared o Hellman s original mehod. Merges of rainbow chains resul in idenical endpoins and are hus deecable, as wih disinguished poins. Rainbow chains can hus be used o generae merge-free ables. oe ha in his case, he ables are no collision free. Rainbow chains have no loops, since each reducion funcion appears only once. This is beer han loop deecion and rejecion as described before, because we don spend ime on following and hen rejecing loops and he coverage of our chains is no reduced because of loops han can no be covered. Rainbow chains have a consan lengh whereas chains ending in disinguished poins have a variable lengh. As we shall see in Secion 4.1 his )
7 7 m k1 1,1 m k 1 m,1 k2 1,1 m m k 2 m,1. k 1 1,1 k 1 f 1 m,1 k 1,1 k m,1 f 1 f 1 f 1 k 1 1, f 1 f 1 f 1 k 1 m, f 2 f 2 f 2 k 2 1, f 2 f 2 f 2 k 2 m,. f 1 f 1 f 1 k 1 1, f 1 f 1 k 1 m, f f f k 1, f f f k m, m f k 1 f 2 f 1 1,1 k 1, f k 1 f 2 f 1 m,1 k m, Fig. 2. classic ables of size m on he lef and one rainbow able of size m on he righ. In boh cases merges can occur wihin a group of m keys and a collision can occur wih he remaining m( 1) keys. I akes half as many operaions o look up a key in a rainbow able han in classic ables. reduces he number of false alarms and he exra work due o false alarms. This effec can be much more imporan ha he facor of wo gained by he srucure of he able. 4 Experimenal resuls We have chosen cracking of MS Windows passwords as an example because i has a real-world significance and can be carried ou on any sandard worksaion. The password hash we ry o crack is he LanManager hash which is sill suppored by all versions of MS Windows for backward compaibiliy. The hash is generaed by cuing a 14 characers password ino wo chunks of seven characers. In each chunk, lower case characers are urned o upper case and hen he chunk is used as a key o encryp a fixed plain-ex wih DES. This yields wo 8 bye hashes which are concaenaed o form he 16 bye LanManager hash. Each halves of he LanManager hash can hus be aacked separaely and passwords of up o 14 alphanumerical generae only 2 37 differen 8 bye hashes (raher han bye hashes).
8 8 Success > and min(memory <1.4GB, Time < 110) l m Fig. 3. Comparison of he success rae of classical ables and rainbow ables. The upper surface represens he consrain of 99.9% success wih classical ables, he lower surface is he same consrain for rainbow ables. For rainbow ables he scale has been adjused o allow a direc comparison of boh ypes of ables m m, l l Based on Figure 1 we have chosen he parameers for classic ables o be c = 4666, m c = 8192 and for rainbow ables o be r = 4666, m r = c m c = We have generaed 4666 classic ables and one rainbow able and measured heir success rae by cracking 500 random passwords on a sandard worksaion (P4 1.5GHz, 500MB RAM). The resuls are given in he able below: classic wih DP rainbow, m, l 4666, 8192, , , 1 prediced coverage 75.5% 77.5% measured coverage 75.8% 78.8% Table 1. Measured coverage for classic ables wih disinguished poins and for rainbow ables, afer cracking of 500 password hashes This experimen clearly shows ha rainbow ables can achieve he same success rae wih he same amoun of daa as classical ables. Knowing his, i is now ineresing o compare he crypanalysis ime of boh mehods since rainbow ables should be wice as fas. In Table 2 we compare he mean crypanalysis ime, he mean number of hash operaions per crypanalysis and he mean number of false alarms per crypanalysis.
9 9 Wha we see from able 2 is ha our mehod is acually abou 7 imes faser han he original mehod. Indeed, each crypanalysis incurs an average of 9.3M hash calculaions wih he improved mehod whereas he original mehod incurs 67.2M calculaions. A facor of wo is explained by he srucure of he ables. The remaining speed-up is caused by he fac ha here are more false alarms wih disinguished poins (2.8 imes more in average) and ha hese false alarms generae more work. Boh effecs are due o he fac ha wih disinguished poins, he lengh of he chains is no consan. 4.1 The imporance of being consan Faal aracion: Variaions in chain lengh inroduce variaions in merge probabiliy. Wihin a given se of chains (e.g. one able) he longer chains will have more chances o merge wih oher chains han he shor ones. Thus he merges will creae larger rees of longer chains and smaller rees of shorer chains. This has a doubly negaive effec when false alarms occur. False alarm will more probably happen wih large rees because here are more possibiliies o merge ino a large ree han ino a small one. A single merge ino a large ree creaes more false alarms since he ree conains more chains and all chains have o be generaed o confirm he false alarm. Thus false alarms will no only end o happen wih longer chains, hey will also end o happen in larger ses. Larger overhead: Addiionally o he aracion effec of longer chains, he number of calculaions needed o confirm a false alarm on a variable lengh chains is larger han wih consan lengh chains. When he lengh of a chain is no known he whole chain has o be regeneraed o confirm he false alarm. Wih consan lengh chains we can coun he number of calculaions done o reach he end of a chain and hen know exacly a wha posiion o expec he key. We hus only have o generae a fracion of a chain o confirm he false alarm. Moreover, wih rainbow chains, false alarms will occur more ofen when we look a he longer chains (i.e. saring a he columns more o he lef of a able). Forunaely, his is also where he par of he chain ha has o be generaed o confirm he false alarms is he shores. Boh hese effecs can be seen in Table 2 by looking a he number of endpoins found, he number of false alarms and he number of calculaions per false alarm, in case of failure. Wih disinguished poins each maching poin generaes abou 4 false alarms and he mean lengh of he chains generaed is abou Wih rainbow chains here are only abou 2.5 false alarms per endpoin found and only 1500 keys generaed per false alarm. The fac ha longer chains yield more merges has been noed in  wihou menioning ha i increases he probabiliy and overhead of false alarms. As a resul, he auhors propose o only use chains which are wihin a cerain range of lengh. This reduces he problems due o he variaion of lengh bu i also reduces he coverage ha can be achieved wih one reducion funcion and increases he precalculaion effor.
10 10 classic wih DP rainbow raio, m, l 4666, 8192, , , 1 1 mean crypanalysis ime o success 68.9s 9.37s 7.4 o failure 181.0s 26.0s 7.0 average 96.1s 12.9s 7.4 mean nbr of hash calculaions o success 48.3M 6.77M 7.1 o failure 126M 18.9M 6.7 average 67.2M 9.34M 7.2 mean nbr of searches o success o failure average mean nbr of maching endpoins found o success o failure average mean nbr of false alarms o success o failure average mean nbr of hash calculaions per false alarms o success o failure average Table 2. saisics for classic ables wih disinguished poins and for rainbow ables 4.2 Increasing he gain even furher We have calculaed he expeced gain over classical ables by considering he wors case where a key has o be searched in all columns of a rainbow able and wihou couning he false alarms. While a rainbow able is searched from he amoun of calculaion increases quadraicly from 1 o 2 1 2, whereas in classical ables i increases linearly o 2. If he key is found early, he gain may hus be much higher (up o a facor of ). This addiional gain is parly se off by he fac ha in rainbow ables, false alarms ha occur in he beginning of he search, even if rarer, are he ones ha generae he mos overhead. Sill, i should be possible o consruc a (possibly pahological) case where rainbow ables have an arbirary large gain over classical ables. One way of doing i is o require a success rae very close o 100% and a large. The examples in he lieraure ofen use a success rae of up o 80% wih 1/3 ables of order of 1/3 chains of 1/3 poins. Such a configuraion can be replaced wih a single rainbow able of order of 2/3 rows of 1/3 keys. For some applicaions a success rae of 80% may be sufficien, especially if here are several samples of cipherex available and we
11 11 need o recover jus any key. In our example of password recovery we are ofen ineresed in only one paricular password (e.g. he adminisraor s password). In ha case we would raher have a near perfec success rae. High success raes lead o configuraions where he number of ables is several imes larger han he lengh of he chains. Thus we end up having several rainbow ables (5 in our example). Using a high success rae yields a case were we ypically will find he key early and we only rarely have o search all rows of all ables. To benefi from his fac we have o make sure ha we do no search he five rainbow ables sequenially bu ha we firs look up he las column of each able and hen only move o he second las column of each able. Using his procedure we reach a gain of 12 when using five ables o reach 99.9% success rae compared o he gain of 7 we had wih a single able and 78% success rae. More deails are given in he nex secion. 4.3 Cracking Windows passwords in seconds Afer having noiced ha rainbow chains perform much beer han classical ones, we have creaed a larger se of ables o achieve our goal of 99.9% success rae. The measuremens on he firs able show ha we would need 4.45 ables of lines and 4666 columns. We have chosen o generae 5 ables of lines in order o have an ineger number of ables and o respec he memory consrain of 1.4GB. On he oher hand we have generaed ables of 4666 columns and 7501 lines. The resuls are given in Table 3. We have cracked 500 passwords, wih 100% success in boh cases. classic wih DP rainbow raio rainbow sequenial raio, m, l 4666, 7501, , 35M, , 35M, 5 1 crypanalysis ime 101.4s s 7.5 hash calculaions 90.3M 7.4M M 7.6 false alarms (fa) hashes per fa effor spen on fa 80% 76% % 1.1 success rae 100% 100% 1 100% 1 Table 3. Crypanalysis saisics wih a se of ables yielding a success rae of 99.9%. From he middle column we see ha rainbow ables need 12 imes less calculaions. The gain in crypanalysis ime is only 1.5 imes beer due o disk accesses. On a worksaion wih 500MB of RAM a beer gain in ime (7.5) can be achieved by resricing he search o one rainbow able a a ime (rainbow sequenial). From able 3 we see ha rainbow ables need 12 imes less calculaions han classical ables wih disinguished poins. Unforunaely he gain in ime is only a facor of 1.5. This is because we have o randomly access 1.4GB of daa on a worksaion ha has 500MB of RAM. In he previous measuremens wih a
12 12 single able, he able would say in he filesysem cache, which is no possible wih five ables. Insead of upgrading he worksaion o 1.5GB of RAM we chose o implemen an approach where we search in each rainbow able sequenially. This allows us o illusrae he discussion from he end of he previous secion. When we search he key in all ables simulaneously raher han sequenially, we work wih shorer chains and hus generae less work (7.4M operaions raher han 11.8M). Shorer chains also mean ha we have less false alarms (1311 per key cracked, raher han 2773). Bu shor chains also mean ha calculaions needed o confirm a false alarm are higher (4321 agains 3080). I is ineresing o noe ha in all cases, he calculaions due o false alarms make abou 75% of he crypanalysis effor. Looking a he generic parameers of he rade-off we also noe ha he precalculaion of he ables has needed an effor abou 10 imes higher han calculaing a full dicionary. The large effor is due o he probabilisic naure of he mehod and i could be reduced o hree imes a full dicionary if we would accep 90% success rae raher ha han 99.9%. 5 An oulook a perfec ables Rainbow ables and classic ables wih disinguished poins boh have he propery ha merging chains can be deeced because of heir idenical endpoins. Since he ables have o be sored by endpoin anyway, i seems very promising o creae perfec ables by removing all chains ha merge wih chains ha are already in he able. In he case of disinguished poins we can even choose o reain he longes chain of a se of merging chains o maximise he coverage of he able. The success rae of rainbow ables and ables wih disinguished poins are easy o calculae, a leas if we assume ha chains wih disinguished poins have a average lengh of. In ha case i is sraigh forward o see ha a rainbow able of size m has he same success rae han ables of size m. Indeed, in he former case we have rows of m disinc keys where in he laer case we have ables conaining m disinc keys each. Ideally we would wan o consruc a single perfec able ha covers he complee domain of keys. The challenge abou perfec ables is o predic how many non-merging chains of lengh i is possible o generae. For rainbow chains his can be calculaed in he same way as we calculae he success rae for non-perfec ables. Since we evaluae he number of disinc poins in each column of he able, we need only look a he number of disinc poins in he las column o know how many disinc chains here will be. ( ˆP able = 1 e m where m 1 = and m n+1 = 1 e mn ) (4) For chains delimied by disinguished poins, his calculaion is far more complex. Because of he faal aracion described above, he longer chains will be merged ino large rees. Thus when eliminaing merging chains we will eliminae
13 13 more longer chains han shorer ones. A single experimen wih 16 million chains of lengh 4666 shows ha afer eliminaion of all merges (by keeping he longes chain), only 2% of he chains remain and heir average lengh has decreased from 4666 o 386! To keep an average lengh of 4666 we have o eliminae 96% of he remaining chains o reain only he longes 4% (14060) of hem. The precalculaion effor involved in generaing maximum size perfec ables is prohibiive (). To be implemenable a soluion would use a se of ables which are smaller han he larges possible perfec ables. More advanced analysis of perfec ables is he focus of our curren effor. We conjecure ha because of he limied number of available non-merging chains, i migh acually be more efficien o use near-perfec ables. 6 Conclusions We have inroduced a new way of generaing precompued daa in Hellman s original crypanalyic ime-memory rade-off. Our opimisaion has he same propery as he use of disinguished poins, namely ha i reduces he number of able look-ups by a facor which is equal o he lengh of he chains. For an equivalen success rae our mehod reduces he number of calculaions needed for crypanalysis by a facor of wo agains he original mehod and by an even more imporan facor (12 in our experimen) agains disinguished poins. We have shown ha he reason for his exra gain is he variable lengh of chains ha are delimied by disinguished poins which resuls in more false alarms and more overhead per false alarm. We conjecure ha wih differen parameers (e.g. a higher success rae) he gain could be even much larger han he facor of 12 found in our experimen. These facs make our mehod a very aracive replacemen for he original mehod improved wih disinguished poins. The fac ha our mehod yields chains ha have a consan lengh also grealy simplifies he analysis of he mehod as compared o variable lengh chains using disinguished poins. I also avoids he exra precalculaion effor which occurs when variable lengh chains have o be discarded because hey have an inappropriae lengh or conain a loop. Consan lengh could even prove o be advanageous for hardware implemenaions. Finally our experimen has demonsraed ha he ime-memory rade-off allows anybody owning a modern personal compuer o break crypographic sysems which were believed o be secure when implemened years ago and which are sill in use oday. This goes o demonsrae he imporance of phasing ou old crypographic sysems when beer sysems exis o replace hem. In paricular, since memory has he same imporance as processing speed for his ype of aack, ypical worksaions benefi doubly from he progress of echnology. Acknowledgemens The auhor wishes o hank Maxime Mueller for implemening a firs version of he experimen.
14 14 References 1. J. Bors, B. Preneel, and J. Vandewalle. On ime-memory radeoff beween exhausive key search and able precompuaion. In P. H.. de Wih and M. van der Schaar-Mirea, ediors, 19h Symp. on Informaion Theory in he Benelux, pages , Veldhoven (L), Werkgemeenschap Informaie- en Communicaieheorie, Enschede (L). 2. D.E. Denning. Crypography and Daa Securiy, page 100. Addison-Wesley, Amos Fia and Moni aor. Rigorous ime/space radeoffs for invering funcions. In STOC 1991, pages , M. E. Hellman. A crypanalyic ime-memory rade off. IEEE Transacions on Informaion Theory, IT-26: , Kim and Masumoo. Achieving higher success probabiliy in ime-memory radeoff crypanalysis wihou increasing memory size. TIEICE: IEICE Transacions on Communicaions/Elecronics/Informaion and Sysems, Koji KUSUDA and Tsuomu MATSUMOTO. Opimizaion of ime-memory radeoff crypanalysis and is applicaion o DES, FEAL-32, and skipjack. IEICE Transacions on Fundamenals, E79-A(1):35 48, January F.X. Sandaer, G. Rouvroy, J.J. Quisquaer, and J.D. Lega. A ime-memory radeoff using disinguished poins: ew analysis & FPGA resuls. In proceedings of CHES 2002, pages Springer Verlag, Appendix The success rae of a single rainbow able can be calculaed by looking a each column of he able and reaing i as a classical occupancy problem. We sar wih m 1 = m disinc keys in he firs column. In he second column he m 1 keys are randomly disribued over he keyspace of size, generaing m 2 disinc keys: ( m 2 = (1 1 1 ) m1 ( ) 1 e m 1 Each column i has m i disinc keys. The success rae of he able is hus: ) P = 1 (1 m i ) i=1 where ( m 1 = m, m n+1 = 1 e mn ) The resul is no in a closed form and has o be calculaed numerically. This is no disadvanage agains he success rae of classical ables since he large number of erms in he sum of ha equaion requires a numerical inerpolaion. The same approach can be used o calculae he number of non-merging chains ha can be generaed. Since merging chains are recognised by heir idenical endpoin, he number of disinc keys in he las column m is he number
15 15 of non-merging chains. The maximum number of chains can be reached when choosing every single key in he key space as a saring poin. ( m 1 =, m n+1 = 1 e mn ) The success probabiliy of a able wih he maximum number of non-merging chains is: ˆP = 1 (1 m ) 1 e m oe ha he effor o build such a able is.