TimeMemory TradeOffs: False Alarm Detection Using Checkpoints


 Nickolas Gallagher
 1 years ago
 Views:
Transcription
1 TimeMemory TradeOs: False Alarm Detection Using Checkpoints Gildas Avoine 1, Pascal Junod 2, and Philippe Oechslin 1,3 1 EPFL, Lausanne, Switzerland 2 Nagravision SA (Kudelski Group), Switzerland 3 Objecti Sécurité, Gland, Switzerland Abstract. Since the original publication o Martin Hellman s cryptanalytic timememory tradeo, a ew improvements on the method have been suggested. In all these variants, the cryptanalysis time decreases with the square o the available memory. However, a large amount o work is wasted during the cryptanalysis process due to socalled alse alarms. In this paper we present a method o detection o alse alarms which signiicantly reduces the cryptanalysis time while using a minute amount o memory. Our method, based on checkpoints, reduces the time by much more than the square o the additional memory used, e.g., an increase o 0.89% o memory yields a 10.99% increase in perormance. Beyond this practical improvement, checkpoints constitute a novel approach which has not yet been exploited and may lead to other interesting results. In this paper, we also present theoretical analysis o timememory tradeos, and give a complete characterization o the variant based on rainbow tables. Key words: timememory tradeo, cryptanalysis, precomputation 1 Introduction Many cryptanalytic problems can be solved in theory using an exhaustive search in the key space, but are still hard to solve in practice because each new instance o the problem requires to restart the process rom scratch. The basic idea o a timememory tradeo is to carry out an exhaustive search once or all such that ollowing instances o the problem become easier to solve. Thus, i there are N possible solutions to a given problem, a timememory tradeo can solve it with T units o time and M units o memory. In the methods we are looking at T is proportional to N 2 /M 2 and a typical setting is T = M = N 2/3. The cryptanalytic timememory tradeo has been introduced in 1980 by Hellman [8] and applied to DES. Given a plaintext P and a ciphertext C, the problem consists in recovering the key K such that C = S K (P ) where S is an encryption unction assumed to ollow the behavior o a random unction. Encrypting P under all possible keys and storing each corresponding ciphertext
2 allows or immediate cryptanalysis but needs N elements o memory. The idea o a tradeo is to use chains o keys. It is achieved thanks to a reduction unction R which generates a key rom a ciphertext. Using S and R, chains o alternating ciphertexts and keys can thus be generated. The key point is that only the irst and the last element o each chain are stored. In order to retrieve K, a chain is generated rom C. I at some point it yields a stored end o chain, then the entire chain is regenerated rom its starting point. However, inding a matching end o chain does not necessarily imply that the key will be ound in the regenerated chain. There exist situations where the chain that has been generated rom C merges with a chain that is stored in the memory which does not contains K. This situation is called a alse alarm. Matsumoto, with Kusuda [10] in 1996 and with Kim [9] in 1999, gave a more precise analysis o the parameters o the tradeo. In 1991, Fiat and Naor [6, 7] showed that there exist cryptographically sound oneway unctions that cannot be inverted with such a tradeo. Since the original work o Hellman, several improvements have been proposed. In 1982, Rivest [5] suggested an optimization based on distinguished points (DP) which greatly reduces the amount o lookup operations which are needed to detect a matching end point in the table. Distinguished points are keys (or ciphertexts) that satisy a given criterion, e.g., the last n bits are all zero. In this variant, chains are not generated with a given length but they stop at the irst occurrence o a distinguished point. This greatly simpliies the cryptanalysis. Indeed, instead o looking up in the table each time a key is generated on the chain rom C, keys are generated until a distinguished point is ound and only then a lookup is carried out in the table. I the average length o the chains is t, this optimization reduces the amount o lookups by a actor t. Because merging chains signiicantly degrades the eiciency o the tradeo, Borst, Preneel, and Vandewalle [4] suggested in 1998 to clean the tables by discarding the merging and cycling chains. This new kind o tables, called perect table, substantially decreases the required memory. Later, Standaert, Rouvroy, Quisquater, and Legat [14] dealt with a more realistic analysis o distinguished points and also proposed an FPGA implementation applied to DES with 40bit keys. Distinguished points can also be used to detect collisions when a unction is iterated, as proposed by Quisquater and Delescaille [13], and van Oorschot and Wiener [15]. In 2003, Oechslin [12] introduced the tradeo based on rainbow tables and demonstrated the eiciency o his technique by recovering Windows passwords. A rainbow table uses a dierent reduction unction or each column o the table. Thus two dierent chains can merge only i they have the same key at the same position o the chain. This makes it possible to generate much larger tables. Actually, a rainbow table acts almost as i each column o the table was a separate single classic 4 table. Indeed, collisions within a classic table (or a column o a rainbow table) lead to merges whereas collisions between dierent classic tables (or dierent columns o a rainbow table) do not lead to a merge. This analogy can be used to demonstrate that a rainbow table o mt chains o length t has 4 By classic we mean the tables as described in the original Hellman paper.
3 the same success rate as t single classic tables o m chains o length t. As the tradeo based on distinguished point, rainbow tables reduce the amount o lookups by a actor o t, compared to the classic tradeo. Up until now, tradeo techniques based on rainbow tables are the most eicient ones. Recently, an FPGA implementation o rainbow tables has been proposed by Mentens, Batina, Preneel, and Verbauwhede [11] in order to retrieve Unix passwords. Whether it is the classic Hellman tradeo, the distinguished points or the rainbow tables, they all suer rom a signiicant quantity o alse alarms. Contrarily to what is claimed in the original Hellman paper, alse alarms may increase the time complexity o the cryptanalysis by more than 50%. We will explain this point below. In this paper, we propose a technique whose goal is to reduce the time spent to detect alse alarms. It works with the classic tradeo, with distinguished points, and with rainbow tables. Such an improvement is especially pertinent in practical cryptanalysis, where timememory tradeos are generally used to avoid to repeat an exhaustive search many times. For example, when several passwords must be cracked [12], each o them should not take more than a ew seconds. In [1], the rainbow tables are used to speed up the search process in a special database. In such a commercial application, time is money, and thereore any improvement o timememory tradeo also. In Section 2, we give a rough idea o our technique based on checkpoints. We provide in Section 3 a detailed and ormal analysis o the rainbow tables. These new results allow to ormally compute the probability o success, the computation time, and the optimal size o the tables. Based on this analysis we can describe and evaluate our checkpoint technique in detail. We illustrate our method by cracking Windows passwords based on DES. In Section 4, we show how a tradeo can be characterized in general. This leads to the comparison o the three existing variants o tradeo. Finally, we give in Section 5 several implementation tips which signiicantly improve the tradeo in practice. 2 Checkpoint Primer 2.1 False Alarms When the precalculation phase is achieved, a table containing m starting points S 1,..., S m and m end points E 1,..., E m is stored in memory. This table can be regenerated by iterating the unction, deined by (K) := R(S K (P )), on the starting points. Given a row j, let X j,i+1 := (X j,i ) be the ith iteration o on S j and E j := X j,t. We have: S 1 = X 1,1 X1,2 X1,3... X1,t = E 1 S 2 = X 2,1 X2,2 X2,3... X2,t = E 2.. S m = X m,1 Xm,2 Xm,3... Xm,t = E m
4 In order to increase the probability o success, i.e., the probability that K appears in the stored values, several tables with dierent reduction unctions are generated. Given a ciphertext C = S K (P ), the online phase o the cryptanalysis works as ollows: R is applied on C in order to obtain a key Y 1, and then the unction is iterated on Y 1 until matching any E j. Let s be the length o the generated chain rom Y 1 : C R Y 1 Y2... Ys Then the chain ending with E j is regenerated rom S j until yielding the expected key K. Unortunately K is not in the explored chain in most o the cases. Such a case occurs when R collides: the chain generated rom Y 1 merged with the chain regenerated rom S j ater the column where Y 1 is. That is a alse alarm, which requires (t s) encryptions to be detected. Hellman [8] points out that the expected computation due to alse alarms increases the expected computation by at most 50 percent. This reasoning relies on the act that, or any i, i (Y 1 ) is computed by iterating i times. However i (Y 1 ) should be computed rom Y i because i (Y 1 ) = (Y i ). In this case, the computation time required to reach a chain s end is signiicantly reduced on average while the computation time required to rule out alse alarms stays the same. Thereore, alse alarms can increase by more than 50 percent the expected computation. For example, ormulas given in Section 3 allow to determine the computation wasted during the recovering o Windows passwords [12]: alse alarms increase by 125% the expected computation. 2.2 Ruling Out False Alarms Using Checkpoints Our idea consists in deining a set o positions α i in the chains to be checkpoints. We calculate the value o a given unction G or each checkpoint o each chain j and store these G(X j,αi ) with the end o each chain X j,t. During the online phase, when we generate Y 1, Y 2,..., Y s, we also calculate the values or G at each checkpoint, yielding the values G(Y αi +s t). I Y s matches the end o a chain that we have stored, we compare the values o G or each checkpoint that the chain Y has gone through with the values stored in the table. I they dier at least or one checkpoint we know that this is a alse alarm. I they are identical, we cannot determine i a alse alarm will occur without regenerating the chain. In order to be eicient, G should be easily computable and the storage o its output should require ew bits. Below, we consider the unction G such that G(X) simply outputs the less signiicant bit o X. Thus we have: Pr{G(X j,α ) G(Y α+s t ) X j,α Y α+s t } = 1 ( 1 1 ) K 2. The case X j,α Y α+s t occurs when the merge appears ater the column α (Fig 1). The case X j,α = Y α+s t occurs when either K appears in the regenerated chain or the merge occurs beore the column α (Fig. 2).
5 S j checkpoint X j,α E j S j checkpoint X j,α E j Y s Y α+s t Y s Y α+s t Y 1 Y 1 Fig. 1. False alarm detected with probability 1/2 Fig. 2. False alarm not detected In the next section we will analyze the perormances o perect rainbow tables in detail. Then, we will introduce the checkpoint concept in rainbow tables and analyze both theoretical and practical results. 3 Perect Rainbow Tables and Checkpoints 3.1 Perect Tables The key to an eicient tradeo is to ensure that the available memory is used most eiciently. Thus we want to avoid the use o memory to store chains that contain elements which are already part o other chains. To do so, we irst generate more chains than we actually need. Then we search or merges and remove chains until there are no merges. The resulting tables are called perect tables. They have been introduced by [4] and analyzed by [14]. Creating perect rainbow and DP tables is easy since merging chains can be recognized by their identical end points. Since end points need to be sorted to acilitate the lookups, identiying the merges comes or ree. Classic chains do not have this advantage. Every single element o every classic chain that is generated has to be looked up in all elements o all chains o the same table. This requires mtl lookups in total where l is the number o stored tables. A more eicient method o generating perect classic tables is described in [2] Perect classic and DP tables are made o unique elements. In perect rainbow tables, no element appears twice in any given column, but it may appear more than once across dierent columns. This is consistent with the view that each column o a rainbow table acts like a single classic table. In all variants o the tradeo, there is a limit to the size o the perect tables that can be generated. The bruteorce way o inding the maximum number o chains o given length t that will not merge is to generate a chain rom each o the N possible keys and remove the merges. In the ollowing sections, we will consider perect tables only. 3.2 Optimal Coniguration From [12], we know that the success rate o a single unperect rainbow table is 1 t ( i=1 1 m i ) N where mi is the number o dierent keys in column i. With
6 perect rainbow tables, we have m i = m or all i s.t. 1 i t. The success rate o a single perect rainbow table is thereore ( P rainbow = 1 1 m ) t. (1) N The astest cryptanalysis time is reached by using the largest possible perect tables. This reduces the amount o duplicate inormation stored in the table and reduces the number o tables that have to be searched. For a given chain length t, the maximum number m max (t) o rainbow chains that can be generated without merges is obtained (see [12]) by calculating the number o independent elements at column t i we start with N elements in the irst column. Thus we have m max (t) = m t ( where m 1 = N and m n+1 = N 1 e mn N For non small t we can ind a closed orm or m max (see [2]): m max (t) 2N t + 2. ) where 0 < n < t. From (1), we deduce the probability o success o a single perect rainbow table having m max chains: ( Prainbow max = 1 1 m max N ) t 1 e t mmax N 1 e 2 86%. Interestingly, or any N and or t not small, this probability tends toward a constant value. Thus the smallest number o tables needed or a tradeo only depends on the desired success rate P. This makes the selection o optimal parameters very easy (see [2] or more details): ln(1 P ) l =, m = M ln(1 P ), and t = 2 l ln(1 M ln )l N M ln(1 P ). 3.3 Perormance o the TradeO Having deined the optimal coniguration o the tradeo, we now calculate the exact amount o work required during the online phase. The simplicity o rainbow tables makes it possible to include the work due to alse alarms both or the average and the worst case. Cryptanalysis with a set o rainbow tables is done by searching or the key in the last column o each table and then searching sequentially through previous columns o all tables. There are thus a maximum o lt searches. We calculate the expectation o the cryptanalysis eort by calculating the probability o success and the amount o work or each search k. When searching a key at position c o a table, the amount o work to generate a chain that goes to the end o the table is t c. The additional amount o work due to a possible alse alarm is c
7 since the chain has to be regenerated rom the start to c in order to rule out the alse alarm. The probability o success in the search k is given below: p k = m ( 1 m ) k 1. (2) N N We now compute the probability o a alse alarm during the search k. When we generate a chain rom a given ciphertext and lookup the end o the chain in the table, we can either not ind a matching end, ind the end o the correct chain or ind an end that leads to a alse alarm. Thus we can write that the probability o a alse alarm is equal to one minus the probability o actually inding the key minus the probability o inding no end point. The probability o not inding an end point is the probability that all points that we generate are not part o the chains that lead into the end points. At column i, these are the m i chains that we used to build the table. The probability o a alse alarm at search k (i.e., in column c = t k l ) is thus the ollowing: q c = 1 m i=t N ( 1 m ) i N where c = t k l, mt = m, and m i 1 = N ln(1 m i N ). When the tables have exactly the maximum number o chains m max we ind a short closed orm or q c (see [2] or more details): q c = 1 m N The average cryptanalysis time is thus: T = k=lt i=c p k (W (t c 1) + Q(c)) l + (1 k=1 c=t k l (3) c(c + 1) (t + 1)(t + 2). (4) i=x i=t where W (x) = i and Q(x) = q i i. i=1 m N )lt (W (t) + Q(1)) l (5) The second term o (5) is the work that is being carried out every time no key is ound in the table while the irst term corresponds to the work that is being carried out during the search k. W represents the work needed to generate a chain until matching a end point. Q represents the work to rule out a alse alarm. We can rewrite (5) as ollows: T = = k=lt p k k=1 c=t k l k=lt p k k=1 c=t k l ( i=t c 1 i=1 i=x ) ( i=t i + q i i l + (1 m i=t ) i=t N )lt i + q i i l i=c ( (t c)(t c 1) 2 i=1 i=1 ) ( i=t + q i i l + (1 mn )lt i=c t(t 1) 2 ) i=t + q i i l i=1
8 We have run a ew experiments to illustrate T. The results are given in Table 1. Table 1. Calculated and measured perormance o rainbow tables N = , t = 10000, m = , l = 4 theory measured over 1000 experiments encryptions (average) encryptions (worst case) number o alse alarms (average) number o alse alarms (worst case) Checkpoints in Rainbow Tables From results o Section 3.3, we establish below the gain brought by the checkpoints. We irstly consider only one checkpoint α. Let Y 1... Y s be a chain generated rom a given ciphertext C. From (3), we know that the probability that Y 1... Y s merges with a stored chain is q t s. The expected work due to a alse alarm is thereore q t s (t s). We now compute the probability that the checkpoint detects the alse alarm. I the merge occurs beore the checkpoint (Fig. 2) then the alse alarm cannot be detected. I the chain is long enough, i.e., α + s > t, the merge occurs ater the checkpoint (Fig. 1) with probability q α. In this case, the alse alarm is detected with probability Pr{G(X j,α ) G(Y α+s t ) X j,α Y α+s t }. We deine g α (s) as ollows: 0 i there is no checkpoint in column α, g α (s) = 0 i (α + s) t, i.e. the generated chain does not reach column α, Pr{G(X j,α ) G(Y α+s t ) X j,α Y α+s t } otherwise. i=t We can now rewrite Q(x) = i (q i q α g α (t i)). i=x We applied our checkpoint technique with N = , t = 10000, m = , l = 4 and G as deined in Section 2.2. Both theoretical and experimental results are plotted on Fig. 3. We can generalize to t checkpoints. We can rewrite Q(x) as ollows: i=t Q(x) = i q i q i g i (t i) i=x j=t j=i+1 ( q j g j (t j) k))) (1 g k (t. k=j 1 k=i
9 theory 0.08 gain experiment position o the checkpoint Fig. 3. Theoretical and experimental gain when one checkpoint is used We now deine memory cost and time gain. Let M, T, N and M, T, N be the parameters o two tradeos respectively. We deine σ M and σ T as ollows: M = σ M M and T = σ T T. The memory cost o the second tradeo over the irst one is straightorwardly deined by (σ M 1) = M /M 1 and the time gain is (1 σ T ) = 1 T /T. When a tradeo stores more chains, it implies a memory cost. Given that T N 2 /M 2 the time gain is: (1 T T ) = 1 1 σm 2. Instead o storing additional chains, the memory cost can be used to store checkpoints. Thus, given a memory cost, we can compare the time gains when the additional memory is used to store chains and when it is used to store checkpoints. Numerical results are given in Table 2. The numerical results are amazing. An additional 0.89% o memory saves about 10.99% o cryptanalysis time. This is six times more than the 1.76% o gain that would be obtained by using the same amount o memory to store additional chains. Our checkpoints thus perorm much better than the basic tradeo. As we add more and more checkpoints, the gain per checkpoint decreases. In our example it is well worth to use 6 bits o checkpoint values (5.35% o additional memory) per chain to obtain a gain o 32.04%. The 0.89% o memory per checkpoint are calculated by assuming that the start and the end o the chains are stored in 56 bits each, as our example uses DES keys. As we explain in Section 5 the amount o bits used to store chain can be optimized and reduced to 49 bits in our example. In this case a bit o checkpoint data adds 2% o memory and it is still well worth using three checkpoints o one bit each to save 23% o work.
10 Table 2. Cost and gain o using checkpoint in password cracking, with N = , t = 10000, m = , and l = 4 Number o checkpoints Cost (memory) 0.89% 1.78% 2.67% 3.57% 4.46% 5.35% Gain (time) storing chains 1.76% 3.47% 5.14% 6.77% 8.36% 9.91% Gain (time) storing checkpoints 10.99% 18.03% 23.01% 26.76% 29.70% 32.04% Optimal checkpoints ± 5 ± 5 ± 5 ± 5 ± 50 ± Characterization and Comparison o TradeOs In this section we give a generic way o characterizing the dierent variants o the tradeo. We calculate the characteristic o rainbow tables exactly and compare it to measured characteristics o other variants. 4.1 TimeMemory Graphs Knowing how to calculate the success rate and the number o operations needed to invert a unction, we can now set out to plot the timememory graphs. In order to do so, we ix a given success rate and or each memory size we ind the table coniguration that yields the astest tradeo and plot the time that it takes. The graphs show that cryptanalysis time decreases with the square o the memory size, independently o the success rate. We can thus write the timememory relation as T = N 2 γ(p ) (6) M 2 where γ(p ) is a actor that depends only on the success probability. It is interesting to note that or P = 86% which is the the maximum success probability o a single rainbow table, the actor is equal to 1. In that case we ind the typical tradeo which was already described by Hellman, namely that M = T = N 2 3. Note that this simple expression o the tradeo perormance was not possible or the previous variants. In those cases, calculations were always based on nonperect tables, on the worst case (the key is not ound in any table) and ignoring the amount o work due to alse alarms. Optimizations have been proposed with these limitations, but to our knowledge the actual average amount o work, including alse alarms has never been used to ind optimal parameter. Our simple ormula allows or a very simple calculation o the optimal parameters when any two o the success rate, the inversion time or the memory are given.
11 % 20% 50% 86% 90% 99% 99.9% T/N e05 1e06 1e07 1e08 1e06 1e M/N Fig. 4. TimeMemory graphs or rainbow tables, with various success rates.for P rainbow = 86% the graph ollows exactly T = N 2 /M The TimeMemory Characteristic The previous section conirms that rainbow tables ollow the same T N 2 /M 2 relation as other variants o the tradeo. Still, they seem to perorm better. We thus need a criterion to compare the tradeos. We propose to use γ(p ) as the tradeo characteristic. The evolution o γ over a range o P shows how a variant is better than another. Figure 5 shows a plot o γ(p ) or rainbow tables: In the ollowing sections, we compare the perormance o rainbow tables with the perormance o classic tables and DP tables. DP tables are much harder to analyze because o the variable length o the chains. We will thus concentrate on classic tables irst. 4.3 Classic and DP Tables The tradeo using classic or DP tables can also be characterized using the γ actor. Indeed both tradeos ollow the T N 2 /M 2 relation in a large part o the parameter space up to a actor which depends o the success rate and the type o tradeo. We have irst devised a strategy to generate the largest possible perect tables or each variant o the tradeo and have then used as many tables as necessary to reach a given success rate. The details o this work and the resulting timememory graphs are available in [2]. In Figure 6 we show the evolution o the tradeo characteristic o classic tables and o DP tables. The experiments and analysis show that rainbow tables outperorm classic tables and DP tables or success rates above 80%. Below this limit, perect classic tables are slightly better than perect rainbow tables in terms o hash operations needed or cryptanalysis. However, the price o using classic tables is that they need t times more table lookups. Since these do not come or ree in most architectures (content addressable memory could be an exception), rainbow tables seem to be the best option in any case.
12 0 12 rainbow 14 rainbow classic dp (p) 6 (p) P 1P Fig. 5. The TimeMemory characteristic o rainbow tables.steps happen every time an additional table has to be used to achieve the given success probability. Fig. 6. The TimeMemory characteristics o rainbow, classic and DP tables compared. 5 Implementation Tips For the sake o completeness we want to add some short remarks on the optimized implementation o the tradeos. Indeed, an optimized implementation can yield perormance gains almost as important as the algorithmic optimizations. We limit our tips to the implementation o rainbow tables. 5.1 Storing the Chain End Points The number o operations o the tradeo decreases with the square o the available memory. Since available memory is measured in bytes and not in number o chains, it is important to choose an eicient ormat or storing the chains. A irst issue is whether to use inputs or outputs o the unction to be inverted (keys or ciphertexts) as beginning and end o chains. In practice the keys are usually smaller than the ciphertexts. It is thus more eicient to store keys (the key at the end o the chain has no real unction but the extra reduction needed to generate it rom the last ciphertext is well worth the saved memory). A second and more important issue is that we can take advantage o the way the tables are organized. Indeed a table consists o pairs o beginnings and ends o chains. To acilitate lookups the chains are sorted by increasing values o the chain ends. Since the ends are sorted, successive ends oten have an identical preix. As suggested in [3] we can thus remove a certain length o preix and replace it by an index table that indicates where every preix starts in the table. In our Windows password example, there are about 2 37 keys o 56 bits. Instead o storing the 56 bits, we store a 37 bit index. From this index we take 21 bits as preix and store only the last 16 bits in memory. We also store a table with 2 21 entries that point to the corresponding suixes or each possible preix.
13 5.2 Storing the Chain Starting Points The set o keys used or generating all the chains is usually smaller that the total set o keys. Since rainbow tables allow us to choose the starting points, we can use keys with increasing value o their index. In our example we used about 300 million starting points. This value can be expressed in 29 bits, so we only need to store the 29 lower bits o the index. The total amount o memory needed to store a chain is thus bits or the start and the end. The table that relates the preixes to the suixes incurs about 3.5 bits per chain. Altogether we thus need 49 bits per chain. A simple implementation that stores the ull 56 bits o the start and end chain would need 2.25 times more memory and be 5 times slower. 5.3 Storing the Checkpoints For reasons o eiciency o memory access it may in some implementations be more eicient to store the start and the end o a chain (that is, its suix) in multiples o 8 bits. I the size o some parameters does not exactly match the size o the memory units, the spare bits can be used to store checkpoints or ree. In our case, the 29 bits o the chain start are stored in a 32 bit word, leaving 3 bits available or checkpoints. 6 Conclusion We have introduced a new optimization or cryptanalytic timememory tradeos which perorms much better than the usual T N 2 /M 2. Our method works by reducing the work due to alse alarms. Since this work is only a part o the total work our method can not reduce the work indeinitely. Besides having better perormance, checkpoints can be generated almost or ree while generating the tradeo tables. There is thus no indication or not using checkpoints and we conjecture that they will be used in many uture implementations o the tradeo. Also, checkpoints are a new concept in timememory tradeos and they may lead to urther optimizations and applications. In order to analyze the gain due to checkpoints we have presented a complete analysis o the rainbow tables. Using this analysis we are able to predict the gain that can be achieved with checkpoints. Finally we have also presented a simple way o comparing the existing variants o the tradeo with a socalled tradeo characteristic. We have calculated this characteristic or rainbow tables and measured it or the other variants. The results show that rainbow tables outperorm the other variants in all cases except when table lookups are ree and the success probability is below 80%. The act that the cryptanalysis time decreases with the square o the number o elements stored in memory indicates that it is very important to reduce the memory usage. This is why we have shared our tips on how this can be achieved in practice.
14 Reerences 1. Gildas Avoine, Etienne Dysli, and Philippe Oechslin. Reducing time complexity in RFID systems. In Selected Areas in Cryptography SAC 2005, Lecture Notes in Computer Science, Kingston, Canada, August SpringerVerlag. 2. Gildas Avoine, Pascal Junod, and Philippe Oechslin. Timememory tradeos: False alarms detection using checkpoints. Technical Report LASECREPORT , Swiss Federal Institute o Technology (EPFL), Security and Cryptography Laboratory (LASEC), Lausanne, Switzerland, September Alex Biryukov, Adi Shamir, and David Wagner. Real time cryptanalysis o A5/1 on a PC. In Fast Sotware Encryption FSE 00, volume 1978 o Lecture Notes in Computer Science, pages 1 18, New York, USA, April SpringerVerlag. 4. Johan Borst, Bart Preneel, and Joos Vandewalle. On the timememory tradeo between exhaustive key search and table precomputation. In Symposium on Inormation Theory in the Benelux, pages , Veldhoven, The Netherlands, May Dorothy Denning. Cryptography and Data Security, page 100. AddisonWesley, Boston, Massachusetts, USA, June Amos Fiat and Moni Naor. Rigorous time/space tradeos or inverting unctions. In ACM Symposium on Theory o Computing STOC 91, pages , New Orleans, Louisiana, USA, May ACM, ACM Press. 7. Amos Fiat and Moni Naor. Rigorous time/space tradeos or inverting unctions. SIAM Journal on Computing, 29(3): , December Martin Hellman. A cryptanalytic timememory trade o. IEEE Transactions on Inormation Theory, IT26(4): , July Iljun Kim and Tsutomu Matsumoto. Achieving higher success probability in timememory tradeo cryptanalysis without increasing memory size. IEICE Transactions on Communications/Electronics/Inormation and Systems, E82A(1):123, January Koji Kusuda and Tsutomu Matsumoto. Optimization o timememory tradeo cryptanalysis and its application to DES, FEAL32, and Skipjack. IEICE Transactions on Fundamentals, E79A(1):35 48, January Nele Mentens, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Cracking Unix passwords using FPGA platorms. SHARCS  Special Purpose Hardware or Attacking Cryptographic Systems, February Philippe Oechslin. Making a aster cryptanalytic timememory tradeo. In Advances in Cryptology CRYPTO 03, volume 2729 o Lecture Notes in Computer Science, pages , Santa Barbara, Caliornia, USA, August IACR, SpringerVerlag. 13. JeanJacques Quisquater and JeanPaul Delescaille. How easy is collision search? Application to DES (extended summary). In Advances in Cryptology EURO CRYPT 89, volume 434 o Lecture Notes in Computer Science, pages , Houthalen, Belgium, April IACR, SpringerVerlag. 14. FrançoisXavier Standaert, Gael Rouvroy, JeanJacques Quisquater, and Jean Didier Legat. A timememory tradeo using distinguished points: New analysis & FPGA results. In Workshop on Cryptographic Hardware and Embedded Systems CHES 2002, volume 2523 o Lecture Notes in Computer Science, pages , Redwood Shores, Caliornia, USA, August SpringerVerlag. 15. Michael Wiener and Paul van Oorschot. Parallel collision search with cryptanalytic applications. Journal o Cryptology, 12(1):1 28, March 1999.
Cracking Passwords With Timememory Tradeoffs. Gildas Avoine Université catholique de Louvain, Belgium
Cracking Passwords With Timememory Tradeoffs Gildas Avoine Université catholique de Louvain, Belgium SUMMARY Motivations Hellman Tables Oechslin Tables Real Life Examples Fingerprint Tables Conclusion
More informationA novel timememory tradeoff method for password recovery
available at www.sciencedirect.com journal homepage: www.elsevier.com/locate/diin A novel timememory tradeoff method for password recovery Vrizlynn L.L. Thing*, HweiMing Ying Institute for Infocomm
More informationLecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay
Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security  MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We
More informationA NOVEL ALGORITHM WITH IMLSI INDEX FOR INCREMENTAL MAINTENANCE OF MATERIALIZED VIEW
A NOVEL ALGORITHM WITH IMLSI INDEX FOR INCREMENTAL MAINTENANCE OF MATERIALIZED VIEW 1 Dr.T.Nalini,, 2 Dr. A.Kumaravel, 3 Dr.K.Rangarajan Dept o CSE, Bharath University Emailid: nalinicha2002@yahoo.co.in
More informationRainbow Cracking: Do you need to fear the Rainbow? Philippe Oechslin, Objectif Sécurité. OS Objectif Sécurité SA, Gland, www.objectifsecurite.
ainbow Cracking: Do you need to fear the ainbow? Philippe Oechslin, Objectif Sécurité 1 On the menu 1. ainbow tables explained 2. Who is vulnerable 3. Tools and history 4. What you should do about it 2
More informationWhat output size resists collisions in a xor of independent expansions?
What output size resists collisions in a xor of independent expansions? Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (MC 249) University of Illinois at Chicago, Chicago,
More informationMessage authentication
Message authentication  Hash based MAC unctions  MAC unctions based on bloc ciphers  Authenticated encryption (c) Levente Buttyán (buttyan@crysys.hu) Secret preix method MAC (x) = H( x) insecure!
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide
More informationCopyright 2005 IEEE. Reprinted from IEEE MTTS International Microwave Symposium 2005
Copyright 2005 IEEE Reprinted rom IEEE MTTS International Microwave Symposium 2005 This material is posted here with permission o the IEEE. Such permission o the IEEE does t in any way imply IEEE endorsement
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard
More informationA performance analysis of EtherCAT and PROFINET IRT
A perormance analysis o EtherCAT and PROFINET IRT Conerence paper by Gunnar Prytz ABB AS Corporate Research Center Bergerveien 12 NO1396 Billingstad, Norway Copyright 2008 IEEE. Reprinted rom the proceedings
More informationFIXED INCOME ATTRIBUTION
Sotware Requirement Speciication FIXED INCOME ATTRIBUTION Authors Risto Lehtinen Version Date Comment 0.1 2007/02/20 First Drat Table o Contents 1 Introduction... 3 1.1 Purpose o Document... 3 1.2 Glossary,
More information1 Data Encryption Algorithm
Date: Monday, September 23, 2002 Prof.: Dr JeanYves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been
More information6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer
More informationA FRAMEWORK FOR AUTOMATIC FUNCTION POINT COUNTING
A FRAMEWORK FOR AUTOMATIC FUNCTION POINT COUNTING FROM SOURCE CODE Vinh T. Ho and Alain Abran Sotware Engineering Management Research Laboratory Université du Québec à Montréal (Canada) vho@lrgl.uqam.ca
More informationSpeeding up GPUbased password cracking
Speeding up GPUbased password cracking SHARCS 2012 Martijn Sprengers 1,2 Lejla Batina 2,3 Sprengers.Martijn@kpmg.nl KPMG IT Advisory 1 Radboud University Nijmegen 2 K.U. Leuven 3 March 1718, 2012 Who
More informationManufacturing and Fractional Cell Formation Using the Modified Binary Digit Grouping Algorithm
Proceedings o the 2014 International Conerence on Industrial Engineering and Operations Management Bali, Indonesia, January 7 9, 2014 Manuacturing and Fractional Cell Formation Using the Modiied Binary
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction
More information!!! Technical Notes : The Oneclick Installation & The AXIS Internet Dynamic DNS Service. Table of contents
Technical Notes: Oneclick Installation & The AXIS Internet Dynamic DNS Service Rev: 1.1. Updated 20040601 1 Table o contents The main objective o the Oneclick Installation...3 Technical description
More informationStrengthen RFID Tags Security Using New Data Structure
International Journal of Control and Automation 51 Strengthen RFID Tags Security Using New Data Structure Yan Liang and Chunming Rong Department of Electrical Engineering and Computer Science, University
More informationEnhancing Advanced Encryption Standard SBox Generation Based on Round Key
Enhancing Advanced Encryption Standard SBox Generation Based on Round Key Julia Juremi Ramlan Mahmod Salasiah Sulaiman Jazrin Ramli Faculty of Computer Science and Information Technology, Universiti Putra
More informationPatch management is a crucial component of information security management. An important problem within
MANAGEMENT SCIENCE Vol. 54, No. 4, April 2008, pp. 657 670 issn 00251909 eissn 15265501 08 5404 0657 inorms doi 10.1287/mnsc.1070.0794 2008 INFORMS Security Patch Management: Share the Burden or Share
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More information2. Getting Started with the Graphical User Interface
May 2011 NII5201711.0.0 2. Getting Started with the Graphical User Interace NII5201711.0.0 The Nios II Sotware Build Tools (SBT) or Eclipse is a set o plugins based on the Eclipse ramework and the Eclipse
More informationThe Misuse of RC4 in Microsoft Word and Excel
The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.astar.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas ElQawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More informationUsing quantum computing to realize the Fourier Transform in computer vision applications
Using quantum computing to realize the Fourier Transorm in computer vision applications Renato O. Violin and José H. Saito Computing Department Federal University o São Carlos {renato_violin, saito }@dc.uscar.br
More information2. Developing Nios II Software
2. Developing Nios II Sotware July 2011 ED510021.4 ED510021.4 Introduction This chapter provides indepth inormation about sotware development or the Altera Nios II processor. It complements the Nios
More informationCryptanalysis of Grain using Time / Memory / Data Tradeoffs
Cryptanalysis of Grain using Time / Memory / Data Tradeoffs v1.0 / 20080225 T.E. Bjørstad The Selmer Center, Department of Informatics, University of Bergen, Pb. 7800, N5020 Bergen, Norway. Email :
More informationIs the trailingstop strategy always good for stock trading?
Is the trailingstop strategy always good or stock trading? Zhe George Zhang, Yu Benjamin Fu December 27, 2011 Abstract This paper characterizes the trailingstop strategy or stock trading and provides
More informationDifferential Fault Analysis of Secret Key Cryptosystems
Differential Fault Analysis of Secret Key Cryptosystems Eli Biham Computer Science Department Technion  Israel Institute of Technology Haifa 32000, Israel bihamocs.technion.ac.il http://www.cs.technion.ac.il/
More informationDierential Cryptanalysis of DESlike Cryptosystems Eli Biham Adi Shamir The Weizmann Institute of Science Department of Apllied Mathematics July 19, 1990 Abstract The Data Encryption Standard (DES) is
More informationIntegrated airline scheduling
Computers & Operations Research 36 (2009) 176 195 www.elsevier.com/locate/cor Integrated airline scheduling Nikolaos Papadakos a,b, a Department o Computing, Imperial College London, 180 Queen s Gate,
More informationBlock encryption. CS4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920Lecture 7 4/1/2015
CS4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 5975, 9293) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret
More informationSECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationOn the Security of Double and 2key Triple Modes of Operation
On the Security of Double and 2key Triple Modes of Operation [Published in L. Knudsen, d., Fast Software ncryption, vol. 1636 of Lecture Notes in Computer Science, pp. 215 230, SpringerVerlag, 1999.]
More informationTimeOptimal Online Trajectory Generator for Robotic Manipulators
TimeOptimal Online Trajectory Generator or Robotic Manipulators Francisco Ramos, Mohanarajah Gajamohan, Nico Huebel and Raaello D Andrea Abstract This work presents a trajectory generator or timeoptimal
More informationDarcy Friction Factor Formulae in Turbulent Pipe Flow
Darcy Friction Factor Formulae in Turbulent Pipe Flow Jukka Kiijärvi Lunowa Fluid Mechanics Paper 110727 July 29, 2011 Abstract The Darcy riction actor in turbulent pipe low must be solved rom the Colebrook
More informationPricing via Processing or Combatting Junk Mail
Pricing via Processing or Combatting Junk Mail Cynthia Dwork Moni Naor Draft of full version Abstract We present a computational technique for combatting junk mail, in particular, and controlling access
More informationAccommodating Transient Connectivity in Ad Hoc and Mobile Settings
Accommodating Transient Connectivity in Ad Hoc and Mobile Settings Radu Handorean, Christopher Gill and GruiaCatalin Roman Department o Computer Science and Engineering Washington University in St. Louis
More informationA New 128bit Key Stream Cipher LEX
A New 128it Key Stream Cipher LEX Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCDCOSIC, Kasteelpark Arenerg 10, B 3001 Heverlee, Belgium http://www.esat.kuleuven.ac.e/~airyuko/ Astract.
More informationLecture 4 Data Encryption Standard (DES)
Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map nbit plaintext blocks to nbit ciphertext blocks (n = block length). For nbit plaintext and ciphertext blocks and a fixed key, the encryption
More informationIronKey Data Encryption Methods
IronKey Data Encryption Methods An IronKey Technical Brief November 2007 Information Depth:Technical Introduction IronKey is dedicated to building the world s most secure fl ash drives. Our dedication
More informationA PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR
A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR William Stallings Copyright 20010 H.1 THE ORIGINS OF AES...2 H.2 AES EVALUATION...3 Supplement to Cryptography and Network Security, Fifth Edition
More informationKy Vu DeVry University, Atlanta Georgia College of Arts & Science
Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents  Objective  Cryptography: An Overview  Symmetric Key  Asymmetric Key  Transparent Key: A Paradigm Shift  Security
More informationThe Tangled Web of Agricultural Insurance: Evaluating the Impacts of Government Policy
The Tangled Web o Agricultural Insurance: Evaluating the Impacts o Government Policy Jason Pearcy Vincent Smith July 7, 2015 Abstract This paper examines the eects o changes in major elements o the U.S.
More informationA MPCPBased Centralized Rate Control Method for Mobile Stations in FiWi Access Networks
A MPCPBased Centralized Rate Control Method or Mobile Stations in FiWi Access Networks 215 IEEE. Personal use o this material is permitted. Permission rom IEEE must be obtained or all other uses, in any
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More information8. ENERGY PERFORMANCE ASSESSMENT OF COMPRESSORS 8.1 Introduction
8. ENERGY PERFORMANCE ASSESSMENT OF COMPRESSORS 8.1 Introduction The compressed air system is not only an energy intensive utility but also one o the least energy eicient. Over a period o time, both perormance
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationThe Mathematics of the RSA PublicKey Cryptosystem
The Mathematics of the RSA PublicKey Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through
More informationLecture 5  Cryptography
CSE497b Introduction to Computer and Network Security  Spring 2007  Professors Jaeger Lecture 5  Cryptography CSE497b  Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497bs07/
More information1. Overview of Nios II Embedded Development
May 2011 NII5200111.0.0 1. Overview o Nios II Embedded Development NII5200111.0.0 The Nios II Sotware Developer s Handbook provides the basic inormation needed to develop embedded sotware or the Altera
More informationKey Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards
White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. WenPing Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the
More information8. Hardware Acceleration and Coprocessing
July 2011 ED510061.2 8. Hardware Acceleration and ED510061.2 This chapter discusses how you can use hardware accelerators and coprocessing to create more eicient, higher throughput designs in OPC Builder.
More informationSecure Applications of LowEntropy Keys
Secure Applications of LowEntropy Keys John Kelsey Bruce Schneier Chris Hall David Wagner Counterpane Systems U.C. Berkeley {kelsey,schneier,hall}@counterpane.com daw@cs.berkeley.edu Abstract. We introduce
More informationSecurity Analysis of Cryptographically Controlled Access to XML Documents
Security Analysis o Cryptographically Controlled Access to XML Documents MARTÍN ABADI University o Caliornia, Santa Cruz, and Microsot Research, Silicon Valley, USA and BOGDAN WARINSCHI University o Bristol,
More information1. Overview of Nios II Embedded Development
January 2014 NII5200113.1.0 1. Overview o Nios II Embedded Development NII5200113.1.0 The Nios II Sotware Developer s Handbook provides the basic inormation needed to develop embedded sotware or the
More informationOffshore Oilfield Development Planning under Uncertainty and Fiscal Considerations
Oshore Oilield Development Planning under Uncertainty and Fiscal Considerations Vijay Gupta 1 and Ignacio E. Grossmann 2 Department o Chemical Engineering, Carnegie Mellon University Pittsburgh, PA 15213
More informationWINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham
WINTR SCHOOL ON COMPUTR SCURITY Prof. li Biham Computer Science Department Technion, Haifa 3200003, Israel January 27, 2014 c li Biham c li Biham  January 27, 2014 1 Cryptanalysis of Modes of Operation
More informationMultidimensional Matrix Mathematics: Notation, Representation, and Simplification, Part 1 of 6
June 30  July 2 2010 London U.K. Multidimensional Matrix Mathematics: Notation Representation and Simpliication Part 1 o 6 Ashu M. G. Solo Abstract This is the irst series o research papers to deine multidimensional
More informationCIS433/533  Computer and Network Security Cryptography
CIS433/533  Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and
More informationFinancial Services [Applications]
Financial Services [Applications] Tomáš Sedliačik Institute o Finance University o Vienna tomas.sedliacik@univie.ac.at 1 Organization Overall there will be 14 units (12 regular units + 2 exams) Course
More informationSIMPLIFIED CBA CONCEPT AND EXPRESS CHOICE METHOD FOR INTEGRATED NETWORK MANAGEMENT SYSTEM
SIMPLIFIED CBA CONCEPT AND EXPRESS CHOICE METHOD FOR INTEGRATED NETWORK MANAGEMENT SYSTEM Mohammad Al Rawajbeh 1, Vladimir Sayenko 2 and Mohammad I. Muhairat 3 1 Department o Computer Networks, AlZaytoonah
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationThe Advanced Encryption Standard: Four Years On
The Advanced Encryption Standard: Four Years On Matt Robshaw Reader in Information Security Information Security Group Royal Holloway University of London September 21, 2004 The State of the AES 1 The
More informationInternational Journal of Pure and Applied Sciences and Technology
Int. J. Pure Appl. Sci. Technol., 18(1) (213), pp. 4353 International Journal o Pure and Applied Sciences and Technology ISS 2229617 Available online at www.iopaasat.in Research Paper Eect o Volatility
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?
More informationCommon Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/
Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006  The OWASP
More informationA Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.
A Comparative Study Of Two Symmetric Algorithms Across Different Platforms. Dr. S.A.M Rizvi 1,Dr. Syed Zeeshan Hussain 2 and Neeta Wadhwa 3 Deptt. of Computer Science, Jamia Millia Islamia, New Delhi,
More informationPart I. Universität Klagenfurt  IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationPower functions: f(x) = x n, n is a natural number The graphs of some power functions are given below. n even n odd
5.1 Polynomial Functions A polynomial unctions is a unction o the orm = a n n + a n1 n1 + + a 1 + a 0 Eample: = 3 3 + 5  The domain o a polynomial unction is the set o all real numbers. The intercepts
More informationHigh School Students Who Take Acceleration Mechanisms Perform Better in SUS Than Those Who Take None
May 2008 Dr. Eric J. Smith, Commissioner Dr. Willis N. Holcombe, Chancellor High School Who Take Acceleration Mechanisms Perorm Better in SUS Than Those Who Take None Edition 200801 Introduction. is one
More informationStatistical weakness in Spritz against VMPCR: in search for the RC4 replacement
Statistical weakness in Spritz against VMPCR: in search for the RC4 replacement Bartosz Zoltak www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. We found a statistical weakness in the Spritz algorithm
More informationIMPROVING PERFORMANCE OF RANDOMIZED SIGNATURE SORT USING HASHING AND BITWISE OPERATORS
Volume 2, No. 3, March 2011 Journal of Global Research in Computer Science RESEARCH PAPER Available Online at www.jgrcs.info IMPROVING PERFORMANCE OF RANDOMIZED SIGNATURE SORT USING HASHING AND BITWISE
More informationCRYPTANALYSIS OF HASH FUNCTIONS USING ADVANCED MULTIPROCESSING
CRYPTANALYSIS OF HASH FUNCTIONS USING ADVANCED MULTIPROCESSING Gómez J., Montoya F.G., Benedicto R., Jimenez A., Gil C. and Alcayde A. University of Almeria, Spain {jgomez, pagilm, rbenedicto, ajimenez,
More informationHASH CODE BASED SECURITY IN CLOUD COMPUTING
ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security
More informationApplicationLevel Optimizations on NUMA Multicore Architectures: the Apache Case Study
ApplicationLevel Optimizations on NUMA Multicore Architectures: the Apache Case Study Fabien Gaud INRIA abien.gaud@inria.r Gilles Muller INRIA gilles.muller@inria.r Renaud Lachaize Grenoble University
More information8. Exception Handling
8. Exception Handling February 2011 NII5200610.1.0 NII5200610.1.0 Introduction This chapter discusses how to write programs to handle exceptions in the Nios II processor architecture. Emphasis is placed
More informationSolving Newton s Second Law Problems
Solving ewton s Second Law Problems Michael Fowler, Phys 142E Lec 8 Feb 5, 2009 Zero Acceleration Problems: Forces Add to Zero he Law is F ma : the acceleration o a given body is given by the net orce
More informationThe Complex Step Method Applied to Waterflooding Optimization
JOSE L. CARBALLAL JR. and BERNARDO HOROWITZ. THE COMPLEX STEP METHOD APPLIED TO WATERFLOODING 45 The Complex Step Method Applied to Waterlooding Optimization José L. Carballal Jr. 1, Bernardo Horowitz
More informationA Practical Attack on Broadcast RC4
A Practical Attack on Broadcast RC4 Itsik Mantin and Adi Shamir Computer Science Department, The Weizmann Institute, Rehovot 76100, Israel. {itsik,shamir}@wisdom.weizmann.ac.il Abstract. RC4is the most
More informationStorage Management for Files of Dynamic Records
Storage Management for Files of Dynamic Records Justin Zobel Department of Computer Science, RMIT, GPO Box 2476V, Melbourne 3001, Australia. jz@cs.rmit.edu.au Alistair Moffat Department of Computer Science
More informationThe Stream Cipher HC128
The Stream Cipher HC128 Hongjun Wu Katholieke Universiteit Leuven, ESAT/SCDCOSIC Kasteelpark Arenberg 10, B3001 LeuvenHeverlee, Belgium wu.hongjun@esat.kuleuven.be Statement 1. HC128 supports 128bit
More information2.3 Domain and Range of a Function
Section Domain and Range o a Function 1 2.3 Domain and Range o a Function Functions Recall the deinition o a unction. Deinition 1 A relation is a unction i and onl i each object in its domain is paired
More informationK 2r+8 PHT <<<1 MDS MDS
)*.1,(/+032 THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS 034 TECHNICAL REPORT OF IEICE. 7865'9 Twosh ;? @A 3 B&C y 3 NTT FRUX_a[\]Ye`khE f 2390847 Gnql #Hw~ ˆ g 11
More informationAn Oblivious Password Cracking Server
An Oblivious Password Cracking Server Aureliano Calvo  aureliano.calvo@coresecurity.com Ariel Futoransky  ariel.futoransky@coresecurity.com Carlos Sarraute  carlos.sarraute@coresecurity.com Corelabs
More informationThe Tangled Web of Agricultural Insurance: Evaluating the Impacts of Government Policy
Journal o Agricultural and Resource Economics 40(1):80 111 ISSN 10685502 Copyright 2015 Western Agricultural Economics Association The Tangled Web o Agricultural Insurance: Evaluating the Impacts o Government
More informationSystemLevel Security for Network Processors with Hardware Monitors
SystemLevel Security or Network Processors with Hardware Monitors Kekai Hu, Tilman Wol, Thiago Teixeira and Russell Tessier Department o Electrical and Computer Engineering University o Massachusetts,
More informationAN IMPLEMENTATION OF HYBRID ENCRYPTIONDECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES
HYBRID RSAAES ENCRYPTION FOR WEB SERVICES AN IMPLEMENTATION OF HYBRID ENCRYPTIONDECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES Kalyani Ganesh
More informationEfficient Continuous Scanning in RFID Systems
Eicient Continuous Scanning in RFID Systems Bo Sheng Northeastern University Email: shengbo@ccs.neu.edu Qun Li College o William and Mary Email: liqun@cs.wm.edu Weizhen Mao College o William and Mary Email:
More informationHardware Implementation of AES Encryption and Decryption System Based on FPGA
Send Orders for Reprints to reprints@benthamscience.ae The Open Cybernetics & Systemics Journal, 2015, 9, 13731377 1373 Open Access Hardware Implementation of AES Encryption and Decryption System Based
More informationIJESRT. [Padama, 2(5): May, 2013] ISSN: 22779655
IJESRT INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES & RESEARCH TECHNOLOGY Design and Verification of VLSI Based AES Crypto Core Processor Using Verilog HDL Dr.K.Padama Priya *1, N. Deepthi Priya 2 *1,2
More informationEye Gaze Tracking Under Natural Head Movements
Eye Gaze Tracking Under Natural Head Movements Zhiwei Zhu and Qiang Ji Department o ECE, Rensselaer Polytechnic Institute, Troy, NY,12180 {zhuz,jiq}@rpi.edu Abstract Most available remote eye gaze trackers
More informationA Novel Approach for Signing Multiple Messages: Hash Based Signature
International Journal of Information & Computation Technology. ISSN 09742239 Volume 4, Number 15 (2014), pp. International Research Publications House http://www. irphouse.com A Novel Approach for Signing
More information