
CRYPTANALYSIS ON FPGA BASED HARDWARE

Malcolm Alda Sumantri
malcolm@sumantri.net

Supervisors:
Matt Barrie (mattb@alumni.stanford.org)
Craig Jin (craig@ee.usyd.edu.au)

School of Electrical and Information Engineering
The University of Sydney

Bachelor of Engineering (Software) & Bachelor of Commerce
Student Number: 200127126

November 2005

STATEMENT OF ACHIEVEMENT

- Conducted research on the benefits of cryptanalysis using FPGAs.
- Conducted a literature review on previous hardware and software approaches for the cryptanalysis of the Data Encryption Standard (DES) through exhaustive key search methods and time-memory trade-off methods.
- Designed, implemented and tested a 48-stage pipelined DES implementation.
- Designed a universal rainbow table precomputation system applicable to various ciphers.
- Designed a universal online attack system applicable to various ciphers.
- Designed, implemented and tested a hardware rainbow table DES precomputation implementation on the Sensory Networks(TM) NodalCore(TM) C-1000 card. This involved learning the NodalCore chipset architecture and integrating the design with it.
- Designed and implemented a hardware rainbow table DES online attack implementation for the Sensory Networks NodalCore C-1000 card.
- Designed software to interface with the precomputation hardware and the online attack system hardware.
- Conducted a design analysis and suggested optimizations for the 48-stage pipelined DES unit and for the rainbow table precomputation and online attack engines.
- Proposed a solution to rainbow table lookup employing open-source database management system software, particularly PostgreSQL.
- Extrapolated, based on experimentation, the complete cryptanalysis of DES.
- Conducted a performance-cost analysis for the various hardware engines implemented.
- Identified adversaries and attackers and their current ability to attack cryptosystems based on cost.
- Suggested countermeasures against the continual improvement in cryptanalytic technology.
- Suggested directions for future research.

Signed: ___________________________
Malcolm Alda Sumantri

Signed: ___________________________
Matt Barrie

Signed: ___________________________
Craig Jin


ABSTRACT

The subject of this thesis is in the field of information security. The motivation is the existence of a shortcut to exhaustive key search: memory is traded off to achieve a shorter cryptanalysis time. This technique is known as the time-memory trade-off. This thesis specifically studies the rainbow table variant of the time-memory trade-off and how it can be used to attack symmetric block ciphers. The Data Encryption Standard (DES) is used to study the effectiveness of this attack.

Field-programmable gate arrays (FPGAs) are reconfigurable digital integrated circuits that in the past have proven to provide high performance at low cost for cryptographic applications. Their application to cryptanalysis is examined experimentally. This thesis presents both a universal hardware design and a DES-specific hardware design for a complete rainbow table cryptanalytic system on an FPGA-based device. This design is used to perform an attack on 40-bit DES.

The result of the attack using the engineered design is compared with similar works in the literature. An economic analysis of cryptanalysis is presented by determining the most cost-effective FPGA chip for large-scale cryptanalysis through a performance-cost survey of various FPGA chips. Various classes of attackers are identified, and a suggestion for a key length which provides the security of information for the next 20 years is justified.







Dedicated to my family,

Lina, Bambang, Derice and Meyrick

TABLE OF CONTENTS

1 INTRODUCTION ..... 10
1.1 A Shortcut to Exhaustive Key Search ..... 10
1.2 Motivation ..... 12
1.3 Thesis Organization ..... 13
2 BACKGROUND AND PREVIOUS WORK ..... 14
2.1 Ciphers ..... 14
2.1.1 Symmetric Ciphers ..... 14
2.1.2 Asymmetric Ciphers ..... 15
2.2 The Data Encryption Standard ..... 16
2.2.1 Algorithm ..... 16
2.2.2 Timeline ..... 19
2.3 Cryptanalysis on the Data Encryption Standard ..... 20
2.3.1 Exhaustive Key Search ..... 20
2.3.2 Advanced Cryptanalytic Techniques ..... 20
2.3.3 The Time-Memory Trade-off ..... 20
2.3.3.1 Original Time-Memory Trade-off ..... 20
2.3.3.1.1 Notation ..... 20
2.3.3.1.2 Precomputation ..... 21
2.3.3.1.3 Online Attack ..... 22
2.3.3.1.4 Performance ..... 23
2.3.3.1.5 Probability and Shortcomings ..... 24
2.3.3.2 Distinguished Points ..... 25
2.3.3.3 Rainbow Tables ..... 25
2.3.3.3.1 Mechanism ..... 25
2.3.3.3.2 Benefits and Drawbacks of Rainbow Tables ..... 26
2.3.3.3.3 Changes in M and T ..... 27
2.3.3.3.4 A summary ..... 27
2.4 Hardware versus Software for Cryptanalysis ..... 27
2.4.1 Application Specific Integrated Circuits (ASICs) ..... 28
2.4.2 Field Programmable Gate Arrays (FPGAs) ..... 29
2.4.3 Benefits of Cryptanalysis on FPGAs ..... 29
2.5 Previous Work ..... 31
2.5.1 Cryptanalysis of DES ..... 31
2.5.2 The Time-Memory Trade-off (and Variants) ..... 34
3 DESIGN AND IMPLEMENTATION ..... 39
3.1 Introduction ..... 39
3.2 Precomputation Design ..... 39
3.2.1 Design Goals ..... 39
3.2.2 A Universal Precomputation Design ..... 40
3.2.3 The Key Generator Unit ..... 42
3.2.3.1 Design Considerations ..... 42
3.2.3.2 Design ..... 43
3.2.4 The Cipher Encryption Unit ..... 44
3.2.5 The Reduction Function Unit ..... 44
3.2.5.1 Design Considerations ..... 44
3.2.5.2 Design ..... 44
3.3 The Data Encryption Standard Implementation ..... 45
3.3.1 Design Considerations ..... 46
3.3.2 Implementation ..... 46
3.3.3 Simulation Timing Diagram ..... 49
3.4 DES Rainbow Table Precomputation Implementation ..... 49
3.4.1.1 Simulation Timing Diagram ..... 51
3.5 Online Attack Design ..... 53
3.5.1 Design Goals ..... 53
3.5.2 A Universal Rainbow Table Online Attacker ..... 53
3.6 DES Rainbow Table Online Attack Implementation ..... 55
3.6.1 End-Point Generator System ..... 55
3.6.1.1 Simulation Timing Diagram ..... 57
3.6.2 Intermediate Key Generator ..... 58
3.6.2.1 Simulation Timing Diagram ..... 59
3.7 Experiment ..... 60
3.7.1 Goals ..... 60
3.7.2 Experimental Design ..... 60
3.7.2.1 Cipher Choice ..... 60
3.7.2.2 Rainbow Table Parameters ..... 60
3.7.3 Sensory Networks(TM) NodalCore(TM) C-1000 ..... 60
3.7.4 Integration with Sensory Networks NodalCore C-1000 ..... 62
3.7.5 Apparatus Setup ..... 64
4 ANALYSIS ..... 65
4.1 Results and Comparison to Other Works ..... 65
4.1.1 Data Encryption Standard Implementation ..... 65
4.1.2 Precomputation Hardware System ..... 66
4.1.2.1 Performance ..... 66
4.1.2.2 Resource Usage on XC2VP40 FPGA and Fitting Multiple Channels ..... 68
4.1.3 Online Attack Hardware Systems ..... 69
4.1.3.1 End-Point Generator System ..... 69
4.1.3.1.1 Expected Performance ..... 70
4.1.3.1.2 Resource Usage on XC2VP40 FPGA and Fitting Multiple Channels ..... 70
4.1.3.2 Intermediate Key Generator System ..... 70
4.1.3.2.1 Expected Performance ..... 71
4.1.3.2.2 Resource Usage on XC2VP40 FPGA and Multiple Channels ..... 71
4.1.3.3 Expected Performance of a Complete Online Attack System ..... 72
4.1.3.4 Proposed Optimization to Table Lookup ..... 73
4.2 Rainbow Tables (Time-Memory Trade-off) versus Exhaustive Key Search ..... 73
4.3 An Economic Analysis to Cryptanalysis ..... 75
4.3.1 Motivation ..... 75
4.3.2 Devices ..... 75
4.3.3 Methodology ..... 75
4.3.4 Assumed Parallel Design ..... 76
4.3.5 Relative Performance ..... 78
4.3.6 Performance-Cost for an Exhaustive DES Key Search Machine ..... 79
4.3.7 Performance-Cost for a Rainbow Table Precomputation Machine ..... 82
4.3.8 Performance-Cost for a Rainbow Table Online Attack Machine ..... 83
4.4 Adversaries and Attacks (A Cost Approach) ..... 85
4.4.1 IBM Taxonomy of Adversaries ..... 86
4.4.2 Attack using Exhaustive Key Search ..... 87
4.4.3 Attacks using Rainbow Tables ..... 88
4.4.3.1 Rainbow Table Precomputation ..... 88
4.4.3.2 Rainbow Table Online Attack ..... 90
4.5 Countermeasures ..... 92
4.5.1 Key Length ..... 92
4.5.2 Modes of Operations ..... 93
5 CONCLUSION ..... 95
5.1 Putting Things into Perspective ..... 95
5.1.1 Rainbow Tables and the Internet ..... 95
5.1.2 Cryptographic Law ..... 95
5.2 Future Research ..... 96
5.3 Conclusion ..... 97
5.3.1 Summary ..... 97
5.3.2 Findings ..... 97
5.3.3 Closing Remarks ..... 98
APPENDIX A - PRIMITIVE FUNCTIONS FOR DES ..... 99
APPENDIX B - PERFORMANCE-COST CALCULATIONS ..... 101
APPENDIX C - COST ANALYSIS CALCULATIONS ..... 102
6 REFERENCES ..... 103

List of Figures

Figure 2.1 Symmetric Encryption and Decryption ..... 15
Figure 2.2 Asymmetric Encryption and Decryption ..... 15
Figure 2.3 DES Algorithm ..... 17
Figure 2.4 DES Calculation of f(R,K) ..... 18
Figure 2.5 Matrix of Images under f ..... 21
Figure 2.6 Computational Time Requirements Graph ..... 24
Figure 2.7 Matrix of Rainbow Chains ..... 26
Figure 2.8 Repetitive Generation of End-Points during the Online Attack ..... 26
Figure 2.9 Picture Taken of a Single DES Cracker Circuit Board with Deep Crack Chips ..... 28
Figure 2.10 FPGA Structure ..... 29
Figure 2.11 Deep Crack Chip of the DES Cracker Project ..... 33
Figure 2.12 Precomputation Design of Quisquater and Standaert [6] ..... 36
Figure 3.1 Rainbow Table Precomputation Digital System Design ..... 41
Figure 3.2 State Machine Diagram for Start-Point Generator ..... 43
Figure 3.3 State Machine Diagram for Reduction Function Unit ..... 45
Figure 3.4 3-Stage DES Round ..... 47
Figure 3.5 Instantiation of 16 Rounds of DES ..... 48
Figure 3.6 Timing Diagram of 48-Stage Pipelined DES Implementation ..... 49
Figure 3.7 Digital System Design of DES Rainbow Table Precomputation ..... 50
Figure 3.8 Timing Diagram Showing Two Output Sequences of Precomputation Implementation ..... 52
Figure 3.9 Timing Diagram Showing One Output Sequence (Closer View of First Write) ..... 52
Figure 3.10 Rainbow Chain End-Point Generation ..... 53
Figure 3.11 Key Finding Task by Generating the Partial Rainbow Chain ..... 54
Figure 3.12 Hardware/Software Co-design for Rainbow Chain End-Point Generator ..... 54
Figure 3.13 End-Point Generator Design ..... 56
Figure 3.14 Timing Diagram for End-Point Generator Showing Three Output Cycles ..... 57
Figure 3.15 Intermediate Key Generator Design ..... 58
Figure 3.16 Timing Diagram of Intermediate Key Generator Unit ..... 59
Figure 3.17 Sensory Networks(TM) NodalCore(TM) C-1000 PCI Card ..... 61
Figure 3.18 Block Diagram of Sensory Networks NodalCore C-Series Architecture [43] ..... 62
Figure 3.19 The Rainbow Table Channels ..... 63
Figure 3.20 Apparatus Setup of Experiment ..... 64
Figure 4.1 Comparison of Precomputation Throughput for 40-bit DES ..... 67
Figure 4.2 Timing Diagram Showing Time Period Available for Precomputer PCI Arbitrator ..... 69
Figure 4.3 Comparison of Online Attack Time for 40-bit DES ..... 72
Figure 4.4 Block Diagram of Multiple Precomputation Engines ..... 77
Figure 4.5 State Machine for Input Controller of Multiple Precomputation System ..... 78
Figure 4.6 Maximum Frequencies of Xilinx FPGAs for DES Key Search ..... 78
Figure 4.7 Maximum Frequencies of Xilinx FPGAs for Rainbow Table Engines ..... 79
Figure 4.8 Cost-Performance of Exhaustive DES Key Search [25] ..... 80
Figure 4.9 Cost-Performance of Exhaustive DES Key Search (Low-End Detail) [25] ..... 80
Figure 4.10 FPGA Exhaustive Key Search for DES Economics ..... 81
Figure 4.11 CDMF Cryptanalysis Economics by Goldberg and Wagner [7] ..... 82
Figure 4.12 FPGA Rainbow Table Precomputation for DES Economics ..... 83
Figure 4.13 FPGA Rainbow Table Online Attack for DES Economics ..... 84
Figure 4.14 Performance of End-Point Generator across Xilinx FPGA Families ..... 85
Figure 4.15 Time for DES Brute-Force vs. Investment Cost ..... 88
Figure 4.16 Time for Precomputation vs. Investment Cost ..... 90
Figure 4.17 Time for Online Attack vs. Investment Cost ..... 91

List of Tables

Table 1.1 Time/Space Requirements of Cryptanalytic Methods ..... 10
Table 1.2 Example Ciphertext/Key Table for a k-bit Length Cipher given P_chosen ..... 11
Table 1.3 Time/Space Cryptanalytic Requirements for DES and Triple-DES ..... 11
Table 2.1 History of the DES ..... 19
Table 2.2 DES Strengths against Attacks ..... 27
Table 2.3 Summary of Cryptanalytic Devices against the DES ..... 31
Table 2.4 Time-Memory Trade-off Implementations ..... 38
Table 3.1 Precomputation System Design Goals ..... 39
Table 3.2 Online Attack Phase ..... 55
Table 3.3 Calculation of Memory Requirements to Cryptanalyze 56-bit DES ..... 60
Table 3.4 Virtex-II Pro VP40 Logic Resources Available ..... 61
Table 3.5 Summary of I/O Requirements for the Hardware Engines ..... 64
Table 4.1 Synthesis Results of DES Implementation ..... 65
Table 4.2 Comparison of Data Encryption Standard Implementations ..... 66
Table 4.3 CLB Usage for Precomputation Module on XC2VP40 ..... 68
Table 4.4 CLB Usage for Precomputation Module on XC2VP40 (as Percentage) ..... 68
Table 4.5 CLB Usage for End-Point Generator Module on XC2VP40 ..... 69
Table 4.6 CLB Usage for End-Point Generator Module on XC2VP40 (as Percentage) ..... 70
Table 4.7 CLB Usage for Intermediate Key Generator Module on XC2VP40 ..... 71
Table 4.8 CLB Usage for Intermediate Key Generator Module on XC2VP40 (as Percentage) ..... 71
Table 4.9 Advantages and Disadvantages of the Time-Memory Trade-off vs. Exhaustive Key Search ..... 74
Table 4.10 Class of Attackers Performing Brute-Force on DES ..... 87
Table 4.11 Class of Attackers Precomputing a Rainbow Table for DES ..... 89
Table 4.12 Cost to Obtain a Key in One Year through Brute-Force ..... 92
Table 4.13 Modes of Operations Vulnerabilities ..... 93

1 Introduction

There exists a shortcut to exhaustive key search. An adversary no longer needs to perform a brute-force attack that would otherwise take a large amount of computational time: the attack time is shortened by trading memory for time. As will be shown in this thesis, these types of attacks have major consequences in the digital security world.
1.1 A Shortcut to Exhaustive Key Search

Cryptanalysis is the science of determining the meaning of encrypted (or scrambled) information without having the secret key that is required to do so. A cryptanalytic attempt is successful when the plaintext message can be revealed without the key.

A symmetric cipher is a cryptographic algorithm (or function), denoted S, that uses a key k to encrypt a plaintext P to yield the scrambled message known as the ciphertext C:

    C = S_k(P)

There are two extreme methods for the secret key search: exhaustive key search and table lookup. Exhaustive key search involves trying every possible key in the key space by repeatedly performing encryption and comparison until the key is found. Therefore, for a cipher with N possible keys (N = 2^k for a k-bit key length cipher), the worst case will be in the order of O(N). The two extreme methods differ in their time/space requirements. Exhaustive key search uses a computational time of N and constant space (or memory), whilst table lookup uses constant computational time and memory N.

Table 1.1 - Time/Space Requirements of Cryptanalytic Methods

    Cryptanalytic Method  | Time Requirement | Memory Requirement
    ----------------------|------------------|-------------------
    Exhaustive Key Search | N                | 1
    Table Lookup          | 1                | N
Assume a chosen plaintext attack, where the adversary can choose a plaintext and obtain its ciphertext under the secret key (denoted P_chosen and C_chosen respectively) and knows the cryptographic algorithm (or cipher), denoted by the function S. The adversary seeks the value of the secret key k.

In searching for the secret key the adversary can use the chosen plaintext and start with key k_0 from the key space: perform an encryption using k_0 to yield ciphertext C_0 and compare that with C_chosen. If the ciphertexts match, the adversary knows that the secret key is k_0; if not, the adversary repeats the procedure by choosing another key from the key space until a match is found.
In the other extreme, a table lookup consists of two phases for key search. Again, assume a chosen plaintext attack. The first phase is to compute all possible ciphertexts by using every key in the key space for some chosen plaintext, P_chosen. The ciphertexts generated by each corresponding key are stored as ciphertext/key pairs in a table. That is, imagine a table with two columns, one for the ciphertext and the other for the key used to encrypt P_chosen; every row will be a different ciphertext since a different key from the keyspace is used. In the second phase (the online attack phase), the adversary chooses a plaintext/ciphertext pair for which precomputation has been performed. A table lookup using C_chosen is performed to determine the secret key.

Table 1.2 - Example ciphertext/key table for a k-bit length cipher given P_chosen

    Ciphertext                Key
    S_{k_0}(P_chosen)         k_0
    S_{k_1}(P_chosen)         k_1
    S_{k_2}(P_chosen)         k_2
    ...                       ...
    S_{k_{k-1}}(P_chosen)     k_{k-1}

Both exhaustive key search and table lookup have their drawbacks. Exhaustive key search may not succeed if the time for key search exceeds the time window of the attack. Take for example the Data Encryption Standard (DES) cipher with a 56-bit key length. If an encryption and comparison takes 1 microsecond and on average 2^55 keys need to be searched, then a time of 2^55 microseconds (or 1142 years) is required for an exhaustive key search.

Table lookup may require too much memory for the precomputed table and therefore becomes infeasible. A complete DES table would require a total of 64+56=120 bits for the 64-bit ciphertext block and the 56-bit key in each row. Hence 120 * 2^56 bits or approximately 983,040 terabytes are required for the table.

Table 1.3 - Time/Space Cryptanalytic Requirements for DES and Triple-DES

                                Exhaustive Key Search Time Requirements        Table Lookup Space Requirements
    Cipher         Key Length   Time for encryption    Average time to         Memory requirements    Total memory
                                and comparison         break                   per row                requirements
    DES            56 bits      1 μs                   1142 years              120 bits               983,040 terabytes
    Triple-DES¹    112 bits     1 μs                   8.2 x 10^19 years       112 + 64 = 176 bits    1.04 x 10^23 terabytes

¹ The security of Triple-DES is 112 bits since



In 1980, Hellman showed that a trade-off exists between these two extremes [1]. He introduced the time-memory trade-off. Hellman demonstrated that a trade-off curve between memory and time exists for which a probabilistic cryptanalytic technique similar to that of a table lookup could be performed using less memory but more computational time during the online attack². Moreover, in recent years optimizations have been made to the original time-memory trade-off [2, 3]. These optimizations have led to a higher probability of cryptanalytic success and less computational time required to perform the table lookup.

The most recent is the rainbow table variant of the time-memory trade-off introduced by Oechslin in 2003 [3]. Theoretically, the rainbow table variant of the time-memory trade-off has been proven to be effective [3]. The few software and hardware implementations of the rainbow table variant of the time-memory trade-off in the literature have thus far proven to be very effective [3-6].

1.2  Motivation

The rainbow table variant of the time-memory trade-off presents a significant shortcut to exhaustive key search. Few works in the literature have shown real experimental results based on hardware implementation. Most importantly, the practical ramifications of rainbow tables for our deployed cryptosystems such as DES, Triple-DES and AES³ have never been studied and presented.

Goldberg and Wagner [7] and Blaze et al. [8] give evidence that there is a need to continuously assess currently deployed cryptosystems. In [8], Blaze et al. suggested minimum key lengths for varying encryption algorithms used in the commercial domain. Their argument was based on the ability of cryptanalysts to use readily available technology that makes brute-force decryption attacks faster and cheaper. Similarly, Goldberg and Wagner [7] showed the effectiveness of programmable logic devices in cryptanalytic applications by showing various performance-cost ratios of their implementations.

Advancements in programmable logic technology, particularly field programmable gate arrays (FPGAs), have increased the computational power of our adversaries while keeping their costs down. Rouvroy and Standaert [6] estimated that it would only cost $12 to crack a DES key in 30 minutes using rainbow tables, assuming precomputation (2005).

Advancements in FPGA technology and theoretical optimizations to the time-memory trade-off (considered a shortcut to exhaustive search) have motivated this study.

² Chapter 2 of this thesis provides details of Hellman's time-memory trade-off.

³ AES is an abbreviation for the Advanced Encryption Standard, which is a 128-bit block cipher.

1.3  Thesis Organization

This thesis is divided into five chapters. Following this introduction, Chapter 2 provides a background on the theory required to understand the rest of this thesis and presents related work in the literature. Chapter 3 describes the design and implementation taken to obtain the results. Chapter 4 presents an analysis of the results. Chapter 5 presents conclusions and suggested directions for future work.




2  Background and Previous Work

This chapter first provides a brief overview of the necessary theory required to understand this thesis, followed by a survey of related work in the field of cryptanalysis on FPGA hardware.

2.1  Ciphers

A cipher is a cryptographic algorithm [9]. The plaintext (P) is used to refer to the original intelligible message. Through an encryption algorithm the plaintext becomes a scrambled and unintelligible message, known as the ciphertext (C). Encryption is accomplished by scrambling data using mathematical procedures that make it extremely difficult and time consuming for anyone other than authorized recipients (those with the correct decryption keys) to recover the plaintext [8]. Decryption is the reverse of encryption. Given the ciphertext, the decryption scheme will output the original plaintext.

    C = S_k(P)

The size of encryption keys is measured in bits. The difficulty of trying all possible keys grows exponentially with the number of bits used. Adding one bit to the key doubles the number of possible keys; adding ten increases it by a factor of more than a thousand.

Kerckhoff's law states that in the design of cryptosystems, the security should be derived only from the key [10]. That is, the security of a cryptosystem should not depend on keeping the algorithm a secret, but instead on keeping the key secret [9-11]. Proper encryption guarantees that the information will be safe even if it falls into hostile hands [8].

A cryptographic algorithm is considered strong if [8]:

1. There is no shortcut that allows the opponent to recover the plaintext without using brute force to test keys until the correct one is found; and

2. The number of possible keys is sufficiently large to make such an attack infeasible.

2.1.1  Symmetric Ciphers

Symmetric ciphers are encryption/decryption algorithms which use the same key for encrypting and decrypting.



[Figure 2.1: P -> E_K(P) = C -> P; the same key K is used for encryption and for decryption]

Figure 2.1  Symmetric Encryption and Decryption


The algorithm usually performs transpositions and substitutions. In the traditional cryptographic model, if Alice sends an encrypted message to Bob using key K and encryption algorithm E, then Bob must decrypt the encrypted message using K and decryption algorithm D, where

    C = E_K(P)
    P = D_K(C) = E_K^{-1}(C)

E is the encryption function with two inputs: the symmetric key K and the plaintext P. D is the decryption function with two inputs: the symmetric key K and the ciphertext C.

There are two types of symmetric ciphers: block ciphers and stream ciphers. Block ciphers operate on blocks of plaintext and ciphertext, often 64 bits. Using the same key, the same plaintext block will always encrypt to the same ciphertext block. DES is a block cipher. Stream ciphers operate on streams of plaintext and ciphertext one bit or byte (sometimes even one 32-bit word) at a time. The same plaintext bit or byte will encrypt to a different bit or byte every time it is encrypted.

2.1.2  Asymmetric Ciphers

Asymmetric ciphers are those encryption/decryption algorithms that use two different keys for encrypting and decrypting.

[Figure 2.2: P -> E_{K_A}(P) = C -> P; encryption under key K_A, decryption under key K_B]

Figure 2.2  Asymmetric Encryption and Decryption

They are generally used to manage the keys used for symmetric ciphers. Public key cryptography is used for secure key distribution and digital signatures. This was first presented by Diffie and Hellman in [12].

In public key cryptography two keys are generated. Alice generates the two keys. Alice keeps one key secret; this key is known as the private key, and Alice's private key is denoted as KR_A. The other key, the public key, is made public to all those that wish to communicate with Alice; Alice's public key is denoted as KU_A. The requirement is that when Alice encrypts her plaintext P with KR_A, only KU_A can decrypt the ciphertext. It should be computationally infeasible to decrypt the ciphertext without KU_A.

2.2  The Data Encryption Standard

The Data Encryption Standard (DES) is the most heavily studied and commercially used cipher in the world. The American National Standards Institute (ANSI) approved DES as a private-sector standard in 1981 [9]. Today, DES is used in a large range of systems including civilian satellite communications, gateway servers, set-top boxes, Virtual Private Networks (VPN), video transmissions, UNIX password hashing and numerous data transfer applications [13].

DES [14] is a block cipher that takes a 64-bit key and a 64-bit input block and outputs a 64-bit encrypted block. The actual effective key size is only 56 bits since the least significant bit in every byte can be used as parity.


2.2.1  Algorithm

DES proceeds in three phases as shown in Figure 2.3, taken from [13]. First, the 64-bit plaintext block passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. The second phase consists of 16 rounds of encryption involving both permutation and substitution. The third phase takes the output of the 16 rounds through the inverse of the initial permutation (IP^{-1}) to produce the 64-bit ciphertext. Note that the initial permutation and final permutation mechanisms do not add to the security of the algorithm.



Figure 2.3  DES Algorithm

The second phase of DES has the exact structure of a Feistel network. A Feistel network is a ladder structure network as shown in Figure 2.3. Input is split into two blocks, the left and right halves [15]. It usually consists of multiple rounds of repeated operations such as bit-shifting, non-linear functions and linear mixing. A Feistel network aims to provide a large amount of "confusion and diffusion". Confusion is used to make the relationship between the ciphertext and the key as difficult as possible [15]. In DES, it is achieved through the S-Boxes. Diffusion is used to dissipate the statistical structure of the plaintext into long range statistical properties of the ciphertext [15]. It is achieved through the repeated application of permutations (P-Boxes in DES).

A valuable property of a Feistel network is its ability to easily perform decryption by reversing the order of the rounds [15] without needing to invert the one-way round functions. This also effectively reduces the amount of hardware circuitry and logic in the implementation of such a cipher.



Back to the second phase of DES, in each round the 64-bit intermediate value is divided into 32-bit halves, the left half (L_i) and the right half (R_i), where i denotes the current round. The processing of each round is defined as follows:

    L_i = R_{i-1}
    R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)

The function f takes as input a 32-bit block, R_{i-1}, and a 48-bit block, K_i. Figure 2.4, taken from [14], shows the calculation of the function f.

Figure 2.4  DES calculation of f(R,K)

R_{i-1} is put through an expansion function E. Let E denote a function which takes a block of 32 bits as input and yields a block of 48 bits as output. The expansion function E is obtained by selecting the bits in its input in order according to the E bit-selection table defined in [14] and shown in Appendix A.


The key in each round is a subset of the original 64-bit key with bits permuted. At each iteration, a different block K_i is chosen from an intermediate 64-bit key designated by KEY. The key schedule function is denoted by KS, where KS takes as input an integer i in the range of 1 to 16 and a 64-bit block KEY. This yields a 48-bit block output K_i:

    K_i = KS(i, KEY)

Full details of KS are given in [14]. Now, E(R_{i-1}) is xor'ed with K_i and goes through the substitution mechanism. That is,

    E(R_{i-1}) ⊕ K_i

is put through selection; the selection mechanism consists of 8 selection functions S_1, ..., S_8 (referred to as S-boxes). Each function takes a 6-bit block as input and yields a 4-bit block as output. The definitions of the S-boxes are given in [14]. The output of the selection mechanism is a 32-bit intermediate block which is put through a permutation function (referred to as the P-box). A table defines the permutation and is shown in Appendix A.
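The round structure above, worked through in code as an added example (this is illustration code written for this edit, not the thesis's DES unit and not DES itself): a toy Feistel network with a 32-bit block, 16-bit halves, 8 rounds, and a made-up key_schedule and round_function. The round function deliberately discards bits and has no inverse, yet decryption is the same routine with the subkeys K_1..K_8 fed in reverse order, which is exactly the property the text attributes to Feistel networks. The block and key sizes, the round count, the key schedule and f are all assumptions of this example.

```python
"""Toy Feistel network (added example, not DES): shows L_i = R_{i-1},
R_i = L_{i-1} xor f(R_{i-1}, K_i) and decryption by reversing the subkeys."""
from typing import List

HALF_BITS = 16                      # toy: 32-bit block split into two 16-bit halves (DES: 64/32)
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 8                          # toy: 8 rounds (DES: 16)


def key_schedule(key: int, rounds: int = ROUNDS) -> List[int]:
    """Hypothetical KS(i, KEY): one 16-bit subkey per round from a 32-bit key.
    Rotates the key by the round number and folds the two halves together."""
    key &= 0xFFFFFFFF
    subkeys = []
    for i in range(1, rounds + 1):
        rotated = ((key << i) | (key >> (32 - i))) & 0xFFFFFFFF
        subkeys.append((rotated ^ (rotated >> 16) ^ (i * 0x1F1F)) & HALF_MASK)
    return subkeys


def round_function(r: int, k: int) -> int:
    """Hypothetical f(R, K). Multiply-and-truncate throws bits away, so f has
    no inverse; the Feistel structure never needs one."""
    return (((r ^ k) * 0x9E3779B1) >> 13) & HALF_MASK


def feistel(block: int, subkeys: List[int]) -> int:
    """Run the rounds; the final swap lets the same routine decrypt."""
    left, right = (block >> HALF_BITS) & HALF_MASK, block & HALF_MASK
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} xor f(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    # Same network, subkeys in the order K_8..K_1 instead of K_1..K_8
    return feistel(block, key_schedule(key)[::-1])


def round_trip_ok(block: int, key: int) -> bool:
    """D_K(E_K(P)) == P for this block/key pair."""
    return decrypt(encrypt(block, key), key) == block


if __name__ == "__main__":
    pt, key = 0xDEADBEEF, 0x0123ABCD      # constructed sample values
    ct = encrypt(pt, key)
    print(f"P={pt:08x}  C={ct:08x}  D_K(C)={decrypt(ct, key):08x}")
```

Because each round only xors f's output into one half and then swaps, undoing a round needs f's output again, not f's inverse; that is why the same datapath can be reused for decryption in hardware, as the text notes.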

2.2.2  Timeline

People have questioned the security of the DES for a long time and there has been much speculation on its design principles, for example, the cryptographic significance of the S-boxes [6]. The major concern regarding the security of DES is its short key length. DES is still a very commonly deployed encryption algorithm.

The following table, taken from [16], shows key events regarding the DES:

Table 2.1  History of the DES

    Year   Event
    1973   NBS publishes a first request for a standard encryption algorithm
    1974   NBS publishes a second request for encryption algorithms
    1975   DES is published in the Federal Register for comment
    1976   First workshop on DES
    1976   Second workshop, discussing mathematical foundation of DES
    1976   DES is approved as a standard
    1977   DES is published as a FIPS standard FIPS PUB 46
    1983   DES is reaffirmed for the first time
    1986   Videocipher II, a TV satellite scrambling system based upon DES, begins use by HBO
    1988   DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46
    1992   Biham and Shamir publish the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts (Biham and Shamir, 1992).
    1993   DES is reaffirmed for the third time as FIPS 46-2
    1994   The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
    1997   The DESCHALL Project breaks a message encrypted with DES for the first time in public.
    1998   The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
    1999   Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
    1999   DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems.
    2001   The Advanced Encryption Standard is published in FIPS 197
    2002   The AES standard becomes effective
    2004   National Institute of Standards and Technology (NIST) recommends the use of Triple-DES over DES.



2.3  Cryptanalysis on the Data Encryption Standard

This section will discuss the theoretical cryptanalytic methods applicable to DES.

2.3.1  Exhaustive Key Search

Exhaustive key search is the most practical cryptanalytic attack on DES. Given a plaintext and ciphertext during an attack, an exhaustive key search, or a brute-force attack, will perform encryption on every possible key in the key space until the encryption yields the given ciphertext in a known or chosen plaintext attack. Hence, for an n-bit key length cipher, the total size of the key space is 2^n. On average, O(2^{n-1}) operations are required for the search.

2.3.2  Advanced Cryptanalytic Techniques

Other cryptanalytic techniques against DES include differential cryptanalysis and linear cryptanalysis. These are so called advanced attacks. Differential cryptanalysis involves a better than brute force approach to attacking DES with known plaintext/ciphertext pairs [17]. It involves examining the xor of two texts. Linear cryptanalysis considers the ciphertext derived by combining certain bits from the plaintext and key [17]. The weakness of these advanced attacks is their requirement for a prohibitively large number of known or chosen plaintext/ciphertext pairs.

2.3.3  The Time-Memory Trade-off

In 1980, Hellman [1] introduced the time-memory trade-off. Rivest [2] introduced the first optimization of the time-memory trade-off by using distinguished points. In 2003, Oechslin [3] introduced the rainbow table optimization. This section will introduce the theory behind the original time-memory trade-off [1] and its variants [2, 3].


2.3.3.1  Original Time-Memory Trade-off

2.3.3.1.1  Notation

In a chosen or known plaintext attack, given a fixed plaintext P_0 and corresponding ciphertext C_0, the method tries to find the key k ∈ N which was used to encipher the plaintext using cipher S, a one-way function.

The entire set of the key space is denoted as N. For a cipher with an n-bit key length, there are 2^n distinct keys. The ciphertext is therefore defined by:

    C_0 = S_k(P_0)




Now define a function R which performs a mapping of the ciphertext to a key-length string. If the cipher operates with 64-bit data blocks and uses a 56-bit key, such as DES, then applying function R to some ciphertext, say C_0, will yield a 56-bit key string. Further, function f is defined as:

    f(k_i) = R[S_{k_i}(P_0)]

The function R will be referred to as either the mask function or reduction function. There are numerous ways to implement such a function. In the case of DES, reduction functions include dropping eight bits of the output and permuting the remaining 56 bits (e.g. xoring with some value, randomly shifting).

2.3.3.1.2  Precomputation

Similar to a table lookup, the first stage requires precomputation. The algorithm is as follows: choose m start-points denoted by SP_1, SP_2, ..., SP_m, where each is independently drawn from the key space N.

For 1 ≤ i ≤ m let

    X_{i,0} = SP_i

and for 1 ≤ j ≤ t compute:

    X_{i,j} = f(X_{i,j-1})

This yields m chains of length t for one table as shown in Figure 2.5. The parameters m and t are chosen by the cryptanalyst to trade off time against memory. Typically, for a k-bit key, t = m = 2^{k/3} [5].

Figure 2.5  Matrix of images under f

The last element or endpoint in the i-th chain (or row) is denoted by EP_i.



    EP_i = f^t(SP_i)

To reduce memory requirements, all intermediate points are discarded as they are produced. Only the start-points and end-points are stored and sorted in a table. It is easy to see that X_{i,j} is basically a key in the key-space N.

Hence, the bounds of memory M (used to store the precomputation tables) and time T (required to find the password starting from the hash) are defined by [5]:

    M = m * l * m_0
    T = t * l * t_0

Here, l is used to denote the number of tables, and m_0 is the amount of memory required to store each chain, that is, the start-point and end-point. With DES, m_0 is 2 * 56 bits = 14 bytes. The time in which one key is generated is denoted by t_0. Multiple tables are generated by using a different reduction function. Multiple tables will increase the probability of cryptanalytic success as described in the next few sections.

2.3.3.1.3  Online Attack

The next task in cryptanalysis is to perform the online attack. Assume a chosen plaintext attack whereby the cryptanalyst intercepts, is given or guesses C_chosen and P_chosen but not the secret key k_x. The cryptanalyst intercepts:

    C_chosen = S_{k_x}(P_chosen)

In this type of attack the cryptanalyst has already performed the task of pre-computing the table in the precomputation phase using P_chosen. He/she already has a table with the start-points and end-points sorted and indexed such that a lookup based on an endpoint can be performed in one operation.

The process of finding the key is iterative. First, the cryptanalyst applies the reduction function R to obtain:

    Y_1 = R(C_chosen) = f(k_x)

If Y_1 is an end-point, say Y_1 = EP_i, then either k_x = X_{i,t-1} or EP_i has more than one inverse image. In case Y_1 = EP_i, the cryptanalyst uses the corresponding start-point (SP_i) of end-point (EP_i) to compute X_{i,t-1} by starting from SP_i and applying the function f. The cryptanalyst checks that X_{i,t-1} is indeed k_x by checking to see if C_chosen deciphers to P_chosen; if so, then k_x has been determined.

The event that EP_i has more than one inverse is called a false alarm. If Y_1 is not an end-point or a false alarm has occurred, then the cryptanalyst performs f on Y_1 to yield Y_2 and checks to determine if Y_2 is an end-point.

    Y_2 = f(Y_1)

If Y_2 is an end-point then k_x is found by computing X_{i,t-2} from SP_i. If Y_2 is not an end-point then the key is not in the (t-2)-nd column. The procedure is continued until the 0-th column is reached as shown in Figure 2.5.
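The precomputation of 2.3.3.1.2 and the online attack of 2.3.3.1.3, carried through end to end as an added example (illustration code written for this edit; it is neither the thesis's NodalCore implementation nor DES). The cipher S is a constructed SHA-256 based one-way function with a 16-bit key and a 24-bit block, so the reduction function R genuinely has to drop bits, as it does for DES's 64-bit block and 56-bit key. The table keeps only EP_i -> SP_i; the online attack walks Y_1, Y_2 = f(Y_1), ... back towards column 0, regenerates X_{i,t-j} from SP_i on a hit, and treats a candidate that does not re-encrypt P_0 to C_chosen as a false alarm. The key/block sizes, the constant in reduce_r and the chain parameters are assumptions of this example.

```python
"""Hellman time-memory trade-off on a toy cipher (added example, not the
thesis's DES/FPGA code). Key space N = 2^16, 24-bit block, so R must drop bits."""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

KEY_BITS = 16                     # toy k; DES would be 56
KEY_MASK = (1 << KEY_BITS) - 1
P0 = 0xABCDEF                     # constructed fixed plaintext P_0 (24-bit block)


def toy_encrypt(key: int, plaintext: int) -> int:
    """Stand-in for S_k(P): a keyed one-way function built from SHA-256
    (constructed for this example; it is not DES)."""
    data = key.to_bytes(2, "big") + plaintext.to_bytes(3, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")


def reduce_r(ciphertext: int, table_id: int = 0) -> int:
    """Reduction function R: 24-bit ciphertext -> 16-bit key string. Dropping
    the top byte and xoring a per-table constant mirrors the DES reductions
    described above; a different table_id gives each Hellman table its own R."""
    return (ciphertext ^ (table_id * 0x5BD1)) & KEY_MASK


def f(key: int, table_id: int = 0) -> int:
    """f(k) = R[S_k(P_0)]"""
    return reduce_r(toy_encrypt(key, P0), table_id)


def chain(sp: int, t: int, table_id: int = 0) -> List[int]:
    """X_{i,0} = SP_i, X_{i,j} = f(X_{i,j-1}); returns [X_{i,0}, ..., X_{i,t}]."""
    xs = [sp]
    for _ in range(t):
        xs.append(f(xs[-1], table_id))
    return xs


def precompute(m: int, t: int, table_id: int = 0, seed: int = 1) -> Dict[int, int]:
    """One table of m chains of length t, keeping only EP_i -> SP_i."""
    rng = random.Random(seed)
    table: Dict[int, int] = {}
    for _ in range(m):
        sp = rng.getrandbits(KEY_BITS)
        table[chain(sp, t, table_id)[-1]] = sp   # same EP twice: the chains merged
    return table


def online_attack(c_chosen: int, table: Dict[int, int], t: int,
                  table_id: int = 0) -> Tuple[Optional[int], int]:
    """Return (recovered key or None, number of false alarms met on the way)."""
    false_alarms = 0
    y = reduce_r(c_chosen, table_id)           # Y_1 = R(C_chosen) = f(k_x)
    for j in range(1, t + 1):                  # Y_j = EP_i  =>  k_x may be X_{i,t-j}
        if y in table:
            candidate = chain(table[y], t - j, table_id)[-1]   # X_{i,t-j} from SP_i
            if toy_encrypt(candidate, P0) == c_chosen:
                return candidate, false_alarms
            false_alarms += 1                  # EP_i had another inverse image
        y = f(y, table_id)                     # Y_{j+1} = f(Y_j)
    return None, false_alarms                  # reached column 0: key not covered


if __name__ == "__main__":
    M, T = 1500, 40                            # constructed m, t: m*t is about 2^16
    tbl = precompute(M, T)
    secret = chain(tbl[next(iter(tbl))], T)[5]  # a key this table does cover
    key, alarms = online_attack(toy_encrypt(secret, P0), tbl, T)
    print(f"recovered {key:#06x} after {alarms} false alarm(s); "
          f"{len(tbl)} of {M} chains survived merging")
```

Two things the paragraphs above describe become visible when this runs: the table holds fewer than m entries whenever chains have merged (one EP, two SPs), and a lookup hit is only a candidate until the key is verified against C_chosen, which is what turns a false alarm into a rejected guess rather than a wrong answer.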

2.3.3.1.4  Performance

As a result, a probabilistic method which can cryptanalyze any k-bit key cryptosystem in 2^{2k/3} operations (evaluations of function f) is possible provided 2^k operations have been completed prior to the attack and that 2k * 2^{2k/3} bits are used in memory.

Interestingly, Figure 2.6 shows the growth of the time requirements for the two methods plotted against the key size. It shows that the online attack of the time-memory trade-off provides a significantly lower computational time requirement growth rate compared to exhaustive key search. This illustrates that increasing the key sizes has a smaller effect on the security of the cryptosystem.



[Figure 2.6: Computational Time plotted against Key Length for Exhaustive Key Search and for the Time-Memory Trade-off (Online Attack)]

Figure 2.6  Computational Time Requirements Graph

Hellman notes that the precomputation time should not be considered as time for cryptanalysis as it is performed at the attacker's leisure [1]. Only the online attack is considered a cryptanalytic attempt. Hence, the time-memory trade-off presents a significant improvement over (or shortcut to) exhaustive search as it can break any k-bit cipher in less than 2^{k-1} operations, which is the average number of operations to successfully complete exhaustive key search; specifically only 2^{2k/3} operations are required.

2.3.3.1.5  Probability and Shortcomings

Hellman notes that this method is probabilistic and that there is a chance that chains starting at different keys collide and merge [1]. A collision is a situation where two keys during precomputation are the same. This event happens since the reduction function R is an arbitrary function of the space of ciphertexts into the space of keys, for which the ciphertext space is larger than the key space.

The larger the table is, the greater the probability of new chains merging with a previous one. Each merge reduces the number of distinct keys covered by a table.

The probability of finding a key by using one table of m rows of t keys is given by:

    2^{k-1}        2^{(2/3)k}



Further, to obtain a high probability of success, multiple tables using different reduction functions for each table should be created. With l tables, the probability of success is:

Chains of different tables can collide but will not merge since each table generated uses a different reduction function.

2.3.3.2  Distinguished Points

The optimization proposed by Rivest is to use distinguished points as endpoints [2]. Distinguished points are points for which a simple criterion holds true, for example, the first 16 significant bits are zero. All endpoints stored in memory are distinguished points. Hence, when performing the online attack and generating a chain, a search of the precomputed table is not performed until a distinguished point is found. This optimization decreases the number of memory lookups.

In [18], Borst notes the advantages of distinguished points:

• They allow for loop detection: if a distinguished point is not found after iterating a specified number of keys, then the chain can be suspected to contain a loop and be abandoned. The result is that all chains in the table are loop free.

• Merges can easily be detected since two merging chains will have the same endpoint (the next distinguished point after the merge). Merging chains are discarded and additional chains generated to replace them.

2.3.3.3  Rainbow Tables

Oechslin notes that the main limitation of the original scheme is when two chains collide in a single table and merge [3]. He proposed a new type of chain which can collide within the same table without merging. These chains are called rainbow chains.


2.3.3.3.1  Mechanism

Instead of using the same reduction function per table, rainbow tables use successive reduction functions for each point in the chain. Thus, in regards to Figure 2.5, each column has a different function f due to a different reduction function. They start with reduction function 1 and end with reduction function t-1 [3]. This is shown in Figure 2.7 below.

    SP_1 = X_{1,0} --f_1--> X_{1,1} --f_2--> X_{1,2} --f_3--> ... --f_{t-1}--> X_{1,t} = EP_1
    SP_2 = X_{2,0} --f_1--> X_{2,1} --f_2--> X_{2,2} --f_3--> ... --f_{t-1}--> X_{2,t} = EP_2
    SP_3 = X_{3,0} --f_1--> X_{3,1} --f_2--> X_{3,2} --f_3--> ... --f_{t-1}--> X_{3,t} = EP_3
         .               .               .               .                        .
         .               .               .               .                        .
    SP_m = X_{m,0} --f_1--> X_{m,1} --f_2--> X_{m,2} --f_3--> ... --f_{t-1}--> X_{m,t} = EP_m

Figure 2.7  Matrix of Rainbow Chains

Therefore, if two chains collide they would only merge if they appeared in the same position in both chains. If they are not in the same position in their respective chains, a merge will not occur as a different reduction function would apply to each in their next iteration. The probability of merges is reduced substantially [3].

The online attack is as follows: first apply R_{t-1} to the chosen ciphertext denoted by C_chosen and perform a lookup for a matching endpoint to R_{t-1}(C_chosen) = Y_1. If the value of Y_1 is an end-point in the rainbow table then rebuild the chain from the corresponding start-point to yield the key. If not, apply f_{t-2} to Y_1 to see if the key is in the second last column of the table. Continue to apply the previous reduction function until a match is found or f_1 is applied and no match is found.

[Figure 2.8: starting from C_chosen, candidate end-points Y_1, Y_2, Y_3, ... are regenerated by applying f_{t-1}, then f_{t-2} and f_{t-1}, then f_{t-3}, f_{t-2} and f_{t-1}, and so on, with a table lookup after each]

Figure 2.8  Repetitive generation of end-points during the online attack
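The rainbow variant of the same procedure, as an added example (illustration code written for this edit, not Oechslin's implementation and not the thesis's hardware engine). It reuses the same constructed SHA-256 based toy cipher with a 16-bit key as the Hellman example, but gives every column its own reduction function R_j, builds a single table instead of l tables, and in the online phase tries each column k_x could occupy from t-1 down to 0, regenerating the candidate end-point from C_chosen each time as in Figure 2.8. The per-column constant in reduce_j and the chain parameters are assumptions of this example; the evaluation count it returns is the t(t-1)/2, i.e. about t^2/2, that the text quotes for scanning.

```python
"""Rainbow table variant on a toy cipher (added example, not the thesis's code).
Column j uses its own reduction function R_j, so f_j(k) = R_j[S_k(P_0)]."""
import hashlib
import random
from typing import Dict, Optional, Tuple

KEY_BITS = 16                                  # toy k; DES would be 56
KEY_MASK = (1 << KEY_BITS) - 1
P0 = 0xABCDEF                                  # constructed fixed plaintext P_0


def toy_encrypt(key: int, plaintext: int) -> int:
    """Constructed stand-in for S_k(P) (SHA-256 based, not DES)."""
    data = key.to_bytes(2, "big") + plaintext.to_bytes(3, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")


def reduce_j(ciphertext: int, j: int) -> int:
    """R_j: drop to key length and mix in the column index, so a collision in
    column j and one in column j' != j lead to different next points."""
    return (ciphertext ^ (j * 0x9E37)) & KEY_MASK


def f_j(key: int, j: int) -> int:
    return reduce_j(toy_encrypt(key, P0), j)


def rainbow_chain(x: int, start_col: int, end_col: int) -> int:
    """Apply f_{start_col+1}, ..., f_{end_col} to x: X_{i,end} from X_{i,start}."""
    for j in range(start_col + 1, end_col + 1):
        x = f_j(x, j)
    return x


def precompute(m: int, t: int, seed: int = 7) -> Dict[int, int]:
    """One rainbow table: m chains, t columns; store EP_i -> SP_i. Two chains
    with the same EP merged (same point, same column) and one is dropped."""
    rng = random.Random(seed)
    table: Dict[int, int] = {}
    for _ in range(m):
        sp = rng.getrandbits(KEY_BITS)
        table[rainbow_chain(sp, 0, t)] = sp
    return table


def online_attack(c_chosen: int, table: Dict[int, int], t: int) -> Tuple[Optional[int], int]:
    """Try each column c that k_x could sit in, from t-1 down to 0. For column c
    the candidate end-point is f_t(...f_{c+2}(R_{c+1}(C_chosen))). The work is
    0 + 1 + ... + (t-1) = t(t-1)/2 evaluations of f, the t^2/2 of the text."""
    evaluations = 0
    for c in range(t - 1, -1, -1):
        y = reduce_j(c_chosen, c + 1)              # if k_x = X_{i,c} then y = X_{i,c+1}
        y = rainbow_chain(y, c + 1, t)             # carry it to the end-point column
        evaluations += t - c - 1
        if y in table:
            candidate = rainbow_chain(table[y], 0, c)   # rebuild X_{i,c} from SP_i
            if toy_encrypt(candidate, P0) == c_chosen:
                return candidate, evaluations
            # otherwise a false alarm: the same EP was reached from another point
    return None, evaluations


if __name__ == "__main__":
    M, T = 1500, 40                                # constructed m and t
    tbl = precompute(M, T)
    secret = rainbow_chain(tbl[next(iter(tbl))], 0, 11)   # a key the table covers
    key, evals = online_attack(toy_encrypt(secret, P0), tbl, T)
    print(f"recovered {key:#06x} after {evals} f-evaluations "
          f"(worst case {T * (T - 1) // 2}); {len(tbl)} of {M} chains kept")
```

Compared with the Hellman table, a collision between two chains here only costs a chain when it happens in the same column; collisions in different columns diverge again at the next step because the next reduction function differs, which is why far more of the m start-points survive into the stored table.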

2.3.3.3.2  Benefits and Drawbacks of Rainbow Tables

Oechslin [3] points out that rainbow chains share the advantages of chains ending in distinguished points without suffering their limitations, that is:

• The number of table look-ups is reduced by a factor of t compared to Hellman's original method.

• Mergers of rainbow chains result in identical endpoints and are thus detectable. Rainbow chains can generate merge-free tables.

• Rainbow chains have no loops since each reduction function appears only once.

• Rainbow chains have constant length whereas chains ending in distinguished points have variable lengths.

Further, rainbow tables have a higher probability of success and allow easier analysis than Hellman's original method [5].

The disadvantage of the rainbow table method, or any other time-memory trade-off method of cryptanalysis, is the fact that it is probabilistic. The cryptanalyst is not guaranteed success in breaking the system.

2.3.3.3.3  Changes in M and T

As a result of applying a different f function for each column, a single rainbow table has mt rows and t columns. It requires M = mt memory for storage and T = t^2/2 time for scanning [3]. There is no longer the need to create multiple tables like Hellman's original time-memory trade-off [1].

2.3.3.3.4  A summary

The following table summarizes the strength of DES against the mentioned attacks, taken from Barrie [17]. Added is a row for the rainbow table variant.

Table 2.2  DES Strengths Against Attacks

                                       Complexity (Number of Messages)      Requirements
    Attack                             Known           Chosen               Storage           Processing
    Exhaustive Precomputation          -               1                    2^56              1 (lookup)
    Exhaustive Search                  1               -                    0                 2^55
    Linear Cryptanalysis               2^43 (85%)      -                    For texts         2^43
                                       2^34 (10%)      -                    For texts         2^50
    Differential Cryptanalysis         -               2^47                 For texts         2^47
                                       2^55            -                    For texts         2^55
    Rainbow Table (suggested           -               1                    2k * 2^{2k/3}     2^{k/3}
    parameters [3])