CRYPTANALYSIS ON FPGA BASED HARDWARE

Malcolm Alda Sumantri
malcolm@sumantri.net

Supervisors:
Matt Barrie (mattb@alumni.stanford.org)
Craig Jin (craig@ee.usyd.edu.au)

School of Electrical and Information Engineering
The University of Sydney

Bachelor of Engineering (Software) & Bachelor of Commerce
Student Number: 200127126
November 2005
STATEMENT OF ACHIEVEMENT

Conducted research on the benefits of cryptanalysis using FPGAs.

Conducted a literature review on previous hardware and software approaches for the cryptanalysis of the Data Encryption Standard (DES) through exhaustive key search methods and the time-memory trade-off methods.

Designed, implemented and tested a 48-stage pipelined DES implementation.

Designed a universal rainbow table precomputation system applicable to various ciphers.

Designed a universal online attack system applicable to various ciphers.

Designed, implemented and tested a hardware rainbow table DES precomputation implementation on the Sensory Networks™ NodalCore™ C-1000 card. This involved learning the NodalCore™ chipset architecture and integration with the chipset architecture.

Designed and implemented a hardware rainbow table DES online attack implementation for the Sensory Networks™ NodalCore™ C-1000 card.

Designed software to interface with the precomputation hardware and the online attack system hardware.

Conducted a design analysis and suggested optimizations for the 48-stage pipelined DES unit, the rainbow table precomputation and online attack engines.

Proposed a solution to rainbow table lookup employing open-source database management system software technology, particularly PostgreSQL.

Extrapolated based on experimentation the complete cryptanalysis of DES.

Conducted a performance-cost analysis for the various hardware engines implemented.

Identified adversaries and attackers and their current ability to attack cryptosystems based on cost.

Suggested countermeasures against the continual improvement in cryptanalytic technology.

Suggested directions for future research.

Signed: ___________________________
Malcolm Alda Sumantri

Signed: ___________________________
Matt Barrie

Signed: ___________________________
Craig Jin
ABSTRACT

The subject of this thesis is in the field of information security. The motivation is based on the existence of a shortcut to exhaustive key search. The shortcut involves trading off memory to achieve a shorter time for cryptanalysis. This technique is known as the time-memory trade-off. This thesis specifically studies the rainbow table variant of the time-memory trade-off and how it can be used to attack symmetric block ciphers. The Data Encryption Standard (DES) is used to study the effectiveness of this attack.

Field-programmable gate arrays are reconfigurable digital integrated circuits that in the past have proven to provide high performance and low cost for cryptographic applications. Their application to cryptanalysis is investigated experimentally in this thesis. This thesis presents both a universal hardware design and a specific hardware design used for DES for a complete rainbow table cryptanalytic system on an FPGA-based device. This design is used to perform an attack on 40-bit DES.

The result of the attack using the engineered design is compared with similar works in the literature. An economic analysis of cryptanalysis is presented by determining the most cost-effective FPGA chip for large-scale cryptanalysis through a performance-cost survey of various FPGA chips. Various classes of attackers are identified and a suggestion for a key length which provides the security of information for the next 20 years is justified.
Dedicated to my family, Lina, Bambang, Derice and Meyrick
TABLE OF CONTENTS

1 INTRODUCTION ... 10
1.1 A Shortcut to Exhaustive Key Search ... 10
1.2 Motivation ... 12
1.3 Thesis Organization ... 13
2 BACKGROUND AND PREVIOUS WORK ... 14
2.1 Ciphers ... 14
2.1.1 Symmetric Ciphers ... 14
2.1.2 Asymmetric Ciphers ... 15
2.2 The Data Encryption Standard ... 16
2.2.1 Algorithm ... 16
2.2.2 Timeline ... 19
2.3 Cryptanalysis on the Data Encryption Standard ... 20
2.3.1 Exhaustive Key Search ... 20
2.3.2 Advanced Cryptanalytic Techniques ... 20
2.3.3 The Time-Memory Trade-off ... 20
2.3.3.1 Original Time-Memory Trade-off ... 20
2.3.3.1.1 Notation ... 20
2.3.3.1.2 Precomputation ... 21
2.3.3.1.3 Online Attack ... 22
2.3.3.1.4 Performance ... 23
2.3.3.1.5 Probability and Shortcomings ... 24
2.3.3.2 Distinguished Points ... 25
2.3.3.3 Rainbow Tables ... 25
2.3.3.3.1 Mechanism ... 25
2.3.3.3.2 Benefits and Drawbacks of Rainbow Tables ... 26
2.3.3.3.3 Changes in M and T ... 27
2.3.3.3.4 A Summary ... 27
2.4 Hardware versus Software for Cryptanalysis ... 27
2.4.1 Application Specific Integrated Circuits (ASICs) ... 28
2.4.2 Field Programmable Gate Arrays (FPGAs) ... 29
2.4.3 Benefits of Cryptanalysis on FPGAs ... 29
2.5 Previous Work ... 31
2.5.1 Cryptanalysis of DES ... 31
2.5.2 The Time-Memory Trade-off (and Variants) ... 34
3 DESIGN AND IMPLEMENTATION ... 39
3.1 Introduction ... 39
3.2 Precomputation Design ... 39
3.2.1 Design Goals ... 39
3.2.2 A Universal Precomputation Design ... 40
3.2.3 The Key Generator Unit ... 42
3.2.3.1 Design Considerations ... 42
3.2.3.2 Design ... 43
3.2.4 The Cipher Encryption Unit ... 44
3.2.5 The Reduction Function Unit ... 44
3.2.5.1 Design Considerations ... 44
3.2.5.2 Design ... 44
3.3 The Data Encryption Standard Implementation ... 45
3.3.1 Design Considerations ... 46
3.3.2 Implementation ... 46
3.3.3 Simulation Timing Diagram ... 49
3.4 DES Rainbow Table Precomputation Implementation ... 49
3.4.1.1 Simulation Timing Diagram ... 51
3.5 Online Attack Design ... 53
3.5.1 Design Goals ... 53
3.5.2 A Universal Rainbow Table Online Attacker ... 53
3.6 DES Rainbow Table Online Attack Implementation ... 55
3.6.1 End-Point Generator System ... 55
3.6.1.1 Simulation Timing Diagram ... 57
3.6.2 Intermediate Key Generator ... 58
3.6.2.1 Simulation Timing Diagram ... 59
3.7 Experiment ... 60
3.7.1 Goals ... 60
3.7.2 Experimental Design ... 60
3.7.2.1 Cipher Choice ... 60
3.7.2.2 Rainbow Table Parameters ... 60
3.7.3 Sensory Networks™ NodalCore™ C-1000 ... 60
3.7.4 Integration with Sensory Networks™ NodalCore™ C-1000 ... 62
3.7.5 Apparatus Setup ... 64
4 ANALYSIS ... 65
4.1 Results and Comparison to Other Works ... 65
4.1.1 Data Encryption Standard Implementation ... 65
4.1.2 Precomputation Hardware System ... 66
4.1.2.1 Performance ... 66
4.1.2.2 Resource Usage on XC2VP40 FPGA and Fitting Multiple Channels ... 68
4.1.3 Online Attack Hardware Systems ... 69
4.1.3.1 End-Point Generator System ... 69
4.1.3.1.1 Expected Performance ... 70
4.1.3.1.2 Resource Usage on XC2VP40 FPGA and Fitting Multiple Channels ... 70
4.1.3.2 Intermediate Key Generator System ... 70
4.1.3.2.1 Expected Performance ... 71
4.1.3.2.2 Resource Usage on XC2VP40 FPGA and Multiple Channels ... 71
4.1.3.3 Expected Performance of a Complete Online Attack System ... 72
4.1.3.4 Proposed Optimization to Table Lookup ... 73
4.2 Rainbow Tables (Time-Memory Trade-off) versus Exhaustive Key Search ... 73
4.3 An Economic Analysis of Cryptanalysis ... 75
4.3.1 Motivation ... 75
4.3.2 Devices ... 75
4.3.3 Methodology ... 75
4.3.4 Assumed Parallel Design ... 76
4.3.5 Relative Performance ... 78
4.3.6 Performance-Cost for an Exhaustive DES Key Search Machine ... 79
4.3.7 Performance-Cost for a Rainbow Table Precomputation Machine ... 82
4.3.8 Performance-Cost for a Rainbow Table Online Attack Machine ... 83
4.4 Adversaries and Attacks (A Cost Approach) ... 85
4.4.1 IBM Taxonomy of Adversaries ... 86
4.4.2 Attack Using Exhaustive Key Search ... 87
4.4.3 Attacks Using Rainbow Tables ... 88
4.4.3.1 Rainbow Table Precomputation ... 88
4.4.3.2 Rainbow Table Online Attack ... 90
4.5 Countermeasures ... 92
4.5.1 Key Length ... 92
4.5.2 Modes of Operation ... 93
5 CONCLUSION ... 95
5.1 Putting Things into Perspective ... 95
5.1.1 Rainbow Tables and the Internet ... 95
5.1.2 Cryptographic Law ... 95
5.2 Future Research ... 96
5.3 Conclusion ... 97
5.3.1 Summary ... 97
5.3.2 Findings ... 97
5.3.3 Closing Remarks ... 98
APPENDIX A: PRIMITIVE FUNCTIONS FOR DES ... 99
APPENDIX B: PERFORMANCE-COST CALCULATIONS ... 101
APPENDIX C: COST ANALYSIS CALCULATIONS ... 102
6 REFERENCES ... 103
LIST OF FIGURES

Figure 2.1 Symmetric Encryption and Decryption ... 15
Figure 2.2 Asymmetric Encryption and Decryption ... 15
Figure 2.3 DES Algorithm ... 17
Figure 2.4 DES Calculation of f(R,K) ... 18
Figure 2.5 Matrix of Images under f ... 21
Figure 2.6 Computational Time Requirements Graph ... 24
Figure 2.7 Matrix of Rainbow Chains ... 26
Figure 2.8 Repetitive Generation of End-Points during the Online Attack ... 26
Figure 2.9 Picture Taken of Single DES Cracker Circuit Board with Deep Crack Chips ... 28
Figure 2.10 FPGA Structure ... 29
Figure 2.11 Deep Crack Chip of DES Cracker Project ... 33
Figure 2.12 Precomputation Design of Quisquater and Standaert [6] ... 36
Figure 3.1 Rainbow Table Precomputation Digital System Design ... 41
Figure 3.2 State Machine Diagram for Start-Point Generator ... 43
Figure 3.3 State Machine Diagram for Reduction Function Unit ... 45
Figure 3.4 3-Stage DES Round ... 47
Figure 3.5 Instantiation of 16 Rounds of DES ... 48
Figure 3.6 Timing Diagram of 48-Stage Pipelined DES Implementation ... 49
Figure 3.7 Digital System Design of DES Rainbow Table Precomputation ... 50
Figure 3.8 Timing Diagram Showing Two Output Sequences of Precomputation Implementation ... 52
Figure 3.9 Timing Diagram Showing One Output Sequence (Closer View of First Write) ... 52
Figure 3.10 Rainbow Chain End-Point Generation ... 53
Figure 3.11 Key Finding Task by Generating the Partial Rainbow Chain ... 54
Figure 3.12 Hardware/Software Co-design for Rainbow Chain End-Point Generator ... 54
Figure 3.13 End-Point Generator Design ... 56
Figure 3.14 Timing Diagram for End-Point Generator Showing Three Output Cycles ... 57
Figure 3.15 Intermediate Key Generator Design ... 58
Figure 3.16 Timing Diagram of Intermediate Key Generator Unit ... 59
Figure 3.17 Sensory Networks™ NodalCore™ C-1000 PCI Card ... 61
Figure 3.18 Block Diagram of Sensory Networks™ NodalCore™ C-Series Architecture [43] ... 62
Figure 3.19 The Rainbow Table Channels ... 63
Figure 3.20 Apparatus Setup of Experiment ... 64
Figure 4.1 Comparison of Precomputation Throughput for 40-bit DES ... 67
Figure 4.2 Timing Diagram Showing Time Period Available for Precomputer PCI Arbitrator ... 69
Figure 4.3 Comparison of Online Attack Time for 40-bit DES ... 72
Figure 4.4 Block Diagram of Multiple Precomputation Engines ... 77
Figure 4.5 State Machine for Input Controller of Multiple Precomputation System ... 78
Figure 4.6 Maximum Frequencies of Xilinx FPGAs for DES Key Search ... 78
Figure 4.7 Maximum Frequencies of Xilinx FPGAs for Rainbow Table Engines ... 79
Figure 4.8 Cost-Performance of Exhaustive DES Key Search [25] ... 80
Figure 4.9 Cost-Performance of Exhaustive DES Key Search (Low-end Detail) [25] ... 80
Figure 4.10 FPGA Exhaustive Key Search for DES Economics ... 81
Figure 4.11 CDMF Cryptanalysis Economics by Goldberg and Wagner [7] ... 82
Figure 4.12 FPGA Rainbow Table Precomputation for DES Economics ... 83
Figure 4.13 FPGA Rainbow Table Online Attack for DES Economics ... 84
Figure 4.14 Performance of End-Point Generator across Xilinx FPGA Families ... 85
Figure 4.15 Time for DES Brute-force vs. Investment Cost ... 88
Figure 4.16 Time for Precomputation vs. Investment Cost ... 90
Figure 4.17 Time for Online Attack vs. Investment Cost ... 91
LIST OF TABLES

Table 1.1 Time/Space Requirements of Cryptanalytic Methods ... 10
Table 1.2 Example Ciphertext/Key Table for a k-bit Length Cipher given P_chosen ... 11
Table 1.3 Time/Space Cryptanalytic Requirements for DES and Triple-DES ... 11
Table 2.1 History of the DES ... 19
Table 2.2 DES Strengths against Attacks ... 27
Table 2.3 Summary of Cryptanalytic Devices against the DES ... 31
Table 2.4 Time-Memory Trade-off Implementations ... 38
Table 3.1 Precomputation System Design Goals ... 39
Table 3.2 Online Attack Phase ... 55
Table 3.3 Calculation of Memory Requirements to Cryptanalyze 56-bit DES ... 60
Table 3.4 Virtex-II Pro VP40 Logic Resources Available ... 61
Table 3.5 Summary of I/O Requirements for the Hardware Engines ... 64
Table 4.1 Synthesis Results of DES Implementation ... 65
Table 4.2 Comparison of Data Encryption Standard Implementations ... 66
Table 4.3 CLB Usage for Precomputation Module on XC2VP40 ... 68
Table 4.4 CLB Usage for Precomputation Module on XC2VP40 (as Percentage) ... 68
Table 4.5 CLB Usage for End-Point Generator Module on XC2VP40 ... 69
Table 4.6 CLB Usage for End-Point Generator Module on XC2VP40 (as Percentage) ... 70
Table 4.7 CLB Usage for Intermediate Key Generator Module on XC2VP40 ... 71
Table 4.8 CLB Usage for Intermediate Key Generator Module on XC2VP40 (as Percentage) ... 71
Table 4.9 Advantages and Disadvantages of the Time-Memory Trade-off vs. Exhaustive Key Search ... 74
Table 4.10 Class of Attackers Performing Brute-force on DES ... 87
Table 4.11 Class of Attackers Precomputing a Rainbow Table for DES ... 89
Table 4.12 Cost to Obtain a Key in One Year through Brute-force ... 92
Table 4.13 Modes of Operation Vulnerabilities ... 93
10
1
Introduction
There
exists a
shortcut
to exhaustive key search. Your adversary no longer needs to perform
a
brute

force attack
t
hat would otherwise take a large
amount of
computational time.
The atta
ck
time
is
shortened by trading
memory for time.
As will be proved in this
thesis, t
hese types of
attacks have major consequences in the digital security world.
1.1
A
Shortcut
to Exhaustive Key Search
Cryptanalysis is
the science of
determining the meaning of encrypted (or scrambled) information
without having the secret key that
is required to do so.
A successful cryptanalytic attempt is
when the plaintext message
can be revealed
without the key.
A symmetric cipher is a cryptographic algorithm
(or fun
ction), denoted as
S
, that uses a key
k
to
encrypt a plaintext
P
to yield the
scrambled message known as the ciphertext
C
.
C = S
k
(P)
There are two extreme methods for
the secret key search: exhaustive key search and table lookup.
Exhaustive key search involves trying every possible key in the key space by
repeatedly
performing encr
yption and comparison
until the key is found
.
Therefore, for a cipher
with N
possible
keys
(N = 2
k
, for a
k

bit key length cipher)
,
the worst case will
be in the
order of O(
N
).
The two extreme methods differ in their time/space requirements.
Exhaustive
key search uses a
computational time of N and constant space (or memory); whilst table lookup uses constant
computational time and memory N.
Table
1
.
1

Time/Space Requirements of Cryptanalytic Methods
Cryptan
alytic Method
Time Requirement
Memory Requirement
Exhaustive Key Search
N
1
Table Lookup
1
N
Assume
a chosen plaintext attack
where
the adversary can choos
e any plaintext/ciphertext pair
denoted
P
chosen
and
C
chosen
, respectively
and knows the cryptograp
hic algorithm (or cipher)
denoted by
function
S
. The adversary seeks the value of the secret key
k
.
I
n searching for the secret key the adversary can use the chosen plaintext and start with key
k
0
from the key space; perform an encryption
using
k
0
to yie
ld ciphertext
C
0
and compare that with
C
chosen
. If the ciphertexts match
,
the adversary knows that the secret key is
k
0
, if not, the
11
adversary repeats the procedure by choosing another key
from the key space
until
a match is
found.
At the other extreme, a table lookup consists of two phases. Again, assume a chosen plaintext attack. The first phase is to compute all possible ciphertexts by using every key in the key space for some chosen plaintext $P_{chosen}$. The ciphertexts generated by each corresponding key are stored as ciphertext/key pairs in a table. That is, imagine a table with two columns, one for the ciphertext and the other for the key used to encrypt $P_{chosen}$; every row will be a different ciphertext since a different key from the key space is used. In the second phase (the online attack phase), the adversary obtains a plaintext/ciphertext pair for which the precomputation has been performed. A table lookup using $C_{chosen}$ is performed to determine the secret key.
Table 1.2 Example ciphertext/key table for a k-bit key length cipher given P_chosen (N = 2^k keys)

  Ciphertext                  Key
  S_{k_0}(P_chosen)           k_0
  S_{k_1}(P_chosen)           k_1
  S_{k_2}(P_chosen)           k_2
  ...                         ...
  S_{k_{N-1}}(P_chosen)       k_{N-1}
Both exhaustive key search and table lookup have their drawbacks. Exhaustive key search may not succeed if the time for the key search exceeds the time window of the attack. Take for example the Data Encryption Standard (DES) cipher with a 56-bit key length. If an encryption and comparison takes 1 microsecond and on average $2^{55}$ keys need to be searched, then a time of $2^{55}$ microseconds (or about 1142 years) is required for an exhaustive key search. Table lookup may require too much memory for the precomputed table and therefore becomes infeasible. A complete DES table would require a total of 64 + 56 = 120 bits for the 64-bit ciphertext block and the 56-bit key in each row. Hence $120 \times 2^{56}$ bits, or approximately 983,040 terabytes ($15 \times 2^{16}$ TiB), are required for the table.
Table 1.3 Time/Space Cryptanalytic Requirements for DES and Triple-DES

  Cipher                     Key length   Exhaustive key search                                   Table lookup
                                          Time per encryption     Average time to break           Memory per row        Total memory
                                          and comparison
  Data Encryption Standard   56 bits      1 μs                    1142 years                      64 + 56 = 120 bits    983,040 terabytes
  Triple-DES (1)             112 bits     1 μs                    8.2 x 10^19 years               64 + 112 = 176 bits   1.04 x 10^23 terabytes

(1) The security of Triple-DES is 112 bits since
In 1980, Hellman showed that a trade-off exists between these two extremes [1]. He introduced the time-memory trade-off. Hellman demonstrated that a trade-off curve between memory and time exists, along which a probabilistic cryptanalytic technique similar to a table lookup can be performed using less memory but more computational time during the online attack (2). Moreover, in recent years optimizations have been made to the original time-memory trade-off [2, 3]. These optimizations have led to a higher probability of cryptanalytic success and less computational time required to perform the table lookup. The most recent is the rainbow table variant of the time-memory trade-off, introduced by Oechslin in 2003 [3]. Theoretically, the rainbow table variant of the time-memory trade-off has been proven to be effective [3]. The few software and hardware implementations of the rainbow table variant of the time-memory trade-off in the literature have thus far proven to be very effective [3-6].
1.2 Motivation

The rainbow table variant of the time-memory trade-off presents a significant shortcut to exhaustive key search. Few works in the literature have shown real experimental results based on hardware implementation. Most importantly, the practical ramifications of rainbow tables for our deployed cryptosystems, such as DES, Triple-DES and AES (3), have never been studied and presented.

Goldberg and Wagner [7] and Blaze et al. [8] give evidence that there is a need to continuously assess currently deployed cryptosystems. In [8], Blaze et al. suggested minimum key lengths for varying encryption algorithms used in the commercial domain. Their argument was based on the ability of cryptanalysts to use readily available technology that makes brute-force decryption attacks faster and cheaper. Similarly, Goldberg and Wagner [7] showed the effectiveness of programmable logic devices in cryptanalytic applications by showing various performance-cost ratios of their implementations.

Advancements in programmable logic technology, particularly field programmable gate arrays (FPGAs), have increased the computational power of our adversaries while keeping their costs down. Rouvroy and Standaert [6] estimated that it would only cost $12 to crack a DES key in 30 minutes using rainbow tables, assuming the precomputation has already been done (2005). Advancements in FPGA technology and theoretical optimizations to the time-memory trade-off (considered a shortcut to exhaustive search) have motivated this study.

(2) Chapter 2 of this thesis provides details of Hellman's time-memory trade-off.
(3) AES is an abbreviation for the Advanced Encryption Standard, which is a 128-bit block cipher.
1.3 Thesis Organization

This thesis is divided into five chapters. Following this introduction, Chapter 2 provides a background on the theory required to understand the rest of this thesis and presents related work in the literature. Chapter 3 describes the design and implementation taken to obtain the results. Chapter 4 presents an analysis of the results. Chapter 5 presents conclusions and suggested directions for future work.
2 Background and Previous Work

This chapter first provides a brief overview of the theory required to understand this thesis, followed by a survey of related work in the field of cryptanalysis on FPGA hardware.
2.1 Ciphers

A cipher is a cryptographic algorithm [9]. The plaintext ($P$) is used to refer to the original intelligible message. Through an encryption algorithm the plaintext becomes a scrambled and unintelligible message, known as the ciphertext ($C$). Encryption is accomplished by scrambling data using mathematical procedures that make it extremely difficult and time consuming for anyone other than authorized recipients, those with the correct decryption keys, to recover the plaintext [8]. Decryption is the reverse of encryption. Given the ciphertext, the decryption scheme will output the original plaintext.

$C = S_k(P)$

The size of encryption keys is measured in bits. The difficulty of trying all possible keys grows exponentially with the number of bits used. Adding one bit to the key doubles the number of possible keys; adding ten increases it by a factor of more than a thousand.

Kerckhoffs's principle states that in the design of cryptosystems the security should be derived only from the key [10]. That is, the security of a cryptosystem should not depend on keeping the algorithm secret, but instead on keeping the key secret [9-11]. Proper encryption guarantees that the information will be safe even if it falls into hostile hands [8].

A cryptographic algorithm is considered strong if [8]:

1. There is no shortcut that allows the opponent to recover the plaintext without using brute force to test keys until the correct one is found; and
2. The number of possible keys is sufficiently large to make such an attack infeasible.
2.1.1 Symmetric Ciphers

Symmetric ciphers are encryption/decryption algorithms which use the same key for encrypting and decrypting.

Figure 2.1 Symmetric Encryption and Decryption (P is encrypted under K as $E_K(P) = C$ and decrypted under the same K back to P)

The algorithm usually performs transpositions and substitutions. In the traditional cryptographic model, if Alice sends an encrypted message to Bob using key $K$ and encryption algorithm $E$, then Bob must decrypt the encrypted message using $K$ and decryption algorithm $D$, where

$C = E_K(P)$
$P = D_K(C) = D_K(E_K(P))$
$D_K = E_K^{-1}$

$E$ is the encryption function with two inputs: the symmetric key $K$ and the plaintext $P$. $D$ is the decryption function with two inputs: the symmetric key $K$ and the ciphertext $C$.

There are two types of symmetric ciphers: block ciphers and stream ciphers. Block ciphers operate on blocks of plaintext and ciphertext, often 64 bits. Using the same key (and no chaining mode), the same plaintext block will always encrypt to the same ciphertext block. DES is a block cipher. Stream ciphers operate on streams of plaintext and ciphertext one bit or byte (sometimes even one 32-bit word) at a time. The same plaintext bit or byte will encrypt to a different bit or byte every time it is encrypted.
2.1.2 Asymmetric Ciphers

Asymmetric ciphers are those encryption/decryption algorithms that use two different keys for encrypting and decrypting.

Figure 2.2 Asymmetric Encryption and Decryption (P is encrypted under $K_A$ as $E_{K_A}(P) = C$ and decrypted under the other key $K_B$ back to P)

They are generally used to manage the keys used for symmetric ciphers. Public key cryptography is used for secure key distribution and digital signatures. This was first presented by Diffie and Hellman in [12].

In public key cryptography two keys are generated. Alice generates the two keys. Alice keeps one key secret; this key is known as the private key, and Alice's private key is denoted as $KR_A$. The other key, the public key, is made public to all those that wish to communicate with Alice; Alice's public key is denoted as $KU_A$. The requirement is that what is encrypted with one key can only be decrypted with the other: anyone can encrypt a plaintext $P$ with $KU_A$, and only $KR_A$ can decrypt the resulting ciphertext (conversely, only Alice can produce a value under $KR_A$ that verifies with $KU_A$, which is the basis of digital signatures). It should be computationally infeasible to decrypt the ciphertext without $KR_A$, or to derive $KR_A$ from $KU_A$.
2.2 The Data Encryption Standard

The Data Encryption Standard (DES) is the most heavily studied and commercially used cipher in the world. The American National Standards Institute (ANSI) approved DES as a private-sector standard in 1981 [9]. Today, DES is used in a large range of systems including civilian satellite communications, gateway servers, set-top boxes, Virtual Private Networks (VPN), video transmissions, UNIX password hashing and numerous data transfer applications [13].

DES [14] is a block cipher that takes a 64-bit key and a 64-bit input block and outputs a 64-bit encrypted block. The actual effective key size is only 56 bits, since the least significant bit in every byte is used as parity.
2.2.1 Algorithm

DES proceeds in three phases, as shown in Figure 2.3 (taken from [13]). First, the 64-bit plaintext block passes through an initial permutation ($IP$) that rearranges the bits to produce the permuted input. The second phase consists of 16 rounds of encryption involving both permutation and substitution. The third phase takes the output of the 16 rounds through the inverse of the initial permutation ($IP^{-1}$) to produce the 64-bit ciphertext. Note that the initial permutation and final permutation do not add to the security of the algorithm.

Figure 2.3 DES Algorithm
The second phase of DES has the exact structure of a Feistel network. A Feistel network is a ladder-structured network, as shown in Figure 2.3. The input is split into two blocks, the left and right halves [15]. It usually consists of multiple rounds of repeated operations such as bit-shifting, non-linear functions and linear mixing. A Feistel network aims to provide a large amount of "confusion and diffusion". Confusion is used to make the relationship between the ciphertext and the key as complex as possible [15]. In DES, it is achieved through the S-boxes. Diffusion is used to dissipate the statistical structure of the plaintext into long-range statistical properties of the ciphertext [15]. It is achieved through the repeated application of permutations (the P-box in DES).

A valuable property of a Feistel network is that decryption is performed by running the same rounds with the round keys in reverse order [15], without needing to invert the round function, which therefore need not be invertible. This also effectively reduces the amount of hardware circuitry and logic in the implementation of such a cipher.
Back to the second phase of DES: in each round the 64-bit intermediate value is divided into 32-bit halves, the left half ($L_i$) and the right half ($R_i$), where $i$ denotes the current round. The processing of each round is defined as follows:

$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$

The function $f$ takes a 32-bit input, $R_{i-1}$, and a 48-bit input, $K_i$. Figure 2.4, taken from [14], shows the calculation of the function $f$.

Figure 2.4 DES calculation of f(R,K)
$R_{i-1}$ is put through an expansion function $E$. Let $E$ denote a function which takes a block of 32 bits as input and yields a block of 48 bits as output. The expansion function $E$ is obtained by selecting the bits in its input in order according to the E bit-selection table defined in [14] and shown in Appendix A.

The key in each round is a subset of the original 64-bit key with bits permuted. At each iteration, a different block $K_i$ is chosen from an intermediate 64-bit key designated by $KEY$. The key schedule function is denoted by $KS$, where $KS$ takes as input an integer $i$ in the range 1 to 16 and a 64-bit block $KEY$. This yields a 48-bit block output $K_i$:

$K_i = KS(i, KEY)$

Full details of $KS$ are given in [14].
Now, $E(R_{i-1})$ is xor'ed with $K_i$ and goes through the substitution mechanism. That is,

$E(R_{i-1}) \oplus K_i$

is put through selection. The selection mechanism consists of 8 selection functions $S_1, \ldots, S_8$ (referred to as S-boxes). Each function takes a 6-bit block as input and yields a 4-bit block as output. The definitions of the S-boxes are given in [14]. The output of the selection mechanism is a 32-bit intermediate block which is put through a permutation function (referred to as the P-box). A table defines the permutation and is shown in Appendix A.
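The round equations above, together with the observation that decryption only reverses the order of the round keys, are easiest to check in code. The following Python is an added example, not code from the thesis: it keeps the DES ladder exactly ($L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ over 16 rounds on 32-bit halves with 48-bit round keys) but replaces the DES $f$ (E, S-boxes, P) and the key schedule $KS$ with SHA-256-based stand-ins, and omits $IP$ and $IP^{-1}$. The names `toy_f` and `toy_key_schedule`, and the key and block values, are assumptions made for the illustration.

```python
import hashlib

ROUNDS = 16
HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1


def toy_f(r, k):
    """Stand-in for the DES round function f(R_{i-1}, K_i): 32-bit half in,
    48-bit round key in, 32-bit value out. Assumption: a truncated SHA-256
    (deliberately not invertible) replaces E, the S-boxes and P."""
    data = r.to_bytes(4, "big") + k.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_key_schedule(key):
    """Stand-in for KS(i, KEY): 16 round keys K_1..K_16 of 48 bits from a
    64-bit key. Assumption: hashing KEY || i replaces PC-1/PC-2 and the
    rotations of the real schedule."""
    round_keys = []
    for i in range(1, ROUNDS + 1):
        digest = hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()
        round_keys.append(int.from_bytes(digest[:6], "big"))
    return round_keys


def feistel(block, round_keys):
    """Run the 16-round ladder of Section 2.2.1 on a 64-bit block:
    L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i).
    The same code decrypts when round_keys is reversed."""
    left = (block >> HALF_BITS) & HALF_MASK
    right = block & HALF_MASK
    for k in round_keys:
        left, right = right, left ^ toy_f(right, k)
    # DES swaps the halves back after the last round (the "R16 L16" output
    # of FIPS 46); that final swap is what lets the same ladder run in reverse.
    return (right << HALF_BITS) | left


def encrypt(block, key):
    """IP and IP^-1 are omitted: they add no security (Section 2.2.1)."""
    return feistel(block, toy_key_schedule(key))


def decrypt(block, key):
    """Decryption = the same rounds with K_16..K_1; f is never inverted."""
    return feistel(block, list(reversed(toy_key_schedule(key))))


def round_trace(block, key):
    """(L_i, R_i) after each encryption round, for checking the ladder by hand."""
    left = (block >> HALF_BITS) & HALF_MASK
    right = block & HALF_MASK
    trace = []
    for k in toy_key_schedule(key):
        left, right = right, left ^ toy_f(right, k)
        trace.append((left, right))
    return trace


if __name__ == "__main__":
    key = 0x0123456789ABCDEF         # constructed 64-bit key (parity bits ignored)
    plaintext = 0x4E6F772069732074   # constructed 64-bit block
    ciphertext = encrypt(plaintext, key)
    print(hex(ciphertext), hex(decrypt(ciphertext, key)))
```

Because `toy_f` is a truncated hash it has no inverse at all, yet `decrypt` recovers the block; the only requirement on the round function is that it be a deterministic function of $(R_{i-1}, K_i)$. That is exactly what lets a hardware DES unit reuse one round datapath for both directions by feeding the round keys in the opposite order.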
2.2.2 Timeline

People have questioned the security of DES for a long time and there has been much speculation on its design principles, for example, the cryptographic significance of the S-boxes [6]. The major concern about the security of DES is its short key length. DES is still a very commonly deployed encryption algorithm. The following table, taken from [16], shows key events regarding DES:
Table 2.1 History of the DES

  Year   Event
  1973   NBS publishes a first request for a standard encryption algorithm
  1974   NBS publishes a second request for encryption algorithms
  1975   DES is published in the Federal Register for comment
  1976   First workshop on DES
  1976   Second workshop, discussing the mathematical foundation of DES
  1976   DES is approved as a standard
  1977   DES is published as FIPS standard FIPS PUB 46
  1983   DES is reaffirmed for the first time
  1986   Videocipher II, a TV satellite scrambling system based upon DES, begins use by HBO
  1988   DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46
  1992   Biham and Shamir publish the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts (Biham and Shamir, 1992).
  1993   DES is reaffirmed for the third time as FIPS 46-2
  1994   The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
  1997   The DESCHALL Project breaks a message encrypted with DES for the first time in public.
  1998   The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
  1999   Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
  1999   DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems.
  2001   The Advanced Encryption Standard is published in FIPS 197
  2002   The AES standard becomes effective
  2004   National Institute of Standards and Technology (NIST) recommends the use of Triple-DES over DES.
2.3 Cryptanalysis of the Data Encryption Standard

This section will discuss the theoretical cryptanalytic methods applicable to DES.

2.3.1 Exhaustive Key Search

Exhaustive key search is the most practical cryptanalytic attack on DES. Given a plaintext and ciphertext during an attack (a known or chosen plaintext attack), an exhaustive key search, or brute-force attack, performs an encryption under every possible key in the key space until the encryption yields the given ciphertext. Hence, for an $n$-bit key length cipher, the total size of the key space is $2^n$, and on average $2^{n-1}$ trial encryptions are required for the search (worst case $2^n$).
2.3.2 Advanced Cryptanalytic Techniques

Other cryptanalytic techniques against DES include differential cryptanalysis and linear cryptanalysis. These are so-called advanced attacks. Differential cryptanalysis is a better-than-brute-force approach to attacking DES using pairs of chosen plaintexts with a fixed difference and their ciphertexts [17]; it involves examining the xor of two texts. Linear cryptanalysis considers linear approximations relating certain bits of the plaintext, the ciphertext and the key, and works from known plaintext/ciphertext pairs [17]. The weakness of these advanced attacks is their requirement for a prohibitively large number of known or chosen plaintext/ciphertext pairs (see Table 2.2).
2.3.3 The Time-Memory Trade-off

In 1980, Hellman [1] introduced the time-memory trade-off. Rivest [2] introduced the first optimization of the time-memory trade-off by using distinguished points. In 2003, Oechslin [3] introduced the rainbow table optimization. This section will introduce the theory behind the original time-memory trade-off [1] and its variants [2, 3].
2.3.3.1 Original Time-Memory Trade-off

2.3.3.1.1 Notation

In a chosen or known plaintext attack, given a fixed plaintext $P_0$ and corresponding ciphertext $C_0$, the method tries to find the key $k \in N$ which was used to encipher the plaintext using cipher $S$, a one-way function. The entire key space is denoted as $N$. For a cipher with an $n$-bit key length, there are $2^n$ distinct keys. The ciphertext is therefore defined by:

$C_0 = S_k(P_0)$
Now define a function $R$ which maps the ciphertext to a key-length string. If the cipher operates with 64-bit data blocks and uses a 56-bit key, such as DES, then applying function $R$ to some ciphertext, say $C_0$, will yield a 56-bit key string. Further, function $f$ is defined as:

$f(k_i) = R[S_{k_i}(P_0)]$

The function $R$ will be referred to as either the mask function or the reduction function. There are numerous ways to implement such a function. In the case of DES, reduction functions include dropping eight bits of the output and permuting the remaining 56 bits (e.g. xoring with some value, randomly shifting).
2.3.3.1.2 Precomputation

Similar to a table lookup, the first stage requires precomputation. The algorithm is as follows: choose $m$ start-points denoted by $SP_1, SP_2, \ldots, SP_m$, where each is drawn independently from the key space $N$. For $1 \le i \le m$ let

$X_{i,0} = SP_i$

and for $1 \le j \le t$ compute:

$X_{i,j} = f(X_{i,j-1})$

This yields $m$ chains of length $t$ for one table, as shown in Figure 2.5. The parameters $m$ and $t$ are chosen by the cryptanalyst to trade off time against memory. Typically, for a $k$-bit key, $t = m = 2^{k/3}$ [5].

Figure 2.5 Matrix of images under f
The last element or end-point in the $i$th chain (or row) is denoted by $EP_i$:

$EP_i = f^t(SP_i) = X_{i,t}$

To reduce memory requirements, all intermediate points are discarded as they are produced. Only the start-points and end-points are stored and sorted in a table. It is easy to see that each $X_{i,j}$ is itself a key in the key space $N$.

Hence, the bounds of memory $M$ (used to store the precomputation tables) and time $T$ (required to find the key starting from the ciphertext) are given by [5]:

$M = m_0 \cdot m \cdot l$
$T = t_0 \cdot t \cdot l$

Here, $l$ is used to denote the number of tables and $m_0$ is the amount of memory required to store each chain, that is, the start-point and end-point. With DES, $m_0$ is $2 \times 56$ bits = 14 bytes. The time in which one key is generated (one evaluation of $f$) is denoted by $t_0$.

Multiple tables are generated by using a different reduction function for each. Multiple tables increase the probability of cryptanalytic success, as described in the next few sections.
2.3.3.1.3 Online Attack

The next task in cryptanalysis is to perform the online attack. Assume a chosen plaintext attack whereby the cryptanalyst intercepts, is given or guesses $C_{chosen}$ and $P_{chosen}$ but not the secret key $k_x$. The cryptanalyst intercepts:

$C_{chosen} = S_{k_x}(P_{chosen})$

In this type of attack the cryptanalyst has already performed the task of precomputing the table in the precomputation phase using $P_{chosen}$. He/she already has a table with the start-points and end-points sorted and indexed such that a lookup based on an end-point can be performed in one operation. The process of finding the key is iterative. First, the cryptanalyst applies the reduction function $R$ to obtain:

$Y_1 = R(C_{chosen}) = f(k_x)$
If $Y_1$ is an end-point, say $Y_1 = EP_i$, then either $k_x = X_{i,t-1}$ or $EP_i$ has more than one inverse image. In case $Y_1 = EP_i$, the cryptanalyst uses the start-point ($SP_i$) corresponding to the end-point ($EP_i$) to compute $X_{i,t-1}$ by starting from $SP_i$ and applying the function $f$ $t-1$ times. The cryptanalyst checks that $X_{i,t-1}$ is indeed $k_x$ by checking to see if $C_{chosen}$ deciphers to $P_{chosen}$; if so, then $k_x$ has been determined.

The event that $EP_i$ has more than one inverse image is called a false alarm. If $Y_1$ is not an end-point or a false alarm has occurred, then the cryptanalyst applies $f$ to $Y_1$ to yield $Y_2$ and checks to determine if $Y_2$ is an end-point:

$Y_2 = f(Y_1)$

If $Y_2$ is an end-point then $k_x$ is found by computing $X_{i,t-2}$ from $SP_i$. If $Y_2$ is not an end-point then the key is not in the $(t-2)$th column. The procedure is continued until the 0th column is reached, as shown in Figure 2.5.
2.3.3.1.4 Performance

As a result, a probabilistic method which can cryptanalyze any $k$-bit key cryptosystem in $2^{2k/3}$ operations (evaluations of function $f$) is possible, provided $2^k$ operations have been completed prior to the attack and $2k \cdot 2^{2k/3}$ bits are used in memory.

Interestingly, Figure 2.6 shows the growth of the time requirements for the two methods plotted against the key size. It shows that the online attack of the time-memory trade-off has a significantly lower growth rate of computational time requirements compared to exhaustive key search. This illustrates that increasing the key size has a smaller effect on the security of the cryptosystem against this attack.

Figure 2.6 Computational Time Requirements Graph (computational time against key length for exhaustive key search and for the time-memory trade-off online attack)
Hellman notes that the precomputation time should not be considered as time for cryptanalysis, as it is performed at the attacker's leisure [1]. Only the online attack is considered a cryptanalytic attempt. Hence, the time-memory trade-off presents a significant improvement over (or shortcut to) exhaustive search, as it can break any $k$-bit cipher in fewer than $2^{k-1}$ operations, which is the average number of operations to successfully complete an exhaustive key search; specifically, only $2^{2k/3}$ operations are required.
2.3.3.1.5 Probability and Shortcomings

Hellman notes that this method is probabilistic and that there is a chance that chains starting at different keys collide and merge [1]. A collision is a situation where two keys during precomputation are the same. This event happens since the reduction function $R$ is an arbitrary function from the space of ciphertexts into the space of keys, for which the ciphertext space is larger than the key space. The larger the table is, the greater the probability of a new chain merging with a previous one. Each merge reduces the number of distinct keys covered by a table. The probability of finding a key using one table of $m$ rows of $t$ keys, and its extension to $l$ tables, is given in [1].

Further, to obtain a high probability of success, multiple tables using a different reduction function for each table should be created. Chains of different tables can collide but will not merge, since each table generated uses a different reduction function.
2.3.3.2 Distinguished Points

The optimization proposed by Rivest is to use distinguished points as end-points [2]. Distinguished points are points for which a simple criterion holds true, for example, the first 16 significant bits are zero. All end-points stored in memory are distinguished points. Hence, when performing the online attack and generating a chain, a search of the precomputed table is not performed until a distinguished point is found. This optimization decreases the number of memory lookups.

In [18], Borst notes the advantages of distinguished points:

- They allow for loop detection: if a distinguished point is not found after iterating a specified number of keys, then the chain can be suspected to contain a loop and be abandoned. The result is that all chains in the table are loop-free.
- Merges can easily be detected, since two merging chains will have the same end-point (the next distinguished point after the merge). Merging chains are discarded and additional chains generated to replace them.
2.3.3.3 Rainbow Tables

Oechslin notes that the main limitation of the original scheme is that when two chains collide in a single table they merge [3]. He proposed a new type of chain which can collide within the same table without merging. These chains are called rainbow chains.

2.3.3.3.1 Mechanism

Instead of using the same reduction function throughout a table, rainbow chains use successive reduction functions for each point in the chain. Thus, in regards to Figure 2.5, each column has a different function $f$ due to a different reduction function. They start with reduction function 1 and end with reduction function $t-1$ [3] (with the indexing of Figure 2.5, where a chain runs from $X_{i,0}$ to $X_{i,t}$, the columns use $R_1$ through $R_t$). This is shown in Figure 2.7 below.
Figure 2.7 Matrix of Rainbow Chains

  SP_1 = X_{1,0} --f_1--> X_{1,1} --f_2--> X_{1,2} --f_3--> ... --f_t--> X_{1,t} = EP_1
  SP_2 = X_{2,0} --f_1--> X_{2,1} --f_2--> X_{2,2} --f_3--> ... --f_t--> X_{2,t} = EP_2
  SP_3 = X_{3,0} --f_1--> X_{3,1} --f_2--> X_{3,2} --f_3--> ... --f_t--> X_{3,t} = EP_3
    ...
  SP_m = X_{m,0} --f_1--> X_{m,1} --f_2--> X_{m,2} --f_3--> ... --f_t--> X_{m,t} = EP_m

where $f_j(x) = R_j(S_x(P_{chosen}))$, with one reduction function $R_j$ per column.
Therefore, if two chains collide they will only merge if the collision occurs in the same position (column) in both chains. If the colliding points are not in the same position in their respective chains, a merge will not occur, as a different reduction function applies to each in the next iteration. The probability of merges is reduced substantially [3].
The online attack is as follows: first apply the last reduction function $R_t$ to the chosen ciphertext $C_{chosen}$ and perform a lookup for an end-point matching $Y_1 = R_t(C_{chosen})$. If the value of $Y_1$ is an end-point in the rainbow table, then rebuild the chain from the corresponding start-point to yield the key (and verify it against $C_{chosen}$, since a false alarm is still possible). If not, compute $Y_2 = f_t(R_{t-1}(C_{chosen}))$ to see if the key is in the second-last column of the table. Continue with the previous reduction function, $Y_3 = f_t(f_{t-1}(R_{t-2}(C_{chosen})))$ and so on, until a match is found or $R_1$ has been applied and no match is found. Note that, unlike Hellman's chains, $Y_{j+1}$ is not obtained from $Y_j$ by one more application of $f$; each candidate column requires its own partial chain, so the total work is $\sum_{j=1}^{t-1} j \approx t^2/2$ evaluations of $f$.
Figure 2.8 Repetitive generation of end-points during the online attack

  Y_1 = R_t(C_chosen)
  Y_2 = f_t(R_{t-1}(C_chosen))
  Y_3 = f_t(f_{t-1}(R_{t-2}(C_chosen)))
  ...
  Y_t = f_t(f_{t-1}(... f_2(R_1(C_chosen)) ...))

Each $Y_j$ is looked up among the end-points of the table.
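Hellman's precomputation and online attack (Sections 2.3.3.1.2 and 2.3.3.1.3) and the rainbow-table versions just described differ only in where the reduction function index comes from. The following Python is an added example, not code from the thesis or from [1, 3]: it builds one Hellman table and one rainbow table for a toy cipher with a 16-bit key and runs both online attacks, including the end-point lookup, the chain rebuild from the start-point and the rejection of false alarms by re-encrypting $P_{chosen}$. The cipher `S` (a truncated SHA-256 of key and plaintext, standing in for DES), the reduction functions $R_j(c) = (c + j) \bmod N$, the start points and the parameters m = t = 64 (about $2^{k/3}$) are all assumptions chosen so that the example runs in well under a second.

```python
import hashlib

KEY_BITS = 16                    # toy k (assumption): N = 2^16 keys
N = 1 << KEY_BITS
P_CHOSEN = b"chosen-plaintext"   # the fixed P_chosen of the precomputation (constructed)


def S(key, plaintext):
    """Stand-in for the cipher S_k(P) (assumption: truncated SHA-256, not DES).
    Returns a 64-bit 'ciphertext', the size of a DES block."""
    return hashlib.sha256(key.to_bytes(2, "big") + plaintext).digest()[:8]


def R(ciphertext, col=0):
    """Reduction function R_col: 64-bit ciphertext -> k-bit key. col = 0 is
    Hellman's single R; cols 1..t are the per-column R_j of a rainbow table."""
    return (int.from_bytes(ciphertext, "big") + col) % N


def f(key, col=0):
    """Chain step f_col(k) = R_col(S_k(P_chosen)) of Figures 2.5 and 2.7."""
    return R(S(key, P_CHOSEN), col)


def start_point(i):
    """Deterministic, pairwise distinct SP_i (odd multiplier modulo 2^k)."""
    return (i * 2654435761 + 12345) % N


def key_from_chain(i, col, rainbow=False):
    """X_{i,col}: the key sitting in column col of chain i (demo/test helper)."""
    x = start_point(i)
    for c in range(1, col + 1):
        x = f(x, c if rainbow else 0)
    return x


# --- Hellman's original scheme: one R per table, m chains of t steps ----------
def hellman_table(m, t):
    table = {}                           # EP -> [SP, ...]; merged chains share an EP
    for i in range(m):
        x = start_point(i)
        for _ in range(t):
            x = f(x)
        table.setdefault(x, []).append(start_point(i))
    return table


def hellman_attack(table, c_chosen, t):
    y = R(c_chosen)                      # Y_1 = R(C_chosen) = f(k_x)
    for step in range(1, t + 1):         # Y_step == EP_i  <=>  k_x = X_{i,t-step}
        for sp in table.get(y, []):
            x = sp
            for _ in range(t - step):    # rebuild X_{i,t-step} from SP_i
                x = f(x)
            if S(x, P_CHOSEN) == c_chosen:
                return x
            # else: false alarm, EP_i had more than one inverse image
        y = f(y)                         # Y_{step+1} = f(Y_step)
    return None


# --- Rainbow table: R_1..R_t, one reduction function per column ---------------
def rainbow_table(m, t):
    table = {}                           # EP -> SP; a chain merging into an
    for i in range(m):                   # earlier one is dropped (merge-free table)
        x = start_point(i)
        for col in range(1, t + 1):
            x = f(x, col)
        table.setdefault(x, start_point(i))
    return table


def rainbow_attack(table, c_chosen, t):
    for j in range(t - 1, -1, -1):       # try column t-1 first (cheapest), down to 0
        y = R(c_chosen, j + 1)           # if k_x = X_{i,j} then X_{i,j+1} = R_{j+1}(C)
        for col in range(j + 2, t + 1):  # carry on to the end-point column
            y = f(y, col)
        sp = table.get(y)
        if sp is None:
            continue
        x = sp
        for col in range(1, j + 1):      # rebuild X_{i,j} from SP_i
            x = f(x, col)
        if S(x, P_CHOSEN) == c_chosen:   # reject false alarms
            return x
    return None                          # t(t-1)/2 ~ t^2/2 evaluations of f in all


if __name__ == "__main__":
    m = t = 64                           # ~ 2^(k/3) each, as the thesis suggests
    for name, build, attack, rb in (("hellman", hellman_table, hellman_attack, False),
                                    ("rainbow", rainbow_table, rainbow_attack, True)):
        table = build(m, t)
        k_x = key_from_chain(0, 5, rb)   # a key the first chain is known to cover
        found = attack(table, S(k_x, P_CHOSEN), t)
        print(name, hex(k_x), "->", None if found is None else hex(found),
              "chains kept:", len(table))
```

Indices follow Figures 2.5 and 2.7: $SP_i = X_{i,0}$, $EP_i = X_{i,t}$, and column $j$ of a rainbow chain was produced by $f_j$. With $N = 2^{16}$ and m = t = 64 a single table covers at most mt = 4096 of the 65,536 keys, so a random key is usually missed; the demo therefore targets a key that is known to lie in column 5 of the first chain, which both attacks must recover. Comparing `len(table)` with m shows how many of the m chains merged, which is the effect Section 2.3.3.1.5 describes.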
2.3.3.3.2 Benefits and Drawbacks of Rainbow Tables

Oechslin [3] points out that rainbow chains share the advantages of chains ending in distinguished points without suffering their limitations, that is:

- The number of table look-ups is reduced by a factor of $t$ compared to Hellman's original method.
- Merges of rainbow chains result in identical end-points and are thus detectable. Rainbow chains can generate merge-free tables.
- Rainbow chains have no loops, since each reduction function appears only once.
- Rainbow chains have constant length, whereas chains ending in distinguished points have variable lengths.

Further, rainbow tables have a higher probability of success than Hellman's original method and are easier to analyse [5].

The disadvantage of the rainbow table method, or any other time-memory trade-off method of cryptanalysis, is the fact that it is probabilistic. The cryptanalyst is not guaranteed success in breaking the system.
2.3.3.3.3 Changes in M and T

As a result of applying a different $f$ function for each column, a single rainbow table of $mt$ rows and $t$ columns takes the place of the $t$ tables of $m$ rows in Hellman's scheme. It requires $M = mt$ memory for storage and $T = t^2/2$ time for scanning [3]. There is no longer the need to create multiple tables as in Hellman's original time-memory trade-off [1].
2.3.3.3.4 A summary

The following table summarizes the strength of DES against the mentioned attacks, taken from Barrie [17]. A row for the rainbow table variant has been added.

Table 2.2 DES Strengths Against Attacks

  Attack                        Complexity (number of messages)   Requirements
                                Known         Chosen              Storage                Processing
  Exhaustive precomputation     -             1                   2^56                   1 (lookup)
  Exhaustive search             1             -                   0                      2^55
  Linear cryptanalysis          2^43 (85%)    -                   for texts              2^43
                                2^34 (10%)    -                   for texts              2^50
  Differential cryptanalysis    -             2^47                for texts              2^47
                                2^55          -                   for texts              2^55
  Rainbow table                 -             1                   2k * 2^{2k/3} bits     2^{2k/3} (evaluations of f,
  (suggested parameters [3])                                                             Section 2.3.3.1.4)