Charles University in Prague

Faculty of Mathematics and Physics

BACHELOR THESIS

Monika Seidlová

Time-memory tradeoff attacks

Department of Algebra

Supervisor of the bachelor thesis: RNDr. Michal Hojsı́k, Ph.D.

Study programme: Mathematics
Specialization: General mathematics

Prague 2012
I would like to thank my supervisor RNDr. Michal Hojsı́k, Ph.D. for his advice,
ideas, comments and especially for all the time he put into proof-reading and
consulting with me.
I declare that I carried out this bachelor thesis independently, and only with the
cited sources, literature and other professional sources.
I understand that my work relates to the rights and obligations under the Act
No. 121/2000 Coll., the Copyright Act, as amended, in particular the fact that
the Charles University in Prague has the right to conclude a license agreement
on the use of this work as a school work pursuant to Section 60 paragraph 1 of
the Copyright Act.

In ........... date ...............

Název práce: Time-memory tradeoff útoky

Autor: Monika Seidlová

Katedra: Katedra algebry

Vedoucı́ bakalářské práce: RNDr. Michal Hojsı́k, Ph.D., Katedra algebry

Abstrakt: Martin Hellman popsal prvnı́ time-memory tradeoff útok na blokové

šifry. Jedná se o útok s volbou otevřeného textu, ve kterém útočnı́k předpočı́tá
velké množstvı́ dat k jedné blokové šifře a pak jej může opakovaně využı́t k útoku
na danou šifru. Vylepšenı́, které navrhl Ron Rivest, zrychluje útok tı́m, že snižuje
počet čtenı́ z disku. Dalšı́ pozměněnı́ původnı́ho útoku s názvem duhové tabulky
zrychluje útok ještě vı́ce a přinášı́ dalšı́ výhody. Time-memory tradeoff útoky
mohou být využity také na proudové šifry jako útoky se znalostı́ otevřeného
textu. Tato bakalářská práce popisuje původnı́ útok, jeho vylepšenı́ a úpravu pro
proudové šifry. Jako přı́klad je shrnut útok na konkrétnı́ proudovou šifru A5/1.
Je navržen nový time-memory tradeoff útok na blokové šifry nazývaný r-barevné
duhy. Tento nový útok je úpravou Hellmanova útoku a sdı́lı́ společné prvky
s duhovými tabulkami. Vlastnosti těchto třı́ útoků jsou porovnány a závěrem je,
že pro určité blokové šifry, může být navržený útok nejefektivnějšı́.

Klı́čová slova: time-memory tradeoff útoky, kryptoanalýza, blokové šifry

Title: Time-memory tradeoff attacks

Author: Monika Seidlová

Department: Department of Algebra

Supervisor: RNDr. Michal Hojsı́k, Ph.D., Department of Algebra

Abstract: Martin Hellman proposed the first time-memory tradeoff attack on

block ciphers. It is a chosen plaintext attack, in which the attacker precomputes
a large amount of data for some block cipher and can then use it repeatedly in
attacks on that block cipher. An improvement suggested by Ron Rivest speeds
up the attack by reducing the number of memory accesses. Another modification
of the original attack called rainbow tables speeds up the attack even more and
brings other advantages. Time-memory tradeoff attacks can also be applied to
stream ciphers as known plaintext attacks. This bachelor thesis describes in detail
the original attack, its improvements and a modification to stream ciphers. As
an example, we summarize an attack on A5/1, a stream cipher used in mobile
phones. We also propose a new time-memory tradeoff attack on block ciphers
called r-coloured rainbows. The new attack is a modification of Hellman’s attack
and shares similarities with the rainbow table attack. We give a comparison of
the properties of the three attacks and conclude that, for certain block ciphers,
our attack may be the most effective of the three.

Keywords: time-memory tradeoff attacks, cryptanalysis, block ciphers

Contents
Introduction 2

1 Hellman’s time-memory tradeoff attack 4

1.1 The attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 The probability of success and the tradeoff . . . . . . . . . . . . . 6
1.3 Modification of the attack for nk = nc . . . . . . . . . . . . . . . . 9
1.4 Hellman’s attack with Rivest’s sampling . . . . . . . . . . . . . . 10

2 Rainbow tables and r-coloured rainbows 13

2.1 The rainbow table attack . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 The probability of success . . . . . . . . . . . . . . . . . . . . . . 14
2.3 Advantages over Hellman’s attack . . . . . . . . . . . . . . . . . . 16
2.4 The new r-coloured rainbows attack . . . . . . . . . . . . . . . . . 16
2.5 Comparison of the new attack with the previous attacks . . . . . 19

3 Time-memory tradeoff attacks on stream ciphers 23

3.1 The BG attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2 Biryukov and Shamir’s attack . . . . . . . . . . . . . . . . . . . . 25
3.3 Time-memory tradeoff attacks on stream ciphers with sampling . 26

4 Time-memory tradeoff attacks on A5/1 29

4.1 Description of the A5/1 stream cipher . . . . . . . . . . . . . . . 29
4.2 The biased birthday attack . . . . . . . . . . . . . . . . . . . . . . 30
4.3 The random subgraph attack . . . . . . . . . . . . . . . . . . . . 33

Conclusion 35

Bibliography 36

1
Introduction
In this bachelor thesis, we will look at a certain method of attack on block and
stream ciphers. Assume a chosen plaintext attack on a block cipher. The attacker
chooses an arbitrary but fixed plaintext P0 . The person being attacked is using a
secret key K to encrypt plaintexts. The attacker obtains a ciphertext C0 , which
is an encryption of P0 with the key K. She could have obtained C0 by passively
eavesdropping on an encrypted communication, where she knew an encryption of
P0 would be transmitted, or she could have directly requested the encryption of
P0 . Once she has C0 , she tries to find the key K. We always assume that the
attacker knows the cipher used and is able to encrypt and decrypt with it.
One attack she can perform is exhaustive search of the key. In an exhaustive
search, she tries encrypting P0 with all the possible keys. After each encryption,
she checks if the ciphertext matches C0 . Another possible strategy is for her to
do all the encrypting beforehand and save key-ciphertext pairs in a large table.
Once she obtains the C0 , she searches for it in the table. This method is called
table lookup. An advantage of table lookup over exhaustive search is that the
precomputed table can be used in more than one attack and the looking up is
much faster than exhaustive search, which takes a very long time. However, a
disadvantage of table lookup is that it requires large memory space.
A time-memory tradeoff attack is a compromise between exhaustive search
and table lookup. There is always a precomputation phase and an attack phase
in a time-memory tradeoff attack. During the precomputation phase, the attacker
does many encryptions and saves some of the results in a table. The attack phase
begins when she obtains C0 . She uses the data from the precomputed table and
she performs additional computations. The precomputation phase is performed
once and takes a very long time, whereas the attack phase can be repeated on
another C00 (encryption of P0 with a different key) and should be fast.
Let M denote the total amount of random access memory required to hold
the precomputed data. The unit of M is usually a word – a string of symbols of
certain length. Let T denote the computation time required during the real-time
phase of the attack and let P denote the computation time required during the
precomputation phase. The unit of T and P is one computational step. For
example, one encryption or one simple operation like addition can be considered
one computation step. Assume that the space of keys has N elements. Then in
an exhaustive search, we have T = N and M = 1. Contrarily, in table lookup,
we have T = 1 and M = N . In time-memory tradeoff attacks, there is a time-
memory curve, which defines the relation between T, M and N . For example, in
the first time-memory tradeoff attack we will describe, the time-memory curve is
T M 2 = N 2 . T and M can be chosen by the attacker, as long as they lie on the
curve.
In the first chapter, we will describe the original time-memory tradeoff attack
on block ciphers proposed by Martin Hellman in 1980. The description is followed
by some suggestions for modification. The second chapter will be concerning the
rainbow table attack, which is a newer time-memory tradeoff attack on block
ciphers. The second chapter also contains a description of a new attack, that
we propose. The new attack, called r-coloured rainbows, is an adaptation of

2
Hellman’s attack inspired by the rainbow table attack. These three attacks have
a lot in common and that allows us to compare their properties.
The third chapter will explain how time-memory tradeoff attacks can be ap-
plied to stream ciphers. Due to the different construction of stream ciphers, the
attack is not a chosen plaintext attack, but a known plaintext attack. In time-
memory tradeoff attacks on stream ciphers, the attacker can use more obtained
data than just one ciphertext. Therefore, a new parameter D is introduced. D
denotes the amount of data obtained during the attack. In an attack on a block
ciphers, D = 1. The fourth chapter will provide an example of an attack on a
specific cipher A5/1, which is a stream cipher used in GSM telephones to encrypt
calls.
In a time-memory tradeoff attack, the birthday paradox is often used to show
how much data should be stored in memory to achieve a certain probability of
success of the attack. We will use the corollary of the following theorem several
times.

Theorem 1. The birthday paradox

Assume that sets A and B are subsets of {1, . . . , N },
√N ∈ N, and A is√ picked
randomly with uniform
√ distribution. When |A| = α N and |B| = β N , for
some α, β ∈ (0, N ), sets A and B intersect with the probability

p → 1 − e−αβ , N → +∞ .

The proof of this theorem can be found in [8].

Corollary 2. Assume sets A and B are subsets of {1, . . . , N }, N ∈ N is large,

and A is picked randomly with uniform distribution. If |A| · |B| = N , then the
probability that A and B intersect is approximately 0.63.

Proof. Let sets A and B be subsets of {1, . . . , N }, N ∈ N is large, such that

|A| · |B| √
= N . Let A be picked
√ randomly with uniform
√ distribution. We can write
|A| = α N and |B| = β N , for some α, β ∈ (0, N ). We have

|A| · |B| = N
√ √
α N ·β N =N
α·β =1

From the Theorem 1, we have that the probability that A and B intersect is

p → 1 − e−αβ , N → +∞ .

1 − e−αβ = 1 − e−1 ≈ 0.63 .

Since N is large, the probability of intersection is approximately 0.63.

3
1. Hellman’s time-memory
tradeoff attack
Definition 3. A block cipher is an ordered quintuple (P, C, K, E, D), such that
1. P is a finite set of plaintexts,
2. C is a finite set of ciphertexts,
3. K is a finite set of keys,
4. E = {EK : P → C | K ∈ K} is a set of encryption maps,
5. D = {DK : C → P | K ∈ K} is a set of decryption maps,
6. ∀K ∈ K ∀x ∈ P : DK (EK (x)) = x.
Martin Hellman [1] described a time-memory tradeoff attack on block ciphers.
It is a chosen plaintext attack, so for a plaintext chosen by the attacker, she
obtains its encryption. Her goal is to find the key used to encrypt the chosen
plaintext to get the ciphertext. If she succeeds, she can decrypt all ciphertexts
encrypted with that one key. Assume a block cipher (P, C, K, E, D) and assume
that P = C = {0, 1}nc and K = {0, 1}nk for some nc , nk ∈ N. Hellman explained
his attack for nc > nk . For now, we will accept this assumption. We will discuss
a modification of the attack for nc = nk later in the chapter.

1.1 The attack

In Hellman’s attack, the attacker chooses an arbitrary but fixed plaintext block,
denote it P0 . A map f : {0, 1}nk → {0, 1}nk is defined as follows:

f (K) := R(EK (P0 )) ,

nc nk
where R : {0, 1} → {0, 1} is a reduction, which is easy to compute, such as
dropping some nc − nk bits. The construction of function f is depicted in Fig-
ure 1.1. If the cryptosystem is secure, then f is a one-way function. The value
of f (K) can easily be computed from K, but computing K from f (K) is at least
as hard as the problem of finding the secret key K from a plaintext and reduced
ciphertext pair (P0 , f (K)), which we assume is difficult.

The precomputation phase

The attacker randomly chooses m elements from the set of keys K = {0, 1}nk .
These m keys are called starting points and are denoted SPi , i = 1, . . . , m. The
function f is iterated on each of the starting points t times. The attacker defines
values Xi,j ∈ K = {0, 1}nk in the following manner:
Xi,0 := SPi for i = 1, . . . , m
Xi,j := f (Xi,j−1 ) for j = 1, . . . , t, i = 1, . . . , m .

4
 f
P0

block
C0 R
K cipher f (K)

Figure 1.1: Construction of function f

She denotes the end points of the iteration EPi := Xi,t for i = 1, . . . , m. The
iterations of f yield the following chains of keys (values from K):
f f f f
SP1 = X1,0 → X1,1 → ... → X1,t−1 → X1,t = EP1
f f f f
SP2 = X2,0 → X2,1 → ... → X2,t−1 → X2,t = EP2
.. ..
. .
f f f f
SPm = Xm,0 → Xm,1 → . . . → Xm,t−1 → Xm,t = EPm

The chains can be represented by an m × (t + 1) table B, where bij = Xi,j ,

1 ≤ i ≤ m, 0 ≤ j ≤ t. The optimal choice of parameters m and t will be discussed
later. At this point, it is only important to note, that the attacker may choose
m and t arbitrarily.
The attacker saves the doubles (SPi , EPi ) for i = 1, . . . , m in random access
memory. Later, she will search for a given EPi to recover the corresponding SPi .
Therefore, she must save them sorted by EPi . For example, she may use hash
coding to allow her to search the table in linear time. In hash coding, each value
of EPi is hashed to get an index. The values of SPi are stored in a table sorted
by their corresponding indices.

The attack phase

It is a chosen plaintext attack, so the attacker chose a P0 , precomputed the

table and, during the real-time phase, she obtains C0 = EK (P0 ) and wants to find
out what key K was used. First, she applies the reduction R to get Y1 := R(C0 ).
Notice that Y1 = R(EK (P0 )) = f (K). With one table lookup, she checks whether
Y1 = EPi for some i ∈ {1, . . . , m}.

1. If Y1 = EPi for some i, then

• K = Xi,t−1 , or
• K 6= Xi,t−1 , a so-called false alarm has occurred,
because EPi has more than one preimage.

To determine which is the case, the attacker reconstructs the ith chain
from SPi to get the value of Xi,t−1 . From the definition of Xi,j , it is clear
that Xi,t−1 = f t−1 (SPi ). She checks whether Xi,t−1 is the key, so whether

5
 C0 = EXi,t−1 (P0 ). If she has found the key, the attack is done. If not, a
false alarm has occurred.
2. If ∀i : Y1 6= EPi or a false alarm has occurred, then the key is not in the
second last column of B. The attacker computes Y2 = f (Y1 ).

With one operation, she checks whether Y2 = EPi for some i. If Y2 = EPi for
some i, then Xi,t−2 is the key or a false alarm has occurred. If ∀i : Y2 6= EPi or
there was a false alarm, then Y3 = f (Y2 ) is computed. Unless she finds the key,
the attacker computes Y2 , Y3 , Y4 , . . . , Yt and performs the checks described above.
Hellman’s attack is described as a chosen plaintext attack. However, if used
on a block cipher in ECB (Electronic Code Book) mode, it can be a ciphertext-
only attack. The attacker chooses P0 as a plaintext block, which she expects
will be contained in a plaintext frequently. For example, P0 may be a sequence
of blanks in ASCII or a file header. The attacker searches the ciphertext for
repeating blocks and assumes that one of the blocks which repeat is enciphered
P0 . She applies the attack on all the repeating blocks. The memory required for
the ciphertext-only attack remains the same as for the original chosen plaintext
attack. If there are c different blocks which repeat, the computation time increases
at most by a factor of c.

1.2 The probability of success and the tradeoff

The probability of success of the attack, P (S), is the probability that K is in the
first t columns (all the entries except the last column) of the precomputed table.
Denote N := 2nk the number of all possible keys. If K is chosen uniformly at
random from K and if the m · t entries in the first t columns of the table are all
different, then
m·t
P (S) = . (1.1)
N
A slight overlap in the table can be tolerated, as long as there is a constant fraction
of distinct entries. Hellman [1] presented the following theorem and proof.
Theorem 4. If f : {1, . . . , N } → {1, . . . , N } is a random map and if
K ∈ {1, . . . , N } is selected randomly, then
m t−1  j+1
1 X X N − it
P (S) ≥ . (1.2)
N i=1 j=0 N

Proof. Put A := {K ∈ {1, . . . , N } | K = Xi,j , 1 ≤ i ≤ m, 0 ≤ j ≤ t − 1}. We

have
E[ |A| ]
P (S) =
NP Pt−1
E[ m i=1 j=0 1(Xi,j is new)]
=
Pm Pt−1 N
i=1 j=0 P r(Xi,j is new)
= ,
N

6
where 1 is the indicator function of an event and an entry is said to be new if its
value is not present in the previous rows nor in the previous entries of its row.

P r(Xi,j is new) ≥ P r(Xi,0 , Xi,1 , . . . , Xi,j are all new) =

= P r(Xi,0 is new) · P r(Xi,1 is new | Xi,0 is new) · . . .
. . . · P r(Xi,j is new | Xi,0 , Xi,1 , . . . , Xi,j−1 are new) =
N − |Ai,0 | N − |Ai,0 | − 1 N − |Ai,0 | − 2 N − |Ai,0 | − j
= · · · ... · ,
N N N N

where Ai,j denotes the set of entries present in the table up to the entry Xi,j .
Clearly,
N − |Ai,0 | N − |Ai,0 | − 1 N − it
> > ··· > .
N N N
By combining the bounds, we get that
 j+1
N − it
P r(Xi,j is new) ≥ .
N

Together, we have
m t−1  j+1
1 X X N − it
P (S) ≥ .
N i=1 j=0 N

Assume a large fixed N . For m, t such that mt2  N , the terms added on
the right side of (1.2) are all close to 1 and the bound could be rewritten as
m·t
P (S) ≥ .
N
From (1.1) we see that m·tN
is also an upper bound for P (S), because generally,
not all the entries are distinct. Therefore, for mt2  N , increasing m or t will
increase P (S).

Lemma 5. For N ∈ N large,

 j  
N − it −ijt
≈ exp .
N N

Proof. An identity from real analysis states that for x → ∞, y, w ∈ R,

h y iwx
1+ ≈ exp(wy) .
x
If we put

x := N
w := j/N
y := −it ,

7
we get that for N → ∞
 j   jN  
N − it −it N −ijt
= 1+ ≈ exp .
N N N

 

−mt2
Using exp N
to approximate exp −ijt
N
gives, that for mt2  N most
terms will be small and not add much to the lower bound of P (S). Hellman
concluded that the optimal values of m and t are such that mt2 = N . If m, t are
both large and satisfy mt2 = N , then numerical approximation gives
m t−1  j+1
1 X X N − it 0.80mt
≈ .
N i=1 j=0 N N

Hellman neglects the 0.80 factor. Then for m, t such that mt2 = N ,
mt N 1
P (S) ≈ = = ,
N Nt t
which is small. For that reason, the attacker computes t different tables Bl . Each
table Bl is computed using a different reduction function Rl and the corresponding
fl = Rl (EK (P0 )). During the attack, the attacker tries to find the key in one table
after another until she succeeds or she has tried all the tables. Since the cycle
structure varies among the different functions Rl , a collision of entries in two
tables does not imply that the successive entries in the same row will also collide.
This is very important for guaranteeing that more tables will yield better coverage
of the key space.
The memory required for the attack, M , is the number of (SPi , EPi ) pairs
stored, which is the number of rows per table times the number of tables. Thus,
M = m · t. The computation time during the attack, T , is the number of op-
erations per table times the number of tables, i.e. T = t2 . The time needed
during precomputation, P , is the number of rows per table times the number of
operations per row times the number of tables, i.e. P = m · t · t = N . Lastly, the
amount of data available during the attack, D, is one, because the attacker gets
only one ciphertext C0 . Together,

T M 2 = t2 · m2 t2 = t4 m2 = N 2 .
As a result, the time-memory tradeoff curve for this attack is T M 2 = N 2 .
Hellman suggested to use the point M = T = N 2/3 on the tradeoff curve.
It still needs to be shown, that the false alarms, which may occur during the
attack, do not significantly increase the computation time. The following theorem
due to Hellman gives an upper bound for the expected number of false alarms.

Theorem 6. The expected number of false alarms per table tried, E[F ], is bounded
by
mt(t + 1)
E[F ] ≤ . (1.3)
2N

8
Proof. Let Fi,j be the event that a false alarm has occurred as a result of Yj = EPi .
Then
Xm X t
E[F ] = P r(Fi,j ) .
i=1 j=1

Fi,j can occur in j different situations as illustrated in Figure 1.2.

represents the function f

SPi = Xi,0 Xi,1 ... Xi,t−j Xi,j−t+1 ............... Xi,t = EPi

K
or

SPi = Xi,0 Xi,1 ... Xi,t−j Xi,j−t+1 Xi,j−t+2 ... Xi,t = EPi

K Y1
or
..
.
or

SPi = Xi,0 Xi,1 ... Xi,t−j Xi,j−t+1 ... Xi,t−1 Xi,t = EPi

K Y1 ... Yj−1

Figure 1.2: A diagram of the possible ways of Fi,j occurring

Assuming that f is a random function on {1, . . . , N }, the values K, f (K) = Y1 ,

f 2 (K) = Y2 , . . . are independent random variables uniformly distributed over the
space {1, . . . , N }. As a result, the first way of Fi,j occurs with the probability
of 1/N , the second with the probability of (1 − 1/N )(1/N ), the third with the
probability of (1 − 1/N )2 (1/N ), etc. Therefore, each way of Fi,j occurs with at
most the probability of 1/N . Thus,

Xm X t
j mt(t + 1)
E[F ] ≤ = .
i=1 j=1
N 2N

Hellman concluded that if mt2 = N  1, then the increase in expected com-

putation time due to false alarms will at most be 50 percent.

1.3 Modification of the attack for nk = nc

In his description of the attack, Hellman assumed that nk < nc . In other words,
he assumed that the key space is smaller than the ciphertext space, which is the
case of the DES block cipher. We explore how the attack changes if nk = nc .
To see if the attack would differ from the case nk < nc , we inspect the function
f (K) = R(EK (P0 )). For nk = nc , the function R : {0, 1}nc → {0, 1}nk is no longer

9
a reduction, but a function that maps the key space into itself. It is advantageous
for the attacker to choose R as a simple bijection on {0, 1}nk , such as a reordering
of the bits. The properties of the function

E(·) (P0 ) : K → C
K 7→ EK (P0 )

depend on the block cipher attacked. Generally, we cannot be sure that, for a
given P0 ,
(EK1 (P0 ) = EK2 (P0 )) ⇒ (K1 = K2 )
In other words, E(·) (P0 ) may not be injective for some P0 . However, a secure
block cipher with nk = nc should have this property for all P0 ∈ P. If we assume
that E(·) (P0 ) is injective and that R is a bijection, then their composite f is also
injective. Once we know that f is injective, the attack is simplified, because
chains of iterations of f do not merge and so false alarms do not occur.
During the attack phase, when Yj = EPi for some j ∈ {1, . . . , t} and
i ∈ {1, . . . , m}, then necessarily, Xi,t−j is the key, since no false alarm could
have occurred. There is no need to check whether C0 = EXi,t−j (P0 ). More im-
portantly, the ith row of B is reconstructed only when it really contains the key,
which happens at most once during the attack. In the original attack, the ith
row was reconstructed each time a false alarm occurred. From Theorem 6, the
increase in expected computation time due to false alarms is at most 50 percent.
This increase is avoided in the attack where nk = nc .

1.4 Hellman’s attack with Rivest’s sampling

In Hellman’s attack, it was not taken into consideration that access to memory
takes much longer than a computation. For example, one random access to a
hard disk takes approximately 10 million times longer in real time than a simple
computational step such as addition or multiplication on an average current proc-
essor. The attack could be made much faster by reducing the number of table
lookups during the attack phase. Ron Rivest [2] introduced a technique referred
to as sampling or use of special points, which achieves just that. He suggested
to iterate the function fl on each starting point, during precomputation, not ex-
actly t times, but until a ”special point” is reached. The attacker can choose
which points she considers special, as long as for every key, it is easy to recognize
whether it is special or not. A simple choice of special points is keys with 0s in
the first u bits. Then the set of special points is

Su := {(s1 , s2 , . . . , snk ) ∈ {0, 1}nk | si = 0, i = 1, . . . , u}, u < nk .

Ending the iterations of fl with a special point achieves that

∀i ∈ {1, . . . , m} : EPi ∈ Su

for a fix chosen u. Along with the starting points and end points, the attacker
saves the length of the longest chain in the lth table, denoted tl . If two different
starting points lead to the same end point, a merge of the two chains must have
occurred. In that case, one of the chains can be disregarded and replaced by

10
another chain with a new starting point, in order to guarantee a table free of
merges. A collision among end points is discovered at no additional cost as the
end points must be sorted.
The attacker should choose the value of 1 ≤ u < nk so that the average length
of a chain is t. We use the birthday paradox. For an arbitrary but fixed i, put
A := {Xi,0 , Xi,1 , . . . , Xi,t } and B := Su . Function fl is random on the space of
N = 2nk keys, therefore A is a random subset of {0, 1}nk . B is not a random
subset of {0, 1}nk , but its elements are independent of those in set A. |A| = t,
unless the chain is looped, which we will discuss later. |B| = |Su | = 2nk −u = 2Nu .
From the birthday paradox, if |A| · |B| = N , then the probability that A ∩ B 6= ∅
is approximately 0.63. When A ∩ B 6= ∅, it means that the chain in A contains
a special point, which is what we want.

|A| · |B| = N
t·N
= N
2u
t
= 1
2u
t= 2u

Thus, for u such that 2u = t, the average length of a chain will be t.

During the attack phase, the attacker computes Y1 , Y2 , Y3 , . . . as in Hellman’s
attack. She does not need to check whether Yj = EPi for some i by accessing
memory. She only checks whether Yj ∈ Su , which is easy. If Yj ∈ Su , then

1. if ∃i ∈ {1, . . . , m} : Yj = EPi then the ith row of the table either contains
the key or a false alarm has occurred;

2. if ∀i ∈ {1, . . . , m} : Yj 6= EPi then the attacker proceeds with Yj+1 .

For each table, the attacker computes Yj for j = 1, . . . , tl , unless she has already
found the key.
It is advantageous for the attacker to restrict the maximum length of a chain
during precomputation. Firstly, if fl is iterated more than a multiple of t times,
without coming across a special point, then due to the birthday paradox, it is
likely that the chain is in a loop. In that case, the chain should be abandoned
and another random starting point used. Secondly, assume a table contains one
or a few very long chains and the rest of the chains are considerably shorter – for
example, they have less than j̄ entries for some j̄ ∈ {1, . . . , tl /2}. Then computing
Yj for j = j̄, . . . , tl during the attack is wasteful, because it searches for the key
only in the few chains longer than j̄.
There is one difficulty during the attack. Since chains vary in length within
a table, when the attacker has Yj = EPi , she does not know at which position in
the ith chain the key candidate is. She needs to find the key candidate and verify
whether it is a false alarm. In the original publication [2], it is not specified how
to deal with this. We propose two options:

• During precomputation, she saves the number of iterations of fl used on

SPi to get EPi in the memory with the (SPi , EPi ) pair and denotes it ti,l .
Then once Yj = EPi during the attack, she knows that the key candidate

11
 t −j
is fl i,l (SPi ). The advantage of this option is, that a false alarm is found
with ti,l −j steps. The disadvantage is that the size of each word of memory
increases from two numbers lower than N to two numbers lower than N
and one number approximately t, where t would often be chosen as N 1/3 .

• She does not save the number of iterations of fl used on SPi to get EPi
during the precomputation. When Yj = EPi during the attack, the attacker
uses the starting point SPi = Xi,0 as a key in encryption of P0 to check
whether it is the key used to get C0 . Thus, if EXi,0 (P0 ) = C0 then she has
found the key and is done. If not, she applies the reduction function to
EXi,0 (P0 ) and gets R(EXi,0 (P0 )) = Xi,1 . She checks whether Xi,1 ∈ Su . If
Xi,1 is a special point, then, from the construction of the chains, she knows
Xi,1 = EPi , which means that a false alarm occurred. If Xi,1 is not a special
point, she continues in the search and checks whether Xi,1 is the key. If not,
she applies the reduction to get Xi,2 and so on. The reason she must always
check whether the point she got is special is, that if she did not do so and a
false alarm occurred, then she could enter an endless cycle. The advantage
is that this method requires no additional memory. The disadvantage is
that, in the case of a false alarm, the entire chain is reconstructed.

The advantage of Rivest’s sampling over Hellman’s original attack is that

the number of disk operations during the attack is reduced. With sampling,
the attacker only accesses the memory when Yj is a special point, which happens
about once per chain of Yj . For each fl , there is a chain of Yj computed. Therefore,
the memory is accessed only t times and not t2 times as in the original attack. The
number of computations during the attack remains T = t2 . The other advantages
of sampling are that the tables are free of merges and free of loops, which means
increased coverage of the key space.

12
2. Rainbow tables and r-coloured
rainbows
2.1 The rainbow table attack
Again, assume a block cipher (P, C, K, E, D) and assume that P = C = {0, 1}nc
and K = {0, 1}nk for nc , nk ∈ N such that nc > nk . Philippe Oechslin [3] de-
scribed a modification of Hellman’s attack, which yields the same time-memory
tradeoff curve, is twice as fast during the attack phase and has the advantages
of sampling. Oechslin proposed to precalculate one large mt × t table instead of
Hellman’s t tables of size m × (t + 1) each. He called his table a rainbow table.
Although Oechslin described his modification for an mt × t table, we will present
his idea on an mt × (t + 1) table in order to be in correspondence with Hellman’s
parameters.

The precomputation phase

As in the original attack, t functions fj : K → K will be used in the precom-

putation.
fj (K) = Rj (EK (P0 )) ,
where Rj : C → K, j = 1, . . . , t are distinct simple reduction functions. Using
the same notation, we have SPi = Xi,0 , EPi = Xi,t , i = 1, . . . , mt and the rows
of the table are calculated using the following recursion formula:

Xi,j+1 = fj+1 (Xi,j ), j = 1, . . . , t, i = 1, . . . , mt .

The recursion yields the following rainbow chains:

f1 f2 ft−1 ft
SP1 = X1,0 → X1,1 → ... → X1,t−1 → X1,t = EP1
f1 f2 ft−1 ft
SP2 = X2,0 → X2,1 → ... → X2,t−1 → X2,t = EP2
.. ..
. .
f1 f2 ft−1 ft
SPmt = Xmt,0 → Xmt,1 → . . . → Xmt,t−1 → Xmt,t = EPmt
The attacker saves the doubles (SPi , EPi ) for i = 1, . . . , mt sorted by EPi .

The attack phase

Again, it is a chosen plaintext attack. The attacker has chosen a P0 , precom-

puted the table for it and now she obtains the ciphertext C0 = EK (P0 ) and tries
to find the key K. She computes Y1 := Rt (C0 ) and checks whether Y1 = EPi for
some i ∈ {1, . . . , mt}.
1. If Y1 = EPi , then the attacker reconstructs the ith chain to find Xi,t−1 .
Either Xi,t−1 is the key of a false alarm has occurred.

2. If ∀i : Y1 6= EPi or a false alarm has occurred, then the attacker computes

Y2 := ft (Rt−1 (C0 )) and checks whether Y2 = EPi .

13
Unless she finds the key, the attacker computes

Y3 := ft (ft−1 (Rt−2 (C0 )))

Y4 := ft (ft−1 (ft−2 (Rt−3 (C0 ))))
..
.
Yt−1 := ft (ft−1 (. . . (f3 (R2 (C0 ))) . . . ))
Yt := ft (ft−1 (. . . (f3 (f2 (R1 (C0 )))) . . . ))

and checks whether they are the key.

Figure 2.1 illustrates a rainbow chain in detail and should clarify why the
attacker must always start with applying a different reduction function and then
a sequence of functions fj to the C0 .

f1 f2 ft−1 ft

SPi = Xi,0 Xi,1 ... Xi,t−1 Xi,t = EPi

E(·) R1 E(·) R2 E(·) Rt−1 E(·) Rt

Figure 2.1: The bold dots represent points in the ciphertext space. By E(·) , it is
meant that the function E(·) (P0 ) is applied to the previous point of the key space.

2.2 The probability of success

The probability of success of the attack is the probability that the key used to get
C0 is in the first t columns (end points excepted) of the mt×(t+1) rainbow table.
That probability is dependent on the coverage of the key space by the mt2 entries
in the rainbow tables. The probability of success of Hellman’s attack also depends
on the coverage of the key space by the mt2 entries in the t tables. Therefore,
the probabilities of success can be compared by comparing the coverage. One
rainbow table and t Hellman’s tables contain the same number of entries. What
determines the coverage is the number of collisions, merges and loops.
Collisions among two entries with different preimages occur with the same
probability in a rainbow table as in Hellman’s tables, because fl are considered
random functions. Assume a collision occurs among the mt2 points in the first
t columns of either the classical tables or one rainbow table. The collision causes
a merge of chains only if the two points are in the same group of mt points, that
is in the same classical table or in one column of the rainbow table. In the next
section, it will be explained how merges can be removed from a rainbow table and
that a rainbow table does not have any loops. Therefore, the expected coverage
of an mt × (t + 1) rainbow table is at least as good as the expected coverage
of t Hellman’s tables of size m × (t + 1) and so the probability of success of a
rainbow table is greater than or equal to that of Hellman’s tables. Figure 2.2
shows t Hellman’s tables and one rainbow table.

14
 t Hellman’s tables 1 rainbow table

t+1 t+1
f1 f1 f1 f1 f2 ft−1 ft
1 1 1
X1,0 X1,1 X1,t X1,0 X1,1 X1,t−1 X1,t
m f1 f2 ft−1 ft
f1 f1 f1
1 1 1 X2,0 X2,1 X2,t−1 X2,t
Xm,0 Xm,1 Xm,t

t+1
f2 f2 f2
2 2 2
X1,0 X1,1 X1,t
m
f2 f2 f2
2 2 2
Xm,0 Xm,1 Xm,t

mt
t+1
ft−1 ft−1 ft−1
t−1 t−1 t−1
X1,0 X1,1 X1,t
m
ft−1 ft−1 ft−1
t−1 t−1 t−1
Xm,0 Xm,1 Xm,t

t+1
ft ft ft
t t t
X1,0 X1,1 X1,t
m
ft ft ft f1 f2 ft−1 ft
t
Xm,0 t
Xm,1 t
Xm,t Xmt,0 Xmt,1 Xmt,t−1 Xmt,t

Figure 2.2: One rainbow table as well as t classical tables contain mt chains of
length t + 1, they both use t functions fj , but in a different arrangement.

15
2.3 Advantages over Hellman’s attack
Oechslin’s attack has many advantages. Firstly, when neglecting false alarms,
the number of calculations during the attack phase in the worst case, when all
columns are searched, is

t(t + 1)
1 + 2 + 3 + · · · + (t − 1) + t = .
2
Hellman’s attack requires t2 calculations in the worst case. Therefore, Oechslin’s
attack reduces the computation time almost twice.
Secondly, rainbow tables have the same advantages over Hellman’s method
that Rivest’s sampling has:

• the number of disk operations during Oechslin’s attack is at most t, because

there is only one table. Hellman’s attack needs up to t2 disk operations,
because there are t tables. As mentioned earlier, disk operations take a lot
of time and it is a significant improvement to reduce their number.

• If two chains in a rainbow table merge, the end points of the chains are
the same and the merge can easily be detected during precomputation. By
replacing one of the merging chains with a new one, the attacker achieves
a table free of merges at a little additional precomputation effort.

• A rainbow table cannot contain any loops, because each successive function
fj applied to the points in one chain is different. Thus, rainbow tables are
free of loops, just as tables with sampling are, but without the additional
precomputation effort required to replace loops.

Thirdly, rainbow tables do not have some of the disadvantages of sampling,

because their chains have constant length. In a table with varying chain lengths,
a long chain has more points than a short chain; thus, there are more places where
another chain can merge into it. Long chains are likely to merge with other long
chains, creating large trees. A large tree is likely to yield a false alarm, because
it has many branches. When a false alarm occurs in a long chain, it takes more
computational effort to determine that it is a false alarm than in a short chain.
Oechslin concludes that false alarms cause a greater increase in computation time
in tables with sampling, which have variable chain length, than in rainbow tables.

2.4 The new r-coloured rainbows attack

We propose a new modification of Hellman’s attack, which we call r-coloured rain-
bows. The new attack is something in between the original attack and rainbow
tables. In one table of r-coloured rainbows, r different functions fl are used re-
peatedly in each row. The general assumptions remain: (P, C, K, E, D) is a block
cipher, P = C = {0, 1}nc and K = {0, 1}nk for nc , nk ∈ N such that nc > nk .
We want to use t different functions fl altogether and have t + 1 columns
in each table. Since each table contains r different functions fl , we precompute
t/r tables. The parameter r must satisfy 1 ≤ r ≤ t and r | t. To be consistent
with the other attacks, we want the tables without the last column to contain

16
mt2 points. Therefore, each table must have m · r rows. Thus, the attacker pre-
computes t/r tables of size mr × (t + 1), where m, t, r, such that 1 ≤ r ≤ t and
r | t, are parameters of the attack.

The precomputation phase

As in the two previous attacks, t functions fl : K → K are used in the

precomputation:
fl (K) = Rl (EK (P0 )) ,
where Rl : C → K are distinct simple reduction functions. We use the same
notation again, so Xi,j are entries in a table and SPi = Xi,0 and EPi = Xi,t ,
i = 1, . . . , mr. The entries in each table are calculated with the following
formula:

Xi,j+1 = f(j mod r)+1 (Xi,j ), j = 0, . . . , t − 1, i = 1, . . . , mr .

The resultant table looks like this:

f1 f2 fr f1 fr
SP1 = X1,0 → X1,1 → ... → X1,r → ...... → X1,t = EP1
f1 f2 fr f1 fr
SP2 = X2,0 → X2,1 → ... → X2,r → ...... → X2,t = EP2
.. ..
. .
f1 f2 fr f1 fr
SPmr = Xmr,0 → Xmr,1 → . . . → Xmr,r → ...... → Xmr,t = EPmr
The attacker saves the doubles (SPi , EPi ) for i = 1, . . . , mr sorted by EPi .

The attack phase

Once more, it is a chosen plaintext attack, so the attacker obtains C0 = EK (P0 )

and tries to find the key K.
As in the previous attacks, for each table, the attacker computes some Y1 , . . . , Yt
from the C0 . For each Yj , she checks if Yj = EPi . If so, she reconstructs the ith
chain. If Yj does not get her the key, she computes Yj+1 . This part of the attack
is analogous to the previous two attacks. The only step, which is different is how
Yj are calculated. In our r-coloured rainbows attack, the attacker computes the

17
following:

Y1 := Rr (C0 )
Y2 := fr (Rr−1 (C0 ))
Y3 := fr (fr−1 (Rr−2 (C0 )))
..
.
Yr−1 := fr (fr−1 (. . . (f3 (R2 (C0 ))) . . . ))
Yr := fr (fr−1 (. . . (f3 (f2 (R1 (C0 )))) . . . ))
Yr+1 := fr (fr−1 (. . . (f3 (f2 (f1 (Rr (C0 ))))) . . . ))
Yr+2 := fr (fr−1 (. . . (f3 (f2 (f1 (fr (Rr−1 (C0 )))))) . . . ))
..
.
..
.
Yt−1 := fr (. . . (fr (. . . . . . (fr (. . . (f3 (R2 (C0 ))) . . . )) . . . . . . )) . . . )
Yt := fr (. . . (fr (. . . . . . (fr (. . . (f3 (f2 (R1 (C0 )))) . . . )) . . . . . . )) . . . )

The calculation of Yj requires j computations. If the attacker computed Y1 , . . . , Yt

as shown above, her computation time for one r-coloured table would be

t(t + 1)
1 + 2 + 3 + · · · + (t − 1) + t = .
2
It is the same computation time as for one rainbow table. However, in our
r-coloured rainbows attack, she has t/r tables, not just one. Therefore, the new
attack would be quite inefficient. Fortunately, an improvement can be made in
the calculation. Notice that

Yr+1 = fr (fr−1 (. . . (f3 (f2 (f1 (Y1 )))) . . . ))

Yr+2 = fr (fr−1 (. . . (f3 (f2 (f1 (Y2 )))) . . . ))

If we denote h := fr ◦ fr−1 ◦ · · · ◦ f2 ◦ f1 , then

Yqr+p = hq (Yp )

for p, q ∈ N such that p ∈ {1, . . . , r} and qr + p ∈ {1, . . . , t}. The attacker

18
computes Y1 , . . . , Yt in the following order to utilize the above observation.

Y1 = Rr (C0 )
Yr+1 = h(Y1 )
Y2r+1 = h(Yr+1 )
..
.
Yt−r+1 = h(Yt−2r+1 )
Y2 = fr (Rr−1 (C0 ))
Yr+2 = h(Y2 )
Y2r+2 = h(Yr+2 )
..
.
..
.
Yr = fr (fr−1 (. . . (f3 (f2 (R1 (C0 )))) . . . ))
Y2r = h(Yr )
..
.
Yt−r = h(Yt−2r )
Yt = h(Yt−r )

With the improvement, the computation time for one table, in the worst case
when all Yj are calculated, is

r(r − 1)
t·r− .
2
The function h is a composition of r functions and we count it as r operations.
If each Yj were computed with function h, then the computation required for
Y1 , Y2 , . . . , Yt would be t · r. But Y1 , Y2 , . . . , Yr−1 each require only 2r computations
on average and that is why r(r−1) 2
is subtracted. The computation time for all
t/r tables is  
t r(r − 1) t(r − 1)
T = t·r− = t2 − .
r 2 2

2.5 Comparison of the new attack with the pre-

vious attacks
Before we take a closer look at the three attacks and compare them, notice that
1-coloured rainbows attack is Hellman’s attack and that a t-coloured rainbow is
a rainbow table.
Figure 2.3 graphically compares the computation time for Hellman’s t tables,
r-coloured rainbows for two choices of r and one rainbow table. Each dot re-
presents one computation during the attack. The separated columns represent
the t/r different tables. Each ”short” row in one separated column represents
the computations for one Yj . From the formula for the computation time in

19
 t Hellman’s tables r-coloured rainbows
r=1 r = 6t
t tables 6 tables

t t

t r
 
r(r−1)
T1 = t 2 T2 = 6 t · r − 2

11t2 t
= 12 + 2

r-coloured rainbows 1 rainbow table

r = 2t r=t
2 tables 1 table

t t

t
r
 
r(r−1) t(t+1)
T3 = 2 t · r − 2
T4 = 2

3t2 t2 t
= + t = 2 + 2
4 2

Figure 2.3: Comparison of the computation times of the three attacks

20
r-coloured rainbows

t(r − 1)
T = t2 − ,
2
we see that the closer r is to t, the smaller T is. This corresponds with the
observation that in Figure 2.3, for t > 6, T1 > T2 > T3 > T4 . Therefore, our new
attack is not better, in terms of computation time, than a rainbow table, but it
is better than Hellman’s attack.
One of the main advantages of a rainbow table over Hellman’s tables is that
it requires less hard disk accesses during the attack. Hellman’s attack requires
t2 disk operations. Rainbow tables require only t disk operations. Our r-coloured
rainbows attack requires
t t2
t· =
r r
disk operations. Therefore, for a fixed t, our attack reduces the number of disk
operations by a factor of r when compared to Hellman’s. With regards to the
number of disk operations, our attack is again not better than a rainbow table,
but it is better than Hellman’s attack.
Another property of the attack that should be compared is the coverage of the
key space. The tables in all three attacks contain mt2 points in the first t columns.
If a collision among two entries in r-coloured rainbows occurs, it causes a merge
only if the next functions applied are the same. In one chain, one specific function
fl is applied t/r times and there are m · r chains in a table. The other tables do
not use fl at all. Therefore, a merge results from a collision only if the colliding
entries are in the same group of mr · (t/r) = mt entries, which corresponds to a
fixed fl . Thus, collisions cause merges in r-coloured rainbows equally often as in
Hellman’s tables and a rainbow table.
Merges in r-coloured rainbows can be detected by colliding end points only
if the merge occurred in the same column. Assume there are two entries in a
table colliding and causing a merge, then the entries must be in the same group
of t/r columns. Therefore, only r/t of merges start in the same column and
can be detected and removed during precomputation. Again, this is better than
Hellman’s inability to detect any merges and it is worse than being able to detect
all merges in a rainbow table.
Loops can occur in r-coloured rainbows, but only if two entries in the same
row, which are a multiple of r positions apart, collide. As a result, the length
of a loop in r-coloured rainbows is always a multiple of r. Parameter r bounds
the length of loops from below. In Hellman’s attack, a loop occurs when any two
entries in one row collide and a loop can be of any length. Therefore, loops occur
r times less frequently in r-coloured rainbows than in Hellman’s attack and their
length is bounded from below.
From the above discussion, it is clear that r-coloured rainbows with t/r tables
of size mr × (t + 1) have better coverage than Hellman’s t tables of size m × (t + 1)
and worse coverage than an mt × (t + 1) rainbow table. Thus, the probability
of success of r-coloured rainbows is also in between the probability of success of
Hellman’s attack and the rainbow table attack.
So far, for every property of the attack that we inspected, the r-coloured rain-
bows perform better than the original attack and worse than a rainbow table. Do

21
r-coloured rainbows bring anything new and better than the other two attacks?
Yes, they may. Recall function h:

h = fr ◦ fr−1 ◦ · · · ◦ f2 ◦ f1 .
When calculating the computation time T , we assumed function fl is one com-
putation step and so h is r computation steps. However, if the cryptosystem
attacked were such, that it would allow for some efficient implementation of h,
the r-coloured rainbows attack would improve. The fact, that the attacker can
choose the reduction function Rl in each fl , may help her implement h efficiently.
Assume the attacker is able to reduce the computation steps needed to apply
function h from r steps to r/c steps, for some c ≤ r. Function h is different for
every table, so assume the attacker is able to efficiently implement all t/r func-
tions h. Then the computation time for one table is
r r(r + 1)
(t − r) + .
c 2
The first term counts the steps needed to calculate Yr+1 , . . . , Yt , which uses func-
tion h. The second term is the number of calculations needed for Y1 , . . . , Yr ,
where h is not used. The t/r tables require
  r  r(r + 1) 
t
(t − r) +
r c 2
t(t − r) t(r + 1)
= +
c 2
t2 tr t(r + 1)
= − +
c c 2

computations. When neglecting the second and third terms, where only t and not
t2 appears, the computation time can be reduced by a factor of c in comparison
with Hellman’s time. This is a much greater improvement than the reduction by
2 achieved by a rainbow table.
With the efficient implementation of function h, the precomputation in the
r-coloured rainbows attack is also c times faster than in the other two attacks.
The original precomputation time
t
mr · t · = mt2 = N
r
is the same as with Hellman’s attack or a rainbow table. The efficient precom-
putation time is
t t mt2 N
mr · · = = .
c r c c

22
3. Time-memory tradeoff attacks
on stream ciphers
Time-memory tradeoff attacks can be performed not only on block ciphers, but
on stream ciphers as well.

Definition 7. An additive synchronous stream cipher is an ordered 7-tuple

(A, K, I, Σ, g0 , g, F ), such that

1. A(+, 0) is a finite additive group,

2. K is a finite set of keys,

3. I is a finite set of initialization vectors,

4. Σ is a finite set of internal states of the cipher,

5. g0 : K × I → Σ is the initialization function,

6. g : Σ → Σ is the next-state function,

7. F : Σ → A is the keystream generation function.

The internal state of a synchronous stream cipher is initialized with the key
K ∈ K and an initialization vector IV ∈ I by an initialization function g0 , i.e.
s0 = g0 (K, IV ). Function g, which maps a state to another state, produces an
endless sequence of states (s0 , s1 , s2 , . . . ) with the formula

sh+1 = g(sh ) .
The keystream is an endless sequence of symbols (z0 , z1 , z2 , . . . ). Function F
maps a state to one symbol of the keystream:

zh = F (sh ) .
In an additive synchronous stream cipher, a plaintext stream p ∈ P is encrypted
by adding it with the keystream: ch = ph + zh . The set of plaintexts is the set of
all finite length sequences of symbols from A (i.e. A*) and the set of ciphertexts
C is also A*. Figure 3.1 shows the structure of an additive synchronous stream
cipher.
In this chapter, we assume that A = Z2 (+, 0) and K = Σ = {0, 1}n for some
n ∈ N. Denote N = 2n the number of all internal states. Also assume that the
attacker knows functions g0 , g and F and does not know the key nor the internal
state at any moment.

23
 K
g0 sh g

IV

zh
ph ch

Figure 3.1: Additive synchronous stream cipher

3.1 The BG attack

Babbage [4] and Golić [5] independently described the following simple time-
memory tradeoff attack on additive synchronous stream ciphers, referred to as the
BG attack. Define a function f : {0, 1}n → {0, 1}n to map each state sh ∈ {0, 1}n
to the first n bits of the keystream produced by function F from state sh :

f (sh ) = (F (sh ), F (sh+1 ), . . . , F (sh+n−1 )) = (zh , zh+1 , . . . , zh+n−1 ) .

It is assumed that f is a random one-way function, which is not necessarily
injective. The attacker obtains the ciphertext and, as it is a known plaintext
attack, there is a segment of the ciphertext for which she knows the plaintext.
She computes a keystream segment as

zh = ph ⊕ ch
zh+1 = ph+1 ⊕ ch+1
..
.

If the attacker is able to invert the function f for any one of the keystream seg-
ments of length n that she has available, then she can decrypt the ciphertext that
follows. Once she has one internal state sh , she can compute the successive states
using the known function g and use them to generate the rest of the keystream
with F . Notice that in this attack, it is not her goal to find the key K, because
she does not need it for decryption. However, for stream ciphers with g and g0
invertible, she can compute K if she knows the number of iterations of g applied
thus far.
In the precomputation phase, the attacker randomly chooses m distinct points
from the space of states {1, . . . , N } and denotes them SPi for i ∈ {1, . . . , m}. She
computes EPi := f (SPi ). She saves the pairs (SPi , EPi ) for i = 1, . . . , m sorted
by EPi in random access memory as in the previously described attacks.
In the attack phase, the attacker obtains a segment of the keystream, which is
D+n−1 bits long. D denotes the amount of data available during the attack (the
n − 1 is neglected). There are D partially overlapping subsegments of length n of

24
the obtained segment. Denote the subsegments Z1 , . . . , ZD . The attacker checks
whether Z1 = EPi for some i ∈ {1, . . . , m}. If so, then she uses the corresponding
internal state SPi to generate more of the keystream and verifies whether a false
alarm has occurred or whether SPi is the real internal state. If Z1 fails to produce
the internal state, the attacker tries Z2 , then Z3 , etc.
The amount of memory used M is the number of (SPi , EPi ) pairs, which is
m. In order for the attack to be successful, at least one of the D subsegments
Zj must collide with one of the M values of EPi . From the birthday paradox, if
DM = N , then the two sets intersect with the probability approximately 0.63.
In the attack, T = D, because, in the worst case, the attacker accesses memory
once for each Z1 , . . . , ZD . The time-memory tradeoff curve is therefore T M = N .
The precomputation time is the same as the memory needed, i.e. P = M . The
attacker may choose to not use all the data D, then 1 ≤ T ≤ D.
Notice the difference between the time-memory tradeoff attack on a stream
cipher and the attacks described earlier on block ciphers. The attacks on block
ciphers were chosen plaintext attacks: the attacker chose one P0 , precomputed
her tables for that P0 and then she needed an encryption of P0 to be able to
perform the attack. It is not clear how she could use more ciphertexts in one
attack to speed up the attack or increase its probability of success.
The attack on stream ciphers is unlike this. It is a known plaintext attack,
which is stronger. The precomputation is done without the use of any fixed P0 .
The precomputed values depend only on functions g and F , which are constant
for a specific stream cipher. Once she has the precomputed data, she can use it to
attack encryptions of various plaintexts. More importantly, she can use more data
in one attack to raise her probability of success. It seems that the construction
of stream ciphers makes them more vulnerable against time-memory tradeoff
attacks.

3.2 Biryukov and Shamir’s attack

Alex Biryukov and Adi Shamir [6] proposed an improved time-memory tradeoff
attack on stream ciphers. Essentially, they combined Hellman’s idea with the BG
attack. In Biryukov and Shamir’s attack, there is also the function

f : {0, 1}n → {0, 1}n ,

which maps the stream cipher internal state sh to the first n bits of the keystream
generated from that state by F . As in the BG attack, the attacker has D + n − 1
consecutive bits of the keystream and her goal is to invert function f on any of
the D segments of n bits. The attack uses tables of iterations of f as in Hellman’s
attack. Define
fl (s) := Rl (f (s)), s ∈ {0, 1}n ,
where Rl : {0, 1}n → {0, 1}n is a simple bijection. Note that fl is not necessarily
a bijection, because f is not injective. In each table, a different function fl is
used.
The precomputation and attack phase are exactly as described by Hellman,
with one exception. During the attack phase, the attacker has D keystream seg-
ments, whereas in the original attack on block ciphers there is only one ciphertext

25
C0 . The attacker executes the attack phase on each of Z1 , . . . , ZD , unless she suc-
ceeds.
For Biryukov and Shamir’s attack to be successful, one of Z1 , . . . , ZD must
be present in one of the tables without the first column. Therefore, the coverage
of the tables without the first column can be reduced from N to N/D. This
is from the birthday paradox. The set {Z1 , . . . , ZD } and the set of all but first
column entries in the tables are both subsets of {1, . . . , N } and the latter is chosen
uniformly at random. In order for the two sets to intersect with probability
approximately 0.63, the product of their cardinalities must be N . We have
N
D· =N .
D
Therefore, the coverage should be N/D. From Hellman, we know that t tables
of size m × (t + 1) for m, t such that mt2 = N , are optimal for the coverage of
N points. To achieve a coverage of N/D points, less tables or smaller tables may
be used.
Figure 3.2 summarizes the options for reducing the coverage and shows which
option reduces the required time and memory the most. The time required dur-
ing the attack, T , is computed as the number of columns in each table minus one
times the number of tables times the number of available data D. The amount
of memory required, M , is computed as the product of the number of rows and
the number of tables. From Figure 3.2, we see that for D > 1 option 3) is the
best, because T3 = T1 < T2 and M3 = M2 < M1 . The fact that 2) has worse
computation time than 1) and 3) can also be seen from the observation that
fl (Zj ) is one operation during the attack and reveals whether the real internal
state is in one of m entries of the table. For m0 < m, that one operation reveals
less information. Therefore, in Biryukov and Shamir’s attack, t/D tables of size
m × (t + 1) are precomputed, for m, t such that D | t and mt2 = N . The random
access memory needed for the attack is M = mt D
and the computation time is
2
T = t . The precomputation time P is the number of rows times the number of
columns minus one times the number of tables, thus P = m · t · Dt = N/D. If
D | t, then t ≥ D and thus D2 ≤ T ≤ N . For m, t such that mt2 = N and D | t,
the parameters M, T and D satisfy the following relationship:
 2 2
2 2 2 mt
TM D = t · · D2 = m2 t4 = N 2 .
D2
The authors suggested to use parameters m = t = N 1/3 , which yields
P = T = N 2/3 , M = D = N 1/3 as a particular point on the tradeoff curve.

3.3 Time-memory tradeoff attacks on stream ci-

phers with sampling
Biryukov and Shamir discussed how Rivest’s sampling would affect the tradeoffs
in attacks on stream ciphers.
Firstly, they considered the effect on the tradeoff of the BG attack. A
keystream segment Zj ∈ {0, 1}n is said to be special if the first u bits are ze-
roes, u < n. In order to employ special points in the BG attack, the attacker

26
 Coverage of N points
t+1 t+1 t+1 t+1 t+1
T = t · t · D = t2 · D
m m m m m
M =m·t

Coverage of N/D points

Assume D | t, D | m

3 basic options:

1) t
+1 t
+1 t
+1 t
+1 t
+1
D D D D D
t
T1 = D · t · D = t2
m m m m m M1 = m · t

2) t+1 t+1 t+1 t+1 t+1 T2 = t · t · D = t2 · D

m m m m m m mt
D D D D D M2 = D ·t= D

3) t+1 t+1 t+1 T3 = t · t

· D = t2
D
t mt
m m m M3 = m · D = D

t
D

Figure 3.2: Options for reducing the coverage

27
must prepare a table of (SPi , EPi ) pairs such that EPi is a special keystream
segment for each i ∈ {1, . . . , m}. The only way to achieve that is to keep gen-
erating random starting points, applying function f and checking whether the
end point is special until M pairs with special end points are generated. This
trial-and-error method is very costly for the precomputation time.
Every (2u )th point from {1, . . . , N } is special. To precompute M pairs with
special end points, M · 2u trials during precomputation would be necessary on
average. Thus, P = M · 2u , instead of the original P = M . The attack time is
reduced from T = D to T = 2Du , because, from the obtained data, only special
points would be used. From the birthday paradox, to achieve approximately 0.63
probability of collision among the M special end points and the 2Du obtained spe-
cial points, M and D must satisfy
D N
M· u
= u .
2 2
Thus, the memory-data tradeoff is M D = N for any u. To find a time-precomputa-
tion tradeoff, consider T P .
D
TP = u
· M 2u = DM = N .
2
Together, T P = M D = N , for 1 ≤ T ≤ 2Du . It is interesting to note that the
sampling changed the original time-memory tradeoff T M = N into two indepen-
dent tradeoffs: the time-precomputation tradeoff T P = N and the memory-data
tradeoff M D = N .
Secondly, Biryukov and Shamir described how sampling would affect the
tradeoff of their attack on stream ciphers. Recall the tradeoff T M 2 D2 = N 2
for D2 ≤ T ≤ N . In the case of Biryukov and Shamir’s attack, sampling can be
done in the same way as described for Hellman’s attack. Precomputation time
remains ND
, as without sampling. The memory needed stays the same at M = mt D
,
2
as well. The computation time T also stays unaffected at t . Together, the trade-
off of the attack with sampling remains T M 2 D2 = N 2 for D2 ≤ T ≤ N . The
difference is that, with sampling, the hard disk is accessed only t times during
the attack, as opposed to t2 times.

28
4. Time-memory tradeoff attacks
on A5/1
This chapter gives a summary of two time-memory tradeoff attacks on the stream
cipher A5/1 described by Alex Biryukov, Adi Shamir and David Wagner in [7].

4.1 Description of the A5/1 stream cipher

The stream cipher A5/1 is used in GSM telephones to encrypt calls. A GSM
call is transmitted as a sequence of frames. Each frame contains 228 bits. Every
4.6 millisecond, a frame is sent. For each conversation, a new 64-bit key K is
used. The stream cipher uses the key and a publicly known 22-bit frame counter
to initialize its internal state for each frame. The generator produces 228 bits of
the keystream, which are XORed with the 228 bits of the frame to produce the
ciphertext.
An internal state of the cipher has 64 bits and consists of three linear feedback
shift registers of lengths 19, 22 and 23. Denote the registers R1, R2 and R3
respectively and denote the least significant bit (lsb) in each register as bit zero.
Figure 4.1 illustrates the construction of the stream cipher. When R1 is clocked,
bits 13, 16, 17 and 18 are XORed together, all the bits are shifted to the left
and the result of the XOR is placed in bit position zero. The other registers are
clocked in the same way, only in R2, bits in positions 20 and 21 are XORed and
in R3, bits in positions 7, 20, 21 and 22 are XORed. Each register is a maximal
length linear feedback shift register. That means that the clocking function has
a period of 219 − 1, 222 − 1, 223 − 1, respectively. The one state that is not in the
long cycle of states is always the zero vector.
The clocking of all registers uses a stop-go rule. Each register has one clocking
tap, denoted C1, C2 and C3. When the whole state of the three registers is to be
clocked, the majority function on C1, C2 and C3 determines which of the registers
are clocked. The registers, whose clocking tap is the same as the majority of the
clocking taps, are clocked and the other register or none is not clocked.
To generate the 228 bits of keystream for a frame, the following steps are
taken:
1. the registers are filled with zeroes and all clocked without the stop-go rule 64
times. In each clocking, one bit of the key K is XORed to all the three lsb’s.
2. The registers are all clocked 22 times without the stop-go rule. In each
clocking, one bit of the frame counter is XORed to all the three lsb’s. The
state of the three registers after these two steps is called the initial state of
the frame.
3. The registers are clocked 100 times, employing the stop-go rule and not
producing any output.
4. The registers are clocked 228 times, employing the stop-go rule. The most
significant bits (msb) of the three registers are XORed together in each
clocking to produced 228 bits of the keystream.

29
 C1
18 17 16 13 8 0

R1

C2
21 20 10 0

zh R2

C3
22 21 20 10 7 0

R3

Figure 4.1: Construction of the A5/1 stream cipher

4.2 The biased birthday attack

Biryukov, Shamir and Wagner call their first attack on A5/1 the biased birthday
attack. In this attack, the goal of the attacker is to find the conversation key
K. It is assumed that she obtains the keystream for many frames. For example,
she obtains the first two minutes worth of keystream. It is important that the
attacker knows which part of the call the keystream is from, so that she knows the
corresponding frame counters. If she succeeds and has the key, she can generate
the keystream for all the frames, not only the ones she knows, and decipher the
entire call.
The very basic idea of the biased birthday attack is to use the BG attack with
sampling to get an internal state from some segment of the keystream. Then
the attacker backtracks the registers from that internal state to the initialization
stage and extracts the key K.
Firstly, the authors explained how the registers and their clocking can be
efficiently implemented in software. They use three cyclic arrays with 219 − 1,
222 − 1 and 223 − 1 bits. Each bit in an array is the clocking tap of a state of
the register and successive bits are clocking taps of successive states. In the first
array, any 19 successive bits are a state of R1. Therefore, every index i of the first
array uniquely identifies a state of R1, whose clocking tap bit is the ith bit of the
array. The other two arrays work the same for R2 and R3. A state of the three
registers is then a triplet (i, j, k) of indices of the arrays. To find out the msb’s for
a state (i, j, k), the attacker looks in the arrays in positions i − 10, j − 11, k − 12.
Clocking the state means adding one to two or three of the indices, depending on
the majority function on the clocking taps.
The state of A5/1 can also be run backwards. A state (i, j, k) has four possible

30
predecessors (i, j − 1, k − 1), (i − 1, j, k − 1), (i − 1, j − 1, k) and (i − 1, j − 1, k − 1).
Not all the possible predecessors necessarily lead to state (i, j, k). A state can
have none to four predecessors. Therefore, running the clocking backwards is tree
exploration.
The BG attack is used to find an internal state, which produces the keystream
that the attacker obtained. The function f that the attacker wants to invert is
a map from the set of all states {0, 1}64 to {0, 1}51 , the set of keystream prefixes
of length 51. As mentioned, the attack makes use of special points. A keystream
prefix is said to be special if the first 16 bits are a specific sequence of bits α.
For simplification, the sequence α is chosen such that it does not coincide with
shifted versions of itself, eg. α = (1, 0, 0, ..., 0).
The attacker wants all the end points stored in memory to be special keystream
prefixes. The number of internal states which generate a special keystream prefix
is about 264 /216 = 248 and they are referred to as special states. The authors
described how the attacker can use a weakness in the design of the registers to
generate all the 248 special states without testing all the 264 states. The fact that
each register has only one clocking tap and that it is in the middle, far away
from the msb’s, allows for efficient sampling. The attacker can arbitrarily choose
the bits in certain 48 positions of the state and compute the other 16 to be such
that the keystream produced by the state begins with α. The attacker is able to
generate all the 248 special states this way.
The authors introduced a new security measure called sampling resistance.
It is the maximal length of α such that special states can be sampled without
trial-and-error. The sampling resistance of A5/1 is 16.
During precomputation, the attacker samples all the special states. However,
not all the 248 special pairs will be stored in memory. Some special states are
likelier than others to occur and thus their corresponding special keystream pre-
fixes are likelier than others to be present in the obtained data. The strategy is
to store only the special pairs, which are very likely to occur. What causes the
non-uniform probability distribution among the states is the tree structure of the
graph of the clocking function.
The authors use the following notation:
• a state s is coloured red, if the sequence of keystream bits produced from
state s starts with α;
• a state s is coloured green, if the sequence of keystream bits produced from
state s contains an occurrence of α which starts somewhere between bit
positions 101 and 277 of the keystream.
In other words, a red state is a special state and a green state is an initial state,
from which a red state is generated.
Running the clocking backwards from a red state produces a tree of states.
The depths and widths of trees vary, because each state can have none to four
predecessors. If a red-rooted tree is deeper than 100, then it contains some green
states. The green states in the tree, which are at depths 101 to 277, are referred
to as the green belt. Figure 4.2 shows examples of red-rooted trees. The white
states at depths 1 to 100 are of no interest to the attacker, because they are initial
states that yield a red state somewhere in the 100 clockings when the keystream
is not produced.

31
 Red roots
100

177 Green belt

Figure 4.2: Diagram of red-rooted trees

The reason why the green belt is defined only to depth 277 is that the deeper
states cannot be used in the attack. In the obtained data, the attacker searches
for α in each 228-bit segment of the keystream. If α starts somewhere in the
last 50 bits of the 228 bits, it is disregarded, because the attacker needs at least
35 bits of the keystream to follow α in order to identify the special keystream
prefix as an end point in the precomputed table.
The attacker wants to store in memory those red states, with their keystream
prefix, which are the likeliest to occur. The red states with the largest green belts
occur with the highest probability. The weight of a red-rooted tree is defined as
the number of green states in its belt. The attacker chooses a value w and stores
a red state only if the weight of its tree is greater than w.
The name of the attack is the biased birthday attack, because the birthday
paradox is used in the original BG attack, where it is assumed that the starting
points are chosen uniformly at random and that the states in the real data are
also distributed uniformly. In this attack on A5/1, neither of the two sets is
chosen uniformly at random, thus the biased birthday attack. The bias in the
selection of starting points raises the attack’s probability of success.
Finally, a summary of the attacker’s steps. The attacker samples all red states.
She explores the trees of the red states using the efficient software implementation
of the states. If a tree’s weight is greater than a fixed w, she computes the first
35 bits of keystream following α from that red state. She saves the state and
keystream prefix as a starting point and end point pair in a table sorted by end
points. The trees are not saved.
During the attack, she obtains some seconds or minutes worth of the keystream.
She divides the keystream into segments of length 228, which correspond to the
frames. She searches the first 193 bits of each 228-bit segment for α. For each
α that she finds, she uses the 35 successive bits to check whether this special
keystream prefix is in the precomputed table. If so, she has the corresponding
red state. From that red state, she backtracks the clocking. She rebuilds the
tree, but only to a certain depth, where she knows the candidates for the initial
state are. For each green state at the appropriate depth, she clocks the state
backwards and computes the key. It remains to be shown, that the key can be
uniquely computed from an initial state. For each key, she tries to use it in the
initialization of another frame and then verifies whether that frame’s keystream
agrees with the keystream in the real data. The real key must be among the key
candidates.
The attacker can obtain a unique key from an initial state. The stop-go rule
is not used in the initialization, so the known frame counter can be removed by
running the registers backwards. From the state after the key was XORed in, the

32
attacker gets 64 linear combinations of the 64 key bits, from which the unique
key can be calculated.
The authors show that a biased birthday attack can be performed with the
probability of success 0,6 with the following parameters:

• 248 precomputation steps;

• 120 seconds of data;

• about 146 GB of memory (235 pairs stored);

• 1 second of attack time.

4.3 The random subgraph attack

The second attack described by Biryukov, Shamir and Wagner – the random
subgraph attack – has the same goal and the same assumptions as the biased
birthday attack. The attacker wants to find the conversation key K and has
a part of the keystream available. The second attack also makes use of the
efficient implementation of the clocking and the low sampling resistance of A5/1.
Although the attacks share some similarities, their main ideas are different. The
random subgraph attack applies Hellman’s attack to the space of red states and
thus only requires one occurrence of α in the data, which shortens the length of
the required data.
The set of all red states is a subset of the set of all states {0, 1}64 and has
48
2 elements. Each red state has a ”full name” of 64 bits, which is just the 64 bits
in the registers. However, less bits can be used to identify a red state. When
48 bits in specific positions of the registers are chosen arbitrarily, they uniquely
define a red state, because the other 16 bits can be chosen in only one way so
that the keystream prefix is α. These 48 bits are the ”short name” of a red state.
The long name can easily be computed from the short name, as done in sampling.
Red states are also almost uniquely defined by the 48 bits of the keystream which
follow α. This is referred to as the output name.
Function f : {0, 1}48 → {0, 1}48 for Hellman’s table is defined as a map
from short names to output names. To compute f , the 48 bits are expand-
ed to a long name, which is used as a state to produce 64 bits and the last
48 bits are the output. Hellman’s attack needs many variants of function f , so
fl : {0, 1}48 → {0, 1}48 is defiend as follows:

fl (s) := Rl (f (s)), s ∈ {0, 1}48 ,

where Rl : {0, 1}48 → {0, 1}48 is some simple bijection.
To save computation time on accessing memory, Rivest’s sampling is used.
The authors call a red state bright if the first 28 bits of its keystream contain the
16-bit α followed by 12 zero bits. Each chain in the tables starts with a red state
and ends after approximately 212 iterations of fl with a bright red state.
Once the attacker has a red state, which generates some of the obtained
keystream, she proceeds to search the tree and compute the key as in the first
attack.

33
 The authors recommended to use parameters t = 212 and m = 224 . Then
M = 236 is the memory space required and T = 224 is the computation time.
The amount of data required is about 2 seconds, because it is expected that one
occurrence of α will appear within that time. With the parameters above, the
preprocessing requires 248 steps, about 146GB of memory are used and the attack
time is several minutes.

34
Conclusion
We started with a detailed description of the original time-memory tradeoff attack
by Hellman. We considered how the attack would simplify if the key space was
the same size as the ciphertext and plaintext space. Ron Rivest’s idea of special
points was explained. The second chapter was all about rainbows and colour.
Firstly, we gave a description of the rainbow table attack and inspected why it
is better than the original attack. Secondly, we proposed the new r-coloured
rainbows attack, which is a hybrid of the original attack and a rainbow table.
Detailed comparison confirmed that the hybrid is between the two in terms of
efficiency. However, we found that for block ciphers with a certain property,
the r-coloured rainbows attack outperforms its predecessors. The third chapter
focused on attacks on stream ciphers. With the new parameter of the amount
of data, we saw time-memory-data tradeoffs. Another change, that the stream
ciphers brought, was that the attack became a known plaintext attack as opposed
to the chosen plaintext attack on block ciphers. To end off with, we summarized
how the BG attack, Hellman’s attack and sampling could take part in finding out
a conversation key in A5/1.

35
Bibliography
[1] Hellman, M. E. A Cryptanalytic Time-Memory Trade-Off. IEEE Transac-
tions on Information Theory, Vol. IT-26, N 4, pp. 401-406, 1980.

[2] Denning, D.E. Cryptography and Data Security. p. 100. Addison-Wesley,

1982. ISBN 978-0-201-10150-8.

[3] Oechslin, P. Making a Faster Cryptanalytic Time-Memory Trade-Off.

CRYPTO 2003, Lecture Notes in Computer Science 2729, pp. 617-630,
Springer, 2003

[4] Babbage, S. A Space/Time Tradeoff in Exhaustive Search Attacks on

Stream Ciphers. European Convention on Security and Detection, IEEE Con-
ference Publication No. 408, 1995.

[5] Golić, J. Cryptanalysis of Alleged A5 Stream Cipher. Proceedings of Eu-

rocrypt’97, Lecture Notes in Computer Science 1233, pp. 239-255, Springer-
Verlag, 1997.

[6] Biryukov, A., Shamir, A. Cryptanalytic Time/Memory/Data Tradeoffs

for Stream Ciphers. ASIACRYPT 2000, Lecture Notes in Computer Science
1976, pp. 1-13, Springer-Verlag, 2000.

[7] Biryukov, A., Shamir, A., Wagner, D. Real Time Cryptanalysis of A5/1
on a PC. Proceedings of Fast Software Encryption 2000, Lecture Notes in
Computer Science 1978, pp. 1-18, Springer-Verlag, 2000.

[8] Vaudenay, S. A classical introduction to cryptography - applications for

communications security. Springer, 2005. ISBN 978-0-387-25464-7.

36