Latest 77-883 Exam Questions,Microsoft 77-883 Test

Abstract. In this paper we formalize a general model of cryptana-lytic time/memory tradeo.s for the inversion of a random function f : {0,1,...,N .1}

¡ú{0,1,...,N .1}. The model **exam 77-883** 77-883 test **exam 77-883 download** contains all the known tradeo. techniques as special cases. It is based on a new notion of state-ful random graphs. The evolution of a path in the stateful random graph depends on a hidden state such as the color in the Rainbow scheme or the table number in the classical Hellman scheme. We prove an upper bound on the number of images y = f(x)for which f canbe inverted, andde-rive from it a lower bound on the number of hidden states. These bounds hold for an overwhelming majority of the functions f, and their proofs are based on a rigorous combinatorial analysis. With some additional nat-ural assumptions on the behavior of the online phase of the scheme, we

2

prove a lower bound on its worst-case time complexity T = ¦¸( N),**77-883 exam**

**77-883 test** M2 ln N

where M is the memory **microsoft exam 77-883** complexity. Finally, we describe new rainbow-based time/memory/data tradeo.s, and a new method for improving the time complexity of the online phase (by a small factor) by performing a deeper analysis during preprocessing.

Keywords: Time/memory tradeo., time/memory/data tradeo., rigor-ous, lower bound, hidden state, stateful random graph, Hellman, Rain-bow, Cryptanalysis.

1 Introduction

In thispaper weare interested in generic (¡°black-box¡±) schemes forthe inversion of one-way functionssuch as f(x)= Ex(0), where E isany encryption algorithm, xisthe key, and 0isthe .xed plaintext zero. Forthe sake ofsimplicity, we assume that both x and f(x) are chosen fromthe set of N values {0,1,...,N . 1}.

The simplest example ofa genericscheme isexhaustive search,in which a

'

pre-image of f(x)isfoundby tryingall the possiblepre-images x, andchecking whether f(x')= f(x). The worst-case time complexity T (measured by the number ofapplications of f)ofexhaustivesearch is N, andthe space complexity M is negligible.Another extreme scheme isholdingahugetable with all the

C. Dwork (Ed.): CRYPTO 2006, LNCS 4117, pp. 1¨C21, 2006.

. International Association for Cryptologic Research 2006

E. Barkan, E. Biham, and A. Shamir

images (in increasing order), andforeach image storing one of its pre-images. Thismethodrequires a preprocessing phase whose time andspace complexities are about N, followed by an online inversion phase whose runningtime T is negligibleandspace complexity M isabout N. Cryptanalytictime/memory tradeo.sdealwith .ndingacompromise between these extreme schemes,in the form ofa tradeo. between the time andmemory complexities ofthe online phase (assuming that the preprocessing phase comes forfree). Cryptanalytic time/memory/data tradeo.sare a variant which accepts D inversion problems andhas to be successfulin at least one ofthem.Thisscenario typically arises in stream ciphers,whenit su.ces toinvert the function that maps aninternal state to the output at onepointto break the cipher.However, the scenario also arises in block ciphers when the attacker needs to recover onekeyout of D di.erent encryptions with di.erentkeys of the same message [4,5]. Note that for D =1 the problem degenerates to the time/memory tradeo. discussed above.

1.1 Previous Work

The .rst andmost famous cryptanalytictime/memory tradeo. was suggested byHellmanin1980[11]. Histradeo. requires a preprocessing phase with a time

¡Ì

complexityofabout N andallowsa tradeo. curve of MT = N.Aninteresting point on thiscurve is M = T = N2/3.Since only values of T ¡Ü N are interesting,

¡Ì

thiscurve isrestricted to M ¡Ý N.Hellman¡¯sscheme consists ofseveral tables, where each tablecovers only asmall fraction ofthe possible values of f(x) us-ingchains of repeated applications of f.Hellman rigorously calculated a lower bound on the expected coverage of images by asingletable in hisscheme.How-ever,Hellman¡¯sanalysis ofthe coverage of images by the full scheme was highly heuristic, and in particular itmade the formally unjusti.able assumption that many simple variants of f are independent ofeach other.Under thisanalysis, the success rate of Hellman¡¯stradeo. forarandom f isabout 55%, which was veri.ed usingcomputer simulations.Shamirand Spencer proved in arigorous way(in an unpublished manuscript from 1981) that foranoverwhelmingmajor-ityof the functions f, even the best Hellman table (with chains ofunbounded length created from the best collection ofstart points,which are chosen using an unlimited preprocessing phase) has essentially the same coverage of images as a random Hellman table (up to amultiplicative logarithmicfactor). However, they could notrigorously dealwith the full (multi-table)Hellman scheme.

In 1982, Rivest noted that in practice, the time complexityisdominated by the number ofdisk accesses (random access to disk can be many orders ofmagnitude slower than the evaluation of f). He suggested to use distinguished points to

¡Ì

reduce the number ofdisk **microsoft exam 77-883** accesses to about T .The idea ofdistinguished points was described in detail andanalyzed in 1998byBorst,Preneel, and Vandewalle [8], andbyStandaert, Rouvroy, Quisquater, and Legat in 2002 [15].

In 1996, Kusuda and Matsumoto[13] described how to .ndanoptimal choice ofthe tradeo. parameters in order to .ndthe optimal cost ofaninversion ma-chine.Kimand Matsumoto[12] showed in 1999 how toincrease the precompu-tation time to allow aslightly higher success probability. In 2000, Biryukov and

Rigorous Bounds on Cryptanalytic Time/Memory Tradeo.s

Shamir [6] generalized time/memory tradeo.sto time/memory/data tradeo.s, anddiscussed speci.c applications of these tradeo.sto stream ciphers.

Anew time/memory tradeo. scheme was suggested by Oechslin [14]in 2003. Itclaims to savea factor2 in the worst-case time complexity compared toHell-man¡¯s original scheme (see Section 6.1 foradiscussion ofthispoint). Another in-teresting work on time/memory tradeo.s was performed byFiat and Naor [9,10] in 1991. Theyintroduce a rigorous time/memory tradeo. for inverting any func-tion. Theirtradeo. curve is less favorablecompared toHellman¡¯stradeo., but itcan be used toinvert any function rather than arandomfunction.

A question which naturally arises is what is the best tradeo. curvepossiblefor cryptanalytictime/memory tradeo.s?Yao[16] showed that T = ¦¸(N log N )isa

M

lower bound on the time **77-883 syllabus** 77-883 exam **microsoft exam 77-883** complexity, regardless of the structure ofthe algorithm, where M ismeasured in bits.Thisbound is essentially tight in case f isasingle-cyclepermutation.1 However, the question remains open forfunctions which are notsingle-cyclepermutations. Can there be a better cryptanalytictime/memory tradeo. thanwhat isknown today?