Project:Sandbox

Rainbow chains is an improvement of Time-Memory Trade-Off proposed by Oechslin in 2013.

The problem with the Hellman's Time-Memory Trade-Off is the number of false alarm. When two sequences collide, they merge and cause false alarms. The idea of Oechslin is to create a lookup table where the sequences can collide without merging.

=Concept=

Rainbow chains
Instead of using a single reduction function $$R$$ for a lookup table, the idea is to use a different reduction function for each column of the table. In such a table, if two rows collide in two different columns, they don't merge as we use two different reduction functions for the following step. However, if two sequences collide in the same column, they still merge.

Recovering the key
We first apply $$R_{n-1}$$ to the eavesdropped ciphertext $$C$$. If $$R_{n-1}(C)$$ is one the endpoints then we can rebuild the chain and check the key.

If we don't find any key candidates or only find a false alarms, we then apply $$f_{n-1}(R_{n-2}(C))$$ and check again for a corresponding endpoint.

In total, if we have to test every column, we need $$1+2+3+\dots+t-2+t-1=\frac{t(t-1)}{2}$$. This is the half of the computations needed for $$t$$ standard lookup tables.

Advantages
Rainbow chains share some advantages of chains ending in distinguished points without suffering of their limitations :


 * 1) As already seen, the number of table look-ups is reduced compared to Hellman’s Time-Memory Trade Off method. It can be calculated that it is a reduction by a factor $$t$$.
 * 2) Merges of rainbow chains result in identical endpoints and are thus detectable, as with distinguished points. Rainbow chains can thus be used to generate merge-free tables. Note that in this case, the tables are not collision free.
 * 3) Rainbow chains have no loops, since each reduction function appears only once. This is better than loop detection and rejection as escribed before, because we don’t spend time on following and then rejecting loops and the coverage of our chains is not reduced because of loops than can not be covered.
 * 4) Rainbow chains have a constant length whereas chains ending in distinguished points have a variable length. This reduces the number of false alarms and the extra work due to false alarms. This effect can be much more important that the factor of two gained by the structure of the table.

=Theoretical analysis= With rainbow chains, the probability of a merging after collision is $$1/t$$.

The probability of success for a $$m \times t$$ table is given by $$P(S)=1-\product\limits_{i=1}^t(1-\frac{m_i}{N})$$ where $$m_1=m$$ and $$m_{n+1}=N(1-e^{-\frac{m_n}{N}})$$.

It is interesting to note that the probability of success of $$t$$ $$m \times t$$ tables is approximately equal that the probability of success of a $$m \times t^2$$ rainbow table.

=Complexity=

=See also=
 * Algorithmic efficiency

=References=

=External links=
 * Philippe Oechslin: Making a Faster Cryptanalytic Time-Memory Trade-Off.
 * Once Upon a Time-Memory Tradeoff.