Analysis of the Perfect Table Fuzzy Rainbow Tradeoff

Cryptanalytic time memory tradeoff algorithms are tools for inverting one-way functions, and they are used in practice to recover passwords that restrict access to digital documents. This work provides an accurate complexity analysis of the perfect table fuzzy rainbow tradeoff algorithm. Based on the analysis results, we show that the lesser known fuzzy rainbow tradeoff performs better than the original rainbow tradeoff, which is widely believed to be the best tradeoff algorithm. The fuzzy rainbow tradeoff can attain higher online efficiency than the rainbow tradeoff and do so at a lower precomputation cost.


Introduction
Cryptanalytic time memory tradeoff algorithms are tools for inverting generic one-way functions. They are actively used by law enforcement agencies and hackers to recover passwords protecting access to digital documents and to obtain system login passwords from the stored password hashes. After a one-time precomputation phase, whose computational complexity is typically of the same order as that of an exhaustive computation of the one-way function on all inputs under consideration, a digest of the computation is written to a table whose size is of much smaller order than the complete dictionary. In the online phase, referencing the precomputation table, the input corresponding to a given inversion target is recovered with a computational complexity that is of much smaller order than that of an exhaustive trial of inputs. These algorithms allow tradeoffs to be made between the size of the precomputation table and the expected time for inversion through adjustments of various algorithm parameters.
The first time memory tradeoff method was the classical algorithm by Hellman [1] and this was soon followed by the distinguished points variant. Rivest is given credit [2, page 100] for suggesting to apply the notion of distinguished points to the classical Hellman tradeoff. Currently, the rainbow tradeoff [3] is the most widely used algorithm.
The fuzzy rainbow tradeoff [4,5] is a more recent algorithm that combines the distinguished point and rainbow methods. The algorithm has already been used in the multitarget setting as an integral component of a fully functional attack [6,7] on GSM phones, and an elementary analysis of the fuzzy rainbow tradeoff appeared in [8]. The latter work cites a work related to [6] and refers to the attack by the name Kraken, but none of these works cite the original publication [4,5], indicating these to be an independent line of work. In fact, the analyses of [8] fall short of even the preliminary discussions given by [4,5]. For now, the execution complexities of the fuzzy rainbow tradeoff are not known accurately enough for the purpose of comparing the performances of different tradeoff algorithms.
The fuzzy rainbow tradeoff, as with most other tradeoff algorithms, comes in the nonperfect table and perfect table versions. The perfect table version is expected to perform better during the online phase than the nonperfect version, but this must be paid for with a larger precomputation effort. Our previous work [9] gave an accurate performance analysis of the nonperfect table fuzzy rainbow tradeoff and compared the results with the performances of the original nonperfect and perfect table rainbow tradeoffs, which are widely believed to be the best tradeoff algorithms. The conclusions made there were that the nonperfect fuzzy rainbow tradeoff was always advantageous over the nonperfect rainbow tradeoff and that, while the perfect rainbow tradeoff could achieve somewhat better online efficiency than the nonperfect fuzzy rainbow tradeoff, for online efficiency levels that could be reached by both algorithms, the nonperfect fuzzy rainbow tradeoff could do so with a smaller amount of precomputation.
In this work, we analyze the perfect table fuzzy rainbow tradeoff algorithm to present its performance accurately and compare this with the performances of the perfect rainbow tradeoff and the nonperfect fuzzy rainbow tradeoff. Our conclusion in rough terms is that the perfect fuzzy rainbow tradeoff outperforms the two comparison algorithms. This implies that the perfect fuzzy rainbow tradeoff, which has not yet received widespread recognition, is preferable to all the well-known tradeoff algorithms. We remark that the analysis given in this paper is completely different from that of our previous paper [9], which dealt with the nonperfect table case.
One clarification must be made concerning the subject algorithm of this work. The fuzzy rainbow tradeoff, as originally presented by [4,5], was a tradeoff algorithm designed to be used in the multitarget setting. This is where the attacker is given multiple inversion targets and is deemed successful if he is able to recover the input corresponding to at least one of the targets. However, our analysis of the algorithm in this paper will be done under the single-target setting.
Recall that a simple multitarget adaptation of the original rainbow tradeoff is quite inferior in performance [10] to the existing multitarget adaptations [11] of the classical Hellman and distinguished point tradeoffs and that the fuzzy rainbow tradeoff was designed to be a variant of the rainbow tradeoff that performs at a similar level. We have done some preliminary investigations and believe that it will not be difficult to transform the existing analysis results for the Hellman and distinguished point algorithms that were claimed for the single-target setting and the results of the present paper to the multitarget setting. In fact, we expect the existing equations concerning algorithm performances to remain essentially valid under the multitarget setting. Nevertheless, this transformation still requires a nontrivial amount of work and is relegated to a separate future work that focuses on the multitarget versions of the tradeoff algorithms. The current work will stay within the single-target setting.
The rest of this paper is organized as follows. In Section 2, we quickly review the fuzzy rainbow tradeoff algorithm and fix the notation. The execution behavior of the perfect table fuzzy rainbow tradeoff is fully analyzed in Section 3. This is a highly technical section and is the main contribution of this paper. Some experimental data that support the theoretical findings of this section are given in the appendix. In Section 4, we combine the results of our analysis with the existing analyses of other tradeoff algorithms to compare their performances. This could be more valuable to the practitioner than the details provided by Section 3. Finally, this paper is summarized in Section 5.

Preliminaries
Let us review the terminology concerning the fuzzy rainbow tradeoff algorithm and fix our notation. The reader is assumed to be familiar with the basic theory of the time memory tradeoff technique. In particular, we assume knowledge of the precomputation phase and online phase algorithms of the distinguished point (DP) and rainbow tradeoffs. The few sections in the beginning of [12] could be helpful in recalling these basics.
Throughout this paper, the one-way function : N → H to be inverted is taken to act on a search space N of size N. We fix -many reduction functions : H → N ( = 1, . . . , ) and let : N → N denote the composition of the one-way function and the reduction function of the th color. The number of colors will typically be in the range 30 ≤ ≤ 150.
The structure of the precomputation matrix for the fuzzy rainbow tradeoff is a combination of those of the rainbow tradeoff and the DP tradeoff. One fixes a distinguishing property of probability 1/ and generates precomputation chains of the form which could be referred to as a fuzzy rainbow chain. That is, one iterates the one-way function of a fixed color until the first appearance of a DP and the ending point of this DP subchain is used as the starting point for the next DP subchain. The color of the iteration function is changed at each intermediate DP until one reaches the end of the th DP subchain. In short, each iteration of a rainbow chain is replaced by a DP chain, except that the number of colors used by each precomputation table is and that the expected chain length of each DP subchain is .
Any implementation of an algorithm that relies on DPs to terminate a task must employ a mechanism to detect chains falling into loops. Typically, a bound on the chain length is set, and chains reaching this bound are discarded, possibly to be replaced with newly generated chains. We will assume the chain length bound is large enough to make the discarding of chains very infrequent, so that any effect the discarding may have on the algorithm performance can be ignored. This paper deals with the perfect table version of the fuzzy rainbow tradeoff and the number of ending points for each perfect table is set to . That is, one generates sufficiently many precomputation chains for each precomputation table, so that nonmerging precomputation chains can be collected. As with any tradeoff algorithm, the ordered pairs, each consisting of a starting point and an ending point, are sorted according to the ending points and recorded as the precomputation table. A total of ℓ precomputation tables are created during the precomputation phase.
The reader is cautioned to distinguish between the terms precomputation table and precomputation matrix while reading this paper. A precomputation table consists of just the starting and ending point pairs of the precomputation chains, whereas a matrix consists of all points of the precomputation chains, including the intermediate points that are not written to the table. The precomputation matrix is mentally visualized as a collection of chains, with some of them possibly merging into each other in the nonperfect case, rather than as a structureless set of points.
One can regard a single nonperfect fuzzy rainbow precomputation matrix as a concatenation of -many nonperfect DP submatrices. We will write DM to refer to the th DP submatrix (1 ≤ ≤ ) residing within a single nonperfect fuzzy rainbow matrix and use |DM | to denote the number of distinct points contained therein. The ending points of one DP submatrix become the starting points of the following DP submatrix, and the only difference between a standard nonperfect DP matrix and any DM is that the latter may contain duplicate starting points that lead to completely identical chains, should one insist on treating them as separate chains. The expected number of distinct starting points and ending points for DM is written as −1 and , respectively. In particular, 0 is the number of starting points that are initially used in creating a perfect fuzzy rainbow matrix, and = is the number of distinct terminal ending points of the fuzzy rainbow matrix.
The process of removing chain merges during the precomputation phase requires further clarification. The creation of a precomputation table for the perfect fuzzy rainbow tradeoff begins with a choice of 0 starting points and the generation of the first nonperfect DP submatrix DM 1 . After the generation of each nonperfect DP submatrix DM , the chains are sorted according to the ending points of DM and duplicate ending points are located to remove chain merges. Specifically, from each group of merging chains, one retains the chain with the longest th color DP chain segment and discards the other chains. We denote the resulting (temporary) perfect DP submatrix asDM . The set of ending points fromDM is identical to the set of ending points from DM , and these are used as the starting points for the next nonperfect DP submatrix DM +1 . For an appropriate choice of 0 , which will be discussed later, the final perfect DP submatrixDM is expected to contain = nonmerging chains. The collection of all DP chains inDM that eventually reach one of the DP chains that remain inDM is denoted by DM . In particular, we have DM =DM , and only the elements of the final perfect DP submatrices DM can contribute to the success of inversions.
The method for handling merges explained above does not make reference to the total lengths of the chains and relies only on the th DP chain segment lengths. We chose to work with such a merge removal rule, because it allowed existing results concerning the perfect DP tradeoff to be used during our analysis of the perfect fuzzy rainbow tradeoff. However, since some readers may object that it is more reasonable to base the merge removal rule on the total chain lengths, let us present two remarks concerning this matter.
First, we argue that the choice of merge removal method is not very important for the fuzzy rainbow tradeoff. Note that the rule for selecting one chain from a set of merging chains was an important issue for the perfect DP tradeoff that required attention because the chain lengths of a DP matrix form a geometric distribution. However, the lengths of the fuzzy rainbow chains form a distribution that very quickly approaches the normal distribution as is increased. Intuitively, this is to be expected, since the concatenation of multiple DP chains will create an averaging effect. In fact, it is not difficult to work out the distribution explicitly and verify the claim directly. Hence, the variation in fuzzy rainbow chain lengths is small, and the impact of choices based on chain lengths on the performance of the fuzzy rainbow tradeoff can only be limited. Furthermore, the averaging effect implies that, except at small values, our merge removal rule that references just the th DP chain segment is likely to return the chain that is the longest in overall length.
Second, we question whether it is reasonable to retain the longer chains in the first place. The practice is widely accepted with the perfect DP tradeoff, because it is expected to bring about higher success rate for the same amount of storage use. However, the approach also increases both the number of false alarms and the average cost of resolving each false alarm. Although we strongly believe that the positive effect of choosing longer chains on the success rate is likely to outweigh its negative effects on the online cost, currently, there is no publicly available theoretical argument or experimental evidence to support such a claim. A separate detailed study would be required to arrive at a definitive answer concerning this matter.
This completes our description of the precomputation phase for the perfect fuzzy rainbow tradeoff. To the reader with some experience in the tradeoff technique, the online phase algorithm should now be mostly obvious from the structure of the precomputation matrix. Given an inversion target, for each precomputation table and starting color 1 ≤ ≤ , one generates a partial fuzzy rainbow chain that starts from the th color. If the terminal DP of this online chain can be found among the ending points of the precomputation table, the corresponding starting point is used to regenerate the precomputation chain, which could possibly return the correct input to the inversion target. However, most of the collisions will turn out to be false alarms, in which case the regeneration of the precomputation chain may be stopped at the DP for the color from which the online chain was started.
Some clarifications must be made concerning the order in which the online chains are created. In short, the multiple precomputation tables of the fuzzy rainbow tradeoff are processed in parallel, in a manner similar to the approach taken by the rainbow tradeoff. In practice, a round-robin style method can be used to simulate the parallel treatment of tables with even a single CPU, and this modification will not have a visible effect on the computational complexity, unless a small is used.
Let us make this more explicit. The online phase of the fuzzy rainbow tradeoff is performed in discrete steps. On the 1st step, the online DP chains for the th colors, corresponding to the ℓ precomputation tables, are generated. All generated alarms are resolved before one moves onto the 2nd step. On the th step, fuzzy rainbow chains that start from the ( − + 1)th colors, for the ℓ precomputation tables, are generated, and all resulting alarms are treated. The online phase is terminated when either the correct answer to the inversion target is found, or all steps have been completed. Even though it is likely for the answer to be obtained in the middle of the processing of some th step, our analysis will assume that any step that has been initiated is fully completed, regardless of whether the answer has been secured. The effect of this simplification on the analysis results will be small, unless a small is used.
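The precomputation and online procedures described in this section, as an added Python example on a constructed toy search space (not code from the paper). The truncated SHA-256 one-way function, the additive reduction functions and the constants `N`, `S`, `T`, `TABLES`, `M0` and `MAX_SEG` are assumptions chosen for illustration.

```python
import hashlib

N = 1 << 16        # size of the toy search space (constructed)
S = 4              # number of colors per table
T = 16             # DP probability is 1/T, so a DP subchain averages T steps
TABLES = 2         # number of precomputation tables
M0 = 64            # starting points used for each table
MAX_SEG = 16 * T   # chain length bound that detects chains falling into loops

def F(x):
    """Toy one-way function: truncated SHA-256 of a point of the search space."""
    return hashlib.sha256(x.to_bytes(4, "big")).digest()[:8]

def reduce(h, table, color):
    """Reduction function of one (table, color) pair, mapping a hash into the space."""
    return (int.from_bytes(h, "big") + 0x9E3779B1 * (table * S + color)) % N

def step(x, table, color):
    return reduce(F(x), table, color)

def is_dp(x):
    return x % T == 0

def dp_segment(x, table, color):
    """Iterate one color from x until the first DP: (dp, length), or None on a loop."""
    for length in range(1, MAX_SEG + 1):
        x = step(x, table, color)
        if is_dp(x):
            return x, length
    return None

def precompute(table):
    """Build one perfect table {ending point: starting point} plus boundary counts."""
    live = {sp: sp for sp in range(table * M0, (table + 1) * M0)}  # start -> current
    boundary = [len(live)]
    for color in range(1, S + 1):
        best = {}  # ending DP -> (length of this color's segment, starting point)
        for sp, cur in live.items():
            seg = dp_segment(cur, table, color)
            # Merge removal: keep the chain with the longest segment of this color.
            if seg and (seg[0] not in best or seg[1] > best[seg[0]][0]):
                best[seg[0]] = (seg[1], sp)
        live = {sp: end for end, (_, sp) in best.items()}
        boundary.append(len(live))
    return {end: sp for sp, end in live.items()}, boundary

def online_end(y, table, color):
    """Terminal DP of the online chain started from `color`, or None on a loop."""
    x = reduce(y, table, color)
    for _ in range(MAX_SEG):
        if is_dp(x):
            break
        x = step(x, table, color)
    else:
        return None
    for c in range(color + 1, S + 1):
        seg = dp_segment(x, table, c)
        if seg is None:
            return None
        x = seg[0]
    return x

def resolve(y, table, color, sp):
    """Regenerate the chain from sp; stop at the DP of `color` on a false alarm."""
    x = sp
    for c in range(1, color):
        x = dp_segment(x, table, c)[0]
    while True:
        if F(x) == y:
            return x
        x = step(x, table, color)
        if is_dp(x):
            return None

def invert(y, tables):
    """Online phase: the k-th step starts from color S - k + 1 in every table."""
    for color in range(S, 0, -1):
        for t, table in enumerate(tables):
            end = online_end(y, t, color)
            if end in table:
                x = resolve(y, t, color, table[end])
                if x is not None:
                    return x
    return None

def chain_inputs(table, sp):
    """Points of one precomputation chain that serve as inputs to F."""
    pts, x = [], sp
    for c in range(1, S + 1):
        while True:
            pts.append(x)
            x = step(x, table, c)
            if is_dp(x):
                break
    return pts

def build():
    built = [precompute(t) for t in range(TABLES)]
    return [b[0] for b in built], [b[1] for b in built]

if __name__ == "__main__":
    tables, boundaries = build()
    print("distinct chains at each color boundary:", boundaries)
    hits = sum(invert(F(x), tables) is not None for x in range(0, N, 64))
    print("inverted", hits, "of", N // 64, "sampled targets")
```

The per-color counts returned by `precompute` show how merge removal shrinks the number of chains from one color boundary to the next, and `resolve` returning `None` is a false alarm.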

Journal of Applied Mathematics
Our analysis of the perfect fuzzy rainbow tradeoff will frequently utilize two approximation techniques. The first is the approximation (1 − (1/ )) ≈ − / . As explained in [12, Appendix A], this is appropriate when = ( ). The second technique is the approximation of a sum over a large index set into a definite integral. Both of these approximations will be very accurate, whenever we use them, as long as the tradeoff algorithm parameters are chosen reasonably. Throughout this paper, we will ignore multiplicative factors of 1 + (1/ ) size and write approximations of such order as equalities.

Analysis of the Perfect Table Fuzzy Rainbow Tradeoff
In this section, we analyze the online efficiency and the storage optimization issues for the perfect table fuzzy rainbow tradeoff. The expected computational complexity, rather than the worst case complexity, is computed and the effects of false alarms are fully taken into account. We always assume that the parameters , , and , for the perfect fuzzy rainbow tradeoff, are chosen to satisfy 2 = F msc N, with a matrix stopping constant F msc that is neither too large nor very close to zero.

Number of Color Boundary Points.
Let us consider a nonperfect fuzzy rainbow matrix created from 0 starting points and its nonperfect DP submatrices DM . For each 0 ≤ ≤ , the collection of points that form the boundaries of the nonperfect DP submatrices will be referred to as the th color boundary points of the nonperfect fuzzy rainbow matrix.
Our previous work [9] stated the relation and gave the iterative formula for computing , where F msc = ( 0 2 )/N is the matrix stopping constant for the nonperfect fuzzy rainbow matrix. The work also derived the closed-form approximation under the assumption that is large, and claimed this to be accurate for even small values. The claimed accuracy is verified once more through experiments for parameters of our interest in the Appendix, and we will assume (4) is sufficiently accurate for the purpose of this work in the remainder of this paper. Let us rewrite (4) in terms of the perfect fuzzy rainbow tradeoff parameters, so that the expression is more suitable for this work.

Lemma 1.
To create a perfect fuzzy rainbow matrix containing nonmerging chains, one must expect to generate 0 = (2/(2 − F )) chains. Furthermore, the number of th color boundary points in the nonperfect fuzzy rainbow matrix generated during this process is expected to be for = 0, 1, . . . , .
Proof. Substituting = into (4), we know that a nonperfect fuzzy rainbow matrix created with 0 starting points is expected to contain = (2/(2 + F msc )) 0 nonmerging chains, where F msc = ( 0 2 )/N. The requirement of = = (2/(2 + F msc )) 0 may be written as Solving this equation for F msc , we can rewrite it as which is equivalent to the first statement of this lemma. Substituting the first claim and the above equation into (4), we find and this is the second claim of this lemma.
The first two displayed equations appearing in this proof both imply that F msc < 2 is always satisfied, which is similar to the situation with perfect rainbow tradeoffs. The reader may have guessed that taking F msc very close to 2 corresponds to making bad parameter choices. In fact, we will later observe in Section 4.4 that F msc is bounded sufficiently away from 2 for any meaningful parameters and that the precomputation requirement grows unrealistically large as F msc approaches 2.
Because of its frequent appearances in the remainder of this section, we will introduce the notation When a small is in use, the symbol f should be understood as designating the middle term, with the second equality interpreted as an approximation. However, we will mostly take the final term as the definition of f , assuming to be sufficiently large, and use this notation even for = + 1 and = + 2. Since F msc is bounded away from 2 for all practical parameter sets, we may assume f to be of Θ(1/ ) order. Our use of the lower case letter f, rather than F, is meant to serve as a reminder that f is not of Θ(1) order. One can directly verify from the definition that Combination of the middle expression with the knowledge of f = Θ(1/ ) implies (f /f ) = Θ(1), for ≥ , and the right-hand side expression similarly implies the same claim, for ≥ .

Probability of Success.
An expression for the probability of success of the perfect fuzzy rainbow tradeoff is obtained in this subsection. We first define and present a formula for the precomputation coefficient of the algorithm.

Proposition 2.
The precomputation phase of the perfect table fuzzy rainbow tradeoff is expected to require F N iterations of the one-way function, where the precomputation coefficient is Proof. Since each DP chain is expected to be of length , on average, the computation of each temporary submatrix DM from its −1 distinct starting points requires −1 iterations of the one-way function. The effort of sorting the ending points ofDM , so that duplicates can be removed and the distinct starting points for the next submatrix are obtained, is of log order, which is much smaller than the effort of generating the submatrix, and can be ignored. Taking account of the ℓ tables, the cost of precomputation can be stated as Applying Lemma 1, we can write this as to obtain the claimed formula. Let us use the notation where |DM | denotes the number of distinct points expected in the th submatrix of a perfect fuzzy rainbow matrix, and define the coverage rate of a perfect fuzzy rainbow matrix to be Note that the definitions allow us to expect both F cr, and F cr to be of Θ(1) order. The coverage rate (15) of a perfect fuzzy rainbow matrix may be computed from and F msc through the following formula.

Lemma 3. The coverage rate of the DP submatrix DM is given by
Proof. Recall that DM is a subcollection of the chains appearing inDM . Note that the selection of chains fromDM to be retained in DM depends on the behavior of the chains that extend out from the ending points ofDM and is independent of the th submatrix itself. In other words, the chains of DM have been selected at random from the chains ofDM . Hence, the averages of chain lengths contained inDM and DM will be the same, and we can make the crucial observation that In other words, the coverage rate of DM is equal to the coverage rate ofDM . Now, recall that eachDM is simply a normal perfect DP matrix and also recall from [13] that the coverage rate of a perfect DP matrix D cr may be computed as where D msc = 2 /N is the matrix stopping constant for the perfect DP matrix of ending points. Thus we can write as claimed.
We are now ready to state the success probability of the perfect fuzzy rainbow tradeoff as a function of the algorithm parameters.

Proposition 4.
Consider an input to the one-way function that is chosen uniformly at random from the input space. Given the image of this input under the one-way function as the inversion target, the online phase of the perfect table fuzzy rainbow tradeoff will succeed in recovering the original input with probability Proof. The probability of success one can expect from the online processing of a single DP submatrix DM is |DM |/N. Since the submatrices were generated by different reduction functions, we may treat them as being independent. Thus, the probability of success for the complete online phase, taking all the ℓ tables into account, may be written as This can be approximated by as claimed.

Given any set of parameters, one can compute the success rate by combining the above formula with definition (15), Lemma 3, and notation (9). More precisely, the success rate may be seen as a function of F msc , ℓ/ , and , rather than as a function of the more basic constant and parameters N, , , ℓ, and .
The proposition also shows that one can fix positive integer and F msc < 2 to any value and still attain any success rate requirement F ps by adhering to the relation Note that this implies that, unless the requirement for the probability of success F ps is unrealistically close to 1, we will have ℓ/ = Θ(1). In other words, the parameters ℓ and will be of the same order.

Online Complexity.
The time memory tradeoff curve for the perfect fuzzy rainbow tradeoff is obtained in this subsection through a careful computation of the average case online execution complexities. This is the most complicated part of this paper. We start by assessing how likely each step of the online phase is to be executed.

Lemma 5.
The probability for an online chain that starts from the th color of a perfect fuzzy rainbow matrix to be generated, that is, the probability for the th DP submatrix DM to be searched for the correct answer, is where F is as given by Proposition 4.
Proof. The online chain that starts from the th color of a perfect fuzzy rainbow matrix will be generated if and only if the correct answer to the inversion target does not belong to the submatrices DM +1 , . . . , DM contained in the ℓ perfect fuzzy rainbow matrices. Hence, the probability under consideration is The equality claimed in the lemma statement follows from an application of Proposition 4.
The cost of generating the online chains is a direct corollary to this lemma. It suffices to realize that an online chain that starts from the th color is expected to be of length ( − + 1) and that there are ℓ tables to consider.

Proposition 6. The generation of the online chains for the perfect fuzzy rainbow tradeoff is expected to require iterations of the one-way function.
Our next goal is to obtain the cost of resolving alarms that appear during the online phase. This part calls for very delicate arguments involving random functions and is very technical. The practice-oriented reader can skip the following few lemmas and jump to Proposition 10.
We will consider an online chain that starts from the th color and treat the case of it merging into the fuzzy rainbow matrix within the th color and the case of it merging at a strictly later color separately. As a preliminary result, we require the probability for an online chain to merge into a fuzzy rainbow matrix.

Lemma 7.
An online DP chain segment of the th color will not merge into the nonperfect DP submatrix DM with probability (1/(1 + f )) = (f +2 /f ). The probability for an online chain that starts from the th color not to merge into the perfect fuzzy rainbow precomputation matrix is Proof. An online DP chain segment of the th color will escape merging into the nonperfect DP submatrix DM with probability where the approximation is justified by the facts ( /N) = Θ(1/ ) and ( |DM |/N) = Θ(1/ ). Substituting (2) into this expression and then applying (9), the probability can be written as The probabilities for an online chain to merge into DM and DM are usually different, but the two are the same when = . Now, an online chain that starts from the th color does not merge into the perfect precomputation matrix if and only if none of its DP chain segments merge into the submatrices DM , DM +1 , . . . , DM , and this happens if and only if the online DP chain segments do not merge into the nonperfect submatrices DM , DM +1 , . . . , DM . Here, we emphasize that a series of submatrices ending at the terminal th color is being considered. The claimed probability is the product of the term (1/(1 + f )) = ((f +2 )/f ) over = , . . . , .
The following lemma gives the cost of dealing with an alarm from a possible delayed merge, assuming the generation of an online chain that starts from the th color.

Lemma 8. Consider a single perfect fuzzy rainbow precomputation matrix and its associated colors. Assume the generation of an online chain for this matrix that starts from the th color. The cost of resolving an alarm that may be induced by a possible merge of this online chain into the fuzzy rainbow matrix strictly after the th color is expected to be iterations of the one-way function.
Proof. We require the probability for an online chain that starts from the th color to merge into the perfect fuzzy rainbow precomputation matrix without merging into the submatrix DM . Such a merge could occur through the following two separate events. (a) The th color online DP chain segment does not merge into the nonperfect submatrix DM , but the online chain part that extends out from the ending DP of the th color segment merges into the perfect precomputation matrix. (b) The th color online chain merges into DM , without merging into DM , in which case the online chain is destined to merge into the perfect precomputation matrix at a later color.
If the th color online DP chain segment does not merge into DM , the chain that extends from its ending point may still be iterated with a random function. Hence, it is clear from Lemma 7 that the probability for the (a)-event to occur is On the other hand, the extended part of the online chain is allowed no randomness in the (b)-event. We already know from the proof of Lemma 3 that an ending point of DM , that is, an ending point ofDM , has probability ( / ) = (f /f ) of remaining among the ending points of DM . Once again, Lemma 7 allows us to claim as the probability for the (b)-event to occur. The probability for a merge to appear strictly after the th color is the sum of the above two probabilities. A merge of the online chain into the precomputation matrix that appears strictly after the th color requires one to regenerate the associated precomputation chain up to the end of the th color. Note that (14) allows us to write the average chain length |DM |/ of each DP submatrix DM as F cr, . Hence, to resolve the alarm from the merge discussed above, one must expect to compute (F cr,1 + ⋅ ⋅ ⋅ + F cr, ) iterations of the one-way function.
The claimed cost of resolving alarms is a simple product of the merge probability and the work factor we have already stated.
The cost of dealing with an immediate merge of the online chain into the perfect precomputation matrix is given next.

Lemma 9. Consider a single perfect fuzzy rainbow precomputation matrix and its associated colors. Assume the generation of an online chain for this matrix that starts from the th color. The cost of resolving an alarm that may be induced by a possible merge of this online chain into the fuzzy rainbow matrix within the th color segment is expected to be approximately
iterations of the one-way function.
Proof. Arguments given in the proof of Lemma 8 already show that the probability for a merge to occur within the th color segment into the perfect DP submatrix is Since the online chain will merge into at most one precomputation chain in DM , it only remains to find out how much work is required to resolve such a merge. An alarm will require the associated precomputation chain to be regenerated at least up to the start of the th DP submatrix, and we saw during the proof of Lemma 8 that this costs (F cr,1 + ⋅ ⋅ ⋅ + F cr, −1 ) iterations of the one-way function. The number of additional th color segment iterations that are required must be handled more carefully. One can expect this to be larger than F cr, , because longer precomputation chains are more likely to be involved in merges.
The work [12] stated in its Lemma 12 that the cost of resolving alarms expected from the processing of a single nonperfect DP table is 2D msc iterations of the one-way function, where D msc is the matrix stopping constant of the nonperfect DP matrix. Following the arguments given in the proof of the same lemma, one can write the number of false alarms expected during the processing of a single DP table as Computing the ratio of these two numbers, we can conclude that, during the processing of a single nonperfect DP table, each alarm calls for 2 iterations of the one-way function to resolve, on average. Now, since (10) implies that ( / −1 ) = 1 − Θ(1/2 ), we know that only a small portion of DM is discarded in creating DM , so that the DP matrices DM and DM must be similar in their distributions of chain lengths. We also saw during the proof of Lemma 3 that the selection of DM from DM does not affect the distribution of chain lengths. Hence, it is reasonable to expect a merge of the online chain within the th color segment into either DM or DM to call for approximately 2 iterations of the th colored one-way function, on average.

We wish to add a small tweak to the 2 claim. Note that the average chain length of a nonperfect DP matrix is , whereas that of DM is F cr, . Since the average chain length may be understood as a concise representation of the distribution of chain lengths, one might expect 2F cr, , which takes the average chain length of DM into account, to be a better approximation of the additional work than 2 . In any case, since Lemma 3 implies that F cr, = 1 − Θ(1/4 ), we know that 2 and 2F cr, are very close to each other. In similarity, we choose to take (1 + F cr, ) as the number of extra th color iterations required, since this will make our later formulas look slightly simpler.
Combining Lemmas 8 and 9, we can state that the cost of dealing with an alarm that may be induced by an online chain generated from the th color is where we have relied on (10) Since, unlike other results of this paper, we have stated Lemma 9 only as an approximation, let us briefly explain that this is still very accurate. Using relation (10) and the rough approximations ∑ =1 F cr, = Θ( ) and f = Θ(1/ ), it is easy to verify the facts , This shows that, unless is very small, the first factor of (35) is at least times larger than the second factor. On the other hand, the proof of Lemma 9 shows that the error given by formula (35) will be more than sufficiently bounded by its second factor. Hence, we can expect (35) to be accurate up to a 1 + (1/ ) factor, at the worst. In fact, our testing to be presented in the Appendix confirms that the accuracy of (35) is much higher than what we have claimed here. The computational cost of dealing with the alarms is now a direct corollary to Lemmas 5, 8, and 9.
iterations of the one-way function.
The online computational complexity of the perfect fuzzy rainbow tradeoff can be stated as the sum of its two components stated by Propositions 6 and 10. Recalling from the discussion given under (23) that (ℓ/ ) = Θ(1), it is easy to argue that is of Θ( 2 2 ) order. The following time memory tradeoff curve is a direct consequence of our knowledge secured of the online time complexity and the observation that the storage complexity is = ℓ.

Theorem 11. The time memory tradeoff curve for the perfect table fuzzy rainbow tradeoff is TM
As a corollary to Lemma 5, we can state that the online phase of the perfect table fuzzy rainbow tradeoff is expected to call for lookups to the precomputation table. One can easily verify that this is of Θ( ) order, which is much smaller than the online computational complexity = Θ( 2 2 ).

Storage Optimization.
The storage complexity appearing in the tradeoff curve of Theorem 11 refers to the total number of entries that need to be stored in the precomputed tables. However, practical interest would be in the size of the required physical recording media expressed in number of bits. Hence, we need to discuss the number of bits occupied by each starting and ending point pair in the tables.
The naive approach would allocate 2 log N bits to each table entry, but there are more efficient methods. Each starting point can be recorded in log 0 bits [14][15][16] through the use of consecutive starting points. In storing the ending points, one need not record bits that can be recovered from the definition of the distinguishing property [15,17]. One can create an index table [15] for each sorted table and remove almost log most significant bits from each ending point. Finally, one could simply truncate the ending points [5,15] to a certain length before recording them, at the expense of dealing with additional false alarms arising from partial matches.
We will not explain the details of the methods mentioned above, since readable descriptions may be found in [12,13]. Let us just provide the explicit relation between the degree of truncation and the amount of online computation increased by the associated false alarms.

Proposition 12.
Assume the use of the ending point truncation method in which the probability for two truncated randomly chosen DPs to be identical is 1/ . Then, during the online phase of the perfect fuzzy rainbow tradeoff, one can expect to observe extra invocations of the one-way function induced by truncation-related alarms.
Proof. The probability for the ℓ online chains that start from the th color for each precomputation matrix to be generated is given by Lemma 5. The probability for such a generated chain not to merge into the perfect fuzzy rainbow precomputation matrix is given by Lemma 7. The probability for a nonmerging online chain to cause a truncation-related alarm with any one of the truncated ending points is 1/ and there are of these ending points, each of which could require separate treatment. Each alarm will require (F cr,1 + ⋅ ⋅ ⋅ + F cr, ) iterations of the one-way function to resolve. Taking the ℓ precomputation matrices into account, the claimed formula is a simple combination of the facts mentioned so far.
The cost stated above can easily be checked to be of Θ( 2 2 ( / )) order. One can show, either by comparing this against = Θ( 2 2 ) or through heuristic arguments, that the additional cost of resolving alarms induced by the ending point truncation technique can be suppressed to a negligible level by having the truncation retain slightly more than log bits of information for each ending point. The arguments appearing in [12,13] may then be repeated, almost word for word, to conclude that each entry of the perfect table fuzzy rainbow tradeoff can be recorded in log 0 + bits, where is a small positive integer.
The final conclusion made in the previous paragraph has not appeared before in the literature for the perfect fuzzy rainbow tradeoff. However, this is an expected result that has been obtained through straightforward adaptations of the arguments given in [12,13].
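The entry layout listed above (consecutive starting points, ending-point bits implied by the distinguishing property left unstored, an index table on the most significant bits, truncation of the remainder) can be tried at small scale. This is an added example, not the authors' code: the bit widths, the table size, the randomly drawn ending points and the names `m`, `keep_bits` and `INDEX_BITS` are assumptions made here, and `false_alarm_rate` measures how many stored entries a non-matching DP hits, which is about `m / r` when two truncated DPs coincide with probability `1/r`.

```python
import random

N_BITS = 32        # constructed size of a point in bits
DP_BITS = 8        # DP: 8 low bits are zero; implied by the property, never stored
INDEX_BITS = 10    # most significant bits absorbed by the index table (assumed split)
REST_BITS = N_BITS - DP_BITS - INDEX_BITS   # bits left to store or truncate


def random_dp(rng):
    """Draw a constructed distinguished point."""
    return rng.getrandbits(N_BITS - DP_BITS) << DP_BITS


def split(end_point, keep_bits):
    """Return (index-table key, truncated remainder) for a DP ending point."""
    payload = end_point >> DP_BITS                  # drop bits fixed by the DP property
    key = payload >> REST_BITS                      # carried by the index table
    rest = payload & ((1 << REST_BITS) - 1)
    return key, rest >> (REST_BITS - keep_bits)     # keep only the top keep_bits


def build_table(end_points, keep_bits):
    """Index table: key -> list of (truncated remainder, starting-point number)."""
    buckets = {}
    for sp_number, end_point in enumerate(end_points):   # consecutive starting points
        key, stored = split(end_point, keep_bits)
        buckets.setdefault(key, []).append((stored, sp_number))
    return buckets


def lookup(buckets, dp, keep_bits):
    """Starting-point numbers whose stored ending point matches dp after truncation."""
    key, stored = split(dp, keep_bits)
    return [sp for s, sp in buckets.get(key, []) if s == stored]


def bits_per_entry(m, keep_bits):
    """Starting-point number plus retained ending-point bits, per table entry."""
    return (m - 1).bit_length() + keep_bits


def false_alarm_rate(m, keep_bits, probes=2000, seed=1):
    """Average number of stored entries matched by a DP that is not in the table."""
    rng = random.Random(seed)
    end_points, seen = [], set()
    while len(end_points) < m:
        dp = random_dp(rng)
        if dp not in seen:
            seen.add(dp)
            end_points.append(dp)
    buckets = build_table(end_points, keep_bits)
    hits = tested = 0
    while tested < probes:
        dp = random_dp(rng)
        if dp in seen:
            continue                                 # only non-matching DPs are probed
        tested += 1
        hits += len(lookup(buckets, dp, keep_bits))  # every hit would be an alarm
    return hits / probes


if __name__ == "__main__":
    m = 4096
    for keep in (2, 6, REST_BITS):
        print(keep, bits_per_entry(m, keep), false_alarm_rate(m, keep))
```

With 4096 entries, the retained information is `INDEX_BITS + keep_bits` bits per ending point, so the rate falls from about one false candidate per lookup at 12 bits to about 1/16 at 16 bits.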

Algorithm Comparison
This section may be slightly difficult to understand in full if the reader is unfamiliar with the approach that was recently introduced by [12] to compare different tradeoff algorithms and its further developments made by [13,18]. However, we will refrain from providing lengthy repetitive explanation and justification of the comparison approach and ask the more interested reader to refer to the cited articles.

Overview of the Comparison Method.
Recall that the conclusion of [13], in overly simplified terms, was that the perfect rainbow tradeoff algorithm is superior to all the other widely known tradeoff algorithms. Also recall from our recent work [9] that the nonperfect version of the fuzzy rainbow tradeoff, which is not yet widely known, is preferable to the perfect rainbow tradeoff when one is constrained in precomputation resources. Hence, we wish to compare the performance of the perfect fuzzy rainbow tradeoff, which we have analyzed in this paper, against those of the perfect rainbow and the nonperfect fuzzy rainbow tradeoffs.
In the remainder of this paper, we will use symbols R and F to extend the notation we had been using concerning the perfect fuzzy rainbow tradeoff to the perfect rainbow and nonperfect fuzzy rainbow tradeoffs, and we will use the symbol X when we wish to reference a coefficient without making the tradeoff algorithm specific. For example, symbols R tc and F tc denote the tradeoff coefficients for the perfect rainbow and nonperfect fuzzy rainbow tradeoffs, respectively, and X tc refers to any tradeoff coefficient. The symbols F, R, and F will also be used as in F , R , and F to clarify that the parameter or some complexity value is to be associated with a certain algorithm.
We will follow the approach of [12] in comparing the performances of different tradeoff algorithms against each other. In short, a small number of success rate requirements X ps will be chosen, and a graph for each algorithm, displaying the upper level tradeoff between its precomputation cost and online cost, will be plotted. The overall relative positions of the curves corresponding to different algorithms, subject to the same X ps , will allow certain conclusions to be made concerning algorithm performances. The curves themselves will also be of value when choosing algorithm parameters for implementation.
It is clear that the precomputation cost of a tradeoff algorithm can be numerically represented in full by the precomputation coefficient X pc = ( /N). In the perfect fuzzy rainbow tradeoff case, this can be computed from Proposition 2, and the corresponding results for our two comparison target algorithms can be found in [9,13]. Note that X pc presents the computational cost as the number of iterations, in multiples of N, required of the common target one-way function, regardless of the tradeoff algorithm.
The online cost or efficiency of a tradeoff algorithm is mostly captured by its tradeoff coefficient. However, since the appearing in the definition X tc = 2 /N 2 represents the number of table entries, rather than the physical number of bits required to store the tables, the tradeoff coefficient cannot be used directly in comparing different algorithms. One must first adjust X tc to account for the differences in number of bits required per table entry by the algorithms being compared. For example, the comparison of the nonperfect DP and rainbow tradeoffs by [12] was carried out with the relatively adjusted tradeoff coefficients (1/4)D tc and R tc . The adjustment factor (1/2)^2 reflects the fact that the DP tradeoff requires roughly half as many bits to store each precomputation table entry in comparison to the rainbow tradeoff, under parameter choices that are typically considered during theoretical analyses of the tradeoff algorithms.

Tradeoff Coefficient Adjustment.
We wish to be slightly more careful in treating the tradeoff coefficient adjustment factors than focusing on just the theoretically typical parameters. In general, as a trivial extension of the approach given by [12], one can use the adjusted tradeoff coefficient  (42) to represent the online cost of each algorithm, and plot the X pc versus X atc curves to obtain a fair comparison of different algorithms. Here, the constant (3/(2 log N))^2 serves the purpose of bringing the adjustment factor to Θ(1) order at typical parameters and is not an essential factor for the purpose of comparisons. The tradeoff coefficients F tc , R tc , and F tc may be computed from Theorem 11 and the corresponding results from [9,13], but more work is required before we can specify the number of bits part more concretely for each algorithm.
Recalling the contents of Section 3.4 and Lemma 1, the adjusted tradeoff coefficient for the perfect fuzzy rainbow tradeoff may be written more concretely in terms of algorithm parameters as Referring to results from [9,13], it is not difficult to work out similar adjustment factors for the perfect rainbow and nonperfect fuzzy rainbow tradeoffs to claim as the more concrete expressions. The small positive integer corresponds to the number of ending point bits remaining after applications of the truncation and index file techniques. Working with Proposition 12 and corresponding results from [13,18], one can reasonably argue that for the three algorithms can be set to a common value, which is why we have not subscripted them with the algorithm symbols. The terms involving F msc and ℓ R , appearing in (43) and (44), have their roots in the merge removal process for producing perfect tables and reflect what fraction of the initially generated chains remains in the perfect table. Since the X pc -X atc curves are to be plotted using F msc and ℓ R as parameters, the existence of these terms will not cause any later difficulties. However, the three log values require further attention.
Note that one cannot hope to simply make independent log value choices that achieve optimality for each algorithm, since optimality cannot be defined objectively. The most favorable balance between precomputation cost , storage cost , and expected online inversion time is a subjective matter that would be different for every implementer and situation. For our algorithm comparison to be fair, the values log F , log R , and log F need to be left as choices to be made by the implementer. Nevertheless, we can still restrict the three choices to be made in a reasonably correlated manner. The natural approach is to correlate the choices through the requirement that the , , and complexities for the three algorithms be made roughly comparable and with the strict restriction that the success rates of the three algorithms be identical. Since the performances of the three algorithms commonly satisfy 2 ≈ N 2 , if an implementer under a specific situation is asked to produce parameter sets for the three algorithms that he deems favorable, his choices for the three algorithms would be roughly matching the performance figures , , and .
Let us now choose to view each positive integer as presenting a separate version of the perfect fuzzy rainbow algorithm. That is, we treat the perfect fuzzy rainbow tradeoff as a series of infinitely many different algorithms. A similar view will be taken of the nonperfect fuzzy rainbow algorithm. Below, we will describe a rule for correlating the parameter sets among these two infinite series of algorithms and the perfect rainbow tradeoff algorithm, for each fixed common probability of success X ps .
We first take integers ⋆ and ⋆ such that log ⋆ + 2 log ⋆ ≈ log N and set the perfect fuzzy rainbow parameters to for each ≥ 1, where the coverage rate F cr , corresponding to each , is to be computed through (9), Lemma 3, and (15). The perfect rainbow tradeoff parameters corresponding to the above are set to where R msc = ( R R /N), and in such a way that ℓ R is an integer. Finally, the nonperfect fuzzy rainbow parameters are set to for each ≥ 1, where F msc = ( F, 2 F, /N) and F cr is the coverage rate for the nonperfect fuzzy rainbow tradeoff. Note that the requirement log ⋆ + 2 log ⋆ ≈ log N does not affect the implementer's control over the --tradeoff in any way. Further note that one has sufficient control over F msc , ℓ R , and F msc , even when log ⋆ and log ⋆ are fixed to approximate values. That is, one can vary the X pc -X tc curve parameters F msc , ℓ R , and F msc quite freely while keeping all the log X values somewhat stable.
Using (23) and similar claims from [9,13], it is trivial to verify that all parameter sets achieve the same success rate X ps . It is also easy to verify, using the facts F = Θ( F 2 F F ), F = Θ( 2 F 2 F ), and F = Θ( F F ) and the corresponding facts from [9,13], that the performance figures , , and are of similar order for all the above parameter sets. In fact, it is possible to argue that the above method is the only possible manner in which comparable , , and complexities can be achieved by the different algorithms at a common success rate.
The reasonable association between the parameter sets for different algorithms given by (46), (47), and (48) allows the adjusted tradeoff coefficients to be written as where we have relied on log N ≈ log ⋆ + 2 log ⋆ in writing (50). We have also additionally subscripted the (adjusted) tradeoff coefficients with the parameter to make their dependence on more explicit. To compare the performances of different tradeoff algorithms, it now suffices to fix X ps , choose reasonable values for log ⋆ + and log N, and plot the X pc -X atc curves, for all the algorithms.

Choosing the Color Count .
Before comparing the perfect fuzzy rainbow tradeoff with the other two algorithms, we wish to make comparisons among the many versions of the perfect fuzzy rainbow tradeoff corresponding to different choices. A small number of the F pc -F atc curves are given in Figure 1.
The left-hand side box contains plots of the (F pc, , F tc, ) points, for the case when the success rate is set to 90% and log ⋆ + is set to 21. Each of the three curves is for specific values. The right-hand side box contains similar curves for the F ps = 90% and log ⋆ + = 33 case. Note that = 8 would be a reasonable value in view of the discussions given by Section 3.4 and that log ⋆ = 13 and log ⋆ = 25 are choices that would typically be made during theoretical discussions of the tradeoff technique for the very small N = 2^39 and the very large N = 2^75 search space sizes. Hence, our log ⋆ + = 21 and log ⋆ + = 33 examples are representative of the behaviors at both ends of the realistic tradeoff application environments.
Each curve has been plotted precisely to its lowest point. The curve points that would appear to the right of a lowest point are meaningless, since they correspond to parameter sets that call for higher precomputation efforts while achieving lower online efficiencies than the parameter sets corresponding to the lowest point.
One may roughly associate overall better performance with a curve that is closer to the lower left corner of each figure box. However, it can be seen that curves corresponding to different values may cross over each other. In fact, we could verify that the lowest curve in each box crosses over the middle curve appearing in its box at a high X atc value. Hence, one cannot claim one value to be providing definitely superior performance over another value, at least not strictly logically.
Nevertheless, if we restrict our attention to the lower parts of the curves, which are of higher practical interest than the high X atc parts, it becomes clear that little harm will be done by simplifying matters and ranking the performances for different choices based only on the lowest point of each curve. In other words, for practical purposes, it is sufficiently reasonable to declare an value to be optimal for a specific (F ps , log ⋆ + ) pair if We emphasize that such a simplification is possible only because of the nice relative positions of the many curves and that the same simplification may not be applicable to other comparison situations. The optimal number of colors , as defined through comparisons at the lowest points of the curves, is given by Table 1, for various success rate requirements F ps and a wide range of log ⋆ + values. The F msc value that attains the minimum possible F atc, value is listed under each optimal .

Some Observations.
It can be seen from Table 1 that the optimal value becomes larger as the success rate requirement is increased and also as the number of bits per table entry becomes larger. The same trend could be observed from an analogous table presented by [18] for the nonperfect fuzzy rainbow tradeoff.
An intuitive explanation for the trend concerning the success rate can be given as follows. Since the online phase of the fuzzy rainbow tradeoff processes the precomputation tables in parallel, a higher value, corresponding to higher segmentation of the precomputation matrix, allows for more immediate exit from the online phase upon an encounter with the correct answer. Early exits from the online phase are less common under low success rates, and the importance of higher value increases as the success rate requirement is increased. As for the trend related to the change in log ⋆ + , one could treat this as a natural scaling effect that accompanies the general increase in search space size associated with the increase in log ⋆ .
Let us now return to the definition of the adjusted tradeoff coefficient. A careful reading of [13] shows that they had ignored the term involving ℓ R from (50) in comparing the perfect rainbow tradeoff with the other major tradeoff algorithms. This was justified in their work based on the observation that the term remains upper bounded by a small number, when parameters are restricted to those that do not call for impractically large precomputation efforts.
Applying the same argument to the perfect fuzzy rainbow tradeoff, we can see that the log(2/(2 − F msc )) term of (49) is likewise upper bounded for parameters that are reasonable in view of precomputation cost. Hence, we could consider the possibility of using the adjusted tradeoff coefficient defined as This definition could be favorable to the previous definition (49), in view of simplicity. The effect of removing the log(2/(2 − F msc )) term can be seen from Figure 2. The curves for F atc, and F atc, are noticeably different from each other, and the use of the simpler (53) in place of the more accurate (49) cannot be justified.
An overview of Table 1 reveals that any reasonable choice of parameters will mostly satisfy the bound F msc ≤ 1.8, and this bound implies that the term log(2/(2 − F msc )) ≤ 3.32193 is always somewhat small. However, referring once more to Table 1, we see that log values of interest are not very large. Furthermore, practical values of log ⋆ + are not very large either. Hence, unlike the situation with the perfect rainbow tradeoff, the bound on log(2/(2 − F msc )) is not small enough, in comparison to the terms it is added together with, to be completely ignored.
Our final comment is intimately connected to the above discussion. Combining the bound F msc ≤ 1.8 with Proposition 2 and (23), we can state the bound concerning the precomputation coefficient. Hence, unless the success rate requirement is set unrealistically close to 1, precomputation cost will be automatically bounded by Θ(N) for all meaningful parameters.

Algorithm Comparison.
We are finally ready to compare the performance of the perfect fuzzy rainbow tradeoff with those of the perfect rainbow tradeoff and the nonperfect fuzzy rainbow tradeoff. The comparison at the 90% success rate is given by Figure 3, which presents the X pc -X atc curves for the three tradeoff algorithms. The left-hand side box was drawn with parameters that would be used with a very small search space and the right-hand side box represents the situation of a very large search space. The values for the perfect fuzzy rainbow tradeoffs were chosen to be the optimal ones given by Table 1. The corresponding table from [18] was used to decide on the values for the nonperfect fuzzy rainbow tradeoff.
The comparisons at 99% and 99.9% success rates are given by Figures 4 and 5. As before, parameters typically considered during theoretical analyses of the tradeoff algorithms corresponding to a small search space and a large search space were used. In every comparison box, the curve for the perfect fuzzy rainbow tradeoff appears much closer to the lower left corner than the points for the perfect rainbow tradeoff. The perfect fuzzy rainbow tradeoff can attain better online efficiency than the perfect rainbow tradeoff for the same online cost and attain equal online efficiency at lower precomputation cost. Furthermore, the perfect fuzzy rainbow tradeoff can attain online efficiency that is not possible with the perfect rainbow tradeoff.
Similar statements are true concerning the comparison between the perfect and nonperfect fuzzy rainbow tradeoffs, except that, at the lower end of the possible precomputation cost range, the two curves cross over each other, and the nonperfect fuzzy rainbow tradeoff can provide better online efficiency for the same precomputation effort. However, this is the region where the online efficiency is extremely bad, so that these parameters would be of limited practical interest.
In all, we can state that the perfect fuzzy rainbow tradeoff displays better performance than both the perfect rainbow tradeoff and the nonperfect fuzzy rainbow tradeoff, over a wide range of tradeoff algorithm application situations.

Conclusion
The execution behavior of the perfect table version of the fuzzy rainbow tradeoff algorithm was analyzed in this paper. The average case online computational complexity that fully accounts for the effects of false alarms was accurately obtained. The expected number of precomputation table entries and the number of bits required to record each table entry were also obtained accurately. The results of our complexity analysis were used to compare the performance of the perfect fuzzy rainbow tradeoff with those of other tradeoff algorithms. The perfect rainbow tradeoff was recently argued by [13] to be advantageous over all other widely known tradeoff algorithms, and our recent work [9] had shown that the less widely known nonperfect fuzzy rainbow tradeoff outperforms the perfect rainbow tradeoff under certain circumstances. Hence, our comparison targets were set to the perfect rainbow tradeoff and the nonperfect fuzzy rainbow tradeoff.
Figure 3: The adjusted tradeoff coefficients in relation to the precomputation coefficients for the perfect fuzzy rainbow, perfect rainbow, and nonperfect fuzzy rainbow tradeoffs at 90% success rate (bottom: X pc ; left: X atc ).
The comparison took the following aspects of the tradeoff algorithms into account: success rate of inversion, precomputation complexity, computational complexity of the online phase, and physical storage size of the precomputation table. The comparison called for a carefully designed rule that correlated the number of bits per table entry to be used by each algorithm in a fair manner. The current work is the first to include the effects arising from the merge removal process of the perfect table creation into this rule. We were able to conclude that the perfect fuzzy rainbow tradeoff is highly preferable to the perfect rainbow tradeoff. The perfect fuzzy rainbow tradeoff was also found to be superior to the nonperfect fuzzy rainbow tradeoff, except possibly at parameters that would have both of the algorithms performing very poorly during the online phase in exchange for a very small advantage in precomputation cost.

The one-way function for the tests was taken to be the key to ciphertext mapping, under a randomly generated fixed plaintext, of AES-128. Independence between multiple tests was acquired through distinct randomly generated plaintexts. Truncations of 128-bit ciphertexts to binary strings of a certain fixed length and zero-padded extensions of these to 128-bit keys were used to bring the search space to a manageable size. The parameter was always taken to be an integer power of 2, and the distinguishing property was set to check whether log least significant bits were zero. The reduction functions were set to constant XOR-ing operations.
Let us first check the accuracy of Lemma 1 through experiments. Recall that Lemma 1 is equivalent to (4) and that (4) was taken from our previous work [9], which dealt with the nonperfect fuzzy rainbow tradeoff. Note that the accuracy of (4) was already confirmed through tests in [18], even for small values. However, the parameter sets used there were such that the F msc = ( 0 2 )/N values were 0.92 and 1.37, and, according to (4), which is at least approximately correct, these correspond to F msc values of 0.63 and 0.81. The results of Section 4.3 imply that our current interest should be with parameter sets belonging to the rough range 1.5 ≤ F msc ≤ 1.8. Hence, we cannot rely on the previous test results to claim that the accuracy of Lemma 1 is sufficient for use with the perfect table case analysis.
One can infer from a careful review of how [9] obtained the approximate closed-form formula (4) from the iterative formula (3) that the inaccuracy of (4) is likely to increase as is made smaller and also as F msc is made to approach 2. We experimented with multiple parameter sets for which the ( , F msc ) pair was close to one of those appearing in Table 1, that is, those that correspond to optimal online efficiencies for some success rate requirement. We discovered that the inaccuracy was greater with optimal parameter sets for the lower success rates and that the level of (in)accuracy was rather stable among parameter sets for the same success rate. We could also confirm that the accuracy increased when F msc was made smaller under a fixed value.
Two of the test results are given by Figure 6. After choosing parameters , , , and N, we computed 0 through Lemma 1 and generated the fuzzy rainbow matrix from 0 starting points. A total of ten fuzzy rainbow matrices were generated for each parameter set, and the number of th color boundary points was recorded and averaged separately for each . A small number of chains did not reach a DP within our chain length bound of 15 , at various colors, and we discarded these without replacing them with newly generated chains. The lines of Figure 6 represent the theory given by Lemma 1 and the dots correspond to the experimental data. Each dot gives the count of the th color boundary points, averaged over ten tests.
The test results for the worst parameter set we had experimented with are given in the two left-hand side boxes of Figure 6. This is the situation where our theory is least accurate, but even in this case, the bottom box shows that the largest inaccuracy of (4) is approximately 5%. The right-hand side boxes present test results for a parameter set whose ( , F msc ) pair does not necessarily correspond to optimal online efficiency for any success rate. Since precomputation cost considerations will make parameter sets of suboptimal online efficiency more practical, the right-hand side boxes present the situation one would be experiencing in practice. The test results match our theory reasonably well, although not perfectly. We may conclude that Lemma 1 predicts the number of th color boundary points sufficiently accurately for use in practice.
We wish to remark that our test results are in almost perfect agreement with what can be computed through the iterative formula (3), which (4) is supposed to approximate. Since values of interest are of manageable sizes, one could always revert to using the iterative formula (3) should there be the need for higher accuracy.
Let us now explain our second experiment. One argument that was crucial during our analysis was that the selection process of DP subchains DM from among the DP subchains DM is not correlated with the lengths of the DP subchains in DM . This claim is equivalent to the equation that appeared during the proof of Lemma 3. This argument also allowed us to claim during the proof of Lemma 8 that (F cr,1 + ⋅ ⋅ ⋅ + F cr, ) iterations of the one-way function are necessary to regenerate a precomputation chain up to the th color. This is a new argument that had not been used in any of the previous works, and it would be reasonable to verify this claim experimentally. Note that Lemma 3 allows us to expect these values to be of 1 − Θ(1/4 ) order, implying that there are more discarded chains within each DP submatrix for smaller values. Hence, in testing (A.1), to increase the chances of discovering possible errors, one would not only choose parameters for which / is large but also choose to use small values. Since the formula of Lemma 3, given in terms of notation (9), is guaranteed to be accurate only for values of interest, which are not very small, it would be more appropriate to test our argument directly through (A.1), rather than through the formula of Lemma 3.
Test results for the two small = 8 and = 15 values are given in Table 2. The other parameters 0 and were chosen so that the corresponding experimentally obtained F msc = ( 2 )/N values would be large, corresponding to a large 0 / ratio, while still falling within our range of interest. Tests for each of the two parameter sets were repeated ten times. All figures displayed by Table 2, other than the parameters, including the and 2 /N values, are averages taken over the ten repetitions. In particular, the stated (|DM |/ )/(|DM |/ ) values are averages and not the simple ratios of the two averages appearing above these values. The experimental data strongly supports the correctness of (A.1).
Our third experiment aimed to test how accurate (35) was in presenting the cost of resolving a possible alarm associated with an online chain that is generated from the th color. This was of particular interest because the formula depended on Lemma 9, which was stated as an approximation. The experimental verification of (35) would also increase our confidence in the extremely delicate random function arguments we gave during the proof of Lemma 8.
The results of our tests that were carried out with two separate sets of parameters are given in Table 3. Each set of data involves 50 precomputation tables created from the specified 0 -many starting points. For each precomputation table and each fixed starting color , we generated sufficiently many online chains so as to observe approximately 2000 merges. Our test results are in good agreement with our theoretical predictions given by (35).
We have added another row of theoretical predictions in Table 3. Tracing back through the proofs of Lemmas 7, 8, and 9 and referring to Lemmas 1 and 3, one can see that (35) is a simplified expression for Since Lemma 1 is a closed-form formula that approximates the iterative formula (3), our theoretical predictions of the alarm cost can be made more accurate through (A.2) and (3), although the required calculations can be slightly uncomfortable due to the iterative nature of (3). Indeed, we can see in Table 3 that the theoretical predictions made through (A.2) and (3) are even closer to the test results than the predictions of the closed-form formula (35).
Finally, we present an experimental verification of Theorem 11, which is essentially equivalent to the claim that (38) gives the online computational complexity of the perfect fuzzy rainbow tradeoff. Since this test was meant to be an overall sanity check of our theory, we used realistic values.
For each choice of parameters , , , and ℓ, we computed 0 through Lemma 1 and generated a full set of ℓ precomputation tables, each from 0 starting points. After the completion of each precomputation phase, we generated 10^4 random inversion targets and performed the online phase. Test results corresponding to three separate parameter sets are displayed in Table 4. During both the precomputation and the online phases, we discarded any chain that reached the length of 15 without a DP within any of its subchains. The computational effort associated with these discarded chains is included in the test online complexities.
Let us take a closer look at the first parameter set. Noting that log = 21.0, we truncated each ending point to the length of log |ep| = 26 bits, allowing for 5.0 extra bits of information. A small fraction of the ending points were made identical to each other, and we were careful to process all matching truncated ending points during the online phase. An 18-bit index is reasonable for the log = 21.0 situation, and its application to our truncated 26-bit ending points would allow each ending point to be stored in = 3.0 + 5.0 = 26-18 bits. However, we did not do so in favor of easier implementation and simply allocated 3 bytes and 4 bytes to the starting and ending points, respectively. Since log( / ) = 15.2, we are dealing with the log ⋆ + ≈ 23 situation, and we can check through Table 1 that Test-1 used a parameter set for the 90% success rate that is close to optimal in view of the online phase.
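The index-based storage of truncated ending points described above can be sketched as follows. This is an added example, not the authors' implementation: the class and function names are hypothetical, and keeping the low 26 bits when truncating is an assumption. It returns every row that matches a truncated ending point, since distinct ending points can become identical after truncation.

```python
from array import array

EP_BITS, INDEX_BITS = 26, 18       # lengths quoted in the text
LOW_BITS = EP_BITS - INDEX_BITS    # 8 bits actually stored per ending point
LOW_MASK = (1 << LOW_BITS) - 1

def truncate(ep):
    # Assumption: truncation keeps the low EP_BITS bits of the ending point.
    return ep & ((1 << EP_BITS) - 1)

class IndexedTable:
    """Sorted table where the top INDEX_BITS of each truncated ending
    point are implied by its position, so only LOW_BITS are stored."""

    def __init__(self, chains):
        # chains: iterable of (starting_point, full_ending_point)
        rows = sorted((truncate(ep), sp) for sp, ep in chains)
        self.starts = [sp for _, sp in rows]
        self.lows = bytes(t & LOW_MASK for t, _ in rows)
        # index[p] = position of the first row whose prefix is >= p
        index = array("I", [0]) * ((1 << INDEX_BITS) + 1)
        for t, _ in rows:
            index[(t >> LOW_BITS) + 1] += 1
        for p in range(1, len(index)):
            index[p] += index[p - 1]
        self.index = index

    def lookup(self, ep):
        """Return starting points of ALL rows matching the truncated ep."""
        t = truncate(ep)
        prefix, low = t >> LOW_BITS, t & LOW_MASK
        lo, hi = self.index[prefix], self.index[prefix + 1]
        return [self.starts[i] for i in range(lo, hi) if self.lows[i] == low]

def demo():
    # Constructed sample: the first two ending points differ only above
    # bit 26, so they collide after truncation and both must be reported.
    chains = [(11, 0x1234567), (22, 0x1234567 | (1 << 30)),
              (33, 0x0ABCDEF), (44, 0x1234568)]
    table = IndexedTable(chains)
    return (table.lookup(0x1234567), table.lookup(0x0ABCDEF),
            table.lookup(0x3FFFFFF), len(table.lows))

if __name__ == "__main__":
    print(demo())
```

Each starting point returned by a lookup still has to be checked by regenerating its chain, which is where the extra false-alarm cost of truncation comes from.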
Our Test-2 implementation recorded 24 bits of each ending point and this would correspond to log ⋆ + = 13.1 + 24 − 16 ≈ 21.1, when a 16-bit index is used. Intending to reach a 95% success rate, we used = 56, which is close to the optimal value for this situation. However, the and parameters were chosen so that the F msc value is smaller than what is optimal for the online phase. This parameter set should be more practical in view of lower precomputation cost.
Table 3: Experimental verification of theoretically obtained expected cost of resolving a possible alarm associated with an online chain that starts from the th color.
Parameters for Test-3 were likewise chosen to be realistic rather than to be optimal for the online phase. One difference with the parameter set for Test-2 is that we truncated the ending points to a slightly longer length. We could verify that our prediction of the cost of resolving alarms was more accurate for this case than Test-1 and Test-2.
The theory and experimental figures for the three tests are in good agreement. In reality, as can be expected from Figure 6, the average values from the tests are slightly larger than our predictions and this brings about a success rate that is higher than expected. The higher success rate lowers the cost of generating online chains, while application of the ending point truncation technique raises the cost of resolving false alarms. The combination of the two opposite effects is what we are seeing in Table 4. We have verified through separate computations that replacing Lemma 1 with its iterative counterpart (3) produces even better predictions of at least the costs of generating the online chains. Hence, the small discrepancies between theory and test found in Table 4 are due to the accuracy limitations of Lemma 1 rather than to any oversights in our theoretical arguments.