LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is a reduction function, and why is it the secret ingredient that makes rainbow tables work?

A reduction function maps a hash back to a plaintext-shaped string — not the original password, but some valid candidate in the target keyspace. It's what lets a chain alternate hash → plaintext → hash → plaintext.

Why we need it:

Hash functions are one-way — you can't "un-hash." So how does a rainbow chain go password → hash → password → hash → ...?

Answer: between hashes, you apply a reduction function that converts the hash bits into something that looks like a password. It's not a true inverse — it's just any deterministic function that maps a hash → a string in your password keyspace.

Toy example:

For 4-char lowercase passwords:

Reduce(hash) = take the hash mod 26⁴, interpret as 4 lowercase letters

So hash("apple") = 0x1f3d8a4e... → reduce → "kqzm" (some other 4-char word). Then hash("kqzm") = 0x9b2c... → reduce → "vnxp". And so on.

Why this builds a useful index:

Each chain covers ~thousands of (password, hash) pairs while storing only the start and end. To crack a hash:

  1. Apply reduce → get candidate plaintext
  2. Hash it, apply reduce, hash, reduce... up to chain length
  3. If you hit a known endpoint → recompute that chain from its start
  4. The plaintext just before your target hash IS the original password

Why "rainbow":

Original Hellman tables used ONE reduction function — collisions caused chains to merge and waste space. Philippe Oechslin's 2003 innovation: use a different reduction function at each step of the chain. Visualized as colored layers → "rainbow" tables. This dramatically reduces chain merges and improves coverage.

Why salting kills this:

Reduction functions are designed for a specific keyspace. A salt extends the input by random bytes, so the "plaintext" the reduction function produces no longer matches what was actually hashed. Every salt → entirely new table needed.

Tip: This is why rainbow tables are tied to a specific (algorithm, charset, length) combo — the reduction function bakes those assumptions in. An NTLM-lowercase-7-char table is useless for SHA-256 or for 8-char passwords.

Deep dive: https://en.wikipedia.org/wiki/Rainbow_table#Precomputed_hash_chains and Ryan Sheasby's series for the visual intuition.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 05, 2026