A way to detect a collision… Birthday Attacks A way to detect a collision…
Principle Of MD Strongly collision-free: Can’t find any pair m1 ≠ m2 such that h(m1)=h(m2) easily (Sometimes we can settle for weakly collision-free: given m, can’t find m’ ≠ m with h(m) = h(m’). The birthday paradox doesn’t mean that there’s a high probability that someone else has my birthday. Likewise, the birthday paradox doesn’t mean that finding a collision with a known digest is easy. We can calculate how many messages we need to hash to have a good chance of finding a collision.
Definition Birthday attacks are a class of brute-force techniques that target the cryptographic hash functions. The goal is to take a cryptographic hash function and find two different inputs that produce the same output.
The Birthday Problem What is the probability that at least two of r randomly selected people have the same birthday? (Same month and day, but not necessarily the same year.)
The Birthday Paradox How large must r be so that the probability is greater than 50 percent? The answer is 23 It is a paradox in the sense that a mathematical truth contradicts common intuition.
Birthday Calendar Wall Equivalence to our hashing space Jan 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Calculating the Probability-1 Assumptions Nobody was born on February 29 People's birthdays are equally distributed over the other 365 days of the year
Calculating the Probability-2 In a room of k people q: the prob. all people have different birthdays p: the prob. at least two of them have the same birthdays
Birthday Attacks Birthday paradox In a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%. Finding two people with the same birthday is the same thing as finding a collision for this particular hash function.
Collision Search-1 For collision search, select distinct inputs xi for i=1, 2, ... , n, where n is the number of hash bits and check for a collision in the h(xi) values The prob. that no collision is found after selecting k inputs is (In the case of the birthday paradox r is the number of people randomly selected and the collision condition is the birthday of the people and n=365.)
Birthday Attacks The probability that all 23 people have different birthdays is Therefore, the probability of at least two having the same birthday is 1- 0.493 = 0.507
Exact solution: use fractions Approximate solution: More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then Exact solution: use fractions Approximate solution:
Birthday paradox in our class What’s the chances that two people in our class of 43 have the same birthday? Approximate solution: Where r = 43 people, and N = 365 choices
Birthday Attacks On Hash Function The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large. Suppose h is an n-bit hash function. Then there are N = 2n possible outputs. We have the situation of list of length r≈ “people” with N possible “birthdays,” so there is a good chance of having two values with the same hash value. If the hash function outputs 128-bit values, then the lists have length around 264 ≈1019, which is too large, both in time and in memory.
Collision Search-2 For large n
Collision Search-3 When r is large, the percentage difference between r and r-1 is small, and we may approximate r-1 r.
Birthday Attacks Choosing r2/2N = ln2, we find that if r≈1.177 , then the probability is 50% that at least two people choose the same object. If there are N possibilities and we have a list of length , then there is a good chance of a match. If we want to increase the chance of a match, we can make a list of length of a constant times .
Collision Search-4 For the birthday case, the value of r that makes the probability closest to 1/2 is 23
(Example) (Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits? (Solution) N=1000, r=40 1. Approximation: 2. The exact answer:
Birthday Attacks What is the probability that none of these 40 license plates ends in the same 3 digits as yours? The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.
Birthday Attacks on Different Set/Group Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group choose the same object as someone from the second group? Eg. If we take N=365 and r=30, then
Birthday Attacks discrete logarithm A birthday attack on discrete logarithm We want to solve αx≡β (mod p). Make two lists, both of length around 1st list: αk (mod p) for random k. 2nd list: βα-h (mod p) for random h. There is a good chance that there is a match αk ≡ βα-h (mod p), hence x=k+h. Compared with BSGS: BSGS algorithm is deterministic while the birthday attack algorithm is probabilistic.
Attack Prevention The important property is the length in bits of the message digest produced by the hash function. If the number of m bit hash , the cardinality n of the hash function is The 0.5 probability of collision for m bit hash, expected number of operation k before finding a collision is very close to m should be large enough so that it’s not feasible to compute hash values!!!