A way to detect a collision…

Slides:



Advertisements
Similar presentations
Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday.
Advertisements

Line Efficiency     Percentage Month Today’s Date
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Announcements: 1. Class cancelled tomorrow 2. HW7 due date moved to Thursday. Questions? This week: Birthday attacks, Digital signatures Birthday attacks,
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez.
1 Hash Functions. 2 A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
The Birthday Paradox July Definition 2 Birthday attacks are a class of brute-force techniques that target the cryptographic hash functions. The.
1 4.1 Hash Functions and Data Integrity A cryptographic hash function can provide assurance of data integrity. ex: Bob can verify if y = h K (x) h is a.
Jan 2016 Solar Lunar Data.
DTTF/NB479: Dszquphsbqiz Day 26
Security of Message Digests
The 6 steps of data collection:
Topic 14: Random Oracle Model, Hashing Applications
Q1 Jan Feb Mar ENTER TEXT HERE Notes
Cryptographic Hash Functions Part I
Cryptography Lecture 13.
Cryptographic Hash Functions
Average Monthly Temperature and Rainfall
ICS 454 Principles of Cryptography
Cryptographic Hash Functions
Hypothesis Testing and Confidence Intervals
2017 Jan Sun Mon Tue Wed Thu Fri Sat

Gantt Chart Enter Year Here Activities Jan Feb Mar Apr May Jun Jul Aug
Q1 Q2 Q3 Q4 PRODUCT ROADMAP TITLE Roadmap Tagline MILESTONE MILESTONE
Free PPT Diagrams : ALLPPT.com
ICS 454 Principles of Cryptography

Calendar Year 2009 Insure Oklahoma Total & Projected Enrollment
Jan Sun Mon Tue Wed Thu Fri Sat
DTTF/NB479: Dszquphsbqiz Day 27
Lecture 4.1: Hash Functions: Introduction
Hash Functions Motivation Hash Functions: collision, pre-images SHA-1
The Birthday Paradox June 2012.
©G Dear 2008 – Not to be sold/Free to use
Cryptographic Hash Functions Part I
Electricity Cost and Use – FY 2016 and FY 2017
Lecture 4.1: Hash Functions, and Message Authentication Codes
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
One Way Functions Motivation Complexity Theory Review, Motivation
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
Q1 Q2 Q3 Q4 PRODUCT ROADMAP TITLE Roadmap Tagline MILESTONE MILESTONE
Cryptography Lecture 14.
Free PPT Diagrams : ALLPPT.com
Hashing Hash are the auxiliary values that are used in cryptography.
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
Text for section 1 1 Text for section 2 2 Text for section 3 3
Cryptography Lecture 13.
DATA STRUCTURES-COLLISION TECHNIQUES
Lecture 4: Hash Functions
DATA STRUCTURES-COLLISION TECHNIQUES

Hash Function Requirements
CRYPTOGRAPHY & NETWORK SECURITY
When Intuition Fails Us
Q1 Q2 Q3 Q4 PRODUCT ROADMAP TITLE Roadmap Tagline MILESTONE MILESTONE
Presentation transcript:

A way to detect a collision… Birthday Attacks A way to detect a collision…

Principle Of MD Strongly collision-free: Can’t find any pair m1 ≠ m2 such that h(m1)=h(m2) easily (Sometimes we can settle for weakly collision-free: given m, can’t find m’ ≠ m with h(m) = h(m’). The birthday paradox doesn’t mean that there’s a high probability that someone else has my birthday. Likewise, the birthday paradox doesn’t mean that finding a collision with a known digest is easy. We can calculate how many messages we need to hash to have a good chance of finding a collision.

Definition Birthday attacks are a class of brute-force techniques that target the cryptographic hash functions. The goal is to take a cryptographic hash function and find two different inputs that produce the same output.

The Birthday Problem What is the probability that at least two of r randomly selected people have the same birthday? (Same month and day, but not necessarily the same year.)

The Birthday Paradox How large must r be so that the probability is greater than 50 percent? The answer is 23 It is a paradox in the sense that a mathematical truth contradicts common intuition.

Birthday Calendar Wall Equivalence to our hashing space Jan 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Feb   Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Calculating the Probability-1 Assumptions Nobody was born on February 29 People's birthdays are equally distributed over the other 365 days of the year

Calculating the Probability-2 In a room of k people q: the prob. all people have different birthdays p: the prob. at least two of them have the same birthdays

Birthday Attacks Birthday paradox In a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%. Finding two people with the same birthday is the same thing as finding a collision for this particular hash function.

Collision Search-1 For collision search, select distinct inputs xi for i=1, 2, ... , n, where n is the number of hash bits and check for a collision in the h(xi) values The prob. that no collision is found after selecting k inputs is (In the case of the birthday paradox r is the number of people randomly selected and the collision condition is the birthday of the people and n=365.)

Birthday Attacks The probability that all 23 people have different birthdays is Therefore, the probability of at least two having the same birthday is 1- 0.493 = 0.507

Exact solution: use fractions Approximate solution: More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then Exact solution: use fractions Approximate solution:

Birthday paradox in our class What’s the chances that two people in our class of 43 have the same birthday? Approximate solution: Where r = 43 people, and N = 365 choices

Birthday Attacks On Hash Function The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large. Suppose h is an n-bit hash function. Then there are N = 2n possible outputs. We have the situation of list of length r≈ “people” with N possible “birthdays,” so there is a good chance of having two values with the same hash value. If the hash function outputs 128-bit values, then the lists have length around 264 ≈1019, which is too large, both in time and in memory.

Collision Search-2 For large n

Collision Search-3 When r is large, the percentage difference between r and r-1 is small, and we may approximate r-1  r.

Birthday Attacks Choosing r2/2N = ln2, we find that if r≈1.177 , then the probability is 50% that at least two people choose the same object. If there are N possibilities and we have a list of length , then there is a good chance of a match. If we want to increase the chance of a match, we can make a list of length of a constant times .

Collision Search-4 For the birthday case, the value of r that makes the probability closest to 1/2 is 23

(Example) (Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits? (Solution) N=1000, r=40 1. Approximation: 2. The exact answer:

Birthday Attacks What is the probability that none of these 40 license plates ends in the same 3 digits as yours? The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.

Birthday Attacks on Different Set/Group Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group choose the same object as someone from the second group? Eg. If we take N=365 and r=30, then

Birthday Attacks discrete logarithm A birthday attack on discrete logarithm We want to solve αx≡β (mod p). Make two lists, both of length around 1st list: αk (mod p) for random k. 2nd list: βα-h (mod p) for random h. There is a good chance that there is a match αk ≡ βα-h (mod p), hence x=k+h. Compared with BSGS: BSGS algorithm is deterministic while the birthday attack algorithm is probabilistic.

Attack Prevention The important property is the length in bits of the message digest produced by the hash function. If the number of m bit hash , the cardinality n of the hash function is The 0.5 probability of collision for m bit hash, expected number of operation k before finding a collision is very close to m should be large enough so that it’s not feasible to compute hash values!!!