Birthday attack

From Wikipedia, the free encyclopedia

A birthday attack is a type of cryptographic attack, so named because it exploits the mathematics behind the birthday paradox. Given a function f, the goal of the attack is to find two inputs Failed to parse (Missing texvc executable; please see math/README to configure.): x_1,x_2

such that Failed to parse (Missing texvc executable; please see math/README to configure.): f(x_1)=f(x_2)

. Such a pair Failed to parse (Missing texvc executable; please see math/README to configure.): x_1,x_2

is called a collision. The method used to find a collision is to simply evaluate the function f for different input values that may be chosen randomly or pseudorandomly until the same result is found more than once. Because of the birthday paradox this method can be rather efficient. Specifically, if a function Failed to parse (Missing texvc executable; please see math/README to configure.): f(x)
yields any of Failed to parse (Missing texvc executable; please see math/README to configure.): H
different outputs with equal probability and Failed to parse (Missing texvc executable; please see math/README to configure.): H
is sufficiently large, then we expect to obtain a pair of different arguments Failed to parse (Missing texvc executable; please see math/README to configure.): x_1
and Failed to parse (Missing texvc executable; please see math/README to configure.): x_2
with Failed to parse (Missing texvc executable; please see math/README to configure.): f(x_1) = f(x_2)
after evaluating the function for about Failed to parse (Missing texvc executable; please see math/README to configure.): 1.25 \cdot \sqrt H
different arguments on average.

1 The mathematics
2 See also
3 References
4 Notes and references
5 External links

The mathematics

Main article: birthday problem

We consider the following experiment. From a set of Failed to parse (Missing texvc executable; please see math/README to configure.): H

values we choose Failed to parse (Missing texvc executable; please see math/README to configure.): n
values uniformly at random thereby allowing repetitions.

Let Failed to parse (Missing texvc executable; please see math/README to configure.): p(n;H)

be the probability that during this experiment at least one value is chosen more than once. This probability can be approximated as

Failed to parse (Missing texvc executable; please see math/README to configure.): p(n;H) \approx 1 - e^{-(n(n-1))/2 \cdot H} \approx 1-e^{-n^2/{2 \cdot H}},

Let Failed to parse (Missing texvc executable; please see math/README to configure.): n(p;H)

be the smallest number of values we have to choose, such that the expected probability for finding a collision is at least Failed to parse (Missing texvc executable; please see math/README to configure.): p

. By inverting this expression above, we find the following approximation

Failed to parse (Missing texvc executable; please see math/README to configure.): n(p;H)\approx \sqrt{2\cdot H\cdot\ln\left({1 \over 1-p}\right)},

and assigning a 0.5 probability of collision we arrive at

Failed to parse (Missing texvc executable; please see math/README to configure.): n(0.5;H) \approx 1.1774 \sqrt H

Let Failed to parse (Missing texvc executable; please see math/README to configure.): Q(H)

be the expected number of values we have to choose before finding the first collision. This number can be approximated by

Failed to parse (Missing texvc executable; please see math/README to configure.): Q(H)\approx \sqrt{{\pi\over 2}H}.

As an example, if a 64 bit hash is used, there are approximately 1.8 × 10¹⁹ different outputs. If these are all equally probable (the best case), then it would take 'only' approximately 5.1 × 10⁹ attempts to generate a collision using brute force. This value is called birthday bound^[1] and for n-bit codes it could be computed as Failed to parse (Missing texvc executable; please see math/README to configure.): 2^{n/2} .^[2] Other examples are as follows:

Bits	Possible outputs (H)	Desired probability of random collision (p)
Bits	Possible outputs (H)	10⁻¹⁸	10⁻¹⁵	10⁻¹²	10⁻⁹	10⁻⁶	0.1%	1%	25%	50%	75%
32	4.3 × 10⁹	<1	<1	<1	2.9	93	2.9 × 10³	9.3 × 10³	5.0 × 10⁴	7.7 × 10⁴	1.1 × 10⁵
64	1.8 × 10¹⁹	6.1	1.9 × 10²	6.1 × 10³	1.9 × 10⁵	6.1 × 10⁶	1.9 × 10⁸	6.1 × 10⁸	3.3 × 10⁹	5.1 × 10⁹	7.2 × 10⁹
128	3.4 × 10³⁸	2.6 × 10¹⁰	8.2 × 10¹¹	2.6 × 10¹³	8.2 × 10¹⁴	2.6 × 10¹⁶	8.3 × 10¹⁷	2.6 × 10¹⁸	1.4 × 10¹⁹	2.2 × 10¹⁹	3.1 × 10¹⁹
256	1.2 × 10⁷⁷	4.8 × 10²⁹	1.5 × 10³¹	4.8 × 10³²	1.5 × 10³⁴	4.8 × 10³⁵	1.5 × 10³⁷	4.8 × 10³⁷	2.6 × 10³⁸	4.0 × 10³⁸	5.7 × 10³⁸
384	3.9 × 10¹¹⁵	8.9 × 10⁴⁸	2.8 × 10⁵⁰	8.9 × 10⁵¹	2.8 × 10⁵³	8.9 × 10⁵⁴	2.8 × 10⁵⁶	8.9 × 10⁵⁶	4.8 × 10⁵⁷	7.4 × 10⁵⁷	1.0 × 10⁵⁸
512	1.3 × 10¹⁵⁴	1.6 × 10⁶⁸	5.2 × 10⁶⁹	1.6 × 10⁷¹	5.2 × 10⁷²	1.6 × 10⁷⁴	5.2 × 10⁷⁵	1.6 × 10⁷⁶	8.8 × 10⁷⁶	1.4 × 10⁷⁷	1.9 × 10⁷⁷

Table shows number of hashes n(p) needed to achieve the given probability of success, assuming all hashes are equally likely. For comparison, 10⁻¹⁸ to 10⁻¹⁵ is the uncorrectable bit error rate of a typical hard disk [1]. In theory, MD5, 128 bits, should stay within that range until about 820 billion documents, even if its possible outputs are many more.

It is easy to see that if the outputs of the function are distributed unevenly, then a collision can be found even faster. The notion of 'balance' of a hash function quantifies the resistance of the function to birthday attacks and allows the vulnerability of popular hashes such as MD and SHA to be estimated (Bellare and Kohno, 2004).

Digital signatures can be susceptible to a birthday attack. A message Failed to parse (Missing texvc executable; please see math/README to configure.): m

is typically signed by first computing Failed to parse (Missing texvc executable; please see math/README to configure.): f(m)

, where Failed to parse (Missing texvc executable; please see math/README to configure.): f

is a cryptographic hash function, and then using some secret key to sign Failed to parse (Missing texvc executable; please see math/README to configure.): f(m)

. Suppose Alice wants to trick Bob into signing a fraudulent contract. Alice prepares a fair contract Failed to parse (Missing texvc executable; please see math/README to configure.): m

and a fraudulent one Failed to parse (Missing texvc executable; please see math/README to configure.): m'

. She then finds a number of positions where Failed to parse (Missing texvc executable; please see math/README to configure.): m

can be changed without changing the meaning, such as inserting commas, empty lines, one versus two spaces after a sentence, replacing synonyms, etc. By combining these changes, she can create a huge number of variations on Failed to parse (Missing texvc executable; please see math/README to configure.): m
which are all fair contracts. In a similar manner, she also creates a huge number of variations on the fraudulent contract Failed to parse (Missing texvc executable; please see math/README to configure.): m'

. She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, Failed to parse (Missing texvc executable; please see math/README to configure.): f(m) = f(m') . She presents the fair version to Bob for signing. After Bob has signed, Alice takes the signature and attaches it to the fraudulent contract. This signature then "proves" that Bob signed the fraudulent contract. This differs slightly from the original birthday problem, as Alice gains nothing by finding two fair or two fraudulent contracts with the same hash. Alice's optimum strategy is to generate "pairs" of one fair and one fraudulent contract. Then Alice compares each freshly-generated pair to all other pairs; that is, she compares the new fair hash to all previous fraudulent hashes, and the new fraudulent contract to all previous fair hashes (but doesn't bother comparing fair hashes to fair or fraudulent to fraudulent). The birthday problem equations apply where "n" is the number of pairs. (The number of hashes Alice actually generates is 2n.)

To avoid this attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible, i.e. about twice as many bits as are needed to prevent an ordinary brute force attack.

Pollard's rho algorithm for logarithms is an example for an algorithm using a birthday attack for the computation of discrete logarithms.

References

Mihir Bellare, Tadayoshi Kohno: Hash Function Balance and Its Impact on Birthday Attacks. EUROCRYPT 2004: pp401–418
Applied Cryptography, 2nd ed. by Bruce Schneier

Notes and references

^ See upper and lower bounds.
^ Jacques Patarin, Audrey Montreuil (2005). "Benes and Butterfly schemes revisited" (PostScript, PDF). Université de Versailles. Retrieved on 2007-03-15.

External links

"What is a digital signature and what is authentication?" from RSA Security's crypto FAQ.
"Parallel collision search with cryptanalytic applications, by Michael Wiener and Paul C. van Oorschot

Cryptographic hash functions and Message authentication codes (MACs) v • d • e
Hash algorithms: Gost-Hash \| HAS-160 \| HAVAL \| MDC-2 \| MD2 \| MD4 \| MD5 \| N-Hash \| RadioGatún \| RIPEMD \| SHA family \| Snefru \| Tiger \| WHIRLPOOL \| crypt(3) DES
MAC algorithms: DAA \| CBC-MAC \| HMAC \| OMAC/CMAC \| PMAC \| UMAC \| Poly1305-AES
Authenticated encryption modes: CCM \| CWC \| EAX \| GCM \| OCB
Attacks: Hash collision \| Birthday attack \| Preimage attack \| Rainbow table \| Brute force attack
Standardization: CRYPTREC \| NESSIE
Misc: Avalanche effect \| Hash collision \| Merkle-Damgård construction
Cryptography v • d • e
History of cryptography \| Cryptanalysis \| Cryptography portal \| Topics in cryptography
Symmetric-key algorithm \| Block cipher \| Stream cipher \| Public-key cryptography \| Cryptographic hash function \| Message authentication code \| Random numbers