Birthday attack

From Wikipedia, the free encyclopedia

A birthday attack is a type of cryptographic attack which exploits the mathematics behind the birthday paradox, making use of a space-time tradeoff. Specifically, if a function f(x) yields any of H different outputs with equal probability and H is sufficiently large, then after evaluating the function for about 1.2 \cdot \sqrt H different arguments we expect to obtain a pair of different arguments x1 and x2 with f(x1) = f(x2), known as a collision.

Contents

[edit] The mathematics

To show this, we start with the Taylor series approximation to the probability of two people having the same birthday. In this case, replace the number of days in a year with the number of unique outputs, H:

p(n) = 1-\bar p(n) \approx 1 - e^{-(n(n-1))/2 \cdot H} \approx 1-e^{-n^2/{2 \cdot H}},

where n is the number of attempts at a collision. Inverting this expression,

n(p)\approx \sqrt{2\cdot H\cdot\ln\left({1 \over 1-p}\right)},

and assigning a 0.5 probability of collision we arrive at

n(0.5) = 1.1774 \sqrt H.

As an example, if a 64 bit hash is used, there are approximately 1.8 × 1019 different outputs. If these are all equally probable (the best case), then it would take 'only' approximately 5.1 × 109 attempts to generate a collision using brute force. This value is called birthday bound and for n-bit codes it could be computed as 2n / 2.[1] Other examples are as follows:

Bits Possible
outputs
Desired probability of random collision
10-12 10-9 10-6 0.1% 1% 25% 50% 75%
64 1.8 × 1019 6.1 × 103 1.9 × 105 6.1 × 106 1.9 × 108 6.1 × 108 3.3 × 109 5.1 × 109 7.2 × 109
128 3.4 × 1038 2.6 × 1013 8.2 × 1014 2.6 × 1016 8.3 × 1017 2.6 × 1018 1.4 × 1019 2.2 × 1019 3.1 × 1019
256 1.2 × 1077 4.8 × 1032 1.5 × 1034 4.8 × 1035 1.5 × 1037 4.8 × 1037 2.6 × 1038 4.0 × 1038 5.7 × 1038
384 3.9 × 10115 8.9 × 1051 2.8 × 1053 8.9 × 1054 2.8 × 1056 8.9 × 1056 4.8 × 1057 7.4 × 1057 1.0 × 1058
512 1.3 × 10154 1.6 × 1071 5.2 × 1072 1.6 × 1074 5.2 × 1075 1.6 × 1076 8.8 × 1076 1.4 × 1077 1.9 × 1077
Table shows number of hashes needed to achieve the given probability of success, assuming all hashes are equally likely. For comparison, the uncorrectable bit error rate of a typical hard disk is 10-18 to 10-15.[citation needed]

It is easy to see that if the outputs of the function are distributed unevenly, then a collision can be found even faster. The notion of 'balance' of a hash function quantifies the resistance of the function to birthday attacks and allows the vulnerability of popular hashes such as MD and SHA to be estimated (Bellare and Kohno, 2004).

Digital signatures can be susceptible to a birthday attack. A message m is typically signed by first computing f(m), where f is a cryptographic hash function, and then using some secret key to sign f(m). Suppose Alice wants to trick Bob into signing a fraudulent contract. Alice prepares a fair contract m and a fraudulent one m'. She then finds a number of positions where m can be changed without changing the meaning, such as inserting commas, empty lines, one versus two spaces after a sentence, replacing synonyms, etc. By combining these changes, she can create a huge number of variations on m which are all fair contracts. In a similar manner, she also creates a huge number of variations on the fraudulent contract m'. She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, f(m) = f(m'). She presents the fair version to Bob for signing. After Bob has signed, Alice takes the signature and attaches it to the fraudulent contract. This signature then "proves" that Bob signed the fraudulent contract. (This differs slightly from the original birthday problem, as Alice gains nothing by finding two fair or two fraudulent contracts with the same hash. Alice's optimum strategy is to generate "pairs" of one fair and one fraudulent contract. Then Alice compares each freshly-generated pair to all other pairs -- in other words, Alice compares the new fair hash is compared to all previous fraudulent hashes, and the new fraudulent contract to all previous fair hashes -- Alice doesn't bother comparing fair-to-fair or fraudulent-to-fraudulent. The birthday problem equations apply where "n" is the number of pairs. The number of hashes Alice actually generates is 2n).

To avoid this attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible, i.e. about twice as many bits as are needed to prevent an ordinary brute force attack. It has also been recommended (Schneier, p. 430) that Bob cosmetically modify any contract presented to him before signing.

The birthday attack can also be used to speed up the computation of discrete logarithms. Suppose x and y are elements of some group and y is a power of x. We want to find the exponent of x that gives y. A birthday attack computes xr for many randomly chosen integers r and computes yx s for many randomly chosen integers s. After a while, a match will be found: xr = yx s which means y = xr + s.

If the group has n elements, then the naive method of trying out all exponents takes about n / 2 steps on average; the birthday attack is considerably faster and takes fewer than 2 \sqrt n steps on average.

Techniques based on repeated iteration, such as rainbow tables, can greatly reduce the storage requirements of birthday attacks.

[edit] See also

[edit] References

  1. ^ Jacques Patarin, Audrey Montreuil (2005). "Benes and Butterfly schemes revisited" (PostScript, PDF). Université de Versailles. Retrieved on 2007-03-15.

[edit] External links

Hash algorithms: Gost-Hash | HAS-160 | HAS-V | HAVAL | MDC-2 | MD2 | MD4 | MD5 | N-Hash | RadioGatún | RIPEMD | SHA family | Snefru | Tiger | VEST | WHIRLPOOL | crypt(3) DES
MAC algorithms: DAA | CBC-MAC | HMAC | OMAC/CMAC | PMAC | UMAC | Poly1305-AES | VEST
Authenticated encryption modes: CCM | EAX | GCM | OCB | VEST   Attacks: Birthday attack | Collision attack | Preimage attack | Rainbow table | Brute force attack
Standardization: CRYPTREC | NESSIE   Misc: Avalanche effect | Hash collision | Hash functions based on block ciphers
Cryptography
v  d  e
History of cryptography | Cryptanalysis | Cryptography portal | Topics in cryptography
Symmetric-key algorithm | Block cipher | Stream cipher | Public-key cryptography | Cryptographic hash function | Message authentication code | Random numbers
In other languages