Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 12 Hash Functions: Attacks and Applications

12.1 Birthday Attacks

If there are 23 people in a room, the probability is slightly more than 50% that two of them have the same birthday. If there are 30, the probability is around 70%. This might seem surprising; it is called the birthday paradox. Let’s see why it’s true. We’ll ignore leap years (which would slightly lower the probability of a match) and we assume that all birthdays are equally likely (if not, the probability of a match would be slightly higher).

Consider the case of 23 people. We’ll compute the probability that they all have different birthdays. Line them up in a row. The first person uses up one day, so the second person has probability $(1 - 1 / 365)$ $(1 - 1 / 365)$ of having a different birthday. There are two days removed for the third person, so the probability is $(1 - 2 / 365)$ $(1 - 2 / 365)$ that the third birthday differs from the first two. Therefore, the probability of all three people having different birthdays is $(1 - 1 / 365) (1 - 2 / 365)$ $(1 - 1 / 365) (1 - 2 / 365)$ . Continuing in this way, we see that the probability that all 23 people have different birthdays is

(1 - \frac{1}{365}) (1 - \frac{2}{365}) \dots (1 - \frac{22}{365}) = .493 .

$(1 - \frac{1}{365}) (1 - \frac{2}{365}) \dots (1 - \frac{22}{365}) = .493 .$

Therefore, the probability of at least two having the same birthday is

1 - .493 = .507 .

$1 - .493 = .507 .$

One way to understand the preceding calculation intuitively is to consider the case of 40 people. If the first 30 have a match, we’re done, so suppose the first 30 have different birthdays. Now we have to choose the last 10 birthdays. Since 30 birthdays are already chosen, we have approximately a 10% chance that a randomly chosen birthday will match one of the first 30. And we are choosing 10 birthdays. Therefore, it shouldn’t be too surprising that we get a match. In fact, the probability is 89% that there is a match among 40 people.

More generally, suppose we have $N$ $N$ objects, where $N$ $N$ is large. There are $r$ $r$ people, and each chooses an object (with replacement, so several people could choose the same one). Then

\begin{array}{rcl} Prob(there is a match) \approx 1 - e^{- r^{2} / 2 N} . \end{array}

$\begin{array}{rcl} Prob(there is a match) \approx 1 - e^{- r^{2} / 2 N} . \end{array}$ (12.1)

Note that this is only an approximation that holds for large $N$ $N$ ; for small $n$ $n$ it is better to use the above product and obtain an exact answer. In Exercise 12, we derive this approximation. Choosing $r^{2} / 2 N = ln 2,$ $r^{2} / 2 N = ln 2,$ , we find that if $r \approx 1.177 \sqrt{N}$ $r \approx 1.177 \sqrt{N}$ , then the probability is 50% that at least two people choose the same object.

To summarize, if there are $N$ $N$ possibilities and we have a list of length $\sqrt{N}$ $\sqrt{N}$ , then there is a good chance of a match. If we want to increase the chance of a match, we can make the list have length $2 \sqrt{N}$ $2 \sqrt{N}$ or $5 \sqrt{N}$ $5 \sqrt{N}$ . The main point is that a length of a constant times $\sqrt{N}$ $\sqrt{N}$ (instead of something like $N$ $N$ ) suffices.

For example, suppose we have 40 license plates, each ending in a three-digit number. What is the probability that two of the license plates end in the same three digits? We have $N = 1000$ $N = 1000$ , the number of possible three-digit numbers, and $r = 40$ $r = 40$ , the number of license plates under consideration. Since

\frac{r^{2}}{2 N} = .8,

$\frac{r^{2}}{2 N} = .8,$

the approximate probability of a match is

1 - e^{- .8} = .551,

$1 - e^{- .8} = .551,$

which is more than 50%. We stress that this is only an approximation. The correct answer is obtained by calculating

1 - (1 - \frac{1}{1000}) (1 - \frac{2}{1000}) \dots (1 - \frac{39}{1000}) = .546.

$1 - (1 - \frac{1}{1000}) (1 - \frac{2}{1000}) \dots (1 - \frac{39}{1000}) = .546.$

The next time you are stuck in traffic (and have a passenger to record numbers), check out this prediction.

But what is the probability that one of these 40 license plates has the same last three digits as yours (assuming that yours ends in three digits)? Each plate has probability $1 - 1 / 1000$ $1 - 1 / 1000$ of not matching yours, so the probability is $(1 - 1 / 1000)^{40} = .961$ $(1 - 1 / 1000)^{40} = .961$ that none of the 40 plates matches your plate. The reason the birthday paradox works is that we are not just looking for matches between one fixed plate, such as yours, and the other plates. We are looking for matches between any two plates in the set, so there are many more opportunities for matches.

For more examples, see Examples 36 and 37 in the Computer Appendices.

The applications of these ideas to cryptology require a slightly different setup. Suppose there are two rooms, each with 30 people. What is the probability that someone in the first room has the same birthday as someone in the second room? More generally, suppose there are $N$ $N$ objects and there are two groups of $r$ $r$ people. Each person from each group selects an object (with replacement). What is the probability that someone from the first group chooses the same object as someone from the second group? In this case,

\begin{array}{rcl} Prob(there is a match) \approx 1 - e^{- r^{2} / N} . \end{array}

$\begin{array}{rcl} Prob(there is a match) \approx 1 - e^{- r^{2} / N} . \end{array}$ (12.2)

If $λ = r^{2} / N$ $λ = r^{2} / N$ , then the probability of exactly $i$ $i$ matches is approximately $λ^{i} e^{- λ} / i!$ $λ^{i} e^{- λ} / i!$ . An analysis of this problem, with generalizations, is given in [Girault et al.]. Note that the present situation differs from the earlier problem of finding a match in one set of $r$ $r$ people. Here, we have two sets of $r$ $r$ people, so a total of $2 r$ $2 r$ people. Therefore, the probability of a match in this set is approximately $1 - e^{- 2 r^{2} / N}$ $1 - e^{- 2 r^{2} / N}$ . But around half of the time, these matches are between members of the same group, and half the time the matches are the desired ones, namely, between the two groups. The precise effect is to cut the probability down to $1 - e^{- r^{2} / N}$ $1 - e^{- r^{2} / N}$ .

Again, if there are $N$ $N$ possibilities and we have two lists of length $\sqrt{N}$ $\sqrt{N}$ , then there is a good chance of a match. Also, if we want to increase the chance of a match, we can make the lists have length $2 \sqrt{N}$ $2 \sqrt{N}$ or $5 \sqrt{N}$ $5 \sqrt{N}$ . The main point is that a length of a constant times $\sqrt{N}$ $\sqrt{N}$ (instead of something like $N$ $N$ ) suffices.

For example, if we take $N = 365$ $N = 365$ and $r = 30$ $r = 30$ , then

λ = 30^{2} / 365 = 2.466.

$λ = 30^{2} / 365 = 2.466.$

Since $1 - e^{- λ} = .915$ $1 - e^{- λ} = .915$ , there is approximately a 91.5% probability that someone in one group of 30 people has the same birthday as someone in a second group of 30 people.

The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large. Suppose that $h$ $h$ is an $n$ $n$ -bit hash function. Then there are $N = 2^{n}$ $N = 2^{n}$ possible outputs. Make a list $h (x)$ $h (x)$ for approximately $r = \sqrt{N} = 2^{n / 2}$ $r = \sqrt{N} = 2^{n / 2}$ random choices of $x$ $x$ . Then we have the situation of $r \approx \sqrt{N}$ $r \approx \sqrt{N}$ “people” with $N$ $N$ possible “birthdays,” so there is a good chance of having two values $x_{1}$ $x_{1}$ and $x_{2}$ $x_{2}$ with the same hash value. If we make the list longer, for example $r = 10 \cdot 2^{n / 2}$ $r = 10 \cdot 2^{n / 2}$ values of $x$ $x$ , the probability becomes very high that there is a match.

Similarly, suppose we have two sets of inputs, $S$ $S$ and $T$ $T$ . If we compute $h (s)$ $h (s)$ for approximately $\sqrt{N}$ $\sqrt{N}$ randomly chosen $s \in S$ $s \in S$ and compute $h (t)$ $h (t)$ for approximately $\sqrt{N}$ $\sqrt{N}$ randomly chosen $t \in T$ $t \in T$ , then we expect some value $h (s)$ $h (s)$ to be equal to some value $h (t)$ $h (t)$ . This situation will arise in an attack on signature schemes in Chapter 13, where $S$ $S$ will be a set of good documents and $T$ $T$ will be a set of fraudulent documents.

If the output of the hash function is around $n = 60$ $n = 60$ bits, the above attacks have a high chance of success. It is necessary to make lists of length approximately $2^{n / 2} = 2^{30} \approx 10^{9}$ $2^{n / 2} = 2^{30} \approx 10^{9}$ and to store them. This is possible on most computers. However, if the hash function outputs 256-bit values, then the lists have length around $2^{128} \approx 10^{38}$ $2^{128} \approx 10^{38}$ , which is too large, both in time and in memory.

12.1.1 A Birthday Attack on Discrete Logarithms

Suppose we are working with a large prime $p$ $p$ and want to evaluate $L_{α} (h)$ $L_{α} (h)$ . In other words, we want to solve $α^{x} \equiv h (mod p)$ $α^{x} \equiv h (mod p)$ . We can do this with high probability by a birthday attack.

Make two lists, both of length around $\sqrt{p}$ $\sqrt{p}$ :

The first list contains numbers $α^{k} (mod p)$ $α^{k} (mod p)$ for approximately $\sqrt{p}$ $\sqrt{p}$ randomly chosen values of $k$ $k$ .
The second list contains numbers $h α^{- ℓ} (mod p)$ $h α^{- ℓ} (mod p)$ for approximately $\sqrt{p}$ $\sqrt{p}$ randomly chosen values of $ℓ$ $ℓ$ .

There is a good chance that there is a match between some element on the first list and some element on the second list. If so, we have

α^{k} \equiv h α^{- ℓ}, hence α^{k + ℓ} \equiv h (mod p) .

$α^{k} \equiv h α^{- ℓ}, hence α^{k + ℓ} \equiv h (mod p) .$

Therefore, $x \equiv k + ℓ (mod p - 1)$ $x \equiv k + ℓ (mod p - 1)$ is the desired discrete logarithm.

Let’s compare this method with the Baby Step, Giant Step (BSGS) method described in Section 10.2. Both methods have running time and storage space proportional to $\sqrt{p}$ $\sqrt{p}$ . However, the BSGS algorithm is deterministic, which means that it is guaranteed to produce an answer. The birthday algorithm is probabilistic, which means that it probably produces an answer, but this is not guaranteed. Moreover, there is a computational advantage to the BSGS algorithm. Computing one member of a list from a previous one requires one multiplication (by $α$ $α$ or by $α^{- N}$ $α^{- N}$ ). In the birthday algorithm, the exponent $k$ $k$ is chosen randomly, so $α^{k}$ $α^{k}$ must be computed each time. This makes the algorithm slower. Therefore, the BSGS algorithm is somewhat superior to the birthday method.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 12 Hash Functions: Attacks and Applications

Create new playlist

Sign In

Sign Up

Table of Contents for
Chapter 12 Hash Functions: Attacks and Applications