Principle Of MD Strongly collisionfree Cant find any pair m 1 m 2 such that hm 1 hm 2 easily Sometimes we can settle for weakly collisionfree given m cant find m m with hm hm ID: 1001159
Download Presentation The PPT/PDF document "Birthday Attacks A way to detect a colli..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
1. Birthday AttacksA way to detect a collision…
2. Principle Of MDStrongly collision-free: Can’t find any pair m1 ≠ m2 such that h(m1)=h(m2) easily(Sometimes we can settle for weakly collision-free: given m, can’t find m’ ≠ m with h(m) = h(m’).The birthday paradox doesn’t mean that there’s a high probability that someone else has my birthday.Likewise, the birthday paradox doesn’t mean that finding a collision with a known digest is easy.We can calculate how many messages we need to hash to have a good chance of finding a collision.
3. Definition3Birthday attacks are a class of brute-force techniques that target the cryptographic hash functions. The goal is to take a cryptographic hash function and find two different inputs that produce the same output.
4. The Birthday Problem4What is the probability that at least two of r randomly selected people have the same birthday? (Same month and day, but not necessarily the same year.)
5. The Birthday Paradox5How large must r be so that the probability is greater than 50 percent? The answer is 23 It is a paradox in the sense that a mathematical truth contradicts common intuition.
6. Birthday Calendar Wall6Jan12345678910111213141516171819202122232425262728293031Feb12345678910111213141516171819202122232425262728 Mar12345678910111213141516171819202122232425262728293031Apr123456789101112131415161718192021222324252627282930 May123456789101112131415161718192021222324252627282930 Jun123456789101112131415161718192021222324252627282930 Jul12345678910111213141516171819202122232425262728293031Aug12345678910111213141516171819202122232425262728293031Sep123456789101112131415161718192021222324252627282930 Oct12345678910111213141516171819202122232425262728293031Nov123456789101112131415161718192021222324252627282930 Dec12345678910111213141516171819202122232425262728293031Equivalence to our hashing space
7. Calculating the Probability-17AssumptionsNobody was born on February 29 People's birthdays are equally distributed over the other 365 days of the year
8. Calculating the Probability-28In a room of k peopleq: the prob. all people have different birthdaysp: the prob. at least two of them have the same birthdays
9. Birthday Attacks9Birthday paradoxIn a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%. Finding two people with the same birthday is the same thing as finding a collision for this particular hash function.
10. Collision Search-110The prob. that no collision is found after selecting k inputs is(In the case of the birthday paradox r is the number of people randomly selected and the collision condition is the birthday of the people and n=365.)For collision search, select distinct inputs xi for i=1, 2, ... , n, where n is the number of hash bits and check for a collision in the h(xi) values
11. Birthday Attacks11The probability that all 23 people have different birthdays isTherefore, the probability of at least two having the same birthday is 1- 0.493 = 0.507
12. More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. ThenExact solution: use fractionsApproximate solution:
13. Birthday paradox in our class13What’s the chances that two people in our class of 43 have the same birthday? Approximate solution: Where r = 43 people, and N = 365 choices
14. Birthday Attacks On Hash Function14The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large.Suppose h is an n-bit hash function. Then there are N = 2n possible outputs. We have the situation of list of length r≈ “people” with N possible “birthdays,” so there is a good chance of having two values with the same hash value.If the hash function outputs 128-bit values, then the lists have length around 264 ≈1019, which is too large, both in time and in memory.
15. Collision Search-215For large n
16. Collision Search-316When r is large, the percentage difference between r and r-1 is small, and we may approximate r-1 r.
17. Birthday Attacks17Choosing r2/2N = ln2, we find that if r≈1.177 , then the probability is 50% that at least two people choose the same object.If there are N possibilities and we have a list of length , then there is a good chance of a match.If we want to increase the chance of a match, we can make a list of length of a constant times .
18. Collision Search-418For the birthday case, the value of r that makes the probability closest to 1/2 is 23
19. (Example)19(Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits?(Solution) N=1000, r=401. Approximation:2. The exact answer:
20. Birthday Attacks20What is the probability that none of these 40 license plates ends in the same 3 digits as yours?The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.
21. Birthday Attacks on Different Set/Group21Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group choose the same object as someone from the second group?Eg. If we take N=365 and r=30, then
22. Birthday Attacks discrete logarithm22A birthday attack on discrete logarithmWe want to solve αx≡β (mod p).Make two lists, both of length around 1st list: αk (mod p) for random k. 2nd list: βα-h (mod p) for random h.There is a good chance that there is a match αk ≡ βα-h (mod p), hence x=k+h.Compared with BSGS: BSGS algorithm is deterministic while the birthday attack algorithm is probabilistic.
23. Attack Prevention23The important property is the length in bits of the message digest produced by the hash function.m should be large enough so that it’s not feasible to compute hash values!!!The 0.5 probability of collision for m bit hash, expected number of operation k before finding a collision is very close toIf the number of m bit hash , the cardinality n of the hash function is