1. A way to detect a collision…
Birthday Attacks
A way to detect a collision…

2. Principle Of MD
Strongly collision-free: Can’t find any pair m1 ≠ m2 such that h(m1)=h(m2) easily
(Sometimes we can settle for weakly collision-free: given m, can’t find m’ ≠ m with h(m) = h(m’).
The birthday paradox doesn’t mean that there’s a high probability that someone else has my birthday.
Likewise, the birthday paradox doesn’t mean that finding a collision with a known digest is easy.
We can calculate how many messages we need to hash to have a good chance of finding a collision.

3. Definition
Birthday attacks are a class of brute-force techniques that target the cryptographic hash functions. The goal is to take a cryptographic hash function and find two different inputs that produce the same output.

4. The Birthday Problem
What is the probability that at least two of r randomly selected people have the same birthday? (Same month and day, but not necessarily the same year.)

5. The Birthday Paradox
How large must r be so that the probability is greater than 50 percent?
The answer is 23
It is a paradox in the sense that a mathematical truth contradicts common intuition.

6. Birthday Calendar Wall
Equivalence to our hashing space
Jan 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec

7. Calculating the Probability-1
Assumptions
Nobody was born on February 29
People's birthdays are equally distributed over the other 365 days of the year

8. Calculating the Probability-2
In a room of k people
q: the prob. all people have different birthdays
p: the prob. at least two of them have the same birthdays

9. Birthday Attacks Birthday paradox
In a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%.
Finding two people with the same birthday is the same thing as finding a collision for this particular hash function.

10. Collision Search-1
For collision search, select distinct inputs xi for i=1, 2, ... , n, where n is the number of hash bits and check for a collision in the h(xi) values
The prob. that no collision is found after selecting k inputs is
(In the case of the birthday paradox r is the number of people randomly selected and the collision condition is the birthday of the people and n=365.)

11. Birthday Attacks
The probability that all 23 people have different birthdays is
Therefore, the probability of at least two having the
same birthday is = 0.507

12. Exact solution: use fractions Approximate solution:
More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then
Exact solution: use fractions
Approximate solution:

13. Birthday paradox in our class
What’s the chances that two people in our class of 43 have the same birthday?
Approximate solution:
Where r = 43 people, and N = 365 choices

14. Birthday Attacks On Hash Function
The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large.
Suppose h is an n-bit hash function. Then there are N = 2n possible outputs. We have the situation of list of length r≈ “people” with N possible “birthdays,” so there is a good chance of having two values with the same hash value.
If the hash function outputs 128-bit values, then the lists have length around 264 ≈1019, which is too large, both in time and in memory.

15. Collision Search-2
For large n

16. Collision Search-3
When r is large, the percentage difference between r and r-1 is small, and we may approximate r-1  r.

17. Birthday Attacks
Choosing r2/2N = ln2, we find that if r≈ , then the probability is 50% that at least two people choose the same object.
If there are N possibilities and we have a list of length , then there is a good chance of a match.
If we want to increase the chance of a match, we can make a list of length of a constant times .

18. Collision Search-4
For the birthday case, the value of r that makes the probability closest to 1/2 is 23

19. (Example) (Example) We have 40 license plates, each ending
in a 3-digit number. What is the probability that two
of the license plates end in the same 3 digits?
(Solution) N=1000, r=40
1. Approximation:
2. The exact answer:

20. Birthday Attacks
What is the probability that none of these 40 license plates ends in the same 3 digits as yours?
The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.

21. Birthday Attacks on Different Set/Group
Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group choose the same object as someone from the second group?
Eg. If we take N=365 and r=30, then

22. Birthday Attacks discrete logarithm
A birthday attack on discrete logarithm
We want to solve αx≡β (mod p).
Make two lists, both of length around
1st list: αk (mod p) for random k.
2nd list: βα-h (mod p) for random h.
There is a good chance that there is a match
αk ≡ βα-h (mod p), hence x=k+h.
Compared with BSGS:
BSGS algorithm is deterministic while the birthday
attack algorithm is probabilistic.

23. Attack Prevention
The important property is the length in bits of the message digest produced by the hash function.
If the number of m bit hash , the cardinality n of the hash function is
The 0.5 probability of collision for m bit hash, expected number of operation k before finding a collision is very close to
m should be large enough so that it’s not feasible to compute hash values!!!