Birthday attack

A birthday attack is a type of cryptographic attack which exploits the mathematics behind the birthday paradox, making use of a space-time tradeoff. Specifically, if a function yields any of n different outputs with equal probability and n is sufficiently large, then after evaluating the function for about 1.2 sqrt n different arguments we expect to have found a pair of different arguments x_1 and x_2 with f(x_1) = f(x_2), known as a collision. If the outputs of the function are distributed unevenly, then a collision can be found even faster (Bellare and Kohno, 2004).

Related Topics:
Cryptographic - Mathematic - Birthday paradox - Space-time tradeoff - Function - Collision

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Digital signatures can be susceptible to a birthday attack. A message m is typically signed by first computing f(m), where f is a cryptographic hash function, and then using some secret key to sign f(m). Suppose Alice wants to trick Bob into signing a fraudulent contract. Alice prepares a fair contract m and a fraudulent one m'. She then finds a number of positions where m can be changed without changing the meaning, such as inserting commas, empty lines, one versus two spaces after a sentence, replacing synonyms, etc. By combining these changes, she can create a huge number of variations on m which are all fair contracts. In a similar manner, she also creates a huge number of variations on the fraudulent contract m'. She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, f(m) = f(m'). She presents the fair version to Bob for signing. After Bob has signed, Alice takes the signature and attaches it to the fraudulent contract. This signature then "proves" that Bob signed the fraudulent contract.

Related Topics:
Digital signature - Cryptographic hash function

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

To avoid this attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible, i.e. about twice as large as needed to prevent an ordinary brute force attack. It has also been recommended that Bob cosmetically modify any contract presented to him before signing. An argument against this recommendation is that users should be able to treat cryptographic operations as simple "black boxes" without having to worry about modifying their behavior.

Related Topics:
Brute force attack - Black box

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

The birthday attack can also be used to speed up the computation of discrete logarithms. Suppose x and y are elements of some group and y is a power of x. We want to find the exponent of x that gives y. A birthday attack computes x^r for many randomly chosen integers r and computes yx^{-s} for many randomly chosen integers s. After a while, a match will be found: x^r = yx^{-s} which means y = x^{r+s}.

Related Topics:
Discrete logarithm - Group

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

If the group has n elements, then the naive method of trying out all exponents takes about n/2 steps on average; the birthday attack is considerably faster and takes fewer than 2 sqrt n steps on average.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~