Questions tagged [birthday-attack]

A birthday attack is a cryptanalytic technique. Birthday attacks can be used to find collisions in a cryptographic hash function. For instance, suppose we have a hash function which, when supplied with a random input, returns one of $k$ equally likely values. By repeatedly evaluating the function on $1.2\sqrt{k}$ different inputs, it is likely we will find some pair of inputs that produce the same output (a collision).

Birthday attacks are a class of brute-force techniques used in an attempt to solve a class of cryptographic hash function problems. These methods take advantage of functions which, when supplied with a random input, return one of $k$ equally likely values. By repeatedly evaluating the function for different inputs, the same output is expected to be obtained after about $1.2\sqrt{k}$ evaluations.

A simple approach to finding a collision in a hash function is to look for a second preimage:

  1. An initial value $I$ is picked and the hash $H_I$ is calculated.
  2. Further values are picked and their hash is compared to $H_I$.

An attack based on the birthday paradox is more efficient at finding a collision: it compares the new hash value of each round with all the hash values that have been calculated earlier, rather than with a single fixed target.

97 questions
40 votes, 2 answers

How does hashing twice protect against birthday attacks?

The bitcoin wiki says: Bitcoin is using two hash iterations (denoted SHA256^2 ie "SHA256 function squared") and the reason for this relates to a partial attack on the smaller but related SHA1 hash. SHA1's resistance to birthday attacks has been…
4nt
18 votes, 1 answer

How does a birthday attack on a hashing algorithm work?

A "normal", brute-force attack on a cryptographic hashing algorithm $H$ should have a complexity of about $2^{n}$ for a hash algorithm with an output length of $n$ bits. That means it takes about $2^{n-1}$ tries on average to find a colliding…
lxgr
18 votes, 1 answer

Three-way hash collision

According to the birthday paradox we need approximately $O(|T|^{1/2})$ samples from the tag-space to find a collision for a hash function $h:K\times M \to T$. But how many samples are needed to find a three-way collision, i.e. $h(a) = h(b) = h(c)$…
hsalin
15 votes, 1 answer

Security of N bit HMAC

Let's say that I am using 128 bit HMAC. How many operations are needed to find a "non secure" message? Is a birthday attack possible?
ralu
10 votes, 2 answers

Why would you expect to find a collision in a hash function after approximately $\sqrt{n}$ hashes?

I can't get an intuitive understanding of why it's $2^{(\frac{n}{2})}$ and not $2^n$, where $n$ is the number of bits of which the key consists.
Matt H
9 votes, 3 answers

Birthday Attack

I am reading about the birthday attack in Wikipedia: We consider the following experiment. From a set of $H$ values we choose $n$ values uniformly at random thereby allowing repetitions. Let $p(n; H)$ be the probability that during this…
juaninf
9 votes, 3 answers

Why does Birthday attack work only with random messages and not with chosen messages?

Considering unkeyed hashing functions, I studied that the birthday attack can only work by generating random messages and not with messages chosen by the attacker, but I didn't understand why. For example if there is a trade contract between two…
9 votes, 1 answer

Formula for the number of expected collisions

Say we have a hash function that produces $n$ bit outputs. From the birthday problem we know that after around $\sqrt{2^n}$ different inputs to the hash function, we can expect a collision. Say instead that we have $m$ outputs. How many collisions can we…
mikeazo
8 votes, 1 answer

MuSig: could the rogue key attack be mitigated by using commitments instead of key transformations?

Background MuSig is an extension of/derivation from Schnorr signatures using cyclic groups on elliptic curves. In the original paper, the authors point out that naive multi-Schnorr is vulnerable to a rogue key attack: Given $\Bbb G$ is a cyclic…
8 votes, 1 answer

Applicability of birthday attack to AES brute force

Is the following snippet from a recently published cryptography book correct? EDIT: Expand the snippet from the book to make the context (symmetric key search) more clear. You can apply this to other cryptographic issues as well. Let's return to…
Thomas Byrd
8 votes, 1 answer

What are the differences between collision attack and birthday attack?

From my understanding both types of attack, collision and birthday, are based on the principle of two randomly/pseudo-randomly chosen plaintexts hashing to the same value. I don't want to launch any biased supposition, but aren't they the same? From…
7 votes, 2 answers

Elliptic curve and "vanity" public keys

I want to find an algorithm to get a private/public key pair where one coordinate of the public key has some specific prefix (for example: 20 leading zeroes). In the secp256k1 case (the Bitcoin curve), G. Maxwell has found a public key with…
6 votes, 1 answer

Hash multiset to point on elliptic curve where $A = 0$

I want to hash a multiset to a point on the elliptic curve $y^2 = x^3 + 3$ over a finite field of some 254-bit prime order, where $P = 3 \pmod 4$. Moreover, I want this hash to be incremental, in that the hash of the union of the multisets should be…
6 votes, 2 answers

What does this paraphrase of the birthday problem mean?

The following is an excerpt from A Generalized Birthday Problem - David Wagner: One of the best-known combinatorial tools in cryptology is the birthday problem: Problem 1. Given two lists $L_1, \space L_2$ of elements drawn uniformly and…
SedriX
6 votes, 1 answer

What is a wide block cipher and why does it avoid birthday bound problems?

I've recently heard the claim that wide block ciphers avoid birthday bound problems. Trying to figure out what exactly "wide block encryption" is, a quick search turned up this paper which is trying to do the following: The focus of this paper is…
Elias