Abstract
We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with subexponential running time when k is unrestricted.
We also give several applications to cryptanalysis, describing new subexponential algorithms for constructing one-more forgeries for certain blind signature schemes, for breaking certain incremental hash functions, and for finding low-weight parity check equations for fast correlation attacks on stream ciphers. In these applications, our algorithm runs in O(22√n) time for an n-bit modulus, demonstrating that moduli may need to be at least 1600 bits long for security against these new attacks. As an example, we describe the first-known attack with subexponential complexity on Schnorr and Okamoto-Schnorr blind signatures over elliptic curve groups.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
M. Ajtai, R. Kumar, D. Sivakumar, “A Sieve Algorithm for the Shortest Lattice Vector Problem,” STOC 2001, pp.601–610, ACM Press, 2001.
M. Bellare, D. Micciancio, “A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost,” EUROCRYPT’97, LNCS 1233, Springer-Verlag, 1997.
D. Bernstein, “Enumerating solutions to p(a)+q(b) = r(c)+s(d),” Math. Comp., 70(233):389–394, AMS, 2001.
D. Bleichenbacher, “On the generation of DSA one-time keys,” unpublished manuscript, Feb. 7, 2002.
A. Blum, A. Kalai, H. Wasserman, “Noise-Tolerant Learning, the Parity Problem, and the Statistical Query Model,” STOC 2000, ACM Press, 2000.
D. Boneh, A. Joux, P.Q. Nguyen, “Why Textbook ElGamal and RSA Encryption are Insecure,” ASIACRYPT 2000, LNCS 1976, Springer-Verlag, pp.30–44, 2000.
A. Canteaut, M. Trabbia, “Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5,” EUROCRYPT 2000, LNCS 1807, Springer-Verlag, pp.573–588, 2000.
M. Casto, B. Liskov, “Practical Byzantine Fault Tolerance,” Proc. 3rd OSDI (Operating Systems Design & Implementation), Usenix, Feb. 1999.
M. Casto, B. Liskov, “Proactive Recovery in a Byzantine-Fault-Tolerant System,” Proc. 4th OSDI (Operating Systems Design & Implementation), Usenix, Oct. 2000.
V.V. Chepyzhov, T. Johansson, B. Smeets, “A Simple Algorithm for Fast Correlation Attacks on Stream Ciphers,” FSE 2000, LNCS 1978, Springer-Verlag, 2001.
P. Chose, A. Joux, M. Mitton, “Fast Correlation Attacks: an Algorithmic Point of View,” EUROCRYPT 2002, LNCS 2332, Springer-Verlag, 2002.
W. Dai, personal communication, Aug. 1999.
H. Gobioff, “Security for a High Performance Commodity Storage Subsystem,” Ph.D. thesis, CS Dept., Carnegie Mellon Univ., July 1999.
H. Gobioff, D. Nagle, G. Gibson, “Embedded Security for Network-Attached Storage,” Tech. report CMU-CS-99-154, CS Dept., Carnegie Mellon Univ., June 1999.
B.-M. Goi, M.U. Siddiqi, H.-T. Chuah, “Incremental Hash Function Based on Pair Chaining & Modular Arithmetic Combining,” INDOCRYPT 2001, LNCS 2247, Springer-Verlag, pp.50–61, 2001.
J. Golić, “Computation of low-weight parity-check polynomials,” Electronics Letters, 32(21):1981–1982, 1996.
N.J. Hopper, M. Blum, “Secure Human Identification Protocols,” ASIACRYPT 2001, LNCS 2248, Springer-Verlag, pp.52–66, 2001.
T. Johansson, F. Jönsson, “Fast Correlation Attacks Through Reconstruction of Linear Polynomials,” CRYPTO 2000, LNCS 1880, Springer-Verlag, 2000.
A. Joux, R. Lercier, “‘Chinese & Match’, an alternative to Atkin’s ‘Match and Sort’ method used in the SEA algorithm,” Math. Comp., 70(234):827–836, AMS, 2001.
D.E. Knuth, The Art of Computer Programming, vol 3, Addison-Wesley, 1973.
W. Meier, O. Staffelbach. “Fast correlation attacks on certain stream ciphers,” J. Cryptology, 1(3):159–167, 1989.
M.J. Mihalević, M.P.C. Fossorier, H. Imai, “A Low-Complexity and High-Performance Algorithm for the Fast Correlation Attack,” FSE 2000, LNCS 1978, Springer-Verlag, pp.196–212, 2001.
V.I. Nechaev, “Complexity of a determinate algorithm for the discrete logarithm,” Math. Notes, 55(2):165–172, 1994.
J.-J. Quisquater, J.-P. Delescaille, “How easy is collision search? Application to DES (Extended summary),” EUROCRYPT’89, LNCS 434, Springer-Verlag, pp.429–434, 1990.
P.C. van Oorschot, M.J. Wiener, “Parallel Collision Search with Cryptanalytic Applications,” Journal of Cryptology, 12(1):1–28, 1999.
W.T. Penzhorn, G.J. Kühn, “Computation of Low-Weight Parity Checks for Correlation Attacks on Stream Ciphers,” Cryptography and Coding, LNCS 1024, Springer, pp.74–83, 1995.
M. Salmasizadeh, J. Golic, E. Dawson, L. Simpson. “A Systematic Procedure for Applying Fast Correlation Attacks to Combiners with Memory,” SAC’97 (Selected Areas in Cryptography).
C.P. Schnorr, “Security of Blind Discrete Log Signatures against Interactive Attacks,” ICICS 2001, LNCS 2229, Springer-Verlag, pp.1–12, 2001.
C.P. Schnorr, S. Vaudenay, “Black box cryptanalysis of hash networks based on multipermutations,” EUROCRYPT’94, LNCS 950, Springer-Verlag, 1994.
R. Schroeppel, A. Shamir, “A TS 2 = O(2n) Time/Space Tradeoff for Certain NP-Complete Problems,” FOCS’ 79, pp. 328–336, 1979.
R. Schroeppel, A. Shamir, “A T = O(2n/2), S = O(2n/4) Algorithm for Certain NP-Complete Problems,” SIAM J. Comput., 10(3):456–464, 1981.
L. Shrira, B. Yoder, “Trust but Check: Mutable Objects in Untrusted Cooperative Caches,” Proc. POS8 (Persistent Object Systems), Morgan Kaufmann, pp.29–36, Sept. 1998.
V. Shoup, “Lower Bounds for Discrete Logarithms and Related Problems,” EUROCRYPT’97, LNCS 1233, Springer-Verlag, pp.256–266, 1997.
S. Vaudenay, “On the need for multipermutations: Cryptanalysis of MD4 and SAFER.” FSE’94, LNCS 1008, Springer-Verlag, pp.286–297, 1994.
D. Wagner, I. Goldberg, “Parallel Collision Search: Making money the old-fashioned way-the NOW as a cash cow,” unpublished report, 1997. http://www.cs.berkeley.edu/~daw/papers/kcoll97.ps
D. Wagner, “A Generalized Birthday Problem,” Full version at http://www.cs.berkeley.edu/~daw/papers/genbday.html.
K. Yang, “On Learning Correlated Functions Using Statistical Query,” ALT’01 (12th Intl. Conf. Algorithmic Learning Theory), LNAI 2225, Springer-Verlag, 2001.
G. Yuval, “How to Swindle Rabin,” Cryptologia, 3(3):187–189, 1979.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wagner, D. (2002). A Generalized Birthday Problem. In: Yung, M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45708-9_19
Download citation
DOI: https://doi.org/10.1007/3-540-45708-9_19
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44050-5
Online ISBN: 978-3-540-45708-4
eBook Packages: Springer Book Archive