Birthday attack: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
No edit summary
mNo edit summary
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{subpages}}
{{PropDel}}<br><br>{{subpages}}
{{main|Cryptography}}
{{TOC|right}}
{{TOC-right}}


A '''birthday attack''' is a [[cryptography | cryptographic]] attack based on the mathematics exemplified by the [[birthday paradox]]. This math turns up whenever the question of two cryptographic operations producing the same result becomes an issue.
A '''birthday attack''' is a [[cryptanalysis | cryptanalytic]] attack based on the mathematics exemplified by the [[birthday paradox]]. This math turns up whenever the question of two [[cryptography|cryptographic]] operations producing the same result becomes an issue.


The best-known example is collisions in [[cryptographic hash]] or message digest functions. An enemy may be able to subvert the authentication that these functions are intended to provide if he can find two inputs that hash to the same output. See [[Hash (cryptography)#Collision resistance | collision resistance]] for details.
* For a [[cryptographic hash]] or message digest function, if an enemy can find two inputs that hash to the same output, then he may be able to subvert the authentication that these functions are intended to provide. See [[Hash (cryptography)#Collision resistance | collision resistance]] for details.
* If a [[challenge-response]] authentication system produces the same challenge twice then an enemy who has kept careful records could break in by looking up the correct response and giving it.
* When two output blocks from a [[block cipher]] are identical, the enemy gains some information. Assuming the key has not changed, he then knows the two input blocks were identical. A [[code book attack]] is based on accumulating such information.


Another issue arises when a [[challenge-response]] authentication system produces the same challenge twice. An enemy who has kept careful records might then break in by looking up the correct response and giving it.
A good approximation for the number of instances required to find a collision is <math>1.18 * \sqrt{n}</math>. For example, to have a 50% chance of finding two birthdays the same, you need <math>1.18 * \sqrt{365} \approx 23</math> people. In cryptography, the constant 1.18 can be ignored; we just say that for an object of size <math>b</math> bits, the attack cost is about <math>\sqrt{2^{b}}</math> or <math>2^{b/2}</math>. To find a collision in a 128-bit hash, the attacker needs to perform, on average, about 2<sup>64</sup> hash operations, to find a repeated ciphertext for a 64-bit block cipher or a repetition of a 64-bit challenge, he needs to collect and store about 2<sup>32</sup> samples, and so on.


When two output blocks from a [[block cipher]] are identical, the enemy gains some information. Assuming the key has not changed, he then knows the two input blocks were identical. There are attacks based on accumulating such information; see [[Block_cipher#Block_size | block size]].
Hashes are therefore routinely designed for output twice as large as the key size of the [[cipher]]s they are intended for use with. A [[brute force attack]] on a [[block cipher]] with a 128-bit key, for example, needs on average 2<sup>127</sup> encryptions. To provide authentication in a system that uses such a block cipher, or to hash a passphrase to produce a key for it, a hash algorithm with comparable strength is needed. A 256-bit hash is required to give 2<sup>128</sup> resistance to a birthday attack.


A good approximation for the number of instances required to find a collision is <math>1.18 * \sqrt{n}</math>. For example, to have a 50% chance of finding two birthdays the same, you need about <math>1.18 * \sqrt{365} \approx 23</math> people. For cryptography, a simpler approximation is used; we say that for an object of size <math>b</math> bits, the attack cost is <math>2^{b/2}</math>. To find a collision in a 128-bit hash, the attacker needs to perform, on average, 2<sup>64</sup> hash operations, to find a repeated ciphertext for a 64-bit block cipher or a repetition of a 64-bit challenge, he needs to collect and store 2<sup>32</sup> samples, and so on.
In US government standards, for example, the current block cipher standard is [[AES]] with key sizes of 128, 192 or 256 bits. The corresponding standard for a [[cryptographic hash]] is [[SHA-2]] which specifies 256-bit, 384-bit and 512-bit hashes for use with [[AES]], plus a 224-bit hash for use with [[Triple DES]].[[Category:Suggestion Bot Tag]]
 
Hashes are therefore routinely designed for output twice as large as the key size of the [[cipher]]s they are intended for use with. A [[block cipher]] with a 128-bit key, for example, needs 2<sup>127</sup> encryptions to break by [[brute force]]. To provide authentication in a system that uses such a [[block cipher]], or to hash a passphrase to produce a key for it, a hash algorithm with comparable strength is needed. A 256-bit hash is required to give 2<sup>128</sup> resistance to a birthday attack.
 
In US government standards, for example, the current [[block cipher]] standard is [[AES]] with key sizes of 128, 192 or 256 bits. The corresponding standard for a [[cryptographic hash]] is [[SHA-2]] which specifies 256-bit, 384-bit and 512-bit hashes for use with [[AES]], plus a 224-bit hash for use with [[Triple DES]].

Latest revision as of 06:00, 19 July 2024

This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see
Category:Articles for deletion.


This article is a stub and thus not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

A birthday attack is a cryptanalytic attack based on the mathematics exemplified by the birthday paradox. This math turns up whenever the question of two cryptographic operations producing the same result becomes an issue.

  • For a cryptographic hash or message digest function, if an enemy can find two inputs that hash to the same output, then he may be able to subvert the authentication that these functions are intended to provide. See collision resistance for details.
  • If a challenge-response authentication system produces the same challenge twice then an enemy who has kept careful records could break in by looking up the correct response and giving it.
  • When two output blocks from a block cipher are identical, the enemy gains some information. Assuming the key has not changed, he then knows the two input blocks were identical. A code book attack is based on accumulating such information.

A good approximation for the number of instances required to find a collision is . For example, to have a 50% chance of finding two birthdays the same, you need people. In cryptography, the constant 1.18 can be ignored; we just say that for an object of size bits, the attack cost is about or . To find a collision in a 128-bit hash, the attacker needs to perform, on average, about 264 hash operations, to find a repeated ciphertext for a 64-bit block cipher or a repetition of a 64-bit challenge, he needs to collect and store about 232 samples, and so on.

Hashes are therefore routinely designed for output twice as large as the key size of the ciphers they are intended for use with. A brute force attack on a block cipher with a 128-bit key, for example, needs on average 2127 encryptions. To provide authentication in a system that uses such a block cipher, or to hash a passphrase to produce a key for it, a hash algorithm with comparable strength is needed. A 256-bit hash is required to give 2128 resistance to a birthday attack.

In US government standards, for example, the current block cipher standard is AES with key sizes of 128, 192 or 256 bits. The corresponding standard for a cryptographic hash is SHA-2 which specifies 256-bit, 384-bit and 512-bit hashes for use with AES, plus a 224-bit hash for use with Triple DES.