Birthday Paradox

What is a Paradox…?

• A paradox is a statement or concept that contains conflicting ideas.

• For example, consider a situation in which a father and his son are driving down the road. The car crashes into a tree and the father is killed. The boy is rushed to the nearest hospital where he is prepared for emergency surgery. On entering the surgery suite, the surgeon says, "I can't operate on this boy. He's my son."

• The paradox is resolved if it is revealed that the surgeon is a woman — the boy's mother. 2

© R

ksk

Ekan

ayak

a

The Birthday Paradox

• There are n people in a room, what is the probability that at least two people have the same birthday?

• For n=2: P(2) = 1 - 364

365

• For n=3: P(3) = 1 – ( 364

365 ×

363

365 )

• For n persons: P(n) = 1 – ( 364

365 ×

363

365 × … ×

365−𝑛−1

365)

• With 22 people in a room, there is better than 50% chance that two people have a common birthday.

• With 40 people in a room there is almost 90% chance that two people have a common birthday. 3

© R

ksk

Ekan

ayak

a

The Birthday Paradox…

• If n ≥ √365 then this probability is more than half.

• In general, if there are k possibilities

then on average √𝑘 trials are required to find a collision.

4

© R

ksk

Ekan

ayak

a

Hash Functions

• A hash function takes a variable length message M and produces a fixed length message digest.

• If the length of the digest is m then there are 2𝑚 possible message digests.

• More than one message will be mapped to the same digest.

5

© R

ksk

Ekan

ayak

a

Probability of Hash Collisions

• If we apply k random messages to our hash code what must the value of k to have probability of 0.5 that at least one duplicate?

Using previous equation, we have

k = √2𝑚 = 2𝑚/2 6

© R

ksk

Ekan

ayak

a

Birthday Attack

• Consider a hash function that gets an arbitrary message and outputs a n-bit digest.

• There are 2𝑛 possible digests.

• Then we need to try an average of 2𝑛/2 messages to find two with the same digest.

• For a 64-bit digest, this requires 232 tries.

• For a 128-bit digest, this requires 264 (~1019) tries. (That is computationally infeasible.) 7

© R

ksk

Ekan

ayak

a

Birthday Attack…

• A is prepared to “sign” a message by appending the appropriate m-bit hash code and encrypting that hash code with A’s private key.

• An attacker generates 2𝑚/2 variations on the message, all of which gives the same meaning. The attacker prepares an equal number of messages, all of which are variations of the fraudulent message to be substituted for the real one. 8

© R

ksk

Ekan

ayak

a

Birthday Attack…

• The two sets of messages are compared to find a pair of messages that produce the same hash code. The probability of success is greater than 0.5. If no match is found, additional valid and fraudulent messages are generated until a match is made.

• The attacker offers the valid variation to A for signature. This signature can then be attached to the fraudulent variation for transmission to the intended recipient. Because the two variations have the same hash code, they will produce the same signature; the attacker is assured of success even though the encryption key is not known.

9

© R

ksk

Ekan

ayak

a

How to avoid birthday attack

• To avoid this attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible.

• i.e. about twice as many bits as are needed to prevent an ordinary brute-force attack.

10

© R

ksk

Ekan

ayak

a

References

• https://en.wikipedia.org/wiki/Birthday_problem

• https://en.wikipedia.org/wiki/Birthday_attack

• www.facweb.iitkgp.ernet.in/~sourav/lecture_note9.pdf

• https://www.youtube.com/watch?v=2bEL3ok8D70

• https://www.youtube.com/watch?v=jBXWuQGRosM

© R

ksk

Ekan

ayak

a

11

Thank you.

12

© R

ksk

Ekan

ayak

a