A Generalized Birthday Problem

We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values XOR to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with subexponential running time when k is unrestricted. We also give several applications to cryptanalysis, describing new subexponential algorithms for constructing one-more forgeries for certain blind signature schemes, for breaking certain incremental hash functions, and for finding low-weight parity check equations for fast correlation attacks on stream ciphers. In these applications, our algorithm runs in O(2^{2√n}) time for an n-bit modulus, demonstrating that moduli may need to be at least 1600 bits long for security against these new attacks. As an example, we describe the first-known attack with subexponential complexity on Schnorr and Okamoto-Schnorr blind signatures over elliptic curve groups.
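The k = 4 case described above, as an added Python example that is not code from the paper: the lists are joined pairwise on their low n/3 bits, and the two resulting lists of partial XORs are joined on the remaining bits, so a zero-XOR quadruple is found with lists of size about 2^(n/3) in about 2^(n/3) time and space. The input is constructed here (random lists with one planted solution, so the run is deterministic); the function names are this example's own.

```python
import random
from collections import defaultdict


def join_low(la, lb, mask):
    """Pair each element of la with every element of lb that agrees with it
    on the bits selected by mask; return (a ^ b, (a, b)) for each pair.
    The XOR of an agreeing pair is zero on the masked bits."""
    idx = defaultdict(list)
    for a in la:
        idx[a & mask].append(a)
    out = []
    for b in lb:
        for a in idx.get(b & mask, ()):
            out.append((a ^ b, (a, b)))
    return out


def four_list_xor(l1, l2, l3, l4, n):
    """Wagner's 4-list (k-tree) algorithm for n-bit values.
    Returns (a, b, c, d) with a ^ b ^ c ^ d == 0, one from each list, or None."""
    low = n // 3
    mask = (1 << low) - 1
    # Level 1: force the low n/3 bits of each partial XOR to zero.
    l12 = join_low(l1, l2, mask)
    l34 = join_low(l3, l4, mask)
    # Level 2: the low bits already agree, so an exact match on the
    # partial XORs gives a ^ b == c ^ d, i.e. a ^ b ^ c ^ d == 0.
    idx = defaultdict(list)
    for x, ab in l12:
        idx[x].append(ab)
    for y, cd in l34:
        for ab in idx.get(y, ()):
            return ab + cd
    return None


def make_instance(n, size, seed=1):
    """Constructed input: four random lists of n-bit values with one planted
    solution, so the search is guaranteed to succeed in a demo run."""
    rng = random.Random(seed)
    lists = [[rng.getrandbits(n) for _ in range(size)] for _ in range(4)]
    a, b, c = (rng.getrandbits(n) for _ in range(3))
    for lst, v in zip(lists, (a, b, c, a ^ b ^ c)):
        lst[rng.randrange(size)] = v
    return lists


if __name__ == "__main__":
    n = 30
    lists = make_instance(n, 1 << (n // 3))  # list size 2^(n/3) = 1024
    print(four_list_xor(*lists, n))
```

With lists of size 2^(n/3) the expected number of solutions in a random instance is about one, so real runs either oversize the lists slightly or repeat with fresh lists; the planted solution here stands in for that.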