24420288 - A Generalized Birthday Problem(extended abstract...


A Generalized Birthday Problem (extended abstract)

David Wagner
University of California at Berkeley

Abstract. We study a $k$-dimensional generalization of the birthday problem: given $k$ lists of $n$-bit values, find some way to choose one element from each list so that the resulting $k$ values xor to zero. For $k = 2$, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case $k > 2$: we show a cube-root time algorithm for the case of $k = 4$ lists, and we give an algorithm with subexponential running time when $k$ is unrestricted. We also give several applications to cryptanalysis, describing new subexponential algorithms for constructing one-more forgeries for certain blind signature schemes, for breaking certain incremental hash functions, and for finding low-weight parity check equations for fast correlation attacks on stream ciphers. In these applications, our algorithm runs in $O(2^{2\sqrt{n}})$ time for an $n$-bit modulus, demonstrating that moduli may need to be at least 1600 bits long for security against these new attacks. As an example, we describe the first-known attack with subexponential complexity on Schnorr and Okamoto-Schnorr blind signatures over elliptic curve groups.

1 Introduction

One of the best-known combinatorial tools in cryptology is the birthday problem:

Problem 1. Given two lists $L_1, L_2$ of elements drawn uniformly and independently at random from $\{0,1\}^n$, find $x_1 \in L_1$ and $x_2 \in L_2$ such that $x_1 \oplus x_2 = 0$.

(Here the $\oplus$ symbol represents the bitwise exclusive-or operation.) The birthday problem is well understood: A solution $x_1, x_2$ exists with good probability once $|L_1| \times |L_2| \gg 2^n$ holds, and if the list sizes are favorably chosen, the complexity of the optimal algorithm is $\Theta(2^{n/2})$. The birthday problem has numerous applications throughout cryptography and cryptanalysis.

In this paper, we explore a generalization of the birthday problem. The above presentation suggests studying a variant of the birthday problem with an arbitrary number of lists. In this way, we obtain the following $k$-dimensional analogue, which we call the $k$-sum problem:

Problem 2. Given $k$ lists $L_1, \ldots, L_k$ of elements drawn uniformly and independently at random from $\{0,1\}^n$, find $x_1 \in L_1, \ldots, x_k \in L_k$ such that $x_1 \oplus x_2 \oplus \cdots \oplus x_k = 0$.

We allow the lists to be extended to any desired length, and so it may aid the intuition to think of each element of each list as being generated by a random (or pseudorandom) oracle $R_i$, so that the $j$-th element of $L_i$ is $R_i(j)$. It is easy to see that a solution to the $k$-sum problem exists with good probability so long as $|L_1| \times \cdots \times |L_k| \gg 2^n$. However, the challenge is to find a solution $x_1, \ldots, x_k$ explicitly and efficiently....
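The following is an added example, not code from the paper: a toy instance of Problems 1 and 2 showing why list-based parameters must be sized against the $k = 4$ case, not only the square-root bound. It goes beyond the preview text by implementing the 4-list tree join the abstract refers to. Assumptions: the oracle $R_i(j)$ is modelled as truncated SHA-256, $n = 24$, and all function names are illustrative.

```python
import hashlib
from collections import defaultdict

N_BITS = 24  # toy width (assumption) so the demo finishes quickly

def oracle(i, j, n=N_BITS):
    """R_i(j): j-th element of list L_i, modelled as SHA-256 truncated to n bits."""
    digest = hashlib.sha256(f"{i}:{j}".encode()).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << n) - 1)

def make_list(i, size):
    # Each entry is (value, indices) so a solution can be traced back to its inputs.
    return [(oracle(i, j), ((i, j),)) for j in range(size)]

def join(left, right, mask):
    """All pairs whose XOR is zero on the bits in mask, as (xor, merged indices)."""
    buckets = defaultdict(list)
    for value, idx in left:
        buckets[value & mask].append((value, idx))
    out = []
    for value, idx in right:
        for lvalue, lidx in buckets.get(value & mask, ()):
            out.append((lvalue ^ value, lidx + idx))
    return out

def two_sum(size, n=N_BITS):
    """k = 2 (Problem 1): one join on all n bits; needs |L1| * |L2| >> 2^n."""
    return join(make_list(1, size), make_list(2, size), (1 << n) - 1)

def four_sum(size, n=N_BITS):
    """k = 4: join pairs of lists on the low n/3 bits, then join the two
    intermediate lists on all n bits. Work scales with about 2^(n/3)."""
    low = (1 << (n // 3)) - 1
    l12 = join(make_list(1, size), make_list(2, size), low)
    l34 = join(make_list(3, size), make_list(4, size), low)
    return join(l12, l34, (1 << n) - 1)

if __name__ == "__main__":
    # List sizes are a few times above 2^(n/2) and 2^(n/3) so that a
    # solution is found with overwhelming probability in a fixed-size run.
    print("k=2:", len(two_sum(1 << 14)), "solutions from", 2 << 14, "oracle calls")
    print("k=4:", len(four_sum(1 << 10)), "solutions from", 4 << 10, "oracle calls")
```

With these sizes the 4-list search makes 4,096 oracle calls where the 2-list search makes 32,768, and the gap widens as $n$ grows.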