Unformatted text preview: by using a digital signature algorithm on H(M), and Bob could produce M’, another message different from M where H(M) = H(M’), then Bob could claim that Alice signed M’. In some applications, one-wayness is insufficient; we need an additional requirement called collision-resistance. It is hard to find two random messages, M and M’, such that H(M) = H(M’). Remember the birthday attack from Section 7.4? It is not based on finding another message M’, such that H(M) = H(M’), but based on finding two random messages, M and M’, such that H(M) = H(M’). The following protocol, first described by Gideon Yuval , shows how—if the previous requirement were not true—Alice could use the birthday attack to swindle Bob. (1) Alice prepares two versions of a contract: one is favorable to Bob; the other bankrupts him. (2) Alice makes several subtle changes to each document and calculates the hash value for each. (These changes could be things like: replacing SPACE with SPACE-BACKSPACE-SPACE, putting a space or two before a carriage return, and so on. By either making or not making a single change on each of 32 lines, Alice can easily generate 232 different documents.) (3) Alice compares the hash values for each change in each of the two documents, looking for a pair that matches. (If the hash function only outputs a 64-bit value, she would usually find a matching pair with 232 versions of each.) She reconstructs the two documents that hash to the same value. (4) Alice has Bob sign the version of the contract that is favorable to him, using a protocol in which he only signs the hash value. (5) At some time in the future, Alice substitutes the contract Bob signed with the one that he didn’t. Now she can convince an adjudicator that Bob signed the other contract. This is a big problem. (One moral is to always make a cosmetic change to any document you sign.) Other similar attacks could be mounted assuming a successful birthday attack. For example, an adversary could send an automated control system (o...
View Full Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
- Fall '10