## A Generalized Birthday Problem (2002)

Venue: In CRYPTO

Citations: 93 - 0 self

### BibTeX

```bibtex
@INPROCEEDINGS{Wagner02ageneralized,
  author    = {David Wagner},
  title     = {A Generalized Birthday Problem},
  booktitle = {In CRYPTO},
  year      = {2002},
  pages     = {288--303},
  publisher = {Springer-Verlag}
}
```

### Abstract

We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography.

### Citations

1774 | How to share a secret
- Shamir
- 1979
Citation Context: ... subexponential attacks that are barely feasible for typical modulus sizes. The attack on xor is what led Rivest, et al., to use a more complicated combining function in their work on ring signatures [39], and our attack on modular addition gives further motivation along these lines. Zero-knowledge proofs of disjunctions. Let the predicate φ be a disjunction of predicates φ_1, ..., φ_k, i.e., φ = ...

544 | Practical Byzantine fault tolerance
- Castro, Liskov
- 1999
Citation Context: ... size of m, and so it is no surprise that some implementors have used inadequate parameters: for instance, NASD used a 256-bit modulus [21, 22], and several implementations have used a 128-bit modulus [13, 14, 45]. Our first attack on the NASD hash applies to AdHash as well, so we find that AdHash's modulus m must be very large indeed: the asymptotic complexity of the k-sum problem is as low as O(2^(2√(lg m))) if w...

223 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation Context: ...roup G has running time Ω(√p), where p denotes the largest prime factor of the order of G. Proof. Any generic algorithm for the discrete log problem in a group of prime order p has complexity Ω(√p) [35, 46]. Now see Theorem 2. Moreover, Theorem 2 shows that we cannot hope to find a polynomial-time algorithm for the k-sum problem over any group where the discrete log problem is hard. For example, finding a s...

214 | Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy
- Brands
- 2000
Citation Context: ...allenge attack, whereas we require only that the witness remain hidden against a known-challenge attack. The disjunction trick has been used for deniable signatures [27], privacy-sensitive certificates [9], and elsewhere [20]. We believe the k-sum attack gives new insight on the limitations of the disjunction trick². Encryption based on error-correcting codes. In 1990, Hwang and Chen proposed a symme...

150 | A sieve algorithm for the shortest lattice vector problem
- Ajtai, Kumar, et al.
- 2001
Citation Context: ...thentication scheme [26]. Ajtai, Kumar, and Sivakumar have used Blum, Kalai, and Wasserman's algorithm as a subroutine to speed up the shortest lattice vector problem from 2^O(n log n) to 2^O(n) time [2]. Bellare, et al., showed that the k-sum problem over (GF(2)^n, ⊕) can be solved in O(n^3 + kn) time using Gaussian elimination when k ≥ n [4, Appendix A]. Wagner and Goldberg have shown how to efficie...

146 | Parallel Collision Search with Cryptanalytic Applications
- Oorschot, Wiener
- 1999
Citation Context: ...ire O(2^(n/2)) time and space, if we are free to choose the size of the lists however we like. Techniques for reducing the space complexity of this algorithm are known for some important special cases [37]. The birthday problem has many applications. For example, if we want to find a collision for a hash function h : {0,1}^* → {0,1}^n, we may define the j-th element of list L_i as h(i, j). Assuming tha...

129 | Proactive recovery in a Byzantine-fault-tolerant system
- Castro, Liskov
- 2000
Citation Context: ... size of m, and so it is no surprise that some implementors have used inadequate parameters: for instance, NASD used a 256-bit modulus [21, 22], and several implementations have used a 128-bit modulus [13, 14, 45]. Our first attack on the NASD hash applies to AdHash as well, so we find that AdHash's modulus m must be very large indeed: the asymptotic complexity of the k-sum problem is as low as O(2^(2√(lg m))) if w...

81 | A new paradigm for collision-free hashing: Incrementality at reduced cost
- Bellare, Micciancio
- 1997
Citation Context: ...the NASD hash should be considered thoroughly broken. AdHash. The NASD hash may be viewed as a special case of a general incremental hashing construction proposed by Bellare, et al., and named AdHash [4]: H(x) := Σ_{i=1}^{k} h(i, x_i) mod m, where the modulus m is public and chosen randomly. However, Bellare, et al., give no concrete suggestions for the size of m, and so it is no surprise that some i...

73 | Fast correlation attacks on certain stream ciphers
- Meier, Staffelbach
- 1989
Citation Context: ...ks, about d^(1/(1+⌊lg k⌋)) times as much work will suffice to find d parity checks, as long as d ≤ 2^(n/⌊lg k⌋). This algorithm is an extension of previous techniques which used the (2-list) birthday problem [24, 33, 40, 29]. As a concrete example, if p(x) represents a polynomial of degree 120, we can find a multiple m(x) with degree 2^40 and weight 5 after about 2^42 work by using the 4-tree algorithm. Compare this to pre...

66 | Complexity of a Determinate Algorithm for the Discrete Logarithm
- Nechaev
- 1994
Citation Context: ...roup G has running time Ω(√p), where p denotes the largest prime factor of the order of G. Proof. Any generic algorithm for the discrete log problem in a group of prime order p has complexity Ω(√p) [35, 46]. Now see Theorem 2. Moreover, Theorem 2 shows that we cannot hope to find a polynomial-time algorithm for the k-sum problem over any group where the discrete log problem is hard. For example, finding a s...

58 | Improved fast correlation attacks using parity-check equations of weight 4 and 5
- Canteaut, Trabbia
- 2000
Citation Context: ... (say, 2^32 or so). Here, the weight of a polynomial is defined as the number of non-zero coefficients it has. Recently, there has been increased interest in finding parity-check equations of weight 4 or 5 [11, 29, 15, 34], and the cost of the precomputation for finding parity checks has been identified as a significant barrier in some cases [15]. Efficient solutions for finding low-weight multiples of p(x) provide low-weight p...

41 | On Monotone Formula Closure of SZK
- Santis, Crescenzo, et al.
- 1994
Citation Context: ...reas we require only that the witness remain hidden against a known-challenge attack. The disjunction trick has been used for deniable signatures [27], privacy-sensitive certificates [9], and elsewhere [20]. We believe the k-sum attack gives new insight on the limitations of the disjunction trick². Encryption based on error-correcting codes. In 1990, Hwang and Chen proposed a symmetric-key encryption ...

36 | A simple algorithm for fast correlation attacks on stream ciphers
- Chepyzhov, Johansson, et al.
- 2000
Citation Context: ... (say, 2^32 or so). Here, the weight of a polynomial is defined as the number of non-zero coefficients it has. Recently, there has been increased interest in finding parity-check equations of weight 4 or 5 [11, 29, 15, 34], and the cost of the precomputation for finding parity checks has been identified as a significant barrier in some cases [15]. Efficient solutions for finding low-weight multiples of p(x) provide low-weight p...

32 | Software generation of practically strong random numbers
- Gutmann
- 1998
Citation Context: ...lementations typically mix additional entropy into the secret state of the generator, for example by sampling system state, the arrival times of network packets, interactions with the user, and so on [25]. However, this introduces the possibility of chosen-input attacks [31, 25], and we discuss how the k-tree algorithm may be used to give new attacks in this setting. The BSAFE PRNG works as follows: t...

27 | Black Box Cryptanalysis of hash networks based on multipermutations
- Schnorr, Vaudenay
- 1995

26 | The knapsack hash function proposed at Crypto'89 can be broken
- Camion, Patarin
- 1991
Citation Context: ... may be relevant to the k-sum problem. We have not explored this direction, and we leave it to future work. After the initial publication of our work, we discovered earlier work by Camion and Patarin [10] on the following problem: Given a 128-bit integer b and a set of 256 120-bit integers a_i, find a subset of the a_i's that sums to b. They showed how to solve this problem in about 2^32 operations using ...

26 | Fast correlation attacks: an algorithmic point of view
- Chose, Joux, et al.
- 2002
Citation Context: ...itton have independently discovered a space-efficient algorithm for finding all solutions to x_1 ⊕ ... ⊕ x_k = 0 and shown how to use it to speed up search for parity checks for stream cipher cryptanalysis [16]. For k = 4, their approach runs in O(2^(n/2)) time and O(2^(n/4)) space if |L_1| = ... = |L_4| = 2^(n/4) and all values are n bits long, and so their scheme is in a similar class as Schroeppel and Sh...

26 | Fast correlation attacks through reconstruction of linear polynomials
- Johansson, Jönsson
- 2000
Citation Context: ... (say, 2^32 or so). Here, the weight of a polynomial is defined as the number of non-zero coefficients it has. Recently, there has been increased interest in finding parity-check equations of weight 4 or 5 [11, 29, 15, 34], and the cost of the precomputation for finding parity checks has been identified as a significant barrier in some cases [15]. Efficient solutions for finding low-weight multiples of p(x) provide low-weight p...

24 | Security of Blind Discrete Log Signatures against Interactive Attacks
- Schnorr
- 2001
Citation Context: ...the security of several discrete-log-based blind signature schemes depends not only on the hardness of the discrete log but also on the hardness of a novel algorithmic problem, called the ROS problem [41]. This observation applies to Schnorr blind signatures and Okamoto-Schnorr blind signatures, especially when working over elliptic curve groups and other groups with no known subexponential algorithm ...

23 | Why Textbook ElGamal and RSA Encryption are Insecure (Extended Abstract)
- Boneh, Joux, et al.
- 2000
Citation Context: ... 3c^3 − 4d^3 = 0 [5]. Boneh, Joux and Nguyen have used Schroeppel and Shamir's algorithm for solving integer knapsacks to reduce the space complexity of their birthday attacks on plain RSA and El Gamal [8]. They also used (a version of) our Theorem 3 to transform a 4-sum problem over ((Z/pZ)^*, ×) to a knapsack (i.e., 4-sum) problem over (Z/qZ, +), which allowed them to apply Schroeppel and Shamir's t...

23 | The Art of Computer Programming, vol 3
- Knuth
- 1973

18 | A Low-complexity and high-performance algorithm for fast correlation attack
- Mihaljević, Fossorier, et al.
- 1978

14 | Embedded Security for Network-Attached Storage
- Gobioff, Nagle, et al.
- 1999
Citation Context: ...ly-known algorithms for discrete logs in elliptic curve groups. NASD incremental hashing. One proposal for network-attached secure disks (NASD) uses the following hash function for integrity purposes [21, 22]: H(x) := Σ_{i=1}^{k} h(i, x_i) mod 2^256. Here x denotes a padded k-block message, x = ⟨x_1, ..., x_k⟩. We reduce inverting this hash to a k-sum problem over the additive group (Z/2^256 Z, +). ...

12 | Security analysis of the Gennaro-Halevi-Rabin signature scheme
- Coron, Naccache
- 2000
Citation Context: ... satisfying s = s'. Improved attacks on the GHR signature scheme. Coron and Naccache introduced attacks on the Gennaro-Halevi-Rabin signature scheme that work by looking for smooth hash digests [17], and they then showed how to speed up the attack by a factor of 4 by exploiting properties of the GHR hash function. We show how to further speed up their attack by another factor of 16 by using k-su...

12 | Pra, private communication
- Boudou, Dai
- 2004
Citation Context: ...next that the lower bound can be improved in some special cases. Relation to discrete logs. There are close connections to the discrete log problem, as shown by the following observation from Wei Dai [19]. Theorem 2 (W. Dai). If the k-sum problem over a cyclic group G = ⟨g⟩ can be solved in time t, then the discrete logarithm with respect to g can be found in O(t) time as well. Proof. We describe an a...

12 | On the need for multipermutations
- Vaudenay
Citation Context: ... i.e., for every constant a ∈ V both f(a, ·) and f(·, a) should be affine. (When the latter two maps are both bijective, this is a special case of a (2, 1)-multipermutation, also known as a latin square [47].) For this case, we can compute the generalized join L ⋈_f L', which finds all solutions to f(x, x') = 0, as follows: set h(x') := g_{x'}^{-1}(0), where g_{x'}(x) := f(x, x'), and compute L...

9 | Enumerating solutions to p(a)+q(b) = r(c)+s(d)
- Bernstein
- 1999
Citation Context: ...an be seen as a direct precursor of our k-tree algorithm. Bernstein has used similar techniques in the context of enumerating solutions in the integers to equations such as a^3 + 2b^3 + 3c^3 − 4d^3 = 0 [5]. Boneh, Joux and Nguyen have used Schroeppel and Shamir's algorithm for solving integer knapsacks to reduce the space complexity of their birthday attacks on plain RSA and El Gamal [8]. They also use...

8 | Enhancing Privacy and Trust
- Huberman, Franklin, et al.
- 1999
Citation Context: ...o recover the witness in a chosen-challenge attack, whereas we require only that the witness remain hidden against a known-challenge attack. The disjunction trick has been used for deniable signatures [27], privacy-sensitive certificates [9], and elsewhere [20]. We believe the k-sum attack gives new insight on the limitations of the disjunction trick². Encryption based on error-correcting codes. In 199...

6 | Computation of low-weight parity-check polynomials
- Golić
- 1996
Citation Context: ...ks, about d^(1/(1+⌊lg k⌋)) times as much work will suffice to find d parity checks, as long as d ≤ 2^(n/⌊lg k⌋). This algorithm is an extension of previous techniques which used the (2-list) birthday problem [24, 33, 40, 29]. As a concrete example, if p(x) represents a polynomial of degree 120, we can find a multiple m(x) with degree 2^40 and weight 5 after about 2^42 work by using the 4-tree algorithm. Compare this to pre...

6 | How easy is collision search? Application to DES (Extended summary)
- Quisquater, Delescaille
- 1990
Citation Context: ...) running time barrier. When looking for only a single solution, it is possible to beat Schroeppel and Shamir's algorithm (using Floyd's cycle-finding algorithm, distinguished points cycling algorithms [36], or parallel collision search [37], one can often achieve Θ(2^(n/2)) time and Θ(1) space), but there was previously no known algorithm with running time substantially better than 2^(n/2). Consequently, ...

5 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, et al.
- 1994
Citation Context: ...al., have shown that the above trick for disjunctions is sound when the underlying proof system for φ_i is an honest-verifier zero-knowledge proof of knowledge satisfying the special soundness property [18]. The special soundness property requires that any two proof transcripts (m_i, c_i, r_i), (m_i, c'_i, r'_i) for φ_i with c_i ≠ c'_i reveal the underlying witness. Cramer, et al., posed the f...

5 | Security for a High Performance Commodity Storage Subsystem
- Gobioff
- 1999
Citation Context: ...ly-known algorithms for discrete logs in elliptic curve groups. NASD incremental hashing. One proposal for network-attached secure disks (NASD) uses the following hash function for integrity purposes [21, 22]: H(x) := Σ_{i=1}^{k} h(i, x_i) mod 2^256. Here x denotes a padded k-block message, x = ⟨x_1, ..., x_k⟩. We reduce inverting this hash to a k-sum problem over the additive group (Z/2^256 Z, +). ...

5 | 'Chinese & Match', an alternative to Atkin's 'Match and Sort' method used
- Joux, Lercier
Citation Context: ...orcing the importance of the k-sum problem to cryptography. Joux and Lercier have used related ideas to reduce the space complexity of a birthday step in point-counting algorithms for elliptic curves [30]. Blum, Kalai, and Wasserman previously have independently discovered something closely related to the k-tree algorithm for xor in the context of their work on learning theory [7]. In particular, they...

5 | Computation of Low-Weight Parity Checks for Correlation Attacks
- Penzhorn, Kühn
- 1995
Citation Context: ...d non-trivial parity checks in some cases that are intractable for the previously known birthday-based methods. Interestingly, Penzhorn and Kühn also gave a totally different cube-root-time algorithm [38], using discrete logarithms in GF(2^n). Their method finds a parity check with weight 4 and degree 2^(n/3) in O((1+ ) 2^(n/3)) time, where  represents the time to compute a discrete log in GF(2^n). ...

4 | A Systematic Procedure for Applying Fast Correlation Attacks to Combiners with Memory
- Salmasizadeh, Golić, et al.
Citation Context: ...ks, about d^(1/(1+⌊lg k⌋)) times as much work will suffice to find d parity checks, as long as d ≤ 2^(n/⌊lg k⌋). This algorithm is an extension of previous techniques which used the (2-list) birthday problem [24, 33, 40, 29]. As a concrete example, if p(x) represents a polynomial of degree 120, we can find a multiple m(x) with degree 2^40 and weight 5 after about 2^42 work by using the 4-tree algorithm. Compare this to pre...

4 | Trust but Check: Mutable Objects in Untrusted Cooperative Caches
- Shrira, Yoder
- 1998
Citation Context: ... size of m, and so it is no surprise that some implementors have used inadequate parameters: for instance, NASD used a 256-bit modulus [21, 22], and several implementations have used a 128-bit modulus [13, 14, 45]. Our first attack on the NASD hash applies to AdHash as well, so we find that AdHash's modulus m must be very large indeed: the asymptotic complexity of the k-sum problem is as low as O(2^(2√(lg m))) if w...

3 | On Learning Correlated Functions Using Statistical Query
- Yang
- 2001
Citation Context: ... would immediately lead to improved algorithms for learning parity with noise, a problem that has resisted algorithmic progress for many years. Others in learning theory have since used similar ideas [50], and the hardness of this problem has even been proposed as the basis for a human-computer authentication scheme [26]. Ajtai, Kumar, and Sivakumar have used Blum, Kalai, and Wasserman's algorithm as ...

2 | Security Comments on the Hwang-Chen Algebraic-code Cryptosystem
- Alabbadi
- 1997
Citation Context: ...iphertexts, we expect to find about n pairs like this, and from them we can derive a combinatorially equivalent code Ĝ. Alabbadi has argued that in some cases this may allow one to break the cryptosystem [1]. The improved attack follows from a natural generalization of their observation. In particular, if we observe q ciphertexts (r_1, c_1), ..., (r_q, c_q) satisfying r_1 ⊕ ... ⊕ r_q = 0, then c...

2 | Incremental Hash Function Based on Pair Chaining
- Goi, Siddiqi, et al.
- 2001
Citation Context: ...he need for such a large modulus may reduce or negate the performance advantages of AdHash. The PCIHF hash. We next cryptanalyze the PCIHF hash construction, proposed recently for incremental hashing [23]. PCIHF hashes a padded n-block message x as follows: H(x) := Σ_{i=1}^{n−1} SHA(x_i, x_{i+1}) mod (2^160 + 1). Our attack on AdHash does not apply directly to this scheme, because the blocks cannot be va...

2 | Secure Human Identification Protocols
- Hopper, Blum
- 2001
Citation Context: ... progress for many years. Others in learning theory have since used similar ideas [50], and the hardness of this problem has even been proposed as the basis for a human-computer authentication scheme [26]. Ajtai, Kumar, and Sivakumar have used Blum, Kalai, and Wasserman's algorithm as a subroutine to speed up the shortest lattice vector problem from 2^O(n log n) to 2^O(n) time [2]. Bellare, et al., sh...

2 | A T·S = O(2^n) Time/Space Tradeoff for Certain NP-Complete Problems
- Schroeppel, Shamir
- 1979
Citation Context: ...Knuth, exercise 5.2.3-29, and was credited to W.S. Brown [32, p.158]. Later, Schroeppel and Shamir showed how to generate 4-wise sums x_1 + ... + x_4 in sorted order using a tree of priority queues [43, 44]. In particular, given 4 lists of integers and an n-bit integer c, they considered how to find all solutions to x_1 + ... + x_4 = c, and they gave an algorithm running in Θ(2^(n/2)) time and Θ(2^(n/4)) s...

2 | A complete problems
- Schroeppel, Shamir
- 1981
Citation Context: ...Knuth, exercise 5.2.3-29, and was credited to W.S. Brown [32, p.158]. Later, Schroeppel and Shamir showed how to generate 4-wise sums x_1 + ... + x_4 in sorted order using a tree of priority queues [43, 44]. In particular, given 4 lists of integers and an n-bit integer c, they considered how to find all solutions to x_1 + ... + x_4 = c, and they gave an algorithm running in Θ(2^(n/2)) time and Θ(2^(n/4)) s...

2 | Parallel Collision Search: Making money the old-fashioned way—the NOW as a cash cow, unpublished report
- Wagner, Goldberg
- 1997
Citation Context: ...) time using Gaussian elimination when k ≥ n [4, Appendix A]. Wagner and Goldberg have shown how to efficiently find solutions to x_1 = x_2 = ... = x_k (where x_i ∈ L_i) using parallel collision search [48]. This is an alternative way to generalize the birthday problem to higher dimensions, but the techniques do not seem to carry over to the k-sum problem. There is also a natural connection between the ...

1 | Non-transferable signatures, ietf-open-pgp mailing list
- Back
Citation Context: ... expect that the space overhead can be drastically reduced using Shamir and Schroeppel's techniques [43, 44]. Group signatures. Back has previously proposed a simple construction for group signatures [3]. Let Alice and Bob have RSA public keys (n_A, e_A) and (n_B, e_B) respectively. In Back's scheme, we accept (w_A, w_B) as a valid signature on message M just if (w_A^{e_A} mod n_A) ⊕ (w_B^{e_B} mod n_B) ...

1 | On the generation of DSA one-time keys, unpublished manuscript
- Bleichenbacher
- 2002
Citation Context: ...lem over ((Z/pZ)^*, ×) to a knapsack (i.e., 4-sum) problem over (Z/qZ, +), which allowed them to apply Schroeppel and Shamir's techniques. Bleichenbacher used similar techniques in his attack on DSA [6]. Chose, Joux, and Mitton have independently discovered a space-efficient algorithm for finding all solutions to x_1 ⊕ ... ⊕ x_k = 0 and shown how to use it to speed up search for parity checks for stream c...

1 | A study on the proposed
- Lim, Lee
- 1998
Citation Context: ...id the BSAFE generator in favor of some other PRNG with stronger resistance to chosen-input attacks. An unusual property of KCDSA. KCDSA is a digital signature algorithm proposed as a Korean standard [12]. The signature on a message m is of the form ⟨r, s⟩. We show a peculiar property of KCDSA: It is feasible for the signer to find two messages m, m' whose signatures partially collide, i.e., we can efficie...

1 | Algebraic-code cryptosystem using random code chaining
- Hwang, Chen
- 1990
Citation Context: ... insight on the limitations of the disjunction trick². Encryption based on error-correcting codes. In 1990, Hwang and Chen proposed a symmetric-key encryption system based on error-correcting codes [28]. They noted that the system is susceptible to a partial attack based on the birthday paradox. They argued that this attack needs 2^(n/2) ciphertexts and 2^n work (here n is the length of codewords), an...

1 | A Generalized Birthday Problem, full version at http://www.cs.berkeley.edu/~daw/papers/genbday.html
- Wagner

1 | How to Swindle Rabin, Cryptologia
- Yuval
- 1979
Citation Context: ...atement will be met. Consequently, we can expect to find a solution to the corresponding birthday problem with O(2^(n/2)) work, and any such solution immediately yields a collision for the hash function [51]. The 4-list birthday problem. To extend the above well-known observations, consider next the 4-sum problem. We are given lists L_1, ..., L_4, and our task is to find values x_1, ..., x_4 that ...