20-CS-5153 Network Security Spring 2017
Some Odd Ciphers

Secret Key, Public Key, Hash Algorithms, IPSec, Kerberos, Authentication, more

Hash: collision attack (birthday problem)
When Is It Likely That Two Inputs Map to the Same Output?

 Problem: Assume a hash function H that pretty much randomly maps an integer input to an integer output. Suppose the number of output values for H is k. Pick n input integers randomly. How large should n be so that the probability that at least one pair of input integers map to the same output is 1/2? Setup: The number of output values for H is k and is fixed. Let A = {a1, a2, ... an} be a set of randomly chosen input numbers. For all pairs (ai,aj), 0 < i < j < n+1, define random variable Xi,j to have value 1 if H(ai) = H(aj) and value 0 otherwise. Define random variable X = X1,2+X1,3+ ... +X2,3+...+Xn-1,n to be the sum of all the random variables Xi,j (there are n(n-1)/2 such variables). Variable X takes the value 0 if no pairs of integers in A maps to the same output and takes a positive value otherwise. Let Pr(X > i) denote the probability that X has value greater than i. Let Pr(X = i) denote the probability that X has value i. Observe ∑i>r Pr(X = i) = Pr(X > r). Let E(X) denote the expected value of X. Let E(X|X > a) denote the conditional expectation of X given that X has a value that is greater than a. Outline of Solution: By definition of conditional expectation write E(X)=Pr(X=0)*E(X|X=0) + Pr(X>0)*E(X|X>0) =Pr(X>0)*E(X|X > 0) and therefore, after rearranging, Pr(X>0) = E(X)/E(X|X > 0) We can solve for E(X) exactly. Because the sum of expectations is the expectation of the sum (well known fact), we can write E(X)=E(X1,2)+E(X1,3)+...+E(Xn-1,n) . But E(Xi,j)=0*Pr(Xi,j=0)+1*Pr(Xi,j=1) . The first of these two terms is always 0 and the second is the probability that the ith and jth input values map to the same output value. This is k/k2=1/k. Since this is the same for any i and j, E(X)=n(n-1)/(2k). It is convenient to bound the term E(X|X>0) rather than compute it exactly. When conditioning on X>0 there must be at least one pair of inputs that map to the same output. Without loss of generality suppose inputs n-1 and n map to the same output. Let P denote the event that inputs n-1 and n map to the same number. Then we can write Pr(X>0) = E(X)/E(X|P). Consider all other inputs, namely those numbered 1 to n-2. There are (n-2)(n-3)/2 pairs of these numbers. Whether or not one of these pairs maps to the same number is independent of the mapping of inputs n-1 and n. Hence, E(X1,2|P) + E(X1,3|P) + ... + E(Xn-3,n-2|P) = (n-2)(n-3)/(2k). We also know E(Xn-1,n|P) = 1. That leaves 2*(n-2) pairs unaccounted for, each pair, say i and j, containing exactly one input, say j, that either maps to the target of n-1 or n as the case may be. Expectations of all such Xi,j are the probability that input i maps to the same number as both input j and n-1 or n, as the case may be. This is 1/(k-2). Hence, Pr(X > 0) = (n(n-1)/(2k))  /  (1+(n-2)(n-3)/(2k)+2*(n-2)/(k-2)). This is 1/2 approximately (find upper and lower bounds for the denominator - these differ by a term vanishing in n) when n(n-1)/(2k) = 1, that is, roughly when n2 = 2*k. This shows how large n should be so that the probability that at least one pair of input integers map to the same output (that is, Pr(X > 0)) is 1/2. Hash: preimage attack When Is It Likely That The Input for a Given Output is Found? Brute Force Attack: The number of output values, k. So, a brute force preimage attack on SHA-1 with a 160 bit hash should take 2160 hashes.