12.8 Exercises

In a family of four, what is the probability that no two people have birthdays in the same month? (Assume that all months have equal probabilities.)

Each person in the world flips 100 coins and obtains a sequence of length 100 consisting of Heads and Tails. (There are ${2}^{100}\approx {10}^{30}$ possible sequences.) Assume that there are approximately ${10}^{10}$ people in the world. What is the probability that two people obtain the same sequence of Heads and Tails? Your answer should be accurate to at least two decimal places.

Let ${E}_{K}$ be an encryption function with $N$ possible keys $K$, $N$ possible plaintexts, and $N$ possible ciphertexts. Assume that if you know the encryption key $K$, then it is easy to find the decryption function ${D}_{K}$ (therefore, this problem does not apply to public key methods). Suppose that, for each pair $({K}_{1}\text{,}\text{}{K}_{2})$ of keys, it is possible to find a key ${K}_{3}$ such that ${E}_{{K}_{1}}({E}_{{K}_{2}}(m))={E}_{{K}_{3}}(m)$ for all plaintexts $m$. Assume also that for every plaintext–ciphertext pair $(m\text{,}\text{}c)$, there is usually only one key $K$ such that ${E}_{K}(m)=c$. Suppose that you know a plaintext–ciphertext pair $(m\text{,}\text{}c)$. Give a birthday attack that usually finds the key $K$ in approximately $2\sqrt{N}$ steps. (Remark: This is much faster than brute force searching through all keys $K$, which takes time proportional to $N$.)
Show that the shift cipher (see Section 2.1) satisfies the conditions of part (a), and explain how to attack the shift cipher mod 26 using two lists of length 6. (Of course, you could also find the key by simply subtracting the plaintext from the ciphertext; therefore, the point of this part of the problem is to illustrate part (a).)

Alice uses double encryption with a block cipher to send messages to Bob, so $c={E}_{{K}_{1}}({E}_{{K}_{2}}(m))$ gives the encryption. Eve obtains a plaintext–ciphertext pair $(m\text{,}\text{}c)$ and wants to find ${K}_{1}\text{,}\text{}{K}_{2}$ by the Birthday Attack. Suppose that the output of ${E}_{K}$ has $N$ bits. Eve computes two lists:
${E}_{K}(m)$ for $3\cdot {2}^{N/2}$ randomly chosen keys $K\text{.}$
${D}_{L}(c)$ for $3\cdot {2}^{N/2}$ randomly chosen keys $L$.
Why is there a very good chance that Eve finds a key pair $(L\text{,}\text{}K)$ such that $c={E}_{L}({E}_{K}(m))$ ?
Why is it unlikely that $(L\text{,}\text{}K)$ is the correct key pair? (Hint: Look at the analysis of the MeetintheMiddle Attack in Section 6.5.)
What is the difference between the MeetintheMiddle Attack and what Eve does in this problem?

Each person who has ever lived on earth receives a deck of 52 cards and thoroughly shuffles it. What is the probability that two people have the cards in the same order? It is estimated that around $1.08\times {10}^{11}$ people have ever lived on earth. The number of shuffles of 52 cards is $52!\approx 8\times {10}^{67}$.

Let $p$ be a 300digit prime. Alice chooses a secret integer $k$ and encrypts messages by the function ${E}_{k}(m)={m}^{k}\text{\hspace{0.17em}}(\text{mod}\text{\hspace{0.17em}}p)$.
Suppose Eve knows a cipher text $c$ and knows the prime $p$. She captures Alice’s encryption machine and decides to try to find $m$ by a birthday attack. She makes two lists. The first list contains $c\cdot {E}_{k}(x{)}^{1}\text{\hspace{0.17em}}(\text{mod}\text{\hspace{0.17em}}p)$ for some random choices of $x$. Describe how to generate the second list, state approximately how long the two lists should be, and describe how Eve finds $m$ if her attack is successful.
Is this attack practical? Why or why not?

There are approximately $3\times {10}^{147}$ primes with 150 digits. There are approximately ${10}^{85}$ particles in the universe. If each particle chooses a random 150digit prime, do you think two particles will choose the same prime? Explain why or why not.

If there are five people in a room, what is the probability that no two of them have birthdays in the same month? (Assume that each person has probability 1/12 of being born in any given month.)

You use a random number generator to generate ${10}^{9}$ random 15digit numbers. What is the probability that two of the numbers are equal? Your answer should be accurate enough to say whether it is likely or unlikely that two of the numbers are equal.

Nelson has a hash function ${H}_{1}$ that gives an output of 60 bits. Friends tell him that this is not a big enough output, so he takes a strong hash function ${H}_{2}$ with a 200bit output and uses $H(x)={H}_{2}({H}_{1}(x))$ as his hash function. That is, he first hashes with his old hash function, then hashes the result with the strong hash function to get a 200bit output, which he thinks is much better. The new hash function $H$ can be computed quickly. Does it have preimage resistance, and does it have strong collision resistance? Explain your answers. (Note: Assume that computers can do up to ${2}^{50}\approx {10}^{15}$ computations for this problem. Also, since it is essentially impossible to prove rigorously that most hash functions have preimage resistance or collision resistance, if your answer to either of these is “yes” then your explanation is really an explanation of why it is probably true.)

Bob signs contracts by signing the hash values of the contracts. He is using a hash function $H$ with a 50bit output. Eve has a document $M$ that states that Bob will pay her a lot of money. Eve finds a file with ${10}^{9}$ documents that Bob has signed. Explain how Eve can forge Bob’s signature on a document (closely related to $M$) that states that Bob will pay Eve a lot of money. (Note: You may assume that Eve can do up to ${2}^{30}$ calculations.)

This problem derives the formula (12.1) for the probability of at least one match in a list of length $r$ when there are $N$ possible birthdays.
Let $f(x)=ln(1x)+x$ and $g(x)=ln(1x)+x+{x}^{2}$. Show that ${f}^{\prime}(x)\le 0$ and ${g}^{\prime}(x)\ge 0$ for $0\le x\le 1/2$.
Using the facts that $f(0)=g(0)=0$ and $f$ is decreasing and $g$ is increasing, show that
$$x{x}^{2}\le ln(1x)\le x\text{\hspace{1em}}\text{\hspace{0.17em}}\text{for}\text{\hspace{0.17em}}0\le x\le 1/2.$$Show that if $r\le N/2$, then
$${\displaystyle \frac{(r1)r}{2N}}{\displaystyle \frac{{r}^{3}}{3{N}^{2}}}\le \sum _{j=1}^{r1}ln\left(1{\displaystyle \frac{j}{N}}\right)\le {\displaystyle \frac{(r1)r}{2N}}\text{.}$$(Hint: $\sum _{j=1}^{r1}j=(r1)r/2$ and $\sum _{j=1}^{r1}{j}^{2}=(r1)r(2r1)/6<{r}^{3}/3$.)
Let $\lambda ={r}^{2}/(2N)$ and assume that $\lambda \le N/8$ (this implies that $r\le N/2$). Show that
$${e}^{\lambda}{e}^{{c}_{1}/\sqrt{N}}\le \prod _{j=1}^{r1}\left(1{\displaystyle \frac{j}{N}}\right)\le {e}^{\lambda}{e}^{{c}_{2}/\sqrt{N}}\text{,}\text{}$$with ${c}_{1}=\sqrt{\lambda /2}{\displaystyle \frac{1}{3}}(2\lambda {)}^{3/2}$ and ${c}_{2}=\sqrt{\lambda /2}$.
Observe that when $N$ is large, ${e}^{c/\sqrt{N}}$ is close to 1. Use this to show that as $N$ becomes large and $\lambda $ is constant with $\lambda \le N/8$, then we have the approximation
$$\prod _{j=1}^{r1}\left(1{\displaystyle \frac{j}{N}}\right)\approx {e}^{\lambda}\text{.}$$

Suppose $f(x)$ is a function with $n$bit outputs and with inputs much larger than $n$ bits (this implies that collisions must exist). We know that, with a birthday attack, we have probability 1/2 of finding a collision in approximately ${2}^{n/2}$ steps.
Suppose we repeat the birthday attack until we find a collision. Show that the expected number of repetitions is
$$1\cdot {\displaystyle \frac{1}{2}}+2\cdot {\displaystyle \frac{1}{4}}+3\cdot {\displaystyle \frac{1}{8}}+4\cdot {\displaystyle \frac{1}{16}}+\cdots =2$$(one way to evaluate the sum, call it $S$, is to write $S{\displaystyle \frac{1}{2}}S={\displaystyle \frac{1}{2}}+(21){\displaystyle \frac{1}{4}}+(32){\displaystyle \frac{1}{8}}+\cdots =1$).
Assume that each evaluation of $f$ takes time a constant times $n$. (This is realistic since the inputs needed to find collisions can be taken to have $2n$ bits, for example.) Show that the expected time to find a collision for the function $f$ is a constant times $n\phantom{\rule{thinmathspace}{0ex}}{2}^{n/2}$.
Show that the expected time to produce the messages ${m}_{0}\text{,}\text{}\text{\hspace{0.17em}}{m}_{0}^{\prime}\text{,}\text{}\dots \text{,}\text{}\text{\hspace{0.17em}}{m}_{t1}\text{,}\text{}\text{\hspace{0.17em}}{m}_{t1}^{\prime}$ in Section 12.2 is a constant times $tn\text{\hspace{0.17em}}{2}^{n/2}$.

Suppose we have an iterative hash function, as in Section 11.3, but suppose we adjust the function slightly at each iteration. For concreteness, assume that the algorithm proceeds as follows. There is a compression function $f$ that operates on inputs of a fixed length. There is also a function $g$ that yields outputs of a fixed length, and there is a fixed initial value $IV$. The message is padded to obtain the desired format, then the following steps are performed:
Split the message $M$ into blocks ${M}_{1}\text{,}\text{}{M}_{2}\text{,}\text{}\dots \text{,}\text{}{M}_{\ell}$.
Let ${H}_{0}$ be the initial value $IV$.
For $i=1\text{,}\text{}2\text{,}\text{}\dots \text{,}\text{}\ell $, let ${H}_{i}=f({H}_{i1}\text{,}\text{}\phantom{\rule{thinmathspace}{0ex}}{M}_{i}g(i))$.
Let $H(M)={H}_{\ell}$.
Show that the method of Section 12.2 can be used to produce multicollisions for this hash function.

Some of the steps of SRP are similar to the DiffieHellman key exchange. Why not use DiffieHellman to log in, using the following protocol? Alice and the server use DiffieHellman to establish a key $K$. Or they could use a public key method to transmit a secret key $K$ from the server to Alice. Then they use $K$, along with a symmetric system such as AES, to submit Alice’s password $P$. Finally, the hash of the password is compared to what is stored in the computer’s password file.
Show how Eve can do an intruderinthemiddle attack and obtain Alice’s password.
In order to avoid the attack in part (a), Alice and the server decide that Alice should send the hash of her password. Show that if Eve uses an intruderinthemiddle attack, then she can log in to the server, pretending to be Alice.
Alice and the server have another idea. The server sends Alice a random $r$ and Alice sends $H(rP)$ to the server. Show how Eve can use an intruderinthemiddleattack to log in as Alice.

Suppose that in SRP, the number $u$ is chosen randomly by the server and sent to Alice at the same time that $s$ is sent. Suppose Eve has obtained $v$ from the server’s password file. Eve chooses a random $a$, computes $A\equiv {g}^{a}{v}^{u}$ mod $p$, and sends this value of $A$ to the server. Then Eve computes $S$ as $(B3v{)}^{a}$ mod $p$. Show that these computations appear to be valid to the server, so Eve can log in as Alice.