Skip to main content
SpringerLink
Log in

An algorithmic framework for the generalized birthday problem

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

The generalized birthday problem (GBP) was introduced by Wagner in 2002 and has shown to have many applications in cryptanalysis. In its typical variant, we are given access to a function \(H:\{0,1\}^{\ell } \rightarrow \{0,1\}^n\) (whose specification depends on the underlying problem) and an integer \(K>0\). The goal is to find K distinct inputs to H (denoted by \(\{x_i\}_{i=1}^{K}\)) such that \(\sum _{i=1}^{K}H(x_i) = 0\). Wagner’s K-tree algorithm solves the problem in time and memory complexities of about \(N^{1/(\lfloor \log K \rfloor + 1)}\) (where \(N= 2^n\)). In this paper, we improve the best known GBP time-memory tradeoff curve (published independently by Nikolić and Sasaki and also by Biryukov and Khovratovich) for all \(K \ge 8\) from \(T^2M^{\lfloor \log K \rfloor -1} = N\) to \(T^{\lceil (\log K)/2 \rceil + 1 }M^{\lfloor (\log K)/2 \rfloor } = N\), applicable for a large range of parameters. We further consider values of K which are not powers of 2 and show that in many cases even more efficient time-memory tradeoff curves can be obtained. Finally, we optimize our techniques for several concrete GBP instances and show how to solve some of them with improved time and memory complexities compared to the state-of-the-art. Our results are obtained using a framework that combines several algorithmic techniques such as variants of the Schroeppel–Shamir algorithm for solving knapsack problems (devised in works by Howgrave-Graham and Joux and by Becker, Coron and Joux) and dissection algorithms (published by Dinur, Dunkelman, Keller and Shamir).

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Similar content being viewed by others

Notes

  1. GBP formally requires that \(\sum _{i=1}^{K}H(x_i) = 0\), but it is typically easy to tweak GBP algorithms to output \(\{x_i\}_{i=1}^{K}\), such that \(\sum _{i=1}^{K}H(x_i) = s\) for any fixed \(s \in \{0,1\}^n\).

  2. In a sub-linear time-memory tradeoff, the exponent of T is larger than the exponent of M.

  3. This definition does not capture algorithms (such as Minder and Sinclair’s algorithm [11]) that merge the initial lists into larger ones. However, the restriction typically does not result in loss of generality, as an initial merge can be considered as a preparation phase algorithm by defining the function H appropriately.

  4. When the number of expected solutions to the list sum problem is S, then \(A_{K,S}\) typically coincides with \(A_{K}\). The more interesting case is when the number of expected solutions is greater than S and \(A_{K,S}\) could potentially be more efficient than \(A_{K}\).

  5. Our algorithms will also assume that the number of solutions has low variance, hence such constraints have to be set carefully for this to hold.

  6. We note that [1] extended this algorithm to a time-memory tradeoff. However, as it uses memory larger than \(2^m\) (the size of the input lists), we do not consider it in this paper.

  7. We could try to fix additional intermediate target values that the algorithm \(A_{i}\) iterates over internally. However, this generally results in a less efficient tradeoff compared to \(TM^i = N\).

  8. Note that in this section we rename the parameter of basic algorithms from K to P.

  9. Note that the evaluation is performed at K / 2 rather than K.

  10. These algorithms are not optimal for a very small domain size close to \(2^{n/K}\), which is the minimal value required for a solution to exist with high probability. In such cases it is more efficient to apply a final layer of random-walk collision search (as done in [4, 7]). However, the practical relevance of these algorithms is relatively limited and they are beyond the scope of this paper (as we focus on practical tradeoffs for GBP instances with limited domain sizes).

References

  1. Becker A., Coron J., Joux A.: Improved generic algorithms for hard knapsacks. In: Paterson K.G. (ed) Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011. Lecture Notes in Computer Science, vol. 6632, pp. 364–385. Springer, New York (2011).

  2. Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^{n/20}\): how \(1 + 1 = 0\) improves information set decoding. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Lecture Notes in Computer Science, vol. 7237, pp. 520–536. Springer, New York (2012).

  3. Bernstein D.J.: Better price-performance ratios for generalized birthday attacks. In: SHARCS07: Special-Purpose Hardware for Attacking Cryptographic Systems (2007).

  4. Bernstein D.J., Lange T., Niederhagen R., Peters C., Schwabe P.: FSBday. In: Roy B.K., Sendrier N. (eds.) Progress in Cryptology—INDOCRYPT 2009, 10th International Conference on Cryptology in India, New Delhi, India, December 13–16, 2009. Lecture Notes in Computer Science, vol. 5922, pp. 18–38. Springer, New York (2009).

  5. Biryukov A., Khovratovich D.: Equihash: asymmetric proof-of-work based on the generalized birthday problem. In: 23nd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21–24, 2016. The Internet Society (2016).

  6. Canteaut A., Trabbia M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel B. (ed.) Advances in Cryptology—EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14–18, 2000. Lecture Notes in Computer Science, vol. 1807, pp. 573–588. Springer, New York (2000).

  7. Dinur I., Dunkelman O., Keller N., Shamir A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2012. Lecture Notes in Computer Science, vol. 7417, pp. 719–740. Springer, New York (2012).

  8. Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Matsui M. (ed.) Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009. Lecture Notes in Computer Science, vol. 5912, pp. 88–105. Springer, New York (2009).

  9. Howgrave-Graham N., Joux A.: New generic algorithms for hard knapsacks. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110, pp. 235–256. Springer, New York(2010).

  10. Meier W., Staffelbach O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1989).

    Article  MathSciNet  MATH  Google Scholar 

  11. Minder L., Sinclair A.: The extended k-tree algorithm. J. Cryptol. 25(2), 349–382 (2012).

    Article  MathSciNet  MATH  Google Scholar 

  12. Nikolic I., Sasaki Y.: Refinements of the k-tree algorithm for the generalized birthday problem. In: Iwata T., Cheon J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015. Lecture Notes in Computer Science, Part II, vol. 9453, pp. 683–703. Springer, New York (2015).

  13. Schroeppel R., Shamir A.: \(\text{ A } \text{ T }=\text{ O }(2^{n/2})\), \(\text{ S }=\text{ O }(2^{n/4})\) algorithm for certain NP-complete problems. SIAM J. Comput. 10(3), 456–464 (1981).

    Article  MathSciNet  MATH  Google Scholar 

  14. van Oorschot P.C., Wiener M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999).

    Article  MathSciNet  MATH  Google Scholar 

  15. Wagner D.A.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–303. Springer, New York(2002).

Download references

Acknowledgements

The author was supported in part by the Israeli Science Foundation through Grant No. 573/16.

Author information

Authors and Affiliations

  1. Department of Computer Science, Ben-Gurion University, Beersheba, Israel

    Itai Dinur

Authors
  1. Itai Dinur
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Itai Dinur.

Additional information

Communicated by A. Winterhof.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Dinur, I. An algorithmic framework for the generalized birthday problem. Des. Codes Cryptogr. 87, 1897–1926 (2019). https://doi.org/10.1007/s10623-018-00594-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-018-00594-6

Keywords

Mathematics Subject Classification

Search

Navigation