A Generalized Birthday Problem

Extended Abstract
David Wagner
Conference paper, part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with subexponential running time when k is unrestricted.

We also give several applications to cryptanalysis, describing new subexponential algorithms for constructing one-more forgeries for certain blind signature schemes, for breaking certain incremental hash functions, and for finding low-weight parity check equations for fast correlation attacks on stream ciphers. In these applications, our algorithm runs in O(2^{2√n}) time for an n-bit modulus, demonstrating that moduli may need to be at least 1600 bits long for security against these new attacks. As an example, we describe the first-known attack with subexponential complexity on Schnorr and Okamoto-Schnorr blind signatures over elliptic curve groups.
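The k = 4 case that the abstract credits with cube-root running time, worked through as an added example (this is illustrative code, not the paper's own): the two pairs of lists are first joined on their low ℓ bits, and the two joined lists are then matched on the remaining bits with an ordinary collision search. The choice ℓ = n/3, list sizes of 2^(n/3), the random instance generator and the planted solution are assumptions made for the demo.

```python
# Added example: the k = 4 case of the generalized birthday problem in Python.
# Assumptions (not from the paper): n divisible by 3, lists of 2^(n/3) random
# n-bit values, and one solution planted so the demo is deterministic.
import random
from collections import defaultdict

def join_low_bits(a, b, ell):
    """Pairs (x in a, y in b) whose low ell bits cancel, as (x ^ y, x, y)."""
    mask = (1 << ell) - 1
    index = defaultdict(list)                 # low bits -> elements of a
    for x in a:
        index[x & mask].append(x)
    return [(x ^ y, x, y) for y in b for x in index.get(y & mask, ())]

def four_list_xor(lists, ell):
    """One element per list with x1 ^ x2 ^ x3 ^ x4 == 0, or None.

    Step 1 joins L1,L2 and L3,L4 on the low ell bits; with lists of size
    2^(n/3) and ell = n/3 each join keeps about 2^(n/3) survivors.  Step 2
    is a plain collision search between the survivors on the remaining
    n - ell bits, which their low bits already satisfy.
    """
    l1, l2, l3, l4 = lists
    left = {}
    for v, x1, x2 in join_low_bits(l1, l2, ell):
        left.setdefault(v, (x1, x2))          # one witness per xor value
    for v, x3, x4 in join_low_bits(l3, l4, ell):
        if v in left:                         # x1 ^ x2 == x3 ^ x4
            return left[v] + (x3, x4)
    return None

def check_solution(sol, lists):
    """Independent check: each value is drawn from its list and the xor is 0."""
    return (sol is not None and all(x in l for x, l in zip(sol, lists))
            and sol[0] ^ sol[1] ^ sol[2] ^ sol[3] == 0)

def make_instance(n, seed):
    """Constructed input: 4 lists of 2^(n/3) random n-bit values plus one
    planted solution whose pairs cancel on the low bits, so step 1 keeps it."""
    rng = random.Random(seed)
    ell = n // 3
    lists = [[rng.getrandbits(n) for _ in range(1 << ell)] for _ in range(4)]
    x1, x3 = lists[0][0], lists[2][0]
    x2 = x1 ^ (rng.getrandbits(n - ell) << ell)   # x1 ^ x2 has zero low bits
    lists[1][0], lists[3][0] = x2, x1 ^ x2 ^ x3   # then x3 ^ x4 == x1 ^ x2
    return lists, ell

if __name__ == "__main__":
    lists, ell = make_instance(30, seed=2002)
    print(four_list_xor(lists, ell))
```

With random (unplanted) lists of this size the expected number of solutions surviving step 1 is about one, so a run may legitimately return None; the planted solution only makes the demo repeatable.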





Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

David Wagner, University of California at Berkeley, USA
