The Birthday Paradox question is stated as follows:
Given that there are $k$ people in a room, what is the minimum value of $k$ that the probability that any two people in the room share a birthday is at least $\frac{1}{2}$
We can note the following events:
- A = nobody shares a birthday
- B = At least two people share a birthday
The number of unique assignments can be determined by the following method:
- Label each person with a number i=1 to k
- Assign one day to person 1 = 365
- Choose one day out of the remaining (365 - 1) = 364 days to person 2
- Repeat the above process until each person k is assigned a day
Therefore, number of unique assignments of birthdays = $365364363*\cdots*(365 - (k - 1))$
Total number of assignments =
Therefore the probability that nobody shares a birthday is
Therefore the probability that at least two people share a birthday is then
We can calculate this value emprirically until we exceed
This yields our required probability
For our birthday problem
Taking log and negating
Therefore, we can see that
In general, for any event space size
For the hash collision problem, a n-bit hash will have
For a 64-bit key, this would require computation of
Alice and Bob are two individuals who share a secret key for encrypting their communication using a symmetric cryptographic scheme.
Assuming that no one else has the secret key, it holds that Alice and Bob have the same key. In this situation, it is possible for Bob to create a message, encrypt it using the secret key to generate a ciphertext and claim that Alice had sent it.
Therefore, Alice can, under this possibility, deny sending the message to Bob. Thus, non-repudation of origin is not satisfied by a symmetric cryptographic scheme.
If the length of the message digest is
Assuming that the adversary can perform
However, according to the birthday paradox, a collision is very likely to be found after evaluating
Therefore, if
Since this time frame is very small, it is quite evident that
Let
####19.1 $ MAC_k(M[1] \dots M[m] = E_k[M[1]] \oplus E_k[M[2]] \oplus \dots \oplus E_k[M[m]] $
Let $ m_1 = 01 $ and $ m_2 = 10 $ where
$ MAC_k(m_1) = E_k[0] \oplus E_k[1] $
$ MAC_k(m_2) = E_k[1] \oplus E_k[0]$
Since
Let
Consider the following messages where
Computing the MAC of the above messages: $ MAC_k(m_1) = E[<1>||X] \oplus E[<2>||X] $ $ MAC_k(m_2) = E[<1>||X] \oplus E[<2>||Y] $ $ MAC_k(m_3) = E[<1>||Y] \oplus E[<2>||Y] $ $ MAC_k(m_4) = E[<1>||Y] \oplus E[<2>||X] $
Performing $ MAC_k(m_1) \oplus MAC_k(m_2) \oplus MAC_k(m_3)$: $ = E[<1>||X] \oplus E[<2>||X] \oplus E[<1>||X] \oplus E[<2>||Y] \oplus E[<1>||Y] \oplus E[<2>||Y]$ $ = E[<1>||Y] \oplus E[<2>||X] = MAC_k(m_4) $ $ \implies MAC_k(m_1) \oplus MAC_k(m_2) \oplus MAC_k(m_3) = MAC_k(m_4)$
Therefore, the above MAC scheme is susceptible to forgery attacks.
To make a message a multiple of block length $ n $, padding is required. If a string of $0$s is used to pad the message, then it may lead of a vulnerability under CMA as follows:
Let $ m $ be a message of length
The corresponding MACs produced are: $ MAC_k(m) = E_k[m||\underbrace{0 \dots 0}{n - |m| }]$ $ MAC_k(m^\prime) = E_k[m||0||\underbrace{0 \dots 0}{n - |m| - 1}] = E_k[m||\underbrace{0 \dots 0}_{n - |m|}]$ $ \implies MAC_k(m) = MAC_k(m^\prime)$
Therefore, the above scheme is vulnerable under CMA
CBC-MAC is semantically secure for a fixed number of blocks, given that $ E $ is semantically secure.
If a variable number of blocks are allowed, the scheme can be broken as follows:
Let $ m_1 $ and $ m_2 $ be two messages who size equals the block size. Compute the tags for the two message as follows:
Consider the messsage $ m^\prime = m1 || m2 $. According to the CBC-MAC scheme:
We can observe that the above expression can be written as:
Therefore, we can perform the following forgery: $ m^{\prime\prime} = m_2 \oplus MAC_1 $ $ \implies MAC^{\prime\prime} = MAC_k(m^{\prime\prime}) = E_k[m^{\prime\prime}] = E_k[m_2 \oplus MAC_1] = MAC^{\prime}$
Therefore, the CBC-MAC under variable block size is susceptible to forgery under CMA.