Hash Functions


Slide #1: Hash Functions
CSC 482/582: Computer Security

Slide #2: Topics
1. Hash Functions
2. Applications of Hash Functions
3. Secure Hash Functions
4. Collision Attacks
5. Pre-Image Attacks
6. Current Hash Functions
7. HMAC: Keyed Hash Functions

Slide #3: Hash Functions
Hash function h: M -> MD
  Input M: variable-length message
  Output MD: fixed-length "message digest" of the input
Many inputs produce the same output (called a hash collision): there is a limited number of outputs but an infinite number of inputs.
Avalanche effect: a small change to the input produces a large change in the output.
Example hash function: sum the 32-bit words of the message mod 2^32.
[Figure: M -> h -> MD = h(M)]

Slide #4: Applications of Hash Functions
Verifying file integrity
  How do you know that a file you downloaded was not corrupted during download?
Storing passwords (confidentiality)
  To avoid compromise of all passwords by an attacker who has gained admin access, store hashes of the passwords rather than the passwords themselves. Additional features are needed for secure password storage.
Digital signatures (authentication)
  Cryptographic verification that data was downloaded from the intended source and not modified. Used for operating system patches and packages.

Slide #5: Why attack hash functions?
Create a forged security certificate to
  make a phishing site appear legitimate;
  bypass code-signing checks on updates.
Distribute malware
  Replace a legitimate app with a malware app. Ensure both apps have the legitimate hash value, so victims cannot distinguish between them.
Forge digital signatures
  Replace a contract where the victim pays $50 to the attacker with one where the victim pays $5,000.

Slide #6: Flame Malware
Cyber espionage tool discovered in 2012
  Records audio, screenshots, Bluetooth, and file data.
  Exfiltrates data via an SSL-encrypted channel.
Bypassed code-signing security in MS Windows
  Used a hash collision to create a certificate apparently signed by the Microsoft Certificate Authority.
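The following is an added example, not code from the CSC 482/582 slides: it implements the slide-3 toy hash ("sum the 32-bit words of the message mod 2^32") and compares it with SHA-256 on the two properties the slides name, collisions and the avalanche effect. The function names, the little-endian word order, and the sample messages are all assumptions made for the demonstration.

```python
"""Added example (not from the CSC 482/582 slides): the slide-3 toy hash,
'sum the 32-bit words of the message mod 2^32', next to SHA-256, checked
for collisions and for the avalanche effect. Sample messages are constructed."""
import hashlib
import struct


def sum32_hash(msg: bytes) -> int:
    """Toy hash from slide 3: add the message's 32-bit little-endian words
    mod 2^32. The last partial word is zero-padded so any length hashes."""
    padded = msg + b"\x00" * (-len(msg) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def sum32_digest(msg: bytes) -> bytes:
    """Same toy hash, returned as a 4-byte digest so it can be bit-compared."""
    return struct.pack("<I", sum32_hash(msg))


def sha256_digest(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(hash_fn, m1: bytes, m2: bytes) -> float:
    """Fraction of output bits that flip between hash_fn(m1) and hash_fn(m2).
    A good hash flips about half of them for a tiny input change."""
    d1, d2 = hash_fn(m1), hash_fn(m2)
    return hamming_distance(d1, d2) / (8 * len(d1))


def swap_first_two_words(msg: bytes) -> bytes:
    """Reorder the first two 32-bit words. Addition is commutative, so the
    toy sum hash collides, while a real hash output changes completely."""
    return msg[4:8] + msg[:4] + msg[8:]


if __name__ == "__main__":
    m = b"pay $50 to attacker"  # constructed sample message
    m2 = swap_first_two_words(m)
    print("sum32 collision on reordered words:", sum32_hash(m) == sum32_hash(m2))
    print("sha256 collision on reordered words:", sha256_digest(m) == sha256_digest(m2))
    # The slide-7 pair: the toy hash barely changes, SHA-256 flips ~half its bits.
    print("sum32 avalanche:", avalanche_ratio(sum32_digest, b"Cryptography", b"Cryptography1"))
    print("sha256 avalanche:", avalanche_ratio(sha256_digest, b"Cryptography", b"Cryptography1"))
```

Appending "1" to "Cryptography" changes the toy hash by exactly 0x31, so only the low bits of its output move; any word reordering collides outright. That is why a checksum of this kind detects accidental corruption but says nothing against a deliberate substitution.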
  The malware was digitally signed with the forged certificate.
  Code signing accepted the malware as valid because the certificate appeared to be signed by the MS CA.
The attack could be used as a MITM attack on MS Update
  Attacker substitutes a Windows patch with malware.

Slide #7: Avalanche Effect
The avalanche effect is shown when a small change to the input of a block cipher or hash function makes a large change in the output.
Hashing "Cryptography":
  MD5 (128-bit) = 64ef07ce3e4b420c334227eecb3b3f4c
  SHA1 (160-bit) = b804ec5a0d83d19d8db908572f51196505d09f98
Hashing "Cryptography1":
  MD5 (128-bit) = 443d4fb1fedeb86b69582169c2719c24
  SHA1 (160-bit) = 838498e48147106062a64c523ddfe11bd07a5eac

Slide #8: Secure Hash Function
A function h = hash(m) must have 3 properties to be secure:
1. Pre-image resistance: given a hash h, it should be difficult to find any message m such that h = hash(m). Functions that lack this property are vulnerable to pre-image attacks.
2. Second pre-image resistance: given an input m1, it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) = hash(m2). Functions that lack this property are vulnerable to second-pre-image attacks.
3. Collision resistance: it should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2). Such a pair is called a cryptographic hash collision. This property is sometimes referred to as strong collision resistance. It requires a hash value at least twice as long as that required for pre-image resistance; otherwise collisions may be found by a birthday attack.

Slide #9: Pre-image Attacks
A pre-image attack attempts to find a message m that has a specific hash value h, such that h = hash(m). Such an attack would allow an attacker to substitute a malicious document matching the hash of a valid document, enabling SSL certificate or digitally signed contract forgeries.
A brute-force attack is possible with 2^n operations, where n is the length of the hash value in bits. For n >= 64, brute force is considered infeasible.
A one-way function is pre-image resistant.
No practical pre-image attacks exist against widely used hash functions. An MD5 collision can be found in 2^123.4 operations.

Slide #10: Collision Attacks
A collision attack attempts to find two different messages m1 and m2 such that hash(m1) = hash(m2).
Collisions must exist because there are more inputs than fixed-size outputs for hash functions. Pigeonhole principle: if there are n containers for n+1 objects, then at least one container will have 2 objects in it.
Two types of collision attacks exist:
  Birthday attack
  Chosen-prefix attack
Collision attacks do not impact password hashing, but they do allow forged certificates and signatures.

Slide #11: The Birthday Paradox
The birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday.
By the pigeonhole principle, the probability reaches 100% when the number of people reaches 367. However, 99% probability is reached with just 57 people, and 50% probability with 23 people.
The birthday paradox is a violation of our intuition, not a true paradox. It arises because the chance of shared birthdays increases with the number of unique pairs of people, which is n(n-1)/2 for n people.

Slide #12: Birthday Attack
A birthday attack exploits the mathematics behind the birthday problem to find hash collisions.
Suppose a hash function h has a b-bit output. Therefore there are 2^b possible hash values.
The attacker generates many random messages, computes the hash of each one, and searches for pairs of messages with the same hash value.
By similar mathematics as in the birthday problem, the attacker can find a collision with about 2^(b/2) messages.
Slide #13: Birthday Attack Analysis
The birthday attack procedure follows these steps:
1. Randomly generate a sequence of plaintexts X_1, X_2, X_3, ...
2. For each X_i compute y_i = h(X_i) and test whether y_i = y_j for some j < i.
3. Stop as soon as a collision has been found.
If there are m possible hash values, the probability that the i-th plaintext does not collide with any of the previous i - 1 plaintexts is 1 - (i - 1)/m.
The probability F_k that the attack fails (no collisions) after k plaintexts is
  F_k = (1 - 1/m)(1 - 2/m)(1 - 3/m) ... (1 - (k - 1)/m)
Using the standard approximation 1 - x ≈ e^{-x}:
  F_k ≈ e^{-(1/m + 2/m + 3/m + ... + (k-1)/m)} = e^{-k(k-1)/(2m)}
The attack succeeds or fails with probability 1/2 when F_k = 1/2, that is, when e^{-k(k-1)/(2m)} = 1/2, which gives k ≈ 1.17 m^{1/2}.
We conclude that a hash function with b-bit values provides about b/2 bits of security.

Slide #14: Chosen Prefix Attacks
A chosen-prefix attack is a hash collision attack that starts with two different prefixes p1, p2 and attempts to find two suffixes m1 and m2 such that hash(p1 ∥ m1) = hash(p2 ∥ m2). Such an attack allows custom creation of two completely different documents with identical hashes.
Example attack
  Attacker creates two SSL certificate files for two different domains but with identical hashes.
  Attacker asks a CA to sign the certificate for one domain.
  Attacker uses the certificate to create a phishing site for the other domain.
  The user's browser successfully validates the SSL certificate signature and tells the user that the phishing site is the real site.

Slide #15: Merkle–Damgård construction
Select a cryptographic hash function f(m, d).
Apply it repeatedly to fixed-size blocks m_i of the message.
Use the output d_i of the previous stage as the second input.
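To check the numbers on slides 11 and 13, here is an added example (not code from the slides): it evaluates F_k exactly and with the e^{-k(k-1)/2m} approximation, derives k ≈ 1.17 m^{1/2}, and runs the three-step search from slide 13 against SHA-256 truncated to a few bits so that a collision appears in milliseconds. Using truncated SHA-256 as the b-bit hash h, and all function names, are assumptions of this example.

```python
"""Added example (not from the CSC 482/582 slides): birthday-paradox
probabilities (slide 11) and the birthday-attack analysis (slide 13),
computed exactly, approximated, and checked by a collision search on a
truncated hash. The truncated-SHA-256 stand-in for h is an assumption."""
import hashlib
import math
import os


def fail_probability_exact(k: int, m: int) -> float:
    """F_k = (1 - 1/m)(1 - 2/m)...(1 - (k-1)/m): no collision among k samples."""
    f = 1.0
    for i in range(1, k):
        f *= 1.0 - i / m
    return f


def fail_probability_approx(k: int, m: int) -> float:
    """Slide-13 approximation F_k ~ e^{-k(k-1)/2m}."""
    return math.exp(-k * (k - 1) / (2 * m))


def collision_probability(k: int, m: int = 365) -> float:
    """Chance that at least two of k people (or samples) share a value."""
    return 1.0 - fail_probability_exact(k, m)


def samples_for_half_chance(m: int) -> float:
    """Solve e^{-k^2/2m} = 1/2 for k: k = sqrt(2 ln 2) * sqrt(m) ~ 1.17 sqrt(m)."""
    return math.sqrt(2 * math.log(2)) * math.sqrt(m)


def truncated_sha256(msg: bytes, bits: int) -> int:
    """A b-bit 'hash' made from the top `bits` bits of SHA-256 (assumed stand-in)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def birthday_search(bits: int, rng_bytes=os.urandom):
    """Slide-13 procedure: generate random X_i, hash each, stop at the first
    y_i == y_j with j < i. Returns (hashes computed, X_i, X_j)."""
    seen = {}      # y -> the X that produced it
    count = 0
    while True:
        x = rng_bytes(16)
        count += 1
        y = truncated_sha256(x, bits)
        if y in seen and seen[y] != x:
            return count, x, seen[y]
        seen[y] = x


def average_search_length(bits: int, trials: int) -> float:
    """Mean number of hashes until a collision, to compare with 1.17 * 2^(bits/2)."""
    return sum(birthday_search(bits)[0] for _ in range(trials)) / trials


if __name__ == "__main__":
    print(f"23 people: {collision_probability(23):.3f}, 57 people: {collision_probability(57):.3f}")
    bits = 24
    print(f"{bits}-bit hash: ~{samples_for_half_chance(2 ** bits):.0f} hashes for a 50% chance;")
    print(f"observed mean over 20 searches: {average_search_length(bits, 20):.0f}")
```

With a 24-bit output the search needs only a few thousand hashes, which is the b/2 conclusion of slide 13 in miniature: halving the effective security is what makes 2^(b/2) the figure to compare against an attacker's budget, not 2^b.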
Start with the initialization vector d_0 = IV.

Slide #16: Message-Digest Algorithm 5 (MD5)
Developed by Ron Rivest in 1991.
Uses 128-bit hash values.
Merkle–Damgård construction.
Still widely used in legacy applications even though collision vulnerabilities allow forgery of digital signatures and SSL certificates.

Slide #17: MD5 Collision Attack History
1. Initial attacks (2004) could only find collisions in files that differed only in the last few bytes.
2. Early attacks (2008) used a cluster of 200 PS3s for a couple of days.
3. Current attacks can find a collision in seconds on a single PC.
Lesson: cryptanalytic attacks always improve. Change algorithms before they do.

Slide #18: Secure Hash Algorithm (SHA-1)
Developed by the NSA; approved as a federal standard by NIST.
SHA-0 (1993) and SHA-1 (1995).
160-bit hash values.
Merkle–Damgård construction.
SHA-1 was developed to correct the insecurity of SHA-0.
SHA-1 is still found in legacy applications.
Vulnerabilities are less severe than those of MD5:
  A SHA-1 collision can be found in 2^69 operations.
  A SHA-0 collision can be found in 2^39 operations.

Slide #19: SHA-2
Developed by the NSA; approved as a federal standard by NIST.
SHA-2 (2001).
224-, 256-, 384-, or 512-bit hash values.
Merkle–Damgård construction.
Current recommended hash function for security applications like digital signatures or SSL certificates.
Cryptanalysts are making progress but there are no breaks: collisions can only be found if the hash algorithm is modified by reducing the number of rounds, from 80 to 46 for SHA-512 or from 64 to 41 for SHA-256.

Slide #20: SHA-3
Winner of the open NIST competition (2007-2012); final standard expected by 2014 Q2.
SHA-3 (2012).
224-, 256-, 384-, or 512-bit hash values.
Keccak was the winning algorithm out of a field of 64.
An alternative to SHA-2, not a replacement, as SHA-2 is not broken.
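Here is an added example (not code from the slides and not MD5's or SHA-1's real compression function) showing the chaining from slide 15: a fixed-size compression function f(m, d) applied block by block, starting from d_0 = IV, with the length-strengthening padding that makes the last block a whole block. The compression function (SHA-256 over d || m, truncated), the block and state sizes, and the IV are all assumptions chosen to keep the structure visible.

```python
"""Added example (not from the CSC 482/582 slides): a toy Merkle–Damgård
construction. f(m, d), the block/state sizes and the IV are assumed values;
real MD5/SHA-1 use 64-byte blocks and their own compression functions."""
import hashlib
import struct

BLOCK_SIZE = 16                 # bytes per message block m_i (toy value)
STATE_SIZE = 8                  # bytes of chaining value d_i (toy value)
IV = bytes(range(STATE_SIZE))   # constructed initialization vector d_0


def compress(m_i: bytes, d_prev: bytes) -> bytes:
    """Assumed compression function f(m, d): one block plus the previous
    chaining value in, a new chaining value of STATE_SIZE bytes out."""
    assert len(m_i) == BLOCK_SIZE and len(d_prev) == STATE_SIZE
    return hashlib.sha256(d_prev + m_i).digest()[:STATE_SIZE]


def pad(msg: bytes) -> bytes:
    """Merkle–Damgård strengthening: append 0x80, zeros, then the message
    length in bits (64-bit big-endian) so the result is whole blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK_SIZE)
    return padded + struct.pack(">Q", len(msg) * 8)


def split_blocks(padded: bytes) -> list:
    """Cut the padded message into the fixed-size blocks m_1 ... m_n."""
    return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]


def chain_trace(msg: bytes) -> list:
    """Return [d_0, d_1, ..., d_n]: d_0 = IV and d_i = f(m_i, d_{i-1})."""
    states = [IV]
    for m_i in split_blocks(pad(msg)):
        states.append(compress(m_i, states[-1]))
    return states


def md_hash(msg: bytes) -> bytes:
    """The digest is the final chaining value d_n."""
    return chain_trace(msg)[-1]


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"   # constructed input
    for i, d in enumerate(chain_trace(msg)):
        print(f"d_{i} = {d.hex()}")
    print("digest:", md_hash(msg).hex())
```

Each stage sees only (m_i, d_{i-1}), which is what lets the same construction hash a message of any length with a fixed-size state; the length field in the last block is what ties the digest to the message length.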
Built on a sponge function rather than the Merkle–Damgård construction used by MD5, SHA-1, and SHA-2, so that the same cryptanalytic techniques will not work against SHA-3.

HMAC
A keyed-hash message authentication code (HMAC) uses a hash function to calculate a message authentication code (MAC) over a message in combination with a secret cryptographic key.
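As an added example (not code from the slides), the following builds HMAC from a plain hash function using the RFC 2104 inner/outer padding construction, checks it against Python's hmac module, and verifies a tag in constant time. The key, the message, and the function names are constructed for the demonstration.

```python
"""Added example (not from the CSC 482/582 slides): HMAC from a bare hash
function per RFC 2104, compared with Python's hmac module, plus a
constant-time verifier. Key and message values are constructed."""
import hashlib
import hmac


def hmac_from_scratch(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), where K' is
    the key, hashed first if longer than the block size, zero-padded to the
    hash's block size (64 bytes for SHA-256)."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def hmac_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Reference value from the standard library."""
    return hmac.new(key, msg, hash_name).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the MAC and compare in constant time, so the comparison
    itself leaks nothing about how many leading bytes of the tag were right."""
    expected = hmac_stdlib(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"       # constructed secret key
    msg = b"pay $50 to the contractor"  # constructed message
    tag = hmac_from_scratch(key, msg)
    print("HMAC-SHA256:", tag.hex())
    print("matches stdlib:", tag == hmac_stdlib(key, msg))
    print("verify original:", verify_mac(key, msg, tag))
    print("verify altered message:", verify_mac(key, b"pay $5,000 to the contractor", tag))
```

Unlike a bare hash of the message, the tag cannot be recomputed without the key, so altering the message (the slide-5 $50 to $5,000 substitution) invalidates it; the receiver must still compare with hmac.compare_digest rather than ==.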