A

**birthday attack**is an attack on a cryptographical system that exploits the mathematics underlying the birthday paradox. Specifically, if a function yields any of

*n*different outputs with equal probability and

*n*is sufficiently large, then after evaluating the function for about 1.2√

*n*different arguments we expect to have found a pair of arguments

*x*

_{1}and

*x*

_{2}with

*f*(

*x*

_{1}) =

*f*(

*x*

_{2}).

Digital signature systems are susceptible to a birthday attack. A message *m* is typically signed by first computing *f*(*m*), where *f* is a cryptographically secure hash function, and then using some secret key to sign *f*(*m*). Suppose Bob wants to trick Alice into signing a fraudulent contract. Bob prepares a fair contract *m* and a fraudulent one *m'*. He then finds a number of positions where *m* can be changed without changing the meaning, such as inserting commas, empty lines, spaces etc. By combining these changes, he can create a huge number of variations on *m* which are all fair contracts. In a similar manner, he also creates a huge number of variations on the fraudulent contract *m*'. He then applies the hash function to all these variations until he finds a version of the fair contract and a version of the fraudulent contract which have the same hash value. He presents the fair version to Alice for signing. After Alice has signed, Bob takes the signature and attaches it to the fraudulent contract. This signature then "proves" that Alice signed the fraudulent contract.

To avoid this birthday attack, it is recommended that Alice slightly modify any digital contract that's presented to her, before signing it.

The birthday attack can also be used to compute discrete logarithms. Suppose *x* and *y* are elements of some group and *y* is a power of *x*. We want to find the exponent of *x* that gives *y*. A birthday attack computes *x*^{r} for many randomly chosen integers *r* and computes *yx*^{-s} for many randomly chosen integers *s*. After a while, a match will be found: *x*^{r} = *yx*^{-s} which means *y* = *x*^{r+s}.

If the group has *n* elements, then the naive method of trying out all exponents takes about *n*/2 steps on average; the birthday attack is considerably faster and takes fewer than 2√*n* steps on average.