### Q1. Collision resistant Hash Functions

Considering that \(H\) is a collision-resistant hash function, the following hash constructions are also collision-resistant:
- **1; 2; 4; 7; 8**

Constructions **3**, **5**, and **6** are **not collision-resistant** because:

- **3:** For any message, the hash value is always $H(64)$; therefore, every input collides to the same value.

- **5:** By reducing the hash size from 64 bits to 10 bits, we greatly increase the probability of finding a collision.  
  In other words, by the birthday paradox, there exists an efficient probabilistic algorithm that finds collisions with about $2^{5}$ attempts.

- **6:** To attack this construction, it is enough to pick messages $m_0$ and $m_1$ that share the same prefix $p$ except for the final two bits.  
  For example, if $m_0 = p || 00$ and $m_1 = p || 11$, then  
  $H \big(m_0[0 \ldots |m_0| - 2]\big) = H\big(m_1[0 \ldots |m_1| - 2]\big)$.

### Q2: Rho method to find Hash collisions

#### Code in `rho_exercise.py`

The `rho` function implements the **Floyd's cycle-finding algorithm** (Tortoise and Hare), which is the core of the Rho method, to find a collision in the sequence of iterated hash values. The process involves finding the meeting point of a single-step pointer ($\text{hi}$) and a double-step pointer ($\text{hi\_prime}$) in the hash value sequence. Once the meeting point is found, the two pointers are advanced step-by-step from the sequence start ($\text{h0}$) and the meeting point ($\text{hi}$) until their next hash outputs are equal, identifying the inputs ($m_0, m_1$) that form the collision.

```python
def rho(h0):
	print("Hash is "+str(8*L)+" bits")

	# 1: Initialize two pointers (Floyd's algorithm)
	# hi: 'Tortoise' - single step: h_i+1 = H(h_i)
	# hi_prime: 'Hare' - double step: h'_i+1 = H(H(h'_i))
	hi = h0
	hi_prime = h0

	# Advance the pointers once/twice to ensure the first check is not h0=h0
	# h2 = H(h1) and h2' = H(H(h1')) 
	hi = H(hi)
	hi_prime = H(H(hi_prime))
	
	iterations = 1 

	# 2: Find the meeting point (where the loop is first detected)
	# Iterate until h_i+1 = h'_i+1
	while hi != hi_prime:
		# Compute h_i+2 = H(h_i+1)
		hi = H(hi)
		# Compute h'_i+2 = H(H(h'_i+1))
		hi_prime = H(H(hi_prime))
		iterations += 1

	print(f"Loop detected after {iterations} iterations where hi = hi_prime.")
	
	# 3: Find the collision inputs (m0, m1)
	# Reset one pointer to the start (h0) and keep the other at the meeting point (hi).
	m0 = h0 # Reset to the start of the sequence
	m1 = hi # Stays at the meeting point (H_k)
	
	# Advance both pointers one step at a time until H(m0) == H(m1).
	while H(m0) != H(m1):
		m0 = H(m0)
		m1 = H(m1)

	print("Collision found! :-)")
	return (m0, m1)
```

#### Succinct Analysis: How long does it take to find these collisions?

The hash function $H$ is truncated to $L=5$ bytes, resulting in an output space of $n = 8L = \mathbf{40}$ **bits**. The total size of the hash space is $N = 2^{40}$.

##### Time in Cycle Iterations and Real Time

The Rho method's expected complexity is based on the **Birthday Attack** paradox (not really a paradox, but regardless). The expected number of samples needed to find a collision in a space of size $N$ is $\mathbf{O}(\sqrt{N})$. In simpler terms, $\sqrt{2^n} = 2^{n/2}$, where $n$ is the number of bits in the hash output.

1.  **Expected Hash Evaluations (Cycles)**:
    The expected number of $H$ function evaluations is $\approx 3 \times \sqrt{2^n} = 3 \times 2^{n/2}$.
    For $L=5$ ($n=40$), the total expected number of evaluations is:
    $$\approx 3 \times 2^{40/2} = 3 \times 2^{20} \approx \mathbf{3.15 \text{ million}}$$

2.  **Real Time**: Given the low number of required hash evaluations ($\sim 3.15$ million), the collision for $L=5$ is found **very quickly**, especially on modern computing systems.

##### How Does This Scale with $L$?

The time complexity scales almost **exponentially** with the output length $L$ (in bytes):

$$\text{Complexity} = \mathbf{O}(2^{n/2}) = \mathbf{O}(2^{8L/2}) = \mathbf{O}(2^{4L})$$

The computational cost to find a collision is multiplied by **$2^8 = 256$** for every $\mathbf{1 \text{-byte}}$ increase in $L$. This exponential growth is why strong hash functions, such as the full SHA256 ($L=32$ bytes), remain collision resistant due to the computationally unfeasible $2^{128}$ operations required.


### Q3. Weak ciphers


