Journal of Cryptology, Volume 24, Issue 1, pp 148–156

Cryptanalysis of the Tillich–Zémor Hash Function

  • Markus Grassl
  • Ivana Ilić
  • Spyros Magliveras
  • Rainer Steinwandt


At CRYPTO ’94, Tillich and Zémor proposed a family of hash functions, based on computing a suitable matrix product in groups of the form \(SL_{2}(\mathbb{F}_{2^{n}})\). We show how to construct collisions between palindromic bit strings of length 2n+2 for Tillich and Zémor’s construction. The approach also yields collisions for related proposals by Petit et al. from ICECS ’08 and CT-RSA ’09.

It seems fair to consider our attack as practical: for parameters of interest, the colliding bit strings have a length of a few hundred bits and can be found on a standard PC within seconds.

Key words

Cryptanalysis, Hash function, Collision




  1. K.S. Abdukhalikov, C. Kim, On the security of the hashing scheme based on \(SL_{2}\), in Fast Software Encryption—FSE ’98, ed. by S. Vaudenay. Lecture Notes in Computer Science, vol. 1372 (Springer, Berlin, 1998), pp. 93–102
  2. W. Bosma, J. Cannon, C. Playoust, The magma algebra system I: the user language. J. Symb. Comput. 24, 235–265 (1997)
  3. C. Charnes, J. Pieprzyk, Attacking the \(SL_{2}\) hashing scheme, in Advances in Cryptology—ASIACRYPT ’94, ed. by J. Pieprzyk, R. Safavi-Naini. Lecture Notes in Computer Science, vol. 917 (Springer, Berlin, 1995), pp. 322–330
  4. G. de Meulenaer, C. Petit, J.-J. Quisquater, Hardware implementations of a variant of the Zémor–Tillich hash function: can a provably secure hash function be very efficient? May 2009. Available at
  5. W. Geiselmann, A note on the hash function of Tillich and Zémor, in Cryptography and Coding, ed. by C. Boyd. Lecture Notes in Computer Science, vol. 1025 (Springer, Berlin, 1995), pp. 257–263
  6. J.P. Mesirov, M.M. Sweet, Continued fraction expansions of rational expressions with irreducible denominators in characteristic 2. J. Number Theory 27, 144–148 (1987)
  7. C. Petit, K. Lauter, J.-J. Quisquater, Cayley hashes: a class of efficient graph-based hash functions. Preprint (2007). Available at
  8. C. Petit, J.-J. Quisquater, J.-P. Tillich, G. Zémor, Hard and easy components of collision search in the Zémor–Tillich hash function: new attacks and reduced variants with equivalent security, in Topics in Cryptology—CT-RSA 2009, ed. by M. Fischlin. Lecture Notes in Computer Science, vol. 5473 (Springer, Berlin, 2009), pp. 182–194
  9. C. Petit, N. Veyrat-Charvillon, J.-J. Quisquater, Efficiency and pseudo-randomness of a variant of Zémor–Tillich hash function, in IEEE International Conference on Electronics, Circuits, and Systems ICECS 2008 (2008)
  10. R. Steinwandt, M. Grassl, W. Geiselmann, T. Beth, Weaknesses in the \({SL}_{2}({\mathbb{F}}_{2^{n}})\) hashing scheme, in Advances in Cryptology—CRYPTO 2000, ed. by M. Bellare. Lecture Notes in Computer Science, vol. 1880 (Springer, Berlin, 2000), pp. 287–299
  11. J.-P. Tillich, G. Zémor, Group-theoretic hash functions, in Algebraic Coding, First French–Israeli Workshop, ed. by G.D. Cohen, S. Litsyn, A. Lobstein, G. Zémor. Lecture Notes in Computer Science, vol. 781 (Springer, Berlin, 1994), pp. 90–110
  12. J.-P. Tillich, G. Zémor, Hashing with \(SL_{2}\), in Advances in Cryptology—CRYPTO ’94, ed. by Y. Desmedt. Lecture Notes in Computer Science, vol. 839 (Springer, Berlin, 1994), pp. 40–49
  13. G. Zémor, Hash functions and graphs with large girths, in Advances in Cryptology—EUROCRYPT ’91, ed. by D.W. Davies. Lecture Notes in Computer Science, vol. 547 (Springer, Berlin, 1991), pp. 508–511
  14. G. Zémor, Hash functions and Cayley graphs. Des. Codes Cryptogr. 4(4), 381–394 (1994)

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Markus Grassl (1)
  • Ivana Ilić (2)
  • Spyros Magliveras (2)
  • Rainer Steinwandt (2)

  1. Centre for Quantum Technologies (CQT), National University of Singapore, Singapore, Singapore
  2. Center for Cryptology and Information Security, Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, USA
