Hash Function Balance and Its Impact on Birthday Attacks

  • Mihir Bellare
  • Tadayoshi Kohno
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3027)


Textbooks tell us that a birthday attack on a hash function h with range size r requires r 1/2 trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of pre-images under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity” of a hash function that we call its balance, and then providing estimates of the success-rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r 1/2 for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damgård) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions.


Hash Function Random Function Regular Function Full Version Compression Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bellare, M., Kohno, T.: Hash function balance and its impact on birthday attacks. IACR ePrint archive, Full version of this paper
  2. 2.
    Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  3. 3.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160, a strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of applied cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  5. 5.
    Merkle, R.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  6. 6.
    National Institute of Standards. FIPS 180-2, Secure hash standard. August 1 (2000)Google Scholar
  7. 7.
    Rivest, R.: The MD5 message-digest algorithm. IETF RFC 1321 (April 1992)Google Scholar
  8. 8.
    Stinson, D.: Cryptography theory and practice, 1st edn. CRC Press, Boca Raton (1995)zbMATHGoogle Scholar
  9. 9.
    van Oorschot, P., Wiener, M.: Parallel collision search with cryptanalytic applications. Journal of Cryptology 12(1), 1–28 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Yuval, G.: How to swindle Rabin. Cryptologia (3), 187–190 (1979)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Mihir Bellare
    • 1
  • Tadayoshi Kohno
    • 1
  1. 1.Dept. of Computer Science & EngineeringUniversity of California, San DiegoLa JollaUSA

Personalised recommendations