Efficient Hash Collision Search Strategies on Special-Purpose Hardware

  • Tim Güneysu
  • Christof Paar
  • Sven Schäge
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4945)


Hash functions play an important role in various cryptographic applications. Modern cryptography relies on a few but supposedly well analyzed hash functions which are mostly members of the so-called MD4-family. This work shows whether it is possible to significantly speedup collision search for MD4-family hash functions using special-purpose hardware. A thorough analysis of the computational requirements for MD4-family hash functions and corresponding collision attacks reveals that a microprocessor based architecture is best suited for the implementation of collision search algorithms. Consequently, we designed and implemented a (concerning MD4-family hash-functions) general-purpose microprocessor with minimal area requirements and, based on this, a full collision search unit. Comparing the performance characteristics of both ASICs with standard PC processors and clusters, it turns out that our design, massively parallelized, is nearly four times more cost-efficient than parallelized standard PCs. Although with further optimizations this factor can certainly be improved, we believe that special-purpose hardware does not provide a too significant benefit for hash collision search algorithms with respect to modern off-the-shelf general-purpose processors.


Hash functions Special-purpose Hardware Crypto Attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biham, E., Chen, R.: Near-Collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152. pp. 290–305. Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1990)Google Scholar
  3. 3.
    De Cannière, C., Mendel, F., Rechberger, C.: On the Full Cost of Collision Search for SHA-1. Presentation at ECRYPT Hash Workshop 2007 (May 2007)Google Scholar
  4. 4.
    De Cannière, C., Rechberger, C.: Finding SHA-1 Characteristics: General Results and Applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284. pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462. pp. 56–71. Springer, Heidelberg (1998)Google Scholar
  6. 6.
    Intel Corporation. Intel Pentium 4 Processor Specification Update (May 2007),
  7. 7.
    M. Daum. Cryptanalysis of Hash Functions of the MD4-Family. PhD thesis, Ruhr-Universität Bochum (2005),
  8. 8.
    Joŝĉák, D.: Finding Collisions in Cryptographic Hash Functions. Master’s thesis, Univerzita Karlova v Praze (2006),
  9. 9.
    Klima, V.: Project Homepage (2006),
  10. 10.
    Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006),
  11. 11.
    Lenstra, A., de Weger, B.: On the possibility of constructing meaningful hash collisions for public keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574. Springer, Heidelberg (2005)Google Scholar
  12. 12.
    Lenstra, A., Wang, X., de Weger, B.: Colliding X.509 Certificates (2005),
  13. 13.
    Liang, J., Lai, X.: Improved Collision Attack on Hash Function MD5. Cryptology ePrint Archive, Report 2005/425 (November 2005),
  14. 14.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  15. 15.
    Merkle, R.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1990. LNCS, vol. 435. Springer, Heidelberg (1990)Google Scholar
  16. 16.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1990. LNCS, vol. 435. Springer, Heidelberg (1990)Google Scholar
  17. 17.
    Reichardt, J., Schwarz, B.: VHDL-Synthese, 3rd edn. Oldenbourg (2003)Google Scholar
  18. 18.
    Rivest, R.: The MD5 Message-Digest Algorithm, Request for Comments (RFC) 1321 (1992),
  19. 19.
    Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved Collision Attack on MD5. Cryptology ePrint Archive, Report 2005/400 (November 2005),
  20. 20.
    Stevens, M.: Fast Collision Attack on MD5. Cryptology ePrint Archive, Report 2006/104 (2006),
  21. 21.
    Stevens, M.: On Collisions for MD5. Master’s thesis, Eindhoven University of Technology, Department of Mathematics and Computing Science (June 2007)Google Scholar
  22. 22.
    Wang, X., Yin, Y.L., Yu, X.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  23. 23.
    Wang, X., Yu, X.: How to Break MD5 and other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494. pp. 19–35. Springer, Heidelberg (2005)Google Scholar
  24. 24.
    Wang, X.: Cryptanalysis on hash functions. Presentation at Information-Technology Promotion Agency (IPA), Japan (October 2006),
  25. 25.
    Yuval, G.: How to Swindle Rabin. Cryptologia 3(3), 187–189 (1979)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Tim Güneysu
    • 1
  • Christof Paar
    • 1
  • Sven Schäge
    • 1
  1. 1.Horst Görtz Institute for IT SecurityRuhr University BochumGermany

Personalised recommendations