Improved Generic Algorithms for 3-Collisions

  • Antoine Joux
  • Stefan Lucks
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


An r-collision for a function is a set of r distinct inputs with identical outputs. Actually finding r-collisions for a random map over a finite set of cardinality N requires at least about N (r − 1)/r units of time on a sequential machine. For r=2, memoryless and well-parallelizable algorithms are known. The current paper describes memory-efficient and parallelizable algorithms for r ≥ 3. The main results are: (1) A sequential algorithm for 3-collisions, roughly using memory N α and time N 1 − α for α ≤ 1/3. In particular, given N 1/3 units of storage, one can find 3-collisions in time N 2/3. (2) A parallelization of this algorithm using N 1/3 processors running in time N 1/3, where each single processor only needs a constant amount of memory. (3) A generalisation of this second approach to r-collisions for r ≥ 3: given N s parallel processors, with s ≤ (r − 2)/r, one can generate r-collisions roughly in time N ((r − 1)/r) − s , using memory N ((r − 2)/r) − s on every processor.


multicollision random map memory-efficient parallel implementation cryptanalysis 


  1. 1.
    Arbitman, Y., Naor, M., Segev, G.: De-amortized cuckoo hashing: Provable worst-case performance and experimental results. In: Albers, S., Marchetti-Spaccamela, A., Matias, Y., Niko-letsea, S. (eds.) ICALP 2009. LNCS, vol. 5556, pp. 411–422. Springer, Heidelberg (2009)Google Scholar
  2. 2.
    Coppersmith, D.: Another birthday attack. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 14–17. Springer, Heidelberg (1986)Google Scholar
  3. 3.
    Ferguson, N., Lucks, S.: Attacks on AURORA-512 and the double-mix Merkle-Damgård transform. Cryptology ePrint Archive, Report 2009/113 (2009)Google Scholar
  4. 4.
    Flajolet, P., Odlyzko, A.M.: Random mapping statistics. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 329–354. Springer, Heidelberg (1990)Google Scholar
  5. 5.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory 26(4), 401–406 (1980)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Hoch, J.J., Shamir, A.: Breaking the ICE - finding multicollisions in iterated concatenated and expanded (ICE) hash functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 179–194. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Hoch, J.J., Shamir, A.: On the strength of the concatenated hash combiner when all the hash functions are weak. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 616–630. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Iwata, T., Shibutani, K., Shirai, T., Moriai, S., Akishita, T.: AURORA: a cryptographic hash algorithm family. Submission to NIST’s SHA-3 competition (2008)Google Scholar
  9. 9.
    Joux, A.: Multicollisions in iterated hash functions. application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)Google Scholar
  10. 10.
    Mendel, F.: Preimage attack on Blender,
  11. 11.
    Mendel, F., Rechberger, C., Schläffer, M.: Cryptanalysis of twister. In: Proceedings of ACNS. Springer, Heidelberg (to appear),
  12. 12.
    Mendel, F., Thomsen, S.S.: An observation on JH-512,
  13. 13.
    Nandi, M., Stinson, D.R.: Multicollision attacks on some generalized sequential hash functions. IEEE Transactions on Information Theory 53(2), 759–767 (2007)CrossRefMathSciNetGoogle Scholar
  14. 14.
    Newbold, C.: Observations and attacks on the SHA-3 candidate Blender,
  15. 15.
    Nivasch, G.: Cycle detection using a stack. Information Processing Letter 90(3), 135–140 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Pagh, R., Rodler, F.F.: Cuckoo hashing. J. Algorithms 51(2), 122–144 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Preneel, B.: Analysis and Design of Cryptographic Hash Functions. PhD thesis, KU Leuven (1993)Google Scholar
  18. 18.
    Quisquater, J.-J., Delescaille, J.-P.: Other cycling tests for DES. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 255–256. Springer, Heidelberg (1988)Google Scholar
  19. 19.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search? Application to DES. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 429–434. Springer, Heidelberg (1990)Google Scholar
  20. 20.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search. New results and applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990)Google Scholar
  21. 21.
    Sasaki, Y.: A collision attack on AURORA-512. Cryptology ePrint Archive, Report 2009/106 (2009)Google Scholar
  22. 22.
    Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multi-collisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    van Oorschot, P.C., Wiener, M.: A known-plaintext attack on two-key triple encryption. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 318–325. Springer, Heidelberg (1991)Google Scholar
  24. 24.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: ACM CCS 1994, Fairfax, Virginia, USA, pp. 210–218. ACM Press, New York (1994)CrossRefGoogle Scholar
  25. 25.
    van Oorschot, P.C., Wiener, M.: Improving implementable meet-in-the-middle attacks by orders of magnitude. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 229–236. Springer, Heidelberg (1996)Google Scholar
  26. 26.
    van Oorschot, P.C., Wiener, M.: On diffie-hellman key agreement with short exponents. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 332–343. Springer, Heidelberg (1996)Google Scholar
  27. 27.
    van Oorschot, P.C., Wiene, M.J.: Parallel collision search with cryptanalytic applications. Journal of Cryptology 12(1), 1–28 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  28. 28.
    Wiener, M.J.: The full cost of cryptanalytic attacks. Journal of Cryptology 17(2), 105–124 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  29. 29.
    Wu, H.: The complexity of Mendel and Thomsen’s preimage attack on JH-512,

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Antoine Joux
    • 1
  • Stefan Lucks
    • 2
  1. 1.DGA and Université de Versailles Saint-Quentin-en-Yvelines, UVSQ prismVersailles CedexFrance
  2. 2.Bauhaus-Universität WeimarWeimarGermany

Personalised recommendations