Refinements of the k-tree Algorithm for the Generalized Birthday Problem

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9453)


We study two open problems proposed by Wagner in his seminal work on the generalized birthday problem. First, with the use of multicollisions, we improve Wagner’s k-tree algorithm that solves the generalized birthday problem for the cases when k is not a power of two. The new k-tree only slightly outperforms Wagner’s k-tree. However, in some applications this suffices, and as a proof of concept, we apply the new 3-tree algorithm to slightly reduce the security of two CAESAR proposals. Next, with the use of multiple collisions based on Hellman’s table, we give improvements to the best known time-memory tradeoffs for the k-tree. As a result, we obtain the a new tradeoff curve \(T^2 \cdot M^{\lg k -1} = k \cdot N\). For instance, when \(k=4\), the tradeoff has the form \(T^2 M = 4 \cdot N\).


Generalized birthday problem k-list problem k-tree algorithm Time-memory tradeoff 


  1. 1.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Vitter, J.S., Spirakis, P.G., Yannakakis, M. (eds.) Proceedings on 33rd Annual ACM Symposium on Theory of Computing, 6–8 July 2001, pp. 601–610. ACM, Heraklion (2001)Google Scholar
  2. 2.
    Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997) Google Scholar
  3. 3.
    Bernstein, D.: CAESAR Competition (2013).
  4. 4.
    Bernstein, D.J.: Enumerating solutions to p(a) + q(b) = r(c) + s(d). Math. Comput. 70(233), 389–394 (2001)MATHCrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J.: Better price-performance ratios for generalized birthday attacks. In: Workshop Record of SHARCS 2007: Special-purpose Hardware for Attacking Cryptographic Systems (2007).
  6. 6.
    Bernstein, D.J., Lange, T., Niederhagen, R., Peters, C., Schwabe, P.: FSBday. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 18–38. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  7. 7.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) [26], vol. 1976, pp. 1–13. Springer, Heidelberg (2000)Google Scholar
  8. 8.
    Bleichenbacher, D.: On the generation of DSA one-time keys. In: The 6th Workshop on Elliptic Curve Cryptography (ECC 2002) (2002)Google Scholar
  9. 9.
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: Yao, F.F., Luks, E.M. (eds.) Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, 21–23 May 2000, pp. 435–440. ACM, Portland (2000)Google Scholar
  10. 10.
    Boneh, D., Joux, A., Nguyen, P.Q.: Why textbook ElGamal and RSA encryption are insecure. In: Okamoto, T. (ed.) [26], pp. 30–43 (2000)Google Scholar
  11. 11.
    Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 209. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  12. 12.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES2. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 337–356. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  13. 13.
    Guo, J.: Marble v1. Submitted to CAESAR (2014)Google Scholar
  14. 14.
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  15. 15.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)MATHMathSciNetCrossRefGoogle Scholar
  16. 16.
    Jean, J., Nikolić, I., Peyrin, T.: Deoxys v1. Submitted to CAESAR (2014)Google Scholar
  17. 17.
    Jean, J., Nikolić, I., Peyrin, T.: Joltik v1. Submitted to CAESAR (2014)Google Scholar
  18. 18.
    Jean, J., Nikolić, I., Peyrin, T.: KIASU v1. Submitted to CAESAR (2014)Google Scholar
  19. 19.
    Joux, A., Lercier, R.: “Chinese and Match”, an alternative to Atkin “Match and Sort” method used in the sea algorithm. Math. Comput. 70(234), 827–836 (2001)MATHMathSciNetCrossRefGoogle Scholar
  20. 20.
    Joux, A., Lucks, S.: Improved generic algorithms for 3-collisions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 347–363. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  21. 21.
    Minder, L., Sinclair, A.: The extended k-tree algorithm. J. Cryptol. 25(2), 349–382 (2012)MATHMathSciNetCrossRefGoogle Scholar
  22. 22.
    Nandi, M.: XLS is not a strong pseudorandom permutation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 478–490. Springer, Heidelberg (2014) Google Scholar
  23. 23.
    Nandi, M.: Revisiting security claims of XLS and COPA. Cryptology ePrint Archive, Report 2015/444 (2015).
  24. 24.
    Nikolić, I., Wang, L., Wu, S.: Cryptanalysis of round-reduced LED. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 112–130. Springer, Heidelberg (2014) Google Scholar
  25. 25.
    Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  26. 26.
    Okamoto, T.: ASIACRYPT 2000. LNCS, vol. 1976. Springer, Heidelberg (2000)MATHCrossRefGoogle Scholar
  27. 27.
    Ristenpart, T., Rogaway, P.: How to enrich the message space of a cipher. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 101–118. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  28. 28.
    Schroeppel, R., Shamir, A.: A \(T=O(2^{n/2}), S=O(2^{n/4})\) algorithm for certain NP-complete problems. SIAM J. Comput. 10(3), 456–464 (1981)MATHMathSciNetCrossRefGoogle Scholar
  29. 29.
    Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multi-collisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  30. 30.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)MATHCrossRefGoogle Scholar
  31. 31.
    Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 288. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  32. 32.
    Wang, L.: SHELL v1. Submitted to CAESAR (2014)Google Scholar

Copyright information

© International Association for Cryptologc Research 2015

Authors and Affiliations

  1. 1.Nanyang Technological UniversitySingaporeSingapore
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations