Time-Memory Trade-Offs for Near-Collisions

  • Gaëtan Leurent
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


In this work we consider generic algorithms to find near-collisions for a hash function. If we consider only hash computations, it is easy to compute a lower-bound for the complexity of near-collision algorithms, and to build a matching algorithm. However, this algorithm needs a lot of memory, and makes more than \(2^{n/2}\) memory accesses. Recently, several algorithms have been proposed without this memory requirement; they require more hash evaluations, but the attack is actually more practical. They can be divided in two main categories: they are either based on truncation, or based on covering codes.

In this paper, we give a new insight to the generic complexity of a near-collision attack. First, we consider time-memory trade-offs for truncation-based algorithms. For a practical implementation, it seems reasonable to assume that some memory is available and we show that taking advantage of this memory can significantly reduce the complexity. Second, we show a new method combining truncation and covering codes. The new algorithm is always at least as good as the previous works, and often gives a significant improvement. We illustrate our results by giving a 10-near collision for MD5: our algorithm has a complexity of \(2^{45.4}\) using 1 TB of memory while the best previous algorithm required \(2^{52.5}\) computations.


Hash function Near-collision Generic attack Time-memory trade-off 



The author is supported by the ERC project CRASH. Part of this work was done while the author was at the university of Luxembourg, supported by the AFR grant PDR-10-022 of the FNR. Experiments presented in this paper were carried out using the HPC facility of the University of Luxembourg.


  1. 1.
    Leurent, G., Thomsen, S.S.: Practical near-collisions on the compression function of BMW. In: [19], pp. 238–251Google Scholar
  2. 2.
    Jean, J., Fouque, P.A.: Practical near-collisions and collisions on round-reduced ECHO-256 compression function. In: [19], pp. 107–127Google Scholar
  3. 3.
    Su, B., Wu, W., Wu, S., Dong, L.: Near-collisions on the reduced-round compression functions of skein and BLAKE. In: Heng, S.-H., Wright, R.N., Goi, B.-M. (eds.) CANS 2010. LNCS, vol. 6467, pp. 124–139. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  4. 4.
    Kelsey, J., Lucks, S.: Collisions and near-collisions for reduced-round tiger. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 111–125. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  5. 5.
    Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  6. 6.
    Lamberger, M., Mendel, F., Rijmen, V., Simoens, K.: Memoryless near-collisions via coding theory. Des. Codes Crypt. 62(1), 1–18 (2012)CrossRefMATHMathSciNetGoogle Scholar
  7. 7.
    Lamberger, M., Rijmen, V.: Optimal covering codes for finding near-collisions. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 187–197. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  8. 8.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Crypt. 12(1), 1–28 (1999)CrossRefMATHGoogle Scholar
  9. 9.
    Pollard, J.: A monte carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975)CrossRefMATHMathSciNetGoogle Scholar
  10. 10.
    Pollard, J.: Monte carlo methods for index computation (mod p). Math. Comput. 32(143), 918–924 (1978)MATHMathSciNetGoogle Scholar
  11. 11.
    Knuth, D.: Seminumerical Algorithms. The Art of Computer Programming, vol. 2. Addison-Wesley, Reading (1981)MATHGoogle Scholar
  12. 12.
    Brent, R.: An improved monte carlo factorization algorithm. BIT Numer. Math. 20(2), 176–184 (1980)CrossRefMATHMathSciNetGoogle Scholar
  13. 13.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search. New results and applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990) CrossRefGoogle Scholar
  14. 14.
    Sedgewick, R., Szymanski, T., Yao, A.: The complexity of finding cycles in periodic functions. SIAM J. Comput. 11, 376 (1982)CrossRefMATHMathSciNetGoogle Scholar
  15. 15.
    Nivasch, G.: Cycle detection using a stack. Inf. Process. Lett. 90(3), 135–140 (2004)CrossRefMATHMathSciNetGoogle Scholar
  16. 16.
    Lugo, M.: Sum of “the first \(k\)” binomial coefficients for fixed \(n\). (MathOverflow). (version: 2010-03-05)
  17. 17.
    Lamberger, M., Teufl, E.: Memoryless near-collisions, revisited. Inf. Process. Lett. 113(3), 60–66 (2013)CrossRefMATHMathSciNetGoogle Scholar
  18. 18.
    Stein, W., et al.: Sage Mathematics Software (Version 5.7). The Sage Development Team (2013).
  19. 19.
    Joux, A. (ed.): FSE 2011. LNCS, vol. 6733. Springer, Heidelberg (2011)MATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.UCL Crypto GroupLouvain-la-NeuveBelgium

Personalised recommendations