Time-Memory Trade-Offs for Near-Collisions

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


In this work we consider generic algorithms to find near-collisions for a hash function. If we consider only hash computations, it is easy to compute a lower bound for the complexity of near-collision algorithms, and to build a matching algorithm. However, this algorithm needs a lot of memory, and makes more than \(2^{n/2}\) memory accesses. Recently, several algorithms have been proposed without this memory requirement; they require more hash evaluations, but the attack is actually more practical. They can be divided into two main categories: they are either based on truncation, or based on covering codes.

In this paper, we give new insight into the generic complexity of a near-collision attack. First, we consider time-memory trade-offs for truncation-based algorithms. For a practical implementation, it seems reasonable to assume that some memory is available, and we show that taking advantage of this memory can significantly reduce the complexity. Second, we show a new method combining truncation and covering codes. The new algorithm is always at least as good as the previous works, and often gives a significant improvement. We illustrate our results by giving a 10-near collision for MD5: our algorithm has a complexity of \(2^{45.4}\) using 1 TB of memory while the best previous algorithm required \(2^{52.5}\) computations.
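The truncation idea named in the abstract, as an added illustration that is not the paper's algorithm or code: ignore some output bits, find a collision on the rest with a table kept in memory, and accept the pair when the ignored bits differ in at most w positions. The 32-bit toy hash, the parameters `N_BITS`, `TAU`, `W` and all function names are assumptions chosen so the search finishes in well under a second.

```python
import hashlib
from math import comb

N_BITS = 32  # toy digest size (assumption; a real target such as MD5 has n = 128)
TAU = 8      # number of low bits ignored by the truncation (assumption)
W = 2        # maximum Hamming distance accepted between the full digests (assumption)

def toy_hash(counter: int) -> int:
    """SHA-256 of a counter, cut down to N_BITS so the search stays tiny."""
    digest = hashlib.sha256(counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:N_BITS // 8], "big")

def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")

def truncated_near_collision(max_evals: int = 200_000):
    """Collide on the top N_BITS - TAU bits using a table, then check the full distance.

    Returns (input1, input2, digest1, digest2, evaluations) or None.
    """
    table = {}  # truncated digest -> list of (input, full digest) seen so far
    for counter in range(max_evals):
        h = toy_hash(counter)
        bucket = table.setdefault(h >> TAU, [])
        for other, h_other in bucket:
            # The kept bits already agree, so only the TAU ignored bits can differ.
            if hamming(h, h_other) <= W:
                return other, counter, h_other, h, counter + 1
        bucket.append((counter, h))
    return None

def success_probability() -> float:
    """Chance that a collision on the kept bits is a W-near-collision on all N_BITS."""
    return sum(comb(TAU, i) for i in range(W + 1)) / 2 ** TAU

if __name__ == "__main__":
    m1, m2, h1, h2, evals = truncated_near_collision()
    print(f"inputs {m1} and {m2}: {h1:08x} vs {h2:08x}")
    print(f"Hamming distance {hamming(h1, h2)} after {evals} hash evaluations")
    print(f"success probability per truncated collision: {success_probability():.4f}")
```

The table holds every digest computed so far, which is the memory cost the abstract refers to; a larger `TAU` makes each truncated collision cheaper to find but less likely to pass the distance check.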


Hash function · Near-collision · Generic attack · Time-memory trade-off



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. UCL Crypto Group, Louvain-la-Neuve, Belgium
