A New Algorithm for the Unbalanced Meet-in-the-Middle Problem

  • Ivica NikolićEmail author
  • Yu Sasaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


A collision search for a pair of n-bit unbalanced functions (one is R times more expensive than the other) is an instance of the meet-in-the-middle problem, solved with the familiar standard algorithm that follows the tradeoff \(TM=N\), where T and M are time and memory complexities and \(N=2^n\). By combining two ideas, unbalanced interleaving and van Oorschot-Wiener parallel collision search, we construct an alternative algorithm that follows \(T^2 M = R^2 N\), where \(M\le R\). Among others, the algorithm solves the well-known open problem: how to reduce the memory of unbalanced collision search.


Meet-in-the-middle Tradeoff Collision search 

Supplementary material


  1. 1.
    Biryukov, A., Khovratovich, D.: Asymmetric proof-of-work based on the generalized birthday problem. IACR Cryptology ePrint Archive 2015, 946 (2015)Google Scholar
  2. 2.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000). doi: 10.1007/3-540-44448-3_1 CrossRefGoogle Scholar
  3. 3.
    Diffie, W., Hellman, M.E.: Special feature exhaustive cryptanalysis of the NBS data encryption standard. IEEE Comput. 10(6), 74–84 (1977)CrossRefGoogle Scholar
  4. 4.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_42 CrossRefGoogle Scholar
  5. 5.
    Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the even-mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_21 CrossRefGoogle Scholar
  6. 6.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: A family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_12 CrossRefGoogle Scholar
  7. 7.
    Floyd, R.W.: Nondeterministic algorithms. J. ACM 14(4), 636–644 (1967)CrossRefzbMATHGoogle Scholar
  8. 8.
    Fouque, P.-A., Joux, A., Mavromati, C.: Multi-user collisions: applications to discrete logarithm, even-mansour and PRINCE. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_22 Google Scholar
  9. 9.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Indesteege, S., Andreeva, E., De Canniere, C., Dunkelman, O., Käper, E., Nikova, S., Preneel, B., Tischhauser, E.: The LANE hash function, Submission to NIST (2008)Google Scholar
  11. 11.
    Iwamoto, M., Peyrin, T., Sasaki, Y.: Limited-birthday distinguishers for hash functions: collisions beyond the birthday bound can be meaningful. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 504–523. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42045-0_26 CrossRefGoogle Scholar
  12. 12.
    Joux, A., Lucks, S.: Improved generic algorithms for 3-collisions. In: Matsui [13], pp. 347–363Google Scholar
  13. 13.
    Matsui, M. (ed.): ASIACRYPT 2009. LNCS, vol. 5912. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_21 zbMATHGoogle Scholar
  14. 14.
    Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Y., Schläffer, M.: Rebound attack on the full Lane compression function. In: Matsui [13], pp. 106–125Google Scholar
  15. 15.
    Mendel, F., Mennink, B., Rijmen, V., Tischhauser, E.: A simple key-recovery attack on McOE-X. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 23–31. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-35404-5_3 CrossRefGoogle Scholar
  16. 16.
    Merkle, R.C., Hellman, M.E.: On the security of multiple encryption. Commun. ACM 24(7), 465–467 (1981)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03317-9_19 CrossRefGoogle Scholar
  18. 18.
    Mouha, N., Mennink, B., Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: An efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-13051-4_19 CrossRefGoogle Scholar
  19. 19.
    Naya-Plasencia, M.: How to improve rebound attacks. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 188–205. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22792-9_11 CrossRefGoogle Scholar
  20. 20.
    Nikolić, I., Sasaki, Y.: Refinements of the k-tree algorithm for the generalized birthday problem. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 683–703. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_28 CrossRefGoogle Scholar
  21. 21.
    Sasaki, Y.: Memoryless unbalanced meet-in-the-middle attacks: impossible results and applications. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 253–270. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-07536-5_16 Google Scholar
  22. 22.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Nanyang Technological UniversitySingaporeSingapore
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations