Hash function balance and its impact on birthday attacks

Abstract

Textbooks tell us that a birthday attack on a hash function h with range size r requires r1/2 trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of pre-images under ft; if ft is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the "amount of regularity" of a hash function that we call its balance, and then providing estimates of the success-rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r1/2 for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damgård) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions. © International Association for Cryptologic Research 2004.