Hard and Easy Components of Collision Search in the Zémor-Tillich Hash Function: New Attacks and Reduced Variants with Equivalent Security

  • Christophe Petit
  • Jean-Jacques Quisquater
  • Jean-Pierre Tillich
  • Gilles Zémor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5473)


The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO’94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.


Hash Function Discrete Logarithm Representation Problem Discrete Logarithm Problem Projective Version 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Christophe Petit (1)
  • Jean-Jacques Quisquater (1)
  • Jean-Pierre Tillich (2)
  • Gilles Zémor (3)

  1. UCL Crypto Group, Université catholique de Louvain, Place du levant 3, Louvain-la-Neuve, Belgium
  2. Equipe SECRET, INRIA Rocquencourt, Le Chesnay, France
  3. Institut de Mathématiques de Bordeaux UMR 5251, Université Bordeaux 1, Talence, France
