Hash Function Balance and Its Impact on Birthday Attacks

Textbooks tell us that a birthday attack on a hash function h with range size r requires r trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of pre-images under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity” of a hash function that we call its balance, and then providing estimates of the success-rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damg̊ard) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions.