**Tight Time-Space Lower Bounds for Finding Multiple Collision Pairs and Their Applications**

*Itai Dinur*

**Abstract: **We consider a \emph{collision search problem} (CSP), where given a parameter $C$, the goal is to find $C$ collision pairs in a random function $f:[N] \rightarrow [N]$ (where $[N] = \{0,1,\ldots,N-1\})$ using $S$ bits of memory. Algorithms for CSP have numerous cryptanalytic applications such as space-efficient attacks on double and triple encryption. The best known algorithm for CSP is \emph{parallel collision search} (PCS) published by van Oorschot and Wiener, which achieves the time-space tradeoff $T^2 \cdot S = \tilde{O}(C^2 \cdot N)$.

In this paper, we prove that any algorithm for CSP satisfies $T^2 \cdot S = \tilde{\Omega}(C^2 \cdot N)$, hence the best known time-space tradeoff is optimal (up to poly-logarithmic factors in $N$). On the other hand, we give strong evidence that proving similar unconditional time-space tradeoff lower bounds on CSP applications (such as breaking double and triple encryption) may be very difficult, and would imply a breakthrough in complexity theory. Hence, we propose a new restricted model of computation and prove that under this model, the best known time-space tradeoff attack on double encryption is optimal.

**Category / Keywords: **secret-key cryptography / Collision search problem, time-space tradeoff, $R$-way branching program, provable security, cryptanalysis, parallel collision search, double encryption.

**Original Publication**** (in the same form): **IACR-EUROCRYPT-2020

**Date: **received 20 Feb 2020

**Contact author: **dinuri at cs bgu ac il

**Available format(s): **PDF | BibTeX Citation

**Version: **20200221:121105 (All versions of this report)

**Short URL: **ia.cr/2020/229

[ Cryptology ePrint archive ]