Current techniques for collision search with feasible memory requirements involve pseudo-random walks through some space where one must wait for the result of the current step before the next step can begin. These techniques are serial in nature, and direct parallelization is inefficient. We present a simple new method of parallelizing collision searches that greatly extends the reach of practical attacks. The new method is illustrated with applications to hash functions and discrete logarithms in cyclic groups. In the case of hash functions, we begin with two messages; the first is a message that we want our target to digitally sign, and the second is a message that the target is willing to sign. Using collision search adapted for hashing collisions, one can find slightly altered versions of these messages such that the two new messages give the same hash result. As a particular example, a $10 million custom machine for applying parallel collision search to the MD5 hash function could complete an attack with an expected run time of 24 days. This machine would be specific to MD5, but could be used for any pair of messages. For discrete logarithms in cyclic groups, ideas from Pollard's rho and lambda methods for index computation are combined to allow efficient parallel implementation using the new method. As a concrete example, we consider an elliptic curve cryptosystem over GF(2155) with the order of the curve having largest prime factor of approximate size 1036. A $10 million machine custom built for this finite field could compute a discrete logarithm with an expected run time of 36 days.
2nd ACM Conference on Computer and Communications Security, CCS 1994
School of Computer Science

Van Oorschot, P, & Wiener, M.J. (Michael J.). (1994). Parallel collision search with application to hash functions and discrete logarithms. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 210–218). doi:10.1145/191177.191231