An algorithmic framework for the generalized birthday problem

Research output: Contribution to journalArticlepeer-review

8 Scopus citations


The generalized birthday problem (GBP) was introduced by Wagner in 2002 and has shown to have many applications in cryptanalysis. In its typical variant, we are given access to a function H: { 0 , 1 } → { 0 , 1 } n (whose specification depends on the underlying problem) and an integer K> 0. The goal is to find K distinct inputs to H (denoted by {xi}i=1K) such that ∑i=1KH(xi)=0. Wagner’s K-tree algorithm solves the problem in time and memory complexities of about N1/(logK+1) (where N= 2 n). In this paper, we improve the best known GBP time-memory tradeoff curve (published independently by Nikolić and Sasaki and also by Biryukov and Khovratovich) for all K≥ 8 from T2MlogK-1= N to T(logK)/2+1M(logK)/2= N, applicable for a large range of parameters. We further consider values of K which are not powers of 2 and show that in many cases even more efficient time-memory tradeoff curves can be obtained. Finally, we optimize our techniques for several concrete GBP instances and show how to solve some of them with improved time and memory complexities compared to the state-of-the-art. Our results are obtained using a framework that combines several algorithmic techniques such as variants of the Schroeppel–Shamir algorithm for solving knapsack problems (devised in works by Howgrave-Graham and Joux and by Becker, Coron and Joux) and dissection algorithms (published by Dinur, Dunkelman, Keller and Shamir).

Original languageEnglish
Pages (from-to)1897-1926
Number of pages30
JournalDesigns, Codes, and Cryptography
Issue number8
StatePublished - 15 Aug 2019


  • Cryptanalysis
  • Generalized birthday problem
  • K-tree algorithm
  • Time-memory tradeoff

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Applied Mathematics
  • Discrete Mathematics and Combinatorics
  • Computer Science Applications


Dive into the research topics of 'An algorithmic framework for the generalized birthday problem'. Together they form a unique fingerprint.

Cite this