LeetArxiv

LeetArxiv

Playback speed
×
Share post
Share post at current time
0:00
/
0:00

Gaudry-Schost Collision Algorithm

Coding the 2004 paper 'A Low-Memory Parallel Version of Matsuo, Chao and Tsujii's Algorithm' by Pierrick Gaudry and Eric Schost
Murage Kibicho's avatar
Murage Kibicho
Nov 19, 2025
Quick Intro
LeetArxiv is a successor to Papers With Code after the latter shutdown. Here’s 20 dollars to send money abroad.
There’s free GPU credits hidden somewhere below :)

Stop reading papers. Start coding them. Engineers who use LeetArxiv for their professional growth can use this template email to ask their employers to expense a subscription.

Quick Summary
This paper introduces an alternative algorithm to Pollard Rho for collision finding.
Abstract for the 2004 paper A Low-Memory Parallel Version of Matsuo, Chao and Tsujii’s Algorithm by Pierrick Gaudry and Eric Schost

As usual, Python code is available on Colab and C code here on GitHub.

1.0 Paper Introduction

The 2004 paper A Low-Memory Parallel Version of Matsuo, Chao and Tsujii’s Algorithm (Gaudry & Schost, 2004)1 investigates the use of random walks to detect collisions by reformulating the Birthday Paradox.

The authors demonstrate an alternative to Baby-step Giant-step that requires little storage to achieve similar results but is 3 times slower.

*The original paper’s intent was finding the jacobian of small genus curves. We’ll work with integers instead
The introduction focuses on algebraic problems. Taken from page 1 of (Gaudry & Schost, 2004)

This is part of our series on Practical Index Calculus for Computer Programmers.

Part 1: Discrete Logarithms and the Index Calculus Solution.

Part 2: Solving Pell Equations with Index Calculus and Algebraic Numbers.

Part 3: Solving Index Calculus Equations over Integers and Finite Fields.

Part 4.1 : Pollard Kangaroo when Index Calculus Fails.

Part 4.2 : Pohlig-Hellman Attack.

Part 5 : Smart Attack on Anomalous Curves.

Part 6: Hacking Dormant Bitcoin Wallets in C.

2.0 Gaudry-Schost Algorithm

This section introduces the Birthday Attack formulation then later demonstrates Gaudry & Schost’s take.

2.1 The Birthday Attack

Birthday Attack described in (Goldfeld, 2020)

If you have 23 people in a room then there is at least a 50% chance that two people share a birthday (Goldfeld, 2020)2.

The calculation by hand resembles this:

Birthday paradox computation described in (Goldfeld, 2020)

and in Python, the computation would be:

Birthday Paradox in Python in our Google Colab

The C version is somewhat convoluted but it’s available as well lol

Birthday Paradox in C in our GitHub

This is the birthday paradox and it’s fundamental to the Pollard Rho and Pollard Lambda attacks from Chapter 4.

2.2 Gaudry and Schost’s Alternative to the Birthday Paradox

Theoretical foundation of Gaudry-Schost taken from page 4 of (Galbraith & Ruprai, 2010)

If we have 365 balls and draw them with replacement, alternately recording the picked balls in two different lists, then a ball appears in both lists after about 35 draws.

By hand, the probability as described in the screenshot above is:

Square-root of (Pi * setSize) estimates the probability of the Ball with Replacement paradox

This is summarized in (Galbraith & Ruprai, 2010)3 and the Gaudry-Schost algorithm is built on the idea.

In Python, we can test the idea:

Our Python implementation averages at ~35 picks.

The C version is available as well

Our C implementation averages at ~32 picks lol.

3.0 Gaudry-Schost Collision Algorithm

Gaudry-Schost algorithm involves random search in two intersecting intervals. Taken from page 8 of (Gaudry & Schost, 2004)

The Gaudry-Schost algorithm can be summarized as random search in two intersecting intervals but without the memory requirements.

Gaudry-Schost collision finding algorithm outline. Taken from page 8 of (Gaudry & Schost, 2004)

For a set of elements, R, the authors outline these steps:

  1. Construct two sets W and T by picking random elements in R.

  2. Store these elements in a data structure where collisions between elements of W and T are easy to detect.

  3. Together with these elements, store sigma values.

  4. Taking the difference of the sigma values yields the desired result.

3.1 The ‘Low-Memory’ Part of Gaudry-Schost

The authors address the memory requirements for the Ball Collision Paradox. Taken from page 5 of (Gaudry & Schost, 2004)

The authors suggest two changes to their birthday paradox alternative:

  1. Pseudo-random walk instead of a completely random walk.

    • Instead of calling rand, the next state is determined by a hash function.

  2. Using distinguished points to identify targets.

    • The paper suggests using the LSB or MSB’s of the binary representation of the point as an identifier.

Low memory version of Gaudry-Schost algorithm. Taken from page 6 of (Gaudry & Schost, 2004)

The authors describe the low memory version:

  1. Start with a random point in either of the two lists.

  2. Hash this point until we find a distinguished point.

  3. Store this distinguished point and start a new chain of hashes.

  4. We eventually find a collision.

In Python, the Gaudry-Schost algorithm resembles this:

Gaudry-Schost low-memory collision finding algorithm in Python

For our ball example, we attempt this:

  1. Define a distinguished ball (we use any ball whose hashed value mod 5 is zero).

  2. We only store distinguished balls in our lists.

  3. Hash the current ball’s value to get the next value in the chain.

  4. Once we find a distinguished ball we start the chain again from a fresh random ball.

    Results from running Python code. More picks needed but memory consumption decreases from 730 balls to only 14

As expected, the algorithm requires more picks to find a collision. However, observe the memory usage: only 14 balls stored in memory*.

*The C version of section 2.0 demonstrates how the original algorithm needed us store 730 balls in memory
*The C version is left to you, the reader.

Expected running time of Gaudry-Schost algorithm. Taken from page 5 of (Galbraith & Ruprai, 2010)

The algorithm’s running time is described in (Galbraith & Ruprai, 2010).

We can calculate by hand for N equals 365:

Expected running time for Gaudry-Schost is ~40 picks and we got 47

The paper discusses parameter optimizations like setting the chain restarts and then it ends.

Here are some free gpu credits if you made it this far lol.

Every research paper should be a brief blog post with relevant code. Subscribe.

References

1

Gaudry, P., & Schost, É. (2004). A low-memory parallel version of Matsuo, Chao and Tsujii’s algorithm. In ANTS-VI (pp. 208–222). Springer. https://doi.org/10.1007/978-3-540-24847-7_15

2

Goldfeld, D,. (2020). Birthday Attack. Columbia Mathematics. PDF Link.

3

Galbraith, S & Ruprai, R. (2010). Using Equivalence Classes to Accelerate Solving the Discrete Logarithm Problem in a Short Interval. IACRT EPrint. PDF Link.

Discussion about this video

User's avatar
© 2025 Murage Kibicho
PrivacyTermsCollection notice
Start your SubstackGet the app
Substack is the home for great culture