Article · Wikipedia archive · Last revised Jun 9, 2026

Claw finding problem

The claw finding problem is a classical problem in complexity theory, with several applications in cryptography. In short, given two functions f, g, viewed as oracles, the problem is to find x and y such as f(x) = g(y). The pair (x, y) is then called a claw. Some problems, especially in cryptography, are best solved when viewed as a claw finding problem, hence any algorithmic improvement to solving the claw finding problem provides a better attack on cryptographic primitives such as hash functions.

Last revised
Jun 9, 2026
Read time
≈ 3 min
Length
617 w
Citations
3
Source
Wikipedia ↗

The claw finding problem is a classical problem in complexity theory, with several applications in cryptography. In short, given two functions f, g, viewed as oracles, the problem is to find x and y such as f(x) = g(y). The pair (x, y) is then called a claw. Some problems, especially in cryptography, are best solved when viewed as a claw finding problem, hence any algorithmic improvement to solving the claw finding problem provides a better attack on cryptographic primitives such as hash functions.

Definition

Let A , B , C {\displaystyle A,B,C} be finite sets, and f : A C {\displaystyle f:A\to C} , g : B C {\displaystyle g:B\to C} two functions. A pair ( x , y ) A × B {\displaystyle (x,y)\in A\times B} is called a claw if f ( x ) = g ( y ) {\displaystyle f(x)=g(y)} . The claw finding problem is defined as to find such a claw, given that one exists.

If we view f , g {\displaystyle f,g} as random functions, we expect a claw to exist iff | A | | B | | C | {\displaystyle |A|\cdot |B|\geq |C|} . More accurately, there are exactly | A | | B | {\displaystyle |A|\cdot |B|} pairs of the form ( x , y ) {\displaystyle (x,y)} with x A , y B {\displaystyle x\in A,y\in B} ; the probability that such a pair is a claw is 1 / | C | {\displaystyle 1/|C|} . So if | A | | B | | C | {\displaystyle |A|\cdot |B|\geq |C|} , the expected number of claws is at least 1.

Algorithms

If classical computers are used, the best algorithm is similar to a Meet-in-the-middle attack, first described by Diffie and Hellman.1 The algorithm works as follows: assume | A | | B | {\displaystyle |A|\leq |B|} . For every x A {\displaystyle x\in A} , save the pair ( f ( x ) , x ) {\displaystyle (f(x),x)} in a hash table indexed by f ( x ) {\displaystyle f(x)} . Then, for every y B {\displaystyle y\in B} , look up the table at g ( y ) {\displaystyle g(y)} . If such an index exists, we found a claw. This approach takes time O ( | A | + | B | ) {\displaystyle O(|A|+|B|)} and memory O ( | A | ) {\displaystyle O(|A|)} .

If quantum computers are used, Seiichiro Tani showed that a claw can be found in complexity

| A | | B | 3 {\displaystyle {\sqrt[{3}]{|A|\cdot |B|}}} if | A | | B | < | A | 2 {\displaystyle |A|\leq |B|<|A|^{2}} and

| B | {\displaystyle {\sqrt {|B|}}} if | B | | A | 2 {\displaystyle |B|\geq |A|^{2}} .2

Shengyu Zhang showed that asymptotically these algorithms are the most efficient possible.3

Applications

As noted, most applications of the claw finding problem appear in cryptography. Examples include:

References

References

  1. Diffie, Whitfield; Hellman, Martin E. (June 1977). "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" (PDF). Computer. 10 (6): 74–84. doi:10.1109/C-M.1977.217750.
  2. Tani, Seiichiro (November 2009). "Claw Finding Algorithms Using Quantum Walk". Theoretical Computer Science. 410 (50): 5285–5297. arXiv:0708.2584. doi:10.1016/j.tcs.2009.08.030.
  3. Zhang, Shengyu (2005). "Promised and Distributed Quantum Search". Computing and Combinatorics. Lecture Notes in Computer Science. Vol. 3595. Springer Berlin Heidelberg. pp. 430–439. doi:10.1007/11533719_44. ISBN 978-3-540-28061-3.