Hash Collisions Explained — Pigeonholes, the Birthday Paradox, and Broken Algorithms

Every hash function has collisions — two different inputs that produce the identical digest. That is not a flaw; it is a mathematical certainty. What separates a healthy algorithm like SHA-256 from a broken one like MD5 is whether anyone can find a collision on purpose. This article builds the idea from first principles: why collisions must exist, why they show up much sooner than intuition predicts, how researchers actually weaponised collisions against MD5 and SHA-1, and what "collision resistance" really promises for SHA-256 today.

The Pigeonhole Principle: Collisions Must Exist

Put 10 pigeons into 9 holes and at least one hole holds two pigeons. Hash functions face the same arithmetic at cosmic scale: SHA-256 has exactly 2^256 possible outputs, but the set of possible inputs — every file, string, and byte sequence of any length — is infinite. Infinitely many pigeons, finitely many holes: infinitely many inputs share each output.

So the security question was never "do collisions exist?" They do, for every hash function that can ever be designed. The question is: can anyone actually find one? With 2^256 holes, randomly stumbling on two pigeons in the same hole is — as we are about to see — a matter of probability, and the numbers are on the defender's side as long as the algorithm has no shortcuts.

The Birthday Paradox: Why 2^(n/2), Not 2^n

How many people must be in a room before two of them probably share a birthday? Not 183 — just 23. The trick is that you are not looking for a match with one specific date; you are looking for a match between any pair, and 23 people form 253 pairs.

The same effect governs hash collisions. To find an input matching one specificdigest (a "preimage"), you expect around 2^n guesses for an n-bit hash. But to find any two inputs that match each other, hashing random inputs and comparing all pairs, you expect a collision after only about 2^(n/2) attempts — the square root of the search space:

Algorithm   Digest bits   Brute-force collision cost (birthday bound)
MD5         128           ~2^64   (borderline feasible for nation-scale rigs)
SHA-1       160           ~2^80   (huge, but attacks cut it to ~2^63)
SHA-256     256           ~2^128  (utterly out of reach)

Rule of thumb: an n-bit hash gives n bits of preimage resistance
but only n/2 bits of collision resistance.

This is why digest size matters so much: the birthday bound halves your security before any cleverness begins. And cryptanalysis only ever pushes the cost belowthat bound — which is exactly how MD5 and SHA-1 died.

How Collisions Broke MD5 and SHA-1 in Practice

  • 2004 — MD5's 2^64 becomes hours. Xiaoyun Wang's team found structural weaknesses that produced collisions in hours on ordinary hardware — millions of times faster than the birthday bound. Within a few years, tools generated MD5 collisions in seconds.
  • 2008 — a forged certificate authority. Researchers used chosen-prefix MD5 collisions (where the attacker controls both documents' beginnings) to craft a rogue CA certificate that mainstream browsers would have trusted — turning a math result into a practical attack on the web's trust model.
  • 2012 — Flame malware. Flame used a previously unknown MD5 chosen-prefix collision to forge a Microsoft code-signing certificate, letting it masquerade as a legitimate Windows Update. Collisions in the wild, weaponised by real attackers.
  • 2017 — SHAttered kills SHA-1. Google and CWI Amsterdam produced two different PDF files with identical SHA-1 digests, using about 2^63 computations — roughly 100,000 times cheaper than brute force. Git, browsers, and certificate authorities all accelerated their moves away from SHA-1.

Notice the pattern: an academic weakness appears, then years later it forges certificates and signs malware. Collision attacks matter wherever a hash stands in for a document's identity — signatures, certificates, deduplication, content-addressed storage. The attacker gets a benign file approved, then swaps in its malicious twin with the same hash.

What Collision Resistance Means for SHA-256

No SHA-256 collision has ever been found, and its birthday bound of about 2^128 operations puts brute force permanently out of reach — that is billions of times more work than every computer on Earth performs in a year, sustained for longer than the age of the universe. Known cryptanalytic results only dent reduced-round variants of the function, nowhere near the full 64 rounds.

  • Collision resistance: nobody can craft two inputs with the same SHA-256 digest — signatures and certificates stay trustworthy
  • Second-preimage resistance: given your file, nobody can build a different file with the same digest — published checksums stay meaningful
  • Preimage resistance: a digest reveals nothing recoverable about its input

Two practical footnotes. First, collision resistance says nothing about guessing: hashing a weak password with SHA-256 is still crackable by brute force, which is why passwords need bcrypt or Argon2 instead. Second, the industry learned from MD5 that algorithms fail gradually — so SHA-512 and the structurally different SHA-3 family already exist as prepared exits long before SHA-256 shows any cracks.

What This Means for Your Code

  • Never use MD5 or SHA-1 where a deliberate collision gains an attacker anything: signatures, certificates, download verification, content addressing
  • MD5 remains acceptable strictly for accident detection — corruption checks and cache keys inside trusted pipelines
  • Standardise on SHA-256 for integrity and identity; the performance difference is negligible on modern hardware
  • Remember the n/2 rule when sizing truncated hashes: keeping only 64 bits of a SHA-256 digest gives just 32 bits of collision resistance — a few billion operations, crackable on a laptop

Frequently Asked Questions

What is a hash collision?

Two different inputs producing exactly the same hash output. Since hash functions map infinitely many inputs to a fixed number of outputs, collisions must exist — an algorithm is broken only when someone can find them on purpose, faster than brute force.

Why does the birthday paradox matter for hashing?

It shows matches appear far sooner than intuition suggests — 23 people probably share a birthday. For an n-bit hash, a random collision is expected after about 2^(n/2) attempts rather than 2^n, so a 128-bit hash like MD5 offers only about 64 bits of collision resistance before any cryptanalysis.

Has SHA-256 ever had a collision?

No. Its birthday bound of roughly 2^128 operations is far beyond any conceivable computing power, and no shortcut against the full function is known — which is why SHA-256 remains the standard for integrity and signatures.

Try the Free Hash Generator

Compare MD5, SHA-1, SHA-256, and SHA-512 digests side by side — generated instantly in your browser, nothing uploaded. No signup, no cost.

Related articles