Lecture Notes in Computer Science, 1996, Volume 1109/1996, 229-236, DOI: 10.1007/3-540-68697-5_18

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

Paul C. van Oorschot and Michael J. Wiener


Abstract

Meet-in-the-middle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A well-known such attack on double-DES requires $2^{56}$ time and memory; a naive key search would take $2^{112}$ time. However, when the attacker is limited to a practical amount of memory, the time savings are much less dramatic. For $n$ the cardinality of the space that each half of the secret is chosen from ($n = 2^{56}$ for double-DES), and $w$ the number of words of memory available for an attack, a technique based on parallel collision search is described which requires $O(\sqrt{n/w})$ times fewer operations and $O(n/w)$ times fewer memory accesses than previous approaches to meet-in-the-middle attacks. For the example of double-DES, an attacker with 16 Gbytes of memory could recover a pair of DES keys in a known-plaintext attack with 570 times fewer encryptions and $3.7 \times 10^{6}$ times fewer memory accesses compared to previous techniques using the same amount of memory.

Key words: Meet-in-the-middle attack - parallel collision search - cryptanalysis - DES - low Hamming weight exponents

1996 May 22
