TLSH (C++ Python extension)





GitHub Stars



Last Commit

6d ago







Apache or BSD



Build Status

TLSH - Trend Micro Locality Sensitive Hash

TLSH is a fuzzy matching library. Given a byte stream with a minimum length of 50 bytes TLSH generates a hash value which can be used for similarity comparisons. Similar objects will have similar hash values which allows for the detection of similar objects by comparing their hash values. Note that the byte stream should have a sufficient amount of complexity. For example, a byte stream of identical bytes will not generate a hash value.

What's New in TLSH 4.x.x

Release version 4.7.1 Updated Python realease with additional functions:

  • lvalue
  • q1ratio
  • q2ratio
  • checksum
  • bucket_value
  • is_valid

Release version 4.6.0 Issue 99 raised issues about what to do when evaluating the TLSH for files over 4GB We decided to define that TLSH is the TLSH of the first 4GB of a file

We have written technical material that focuses on 2 topics at

  • fast nearest neighbour search and scalable clustering
  • robustness to attack



  • adding version identifier to the digest
  • added output options (-o)
  • added json object output (-ojson)
  • added null digest (TNULL)

TLSH has gained some traction. It has been included in STIX 2.1 and been ported to a number of langauges.

We are adding a version identifier ("T1") to the start of the digest so that we can cleary distinguish between different variants of the digest (such as non-standard choices of 3 byte checksum). This means that we do not rely on the length of the hex string to determine if a hex string is a TLSH digest (this is a brittle method for identifying TLSH digests). We are doing this to enable compatibility, especially backwards compatibility of the TLSH approach.

This release will add "T1" to the start of TLSH digests. The code is backwards compatible, it can still read and interpret 70 hex character strings as TLSH digests. And data sets can include mixes of the old and new digests. If you need old style TLSH digests to be outputted, then use the command line option '-old'


Thanks to Chun Cheng, who was a humble and talented engineer.

Minimum byte stream length

The program in default mode requires an input byte stream with a minimum length of 50 bytes (and a minimum amount of randomness - see note in Python extension below).

For consistency with older versions, there is a -conservative option which enforces a 256 byte limit. See notes for version 3.17.0 of TLSH

Computed hash

The computed hash is 35 bytes of data (output as 'T1' followed 70 hexidecimal characters. Total length 72 characters). The 'T1' has been added as a version number for the hash - so that we can adapt the algorithm and still maintain backwards compatibility. To get the old style 70 hex hashes, use the -old command line option.

Bytes 3,4,5 are used to capture the information about the file as a whole (length, ...), while the last 32 bytes are used to capture information about incremental parts of the file. (Note that the length of the hash can be increased by changing build parameters described below in CMakeLists.txt, which will increase the information stored in the hash. For some applications this might increase the accuracy in predicting similarities between files.)

Executables and library

Building TLSH (see below) will create a static library in the lib directory, and the tlsh executable (a symbolic link to tlsh_unittest). 'tlsh' links to the static library, in the bin directory. The library has functionality to generate the hash value from a given file, and to compute the similarity between two hash values.

tlsh is a utility for generating TLSH hash values and comparing TLSH hash values to determine similarity. Run it with no parameters for detailed usage.


  • A JavaScript port available in the js_ext directory.
  • A Java port is available in the java directory.

3rd Party Ports

We list these ports just for reference. We have not checked the code in these repositories, and we have not checked that the results are identical to TLSH here. We also request that any ports include the files LICENSE and NOTICE.txt exactly as they appear in this repository.

  • Another Java port is available here.
  • Another Java port is available here.
  • A Golang port is available here.
  • A Ruby port is available here

Downloading TLSH

Download TLSH as follows:

wget -O
cd tlsh-master


git clone git://
cd tlsh
git checkout master

Building TLSH

Edit CMakeLists.txt to build TLSH with different options.

  • TLSH_BUCKETS: determines using 128 or 256 buckets use the default 128 buckets unless you are an expert and know you need 256 buckets
  • TLSH_CHECKSUM_1B: determines checksum length, longer means less collision use the default 1 byte unless you are an expert and know you need a larger checksum



Note: Building TLSH on Linux depends upon cmake to create the Makefile and then make the project, so the build will fail if cmake is not installed.

Windows (MinGW)

Added in March 2020. See the instructions in README.mingw

Windows (Visual Studio)

Use the version-specific tlsh solution files (tlsh.VC2005.sln, tlsh.VC2008.sln, ...) under the Windows directory.

See tlsh.h for the tlsh library interface and tlsh_unittest.cpp and simple_unittest.cpp under the test directory for example code.

Using TLSH in Python

Python Package

We have recently created a Python package on PyPi:
The py-tlsh replaces the python-tlsh package. For details see issue 94
To install this package

Python Extension

If you need to build your own Python package, then there is a README.python with notes about the python version

(1) compile the C++ code
(2) build the python version
    $ cd py_ext/
    $ python ./ build
(3) install - possibly - sudo, run as root or administrator
    $ python ./ install
(4) test it
    $ cd ../Testing
    $ ./

Python Usage

import tlsh


Note data needs to be bytes - not a string. This is because TLSH is for binary data and binary data can contain a NULL (zero) byte.

In default mode the data must contain at least 50 bytes to generate a hash value and that it must have a certain amount of randomness. To get the hash value of a file, try

tlsh.hash(open(file, 'rb').read())

Note: the open statement has opened the file in binary mode.

Python Example

import tlsh

h1 = tlsh.hash(data)
h2 = tlsh.hash(similar_data)
score = tlsh.diff(h1, h2)

h3 = tlsh.Tlsh()
with open('file', 'rb') as f:
    for buf in iter(lambda:, b''):
# this assertion is stating that the distance between a TLSH and itself must be zero
assert h3.diff(h3) == 0
score = h3.diff(h1)

Python Extra Options

The diffxlen function removes the file length component of the tlsh header from the comparison.

tlsh.diffxlen(h1, h2)

If a file with a repeating pattern is compared to a file with only a single instance of the pattern, then the difference will be increased if the file lenght is included. But by using the diffxlen function, the file length will be removed from consideration.

Python Backwards Compatibility Options

If you use the "conservative" option, then the data must contain at least 256 characters. For example,

import os

should generate a hash, but


will generate TNULL as it is less than 256 bytes.

If you need to generate old style hashes (without the "T1" prefix) then use


The old and conservative options may be combined:


Design Choices

  • To improve comparison accuracy, TLSH tracks counting bucket height distribution in quartiles. Bigger quartile difference results in higher difference score.
  • Use specially 6 trigrams to give equal representation of the bytes in the 5 byte sliding window which produces improved results.
  • Pearson hash is used to distribute the trigram counts to the counting buckets.
  • The global similarity score distances objects with significant size difference. Global similarity can be disabled. It also distances objects with different quartile distributions.
  • TLSH can be compiled to generate 70 or 134 characters hash strings. The longer version has been created to use of the 70 char hash strings is not working for your application.

TLSH similarity is expressed as a difference score:

  • A score of 0 means the objects are almost identical.
  • For the 72 characters hash, there is a detailed table of experimental Detection rates and False Positive rates based on the threshhold. see Table II on page 5


Current Version


	added options -thread and -private
	-thread	the TLSH is evaluated with 2 threads (faster calculation)
		Only done for files / bytestreams >= 10000 bytes
		But this means that it is impossible to calculate the checksum
		So the checksum is set to zero
		Does not evaluate the checksum
		Useful if you do not want to leak information
		Slightly faster than default TLSH (code was written to optimize this)
Timing (using the utility provide "timing_unittest") : (On Mac 2.3 GHz)
Byte size: 1 million bytes

eval TLSH DEFAULT (4.9.3 compact hash 1 byte checksum sliding_window=5) 500 times...
TLSH(buffer) = T1A12500088C838B0A0F0EC3C0ACAB82F3B8228B0308CFA302338C0F0AE2C24F28000008
BEFORE	ms=1631512230350
AFTER	ms=1631512234041
TIME	ms=3691
TIME	ms=  7.38	per iteration

eval TLSH THREADED (4.9.3 compact hash 1 byte checksum sliding_window=5) 500 times...
TLSH(buffer) = T1002500088C838B0A0F0EC3C0ACAB82F3B8228B0308CFA302338C0F0AE2C24F28000008
BEFORE	ms=1631512234041
AFTER	ms=1631512236464
TIME	ms=2423
TIME	ms=  4.85	per iteration

eval TLSH PRIVATE (4.9.3 compact hash 1 byte checksum sliding_window=5) 500 times...
TLSH(buffer) = T1002500088C838B0A0F0EC3C0ACAB82F3B8228B0308CFA302338C0F0AE2C24F28000008
BEFORE	ms=1631512236464
AFTER	ms=1631512239485
TIME	ms=3021
TIME	ms=  6.04	per iteration

eval TLSH distance 50 million times...
Test 2: Calc distance TLSH digest
BEFORE	ms=1631512239500
AFTER	ms=1631512240550
TIME	ms=1050
TIME	ms= 21.00	per million iterations

Change History


Rate & Review

Great Documentation0
Easy to Use0
Highly Customizable0
Bleeding Edge0
Responsive Maintainers0
Poor Documentation0
Hard to Use0
Unwelcoming Community0