Single-block collision attack on MD5

In 2010, Tao Xie and Dengguo Feng [XF10] constructed the first single-block collision for MD5 consisting of two 64-byte messages that have the same MD5 hash. Details of their attack, developed using what they call an evolutionary approach, have not been disclosed "for security reasons". Instead they have posted a challenge to the cryptology community to find a new different single-block collision attack for MD5. This paper answers that challenge by presenting a single-block collision attack based on other message differences together with an example colliding message pair. The attack is based on a new collision finding algorithm that exploits the low number of bitconditions in the first round. It uses a new way to choose message blocks that satisfy bitconditions up to step 22 and additionally uses three known tunnels to correct bitconditions up to step 25. The attack has an average runtime complexity equivalent to $2^{49.8}$ calls to MD5's compression function.
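To make "single-block" concrete, the following added example (not code from the paper) implements MD5's compression function and checks a pair of 64-byte messages: their per-word message differences, whether the intermediate hash values after the one message block agree, and whether the digests collide. The names `compress` and `analyse_pair` are hypothetical, and the sample messages are constructed and do not collide.

```python
import hashlib, math, struct

# MD5 constants from RFC 1321: rotation amounts, sine-derived addends, initial value.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(t + 1)) * 2**32) & 0xFFFFFFFF for t in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def compress(ihv, block):
    """One call to MD5's compression function: 64 steps over a 64-byte block."""
    m = struct.unpack("<16I", block)
    a, b, c, d = ihv
    for t in range(64):
        if t < 16:
            f, g = (b & c) | (~b & d), t
        elif t < 32:
            f, g = (d & b) | (~d & c), (5 * t + 1) % 16
        elif t < 48:
            f, g = b ^ c ^ d, (3 * t + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * t) % 16
        f = (f + a + K[t] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + rol(f, S[t])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(ihv, (a, b, c, d)))

def analyse_pair(m1, m2):
    """Describe how two 64-byte messages relate as a candidate single-block pair."""
    if len(m1) != 64 or len(m2) != 64:
        raise ValueError("a single-block pair is exactly 64 bytes per message")
    # A 64-byte message is followed by one padding block, identical for both inputs,
    # so equal intermediate hash values after block 1 force equal digests.
    pad = b"\x80" + bytes(55) + struct.pack("<Q", 512)
    w1, w2 = struct.unpack("<16I", m1), struct.unpack("<16I", m2)
    ihv1, ihv2 = compress(IV, m1), compress(IV, m2)
    d1, d2 = (struct.pack("<4I", *compress(h, pad)) for h in (ihv1, ihv2))
    return {
        # modular differences m'_i - m_i mod 2^32 of the words that differ
        "word_diffs": {i: (y - x) & 0xFFFFFFFF for i, (x, y) in enumerate(zip(w1, w2)) if x != y},
        "ihv_equal": ihv1 == ihv2,
        "collision": m1 != m2 and d1 == d2,
        "digests": (d1.hex(), d2.hex()),
        "matches_hashlib": d1 == hashlib.md5(m1).digest() and d2 == hashlib.md5(m2).digest(),
    }

# Constructed sample input (not a colliding pair): M2 flips the low bit of word 3.
M1 = bytes(range(64))
M2 = M1[:12] + bytes([M1[12] ^ 1]) + M1[13:]
```

Running `analyse_pair` on a published colliding pair would report `ihv_equal` and `collision` as true, with `word_diffs` listing the message differences the pair uses.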

[1] Ronald L. Rivest, et al. The MD5 Message-Digest Algorithm, 1992, RFC.

[2] Yu Sasaki, et al. Improved Collision Attack on MD5, 2005, IACR Cryptol. ePrint Arch.

[3] Tao Xie, et al. Construct MD5 Collisions Using Just A Single Block Of Message, 2010, IACR Cryptol. ePrint Arch.

[4] Marc Stevens, et al. Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities, 2007, EUROCRYPT.

[5] LiangJie, et al. Improved collision attack on hash function MD5, 2007.

[6] Philip Hawkes, et al. Musings on the Wang et al. MD5 Collision, 2004, IACR Cryptol. ePrint Arch.

[7] Takeshi Shimoyama, et al. Wang's sufficient conditions of MD5 are not sufficient, 2005, IACR Cryptol. ePrint Arch.

[8] Marc Stevens, et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate, 2009, CRYPTO.

[9] Xuejia Lai, et al. Improved Collision Attack on Hash Function MD5, 2007, Journal of Computer Science and Technology.

[10] Marc Stevens, et al. Fast Collision Attack on MD5, 2006, IACR Cryptol. ePrint Arch.

[11] Xiaoyun Wang, et al. How to Break MD5 and Other Hash Functions, 2005, EUROCRYPT.

[12] Marc Stevens, et al. Chosen-prefix collisions for MD5 and applications, 2012, Int. J. Appl. Cryptogr.

[13] Vlastimil Klíma, et al. Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications, 2005, IACR Cryptol. ePrint Arch.

[14] Vlastimil Klíma, et al. Tunnels in Hash Functions: MD5 Collisions Within a Minute, 2006, IACR Cryptol. ePrint Arch.

[15] Tao Xie, et al. How To Find Weak Input Differences For MD5 Collision Attacks, 2009, IACR Cryptol. ePrint Arch.