How to Break MD5 and Other Hash Functions

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security has been widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour of computation time. The attack is a differential attack which, unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.
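The following added example (not code from the paper) contrasts the two difference measures named in the abstract on 32-bit words: one modular difference corresponds to several XOR differences because of carries, and only the modular difference is preserved when the same word is added to both inputs, as happens in the additions mod 2^32 that MD5's steps use. The function names and the sampled random words are constructed for illustration.

```python
import random

MASK = 0xFFFFFFFF  # MD5 operates on 32-bit words


def modular_diff(x, x2):
    """Difference measured by integer subtraction mod 2^32."""
    return (x2 - x) & MASK


def xor_patterns(delta, samples=20000, seed=1):
    """XOR differences observed over pairs with one fixed modular difference."""
    rng = random.Random(seed)  # constructed sample inputs
    seen = set()
    for _ in range(samples):
        x = rng.getrandbits(32)
        seen.add(x ^ ((x + delta) & MASK))
    return seen


def diffs_after_addition(delta, use_xor, samples=20000, seed=2):
    """Add the same random word k to both members of a pair and collect the
    resulting differences, measured the same way the pair was built."""
    rng = random.Random(seed)  # constructed sample inputs
    seen = set()
    for _ in range(samples):
        x, k = rng.getrandbits(32), rng.getrandbits(32)
        x2 = (x ^ delta) if use_xor else (x + delta) & MASK
        y, y2 = (x + k) & MASK, (x2 + k) & MASK
        seen.add((y ^ y2) if use_xor else modular_diff(y, y2))
    return seen


if __name__ == "__main__":
    for bit in (28, 31):
        pats = sorted(xor_patterns(1 << bit))
        print(f"modular +2^{bit}: XOR patterns", [f"{p:08x}" for p in pats])
    mod_out = diffs_after_addition(1 << 28, use_xor=False)
    xor_out = diffs_after_addition(1 << 28, use_xor=True)
    print("modular diff after adding k:", len(mod_out), "value(s)")
    print("XOR diff after adding k:    ", len(xor_out), "value(s)")
```

A difference in the top bit (2^31) is the one case where both measures agree, since the carry out of bit 31 is discarded.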
