Preimage Attacks on Step-Reduced MD5

In this paper, we propose preimage attacks on step-reduced MD5. We show that a preimage of a 44-step MD5 can be computed to a complexity of $2^{96}$. We also consider a preimage attack against variants of MD5 where the round order is modified from the real MD5. In such a case, a preimage of a 51-step round-reordered MD5 can be computed to a complexity of $2^{96}$. Our attack uses "local collisions" of MD5 to create a degree of message freedom. This freedom enables us to match the two 128-bit intermediate values efficiently.
