ZhangYi Wang,Huanguo Zhang,Zhongping Qin,Qiang Meng

2006-01-01

Abstract:The sufficient conditions for keeping desired differential path of MD5 was discussed. By analyzing the expanding of subtraction difference, differential characters of Boolean functions, and the differential characters of shift rotation, the sufficient conditions for keeping desired differential path could be obtained. From the differential characters of shift rotation, the lacked sufficient conditions were found. Then an algorithm that reduces the number of trials for finding collisions were presented. By restricting search space, search operation can be reduced to 2^34 for the first block and 2^30 for the second block. The whole attack on the MD5 can be accomplished within 20 hours using a PC with 1.6 G CPU.

Xiaoyun Wang,Hongbo Yu

DOI: https://doi.org/10.1007/11426639_2

2005-01-01

Abstract:MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Yanzhao Shen,Ting Wu,Gaoli Wang,Xinfeng Dong,Haifeng Qian

DOI: https://doi.org/10.1093/comjnl/bxab109

2022-01-01

Abstract:Counter-cryptanalysis uses cryptanalytic techniques to detect cryptanalytic attacks. It was introduced by Stevens with a collision detection algorithm that detects whether a message is one of a colliding message pair constructed using a collision attack. Later, Stevens and Shumow improved the collision detection against SHA-1 by using unavoidable conditions. However, there are no results improving collision detection against MD5 due to its weak diffusion properties. In this paper, an improved collision detection algorithm against MD5 is proposed by using the 14-bit sufficient condition combinations. This leads to the dividing the 223 classes into four sets. Each element, belonging to the first two sets, holds the same sufficient condition combination. Our new algorithm can classify 126 classes efficiently. The runtime is 28.6% of the previous collision detection method.

Yu Sasaki,Lei Wang,Noboru Kunihiro,Kazuo Ohta

DOI: https://doi.org/10.1093/ietfec/e91-a.1.55

2008-01-01

Abstract:In 2005, collision resistance of several hash functions was broken by Wang et al. The strategy of determining message differences is the most important part of collision attacks against hash functions. So far, many researchers have tried to analyze Wang et al.'s method and proposed improved collision attacks. Although several researches proposed improved attacks, all improved results so far were based on the same message differences proposed by Wang et al. In this paper, we propose new message differences for collision attacks on MD4 and MD5. Our message differences of MD4 can generate a collision with complexity of less than two MD4 computations, which is faster than the original Wang et al.'s attack, and moreover, than the all previous attacks. This is the first result that improves the complexity of collision attack by using different message differences from Wang et al.'s. Regarding MD5, so far, no other message difference from Wang et al.'s is known. Therefore, study for constructing method of other message differences on MD5 should be interesting. Our message differences of MD5 generates a collision with complexity of 242 MD5 computations, which is slower than the latest best attack. However, since our attack needs only 1 bit difference, it has some advantages in terms of message freedom of collision messages.

Wang Yu,Chen Jianhua,He Debiao

DOI: https://doi.org/10.1109/NSWCTC.2009.264

2009-01-01

Abstract:In 2005, collision resistance of several hash functions was broken by Wang et al. The strategy of determining message differential is the most important part of collision attacks against hash functions. So far, there are only three other message differentials attack published, one of which is 6 bits difference and two are I bit difference. In this paper, we propose a completely new attack with 2 bits differential. Our message differential of MD5 generates a collision with complexity of less than 2(41.5) MD5 computations. Although it is slower than the latest best attack, it will be useful in analyzing the security of related applications.

Gaoli Wang

DOI: https://doi.org/10.1007/978-3-642-25243-3_19

2011-01-01

Abstract:Extended MD4 is a hash function proposed by Rivest in 1990 with a 256-bit hash value. The compression function consists of two different and independent parallel lines called Left Line and Right Line, and each line has 48 steps. The initial values of Left Line and Right Line are denoted by IV0 and IV1 respectively. Dobbertin proposed a collision attack for the compression function of Extended MD4 with a complexity of about 2(40) under the condition that the value for IV0 = IV1 is prescribed. In this paper, we gave a collision attack on the full Extended MD4 with a complexity of about 2(37). Firstly, we propose a collision differential path for both lines by choosing a proper message difference, and deduce a set of sufficient conditions that ensure the differential path hold. Then by using some precise message modification techniques to improve the success probability of the attack, we find two-block collisions of Extended MD4 with less than 2(37) computations. This work provides a new reference to the collision analysis of other hash functions such as RIPEMD-160 etc. which consist of two lines.

Wei Li,Zhi Tao,Dawu Gu,Yi Wang,Zhiqiang Liu,Ya Liu

DOI: https://doi.org/10.4304/jcp.8.11.2888-2894

2013-01-01

Journal of Computers

Abstract:The MD5, proposed by R. Riverst in 1992, is a widely used hash function with Merkle-Damgard structure. In the literature, many studies have been devoted to classical cryptanalysis on the MD5, such as the collision attack, the preimage attack etc. In this paper, we propose a new differential fault analysis on the MD5 compression function in the word-oriented random fault model. The simulating experimental results show that 144 random faults on average are required to obtain the current input message block. Our method not only increases the efficiency of fault injection, but also decreases the number of fault hash values. It provides a new reference for the security analysis of the same structure of the hash compression functions.

Haiyan Yu,Xiaoyun Wang

2007-01-01

Abstract:In this paper, we present a new type of MultiCollision attack on the compression functions both of MD4 and 3-Pass HAVAL. For MD4, we utilize two feasible different collision differential paths to find a 4collision with 2 MD4 computations. For 3-Pass HAVAL, we present three near-collision differential paths to find a 8-NearCollision with 2 HAVAL computations.

Yu Sasaki,Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1007/978-3-540-74619-5_21

2007-01-01

Abstract:This paper proposes several approaches to improve the collision attack on MD4 proposed by Wang et al. First, we propose a new local collision that is the best for the MD4 collision attack. Selection of a good message difference is the most important step in achieving effective collision attacks. This is the first paper to introduce an improvement to the message difference approach of Wang et al., where we propose a new local collision. Second, we propose a new algorithm for constructing differential paths. While similar algorithms have been proposed, they do not support the new local collision technique. Finally, we complete a collision attack, and show that the complexity is smaller than the previous best work.

毛明,秦志光,陈少晖

DOI: https://doi.org/10.3724/sp.j.1087.2009.03174

2009-01-01

Journal of Computer Applications

Abstract:Based on the structural characteristics of the MD5 algorithm,the authors summarized the key points of deciphering the Hash function MD5: the introduction to the message differential,the control of the differential path and the satisfaction of the sufficient conditions. In the process of deciphering the MD5,three differences and the properties of the non-linear functions were introduced. The extensive form of the signed difference and the affection of the left shift rotation were applied in it. The important technique for attack of the MD5 algorithm,named technique of message modification,was cryptanalyzed in detail with an example. In general,the authors explored the key points of deciphering the MD5 algorithm form both the overall analysis and specific practice.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Zhangyi Wang,Bangju Wang,Huanguo Zhang

2007-01-01

Abstract:We use the evolutionary computation to study cryptographic hash functions. In finding collisions of hash functions, evolutionary algorithm can be used to find collisions of MD4 and MD5. In this paper, firstly we explain some basic idea about the evolutionary cryptography design and analysis. Then we present an algorithm that reduces the number of trials for finding collisions. Instead of manual computing, by evolutionary computing we can find new differential paths and new collision forms for MD4. For MD5, we use evolutionary computing to find "good" bits that make more conditions satisfied. By restricting search space, we can reduce search operation to 2(34) for the first block and 2(30) for the second block.

Xiaoyun Wang,Xuejia Lai,Dengguo Feng,Hui Chen,Xiuyuan Yu

DOI: https://doi.org/10.1007/11426639_1

2005-01-01

Abstract:MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2− 2 to 2− 6, and the complexity of finding a collision doesn’t exceed 28 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2− 122.The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1587/transfun.e92.a.76

2009-01-01

Abstract:The most widely used hash functions from MD4 family have been broken, which lead to a public competition on designing new hash functions held by NIST. This paper focuses on one concept called near-collision resistance: computationally difficult to find a pair of messages with hash values differing in only few bits, which new hash functions should satisfy. In this paper, we will give a model of near-collisions on MD4, and apply it to attack protocols including HMAC/NMAC-MD4 and MD4(Password||Challenge). Our new outer-key recovery attacks on HMAC/NMAC-MD4 has a complexity of 272 online queries and 277 MD4 computations, while previous result was 288 online queries and 295 MD4 computations. Our attack on MD4(Password||Challenge) can recover 16 password characters with a complexity of 237 online queries and 221 MD4 computations, which is the first approach to attack such protocols.

Lei Wang,Kazuo Ohta,Yu Sasaki,Kazuo Sakiyama,Noboru Kunihiro

DOI: https://doi.org/10.1587/transinf.e93.d.1087

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Many hash-based authentication protocols have been proposed, and proven secure assuming that underlying hash functions are secure. On the other hand, if a hash function compromises, the security of authentication protocols based on this hash function becomes unclear. Therefore, it is significantly important to verify the security of hash-based protocols when a hash function is broken.In this paper, we will re-evaluate the security of two MD5-based authentication protocols based on a fact that MD5 cannot satisfy a required fundamental property named collision resistance. The target protocols are APOP (Authenticated Post Office Protocol) and NMAC (Nested Message Authentication Code), since they or their variants are widely used in real world. For security evaluation of APOP, we will propose a modified password recovery attack procedure, which is twice as fast as previous attacks. Moreover, our attack is more realistic, as the probability of being detected is lower than that of previous attacks. For security evaluation of MD5-based NMAC, we will propose a new key-recovery attack procedure, which has a complexity lower than that of previous attack. The complexity of our attack is 2(76), while that of previous attack is 2(100).**Moreover, our attack has another interesting point. NMAC has two keys: the inner key and the outer key. Our attack can recover the outer key partially without the knowledge of the inner key.

Gao-Li Wang

DOI: https://doi.org/10.1007/s11390-013-1317-5

2013-01-01

Abstract:The cryptographic hash functions Extended MD4 and RIPEMD are double-branch hash functions, which consist of two parallel branches. Extended MD4 was proposed by Rivest in 1990, and RIPEMD was devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988 ~ 1992). On the basis of differential analysis and meet-in-the-middle attack principle, this paper proposes a collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively. The collision attack on Extended MD4 holds with a complexity of 237, and a collision instance is presented. The pseudo-preimage attack on RIPEMD holds with a complexity of 2125:4, which optimizes the complexity order for brute-force attack. The results in this study will also be beneficial to the analysis of other double-branch hash functions such as RIPEMD-160.

Han Zhuoyu,Li Yongzhen

DOI: https://doi.org/10.1109/icpeca53709.2022.9719176

2022-01-01

Abstract:With the rapid popularity of the network, the development of information encryption technology has a significant role and significance in securing network security. The security of information has become an issue of concern to the whole society, and the study of cryptography has been increasingly concerned, and the hash function is the core of modern cryptography, the most common hash algorithms are MD5 series of algorithms, SHA series of algorithms. MD5 is a popular and excellent typical Hash encryption technology today, which is used for password management, electronic signature, spam screening. In this paper, we focus on the improved MD5 algorithm with more efficiency, focusing on the internal structure of MD5, and finally making it more efficient in retrieval.

Wang Xiaoyun,Feng Dengguo,Yu Xiuyuan

DOI: https://doi.org/10.1360/122004-107

2005-01-01

Abstract:In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/27, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.

Hongbo Yu,Gaoli Wang,Guoyan Zhang,Xiaoyun Wang

DOI: https://doi.org/10.1007/11599371_1

2005-01-01

Abstract:In Eurocrypt’05, Wang et al. presented new techniques to find collisions of Hash function MD4. The techniques are not only efficient to search for collisions, but also applicable to explore the second- preimage of MD4. About the second-preimage attack, they showed that a random message was a weak message with probability 2−122 and it only needed a one-time MD4 computation to find the second-preimage corresponding to the weak message. A weak message means that there exits a more efficient attack than the brute force attack to find its second-preimage. In this paper, we find another new collision differential path which can be used to find the second-preimage for more weak messages. For any random message, it is a weak message with probability 2−56, and it can be converted into a weak message by message modification techniques with about 227 MD4 computations. Furthermore, the original message is close to the resulting message (weak message), i.e, the Hamming weight of the difference for two messages is about 44.

bozhong liu,zheng gong,xiaohong chen,weidong qiu,dong zheng

DOI: https://doi.org/10.1109/ITAPP.2010.5566639

2010-01-01

Abstract:Hash functions are widely used in authentication. In this paper, the security of Lin et al.'s efficient block-cipher-based hash function is reviewed. By using Joux's multicollisions and Kelsey et al.'s expandable message techniques, we find the scheme is vulnerable to collision, preimage and second preimage attacks. Some modifications are recommended to avoid those security flaws in Lin et al.'s hash construction.