Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Zhang-yi Wang,Huanguo Zhang,Zhongping Qin,Qingshu Meng

2006-01-01

Abstract:HAVAL is a cryptographic hash function proposed by Zheng et al. Van Rompay et al and Wang et al found collisions of full 3-Pass HAVAL. In this paper, we study the security of 4-Pass HAVAL. By analyzing the expanding of subtraction difference and differential characters of Boolean functions, we find collisions of full versions of 4-Pass HAVAL. The form of collisions is similar to the two-block collisions of MD5 proposed by Wang et al. With fixed carry method instead of multi-message modification, the computational complexity of the attack is about 230-232 for the first block and 227-229 for the second block. We use this method to find collisions of 4-Pass HAVAL in 3-4 hour on a common PC.

Hongbo Yu,Xiaoyun Wang,Aaram Yun,Sangwoo Park

DOI: https://doi.org/10.1007/11799313_7

2006-01-01

Abstract:HAVAL is a cryptographic hash function with variable digest size proposed by Zheng, Pieprzyk and Seberry in 1992. It has three variants, 3-, 4-, and 5-pass HAVAL. Previous results on HAVAL suggested only practical collision attacks for 3-pass HAVAL. In this paper, we present collision attacks for 4 and 5 pass HAVAL. For 4-pass HAVAL, we describe two practical attacks for finding 2-block collisions, one with 243 computations and the other with 236 computations. In addition, we show that collisions for 5-pass HAVAL can be found with about 2123 computations, which is the first attack more efficient than the birthday attack.

Gaoli Wang

DOI: https://doi.org/10.1007/978-3-642-25243-3_19

2011-01-01

Abstract:Extended MD4 is a hash function proposed by Rivest in 1990 with a 256-bit hash value. The compression function consists of two different and independent parallel lines called Left Line and Right Line, and each line has 48 steps. The initial values of Left Line and Right Line are denoted by IV0 and IV1 respectively. Dobbertin proposed a collision attack for the compression function of Extended MD4 with a complexity of about 2(40) under the condition that the value for IV0 = IV1 is prescribed. In this paper, we gave a collision attack on the full Extended MD4 with a complexity of about 2(37). Firstly, we propose a collision differential path for both lines by choosing a proper message difference, and deduce a set of sufficient conditions that ensure the differential path hold. Then by using some precise message modification techniques to improve the success probability of the attack, we find two-block collisions of Extended MD4 with less than 2(37) computations. This work provides a new reference to the collision analysis of other hash functions such as RIPEMD-160 etc. which consist of two lines.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1587/transfun.e92.a.76

2009-01-01

Abstract:The most widely used hash functions from MD4 family have been broken, which lead to a public competition on designing new hash functions held by NIST. This paper focuses on one concept called near-collision resistance: computationally difficult to find a pair of messages with hash values differing in only few bits, which new hash functions should satisfy. In this paper, we will give a model of near-collisions on MD4, and apply it to attack protocols including HMAC/NMAC-MD4 and MD4(Password||Challenge). Our new outer-key recovery attacks on HMAC/NMAC-MD4 has a complexity of 272 online queries and 277 MD4 computations, while previous result was 288 online queries and 295 MD4 computations. Our attack on MD4(Password||Challenge) can recover 16 password characters with a complexity of 237 online queries and 221 MD4 computations, which is the first approach to attack such protocols.

Jie Liang,Xue-Jia Lai

DOI: https://doi.org/10.1007/s11390-007-9010-1

2007-01-01

Abstract:In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al . in the Conference EUROCRYPT 2005. We found that the derived conditions for the desired collision differential path were not sufficient to guarantee the path to hold and that some conditions could be modified to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in the attack algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique presented by Wang et al ., the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pentium4 1.70GHz CPU.

Gao-Li Wang

DOI: https://doi.org/10.1007/s11390-013-1317-5

2013-01-01

Abstract:The cryptographic hash functions Extended MD4 and RIPEMD are double-branch hash functions, which consist of two parallel branches. Extended MD4 was proposed by Rivest in 1990, and RIPEMD was devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988 ~ 1992). On the basis of differential analysis and meet-in-the-middle attack principle, this paper proposes a collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively. The collision attack on Extended MD4 holds with a complexity of 237, and a collision instance is presented. The pseudo-preimage attack on RIPEMD holds with a complexity of 2125:4, which optimizes the complexity order for brute-force attack. The results in this study will also be beneficial to the analysis of other double-branch hash functions such as RIPEMD-160.

Xiaoyun Wang,Hongbo Yu

DOI: https://doi.org/10.1007/11426639_2

2005-01-01

Abstract:MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Wang Yu,Chen Jianhua,He Debiao

DOI: https://doi.org/10.1109/NSWCTC.2009.264

2009-01-01

Abstract:In 2005, collision resistance of several hash functions was broken by Wang et al. The strategy of determining message differential is the most important part of collision attacks against hash functions. So far, there are only three other message differentials attack published, one of which is 6 bits difference and two are I bit difference. In this paper, we propose a completely new attack with 2 bits differential. Our message differential of MD5 generates a collision with complexity of less than 2(41.5) MD5 computations. Although it is slower than the latest best attack, it will be useful in analyzing the security of related applications.

Yu Sasaki,Wataru Komatsubara,Yasuhide Sakai,Lei Wang,Mitsugu Iwamoto,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.5220/0004521101110122

2013-01-01

Abstract:In this paper, we revisit previous meet-in-the-middle preimage attacks on hash functions. We firstly present a technical improvement for the existing local-collision and initial-structure techniques. With applying some equivalent transformation, we can significantly reduce the memory requirement from the original proposals. We then revisit the previous preimage attacks on MD5 and HAVAL with recent techniques. Consequently, we can improve the memory complexity of the previous preimage attack on full MD5 from 2(45) to 2(13) and on full 4-pass HAVAL from 2(64) to 2(32). Moreover, we extend the preimage attack on 5-pass HAVAL from 151 steps to 158 steps, and present the first preimage attack with a single block message for 3-pass HAVAL.

Wang Xiaoyun,Feng Dengguo,Yu Xiuyuan

DOI: https://doi.org/10.1360/122004-107

2005-01-01

Abstract:In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/27, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.

Yu Sasaki,Lei Wang,Noboru Kunihiro,Kazuo Ohta

DOI: https://doi.org/10.1093/ietfec/e91-a.1.55

2008-01-01

Abstract:In 2005, collision resistance of several hash functions was broken by Wang et al. The strategy of determining message differences is the most important part of collision attacks against hash functions. So far, many researchers have tried to analyze Wang et al.'s method and proposed improved collision attacks. Although several researches proposed improved attacks, all improved results so far were based on the same message differences proposed by Wang et al. In this paper, we propose new message differences for collision attacks on MD4 and MD5. Our message differences of MD4 can generate a collision with complexity of less than two MD4 computations, which is faster than the original Wang et al.'s attack, and moreover, than the all previous attacks. This is the first result that improves the complexity of collision attack by using different message differences from Wang et al.'s. Regarding MD5, so far, no other message difference from Wang et al.'s is known. Therefore, study for constructing method of other message differences on MD5 should be interesting. Our message differences of MD5 generates a collision with complexity of 242 MD5 computations, which is slower than the latest best attack. However, since our attack needs only 1 bit difference, it has some advantages in terms of message freedom of collision messages.

Xiaoyun Wang,Xuejia Lai,Dengguo Feng,Hui Chen,Xiuyuan Yu

DOI: https://doi.org/10.1007/11426639_1

2005-01-01

Abstract:MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2− 2 to 2− 6, and the complexity of finding a collision doesn’t exceed 28 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2− 122.The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations.

Wei Li,Zhi Tao,Dawu Gu,Yi Wang,Zhiqiang Liu,Ya Liu

DOI: https://doi.org/10.4304/jcp.8.11.2888-2894

2013-01-01

Journal of Computers

Abstract:The MD5, proposed by R. Riverst in 1992, is a widely used hash function with Merkle-Damgard structure. In the literature, many studies have been devoted to classical cryptanalysis on the MD5, such as the collision attack, the preimage attack etc. In this paper, we propose a new differential fault analysis on the MD5 compression function in the word-oriented random fault model. The simulating experimental results show that 144 random faults on average are required to obtain the current input message block. Our method not only increases the efficiency of fault injection, but also decreases the number of fault hash values. It provides a new reference for the security analysis of the same structure of the hash compression functions.

Gaoli Wang,Shaohui Wang

DOI: https://doi.org/10.1007/978-3-642-02384-2_1

2009-01-01

Abstract:HAVAL is a cryptographic hash function with variable hash value sizes proposed by Zheng, Pieprzyk and Seberry in 1992. It has 3, 4, or 5 passes, and each pass contains 32 steps. There was a collision attack on 5-pass HAVAL, but no second preimage attack. In this paper, we present a second preimage differential path for 5-pass HAVAL with probability 2*** 227 and exploit it to devise a second preimage attack on 5-pass HAVAL . Furthermore, we utilize the path to recover the partial key of HMAC/NMAC-5-pass HAVAL with 2235 oracle queries and 235 memory bytes.

Norbert Pramstaller,Christian Rechberger,Vincent Rijmen

DOI: https://doi.org/10.1007/11693383_16

2006-01-01

Abstract:We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.

Yu Sasaki,Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1007/978-3-540-74619-5_21

2007-01-01

Abstract:This paper proposes several approaches to improve the collision attack on MD4 proposed by Wang et al. First, we propose a new local collision that is the best for the MD4 collision attack. Selection of a good message difference is the most important step in achieving effective collision attacks. This is the first paper to introduce an improvement to the message difference approach of Wang et al., where we propose a new local collision. Second, we propose a new algorithm for constructing differential paths. While similar algorithms have been proposed, they do not support the new local collision technique. Finally, we complete a collision attack, and show that the complexity is smaller than the previous best work.

Jin-min Zhong,Xue-jia Lai,Ming Duan

DOI: https://doi.org/10.1007/s12204-011-1215-3

2011-01-01

Abstract:HAVAL is a hash function proposed by Zheng et al. in 1992, including 3-, 4- and 5-pass versions. We improve pseudo-preimage and preimage attacks on 3-pass HAVAL at the complexity of 2172 and 2209.6, respectively, as compared to the previous best known results: 2192 and 2225 by Sasaki et al. in 2008. We extend the skip interval for partial-patching and apply the initial structure technique to find the better message chunks, and combine the indirect-partial-matching, partial-fixing and multi-neutral-word partial-fixing techniques to improve the attacks based on the meet-in-the-middle method. These are the best pseudo-preimage and preimage attacks on 3-pass HAVAL.

An Wang,Liji Wu,Zongyue Wang,Xuexin Zheng,Man Chen,Jing Ma

DOI: https://doi.org/10.1155/2014/209692

IF: 1.43

2014-01-01

Mathematical Problems in Engineering

Abstract:In CHES 2008, Bogdanov proposed multiple-differential collision attacks which could be applied to the power analysis attacks on practical cryptographic systems. However, due to the effect of countermeasures on FPGA, there are some difficulties during the collision detection, such as local high noise and the lack of sampling points. In this paper, keypoints voting test is proposed for solving these problems, which can increase the success ratio from 35% to 95% on the example of one implementation. Furthermore, we improve the ternary voting test of Bogdanov, which can improve the experiment efficiency markedly. Our experiments show that the number of power traces required in our attack is only a quarter of the requirement of traditional attack. Finally, some alternative countermeasures against our attacks are discussed.

Zhimin Li,Licheng Wang,Daofeng Li,Yixian Yang

DOI: https://doi.org/10.1109/ICNIT.2010.5508519

2010-01-01

Abstract:NaSHA is a family of hash functions submitted by Markovski and Mileva, it is accepted as one of the first SHA-3 round candidates. In this paper, we present a collision attack on NaSHA for the output sizes 384-bit and 512-bit. This attack is based on the the weakness in the generate course of the state words, and the fact that the quasigroup operation used in the compression function are determined by partial state words. The time complexity of this attack is about 2128 with negligible memory. This is currently by far the best known cryptanalysis result on this hash function.