Collisions for the compression function of MD5

Boer, Bert den; Bosselaers, Antoon

doi:10.1007/3-540-48285-7_26

Cited by 172 publications

(55 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While our results don't endanger the collision resistance of the RIPEMD-128 hash function as a whole, we emphasize that semi-free-start collision attacks are a strong warning sign which indicates that RIPEMD-128 might not be as secure as the community expected. Considering the history of the attacks on the MD5 compression function [7,8], MD5 hash function [28], and then MD5-protected certificates [24], we believe that another function than RIPEMD-128 should be used for new security applications.…”

Section: Resultsmentioning

confidence: 99%

Cryptanalysis of Full RIPEMD-128

Landelle

Peyrin

2015

J Cryptol

View full text Add to dashboard Cite

Abstract. In this article we propose a new cryptanalysis method for double-branch hash functions that we apply on the standard RIPEMD-128, greatly improving over know results. Namely, we were able to build a very good differential path by placing one non-linear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the non-linear part located in later steps, we propose a new method for using the freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that 16 years old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

show abstract

Section: Resultsmentioning

confidence: 99%

Cryptanalysis of Full RIPEMD-128

Landelle

Peyrin

2015

J Cryptol

View full text Add to dashboard Cite

show abstract

“…Not reflected in the table is the fact that already in 1993 it was known that there was serious trouble with MD5, based on collisions in its compression function (cf. [1], [3]). We leave any speculation about the future of SHA-1 cryptanalysis to the knowledgeable reader.…”

Section: Resultsmentioning

confidence: 99%

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

Stevens

Sotirov

Appelbaum

et al. 2009

Advances in Cryptology - CRYPTO 2009

124

View full text Add to dashboard Cite

Abstract. We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 2 49 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 2 16 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

show abstract

“…This distinguisher utilizes the dBB pseudo-collision path of MD5 [5], where the hash values collide with probability 2 −46 when the IV difference satisfies the dBB-condition, i.e.,…”

Section: Recent Attack On Hmac/nmac-md5 and Md5-mac [18]mentioning

confidence: 99%

“…For MD4, because it is easy to find a differential path with high probability [15,20], there are some successful cryptanalytic results on MACs based on MD4 [4,6,14]. For HMAC/NMAC-MD5, there is only one available differential path that is called dBB pseudo-collision path [5]. Because the dBB pseudo-collision consists of two different IVs and the same message, so all the attacks [4,6,11,14] are in the related-key setting.…”

Section: Introductionmentioning

confidence: 99%

New Distinguishing Attack on MAC Using Secret-Prefix Method

Wang

Jia

et al. 2009

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. This paper presents a new distinguisher which can be applied to secret-prefix MACs with the message length prepended to the message before hashing. The new distinguisher makes use of a special truncated differential path with high probability to distinguish an inner near-collision in the first round. Once the inner near-collision is detected, we can recognize an instantiated MAC from a MAC with a random function. The complexity for distinguishing the MAC with 43-step reduced SHA-1 is 2 124.5 queries. For the MAC with 61-step SHA-1, the complexity is 2 154.5 queries. The success probability is 0.70 for both.

show abstract

Collisions for the compression function of MD5

Cited by 172 publications

References 4 publications

Cryptanalysis of Full RIPEMD-128

Cryptanalysis of Full RIPEMD-128

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

New Distinguishing Attack on MAC Using Secret-Prefix Method

Contact Info

Product

Resources

About