How to Break MD5 and Other Hash Functions [chapter]

Xiaoyun Wang, Hongbo Yu
2005 Lecture Notes in Computer Science  
MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to
more » ... nd collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL. A general description of this attack was published in [9] . In order to conveniently describe the general structure of MD5, we first recall the iteration process for hash functions. Generally a hash function is iterated by a compression function X = f (Z) which compresses l-bit message block Z to s-bit hash value X where l > s. For MD5, l = 512, and s = 128. The iterating method is usually called the Merkle-Damgard meta-method (see [6] , [16] ). For a padded message M with multiples of l-bit length, the iterating process is as follows:
doi:10.1007/11426639_2 fatcat:a4opm7g24jhjpguelj7xmpdgcm