DOI: 10.1007/978-3-642-10366-7_9

MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners

Published: 02 December 2009

Abstract

We consider a long-standing problem in cryptanalysis: attacks on hash function combiners. In this paper, we propose the first attack that allows collision attacks on combiners with a runtime below the birthday bound of the smaller compression function. This answers an open question posed by Joux in 2004.
As a concrete example we give such an attack on combiners with the widely used hash function MD5. The cryptanalytic technique we use combines a partial birthday phase with a differential inside-out technique, and may be of independent interest. This potentially reduces the effort for a collision attack on a combiner like MD5||SHA-1 for the first time.
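The baseline the abstract refers to is Joux's 2004 result on cascaded constructions [12]: a concatenation combiner H1(M)||H2(M) built from two iterated hashes costs no more to collide than the larger of the two alone, because a 2^t-multicollision on the smaller hash can be built from t chained block collisions and then used as a birthday pool for the larger one. The Python below is an added example that reproduces that generic attack on toy-sized Merkle-Damgård hashes; it is not code from this paper and does not implement the MD5-specific partial-birthday and inside-out differential technique the paper describes. Everything in it is an assumption chosen for illustration: the two hashes are 16-bit and 24-bit Merkle-Damgård iterations of a truncated SHA-256 standing in for an ideal compression function, the block size is 8 bytes, and the names (`compress`, `joux_multicollision`, `combiner_collision`) are hypothetical.

```python
"""Joux-style multicollision attack on a toy concatenation combiner H1(M)||H2(M).

Added example: reproduces the generic attack of Joux (CRYPTO 2004) on toy-sized
Merkle-Damgard hashes. It is not the MD5-specific attack of this paper.
"""
import hashlib
import itertools
import random

N1 = 16        # state/output bits of H1, the "smaller" hash (toy size, assumption)
N2 = 24        # state/output bits of H2, the larger hash (toy size, assumption)
BLOCK = 8      # message block length in bytes (assumption)

calls = {"compress": 0}   # running count of compression-function evaluations


def compress(tag, state, block, nbits):
    """Toy compression function: SHA-256 of tag||state||block truncated to nbits.
    Stands in for an ideal compression function (assumption), not MD5's."""
    calls["compress"] += 1
    d = hashlib.sha256(tag + state.to_bytes(4, "big") + block).digest()
    return int.from_bytes(d[:4], "big") & ((1 << nbits) - 1)


def md_hash(tag, msg, nbits):
    """Plain Merkle-Damgard iteration from a zero IV over BLOCK-byte blocks."""
    assert len(msg) % BLOCK == 0, "message must be block-aligned"
    h = 0
    for i in range(0, len(msg), BLOCK):
        h = compress(tag, h, msg[i:i + BLOCK], nbits)
    return h


def H1(msg):
    return md_hash(b"H1", msg, N1)


def H2(msg):
    return md_hash(b"H2", msg, N2)


def combiner(msg):
    """Concatenation combiner H1(M) || H2(M) as one (N1+N2)-bit integer."""
    return (H1(msg) << N2) | H2(msg)


def block_collision(tag, state, nbits, rng):
    """Birthday search from a fixed chaining value: two distinct blocks b0 != b1
    with compress(state, b0) == compress(state, b1). Cost about 2^(nbits/2)."""
    seen = {}
    while True:
        b = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        y = compress(tag, state, b, nbits)
        if y in seen and seen[y] != b:
            return seen[y], b, y
        seen[y] = b


def joux_multicollision(tag, nbits, t, rng):
    """t chained block collisions give 2^t distinct t-block messages that all
    hash to the same value under the iterated hash (Joux's construction)."""
    pairs = []
    state = 0
    for _ in range(t):
        b0, b1, state = block_collision(tag, state, nbits, rng)
        pairs.append((b0, b1))
    return pairs, state


def combiner_collision(t=16, seed=2009):
    """Collision on H1||H2: build a 2^t-multicollision on the smaller H1, then
    birthday-search H2 over those messages. Returns (m0, m1, compressions)."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    calls["compress"] = 0
    pairs, _ = joux_multicollision(b"H1", N1, t, rng)
    seen = {}
    for choice in itertools.product((0, 1), repeat=t):
        msg = b"".join(pairs[i][c] for i, c in enumerate(choice))
        y = H2(msg)                    # H1 is already equal for every candidate
        if y in seen:
            return seen[y], msg, calls["compress"]
        seen[y] = msg
    raise RuntimeError("no H2 collision among 2^t candidates; increase t")


def generic_cost_bits():
    """log2 of the generic birthday cost for the (N1+N2)-bit combiner output."""
    return (N1 + N2) // 2


if __name__ == "__main__":
    m0, m1, work = combiner_collision()
    assert m0 != m1 and combiner(m0) == combiner(m1)
    print(f"collision after about 2^{work.bit_length() - 1} compressions; "
          f"generic birthday bound for the combiner is 2^{generic_cost_bits()}")
```

With these toy sizes the run needs on the order of 2^16 to 2^17 compression calls, against 2^20 for a naive birthday attack on the 40-bit combiner output, and the cost is dominated by the birthday phase on the larger hash H2. That is exactly the ceiling the paper's abstract claims to move: Joux's attack never gets below the birthday bound of the smaller function, whereas the attack proposed here does.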

References

[1]
den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293-304. Springer, Heidelberg (1994)
[2]
Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)
[3]
Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup [26], pp. 430-448
[4]
Damgård, I.: A Design Principle for Hash Functions. In: Brassard [2], pp. 416-427
[5]
De Cannière, C., Mendel, F., Rechberger, C.: Collisions for 70-Step SHA-1: On the Full Cost of Collision Search. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007. LNCS, vol. 4876, pp. 56-73. Springer, Heidelberg (2007)
[6]
De Cannière, C., Rechberger, C.: Finding SHA-1 Characteristics: General Results and Applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1-20. Springer, Heidelberg (2006)
[7]
Dierks, T., Allen, C.: The TLS Protocol Version 1.0. IETF Request for Comments: 2246 (1999)
[8]
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. IETF Request for Comments: 4346 (2006)
[9]
Dobbertin, H.: Cryptanalysis of MD5 Compress (1996)
[10]
Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A Strengthened Version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71-82. Springer, Heidelberg (1996)
[11]
Hoch, J.J., Shamir, A.: On the Strength of the Concatenated Hash Combiner When All the Hash Functions Are Weak. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 616-630. Springer, Heidelberg (2008)
[12]
Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306-316. Springer, Heidelberg (2004)
[13]
Joux, A., Peyrin, T.: Hash Functions and the (Amplified) Boomerang Attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244-263. Springer, Heidelberg (2007)
[14]
Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006), http://eprint.iacr.org/
[15]
Liskov, M.: Constructing an Ideal Hash Function from Weak Ideal Compression Functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358-375. Springer, Heidelberg (2007)
[16]
Manuel, S., Peyrin, T.: Collisions on SHA-0 in One Hour. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 16-35. Springer, Heidelberg (2008)
[17]
Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: On the Collision Resistance of RIPEMD-160. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 101-116. Springer, Heidelberg (2006)
[18]
Mendel, F., Schläffer, M.: On Free-start Collisions and Collisions for TIB3. In: Proceedings of ISC, Springer, Heidelberg (2009)
[19]
Merkle, R.C.: One Way Hash Functions and DES. In: Brassard [2], pp. 428-446
[20]
van Oorschot, P.C., Wiener, M.J.: Parallel Collision Search with Cryptanalytic Applications. J. Cryptology 12(1), 1-28 (1999)
[21]
Quisquater, J.-J., Delescaille, J.-P.: How Easy Is Collision Search? Application to DES. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 429-434. Springer, Heidelberg (1990)
[22]
Quisquater, J.-J., Delescaille, J.-P.: How Easy is Collision Search? New Results and Applications to DES. In: Brassard [2], pp. 408-413
[23]
Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303-311. Springer, Heidelberg (1991)
[24]
Rivest, R.L.: The MD5 Message-Digest Algorithm. IETF Request for Comments: 1321 (1992)
[25]
Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved Collision Attack on MD5. Cryptology ePrint Archive, Report 2005/400 (2005), http://eprint.iacr.org/
[26]
Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)
[27]
Simon, D.R.: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334-345. Springer, Heidelberg (1998)
[28]
Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1-22. Springer, Heidelberg (2007)
[29]
Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55-69. Springer, Heidelberg (2009)
[30]
Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup [26], pp. 17-36
[31]
Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19-35. Springer, Heidelberg (2005)
[32]
Yajima, J., Iwasaki, T., Naito, Y., Sasaki, Y., Shimoyama, T., Peyrin, T., Kunihiro, N., Ohta, K.: A Strict Evaluation on the Number of Conditions for SHA-1 Collision Search. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E92-A(1), 87-95 (2009)


Published In

ASIACRYPT '09: Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
December 2009, 720 pages
ISBN: 9783642103650
Editor: Mitsuru Matsui

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. MD5
  2. combiner
  3. cryptanalysis
  4. differential
  5. hash functions

Qualifiers

  • Article

Cited By

  • (2023) Quantum Attacks on Hash Constructions with Low Quantum Random Access Memory. Advances in Cryptology – ASIACRYPT 2023, pp. 3-33. DOI: 10.1007/978-981-99-8727-6_1. Online publication date: 4 Dec 2023
  • (2021) Secure Keyed Hashing on Programmable Switches. Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network Infrastructure, pp. 16-22. DOI: 10.1145/3472873.3472881. Online publication date: 27 Aug 2021
  • (2018) Combiners for Backdoored Random Oracles. Advances in Cryptology – CRYPTO 2018, pp. 272-302. DOI: 10.1007/978-3-319-96881-0_10. Online publication date: 19 Aug 2018
  • (2016) New Attacks on the Concatenation and XOR Hash Combiners. Proceedings, Part I, of the 35th Annual International Conference on Advances in Cryptology – EUROCRYPT 2016, Volume 9665, pp. 484-508. DOI: 10.5555/3081770.3081789. Online publication date: 8 May 2016
  • (2014) Breaking and Fixing Cryptophia's Short Combiner. Proceedings of the 13th International Conference on Cryptology and Network Security, Volume 8813, pp. 50-63. DOI: 10.1007/978-3-319-12280-9_4. Online publication date: 22 Oct 2014
  • (2013) Improved Single-Key Distinguisher on HMAC-MD5 and Key Recovery Attacks on Sandwich-MAC-MD5. Revised Selected Papers on Selected Areas in Cryptography – SAC 2013, Volume 8282, pp. 493-512. DOI: 10.1007/978-3-662-43414-7_25. Online publication date: 14 Aug 2013
  • (2012) Analysis of Differential Attacks in ARX Constructions. Proceedings of the 18th International Conference on the Theory and Application of Cryptology and Information Security, pp. 226-243. DOI: 10.1007/978-3-642-34961-4_15. Online publication date: 2 Dec 2012
  • (2011) Collisions of MMO-MD5 and Their Impact on Original MD5. Proceedings of the 4th International Conference on Progress in Cryptology in Africa, pp. 117-133. DOI: 10.5555/2026469.2026479. Online publication date: 5 Jul 2011
