Recent Cryptanalytic Results on Dedicated Hash Functions (PowerPoint presentation)



SLIDE 1

T-79.514 Special Course on Cryptology September 30, 2004

Recent Cryptanalytic Results on Dedicated Hash Functions.

Markku-Juhani O. Saarinen

Helsinki University of Technology

mjos@tcs.hut.fi

T.79-514 Markku-Juhani O. Saarinen 1

SLIDE 2

Terminology

Vulnerability to attack n implies vulnerability to attacks n + 1, n + 2, ...

  • 1. Preimage attack: Given value Y, find a message M with H(M) = Y.
  • 2. 2nd preimage attack: Given message M1, find message M2 ≠ M1 with H(M1) = H(M2).
  • 3. Collision attack: Find two messages M1 ≠ M2 with H(M1) = H(M2).
  • 4. Pseudo-collision attack: Two inputs M1 ≠ M2 and a chaining variable X so that F(M1, X) = F(M2, X).

SLIDE 3

Iterated hash functions (1)

Merkle-Damgård idea (Crypto 1989): Cut the long message into equal-length message blocks M1, M2, ..., Mn and maintain a chaining state Hi. Starting from an initialization vector H0 and using a compression function F, compute Hi = F(Mi, Hi−1). The final Hn is the hash.

SLIDE 4

Iterated hash functions (2)

  • Davies-Meyer construction (originally for block ciphers) uses a block cipher as the compression function: Hi = E(Mi, Hi−1) + Hi−1, where E(key, input) is a block cipher.
  • Speed (number of block cipher invocations) is directly proportional to key size. Idea: why not design dedicated hash functions which have a really long key? Ron Rivest designs MD4 in 1990.
  • All SHA and MD4/MD5 family hashes follow the Davies-Meyer construction. The "key" (i.e. message block) is 512 bits (1024 bits for SHA-512), and the state is 128 (MD5), 160 (SHA-1), 256 (SHA-256), or 512 (SHA-512) bits.

SLIDE 5

SLIDE 6

From FIPS 186-2 “Secure Hash Standard” (August 2002), page 7:

SLIDE 7

Multicollisions (Antoine Joux, CRYPTO 2004)

  • To find a k-collision (i.e. H(M1) = H(M2) = · · · = H(Mk)) on an ideal n-bit hash function would require O(2^((k−1)n/k)) effort.
  • This is not the case for iterated hash functions. Suppose that finding a collision for a single message block requires x = O(2^(n/2)) effort. We find collisions for message blocks 1, 2, and 3. This requires 3x effort, but it allows us to construct 2^3 = 8 mutually colliding messages consisting of 3 blocks!
  • Hence the complexity becomes O(log(k) · 2^(n/2)).
  • Stefan Lucks has proposed making the internal state of the hash function larger than the hash result (e-Print 253/2004, Sept 29, 2004).
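The construction on this slide, as an added example that is not part of the original deck: a toy 16-bit Merkle-Damgård hash (SHA-256 truncated to 16 bits stands in for the compression function; both are constructed for the demo) on which three birthday searches of roughly 2^8 work each yield 2^3 = 8 mutually colliding three-block messages, alongside the two cost formulas from the slide for comparison.

```python
import hashlib
import itertools
import math

# Toy iterated hash, constructed for this example (not a real hash function).
N_BITS = 16                     # state and output size n, small enough to collide by brute force
N_BYTES = N_BITS // 8
H0 = b"\x00" * N_BYTES          # initialization vector


def compress(state, block):
    """Compression function F(M_i, H_{i-1}): SHA-256 of state||block truncated to n bits.
    Joux's argument only uses the Merkle-Damgard iteration, so any 'random' F will do."""
    return hashlib.sha256(state + block).digest()[:N_BYTES]


def toy_hash(blocks):
    """Merkle-Damgard iteration H_i = F(M_i, H_{i-1}) over a list of 8-byte blocks (no padding)."""
    h = H0
    for block in blocks:
        h = compress(h, block)
    return h


def find_block_collision(state):
    """Birthday search from a fixed chaining value: two distinct blocks with equal F output.
    Expected cost about 2^(n/2) calls of F; returns (block_a, block_b, next_state, calls)."""
    seen = {}
    for calls in itertools.count(1):
        block = calls.to_bytes(8, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block, out, calls
        seen[out] = block


def joux_multicollision(t):
    """Chain t single-block collisions: any choice of one block per position reaches the same
    final state, so 2^t distinct t-block messages collide for about t * 2^(n/2) work."""
    state, pairs, total_calls = H0, [], 0
    for _ in range(t):
        block_a, block_b, state, calls = find_block_collision(state)
        pairs.append((block_a, block_b))
        total_calls += calls
    messages = [list(choice) for choice in itertools.product(*pairs)]
    return messages, state, total_calls


def ideal_k_collision_work(k, n):
    """Generic cost of a k-collision on an ideal n-bit hash: 2^((k-1) n / k)."""
    return 2 ** ((k - 1) * n / k)


def joux_k_collision_work(k, n):
    """Cost on an n-bit iterated hash: ceil(log2 k) block collisions of 2^(n/2) each."""
    return math.ceil(math.log2(k)) * 2 ** (n / 2)


if __name__ == "__main__":
    msgs, h, calls = joux_multicollision(3)
    print(len(msgs), "messages share hash", h.hex(), "after", calls, "compression calls")
    print("ideal 8-collision on 128 bits:", ideal_k_collision_work(8, 128))
    print("Joux 8-collision on 128 bits: ", joux_k_collision_work(8, 128))
```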

SLIDE 8

MD5

  • Message Digest 5 – designed by Ron Rivest of MIT and RSA Labs in 1992. Specified in RFC 1321.
  • 128-bit (4-word) state and hash result. 512-bit (16-word) blocks.
  • Four “rounds”, each consisting of 16 iterations.
  • Bitwise boolean functions mixed with mod 2^32 addition; very fast.
  • Widely used in electronic mail, certificates, IPSec, SSL/TLS, and also as a building block for PRNGs.

SLIDE 9

Structure of MD5

  • F(b, c, d): Boolean function for each round: R1: (b ∧ c) ∨ (¬b ∧ d), R2: (b ∧ d) ∨ (c ∧ ¬d), R3: b ⊕ c ⊕ d, R4: c ⊕ (b ∨ ¬d).
  • Mi: One of the 16 message words (permuted each round).
  • Ki: One of 64 “random” constants.

SLIDE 10

MD5 high-bit characteristic

P ⊕ P′ = 80000000 80000000 80000000 80000000
  ↓
E(K, P) ⊕ E(K, P′) = 80000000 80000000 80000000 80000000

This differential characteristic holds per iteration with probability 0.5 in R1, 0.5 in R2, 1 in R3, and 0.5 in R4. Total probability: 2^−48. Hence the MD5 compression function would be a very bad block cipher, and constructions like MDC-MD5 are broken.

SLIDE 11

Hans Dobbertin finds MD5 pseudo-collisions in 1996.

[The slide reproduces an embedded document whose text did not survive extraction.]

SLIDE 12

Pseudocollisions? So what?

Finding a pseudo-collision does not imply a real collision, but the theorem of Merkle-Damgård, which derives the security of a hash function from the underlying compression function, cannot be invoked.

From CryptoBytes, RSA Labs technical newsletter, Summer 1996: “Therefore we suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a collision-resistant hash function is required.”

But MD5 became widely deployed despite these warnings.

SLIDE 13

The Chinese paper

  • Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD”, IACR e-Print 199/2004.
  • First version came out Aug 16, describing collisions for MD5′ (MD5 where the IV is in big-endian format).
  • Second version came out Aug 17, describing collisions for full MD5 for the first time.
  • No real information regarding how the collisions are obtained.

SLIDE 14

Papers from August 16 and August 17.

Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD

Xiaoyun Wang (1), Dengguo Feng (2), Xuejia Lai (3), Hongbo Yu (1)
(1) The School of Mathematics and System Science, Shandong University, Jinan 250100, China
(2) Institute of Software, Chinese Academy of Sciences, Beijing 100080, China
(3) Dept. of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai, China
xywang@sdu.edu.cn
August 16, 2004

1 Collisions for MD5

MD5 is the hash function designed by Ron Rivest [9] as a strengthened version of MD4 [8]. In 1993 Bert den Boer and Antoon Bosselaers [1] found pseudo-collisions for MD5 which are made of the same message with two different sets of initial value. H. Dobbertin [3] found another kind of collision which consists of two different 512-bit messages with a chosen initial value IV_c:

A_c = 0x12AC2375, B_c = 0x3B341042, C_c = 0x5F62B97C, D_c = 0x4BA763ED

Our attack can find many real collisions which are composed of two 1024-bit messages with the original initial value IV of MD5:

A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE, D = 0x10325476

ΔM = M′ − M = (0, 0, 0, 0, 2^31, 0, ..., 0, 2^15, 0, 0, 2^31, 0), non-zeros at positions 4, 11 and 14
ΔN_i = N′_i − N_i = (0, 0, 0, 0, 2^31, 0, ..., 0, −2^15, 0, 0, 2^31, 0), non-zeros at positions 4, 11 and 14

such that MD5(M, N_i) = MD5(M′, N′_i). On IBM P690 it takes about one hour to find such M and M′; after that, it takes only 15 seconds to 5 minutes to find N_i and N′_i, so that (M, N_i) and (M′, N′_i) will produce the same hash value. The following are two pairs of 1024-bit messages producing collisions; the two examples have the same first half 512 bits.

Table 1 Two pairs of collisions for MD5 (hex message words and hash values omitted here)

2 Collisions for HAVAL-128

HAVAL is proposed in [10]. HAVAL is a hashing algorithm that can compress messages of any length in 3, 4 or 5 passes and produce a variable length output: a 128-bit, 160-bit, 192-bit or 224-bit fingerprint. An attack on a reduced version of HAVAL was given by P. R. Kasselman and W. T. Penzhorn [7], which consists of the last rounds of HAVAL-128. We break the full HAVAL-128 with only about 2^6 HAVAL computations. Here we give two examples of collisions of HAVAL-128, where ΔM_i = M′_i − M_i has non-zeros at positions 0, 11 and 18 (i = 1, 2, ..., 31), such that HAVAL(M_i) = HAVAL(M′_i).

Table 2 Two pairs of collisions, where i = 11 and these two examples differ only at the last word (hex message words and hash values omitted here)

3 Collisions for MD4

MD4 is designed by R. L. Rivest [8]. The attack of H. Dobbertin in Eurocrypt '96 [2] can find a collision with probability 1/2^22. Our attack can find a collision with hand calculation, such that ΔM = M′ − M = (0, 2^31, 2^31 − 2^28, 0, 0, 0, 0, 0, 0, 0, 0, 0, −2^16, 0, 0, 0), non-zeros at positions 1, 2 and 12, and MD4(M) = MD4(M′).

Table 3 Two pairs of collisions for MD4 (hex message words and hash values omitted here)

4 Collisions for RIPEMD

RIPEMD was developed for the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). In 1995, H. Dobbertin proved that the reduced version of RIPEMD with two rounds is not collision-free [4]. We prove that the full RIPEMD also isn't collision-free. The following are two pairs of collisions for RIPEMD, RIPEMD(M) = RIPEMD(M′), where ΔM = M′ − M = (0, 0, 0, 2^20, 0, 0, 0, 0, 0, 0, 2^31 + 2^18, 0, 0, 0, 0, 2^31), non-zeros at positions 3, 10 and 15.

Table 4 The collisions for RIPEMD (hex message words and hash values omitted here)

5 Remark

Besides the above hash functions we break, there are some other hash functions not having ideal security. For example, a collision for SHA-0 [6] can be found within the running time of about 2^40 SHA-0 computations, and a collision for HAVAL-160 can be found with probability 1/2^32.

[1] B. den Boer, Antoon Bosselaers, Collisions for the Compression Function of MD5, Eurocrypt '93.
[2] H. Dobbertin, Cryptanalysis of MD4, Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996.
[3] H. Dobbertin, Cryptanalysis of MD5 compress, presented at the rump session of Eurocrypt '96.
[4] Hans Dobbertin, RIPEMD with Two-round Compress Function is Not Collision-Free, J. Cryptology 10(1), 1997.
[5] H. Dobbertin, A. Bosselaers, B. Preneel, "RIPEMD-160: A Strengthened Version of RIPEMD," Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82.
[6] FIPS 180-1, Secure Hash Standard, NIST, US Department of Commerce, Washington D.C., April 1995.
[7] P. R. Kasselman, W. T. Penzhorn, Cryptanalysis of reduced version of HAVAL, Electronics Letters, Vol. 36, No. 1, 2000.
[8] R. L. Rivest, The MD4 Message Digest Algorithm, Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992.
[9] R. L. Rivest, The MD5 Message Digest Algorithm, Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.
[10] Y. Zheng, J. Pieprzyk, J. Seberry, HAVAL--A One-way Hashing Algorithm with Variable Length of Output, Auscrypt '92.

Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD

Xiaoyun Wang (1), Dengguo Feng (2), Xuejia Lai (3), Hongbo Yu (1)
(1) The School of Mathematics and System Science, Shandong University, Jinan 250100, China
(2) Institute of Software, Chinese Academy of Sciences, Beijing 100080, China
(3) Dept. of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai, China
xywang@sdu.edu.cn
revised on August 17, 2004

1 Collisions for MD5

MD5 is the hash function designed by Ron Rivest [9] as a strengthened version of MD4 [8]. In 1993 Bert den Boer and Antoon Bosselaers [1] found pseudo-collisions for MD5 which are made of the same message with two different sets of initial value. H. Dobbertin [3] found a free-start collision which consists of two different 512-bit messages with a chosen initial value IV_c:

A_c = 0x12AC2375, B_c = 0x3B341042, C_c = 0x5F62B97C, D_c = 0x4BA763ED

Our attack can find many real collisions which are composed of two 1024-bit messages with the original initial value IV of MD5:

A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476

ΔM = M′ − M = (0, 0, 0, 0, 2^31, 0, ..., 0, 2^15, 0, 0, 2^31, 0)
ΔN_i = N′_i − N_i = (0, 0, 0, 0, 2^31, 0, ..., 0, −2^15, 0, 0, 2^31, 0)

(non-zeros at positions 4, 11 and 14) such that MD5(M, N_i) = MD5(M′, N′_i). On IBM P690, it takes about one hour to find such M and M′; after that, it takes only 15 seconds to 5 minutes to find N_i and N′_i, so that (M, N_i) and (M′, N′_i) will produce the same hash value. Moreover, our attack works for any given initial value. The following are two pairs of 1024-bit messages producing collisions; the two examples have the same first half 512 bits.

Table 1 Two pairs of collisions for MD5 (hex message words and hash values omitted here)

2 Collisions for HAVAL-128

HAVAL is proposed in [10]. HAVAL is a hashing algorithm that can compress messages of any length in 3, 4 or 5 passes and produce a fingerprint of length 128, 160, 192 or 224 bits. An attack on a reduced version of HAVAL was given by P. R. Kasselman and W. T. Penzhorn [7], which consists of the last rounds of HAVAL-128. We break the full HAVAL-128 with only about 2^6 HAVAL computations. Here we give two examples of collisions of HAVAL-128, where ΔM_i = M′_i − M_i has non-zeros at positions 0, 11 and 18 (i = 1, 2, ..., 31), such that HAVAL(M_i) = HAVAL(M′_i).

Table 2 Two pairs of collisions, where i = 11 and these two examples differ only at the last word (hex message words and hash values omitted here)

3 Collisions for MD4

MD4 is designed by R. L. Rivest [8]. The attack of H. Dobbertin in Eurocrypt '96 [2] can find a collision with probability 1/2^22. Our attack can find a collision with hand calculation, such that ΔM = M′ − M = (0, 2^31, 2^31 − 2^28, 0, 0, 0, 0, 0, 0, 0, 0, 0, −2^16, 0, 0, 0) and MD4(M) = MD4(M′).

Table 3 Two pairs of collisions for MD4 (hex message words and hash values omitted here)

4 Collisions for RIPEMD

RIPEMD was developed for the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). In 1995, H. Dobbertin proved that the reduced version of RIPEMD with two rounds is not collision-free [4]. We show that the full RIPEMD also isn't collision-free. The following are two pairs of collisions for RIPEMD, RIPEMD(M) = RIPEMD(M′), where ΔM = M′ − M = (0, 0, 0, 2^20, 0, 0, 0, 0, 0, 0, 2^31 + 2^18, 0, 0, 0, 0, 2^31).

Table 4 The collisions for RIPEMD (hex message words and hash values omitted here)

5 Remark

Besides the above hash functions we break, there are some other hash functions not having ideal security. For example, a collision for SHA-0 [6] can be found with about 2^40 computations of the SHA-0 algorithm, and a collision for HAVAL-160 can be found with probability 1/2^32. Note that the messages and all other values in this paper are composed of 32-bit words; in each 32-bit word the leftmost byte is the most significant byte.

[1] B. den Boer, Antoon Bosselaers, Collisions for the Compression Function of MD5, Eurocrypt '93.
[2] H. Dobbertin, Cryptanalysis of MD4, Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996.
[3] H. Dobbertin, Cryptanalysis of MD5 compress, presented at the rump session of Eurocrypt '96.
[4] Hans Dobbertin, RIPEMD with Two-round Compress Function is Not Collision-Free, J. Cryptology 10(1), 1997.
[5] H. Dobbertin, A. Bosselaers, B. Preneel, "RIPEMD-160: A Strengthened Version of RIPEMD," Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82.
[6] FIPS 180-1, Secure Hash Standard, NIST, US Department of Commerce, Washington D.C., April 1995.
[7] P. R. Kasselman, W. T. Penzhorn, Cryptanalysis of reduced version of HAVAL, Electronics Letters, Vol. 36, No. 1, 2000.
[8] R. L. Rivest, The MD4 Message Digest Algorithm, Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992.
[9] R. L. Rivest, The MD5 Message Digest Algorithm, Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.
[10] Y. Zheng, J. Pieprzyk, J. Seberry, HAVAL--A One-way Hashing Algorithm with Variable Length of Output, Auscrypt '92.

SLIDE 15

file1.dat:
00000000 d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
00000010 2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
00000020 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
00000030 08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
00000040 96 0b 1d d1 dc 41 7b 9c e4 d8 97 f4 5a 65 55 d5
00000050 35 73 9a c7 f0 eb fd 0c 30 29 f1 66 d1 09 b1 8f
00000060 75 27 7f 79 30 d5 5c eb 22 e8 ad ba 79 cc 15 5c
00000070 ed 74 cb dd 5f c5 d3 6d b1 9b 0a d8 35 cc a7 e3
MD5(file1.dat) = a4c0d35c95a63a805915367dcfe6b751

file2.dat:
00000000 d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
00000010 2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
00000020 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
00000030 08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
00000040 96 0b 1d d1 dc 41 7b 9c e4 d8 97 f4 5a 65 55 d5
00000050 35 73 9a 47 f0 eb fd 0c 30 29 f1 66 d1 09 b1 8f
00000060 75 27 7f 79 30 d5 5c eb 22 e8 ad ba 79 4c 15 5c
00000070 ed 74 cb dd 5f c5 d3 6d b1 9b 0a 58 35 cc a7 e3
MD5(file2.dat) = a4c0d35c95a63a805915367dcfe6b751

SLIDE 16

8-17 Chinese MD5 Input 1A.

SLIDE 17

8-17 Chinese MD5 Input 1B.

SLIDE 18

8-17 Chinese MD5 Input pair 1 xor-difference.

SLIDE 19

8-17 Chinese MD5 Input pair 2 xor-difference.

SLIDE 20

8-16 Chinese MD5’ Input pair 1 xor-difference.

SLIDE 21

8-16 Chinese MD5’ Input pair 2 xor-difference.

SLIDE 22

Observations (1)

  • Collision messages consist of two 512-bit blocks, each block having the same three bits of difference. The IV can be freely chosen. First find one block, then the second block to “cancel differences”.
  • Message blocks are carefully constructed so that the differential vanishes for about 20 iterations during the latter half of R2 and the first half of R3.
  • It seems probable that collisions are “forced” in R1 using careful interplay between xor and additive differences. Then the simple 0x80000000 → 0x80000000 differential is applied.

SLIDE 23

Observations (2)

Consider the two messages as (M||N) and (M′||N′). The total additive differences are:

M′ = M + 00000000 00000000 00000000 00000000 80000000 00000000 00000000 00008000
         00000000 00000000 00000000 00000000 00000000 00000000 80000000 00000000

N′ = N + 00000000 00000000 00000000 00000000 80000000 00000000 00000000 ffff8000
         00000000 00000000 00000000 00000000 00000000 00000000 80000000 00000000

Complexity is around 2^40 (one hour on a good machine).
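To make the byte-level and word-level view of this pair concrete, here is an added Python checker (my own code, not part of the slides or of Wang et al.'s work). It takes the two hexdumps printed on slide 15 as its only input, parses them, lists the byte offsets where the files differ together with their xor-differences, computes the additive difference of every 32-bit little-endian word per 512-bit block (the form used in the listing above), and hashes both files with hashlib so the digests can be compared with the value on slide 15. All function names are mine.

```python
import hashlib
import struct

# The two 128-byte messages exactly as printed in the slide-15 hexdump.
FILE1_DUMP = """
00000000 d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
00000010 2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
00000020 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
00000030 08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
00000040 96 0b 1d d1 dc 41 7b 9c e4 d8 97 f4 5a 65 55 d5
00000050 35 73 9a c7 f0 eb fd 0c 30 29 f1 66 d1 09 b1 8f
00000060 75 27 7f 79 30 d5 5c eb 22 e8 ad ba 79 cc 15 5c
00000070 ed 74 cb dd 5f c5 d3 6d b1 9b 0a d8 35 cc a7 e3
"""
FILE2_DUMP = """
00000000 d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
00000010 2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
00000020 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
00000030 08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
00000040 96 0b 1d d1 dc 41 7b 9c e4 d8 97 f4 5a 65 55 d5
00000050 35 73 9a 47 f0 eb fd 0c 30 29 f1 66 d1 09 b1 8f
00000060 75 27 7f 79 30 d5 5c eb 22 e8 ad ba 79 4c 15 5c
00000070 ed 74 cb dd 5f c5 d3 6d b1 9b 0a 58 35 cc a7 e3
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset b0 b1 ... b15' lines into raw bytes, checking the offsets."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if int(fields[0], 16) != len(out):
            raise ValueError(f"hexdump gap or overlap at {fields[0]}")
        out += bytes(int(b, 16) for b in fields[1:])
    return bytes(out)


def byte_differences(a: bytes, b: bytes) -> list:
    """(offset, xor-difference) for every byte position where a and b differ."""
    if len(a) != len(b):
        raise ValueError("messages have different lengths")
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def additive_word_differences(a: bytes, b: bytes) -> list:
    """Per 512-bit block: {word index: (b_word - a_word) mod 2^32} for the
    32-bit little-endian words that differ (MD5 reads its words little-endian)."""
    if len(a) % 64:
        raise ValueError("input is not a whole number of 512-bit blocks")
    result = []
    for off in range(0, len(a), 64):
        wa = struct.unpack("<16I", a[off:off + 64])
        wb = struct.unpack("<16I", b[off:off + 64])
        result.append({i: (y - x) & 0xFFFFFFFF
                       for i, (x, y) in enumerate(zip(wa, wb)) if x != y})
    return result


def analyse(dump1: str = FILE1_DUMP, dump2: str = FILE2_DUMP) -> dict:
    m1, m2 = parse_hexdump(dump1), parse_hexdump(dump2)
    d1, d2 = hashlib.md5(m1).hexdigest(), hashlib.md5(m2).hexdigest()
    return {
        "length": len(m1),
        "byte_diffs": byte_differences(m1, m2),
        "word_diffs": additive_word_differences(m1, m2),
        "md5_1": d1,
        "md5_2": d2,
        "collide": d1 == d2,
    }


if __name__ == "__main__":
    r = analyse()
    print(f"{r['length']} bytes; differing at",
          ", ".join(f"{o:#04x} (xor {d:#04x})" for o, d in r["byte_diffs"]))
    for k, wd in enumerate(r["word_diffs"]):
        print(f"block {k + 1} additive differences:",
              {i: f"{d:08x}" for i, d in wd.items()})
    print("MD5(file1) =", r["md5_1"])
    print("MD5(file2) =", r["md5_2"])
    print("same digest under standard MD5:", r["collide"])
```

The word indices it reports are computed from the byte offsets in the dump, so they can be checked against the listing above; the xor view shows six single-bit byte differences, three per block, which is the first observation on slide 22.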

SLIDE 24

HMAC-MD5

Keyed Message Authentication Code, specified in RFC 2104. Let K be the (secret or public) authentication key. Two constants: I, which is 0x36 repeated 64 times, and O, which is 0x5c repeated 64 times.

HMAC(M) = H(K ⊕ O || H(K ⊕ I || M))

It is easy to see that collisions for HMAC can be created if the authentication key K is public (draw a picture), but not easily if K is secret. HMAC-MD5 remains secure as a MAC in applications like IPSec and as a general PRF, but non-repudiability properties will be lost (i.e. you can’t trust the logs even if the MACs match).
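Added example (my own code, not from the slides and not RFC 2104's reference implementation): HMAC-MD5 written out from the definition above with the constants I and O, the RFC 2104 rule for keys that are not exactly one block long, and a comparison against Python's hmac module. The helper inner_hash isolates H(K ⊕ I || M), the value that a message pair must collide on to produce an HMAC collision; it can only be evaluated by someone who knows K, which is the structural reason the slide gives for HMAC surviving hash collisions when K is secret.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                      # MD5 block size in bytes
IPAD = bytes([0x36]) * BLOCK_SIZE    # the constant I on the slide
OPAD = bytes([0x5c]) * BLOCK_SIZE    # the constant O on the slide


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _normalise_key(key: bytes) -> bytes:
    # RFC 2104: keys longer than one block are hashed first; shorter keys are
    # zero-padded on the right to exactly one block before xoring with I or O.
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    return key.ljust(BLOCK_SIZE, b"\x00")


def inner_hash(key: bytes, msg: bytes) -> bytes:
    """H(K xor I || M), the inner hash of the construction."""
    return hashlib.md5(_xor(_normalise_key(key), IPAD) + msg).digest()


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC(M) = H(K xor O || H(K xor I || M))."""
    return hashlib.md5(_xor(_normalise_key(key), OPAD) + inner_hash(key, msg)).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison so a verifier does not leak the tag via timing.
    return hmac.compare_digest(hmac_md5(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check this definition against the standard library's HMAC."""
    return hmac_md5(key, msg) == hmac.new(key, msg, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed sample key and message, used only for this demonstration.
    k, m = bytes(range(16)), b"constructed message"
    print("HMAC-MD5 =", hmac_md5(k, m).hex())
    print("matches hmac module:", matches_stdlib(k, m))
    print("tag verifies:", verify(k, m, hmac_md5(k, m)))
```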

SLIDE 25

MD2 (1)

Ron Rivest, late 80s. Designed for 8-bit systems, but still widely used and trusted today.

Signature Algorithm: md2WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
    Not Before: Jan 29 00:00:00 1996 GMT
    Not After : Aug 1 23:59:59 2028 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

This 1024-bit RSA cert is trusted by all browsers and MS operating systems for everything, including code signing, updates, site authentication, etc.

SLIDE 26

MD2 (2)

Frédéric Muller, Asiacrypt 2004 (December 5–9): “The MD2 Hash Function is Not One-Way”. From abstract: “We describe preimage attacks against the underlying compression function, the best of which has complexity of 2^73. As a result, the full MD2 hash can be attacked in preimage with complexity of 2^104.”

Hence the Muller attacks are not collision attacks but full preimage attacks allowing easy signature forgery!

The MD2 compression function was broken 10 years ago (N. Rogier and P. Chauvaud, “MD2 is not secure without the Checksum Byte”, presented in SAC 1995), but remains in use.

SLIDE 27

SHA (1)

Original variant of Secure Hash Standard, proposed in 1991, accepted as Federal Standard FIPS-180 on May 11, 1993. Updated version (designated FIPS-180-1 or SHA-1) was published on April 17, 1995.

The only difference between the two is in the “key schedule”. SHA-0 expands 16 message words W0, W1, · · · , W15 into 80 round keys as:

Wi = Wi−3 ⊕ Wi−8 ⊕ Wi−14 ⊕ Wi−16 for 16 ≤ i ≤ 79,

whereas SHA-1 has one additional bit rotation!

Wi = (Wi−3 ⊕ Wi−8 ⊕ Wi−14 ⊕ Wi−16) ≪ 1 for 16 ≤ i ≤ 79.

SLIDE 28

SLIDE 29

SHA (2)

  • F. Chabaud, A. Joux, CRYPTO 1998: “Differential Collisions in SHA-0”, show a 2^61 attack on SHA-0. They also produce collisions for a 35-round variant with complexity 2^14.
  • M.-J. Saarinen, FSE 2003, “Cryptanalysis of Block Ciphers Based on SHA-1 and MD5”, finds slid pairs for full compression function of SHA-1 with complexity 2^32.
  • E. Biham, R. Chen, CRYPTO 2004: “Near-Collisions of SHA-0”, finds near-collisions (Hamming distance 18 bits) on SHA-0 and introduces neutral-bit technique. (Neutral bits are pairs of bits in 2 messages which can be complemented without “killing” the difference).

SLIDE 30

Slid pairs

SHA-1 takes 5 words (A, B, C, D, E) and iterates for i = 0 . . . 79:

t = (A ≪ 5) + fi(B, C, D) + E + Wi + Ki;
E = D; D = C; C = B ≫ 2; B = A; A = t;

fi and Ki are changed after every 20 rounds. We set

A′ = (A ≪ 5) + f0(B, C, D) + E + W0 + K0
B′ = A
C′ = B ≫ 2
D′ = C
E′ = D

and use (A′, B′, C′, D′, E′) as the slid input.

SLIDE 31

Triplet A: (input, block, output)

(A, B, C, D, E) = 02AAD5C2 DC766713 19C66B2F 7CEAE5B1 CC08CC0B
W0...15 = 8DA3F8F6 BBA5050C 99D3C3DC BBA5050C 99D3C3DC E42BAFB3 37DF640F 1ABABEEA
          8DA3F8F6 E42BAFB3 37DF640F B57DEBB5 5AA5AB1F 44ED8DA0 1B63271F EAE12A73
(A, B, C, D, E) = FC56BE44 03A42CDA F68056F0 960F5286 32985CD9

Triplet B: (input, block, output)

(A′, B′, C′, D′, E′) = 4258DA7D 02AAD5C2 F71D99C4 19C66B2F 7CEAE5B1
W0...15 = BBA5050C 99D3C3DC BBA5050C 99D3C3DC E42BAFB3 37DF640F 1ABABEEA 8DA3F8F6
          E42BAFB3 37DF640F B57DEBB5 5AA5AB1F 44ED8DA0 1B63271F EAE12A73 BA7C9CF9
(A′, B′, C′, D′, E′) = 58BB28F0 FC56BE44 C0E90B35 F68056F0 960F5286
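The three preceding slides (the SHA-0/SHA-1 message expansion on slide 27, the round function and slid input on slide 30, and the triplets on slide 31) can be exercised with one piece of code. What follows is an added Python implementation of mine, not code from the slides or from the FSE 2003 paper. It builds both expansions (SHA-0 without and SHA-1 with the 1-bit rotation), the 80-round state update written on slide 30 (where ≫ 2 is a rotation, i.e. SHA-1's rotate-left by 30), the slid-input transform, and the Davies-Meyer feed-forward, and checks itself against hashlib on a one-block message. The triplet values are copied from slide 31; the code verifies that triplet B's input is exactly the slid image of triplet A's input and that triplet B's W0...14 are triplet A's W1...15. It prints the raw 80-round state of triplet A for comparison with the printed output, since whether the slide's "output" includes the feed-forward is my reading, not something the slide states.

```python
import struct

MASK = 0xFFFFFFFF
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]   # K_i, one per 20 rounds
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x: int, n: int) -> int:
    return rotl(x, 32 - n)


def expand(words, sha1: bool = True) -> list:
    """W_0..W_79. SHA-0 omits the 1-bit rotation SHA-1 applies for 16 <= i <= 79."""
    w = list(words)
    for i in range(16, 80):
        t = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]
        w.append(rotl(t, 1) if sha1 else t)
    return w


def f(i: int, b: int, c: int, d: int) -> int:
    """Round function f_i; it changes every 20 rounds."""
    if i < 20:
        return (b & c) | (~b & d & MASK)
    if i < 40:
        return b ^ c ^ d
    if i < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def step(state, w_i: int, i: int):
    """One round as on slide 30: t = (A<<<5) + f_i(B,C,D) + E + W_i + K_i, then shift."""
    a, b, c, d, e = state
    t = (rotl(a, 5) + f(i, b, c, d) + e + w_i + K[i // 20]) & MASK
    return (t, a, rotr(b, 2), c, d)


def sha1_rounds(state, words, sha1: bool = True):
    """80 rounds without the feed-forward: the block-cipher view of the function."""
    w = expand(words, sha1)
    for i in range(80):
        state = step(state, w[i], i)
    return state


def sha1_compress(state, words):
    """Davies-Meyer compression: rounds output added to the chaining input."""
    out = sha1_rounds(state, words)
    return tuple((x + y) & MASK for x, y in zip(out, state))


def slid_input(state, w0: int):
    """(A',B',C',D',E') of slide 30: the state after one round with W_0 and K_0."""
    return step(state, w0, 0)


def sha1_one_block(msg: bytes) -> bytes:
    """SHA-1 of a message that pads into a single block, via sha1_compress."""
    if len(msg) > 55:
        raise ValueError("message does not fit in one padded block")
    padded = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return struct.pack(">5I", *sha1_compress(IV, struct.unpack(">16I", padded)))


def hexwords(s: str):
    return tuple(int(x, 16) for x in s.split())


# Triplets A and B as printed on slide 31.
TRIPLET_A_IN = hexwords("02AAD5C2 DC766713 19C66B2F 7CEAE5B1 CC08CC0B")
TRIPLET_A_W = hexwords("8DA3F8F6 BBA5050C 99D3C3DC BBA5050C 99D3C3DC E42BAFB3 37DF640F 1ABABEEA "
                       "8DA3F8F6 E42BAFB3 37DF640F B57DEBB5 5AA5AB1F 44ED8DA0 1B63271F EAE12A73")
TRIPLET_B_IN = hexwords("4258DA7D 02AAD5C2 F71D99C4 19C66B2F 7CEAE5B1")
TRIPLET_B_W = hexwords("BBA5050C 99D3C3DC BBA5050C 99D3C3DC E42BAFB3 37DF640F 1ABABEEA 8DA3F8F6 "
                       "E42BAFB3 37DF640F B57DEBB5 5AA5AB1F 44ED8DA0 1B63271F EAE12A73 BA7C9CF9")

if __name__ == "__main__":
    fmt = lambda st: " ".join(f"{x:08X}" for x in st)
    print("slid input from triplet A :", fmt(slid_input(TRIPLET_A_IN, TRIPLET_A_W[0])))
    print("matches triplet B input   :", slid_input(TRIPLET_A_IN, TRIPLET_A_W[0]) == TRIPLET_B_IN)
    print("triplet A after 80 rounds :", fmt(sha1_rounds(TRIPLET_A_IN, TRIPLET_A_W)))
    print("sha1('abc') via compress  :", sha1_one_block(b"abc").hex())
```

Passing sha1=False to expand or sha1_rounds gives the SHA-0 variant; for a non-zero block the two schedules first diverge at W16, where the SHA-1 word is the SHA-0 word rotated left by one.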

SLIDE 32

SHA (3)

  • On August 12, 2004, Antoine Joux announces a collision on full SHA-0. “This was done by using a generalization of the attack presented at Crypto’98 by Chabaud and Joux. This generalization takes advantage of the iterative structure of SHA-0. We also used the "neutral bit" technique of Biham and Chen (To be presented at Crypto’2004).” Complexity of attack appears to be 2^51.
  • X. Wang claims one week later that his new (unpublished) techniques can be extended to break SHA-0 with complexity 2^40.
  • E. Biham says that SHA-1 remains secure, and can break only 35 rounds of it (I can break more than 40).

SLIDE 33

SHA-2

P. Hawkes, M. Paddon and G. Rose, “On Corrective Patterns for the SHA-2 Family”, e-Print 207/2004 (Aug 22).

  • Use addition differences rather than xor differences.
  • Find “corrective patterns” that work with probability 2^−39. These are a set of differences between two input words such that the state difference vanishes.
  • Notes flaws in previous Gilbert-Handschuh simplified analysis of SHA-2 key schedule and corrective patterns.
  • No real attacks, unknown if this work will lead anywhere.

SLIDE 34

NIST Brief Comments on Recent Cryptanalytic Attacks on Secure Hashing Functions and the Continued Security Provided by SHA-1. (August 25, 2004).

“At the recent Crypto2004 conference, researchers announced that they had discovered a way to "break" a number of hash algorithms, including MD4, MD5, HAVAL-128, RIPEMD and the long superseded Federal Standard SHA-0 algorithm. The current Federal Information Processing Standard SHA-1 algorithm, which has been in effect since it replaced SHA-0 in 1994, was also analyzed, and a weakened variant was broken, but the full SHA-1 function was not broken and no collisions were found in SHA-1. The results presented so far on SHA-1 do not call its security into question. However, due to advances in technology, NIST plans to phase out of SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010. SHA-1 and the larger hash functions are specified in FIPS 180-2. For planning purposes by Federal agencies and others, note also that the use of other cryptographic algorithms of similar strength to SHA-1 will also be phased out in 2010.”

SLIDE 35

Conclusions

  • For some reason or another, everyone is cracking hash functions right now.
  • Hash function cryptanalysis is currently an experimental “black art” and a little bit difficult to translate into scientific language!
  • Flaws in the method of constructing iterated hash functions have been found; I support Lucks’ idea of using an internal state that is larger than the message digest (hash).
  • The design principles behind MD4/MD5/SHA are not sound (in my opinion).
