## How to break MD5 and other hash functions (2005)

Venue: In EUROCRYPT

Citations: 215 (5 self)

### BibTeX

@INPROCEEDINGS{Wang05howto,
    author = {Xiaoyun Wang and Hongbo Yu},
    title = {How to break MD5 and other hash functions},
    booktitle = {In EUROCRYPT},
    year = {2005},
    publisher = {Springer-Verlag}
}

### Abstract

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

### Citations

370 | The MD5 Message Digest Algorithm - Rivest - 1992 |
Citation Context ..., but also greatly improve the efficiency. Nowadays, there are two widely used hash functions – MD5 [18] and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] found a kind of pseudo-collision for MD5 which consists of the same message with two different sets ...

335 | Differential Cryptanalysis of the Data Encryption Standard - Biham, Shamir - 1993 |
Citation Context ...fferential attack which uses exclusive-or as the difference. The differential attack was introduced by E. Biham and A. Shamir to analyze the security of DES-like cryptosystems. E. Biham and A. Shamir [1] described that differential cryptanalysis is a method which analyzes the effect of particular differences in plain text pairs on the differences of the resultant cipher text pairs. The differential ...

288 | A Design Principle for Hash Functions - Damgård - 1989 |
Citation Context ...ssion function X = f(Z) which compresses l-bit message block Z to s-bit hash value X where l > s. For MD5, l = 512, and s = 128. The iterating method is usually called the Merkle-Damgard meta-method (see [6], [16]). For a padded message M with multiples of l-bit length, the iterating process is as follows: $H_{i+1} = f(H_i, M_i)$, $0 \le i \le t-1$. Here $M = (M_0, M_2, \cdots, M_{t-1})$, and $H_0 = IV_0$ is the initial value for th...

130 | The MD5 message-digest algorithm. Request for Comments (RFC - Rivest - 1992 |
Citation Context ...ryptographic protocols. The use of hash functions in these applications not only ensures the security, but also greatly improves the efficiency. Nowadays, there are two widely used hash functions – MD5 [18] and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] ...

104 | RIPEMD-160, a strengthened version of RIPEMD - Dobbertin, Bosselaers, et al. - 1996 |

75 | The Status of MD5 After a Recent Attack - Dobbertin - 1996 |
Citation Context ...consists of two different 512-bit messages with a chosen initial value $IV_0'$: a0 = 0x12ac2375, b0 = 0x3b341042, c0 = 0x5f62b97c, d0 = 0x4ba763ed. A general description of this attack was published in [9]. Although H. Dobbertin cannot provide a real collision of MD5, his attack reveals the weak avalanche for the full MD5. This provides a possibility to find a special differential with one iteration. I...

62 | Near collisions of SHA-0 - Biham, Chen |
Citation Context ... MD4, the attack can find a collision within less than a second, and can also find second pre-images for many messages. In Crypto’04 Eli Biham and Rafi Chen presented a near-collision attack on SHA-0 [2], which follows the lines of the technique of [4]. In the rump session they described their new (and improved) results on SHA-0 and SHA-1 (including a multi-block technique and collisions of reduced S...

62 | Secure hash standard - FIPS - 1995 |
Citation Context ...otocols. The use of hash functions in these applications not only ensures the security, but also greatly improves the efficiency. Nowadays, there are two widely used hash functions – MD5 [18] and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] found a kind of...

48 | One Way Hash Functions and - Merkle - 1989 |
Citation Context ... function X = f(Z) which compresses l-bit message block Z to s-bit hash value X where l > s. For MD5, l = 512, and s = 128. The iterating method is usually called the Merkle-Damgard meta-method (see [6], [16]). For a padded message M with multiples of l-bit length, the iterating process is as follows: $H_{i+1} = f(H_i, M_i)$, $0 \le i \le t-1$. Here $M = (M_0, M_2, \cdots, M_{t-1})$, and $H_0 = IV_0$ is the initial value for the hash...

26 | RIPEMD-160, a strengthened version - Dobbertin, Bosselaers, et al. - 1996 |

23 | RIPEMD with Two-Round Compress Function is Not Collision-Free - Dobbertin - 1997 |
Citation Context ...2, a further (dropped) carry may happen, and then there is no negative sign in bit 32. It should be noted that the modular differential has been used earlier to analyze some hash functions ([4], [7], [10]). Compared with these attacks, our attack has the following advantages: 1. Our attack is to find collisions with two iterations, i.e., each message in the collision includes two message blocks (1024...

21 | Cryptanalysis of MD5 Compress. Presented at the rump session of Eurocrypt ’96 - Dobbertin - 1996 |
Citation Context ...ith two different sets of initial values. This attack discloses the weak avalanche in the most significant bit for all the chaining variables in MD5. In the rump session of Eurocrypt’96, H. Dobbertin [8] presented a semi free-start collision which consists of two different 512-bit messages with a chosen initial value $IV_0'$: a0 = 0x12ac2375, b0 = 0x3b341042, c0 = 0x5f62b97c, d0 = 0x4ba763ed. A general...

19 | HAVAL-A One-Way Hashing Algorithm with Variable - Zhang, Seberry, et al. - 1993 |
Citation Context ...1 and $M_1'$. Two such collisions of MD5 were made public in the Crypto’04 rump session [19]. This attack is applicable to many other hash functions as well, including MD4, HAVAL-128 and RIPEMD ([17], [20], [15]). In the case of MD4, the attack can find a collision within less than a second, and can also find second pre-images for many messages. In Crypto’04 Eli Biham and Rafi Chen presented a near-col...

17 | Cryptanalysis of MD4. Fast Software Encryption - Dobbertin - 1996 |

15 | Integrity Primitives for Secure Information Systems - RIPE - 1995 |
Citation Context ...$M_1'$. Two such collisions of MD5 were made public in the Crypto’04 rump session [19]. This attack is applicable to many other hash functions as well, including MD4, HAVAL-128 and RIPEMD ([17], [20], [15]). In the case of MD4, the attack can find a collision within less than a second, and can also find second pre-images for many messages. In Crypto’04 Eli Biham and Rafi Chen presented a near-collision...

6 | Collisions for SHA-0. Rump session of Crypto’04 - Joux - 2004 |
Citation Context ...ion they described their new (and improved) results on SHA-0 and SHA-1 (including a multi-block technique and collisions of reduced SHA-1). Then, A. Joux presented a 4-block full collision of SHA-0 [14], which is a further improvement of these results. Both these works were made independently of this paper. This paper is organized as follows: In Section 2 we briefly describe MD5. Then in Section 3 w...

4 | Collisions for the compression function - Boer - 1994 |
Citation Context ...[18] and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] found a kind of pseudo-collision for MD5 which consists of the same message with two different sets of initial values. This attack discloses the weak avalanche in the most significant bit for all the...