## On the possibility of constructing meaningful hash collisions for public keys (2005)

Venue: ACISP '05: The 10th Australasian Conference on Information Security and Privacy, volume 3574 of Lecture Notes in Computer Science

Citations: 27 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Lenstra05onthe,
  author    = {Arjen Lenstra and Benne De Weger},
  title     = {On the possibility of constructing meaningful hash collisions for public keys},
  booktitle = {ACISP '05: The 10th Australasian Conference on Information Security and Privacy, volume 3574 of Lecture Notes in Computer Science},
  year      = {2005},
  pages     = {267--279},
  publisher = {Springer-Verlag}
}
```

### Abstract

It is sometimes argued (as in [4]) that finding meaningful hash collisions might prove difficult. We show that at least one of the arguments involved is wrong, by showing that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed in [14]. We present some simple results, investigate what we can and cannot (yet) achieve, and formulate some open problems of independent interest. At this point we are not yet aware of truly interesting practical implications. Nevertheless, our results may be relevant for the practical assessment of the recent hash collision results in [14]. For instance, we show how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys. Thus hash collisions indeed undermine one of the principles underlying Public Key Infrastructures.

### Citations

51 | Formal Aspects of Mobile Code Security - Dean - 1999 |
Citation context: ...unced in [14] do not imply that second preimages are essentially easier to find than they should, namely effort proportional to $2^n$ for an n-bit hash function. According to a result first published in [3] and later (and independently) generalized in [7], second preimages for many common hash functions can be found in overall runtime proportional to $2^{n-k}$ for reasonably sized k > 0, but at memory cost 2...

43 | Preimages on n-Bit Hash Functions for Much Less than $2^n$ Work - Kelsey, Schneier, et al. - 2005 |
Citation context: ...are essentially easier to find than they should, namely effort proportional to $2^n$ for an n-bit hash function. According to a result first published in [3] and later (and independently) generalized in [7], second preimages for many common hash functions can be found in overall runtime proportional to $2^{n-k}$ for reasonably sized k > 0, but at memory cost $2^k$. Thus, using the full cost time×memory of an at...

40 | Generating ElGamal signatures without knowing the secret key - Bleichenbacher - 1070 |
Citation context: ...uction method is not specified, since it may have been concocted to collide, for some exponents, with a ‘standard’ or otherwise prescribed generator. This has been known for a long time, cf. [10] and [1], and, according to [19], this issue came up in the P1363 standards group from time to time. Nevertheless it still seems to escape the attention of many implementors and practitioners. Remark on actua...

34 | On the number of positive integers ≤ x and free of prime factors > y - Bruijn - 1951 |
Citation context: ...or the MD4 collisions from [14]), q is not used, and where we attempt to realize the first possibility for $p_2$. Let $\psi(x, y)$ be the number of y-smooth integers below x. Based on De Bruijn's estimate in [2]

$$\log \psi(x, y) \approx \frac{\log x}{\log y} \log\left(1 + \frac{y}{\log x}\right) + \frac{y}{\log y} \log\left(1 + \frac{\log x}{y}\right)$$

(neglecting error terms) we estimate that we have to generate 1.3 million b values before a good one turns up. This is feasi...

28 | How to Break MD5 - Wang, Yu - 2005 |
Citation context: ... argument follows the lines of the security argument presented earlier in this section. We do not elaborate. Remark. Given the restrictions of the MD5-collisions as found by the methods from [14] and [15], our method does not allow us to target 1024-bit moduli that collide under MD5, only substantially larger ones. Asymptotically, with growing modulus size but fixed collision size, the prime factors i...

25 | Generating RSA Moduli with a Predetermined Portion - Lenstra - 1998 |
Citation context: ...times longer than the smallest factor. Unbalanced moduli for instance occur in [13]. Our method combines the ideas mentioned in the introduction and earlier in this section with the construction from [6]. Algorithm to generate actually colliding hard to factor moduli. Let $b_1$ and $b_2$ be two bitstrings of equal bitlength B that collide under a Merkle-Damgård based hash function. Following [14], B could ...

21 | Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199. Available at eprint.iacr.org/2004/199 - Wang, Feng, et al. |
Citation context: ...-bit hash function can be constructed after an effort proportional to $2^{n/2}$ hash applications, no matter how good the hash function is. From the results presented at the Crypto 2004 rump session (cf. [14]), and since then described in more detail in [15], [16], [17], and [18], it follows that for many well known hash functions the effort required to find random collisions is considerably lower. Indeed...

21 | Colliding X.509 certificates. Cryptology ePrint Archive, Report 2005/067 - Lenstra, Wang, et al. - 2005 |

16 | The Full Cost of Cryptanalytic Attacks - Wiener |
Citation context: ...sh functions can be found in overall runtime proportional to $2^{n-k}$ for reasonably sized k > 0, but at memory cost $2^k$. Thus, using the full cost time×memory of an attack effort, as suggested in [1] and [19], finding a second preimage can still be argued to cost the full $2^n$. In any case, certificates that existed well before the results from [14] were obtained should be fine. For newly to be constructed ...

14 | Practical attacks on digital signatures using md5 message digest. Cryptology ePrint Archive - Mikle |
Citation context: ...monly used arguments why such applications are not affected by the lack of random collision resistance. In this note we concentrate on applications in the area of public key cryptography, see [4] and [9] for interesting ideas about the application of hash collisions in other areas. A successful attack on an existing certificate requires second preimage resistance of one message: given a pre-specified...

13 | RSA for paranoids - Shamir - 1995 |
Citation context: ...as hard to factor as regular RSA moduli but for which, in a typical application, the largest prime factor is about three times longer than the smallest factor. Unbalanced moduli for instance occur in [13]. Our method combines the ideas mentioned in the introduction and earlier in this section with the construction from [6]. Algorithm to generate actually colliding hard to factor moduli. Let $b_1$ and $b_2$ ...

13 | Circuits for integer factorization: a proposal, manuscript - Bernstein |
Citation context: ...ommon hash functions can be found in overall runtime proportional to $2^{n-k}$ for reasonably sized k > 0, but at memory cost $2^k$. Thus, using the full cost time×memory of an attack effort, as suggested in [1] and [19], finding a second preimage can still be argued to cost the full $2^n$. In any case, certificates that existed well before the results from [14] were obtained should be fine. For newly to be con...

10 | How to break MD5 and other hash functions, in: EUROCRYPT - Wang, Yu - 2005 |
Citation context: ... we know, imply a hash collision. Indeed, it is as yet unclear to us what conditions have to be imposed on the matching bits in order to realize the collisions announced in [14], but it is clear from [15] that they will be severe. Presently, specially crafted data blocks seem to be required for collisions. But colliding data blocks can be used to generate more collisions as follows. All affected hash ...

7 | Unbelievable security - Lenstra |
Citation context: ...1||b and $b_2||b$ are both 2048-bit integers with 512-bit prime factors $p_1$ and $p_2$, respectively, with prime cofactors, and MD5($b_1||b$) = MD5($b_2||b$) = 6 116346B2 D5C5E569 F4B65C52 B8125B07. As analyzed in [9], according to the current state of the art in factoring these moduli are as hard to factor as regular 2048-bit RSA moduli. Remark. Given the restrictions of the MD5-collisions as found by the methods...

5 | personal communication - Wiener - 2004 |
Citation context: ...ecified, since it may have been concocted to collide, for some exponents, with a ‘standard’ or otherwise prescribed generator. This has been known for a long time, cf. [10] and [1], and, according to [19], this issue came up in the P1363 standards group from time to time. Nevertheless it still seems to escape the attention of many implementors and practitioners. Remark on actually colliding powers of ...

4 | The Second-Preimage Attack on - Yu, Wang, et al. - 2005 |
Citation context: ...n/2 hash applications, no matter how good the hash function is. From the results presented at the Crypto 2004 rump session (cf. [14]), and since then described in more detail in [15], [16], [17], and [18], it follows that for many well known hash functions the effort required to find random collisions is considerably lower. Indeed, in some cases the ease with which collisions can be found is disconcer...

2 | MD5 to be considered harmful someday, preprint - Kaminsky - 2004 |
Citation context: ... the commonly used arguments why such applications are not affected by the lack of random collision resistance. In this note we concentrate on applications in the area of public key cryptography, see [4] and [9] for interesting ideas about the application of hash collisions in other areas. A successful attack on an existing certificate requires second preimage resistance of one message: given a pre-s...

2 | Contributions to the mailing list "cryptography@metzdowd.com", December 22, 2004, available at http://diswww.mit.edu/bloom-picayune/crypto/16587 - Kelsey, Laurie |
Citation context: ...lated to public keys. Also the Diffie-Hellman group size may be related to a random-looking large prime, which is a system parameter that could be hard-coded into a binary executable. As was shown in [5], given any hash collision it is trivial to construct a ‘real’ Diffie-Hellman prime and a ‘fake’ one that hash to the same value. One may ask whether the mathematical requirements that lie behind publ...

2 | An Attack on Hash Function HAVAL-128 - Wang, Feng, et al. |

1 | Alf swindles Ann, Cryptobytes 1(3) - Dobbertin - 1995 |
Citation context: ... collisions do not suffice because the values to be hashed are meaningful (cf. [3] and [11]). Dobbertin's cryptanalytic work on MD4 was so strong that meaningful collisions could be found easily, cf. [2]. The recent results of [14] seem not (yet) to have similar strength, so revisiting the concept of meaningfulness is of interest. A certificate, such as an X.509 or PGP certificate, is a highly struct...

1 | Twin RSA, submitted for publication - Lenstra, Weger - 2005 |
Citation context: ...tes, one for encryption and the other for signature purposes, for the transmission cost of just one certificate plus the few positions where the RSA moduli differ (similar ideas will be worked out in [8]). Indeed, the CA may knowingly participate in this application and verify that Alice knows both factorizations. However, if that is not done and the CA is tricked into signing one of the keys without...

1 | What's the Worst That Could Happen? presentation at the - Rescorla |
Citation context: ...both for RSA and for discrete logarithm systems. We explicitly restrict ourselves to known and secure private keys as the construction of unknown or non-secure private keys is hardly challenging (cf. [12]). Furthermore, using the appending trick, we show how we can generate actually colliding pairs consisting of proper public RSA keys. Combining this construction with the prepending idea, we show how ...

1 | How to Find Another Kind of Collision for MD4 Efficiently - Wang, Chen, et al. - 2004 |
Citation context: ...onal to $2^{n/2}$ hash applications, no matter how good the hash function is. From the results presented at the Crypto 2004 rump session (cf. [14]), and since then described in more detail in [15], [16], [17], and [18], it follows that for many well known hash functions the effort required to find random collisions is considerably lower. Indeed, in some cases the ease with which collisions can be found is...

1 | Alf swindles - Dobbertin - 1995 |

1 | MD5 to be considered harmful someday, preprint, December 2004, http://www.doxpara.com/ md5 someday.pdf - Kaminsky |