2004 - Musings on the Wang et al. MD5 Collision


Philip Hawkes, Michael Paddon, and Gregory G. Rose

Qualcomm Australia, Level 3, 230 Victoria Rd, Gladesville, NSW 2111, Australia
{phawkes,mwp,ggr}@qualcomm.com

Abstract. Wang et al. [12] caused great excitement at CRYPTO 2004 when they announced a collision for MD5 [11]. This paper examines the internal differences and conditions required for the attack to be successful. There are a large number of conditions that must be satisfied, thus indicating that Wang et al. have found a clever way to generate message pairs for which the conditions are satisfied. The large number of conditions suggests that an attacker cannot use these differentials to cause second pre-image attacks with complexity less than generic attacks. Initial examination also suggests that an attacker cannot cause such collisions for HMAC-MD5 [9] with complexity less than generic attacks.

Keywords: MD5, collision.

Disclaimer: This document notes some observations of the authors regarding the collisions generated by Wang et al. We do not claim to have any new discoveries in this paper. However, we hope that this paper provides a useful explanation until the time when Wang et al. publish a detailed analysis of their discoveries. This is a very rough description and is not intended as a publication. There has been a focus more on content than presentation.

1 Introduction

The cryptographic hash algorithm MD5 [11] needs little introduction. The MD5 collision found by X. Wang, D. Feng, X. Lai and H. Yu [12] is almost as well known as MD5 itself!

Following the announcement of the MD5 collision, we spent some time studying the MD5 collision in order to glean useful hints for our ongoing analysis of the SHA-2 family [5].

At first, the collision seemed too difficult to comprehend: the XOR-based differences have high weight (which seemed counter-intuitive) and the addition-based differences do not seem to follow any obvious pattern. We are still amazed that someone found this sequence of differences! It will be enlightening to see how it was discovered.

The collision uses a differential that is spread over a length of two message blocks. The first block difference results in a small difference in the state, and the second block difference cancels the introduced difference. For each of these blocks, the internal differentials are very similar. Unfortunately, we have only had sufficient time to fully document the internal differential for the first block. Tables in Appendix B contain the details of the internal differential for the second block, but without any explanatory text.

This paper is arranged as follows. Section 3 contains some basic notation, with Section 3 containing a description of the MD5 algorithm. We use an unorthodox description, as it better suits our analysis and (I think) leads to a better understanding of the algorithm. Section 4 describes the sequence of addition-based differences that form the internal differential for the first block. Section...