How to Break MD5 and Other Hash Functions

1
How to Break MD5 and Other Hash Functions

• Xiaoyun Wang(???) and Hongbo Yu(???)
• Cryptography Information Security
• Shandong University China
• Advances in Cryptology - EUROCRYPT 2005, 24th
  Annual International Conference on the Theory and
  Applications of Cryptographic Techniques, Aarhus,
  Denmark, May 22-26, 2005, Proceedings.
• Presented by Henrry, C.Y. Chiang (???)

2
EUROCRYPT (1/1)

• Eurocrypt (or EUROCRYPT) is an important
  conference for cryptography research.
• The full name of the conference is currently the
  Annual International Conference on the Theory and
  Applications of Cryptographic Techniques, but
  this has not always been its name.
• Eurocrypt is held annually in the spring in
  various locations throughout Europe.
• The first workshop in the series of conferences
  that became known as Eurocrypt was held in 1982.
• In 1984, the name "Eurocrypt" was first used.
  Generally, there have been published proceedings
  including all papers at the conference every year.

3
About The Author (1/2)

• Xiaoyun Wang (Simplified Chinese ???
  Traditional Chinese ???) (born 1966) is a
  researcher and professor in the Department of
  Mathematics and System Science, Shandong
  University, Shandong, China.

4
About The Author (2/2)

• At the rump session of CRYPTO 2004, she and
  co-authors demonstrated collision attacks against
  MD5, SHA-0 and other related hash functions. They
  received a standing ovation for their work.
• In February 2005 it was reported that Wang and
  co-authors had found a method to find collisions
  in the SHA-1 hash function, which is used in many
  of today's mainstream security products.
• She gained bachelors (1987), masters (1990) and
  doctorate (1993) degrees at Shandong University,
  and subsequently lectured in the mathematics
  department from 1993. Wang was appointed
  assistant professor in 1995, and full professor
  in 2001.

5
OUTLINE

1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

6
OUTLINE

1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

7
1. Introduction (1/6)

• People know that digital signatures are very
  important in information security.
• The security of digital signatures depends on the
  cryptographic strength of the underlying hash
  functions.
• Hash functions also have many other applications
  such as data integrity, group signature, e-cash
  and many other cryptographic protocols.
• Nowadays, there are two widely used hash
  functions MD5 and SHA-1.

8
1. Introduction (2/6)

• MD5 is one of the most widely used cryptographic
  hash functions nowadays.
• It was designed in 1992 as an improvement of MD4.
• In this paper we present a new powerful attack on
  MD5 which allows us to find collisions
  efficiently.
• We used this attack to find collision of MD5 in
  about 15 minutes up to an hour computation time.

9
1. Introduction (3/6)

• The attack is a differential attack, which unlike
  most differential attack, does not use the
  exclusive-or as a measure of difference, but
  instead uses modular integer subtraction as the
  measure.
• An application of this attack to MD4 can find
  collision in less than a fraction of a second.
• This attack is also applicable to other hash
  functions, such as RIPEMD and HAVAL.

10
1. Introduction (4/6)

• In this paper, we want to find a pair (M0, M1)
  and (M0, M1) such that
• We show that such collisions of MD5 can be found
  efficiently, where finding the first blocks (M0,
  M0) takes about MD5 operations, and
  finding the second blocks (M1, M1) takes about
  MD5 operations.

11
1. Introduction (5/6)
12
1. Introduction (6/6)
Birthday Attack ( MD5 operations)
13
OUTLINE

1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

14
2. Description of MD5 (1/5)

• Generally a hash function is iterated by a
  compression function X f( Z ) which compress
  l-bit message block Z to s-bit hash value X where
  l gt s.
• For MD5, l 512, and s 128.
• For a padded message M with multiples of l-bit
  length, the iterating process is as follows

15
2. Description of MD5 (2/5)

• In the above iterating process, we omit the
  padding method because it has no influence on our
  attack.

16
2. Description of MD5 (3/5)
17
2. Description of MD5 (4/5)
18
2. Description of MD5 (5/5)
19
OUTLINE

1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

20
OUTLINE

• Introduction
• Description of MD5
• Differential Attack for Hash Functions
• 3.1 The Modular Differential and the XOR
  Differential
• 3.2 Differential Attacks on Hash Functions
• 3.3 Optimized Collision Differentials for Hash
  Functions
• 4. Differential Attack on MD5
• 5. Summary

21
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(1/7)

• The most important analysis method for hash
  functions is differential attack which is also
  one of most important methods for analyzing block
  ciphers.
• In general, the differential attack especially in
  block ciphers is a kind of XOR differential
  attack which uses exclusive-or as the difference.
• Differential cryptanalysis is a method which
  analyzes the effect of particular differences in
  plain text pairs on the differences of the
  resultant cipher text pairs.

22
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(2/7)

• The differential definition in this paper is a
  kind of precise differential which uses the
  difference in term of integer modular
  subtraction.
• We also use integer modular subtraction and the
  differences in term of XOR.
• The combination of both kinds of differences give
  us more information than each of them keep by
  itself.

23
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(3/7)

• For example, when the modular integer subtraction
  difference is for some value X,
  the XOR difference can have many
  possibilities, which are
• 1. One-bit difference in bit 7, i.e., 0x00000040.
  In this case which means that
  bit 7 in X is 1 and bit 7 in X is 0.
• X 0100 0000
• X 0000 0000
• 2. Two-bit difference, in which a different carry
  is transferred from bit 7 to bit 8, i.e.,
  0x000000C0.
• X 1000 0000
• X 0100 0000

24
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(4/7)

• 3. Three-bit difference, in which a different
  carry is transferred from bit 7 to bit 8 and then
  to bit 9, i.e., 0x000001C0.
• X 0001 0000 0000
• X 0000 1100 0000
• 4. Similarly, there can be more carries to
  further bits, and the binary form of X is 1000,
  and of X is 0111.
• 5. In case the former difference is negative, the
  XOR differences still look the same, but the
  values of X and X are exchanged (i.e., X is of
  the form 1000, and X of the form 0111 ).

25
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(5/7)
26
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(6/7)
27
3. Differential Attack for Hash Functions3.1 The
Modular Differential and the XOR Differential
(7/7)

• Compared with earlier modular differential
  attacks, our attack has the following advantages
• Our attack is to find collisions with two
  iterations, i. e., each message in the collision
  includes two message blocks (1024-bit).
• Our attack is a precise differential attack in
  which the characteristics are more restrictive
  than used, and that they gives values of bits in
  addition to the differences.
• Our attack gives a set of sufficient conditions
  which ensure the differential to occur.
• Our attack use a message modification technique
  to greatly improve the collision probability.

28
3. Differential Attack for Hash Functions3.2
Differential Attacks on Hash Functions (1/2)

• The difference for two parameters X and X is
  defined as
• For any two messages M and M with l-bit
  multiples,
  
  
• a full
  differential for a hash function is defined as
  follows
• where is the initial value difference
  which equals to zero. is the output
  difference for the two messages.
  is the output difference for the i-th
  iteration, and also is the initial difference for
  the next iteration.

29
3. Differential Attack for Hash Functions3.2
Differential Attacks on Hash Functions (2/2)
j
30
3. Differential Attack for Hash Functions3.3
Optimized Collision Differentials for Hash
Functions (1/2)

• Our attack uses a message modification technique
  to improve the collision probability.
• According to the modification technique, we can
  get a rough method to search for optimized
  differentials of a hash function.

31
3. Differential Attack for Hash Functions3.3
Optimized Collision Differentials for Hash
Functions (2/2)

• There are two kinds of message modifications

32
OUTLINE

1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

33
OUTLINE

• Introduction
• Description of MD5
• Differential Attack for Hash Functions
• Differential Attack on MD5
• 4.1 Notation
• 4.2 Collision Differentials for MD5
• 4.3 Sufficient Conditions for the
  Characteristics to Hold
• 4.4 Message Modification
• 4.5 The Differential Attack on MD5
• 5. Summary

34
4. Differential Attack on MD54.1 Notation (1/1)
35
4. Differential Attack on MD54.2 Collision
Differentials for MD5 (1/5)

• Our attack can find many real collisions which
  are composed of two 1024-bit messages
  and with the original
  initial value of MD5
• We select a collision differential with two
  iterations as follows

36
4. Differential Attack on MD54.2 Collision
Differentials for MD5 (2/5)
37
4. Differential Attack on MD54.2 Collision
Differentials for MD5 (3/5)
Why does the author choose this collision
differential?
38
4. Differential Attack on MD54.2 Collision
Differentials for MD5 (4/5)
StepChaining Variable for M0Message Word for
M0Shift RotationMessage Word
DifferenceChaining Variable DifferenceChaining
Variable for M0
Especially, the empty items both in sixth and
fifth columns denotes zero differences, and steps
those arent listed in the table have zero
differences both for message words and chaining
variables.
39
4. Differential Attack on MD54.2 Collision
Differentials for MD5 (5/5)
40
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (1/9)

• How to derive a set of sufficient conditions that
  guarantee the differential characteristic in Step
  8 of MD5 (Table 3) to hold. Other conditions can
  be derived similarly.
• The differential characteristic in Step 8 of MD5
  is
• Each chaining variable satisfies one of the
  following equations.

41
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (2/9)
42
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (3/9)

• According to the operations in the 8-th step, we
  have

43
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (4/9)

• We get a set of sufficient conditions that ensure
  the differential characteristic holds

44
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (5/9)
45
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (6/9)
46
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (7/9)
47
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (8/9)
By the similar method, we can derive a set of
sufficient conditions (Table 4 and Table 6) which
guarantee all the differential characteristics in
the collision differential to hold
48
4. Differential Attack on MD54.3 Sufficient
Conditions for the Characteristics to Hold (9/9)
49
4. Differential Attack on MD54.4 Message
Modification (1/9)

• Single-Message Modification
• In order to make the attack efficient, it is very
  attractive to improve over the probabilistic
  method, by fixing some of the message words to a
  prior fulfilling some of the conditions
• We observe that it is very easy to generate
  messages that fulfill all the conditions of the
  first 16 steps of MD5. We call it single-message
  modification.
• For each message block M0 (or similarly M1) and
  intermediate values (H0, or for the second block
  H1 and H1), we apply the following procedures to
  modify M0 (or M1), so that all the conditions of
  round 1 (the first 16 steps) in Table 4 and Table
  6 hold.

50
4. Differential Attack on MD54.4 Message
Modification (2/9)

• Single-Message Modification (cont.)
• It is easy to modify M0 such that the conditions
  of round 1 in Table 4 hold with probability 1.
• For example, to ensure that 3 conditions for c1
  in Table 4 hold, we modify m2 as follows

51
4. Differential Attack on MD54.4 Message
Modification (3/9)
52
4. Differential Attack on MD54.4 Message
Modification (4/9)
53
4. Differential Attack on MD54.4 Message
Modification (5/9)

• Single-Message Modification (cont.)
• By modifying each message word of message M0, all
  the conditions in round 1 of Table 4 hold. The
  first iterations differential hold with
  probability .
• The same modification is applied to M1. After
  modification, the second iteration differential
  hold with probability .

54
4. Differential Attack on MD54.4 Message
Modification (6/9)

• Multi-Message Modification
• It is even possible to fulfill a part of the
  conditions of the first 32 steps by an
  multi-message modification.
• For example, a5,32 1, we correct it into a5,32
  0 by modifying m1, m2, m3, m4, m5 such that the
  modification generates a partial collision from
  2-6 steps, and remains that all the conditions in
  round 1 hold.

55
4. Differential Attack on MD54.4 Message
Modification (7/9)

• Multi-Message Modification (cont.)

56
4. Differential Attack on MD54.4 Message
Modification (8/9)
57
4. Differential Attack on MD54.4 Message
Modification (9/9)

• Multi-Message Modification (cont.)
• By our modification, 37 conditions in round 2-4
  are undetermined in the table 4, and 30
  conditions in round 2-4 are undetermined in the
  table 6.
• So, the 1-st iteration differential holds with
  probability , and the second iteration
  differential holds with probability .

58
4. Differential Attack on MD54.5 The
Differential Attack on MD5 (1/5)
59
4. Differential Attack on MD54.5 The
Differential Attack on MD5 (2/5)
60
4. Differential Attack on MD54.5 The
Differential Attack on MD5 (3/5)

• The complexity of finding (M0, M0) doesnt
  exceed the time of running MD5
  operations.
• To select another message M0 is only to change
  the last two words from the previous selected
  message M0.
• So, finding (M0, M0) only needs about one-time
  single-message modification for the first 14
  words. This time can be neglected.

61
4. Differential Attack on MD54.5 The
Differential Attack on MD5 (4/5)

• For each selected message M0, it is only needs
  two-time single-message modifications for the
  last two words and 7-time multi-message
  modifications for correcting 7 conditions in the
  second round, and each multi-message modification
  only needs about a few step operations.
• According to the probability of the first
  iteration differential, it is easy to know that
  the complexity of finding (M0, M0) is not
  exceeds MD5 operations.
• Similarly, we can show that the complexity of
  finding (M1, M1) is not exceeds MD5
  operations.

62
4. Differential Attack on MD54.5 The
Differential Attack on MD5 (5/5)
63
OUTLINE

1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

64
5. Summary(1/3)

• This paper described a powerful attack against
  hash functions, and in particular showed that
  finding a collision of MD5 is easily feasible.
• This attack is also able to break efficiently
  other hash functions, such as HAVAL-128, MD4,
  RIPEMD, and SHA-0.

65
5. Summary(2/3)The analysis results for these
hash functions are as follows

1. The time complexity for finding a collision for
   MD4 is about MD4 operations without the
   multi-message modification, and is about
   MD4 operations with the multi-message
   modification.
2. The time complexity for finding a collision for
   HAVAL-128 is about HAVAL-128 operations
   without the multi-message modification, and is
   HAVAL-128 operations with the
   multi-message modification.

66
5. Summary(3/3)The analysis results for these
hash functions are as follows

• 3. The time complexity for finding a collision
  for RIPEMD is about RIPEMD operations
  without the multi-message modification, and is
  RIPEMD operations with the multi-message
  modification.
• 4. The time complexity for finding a collision
  for SHA-0 is about SHA-0 operations
  without the multi-message modification, and is
  SHA-0 operations with the multi-message
  modification.

67

• ???
• Thanks A Lot
• ???Presentation