
Beyond the MD5 Collisions

Daniel Joščák, S.ICZ a.s. & MFF UK. 04/05/2007, SPI Brno.


Presentation Transcript


  1. Beyond the MD5 Collisions
     • Daniel Joščák
     • S.ICZ a.s. & MFF UK
     • 04/05/2007, SPI Brno
     www.i.cz

  2. Chewing functions

  3. Chewing functions

  4. Iterated hash functions
     • We would like to have a hash function h
       h : {0,1}* → {0,1}^n
     • We have a so-called compression function f
       f : {0,1}^b → {0,1}^n
     • Pad a message m to be a multiple of b bits long
     • Iterate the compression function f

  5. Collisions in MD5
     • Messages (M0||M1) ≠ (N0||N1), h(M0||M1) = h(N0||N1)
     • We have real collision-producing algorithms and methods
       • Wang et al. 04
       • Klíma 05
       • Liang and Lai 05
       • Stevens 05 and 06 (new target collisions)
       • …

  6. Attempts to improve MD5
     • 3C, 3C+, … constructions by Gauravaram, Millan, Dawson, and Viswanathan 06
     • Ring Iterative Structures by Su, Yang, Yang, Zhang 06
     • Keep the compression function f and change the Merkle-Damgård construction to obtain a “better” function

  7. Attempts to improve MD5
     [Figure: diagrams of the 3C+, 3C, Single Feedback and Multiple Feedback constructions]

  8. Properties of the collisions
     • Messages (M0||M1) ≠ (N0||N1), h(M0||M1) = h(N0||N1)
     • Fixed message and chaining differences:
       • Δ0 = M0 − N0 = (0, 0, 0, 0, 2^31, 0, 0, 0, 0, 0, 0, +2^15, 0, 0, 2^31, 0)
       • Δ1 = M1 − N1 = (0, 0, 0, 0, 2^31, 0, 0, 0, 0, 0, 0, −2^15, 0, 0, 2^31, 0)
       • δ = IV1 − IV’1 = f(IV, M0) − f(IV, N0) = (2^31, 2^31 + 2^25, 2^31 + 2^25, 2^31 + 2^25)

  9. 4-block collisions for 3C
     • Algorithms work for any IV and have the fixed chaining differences
     • We can find (M1||M2||M3||M4) ≠ (N1||N2||N3||N4) s.t.
       h3C(M1||M2||M3||M4) = h3C(N1||N2||N3||N4)
     • Find 2 pairs of MD5 collisions such that:
       • h(IV0,M1||M2) = h(IV0,N1||N2) = IV2,
       • h(IV2,M3||M4) = h(IV2,N3||N4).

  10. 5-block collisions for 3C+
     • (M1||M2||M3||M4||M5) ≠ (N1||N2||N3||N4||N5) such that
       h3C+(M1||M2||M3||M4||M5) = h3C+(N1||N2||N3||N4||N5)
     • Find 2 pairs of MD5 collisions such that:
       • M1 = N1
       • h(IV1,M2||M3) = h(IV1,N2||N3) = IV2,
       • h(IV3,M4||M5) = h(IV3,N4||N5).

  11. 4-block collisions for the simple feedback ring iterative structure
     • We can find (M1||M2||M3||M4) ≠ (N1||N2||N3||N4) s.t.
       hsf(M1||M2||M3||M4) = hsf(N1||N2||N3||N4)
     • Find just one pair of MD5 collisions:
       • M1 = N1
       • h(IV1,M2||M3) = h(IV1,N2||N3),
       • M4 = N4.

  12. Conclusions
     • Be aware of quick “secure” changes in algorithms
     • Time for Advanced Hash Standard
       • Competition organized by NIST
       • Submission deadline 3Q 2008
     • Problems are gift (Bruno Buchberger)

  13. Thank you for your attention.
     • Daniel Joščák
     • daniel.joscak@i.cz
     • +420 724 429 248
     • S.ICZ a.s.
     • www.i.cz
     • MFF UK, Dept. of Algebra
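
The 4-block argument from slide 9, as an added example that is not part of the original presentation: a toy 16-bit compression function (truncated SHA-256) stands in for MD5, a fixed XOR difference `D` stands in for δ, and `h3c` is a simplified model of 3C (XOR accumulator over all chaining values, one extra compression call, padding omitted). All names and constants are constructed for illustration.

```python
import hashlib
from itertools import count

IV = b"\x01\x23"   # constructed 16-bit initial value
D = b"\x80\x02"    # constructed fixed chaining difference, standing in for δ

def f(cv, block):
    """Toy compression function: SHA-256 truncated to 16 bits (not MD5)."""
    return hashlib.sha256(cv + block).digest()[:2]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blk(i):
    return i.to_bytes(8, "big")

def two_block_collision(iv):
    """Return ([M1, M2], [N1, N2], cv): states differ by D after block 1, meet after block 2."""
    seen = {}
    for i in count():                      # block 1: f(iv, M1) ^ f(iv, N1) == D
        v = f(iv, blk(i))
        if xor(v, D) in seen:
            m1, n1 = seen[xor(v, D)], blk(i)
            break
        seen[v] = blk(i)
    c, c_alt = f(iv, m1), f(iv, n1)
    table = {f(c, blk(i)): blk(i) for i in range(4096)}
    for j in count():                      # block 2: f(c, M2) == f(c ^ D, N2)
        v = f(c_alt, blk(j))
        if v in table:
            return [m1, table[v]], [n1, blk(j)], v

def md(blocks, iv=IV):
    """Plain iteration of f (padding omitted)."""
    cv = iv
    for b in blocks:
        cv = f(cv, b)
    return cv

def h3c(blocks, iv=IV):
    """Simplified 3C: XOR every chaining value into acc, then compress acc once more."""
    cv, acc = iv, bytes(2)
    for b in blocks:
        cv = f(cv, b)
        acc = xor(acc, cv)
    return f(cv, acc.ljust(8, b"\0")), acc

def demo():
    m12, n12, iv2 = two_block_collision(IV)
    m34, n34, _ = two_block_collision(iv2)   # second pair starts at the shared IV2
    return m12, n12, m34, n34
```

A single 2-block pair collides under `md` but leaves the 3C accumulators differing by `D`; the second pair contributes the same difference again, so it cancels and `h3c(m12 + m34) == h3c(n12 + n34)`.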
