Advances in Cryptology – ASIACRYPT 2009

Volume 5912 of the series Lecture Notes in Computer Science, pp. 144-161

MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners

  • Florian Mendel, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology
  • Christian Rechberger, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology
  • Martin Schläffer, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology

Abstract

We consider a long-standing problem in cryptanalysis: attacks on hash function combiners. In this paper, we propose the first attack that allows collision attacks on combiners with a runtime below the birthday-bound of the smaller compression function. This answers an open question by Joux posed in 2004.

As a concrete example, we give such an attack on combiners with the widely used hash function MD5. The cryptanalytic technique we use combines a partial birthday phase with a differential inside-out technique, and may be of independent interest. This potentially reduces the effort for a collision attack on a combiner like MD5||SHA-1 for the first time.

Keywords

hash functions, cryptanalysis, MD5, combiner, differential