How to Break MD5 and Other Hash Functions

  • Xiaoyun Wang
  • Hongbo Yu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3494)


MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.


Hash Function Block Cipher Differential Attack Message Block Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  2. 2.
    Biham, E., Chen, R.: Near collision for SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)Google Scholar
  3. 3.
    den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 56. Springer, Heidelberg (1998)Google Scholar
  5. 5.
    Cotini, S., Rivest, R.L., Robshaw, M.J.B., Lisa Yin, Y.: Security of the RC6TM Block Cipher,
  6. 6.
    Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  7. 7.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Dobbertin, H.: Cryptanalysis of MD5 compress. Presented at the rump session of Eurocrypt 1996Google Scholar
  9. 9.
    Dobbertin, H.: The status of MD5 after a recent attack. CryptoBytes 2(2) (1996),
  10. 10.
    Dobbertin, H.: RIPEMD with two round compress function is not collision-free. Journal of Cryptology 10, 51–69 (1997)zbMATHCrossRefGoogle Scholar
  11. 11.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)Google Scholar
  12. 12.
    FIPS 180-1. Secure hash standard, NIST, Washington D.C. US Department of Commerce. Springer, Heidelberg (1996)Google Scholar
  13. 13.
    FIPS 180-2. Secure Hash Standard (2002),
  14. 14.
    Joux, A.: Collisions for SHA-0. Rump session of Crypto 2004 (2004)Google Scholar
  15. 15.
    Bosselaers, A., Preneel, B. (eds.): RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  16. 16.
    Merkle, R.C.: One way hash function and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  17. 17.
    Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  18. 18.
    Rivest, R.L.: The MD5 message-digest algorithm, Request for Comments (RFC 1320), Internet Activities Board, Internet Privacy Task Force (1992)Google Scholar
  19. 19.
    Wang, X.Y., Guo, F.D., Lai, X.J., Yu, H.B.: Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Rump session of Crypto 2004, E-print (2004)Google Scholar
  20. 20.
    Zheng, Y.L., Pieprzyk, J., Seberry, J.: HAVAL–A one-way hashing algorithm with variable length of output. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718. Springer, Heidelberg (1993)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Xiaoyun Wang
    • 1
  • Hongbo Yu
    • 1
  1. 1.Shandong UniversityJinanChina

Personalised recommendations