Collisions for the compression function of MD5
At Crypto’ 91 Ronald L. Rivest introduced the MD5 Message Digest Algorithm as a strengthened version of MD4, differing from it on six points. Four changes are due to the two existing attacks on the two round versions of MD4. The other two changes should additionally strengthen MD5. However both these changes cannot be described as well-considered. One of them results in an approximate relation between any four consecutive additive constants. The other allows to create collisions for the compression function of MD5. In this paper an algorithm is described that finds such collisions.
A C program implementing the algorithm establishes a work load of finding about 216 collisions for the first two rounds of the MD5 compression function to find a collision for the entire four round function. On a 33MHz 80386 based PC the mean run time of this program is about 4 minutes.
KeywordsCompression Function Shift Constant Round Function Message Block Strengthened Version
- [Rive90]R.L. Rivest, “The MD4 message digest algorithm,” Advances in Cryptology, Proc. Crypto’90, LNCS 537, S. Vanstone, Ed., Springer-Verlag, 1991, pp. 303–311.Google Scholar
- [Merk90]R.C. Merkle, Unpublished result, 1990.Google Scholar
- [dBBo91]B. den Boer and A. Bosselaers, “An attack on the last two rounds of MD4,” Advances in Cryptology, Proc. Crypto’91, LNCS 576, J. Feigenbaum, Ed., Springer-Verlag, 1992, pp. 194–203.Google Scholar
- [Rive91]R.L. Rivest, “The MD5 message digest algorithm,” Presented at the rump session of Crypto’91.Google Scholar
- [Schn91]B. Schneier, “One-way hash functions,” Dr. Dobb’s Journal, Vol. 16, No. 9, 1991, pp. 148–151.Google Scholar
- [Rive92a]R.L. Rivest, “The MD4 message-digest algorithm,” Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992.Google Scholar
- [Rive92b]R.L. Rivest, “The MD5 message-digest algorithm,” Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.Google Scholar