Collisions of MMO-MD5 and Their Impact on Original MD5

  • Yu Sasaki
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6737)


In this paper, we find collisions of MD5 in the Matyas-Meyer-Oseas mode and Miyaguchi-Preneel mode with a complexity of $2^{39}$ operations, which runs contrary to the cryptographers’ belief that these modes are stronger against collision attacks than the Davies-Meyer mode due to the impossibility of message modification. We then show that our collision attack for the Matyas-Meyer-Oseas mode has an impact on some collision properties of the Davies-Meyer mode, which we call “free-start given-message collisions” and “NMAC colliding keys”. These indicate that collisions of MMO-MD5 have some impact on the original MD5. The attack is implemented on a PC and we present generated collisions of MMO-MD5.


Keywords: MD5 collision, Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel, PGV, given-message collision, NMAC colliding keys



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yu Sasaki (1)
  1. NTT Information Sharing Platform Laboratories, NTT Corporation, Musashino-shi, Japan
