A Study of the MD5 Attacks: Insights and Improvements

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4047)


MD5 is a well-known and widely-used cryptographic hash function. It has received renewed attention from researchers subsequent to the recent announcement of collisions found by Wang et al. [16]. To date, however, the method used by researchers in this work has been fairly difficult to grasp.

In this paper we conduct a study of all attacks on MD5 starting from Wang. We explain the techniques used by her team, give insights on how to improve these techniques, and use these insights to produce an even faster attack on MD5. Additionally, we provide an “MD5 Toolkit” implementing these improvements that we hope will serve as an open-source platform for further research.

Our hope is that a better understanding of these attacks will lead to a better understanding of our current collection of hash functions, what their strengths and weaknesses are, and where we should direct future efforts in order to produce even stronger primitives.


Cryptographic Hash Functions, Differential Cryptanalysis, MD5


  1. Black, J., Cochran, M., Highland, T.: A study of the MD5 attacks: Insights and improvements (full version). Manuscript available at,
  2. Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
  3. Daum, M.: Cryptanalysis of hash functions of the MD4 family. Dissertation, available at,
  4. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)
  5. Dobbertin, H.: Cryptanalysis of MD5 compress. Presented at the rump session of EUROCRYPT 1996 (1996)
  6. Hawkes, P., Paddon, M., Rose, G.G.: Musings on the Wang et al. MD5 collision (October 2004), See
  7. Klima, V.: Tunnels in hash functions: MD5 collisions within a minute, See
  8. Klima, V.: Finding MD5 collisions: A toy for a notebook (March 2005), See
  9. Klima, V.: Finding MD5 collisions on a notebook PC using multi-message modifications. In: International Scientific Conference Security and Protection of Information (May 2005)
  10. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
  11. Rivest, R.: The MD5 message-digest algorithm. RFC 1321 (April 1992)
  12. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)
  13. Stach, P., Liu, V.: MD5 collision generation. Code, available at,
  14. Stevens, M.: HashClash, See
  15. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)
  16. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. University of Colorado at Boulder, USA
  2. University of Texas at Austin, USA
