Applications of SAT Solvers to Cryptanalysis of Hash Functions

  • Ilya Mironov
  • Lintao Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4121)


Several standard cryptographic hash functions were broken in 2005. Some essential building blocks of these attacks lend themselves well to automation by encoding them as CNF formulas, which are within reach of modern SAT solvers. In this paper we demonstrate the effectiveness of this approach. In particular, we are able to generate full collisions for MD4 and MD5 given only the differential path and applying a (minimally modified) off-the-shelf SAT solver. To the best of our knowledge, this is the first example of a SAT-solver-aided cryptanalysis of a non-trivial cryptographic primitive. We expect SAT solvers to find new applications as a validation and testing tool for practicing cryptanalysts.
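The encoding step the abstract refers to, as an added illustration that is not the paper's or the authors' tooling: two MD4/MD5 building blocks, the majority round function G(x,y,z) and addition mod 2^n, are turned into CNF with Tseitin's transformation, and a toy DPLL procedure stands in for the off-the-shelf solver to invert one combined step. The word size n, the class and function names, and the constants used in the test are all constructed here for the example.

```python
class CNF:
    """Clause store: variables are positive ints, a negative int is a negated literal."""
    def __init__(self):
        self.n, self.clauses = 0, []
    def word(self, bits):  # fresh variables for an n-bit word; index 0 is the low bit
        self.n += bits
        return list(range(self.n - bits + 1, self.n + 1))
    def gate(self, table, *ins):
        """Tseitin encoding of r <-> table(ins): one clause per truth-table row, which
        is false only when the inputs equal that row and r disagrees with the table."""
        r = self.word(1)[0]
        for row in range(1 << len(ins)):
            bits = [(row >> i) & 1 for i in range(len(ins))]
            self.clauses.append([-v if b else v for v, b in zip(ins, bits)] + [r if table(*bits) else -r])
        return r
    def maj(self, x, y, z):  # MD4/MD5 round function G(x,y,z) = xy | xz | yz, bit by bit
        return [self.gate(lambda a, b, c: (a & b) | (a & c) | (b & c), *t) for t in zip(x, y, z)]
    def add_mod(self, x, y):  # ripple-carry adder; the carry out of the top bit is dropped
        out, carry = [], []
        for xi, yi in zip(x, y):
            out.append(self.gate(lambda *b: sum(b) & 1, xi, yi, *carry))
            carry = [self.gate(lambda *b: int(sum(b) >= 2), xi, yi, *carry)]
        return out
    def fix(self, word, value):  # pin a word to a constant with unit clauses
        self.clauses += [[v if (value >> i) & 1 else -v] for i, v in enumerate(word)]

def dpll(clauses, model=frozenset()):
    """Minimal DPLL stand-in for a real solver: propagate a unit clause if there is one,
    otherwise branch on the first free literal. Returns a set of true literals or None."""
    if not clauses:
        return model
    unit = next((c[0] for c in clauses if len(c) == 1), None)
    for lit in ([unit] if unit is not None else [clauses[0][0], -clauses[0][0]]):
        # make lit true: drop the clauses it satisfies, strip the now-false literal -lit
        rest = [[l for l in c if l != -lit] for c in clauses if lit not in c]
        if all(rest):  # an emptied clause means this branch hit a conflict
            found = dpll(rest, model | {lit})
            if found is not None:
                return found
    return None

def invert_step(n, a, t):
    """Find (b, c, d) with (a + G(b, c, d)) mod 2^n == t by solving the CNF encoding."""
    f = CNF()
    A, B, C, D = (f.word(n) for _ in range(4))
    f.fix(A, a)
    f.fix(f.add_mod(A, f.maj(B, C, D)), t)
    m = dpll(f.clauses)  # unassigned bits are don't-cares and read as 0
    return None if m is None else tuple(sum((v in m) << i for i, v in enumerate(w)) for w in (B, C, D))
```

The same `gate` method encodes any other bitwise round function from its truth table, which is how the full step functions of MD4 and MD5 reduce to CNF; only the solver changes when the instance grows.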





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ilya Mironov, Microsoft Research
  • Lintao Zhang, Microsoft Research
