Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5

  • Jean-Philippe Aumasson
  • Willi Meier
  • Florian Mendel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5381)


This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions have been subject to severe collision attacks, but not to any preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2^224 compression function evaluations instead of 2^256. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within 2^96 trials instead of 2^128. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.


Keywords: cryptanalysis, hash function, preimage attack



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Philippe Aumasson (1)
  • Willi Meier (1)
  • Florian Mendel (2)
  1. FHNW, Windisch, Switzerland
  2. IAIK, Graz University of Technology, Graz, Austria
