Marc Stevens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)


We introduce counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives against cryptanalytic attacks. Redesigning a weak primitive to more strongly resist cryptanalytic techniques will unavoidably break backwards compatibility. Instead, counter-cryptanalysis exploits unavoidable anomalies introduced by cryptanalytic attacks to detect and block cryptanalytic attacks while maintaining full backwards compatibility. Counter-cryptanalysis in principle enables the continued secure use of weak cryptographic primitives.

Furthermore, we present the first example of counter-cryptanalysis, namely the efficient detection of whether any given single message has been constructed – together with an unknown sibling message – using a cryptanalytic collision attack on MD5 or SHA-1.

An immediate application is in digital signature verification software to ensure that an (older) MD5 or SHA-1 based digital signature is not a forgery using a collision attack. This would certainly be desirable for two reasons. Firstly, it might still be possible to generate malicious forgeries using collision attacks as too many parties still sign using MD5 (or SHA-1) based signature schemes. Secondly, any such forgeries are currently accepted nearly everywhere due to the ubiquitous support of MD5 and SHA-1 based signature schemes. Despite the academic push to use more secure hash functions over the last decade, these two real-world arguments (arguably) will remain valid for many more years.

Only due to counter-cryptanalysis were we able to discover that Flame, a highly advanced malware for cyberwarfare uncovered in May 2012, employed an as yet unknown variant of our chosen-prefix collision attack on MD5 [SLdW07, SSA+09]. In this paper we dissect the revealed cryptanalytic details and work towards the reconstruction of the algorithms underlying Flame's new variant attack. Finally, we make a preliminary comparison between Flame's attack and our chosen-prefix collision attack.


Keywords: Hash Function, Compression Function, Disturbance Vector, Message Block, Collision Attack


References

1. [Cry12] CrySyS Lab: sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Laboratory of Cryptography and System Security, Budapest University of Technology and Economics (May 31, 2012)
2. [dBB93] den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)
3. [HC] HashClash project webpage,
4. [Kas12] Kaspersky Lab: The Flame: Questions and Answers. Securelist blog (May 28, 2012)
5. [Kli06] Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006)
6. [Man11] Manuel, S.: Classification and generation of disturbance vectors for collision attacks against SHA-1. Des. Codes Cryptography 59(1-3), 247–263 (2011)
7. [MRS09] Mendel, F., Rechberger, C., Schläffer, M.: MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 144–161. Springer, Heidelberg (2009)
8. [MS12a] Microsoft: Flame malware collision attack explained. Security Research & Defense, Microsoft TechNet Blog (June 6, 2012)
9. [MS12b] Microsoft: Microsoft certification authority signing certificates added to the Untrusted Certificate Store. Security Research & Defense, Microsoft TechNet Blog (June 3, 2012)
10. [SLdW07] Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
11. [SSA+09] Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009)
12. [Ste13] Stevens, M.: New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 245–261. Springer, Heidelberg (2013)
13. [VJBT08] Vábek, J., Joščák, D., Boháček, M., Tůma, J.: A New Type of 2-Block Collisions in MD5. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 78–90. Springer, Heidelberg (2008)
14. [WY05] Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
15. [XF09] Xie, T., Feng, D.: How To Find Weak Input Differences For MD5 Collision Attacks. Cryptology ePrint Archive, Report 2009/223 (2009)
16. [XF10] Xie, T., Feng, D.: Construct MD5 Collisions Using Just A Single Block of Message. Cryptology ePrint Archive, Report 2010/643 (2010)
17. [XFL08] Xie, T., Feng, D., Liu, F.: A New Collision Differential for MD5 With Its Full Differential Path. Cryptology ePrint Archive, Report 2008/230 (2008)
18. [XLF08] Xie, T., Liu, F., Feng, D.: Could The 1-MSB Input Difference Be The Fastest Collision Attack For MD5? Cryptology ePrint Archive, Report 2008/391 (2008)

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

Marc Stevens, CWI, Amsterdam, The Netherlands
