5.2 Analysis of Our Implementation
5.2.2 Performance Analysis
In this section, we compare the execution time of our implementation of the MD5 collision finding algorithm with Stach's. We summarize the results of fifty experiments per implementation in Table 5.1. At http://www.stachliu.com/collisions.html he states an "average run time on P4 1.6ghz PC — 45 minutes." But according to our experiments on a P4 2.8GHz PC, the result is quite different from what he said. We should mention that the execution time of his implementation in the worst case is much better than ours.

                         Average Case   Best Case   Worst Case   Success Probability
Our Implementation       1h48m10s       4m20s       8h50m01s     1
Stach's Implementation   2h06m13s       8m29s       5h58m57s     0.5

Table 5.1: The Execution Time of the Experiments
Chapter 6 Conclusions
After Wang et al. published their MD4 and MD5 collision searching algorithms, many researchers published improvements. With these improvements, the collision searching algorithms became more deterministic and efficient. In this thesis, we also give our own improvements on the message modification techniques. We then implement the MD4 and MD5 collision searching algorithms to show that our improvements are efficient enough to run on modern PCs. Some cryptographic scholars think that the collision resistance requirement is not necessary for a cryptographic hash function in all cryptographic applications, because it is infeasible for any probabilistic polynomial-time adversary to break all cryptographic applications even if their internal cryptographic hash function is not collision resistant. For example, if the adversary Eve wants to forge Alice's certificate, it is infeasible to do so even if the certificate uses a non-collision-resistant cryptographic hash function. So we can relax the collision resistance requirement in some cryptographic applications, but not in all of them. As mentioned in Section 2.1, some cryptographic applications need stronger security requirements of the hash function, not just the three basic ones. If a hash function is not second preimage resistant, the hash function is wholly broken. So how to find second preimages of existing hash functions is an interesting problem.
Yu et al. [YWZW05] presented their findings on second preimages of the hash function MD4. But they did not really find a second preimage of MD4. Instead, they gave a collision path that has a higher probability of yielding a second preimage of MD4 than Wang et al.'s [WLF+05, Chapter 6]. For a randomly chosen message block M, they gave a sufficiently efficient algorithm to modify M into M̂, where the Hamming distance between M and M̂ is very small, and a second preimage of M̂ can be computed efficiently.
But their result is not practical enough to endanger the real-world use of MD4 in digital signatures, certificates, MACs, and so on. What we want instead is an algorithm that finds a second preimage for any message, even if its time complexity is somewhat larger. As long as the time complexity of the second preimage finding algorithm is not too large to run on modern computers, we can accept it. So how to find a second preimage for an arbitrary message under dedicated hash functions such as MD4, MD5 and SHA-1 is an interesting open problem.
Bibliography
[BR96] R. Baldwin and R. Rivest. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms. Request for Comments (RFC 2040), October 1996.
[Bra90] Gilles Brassard, editor. Advances in Cryptology - CRYPTO '89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings, volume 435 of Lecture Notes in Computer Science. Springer, 1990.
[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited (preliminary version). In STOC, pages 209–218, 1998.
[CGH04] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. J. ACM, 51(4):557–594, 2004.
[Cra05] Ronald Cramer, editor. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of Lecture Notes in Computer Science. Springer, 2005.
[Dam89] Ivan Damgård. A design principle for hash functions. In Brassard [Bra90], pages 416–427.
[DBP96] Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. RIPEMD-160: A strengthened version of RIPEMD. In Dieter Gollmann, editor, Fast Software Encryption, volume 1039 of Lecture Notes in Computer Science, pages 71–82. Springer, 1996.
[FIP95] Secure Hash Standard (SHS). Federal Information Processing Standard (FIPS) Publication 180-1, National Institute of Standards and Technology (NIST), April 1995.
[FIP02] Secure Hash Standard (SHS). Federal Information Processing Standard (FIPS) Publication 180-2, National Institute of Standards and Technology (NIST), August 2002.
[GK03] Shafi Goldwasser and Yael Tauman Kalai. On the (in)security of the Fiat-Shamir paradigm. In FOCS, pages 102–. IEEE Computer Society, 2003.
[HPR04] Philip Hawkes, Michael Paddon, and Gregory G. Rose. Musings on the Wang et al. MD5 collision. Cryptology ePrint Archive, Report 2004/264, 2004. http://eprint.iacr.org/2004/264.pdf.
[Kal92] B. Kaliski. The MD2 Message-Digest Algorithm. Request for Comments (RFC 1319), April 1992.
[Ken05] S. Kent. IP Encapsulating Security Payload (ESP). Request for Comments (RFC 4303), December 2005.
[Kli05a] Vlastimil Klima. Finding MD5 collisions on a notebook PC using multi-message modifications. Cryptology ePrint Archive, Report 2005/102, 2005. http://eprint.iacr.org/2005/102.pdf.
[Kli05b] Vlastimil Klima. Finding MD5 collisions - a toy for a notebook. Cryptology ePrint Archive, Report 2005/075, 2005. http://eprint.iacr.org/2005/075.pdf.
[KM05] Lars R. Knudsen and John Erik Mathiassen. Preimage and collision attacks on MD2. In Henri Gilbert and Helena Handschuh, editors, FSE, volume 3557 of Lecture Notes in Computer Science, pages 255–267. Springer, 2005.
[LdW05] Arjen K. Lenstra and Benne de Weger. On the possibility of constructing meaningful hash collisions for public keys. In Colin Boyd and Juan Manuel González Nieto, editors, ACISP, volume 3574 of Lecture Notes in Computer Science, pages 267–279. Springer, 2005.
[LL05] Jie Liang and Xuejia Lai. Improved collision attack on hash function MD5. Cryptology ePrint Archive, Report 2005/425, 2005. http://eprint.iacr.org/2005/425.pdf.
[LWdW05] Arjen Lenstra, Xiaoyun Wang, and Benne de Weger. Colliding X.509 certificates. Cryptology ePrint Archive, Report 2005/067, 2005. http://eprint.iacr.org/2005/067.pdf.
[Mer89] Ralph C. Merkle. One way hash functions and DES. In Brassard [Bra90], pages 428–446.
[Mik04] Ondrej Mikle. Practical attacks on digital signatures using MD5 message digest. Cryptology ePrint Archive, Report 2004/356, 2004. http://eprint.iacr.org/2004/356.pdf.
[Mul04] Frédéric Muller. The MD2 hash function is not one-way. In Pil Joong Lee, editor, ASIACRYPT, volume 3329 of Lecture Notes in Computer Science, pages 214–229. Springer, 2004.
[NSKO05] Yusuke Naito, Yu Sasaki, Noboru Kunihiro, and Kazuo Ohta. Improved collision attack on MD4 with probability almost 1. In Dongho Won and Seungjoo Kim, editors, ICISC, volume 3935 of Lecture Notes in Computer Science, pages 122–135. Springer, 2005.
[RB00] Vincent Rijmen and Paulo S. L. M. Barreto. The WHIRLPOOL hash function. First open NESSIE Workshop record, November 2000. The document is available at http://paginas.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html.
[RC97] N. Rogier and Pascal Chauvaud. MD2 is not secure without the checksum byte. Des. Codes Cryptography, 12(3):245–251, 1997.
[Riv90] Ronald L. Rivest. The MD4 message digest algorithm. In Alfred Menezes and Scott A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science, pages 303–311. Springer, 1990.
[Riv92a] R. Rivest. The MD4 Message-Digest Algorithm. Request for Comments (RFC 1320), April 1992.
[Riv92b] R. Rivest. The MD5 Message-Digest Algorithm. Request for Comments (RFC 1321), April 1992.
[SNKO05] Yu Sasaki, Yusuke Naito, Noboru Kunihiro, and Kazuo Ohta. Improved collision attack on MD5. Cryptology ePrint Archive, Report 2005/400, 2005. http://eprint.iacr.org/2005/400.pdf.
[SNY+06] Yu Sasaki, Yusuke Naito, Jun Yajima, Takeshi Shimoyama, Noboru Kunihiro, and Kazuo Ohta. How to construct sufficient condition in searching collisions of MD5. Cryptology ePrint Archive, Report 2006/074, 2006. http://eprint.iacr.org/.
[Sta05a] Patrick Stach. MD4 Collision Generation — Faster implementation of techniques in "Cryptanalysis for Hash Functions MD4 and RIPEMD". http://www.stachliu.com/md4coll.c, 2005.
[Sta05b] Patrick Stach. MD5 Collision Generation — Faster implementation of techniques in "How to Break MD5 and Other Hash Functions". http://www.stachliu.com/md5coll.c, 2005.
[WLF+05] Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Cryptanalysis of the hash functions MD4 and RIPEMD. In Cramer [Cra05], pages 1–18.
[WY05] Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions. In Cramer [Cra05], pages 19–35.
[WYY05] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding collisions in the full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 of Lecture Notes in Computer Science, pages 17–36. Springer, 2005.
[YS05] Jun Yajima and Takeshi Shimoyama. Wang's sufficient conditions of MD5 are not sufficient. Cryptology ePrint Archive, Report 2005/263, 2005. http://eprint.iacr.org/2005/263.pdf.
[YWZW05] Hongbo Yu, Gaoli Wang, Guoyan Zhang, and Xiaoyun Wang. The second-preimage attack on MD4. In Yvo Desmedt, Huaxiong Wang, Yi Mu, and Yongqing Li, editors, CANS, volume 3810 of Lecture Notes in Computer Science, pages 1–12. Springer, 2005.
[ZPS92] Yuliang Zheng, Josef Pieprzyk, and Jennifer Seberry. HAVAL - a one-way hashing algorithm with variable length of output. In Jennifer Seberry and Yuliang Zheng, editors, ASIACRYPT, volume 718 of Lecture Notes in Computer Science, pages 83–104. Springer, 1992.