The Improvements on MD5

After surveying the previous papers about the multi-message modification techniques on MD5 [Kli05b, Kli05a, SNKO05, LL05], we find that something can be improved. As mentioned in Section 3.4, there are two iterations in the

collision searching algorithm of MD5. We also introduce our improvements in two parts, the first iteration (or the first block) and the second iteration (or the second block).

• The First Iteration:

– For the sufficient condition “c_5,32= d_5,32” in the first iteration, we do the following procedure.

1. We complement the bit c_4,18.

2. Because c₄ changes, we use the following equations to update the message words m₁₄, m₁₅, and m₀.

m14= ((c4− d4) ≫ 17) − c³− F F (d4, a4, b3) − t15

m₁₅= ((b₄− c₄) ≫ 22) − b3− F F (c₄, d₄, a₄) − t₁₆ m₀ = ((a₅− b₄) ≫ 5) − a4− GG(b₄, c₄, d₄) − t₁₇

3. We add the extra condition “b4,18 = a5,18 = 0”. Note that

“a_5,18= 0” itself is a sufficient condition.

4. We compute the chaining value d₅by d₅ = ((d₄+GG(a₅, b₄, c₄)+

m₆+t₁₈) ≪ 9)+a5but c_4,18changes. However, the extra con-dition “b_4,18 = a_5,18” guarantees that GG(a_5,18, b_4,18, c_4,18) = GG(0, 0, c^old_4,18) = 0 → 0 unchanges. This also implies that d5

unchanges.

5. We update the chaining value c₅ by c₅ = ((c₄+GG(d₅, a₅, b₄)+

m₁₁+ t₁₉) ≪ 14) + d5 = (((c^old₄ ± 2¹⁷) + GG(d₅, a₅, b₄) + m₁₁+

t₁₉) ≪ 14)+d5 = c^old₅ ±2³¹. This implies that the complement of the bit c_5,32 occurs.

6. Because m₀ changes, we update the chaining value a₁ by a₁ = ((a₀+ F F (b₀, c₀, d₀) + m₀+ t₁) ≪ 7) + b0.

7. Because a₁ also changes, we use the following equations to update the message words m₁, m₂, m₃, and m₄.

m₁ = ((d₁− a₁) ≫ 12) − d0− F F (a₁, b₀, c₀) − t₂ m2 = ((c1− d1) ≫ 17) − c⁰− F F (d1, a1, b0) − t3

m₃ = ((b₁− c₁) ≫ 22) − b0− F F (c₁, d₁, a₁) − t₄ m₄ = ((a₂− b₁) ≫ 7) − a1− F F (b₁, c₁, d₁) − t₅

Sasaki et al. also give a type 2 multi-message modification for the sufficient condition “c_5,32 = d_5,32” in their paper [SNKO05, Ta-ble 6]. But there are six extra conditions in their multi-message modification method. As mentioned in Section 4.1, the extra con-dition is not necessary for the message modification techniques, they are used to avoid too many chaining values from changing instead. So if the message modification method need too many extra conditions, the size of the set of the collision message pair will become too small. Even if sometimes we need to add the extra condition to help us to do the multi-message modification, but we must decrease the total number of the extra conditions as possible as we can to enlarge the size of the set of the collision message

pair. In our multi-message modification for the sufficient condition

“c_5,32 = d_5,32”, we need only one extra condition “c_5,32 = d_5,32”.

• The Second Iteration:

– For the sufficient condition “d_5,18 = 1” in the second iteration, we do the following procedure.

1. We complement the bit d_4,9.

2. Because d₄ changes, we use the following equations to update the message words m₁₃, m₁₄, and m₁₅.

m₁₃= ((d₄− a₄) ≫ 12) − d3− F F (a₄, b₃, c₃) − t₁₄ m₁₄= ((c₄− d₄) ≫ 17) − c3− F F (d₄, a₄, b₃) − t₁₅ m₁₅= ((b₄− c₄) ≫ 22) − b3− F F (c₄, d₄, a₄) − t₁₆

3. We add the extra condition “b_4,9 = c_4,9”.

4. Because the bit d_4,9 changes, we update ∆_17,9 by ∆_17,9 = GG(b_4,9, c_4,9, d_4,9) = GG(b_4,9, c_4,9, d^old_4,9) = (b_4,9 → c_4,9)∨(c_4,9 → b_4,9). The extra condition “b_4,9 = c_4,9” guarantees that ∆_17,9 unchange. This also implies that a₅ = ((a₄+ GG(b₄, c₄, d₄) + m₁+ t₁₇) ≪ 5) + b4 unchanges.

5. Finally, we update the chaining value d5 by d5 = ((d4 + GG(a₅, b₄, c₄)+m₆+t₁₈) ≪ 9)+a5 = (((d^old₄ ±2⁸)+GG(a₅, b₄, c₄)+

m₆+ t₁₈) ≪ 9) + a5 = d^old₅ ± 2¹⁷. This will cause the comple-ment of the bit d_5,18 to occur.

– For the sufficient condition “d_5,32 = a_5,32” in the second iteration, we do the following procedure.

1. We complement the bit d_2,23.

2. We add the extra condition “a_2,23= b_1,23”.

3. Because d₂ changes, we use the following equations to update the message words m₅, m₆, m₇, m₈, and m₉.

m₅ = ((d₂ − a₂) ≫ 12) − d1− F F (a₂, b₁, c₁) − t₆

m₆ = ((c₂− d₂) ≫ 17) − c1− F F (d₂, a₂, b₁) − t₇ (4.4) m7 = ((b2− c₂) ≫ 22) − b¹− F F (c₂, d2, a2) − t8

m8 = ((a3− b2) ≫ 7) − a²− F F (b2, c2, d2) − t9

m₉ = ((d₃ − a₃) ≫ 12) − d2− F F (a₃, b₂, c₂) − t₁₀

4. In equation 4.4, F F (d_2,23, a_2,23, b_1,23) = F F (d^old_2,23, a_2,23, b_1,23) = (b_1,23 → a_2,23) ∨ (a_2,23 → b_1,23). The extra condition “a_2,23 = b_1,23” cause the complement of F F (d_2,23, a_2,23, b_1,23) to oc-cur. The word m₆ = ((c₂ − (d^old₂ ± 2²²)) ≫ 17) − c1 − (F F^old(d₂, a₂, b₁) ± 2²²) − t₇ = m^old₆ ∓ (2⁵ + 2²²). Then d₅ = ((d₄+GG(a₄, b₃, c₃)+m₆+t₁₈) ≪ 9)+a5 = ((d₄+GG(a₄, b₃, c₃)+

(m^old₆ ∓ (2⁵+ 2²²)) + t₁₈) ≪ 9) + a5 = d^old₅ ∓ (2¹⁴+ 2³¹). This causes the complement of the bit d_5,32 to occur.

– For the sufficient condition “c_5,18= 0” in the second iteration, we do the following procedure.

1. We complement the bit b_2,4.

2. Because b₂ changes, we use the following equations to update the message words m7, m8, m9, m10, and m11.

m₇ = ((b₂− c₂) ≫ 22) − b1− F F (c₂, d₂, a₂) − t₈ m₈ = ((a₃− b₂) ≫ 7) − a2− F F (b₂, c₂, d₂) − t₉ m₉ = ((d₃− a₃) ≫ 12) − d2− F F (a₃, b₂, c₂) − t₁₀ m₁₀ = ((c₃− d₃) ≫ 17) − c2− F F (d₃, a₃, b₂) − t₁₁

m₁₁ = ((b₃− c₃) ≫ 22) − b2− F F (c₃, d₃, a₃) − t₁₂ (4.5)

3. In equation 4.5, m₁₁ = ((b₃ − c₃) ≫ 22) − (b^old2 ± 2³) − F F (c3, d3, a3)−t12 = m^old₁₁∓2³. Then c5 = ((c4+GG(d5, a5, b4)+

m₁₁+ t₁₉) ≪ 14) + d5 = ((c₄+ GG(d₅, a₅, b₄) + (m₁₁∓ 2³) + t₁₉) ≪ 14)+d5 = c^old₅ ∓2¹⁷. This implies that the complement of the bit c_5,18 to occur.

– For the sufficient condition “c_5,32= d_5,32” in the second iteration, we do the following procedure.

1. We complement the bit c_4,18.

2. Because c4 changes, we use the following equations to update the message words m₁₄ and m₁₅.

m14= ((c4− d4) ≫ 17) − c³− F F (d4, a4, b3) − t15

m₁₅= ((b₄− c₄) ≫ 22) − b3− F F (c₄, d₄, a₄) − t₁₆

3. We compute the chaining value a₅by a₅ = ((a₄+GG(b₄, c₄, d₄)+

m₀+ t₁₇) ≪ 5) + b4 but c_4,18changes. However, the sufficient condition “d4, 18 = 1” guarantees that GG(b_4,18, c_4,18, d_4,18) = GG(b_4,18, c^old_4,18, 0) is always equal to b_4,18. This also implies that a₅ unchanges.

4. We add the extra condition “b_4,18= 0”.

5. We compute the chaining value d₅by d₅ = ((d₄+GG(a₅, b₄, c₄)+

m₆+t₁₈) ≪ 9)+a5and c_4,18changes. But the extra condition

“b_4,18= 0” cause that GG(a_5,18, b_4,18, c_4,18) = GG(a_5,18, b_4,18, c^old_4,18) = (a5,18 → b4,18) ∧ (b4,18 → a5,18). The bit “a5,18 = 0” itself is a sufficient condition, so GG(a_5,18, b_4,18, c_4,18) = 0 → 0 un-changes. This also implies that d₅ unchanges.

6. Finally, we update the chaining value c₅ is by c₅ = ((c₄ + GG(d₅, a₅, b₄) + m₁₁ + t₁₉) ≪ 14) + d5 = (((c^old₄ ± 2¹⁷) + GG(d₅, a₅, b₄) + m₁₁ + t₁₉) ≪ 14) + d5 = c^old₅ ± 2³¹. This implies that the complement of the bit c_5,32 to occur.

– For the sufficient condition “d_6,32 = a_6,32” in the second iteration, we do the following procedure.

1. We complement the bit a3,23.

2. We add the extra conditions “d_3,23= 1” and “c_3,23 = 1”.

3. Because a₃ changes, so we use the following equations to

up-date the message words m₈, m₉, m₁₀, and m₁₂.

m₈ = ((a₃− b₂) ≫ 7) − a2− F F (b₂, c₂, d₂) − t₉ m₉ = ((d₃− a₃) ≫ 12) − d2− F F (a₃, b₂, c₂) − t₁₀

m₁₀= ((c₃− d₃) ≫ 17) − c2− F F (d₃, a₃, b₂) − t₁₁ (4.6) m₁₂= ((a₄− b₃) ≫ 7) − a3− F F (b₃, c₃, d₃) − t₁₃

4. Because a₃ also changes, we update the chaining value b₃ by b3 = ((b2 + F F (c3, d3, a3) + m11+ t12) ≪ 22) + c³. But the extra condition “c_3,23= 1” cause that F F (c_3,23, d_3,23, a_3,23) = F F (1, d_3,23, a^old_3,23) is always equal to d_3,23 and unchanges. So b₃ unchanges.

5. In equation 4.6, the extra conditions “d_3,23 = 1” cause that F F (d_3,23, a_3,23, b_2,23) = F F (1, a^old_3,23, b_2,23) = a^old_3,23. Then m₁₀= ((c₃− d₃) ≫ 17) − c2− (F F^old(d₃, a₃, b₂) ± 2²²) − t₁₁= m^old₁₀ ∓ 2²². The word d6 = ((d5 + GG(a6, b5, c5) + m10 + t22) ≪ 9)+a₆ = ((d₅+GG(a₆, b₅, c₅)+(m^old₁₀ ∓2²²)+t₂₂) ≪ 9)+a6 = d^old₆ ∓ 2³¹. This implies that the complement of the bit d_6,32 occurs.

Finally we analyze the time complexity of our improvements on multi-message modification of MD5. In the first iteration of MD5, our improvements is as efficient as Sasaki et al.’s results [SNKO05]. But the size of the set of our collision message pair is larger than Sasaki et al.’s. We also find that some

extra conditions in their multi-message modification can be erased. These extra conditions are as follows:

• The extra condition “d_3,4 = 0” for the sufficient condition “c_5,18 = 0”

[SNKO05, Table 5]. No matter what c_5,18 is, we just need to comple-ment it.

• The extra condition “a4,1 = 1” and “d1,13= 0” for the sufficient condi-tion “a_6,18 = b_5,18” [SNKO05, Table 8]. No matter what a_4,1 and d_1,13 are, we just need to complement them.

• The extra condition “a_3,23 = 0” for the sufficient condition “d_6,32 = a_6,32” [SNKO05, Table 10]. No matter what a_3,23 is, we just need to complement it.

So the size of the set of the collision message pair can be enlarged by eras-ing these four extra conditions. Because the collision searcheras-ing algorithm so far doesn’t satisfy all the sufficient conditions, they need to restart the whole collision searching algorithm many times. If we add these extra condi-tions, we must reset these extra conditions when restarting the whole collision searching algorithm. This is because that these extra conditions are broken when doing the message modification in the second round. So we need to recover them by resetting them. But other conditions, including sufficient conditions and other extra conditions, are not broken when doing the mes-sage modification in the second round. Our improvements is more efficient

than Liang and Lai’s results [LL05]. Note that the collision searching algo-rithm will restart the whole algoalgo-rithm many times. As mentioned before, the small range searching algorithm given by Liang and Lai [LL05] is less efficient than Sasaki et al.’s multi-message modification methods [SNKO05].

So in each time, a small time increase will cause that the time of finding the collision increase longer because the algorithm will execute inside the loop many times.

For the second iteration of MD5, Sasaki et al. don’t give any multi-message modification method. We combine Liang and Lai’s results [LL05]

and our improvements introduced before. We can modify for the sufficient conditions “a_5,4 = b_4,4”, “a_5,16 = b_4,16”, “a_5,18= 0”, and “d_5,30= a_5,30” by us-ing Liang and Lai’s type 1 multi-message modification methods, and for the sufficient conditions “d_5,18 = 1”, “d_5,32 = a_5,32”, “c_5,18 = 0”, “c_5,32 = d_5,32”, and “d_6,32= a_6,32” by using our own type 2 multi-message modification meth-ods. Because Sasaki et al. don’t give any multi-message modification method for the second iteration, so our improvements are more efficient than theirs.

We give 5 more type 2 multi-message modification on 5 sufficient conditions than Liang and Lai’s results for the second round. In these 5 sufficient con-ditions, Liang and Lai either use the small range searching techniques or restart the whole collision searching algorithm. So our improvements are more efficient than Liang and Lai’s results.

Chapter 5

Our Implementation on the Collision Searching Algorithm

5.1 A brief description of the