
A Study of the Collision Cryptanalysis against MD4 and MD5 (MD4和MD5碰撞攻擊之研究)

Academic year: 2021


(1) National Chiao Tung University, Institute of Computer Science and Engineering, Master's Thesis. A Study of the Collision Cryptanalysis against MD4 and MD5 (MD4 和 MD5 碰撞攻擊之研究). Student: 陳冠廷. Advisor: Professor 曾文貴. June 2006 (Republic of China year 95).

(2) A Study of the Collision Cryptanalysis against MD4 and MD5 (MD4 和 MD5 碰撞攻擊之研究). Student: Guan-Ting Chen (陳冠廷). Advisor: Wen-Guey Tzeng (曾文貴). Master's Thesis, Institute of Computer Science and Engineering, National Chiao Tung University. A Thesis Submitted to the Institute of Computer Science and Engineering, College of Computer Science, National Chiao Tung University, in partial fulfillment of the requirements for the degree of Master in Computer Science. June 2006, Hsinchu, Taiwan, Republic of China.

(3) A Study of the Collision Cryptanalysis against MD4 and MD5. Student: 陳冠廷. Advisor: Dr. 曾文貴. Institute of Computer Science and Engineering, National Chiao Tung University. Abstract (translated from Chinese). At EuroCrypt 2005, Wang et al. presented their collision attack algorithms for MD4 and MD5. Many researchers subsequently built on their results and proposed improvements to the collision attack algorithms, most of them focusing on making the message modification algorithm more efficient. In this thesis we improve the message modification algorithm. For MD5, we propose message modification methods that satisfy one sufficient condition in the first iteration and five sufficient conditions in the second iteration. For MD4, we correct some errors in the previous MD4 collision attack algorithm. We also implement the collision attack algorithms for both MD4 and MD5. Our implementation of the MD5 collision attack algorithm needs about 1.75 hours on average to find a colliding message pair. According to our experiments, the probability that our implementation finds a colliding message pair within 12 hours is 1. Keywords: collision attack, differential attack, hash, MD4, MD5, message modification, sufficient conditions.

(4) A Study of the Collision Cryptanalysis against MD4 and MD5. Student: Guan-Ting Chen. Advisor: Dr. Wen-Guey Tzeng. Institute of Computer Science and Engineering, National Chiao Tung University. Abstract. At EuroCrypt 2005, Wang et al. published their collision searching algorithms for MD4 and MD5. Many researchers followed their results and published improvements on the collision searching algorithms, many of them focusing on how to do the message modification efficiently. In this thesis, we improve the message modification techniques. We use our message modification methods to satisfy 1 sufficient condition in the first iteration and 5 sufficient conditions in the second iteration for MD5. For the MD4 collision searching algorithm, we correct the errors in the previous results. We implement the collision searching algorithm for both MD4 and MD5. Our implementation of the MD5 collision searching algorithm takes about 1.75 hours on average to give a collision pair. The success probability of finding a collision pair within 12 hours is 1 according to our experiments. Keywords: Collision Cryptanalysis, Differential Cryptanalysis, Hash, MD4, MD5, Message Modification, Sufficient Conditions.

(5) Acknowledgements. First I thank my advisor, Professor 曾文貴, who during my master's studies led me deep into the field of cryptography, from which I benefited greatly. I also thank the members of my oral examination committee, Professor 蔡錫鈞 of NCTU Computer Science and Professor 呂及人 of the Institute of Information Science, Academia Sinica, for their many suggestions and guidance on the thesis, which made it more complete. Besides them, I thank my lab senior 成康 for his guidance, and my labmate 君偉 and 漢璋 of Professor 陳榮傑's cryptographic theory laboratory (Computer Science class of 92) for their help; discussing and learning together with you was a pleasure. I thank my roommate 哲瑩 for suggestions and help with the programs, and all the partners who worked with me at the department's computer center and learned with me in the laboratory for their moral encouragement. Finally, I thank my parents, my younger brother, my uncle and aunt, who gave me great support, both moral and material, so that I could complete my studies without worries. I have received so much from others and given so little; there are too many people to thank to list them all, so let me simply thank heaven.

(6) Contents
1 Introduction 1
2 Description of The Hash Algorithms 6
2.1 Hash Functions 6
2.2 The Compression Function of MD4 10
2.3 The Compression Function of MD5 12
3 Review of Wang et al.'s Attack on MD4 and MD5 15
3.1 Collision Differentials 15
3.2 Sufficient Conditions 18
3.3 Message Modification 19
3.4 Collision Searching Algorithm 21
4 Some Improvements on Message Modification 23
4.1 Previous Results 24
4.2 Our Improvements 33
4.2.1 The Improvements on MD4 33
4.2.2 The Improvements on MD5 38

(7) 5 Our Implementation on the Collision Searching Algorithm 48
5.1 A Brief Description of the Implementation 48
5.2 Analysis of Our Implementation 58
5.2.1 Correctness Analysis 58
5.2.2 Performance Analysis 59
6 Conclusions 61

(8) List of Tables
4.1 The successful probability that some sufficient conditions are not fulfilled 38
5.1 The Execution Time of the Experiments 60

(9) Chapter 1 Introduction. Cryptographic hash functions are an important primitive in cryptographic applications. Many cryptographic schemes, such as digital signatures, MACs, authentication, certificates, IBE, and so on, use hash functions as internal subroutines of the whole scheme. Some of these schemes are proven secure by assuming that the underlying hash function is a truly random function; this is called the random oracle model. But some studies show that the security of a scheme under the random oracle model is not guaranteed once its underlying hash function is not a truly random function. These studies do not find real-world insecurity in existing schemes that are proven secure under the random oracle model. Instead, they give counterexamples showing that schemes proven secure under the random oracle model are not secure if the random oracle is replaced by a real hash function such as SHA-1, not a

(10) truly random function [CGH98, CGH04]. Goldwasser and Kalai [GK03] find that the security of the Fiat-Shamir transformation, which transforms secure 3-round public-coin identification schemes into digital signature schemes, is not guaranteed even though the methodology is proven secure under the random oracle model. Therefore we cannot ignore the real structure of hash functions and simply treat them as black-box truly random functions. A cryptographic scheme that uses an insecure hash function as an internal subroutine may itself be insecure [LWdW05, Mik04, LdW05]. So many researchers do their best to re-evaluate the security of the existing cryptographic hash algorithms and to study how to design secure ones. There are many existing hash functions, such as MD2 [Kal92], MD4 [Riv90, Riv92a], MD5 [Riv92b], RIPEMD-128 and RIPEMD-160 [DBP96], HAVAL [ZPS92], SHA-1 [FIP95], SHA-256 and SHA-512 [FIP02], Whirlpool [RB00], and so on. Before these hash functions were proposed, hash functions were constructed from block ciphers. Generally speaking, block cipher encryption and decryption is less efficient than the compression of a hash function on the same message (or plaintext). If a large file is transferred from Alice to Bob over 100M Ethernet, the time to compute a block-cipher-based hash value of the file will exceed the transmission time. We want the hash value to be computed as fast as possible to keep up with the transmission speed of the Ethernet. Nowadays, when we download files from an FTP or Web site, these files usually come with their hash values

(11) or PGP digital signatures, which also use cryptographic hash functions internally, for file integrity. Because hash values are computed so heavily, the efficiency of computing them is very important, and MD2 was not used widely because of its inefficiency. Besides that, some researchers [RC97, Mul04, KM05] have shown MD2 to be insecure. MD4 is an early hash function designed for modern computers and intended to replace MD2. All MD4 operations are basic arithmetic and Boolean operations on 32-bit words, which modern computers execute efficiently, so the MD4 hash value can be computed fast on modern computers. This type of hash function, referred to as a dedicated hash function, is quite different from the traditional design of block-cipher-based hash functions. Generally speaking, the computational cost of a block cipher is much larger than that of a dedicated hash function. After MD4 was published, many new dedicated hash functions, such as MD5, HAVAL, RIPEMD, RIPEMD-160, SHA-1, etc., followed the design of MD4. Among these hash functions, MD5 and SHA-1 are the most widely used. On the other hand, some research evaluates the security of the existing hash functions. Some focus on the Merkle-Damgård structure that is widely used in many hash functions; some check whether the compression function is secure. After the publication of MD4 and the dedicated hash functions derived from it, many researchers started to analyze them. Recently, Wang et al. gave collision searching algorithms for MD4 [WLF+05], MD5 [WY05], and

(12) SHA-1 [WYY05]. The time complexity of their collision searching algorithms for MD4 and MD5 is small enough to run on modern PCs. After the publication of their research on MD4 and MD5 collisions, some researchers [NSKO05, HPR04, Kli05b, Kli05a, SNKO05, LL05] subsequently published results based on Wang et al.'s. Some implementations of the collision searching algorithms have also been given [Sta05a, Sta05b]. By our study, it is still possible to improve the previous collision searching algorithms. In this thesis, we give some techniques for speeding up the collision searching algorithms. Although Wang et al.'s results [WLF+05, WY05] and the subsequent results [NSKO05, HPR04, Kli05b, Kli05a, SNKO05, LL05] are sufficient, there is still something that can be improved. Most improvements to the collision searching algorithms for MD4 and MD5 focus on message modification, which we introduce in Chapter 4. We improve the message modification techniques to ensure that more sufficient conditions are fulfilled. According to our research, there are errors in Naito et al.'s results [NSKO05] for the MD4 collision searching algorithm, and we give some message modification methods to correct them. For the MD5 collision searching algorithm, we give message modification methods to satisfy the sufficient condition $c_{5,32} = d_{5,32}$ in the first iteration and the sufficient conditions $d_{5,18} = 1$, $d_{5,32} = a_{5,32}$, $c_{5,18} = 0$, $c_{5,32} = d_{5,32}$, and $d_{6,32} = a_{6,32}$ in the second iteration. Sasaki et al. also give a message modification method for the sufficient condition $c_{5,32} = d_{5,32}$ in the

(13) first iteration [SNKO05], but their method reduces the size of the set of candidate collision pairs too much. We then implement the collision searching algorithms for both MD4 and MD5; it takes about 1.75 hours on average to produce an MD5 collision pair, and the success probability of finding a collision pair within 12 hours is 1 according to our experiments.

The Organization of the Thesis. In Chapter 2, we give an introduction to hash functions, MD4 and MD5. In Chapter 3, we review the collision searching algorithms for MD4 and MD5 given by Wang et al. In Chapter 4, we introduce the previous results on message modification techniques and give our own improvements on them. In Chapter 5, we give an introduction to our implementation for MD5 and analyze it. Finally, we conclude this thesis in Chapter 6.

(14) Chapter 2 Description of The Hash Algorithms

2.1 Hash Functions

A cryptographic hash function $F$ with a $k$-bit output is a function that accepts an input $M \in \{0,1\}^*$ of arbitrary length and outputs a fixed-length value $H \in \{0,1\}^k$. We say that $H$ is the hash value of the input message $M$ under the hash function $F$. A cryptographic hash function must satisfy at least the following three basic security requirements:

• Preimage Resistance: Given a randomly chosen image $H \in \{0,1\}^k$, there is no probabilistic polynomial-time adversary with fewer than about $2^k$ computations that outputs a value $M$ such that $F(M) = H$ with non-negligible probability with respect to the output size $k$. If the hash function $F$ satisfies this security requirement, we also say that $F$ is a one-way hash function.

(15) • Second Preimage Resistance: Given a randomly chosen value $M$, there is no probabilistic polynomial-time adversary with fewer than about $2^k$ computations that outputs another $M'$, $M' \neq M$, such that $F(M) = F(M')$ with non-negligible probability with respect to the output size $k$.

• Collision Resistance: There is no probabilistic polynomial-time adversary with fewer than about $2^{k/2}$ computations that finds $M$ and $M'$, $M \neq M'$, such that $F(M) = F(M')$ with non-negligible probability with respect to the output size $k$. The value $2^{k/2}$ is the theoretical lower bound of the birthday attack, assuming the hash function $F$ is balanced over its image.

The above three properties are the minimal security requirements for cryptographic hash functions. There are further security requirements on hash functions in other specific cryptographic applications. Note that breaking the second preimage resistance property is more difficult than breaking the collision resistance property, but there is no reduction relation between preimage resistance and second preimage resistance. Many existing cryptographic hash functions are iterated hash functions built from compression functions. We denote the compression function as $f$, and its input and output as $x$ and $y$, respectively. The lengths of $x$ and $y$ are always fixed, with $|x| > |y|$. But the input length of $F$ is arbitrary, so $F$ needs to call the compression function $f$ many times to compute the hash value.

(16) Many existing cryptographic hash functions use the Merkle-Damgård construction [Dam89, Mer89] as their iterative structure. To compute the hash value $H$ of the message $M$, we proceed as follows:

1. We pad the message $M$ according to its padding algorithm. For brevity, we also denote the padded message as $M$. After padding, $|M|$ is an integer multiple of $|x| - |y|$ bits.
2. We divide $M$ into $n$ blocks, each of size $|x| - |y|$, where $n = |M| / (|x| - |y|)$. We denote the $i$th block of $M$ as $M_i$, so $M = M_1 || M_2 || \ldots || M_{n-1} || M_n$.
3. We compute the hash values with the recursive equation $y_i = f(y_{i-1} || M_i)$ for $i = 1$ to $n$, where $y_0 = \mathrm{IV}$.
4. Finally, $H = y_n$ is the hash value of $M$ under the hash function $F$.

In step 3 of the above computation of $H$, IV, the initial value, is a fixed value chosen by the designer of the hash function. In step 1, we note that the padding algorithm can be separated from the Merkle-Damgård construction of the hash function, as long as the sender and the receiver both know the padding algorithm. Many padding algorithms used in block ciphers, such as RC5-CBC-PAD [BR96], random padding, the padding for ESP [Ken05, Page 15], and so on, can be used in hash functions. In a block cipher, when the ciphertext

(17) is decrypted, the padding must be removed to recover the original plaintext, so the padding algorithm must be invertible. Unlike block cipher padding, the padding algorithms of hash functions need not be invertible, because the original message $M$ is a plaintext known to both the sender and the receiver. The padding can also be a checksum of the message $M$ or something else. A checksum is also a hash value, but not a cryptographic one: checksum algorithms are much more efficient than cryptographic hash functions, but they need not satisfy the three basic security requirements of cryptographic hash functions, and their output length is usually shorter. Nowadays, in many hash functions that use the Merkle-Damgård structure, such as MD4, MD5, SHA-1 and so on, the string $1\,0^{\,|x|-|y|-((|M|+1) \bmod (|x|-|y|))}$ is appended, and the length of the unpadded message then also appears in the last block after the padding. Actually, cryptographic hash functions are similar (but not identical) to block ciphers in many respects. For a long message, we partition it into several blocks and then use the block cipher, such as DES, RC5, or AES, to encrypt each block. There are many modes of operation, such as ECB, CBC, CFB, OFB, and so on, used when encrypting or decrypting long messages with a block cipher. We can likewise see the Merkle-Damgård construction as the mode of operation used in cryptographic hash functions.

(18) One may write $h_i = f(h_{i-1}, m_{i-1})$ for the computation of the compression function instead of $y_i = f(y_{i-1} || M_{i-1})$. In this notation we also call $h_{i-1}$ the initial value, $h_i$ the hash value and $m_{i-1}$ the message block of the compression function $f$ in this (the $i$th) iteration. In the following, we use $h_i = f(h_{i-1}, m_{i-1})$ to denote the computation of the compression function, for brevity.

2.2 The Compression Function of MD4

In this section, we denote the input of the compression function of the message digest algorithm MD4 in the current iteration as $(h, m)$, where $h$ and $m$ are the initial value and the message block of the compression function, respectively. In the MD4 specification, $h$ consists of 4 words, i.e., $h = a_0 || b_0 || c_0 || d_0$, where $a_0$, $b_0$, $c_0$ and $d_0$ are 32-bit words. The message block $m$ consists of 16 words, $m = m_0 || m_1 || \ldots || m_{15}$, where each $m_i$ is a 32-bit word for $0 \le i \le 15$. Some internal values are used during the computation of the compression function of MD4; in this thesis we call these internal values chaining values, abbreviated CV. In MD4, four registers store the CVs, and we denote them $a$, $b$, $c$, and $d$. Given the input $(m, h)$, we set $(a, b, c, d) = (a_0, b_0, c_0, d_0)$, and the output of the compression function is computed as follows:

$\Sigma_i = a + \phi_i(b, c, d) + w_i + t_i,\quad a = \Sigma_i \lll s_i$ if $i \bmod 4 = 1$

(19) $\Sigma_i = d + \phi_i(a, b, c) + w_i + t_i,\quad d = \Sigma_i \lll s_i$ if $i \bmod 4 = 2$
$\Sigma_i = c + \phi_i(d, a, b) + w_i + t_i,\quad c = \Sigma_i \lll s_i$ if $i \bmod 4 = 3$
$\Sigma_i = b + \phi_i(c, d, a) + w_i + t_i,\quad b = \Sigma_i \lll s_i$ if $i \bmod 4 = 0$
for $i = 1$ to $48$.

In the above equations, the $s_i$ are step-dependent constants, the $w_i$ are chosen from $m_0, \ldots, m_{15}$ according to the step $i$, the $t_i$ are round-dependent constants, and the $\phi_i$ are round-dependent Boolean functions. All variables used in the above steps are 32-bit words, the addition operation is in the group $\mathbb{Z}_{2^{32}}$, and the operation "$\lll$" is the cyclic left rotation on 32-bit words. We divide the 48 steps of the compression function into 3 rounds of 16 steps each. The round-dependent Boolean functions are defined as follows:

$\phi_i(X, Y, Z) = FF(X, Y, Z) = (X \wedge Y) \vee (\neg X \wedge Z)$ for $1 \le i \le 16$
$\phi_i(X, Y, Z) = GG(X, Y, Z) = (X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z)$ for $17 \le i \le 32$
$\phi_i(X, Y, Z) = HH(X, Y, Z) = X \oplus Y \oplus Z$ for $33 \le i \le 48$

Finally, the hash value of the compression function $f$ is $(a_0 + a) || (b_0 + b) || (c_0 + c) || (d_0 + d)$, where the addition is again in the group $\mathbb{Z}_{2^{32}}$. Later, we denote by $a_i$ the $i$th update of register $a$, i.e., we denote the $j$th update of the chaining value as $a_{\lceil j/4 \rceil}$ if $j \bmod 4 = 1$, and $b_i$, $c_i$, and

(20) $d_i$ are defined similarly.

2.3 The Compression Function of MD5

MD4 and MD5 are both dedicated hash functions, and MD5 is the strengthened version of MD4, obtained with small modifications of the MD4 algorithm. MD5 was designed to replace MD4 and is still widely used. So the compression function of MD5 is similar to that of MD4 except for a few differences, which we point out later in this section. In this section, we again denote the input of the compression function of the message digest algorithm MD5 in the current iteration as $(h, m)$, where $h$ and $m$ are the initial value and the message block of the compression function, respectively. Like MD4, in the MD5 specification $h$ consists of 4 words, i.e., $h = a_0 || b_0 || c_0 || d_0$, where $a_0$, $b_0$, $c_0$ and $d_0$ are 32-bit words. The message block $m$ also consists of 16 words, $m = m_0 || m_1 || \ldots || m_{15}$, where each $m_i$ is a 32-bit word for $0 \le i \le 15$. Four registers store the CV, and we denote them $a$, $b$, $c$, and $d$. Given the input $(m, h)$, we set $(a, b, c, d) = (a_0, b_0, c_0, d_0)$, and the output of the compression function is computed as follows:

$\Sigma_i = a + \phi_i(b, c, d) + w_i + t_i,\quad a = b + (\Sigma_i \lll s_i)$ if $i \bmod 4 = 1$
$\Sigma_i = d + \phi_i(a, b, c) + w_i + t_i,\quad d = a + (\Sigma_i \lll s_i)$ if $i \bmod 4 = 2$
$\Sigma_i = c + \phi_i(d, a, b) + w_i + t_i,\quad c = d + (\Sigma_i \lll s_i)$ if $i \bmod 4 = 3$
$\Sigma_i = b + \phi_i(c, d, a) + w_i + t_i,\quad b = c + (\Sigma_i \lll s_i)$ if $i \bmod 4 = 0$
for $i = 1$ to $64$.

(21) In the above equations, the $s_i$ are step-dependent constants, the $w_i$ are chosen from $m_0, \ldots, m_{15}$ according to the step $i$, and the $\phi_i$ are round-dependent Boolean functions. All variables used in the above steps are 32-bit words, the addition operation is in the group $\mathbb{Z}_{2^{32}}$, and the operation "$\lll$" is the cyclic left rotation on 32-bit words. But note that, unlike MD4, the $t_i$ are step-dependent constants, not round-dependent constants: there are 64 different $t_i$ for $i = 1$ to $64$ in the whole MD5 compression function, whereas in MD4 there are only 3 different $t_i$ for $i = 1$ to $48$. There are 64 steps in total in the compression function of MD5, not 48. Each step computation also differs slightly between MD4 and MD5: the computation of $\Sigma_i$ is the same, but when updating the register of the chaining value, MD5 also adds the most recently updated chaining value, again in the group $\mathbb{Z}_{2^{32}}$. Here we divide the 64 steps of the compression function into 4 rounds of 16 steps each, as in MD4. The round-dependent Boolean functions are defined as follows:

$\phi_i(X, Y, Z) = FF(X, Y, Z) = (X \wedge Y) \vee (\neg X \wedge Z)$ for $1 \le i \le 16$
$\phi_i(X, Y, Z) = GG(X, Y, Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$ for $17 \le i \le 32$
$\phi_i(X, Y, Z) = HH(X, Y, Z) = X \oplus Y \oplus Z$ for $33 \le i \le 48$
$\phi_i(X, Y, Z) = II(X, Y, Z) = Y \oplus (X \vee \neg Z)$ for $49 \le i \le 64$

(22) Here we observe that the round-dependent Boolean functions $\phi_i$ of MD5 are not all the same as those of MD4. Finally, the hash value of the compression function $f$ is $(a_0 + a) || (b_0 + b) || (c_0 + c) || (d_0 + d)$, where the addition is again in the group $\mathbb{Z}_{2^{32}}$. We stress that without the final step (adding the initial values $a_0$, $b_0$, $c_0$, and $d_0$ to the registers $a$, $b$, $c$, and $d$), the whole computation of MD4 and MD5 is not one-way given the message block $m$, since every step is then invertible. As for MD4, we denote by $a_i$ the $i$th update of register $a$, and $b_i$, $c_i$, and $d_i$ are defined similarly.
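The following is an added example, not code from the thesis or from the authors' implementation. It writes MD4 and MD5 directly from the step equations of Sections 2.2 and 2.3 and iterates them with the Merkle-Damgård padding of Section 2.1 (a 1 bit, zero bits, then the 64-bit little-endian bit length in the last block), so that the register-rotation form of the equations, the three MD4 round constants versus the 64 MD5 step constants, and the extra "add the previous register" term of MD5 can be seen side by side. MD5 is checked against hashlib; MD4 is checked against the RFC 1320 test vectors, because hashlib need not provide md4. The name IV is the standard initial value of both algorithms.

```python
# Added example (not the thesis's code): MD4 and MD5 from the step equations
# of Sections 2.2 and 2.3, iterated with Merkle-Damgard padding (Section 2.1).
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # a0, b0, c0, d0

def rotl(x, s):
    """Cyclic left rotation of a 32-bit word (the <<< of the thesis)."""
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(msg):
    """Merkle-Damgard strengthening: 0x80, zeros up to 56 mod 64, bit length."""
    bitlen = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    msg = msg + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    return msg + struct.pack("<Q", bitlen)

# Round-dependent Boolean functions phi_i. MD4 and MD5 share FF and HH;
# MD4's GG is the majority function, MD5 has its own GG and II.
def FF(x, y, z): return (x & y) | (~x & z)
def GG4(x, y, z): return (x & y) | (x & z) | (y & z)
def GG5(x, y, z): return (x & z) | (y & ~z)
def HH(x, y, z): return x ^ y ^ z
def II(x, y, z): return y ^ (x | ~z)

# MD4: message word w_i used at step i, the three round constants t_i,
# and the step shifts s_i per round.
MD4_W = (list(range(16))
         + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
         + [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
MD4_T = (0x00000000, 0x5A827999, 0x6ED9EBA1)
MD4_S = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))

# MD5: 64 distinct step constants t_i, shifts per round, word index per step.
MD5_T = tuple(int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64))
MD5_S = ((7, 12, 17, 22), (5, 9, 14, 20), (4, 11, 16, 23), (6, 10, 15, 21))

def md5_w(i):
    """Index of the message word used in MD5 step i (0-based)."""
    return (i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16)[i // 16]

def md4_compress(h, block):
    """One MD4 compression: 48 steps, then feed-forward of the initial value."""
    a, b, c, d = h
    m = struct.unpack("<16I", block)
    for i in range(48):
        r = i // 16
        sigma = (a + (FF, GG4, HH)[r](b, c, d) + m[MD4_W[i]] + MD4_T[r]) & MASK
        # The updated register cycles a, d, c, b; rotating the tuple keeps
        # every step in the "a + phi(b, c, d)" form used by the thesis.
        a, b, c, d = d, rotl(sigma, MD4_S[r][i % 4]), b, c
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d)))

def md5_compress(h, block):
    """One MD5 compression: as MD4, but the previous register is added in."""
    a, b, c, d = h
    m = struct.unpack("<16I", block)
    for i in range(64):
        r = i // 16
        sigma = (a + (FF, GG5, HH, II)[r](b, c, d) + m[md5_w(i)] + MD5_T[i]) & MASK
        a, b, c, d = d, (b + rotl(sigma, MD5_S[r][i % 4])) & MASK, b, c
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d)))

def iterate(msg, compress):
    """Merkle-Damgard iteration h_i = f(h_{i-1}, m_{i-1}) over the padded message."""
    padded = pad(msg)
    h = IV
    for off in range(0, len(padded), 64):
        h = compress(h, padded[off:off + 64])
    return struct.pack("<4I", *h).hex()

def md4(msg): return iterate(msg, md4_compress)
def md5(msg): return iterate(msg, md5_compress)

def md5_matches_hashlib(msg):
    """Cross-check of this MD5 against the library implementation."""
    return md5(msg) == hashlib.md5(msg).hexdigest()

if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 1000):
        assert md5_matches_hashlib(sample)
    print("md4('abc') =", md4(b"abc"))
    print("md5('abc') =", md5(b"abc"))
```

The two compression functions differ only in the tables and in the `b + rotl(...)` term of MD5, which is exactly the difference the section describes; everything else, including the padding and the feed-forward addition of the initial value, is shared.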

(23) Chapter 3 Review of Wang et al.'s Attack on MD4 and MD5

3.1 Collision Differentials

The attacks given by Wang et al. on MD4 and MD5 are differential attacks whose differential is taken with respect to the addition operation of the group $\mathbb{Z}_{2^{32}}$. They focus on the flaw of the compression function, not on the whole hash function. Both MD4 and MD5 use the Merkle-Damgård construction as their iterative hash structure, and the block that encodes the original length of the message is always padded as the last block of the input of the hash function. So Wang et al. look for an equal-length collision pair, for which the padded strings are the same. By the Merkle-Damgård construction, if the hash values of the original messages are the same, then the hash values of the padded messages are also the same. In other words, Wang et al. give messages $(M, M')$ with $|M| = |M'|$, and the same padding $\hat{M}$ is appended to $M$ and $M'$. Here we denote the padded messages of $M$ and $M'$ as $\tilde{M} = M || \hat{M}$ and $\tilde{M}' = M' || \hat{M}$, respectively.

(24) We set $n = |M|/r = |M'|/r$ and $\tilde{n} = |\tilde{M}|/r = |\tilde{M}'|/r = n + 2$, where $r$ is the size of the message block in each iteration of the compression function; the length of $M$ or $M'$ is always an integer multiple of $r$ bits because Wang et al. focus on the compression function. By the description of the Merkle-Damgård construction in the previous chapter, the hash values in the $n$th iteration of the computation on the original messages $M$ and $M'$ are $h_n = f(h_{n-1}, M_n)$ and $h'_n = f(h'_{n-1}, M'_n)$, respectively. The messages given by Wang et al. make $h_n = h'_n$, and the remaining blocks of $\tilde{M}$ and $\tilde{M}'$ are the same, so the final hash values are the same.

For MD4, they want a collision pair $(M, M')$, where $M$ and $M'$ are both of one message block size (512 bits), such that

$\Delta h_0 = 0 \xrightarrow{\Delta M} \Delta h_1 = 0$

where $\Delta M = M' - M = \Delta m_0 || \Delta m_1 || \ldots || \Delta m_{15} = (m'_0 - m_0) || (m'_1 - m_1) || \ldots || (m'_{15} - m_{15})$, and

$\Delta m_1 = 2^{31}$, $\Delta m_2 = 2^{31} - 2^{28}$, $\Delta m_{12} = -2^{16}$, and $\Delta m_i = 0$ for $0 \le i \le 15$, $i \ne 1, 2, 12$.

For MD5, they want a two-block message pair $(M, M')$, where $M = M_1 || M_2$ and $M' = M'_1 || M'_2$. The differential path across the compression functions is

$\Delta h_0 = 0 \xrightarrow{\Delta M_1} \Delta h_1 \xrightarrow{\Delta M_2} \Delta h_2 = 0$

(25) where $\Delta M_1 = M'_1 - M_1 = \Delta m_{1,0} || \Delta m_{1,1} || \ldots || \Delta m_{1,15} = (m'_{1,0} - m_{1,0}) || (m'_{1,1} - m_{1,1}) || \ldots || (m'_{1,15} - m_{1,15})$ with

$\Delta m_{1,4} = 2^{31}$, $\Delta m_{1,11} = 2^{15}$, $\Delta m_{1,14} = 2^{31}$, and $\Delta m_{1,i} = 0$ for $0 \le i \le 15$, $i \ne 4, 11, 14$,

and $\Delta M_2 = M'_2 - M_2 = \Delta m_{2,0} || \Delta m_{2,1} || \ldots || \Delta m_{2,15} = (m'_{2,0} - m_{2,0}) || (m'_{2,1} - m_{2,1}) || \ldots || (m'_{2,15} - m_{2,15})$ with

$\Delta m_{2,4} = 2^{31}$, $\Delta m_{2,11} = -2^{15}$, $\Delta m_{2,14} = 2^{31}$, and $\Delta m_{2,i} = 0$ for $0 \le i \le 15$, $i \ne 4, 11, 14$.

The differential value is $\Delta h_1 = (2^{31},\ 2^{31} + 2^{25},\ 2^{31} + 2^{25},\ 2^{31} + 2^{25})$. In all the equations of this section, each message block differential is composed of its word differentials. Wang et al. give a differential path of the chaining values during the computation of the compression function in [WLF+05, Table 5] for MD4 and in [WY05, Tables 3 and 5] for MD5. With this differential path of the chaining values, two messages $M$ and $M'$ with the message differential described above collide if the differential of their chaining values is the same as Wang et al.'s. But note that a colliding message pair does not always satisfy the message differential and the internal chaining-value differential given by Wang et al. As in the differential cryptanalysis of DES, one always uses the differential path (in DES, one may call it the input differential and output differential of each round's subkey encryption) that one thinks

(26) is the most useful for the attack. Wang et al. give a differential path that lets them find a collision pair fast.

3.2 Sufficient Conditions

Given only the differential path, it is not practical to find collision pairs. So Wang et al. also give sufficient conditions, in [WLF+05, Table 6] and [WY05, Tables 4 and 6] for MD4 and MD5 respectively, derived from their differential path. That is, if a randomly chosen message $M$ satisfies all the sufficient conditions, then the differential of the chaining values of $M$ and $M' = M + \Delta M$ during the computation of the compression function equals the one given by Wang et al. In other words, the sufficient conditions on the message $M$ guarantee that the differential path of the message pair $M$ and $M'$ is the same as Wang et al.'s. With the sufficient conditions, we can focus on the message $M$ itself instead of the collision pair $(M, M')$: we now want to find a message $M$ that satisfies all the sufficient conditions given by Wang et al., and if $M$ satisfies all of them, then $M' = M + \Delta M$ and $M$ collide. Note that the sufficient conditions can be computed by anyone who knows the differential path; the sufficient conditions given by Wang et al. are likewise computed from the differential path they give. Some papers posted on ePrint point out that the sufficient conditions given by Wang et al. are not sufficient and can be relaxed [YS05, LL05, SNY+06].

(27) They find some messages $M$ that satisfy all the sufficient conditions given by Wang et al. but for which $M' = M + \Delta M$ and $M$ do not collide, because the differential path of the chaining values during the computation of the compression function on $M$ and $M'$ is not the same as Wang et al.'s. So the probability that $M$ and $M'$ collide is not always 1 in this situation.

3.3 Message Modification

Given the sufficient conditions of Wang et al., the probability that a randomly chosen message $M$ satisfies all of them is very small. So we want the message $M$ to satisfy more sufficient conditions, to increase the probability that $M$ satisfies all of them. Thus, given a randomly chosen message $M$, we need to modify it so that it satisfies some sufficient conditions. We introduce here the message modification techniques that modify the randomly chosen message $M$ to increase the probability that $M$ satisfies all the sufficient conditions.

Single-Message Modification. In MD4 and MD5, each word of the message block is used exactly once during the computation of the first round of the compression function. So we can easily modify the message so that it satisfies all the sufficient conditions in the first round. But there are also many sufficient conditions beyond the first round. If we ignore these sufficient conditions, the collision searching algorithm is not efficient enough and may

(28) cost much more time to find a collision pair. So we also need to modify the message $M$ so that it satisfies more sufficient conditions. Making the message satisfy sufficient conditions not only in the first round but outside it requires a trickier technique, multi-message modification.

Multi-Message Modification. Because some message words are used more than once during the computation after the first round, we cannot trivially modify a message word to satisfy sufficient conditions on two or more chaining values at the same time. So we need to think more deeply about the compression function and the sufficient conditions and give definite modification methods that let the message satisfy as many sufficient conditions as possible. The more sufficient conditions the message satisfies, the lower the time complexity of the collision searching algorithm for the hash function MD4 or MD5. Much recent research focuses on how to let the chaining values of the message $M$ during the computation of the compression function satisfy more sufficient conditions at the same time, and gives many multi-message modification techniques to achieve this goal. We introduce these techniques in more depth in Chapter 4.
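The following added example (not code from the thesis) implements the first round of MD4 from Section 2.2 and uses it for two things from this chapter. First, it applies Wang et al.'s MD4 message differential $\Delta M$ of Section 3.1 to a block and reports the modular differences $v'_i - v_i$ of the sixteen first-round chaining values, which shows how a single-bit modular difference in a message word turns, through the rotation, into a data-dependent signed difference in a chaining value (the kind of behaviour the sufficient conditions of Section 3.2 pin down). Second, it performs the single-message modification of Section 3.3: because every message word is used exactly once in round 1, a chosen bit of the chaining value produced at step $i$ is forced by inverting the step equation and recomputing $m_{i-1}$, which leaves all earlier chaining values untouched. The bit condition forced in the demonstration is illustrative only; it is not one of Wang et al.'s sufficient conditions, and the sample block is constructed here. Bits follow the thesis's 1-based notation $v_{i,j}$ with $j = 32$ the most significant bit.

```python
# Added example (not the thesis's code): MD4 round 1 (Section 2.2), Wang et
# al.'s MD4 delta-M (Section 3.1), and single-message modification (3.3).
import os
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
S1 = (3, 7, 11, 19)          # MD4 round-1 shifts; t_i = 0 in round 1

def rotl(x, s): return ((x << s) | (x >> (32 - s))) & MASK
def rotr(x, s): return ((x >> s) | (x << (32 - s))) & MASK
def FF(x, y, z): return (x & y) | (~x & z)

def step(state, word, i):
    """MD4 round-1 step i (0-based): returns the rotated register tuple and
    the chaining value just computed."""
    a, b, c, d = state
    v = rotl((a + FF(b, c, d) + word) & MASK, S1[i % 4])
    return (d, v, b, c), v

def round1_trace(m):
    """Chaining values v_1..v_16 of round 1 (a_1, d_1, c_1, b_1, a_2, ...)."""
    state, trace = IV, []
    for i in range(16):
        state, v = step(state, m[i], i)
        trace.append(v)
    return trace

def bit(v, j):
    """Bit j of a 32-bit word in the thesis's 1-based notation (32 = MSB)."""
    return (v >> (j - 1)) & 1

# Wang et al.'s MD4 block differential (Section 3.1): delta m_1 = 2^31,
# delta m_2 = 2^31 - 2^28, delta m_12 = -2^16, all other words unchanged.
DELTA_M = {1: 2**31, 2: 2**31 - 2**28, 12: -2**16}

def apply_delta(m):
    """M' = M + delta-M, word-wise modulo 2^32."""
    return [(w + DELTA_M.get(i, 0)) & MASK for i, w in enumerate(m)]

def chaining_diffs(m):
    """Modular differences v'_i - v_i (mod 2^32) of the round-1 chaining
    values between M and M' = M + delta-M."""
    t, t2 = round1_trace(m), round1_trace(apply_delta(m))
    return [(y - x) & MASK for x, y in zip(t, t2)]

def modify_word(m, i, j, value):
    """Single-message modification: change m_{i-1} so that bit j of the
    chaining value computed at step i (1 <= i <= 16) equals `value`.
    Steps before i never see m_{i-1}, so their chaining values are unchanged."""
    state = IV
    for k in range(i - 1):                      # replay the steps before i
        state, _ = step(state, m[k], k)
    a, b, c, d = state
    s = S1[(i - 1) % 4]
    v = rotl((a + FF(b, c, d) + m[i - 1]) & MASK, s)
    v = (v & ~(1 << (j - 1))) | (value << (j - 1))    # force the bit
    m = list(m)
    m[i - 1] = (rotr(v, s) - a - FF(b, c, d)) & MASK   # invert the step
    return m

def random_block():
    return list(struct.unpack("<16I", os.urandom(64)))

# Constructed, deterministic sample block for the demonstration.
SAMPLE = [(0x9E3779B9 * (k + 1)) & MASK for k in range(16)]

if __name__ == "__main__":
    mod = modify_word(SAMPLE, 5, 7, 1)             # illustrative: a_{2,7} = 1
    print("a_2 bit 7 after modification:", bit(round1_trace(mod)[4], 7))
    for i, dv in enumerate(chaining_diffs(random_block()), start=1):
        print(f"step {i:2d}: v' - v = {dv:#010x}")
```

Step 1 shows no difference, because $m_0$ and the initial value are the same for $M$ and $M'$. At step 2 the difference $2^{31}$ in $m_1$ flips the top bit of $\Sigma_2$, and the rotation by 7 moves it to bit 7 of $d_1$, so $d'_1 - d_1$ is $+2^6$ or $-2^6$ depending on the value of that bit in $d_1$; from step 3 on, the Boolean function and the carries make the differences depend on the message. The multi-message modification of Chapter 4 is needed precisely because this inversion trick only works while each word is used once.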

(29) 3.4 Collision Searching Algorithm

With the introduction in the previous sections of this chapter, we summarize the collision searching algorithms as follows.

MD4 Collision Searching Algorithm:
1. Randomly choose a message block $M$.
2. Modify the message $M$ by the message modification techniques.
3. For all the sufficient conditions that cannot be satisfied by the message modification techniques, check whether the chaining values during the computation of the compression function on $M$ satisfy them. If they do not, randomly choose new $m_{14}$ and $m_{15}$ of $M$ and go back to step 2.
4. Finally, if the message $M$ satisfies all the sufficient conditions, $M' = M + \Delta M$ and $M$ collide.

MD5 Collision Searching Algorithm:
1. Randomly choose a message block $M_1$.
2. Modify the message $M_1$ by the message modification techniques.
3. For all the sufficient conditions that cannot be satisfied by the message modification techniques, check whether the chaining values during the computation of the compression function on $M_1$ satisfy them. If they do not, randomly choose new $m_{1,14}$ and $m_{1,15}$ of $M_1$ and go back to step 2.

(30) 4. Randomly choose a message block $M_2$.
5. Modify the message $M_2$ by the message modification techniques.
6. For all the sufficient conditions that cannot be satisfied by the message modification techniques, check whether the chaining values during the computation of the compression function on $M_2$ satisfy them. If they do not, randomly choose new $m_{2,14}$ and $m_{2,15}$ of $M_2$ and go back to step 5.
7. Finally, if the message $M = M_1 || M_2$ satisfies all the sufficient conditions, $M' = M'_1 || M'_2 = (M_1 + \Delta M_1) || (M_2 + \Delta M_2)$ and $M$ collide.

Chapter 4 Some Improvements on Message Modification

After Wang et al. published the papers on the collision cryptanalysis of MD4 and MD5 [WLF+05, WY05], many cryptographic researchers studied how to improve the performance of the collision searching algorithms. Much of this work focuses on improving the multi-message modification techniques, using the corrected sufficient conditions derived from the same differential paths given by Wang et al. In this chapter we introduce their results so far and give our own improvements.

We use the success probability, instead of the number of computations of the compression function, to measure and compare the time complexity of the multi-message modification results below. The success probability is computed from the number of sufficient conditions that the multi-message modification technique leaves unsatisfied. In other words, the more sufficient conditions a multi-message modification fulfills, the more efficient it is.

4.1. Previous Results

Many of the results of Wang et al. on finding collisions of MD4 and MD5 are ambiguous: only a rough description is given, and the reasoning behind it is not explained. For the message modification techniques they also give only a very rough method. If one follows their multi-message modification methods to find a collision of MD4, one cannot find any collision at all. This was observed by Naito et al. in their study of the collision searching algorithm for MD4 [NSKO05]: they show that some of the extra conditions given by Wang et al. can be broken by their type 1 multi-message modification.

The extra conditions introduced in this chapter are not sufficient conditions; they are used to make the multi-message modification outside the first round work efficiently. A randomly generated message block $M$ need not satisfy the extra conditions. The sufficient conditions guarantee that the differential path of $M$ and $M'$ holds. The extra conditions guarantee that the modification of message words used after the first round does not disturb too many chaining values in the first round. If the message block $M$ fails even a small number of the sufficient conditions, the probability that $M$ and $M' = M + \Delta M$ collide is negligible. So the sufficient conditions have higher priority than the extra conditions, i.e., an extra condition must never contradict a sufficient condition. Below we show the two types of multi-message modification.

Type 1 Multi-Message Modification. We use the multi-message modification for the sufficient condition "$a_{5,19} = c_{4,19}$" given by Naito et al. [NSKO05, Table 9] as the example to introduce the type 1 multi-message modification. In MD4, $a_5 = (a_4 + GG(b_4, c_4, d_4) + m_0 + t_{17}) \lll 3$, so $m_0$ is used to compute the chaining value $a_5$. Complementing $m_{0,16}$ always complements $a_{5,19}$, because the left rotation amount is 3: a change of $\pm 2^{15}$ in the sum always complements bit 16 of the sum, whatever carry it causes, and that bit is rotated to position 19. Complementing $a_{5,19}$ turns "$a_{5,19} \neq c_{4,19}$" into "$a_{5,19} = c_{4,19}$" as long as $c_{4,19}$ is unchanged. In other words, if some bit of a chaining value does not satisfy its sufficient condition, we only need to complement that bit by whatever means we have.

But complementing $m_{0,16}$ also changes the bit $a_{1,19}$ in the first round ($a_1 = (a_0 + FF(b_0, c_0, d_0) + m_0 + t_1) \lll 3$), and $a_{1,i}$ for $20 \le i \le 32$ may change as well because of a carry or borrow from $a_{1,19}$. To avoid a carry or borrow we work in the other direction: we complement $a_{1,19}$ directly (if $a_{1,19} = 1$ we set it to 0, otherwise we set it to 1), so that $a_1$ changes by exactly $\pm 2^{18}$, and then update $m_0$ by $m_0 = (a_1 \ggg 3) - a_0 - FF(b_0, c_0, d_0) - t_1$, which complements $m_{0,16}$. Then the subsequent chaining values $d_1$, $c_1$, $b_1$ and $a_2$ are computed as follows:

$d_1 = (d_0 + FF(a_1, b_0, c_0) + m_1 + t_2) \lll 7$
$c_1 = (c_0 + FF(d_1, a_1, b_0) + m_2 + t_3) \lll 11$
$b_1 = (b_0 + FF(c_1, d_1, a_1) + m_3 + t_4) \lll 19$
$a_2 = (a_1 + FF(b_1, c_1, d_1) + m_4 + t_5) \lll 3$

They all use $a_1$ in their computation and may change because $a_1$ changes. We must prevent them from changing, because any change in them propagates to all subsequent chaining values. So we update the message words $m_1$, $m_2$, $m_3$ and $m_4$ to cancel the change of $a_1$ in its subsequent chaining values as follows:

$m_1 = (d_1 \ggg 7) - d_0 - FF(a_1, b_0, c_0) - t_2$
$m_2 = (c_1 \ggg 11) - c_0 - FF(d_1, a_1, b_0) - t_3$
$m_3 = (b_1 \ggg 19) - b_0 - FF(c_1, d_1, a_1) - t_4$
$m_4 = (a_2 \ggg 3) - a_1 - FF(b_1, c_1, d_1) - t_5$

We summarize the type 1 multi-message modification technique here. Consider the sufficient condition on the $j$-th bit of the chaining value $x$ computed in the $i$-th step of the compression function. If it is not what we want, we modify it to satisfy the sufficient condition as follows:
1. Find which message word of the message block is used to compute the chaining value in the $i$-th step; assume it is $m_l$, $0 \le l \le 15$.
2. Find which chaining value in the first round is computed from $m_l$; suppose it is $y$, computed in the $i'$-th step.
3. Complement the bit $y_{(j - s_i + s_{i'}) \bmod 32}$ and update the five message words used to compute the chaining values in the $i'$-th to the $(i'+4)$-th steps.

Type 2 Multi-Message Modification. There are cases in which the type 1 multi-message modification does not work. The first case is that the bit $y_{(j - s_i + s_{i'}) \bmod 32}$ itself carries a sufficient condition. The second case is that $y$ is computed in the $i'$-th step with $i' \ge 13$: then some of the chaining values in the $i'$-th to the $(i'+4)$-th steps lie in the second round, and the message words used to compute them are also used to compute a chaining value in the first round, so the modification is not as easy as in type 1. There are also other cases in which the type 1 multi-message modification fails; one of them is that it breaks an extra condition used for another sufficient condition. The multi-message modification techniques for these situations are much more complex. We need to introduce extra conditions to guarantee that the modification of the corresponding chaining value does not affect its subsequent chaining values too much.

Here we use the multi-message modification for the sufficient condition "$c_{5,26} = d_{5,26}$" given by Naito et al. [NSKO05, Table 12] to explain the type 2 multi-message modification. As described for type 1, we would have to consider the bit $a_{3,(26 - 9 + 3) \bmod 32} = a_{3,20}$. However, $a_{3,20}$ itself carries a sufficient condition, so the type 1 multi-message modification does not work. So we follow the type 2 multi-message

modification given by Naito et al. as follows:
1. Add the extra condition "$d_{2,17} = 0$".
2. Change the bit $d_{2,17}$ from 0 to 1.
3. Update the message word $m_5$ by $m_5 = (d_2 \ggg 7) - d_1 - FF(a_2, b_1, c_1) - t_6 = ((d_2^{old} + 2^{16}) \ggg 7) - d_1 - FF(a_2, b_1, c_1) - t_6 = m_5^{old} + 2^9$.
4. Add the extra condition "$a_{2,17} = b_{1,17}$".
5. Compute the chaining value $c_2 = (c_1 + FF(d_2, a_2, b_1) + m_6 + t_7) \lll 11$. Although $d_{2,17}$ changes from 0 to 1, the extra condition "$a_{2,17} = b_{1,17}$" guarantees that $FF(d_{2,17}, a_{2,17}, b_{1,17}) = FF(0 \to 1, a_{2,17}, b_{1,17})$, which goes from $b_{1,17}$ to $a_{2,17}$, keeps its value. This implies that $c_2$ is unchanged.
6. Add the extra condition "$c_{2,17} = 0$".
7. Compute the chaining value $b_2 = (b_1 + FF(c_2, d_2, a_2) + m_7 + t_8) \lll 19$. Although $d_{2,17}$ changes from 0 to 1, the extra condition "$c_{2,17} = 0$" guarantees that $FF(c_{2,17}, d_{2,17}, a_{2,17}) = FF(0, 0 \to 1, a_{2,17}) = a_{2,17}$ is unchanged. This implies that $b_2$ is unchanged.
8. Add the extra condition "$b_{2,17} = 0$".
9. Update the message word $m_8$ by $m_8 = (a_3 \ggg 3) - a_2 - FF(b_2, c_2, d_2) - t_9 = (a_3 \ggg 3) - a_2 - (FF(b_2, c_2, d_2^{old}) + 2^{16}) - t_9 = m_8^{old} - 2^{16}$, because under the extra condition "$b_{2,17} = 0$" we have $FF(b_{2,17}, c_{2,17}, d_{2,17}) = FF(0, 0, 0 \to 1) = d_{2,17}$, which changes from 0 to 1.

10. $m_8 = m_8^{old} - 2^{16}$ complements the bit $m_{8,17}$, so the bit $c_{5,26}$ of $c_5 = (c_4 + GG(d_5, a_5, b_4) + m_8 + t_{19}) \lll 9$ is also complemented and the sufficient condition "$c_{5,26} = d_{5,26}$" is fulfilled.
11. Finally, update the message word $m_9$ by $m_9 = (d_3 \ggg 7) - d_2 - FF(a_3, b_2, c_2) - t_{10} = (d_3 \ggg 7) - (d_2^{old} + 2^{16}) - FF(a_3, b_2, c_2) - t_{10} = m_9^{old} - 2^{16}$.

We stress that the extra conditions must lie in the first round of the compression function and must be fulfilled by the simple single-message modification, which we introduce below.

Klima [Kli05b, Kli05a] first introduced efficient and deterministic multi-message modification algorithms for MD5. His single-message modification method is very useful for finding collisions of both MD4 and MD5. Following the description of the compression functions of MD4 and MD5 in Sections 2.2 and 2.3, respectively, we first set $(a, b, c, d) = (a_0, b_0, c_0, d_0)$ and do the single-message modification of MD4 as follows, for $i = 1$ to $16$, where $x$ is a 32-bit word:

If $i \bmod 4 = 1$: randomly generate $x$ satisfying all the sufficient conditions of $a_{\lceil i/4 \rceil}$, and set $\Sigma_i = x \ggg s_i$, $m_{i-1} = \Sigma_i - a - FF(b, c, d) - t_i$, $a = x$.
If $i \bmod 4 = 2$: randomly generate $x$ satisfying all the sufficient conditions of $d_{\lceil i/4 \rceil}$, and set $\Sigma_i = x \ggg s_i$, $m_{i-1} = \Sigma_i - d - FF(a, b, c) - t_i$, $d = x$.
If $i \bmod 4 = 3$: randomly generate $x$ satisfying all the sufficient conditions of $c_{\lceil i/4 \rceil}$, and set $\Sigma_i = x \ggg s_i$, $m_{i-1} = \Sigma_i - c - FF(d, a, b) - t_i$, $c = x$.
If $i \bmod 4 = 0$: randomly generate $x$ satisfying all the sufficient conditions of $b_{\lceil i/4 \rceil}$, and set $\Sigma_i = x \ggg s_i$, $m_{i-1} = \Sigma_i - b - FF(c, d, a) - t_i$, $b = x$.

The single-message modification of MD5 is the same, except that $\Sigma_i$ first removes the feed-forward addition of the previous chaining value, for $i = 1$ to $16$:

If $i \bmod 4 = 1$: randomly generate $x$ satisfying all the sufficient conditions of $a_{\lceil i/4 \rceil}$, and set $\Sigma_i = (x - b) \ggg s_i$, $m_{i-1} = \Sigma_i - a - FF(b, c, d) - t_i$, $a = x$.
If $i \bmod 4 = 2$: randomly generate $x$ satisfying all the sufficient conditions of $d_{\lceil i/4 \rceil}$, and set $\Sigma_i = (x - a) \ggg s_i$, $m_{i-1} = \Sigma_i - d - FF(a, b, c) - t_i$, $d = x$.
If $i \bmod 4 = 3$: randomly generate $x$ satisfying all the sufficient conditions of $c_{\lceil i/4 \rceil}$, and set $\Sigma_i = (x - d) \ggg s_i$, $m_{i-1} = \Sigma_i - c - FF(d, a, b) - t_i$, $c = x$.
If $i \bmod 4 = 0$: randomly generate $x$ satisfying all the sufficient conditions of $b_{\lceil i/4 \rceil}$, and set $\Sigma_i = (x - c) \ggg s_i$, $m_{i-1} = \Sigma_i - b - FF(c, d, a) - t_i$, $b = x$.

The main idea of the single-message modification is that in the first round each message word $m_i$, $0 \le i \le 15$, is used exactly once, so instead of choosing $m_i$ and computing the chaining value from it, we choose the chaining value and compute $m_i$ from it. After the single-message modification given by Klima, the whole 512-bit message block $m$ is recovered from the 16 chosen chaining values.

Klima also noted that there is no sufficient condition on the chaining values $a_1$ and $d_1$ in the first iteration of MD5. In the first round of the compression function of MD5, $a_1$ and $d_1$ are computed with the message words $m_0$ and $m_1$, respectively, and in the second round $m_0$ and $m_1$ are used again to compute $b_5$ and $a_5$, respectively. So within the first 20 steps of the compression function, every message word can be determined from exactly one chaining value that carries sufficient conditions, except $m_6$ and $m_{11}$: they are fixed by $c_2$ and $b_3$ in the first round and then reused to compute $d_5$ and $c_5$ in steps 18 and 19. Hence in the first 20 steps of the first iteration all sufficient conditions of the chaining values, except those of $d_5$ and $c_5$, are easily fulfilled by the single-message modification above. The method given by Klima for modifying $m_0$ and $m_1$ so that the sufficient conditions on $d_5$ and $c_5$ hold is a brute-force method: it does not guarantee success, and on failure the collision searching algorithm restarts by regenerating some chaining values (which implies regenerating their corresponding message words, as described in Section 3.4).

Sasaki et al. improve the message modification of the first iteration of MD5 [SNKO05]. They claim that they can satisfy all the sufficient conditions in the first 23 steps of the first iteration with probability $1/2$. In other words, all sufficient conditions on $a_i$, $b_j$, $c_i$ and $d_i$ can be fulfilled by their message modification methods for $0 \le i \le 5$ and $0 \le j \le 4$. Similarly to their results on MD4 [NSKO05], they also use extra conditions to guarantee that the later message modification in the second round does not affect too many chaining values in the first round.
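As an added worked example (not code from the thesis or from any of the cited authors), the following Python program implements the MD4 step function, the first-round single-message modification just described, and the type 1 multi-message modification for the sufficient condition $a_{5,19} = c_{4,19}$ from the beginning of this section. The names md4_steps, single_message_modification, fix_a5_19 and SAMPLE_MESSAGE are ours, the sample block is constructed, and the MD4 digest of the empty message from RFC 1320 is used only to check that the step function is right.

```python
"""Added example (not the thesis's code): the MD4 step function, the first-round
single-message modification, and the type 1 multi-message modification for the
second-round condition a5,19 = c4,19.

Conventions follow the thesis: bit j of a word is its j-th least significant
bit (j = 1..32), and the chaining values are numbered x_1..x_48 with
x_1..x_4 = a1,d1,c1,b1, x_5..x_8 = a2,d2,c2,b2, ..., x_17 = a5.
"""
import struct

MASK = 0xFFFFFFFF
IV_SEQ = [0x67452301, 0x10325476, 0x98BADCFE, 0xEFCDAB89]  # a0, d0, c0, b0
SHIFTS = [[3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15]]
ORDER = [list(range(16)),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
CONST = [0, 0x5A827999, 0x6ED9EBA1]

def rotl(x, s): return ((x << s) | (x >> (32 - s))) & MASK
def rotr(x, s): return rotl(x, 32 - s)
def F(x, y, z): return (x & y) | (~x & z & MASK)          # round 1 (FF)
def G(x, y, z): return (x & y) | (x & z) | (y & z)        # round 2 (GG)
def H(x, y, z): return x ^ y ^ z                          # round 3
def bit(x, j): return (x >> (j - 1)) & 1

def md4_steps(m, last=48):
    """Run steps 1..last; returns xs with xs[k] = x_{k-3} (the IV words first).
    Step i computes x_i = (x_{i-4} + f(x_{i-1}, x_{i-2}, x_{i-3}) + m + t) <<< s."""
    xs = list(IV_SEQ)
    for i in range(1, last + 1):
        r, n = divmod(i - 1, 16)
        f = (F, G, H)[r]
        t = xs[i - 1] + f(xs[i + 2], xs[i + 1], xs[i]) + m[ORDER[r][n]] + CONST[r]
        xs.append(rotl(t & MASK, SHIFTS[r][n % 4]))
    return xs

def md4_hex(m):
    """Digest of one padded 16-word block; used only to check the step function."""
    xs = md4_steps(m)
    a, d, c, b = [(iv + x) & MASK for iv, x in zip(IV_SEQ, xs[-4:])]
    return struct.pack("<4I", a, b, c, d).hex()

def single_message_modification(desired):
    """Round 1 in reverse: given the wanted x_1..x_16 (chosen so that their
    sufficient conditions hold), solve every step for its message word."""
    xs = list(IV_SEQ)
    m = []
    for i, x in enumerate(desired, start=1):
        s = SHIFTS[0][(i - 1) % 4]
        m.append((rotr(x, s) - xs[i - 1] - F(xs[i + 2], xs[i + 1], xs[i])) & MASK)
        xs.append(x)
    return m

def fix_a5_19(m):
    """Type 1 multi-message modification for a5,19 = c4,19.  m0 is used in
    step 1 (a1, shift 3) and step 17 (a5, shift 3): complementing a1,19
    changes m0 by +-2^15, which always complements bit 16 of the step-17 sum
    and hence a5,19; re-solving m1..m4 keeps d1, c1, b1, a2 unchanged."""
    xs = md4_steps(m, 17)
    a5, c4 = xs[20], xs[18]
    if bit(a5, 19) == bit(c4, 19):
        return m
    desired = xs[4:20]          # current x_1..x_16
    desired[0] ^= 1 << 18       # complement a1,19: a1 changes by exactly +-2^18
    return single_message_modification(desired)

# Constructed sample block (not a message from a real collision search).
SAMPLE_MESSAGE = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]

if __name__ == "__main__":
    assert md4_hex([0x80] + [0] * 15) == "31d6cfe0d16ae931b73c59d7e0c089c0"  # RFC 1320 MD4("")
    before = md4_steps(SAMPLE_MESSAGE, 17)
    fixed = fix_a5_19(SAMPLE_MESSAGE)
    after = md4_steps(fixed, 17)
    print("a5,19 = c4,19 before:", bit(before[20], 19) == bit(before[18], 19))
    print("a5,19 = c4,19 after: ", bit(after[20], 19) == bit(after[18], 19))
    print("d1..b4 unchanged:", after[5:20] == before[5:20])
```

The round trip single_message_modification(md4_steps(m, 16)[4:20]) == m holds for every block m, which is exactly the property that lets the first-round chaining values be chosen instead of the message words. fix_a5_19 returns a block in which only $m_0, \ldots, m_4$ differ from the input, so every first-round chaining value except $a_1$ keeps its value while $a_{5,19}$ is complemented.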

Later Liang and Lai improved the message modification techniques [LL05]. They introduced a new technique, small range searching, to do the multi-message modification. In [LL05, Chapter 5] they observe that for a chaining value $N = ((L + \phi(X, Y, Z) + M + T) \lll s) + U$, the $j$-th bit of $N$ can be modified by changing the $j$-th bit of $U$ or the $(j - s)$-th bit of $L$, $X$, $Y$, $Z$ or $M$, if these bits carry no sufficient condition. This was already used widely in the type 1 and type 2 multi-message modifications introduced above. They further claim that the $j$-th bit of $N$ can be modified by changing bits lower than the $j$-th bit of $U$ and/or bits lower than the $(j - s)$-th bit of $L$, $X$, $Y$, $Z$ and/or $M$, through a carry or borrow from these bits, if these bits carry no sufficient condition.

We think that their multi-message modification is less efficient than that of Sasaki et al., because the small range searching technique needs to search all the corresponding lower bits that carry no sufficient condition (i.e., whose values are random) and modify them. Suppose there are $n$ such lower bits in $U$, $L$, $X$, $Y$, $Z$ and $M$ in total. Then they may need up to $2^n$ trials to search these $n$ bits, and may fail in the worst case because no carry or borrow occurs. The small range searching technique does not guarantee that it can modify the $j$-th bit of $N$ successfully. On the other hand, as they describe it, the small range searching technique is more flexible than Sasaki et al.'s: there is no extra condition to narrow the set of message blocks $M$, and there are many possibilities for doing the multi-message modification by searching these $n$ bits in $U$, $L$, $X$, $Y$, $Z$ and $M$. But the prerequisite is that the small range searching technique always works. Their small range searching on $\Sigma_{19}$ in both iterations does always work, because we can select the corresponding bits in $M$ randomly and modify them by the type 1 multi-message modification. If $\Sigma_{20}$ in the first iteration is not what we want, we can regenerate $b_5$ randomly. In their paper on finding MD5 collisions they also give a type 2 multi-message modification for the sufficient conditions "$d_{5,18} = 1$", "$d_{5,30} = a_{5,30}$" and "$d_{5,32} = a_{5,32}$" in the first iteration, together with their corresponding extra conditions.

4.2. Our Improvements

In this section we give some improvements on the multi-message modification techniques, in two parts: MD4 and MD5.

4.2.1. The Improvements on MD4

Although Naito et al.'s result [NSKO05] is efficient enough, we find that three of the extra conditions given by them are not in the first round. These three extra conditions cannot be set trivially by the simple single-message modification; they must be set by multi-message modification. One of the three is the extra condition "$a_{5,20} = b_{4,20}$" for the sufficient condition "$c_{5,29} = d_{5,29}$" [NSKO05, Table 13]. Following their type 2 multi-message modification method for the sufficient

condition "$c_{5,29} = d_{5,29}$", we find that the update of the chaining value $d_5$ [NSKO05, Table 13, Step 18] is computed as $d_5 = (d_4 + GG(a_5, b_4, c_4) + m_4 + t_{18}) \lll 5$. Complementing the bit $c_{4,20}$ changes $GG(a_{5,20}, b_{4,20}, c_{4,20}) = GG(a_{5,20}, b_{4,20}, 0 \to 1)$ from $a_{5,20} \wedge b_{4,20}$ to $(a_{5,20} \wedge b_{4,20}) \vee a_{5,20} \vee b_{4,20}$, and these two values are equal if and only if $a_{5,20} = b_{4,20}$. If the extra condition "$a_{5,20} = b_{4,20}$" is not fulfilled during the message modification for "$c_{5,29} = d_{5,29}$", $d_5$ changes. So when we do the multi-message modification for the chaining value $a_5$, besides its sufficient conditions we also need to consider the extra condition "$a_{5,20} = b_{4,20}$". If $a_{5,20} \neq b_{4,20}$, we use the following procedure to make $a_5$ satisfy the extra condition.
1. Complement the bit $a_{1,20}$.
2. Update the message words $m_0$, $m_1$, $m_2$, $m_3$ and $m_4$ by
$m_0 = (a_1 \ggg 3) - a_0 - FF(b_0, c_0, d_0) - t_1$ (4.1)
$m_1 = (d_1 \ggg 7) - d_0 - FF(a_1, b_0, c_0) - t_2$
$m_2 = (c_1 \ggg 11) - c_0 - FF(d_1, a_1, b_0) - t_3$
$m_3 = (b_1 \ggg 19) - b_0 - FF(c_1, d_1, a_1) - t_4$
$m_4 = (a_2 \ggg 3) - a_1 - FF(b_1, c_1, d_1) - t_5$
3. In equation (4.1), $m_0 = ((a_1^{old} \pm 2^{19}) \ggg 3) - a_0 - FF(b_0, c_0, d_0) - t_1 = m_0^{old} \pm 2^{16}$. Then $a_5 = (a_4 + GG(b_4, c_4, d_4) + m_0 + t_{17}) \lll 3 = (a_4 + GG(b_4, c_4, d_4) + (m_0^{old} \pm 2^{16}) + t_{17}) \lll 3 = a_5^{old} \pm 2^{19}$. This complements the bit $a_{5,20}$.

The other two extra conditions are "$a_{5,22} = b_{4,22}$" and "$c_{5,31} = 1$" for the sufficient condition "$c_{5,32} = d_{5,32}$" [NSKO05, Table 15]. In their type 2 multi-message modification method for "$c_{5,32} = d_{5,32}$", the Boolean function $\phi_{18}$ of the chaining value $d_5$ [NSKO05, Table 15, Step 18] is $GG(a_5, b_4, c_4)$. Complementing the bit $c_{4,22}$ changes $GG(a_{5,22}, b_{4,22}, 0 \to 1)$ from $a_{5,22} \wedge b_{4,22}$ to $(a_{5,22} \wedge b_{4,22}) \vee a_{5,22} \vee b_{4,22}$, and these two values are equal if and only if $a_{5,22} = b_{4,22}$. If the extra condition "$a_{5,22} = b_{4,22}$" is not fulfilled during the message modification for "$c_{5,32} = d_{5,32}$", $d_5$ changes. So when we do the multi-message modification for $a_5$, besides its sufficient conditions we also need to consider the extra condition "$a_{5,22} = b_{4,22}$". If $a_{5,22} \neq b_{4,22}$, we use the following procedure to make $a_5$ satisfy the extra condition.
1. Complement the bit $a_{1,22}$.
2. Update the message words $m_0$, $m_1$, $m_2$, $m_3$ and $m_4$ by
$m_0 = (a_1 \ggg 3) - a_0 - FF(b_0, c_0, d_0) - t_1$ (4.2)
$m_1 = (d_1 \ggg 7) - d_0 - FF(a_1, b_0, c_0) - t_2$
$m_2 = (c_1 \ggg 11) - c_0 - FF(d_1, a_1, b_0) - t_3$
$m_3 = (b_1 \ggg 19) - b_0 - FF(c_1, d_1, a_1) - t_4$
$m_4 = (a_2 \ggg 3) - a_1 - FF(b_1, c_1, d_1) - t_5$
3. In equation (4.2), $m_0 = ((a_1^{old} \pm 2^{21}) \ggg 3) - a_0 - FF(b_0, c_0, d_0) - t_1 = m_0^{old} \pm 2^{18}$. Then $a_5 = (a_4 + GG(b_4, c_4, d_4) + m_0 + t_{17}) \lll 3 = (a_4 + GG(b_4, c_4, d_4) + (m_0^{old} \pm 2^{18}) + t_{17}) \lll 3 = a_5^{old} \pm 2^{21}$. This complements the bit $a_{5,22}$.

Naito et al.'s type 2 multi-message modification for the sufficient condition "$c_{5,32} = d_{5,32}$" does not complement $c_{5,32}$ directly. Instead, they add the extra condition "$c_{5,31} = 1$", and $c_5$ is updated by $c_5 = (c_4 + GG(d_5, a_5, b_4) + m_8 + t_{19}) \lll 9$: the change $c_{4,22}: 0 \to 1$ gives $c_5 = ((c_4^{old} + 2^{21}) + GG(d_5, a_5, b_4) + m_8 + t_{19}) \lll 9 = c_5^{old} + 2^{30}$, and the extra condition "$c_{5,31} = 1$" makes a carry occur at $c_{5,31}$, which complements $c_{5,32}$. So if we need to do the multi-message modification for "$c_{5,32} = d_{5,32}$" and $c_{5,31} = 0 \neq 1$, we use the following procedure to make $c_5$ satisfy the extra condition.
1. Complement the bit $a_{3,25}$.
2. Update the message words $m_8$, $m_9$, $m_{10}$, $m_{11}$ and $m_{12}$ by
$m_8 = (a_3 \ggg 3) - a_2 - FF(b_2, c_2, d_2) - t_9$ (4.3)
$m_9 = (d_3 \ggg 7) - d_2 - FF(a_3, b_2, c_2) - t_{10}$
$m_{10} = (c_3 \ggg 11) - c_2 - FF(d_3, a_3, b_2) - t_{11}$
$m_{11} = (b_3 \ggg 19) - b_2 - FF(c_3, d_3, a_3) - t_{12}$
$m_{12} = (a_4 \ggg 3) - a_3 - FF(b_3, c_3, d_3) - t_{13}$
3. In equation (4.3), $m_8 = ((a_3^{old} \pm 2^{24}) \ggg 3) - a_2 - FF(b_2, c_2, d_2) - t_9 = m_8^{old} \pm 2^{21}$. Then $c_5 = (c_4 + GG(d_5, a_5, b_4) + m_8 + t_{19}) \lll 9 = (c_4 + GG(d_5, a_5, b_4) + (m_8^{old} \pm 2^{21}) + t_{19}) \lll 9 = c_5^{old} \pm 2^{30}$. This complements the bit $c_{5,31}$.

Finally we compare our improvements with Naito et al.'s result. We assume that all bits of all chaining values are uniform over $\{0, 1\}$ and mutually independent. Let $E_1$ be the event that the sufficient condition "$c_{5,29} = d_{5,29}$" is not fulfilled and has to be modified by Naito et al.'s type 2 multi-message modification during the collision search, $E_2$ the event that the sufficient condition "$c_{5,32} = d_{5,32}$" is not fulfilled and has to be modified by their type 2 multi-message modification, and $S$ the success event (i.e., the extra conditions described above are what we want). The success probabilities conditioned on $E$ are listed in Table 4.1. Each of the four possibilities for $E$ has probability $1/4$. So the success probability of Naito et al.'s multi-message modification on MD4 is:

Table 4.1: The success probability when some sufficient conditions are not fulfilled.
The event $E$                  | $\Pr[S \mid E]$
$\bar{E}_1 \cap \bar{E}_2$     | $1$
$\bar{E}_1 \cap E_2$           | $1/4$
$E_1 \cap \bar{E}_2$           | $1/2$
$E_1 \cap E_2$                 | $1/8$

$\Pr[S] = \Pr[\bar{E}_1 \cap \bar{E}_2]\Pr[S \mid \bar{E}_1 \cap \bar{E}_2] + \Pr[\bar{E}_1 \cap E_2]\Pr[S \mid \bar{E}_1 \cap E_2] + \Pr[E_1 \cap \bar{E}_2]\Pr[S \mid E_1 \cap \bar{E}_2] + \Pr[E_1 \cap E_2]\Pr[S \mid E_1 \cap E_2]$
$= \frac{1}{4} \times 1 + \frac{1}{4} \times \frac{1}{4} + \frac{1}{4} \times \frac{1}{2} + \frac{1}{4} \times \frac{1}{8} = \frac{15}{32}$

Our modified version of their multi-message modification succeeds with probability 1. Even though they restart the random generation of some message words on failure, as described in Section 3.4, our modified version is about $32/15$ times faster than their multi-message modification; on each failure they also need two extra computations of the MD4 compression function to verify whether the message pair $(M, M')$ collides.

4.2.2. The Improvements on MD5

After surveying the previous papers on the multi-message modification techniques for MD5 [Kli05b, Kli05a, SNKO05, LL05], we find that something can be improved. As mentioned in Section 3.4, there are two iterations in the

collision searching algorithm of MD5. We also introduce our improvements in two parts: the first iteration (the first block) and the second iteration (the second block).

• The First Iteration:
– For the sufficient condition "$c_{5,32} = d_{5,32}$" in the first iteration, we do the following procedure.
1. Complement the bit $c_{4,18}$.
2. Because $c_4$ changes, update the message words $m_{14}$, $m_{15}$ and $m_1$ (the word used in step 17, so that $a_5$ keeps its value) by
$m_{14} = ((c_4 - d_4) \ggg 17) - c_3 - FF(d_4, a_4, b_3) - t_{15}$
$m_{15} = ((b_4 - c_4) \ggg 22) - b_3 - FF(c_4, d_4, a_4) - t_{16}$
$m_1 = ((a_5 - b_4) \ggg 5) - a_4 - GG(b_4, c_4, d_4) - t_{17}$
3. Add the extra condition "$b_{4,18} = 0$". Note that "$a_{5,18} = 0$" itself is a sufficient condition.
4. Compute the chaining value $d_5 = ((d_4 + GG(a_5, b_4, c_4) + m_6 + t_{18}) \lll 9) + a_5$. Although $c_{4,18}$ changes, the conditions "$b_{4,18} = a_{5,18} = 0$" guarantee that $GG(a_{5,18}, b_{4,18}, c_{4,18}) = GG(0, 0, c_{4,18})$ is 0 before and after the change. This implies that $d_5$ is unchanged.
5. Update the chaining value $c_5 = ((c_4 + GG(d_5, a_5, b_4) + m_{11} + t_{19}) \lll 14) + d_5 = (((c_4^{old} \pm 2^{17}) + GG(d_5, a_5, b_4) + m_{11} + t_{19}) \lll 14) + d_5 = c_5^{old} \pm 2^{31}$. This complements the bit $c_{5,32}$.
6. Because $m_1$ changes, update the chaining value $d_1 = ((d_0 + FF(a_1, b_0, c_0) + m_1 + t_2) \lll 12) + a_1$; as noted in Section 4.1, $d_1$ carries no sufficient condition in the first iteration.
7. Because $d_1$ changes, update the message words $m_2$, $m_3$, $m_4$ and $m_5$ by
$m_2 = ((c_1 - d_1) \ggg 17) - c_0 - FF(d_1, a_1, b_0) - t_3$
$m_3 = ((b_1 - c_1) \ggg 22) - b_0 - FF(c_1, d_1, a_1) - t_4$
$m_4 = ((a_2 - b_1) \ggg 7) - a_1 - FF(b_1, c_1, d_1) - t_5$
$m_5 = ((d_2 - a_2) \ggg 12) - d_1 - FF(a_2, b_1, c_1) - t_6$
so that $c_1$, $b_1$, $a_2$ and $d_2$ keep their values. None of $m_2$, $m_3$, $m_4$ and $m_5$ is used again before step 21, so the chaining values up to step 20 change only as intended.

Sasaki et al. also give a type 2 multi-message modification for the sufficient condition "$c_{5,32} = d_{5,32}$" in their paper [SNKO05, Table 6], but it uses six extra conditions. As mentioned in Section 4.1, extra conditions are not necessary for the message modification itself; they are used to keep too many chaining values from changing. If a message modification method needs too many extra conditions, the set of candidate collision message pairs becomes too small. Even if we sometimes have to add extra conditions to make a multi-message modification work, we must keep their total number as small as possible to enlarge the set of candidate collision message pairs. Our multi-message modification for the sufficient condition "$c_{5,32} = d_{5,32}$" needs only one extra condition, "$b_{4,18} = 0$".

• The Second Iteration:
– For the sufficient condition "$d_{5,18} = 1$" in the second iteration, we do the following procedure.
1. Complement the bit $d_{4,9}$.
2. Because $d_4$ changes, update the message words $m_{13}$, $m_{14}$ and $m_{15}$ by
$m_{13} = ((d_4 - a_4) \ggg 12) - d_3 - FF(a_4, b_3, c_3) - t_{14}$
$m_{14} = ((c_4 - d_4) \ggg 17) - c_3 - FF(d_4, a_4, b_3) - t_{15}$
$m_{15} = ((b_4 - c_4) \ggg 22) - b_3 - FF(c_4, d_4, a_4) - t_{16}$
3. Add the extra condition "$b_{4,9} = c_{4,9}$".
4. Because the bit $d_{4,9}$ changes, bit 9 of the Boolean function output in step 17, $GG(b_{4,9}, c_{4,9}, d_{4,9})$, goes from $b_{4,9}$ to $c_{4,9}$ or from $c_{4,9}$ to $b_{4,9}$. The extra condition "$b_{4,9} = c_{4,9}$" guarantees that it is unchanged, so $a_5 = ((a_4 + GG(b_4, c_4, d_4) + m_1 + t_{17}) \lll 5) + b_4$ is unchanged.
5. Finally, update the chaining value $d_5 = ((d_4 + GG(a_5, b_4, c_4) + m_6 + t_{18}) \lll 9) + a_5 = (((d_4^{old} \pm 2^8) + GG(a_5, b_4, c_4) + m_6 + t_{18}) \lll 9) + a_5 = d_5^{old} \pm 2^{17}$. This complements the bit $d_{5,18}$.

(50) – For the sufficient condition “d5,32 = a5,32 ” in the second iteration, we do the following procedure. 1. We complement the bit d2,23 . 2. We add the extra condition “a2,23 = b1,23 ”. 3. Because d2 changes, we use the following equations to update the message words m5 , m6 , m7 , m8 , and m9 . m5 = ((d2 − a2 ) ≫ 12) − d1 − F F (a2 , b1 , c1 ) − t6 m6 = ((c2 − d2 ) ≫ 17) − c1 − F F (d2 , a2 , b1 ) − t7. (4.4). m7 = ((b2 − c2 ) ≫ 22) − b1 − F F (c2 , d2 , a2 ) − t8 m8 = ((a3 − b2 ) ≫ 7) − a2 − F F (b2 , c2 , d2 ) − t9 m9 = ((d3 − a3 ) ≫ 12) − d2 − F F (a3 , b2 , c2 ) − t10 4. In equation 4.4, F F (d2,23 , a2,23 , b1,23 ) = F F (dold 2,23 , a2,23 , b1,23 ) = (b1,23 → a2,23 ) ∨ (a2,23 → b1,23 ). The extra condition “a2,23 = b1,23 ” cause the complement of F F (d2,23 , a2,23 , b1,23 ) to oc22 cur. The word m6 = ((c2 − (dold 2 ± 2 )) ≫ 17) − c1 − 5 22 (F F old (d2 , a2 , b1 ) ± 222 ) − t7 = mold 6 ∓ (2 + 2 ). Then d5 =. ((d4 +GG(a4 , b3 , c3 )+m6 +t18 ) ≪ 9)+a5 = ((d4 +GG(a4 , b3 , c3 )+ 5 22 old 14 31 (mold 6 ∓ (2 + 2 )) + t18 ) ≪ 9) + a5 = d5 ∓ (2 + 2 ). This. causes the complement of the bit d5,32 to occur. – For the sufficient condition “c5,18 = 0” in the second iteration, we do the following procedure. 42.

(51) 1. We complement the bit b2,4 . 2. Because b2 changes, we use the following equations to update the message words m7 , m8 , m9 , m10 , and m11 . m7 = ((b2 − c2 ) ≫ 22) − b1 − F F (c2 , d2 , a2 ) − t8 m8 = ((a3 − b2 ) ≫ 7) − a2 − F F (b2 , c2 , d2 ) − t9 m9 = ((d3 − a3 ) ≫ 12) − d2 − F F (a3 , b2 , c2 ) − t10 m10 = ((c3 − d3 ) ≫ 17) − c2 − F F (d3 , a3 , b2 ) − t11 m11 = ((b3 − c3 ) ≫ 22) − b2 − F F (c3 , d3 , a3 ) − t12. (4.5). 3 3. In equation 4.5, m11 = ((b3 − c3 ) ≫ 22) − (bold 2 ± 2 ) − 3 F F (c3 , d3 , a3 )−t12 = mold 11 ∓2 . Then c5 = ((c4 +GG(d5 , a5 , b4 )+. m11 + t19 ) ≪ 14) + d5 = ((c4 + GG(d5 , a5 , b4 ) + (m11 ∓ 23 ) + 17 t19 ) ≪ 14)+d5 = cold 5 ∓2 . This implies that the complement. of the bit c5,18 to occur. – For the sufficient condition “c5,32 = d5,32 ” in the second iteration, we do the following procedure. 1. We complement the bit c4,18 . 2. Because c4 changes, we use the following equations to update the message words m14 and m15 . m14 = ((c4 − d4 ) ≫ 17) − c3 − F F (d4 , a4 , b3 ) − t15 m15 = ((b4 − c4 ) ≫ 22) − b3 − F F (c4 , d4 , a4 ) − t16 43.

(52) 3. We compute the chaining value a5 by a5 = ((a4 +GG(b4 , c4 , d4 )+ m0 + t17 ) ≪ 5) + b4 but c4,18 changes. However, the sufficient condition “d4, 18 = 1” guarantees that GG(b4,18 , c4,18 , d4,18 ) = GG(b4,18 , cold 4,18 , 0) is always equal to b4,18 . This also implies that a5 unchanges. 4. We add the extra condition “b4,18 = 0”. 5. We compute the chaining value d5 by d5 = ((d4 +GG(a5 , b4 , c4 )+ m6 +t18 ) ≪ 9)+a5 and c4,18 changes. But the extra condition “b4,18 = 0” cause that GG(a5,18 , b4,18 , c4,18 ) = GG(a5,18 , b4,18 , cold 4,18 ) = (a5,18 → b4,18 ) ∧ (b4,18 → a5,18 ). The bit “a5,18 = 0” itself is a sufficient condition, so GG(a5,18 , b4,18 , c4,18 ) = 0 → 0 unchanges. This also implies that d5 unchanges. 6. Finally, we update the chaining value c5 is by c5 = ((c4 + 17 GG(d5 , a5 , b4 ) + m11 + t19 ) ≪ 14) + d5 = (((cold 4 ± 2 ) + 31 GG(d5 , a5 , b4 ) + m11 + t19 ) ≪ 14) + d5 = cold 5 ± 2 . This. implies that the complement of the bit c5,32 to occur. – For the sufficient condition “d6,32 = a6,32 ” in the second iteration, we do the following procedure. 1. We complement the bit a3,23 . 2. We add the extra conditions “d3,23 = 1” and “c3,23 = 1”. 3. Because a3 changes, so we use the following equations to up-. 44.

(53) date the message words m8 , m9 , m10 , and m12 . m8 = ((a3 − b2 ) ≫ 7) − a2 − F F (b2 , c2 , d2 ) − t9 m9 = ((d3 − a3 ) ≫ 12) − d2 − F F (a3 , b2 , c2 ) − t10 m10 = ((c3 − d3 ) ≫ 17) − c2 − F F (d3 , a3 , b2 ) − t11. (4.6). m12 = ((a4 − b3 ) ≫ 7) − a3 − F F (b3 , c3 , d3 ) − t13 4. Because a3 also changes, we update the chaining value b3 by b3 = ((b2 + F F (c3 , d3 , a3 ) + m11 + t12 ) ≪ 22) + c3 . But the extra condition “c3,23 = 1” cause that F F (c3,23 , d3,23 , a3,23 ) = F F (1, d3,23 , aold 3,23 ) is always equal to d3,23 and unchanges. So b3 unchanges. 5. In equation 4.6, the extra conditions “d3,23 = 1” cause that old F F (d3,23 , a3,23 , b2,23 ) = F F (1, aold 3,23 , b2,23 ) = a3,23 . Then m10 =. ((c3 − d3 ) ≫ 17) − c2 − (F F old (d3 , a3 , b2 ) ± 222 ) − t11 = mold 10 ∓ 222 . The word d6 = ((d5 + GG(a6 , b5 , c5 ) + m10 + t22 ) ≪ 22 9)+a6 = ((d5 +GG(a6 , b5 , c5 )+(mold 10 ∓2 )+t22 ) ≪ 9)+a6 = 31 dold 6 ∓ 2 . This implies that the complement of the bit d6,32. occurs. Finally we analyze the time complexity of our improvements on multi-message modification of MD5. In the first iteration of MD5, our improvements is as efficient as Sasaki et al.’s results [SNKO05]. But the size of the set of our collision message pair is larger than Sasaki et al.’s. We also find that some 45.

(54) extra conditions in their multi-message modification can be erased. These extra conditions are as follows: • The extra condition “d3,4 = 0” for the sufficient condition “c5,18 = 0” [SNKO05, Table 5]. No matter what c5,18 is, we just need to complement it. • The extra condition “a4,1 = 1” and “d1,13 = 0” for the sufficient condition “a6,18 = b5,18 ” [SNKO05, Table 8]. No matter what a4,1 and d1,13 are, we just need to complement them. • The extra condition “a3,23 = 0” for the sufficient condition “d6,32 = a6,32 ” [SNKO05, Table 10]. No matter what a3,23 is, we just need to complement it. So the size of the set of the collision message pair can be enlarged by erasing these four extra conditions. Because the collision searching algorithm so far doesn’t satisfy all the sufficient conditions, they need to restart the whole collision searching algorithm many times. If we add these extra conditions, we must reset these extra conditions when restarting the whole collision searching algorithm. This is because that these extra conditions are broken when doing the message modification in the second round. So we need to recover them by resetting them. But other conditions, including sufficient conditions and other extra conditions, are not broken when doing the message modification in the second round. Our improvements is more efficient 46.

than Liang and Lai's results [LL05]. Note that the collision searching algorithm restarts the whole algorithm many times. As mentioned before, the small range searching algorithm given by Liang and Lai [LL05] is less efficient than Sasaki et al.'s multi-message modification methods [SNKO05]. So each time, a small time increase makes the time for finding the collision grow further, because the algorithm executes inside the loop many times.

For the second iteration of MD5, Sasaki et al. do not give any multi-message modification method. We combine Liang and Lai's results [LL05] and our improvements introduced before. We can modify for the sufficient conditions "$a_{5,4} = b_{4,4}$", "$a_{5,16} = b_{4,16}$", "$a_{5,18} = 0$", and "$d_{5,30} = a_{5,30}$" by using Liang and Lai's type 1 multi-message modification methods, and for the sufficient conditions "$d_{5,18} = 1$", "$d_{5,32} = a_{5,32}$", "$c_{5,18} = 0$", "$c_{5,32} = d_{5,32}$", and "$d_{6,32} = a_{6,32}$" by using our own type 2 multi-message modification methods. Because Sasaki et al. do not give any multi-message modification method for the second iteration, our improvements are more efficient than theirs. We give type 2 multi-message modifications for 5 more sufficient conditions than Liang and Lai's results for the second round. For these 5 sufficient conditions, Liang and Lai either use the small range searching techniques or restart the whole collision searching algorithm. So our improvements are more efficient than Liang and Lai's results.
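As an added illustration, not code from the thesis or from the author's md5coll.c, the following C program shows the two mechanics the argument in Chapter 4 relies on: recovering a message word from chosen chaining values by inverting one MD5 step, which is the form of equation 4.6, and the observation that moving $m_{10}$ by $\pm 2^{22}$ complements the top bit of $d_6$ after the rotation by 9 in step 22. All register values, message words and step constants below are constructed placeholders, not values from the differential path or the real MD5 constant table.

```c
#include <stdint.h>
#include <stdio.h>

/* MD5 Boolean functions of rounds 1 and 2 (the first argument selects). */
static uint32_t F(uint32_t x, uint32_t y, uint32_t z) { return (x & y) | (~x & z); }
static uint32_t G(uint32_t x, uint32_t y, uint32_t z) { return (x & z) | (y & ~z); }

/* Rotations; s must be in 1..31. */
static uint32_t rotl(uint32_t v, unsigned s) { return (v << s) | (v >> (32 - s)); }
static uint32_t rotr(uint32_t v, unsigned s) { return (v >> s) | (v << (32 - s)); }

typedef uint32_t (*boolfn)(uint32_t, uint32_t, uint32_t);

/* One MD5 step: the register being updated (a) becomes
   b + ((a + f(b,c,d) + m + t) <<< s). */
static uint32_t md5_step(boolfn f, uint32_t a, uint32_t b, uint32_t c, uint32_t d,
                         uint32_t m, uint32_t t, unsigned s) {
    return rotl(a + f(b, c, d) + m + t, s) + b;
}

/* Inverse step, the shape of equation 4.6: given the value the step must
   produce (a_new) and the registers feeding it, solve for the message word
   m = ((a_new - b) >>> s) - a - f(b,c,d) - t. */
static uint32_t md5_step_inv(boolfn f, uint32_t a_new, uint32_t a, uint32_t b,
                             uint32_t c, uint32_t d, uint32_t t, unsigned s) {
    return rotr(a_new - b, s) - a - f(b, c, d) - t;
}

/* Round trip: the word recovered by md5_step_inv must reproduce a_new. */
static int inverse_is_consistent(uint32_t a, uint32_t b, uint32_t c, uint32_t d,
                                 uint32_t a_new, uint32_t t, unsigned s) {
    uint32_t m = md5_step_inv(F, a_new, a, b, c, d, t, s);
    return md5_step(F, a, b, c, d, m, t, s) == a_new;
}

/* Step 22 (updates d6, rotation 9) with m10 replaced by m10 +/- 2^22.
   Returns 1 when bit 32 (the MSB) of d6 is complemented, as claimed in
   item 5 of the text. Carries out of the low bits can add a small extra
   term, so the exact difference is 2^31 only up to such a carry. */
static int msb_of_d6_flips(uint32_t d5, uint32_t a6, uint32_t b5, uint32_t c5,
                           uint32_t m10, uint32_t t22, int sign) {
    uint32_t delta = (uint32_t)1 << 22;
    uint32_t m10_new = sign >= 0 ? m10 + delta : m10 - delta;
    uint32_t d6_old = md5_step(G, d5, a6, b5, c5, m10, t22, 9);
    uint32_t d6_new = md5_step(G, d5, a6, b5, c5, m10_new, t22, 9);
    return ((d6_old ^ d6_new) >> 31) == 1;
}

int main(void) {
    /* Constructed placeholder values; t and s are not the real MD5 table. */
    printf("inverse step consistent: %d\n",
           inverse_is_consistent(0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u,
                                 0xdeadbeefu, 0x5a827999u, 7));
    printf("MSB of d6 flips for +2^22: %d\n",
           msb_of_d6_flips(0x00100000u, 0u, 0u, 0x0F0F0F0Fu, 0x00400000u, 0x00200000u, 1));
    printf("MSB of d6 flips for -2^22: %d\n",
           msb_of_d6_flips(0x00100000u, 0u, 0u, 0x0F0F0F0Fu, 0x00400000u, 0x00200000u, -1));
    return 0;
}
```

The inverse step is exact because the rotation is a bijection on 32-bit words, which is why a searching implementation can pick the chaining values first and only then derive $m_8$ through $m_{12}$. The last check also shows why the thesis states the effect on $d_6$ as a complemented bit rather than an exact $\mp 2^{31}$: the rotated carry can land in the low bits, but the MSB still flips.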

Chapter 5

Our Implementation on the Collision Searching Algorithm

5.1 A brief description of the Implementation

In this section, we describe our implementation of the collision searching algorithm briefly. The code is available at http://www.cs.nctu.edu.tw/~gtchen/Codes/md4coll.c and http://www.cs.nctu.edu.tw/~gtchen/Codes/md5coll.c for MD4 and MD5, respectively. The MD4 code was developed independently, and Stach has his own implementation [Sta05a]. The MD5 code was derived from Stach's implementation [Sta05b], although most of it has already been modified by us. Stach was the first to implement the collision searching algorithms of MD4 and MD5 and to publish the code. We find that there are 7 kinds of bits among all the bits of all the chaining values. Stach also found this and implemented it in his code, although we had already found it before the release of his implementation. Now we consider the $j$th bit of the chaining value $x$ in the $i$th step (we denote it as $x_j$), and

the 7 kinds of the bit $x_j$:

1. There is no sufficient condition here, i.e., this bit $x_j$ of the chaining value can be set to 0 or 1.
2. This bit $x_j$ of the chaining value must be set to 0.
3. This bit $x_j$ of the chaining value must be set to 1.
4. This bit $x_j$ of the chaining value must be set to the value of the same bit of the last updated chaining value (the $j$th bit of the chaining value in the $(i-1)$th step).
5. This bit $x_j$ of the chaining value must be set to the complement of the same bit of the last updated chaining value (the $j$th bit of the chaining value in the $(i-1)$th step).
6. This bit $x_j$ of the chaining value must be set to the value of the same bit of the chaining value updated two steps before (the $j$th bit of the chaining value in the $(i-2)$th step).
7. This bit $x_j$ of the chaining value must be set to the complement of the same bit of the chaining value updated two steps before (the $j$th bit of the chaining value in the $(i-2)$th step).

In the above statements, if we consider the sufficient condition on $x_j$ in the chaining value $x$, then $y_j$ denotes the same bit of the chaining value $y$ with respect to $x_j$. So we need to construct bit masks representing the 7 types of the

bits of the chaining values. But a bit of a chaining value that has no sufficient condition can be ignored. So we construct 6 bit masks for every chaining value during the computation of the compression function. We define the six 32-bit bit masks $S_{i,k}$, where $0 \le k \le 5$, for the $i$th step chaining value $x$ as follows:

1. The bit $S_{i,0,j}$ is 1 if $x_j$ must be set to 0; otherwise $S_{i,0,j}$ is 0.
2. The bit $S_{i,1,j}$ is 1 if $x_j$ must be set to 1; otherwise $S_{i,1,j}$ is 0.
3. The bit $S_{i,2,j}$ is 1 if $x_j$ must be set to the value of the same bit of the last updated chaining value; otherwise $S_{i,2,j}$ is 0.
4. The bit $S_{i,3,j}$ is 1 if $x_j$ must be set to the complement of the same bit of the last updated chaining value; otherwise $S_{i,3,j}$ is 0.
5. The bit $S_{i,4,j}$ is 1 if $x_j$ must be set to the value of the same bit of the chaining value updated two steps before; otherwise $S_{i,4,j}$ is 0.
6. The bit $S_{i,5,j}$ is 1 if $x_j$ must be set to the complement of the same bit of the chaining value updated two steps before; otherwise $S_{i,5,j}$ is 0.

We do not need to modify Wang et al.'s MD4 collision searching algorithm as described in Section 3.4. But we need to modify Wang et al.'s MD5 collision searching algorithm as described in Section 3.4 to optimize the collision searching algorithm. Our MD5 collision searching algorithm now runs as follows:

1. We use the following procedure to generate the first iteration message block $M_1$.

(a) We set $IV_0 = IV = a_0 \| b_0 \| c_0 \| d_0$.

(b) For the sufficient conditions in the first round, we do the single-message modification by Klima's idea [Kli05a] as follows:

$x \xleftarrow{u} \mathbb{Z}_{2^{32}}$, $c_1 = [x \wedge S_{3,0}] \vee [x \vee S_{3,1}]$

$x \xleftarrow{u} \mathbb{Z}_{2^{32}}$, $b_1 = [x \wedge S_{4,0}] \vee [x \vee S_{4,1}] \vee [(x \wedge S_{4,2}) \vee (c_1 \wedge S_{4,2})] \vee [(x \wedge S_{4,3}) \vee (c_1 \wedge S_{4,3})]$

$x \xleftarrow{u} \mathbb{Z}_{2^{32}}$, $a_2 = [x \wedge S_{5,0}] \vee [x \vee S_{5,1}] \vee [(x \wedge S_{5,2}) \vee (b_1 \wedge S_{5,2})] \vee [(x \wedge S_{5,3}) \vee (b_1 \wedge S_{5,3})] \vee [(x \wedge S_{5,4}) \vee (c_1 \wedge S_{5,4})] \vee [(x \wedge S_{5,5}) \vee (c_1 \wedge S_{5,5})]$

Then for $i = 6$ to $16$: if $i \bmod 4 = 1$,

$x \xleftarrow{u} \mathbb{Z}_{2^{32}}$, $a_{\lceil i/4 \rceil} = [x \wedge S_{i,0}] \vee [x \vee S_{i,1}] \vee [(x \wedge S_{i,2}) \vee (b_{\lceil (i-1)/4 \rceil} \wedge S_{i,2})] \vee [(x \wedge S_{i,3}) \vee (b_{\lceil (i-1)/4 \rceil} \wedge S_{i,3})] \vee [(x \wedge S_{i,4}) \vee (c_{\lceil (i-2)/4 \rceil} \wedge S_{i,4})] \vee [(x \wedge S_{i,5}) \vee (c_{\lceil (i-2)/4 \rceil} \wedge S_{i,5})]$

$\Sigma_i = (a_{\lceil i/4 \rceil} - b_{\lceil (i-1)/4 \rceil}) \gg s_i$
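As an added C example, not the thesis's md5coll.c and not Stach's code, the following implements the six masks $S_{i,0}, \dots, S_{i,5}$ exactly as defined in Section 5.1 and applies them to a uniformly drawn word for one chaining value, then checks the result against the definitions. It follows the prose definitions of the masks rather than the bracket form of the formulas in step (b), so it can be read as the mask semantics the formulas are meant to encode. The mask values, the PRNG seed and the chaining values are constructed placeholders, not sufficient conditions from any differential path. The assumption that every bit belongs to at most one kind (the masks are pairwise disjoint) is checked explicitly, because overlapping masks would silently let a later term overwrite an earlier one.

```c
#include <stdint.h>
#include <stdio.h>

/* The six masks of one chaining value: S[k] plays the role of S_{i,k}.
   0 = bit must be 0, 1 = must be 1, 2 = equal to the last chaining
   value's bit, 3 = its complement, 4 = equal to the bit of the chaining
   value two steps back, 5 = its complement. */
typedef struct { uint32_t S[6]; } cond_masks;

/* Constructed example masks: one condition of each kind on bits 1..6
   (LSB first), every other bit free. Not values from the thesis. */
static const cond_masks EXAMPLE_MASKS = {
    { 0x00000001u, 0x00000002u, 0x00000004u, 0x00000008u, 0x00000010u, 0x00000020u }
};

/* Constructed inconsistent masks: bit 1 is forced to both 0 and 1. */
static const cond_masks BAD_MASKS = { { 0x1u, 0x1u, 0u, 0u, 0u, 0u } };

/* Bits with no sufficient condition keep the random draw x; every other
   bit is overwritten according to its mask kind. */
static uint32_t apply_masks(uint32_t x, uint32_t prev, uint32_t prev2,
                            const cond_masks *c) {
    const uint32_t *S = c->S;
    uint32_t fixed = S[0] | S[1] | S[2] | S[3] | S[4] | S[5];
    uint32_t y = x & ~fixed;       /* clears forced-0 bits and the copied ones */
    y |= S[1];                     /* forced 1 */
    y |= prev & S[2];              /* copy bit of the last chaining value */
    y |= ~prev & S[3];             /* complement of that bit */
    y |= prev2 & S[4];             /* copy bit of the value two steps back */
    y |= ~prev2 & S[5];            /* complement of that bit */
    return y;
}

/* A bit can be of only one kind, so the six masks must be pairwise disjoint. */
static int masks_consistent(const cond_masks *c) {
    uint32_t seen = 0;
    for (int k = 0; k < 6; k++) {
        if (seen & c->S[k]) return 0;
        seen |= c->S[k];
    }
    return 1;
}

/* Returns 1 when y satisfies every condition encoded in the masks. */
static int conditions_hold(uint32_t y, uint32_t prev, uint32_t prev2,
                           const cond_masks *c) {
    const uint32_t *S = c->S;
    return (y & S[0]) == 0
        && (y & S[1]) == S[1]
        && ((y ^ prev) & S[2]) == 0
        && ((y ^ prev) & S[3]) == S[3]
        && ((y ^ prev2) & S[4]) == 0
        && ((y ^ prev2) & S[5]) == S[5];
}

/* Deterministic xorshift32 stands in for the uniform draw x <- Z_{2^32}
   so the example runs offline and reproducibly (not a cryptographic RNG). */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t v = *state;
    v ^= v << 13; v ^= v >> 17; v ^= v << 5;
    return *state = v;
}

/* Push n draws through the masks and count the ones that violate a
   condition; a correct mask application must return 0. */
static int count_violations(const cond_masks *c, uint32_t prev, uint32_t prev2, int n) {
    uint32_t state = 0x2545F491u;  /* constructed seed */
    int bad = 0;
    for (int i = 0; i < n; i++) {
        uint32_t y = apply_masks(xorshift32(&state), prev, prev2, c);
        if (!conditions_hold(y, prev, prev2, c)) bad++;
    }
    return bad;
}

int main(void) {
    uint32_t y = apply_masks(0xFFFFFFFFu, 0x00000000u, 0xFFFFFFFFu, &EXAMPLE_MASKS);
    printf("consistent=%d y=%08x holds=%d violations=%d bad_masks_consistent=%d\n",
           masks_consistent(&EXAMPLE_MASKS), y,
           conditions_hold(y, 0x00000000u, 0xFFFFFFFFu, &EXAMPLE_MASKS),
           count_violations(&EXAMPLE_MASKS, 0x12345678u, 0x9ABCDEF0u, 1000),
           masks_consistent(&BAD_MASKS));
    return 0;
}
```

The same routine serves any step of the procedure above: pass the chaining values of steps $i-1$ and $i-2$ as prev and prev2, and only the masked bits are touched. The bits outside the union of the six masks keep the random draw, which is what enlarges the set of collision message pairs when extra conditions are erased.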
