# Difference between revisions of "MD4"

(→Preimage Attacks) |
|||

(20 intermediate revisions by 4 users not shown) | |||

Line 1: | Line 1: | ||

− | == | + | == Specification == |

− | + | * digest size: 128 bits | |

− | * digest size: | ||

* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||

− | * compression function: 512-bit message block, | + | * compression function: 512-bit message block, 128-bit chaining variable |

− | * Specification: | + | * Specification: [http://www.ietf.org/rfc/rfc1320.txt RFC1320] |

− | --> | + | |

+ | <bibtex> | ||

+ | @inproceedings{cryptoRivest90, | ||

+ | author = {Ronald L. Rivest}, | ||

+ | title = {The MD4 Message Digest Algorithm}, | ||

+ | booktitle = {CRYPTO}, | ||

+ | year = {1990}, | ||

+ | pages = {303-311}, | ||

+ | url = {http://link.springer.de/link/service/series/0558/bibs/0537/05370303.htm}, | ||

+ | editor = {Alfred Menezes and Scott A. Vanstone}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {537}, | ||

+ | isbn = {3-540-54508-5}, | ||

+ | editor = {Alfred Menezes and Scott A. Vanstone}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {537}, | ||

+ | isbn = {3-540-54508-5}, | ||

+ | } | ||

+ | </bibtex> | ||

== Cryptanalysis == | == Cryptanalysis == | ||

Line 21: | Line 40: | ||

=== Collision Attacks === | === Collision Attacks === | ||

+ | <bibtex> | ||

+ | @inproceedings{iciscYuW07, | ||

+ | author = {Hongbo Yu and Xiaoyun Wang}, | ||

+ | title = {Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL}, | ||

+ | booktitle = {ICISC}, | ||

+ | year = {2007}, | ||

+ | pages = {206-226}, | ||

+ | url = {http://dx.doi.org/10.1007/978-3-540-76788-6_17}, | ||

+ | editor = {Kil-Hyun Nam and Gwangsoo Rhee}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {4817}, | ||

+ | isbn = {978-3-540-76787-9}, | ||

+ | abstract = {In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux’s multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 221 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2^{30} and a 8-near-collision with complexity 2^9.}, | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{fseSasakiWOK07, | ||

+ | author = {Yu Sasaki and Lei Wang and Kazuo Ohta and Noboru Kunihiro}, | ||

+ | title = {New Message Difference for MD4}, | ||

+ | pages = {329-348}, | ||

+ | url = {http://dx.doi.org/10.1007/978-3-540-74619-5_21}, | ||

+ | editor = {Alex Biryukov}, | ||

+ | booktitle = {FSE}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {4593}, | ||

+ | year = {2007}, | ||

+ | isbn = {978-3-540-74617-1}, | ||

+ | abstract = {This paper proposes several approaches to improve | ||

+ | the collision attack on MD4 proposed by Wang et al. First, we | ||

+ | propose a new local collision that is the best for the MD4 collision | ||

+ | attack. Selection of a good message difference is the most important | ||

+ | step in achieving effective collision attacks. This is the first paper | ||

+ | to introduce an improvement to the message difference approach of | ||

+ | Wang et al., where we propose a new local collision. Second, we propose | ||

+ | a new algorithm for constructing differential paths. While similar | ||

+ | algorithms have been proposed, they do not support the new local collision | ||

+ | technique.Finally, we complete a collision attack, and show that the | ||

+ | complexity is smaller than the previous best work.} | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{fseLeurent07, | ||

+ | author = {Gaëtan Leurent}, | ||

+ | title = {Message Freedom in MD4 and MD5 Collisions: Application to APOP}, | ||

+ | pages = {309-328}, | ||

+ | url = {http://dx.doi.org/10.1007/978-3-540-74619-5_20}, | ||

+ | editor = {Alex Biryukov}, | ||

+ | booktitle = {FSE}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {4593}, | ||

+ | year = {2007}, | ||

+ | isbn = {978-3-540-74617-1}, | ||

+ | abstract = {In Wang’s attack, message modifications allow to | ||

+ | deterministically satisfy certain sufficient conditions to find | ||

+ | collisions efficiently. Unfortunately, message modifications | ||

+ | significantly change the messages and one has little control | ||

+ | over the colliding blocks. In this paper, we show how to choose | ||

+ | small parts of the colliding messages. Consequently, we break a | ||

+ | security countermeasure proposed by Szydlo and Yin at CT-RSA ’06, | ||

+ | where a fixed padding is added at the end of each block. Furthermore, | ||

+ | we also apply this technique to recover part of the passwords in the | ||

+ | Authentication Protocol of the Post Office Protocol (POP). This shows | ||

+ | that collision attacks can be used to attack real protocols, which means that finding collisions is a real threat.} | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{iciscNaitoSKO05, | ||

+ | author = {Yusuke Naito and Yu Sasaki and Noboru Kunihiro and Kazuo Ohta}, | ||

+ | title = {Improved Collision Attack on MD4 with Probability Almost 1}, | ||

+ | booktitle = {ICISC}, | ||

+ | year = {2005}, | ||

+ | pages = {129-145}, | ||

+ | url = {http://dx.doi.org/10.1007/11734727_12}, | ||

+ | editor = {Dongho Won and Seungjoo Kim}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {3935}, | ||

+ | isbn = {3-540-33354-1}, | ||

+ | abstract = {In EUROCRYPT2005, a collision attack on MD4 was proposed by Wang, Lai, Chen, and Yu. They claimed that collision messages were found with probability 2^{-6} to 2^{-2}, and the complexity was less than 2^8 MD4 hash operations. However, there were some tyops and oversights in their paper. In this paper, first, we reevaluate the exact success probability. Second, we point out the typos and oversights in the paper of Wang et al, and we show how to improve them. Third, we propose a new message modification method for the third round of MD4. From the first result, we reevaluate that the method of Wang et al. can find collision messages with success probability 2^{-5.61}. From the second result, we can find collision messages with success probability 2^{-2}. Also by combining the second result and the third result, our improved method is able to find collision messages with probability almost 1. This complexity is less than 3 repetitions of MD4 hash operations. Our improved method is about 85 times as fast as the method of Wang et al.}, | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{eurocryptWangLFCY05, | ||

+ | author = {Xiaoyun Wang and Xuejia Lai and Dengguo Feng and Hui Chen and Xiuyuan Yu}, | ||

+ | title = {Cryptanalysis of the Hash Functions MD4 and RIPEMD}, | ||

+ | booktitle = {EUROCRYPT}, | ||

+ | year = {2005}, | ||

+ | pages = {1-18}, | ||

+ | abstract = {MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2–2 to 2–6, and the complexity of finding a collision doesnrsquot exceed 28 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2–122. The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations.}, | ||

+ | editor = {Ronald Cramer}, | ||

+ | volume = {3494}, | ||

+ | series = {LNCS}, | ||

+ | publisher = {Springer}, | ||

+ | isbn = {3-540-25910-4}, | ||

+ | url = {http://dx.doi.org/10.1007/11426639_1}, | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @article{jocDobbertin98, | ||

+ | author = {Hans Dobbertin}, | ||

+ | title = {Cryptanalysis of MD4}, | ||

+ | journal = {J. Cryptology}, | ||

+ | volume = {11}, | ||

+ | number = {4}, | ||

+ | year = {1998}, | ||

+ | pages = {253-271}, | ||

+ | url = {http://link.springer.de/link/service/journals/00145/bibs/11n4p253.html}, | ||

+ | abstract = {In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. In 1995 the author found an attack against two of three rounds of RIPEMD. As we show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows us to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance.}, | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{fseDobbertin96, | ||

+ | author = {Hans Dobbertin}, | ||

+ | title = {Cryptanalysis of MD4}, | ||

+ | pages = {53-69}, | ||

+ | editor = {Dieter Gollmann}, | ||

+ | booktitle = {FSE}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {1039}, | ||

+ | year = {1996}, | ||

+ | isbn = {3-540-60865-6}, | ||

+ | abstract = {In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, | ||

+ | a European proposal, was designed as a stronger mode of MD4. In 1995 the | ||

+ | author found an attack against two of three rounds of RIPEMD. As we show | ||

+ | in the present note, the methods developed to attack RIPEMD can be modified | ||

+ | and supplemented such that it is possible to break the full MD4, while | ||

+ | previously only partial attacks were known. An implementation of our attack | ||

+ | allows us to find collisions for MD4 in a few seconds on a PC. | ||

+ | An example of a collision is given demonstrating that our attack is of practical relevance.}, | ||

+ | url = {http://dx.doi.org/10.1007/s001459900047} | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{fseVaudenay94, | ||

+ | author = {Serge Vaudenay}, | ||

+ | title = {On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER}, | ||

+ | pages = {286-297}, | ||

+ | editor = {Bart Preneel}, | ||

+ | booktitle = {FSE}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {1008}, | ||

+ | year = {1995}, | ||

+ | abstract = {Cryptographic primitives are usually based on a network with boxes. | ||

+ | At EUROCRYPT'94, Schnorr and the author of this paper claimed that | ||

+ | all boxes should be multipermutations. Here, we investigate a few | ||

+ | combinatorial properties of multipermutations. We argue that boxes which | ||

+ | fail to be multipermutations can open the way to unsuspected attacks. | ||

+ | We illustrate this statement with two examples. Firstly, | ||

+ | we show how to construct collisions to MD4 restricted to | ||

+ | its first two rounds. This allows one to forge digests close | ||

+ | to each other using the full compression function of MD4. Secondly, | ||

+ | we show that variants of SAFER are subject to attack faster than | ||

+ | exhaustive search in 6.1% cases. This attack can be implemented if | ||

+ | we decrease the number of rounds from 6 to 4.}, | ||

+ | url = {http://dx.doi.org/10.1007/3-540-60590-8_22} | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{cryptoBoerB91, | ||

+ | author = {Bert den Boer and Antoon Bosselaers}, | ||

+ | title = {An Attack on the Last Two Rounds of MD4}, | ||

+ | booktitle = {CRYPTO}, | ||

+ | year = {1991}, | ||

+ | pages = {194-203}, | ||

+ | url = {http://link.springer.de/link/service/series/0558/bibs/0576/05760194.htm}, | ||

+ | editor = {Joan Feigenbaum}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {576}, | ||

+ | isbn = {3-540-55188-3}, | ||

+ | } | ||

+ | </bibtex> | ||

---- | ---- | ||

Line 30: | Line 234: | ||

=== Preimage Attacks === | === Preimage Attacks === | ||

+ | <bibtex> | ||

+ | @inproceedings{fseLeurent08, | ||

+ | author = {Ga{\"e}tan Leurent}, | ||

+ | title = {MD4 is Not One-Way}, | ||

+ | booktitle = {FSE}, | ||

+ | year = {2008}, | ||

+ | pages = {412-428}, | ||

+ | abstract = {MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family. }, | ||

+ | url = {http://dx.doi.org/10.1007/978-3-540-71039-4_26}, | ||

+ | editor = {Kaisa Nyberg}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {5086}, | ||

+ | isbn = {978-3-540-71038-7}, | ||

+ | } | ||

+ | </bibtex> | ||

+ | |||

+ | <bibtex> | ||

+ | @inproceedings{fseDobbertin98, | ||

+ | owner = {tnad}, | ||

+ | author = {Hans Dobbertin}, | ||

+ | title = {The First Two Rounds of MD4 are Not One-Way}, | ||

+ | pages = {284-292}, | ||

+ | editor = {Serge Vaudenay}, | ||

+ | booktitle = {FSE}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {1372}, | ||

+ | year = {1998}, | ||

+ | isbn = {3-540-64265-X}, | ||

+ | abstract = {In [1] it was shown that there are very effective attacks leading | ||

+ | to collisions for the hash function MD4 designed by R. Rivest [3]. | ||

+ | A summary of the status of hash functions of the MD4-family with respect to | ||

+ | collision-resistence can be found in [2] and [4]. However, attacking the one-wayness | ||

+ | of a hash function is a much more demanding challenge, and in case of success it has much more devastating | ||

+ | consequences. No result along this line is known for MD4 and its | ||

+ | successors. Therefore it is worth to explore how the recently developed | ||

+ | new analytic methods for finding collisions can be applied to construct | ||

+ | preimages or second preimages. As a first step, we state here the following partial result.}, | ||

+ | url = {http://dx.doi.org/10.1007/3-540-69710-1_19} | ||

+ | } | ||

+ | </bibtex> | ||

---- | ---- | ||

=== Others === | === Others === | ||

+ | <bibtex> | ||

+ | @inproceedings{fseSchlafferO06, | ||

+ | author = {Martin Schläffer and Elisabeth Oswald}, | ||

+ | title = {Searching for Differential Paths in MD4}, | ||

+ | pages = {242-261}, | ||

+ | url = {http://dx.doi.org/10.1007/11799313_16}, | ||

+ | booktitle = {FSE}, | ||

+ | publisher = {Springer}, | ||

+ | series = {LNCS}, | ||

+ | volume = {4047}, | ||

+ | year = {2006}, | ||

+ | isbn = {3-540-36597-4}, | ||

+ | abstract = {The ground-breaking results of Wang et al. | ||

+ | have attracted a lot of attention to the collision resistance | ||

+ | of hash functions. In their articles, Wang et al. give input | ||

+ | differences, differential paths and the corresponding conditions | ||

+ | that allow to find collisions with a high probability. However, | ||

+ | Wang et al. do not explain how these paths were found. The common | ||

+ | assumption is that they were found by hand with a great deal of intuition. | ||

+ | In this article, we present an algorithm that allows to find paths | ||

+ | in an automated way. Our algorithm is successful for MD4. We have found | ||

+ | over 1000 differential paths so far. Amongst them, there are paths that | ||

+ | have fewer conditions in the second round than the path of Wang et al. | ||

+ | for MD4. This makes them better suited for the message modification techniques | ||

+ | that were also introduced by Wang et al.} | ||

+ | } |

## Latest revision as of 11:32, 10 November 2008

## Contents

## 1 Specification

- digest size: 128 bits
- max. message length: < 2
^{64}bits - compression function: 512-bit message block, 128-bit chaining variable
- Specification: RFC1320

*Ronald L. Rivest* - **The MD4 Message Digest Algorithm**

- CRYPTO 537:303-311,1990
- http://link.springer.de/link/service/series/0558/bibs/0537/05370303.htm

Bibtex**Author :**Ronald L. Rivest**Title :**The MD4 Message Digest Algorithm**In :**CRYPTO -**Address :****Date :**1990

## 2 Cryptanalysis

### 2.1 Best Known Results

### 2.2 Generic Attacks

### 2.3 Collision Attacks

*Hongbo Yu, Xiaoyun Wang* - **Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL**

- ICISC 4817:206-226,2007
- http://dx.doi.org/10.1007/978-3-540-76788-6_17

Bibtex**Author :**Hongbo Yu, Xiaoyun Wang**Title :**Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL**In :**ICISC -**Address :****Date :**2007

*Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro* - **New Message Difference for MD4**

- FSE 4593:329-348,2007
- http://dx.doi.org/10.1007/978-3-540-74619-5_21

Bibtex**Author :**Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro**Title :**New Message Difference for MD4**In :**FSE -**Address :****Date :**2007

*Gaëtan Leurent* - **Message Freedom in MD4 and MD5 Collisions: Application to APOP**

- FSE 4593:309-328,2007
- http://dx.doi.org/10.1007/978-3-540-74619-5_20

Bibtex**Author :**Gaëtan Leurent**Title :**Message Freedom in MD4 and MD5 Collisions: Application to APOP**In :**FSE -**Address :****Date :**2007

*Yusuke Naito, Yu Sasaki, Noboru Kunihiro, Kazuo Ohta* - **Improved Collision Attack on MD4 with Probability Almost 1**

- ICISC 3935:129-145,2005
- http://dx.doi.org/10.1007/11734727_12

Bibtex**Author :**Yusuke Naito, Yu Sasaki, Noboru Kunihiro, Kazuo Ohta**Title :**Improved Collision Attack on MD4 with Probability Almost 1**In :**ICISC -**Address :****Date :**2005

*Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu* - **Cryptanalysis of the Hash Functions MD4 and RIPEMD**

- EUROCRYPT 3494:1-18,2005
- http://dx.doi.org/10.1007/11426639_1

Bibtex**Author :**Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu**Title :**Cryptanalysis of the Hash Functions MD4 and RIPEMD**In :**EUROCRYPT -**Address :****Date :**2005

*Hans Dobbertin* - **Cryptanalysis of MD4**

- J. Cryptology 11(4):253-271,1998
- http://link.springer.de/link/service/journals/00145/bibs/11n4p253.html

Bibtex**Author :**Hans Dobbertin**Title :**Cryptanalysis of MD4**In :**J. Cryptology -**Address :****Date :**1998

*Hans Dobbertin* - **Cryptanalysis of MD4**

- FSE 1039:53-69,1996
- http://dx.doi.org/10.1007/s001459900047

Bibtex**Author :**Hans Dobbertin**Title :**Cryptanalysis of MD4**In :**FSE -**Address :****Date :**1996

*Serge Vaudenay* - **On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER**

- FSE 1008:286-297,1995
- http://dx.doi.org/10.1007/3-540-60590-8_22

Bibtex**Author :**Serge Vaudenay**Title :**On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER**In :**FSE -**Address :****Date :**1995

*Bert den Boer, Antoon Bosselaers* - **An Attack on the Last Two Rounds of MD4**

- CRYPTO 576:194-203,1991
- http://link.springer.de/link/service/series/0558/bibs/0576/05760194.htm

Bibtex**Author :**Bert den Boer, Antoon Bosselaers**Title :**An Attack on the Last Two Rounds of MD4**In :**CRYPTO -**Address :****Date :**1991

### 2.4 Second Preimage Attacks

### 2.5 Preimage Attacks

*Ga\"etan Leurent* - **MD4 is Not One-Way**

- FSE 5086:412-428,2008
- http://dx.doi.org/10.1007/978-3-540-71039-4_26

Bibtex**Author :**Ga\"etan Leurent**Title :**MD4 is Not One-Way**In :**FSE -**Address :****Date :**2008

*Hans Dobbertin* - **The First Two Rounds of MD4 are Not One-Way**

- FSE 1372:284-292,1998
- http://dx.doi.org/10.1007/3-540-69710-1_19

Bibtex**Author :**Hans Dobbertin**Title :**The First Two Rounds of MD4 are Not One-Way**In :**FSE -**Address :****Date :**1998

### 2.6 Others

<bibtex> @inproceedings{fseSchlafferO06,

author = {Martin Schläffer and Elisabeth Oswald}, title = {Searching for Differential Paths in MD4}, pages = {242-261}, url = {http://dx.doi.org/10.1007/11799313_16}, booktitle = {FSE}, publisher = {Springer}, series = {LNCS}, volume = {4047}, year = {2006}, isbn = {3-540-36597-4}, abstract = {The ground-breaking results of Wang et al.

have attracted a lot of attention to the collision resistance of hash functions. In their articles, Wang et al. give input differences, differential paths and the corresponding conditions that allow to find collisions with a high probability. However, Wang et al. do not explain how these paths were found. The common assumption is that they were found by hand with a great deal of intuition. In this article, we present an algorithm that allows to find paths in an automated way. Our algorithm is successful for MD4. We have found over 1000 differential paths so far. Amongst them, there are paths that have fewer conditions in the second round than the path of Wang et al. for MD4. This makes them better suited for the message modification techniques that were also introduced by Wang et al.} }