# How to Break MD5 and Other Hash Functions

@inproceedings{Wang2005HowTB, title={How to Break MD5 and Other Hash Functions}, author={Xiaoyun Wang and Hongbo Yu}, booktitle={EUROCRYPT}, year={2005} }

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to…

## 1,545 Citations

MD4 is Not One-Way

- Computer Science, Mathematics
- FSE
- 2008

This paper shows a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4, and is believed to be the first preimage attack on a member of the MD4 family.

A proposal of a criterion for collision resistance of hash functions

- Mathematics, Computer Science
- 2006

It is shown that almost all the currently proposed hash functions (including widely used MD5 and SHA-1) are weak against their collision attacks. […] cryptographic hash function is secure against collision attacks using a single message block based […]

Improved Collision Attack on Hash Function MD5

- Computer Science, Mathematics
- Journal of Computer Science and Technology
- 2007

A fast attack algorithm to find two-block collisions of the hash function MD5, using the technique of small range searching and omitting the computing steps that check the characteristics in the attack algorithm, can speed up the attack on MD5 efficiently.

Collision Attack for the Hash Function Extended MD4

- Computer Science, Mathematics
- ICICS
- 2011

This work gives a collision attack on the full Extended MD4 with a complexity of about $2^{37}$, and provides a new reference for the collision analysis of other hash functions, such as RIPEMD-160, which consist of two lines.

Security Proofs for the MD6 Hash Function Mode of Operation

- Computer Science, Mathematics
- 2008

This work demonstrates provably that the mode of operation used in MD6 preserves some cryptographic properties of the compression function: that is, assuming some ideal conditions about the compression function used, the overall MD6 hash function is secure as well.

On the security of hash function combiners

- Computer Science, Mathematics
- 2010

This thesis addresses the question of whether there are security-amplifying combiners where the combined hash function provides a higher security level than the building blocks, thus going beyond the additive limit, and proposes a solution that is essentially as efficient as the concatenated combiner.

Practical Free-Start Collision Attacks on 76-step SHA-1

- Computer Science, Mathematics
- CRYPTO
- 2015

This work exploits the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years, which results in particular in better differential paths than the ones used for hash function collisions so far.

Cryptanalysis of Hash Functions

- Computer Science, Mathematics
- 2013

A new family of sponge-based lightweight hash function called spongent is proposed and its security analysis is presented by applying the most important state-of-the-art methods of cryptanalysis and by investigating their complexity.

Collisions on SHA-0 in One Hour

- Computer Science, Mathematics
- FSE
- 2008

This paper shows that the previous perturbation vectors used in all known attacks are not optimal and provides a new 2-block one and is able to produce the best collision attack against SHA-0 so far, with a measured complexity of $2^{33.6}$ hash function calls.

Fast Collision Attack on MD5

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2006

An improved attack algorithm to find two-block collisions of the hash function MD5 and the set of sufficient conditions is presented and a new technique which allows us to deterministically fulfill restrictions to properly rotate the differentials in the first round is presented.

## References

SHOWING 1-10 OF 31 REFERENCES

RIPEMD with two-round compress function is not collision-free

- Computer Science, Mathematics
- Journal of Cryptology
- 2007

It turns out that the methods developed in this note can be applied to find collisions for the full MD4, and the reduced versions of RIPEMD, where the first or the last round of the compress function is omitted, are not collision-free.

Collisions for the Compression Function of MD5

- Computer Science
- EUROCRYPT
- 1993

In this paper an algorithm is described that finds collisions for the compression function of MD5 and results in an approximate relation between any four consecutive additive constants.

Collisions for the compression function of MD5

- Computer Science
- 1993

In this paper an algorithm is described that finds collisions and establishes a work load of finding about $2^{16}$ collisions for the first two rounds of the MD5 compression function to find a collision for the entire four round function.

RIPEMD-160: A Strengthened Version of RIPEMD

- Computer Science
- FSE
- 1996

A new version of RIPEMD with a 160-bit result is proposed, as well as a plug-in substitute for RIPEMD with a 128-bit result, and the software performance of several MD4-based algorithms is compared.

A Design Principle for Hash Functions

- Mathematics, Computer Science
- CRYPTO
- 1989

Apart from suggesting a generally sound design principle for hash functions, the results give a unified view of several apparently unrelated constructions of hash functions proposed earlier, and suggest changes to other proposed constructions to make a proof of security potentially easier.

Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2004

In 1993 Bert den Boer and Antoon Bosselaers found a pseudo-collision for MD5, which is made of the same message with two different sets of initial values.

Differential Collisions in SHA-0

- Computer Science, Mathematics
- CRYPTO
- 1998

A theoretical attack on the compression function SHA-0 with complexity $2^{61}$ is obtained, which is thus better than the birthday paradox attack and is strong evidence that the transition to version 1 indeed raised the level of security of SHA.

HAVAL - A One-Way Hashing Algorithm with Variable Length of Output

- Computer Science
- AUSCRYPT
- 1992

This paper proposes a one-way hashing algorithm called HAVAL, which compresses a message of arbitrary length into a fingerprint of 128, 160, 192, 224 or 256 bits, and is very efficient and particularly suited for 32-bit computers which predominate the current workstation market.

Differential Cryptanalysis of the Data Encryption Standard

- Computer Science, Mathematics
- Springer New York
- 1993

This book introduces a new cryptographic method, called differential cryptanalysis, which can be applied to analyze cryptosystems, and describes the cryptanalysis of DES, deals with the influence of its building blocks on security, and analyzes modified variants.

Near-Collisions of SHA-0

- Computer Science, Mathematics
- CRYPTO
- 2004

This paper finds two near-collisions of the full compression function of SHA-0, in which up to 142 of the 160 bits of the output are equal, and shows that 82-round SHA-0 is much weaker than the (80-round) SHA-1, although it has more rounds, and demonstrates that the strength of SHA-0 is not monotonous in the number of rounds.