Forwarded message:

Newsgroups: sci.crypt From: schneier@chinet.chi.il.us (Bruce Schneier) Subject: Successful Cryptanalysis of MD5 Message-ID: <C42Gr3.M3w@chinet.chi.il.us> Organization: Chinet - Public Access UNIX Date: Thu, 18 Mar 1993 04:06:39 GMT

This is from Bart Preneel's Ph.D. thesis, "Analysis and Design of Cryptographic Hash Functions," Jan 1993, p. 191. It is about the cryptanalysis of MD5:

B. den Boer noted that an approximate relation exists between any four consecutive additive constants. Moreover, together with A. Bosselaers he developed an attack that produces pseudo-collisions, more specifically they can construct two chaining variables (that only differ in the most significant bit of every word) and a single message block that yield the same hashcode. The attack takes a few minutes on a PC. This means that one of the design principles behind MD4 (and MD5), namely to design a collision resistant function is not satisfied.

I have not seen the actual paper yet, which will be presented at Eurocrypt. Both PEM and PGP rely on MD5 for a secure one-way hash function. This is troublesome, to say the least.

Bruce

************************************************************************** * Bruce Schneier * Counterpane Systems For a good prime, call 391581 * 2^216193 - 1 * schneier@chinet.chi.il.us **************************************************************************

-- Yanek Martinson yanek@novavax.nova.edu