HASH: cryptanalysis of MD5? (fwd)

Yanek Martinson root at rmsdell.ftl.fl.us
Thu Mar 18 10:07:01 PST 1993


Forwarded message:
>  Newsgroups: sci.crypt
>  From: schneier at chinet.chi.il.us (Bruce Schneier)
>  Subject: Successful Cryptanalysis of MD5
>  Message-ID: <C42Gr3.M3w at chinet.chi.il.us>
>  Organization: Chinet - Public Access UNIX
>  Date: Thu, 18 Mar 1993 04:06:39 GMT
>  
>  This is from Bart Preneel's Ph.D. thesis, "Analysis and Design of
>  Cryptographic Hash Functions," Jan 1993, p. 191.  It is about the
>  cryptanalysis of MD5:
>  
>          B. den Boer noted that an approximate relation exists between
>          any four consecutive additive constants.  Moreover, together
>          with A. Bosselaers he developed an attack that produces
>          pseudo-collisions, more specifically they can construct two
>          chaining variables (that only differ in the most significant
>          bit of every word) and a single message block that yield the
>          same hashcode.  The attack takes a few minutes on a PC.  This
>          means that one of the design principles behind MD4 (and MD5),
>          namely to design a collision resistant function is not satisfied.
>  
>  I have not seen the actual paper yet, which will be presented at
>  Eurocrypt.  Both PEM and PGP rely on MD5 for a secure one-way hash
>  function.  This is troublesome, to say the least.
>  
>  Bruce
>  
>  **************************************************************************
>  * Bruce Schneier
>  * Counterpane Systems         For a good prime, call 391581 * 2^216193 - 1
>  * schneier at chinet.chi.il.us
>  **************************************************************************
> 
> 

--
Yanek Martinson
yanek at novavax.nova.edu
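To make the quoted result concrete, here is a small added example (not code from Schneier, Preneel, or den Boer and Bosselaers) that implements the MD5 compression function for a single block and a checker for the pseudo-collision relation the thesis describes: two chaining variables that differ only in the most significant bit of every word, compressed with the same message block. It verifies a candidate; it does not search for one. The all-zero block used below is a constructed input that, as expected, does not collide.

```python
import math
import struct

# Standard MD5 per-step rotation amounts and sine-derived round constants.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # standard initial chaining variable
MASK = 0xFFFFFFFF

def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK

def md5_compress(cv, block):
    """One application of the MD5 compression function: (4 words, 64-byte block) -> 4 words."""
    assert len(block) == 64
    M = struct.unpack("<16I", block)
    a, b, c, d = cv
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + M[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    # Davies-Meyer feed-forward: add the input chaining variable back in.
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d)))

def md5_single_block(msg):
    """MD5 digest (hex) of a message short enough to fit in one padded block (< 56 bytes)."""
    assert len(msg) < 56
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", len(msg) * 8)
    return b"".join(struct.pack("<I", w) for w in md5_compress(IV, block)).hex()

def msb_twin(cv):
    """The chaining variable that differs from cv only in the most significant bit of every word."""
    return tuple(w ^ 0x80000000 for w in cv)

def is_pseudo_collision(cv1, cv2, block):
    """True iff cv1 and cv2 are MSB twins and the same block compresses them to the same value."""
    if cv2 != msb_twin(cv1):
        return False
    return md5_compress(cv1, block) == md5_compress(cv2, block)
```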
More information about the cypherpunks-legacy mailing list