
University of Wollongong, Research Online
Faculty of Engineering and Information Sciences, Faculty of Informatics - Papers (Archive), 2007

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

Pairat Thorncharoensri, University of Wollongong
Tianbing Xia, University of Wollongong
Yi Mu, University of Wollongong

Recommended Citation: Thorncharoensri, Pairat; Xia, Tianbing; and Mu, Yi: How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis, 2007. https://ro.uow.edu.au/infopapers/3076

Disciplines: Physical Sciences and Mathematics

Publication Details: Thorncharoensri, P., Xia, T. & Mu, Y. (2007). How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis. International Journal of Network Security, 4 (2), 138-148. This journal article is available at Research Online: https://ro.uow.edu.au/infopapers/3076

International Journal of Network Security, Vol.4, No.2, PP.138-148, Mar. 2007

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

Pairat Thorncharoensri, Tianbing Xia and Yi Mu (Corresponding author: Pairat Thorncharoensri)
School of IT and Computer Science, University of Wollongong, Wollongong, NSW 2522, Australia. (Email: {pt78, txia, ymu}@uow.edu.au)
(Received Oct. 11, 2005; revised and accepted Dec. 6, 2005)

Abstract

Wang et al. recently found several collisions in some hash functions, such as MD4, MD5, Haval-128 and RIPEMD. These findings have significantly changed our views about the security of existing hash functions. Unfortunately, although it is easy for us to verify the correctness of the collisions published by Wang et al., the sufficient conditions for collisions are not clear. In this paper, we present our methodology for constructing the sufficient conditions of collision tables by using Haval-128 Pass 3 as an example. We propose a backward analysis method of compression functions for constructing the sufficient condition table and the differential characteristic table. We also expose the weaknesses of Haval-128 which may be applied to other hash functions.

Keywords: Collision in hash functions, cryptography, and hash function

1 Introduction

Hash functions, such as MD5 and SHA1, are widely used in computer and network security. The security of those hash functions was not a major concern until the collisions in MD4, MD5, Haval-128 and RIPEMD were recently reported in the rump session of CRYPTO'04 by Wang et al. [4]. Soon after, in [1], the methodology of Wang et al. [4] was explained by analyzing the outputs of [4], where they found a set of conditions and differential behaviors for successfully searching the collision in each step of Haval-128 from the first round to the last round.

Recently, Wang et al. revealed more about their findings of the collisions in MD4, MD5 and RIPEMD and reported more results of the collisions in SHA-0 and SHA-1 [5, 6, 7, 8]. They provided a set of sufficient conditions of collisions and differential characteristics for MD4, MD5 and RIPEMD and applied them to single and multi-message modifications. However, they did not reveal the main methodology of constructing the sufficient conditions for searching collisions.

It is also noticed that the recent results of an MD5 collision analysis in [2, 3] show a greater performance in searching the collisions than the original one by Wang et al. The results show that a collision for MD5 can be found on a notebook computer in a few hours. They provided their results with some new conditions and utilized a multi-message modification method to fulfill the conditions in the first message and the second message to obtain a higher probability of successfully finding a collision. Nevertheless, they provided only the results and the conditions for finding collisions but did not show how to choose the suitable bits and how to construct the sufficient conditions for searching the collision table.

In this paper, we for the first time reveal the secret methodology of Wang et al.'s findings and show how to find a set of sufficient conditions and differential characteristics for collisions. We propose a backward analysis method of compression functions to construct the sufficient condition table and the differential characteristic table. We utilize a raw result from [4] to produce the sufficient conditions for the collision search table of Haval-128 Pass 3. As we believe that Haval-128 is easier to break, we choose it as the entry point for finding weak points of hash functions and revealing Wang et al.'s methodology of constructing the sufficient conditions and the collision table. These weak points give us some information for breaking other hash functions.

This paper is organized as follows. In Section 2, we describe the notations used in this paper. In Section 3, we explain the compression function of Haval related to our scheme. In Section 4, we present the methodology used for our analysis and construct a set of sufficient collision conditions and differential characteristics. In Section 5, we provide some examples and explain how to construct the condition table. In the last section, we conclude our paper and describe the future work.

2 Notations

The notations used in this paper are defined in the following.

• M1 and M2 are two 1024-bit messages that are expected to produce the same hash value.
• E_(M,i) is an expansion function w.r.t. the input message M and step i.
• W_i, W1(i), W2(i), or W_(i,j) is the input of a 32-bit word of the compression function. It is the output of the message expansion E_(M,i), where i denotes a step position, for i = 0, 1, ..., 95, and j denotes a bit position, for j = 0, 1, ..., 31.
• Y_i, Y1(i), or Y2(i) is the output of a 32-bit word of the compression function, where i denotes a step position, for i = 0, 1, ..., 95, and j denotes a bit position, for j = 0, 1, ..., 31. Note that W and Y are referred to as general terms in the compression function structure, and W1, W2, Y1, and Y2 are referred to as the terms in the result.
• Y_(-1), ..., Y_(-7) is the initial value (IV) or the output of the compression function of the previous message.
• Z or Z_(i,j) denotes a carry bit in each step, where i denotes the step position and j denotes the bit position, for j = 0, 1, ..., 31.
• P, P_p(i), P_(i,j), or P_m(i,j) denotes a non-linear term, where p denotes a pass number, m denotes the message index, i denotes the step position and j denotes the bit position.
• K or K_(p,i) denotes a constant bit, where p denotes a pass number and i denotes the step position.
• BDI, or the bit-difference of inputs, is the position of the difference of two input messages at the specific word and bit. The value of BDI represents the difference between W1 and W2, which is either 1 or -1.
• + denotes an addition of two 32-bit words modulo 2^32.
• ⊕ denotes an exclusive or.
• ∧ denotes a logical and.
• ROT(X, j) denotes a rotation by j bits of a 32-bit word X.

3 Compression Function of Haval

The full description of Haval is given in [9]. In this section, we only describe the compression function, which is the core of the algorithm.

Each pass of Haval contains 4 rounds and each round of Haval contains 8 steps. Therefore, there are in total 96 steps for Haval-128 (Pass 3). The three Boolean functions for the non-linear terms of Pass 1 to 3 are:

F1(x6, x5, x4, x3, x2, x1, x0) = x1 ∧ x4 ⊕ x2 ∧ x5 ⊕ x3 ∧ x6 ⊕ x0 ∧ x1 ⊕ x0

F2(x6, x5, x4, x3, x2, x1, x0) = x1 ∧ x2 ∧ x3 ⊕ x2 ∧ x4 ∧ x5 ⊕ x1 ∧ x2 ⊕ x1 ∧ x4 ⊕ x2 ∧ x6 ⊕ x3 ∧ x5 ⊕ x4 ∧ x5 ⊕ x0 ∧ x2 ⊕ x0

F3(x6, x5, x4, x3, x2, x1, x0) = x1 ∧ x2 ∧ x3 ⊕ x1 ∧ x4 ⊕ x2 ∧ x5 ⊕ x3 ∧ x6 ⊕ x0 ∧ x3 ⊕ x0

The non-linear terms for Pass 1 to 3 are:

P1(i) = F1(Y_(i-7), Y_(i-6), Y_(i-5), Y_(i-4), Y_(i-3), Y_(i-2), Y_(i-1)); for i = 0, ..., 31,

P2(i) = F2(Y_(i-7), Y_(i-6), Y_(i-5), Y_(i-4), Y_(i-3), Y_(i-2), Y_(i-1));
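The three Boolean functions act bitwise, so bit j of a non-linear term P(i) depends only on bit j of the seven preceding output words. The following added Python example (not code from the paper) implements F1, F2 and F3 on 32-bit words and derives, for a chosen input word, the bit-level condition under which a single-bit difference in Y_(i-k) propagates into P(i); this per-bit propagate-or-absorb condition is the kind of entry a sufficient condition table records. The dictionary layout for the step outputs, the negative indices for the IV words and the sample words are assumptions.

```python
import itertools

MASK = 0xFFFFFFFF


def F1(x6, x5, x4, x3, x2, x1, x0):
    # Pass-1 Boolean function of Section 3, evaluated bitwise on 32-bit words.
    return ((x1 & x4) ^ (x2 & x5) ^ (x3 & x6) ^ (x0 & x1) ^ x0) & MASK


def F2(x6, x5, x4, x3, x2, x1, x0):
    # Pass-2 Boolean function of Section 3.
    return ((x1 & x2 & x3) ^ (x2 & x4 & x5) ^ (x1 & x2) ^ (x1 & x4) ^ (x2 & x6)
            ^ (x3 & x5) ^ (x4 & x5) ^ (x0 & x2) ^ x0) & MASK


def F3(x6, x5, x4, x3, x2, x1, x0):
    # Pass-3 Boolean function of Section 3.
    return ((x1 & x2 & x3) ^ (x1 & x4) ^ (x2 & x5) ^ (x3 & x6) ^ (x0 & x3) ^ x0) & MASK


def nonlinear_term(F, Y, i):
    """P_p(i) = F(Y_(i-7), ..., Y_(i-1)). Y maps a step index to a 32-bit word;
    negative indices hold the IV words Y_(-7)..Y_(-1) (assumed layout)."""
    return F(*(Y[i - k] for k in range(7, 0, -1)))


def output_difference(F, Y, i, k, j):
    """XOR difference in P(i) caused by flipping bit j of Y_(i-k), 1 <= k <= 7.
    F is bitwise, so the result is either 0 (absorbed) or exactly 1 << j."""
    Y2 = dict(Y)
    Y2[i - k] ^= 1 << j
    return nonlinear_term(F, Y, i) ^ nonlinear_term(F, Y2, i)


def propagation_condition(F, k):
    """Set of bit-level assignments (x6, ..., x0) under which a difference in
    Y_(i-k), i.e. input x_(k-1) of F, flips the output bit. These 128 cases
    cover every bit position; the complement is where the difference dies."""
    cond = set()
    for bits in itertools.product((0, 1), repeat=7):
        flipped = list(bits)
        flipped[6 - (k - 1)] ^= 1      # tuple is ordered (x6, ..., x0)
        if F(*bits) != F(*flipped):
            cond.add(bits)
    return cond


if __name__ == "__main__":
    # Constructed IV words for step i = 0; F1 = x1 & (x4 ^ x0) ^ ..., so a flip
    # in Y_(-2) (x1) reaches P(0) only where bit j of Y_(-3) and Y_(-1) differ.
    Y = {-7: 0xDEADBEEF, -6: 0x01234567, -5: 0x89ABCDEF, -4: 0x0F0F0F0F,
         -3: 0x00000020, -2: 0xFFFFFFFF, -1: 0x00000000}
    print(hex(output_difference(F1, Y, 0, 2, 5)), len(propagation_condition(F1, 2)))
```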