Counter-cryptanalysis
Marc Stevens, CWI Am...

Abstract. We introduce counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives against cryptanalytic attacks. Redesigning a weak primitive to more strongly resist cryptanalytic techniques will unavoidably break backwa
practice, widely used cryptographic primitives that are broken continue to be used long after their expiration date. This phenomenon is caused by many reasons, among which are cost and/or risk considerations, unconvincing real-world abuse scenarios and even laxness. However, in the case of weak digital signature schemes there is also the issue of supporting old signatures. It may well be impossible to replace all old weak signatures with more secure ones, as signatures tend to proliferate beyond the control of the original signer. It seems that therefore signature verifiers will continue to accept weak, and possibly malicious, signatures for a long time to come. Unfortunately, signature verifiers have no way of knowing whether all signers have actually retired the weak scheme and whether an 'old' weak signature is really an old one or just forged to look like one. This is exactly what we're currently seeing for MD5-based signatures in practice. MD5 was first proven to be broken in 2004 by Wang et al. [WY05]; however, the first truly convincing attack scenario using MD5 collisions was our construction of a rogue Certification Authority from 2008 using a more powerful attack called the chosen-prefix collision attack [SSA+09]. MD5 has been explicitly disallowed for digital signatures for Certification Authorities ever since, but it's still used by some and still supported nearly everywhere.

1.2 Flame

An example showing that the continued support for weak signature schemes leaves one vulnerable is Flame [Cry12, Kas12]. Flame is a highly advanced malware for cyberwarfare discovered in May 2012, which spread itself locally by impersonating a properly, but illegitimately, signed Windows Update security patch. Flame's code-signing certificate was obtained by fooling Microsoft into signing a colliding and innocuous-looking certificate using an MD5-based signature algorithm. As the to-be-signed parts of both certificates were carefully crafted to result in the same MD5 hash using a chosen-prefix collision attack, the MD5-based signature is valid for both certificates. Even though Microsoft was fully aware of these severe weaknesses of MD5 and spent great effort in migrating to more secure hash functions for new digital signatures at least since 2008, their software continued to accept (old) MD5-based digital signatures. Also, in their efforts they overlooked their use of MD5-based signatures for licensing purposes in their Terminal Server Licensing Service up to the discovery of Flame in 2012. This, together with other unforeseen circumstances, allowed the creation of Flame's properly, but illegitimately, signed security patch that was trusted by all versions of Windows [MS12a].[1]

1.3 Counter-cryptanalysis

We introduce counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives against cryptanalytic attacks by exploiting subtle, un-

[1] Any license certificate produced by the Terminal Server Licensing Service could directly be used to attack Windows Vista and earlier versions, but not later versions.

Next, in Sect. 3, we discuss the discoveries made by analyzing Flame's malicious certificate using our counter-cryptanalysis technique, our work towards the reconstruction of the underlying algorithms, and our preliminary conclusions.

2 Detection of cryptanalytic collision attacks

2.1 Brief background on collision attacks

MD5 and SHA-1 are cryptographic hash functions that use the Merkle-Damgård construction, in which the security of the hash function is reduced to that of a compression function that takes as input an Intermediate Hash Value $IHV$ and a 512-bit message block $B$. The compression starts with a working state $WS_0$ initialized with $IHV$ and goes through 64 (MD5) or 80 (SHA-1) steps $t = 0, \ldots$ computing state $WS_{t+1}$ from $WS_t$. Finally it outputs the sum of $IHV$ and the last working state. A collision for a hash function is a pair of messages $(M, M')$ that have the same hash. For any named variable $X$ related to $M$, we denote by $X'$ the same variable for $M'$.

The first collision attack on MD5 is due to Wang et al. [WY05] and is constructed from two sequential near-collision attacks on the compression function. Each near-collision attack starts with a given $(IHV, IHV')$-pair with a known difference denoted by $\delta IHV$ and uses specific message block differences denoted by $\delta B$. It is based on a differential path that describes exactly how the input differences $\delta IHV$ and $\delta B$ propagate through the compression function, for which then a solution $(B, B')$ with $B' = B + \delta B$ is found. As Wang et al.'s attack requires a zero $\delta IHV$ before the two near-collision blocks, this type of collision attack is called an identical-prefix collision attack. The more powerful chosen-prefix collision attack [SLdW07] can start from an arbitrary $(IHV, IHV')$ pair. It first uses a birthday search to obtain a new $(IHV_b, IHV'_b)$ pair whose difference $\delta IHV_b$ has a specific form. Then it employs a series of near-collision attacks that iteratively reduces $\delta IHV_b$ to zero and thereby results in a collision.

2.2 Exploiting cryptanalytic necessities

The main principle of our novel technique for detecting collision attacks is to detect the last near-collision block of a collision attack; it uses two key observations on the literature on MD5 and SHA-1 cryptanalysis:
- There are only a small number of possible message block differences that may lead to feasible near-collision attacks;
- All published MD5 and SHA-1 collision attacks use differential paths that at some step have no differences at all in the working state, or (in the case of MD5) the differences $(2^{31}, 2^{31}, 2^{31}, 2^{31})$ (see [dBB93]).[2]

[2] The reason for this is simple: these working state differences can be maintained at every step of the 64 steps of MD5Compress with probability at least 1/2 if not 1.

If the message (upper half) was constructed using a collision attack and we correctly guess both the working state differences at a certain step and the used message block differences, then we obtain values of the internal computation of its sibling message (lower half). These are sufficient to reconstruct the entire compression function computation for this sibling block and verify whether there is a collision: $IHV'_{k+1} = IHV_{k+1}$.
Fig. 2. Detection of near-collisions

however, as only the message $M$ is given, the values of $M'$, $M'_k$ and $IHV'_{k+1}$ are not directly known. Since $M$ and $M'$ were constructed with a feasible collision attack, there exists a triple $(\delta B, i, \delta WS_i)$ in our list such that $\delta B = \delta M_k$ and this last near-collision attack uses working state differences $\delta WS_i$ at step $i$. As illustrated in Fig. 2, step 3 of Alg. 2-1 computes $IHV_{k+1}$ and $IHV'_{k+1}$ and tests for the telltale condition $IHV_{k+1} = IHV'_{k+1}$ in the following manner. The hash value computation of $M$ gives us values for the input $IHV_k$, output $IHV_{k+1}$ and intermediate state $WS_i$ (the working state before step $i$) of the compression function applied to $IHV_k$ and $M_k$. Since we know the message block differences and the working state differences by assumption, we can determine the message block $M'_k$ and the working state $WS'_i$ associated with the message $M'$ that collides with $M$. Computing steps $i+1, \ldots, S$ (where $S = 64$ for MD5 and $S = 80$ for SHA-1) of the compression function using $M'_k$ and $WS'_i$, we obtain working states $WS'_{i+1}, \ldots, WS'_S$. As the step functions of MD5 and SHA-1 are reversible, we can also compute working states $WS'_{i-1}, \ldots, WS'_0$. The value of $IHV'_k$ can be derived from $WS'_0$ and the value of $IHV'_{k+1}$ can be computed from $IHV'_k$ and $WS'_S$. It is clear that Alg. 2-1 on input $M$, for the value $k$ in step 3 and for the triple $(\delta B, i, \delta WS_i)$, will determine the correct value $IHV'_{k+1}$, verify that indeed $IHV'_{k+1} = IHV_{k+1}$ and therefore return True. What remains is to argue that the probability of a false positive, i.e., that it returns True for a given message $M$ which was not constructed using a cryptanalytic collision attack, is negligible.

False positives. If the given message block is not part of a near-collision block pair, then the guessed $WS'_i$ is passed through all 64 or 80 steps of the compression function to determine $IHV'_{k+1}$. Therefore, we argue that if there was no cryptanalytic attack then the distribution of the resulting value $IHV'_{k+1}$ is close to the uniform distribution. Hence, the probability of a false positive, namely that $IHV'_{k+1} = IHV_{k+1}$, is thereby approximately $C \cdot 2^{-L}$, where $L$ is the bit length of the hash value and $C$ is the number of triples attempted in step 3 of Alg. 2-1 as before. Interestingly, the false positive probability may prove to be higher when there exists a differential path compatible with one of the combinations of $\delta B$, $i$ and $\delta WS_i$ that holds with probability higher than $2^{-L}$. So far only one non-zero differential path is known with probability higher than $2^{-128}$ for MD5 (and none for SHA-1), namely the differential path consisting of differences in the most significant bit [dBB93]; this differential path is treated as a special case below, which also checks for the necessary second-last near-collision block. So if nevertheless the false positive probability proves to be higher than we conjecture, then this may well point towards interesting unknown cryptanalytic weaknesses.

2.3 Application to MD5

Alg. 2-1 can be directly applied to MD5. What remains is to determine possible combinations of values for message block differences $\delta B$, step $i$ and working state differences $\delta WS_i$ that belong to a feasible near-collision attack. The message block differences are additive in $\mathbb{Z}/2^{32}\mathbb{Z}$ and for each message block $M_k$ the message block $M'_k$ can be either $M_k + \delta B$ or $M_k - \delta B$. There are two trivial different working state differences $\delta WS_i$ that can be used for MD5, namely $(0, 0, 0, 0)$ and $(2^{31}, 2^{31}, 2^{31}, 2^{31})$, written more compactly as $\overline{0}$ and $\overline{2^{31}}$. We refer to Sect. A for a list of 222 triples $(\delta B, i, \delta WS_i)$ derived from the literature. We do not guarantee that this list forms the exhaustive list of all combinations that lead to feasible near-collision attacks. However, it should be noted that interesting message block differences have been studied extensively for nearly a decade, which has resulted in the above-mentioned list. Nevertheless, other combinations from future collision attacks can easily be added to this list.

All published near-collision attacks require complex differential steps in the first round, thereby requiring a high number of bit conditions, say at least 200. E.g., the differential paths by Wang et al. require roughly 300 bit conditions [WY05]. This implies that the probability of a false positive is dominated by the general $C \cdot 2^{-L}$ term explained earlier. Hence, the probability of a false positive is estimated as $222 \cdot 2^{-128}$ and thus negligible.

However, there is a special case. Due to the pseudo-collision attack against MD5's compression function by den Boer and Bosselaers [dBB93], there is also a special near-collision attack not yet included in the above list. It uses zero message block differences and $\delta WS_i = \overline{2^{31}}$ for all $i \in \{0, \ldots, 64\}$. One can test for this pseudo-collision attack using $\delta B = 0$, $i = 32$ and $\delta WS_{32} = \overline{2^{31}}$. The probability of a false positive is $2^{-48}$, which is not negligible. However, since it requires $\delta WS_0 = \overline{2^{31}}$ and thus $\delta IHV_{in} = \overline{2^{31}}$, this pseudo-collision attack requires at least one preceding near-collision block to form a collision attack against MD5. This observation calls for the following modification of Alg. 2-1 for MD5 to reduce the chance of a false positive to $222 \cdot 2^{-128} \cdot 2^{-48}$ for the case $\delta B = 0$. Whenever a near-collision block is detected in step 3.(f) for the combination $\delta B = 0$, $i = 32$ and $\delta WS_{32} = \overline{2^{31}}$, and before returning True, perform steps 1–4 of Alg. 2-1 on the previous message block $M_{k-1}$ using all combinations that have $\delta B \neq 0$ and using the condition $IHV'_k = IHV_k + \overline{2^{31}}$
instead of the condition $IHV'_k = IHV_k$. If this sub-instance returns False, then the main instance continues with the next combination of $\delta B$, $i$ and $\delta WS_i$. Otherwise, the main instance returns True.

Given a message $M$, the average complexity to detect whether $M$ is constructed by a collision attack against MD5 using one of the given message differences is about $222 + 1 + 1 = 224$ times the complexity of computing the MD5 hash of $M$. It has a conjectured false positive probability of about $222 \cdot 2^{-128}$.

2.4 Application to SHA-1

Alg. 2-1 can be directly applied to SHA-1. Note that this is possible even though no actual colliding messages for SHA-1 are known yet. What remains is to determine possible combinations of values for message block differences $\delta B$, step $i$ and working state differences $\delta WS_i$ that belong to a feasible near-collision attack. All known attempts at a SHA-1 collision attack are based on combining local collisions according to a disturbance vector $(DV_i)_{i=0}^{79} \in (\mathbb{Z}/2^{32}\mathbb{Z})^{80}$. Furthermore, Manuel [Man11] has found that all proposed disturbance vectors can be categorized into two classes as given in Tbl. B-1. A disturbance vector from the first class, denoted by $I(j, b)$, is defined by $DV_j = \ldots = DV_{j+14} = 0$ and $DV_{j+15} = 2^b$. Similarly, a disturbance vector from the second class, denoted by $II(j, b)$, is defined by $DV_{j+1} = DV_{j+3} = RL(2^{31}, b)$, $DV_{j+15} = 2^b$ and $DV_{j+i} = 0$ for $i \in \{0, 2, 4, 5, \ldots, 14\}$. For both classes, the remaining $DV_0, \ldots, DV_{j-1}$ and $DV_{j+16}, \ldots, DV_{79}$ are determined through the message expansion relation. For a given disturbance vector $(DV_i)_{i=0}^{79}$, the necessary message block differences are the XOR differences $(DW_i)_{i=0}^{15} = M_k \oplus M'_k$ determined as:

$DW_i := \bigoplus_{(j, r) \in \mathcal{R}} RL(DV_{i-j}, r), \quad \mathcal{R} = \{(0,0), (1,5), (2,0), (3,30), (4,30), (5,30)\},$

where $DV_{-1}, \ldots, DV_{-5}$ are given by the reversed message expansion relation:

$DV_i = RR(DV_{i+16}, 1) \oplus DV_{i+2} \oplus DV_{i+8} \oplus DV_{i+13}, \quad i = -1, \ldots, -5.$

For both disturbance vectors $I(j, b)$ and $II(j, b)$ there are no differences at step $j+8$; hence, to test for a near-collision block pair using either disturbance vector we use Alg. 2-1 with the combination $(DW_t)_{t=0}^{15}$, $i = j + 8$ and $\delta WS_i = (0, 0, 0, 0, 0)$. Given the fact that no actual collisions are known yet, it is somewhat difficult to decide which triples to include. For this we refer to our recent analysis

Block  a=Q61  b=Q64                              c=Q63                d=Q62
1      [31]   [31,25,-18,-15,-12,9,1]             [31,25,-14,-12,9]    [31,25]
2      [31,5] [-26,24,21,-14,-9,5,0]              [31,26,24,20,-9,5]   [31,-25,-9,5]
3      [31]   [30,26,-24,20,-17,15,9,-3]          [31,26,-24,-14,9]    [31,25,9]
4      [31]   [-25,14,-9,-5,3,0]                  [31,-25,14,-9]       [31,-25,-9]
1+2    [5]    [31,-24,21,-18,-16,14,-12,5,2,-0]   [27,-24,20,-14,-12,5] [-9,5]
3+4    []     [30,24,20,-16,-14,-5,0]             [24]                 []
1+4    []     [31,-18,-14,-12,-4,-2,-0]           [-12]                [-9]
2+3    [5]    [30,22,-20,-17,14,5,-3,0]           [27,20,-14,5]        [5]
all    [5]    [-30,21,19,17,-12,2]                [27,20,-14,-12,5]    [-9,5]

Note: we use the compact notation $[b_1, \ldots, b_n]$ for $\sum_{i=1}^{n} 2^{|b_i|} \cdot \mathrm{sign}(b_i)$. In comparison, the first collision attack by Wang et al. was based upon the $\delta IHV$ 'correction' $([31], [31,25], [31,25], [31,25])$ used in two sequential near-collision attacks, where the second uses the negated 'correction' such that the two 'corrections' cancel out.

3. Bit differences in all bits of $Q_6$, identical for blocks 1&3 and 2&4.

Block  q6[31] ... q6[0]
1      ++----+----+---------+++++++++++
2      +-++++++++++----------+---+-----
3      ++----+----+---------+++++++++++
4      +-++++++++++----------+---+-----

4. Highest density of bit conditions found on $Q_4, \ldots, Q_8$. The four differential paths have, respectively, only 8, 4, 6 and 5 bits of freedom left out of those 160 bits of $Q_4, \ldots, Q_8$.

5. Fixed differences $\delta Q_6, \ldots, \delta Q_{60}$. The differential paths from the first and third block (that use the same message block differences) use the same differences $\delta Q_6, \ldots, \delta Q_{60}$. Similarly, the differential paths from the second and fourth block (that also use the same message block differences) use the same differences $\delta Q_6, \ldots, \delta Q_{60}$.

6. Advanced message modification not maximized. One of the key message modifications to speed up the collision search are tunnels [Kli06]. The best and most important tunnel allows a simple message modification that does not affect all bit conditions on $Q_1, \ldots, Q_{24}$. For Flame's differential paths, this tunnel can maximize the time spent on steps 24 and onwards. This tunnel is based on flipping a bit $Q_9[b]$ with no bit condition and requires that $Q_{10}[b] = Q'_{10}[b] = 0$ and $Q_{11}[b] = Q'_{11}[b] = 1$. As shown in the table below, the near-collision blocks show a significantly lower tunnel strength than the maximal strength possible based on just the differential paths.[3]

[3] The 'avg. strength' is the average strength that would be observed if the extra conditions on $Q_{10}$ and $Q_{11}$ are each fulfilled randomly and the tunnel is not used.
obtain the required amount of lower/upper path pairs. Overall, this would imply that Flame's method has higher complexity and results in differential paths with fewer degrees of freedom.

We were able to perform a somewhat simple quantitative comparison of Flame's differential paths with differential paths constructed using our publicly available HashClash toolkit [HC]. In an experiment we tried to find a replacement path for Flame's first differential path with as few bit conditions as possible. The resulting differential path is given in Tbl. D-1 and has only 266 bit conditions over $Q_1, \ldots, Q_{24}$, which is 62 fewer than the 328 bit conditions of Tbl. C-1. In another experiment we tried to construct a differential path with the HashClash toolkit in a very short amount of time; the result was an average runtime of only 15 seconds on an Intel i7-2600 CPU, leading to differential paths with about 276 bit conditions, which is still 52 bit conditions fewer than Flame's path. This experiment used only 20,000 lower and 20,000 upper partial paths, leading to a total of 400,000,000 pairs. Future research might provide insights into the minimum complexity of constructing differential paths with the same characteristics of Sect. 3.3; however, we have no results in this direction at this point in time.

3.5 Near-collision block search

Though Observation 6 indicates the best tunnel strength is not maximized, it is also clear that this tunnel (or a slightly weaker version) is actually used, as the observed tunnel strength is significantly higher than what would be observed if this tunnel was not used (cf. 'avg. strength' at Obs. 6). A reasonable guess is that they used tunnels in a dynamic manner depending on whether the necessary conditions on $Q_{10}$ and $Q_{11}$ were fulfilled. Given the low number of bit conditions on $Q_{18}, \ldots, Q_{24}$ and sufficiently high tunnel strengths, we can reasonably say that the near-collision block search complexity is dominated by the cost of steps 24 up to 63. We have experimentally determined the success probability over steps 24 up to 63 for each of the near-collision blocks, and these are given in Tbl. 3-1 together with lower bounds for the average complexity in MD5 compression function calls. Note that because the inner-most loop computes at least 9 steps of the compression function, this search is well suited for massively parallel architectures, in contrast to our chosen-prefix collision attack.

Table 3-1. Near-collision blocks: complexity lower-bounds

Block    estimated probability of steps 24-63    average complexity lower-bound
1        $2^{-38.8}$                              $2^{36.0}$
2        $2^{-46.8}$                              $2^{44.0}$
3        $2^{-33.6}$                              $2^{30.8}$
4        $2^{-33.3}$                              $2^{30.5}$
[WY05]   $2^{-20.5}$                              $2^{17.7}$

3.6 Birthday and reduction procedures

The $\delta IHV$ resulting from the birthday procedure can be observed as the differences for $t = -3, -2, -1, 0$ of the first differential path, Tbl. C-1:

$\delta IHV = (-2^{5},\ -2^{2} + 2^{12} - 2^{17} - 2^{19} - 2^{21} + 2^{30},\ -2^{5} + 2^{12} + 2^{14} - 2^{20} - 2^{27},\ -2^{5} + 2^{9}).$

Based on the available space in the certificate, our initial guess is that Flame uses 64 birthday bits over the first and last word of the $IHV$ (matching $t = -3$ and $t = -2$ of the first path). However, this does not immediately imply that Flame's birthday search has complexity $\sqrt{\pi} \cdot 2^{32}$ MD5 compressions, as not every birthday collision is usable. In fact, the two random-looking differences have very low weights of 6 and 5 bit differences, where a uniform distribution that might be expected from an arbitrary birthday collision would actually lead to an average of about 11 bit differences each. Just aiming at such a low weight distribution would result in a birthday complexity of about $2^{42}$ MD5 compressions. However, lacking a systematic family of differential paths like that of [SSA+09], it is almost certain that the positions of the bit differences are also important, which further increases the birthday complexity. Further research may provide more insights into which $\delta IHV$ corrections are possible within the observed near-collision block complexities and the effect thereof on the birthday search and its complexity.

3.7 Preliminary conclusions

Firstly, Flame's method to construct differential paths seems to be sub-optimal compared to those obtained with our public HashClash toolkit [HC]. Secondly, so far we have been able to provide a weak lower bound for the birthday search and good lower bounds for the near-collision block search complexities. These lower bounds together indicate that Flame's new variant chosen-prefix collision attack likely costs more than $2^{44.3}$ MD5 compressions. How much more remains an open question, as the birthday search complexity is inaccurate and it does not yet include the cost of the differential path construction. Also note that we have only one instance of a chosen-prefix collision from Flame's new variant attack, making it uncertain how close the observed near-collision block search complexities are to what can be expected on average with Flame's attack. In comparison, the average complexity of our 2009 chosen-prefix collision attack for four near-collision blocks appears to be dominated by the birthday search complexity of $2^{44.55}$ MD5 compression function calls (cf. [SSA+09, Table 2] using $r = 4$ and $w = 5$). Comparing the weak lower bound with this cost, the theoretical complexity of Flame's attack is not significantly lower than that of our attack. Nevertheless, Flame's attack might be more cost effective due to the suitability of the collision search for massively parallel architectures.

4 Conclusion

We have introduced counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives. Also, we have presented the first example thereof,

References

[SSA+09] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger, Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate, CRYPTO (Shai Halevi, ed.), Lecture Notes in Computer Science, vol. 5677, Springer, 2009, pp. 55–69.
[Ste13] Marc Stevens, New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis, EUROCRYPT (Thomas Johansson and Phong Q. Nguyen, eds.), Lecture Notes in Computer Science, vol. 7881, Springer, 2013, pp. 245–261.
[VJBT08] Jiří Vábek, Daniel Joščák, Milan Boháček, and Jiří Tůma, A New Type of 2-Block Collisions in MD5, INDOCRYPT (Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, eds.), Lecture Notes in Computer Science, vol. 5365, Springer, 2008, pp. 78–90.
[WY05] Xiaoyun Wang and Hongbo Yu, How to Break MD5 and Other Hash Functions, EUROCRYPT (Ronald Cramer, ed.), Lecture Notes in Computer Science, vol. 3494, Springer, 2005, pp. 19–35.
[XF09] Tao Xie and Dengguo Feng, How To Find Weak Input Differences For MD5 Collision Attacks, Cryptology ePrint Archive, Report 2009/223, 2009.
[XF10] Tao Xie and Dengguo Feng, Construct MD5 Collisions Using Just A Single Block Of Message, Cryptology ePrint Archive, Report 2010/643, 2010.
[XFL08] Tao Xie, DengGuo Feng, and FanBao Liu, A New Collision Differential For MD5 With Its Full Differential Path, Cryptology ePrint Archive, Report 2008/230, 2008.
[XLF08] Tao Xie, Fanbao Liu, and Dengguo Feng, Could The 1-MSB Input Difference Be The Fastest Collision Attack For MD5?, Cryptology ePrint Archive, Report 2008/391, 2008.

A List of possible feasible MD5 near-collision attacks

Used non-zero message block differences in published near-collision attacks are:
- $\delta B = (\delta m_{11} = 2^{15}, \delta m_4 = \delta m_{14} = 2^{31})$ [WY05]: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_2 = 2^{8}, \delta m_{11} = 2^{15}, \delta m_4 = \delta m_{14} = 2^{31})$ [SSA+09]: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_{11} = 2^{b})$ for $b \in \{0, \ldots, 30\}$ [SLdW07]: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_{11} = 2^{31})$ [SLdW07]: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_5 = 2^{10}, \delta m_{10} = 2^{31})$ [XF10]: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_8 = 2^{31})$ [XLF08]: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_6 = 2^{8}, \delta m_9 = \delta m_{15} = 2^{31})$ [XFL08]: $i = 37$, $\delta WS_{37} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_9 = 2^{27}, \delta m_2 = \delta m_{12} = 2^{31})$ [VJBT08]: $i = 37$, $\delta WS_{37} \in \{\overline{0}, \overline{2^{31}}\}$.

Other non-zero message block differences taken from [XF09] and [XLF08] are:
- $\delta B = (\delta m_4 = 2^{20}, \delta m_7 = \delta m_{13} = 2^{31})$: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_2 = 2^{8})$: $i = 37$, $\delta WS_{37} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_5 = 2^{10}, \delta m_{11} = 2^{21})$: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_5 = 2^{10}, \delta m_{11} = 2^{31})$: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;
- $\delta B = (\delta m_5 = 2^{31}, \delta m_8 = 2^{31})$: $i = 44$, $\delta WS_{44} \in \{\overline{0}, \overline{2^{31}}\}$;

C Flame's differential paths

Table C-1. Differential path of near-collision block 1

t      Bit conditions: q_t[31] ... q_t[0]
-3     ..........................-.....
-2     00.......1.1.01....1..+...-.10..
-1     110-+..1.1.-.00..+.+......-110..
0      +-100..0.-0+^++1.0.+0.11.110-+..
1      0+-++..-.-0++-+0011-0..1110+++..
2      +0-0-.00.-++00+-0-1-+.1+1+-0++^.
3      +010-000.-+++0+1+--.+^1+-+-+++-.
4      -00-10+..11-+-0++++11--0-101-+0.
5      0-+-++-^^0110+1--110+0-0-0001+1^
6      ++----+----+---------+++++++++++
7      111.-1111101011.110-1001+0100.00
8      00+0.11110111101-1101100.1110011
9      ..0.1........-..0.10+...0-....0.
10     ..0^...1^....0..0^0-1....1....+.
11     ..0-...1+....-...+-01....0..^.1.
12     .1-1..^+1....+...0+0........+.1.
13     .0+1..-+1....0..100....1....0...
14     .-+...1......1..1.+....1....1...
15     .0+...10........-.0....-....-...
16     .1+......0........^.............
17     ..1......1....0.^......^....^...
18     ..0......+....1.................
19     ..............-.................
20     0........^......................
21     0.............^.................
22     -...............................
23     ................................
24     ^...............................
25-32  ................................
33     0...............................
34     1...............................
35-59  X...............................
60     X.11110.........................
61     X.11000..........001.00.........
62     X.+----............0............
63     X.?0??+..........--+.+-.........
64     X......+++++++..-..-.+-......+-.
$\delta m_4 = \delta m_{14} = 2^{31}$, $\delta m_{11} = 2^{15}$

Table C-2. Differential path of near-collision block 2

t      Bit conditions: q_t[31] ... q_t[0]
-3     +.........................-.....
-2     -1....+..1.1.0..0....1+..-+...0.
-1     +01.-.+1.0-+.0^.011+---1-++.0.10
0      1-0.1.+0^-0+1+-1-1011+-0001.1^-1
1      10-.01.++++-0+10--+111+-+--0-+1-
2      .01.-01100+-++0+0--+.--0++10+0+0
3      ..1.-+11+001++^+01-+01100+1++0++
4      ..-.1-11++1-++-+-1111--+++0+-+-1
5      ^^1^+1--10-010110+10-1-+0-+++000
6      +-++++++++++----------+---+-----
7      0010-000011110111011-11110.10010
8      000001001111111+-10011111-010111
9      ...-1....-.....10..1+....1....^.
10     ...0...0^0.....01..+0....0....-.
11     ..0+..^0-1...^.....01.........1.
12     .001..-+0....-....01..........1.
13     .1-1..0-1....0..1^1....1....1...
14     .-+...10.....0..1-+....1....1...
15     .0+....0........+01....+....-...
16     .^+......0.......^^.............
17     ..1......1....0.^......^....^...
18     ..0......-....1.................
19     ..............-.................
20     0........^......................
21     0.............^.................
22     -...............................
23     ................................
24     ^...............................
25-32  ................................
33     1...............................
34     0...............................
35-58  X...............................
59     X.........................0.....
60     X.....0............1001.110.....
61     X....100...0.......1..1.00+.....
62     X....1-............-+++.+--.....
63     X....++-...+.......???-.?+-.....
64     ......--..+......-....-..+-....+
$\delta m_4 = \delta m_{14} = 2^{31}$, $\delta m_{11} = 2^{15}$

Table C-4. Differential path of near-collision block 4

t      Bit conditions: q_t[31] ... q_t[0]
-3     +...............................
-2     +....0+.........000+---...000..1
-1     +....+-.11...-++++1101+.10011..1
0      001.1+-.01^.^111-++----011+-+11-
1      011.0.+.-+-^++1+++0000-1+--0-11+
2      +--.-0-.-+1+0--01+1-1-++-1-00+--
3      +--1-^1..+100--+10---1+0---0++-1
4      -010+-1.10-1-01+0-000-1-0+-10-1-
5      +00-+00^0++-11-0+++0-11101-+-100
6      +-++++++++++----------+---+-----
7      .111-11001.010.00101-1101101.011
8      111101100101000+-01011110-100111
9      ...-1....-.....10..1+....1....^.
10     ...0...0^0.....01..+0....0....-.
11     ..0+..^0-1...^.....01.........1.
12     .001..-+0....-...111..........1.
13     .1-1..0-1....0..100....1....1...
14     .-+...10.....0..1-+....1....1...
15     .0+....0........+01....+....-...
16     .^+......0.......^^.............
17     ..1......1....0.^......^....^...
18     ..0......-....1.................
19     ..............-.................
20     0........^......................
21     0.............^.................
22     +...............................
23     ................................
24     ^...............................
25-32  ................................
33     0...............................
34     1...............................
35-59  X...............................
60     X.....0..............00.........
61     X.....1.........11....1.........
62     X.....-.........10...-+.........
63     X.....-.........+-...?-.........
64     ....-++.........+-....-...-.+..+
$\delta m_4 = \delta m_{14} = 2^{31}$, $\delta m_{11} = 2^{15}$
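As an added illustration of the sibling reconstruction that step 3 of Alg. 2-1 (Sect. 2.2 and 2.3) performs on one block, the following Python is example code written for this page, not the paper's or HashClash's implementation: it builds the MD5 compression function with invertible steps, guesses $M'_k = M_k \pm \delta B$ and $WS'_i = WS_i + \delta WS_i$, runs the sibling forward to $WS'_{64}$ and backward to $WS'_0 = IHV'_k$, and compares $IHV'_{k+1}$ with $IHV_{k+1}$. Steps are numbered 0..63 here with $WS_i$ the state before step $i$; the function names and the constructed test block are assumptions, and the triple tested is the [WY05] entry of Sect. A.

```python
# Added example (not the paper's or HashClash's code): a minimal MD5 compression
# function with invertible steps, plus the sibling reconstruction of Alg. 2-1,
# step 3, for ONE triple (dB, i, dWS) and ONE block; a full detector loops this
# over the list of Sect. A and over every block of the message.
import math
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(t + 1)) * 2 ** 32) & MASK for t in range(64)]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def boolean(t, b, c, d):
    """Round functions F, G, H, I of MD5, selected by round t // 16."""
    return ((b & c) | (~b & d), (d & b) | (~d & c), b ^ c ^ d, c ^ (b | ~d))[t // 16] & MASK

def widx(t):
    """Index of the message word used in step t."""
    return (t, (5 * t + 1) % 16, (3 * t + 5) % 16, (7 * t) % 16)[t // 16]

def step(ws, m, t):
    """WS_t -> WS_{t+1}; ws is the working state (a, b, c, d) before step t."""
    a, b, c, d = ws
    a = (b + rotl((a + boolean(t, b, c, d) + K[t] + m[widx(t)]) & MASK, S[t])) & MASK
    return (d, a, b, c)

def step_inv(ws, m, t):
    """WS_{t+1} -> WS_t: each MD5 step is a bijection on the working state."""
    d, a_new, b, c = ws
    a = (rotr((a_new - b) & MASK, S[t]) - boolean(t, b, c, d) - K[t] - m[widx(t)]) & MASK
    return (a, b, c, d)

def compress(ihv, block):
    """Merkle-Damgard compression: IHV_{k+1} = IHV_k + WS_64."""
    m = list(struct.unpack("<16I", block))
    ws = tuple(ihv)
    for t in range(64):
        ws = step(ws, m, t)
    return tuple((x + y) & MASK for x, y in zip(ihv, ws))

def md5(msg):
    """Full MD5 with padding, used only to check the compression function above."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    ihv = IV
    for off in range(0, len(padded), 64):
        ihv = compress(ihv, padded[off:off + 64])
    return struct.pack("<4I", *ihv)

def near_collision_check(ihv_k, block, delta_b, i, delta_ws):
    """Guess M'_k = M_k +/- dB and WS'_i = WS_i + dWS, rebuild the sibling's whole
    compression (forward to step 64, backward to step 0), test IHV'_{k+1} == IHV_{k+1}."""
    m = list(struct.unpack("<16I", block))
    states = [tuple(ihv_k)]                      # states[t] = WS_t of the given block
    for t in range(64):
        states.append(step(states[-1], m, t))
    ihv_next = tuple((x + y) & MASK for x, y in zip(ihv_k, states[64]))
    for sign in (1, -1):                         # additive differences, either sign
        m2 = [(x + sign * d) & MASK for x, d in zip(m, delta_b)]
        ws2 = tuple((x + d) & MASK for x, d in zip(states[i], delta_ws))
        fwd = bwd = ws2
        for t in range(i, 64):                   # steps i .. 63 give WS'_64
            fwd = step(fwd, m2, t)
        for t in range(i - 1, -1, -1):           # steps i-1 .. 0 give WS'_0 = IHV'_k
            bwd = step_inv(bwd, m2, t)
        if tuple((x + y) & MASK for x, y in zip(bwd, fwd)) == ihv_next:
            return ihv_next, True
    return ihv_next, False

# Triple from Sect. A: dB = (dm11 = 2^15, dm4 = dm14 = 2^31), i = 44, dWS_44 = (0, 0, 0, 0).
WANG_DB = [0] * 4 + [1 << 31] + [0] * 6 + [1 << 15] + [0] * 2 + [1 << 31] + [0]
```

With zero differences the sibling is the block itself, so the check trivially fires; with the [WY05] triple on a block that was not produced by a collision attack it returns False, which is the $C \cdot 2^{-L}$ false-positive argument of Sect. 2.2 in action.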