Counter-cryptanalysis
Marc Stevens, CWI Amsterdam, The Ne[...]

Abstract. We introduce counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives against cryptanalytic attacks. Redesigning a weak primitive to more strongly resist cryptanalytic techniques will unavoidably break backwa[...]

[...]
[...] practice, widely used cryptographic primitives that are broken continue to be used long after their expiration date. This phenomenon has many causes, among which are cost and/or risk considerations, unconvincing real-world abuse scenarios and even laxness. However, in the case of weak digital signature schemes there is also the issue of supporting old signatures. It may well be impossible to replace all old weak signatures with more secure ones, as signatures tend to proliferate beyond the control of the original signer. It therefore seems that signature verifiers will continue to accept weak, and possibly malicious, signatures for a long time to come. Unfortunately, signature verifiers have no way of knowing whether all signers have actually retired the weak scheme, nor whether an 'old' weak signature is really an old one or was just forged to look like one. This is exactly what we are currently seeing for MD5-based signatures in practice. MD5 was first proven to be broken in 2004 by Wang et al. [WY05]; however, the first truly convincing attack scenario using MD5 collisions was our construction of a rogue Certification Authority in 2008 using a more powerful attack called the chosen-prefix collision attack [SSA+09]. MD5 has been explicitly disallowed for digital signatures by Certification Authorities ever since, but it is still used by some and still supported nearly everywhere.

1.2 Flame

An example showing that the continued support for weak signature schemes leaves one vulnerable is Flame [Cry12, Kas12]. Flame is a highly advanced malware for cyberwarfare discovered in May 2012, which spread itself locally by impersonating a properly, but illegitimately, signed Windows Update security patch. Flame's code-signing certificate was obtained by fooling Microsoft into signing a colliding and innocuous-looking certificate using an MD5-based signature algorithm. As the to-be-signed parts of both certificates were carefully crafted to result in the same MD5 hash using a chosen-prefix collision attack, the MD5-based signature is valid for both certificates. Even though Microsoft was fully aware of these severe weaknesses of MD5 and spent great effort on migrating to more secure hash functions for new digital signatures at least since 2008, their software continued to accept (old) MD5-based digital signatures. Also, in their efforts they overlooked their use of MD5-based signatures for licensing purposes in their Terminal Server Licensing Service up to the discovery of Flame in 2012. This, together with other unforeseen circumstances, allowed the creation of Flame's properly, but illegitimately, signed security patch that was trusted by all versions of Windows [MS12a].¹

¹ Any license certificate produced by the Terminal Server Licensing Service could directly be used to attack Windows Vista and earlier versions, but not later versions.

1.3 Counter-cryptanalysis

We introduce counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives against cryptanalytic attacks by exploiting subtle, un[...]

[...] Next, in Sect. 3, we discuss the discoveries made by analyzing Flame's malicious certificate using our counter-cryptanalysis technique, our work towards the reconstruction of the underlying algorithms, and our preliminary conclusions.

2 Detection of cryptanalytic collision attacks

2.1 Brief background on collision attacks

MD5 and SHA-1 are cryptographic hash functions that use the Merkle-Damgård construction, in which the security of the hash function is reduced to that of a compression function that takes as input an Intermediate Hash Value IHV and a 512-bit message block B. The compression starts with a working state WS_0 initialized with IHV and goes through 64 (MD5) or 80 (SHA-1) steps t = 0, 1, ..., computing state WS_{t+1} from WS_t. Finally it outputs the sum of IHV and the last working state. A collision for a hash function is a pair of messages (M, M') that have the same hash. For any named variable X related to M, we denote by X' the same variable for M'.

The first collision attack on MD5 is due to Wang et al. [WY05] and is constructed from two sequential near-collision attacks on the compression function. Each near-collision attack starts with a given (IHV, IHV') pair with a known difference, denoted by δIHV, and uses specific message block differences, denoted by δB. It is based on a differential path that describes exactly how the input differences δIHV and δB propagate through the compression function, for which then a solution (B, B') with B' = B + δB is found. As Wang et al.'s attack requires a zero δIHV before the two near-collision blocks, this type of collision attack is called an identical-prefix collision attack. The more powerful chosen-prefix collision attack [SLdW07] can start from an arbitrary (IHV, IHV') pair. It first uses a birthday search to obtain a new (IHV_b, IHV'_b) pair whose difference δIHV_b has a specific form. Then it employs a series of near-collision attacks that iteratively reduces δIHV_b to zero and thereby results in a collision.

2.2 Exploiting cryptanalytic necessities

The main principle of our novel technique for detecting collision attacks is to detect the last near-collision block of a collision attack. It uses two key observations on the literature on MD5 and SHA-1 cryptanalysis:
– There are only a small number of possible message block differences that may lead to feasible near-collision attacks;
– All published MD5 and SHA-1 collision attacks use differential paths that at some step have no differences at all in the working state, or, in the case of MD5, the differences (2^31, 2^31, 2^31, 2^31) (see [dBB93]).²

² The reason for this is simple: these working state differences can be maintained at every step of the 64 steps of MD5Compress with probability at least 1/2, if not 1.

[...]

Fig. 2. Detection of near-collisions. If the message (upper half) was constructed using a collision attack and we correctly guess both the working state differences at a certain step and the message block differences used, then we obtain values of the internal computation of its sibling message (lower half). These are sufficient to reconstruct the entire compression function computation for this sibling block and to verify whether there is a collision: IHV'_{k+1} = IHV_{k+1}.

[...] However, as only the message M is given, the values of M', M'_k and IHV'_{k+1} are not directly known. Since M and M' were constructed with a feasible collision attack, there exists a triple (δB, i, δWS_i) in our list such that δB = δM_k and this last near-collision attack uses working state differences δWS_i at step i. As illustrated in Fig. 2, step 3 of Alg. 2-1 computes IHV_{k+1} and IHV'_{k+1} and tests for the telltale condition IHV_{k+1} = IHV'_{k+1} in the following manner. The hash value computation of M gives us values for the input IHV_k, the output IHV_{k+1} and the intermediate state WS_i (the working state before step i) of the compression function applied to IHV_k and M_k. Since we know the message block differences and the working state differences by assumption, we can determine the message block M'_k and the working state WS'_i associated with the message M' that collides with M. Computing steps i+1, ..., S (where S = 64 for MD5 and S = 80 for SHA-1) of the compression function using M'_k and WS'_i, we obtain working states WS'_{i+1}, ..., WS'_S. As the step functions of MD5 and SHA-1 are reversible, we can also compute working states WS'_{i−1}, ..., WS'_0. The value of IHV'_k can be derived from WS'_0, and the value of IHV'_{k+1} can be computed from IHV'_k and WS'_S. It is clear that Alg. 2-1 on input M, for the value k in step 3 and for the triple (δB, i, δWS_i), will determine the correct value IHV'_{k+1}, verify that indeed IHV'_{k+1} = IHV_{k+1} and therefore return True. What remains is to argue that the probability of a false positive, i.e., that it returns True for a given message M which was not constructed using a cryptanalytic collision attack, is negligible.

False positives. If the given message block is not part of a near-collision block pair, then the guessed WS'_i is passed through all 64 or 80 steps of the compression function to determine IHV'_{k+1}. Therefore, we argue that if there was no cryptanalytic attack then the distribution of the resulting value IHV'_{k+1} is close to the uniform distribution. Hence, the probability of a false positive, namely that IHV'_{k+1} = IHV_{k+1}, is approximately C · 2^{−L}, where L is the bit length of the hash value and C is the number of triples attempted in step 3 of Alg. 2-1 as before. Interestingly, the false positive probability may prove to be higher when there exists a differential path compatible with one of the combinations of δB, i and δWS_i that holds with probability higher than 2^{−L}. So far only one non-zero differential path is known with probability higher than 2^{−128} for MD5 (and none for SHA-1), namely the differential path consisting of differences in the most significant bit [dBB93]; this differential path is treated as a special case below, which also checks for the necessary second-last near-collision block. So if the false positive probability nevertheless proves to be higher than we conjecture, this may well point towards interesting unknown cryptanalytic weaknesses.

2.3 Application to MD5

Alg. 2-1 can be directly applied to MD5. What remains is to determine possible combinations of values for message block differences δB, step i and working state differences δWS_i that belong to a feasible near-collision attack. The message block differences are additive in Z/2^32 Z, and for each message block M_k the message block M'_k can be either M_k + δB or M_k − δB. There are two trivial working state differences δWS_i that can be used for MD5, namely (0, 0, 0, 0) and (2^31, 2^31, 2^31, 2^31), written more compactly as 0̂ and 2^31̂. We refer to Sect. A for a list of 222 triples (δB, i, δWS_i) derived from the literature. We do not guarantee that this list is the exhaustive list of all combinations that lead to feasible near-collision attacks. However, it should be noted that interesting message block differences have been studied extensively for nearly a decade, which has resulted in the above-mentioned list. Nevertheless, other combinations from future collision attacks can easily be added to this list.

All published near-collision attacks require complex differential steps in the first round, thereby requiring a high number of bit conditions, say at least 200. E.g., the differential paths by Wang et al. require roughly 300 bit conditions [WY05]. This implies that the probability of a false positive is dominated by the general C · 2^{−L} term explained earlier. Hence, the probability of a false positive is estimated as 222 · 2^{−128} and is thus negligible.

However, there is a special case. Due to the pseudo-collision attack against MD5's compression function by den Boer and Bosselaers [dBB93], there is also a special near-collision attack not yet included in the above list. It uses zero message block differences and δWS_i = 2^31̂ for all i ∈ {0, ..., 64}. One can test for this pseudo-collision attack using δB = 0, i = 32 and δWS_32 = 2^31̂. The probability of a false positive is 2^{−48}, which is not negligible. However, since it requires δWS_0 = 2^31̂ and thus δIHV_in = 2^31̂, this pseudo-collision attack requires at least one preceding near-collision block to form a collision attack against MD5. This observation calls for the following modification of Alg. 2-1 for MD5, which reduces the chance of a false positive to 222 · 2^{−128} · 2^{−48} for the case δB = 0. Whenever a near-collision block is detected in step 3.(f) for the combination δB = 0, i = 32 and δWS_32 = 2^31̂, and before returning True, perform steps 1–4 of Alg. 2-1 on the previous message block M_{k−1} using all combinations that have δB ≠ 0 and using the condition IHV'_k = IHV_k + 2^31̂ instead of the condition IHV'_k = IHV_k. If this sub-instance returns False, then the main instance continues with the next combination of δB, i and δWS_i. Otherwise, the main instance returns True.

Given a message M, the average complexity of detecting whether M was constructed by a collision attack against MD5 using one of the given message differences is about 222 + 1 + 1 = 224 times the complexity of computing the MD5 hash of M. It has a conjectured false positive probability of about 222 · 2^{−128}.
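The following Python is an added worked example of the reconstruction in Fig. 2 and the MD5 test of Sect. 2.3; it is not code from the paper or from the HashClash toolkit. It implements MD5's compression function with individually invertible steps, then, for a block M_k and a guessed triple (δB, i, δWS_i), recomputes the sibling block's IHV'_k and IHV'_{k+1} and compares the latter with IHV_{k+1}. The triple list is an eight-entry illustration drawn from Appendix A (the [WY05] and [SSA+09] differences, both signs, both δWS_44 values), not the 222-entry list the paper uses; the den Boer–Bosselaers case carries the previous-block check described above. The function names, the `delta_block(...)` keyword form and the tuple layout of the triples are this example's own conventions.

```python
"""Alg. 2-1 for MD5: detect the last near-collision block of a collision attack.

Added example, not code from the paper or the HashClash toolkit. TRIPLES is an
eight-entry illustration drawn from Appendix A ([WY05] and [SSA+09] differences,
both signs, both delta_WS_44 values), not the full 222-entry list.
"""
import math
import struct

MASK = 0xFFFFFFFF
K = [int(abs(math.sin(t + 1)) * 2**32) & MASK for t in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
ZERO, TOP = (0,) * 4, (1 << 31,) * 4        # the paper's 0-hat and 2^31-hat

def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
def add4(u, v): return tuple((x + y) & MASK for x, y in zip(u, v))

def _f_g(t, b, c, d):                       # round function and message-word index of step t
    if t < 16: return (b & c) | (~b & d & MASK), t
    if t < 32: return (d & b) | (~d & c & MASK), (5 * t + 1) % 16
    if t < 48: return b ^ c ^ d, (3 * t + 5) % 16
    return c ^ (b | (~d & MASK)), (7 * t) % 16

def step(ws, m, t):
    """WS_{t+1} from WS_t = (a, b, c, d)."""
    a, b, c, d = ws
    f, g = _f_g(t, b, c, d)
    return d, (b + rotl((a + f + K[t] + m[g]) & MASK, S[t])) & MASK, b, c

def unstep(ws, m, t):
    """WS_t from WS_{t+1}: every MD5 step is a bijection on the working state."""
    a1, b1, c1, d1 = ws
    b, c, d = c1, d1, a1
    f, g = _f_g(t, b, c, d)
    return (rotl((b1 - b) & MASK, 32 - S[t]) - f - K[t] - m[g]) & MASK, b, c, d

def compress(ihv, m, trace_at=None):
    """MD5Compress(IHV, block) as (IHV_next, WS_i) with i = trace_at (0..63)."""
    ws, ws_i = ihv, None
    for t in range(64):
        if t == trace_at: ws_i = ws
        ws = step(ws, m, t)
    return add4(ihv, ws), ws_i

def pad_and_split(msg):
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    return [struct.unpack("<16I", padded[k:k + 64]) for k in range(0, len(padded), 64)]

def md5_hex(msg):
    ihv = IV
    for m in pad_and_split(msg): ihv, _ = compress(ihv, m)
    return struct.pack("<4I", *ihv).hex()

def sibling_ihvs(ihv_k, m, i, delta_b, delta_ws):
    """(IHV'_k, IHV'_{k+1}) of the sibling block M'_k = M_k + delta_b whose working
    state differs from WS_i by delta_ws just before step i (Fig. 2)."""
    m2 = tuple((x + y) & MASK for x, y in zip(m, delta_b))
    _, ws_i = compress(ihv_k, m, trace_at=i)
    fwd = back = add4(ws_i, delta_ws)
    for t in range(i, 64):                  # forwards to WS'_64
        fwd = step(fwd, m2, t)
    for t in range(i - 1, -1, -1):          # backwards to WS'_0 = IHV'_k
        back = unstep(back, m2, t)
    return back, add4(back, fwd)            # IHV'_{k+1} = IHV'_k + WS'_64

def delta_block(**words):                   # e.g. delta_block(m4=1 << 31, m11=1 << 15)
    d = [0] * 16
    for name, value in words.items(): d[int(name[1:])] = value & MASK
    return tuple(d)

_BASE = (delta_block(m4=1 << 31, m11=1 << 15, m14=1 << 31),               # [WY05]
         delta_block(m2=1 << 8, m4=1 << 31, m11=1 << 15, m14=1 << 31))    # [SSA+09]
TRIPLES = [(tuple((s * x) & MASK for x in db), 44, dws)                  # M'_k = M_k +/- delta_B
           for db in _BASE for s in (1, -1) for dws in (ZERO, TOP)]
DBB = (delta_block(), 32, TOP)              # den Boer-Bosselaers pseudo-collision

def detect_block(ihv_k, m, prev=None):
    """Step 3 of Alg. 2-1 for one block, with the paper's MD5 modification:
    prev = (IHV_{k-1}, M_{k-1}) is consulted only when the dBB combination fires."""
    ihv_next, _ = compress(ihv_k, m)
    for db, i, dws in TRIPLES:
        if sibling_ihvs(ihv_k, m, i, db, dws)[1] == ihv_next:
            return True
    if prev is not None and sibling_ihvs(ihv_k, m, DBB[1], DBB[0], DBB[2])[1] == ihv_next:
        want = add4(ihv_k, TOP)             # the preceding block must be a near-collision
        for db, i, dws in TRIPLES:          # block that produced IHV'_k = IHV_k + 2^31-hat
            if sibling_ihvs(prev[0], prev[1], i, db, dws)[1] == want:
                return True
    return False

def detect_message(msg):
    """Alg. 2-1 over every block; True means 'constructed by a collision attack'."""
    ihv, prev = IV, None
    for m in pad_and_split(msg):
        if detect_block(ihv, m, prev):
            return True
        prev, ihv = (ihv, m), compress(ihv, m)[0]
    return False
```

`detect_message(data)` costs about (number of triples + 1) compressions per block, which is the 224× factor the text derives once the full list is loaded; extending `TRIPLES` with the remaining Appendix A entries is a matter of adding tuples. A useful sanity check before trusting a deployment is that `sibling_ihvs` with zero differences returns exactly (IHV_k, IHV_{k+1}), which exercises both the forward and the inverted step functions.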
2.4 Application to SHA-1

Alg. 2-1 can be directly applied to SHA-1. Note that this is possible even though no actual colliding messages for SHA-1 are known yet. What remains is to determine possible combinations of values for message block differences δB, step i and working state differences δWS_i that belong to a feasible near-collision attack. All known attempts at a SHA-1 collision attack are based on combining local collisions according to a disturbance vector (DV_i)_{i=0}^{79} ∈ (Z/2^32 Z)^80. Furthermore, Manuel [Man11] has found that all proposed disturbance vectors can be categorized into two classes, as given in Tbl. B-1. A disturbance vector from the first class, denoted by I(j,b), is defined by DV_j = ... = DV_{j+14} = 0 and DV_{j+15} = 2^b. Similarly, a disturbance vector from the second class, denoted by II(j,b), is defined by DV_{j+1} = DV_{j+3} = RL(2^31, b), DV_{j+15} = 2^b and DV_{j+i} = 0 for i ∈ {0, 2, 4, 5, ..., 14}. For both classes, the remaining DV_0, ..., DV_{j−1} and DV_{j+16}, ..., DV_79 are determined through the message expansion relation. For a given disturbance vector (DV_i)_{i=0}^{79}, the necessary message block differences are the XOR differences (DW_i)_{i=0}^{15} = M_k ⊕ M'_k determined as

  DW_i := ⊕_{(j,r) ∈ R} RL(DV_{i−j}, r),   R = {(0,0), (1,5), (2,0), (3,30), (4,30), (5,30)},

where DV_{−1}, ..., DV_{−5} are given by the reversed message expansion relation

  DV_i = RR(DV_{i+16}, 1) ⊕ DV_{i+2} ⊕ DV_{i+8} ⊕ DV_{i+13},   i = −1, ..., −5.

For both disturbance vectors I(j,b) and II(j,b) there are no differences at step j+8; hence, to test for a near-collision block pair using either disturbance vector, we use Alg. 2-1 with the combination (DW_t)_{t=0}^{15}, i = j+8 and δWS_i = (0, 0, 0, 0, 0). Given the fact that no actual collisions are known yet, it is somewhat difficult to decide which triples to include. For this we refer to our recent analysis [...]
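As an added example (not the paper's code), the disturbance-vector construction and the DW formula of Sect. 2.4 in Python: from the sixteen words that define a class I(j,b) or II(j,b) vector it runs the SHA-1 message expansion forwards to DV_79 and backwards to DV_{−5}, then evaluates the XOR sum over R to obtain the sixteen message-word differences, returning the (δB, i = j+8, zero working-state difference) combination that Alg. 2-1 tests. The class definitions and both expansion relations are those stated above; the function names, the dict layout of the vector and the parameters used in the checks (j = 48 and j = 52, b = 0) are choices of this example, not vectors the page singles out.

```python
"""SHA-1 message-block differences from a disturbance vector (Sect. 2.4).

Added example, not code from the paper. Builds the full disturbance vector of
class I(j,b) or II(j,b) from the 16 words that define it, extends it to
DV_-5 .. DV_-1 with the reversed message expansion, and derives the XOR message
differences DW_0 .. DW_15 with the paper's formula over R.
"""
MASK = 0xFFFFFFFF

def rl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def rr(x, n):
    return rl(x, 32 - n % 32)

# R from the paper: DW_i = XOR over (off, rot) in R of RL(DV_{i-off}, rot)
R = ((0, 0), (1, 5), (2, 0), (3, 30), (4, 30), (5, 30))

def disturbance_vector(cls, j, b):
    """dict t -> DV_t for t in -5..79 of class I(j,b) (cls=1) or II(j,b) (cls=2).
    The class definition fixes DV_j .. DV_{j+15}; the rest follows from the SHA-1
    message expansion run forwards and backwards. Requires 0 <= j <= 64."""
    if not (0 <= j <= 64 and 0 <= b <= 31 and cls in (1, 2)):
        raise ValueError("unsupported class or out-of-range parameters")
    seed = [0] * 16
    seed[15] = 1 << b
    if cls == 2:
        seed[1] = seed[3] = rl(1 << 31, b)
    dv = {j + t: seed[t] for t in range(16)}
    for t in range(j + 16, 80):                       # forward expansion
        dv[t] = rl(dv[t - 3] ^ dv[t - 8] ^ dv[t - 14] ^ dv[t - 16], 1)
    for t in range(j - 1, -6, -1):                    # reversed expansion
        dv[t] = rr(dv[t + 16], 1) ^ dv[t + 2] ^ dv[t + 8] ^ dv[t + 13]
    return dv

def expansion_holds(dv):
    """W_t = RL(W_{t-3} ^ W_{t-8} ^ W_{t-14} ^ W_{t-16}, 1) for every t where defined."""
    return all(dv[t] == rl(dv[t - 3] ^ dv[t - 8] ^ dv[t - 14] ^ dv[t - 16], 1)
               for t in range(11, 80))

def message_differences(dv):
    """DW_0 .. DW_15 = M_k xor M'_k implied by the disturbance vector."""
    dw = []
    for i in range(16):
        x = 0
        for off, rot in R:
            x ^= rl(dv[i - off], rot)
        dw.append(x)
    return dw

def sha1_triple(cls, j, b):
    """The (delta_B, i, delta_WS_i) combination Alg. 2-1 would try for this vector."""
    dv = disturbance_vector(cls, j, b)
    return message_differences(dv), j + 8, (0, 0, 0, 0, 0)
```

`expansion_holds` is worth keeping next to the constructor: a disturbance vector that violates the expansion relation anywhere in −5..79 cannot correspond to any message pair, so it catches an off-by-one in either expansion direction before the resulting DW values are added to a detection list.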
[...]

Block | a = δQ61 | b = δQ64 | c = δQ63 | d = δQ62
1 | [31] | [31,25,-18,-15,-12,9,1] | [31,25,-14,-12,9] | [31,25]
2 | [31,5] | [-26,24,21,-14,-9,5,0] | [31,26,24,20,-9,5] | [31,-25,-9,5]
3 | [31] | [30,26,-24,20,-17,15,9,-3] | [31,26,-24,-14,9] | [31,25,9]
4 | [31] | [-25,14,-9,-5,3,0] | [31,-25,14,-9] | [31,-25,-9]
1+2 | [5] | [31,-24,21,-18,-16,14,-12,5,2,-0] | [27,-24,20,-14,-12,5] | [-9,5]
3+4 | [] | [30,24,20,-16,-14,-5,0] | [24] | []
1+4 | [] | [31,-18,-14,-12,-4,-2,-0] | [-12] | [-9]
2+3 | [5] | [30,22,-20,-17,14,5,-3,0] | [27,20,-14,5] | [5]
all | [5] | [-30,21,19,17,-12,2] | [27,20,-14,-12,5] | [-9,5]

Note: we use the compact notation [b_1, ..., b_n] for Σ_{i=1}^{n} sign(b_i) · 2^{|b_i|}.

In comparison, the first collision attack by Wang et al. was based upon the δIHV 'correction' ([31], [31,25], [31,25], [31,25]) used in two sequential near-collision attacks, where the second uses the negated 'correction' such that the two 'corrections' cancel out.

3. Bit differences in all bits of Q6, identical for blocks 1 & 3 and 2 & 4.

Block | q6[31] ... q6[0]
1 | ++----+----+---------+++++++++++
2 | +-++++++++++----------+---+-----
3 | ++----+----+---------+++++++++++
4 | +-++++++++++----------+---+-----

4. Highest density of bit conditions found on Q4, ..., Q8. The four differential paths have, respectively, only 8, 4, 6 and 5 bits of freedom left out of those 160 bits of Q4, ..., Q8.

5. Fixed differences δQ6, ..., δQ60. The differential paths of the first and third block (which use the same message block differences) use the same differences δQ6, ..., δQ60. Similarly, the differential paths of the second and fourth block (which also use the same message block differences) use the same differences δQ6, ..., δQ60.

6. Advanced message modification not maximized. One of the key message modifications to speed up the collision search are tunnels [Kli06]. The best and most important tunnel allows a simple message modification that leaves all bit conditions on Q1, ..., Q24 intact. For Flame's differential paths, this tunnel can maximize the time spent on steps 24 and onwards. This tunnel is based on flipping a bit Q9[b] with no bit condition and requires that Q10[b] = Q'10[b] = 0 and Q11[b] = Q'11[b] = 1. As shown in the table below, the near-collision blocks show a significantly lower tunnel strength than the maximal strength possible based on just the differential paths.³

³ The 'avg. strength' is the average strength that would be observed if the extra conditions on Q10 and Q11 were each fulfilled randomly and the tunnel were not used.

[...]

[...] obtain the required amount of lower/upper path pairs. Overall, this would imply that Flame's method has higher complexity and results in differential paths with fewer degrees of freedom. We were able to perform a somewhat simple quantitative comparison of Flame's differential paths with differential paths constructed using our publicly available HashClash toolkit [HC]. In an experiment we tried to find a replacement path for Flame's first differential path with as few bit conditions as possible. The resulting differential path is given in Tbl. D-1 and has only 266 bit conditions over Q1, ..., Q24, which is 62 fewer than the 328 bit conditions of Tbl. C-1. In another experiment we tried to construct a differential path with the HashClash toolkit in a very short amount of time; the result was an average runtime of only 15 seconds on an Intel i7-2600 CPU, leading to differential paths with about 276 bit conditions, which is still 52 bit conditions fewer than Flame's path. This experiment used only 20,000 lower and 20,000 upper partial paths, leading to a total of 400,000,000 pairs. Future research might provide insights into the minimum complexity of constructing differential paths with the same characteristics as in Sect. 3.3; however, we have no results in this direction at this point in time.
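The tunnel-strength comparison of Observation 6 can be reproduced from a path's bit-condition rows alone. The Python below is an added example, not the paper's tooling: given the rows for Q9, Q10 and Q11 in the layout of Tbl. C-1, it counts the bits b usable for the Q9[b] tunnel (Q9[b] unconstrained, Q10[b] = Q'10[b] = 0 and Q11[b] = Q'11[b] = 1 not contradicted by the path) and the average strength when those two extra conditions are left to chance, i.e. the footnote's 'avg. strength'. The symbol semantics are an assumption of this example, since the page does not print the table legend: '.' no condition, '0'/'1' a fixed bit with no difference, '+'/'-' a difference bit, and any other symbol a condition tied to a neighbouring state that flipping Q9[b] could break. The sample rows are the Q9–Q11 rows of Tbl. C-1 as printed on this page; the paper's own strength table is not reproduced here, so the numbers below are this example's, not the paper's.

```python
"""Tunnel strength of an MD5 differential path from its bit conditions (Obs. 6).

Added example, not from the paper. Rows are 32 condition symbols, q_t[31] on
the left and q_t[0] on the right, as in Tbl. C-1. Symbol meanings are assumed:
'.' free, '0'/'1' fixed bit without difference, '+'/'-' difference bit, anything
else a condition on neighbouring states that the tunnel must not disturb.
"""

# P(Q10[b] = Q10'[b] = 0) and P(Q11[b] = Q11'[b] = 1) when the condition symbol is
# left to chance ('.') or already fixed to the required value.
P_ZERO = {".": 0.5, "0": 1.0}
P_ONE = {".": 0.5, "1": 1.0}

def tunnel_strength(q9, q10, q11):
    """Return (max_strength, avg_strength, usable_bits) for the Q9[b] tunnel.

    max_strength counts bits where the tunnel can be enabled by enforcing
    Q10[b] = 0 and Q11[b] = 1; avg_strength is the expected number of those bits
    that happen to satisfy both conditions when nothing enforces them."""
    if not len(q9) == len(q10) == len(q11) == 32:
        raise ValueError("each row must hold exactly 32 condition symbols")
    usable, avg = [], 0.0
    for pos in range(32):
        bit = 31 - pos                        # column 0 is bit 31
        if q9[pos] != ".":
            continue                          # Q9[b] carries a condition: cannot flip it
        p10 = P_ZERO.get(q10[pos], 0.0)
        p11 = P_ONE.get(q11[pos], 0.0)
        if p10 == 0.0 or p11 == 0.0:
            continue                          # the path forbids Q10[b]=0 or Q11[b]=1
        usable.append(bit)
        avg += p10 * p11
    return len(usable), avg, usable

# Rows 9, 10 and 11 of Tbl. C-1 (near-collision block 1) as transcribed on this page.
FLAME_BLOCK1_Q9 = "..0.1........-..0.10+...0-....0."
FLAME_BLOCK1_Q10 = "..0^...1^....0..0^0-1....1....+."
FLAME_BLOCK1_Q11 = "..0-...1+....-...+-01....0..^.1."

def flame_block1_strength():
    """Tunnel strength of Flame's first path under the assumptions above."""
    return tunnel_strength(FLAME_BLOCK1_Q9, FLAME_BLOCK1_Q10, FLAME_BLOCK1_Q11)
```

Comparing `flame_block1_strength()` against the strength actually observed in a recovered near-collision block is the measurement the observation describes: a value near the average means the tunnel was not exploited, a value near the maximum means the extra Q10/Q11 conditions were enforced during the search.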
3.5 Near-collision block search

Though Observation 6 indicates that the best tunnel strength is not maximized, it is also clear that this tunnel (or a slightly weaker version) is actually used, as the observed tunnel strength is significantly higher than what would be observed if this tunnel was not used (cf. 'avg. strength' at Obs. 6). A reasonable guess is that they used tunnels in a dynamic manner, depending on whether the necessary conditions on Q10 and Q11 were fulfilled. Given the low number of bit conditions on Q18, ..., Q24 and sufficiently high tunnel strengths, we can reasonably say that the near-collision block search complexity is dominated by the cost of steps 24 up to 63. We have experimentally determined the success probability over steps 24 up to 63 for each of the near-collision blocks; these are given in Tbl. 3-1 together with lower bounds for the average complexity in MD5 compression function calls. Note that because the inner-most loop computes at least 9 steps of the compression function, this search is well suited for massively parallel architectures, in contrast to our chosen-prefix collision attack.

Table 3-1. Near-collision blocks: complexity lower bounds

Block | estimated probability of steps 24–63 | average complexity lower bound
1 | 2^{−38.8} | 2^{36.0}
2 | 2^{−46.8} | 2^{44.0}
3 | 2^{−33.6} | 2^{30.8}
4 | 2^{−33.3} | 2^{30.5}
[WY05] | 2^{−20.5} | 2^{17.7}

3.6 Birthday and reduction procedures

The δIHV resulting from the birthday procedure can be observed as the differences for t = −3, −2, −1, 0 of the first differential path (Tbl. C-1):

  δIHV = (−2^5, −2^2 + 2^12 − 2^17 − 2^19 − 2^21 + 2^30, −2^5 + 2^12 + 2^14 − 2^20 − 2^27, −2^5 + 2^9).

Based on the available space in the certificate, our initial guess is that Flame uses 64 birthday bits over the first and last word of the IHV (matching t = −3 and t = −2 of the first path). However, this does not immediately imply that Flame's birthday search has a complexity of about 2^32 MD5 compressions, as not every birthday collision is usable. In fact, the two random-looking differences have very low weights of 6 and 5 bit differences, whereas the uniform distribution that might be expected from an arbitrary birthday collision would actually lead to an average of about 11 bit differences each. Just aiming at such a low-weight distribution would result in a birthday complexity of about 2^42 MD5 compressions. However, lacking a systematic family of differential paths like that of [SSA+09], it is almost certain that the positions of the bit differences are also important, which further increases the birthday complexity. Further research may provide more insight into which δIHV corrections are possible within the observed near-collision block complexities and the effect thereof on the birthday search and its complexity.
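The weights quoted in Sect. 3.6 and the compact [b_1, ..., b_n] notation used throughout Sect. 3 are easy to get wrong by hand because a 32-bit additive difference has many signed-bit representations. The Python below is an added example, not the paper's code: it parses and prints the compact notation, computes the minimum number of signed bits a difference mod 2^32 needs (via the non-adjacent form of both integer lifts of the residue), checks that Flame's two birthday differences weigh 6 and 5, and estimates by sampling the average weight of a uniformly random 32-bit difference, the 'about 11' the text contrasts them with. The function names, the (sign, position) pair representation and the sample size are this example's own.

```python
"""Signed-bit differences mod 2^32: compact notation and minimum weight (Sect. 3).

Added example, not from the paper. [b1,...,bn] denotes sum_i sign(b_i) * 2^|b_i|,
with '-0' for -2^0; a difference's weight is the fewest signed bits that can
represent it modulo 2^32.
"""
import random

MOD = 1 << 32

def parse_bits(text):
    """'[31,-25,-0]' -> [(1, 31), (-1, 25), (-1, 0)] as (sign, position) pairs."""
    out = []
    for tok in text.strip("[]").split(","):
        tok = tok.strip()
        if tok:
            out.append((-1 if tok.startswith("-") else 1, int(tok.lstrip("-"))))
    return out

def format_bits(bits):
    """Inverse of parse_bits, highest position first, as in the paper's tables."""
    ordered = sorted(bits, key=lambda sp: -sp[1])
    return "[" + ",".join(("-" if s < 0 else "") + str(p) for s, p in ordered) + "]"

def to_difference(bits):
    """Additive difference mod 2^32 denoted by a signed-bit list."""
    return sum(s * (1 << p) for s, p in bits) % MOD

def naf(x):
    """Non-adjacent form of an integer: the unique minimum-weight signed-bit
    representation with no two adjacent non-zero positions (works for x < 0)."""
    out, p = [], 0
    while x != 0:
        if x & 1:
            s = 1 if (x & 3) == 1 else -1
            out.append((s, p))
            x -= s
        x >>= 1
        p += 1
    return out

def min_weight_bits(diff):
    """Lightest signed-bit representation of diff mod 2^32. The residue has two
    integer lifts, diff and diff - 2^32; whichever NAF would need position 32 is
    always strictly heavier than the other, so the minimum fits in 32 bits."""
    diff %= MOD
    cands = [naf(diff), naf(diff - MOD)]
    return min(cands, key=lambda b: (len(b), max((p for _, p in b), default=-1)))

def weight(diff):
    return len(min_weight_bits(diff))

def average_random_weight(samples=20000, seed=2013):
    """Monte Carlo estimate of E[weight] for a uniformly random 32-bit difference."""
    rng = random.Random(seed)
    return sum(weight(rng.getrandbits(32)) for _ in range(samples)) / samples

# Flame's birthday differences from Sect. 3.6: words b and c of delta-IHV.
FLAME_B = parse_bits("[30,-21,-19,-17,12,-2]")   # -2^2 + 2^12 - 2^17 - 2^19 - 2^21 + 2^30
FLAME_C = parse_bits("[-27,-20,14,12,-5]")       # -2^5 + 2^12 + 2^14 - 2^20 - 2^27
```

`weight(to_difference(FLAME_B))` and `weight(to_difference(FLAME_C))` give 6 and 5, and `average_random_weight()` lands between 10 and 11, so the gap the text relies on is visible directly: a birthday search that only accepts such light differences has to discard the large majority of its collisions.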
3.7 Preliminary conclusions

Firstly, Flame's method to construct differential paths seems to be sub-optimal compared to those obtained with our public HashClash toolkit [HC]. Secondly, so far we have been able to provide a weak lower bound for the birthday search and good lower bounds for the near-collision block search complexities. These lower bounds together indicate that Flame's new variant of the chosen-prefix collision attack likely costs more than 2^{44.3} MD5 compressions. How much more remains an open question, as the birthday search complexity is inaccurate and it does not yet include the cost of the differential path construction. Also note that we have only one instance of a chosen-prefix collision from Flame's new variant attack, making it uncertain how close the observed near-collision block search complexities are to what can be expected on average with Flame's attack. In comparison, the average complexity of our 2009 chosen-prefix collision attack for four near-collision blocks appears to be dominated by the birthday search complexity of 2^{44.55} MD5 compression function calls (cf. [SSA+09, Table 2] using r = 4 and w = 5). Comparing the weak lower bound with this cost, the theoretical complexity of Flame's attack is not significantly lower than that of our attack. Nevertheless, Flame's attack might be more cost-effective due to the suitability of the collision search for massively parallel architectures.

4 Conclusion

We have introduced counter-cryptanalysis as a new paradigm for strengthening weak cryptographic primitives. Also, we have presented the first example thereof, [...]

References

[...]
[SSA+09] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger, Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate, CRYPTO 2009 (Shai Halevi, ed.), Lecture Notes in Computer Science, vol. 5677, Springer, 2009, pp. 55–69.
[Ste13] Marc Stevens, New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis, EUROCRYPT 2013 (Thomas Johansson and Phong Q. Nguyen, eds.), Lecture Notes in Computer Science, vol. 7881, Springer, 2013, pp. 245–261.
[VJBT08] Jiří Vábek, Daniel Joščák, Milan Boháček, and Jiří Tůma, A New Type of 2-Block Collisions in MD5, INDOCRYPT 2008 (Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, eds.), Lecture Notes in Computer Science, vol. 5365, Springer, 2008, pp. 78–90.
[WY05] Xiaoyun Wang and Hongbo Yu, How to Break MD5 and Other Hash Functions, EUROCRYPT 2005 (Ronald Cramer, ed.), Lecture Notes in Computer Science, vol. 3494, Springer, 2005, pp. 19–35.
[XF09] Tao Xie and Dengguo Feng, How To Find Weak Input Differences For MD5 Collision Attacks, Cryptology ePrint Archive, Report 2009/223, 2009.
[XF10] Tao Xie and Dengguo Feng, Construct MD5 Collisions Using Just A Single Block Of Message, Cryptology ePrint Archive, Report 2010/643, 2010.
[XFL08] Tao Xie, Dengguo Feng, and Fanbao Liu, A New Collision Differential For MD5 With Its Full Differential Path, Cryptology ePrint Archive, Report 2008/230, 2008.
[XLF08] Tao Xie, Fanbao Liu, and Dengguo Feng, Could The 1-MSB Input Difference Be The Fastest Collision Attack For MD5?, Cryptology ePrint Archive, Report 2008/391, 2008.

A List of possible feasible MD5 near-collision attacks

Non-zero message block differences used in published near-collision attacks are:
– δB = (m11 = 2^15, m4 = m14 = 2^31) [WY05]: i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m2 = 2^8, m11 = 2^15, m4 = m14 = 2^31) [SSA+09]: i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m11 = 2^b) for b ∈ {0, ..., 30} [SLdW07]: i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m11 = 2^31) [SLdW07]: i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m5 = 2^10, m10 = 2^31) [XF10]: i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m8 = 2^31) [XLF08]: i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m6 = 2^8, m9 = m15 = 2^31) [XFL08]: i = 37, δWS_37 ∈ {0̂, 2^31̂};
– δB = (m9 = 2^27, m2 = m12 = 2^31) [VJBT08]: i = 37, δWS_37 ∈ {0̂, 2^31̂}.

Other non-zero message block differences taken from [XF09] and [XLF08] are:
– δB = (m4 = 2^20, m7 = m13 = 2^31): i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m2 = 2^8): i = 37, δWS_37 ∈ {0̂, 2^31̂};
– δB = (m5 = 2^10, m11 = 2^21): i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m5 = 2^10, m11 = 2^31): i = 44, δWS_44 ∈ {0̂, 2^31̂};
– δB = (m5 = 2^31, m8 = 2^31): i = 44, δWS_44 ∈ {0̂, 2^31̂};
[...]

C Flame's differential paths

Table C-1. Differential path of near-collision block 1

t | bit conditions: q_t[31] ... q_t[0]
-3 | ..........................-.....
-2 | 00.......1.1.01....1..+...-.10..
-1 | 110-+..1.1.-.00..+.+......-110..
0 | +-100..0.-0+^++1.0.+0.11.110-+..
1 | 0+-++..-.-0++-+0011-0..1110+++..
2 | +0-0-.00.-++00+-0-1-+.1+1+-0++^.
3 | +010-000.-+++0+1+--.+^1+-+-+++-.
4 | -00-10+..11-+-0++++11--0-101-+0.
5 | 0-+-++-^^0110+1--110+0-0-0001+1^
6 | ++----+----+---------+++++++++++
7 | 111.-1111101011.110-1001+0100.00
8 | 00+0.11110111101-1101100.1110011
9 | ..0.1........-..0.10+...0-....0.
10 | ..0^...1^....0..0^0-1....1....+.
11 | ..0-...1+....-...+-01....0..^.1.
12 | .1-1..^+1....+...0+0........+.1.
13 | .0+1..-+1....0..100....1....0...
14 | .-+...1......1..1.+....1....1...
15 | .0+...10........-.0....-....-...
16 | .1+......0........^.............
17 | ..1......1....0.^......^....^...
18 | ..0......+....1.................
19 | ..............-.................
20 | 0........^......................
21 | 0.............^.................
22 | -...............................
23 | ................................
24 | ^...............................
25–32 | ................................
33 | 0...............................
34 | 1...............................
35–59 | X...............................
60 | X.11110.........................
61 | X.11000..........001.00.........
62 | X.+----............0............
63 | X.?0??+..........--+.+-.........
64 | X......+++++++..-..-.+-......+-.
δm4 = δm14 = 2^31, δm11 = 2^15

Table C-2. Differential path of near-collision block 2

t | bit conditions: q_t[31] ... q_t[0]
-3 | +.........................-.....
-2 | -1....+..1.1.0..0....1+..-+...0.
-1 | +01.-.+1.0-+.0^.011+---1-++.0.10
0 | 1-0.1.+0^-0+1+-1-1011+-0001.1^-1
1 | 10-.01.++++-0+10--+111+-+--0-+1-
2 | .01.-01100+-++0+0--+.--0++10+0+0
3 | ..1.-+11+001++^+01-+01100+1++0++
4 | ..-.1-11++1-++-+-1111--+++0+-+-1
5 | ^^1^+1--10-010110+10-1-+0-+++000
6 | +-++++++++++----------+---+-----
7 | 0010-000011110111011-11110.10010
8 | 000001001111111+-10011111-010111
9 | ...-1....-.....10..1+....1....^.
10 | ...0...0^0.....01..+0....0....-.
11 | ..0+..^0-1...^.....01.........1.
12 | .001..-+0....-....01..........1.
13 | .1-1..0-1....0..1^1....1....1...
14 | .-+...10.....0..1-+....1....1...
15 | .0+....0........+01....+....-...
16 | .^+......0.......^^.............
17 | ..1......1....0.^......^....^...
18 | ..0......-....1.................
19 | ..............-.................
20 | 0........^......................
21 | 0.............^.................
22 | -...............................
23 | ................................
24 | ^...............................
25–32 | ................................
33 | 1...............................
34 | 0...............................
35–58 | X...............................
59 | X.........................0.....
60 | X.....0............1001.110.....
61 | X....100...0.......1..1.00+.....
62 | X....1-............-+++.+--.....
63 | X....++-...+.......???-.?+-.....
64 | ......--..+......-....-..+-....+
δm4 = δm14 = 2^31, δm11 = −2^15

[...]

Table C-4. Differential path of near-collision block 4

t | bit conditions: q_t[31] ... q_t[0]
-3 | +...............................
-2 | +....0+.........000+---...000..1
-1 | +....+-.11...-++++1101+.10011..1
0 | 001.1+-.01^.^111-++----011+-+11-
1 | 011.0.+.-+-^++1+++0000-1+--0-11+
2 | +--.-0-.-+1+0--01+1-1-++-1-00+--
3 | +--1-^1..+100--+10---1+0---0++-1
4 | -010+-1.10-1-01+0-000-1-0+-10-1-
5 | +00-+00^0++-11-0+++0-11101-+-100
6 | +-++++++++++----------+---+-----
7 | .111-11001.010.00101-1101101.011
8 | 111101100101000+-01011110-100111
9 | ...-1....-.....10..1+....1....^.
10 | ...0...0^0.....01..+0....0....-.
11 | ..0+..^0-1...^.....01.........1.
12 | .001..-+0....-...111..........1.
13 | .1-1..0-1....0..100....1....1...
14 | .-+...10.....0..1-+....1....1...
15 | .0+....0........+01....+....-...
16 | .^+......0.......^^.............
17 | ..1......1....0.^......^....^...
18 | ..0......-....1.................
19 | ..............-.................
20 | 0........^......................
21 | 0.............^.................
22 | +...............................
23 | ................................
24 | ^...............................
25–32 | ................................
33 | 0...............................
34 | 1...............................
35–59 | X...............................
60 | X.....0..............00.........
61 | X.....1.........11....1.........
62 | X.....-.........10...-+.........
63 | X.....-.........+-...?-.........
64 | ....-++.........+-....-...-.+..+
δm4 = δm14 = 2^31, δm11 = −2^15