We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of \(2^{50}\) calls to the MD5 compression function, for any two chosen message prefixes P and P′, suffixes S and S′ can be constructed such that the concatenated values P||S and P′||S′ collide under MD5. Although the practical attack potential of this construction of chosen-prefix collisions is limited, it is of greater concern than random collisions for MD5. To illustrate the practicality of our method, we constructed two MD5 based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing chosen-prefix collisions. More details than can be included here can be found on www.win.tue.nl/hashclash/ChosenPrefixCollisions/.

... But, it is not suitable for the applications depending on the Secure Socket Layer (SSL) certificates or digital signatures. Stevens et al. [7] generated X.509 certificates with the similar signatures and dissimilar public keys, based on the MD5 algorithm. The SHA-1 hash function is found to be highly vulnerable [8]. ...

... Figure 2 shows the block diagram of LTCHA algorithm. Step 1: Transform each character of X into the 8-bit binary // = 0 , 1 , … , 7 Step 2: Apply definite padding ...

... This quality is used in the pheromone update of the next iteration [43]. Step 5: Apply the local pheromone for every edge ( , ) based on eqn (5) Step 6: Update global pheromone according to eqn (7) Step 7: Increment Current_iteration_t by one Execute ACO procedure with input temp_List_of_Tasks and n End Do ...

The cryptographic hash algorithms play a significant role in preserving data security in wireless networks. The most frequently used hash algorithms, such as Message Digest (MD5) and Secure Hash Algorithm (SHA1), need high computational overhead, which an energy-starved network cannot afford. The major constraints in such a network are communication, computation and storage overheads. To overcome these issues, this paper develops a Light-Weight Two-Way Cryptographic Hash Algorithm (LTCHA) for generating a hash digest of minimum length for the energy-starved network, and uses it for two-way authentication between the user and the Cloud Service Provider (CSP). The Third Party Auditor (TPA) approves the CSP if the identity (ID) and hash code of the user match the generated ID and hash code. After receiving the approval, the user can upload the file to the service provider. The file is split, and each part is allocated to a suitable Virtual Machine (VM) in the cloud by using an ACO-based task allocation algorithm. The proposed LTCHA algorithm requires lower energy consumption, overall execution time, key size, encryption time and file-upload time than the existing schemes.

... The limitation of the identical-prefix collision attack is that the message blocks before the colliding message need to be identical. Later, Stevens et al. overcame the shortcoming [5]. They introduced the chosen-prefix collision attack in that prefix message blocks can be chosen arbitrarily. ...

... Chaining value differences are \(\delta Q_t = 2^{31}\) (\(25 \le t \le 26\), \(28 \le t \le 30\)), \(\delta Q_t = \pm 2^{5}\) (\(57 \le t \le 59\)), \(\delta Q_{27} = 2^{31} \pm 2^{17}\). Unavoidable sufficient conditions are \(Q_{57}[5]\) 3) NICS3 element has two classes and uses type II difference. Message difference is \(\delta M = \pm(\delta m_6 = 2^{8},\ \delta m_9 = \delta m_{15} = 2^{31})\). ...

One application of counter-cryptanalysis is detecting whether a message block is involved in a collision attack, as is done for MD5 and SHA-1. Stevens and Shumow sped up the detection of SHA-1 by introducing unavoidable conditions on message blocks. They left a challenge: how to determine unavoidable conditions for MD5. Later, Shen et al. found that the unavoidable conditions of MD5 are the sufficient conditions located in the last round of the differential paths. In this paper, we carry this work further. We discover sufficient conditions in the second round that can also be used as unavoidable conditions. With these additional sufficient conditions, we subdivide three sets and distinguish seven more classes. As a result, compared with Shen's collision detection algorithm, our improved algorithm reduces the collision detection cost by 8.18%. Finally, we find that such conditions do exist in the differential paths constructed by the automatic tool "HashClash".

... • Edge and IE consider MD5 as secure, so a server certificate signed or forged by this broken algorithm [4], [5] is accepted without warnings. Meanwhile, all browsers show no warnings on certificates binding 1024-bit RSA key pairs, which are prohibited in the community [6], [7]. ...

... The collisions of MD5 and SHA-1 have been found [25], [26], and the weakness of MD5 was exploited to successfully forge certificates [4], [5]. However, Edge and IE do not show any warnings on certificates signed by MD5 or SHA-1. ...

... At Eurocrypt 2007, different certificates with the same signature were first created by Stevens based on the chosen-prefix collision attack of MD5 [3][4][5]. This was a big event for commercial CAs and their users because this kind of forged certificate can be verified successfully. ...

... Step 7: Attacker uses the candidate serial numbers, T f as "not before", and f + v as "not after", to generate forged certificates according to the Stevens's method [3]. ...

In 2007, a real forged X.509 certificate based on a chosen-prefix collision of MD5 was presented by Marc Stevens. In that method, besides constructing the MD5 collision pair, attackers needed to predict the serial number of the X.509 certificate generated by the CA. After that, randomness of the serial number became a requirement. In this case, how can the random serial number be predicted? We reviewed the way OpenSSL generates serial numbers and found that the value of the “not before” field of X.509 certificates generated by OpenSSL leaks the time at which the certificate was generated. Since that time is the seed for generating the serial number in OpenSSL, we can limit the seed to a narrow range, obtain a series of candidate serial numbers, and use these candidates to construct forged X.509 certificates through Stevens’s method. Although the MD5 algorithm has been replaced by CAs, this kind of attack will be feasible again if chosen-prefix collisions of current hash functions are found in the future. Furthermore, we investigate the way certificate serial numbers are generated in other open source libraries, such as EJBCA, CFSSL, NSS, Botan, and Fortify.

... A project MD5CRK that attempted to find a collision by brute force was halted early in 2004, when a team of researchers led by Xiaoyun Wang [43] demonstrated collisions for MD5 found by a groundbreaking special cryptanalytic attack that pioneered new techniques. In a major development, Stevens et al. [38] later showed that a more powerful type of attack (the so-called chosen-prefix collision attack ) could be performed against MD5. This eventually led to the forgery of a Rogue Certification Authority that in principle completely undermined HTTPS security [39] in 2008. ...

... A similar meet-in-the-middle algorithm was independently first developed for MD5 and then adapted to SHA-1 by Stevens et al. [38,34,15], which operates on bit-slices and is more efficient. The open-source HashClash project [15] seems to be the only publicly available non-linear path construction implementation, which we improved as follows. ...

SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.

... The security properties required from hash functions depend on the intended purpose. For example, a collision attack on the used hash functions has catastrophic consequences when it is used in signature schemes (see [9] for an attack scenario), whereas this is not necessarily problematic when it is used in HMACs. Nevertheless, insecure hash functions should not be used anymore, independently of their area of application. ...

Hash functions are one-way functions that map arbitrary-length input to fixed-length output. Moreover, they have many cryptographic applications, such as integrity checks, password storage, and signatures. Cryptographic hash functions have some additional properties that can be formulated as hard problems: pre-image resistance, second pre-image resistance, and collision resistance. A significant technological development in this area is unlikely. Standardized hash functions are considered secure, and open-source implementations can be used at no cost. To conclude, the security properties required from hash functions depend on the intended purpose.

... To detect the root cause in a blue node , SSDTutor performs a forward program slicing technique to analyze the enclosing method hashEncrypt() and identifies the method invocation statement SDBaseEncrypt.hashTemplate() and a weak algorithm "MD2" by matching the pattern rule Weak-HF. Using insecure cryptographic hash algorithms such as MD2 in crypto APIs is susceptible to hash collision [105,106] and pre-image [107,83] as well as vulnerabilities from feasible brute-force attacks [108]. ...

Application Programming Interfaces (APIs) in cryptography typically impose concealed usage constraints. The violations of these usage constraints can lead to software crashes or security vulnerabilities. Several professional tools can detect these constraints (API misuses) in cryptography; however, in the educational programs, the focus has been less on helping students implement an application without cryptographic API misuses that are caused by either a lack of cryptographic knowledge or programming mistakes.
To address the problem, we present an intelligent tutoring approach SSDTutor for educating Secure Software Development. Our tutoring approach helps students or developers repair cryptographic API misuse defects by leveraging an automated program repair technique based on the usage patterns of cryptographic APIs. We studied the best practices of cryptographic implementations and encoded eight cryptographic API usage patterns. For quality feedback, we leverage a clone detection technique to recommend related feedback for helping students understand why their programs are incorrect, rather than blindly accepting repairs.
We evaluated SSDTutor on 456 open source subject projects implemented with cryptographic APIs. SSDTutor successfully detected 1,553 out of 1,573 misuse defects with 98.9% accuracy and repaired 1,551 out of 1,573 misuse defects with 99.3% accuracy. In a user study involving 22 students, the participants reported that interactive SSDTutor's feedback recommendation could be valuable for novice students to learn about the correct usages of cryptography APIs.

... ≤ 1024 bits) is not yet extinct in the WPA2-Enterprise ecosystem, with about 5% of the certificates embedded in CAT profiles still using one. Interestingly, despite the known weakness in collision resistance [54,57,63], MD5-based signatures can still be found on a few certificates. Similarly, SHA1 is also collision-prone under various settings [44,55,56], but nearly half of the certificates embedded in the CAT profiles have SHA1-based signatures. ...

In this paper, we perform the first multifaceted measurement study to investigate the widespread insecure practices employed by tertiary education institutes (TEIs) around the globe when offering WPA2-Enterprise Wi-Fi services. The security of such services critically hinges on two aspects: (1) the connection configuration on the client side; and (2) the TLS setup on the authentication servers. Weaknesses in either can leave users susceptible to credential theft. Typically, TEIs prescribe to their users either manual instructions or pre-configured profiles (e.g., eduroam CAT). For studying the security of configurations, we present a framework in which each configuration is mapped to an abstract security label drawn from a strict partially ordered set. We first used this framework to evaluate the configurations supported by the user interfaces (UIs) of mainstream operating systems (OSs), and discovered many design weaknesses. We then considered 7045 TEIs in 54 countries/regions, and collected 7275 configuration instructions from 2061 TEIs. Our analysis showed that the majority of these instructions lead to insecure configurations, and nearly 86% of those TEIs can suffer from credential theft on at least one OS. We also analyzed a large corpus of pre-configured eduroam CAT profiles and discovered several misconfiguration issues that can negatively impact security. Finally, we evaluated the TLS parameters used by the authentication servers of thousands of TEIs and discovered perilous practices, such as the use of expired certificates, deprecated versions of TLS, weak signature algorithms, and suspected cases of private key reuse among TEIs. Our long list of findings has been responsibly disclosed to the relevant stakeholders, many of whom have already acknowledged them positively.

... Cryptographic hash functions such as MD5, SHA-1, SHA-3, and BLAKE etc. were designed to provide security guarantees. In 2005, Wang and Yu [28] broke MD5 by providing a method to construct collisions, and in recent years researchers have made these attacks more efficient and practical [18,23,24]. Thus, applications should avoid using MD5 and migrate to stronger hash functions like SHA-3. ...

... Chosen Prefix Collision Attack. Stevens, Lenstra and de Weger [15] proposed the chosen prefix collision attack for a hash function. In this attack, we decide a pair (P, P ′ ) of prefixes beforehand and find a collision (P ||S, P ′ ||S ′ ). ...

Weakened random oracle models (WROMs) are variants of the random oracle model (ROM). A WROM has the random oracle and an additional oracle that breaks some property of a hash function. By analyzing the security of cryptographic schemes in WROMs, we can specify the property of a hash function on which the security of a scheme depends. Liskov (SAC 2006) proposed WROMs and later Numayama et al. (PKC 2008) formalized them as CT-ROM, SPT-ROM, and FPT-ROM. In each model, the additional oracle breaks collision resistance, second preimage resistance, and preimage resistance respectively. Tan and Wong (ACISP 2012) proposed the generalized FPT-ROM (GFPT-ROM), which was intended to capture the chosen prefix collision attack suggested by Stevens et al. (EUROCRYPT 2007). In this paper, in order to analyze the security of cryptographic schemes more precisely, we formalize GFPT-ROM and propose three additional WROMs which capture the chosen prefix collision attack and its variants. In particular, we focus on signature schemes such as RSA-FDH, its variants, and DSA, in order to understand the essential roles of WROMs in their security proofs.

... In 2005, Lenstra joined Wang to apply this cryptographic vulnerability to X.509 certificates, a cornerstone of the public key infrastructure that enables protocols like HTTPS, and was able to construct pairs of colliding certificates [LWdW05]. Amidst doubts that a certificate authority would sign such suspicious certificates, or that they would even be exploitable once issued because they lacked "meaningful" structure, Stevens joined Lenstra et al. in 2007 to extend the original random collision attack on MD5 to a chosen-prefix collision attack [SLdW07]. This work culminated in 2009, when Stevens et al. announced that they had managed to forge a X.509 certificate with certificate authority privileges that passed verification on all major browsers [SSA + 09], causing vendors to immediately obsolete MD5. ...

We present attacks on the cryptography formerly used in the IOTA blockchain, including under certain conditions the ability to forge signatures. We developed practical attacks on IOTA’s cryptographic hash function Curl-P-27, allowing us to quickly generate short colliding messages. These collisions work even for messages of the same length. Exploiting these weaknesses in Curl-P-27, we broke the EUCMA security of the former IOTA Signature Scheme (ISS). Finally, we show that in a chosen-message setting we could forge signatures and multi-signatures of valid spending transactions (called bundles in IOTA).

... On the other hand, there exists a series of research on reducing the complexity and monetary costs for finding SHA1 and MD5 collisions to within reach of resourceful adversaries [20,[29][30][31][32]39,40], and vendors of major desktop browsers have already been rejecting SHA1 and MD5 certificates. However, their use as HMAC in TLS is not immediately problematic [RFC6151], as the security argument for HMAC does not depend on the collision resistance of the hash function [6]. ...

Increasingly more mobile browsers are developed to use proxies for traffic compression and censorship circumvention. While these browsers can offer such desirable features, their security implications are, however, not well understood, especially when tangled with TLS in the mix. Apart from vendor-specific proprietary designs, there are mainly 2 models of using proxies with browsers: TLS interception and HTTP tunneling. To understand the current practices employed by proxy-based mobile browsers, we analyze 34 Android browser apps that are representative of the ecosystem, and examine how their deployments are affecting communication security. Though the impacts of TLS interception on security was studied before in other contexts, proxy-based mobile browsers were not considered previously. In addition, the tunneling model requires the browser itself to enforce certain desired security policies (e.g., validating certificates and avoiding the use of weak cipher suites), and it is preferable to have such enforcement matching the security level of conventional desktop browsers. Our evaluation shows that many proxy-based mobile browsers downgrade the overall quality of TLS sessions, by for example allowing old versions of TLS (e.g., SSLv3.0 and TLSv1.0) and accepting weak cryptographic algorithms (e.g., 3DES and RC4) as well as unsatisfactory certificates (e.g., revoked or signed by untrusted CAs), thus exposing their users to potential security and privacy threats. We have reported our findings to the vendors of vulnerable proxy-based browsers and are waiting for their response.

... In addition, static initialization vectors (IVs) in cipher block chaining (CBC) and electronic codebook (ECB) modes are insecure [20,49]. 5. Vulnerabilities from feasible brute-force attacks. MD5 and SHA1 are susceptible to hash collision [69,70] and pre-image [9,27] attacks. In addition, brute-force attacks are feasible for 64-bit symmetric ciphers (e.g., DES, 3DES, IDEA, Blowfish) [22]. ...

Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also have made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.

... A conflict with the MD5 algorithm has already been discovered [19]. As a more advanced attack method, the chosen-prefix collision attack was proposed [20], and a forged certificate using the collision was generated [21]. In 2017, a collision with SHA-1 was discovered [22]. ...

Android applications are digitally signed using developers' signing keys. Since each key is associated with a developer, it can be used to establish trust between applications published by the author, i.e., apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources. However, if a signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks, such as hijacking apps with fake updates or granting permissions to a malicious app. In this work, we analyze several Android apps to identify the threats caused by using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms for generating certificates that employ weak algorithms, and found that these mechanisms can be attributed to app-building frameworks and online app-building services. On the basis of these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.
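The browser, eduroam CAT and Android findings above all reduce to the same check: does a certificate still carry an MD5 (or SHA-1) signature, or a short RSA modulus? The following is an added example of that check, written for this page and not taken from any of the cited papers. It walks the DER structure of an X.509 certificate directly, reads the signatureAlgorithm OID and, for RSA keys, the modulus size, and flags anything weak. The OID tables and the 2048-bit threshold are a policy assumed here; the certificates it analyses are constructed in the block itself, with empty names and a zero signature, and are not real CA-issued certificates.

```python
# Weak / accepted signature-algorithm OIDs: a policy table constructed for this example.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                       "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                       "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
ACCEPTED_SIGNATURE_OIDS = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12",  # sha256/384WithRSA
                           "1.2.840.10045.4.3.2", "1.2.840.10045.4.3.3"}      # ecdsa-with-SHA256/384
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048  # threshold assumed for this example

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def decode_oid(data):
    """OBJECT IDENTIFIER content octets to dotted form (first arc 0 or 1 assumed)."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def oid_of_algorithm_identifier(buf, start):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, s, e = read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(buf[s:e])

def inspect_certificate(buf):
    """Return the signature OID, the RSA modulus size (None if not RSA) and findings."""
    tag, start, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a DER-encoded Certificate")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    (_, tbs_s, tbs_e), (_, alg_s, _), _ = list(children(buf, start, end))
    sig_oid = oid_of_algorithm_identifier(buf, alg_s)
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    tbs = list(children(buf, tbs_s, tbs_e))
    if tbs[0][0] == 0xA0:
        tbs = tbs[1:]
    _, spki_s, spki_e = tbs[5]
    (_, key_alg_s, _), (_, key_s, _) = list(children(buf, spki_s, spki_e))[:2]
    rsa_bits = None
    if oid_of_algorithm_identifier(buf, key_alg_s) == RSA_ENCRYPTION_OID:
        # subjectPublicKey is a BIT STRING (first octet = unused-bit count) wrapping
        # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        _, rsa_s, _ = read_tlv(buf, key_s + 1)
        _, mod_s, mod_e = read_tlv(buf, rsa_s)
        rsa_bits = int.from_bytes(buf[mod_s:mod_e], "big").bit_length()
    findings = []
    if sig_oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"weak signature algorithm {WEAK_SIGNATURE_OIDS[sig_oid]} ({sig_oid})")
    elif sig_oid not in ACCEPTED_SIGNATURE_OIDS:
        findings.append(f"unrecognised signature algorithm {sig_oid}")
    if rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus is only {rsa_bits} bits")
    return {"signature_oid": sig_oid, "rsa_bits": rsa_bits, "findings": findings}

# --- constructed test input: syntactically valid, but not a CA-issued certificate ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bit on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def build_test_certificate(sig_oid, modulus_bits):
    """Minimal Certificate with empty issuer/subject names and an all-zero signature."""
    integer = lambda v: tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    alg_id = lambda oid: tlv(0x30, tlv(0x06, encode_oid(oid)) + b"\x05\x00")
    empty_name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"070101000000Z") + tlv(0x17, b"080101000000Z"))
    rsa_key = tlv(0x30, integer((1 << (modulus_bits - 1)) | 1) + integer(65537))
    spki = tlv(0x30, alg_id(RSA_ENCRYPTION_OID) + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, tlv(0xA0, integer(2)) + integer(1) + alg_id(sig_oid)
              + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    for oid, bits in (("1.2.840.113549.1.1.4", 1024), ("1.2.840.113549.1.1.11", 2048)):
        print(inspect_certificate(build_test_certificate(oid, bits)))
```

A check like this says nothing about whether a CA's serial numbers were predictable, which is the other prerequisite for the forgery described earlier on this page; it only tells you whether a certificate's algorithms are still within policy. Run it over the certificates embedded in a CAT profile bundle, or over the signer certificate extracted from an APK, and treat any weak finding as a reason to re-sign rather than to add an exception.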

... (AT10) Hash collision: The key goal of the collision attack is to reveal two input strings of a hash function that give the same hash value. Because a hash function has variable input lengths and a short fixed-length output, there is the possibility that two different inputs generate the same output, and this case is known as a collision [41,42]. As a consequence, an attacker can compromise the encryption key and therefore intercept or have access to the IoT object's data. ...

The Internet of Things (IoT) makes our lives much easier, more valuable, and less stressful due to the development of many applications around us including smart cities, smart cars, and smart grids, offering endless services and solutions. Protecting IoT data of such applications at rest either on the objects or in the cloud is an indispensable requirement for achieving a symmetry in the handling and protection of the IoT, as we do with data created by persons and applications. This is because unauthorised access to such data may lead to harmful consequences such as linkage attacks, loss of privacy, and data manipulation. Such undesired implications may jeopardise the existence of IoT applications if protection measures are not taken, and they stem from two main factors. One is that IoT objects have limited capabilities in terms of memory capacity, battery life, and computational power that hamper the direct implementation of conventional Internet security solutions without some modifications (e.g., traditional symmetric algorithms). Another factor is the absence of widely accepted IoT security and privacy guidelines for IoT data at rest and their appropriate countermeasures, which would help IoT stakeholders (e.g., developers, manufacturers) to develop secure IoT systems and therefore enhance IoT security and privacy by design. Toward this end, we first briefly describe the main IoT security goals and identify IoT stakeholders. Moreover, we briefly discuss the most well-known data protection frameworks (e.g., General Data Protection Regulation (GDPR), Health Insurance Portability (HIPAA)). Second, we highlight potential attacks and threats against data at rest and show their violated security goals (e.g., confidentiality and integrity). Third, we review a list of protection measures by which our proposed guidelines can be accomplished. 
Fourth, we propose a framework of security and privacy guidelines for IoT data at rest that can be utilised to enhance IoT security and privacy by design and establish a symmetry with the protection of user-created data. Our framework also presents the link between the suggested guidelines, mitigation techniques, and attacks. Moreover, we state those IoT stakeholders (e.g., manufacturers, developers) who will benefit most from these guidelines. Finally, we suggest several open issues requiring further investigation in the future, and we also discuss the limitations of our suggested framework.

... A conflict with the MD5 algorithm has already been discovered [4]. As a more advanced attack method, the chosen-prefix collision attack was proposed [8], and a certificate of counterfeiting that employed the conflict was generated [9]. Recently, a conflict with SHA-1 was discovered [10]. ...

... Hash collision: The main objective of the collision attack is to discover two input strings of a hash function that gives the same hash value. Because hash functions have variable input lengths and a short fixed length output, there is a possibility that two different inputs generate the same output and this case is known as a collision [138]. ...

Internet of Things (IoT) has not yet reached a distinctive definition. A generic understanding of IoT is that it offers numerous services in many domains, utilizing conventional internet infrastructure by enabling different communication patterns such as human-to-object, object-to-objects, and object-to-object. Integrating IoT objects into the standard Internet, however, has unlocked several security challenges, as most internet technologies and connectivity protocols have been specifically designed for unconstrained objects. Moreover, IoT objects have their own limitations in terms of computation power, memory and bandwidth. IoT vision, therefore, has suffered from unprecedented attacks targeting not only individuals but also enterprises, some examples of these attacks are loss of privacy, organized crime, mental suffering, and the probability of jeopardizing human lives. Hence, providing a comprehensive classification of IoT attacks and their available countermeasures is an indispensable requirement. In this paper, we propose a novel four-layered IoT reference model based on building blocks strategy, in which we develop a comprehensive IoT attack model composed of four key phases. First, we have proposed IoT asset-based attack surface, which consists of four main components: 1) physical objects, 2) protocols covering whole IoT stack, 3) data, and 4) software. Second, we describe a set of IoT security goals. Third, we identify IoT attack taxonomy for each asset. Finally, we show the relationship between each attack and its violated security goals, and identify a set of countermeasures to protect each asset as well. To the best of our knowledge, this is the first paper that attempts to provide a comprehensive IoT attacks model based on a building-blocked reference model.

... Even if the key is given, the difficulty to break HMAC-SHA1 is reduced to break the underlying hash function SHA-1. The complexity of the fastest method known to find a collision in SHA-1 is about \(2^{61}\) [8]. Hence, without better estimation, the generated MAC can be assumed to be completely random. ...

Automotive in-vehicle systems are distributed systems consisting of multiple ECUs (Electronic Control Units) interconnected with a broadcast network such as FlexRay. Message authentication is an effective mechanism to prevent attackers from injecting malicious messages into the network. In order to reduce timing interference of message authentication operations on application tasks, hardware coprocessors in the form of either FPGA or ASIC are adopted to offload computation intensive cryptographic algorithms from the ECU. However, it may not be feasible or desirable to equip every ECU with a hardware coprocessor, as modern vehicles can contain more than a hundred ECUs, and the automotive industry is cost-sensitive. In this paper, we consider the problem of mapping an application task graph onto a FlexRay-based distributed hardware platform, to meet security and deadline requirements while minimizing the number of hardware coprocessors needed in the system. We present a MILP (Mixed Integer Linear Programming) formulation, a divide-and-conquer heuristic algorithm, and a Simulated Annealing algorithm. We evaluate the algorithms with industrial case studies.

... We further state a recursive formula for the number of BSDR's of any given (not only minimal) weight for any integer z. Our research is motivated by Stevens' heuristic search algorithm for finding differential paths in the hash function MD5 as described in [15]. We applied the new upper bounds to optimize our implementation of Stevens' algorithm that found a new type of collisions for MD5, see [18]. ...

Binary signed digit representations (BSDR's) of integers have been studied since the 1950's. Their study was originally motivated by multiplication and division algorithms for integers and later by arithmetics on elliptic curves. Our paper is motivated by differential cryptanalysis of hash functions. We give an upper bound for the number of BSDR's of a given weight. Our result improves the upper bound on the number of BSDR's with minimal weight stated by Grabner and Heuberger in On the number of optimal base 2 representations, Des. Codes Cryptogr. 40 (2006), 25-39, and introduces a new recursive upper bound for the number of BSDR's of any given weight.

... We evaluated the performance of three different MAC constructs: HMAC-MD5, HMAC-SHA1 and SkipJack in CBC-MAC. Note that, even though there are well-known attacks on MD5 that find chosen-prefix collisions [SLW07], the short-lived nature of the integrity check needed in our protocol rules out attacks that require \(2^{50}\) calls to the underlying compression function. (Table 3) The fact that MD5 is the fastest is not surprising, given that, in our implementation, the code is heavily in-lined, which reduces the number of context switches for function calls while also resulting in increased code size. ...

Embedded devices are currently used in many critical systems, ranging from automotive to medical devices and industrial control systems. Most of the research on such devices has focused on improving their reliability against unintentional failures, while fewer efforts have been spent to prevent intentional and malicious attacks. These devices are increasingly being connected via wireless and connected to the Internet for remote administration, this increases the risk of remote exploits and malicious code injected in such devices. Failures in such devices might cause physical damage and health and safety risks. Therefore, protecting embedded devices from attacks is of the utmost importance. In this thesis we present novel attacks and defenses against low-end embedded devices. We present several attacks against software-based attestation techniques used in embedded devices. Furthermore we design and implement a novel software-based attestation technique that is immune to the aforementioned attacks. Finally, we design a hardware solution to attest and establish a dyna

We present a new generic transform that takes a multi-round interactive proof for the membership of a language \(\mathcal {L}\) and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function \(\textsf{H}\). However, in our transform the zero-knowledge property is in the standard model, and the adaptive soundness is in the non-programmable random oracle model (\(\textsf{NPROM}\)). Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum oracle model (\(\textsf{QROM}\)); surprisingly, the security loss in \(\textsf{QROM}\) is independent from the number of rounds.

The goal of this paper is to improve the efficiency and applicability of straightline extraction techniques in the random oracle model. Straightline extraction in the random oracle model refers to the existence of an extractor, which given the random oracle queries made by a prover P∗(x) on some theorem x, is able to produce a witness w for x with roughly the same probability that P∗ produces a verifying proof. This notion applies to both zero-knowledge protocols and verifiable computation where the goal is compressing a proof. Pass (CRYPTO ’03) first showed how to achieve this property for NP using a cut-and-choose technique which incurred a λ²-bit overhead in communication where λ is a security parameter. Fischlin (CRYPTO ’05) presented a more efficient technique based on “proofs of work” that sheds this λ² cost, but only applies to a limited class of Sigma Protocols with a “quasi-unique response” property, which for example, does not necessarily include the standard OR composition for Sigma protocols. With Schnorr/EdDSA signature aggregation as a motivating application, we develop new techniques to improve the computation cost of straight-line extractable proofs. Our improvements to the state of the art range from 70×–200× for the best compression parameters. This is due to a uniquely suited polynomial evaluation algorithm, and the insight that a proof-of-work that relies on multicollisions and the birthday paradox is faster to solve than inverting a fixed target. Our collision based proof-of-work more generally improves the Prover’s random oracle query complexity when applied in the NIZK setting as well. In addition to reducing the query complexity of Fischlin’s Prover, for a special class of Sigma protocols we can for the first time closely match a new lower bound we present. Finally we extend Fischlin’s technique so that it applies to a more general class of strongly-sound Sigma protocols, which includes the OR composition.
We achieve this by carefully randomizing Fischlin’s technique—we show that its current deterministic nature prevents its application to certain multi-witness languages.

Data integrity can be protected using hash functions, message authentication codes, and digital signatures. These cryptographic mechanisms are introduced in this chapter, along with the combination of encryption and message authentication codes that results in authenticated encryption.

Cryptanalysis, formerly known as the art of deciphering secret codes, is now understood in a broader sense: it consists in finding flaws of all kinds, either harmless or severe, in cryptographic constructions. This thesis is made of three parts, devoted to the study of different families of cryptographic primitives. Hash functions are usually iterated constructions, where a building block is used in a repeated way, as specified by a mode of operation. In 2004, 2005 and 2006, the discovery of several generic attacks, targeting the ubiquitous Merkle-Damgård mode of operation, prompted researchers to design alternative modes of operation. Generic attacks exploit the fact that the internal state of the hash functions has the same size as the digests. This allows the attackers to find internal collisions and exploit them. Our results tend to show that this problem is difficult to avoid in general: in the first part of this thesis, we describe several generic second preimage attacks against proposals to repair or patch the Merkle-Damgård construction in order to precisely avoid generic attacks. In the second part, we focus on the cryptanalysis of the AES, the most popular block cipher. We consider a somewhat restrictive attack model where the attacker only has access to very few plaintext/ciphertext pairs. We are thus condemned to attack only highly reduced versions of the full cipher, but the attacks we find in this model can sometimes be reused in other contexts. We have built software tools to assist us in finding guess-and-determine as well as meet-in-the-middle attacks. These tools found surprising attacks that are more efficient than those found manually by other cryptanalysts. For instance, we find the best known attacks against the Message Authentication Code Pelican-MAC, and against the stream cipher LEX. The last part of this thesis is devoted to the cryptanalysis of multivariate schemes. This label covers all the schemes whose security explicitly relies on the hardness of solving systems of polynomial equations in several unknowns. Some multivariate schemes also rely on another hardness assumption, namely the hardness of the Polynomial Linear Equivalence (PLE) problem. We build new algorithms to solve PLE problems by combining tools from linear algebra and algebraic geometry with combinatorial and statistical techniques. Our algorithms show that a multivariate scheme relying on the hardness of PLE cannot exhibit an optimal security level. These algorithms also allow one to break in practice the “subfield” variant of HFE.

The area of computational cryptography is dedicated to the development of effective methods in algorithmic number theory that improve implementation of cryptosystems or further their cryptanalysis. This book is a tribute to Arjen K. Lenstra, one of the key contributors to the field, on the occasion of his 65th birthday, covering his best-known scientific achievements in the field. Students and security engineers will appreciate this no-nonsense introduction to the hard mathematical problems used in cryptography and on which cybersecurity is built, as well as the overview of recent advances on how to solve these problems from both theoretical and practical applied perspectives. Beginning with polynomials, the book moves on to the celebrated Lenstra–Lenstra–Lovász lattice reduction algorithm, and then progresses to integer factorization and the impact of these methods on the selection of strong cryptographic keys for usage in widely used standards.

With the continuous development of the Internet and the popularization of storage devices, network disk storage is increasingly favored by many enterprises and individual users due to its simplicity and convenience. At the same time, with the increase of data stored on the network disk, its data security and reliability also become an important issue. In the research of the secure storage system based on multi-network disk, we propose a block-based file encryption method and a block-based erasure code-based coding method to ensure the security and reliability of data stored in the network disk. Finally, the improved multi-cloud storage-based block erasure coding algorithm is experimentally tested and compared with related experiments.

Password-Based Key Derivation Function 2 (PBKDF2) is a widely used cryptographic algorithm for generating secure keys from a password on various occasions. For example, it is used for file encryption and implementation of authentication systems, and so on. However, the generated derived key has a lower entropy than a general cryptography key, so its use is limited. To compensate for this, the number of iteration counts of PBKDF2 should be increased. As the number of repetitive tasks increases, the entropy of the derived key increases, but it takes more time to generate the derived key. We present various optimization methods of PBKDF2. The main idea of our proposed method is reducing redundant block operations and optimizing the internal process of the underlying Pseudo Random Function (PRF). In other words, we integrate several redundant operations and make full use of constant values used in PBKDF2. We use two HMAC algorithms: one using the SHA-2 family and one using the LSH family as the PRF of PBKDF2 (the SHA-2 family is the most widely used hash functions, and the LSH family is the latest hash function recently developed in South Korea). With our techniques, our implementations outperform the Korea Internet & Security Agency (KISA) implementation by 121.26%, 325.91%, and 231.89% for using SHA256, LSH256, and LSH512 respectively; and also outperform the OpenSSL implementation by 39.59% using SHA512. In addition, we show that the internal process of PBKDF2 can be computed independently. With our multi-thread technique, our PBKDF2 implementations outperform the KISA implementation by 2,152.66%, 1,986.85%, and 1,591.36% for using SHA256, LSH256, and LSH512 respectively; and our PBKDF2-HMAC-SHA512 implementation outperforms the OpenSSL implementation by 523.57%. With our proposed implementation techniques, higher security can be achieved with more iteration operations. Furthermore, our optimization techniques can be easily expanded to optimize the performance of PBKDF2 on GPGPU and embedded devices.

In this paper, we propose an automatic tool to search for optimal differential and linear trails in ARX ciphers. It is shown that a modulo addition can be divided into sequential small modulo additions with carry bit, which turns an ARX cipher into an S-box-like cipher. From this insight, we introduce the concepts of carry-bit-dependent difference distribution table (CDDT) and carry-bit-dependent linear approximation table (CLAT). Based on them, we give efficient methods to trace all possible output differences and linear masks of a big modulo addition, returning their differential probabilities and linear correlations simultaneously. Then an adapted Matsui’s algorithm is introduced, which can find the optimal differential and linear trails in ARX ciphers. Besides, the superiority of our tool’s potency is also confirmed by experimental results for round-reduced versions of HIGHT and SPECK. More specifically, we find the optimal differential trails for up to 10 rounds of HIGHT, reported for the first time. We also find the optimal differential trails for 10, 12, 16, 8 and 8 rounds of SPECK32/48/64/96/128, and report the provably optimal differential trails for SPECK48 and SPECK64 for the first time. The optimal linear trails for up to 9 rounds of HIGHT are reported for the first time, and the optimal linear trails for 22, 13, 15, 9 and 9 rounds of SPECK32/48/64/96/128 are also found respectively. These results evaluate the security of HIGHT and SPECK against differential and linear cryptanalysis. Also, our tool is useful to estimate the security in the design of ARX ciphers.

Broken cryptographic algorithms and hardness assumptions are a constant threat to real-world protocols. Prominent examples are hash functions for which collisions become known, or number-theoretic assumptions which are threatened by advances in quantum computing. Especially when it comes to key exchange protocols, the switch to quantum-resistant primitives has begun and aims to protect today’s secrets against future developments, moving from common Diffie–Hellman-based solutions to Learning-With-Errors-based approaches, often via intermediate hybrid designs.

A chosen-prefix collision attack is a stronger variant of a collision attack, where an arbitrary pair of challenge prefixes is turned into a collision. Chosen-prefix collisions are usually significantly harder to produce than (identical-prefix) collisions, but the practical impact of such an attack is much larger. While many cryptographic constructions rely on collision-resistance for their security proofs, collision attacks are hard to turn into breaks of concrete protocols, because the adversary has limited control over the colliding messages. On the other hand, chosen-prefix collisions have been shown to break certificates (by creating a rogue CA) and many internet protocols (TLS, SSH, IPsec). In this article, we propose new techniques to turn collision attacks into chosen-prefix collision attacks. Our strategy is composed of two phases: first a birthday search that aims at taking the random chaining variable difference (due to the chosen-prefix model) to a set of pre-defined target differences. Then, using a multi-block approach, carefully analysing the clustering effect, we map this new chaining variable difference to a colliding pair of states using techniques developed for collision attacks. We apply those techniques to MD5 and SHA-1, and obtain improved attacks. In particular, we have a chosen-prefix collision attack against SHA-1 with complexity between \(2^{66.9}\) and \(2^{69.4}\) (depending on assumptions about the cost of finding near-collision blocks), while the best-known attack has complexity \(2^{77.1}\). This is within a small factor of the complexity of the classical collision attack on SHA-1 (estimated as \(2^{64.7}\)). This represents yet another warning that industries and users have to move away from using SHA-1 as soon as possible.
Keywords: Hash function, Cryptanalysis, Chosen-prefix collision, SHA-1, MD5

There is a lack of hands-on exercises in cryptanalysis offered at the university level for a variety of reasons. One reason is the high amount of computations needed to complete cryptanalysis attacks. However, enabling students to perform fixed prefix SHA-1 collision attacks on PDFs does not require any advanced computation power. This paper presents a hands-on exercise for university students and professionals to generate SHA-1 collisions. The exercise shows how SHA-1 is vulnerable to fixed-prefix collisions, and how students are able to leverage existing tools to create their own SHA-1 collisions between arbitrary PDF files. In our two classroom runs of the exercise, over 90% of the students who performed the exercise found it to be a useful tool to reinforce their knowledge of SHA-1 collisions. The exercise increases awareness about hash collisions and urges caution when dealing with digitally signed PDFs that utilize SHA-1 as their hashing mechanism. To our knowledge, this is the first exercise designed to introduce practical SHA-1 collisions for students in the classroom.

Weakened random oracle models (WROMs) are variants of the random oracle model (ROM). The WROMs have the random oracle and an additional oracle which breaks some property of a hash function. By analyzing the security of cryptographic schemes in WROMs, we can specify the property of a hash function on which the security of cryptographic schemes depends. Liskov (SAC’06) proposed WROMs and later Numayama et al. (PKC’08) formalized them as CT-ROM, SPT-ROM, and FPT-ROM. In each model, there is an additional oracle to break collision resistance, second preimage resistance, and preimage resistance respectively. Tan and Wong (ACISP’12) proposed the generalized FPT-ROM (GFPT-ROM) which was intended to capture the chosen prefix collision attack suggested by Stevens et al. (EUROCRYPT’07). In this paper, in order to analyze the security of cryptographic schemes more precisely, we formalize GFPT-ROM and propose three additional WROMs which capture the chosen prefix collision attack and its variants. In particular, we focus on signature schemes such as RSA-FDH, its variants, and DSA, in order to understand the essential roles of WROMs in their security proofs.
Keywords: Weakened random oracle model, WROM, RSA-FDH, DSA, Chosen prefix collision attack

Chapter outline: The Varied Applications of Cryptography; Authentication; The Need for Certificates; Cryptographic Hash Functions; X.509 Certificates and CCIT Standardization; The Secure Socket Layer (SSL); Trust on the Web … Trust No One Over 40!; MD5; Criticism of MD5; The Wang-Yu Collision Attack; Steven's Improvement to the Wang-Yu Collision Attack; The Chosen-Prefix Attack on MD5; The Rogue CA Attack Scenario; The Secure Hash Algorithms; Criticism of SHA-1; SHA-2; What Now?; Appendix 18: Sketch of the Steven's Chosen Prefix Attack

Investigating how to construct a secure hash algorithm needs in-depth study, as various existing hash functions like the MD5 algorithm have recently exposed their security flaws. At the same time, hash functions based on chaotic theory have become an emerging research area in the field of nonlinear information security. As an extension of our previous research works, a new chaotic iterations keyed hash function is proposed in this article. Chaotic iterations are used both to construct strategies with a pseudorandom number generator and to calculate new hash values using classical hash functions. It is shown that, by doing so, it is possible to apply a kind of post-treatment on existing hash algorithms, which preserves their security properties while adding Devaney’s chaos. A security performance analysis of such a post-treatment is finally provided.

The safety application in a vehicular ad hoc network provides active road safety to avoid road accidents by securely disseminating life-critical information among drivers. Such information must be protected from access by an intruder or attacker. A timestamp-defined hash algorithm is proposed in the present work for secure data dissemination among vehicles. The sender vehicle sends a deformed version of the original message along with an incomplete message digest to its neighbors. The receiver vehicle generates a message digest from the deformed version of the original message and also from the incomplete message digest. It accepts the message if both digests are equal. The proposed algorithm fulfils all the basic properties of a one-way unkeyed hash function, such as preimage resistance and collision resistance. Finally, the comparative usability of the hash algorithm in the said application domain is worked out, and that shows the dominance of the scheme over the existing schemes.

In this chapter we deal with a family of functions whose role in cryptography is fundamental: hash functions. A hash function is a non-injective function that maps a string of arbitrary length to a string of predefined length. We can interpret the hash of a string x ∈ {0,1}* as a fingerprint to be associated with the string itself. In general, a hash function takes as input a string of arbitrary length and compresses it into a shorter string (typically a few hundred bits). A typical application is in the context of storing data in computers. Given a hash function H(•) with codomain {0,1}^n, one initializes a table of size n, computes the hash of the string x and stores the result in the cell indexed by H(x). In this way, the data structure guarantees constant read and write times. The hope here is that the hash function minimizes the number of collisions (that is, distributes the elements uniformly in the table), since a collision results in two elements stored in the same cell: a very high number of collisions would make reading some elements inefficient.

While the Public-Key Infrastructure (PKI) model and digital certificates are existing methods to achieve many security requirements, recent limitations and threats make them vulnerable to serious attacks when used without prior trust. Cloud-based services are being widely adopted to offer desirable services for a growing number of devices in different geographic locations, which opens the door to new security threats. Evolving business models are starting to rely on Clouds to offer services as simple as finding a cab to services as sensitive as sharing health records. As a result, the authenticity of entities communicating through Clouds has become an important requirement, which is the initial step for any secure communication. In this paper, we present an Authentication-as-a-Service (AaaS) Cloud that provides strong mutual authentication among communicating parties. It implements a new authentication protocol we developed using the Pedersen commitment scheme, which involves interaction between communicating parties. It avoids the possibility of hash collisions and the overhead of checking digital certificate validity, valid chain of legitimate CAs, and revocation lists. Also, it prevents replay attacks and man-in-the-middle attacks.

This article presents an explicit freestart colliding pair for SHA-1, i.e. a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps. Only 10 days of computation on a 64-GPU cluster were necessary to perform this attack, for a runtime cost equivalent to approximately \(2^{57.5}\) calls to the compression function of SHA-1 on GPU. This work builds on a continuous series of cryptanalytic advancements on SHA-1 since the theoretical collision attack breakthrough of 2005. In particular, we reuse the recent work on 76-step SHA-1 of Karpman et al. from CRYPTO 2015 that introduced an efficient framework to implement (freestart) collisions on GPUs; we extend it by incorporating more sophisticated accelerating techniques such as boomerangs. We also rely on the results of Stevens from EUROCRYPT 2013 to obtain optimal attack conditions; using these techniques required further refinements for this work.
Freestart collisions do not directly imply a collision for the full hash function. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how GPUs can be used very efficiently for this kind of attack. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational and financial cost required for a SHA-1 collision computation. These projections are significantly lower than what was previously anticipated by the industry, due to the use of the more cost-efficient GPUs compared to regular CPUs.
We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 quickly. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before concrete attacks such as signature forgeries appear in the near future.

In May 2012, a highly advanced malware for espionage dubbed Flame was found targeting the Middle East. As it turned out, it used a forged signature to infect Windows machines by MITM-ing Windows Update. Using counter-cryptanalysis, Stevens found that the forged signature was made possible by a chosen-prefix attack on MD5 [25]. He uncovered some details that prove that this attack differs from collision attacks in the public literature, yet many questions about techniques and complexity remained unanswered.
In this paper, we demonstrate that significantly more information can be deduced from the example collision. Namely, that these details are actually sufficient to reconstruct the collision attack to a great extent using some weak logical assumptions. In particular, we contribute an analysis of the differential path family for each of the four near-collision blocks, the chaining value differences elimination procedure and a complexity analysis of the near-collision block attacks and the associated birthday search for various parameter choices. Furthermore, we were able to prove a lower-bound for the attack’s complexity.
This reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent. As it allegedly was developed by some nation-state(s) [11, 12, 19], we discuss potential insights to their cryptanalytic knowledge and capabilities.

Many of the important decidability results in malware analysis are based on Turing machine models of computation. We exhibit computational models which use more realistic assumptions about machine and attacker resources. While seminal results such as [1–5] remain true for Turing machines, we show that, under more realistic assumptions, important tasks are decidable instead of undecidable. Specifically, we show that detecting traditional malware unpacking behavior – in which a payload is decompressed or decrypted and subsequently executed – is decidable under our assumptions. We then examine the issue of dealing with complex but decidable problems. We look for lessons from the hardware verification community, which has been striving to meet the challenge of intractable problems for the past three decades.

There are many challenges for a forensic investigator when it comes to digital evidence. These include the constantly changing technology that may store evidence, the vast amounts of data that are stored, and the increasing use of cryptography. This last problem can prevent any useful information from being retrieved and is encountered in the use of communication protocols, whole-disk encryption, and individual applications. Cryptography is a field of great depth and breadth, encompassing both complex mathematics and cutting-edge technology. A forensics investigator does not need to be aware of all aspects of this field, but there are certain areas that are vital. The knowledge described in this chapter can assist an investigator in obtaining information that may otherwise be obscured, and also prepare them to defend the integrity of any evidence obtained.

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security has been widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour of computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Wang et al. (12) caused great excitement at CRYPTO2004 when they announced a collision for MD5 (11). This paper examines the internal differences and conditions required for the attack to be successful. There are a large number of conditions that must be satisfied, thus indicating Wang et al. have found a clever way to generate message pairs for which the conditions are satisfied. The large number of conditions suggests that an attacker cannot use these differentials to cause second pre-image attacks with complexity less than generic attacks. Initial examination also suggests that an attacker cannot cause such collisions for HMAC-MD5 (9) with complexity less than generic attacks.

In this paper we introduce a new idea of tunneling of hash functions. In some sense tunnels replace multi-message modification methods and exponentially accelerate collision search. We describe several tunnels in the hash function MD5. Using them, we find an MD5 collision in roughly one minute on a standard notebook PC (Intel Pentium, 1.6 GHz). The method works for any initializing value. Tunneling is a general idea, which can be used for finding collisions of other hash functions, such as SHA-1 and SHA-2. We show several capabilities of tunnels. A program, whose source code is available on the project homepage, experimentally verified the method. Version 2 of this paper contains the appendix with the description of more tunnels. These tunnels further decrease the average time of an MD5 collision to 31 seconds. On a PC Intel Pentium 4 (3.2 GHz) it is 17 seconds on average.

It is sometimes argued that finding meaningful hash collisions might prove difficult. We show that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed by Wang et al. We present some simple results, investigate what we can and cannot (yet) achieve, and formulate some open problems of independent interest. We are not yet aware of truly interesting practical implications. Nevertheless, our results may be relevant for the practical assessment of the recent hash collision results. For instance, we show how to construct two different X.509 certificates that contain identical signatures.

The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.

We investigate Merkle-Damgard hash functions and different file formats. Our goal is to construct many meaningful hash collisions with given semantic contents from one single abstract collision. We show that this is not only possible for PostScript ([DL1]) but also for PDF, TIFF and MS Word 97. Our results suggest that this property might be typical for 'higher' file formats.

A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudo-random walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF(2^155) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from 2 known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.

We have shown how, at a cost of about 2^52 calls to the MD5 compression function, for any two target messages m1 and m2, values b1 and b2 can be constructed such that the concatenated values m1||b1 and m2||b2 collide under MD5. Although the practical attack potential of this construction of target collisions is limited, it is of greater concern than random collisions for MD5. In this note we sketch our construction. To illustrate its practicality, we present two MD5 based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing target collisions.

Joux and Wang's multicollision attack has yielded collisions for several one-way hash algorithms. Of these, MD5 is the most problematic due to its heavy deployment, but there exists a perception that the flaws identified have no applied implications. We show that the appendability of Merkle-Damgård allows us to add any payload to the proof-of-concept hashes released by Wang et al. We then demonstrate a tool, Stripwire, that uses this capability to create two files - one which executes an arbitrary sequence of commands, the other which hides those commands with the strength of AES - both with the same MD5 hash. We show how this affects file-oriented system auditors such as Tripwire, but point out that the failure is nowhere near as catastrophic as it appears at first glance. We examine how this failure affects HMAC and Digital Signatures within Digital Rights Management (DRM) systems, and how the full attack expands into an unusual pseudo-steganographic strikeback methodology against peer to peer networks.

In this paper, we present an improved attack algorithm to find two-block collisions of the hash function MD5. The attack uses the same differential path of MD5 and the set of sufficient conditions that was presented by Wang et al. We present a new technique which allows us to deterministically fulfill restrictions to properly rotate the differentials in the first round. We will present a new algorithm to find the first block and we will use an algorithm of Klima to find the second block. To optimize the inner loop of these algorithms we will optimize the set of sufficient conditions. We also show that the initial value used for the attack has a large influence on the attack complexity. Therefore a recommendation is made for 2 conditions on the initial value of the attack to avoid very hard situations if one has some freedom in choosing this initial value. Our attack can be done in an average of about 1 minute (avg. complexity $2^{32.3}$) on a 3 GHz Pentium 4 for these random recommended initial values. For arbitrary random initial values the average is about 5 minutes (avg. complexity $2^{34.1}$). With a reasonable probability a collision is found within mere seconds, allowing for instance an attack during the execution of a protocol.

We use the knowledge of the single MD5 collision published by Wang et al. [2] to show an example of a pair of binary self-extract packages with equal MD5 checksums, whereas resulting extracted contracts have fundamentally different meaning. Secondly, we demonstrate how an attacker could create custom pair of such packages containing files arbitrarily chosen by the attacker with equal MD5 sums where each of the package extracts different file. Once the algorithm for finding MD5 collisions...
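The two abstracts above (Stripwire, and the colliding self-extract packages) rely on the same property: once two equal-length, block-aligned messages collide under MD5, the chaining value is identical, so any common suffix preserves the collision, and the suffix can carry both payloads while a small loader picks one depending on which collision block it finds. The added example below is not Kaminsky's or Mikle's code; it uses the published Wang et al. (2004) MD5 collision pair as the two headers, while the payload framing, the toy loader and the HMAC key are constructed for the demonstration.

```python
import hashlib
import hmac

# The MD5 collision pair published by Wang et al. (2004): two 128-byte messages
# (two 64-byte blocks each) that differ in six bytes and share one MD5 digest.
COLL_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLL_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
BLOCK = 64


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def extend_collision(m1: bytes, m2: bytes, suffix: bytes):
    """Merkle-Damgård appendability. After the colliding blocks the internal
    state is the same for both messages, so the same suffix (and the same
    length padding, because the lengths match) yields the same digest.
    The messages must be equal in length and block-aligned so the suffix
    begins on a block boundary in both."""
    if len(m1) != len(m2) or len(m1) % BLOCK:
        raise ValueError("collision blocks must have equal, block-aligned lengths")
    return m1 + suffix, m2 + suffix


def build_twin_files(payload_shown: bytes, payload_hidden: bytes):
    """Constructed framing: both files carry both payloads after the header;
    only the 128-byte header differs. Layout: header | len(shown) | shown | hidden."""
    suffix = len(payload_shown).to_bytes(4, "big") + payload_shown + payload_hidden
    return extend_collision(COLL_A, COLL_B, suffix)


def select_payload(blob: bytes) -> bytes:
    """Toy loader (constructed): branch on which collision block is present."""
    header, body = blob[:128], blob[128:]
    n = int.from_bytes(body[:4], "big")
    shown, hidden = body[4:4 + n], body[4 + n:]
    return shown if header == COLL_A else hidden


def audit(blob: bytes) -> dict:
    """What a file-integrity auditor would record under different primitives.
    The HMAC key is a constructed demo value."""
    return {
        "md5": md5_hex(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "hmac_md5": hmac.new(b"demo-key-constructed", blob, "md5").hexdigest(),
    }


if __name__ == "__main__":
    fa, fb = build_twin_files(b"print('benign')", b"print('hidden')")
    print("same md5:", md5_hex(fa) == md5_hex(fb))
    print("file A runs:", select_payload(fa), " file B runs:", select_payload(fb))
    print("sha256 differs:", audit(fa)["sha256"] != audit(fb)["sha256"])
```

The last function is the practitioner's check that follows from the abstracts: an auditor keyed on plain MD5 sees one fingerprint for both files, while SHA-256, or even HMAC-MD5 with a secret key, still tells them apart, because the keyed construction starts from a chaining value the published collision blocks were never built for.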

Since Wang et al. announced their results regarding the susceptibility of MD5 (Crypto'04) and SHA-1 (Crypto'05) hash functions to collision attacks, there have been many papers advancing further aspects of these attacks. What has been lacking is an analysis of the legal effect of these attacks upon electronic commerce transactions. As technological advancements are made, the law will need to adjust so as to take account of these attacks so that there does not arise a total undermining of the electronic commerce environment. The legal implications of these attacks need to be understood so that the courts do not over react and thus destroy any confidence commerce currently has in operating in the electronic commerce environment. This paper explores the legal implications of these attacks where certain software applications rely, in part, upon either MD5 or SHA-1.

M. Stevens, TU Eindhoven MSc thesis, in preparation.

P. Hoffman and B. Schneier, Attacks on Cryptographic Hashes in Internet Protocols, IETF RFC 4270, November 2005, www.ietf.org/rfc/rfc4270.txt.

P. Gauravaram, A. McCullagh and E. Dawson, Collision Attacks on MD5 and SHA-1: Is this the "Sword of Damocles" for Electronic Commerce?, AusCERT 2006 R&D Stream.

A.K. Lenstra, X. Wang and B.M.M. de Weger, Colliding X.509 certificates, Cryptology ePrint Archive, Report 2005/067, eprint.iacr.org/2005/067. An updated version has been published as an appendix to: On the possibility of constructing meaningful hash collisions for public keys [11].

P. Hawkes, M. Paddon and G.G. Rose, Musings on the Wang et al. MD5 Collision, Cryptology ePrint Archive, Report 2004/264, eprint.iacr.org/2004/264.