
6.5 Constructing full differential paths

In document On Collisions for MD5 (Page 32-35)

Construction of a full differential path can be done as follows. Choose $\delta Q_{-3}$ and bitconditions $q_{-2}$,


extend backward down to step 16. This leads to bitconditions $q_{-2}, q_{-1}, \ldots, q_{11}, q_{14}, q_{15}, \ldots, q_{63}$ and differences $\delta Q_{-3}, \delta Q_{12}, \delta Q_{13}, \delta Q_{64}$. It remains to finish steps $t = 12, 13, 14, 15$. As with extending backward we can, for $t = 12, 13, 14, 15$, determine $\delta R_t$, choose the resulting $\delta T_t$ after right rotation of $\delta R_t$ over $RC_t$ bits, and determine $\delta F_t = \delta T_t - \delta W_t - \delta Q_{t-3}$.

We aim to find new bitconditions $q_{10}, q_{11}, \ldots, q_{15}$ that are compatible with the original bitconditions and that result in the required $\delta Q_{12}, \delta Q_{13}, \delta F_{12}, \delta F_{13}, \delta F_{14}, \delta F_{15}$, thereby completing the differential path. First we can test whether it is even possible to find such bitconditions.

For $i = 0, 1, \ldots, 32$, let $U_i$ be a set of tuples $(q_1, q_2, f_1, f_2, f_3, f_4)$ of 32-bit integers with $q_j \equiv f_k \equiv 0 \bmod 2^i$ for $j = 1, 2$ and $k = 1, 2, 3, 4$. We want to construct each $U_i$ so that for each tuple $(q_1, q_2, f_1, f_2, f_3, f_4) \in U_i$ there exist bitconditions $q_{10}[\ell], q_{11}[\ell], \ldots, q_{15}[\ell]$, determining the $\Delta Q_{11+j}[\![\ell]\!]$ and $\Delta F_{11+k}[\![\ell]\!]$ below, over the bits $\ell = 0, \ldots, i-1$, such that

$$\delta Q_{11+j} = q_j + \sum_{\ell=0}^{i-1} 2^{\ell}\, \Delta Q_{11+j}[\![\ell]\!], \quad j = 1, 2, \qquad \delta F_{11+k} = f_k + \sum_{\ell=0}^{i-1} 2^{\ell}\, \Delta F_{11+k}[\![\ell]\!], \quad k = 1, 2, 3, 4.$$

This implies $U_0 = \{(\delta Q_{12}, \delta Q_{13}, \delta F_{12}, \delta F_{13}, \delta F_{14}, \delta F_{15})\}$. The other $U_i$ are constructed inductively by Algorithm 6.1 by exhaustive search. Furthermore, $|U_i| \le 2^6$, since for each $q_j, f_k$ there are at most 2 possible values that can satisfy the above relations.

If we find $U_{32} \ne \emptyset$ then there exists a path $u_0, u_1, \ldots, u_{32}$ with $u_i \in U_i$ where each $u_{i+1}$ is generated by $u_i$ in Algorithm 6.1. Now the desired new bitconditions $(q_{15}[i], q_{14}[i], \ldots, q_{10}[i])$ are $(a', b'', c''', d''', e'', f')$, which can be found at step 13 of Algorithm 6.1, where one starts with $u_i$ and ends with $u_{i+1}$.

Clearly, the probability of success and thus the complexity of constructing a full differential path depend on several factors, of which the amount of freedom left by the bitconditions $q_{10}, q_{11}, q_{14}, q_{15}$ and the number of possible BSDRs of $\delta Q_{12}$ and $\delta Q_{13}$ are the most important.

Algorithm 6.1 Construction of $U_{i+1}$ from $U_i$.

Suppose $U_i$ is constructed as desired. Set $U_{i+1} = \emptyset$ and for each tuple $(q_1, q_2, f_1, f_2, f_3, f_4) \in U_i$ do the following:

1. Let $(a, b, e, f) = (q_{15}[i], q_{14}[i], q_{11}[i], q_{10}[i])$.
2. For each bitcondition $d = q_{12}[i] \in \{\texttt{.}\}$ if $q_1[i] = 0$, resp. $\in \{\texttt{-}, \texttt{+}\}$ if $q_1[i] = 1$, do
3. Let $q'_1 = 0, -1, +1$ for resp. $d = \texttt{.}, \texttt{-}, \texttt{+}$.
4. For each different $f'_1 \in \{-f_1[i], +f_1[i]\} \cap V_{def}$ do
5. Let $(d', e', f') = \mathrm{FC}(12, def, f'_1)$.
6. For each bitcondition $c = q_{13}[i] \in \{\texttt{.}\}$ if $q_2[i] = 0$, resp. $\in \{\texttt{-}, \texttt{+}\}$ if $q_2[i] = 1$, do
7. Let $q'_2 = 0, -1, +1$ for resp. $c = \texttt{.}, \texttt{-}, \texttt{+}$.
8. For each different $f'_2 \in \{-f_2[i], +f_2[i]\} \cap V_{cd'e'}$ do
9. Let $(c', d'', e'') = \mathrm{FC}(13, cd'e', f'_2)$.
10. For each different $f'_3 \in \{-f_3[i], +f_3[i]\} \cap V_{bc'd''}$ do
11. Let $(b', c'', d''') = \mathrm{FC}(14, bc'd'', f'_3)$.
12. For each different $f'_4 \in \{-f_4[i], +f_4[i]\} \cap V_{ab'c''}$ do
13. Let $(a', b'', c''') = \mathrm{FC}(15, ab'c'', f'_4)$.
14. Insert $(q_1 - 2^i q'_1,\ q_2 - 2^i q'_2,\ f_1 - 2^i f'_1,\ f_2 - 2^i f'_2,\ f_3 - 2^i f'_3,\ f_4 - 2^i f'_4)$ into $U_{i+1}$.

Keep only one of each tuple in $U_{i+1}$ that occurs multiple times. By construction we find $U_{i+1}$ as desired.

7 Chosen-Prefix Collisions

A chosen-prefix collision is a pair of messages $M$ and $M'$ which consist of arbitrarily chosen prefixes $P$ and $P'$ (not necessarily of the same length), together with constructed suffixes $S$ and $S'$ such that $M = P \| S$, $M' = P' \| S'$ and $\mathrm{MD5}(M) = \mathrm{MD5}(M')$. Furthermore, appending an arbitrary suffix $S''$ to each of these messages still leads to a collision $\mathrm{MD5}(M \| S'') = \mathrm{MD5}(M' \| S'')$ of MD5. In this section we will present our joint work with Arjen Lenstra and Benne de Weger, which is a method to construct such chosen-prefix collisions. Using this method we have constructed one example of a chosen-prefix collision, namely two colliding X.509 certificates with different identities [22], which we will refer to often. Details on this example itself are discussed in subsection 7.5.

The two suffixes we will construct consist of three parts: padding bitstrings $S_p$ and $S'_p$, followed by 'birthday' bitstrings $S_b$ and $S'_b$, followed by 'near-collision' blocks $S_c$ and $S'_c$. The padding bitstrings $S_p$ and $S'_p$ are chosen to guarantee that the bitlengths of $P \| S_p$ and $P' \| S'_p$ are both equal to $L = 512n - 96$ for a positive integer $n$. They can be chosen arbitrarily but must meet the length requirements. The 'birthday' bitstrings $S_b$ and $S'_b$ both consist of 96 bits and complete the $n$-th block. Applying MD5 to $P \| S_p \| S_b$ and $P' \| S'_p \| S'_b$ will result in $\mathit{IHV}_n$ and $\mathit{IHV}'_n$, respectively. The 'birthday' bitstrings are constructed in such a manner that $\delta \mathit{IHV}_n$ can be eliminated using several near-collision blocks in $S_c$ and $S'_c$ as described below.

The main idea is to eliminate the difference $\delta \mathit{IHV}_n$ using several consecutive near-collisions that together constitute $S_c$ and $S'_c$. The number of differences in $\delta \mathit{IHV}_n = (\delta a, \delta b, \delta c, \delta d)$ is measured using the NAF weight, the total weight of the NAFs of $\delta a$, $\delta b$, $\delta c$ and $\delta d$. For each near-collision we need to construct a differential path such that the NAF weight of the new $\delta \mathit{IHV}_{n+j+1}$ is lower than the NAF weight of $\delta \mathit{IHV}_{n+j}$, until after $r$ near-collisions we have reached $\delta \mathit{IHV}_{n+r} = (0, 0, 0, 0)$.
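The NAF weight just introduced, and the $L = 512n - 96$ length requirement from the paragraph before it, as an added worked example (this is our code, not the thesis's): it converts each word of $\delta \mathit{IHV}$ to its non-adjacent form and counts the non-zero digits, compares that with the plain Hamming weight, and computes the padding length for a given prefix length. The sample $\mathit{IHV}'$ and all function names are constructed for the example; the one convention we assume is that a 32-bit modular difference is taken as its signed representative in $[-2^{31}, 2^{31})$ before its NAF is computed.

```python
# Added example, not code from the thesis: the NAF weight that section 7 uses to
# measure how many differences remain in delta IHV_n, next to the plain Hamming
# weight it replaces, plus the length bookkeeping for the suffix layout
# (|P || S_p| = 512n - 96, then 96 birthday bits complete block n).
# Convention as in the thesis: delta X = X' - X modulo 2^32.

MASK32 = 0xFFFFFFFF

def to_signed32(x):
    """Map a 32-bit word to its signed representative in [-2^31, 2^31).

    Assumption made in this example: a modular difference is converted to this
    representative before taking the NAF, so every NAF digit stays within bit
    positions 0..31.
    """
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x

def naf(x):
    """Non-adjacent form of an integer: list of (position k, sign s) with
    s in {-1, +1}, no two adjacent positions used, and sum(s * 2^k) == x."""
    digits = []
    k = 0
    while x != 0:
        if x & 1:
            # pick the digit that makes the remainder divisible by 4,
            # which is what forces the next digit to be zero
            s = 1 if (x & 3) == 1 else -1
            digits.append((k, s))
            x -= s
        x //= 2          # exact division: x is even here
        k += 1
    return digits

def naf_weight(x):
    """Number of non-zero digits in the NAF of a 32-bit modular difference."""
    return len(naf(to_signed32(x)))

def hamming_weight(x):
    """Number of set bits, for comparison with the NAF weight."""
    return bin(x & MASK32).count("1")

def ihv_difference(ihv, ihv_prime):
    """delta IHV = (delta a, delta b, delta c, delta d), word-wise modulo 2^32."""
    return tuple((y - x) & MASK32 for x, y in zip(ihv, ihv_prime))

def ihv_naf_weight(delta_ihv):
    """Total NAF weight of delta IHV: the quantity each near-collision lowers."""
    return sum(naf_weight(d) for d in delta_ihv)

def chosen_prefix_layout(prefix_bits):
    """Smallest n >= 1 and padding length so that |P || S_p| = 512n - 96;
    the 96-bit birthday string then completes block n."""
    n = max(1, -(-(prefix_bits + 96) // 512))     # ceiling division
    pad = 512 * n - 96 - prefix_bits
    return n, pad

if __name__ == "__main__":
    # Constructed sample: MD5's IV as IHV_n and an IHV'_n differing in three words.
    ihv = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    ihv_prime = (0x67452301, 0xEFCDAB90, 0x18BADCFE, 0x10325475)
    d = ihv_difference(ihv, ihv_prime)
    print("delta IHV:", [hex(x) for x in d])
    print("Hamming weight:", sum(hamming_weight(x) for x in d))
    print("NAF weight:", ihv_naf_weight(d))
    print("layout for a 1000-byte prefix (n, padding bits):", chosen_prefix_layout(8 * 1000))
```

Running the block shows a $\delta \mathit{IHV}$ with Hamming weight 36 but NAF weight 4: a word difference of $-1$ costs 32 flipped bits but only one NAF digit, which is why progress of a near-collision is judged by NAF digits rather than by bits.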

7.1 Near-collisions

We will use near-collisions based on a family of upper differential paths using the message block difference $\delta m_{11} = \pm 2^d$ for varying $0 \le d \le 31$ and $\delta m_i = 0$ for $i \ne 11$. This was suggested to us by Xiaoyun Wang, as with this type of message difference the number of bitconditions over the final two rounds can be kept very low. This is illustrated in Table 7-1, where the corresponding upper differential path is shown for the final 31 steps. As one can see in Table A-1, these message block differences maximize the number of steps in the third and fourth round with $\delta Q_t = 0$.

Table 7-1: Partial differential path with $\delta m_{11} = \pm 2^d$.

| $t$ | $\delta Q_t$ | $\delta F_t$ | $\delta W_t$ | $\delta T_t$ | $\delta R_t$ | $RC_t$ |
|---|---|---|---|---|---|---|
| 30 | $\mp 2^d$ | | | | | |
| 31 | 0 | | | | | |
| 32 | 0 | | | | | |
| 33 | 0 | 0 | $\pm 2^d$ | 0 | 0 | 16 |
| 34–60 | 0 | 0 | 0 | 0 | 0 | · |
| 61 | 0 | 0 | $\pm 2^d$ | $\pm 2^d$ | $\pm 2^{(d+10) \bmod 32}$ | 10 |
| 62 | $\pm 2^{(d+10) \bmod 32}$ | 0 | 0 | 0 | 0 | 15 |
| 63 | $\pm 2^{(d+10) \bmod 32}$ | 0 | 0 | 0 | 0 | 21 |
| 64 | $\pm 2^{(d+10) \bmod 32}$ | | | | | |
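The "choose the resulting $\delta T_t$ after right rotation of $\delta R_t$" step of section 6.5 and the $t = 61$ row of Table 7-1 (where $\delta T_t = \pm 2^d$ becomes $\delta R_t = \pm 2^{(d+10) \bmod 32}$ under $RC_t = 10$) both rest on the fact that rotation does not map a modular difference to a single modular difference. The following added example, which is ours and not code from the thesis, estimates by sampling which $\delta T_t$ values arise from a given $\delta R_t$ and how often; the helper names and the Monte Carlo approach are assumptions of the example, the notation $\delta X = X' - X$ is the thesis's.

```python
# Added example, not code from the thesis: what happens to a modular difference
# under the rotation inside an MD5 step.  With R_t = RL(T_t, RC_t) the path
# constructor knows delta R_t (from delta Q_{t+1} - delta Q_t) and has to choose
# delta T_t = RR(R'_t, RC_t) - RR(R_t, RC_t), which depends on the concrete R_t.
# Notation as in the thesis (delta X = X' - X mod 2^32); the names and the
# sampling approach are ours.
import random
from collections import Counter

MASK32 = 0xFFFFFFFF

def rotate_left(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32

def rotate_right(x, n):
    return rotate_left(x, (32 - n) % 32)

def rotated_difference(r, delta_r, rc):
    """delta T_t for one concrete R_t, given delta R_t and RC_t."""
    r_prime = (r + delta_r) & MASK32
    return (rotate_right(r_prime, rc) - rotate_right(r, rc)) & MASK32

def delta_t_distribution(delta_r, rc, samples=20000, seed=1):
    """Monte Carlo estimate of Pr[delta T_t = x] over uniformly random R_t,
    returned as a dict ordered from most to least frequent outcome."""
    rng = random.Random(seed)
    counts = Counter(rotated_difference(rng.getrandbits(32), delta_r, rc)
                     for _ in range(samples))
    return {dt: c / samples for dt, c in counts.most_common()}

def best_delta_t(delta_r, rc, **kw):
    """The delta T_t a path constructor would pick: the most probable one,
    together with its estimated probability."""
    dist = delta_t_distribution(delta_r, rc, **kw)
    dt = max(dist, key=dist.get)
    return dt, dist[dt]

def show(delta_r, rc):
    for dt, p in delta_t_distribution(delta_r, rc).items():
        print(f"delta R = {delta_r:#010x}, RC = {rc:2d}: "
              f"delta T = {dt:#010x} with p ~ {p:.5f}")

if __name__ == "__main__":
    show(1 << 15, 10)   # Table 7-1, t = 61, with d = 5: delta T = 2^5
    show(1 << 3, 10)    # d = 25: the flipped bits cross the rotation boundary
```

For $\delta R_t = 2^{15}$ and $RC_t = 10$ the sampled distribution is concentrated on $\delta T_t = 2^5$, the table's $t = 61$ row with $d = 5$; the alternative $2^5 - 2^{22}$ requires the carry of $R_t + 2^{15}$ to run off the top of the word and has probability $2^{-17}$. For $\delta R_t = 2^3$ the flipped bits can cross the rotation boundary, and the second outcome $2^{25} + 1$ appears with probability about $2^{-7}$, which is why the constructor chooses a $\delta T_t$ and accepts its probability rather than deriving it.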

Although the number of bitconditions over the final two rounds is very low, the second round will contain in the order of 100 bitconditions. Had these bitconditions occurred in the third or fourth round, they would have implied a collision finding complexity of approximately $2^{100}$ compressions. However, in our case there will be in the order of only 30 bitconditions from $Q_{25}$ up to $Q_{33}$, where $Q_{25}$ is the POV of the most efficient tunnel $T(Q_9, m_9)$ (see Table 5-2). Because of this fact, and using the collision finding techniques described in section 5, we were able to find actual near-collision blocks within feasible time.

