View Full Version : A question about MD5

April 25th, 2005, 11:14
Hi all
I want to ask something about MD5 because I'm not that professional in cryptography.
I know MD5 is one of good hash algorithms,but I read in somewhere that we can calculate
Strong collisions for MD5 algorithm,but I want to know I is possible to calculate
weak collisions for it or not?
For example I have this equalation:
that S and k is a text and h is result hash.the operation "." is concating to strings.
Is it possible to calculate k for a given S,h ?

sincerely yours

April 26th, 2005, 03:03
Hi Hero,

it looks like you are referring to this

Because MD5 makes only one pass over the data, if two prefixes with the same hash can be constructed, a common suffix can be added to both to make the collision more reasonable. And because the current collision-finding techniques allow the preceding hash state to be specified arbitrarily, a collision can be found for any desired prefix. All that is required to generate two colliding files is a template file, with a 128-byte block of data aligned on a 64-byte boundary, that can be changed freely by the collision-finding algorithm.
quoted from http://encyclopedia.lockergnome.com/s/b/MD5

There is a lot of theory in these speculations, but no code nowhere (sometimes the code is kept secret, as in the case of the Chinese methods).
Edited: some detail has now been given, and the llink is provided at the following link

Anyway, the best and most recent stuff is in Klima pages:

Regards, bilbo

April 26th, 2005, 06:31
Hi bilbo
Thanks for great documents.But as what I see in them,was Strong collisions(As
I said that possible to find),but I didn't see anything about weak collisions in them(Perhaps
because finding weak collisions are more difficult).

sincerely yours

April 26th, 2005, 17:15
What you're looking for is a preimage attack: given a hash h, find a message k that produces it. In fact, you're looking for a constrained preimage, since you want it to start with S. (The constraint, however, doesn't matter much--it's just a different initial state for the registers.)

So to answer your question, no, it is not currently possible to find k from S, h for MD5.