Preimage Attack on MD4 Hash Function as a Problem of Parallel Sat-Based Cryptanalysis

Irina A. Gribanova, Oleg S. Zaikin, Ilya V. Otpuschennikov, Alexander A. Semenov


In this paper we study the inversion problem of MD4 cryptographic hash function developed by R. Rivest in 1990. By MD4-k we denote a truncated variant of MD4 hash function in which k represents a number of steps used to calculate a hash value (the full version of MD4 function corresponds to MD4-48). H. Dobbertin has showed that MD4-32 hash function is not one-way, namely, it can be inverted for the given image of a random input. He suggested to add special conditions to the equations that describe the computation of concrete steps (chaining variables) of the considered hash function. These additional conditions allowed to solve the inversion problem of MD4-32 within a reasonable time by solving corresponding system of equations. The main result of the present paper is an automatic derivation of “Dobbertin’s conditions” using parallel SAT solving algorithms. We also managed to solve several inversion problems of functions of the kind MD4-k (for k from 31 up to 39 inclusive). Our method significantly outperforms previously existing approaches to solving these problems.

Ключевые слова

cryptanalysis, hash function, inversion problem; MD4; SAT; parallel computing; MPI

Полный текст:

PDF (English)


Wang X., Lai X., Feng D., Chen H., Yu X. Cryptanalysis of the Hash Functions MD4 and RIPEMD. Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques. EUROCRYPT’05. Berlin, Heidelberg: Springer- Verlag, 2005. P. 1–18. DOI: 10.1007/11426639_1.

Wang X., Yu H. How to Break MD5 and Other Hash Functions. Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques. EUROCRYPT’05. Berlin, Heidelberg: Springer-Verlag, 2005. P. 19–35. DOI: 10.1007/11426639_2.

Dobbertin H. The First Two Rounds of MD4 are Not One-Way. Fast Software Encryption / Ed. by Serge Vaudenay. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 1998. Vol. 1372. P. 284–292. DOI: 10.1007/3-540-69710-1_19.

Rivest R.L. The MD4 Message Digest Algorithm. Advances in Cryptology - CRYPTO’90, Proceedings / Ed. by Alfred Menezes, Scott A. Vanstone. Lecture Notes in Computer Science. Springer, 1990. Vol. 537. P. 303–311. DOI: 10.1007/3-540-38424-3_22.

Damgard I.B. A Design Principle for Hash Functions. Proceedings on Advances in Cryptology. CRYPTO ’89. New York, NY, USA: Springer-Verlag New York, Inc., 1989. P. 416–427. DOI: 10.1007/0-387-34805-0_39.

Merkle R.C. A Certi ed Digital Signature. Proceedings on Advances in Cryptology. CRYPTO ’89. New York, NY, USA: Springer-Verlag New York, Inc., 1989. P. 218–238. DOI: 10.1007/0- 387-34805-0_21.

Tseitin G.S On the Complexity of Derivation in Propositional Calculus. Automation of Reasoning: 2: Classical Papers on Computational Logic 1967–1970. Berlin, Heidelberg: Springer Berlin Heidelberg, 1983. P. 466–483. DOI: 10.1007/978-3-642-81955- 1_28.

Erkok L., Matthews J. High assurance programming in Cryptol. Fifth Cyber Security and Information Intelligence Research Workshop, CSIIRW’09, Knoxville, TN, USA, April 13-15, 2009 / Ed. by Frederick T. Sheldon, Greg Peterson, Axel W. Krings [et al.]. ACM, 2009. P. 60. DOI: 10.1145/1558607.1558676.

Janicic P. URSA: a System for Uniform Reduction to SAT. Logical Methods in Computer Science. 2012. Vol. 8, No. 3. P. 1–39. DOI: 10.2168/lmcs-8(3:30)2012.

Soos M., Nohl K., Castelluccia C. Extending SAT Solvers to Cryptographic Problems . SAT / Ed. by Oliver Kullmann. Lecture Notes in Computer Science. Springer, 2009. Vol. 5584. P. 244–257. DOI: 10.1007/978-3-642-02777-2_24.

Otpuschennikov I., Semenov A., Gribanova I., Zaikin O., Kochemazov S. Encoding Cryptographic Functions to SAT Using TRANSALG System. ECAI 2016 - 22nd European Conference on Arti cial Intelligence, 29 August-2 September 2016, The Hague, The Netherlands - Including Prestigious Applications of Arti cial Intelligence (PAIS 2016) / Ed. by Gal A. Kaminka, Maria Fox, Paolo Bouquet [et al.]. Frontiers in Arti cial Intelligence and Applications. IOS Press, 2016. Vol. 285. P. 1594–1595.

Marques-Silva J.P., Sakallah K.A. GRASP: A Search Algorithm for Propositional Satis ability. IEEE Trans. Computers. 1999. Vol. 48, No. 5. P. 506–521. DOI: 10.1109/12.769433.

Marques-Silva J.P., Lynce I., Malik S. Con ict-Driven Clause Learning SAT Solvers. Handbook of Satis ability / Ed. by Armin Biere, Marijn Heule, Hans van Maaren, Toby Walsh. Frontiers in Arti cial Intelligence and Applications. IOS Press, 2009. Vol. 185. P. 131–153.

Hyvarinen A.E.J. Grid Based Propositional Satis ability Solving. Ph.D. thesis, Aalto University, 2011.

Mironov I., Zhang L. Applications of SAT Solvers to Cryptanalysis of Hash Functions. SAT / Ed. by Armin Biere, Carla P. Gomes. Lecture Notes in Computer Science. Springer, 2006. Vol. 4121. P. 102–115. DOI: 10.1007/11814948_13.

De D., Kumarasubramanian A., Venkatesan R. Inversion Attacks on Secure Hash Functions Using SAT Solvers. Theory and Applications of Satis ability Testing - SAT 2007, Proceedings / Ed. by Joao Marques-Silva, Karem A. Sakallah. Lecture Notes in Computer Science. Springer, 2007. Vol. 4501. P. 377–382. DOI: 10.1007/978-3-540-72788-0_36.

Een N., Sorensson N. Temporal induction by incremental SAT solving. Electr. Notes Theor. Comput. Sci. 2003. Vol. 89, No. 4. P. 543–560. DOI: 10.1016/s1571-0661(05)82542-3.

Semenov A., Zaikin O. Algorithm for nding partitionings of hard variants of boolean satis ability problem with application to inversion of some cryptographic functions. SpringerPlus. 2016. Vol. 5, No. 1. P. 1–16. DOI:10.1186/s40064-016-2187-4.

Bogachkova (Gribanova) I., Zaikin O., Kochemazov S., Otpuschennikov I., Semenov A., Khamisov O. Problems of search for collisions of cryptographic hash functions of the MD family as variants of Boolean satis ability problem. Numerical Methods and programming. 2015. Vol. 16, No. 1. P. 61–77. (in Russian)