|
| 1 | +block2 |
| 2 | +====== |
| 3 | + |
| 4 | +This code produces the second block of an MD5 collision given the chaining |
| 5 | +value from a first block message. Using the chaining value from M output |
| 6 | +by the block1 program, we are able to calculate the chaining value for M1'. |
| 7 | +The chaining values are specified in the file 'CV.txt'. |
| 8 | + |
| 9 | +Compilation instructions |
| 10 | +======================== |
| 11 | + g++ -O3 -c md5.cpp |
| 12 | + g++ -O3 -c block2.cpp |
| 13 | + g++ block2.o md5.o -o Block2.out |
| 14 | + |
| 15 | +At one point we noted that compiling the Block2 code with the Intel compiler |
| 16 | +produced a 30% performance increase. People having access to the Intel |
| 17 | +compiler are encouraged to use it. |
| 18 | + |
| 19 | +icc -fast -Ob2 md5.cpp block2.cpp |
| 20 | +The binary will be placed in a.out |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | +Sufficient Conditions |
| 25 | +====================== |
| 26 | + |
| 27 | +The sufficient conditions for producing a second block message are |
| 28 | +contained in md5cond2.txt. Conditions reflect the updated conditions |
| 29 | +released by Jun Yajima and Takeshi Shemoyama. These conditions may |
| 30 | +be modified by researchers when the list of sufficient conditions |
| 31 | +is changed. It should also be noted that conditions are "manually" |
| 32 | +satisfied for portions of the code rather than looking through the list |
| 33 | +of condtions for efficiency reasons. In md5cond2.txt each condition is |
| 34 | +represented by a three tuple (x,y,z). x is the step value the condition |
| 35 | +is placed on and has value [0-63]. y is the bit within the step value |
| 36 | +that the condition is placed on, and has values [1-32]. z is the type |
| 37 | +of condition having value [0-6] |
| 38 | + |
| 39 | +0 -bit y of stepvalue x should be 0 |
| 40 | +1 -bit y of stepvalue x should be 1 |
| 41 | +2 -bit y of stepvalue x should be equal to bit y of stepvalue x-1 |
| 42 | +3 -bit y of stepvalue x should be equal to bit y of stepvalue x-2 |
| 43 | +4 -bit y of stepvalue x should be not equal to bit y of stepvalue x-1 |
| 44 | +5 -bit y of stepvalue x should be not equal to bit y of stepvalue x-2 |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | +Chaining Values |
| 49 | +=============== |
| 50 | +CV.txt may have arbitrarily many chaining values. |
| 51 | + |
| 52 | +First-block chaining values are used as the IV's for the second block. |
| 53 | +Each set of chainging values is specified on a single line as a 128 bit value. |
| 54 | + |
| 55 | + |
| 56 | +Executing block2 code |
| 57 | +===================== |
| 58 | + |
| 59 | +block2 |
| 60 | +block2 [num cv] |
| 61 | +block2 [num cv] [num coll] |
| 62 | + |
| 63 | +where: |
| 64 | + [num cv] is the number of chaining value sets to be read from CV.txt |
| 65 | + |
| 66 | + [num coll] is the number of collisions to be produced for each |
| 67 | + chainging variable. |
| 68 | + |
| 69 | + When [num coll] is specified [num cv] must also be specified. |
| 70 | + When either [num coll] or both parameters are not specified they |
| 71 | + default to 1. |
| 72 | + |
| 73 | + |
| 74 | +Output Format |
| 75 | +============= |
| 76 | + |
| 77 | +The output format is the same for block2 as it is for block1: the chaining |
| 78 | +value for M is output first, then M and M' are output. Here they are |
| 79 | +two 512-bit values intended as the second blocks corresponding to the |
| 80 | +pair output from the block1 code. |
| 81 | + |
| 82 | +The chaining value shown is NOT the same as the MD5 output value when |
| 83 | +run on either colliding pair because our calculations were not done with |
| 84 | +the length appended. However, since both messages are two blocks long, |
| 85 | +appending the length will not upset the collision. |
| 86 | + |
| 87 | + |
| 88 | + |
| 89 | +Debugging |
| 90 | +========= |
| 91 | + |
| 92 | +Optional output has been left in the code for the purpose of dubugging. This |
| 93 | +output can be turned on by setting the DEBUG constant to 1 rather than 0. |
0 commit comments