| 1 | +README.txt |
| 2 | +Last updated: 1/04/2006 |
| 3 | + |
| 4 | +This file is intended to supplement the code found in block1.c. |
| 5 | + |
| 6 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 7 | +Building the Executable |
| 8 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 9 | + |
| 10 | +To build the binary, just type 'make' at the command line, or use the command |
| 11 | + |
| 12 | + gcc -O3 -march=pentium4 block1.c -o block1 |
| 13 | + |
| 14 | +where the '-march=' flag is changed to the appropriate value. On the |
| 15 | +Pentium 4, use of this flag makes the code roughly twice as fast compared |
| 16 | +to a binary compiled without specifying the architecture. You can also |
| 17 | +use the build.sh script supplied to build the entire toolkit. |
| 18 | + |
| 19 | + |
| 20 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 21 | +Usage |
| 22 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 23 | + |
| 24 | +The code can either use the default IV for MD5, or it can take the |
| 25 | +IV as a paramter. In the former case, the code is invoked by |
| 26 | + |
| 27 | + ./block1 |
| 28 | + |
| 29 | +and in the latter case the code is invoked by |
| 30 | + |
| 31 | + ./block 1 <IV> |
| 32 | + |
| 33 | +where IV is any hex value of length 32. As an example, one might invoke the |
| 34 | +code as follows: |
| 35 | + |
| 36 | + ./block1 d41d8cd98f00b204e9800998ecf8427e |
| 37 | + |
| 38 | + |
| 39 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 40 | +Output |
| 41 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 42 | + |
| 43 | +The output to the program consists of three parts: the output of the |
| 44 | +MD5 compression function on the first of two messages, M and M', and |
| 45 | +then the two 512-bit messages M and M' themselves, |
| 46 | +represented as a 16-tuple of 32-bit hex values. |
| 47 | + |
| 48 | +As an example run, we obtained the following output: |
| 49 | + |
| 50 | + Chaining value for M: |
| 51 | + ef5f6cf37991e593628c40e6794a54b9 |
| 52 | + M = { 87e85516, 9f820a2d, 1d2c1ea0, 891cc06e, |
| 53 | + b50347ae, 364a887c, 3ada98ae, 62468e31, |
| 54 | + 05352d45, 21333bfe, 8c9ef6b7, 269a3354, |
| 55 | + 6043a0c7, 3f98a2f4, ab400728, 3a995dcd } |
| 56 | + |
| 57 | + M' = { 87e85516, 9f820a2d, 1d2c1ea0, 891cc06e, |
| 58 | + 350347ae, 364a887c, 3ada98ae, 62468e31, |
| 59 | + 05352d45, 21333bfe, 8c9ef6b7, 269ab354, |
| 60 | + 6043a0c7, 3f98a2f4, 2b400728, 3a995dcd } |
| 61 | + |
| 62 | +This output is a pair of first-blocks of what will be a pair of two-block |
| 63 | +messages that collide under MD5. The differential is the Wang-differential, |
| 64 | +but several more conditions were specified to speed up the algorithm as |
| 65 | +described in the accompanying paper (and see below). |
| 66 | + |
| 67 | +The chaining value for M is all that is needed in order to produce a pair |
| 68 | +of second-blocks to complete the collision-pair. The chaining value above |
| 69 | +is given to a separate program (aptly named 'block2') to accomplish this. |
| 70 | +When M from this program is prepended to M from the block2 program we get |
| 71 | +a two-block message X. When M' from this program is prepended to M' from |
| 72 | +the block2 program, we get a distinct two-block message Y. X and Y will |
| 73 | +collide under MD5. |
| 74 | + |
| 75 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 76 | +md5cond_1.txt |
| 77 | +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 78 | + |
| 79 | +This file contains the list of conditions on the step values computed during |
| 80 | +the computation of the MD5 compression function. For 'normal' use of the |
| 81 | +code, no modifications of md5cond_1.txt are necessary. That is, the file |
| 82 | +contains an encoding of all the conditions present in the associated |
| 83 | +paper. One may wish to change md5cond_1.txt only to experiment with |
| 84 | +new conditions or to examine the effect on code running-time when various |
| 85 | +conditions are manipulated, created, or removed. |
| 86 | + |
| 87 | +Format: |
| 88 | +Each line of the file encodes one condition and is composed of five |
| 89 | +space-delimited numbers. The first number denotes the step number of the |
| 90 | +condition, with acceptable values of 0-63 (68-71 are used for the conditions |
| 91 | +on the chaining values). The second number denotes the index of the bit of |
| 92 | +the condition (values 0-31). The third value denotes either the value of |
| 93 | +that bit (-2 means that bit should be zero, and -1 means that bit should be |
| 94 | +one) or the index of the step value that it should be compared to. The |
| 95 | +fourth and fifth values are used only when the condition refers to another |
| 96 | +step value and they represent the bit index and additive constant to that |
| 97 | +value, respectively. |
| 98 | + |
| 99 | +Examples: |
| 100 | +3 5 -2 0 0 |
| 101 | +Bit 5 on step value 3 should be 0. |
| 102 | + |
| 103 | +27 31 -1 0 0 |
| 104 | +Bit 31 on step value 27 should be 1. |
| 105 | + |
| 106 | +15 31 14 31 0 |
| 107 | +Bit 31 on step value 15 should be the same as bit 31 on step value 14. |
| 108 | + |
| 109 | +63 31 61 31 1 |
| 110 | +Bit 31 on step value 63 should be the opposite of bit 31 on step value 61. |
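Review bot: The parameterised invocation in the Usage section reads `./block 1 <IV>` (README line 31), which does not match the binary name `block1` produced by the build command or the worked example `./block1 d41d8cd98f00b204e9800998ecf8427e` a few lines later; it should read `./block1 <IV>`. In the same paragraph "paramter" (line 25) should be "parameter". In the md5cond_1.txt format description, the fifth field is called an "additive constant", but its effect is only inferable from the last two examples (0 gives "the same as", 1 gives "the opposite of"); saying so explicitly in the Format paragraph would remove the guesswork. That paragraph also documents step numbers 0-63 and 68-71 without saying whether 64-67 are valid, which is worth one clause.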