Is it feasible to get a hash collision for CRC32, MD-5 and SHA-1 on one file?How hard is it to generate a simultaneous MD5 and SHA1 collision?Brute forcing CRC-32Is Dropbox's hashing method cryptographically secure?Is there a generic attack on encrypted CRC32 when used as a MAC?CRC32 vs. low 32 bits of cryptographic hashIntegrity compromised - HASH modifiedWould SHA-1 be safe for certificates with short validity?Checksum vs. non-cryptographic hashHow does the attack on MD5 work that allows a file to show its own (full) hash?How is it possible to detect “unknown SHA-1 cryptanalytic collision attacks given just a single file from a colliding file pair”?
Two questions about typesetting a Roman missal
Why are non-collision-resistant hash functions considered insecure for signing self-generated information
Duplicate instruments in unison in an orchestra
How to gently end involvement with an online community?
What is the difference between "Grippe" and "Männergrippe"?
What verb is かまされる?
Did anyone try to find the little box that held Professor Moriarty and his wife after the crash?
Add newline to prompt if it's too long
Architectural feasibility of a tiered circular stone keep
Transposing from C to Cm?
Notepad++ cannot print
The No-Free-Lunch Theorem and K-NN consistency
I don't have the theoretical background in my PhD topic. I can't justify getting the degree
Uri tokenizer as a simple state machine
How do you interpolate outside the range of data?
Was it ever possible to target a zone?
Does Norwegian overbook flights?
Round towards zero
Are the A380 engines interchangeable (given they are not all equipped with reverse)?
Compelling story with the world as a villain
Circular Reasoning for Epsilon-Delta Proof?
Algorithms vs LP or MIP
Obtaining the intermediate solutions in AMPL
Read file lines into shell line separated by space
Is it feasible to get a hash collision for CRC32, MD-5 and SHA-1 on one file?
How hard is it to generate a simultaneous MD5 and SHA1 collision?Brute forcing CRC-32Is Dropbox's hashing method cryptographically secure?Is there a generic attack on encrypted CRC32 when used as a MAC?CRC32 vs. low 32 bits of cryptographic hashIntegrity compromised - HASH modifiedWould SHA-1 be safe for certificates with short validity?Checksum vs. non-cryptographic hashHow does the attack on MD5 work that allows a file to show its own (full) hash?How is it possible to detect “unknown SHA-1 cryptanalytic collision attacks given just a single file from a colliding file pair”?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
I'm aware that individually, each has its weaknesses (especially CRC32), but is it feasible that a file could be created to falsely match all three?
checksum md5 crc sha-1
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
$endgroup$
migrated from superuser.com Aug 12 at 15:11
This question came from our site for computer enthusiasts and power users.
add a comment |
$begingroup$
I'm aware that individually, each has its weaknesses (especially CRC32), but is it feasible that a file could be created to falsely match all three?
checksum md5 crc sha-1
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
$endgroup$
migrated from superuser.com Aug 12 at 15:11
This question came from our site for computer enthusiasts and power users.
$begingroup$
I think it would be difficult to actively intend to get a simultaneous clash on all three given that they use different algorithms. Clashes are possible in each, sure, and you can engineer a clash in each if you are determined but I would have thought it would be difficult to get a clash in all three at the same time. It feels like the sort of thing that might be possible but technically unfeasible given the amount of effort required. Personally I'd be curious to see how probable this is.
$endgroup$
– Mokubai
Aug 12 at 15:01
2
$begingroup$
this Q&A has the (positive) answer except for the CRC part
$endgroup$
– SEJPM♦
Aug 12 at 15:22
$begingroup$
Is this is some attempt at synthesizing a "faster" hash because the old/simpler algorithms are quicker? They're not.
$endgroup$
– Nick T
Aug 13 at 4:05
1
$begingroup$
@NickT These old, inscecure hashes are being used for compatibility with old software. Removing these hashes is not an option, so I was asking to find out if it is worth adding something better. I'd rather not have to add another one as it means extra work for people using the old software - they'd have to use different software to generate the new hash (e.g. SHA256). As I understand it, its not feasible for the common person to find a collision for all three at the same time.
$endgroup$
– Hiccup
Aug 13 at 13:51
add a comment |
$begingroup$
I'm aware that individually, each has its weaknesses (especially CRC32), but is it feasible that a file could be created to falsely match all three?
checksum md5 crc sha-1
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
$endgroup$
I'm aware that individually, each has its weaknesses (especially CRC32), but is it feasible that a file could be created to falsely match all three?
checksum md5 crc sha-1
checksum md5 crc sha-1
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
asked Aug 12 at 14:14
HiccupHiccup
1313 bronze badges
1313 bronze badges
migrated from superuser.com Aug 12 at 15:11
This question came from our site for computer enthusiasts and power users.
migrated from superuser.com Aug 12 at 15:11
This question came from our site for computer enthusiasts and power users.
migrated from superuser.com Aug 12 at 15:11
This question came from our site for computer enthusiasts and power users.
$begingroup$
I think it would be difficult to actively intend to get a simultaneous clash on all three given that they use different algorithms. Clashes are possible in each, sure, and you can engineer a clash in each if you are determined but I would have thought it would be difficult to get a clash in all three at the same time. It feels like the sort of thing that might be possible but technically unfeasible given the amount of effort required. Personally I'd be curious to see how probable this is.
$endgroup$
– Mokubai
Aug 12 at 15:01
2
$begingroup$
this Q&A has the (positive) answer except for the CRC part
$endgroup$
– SEJPM♦
Aug 12 at 15:22
$begingroup$
Is this is some attempt at synthesizing a "faster" hash because the old/simpler algorithms are quicker? They're not.
$endgroup$
– Nick T
Aug 13 at 4:05
1
$begingroup$
@NickT These old, inscecure hashes are being used for compatibility with old software. Removing these hashes is not an option, so I was asking to find out if it is worth adding something better. I'd rather not have to add another one as it means extra work for people using the old software - they'd have to use different software to generate the new hash (e.g. SHA256). As I understand it, its not feasible for the common person to find a collision for all three at the same time.
$endgroup$
– Hiccup
Aug 13 at 13:51
add a comment |
$begingroup$
I think it would be difficult to actively intend to get a simultaneous clash on all three given that they use different algorithms. Clashes are possible in each, sure, and you can engineer a clash in each if you are determined but I would have thought it would be difficult to get a clash in all three at the same time. It feels like the sort of thing that might be possible but technically unfeasible given the amount of effort required. Personally I'd be curious to see how probable this is.
$endgroup$
– Mokubai
Aug 12 at 15:01
2
$begingroup$
this Q&A has the (positive) answer except for the CRC part
$endgroup$
– SEJPM♦
Aug 12 at 15:22
$begingroup$
Is this is some attempt at synthesizing a "faster" hash because the old/simpler algorithms are quicker? They're not.
$endgroup$
– Nick T
Aug 13 at 4:05
1
$begingroup$
@NickT These old, inscecure hashes are being used for compatibility with old software. Removing these hashes is not an option, so I was asking to find out if it is worth adding something better. I'd rather not have to add another one as it means extra work for people using the old software - they'd have to use different software to generate the new hash (e.g. SHA256). As I understand it, its not feasible for the common person to find a collision for all three at the same time.
$endgroup$
– Hiccup
Aug 13 at 13:51
$begingroup$
I think it would be difficult to actively intend to get a simultaneous clash on all three given that they use different algorithms. Clashes are possible in each, sure, and you can engineer a clash in each if you are determined but I would have thought it would be difficult to get a clash in all three at the same time. It feels like the sort of thing that might be possible but technically unfeasible given the amount of effort required. Personally I'd be curious to see how probable this is.
$endgroup$
– Mokubai
Aug 12 at 15:01
$begingroup$
I think it would be difficult to actively intend to get a simultaneous clash on all three given that they use different algorithms. Clashes are possible in each, sure, and you can engineer a clash in each if you are determined but I would have thought it would be difficult to get a clash in all three at the same time. It feels like the sort of thing that might be possible but technically unfeasible given the amount of effort required. Personally I'd be curious to see how probable this is.
$endgroup$
– Mokubai
Aug 12 at 15:01
2
2
$begingroup$
this Q&A has the (positive) answer except for the CRC part
$endgroup$
– SEJPM♦
Aug 12 at 15:22
$begingroup$
this Q&A has the (positive) answer except for the CRC part
$endgroup$
– SEJPM♦
Aug 12 at 15:22
$begingroup$
Is this is some attempt at synthesizing a "faster" hash because the old/simpler algorithms are quicker? They're not.
$endgroup$
– Nick T
Aug 13 at 4:05
$begingroup$
Is this is some attempt at synthesizing a "faster" hash because the old/simpler algorithms are quicker? They're not.
$endgroup$
– Nick T
Aug 13 at 4:05
1
1
$begingroup$
@NickT These old, inscecure hashes are being used for compatibility with old software. Removing these hashes is not an option, so I was asking to find out if it is worth adding something better. I'd rather not have to add another one as it means extra work for people using the old software - they'd have to use different software to generate the new hash (e.g. SHA256). As I understand it, its not feasible for the common person to find a collision for all three at the same time.
$endgroup$
– Hiccup
Aug 13 at 13:51
$begingroup$
@NickT These old, inscecure hashes are being used for compatibility with old software. Removing these hashes is not an option, so I was asking to find out if it is worth adding something better. I'd rather not have to add another one as it means extra work for people using the old software - they'd have to use different software to generate the new hash (e.g. SHA256). As I understand it, its not feasible for the common person to find a collision for all three at the same time.
$endgroup$
– Hiccup
Aug 13 at 13:51
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
Finding a simultaneous collision for all three would take the effort of approximately $2^72$ SHA-1 compression function evaluations.
The overall idea would be to take the general $2^67$ idea found in the answer to How hard is it to generate a simultaneous MD5 and SHA1 collision? and perform the attack 33 successive times (generating 33 places in the hash image where we can take either $X_i$ or $Y_i$ without affecting either the MD5 or SHA-1 hash).
That'll give us a total of $2^33$ images with all the same MD5 and SHA-1 hash; there must be a pair of images with the same CRC-32 value as well, and so that solves the problem.
Whether $2^72$ operations is in the realm of feasibility is another question entirely...
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
$endgroup$
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
2
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
1
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
5
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
4
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
|
show 1 more comment
$begingroup$
The following method is faster than poncho's answer, and it allows you to choose the CRC value.
First, generate a $2^96$ SHA1 multicollision.
Using linearity of CRCs, find a set of $approx 2^64$ distinct messages in the multicollision with the target CRC value. See below for details.
Simply look for an MD5 collision within this set of $approx 2^64$ messages.
What do we gain? Instead of running the full SHA1/MD5 simultaneous collision attack $33$ times, we only run it once with an increased effort in steps 1 and 3.
More precisely, using the value of $2^63.1$ SHA1 compressions from the SHAttered paper, we require the equivalent of $approx 2^69.7$ SHA1 compressions in step 1, and $approx 2^70$ MD5 compressions in step 3. Ignoring the ridiculously high memory cost of naïve birthday search in step 3, and sloppily equating the costs of SHA1 and MD5 compressions, the total cost comes out as $approx 2^70.9$ compression function calls.
(Note that this number cannot be compared directly with poncho's coarser estimate; in reality, the speedup factor should be closer to $approx10$.)
Step 2
Let us look at how taking different combinations of the multicollision blocks affects the CRC value. Suppose at position $i$ we have a choice between two blocks $x_i$ and $y_i$, and that we use a bit $c_i$ to select between the two. Thus, set $$
beginequation
labeleq:c_chooses_xy
tag$ast$
z_i=begincasesx_i&textif $c_i=0$;\y_i&textif $c_i=1$.endcases
endequation
$$
It is well-known that CRCs are linear. Concretely, this means that for each block $i$ of the multicollision, choosing between $x_i$ and $y_i$ incurs a fixed differential $delta_i$ in the final output, independent of the other choices:
$$
mathrmCRC(z_1Vert z_2VertdotsVert y_iVertdotsVert z_96)
=
delta_ioplus
mathrmCRC(z_1Vert z_2VertdotsVert x_iVertdotsVert z_96)
,text.
$$
Therefore,
$$
mathrmCRC(z_1Vert z_2VertdotsVert z_96)
=
mathrmCRC(x_1Vert x_2VertdotsVert x_96)
oplus
bigoplus_i=1^96 c_i delta_i
,text,
$$
which is a linear equation over $mathbb F_2$ in the variables $c_1,dots,c_96$!
To find $2^64$ solutions $(c_1 dots c_96)inmathbb F_2^96$,
first compute all the $delta_i$-values, interpreted as length-$32$ vectors over $mathbb F_2$,
to form the matrix
$$
M := left(beginarrayc
delta_1\hline
vdots\hline
delta_96
endarrayright)
inmathbb F_2^96times32
,text.
$$
Then, for a given target CRC value $tinmathbb F_2^32$, compute a solution $gammainmathbb F_2^96$ to the equation
$$
gammacdot M = t-s
,text.
$$
Note that such a solution is almost guaranteed to exist since the probability that $M$ has the maximal possible rank $32$ is greater than $1-2^-64$ when modelling the $delta_i$ as uniformly random in $mathbb F_2^32$.
Also compute $64$ independent vectors $v_1,dots,v_64inmathbb F_2^96$ in the (left) kernel of $M$. (These always exist due to the dimensions.)
Now finally, letting $c$ run through all vectors of the form
$$
c = gamma + sum_i=1^64 alpha_i v_i
,text,
$$
where $alpha_iinmathbb F_2$, and assembling our multicollision messages according to $eqrefeq:c_chooses_xy$ yields our desired $2^64$ messages, all with the same SHA1 hash, and all with the same chosen CRC value!
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72549%2fis-it-feasible-to-get-a-hash-collision-for-crc32-md-5-and-sha-1-on-one-file%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Finding a simultaneous collision for all three would take the effort of approximately $2^72$ SHA-1 compression function evaluations.
The overall idea would be to take the general $2^67$ idea found in the answer to How hard is it to generate a simultaneous MD5 and SHA1 collision? and perform the attack 33 successive times (generating 33 places in the hash image where we can take either $X_i$ or $Y_i$ without affecting either the MD5 or SHA-1 hash).
That'll give us a total of $2^33$ images with all the same MD5 and SHA-1 hash; there must be a pair of images with the same CRC-32 value as well, and so that solves the problem.
Whether $2^72$ operations is in the realm of feasibility is another question entirely...
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
$endgroup$
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
2
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
1
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
5
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
4
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
|
show 1 more comment
$begingroup$
Finding a simultaneous collision for all three would take the effort of approximately $2^72$ SHA-1 compression function evaluations.
The overall idea would be to take the general $2^67$ idea found in the answer to How hard is it to generate a simultaneous MD5 and SHA1 collision? and perform the attack 33 successive times (generating 33 places in the hash image where we can take either $X_i$ or $Y_i$ without affecting either the MD5 or SHA-1 hash).
That'll give us a total of $2^33$ images with all the same MD5 and SHA-1 hash; there must be a pair of images with the same CRC-32 value as well, and so that solves the problem.
Whether $2^72$ operations is in the realm of feasibility is another question entirely...
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
$endgroup$
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
2
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
1
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
5
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
4
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
|
show 1 more comment
$begingroup$
Finding a simultaneous collision for all three would take the effort of approximately $2^72$ SHA-1 compression function evaluations.
The overall idea would be to take the general $2^67$ idea found in the answer to How hard is it to generate a simultaneous MD5 and SHA1 collision? and perform the attack 33 successive times (generating 33 places in the hash image where we can take either $X_i$ or $Y_i$ without affecting either the MD5 or SHA-1 hash).
That'll give us a total of $2^33$ images with all the same MD5 and SHA-1 hash; there must be a pair of images with the same CRC-32 value as well, and so that solves the problem.
Whether $2^72$ operations is in the realm of feasibility is another question entirely...
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
$endgroup$
Finding a simultaneous collision for all three would take the effort of approximately $2^72$ SHA-1 compression function evaluations.
The overall idea would be to take the general $2^67$ idea found in the answer to How hard is it to generate a simultaneous MD5 and SHA1 collision? and perform the attack 33 successive times (generating 33 places in the hash image where we can take either $X_i$ or $Y_i$ without affecting either the MD5 or SHA-1 hash).
That'll give us a total of $2^33$ images with all the same MD5 and SHA-1 hash; there must be a pair of images with the same CRC-32 value as well, and so that solves the problem.
Whether $2^72$ operations is in the realm of feasibility is another question entirely...
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
answered Aug 12 at 15:38
ponchoponcho
98.6k3 gold badges160 silver badges258 bronze badges
98.6k3 gold badges160 silver badges258 bronze badges
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
2
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
1
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
5
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
4
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
|
show 1 more comment
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
2
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
1
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
5
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
4
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
$begingroup$
I was brought here by the curiosity of the question and I'm a bit hung up on the feasibility side. Yes it is technically possible but 2^72 is a number that my mind just spits back as "impossibly huge". Does this mean it is within the realms of a guy sitting in a basement with an old i3 box or is it all the computers in the world running until the eventual heat death of the universe?
$endgroup$
– Mokubai
Aug 12 at 15:47
2
2
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
$begingroup$
@Mokubai: it's probably closer to 'if the NSA (or possibly Goggle or Amazon) decide to devote all their assets on this one problem, they could probably do it in a not-unreasonable amount of time...'.
$endgroup$
– poncho
Aug 12 at 15:56
1
1
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
$begingroup$
Okay, so it's within the realms of possibility of nation-state actors, but probably beyond your average malware or script-kiddie. That is unless he has a pretty large botnet... Not unreasonable to achieve, but probably costs far more than it is ever going to worth unless the target is a) incredibly paranoid (to be using/checking all three hashes) and b) extremely high value. Thank you for indulging my curiosity :)
$endgroup$
– Mokubai
Aug 12 at 16:14
5
5
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
$begingroup$
The Bitcoin network has a hash rate of $2^72$ hashes every three days. It's more than one guy in a basement but far less than heat death of the universe. It's also probably far less than what the NSA could manage.
$endgroup$
– djao
Aug 12 at 18:51
4
4
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
$begingroup$
I was half expecting to see an answer of "Yeah, these two files."
$endgroup$
– Joshua
Aug 12 at 22:26
|
show 1 more comment
$begingroup$
The following method is faster than poncho's answer, and it allows you to choose the CRC value.
First, generate a $2^96$ SHA1 multicollision.
Using linearity of CRCs, find a set of $approx 2^64$ distinct messages in the multicollision with the target CRC value. See below for details.
Simply look for an MD5 collision within this set of $approx 2^64$ messages.
What do we gain? Instead of running the full SHA1/MD5 simultaneous collision attack $33$ times, we only run it once with an increased effort in steps 1 and 3.
More precisely, using the value of $2^63.1$ SHA1 compressions from the SHAttered paper, we require the equivalent of $approx 2^69.7$ SHA1 compressions in step 1, and $approx 2^70$ MD5 compressions in step 3. Ignoring the ridiculously high memory cost of naïve birthday search in step 3, and sloppily equating the costs of SHA1 and MD5 compressions, the total cost comes out as $approx 2^70.9$ compression function calls.
(Note that this number cannot be compared directly with poncho's coarser estimate; in reality, the speedup factor should be closer to $approx10$.)
Step 2
Let us look at how taking different combinations of the multicollision blocks affects the CRC value. Suppose at position $i$ we have a choice between two blocks $x_i$ and $y_i$, and that we use a bit $c_i$ to select between the two. Thus, set $$
beginequation
labeleq:c_chooses_xy
tag$ast$
z_i=begincasesx_i&textif $c_i=0$;\y_i&textif $c_i=1$.endcases
endequation
$$
It is well-known that CRCs are linear. Concretely, this means that for each block $i$ of the multicollision, choosing between $x_i$ and $y_i$ incurs a fixed differential $delta_i$ in the final output, independent of the other choices:
$$
mathrmCRC(z_1Vert z_2VertdotsVert y_iVertdotsVert z_96)
=
delta_ioplus
mathrmCRC(z_1Vert z_2VertdotsVert x_iVertdotsVert z_96)
,text.
$$
Therefore,
$$
mathrmCRC(z_1Vert z_2VertdotsVert z_96)
=
mathrmCRC(x_1Vert x_2VertdotsVert x_96)
oplus
bigoplus_i=1^96 c_i delta_i
,text,
$$
which is a linear equation over $mathbb F_2$ in the variables $c_1,dots,c_96$!
To find $2^64$ solutions $(c_1 dots c_96)inmathbb F_2^96$,
first compute all the $delta_i$-values, interpreted as length-$32$ vectors over $mathbb F_2$,
to form the matrix
$$
M := left(beginarrayc
delta_1\hline
vdots\hline
delta_96
endarrayright)
inmathbb F_2^96times32
,text.
$$
Then, for a given target CRC value $tinmathbb F_2^32$, compute a solution $gammainmathbb F_2^96$ to the equation
$$
gammacdot M = t-s
,text.
$$
Note that such a solution is almost guaranteed to exist since the probability that $M$ has the maximal possible rank $32$ is greater than $1-2^-64$ when modelling the $delta_i$ as uniformly random in $mathbb F_2^32$.
Also compute $64$ independent vectors $v_1,dots,v_64inmathbb F_2^96$ in the (left) kernel of $M$. (These always exist due to the dimensions.)
Now finally, letting $c$ run through all vectors of the form
$$
c = gamma + sum_i=1^64 alpha_i v_i
,text,
$$
where $alpha_iinmathbb F_2$, and assembling our multicollision messages according to $eqrefeq:c_chooses_xy$ yields our desired $2^64$ messages, all with the same SHA1 hash, and all with the same chosen CRC value!
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
$endgroup$
add a comment |
$begingroup$
The following method is faster than poncho's answer, and it allows you to choose the CRC value.
First, generate a $2^96$ SHA1 multicollision.
Using linearity of CRCs, find a set of $approx 2^64$ distinct messages in the multicollision with the target CRC value. See below for details.
Simply look for an MD5 collision within this set of $approx 2^64$ messages.
What do we gain? Instead of running the full SHA1/MD5 simultaneous collision attack $33$ times, we only run it once with an increased effort in steps 1 and 3.
More precisely, using the value of $2^63.1$ SHA1 compressions from the SHAttered paper, we require the equivalent of $approx 2^69.7$ SHA1 compressions in step 1, and $approx 2^70$ MD5 compressions in step 3. Ignoring the ridiculously high memory cost of naïve birthday search in step 3, and sloppily equating the costs of SHA1 and MD5 compressions, the total cost comes out as $approx 2^70.9$ compression function calls.
(Note that this number cannot be compared directly with poncho's coarser estimate; in reality, the speedup factor should be closer to $approx10$.)
Step 2
Let us look at how taking different combinations of the multicollision blocks affects the CRC value. Suppose at position $i$ we have a choice between two blocks $x_i$ and $y_i$, and that we use a bit $c_i$ to select between the two. Thus, set $$
beginequation
labeleq:c_chooses_xy
tag$ast$
z_i=begincasesx_i&textif $c_i=0$;\y_i&textif $c_i=1$.endcases
endequation
$$
It is well-known that CRCs are linear. Concretely, this means that for each block $i$ of the multicollision, choosing between $x_i$ and $y_i$ incurs a fixed differential $delta_i$ in the final output, independent of the other choices:
$$
mathrmCRC(z_1Vert z_2VertdotsVert y_iVertdotsVert z_96)
=
delta_ioplus
mathrmCRC(z_1Vert z_2VertdotsVert x_iVertdotsVert z_96)
,text.
$$
Therefore,
$$
mathrmCRC(z_1Vert z_2VertdotsVert z_96)
=
mathrmCRC(x_1Vert x_2VertdotsVert x_96)
oplus
bigoplus_i=1^96 c_i delta_i
,text,
$$
which is a linear equation over $mathbb F_2$ in the variables $c_1,dots,c_96$!
To find $2^64$ solutions $(c_1 dots c_96)inmathbb F_2^96$,
first compute all the $delta_i$-values, interpreted as length-$32$ vectors over $mathbb F_2$,
to form the matrix
$$
M := left(beginarrayc
delta_1\hline
vdots\hline
delta_96
endarrayright)
inmathbb F_2^96times32
,text.
$$
Then, for a given target CRC value $tinmathbb F_2^32$, compute a solution $gammainmathbb F_2^96$ to the equation
$$
gammacdot M = t-s
,text.
$$
Note that such a solution is almost guaranteed to exist since the probability that $M$ has the maximal possible rank $32$ is greater than $1-2^-64$ when modelling the $delta_i$ as uniformly random in $mathbb F_2^32$.
Also compute $64$ independent vectors $v_1,dots,v_64inmathbb F_2^96$ in the (left) kernel of $M$. (These always exist due to the dimensions.)
Now finally, letting $c$ run through all vectors of the form
$$
c = gamma + sum_i=1^64 alpha_i v_i
,text,
$$
where $alpha_iinmathbb F_2$, and assembling our multicollision messages according to $eqrefeq:c_chooses_xy$ yields our desired $2^64$ messages, all with the same SHA1 hash, and all with the same chosen CRC value!
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
$endgroup$
add a comment |
$begingroup$
The following method is faster than poncho's answer, and it allows you to choose the CRC value.
First, generate a $2^96$ SHA1 multicollision.
Using linearity of CRCs, find a set of $approx 2^64$ distinct messages in the multicollision with the target CRC value. See below for details.
Simply look for an MD5 collision within this set of $approx 2^64$ messages.
What do we gain? Instead of running the full SHA1/MD5 simultaneous collision attack $33$ times, we only run it once with an increased effort in steps 1 and 3.
More precisely, using the value of $2^63.1$ SHA1 compressions from the SHAttered paper, we require the equivalent of $approx 2^69.7$ SHA1 compressions in step 1, and $approx 2^70$ MD5 compressions in step 3. Ignoring the ridiculously high memory cost of naïve birthday search in step 3, and sloppily equating the costs of SHA1 and MD5 compressions, the total cost comes out as $approx 2^70.9$ compression function calls.
(Note that this number cannot be compared directly with poncho's coarser estimate; in reality, the speedup factor should be closer to $approx10$.)
Step 2
Let us look at how taking different combinations of the multicollision blocks affects the CRC value. Suppose at position $i$ we have a choice between two blocks $x_i$ and $y_i$, and that we use a bit $c_i$ to select between the two. Thus, set $$
beginequation
labeleq:c_chooses_xy
tag$ast$
z_i=begincasesx_i&textif $c_i=0$;\y_i&textif $c_i=1$.endcases
endequation
$$
It is well-known that CRCs are linear. Concretely, this means that for each block $i$ of the multicollision, choosing between $x_i$ and $y_i$ incurs a fixed differential $delta_i$ in the final output, independent of the other choices:
$$
mathrmCRC(z_1Vert z_2VertdotsVert y_iVertdotsVert z_96)
=
delta_ioplus
mathrmCRC(z_1Vert z_2VertdotsVert x_iVertdotsVert z_96)
,text.
$$
Therefore,
$$
mathrmCRC(z_1Vert z_2VertdotsVert z_96)
=
mathrmCRC(x_1Vert x_2VertdotsVert x_96)
oplus
bigoplus_i=1^96 c_i delta_i
,text,
$$
which is a linear equation over $mathbb F_2$ in the variables $c_1,dots,c_96$!
To find $2^64$ solutions $(c_1 dots c_96)inmathbb F_2^96$,
first compute all the $delta_i$-values, interpreted as length-$32$ vectors over $mathbb F_2$,
to form the matrix
$$
M := left(beginarrayc
delta_1\hline
vdots\hline
delta_96
endarrayright)
inmathbb F_2^96times32
,text.
$$
Then, for a given target CRC value $tinmathbb F_2^32$, compute a solution $gammainmathbb F_2^96$ to the equation
$$
gammacdot M = t-s
,text.
$$
Note that such a solution is almost guaranteed to exist since the probability that $M$ has the maximal possible rank $32$ is greater than $1-2^-64$ when modelling the $delta_i$ as uniformly random in $mathbb F_2^32$.
Also compute $64$ independent vectors $v_1,dots,v_64inmathbb F_2^96$ in the (left) kernel of $M$. (These always exist due to the dimensions.)
Now finally, letting $c$ run through all vectors of the form
$$
c = gamma + sum_i=1^64 alpha_i v_i
,text,
$$
where $alpha_iinmathbb F_2$, and assembling our multicollision messages according to $eqrefeq:c_chooses_xy$ yields our desired $2^64$ messages, all with the same SHA1 hash, and all with the same chosen CRC value!
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
$endgroup$
The following method is faster than poncho's answer, and it allows you to choose the CRC value.
First, generate a $2^96$ SHA1 multicollision.
Using linearity of CRCs, find a set of $approx 2^64$ distinct messages in the multicollision with the target CRC value. See below for details.
Simply look for an MD5 collision within this set of $approx 2^64$ messages.
What do we gain? Instead of running the full SHA1/MD5 simultaneous collision attack $33$ times, we only run it once with an increased effort in steps 1 and 3.
More precisely, using the value of $2^63.1$ SHA1 compressions from the SHAttered paper, we require the equivalent of $approx 2^69.7$ SHA1 compressions in step 1, and $approx 2^70$ MD5 compressions in step 3. Ignoring the ridiculously high memory cost of naïve birthday search in step 3, and sloppily equating the costs of SHA1 and MD5 compressions, the total cost comes out as $approx 2^70.9$ compression function calls.
(Note that this number cannot be compared directly with poncho's coarser estimate; in reality, the speedup factor should be closer to $approx10$.)
Step 2
Let us look at how taking different combinations of the multicollision blocks affects the CRC value. Suppose at position $i$ we have a choice between two blocks $x_i$ and $y_i$, and that we use a bit $c_i$ to select between the two. Thus, set $$
beginequation
labeleq:c_chooses_xy
tag$ast$
z_i=begincasesx_i&textif $c_i=0$;\y_i&textif $c_i=1$.endcases
endequation
$$
It is well-known that CRCs are linear. Concretely, this means that for each block $i$ of the multicollision, choosing between $x_i$ and $y_i$ incurs a fixed differential $delta_i$ in the final output, independent of the other choices:
$$
mathrmCRC(z_1Vert z_2VertdotsVert y_iVertdotsVert z_96)
=
delta_ioplus
mathrmCRC(z_1Vert z_2VertdotsVert x_iVertdotsVert z_96)
,text.
$$
Therefore,
$$
mathrmCRC(z_1Vert z_2VertdotsVert z_96)
=
mathrmCRC(x_1Vert x_2VertdotsVert x_96)
oplus
bigoplus_i=1^96 c_i delta_i
,text,
$$
which is a linear equation over $mathbb F_2$ in the variables $c_1,dots,c_96$!
To find $2^64$ solutions $(c_1 dots c_96)inmathbb F_2^96$,
first compute all the $delta_i$-values, interpreted as length-$32$ vectors over $mathbb F_2$,
to form the matrix
$$
M := left(beginarrayc
delta_1\hline
vdots\hline
delta_96
endarrayright)
inmathbb F_2^96times32
,text.
$$
Then, for a given target CRC value $tinmathbb F_2^32$, compute a solution $gammainmathbb F_2^96$ to the equation
$$
gammacdot M = t-s
,text.
$$
Note that such a solution is almost guaranteed to exist since the probability that $M$ has the maximal possible rank $32$ is greater than $1-2^-64$ when modelling the $delta_i$ as uniformly random in $mathbb F_2^32$.
Also compute $64$ independent vectors $v_1,dots,v_64inmathbb F_2^96$ in the (left) kernel of $M$. (These always exist due to the dimensions.)
Now finally, letting $c$ run through all vectors of the form
$$
c = gamma + sum_i=1^64 alpha_i v_i
,text,
$$
where $alpha_iinmathbb F_2$, and assembling our multicollision messages according to $eqrefeq:c_chooses_xy$ yields our desired $2^64$ messages, all with the same SHA1 hash, and all with the same chosen CRC value!
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
edited Aug 13 at 21:22
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
answered Aug 13 at 0:52
yyyyyyyyyyyyyy
9,9343 gold badges35 silver badges54 bronze badges
9,9343 gold badges35 silver badges54 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72549%2fis-it-feasible-to-get-a-hash-collision-for-crc32-md-5-and-sha-1-on-one-file%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
I think it would be difficult to actively intend to get a simultaneous clash on all three given that they use different algorithms. Clashes are possible in each, sure, and you can engineer a clash in each if you are determined but I would have thought it would be difficult to get a clash in all three at the same time. It feels like the sort of thing that might be possible but technically unfeasible given the amount of effort required. Personally I'd be curious to see how probable this is.
$endgroup$
– Mokubai
Aug 12 at 15:01
2
$begingroup$
this Q&A has the (positive) answer except for the CRC part
$endgroup$
– SEJPM♦
Aug 12 at 15:22
$begingroup$
Is this is some attempt at synthesizing a "faster" hash because the old/simpler algorithms are quicker? They're not.
$endgroup$
– Nick T
Aug 13 at 4:05
1
$begingroup$
@NickT These old, inscecure hashes are being used for compatibility with old software. Removing these hashes is not an option, so I was asking to find out if it is worth adding something better. I'd rather not have to add another one as it means extra work for people using the old software - they'd have to use different software to generate the new hash (e.g. SHA256). As I understand it, its not feasible for the common person to find a collision for all three at the same time.
$endgroup$
– Hiccup
Aug 13 at 13:51