Questions tagged [collision-attack]

For attacks on hash functions that achieve hash collisions with less work than the birthday bound.

A collision attack creates a collision in a hash function $H$ (i.e. a pair of distinct inputs $x_0$ and $x_1$ such that $H(x_0)=H(x_1)$) with less work than the naive approach of hashing many inputs until a repeated output is seen (the "birthday attack", which needs about $2^{n/2}$ evaluations for an $n$-bit output). Practical collision attacks have been demonstrated for widely-used hash functions including MD4, MD5, and SHA-1.
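The generic birthday search that a collision attack has to beat, as an added example that is not part of the tag wiki. It runs a naive table-based search against SHA-256 truncated to $n$ bits (the truncation, message format `msg-<i>` and the 32-bit parameter are assumptions chosen so the search finishes in a second) and reports how many evaluations it took against the expected $\sqrt{\pi/2}\cdot 2^{n/2}$.

```python
"""Generic birthday-bound collision search against a truncated hash.

Added example, not from the tag wiki: find two distinct inputs whose
SHA-256 digests agree on the first n bits by hashing distinct inputs and
remembering every output seen.  For an n-bit output the expected work is
about 1.25 * 2**(n/2) evaluations; a "collision attack" in the sense of
this tag is anything that does better than this.
"""
import hashlib
import math
from dataclasses import dataclass


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """SHA-256 of msg, truncated to its first n_bits bits (n_bits <= 256)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


@dataclass
class Collision:
    m0: bytes
    m1: bytes
    value: int        # the shared truncated hash
    evaluations: int  # how many inputs were hashed before the repeat


def birthday_collision(n_bits: int, max_evals: int = 1 << 24) -> Collision:
    """Birthday search: hash distinct inputs until an output repeats.

    Inputs are the constructed messages b"msg-0", b"msg-1", ... so the run is
    deterministic and every input is distinct by construction.  The table
    holds O(2**(n/2)) entries, which is the memory cost of the naive bound.
    """
    seen: dict = {}
    for i in range(max_evals):
        msg = b"msg-%d" % i
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return Collision(seen[h], msg, h, i + 1)
        seen[h] = msg
    raise RuntimeError("no collision within max_evals evaluations")


def expected_evaluations(n_bits: int) -> float:
    """Expected number of evaluations before the first repeat (birthday bound)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


if __name__ == "__main__":
    n = 32
    c = birthday_collision(n)
    print(f"{n}-bit collision after {c.evaluations} evaluations "
          f"(expected about {expected_evaluations(n):.0f})")
    print(c.m0, c.m1, hex(c.value))
    # The full 256-bit digests still differ: the truncation collided, not SHA-256.
    assert hashlib.sha256(c.m0).digest() != hashlib.sha256(c.m1).digest()
```

Doubling `n` by 2 squares nothing but doubles the exponent: at 32 bits the search is seconds of work, at 64 bits it is $2^{32}$ evaluations and a few tens of gigabytes of table, and at 128 bits it is out of reach, which is why practical attacks on MD5 and SHA-1 exploit structure in the compression function rather than this search.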

34 questions
5 votes · 2 answers

Is it viable to find an MD5 collision for Haskell's sparse unicode string encoding?

I've recently discovered a potential vulnerability in the type system of Haskell, a functional programming language in use in critical applications at Facebook, Standard Chartered, Input Output et cetera. For context, Haskell's type system…
5 votes · 0 answers

How was the MiMC bug in circomlib safely exploited in practice to fake the Merkle root in the witness?

Several years ago, there was an unenforced constraint on verification in the circomlib library, a tool for building projects using zk-SNARKs. The error allowed forging cryptographic nullifiers/proofs without having a prior commitment. Tornado Cash,…
4 votes · 2 answers

How easy is it to fake a file hashed with three functions, CRC32, MD5 and SHA-1?

File-A is hashed with CRC32, MD5 and SHA-1. How easy is it to create a fake file-B that has the same hashes as file-A (CRC32, MD5 and SHA-1)? Can an average PC with a GPU calculate a triple hash collision of file-A? And how long would it take?
user94388
4 votes · 2 answers

How can having a cycle help finding a hash collision?

Edit: background: I was thinking about iterating $H$ on some arbitrary $x$ to find a collision. Eventually I will get a cycle for the first time, and until then $x, H^1(x), H^2(x), \dots$ are all distinct. If the first cycle is from…
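How the first cycle of the iterated sequence yields a collision, as an added example that is not part of the question or its answers. The sequence $x_0 = x$, $x_{i+1} = H(x_i)$ forms a "rho": a tail $x_0,\dots,x_{\mu-1}$ of distinct values leading into a cycle of length $\lambda$, so the first repeat is $x_{\mu+\lambda} = x_\mu$ and the collision is the pair $(x_{\mu-1}, x_{\mu+\lambda-1})$, two distinct inputs with the same image $x_\mu$. Floyd's cycle-finding locates that pair with constant memory; the $n$-bit truncation of SHA-256 used as $H$ and the 32-bit parameter are assumptions so the run finishes quickly.

```python
"""Collision from the cycle of an iterated hash (Floyd's rho method).

Added example, not from the question or its answers.  H maps n-bit values
to n-bit values (SHA-256 truncated to n bits, an assumption) so that it can
be iterated on its own output.  Every value x_0 .. x_{mu+lam-1} is distinct
and x_{mu+lam} = x_mu is the first repeat, hence x_{mu-1} and x_{mu+lam-1}
are a collision.  Memory is O(1) instead of the O(2**(n/2)) table of a naive
birthday search, at the price of about three times as many evaluations.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def step(x: int, n_bits: int) -> int:
    """The iterated map H: an n-bit integer -> SHA-256 of it, truncated to n bits."""
    digest = hashlib.sha256(x.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


@dataclass
class Collision:
    x0: int           # x_{mu-1}: last value on the tail
    x1: int           # a cycle value with the same image as x0
    image: int        # x_mu = H(x0) = H(x1)
    evaluations: int  # total calls to H


def rho_collision(n_bits: int, start: int) -> Optional[Collision]:
    """Floyd's algorithm on x_0 = start, x_{i+1} = H(x_i).

    Returns None when `start` already lies on the cycle (mu == 0): then the
    first repeat is x_lam = x_0 itself and no two *distinct* inputs share an
    image, so the caller must retry from another start value.
    """
    H = lambda v: step(v, n_bits)
    # Phase 1: tortoise moves one step, hare two; after i rounds they hold
    # x_i and x_{2i}, and first coincide at some x_m inside the cycle with
    # m a multiple of lam and m >= mu.
    tortoise, hare = H(start), H(H(start))
    evaluations = 3
    while tortoise != hare:
        tortoise, hare = H(tortoise), H(H(hare))
        evaluations += 3
    # Phase 2: walk one pointer from x_0 and the other from x_m in lockstep.
    # Because m is a multiple of lam they first coincide at x_mu.  The values
    # they held just before that step are x_{mu-1} (on the tail) and
    # x_{m+mu-1} (on the cycle): distinct inputs with the same image x_mu.
    a, b = start, tortoise
    if a == b:
        return None
    prev_a = prev_b = None
    while a != b:
        prev_a, prev_b = a, b
        a, b = H(a), H(b)
        evaluations += 2
    return Collision(prev_a, prev_b, a, evaluations)


def find_collision(n_bits: int, start: int = 0) -> Collision:
    """Retry rho_collision from successive start values until the tail is non-empty."""
    while True:
        result = rho_collision(n_bits, start)
        if result is not None:
            return result
        start += 1


if __name__ == "__main__":
    c = find_collision(32)
    print(f"H({c.x0:#x}) == H({c.x1:#x}) == {c.image:#x} "
          f"after {c.evaluations} evaluations")
```

The expected tail and cycle lengths are each about $\sqrt{\pi\,2^n/8}$, so the two phases together cost a small constant times $2^{n/2}$ evaluations: the same asymptotic work as a birthday table, but without the table, which is what makes the cycle useful.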
Guanyuming He
4 votes · 1 answer

PRF collision search for input smaller than output

Assume a given pseudo-random function $H:\{0,1\}^a\mapsto\{0,1\}^b$ with $b\in[104,256]$ and $b/263\%$. We are ready to perform $2^{b/2+1}$ evaluations of $H$ or slightly…
fgrieu
3 votes · 1 answer

How would a malicious group of co-signers use a hash collision to sign an unintended message?

According to BIP340: However, a major drawback of this optimization is that finding collisions in a short hash function is easy. This complicates the implementation of secure signing protocols in scenarios in which a group of mutually distrusting…
3 votes · 1 answer

Collision finding method

The "birthday paradox" places an upper bound on collision resistance: if a hash function produces $N$ bits of output, an attacker who computes only $2^{N/2}$ (...) hash operations on random input is likely to find two matching outputs. If there is…
3 votes · 5 answers

Hash function collision importance

Suppose a collision has been found in a certain hash function, such that $H(x_1) = H(x_2)$. However, $x_1$ and $x_2$ are both a seemingly 'random' collection of bits which do not convey a coherent message and cannot be interpreted in a coherent…
Arik
3 votes · 2 answers

How can an attacker find a collision of a keyed digest without knowing the key? Are collisions no longer an issue if we apply a keyed digest?

Same as the title. How can an attacker find a collision in a keyed digest without knowing the key? Does using a keyed digest eliminate the problem of collisions?
allexj
3 votes · 1 answer

Quickest way to find MD5 collision

I'm trying to find an MD5 hash collision between 2 numbers such that one is prime and the other is composite (at most 1024-bit). I'm using fastcoll with random prefixes for each iteration. For this I wrote this script: import subprocess from…
3 votes · 1 answer

How do the c-bits (capacity bits) make the sponge construction better?

I know that the message never directly changes those last c bits of the internal state (as seen in the image). And I also know that the capacity bits make the sponge construction resistant against collision and preimage attacks. How do the c-bits…
3 votes · 0 answers

Is WPA2 collision-proof?

I was experimenting with hashcat and aircrack to test WiFi security. The WiFi AP is a WPA2 encrypted network. The tool I used to capture is bettercap, which captured multiple WPA2 handshakes. The problem is that from those multiple handshakes I get…
2 votes · 1 answer

Understanding Hash collisions - why bad?

I read a few answers about the question: why are hash collisions so dangerous? But did not get a really satisfying answer. Assume we are the first people who found a SHA256 collision, like sha256($§"%fa7asd8ft6sds) = sha256(889=?`/&&%"HSF) (this is…
2 votes · 2 answers

Is there collision in encryption like in hash functions?

In hash functions, $h(m) = h(m_1)$ is called a collision, and it is very undesirable that such pairs be feasible to find, as this undermines hash security. However, is there an essentially analogous concern in encryption like block ciphers (AES-256) or RSA? If there…
nimrodel
2 votes · 1 answer

Finding $k$ strings $M_i$ such the XOR of the $k$ hashes $H(i,M_i)$ is zero

Let $k\ge2$ be a moderate given constant, and $H:[0,k)\times\{0,1\}^*\to\{0,1\}^b$ be a $b$-bit given hash function assimilated to a random oracle. For example $H(i,M)=\operatorname{SHAKE256}((\underline i\mathbin\|M),b)$ where $\underline i$ is $i$…
fgrieu