Is there a way to generate n strings with the same MD5 hash?
1 Answer
MD5 is a Merkle–Damgård hash, so it's vulnerable to the length extension attack.
That means there's a simple way to find multicollisions using any algorithm that can find collisions for an arbitrary IV:
- Find some collision $\operatorname{MD5}(a) = \operatorname{MD5}(b)$ using the normal IV.
- Find another collision $\operatorname{MD5}'(c) = \operatorname{MD5}'(d)$ using the output from the first step as IV.
- Combine them to valid messages that look like $a||c$, $a||d$, $b||c$ and $b||d$, except for the padding. This may require adding one more (equal) message block to get a valid padding and length.
- A relevant paper (to the second part of the answer) is Joux: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, in proceedings of CRYPTO 2004. That's related to length extension attack, but not exactly it; rather, an extension. Commented Sep 12, 2014 at 13:54
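
The chaining construction from the answer, generalized from 2 steps to k steps (2^k messages), as an added example that is not part of the original answer or comment. It assumes a toy Merkle–Damgård hash with a 24-bit chaining value (`compress`, `toy_hash`, `BLOCK`, `STATE` are all hypothetical names) so a plain birthday search can stand in for a real collision-finding algorithm; it does not find MD5 collisions.

```python
import hashlib
from itertools import product

BLOCK = 8   # toy block size in bytes (assumption, not MD5's 64)
STATE = 3   # toy chaining value of 24 bits so a birthday search is fast
IV0 = b"\x00" * STATE

def compress(iv: bytes, block: bytes) -> bytes:
    """Toy compression function: MD5(iv || block) truncated to STATE bytes."""
    return hashlib.md5(iv + block).digest()[:STATE]

def toy_hash(msg: bytes, iv: bytes = IV0) -> bytes:
    """Merkle-Damgard iteration with length padding appended."""
    pad = b"\x80" + b"\x00" * (-(len(msg) + 1) % BLOCK)
    padded = msg + pad + len(msg).to_bytes(BLOCK, "big")
    h = iv
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h

def find_block_collision(iv: bytes):
    """Birthday search: two distinct blocks with equal output under `iv`."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK, "big")
        out = compress(iv, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block
        counter += 1

def multicollision(k: int, iv: bytes = IV0):
    """Chain k collisions, each found from the previous chaining value."""
    pairs, h = [], iv
    for _ in range(k):
        a, b, h = find_block_collision(h)
        pairs.append((a, b))
    # Every choice of one block per step reaches the same chaining value.
    return [b"".join(choice) for choice in product(*pairs)]

if __name__ == "__main__":
    msgs = multicollision(3)
    print(len(msgs), "messages,", len({toy_hash(m) for m in msgs}), "digest")
```

Because all 2^k messages have the same block-aligned length, the padding blocks are identical and the collision survives finalization; the cost is k collision searches rather than one search per extra message.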