Paper 2012/040

Single-block collision attack on MD5

Marc Stevens


In 2010, Tao Xie and Dengguo Feng [ePrint 2010/643] constructed the first single-block collision for MD5 consisting of two 64-byte messages that have the same MD5 hash. Details of their attack, developed using what they call an evolutionary approach, has not been disclosed ``for security reasons''. Instead they have posted a challenge to the cryptology community to find a new different single-block collision attack for MD5. This paper answers that challenge by presenting a single-block collision attack based on other message differences together with an example colliding message pair. The attack is based on a new collision finding algorithm that exploits the low number of bitconditions in the first round. It uses a new way to choose message blocks that satisfy bitconditions up to step 22 and additionally uses three known tunnels to correct bitconditions up to step 25. The attack has an average runtime complexity equivalent to $2^{49.8}$ calls to MD5's compression function.


Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
marc @ marc-stevens nl
2012-01-29: revised
2012-01-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Marc Stevens},
      title = {Single-block collision attack on MD5},
      howpublished = {Cryptology ePrint Archive, Paper 2012/040},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.