4

For studying purposes it would be usefull to find out how many times can i compose a md5 function with itself without getting the same value.

This is a paralell/complementary approach to the salt, because this way the value gets harder to crack using brute force.

András Gyömrey
  • 1,770
  • 1
  • 15
  • 36
  • 1
    you mean something like `while(foo != md5(foo)) { foo = md5(foo) }`? While md5 is useless these days, I doubt it was ever so fundamentally broken that `foo == md5(foo)` would ever be true. – Marc B Sep 27 '13 at 19:01
  • That's mathematically impossible. MD5 relation set is finite. And as a result, you'll return more elements than existent in the relation. (16^32 values) There are many values, but that's exactly the point of my question: how many times can i do it? – András Gyömrey Sep 27 '13 at 19:06
  • Any other statistic/data/study (for sha1 for example) would be as useful. – András Gyömrey Sep 27 '13 at 19:07
  • 1
    Yes, the inputs are infinite. But once you start feeding the outputs back as inputs, you're instantly limiting yourself to 2^128 inputs, because that's all that md5 ever will output. A hash function which generates an output that's identical to itself as an input is useless. – Marc B Sep 27 '13 at 19:07
  • You have to take into account two things: 1. It doesn't matter how many inputs (infinite) it has, only matters the output which is finite. 2. Choose the composition function you want: md5, substr . md5, reverse . substr . md5. It doesn't matter. Each composition has a recursion limit. – András Gyömrey Sep 27 '13 at 19:09

1 Answers1

4

Seemingly infinite. However MD5 has been shown to not be collision resistant so at some point you will have a duplicate.

The following Ruby code will cyclicly apply the MD5 hashing algorithm until a duplicate has been detected, at which point it will print the number of cycles required to reach the duplication point. The original string is randomly generated from alphabetical characters.

require 'set'
require 'digest'

keys = Set.new

o = [('a'..'z'), ('A'..'Z')].map { |i| i.to_a }.flatten
string = (0...10).map{ o[rand(o.length)] }.join
count = 0

while !keys.include?(string) do
  count += 1
  puts count
  keys << string
  string = Digest::MD5.digest(string)
end

puts "#{count}"

This continues to run past 15mil cycles... I will update once a duplicate has been found.

Update: due to the limited resources of my machine I had to halt the above script after 75,933,338 cycles without a collision (the set had allocated ~8 GB in memory)

aren55555
  • 1,677
  • 1
  • 20
  • 34