Don't wanna knock Lenstra and de Weger, but what exactly is newsworthy here [0]? I mean, I understand the concept of chosen-prefix collisions, but hasn't that concept already been milked dry with this year's EUROCRYPT paper [1]? Didn't Lucks and Daum prove a very similar point (not chosen-prefix, but the malleability of PostScript) already 2 years ago [3]? Klima showed how to do concurrent collisions for MD5 and CRC32 for rpms in 2004 [3], people from the BSI [4] showed how to do it with other data formats.

OK, someone please wake me when there's the first (2nd) pre-image attack on MD5 or MD4 with practical complexity. I'll be all ears then.

-R

[0] http://www.win.tue.nl/hashclash/Nostradamus/
[1] http://www.springerlink.com/content/94157j22042l5064/
[2] http://www.cits.rub.de/MD5Collisions/
[3] http://cryptography.hyperlink.cz/2004/otherformats.html
[4] http://www.bsi.bund.de/english

(Reply) (Thread)

I don't disagree with you, even sha-1 has been considered dead for a while let alone md5; but I have to admit, for what I was interested in I just wanted some files that had a collision to test something else against, that's why I was happy.

Reference #3 in particular is of interest to me, but I'd rather have something of my own to verify in 20 seconds than read someone's claims of how easily it's done. And finally, someone provided that, I'm not sure if there was anything else novel other than use of ps3's or something (shrug).

(Reply) (Parent) (Thread)

The "md5" program in FreeBSD 7.0 is currently buggy, and returns the totally wrong hash sometimes. I haven't figure out why yet. "md5deep" and "diff" produce correct results on the same system.

(Reply) (Thread)