Bogus digital signatures, Re: OT: utility account transfer frauds
Matthew Astley
lists-ukcrypto at fruitcake.demon.co.uk
Fri, 11 Oct 2002 01:11:23 +0100
On Thu, Oct 10, 2002 at 10:23:49PM +0100, Peter Tomlinson wrote:
> David Howe wrote:
> > I am just waiting for this to fail, and fail badly in court. The
> > obvious defense is to prove (by example) that two documents, with
> > different content, can have the same digital signature
I'm told that someone suggested distributed.net should look for an
instance of a collision on MD5, by collecting values that, when hashed
repeatedly, give a result which has the top 32 bits clear.
I've looked at the relevant list archives but can't find a reference.
Anyway, it would appear that distributed.net is big enough[1] to
attack the 128-bit MD5, because the birthday paradox reduces it to an
approximately 64-bit problem.
Although a concrete example of a full hash collision might be handy
when it comes to court cases, it seems unlikely that one will be found
in time to influence the law.
It's all pointless anyway, because the real question is "how much do
you need to pay the cleaner, in order to get access to steal the
private key?".
> > - something the birthday attack is ideal for. This of course
> > leaves aside the problems of key theft and security generally.
> Have I missed something? Could someone explain the 'birthday
> attack'? (privately if I did miss something)
http://www.x5.net/faqs/crypto/q95.html is a slightly terse
description.
http://www.chipcenter.com/eexpert/jleiseboer/jleiseboer003.html is
more verbose.
Matthew #8-)
--
[1] Give or take a constant factor related to the speed of crunching
for the RC5 problem vs. the collision task
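Added example, not part of the post or of any distributed.net client: a scaled-down version of the distinguished-point search described above, run on MD5 truncated to 32 bits with "top 8 bits clear" as the distinguished property, together with the birthday bound that turns a 128-bit digest into roughly 2^64 work. The toy hash h, the walk/locate routines, the seed and the truncation sizes are all my own constructions chosen so it finishes in seconds.

```python
import hashlib
import math
import random

HASH_BITS = 32  # MD5 truncated to 32 bits so the search finishes in seconds
DP_BITS = 8     # a value is "distinguished" when its top 8 bits are clear

def birthday_bound(bits: int) -> float:   # expected evaluations before a collision
    return math.sqrt(math.pi / 2 * 2 ** bits)

def h(x: int) -> int:
    """Toy hash: MD5 of x as 4 big-endian bytes, keeping only the first 4 bytes."""
    return int.from_bytes(hashlib.md5(x.to_bytes(4, "big")).digest()[:4], "big")

def walk(start: int, limit: int = 20 << DP_BITS):
    """Iterate h from start until the top DP_BITS are clear: (dp, steps) or None."""
    v, n = start, 0
    while v >> (HASH_BITS - DP_BITS):
        v, n = h(v), n + 1
        if n > limit:       # trapped in a cycle that contains no distinguished point
            return None
    return v, n

def locate(a: int, la: int, b: int, lb: int):
    """Two walks of lengths la, lb ended at the same DP; find x != y, h(x) == h(y)."""
    if la > lb:
        a, la, b, lb = b, lb, a, la
    for _ in range(lb - la):    # bring the longer walk level with the shorter one
        b = h(b)
    if a == b:                  # one walk merely joined the other's path: no collision
        return None
    while h(a) != h(b):         # step in lockstep until the next values coincide
        a, b = h(a), h(b)
    return a, b

def find_collision(seed: int = 1):
    """Return ((x, y), hash_evaluations) with x != y and h(x) == h(y)."""
    rng, table, evals = random.Random(seed), {}, 0
    while True:
        start = rng.getrandbits(HASH_BITS)
        res = walk(start)
        if res is None:
            continue
        dp, n = res
        evals += n
        if dp not in table:     # first walk to reach this DP: remember it
            table[dp] = (start, n)
            continue
        pair = locate(*table[dp], start, n)
        if pair is not None:
            return pair, evals
```

A collision found this way is between two random 4-byte inputs, not between two documents with chosen contents, which is the gap between this search and the court-room demonstration discussed in the thread.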