PlayStation 3 predicts next US president

William Allen Simpson william.allen.simpson at
Sat Dec 1 21:09:07 EST 2007

James A. Donald wrote:
> This attack does not require the certifier to be
> compromised.
You are referring to a different page (that I did not reference).
Nevertheless, both attacks require the certifier to be compromised!

>  The attack was to generate a multitude of predictions
> for the US election, each of which has the same MD5
> hash.  If the certifier certifies any one of these
> predictions, the recipient can use the certificate for
> any one of these predictions.
That's a mighty big "if" -- as in infinite improbability.  Therefore, a
parlor trick, not cryptography.

There are no circumstances in which any reputable certifier will ever
certify any of the "multitude" containing a hidden PDF image, especially
where generated by another party.

The attack requires the certifier to be compromised, either to certify
documents that the certifier did not generate, or to include the chosen
text (hidden image) in its documents in exactly the correct location.

While there are plenty of chosen text attacks in cryptography, this one
is highly impractical.  The image is hidden.  It will not appear, and thus
would not be accidentally copied by somebody (cut-and-paste).

The parlor trick demonstrates a weakness of the PDF format, not MD5.

> This attack renders MD5 entirely worthless for any use
> other than as an error check like CRC - and CRC does it
> better and faster.
To be as weak as CRC, the strength would be 2**8.  I've seen no papers
that reduce MD5 complexity to 2**8.

Please present your proofs and actual vulnerabilities, including specific
examples of actual PPP CHAP compromised traffic -- and for extra credit,
actual compromise of NetBSD and/or OpenBSD software distribution.
