PlayStation 3 predicts next US president

Weger, B.M.M. de b.m.m.d.weger at
Sun Dec 2 03:16:33 EST 2007

Hi William,

> >  The attack was to generate a multitude of predictions for the US 
> > election, each of which has the same MD5 hash.  If the certifier 
> > certifies any one of these predictions, the recipient can use the 
> > certificate for any one of these predictions.
> > 
> That's a mighty big "if" -- as in infinite improbability.  
> Therefore, a parlor trick, not cryptography.

That's an "if" indeed, we say so on the website. How big it is, you
all form your own opinion.

> There are no circumstances in which any reputable certifier 
> will ever certify any of the "multitude" containing a hidden 
> pdf image, especially where generated by another party.

This I read as a definition of 'reputable'. 

> While there are plenty of chosen text attacks in 
> cryptography, this one is highly impractical.  The image is 
> hidden.  It will not appear, and thus would not be 
> accidentally copied by somebody (cut-and-paste).
> The parlor trick demonstrates a weakness of the pdf format, not MD5.

I disagree. We could just as easily have put the collision blocks
in visible images. We could just as easily have used MS Word
documents, or any document format in which there is some way
of putting a few random blocks somewhere nicely. We say so on
the website. We did show this hiding of collisions for other data
formats, such as X.509 certificates and for Win32 executables.

Our real work is chosen-prefix collisions combined with
multi-collisions. This is crypto, it has not been done before,
this is as far as we can get in MD5 cryptanalysis, and we think 
it's relevant. To sell it to the world we wrapped it up nicely.
You just throw away the wrapper. 

Benne de Weger
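
The scenario argued over in this message, as an added illustration that is not part of the original post or the authors' code: a Joux-style multicollision on a toy 16-bit Merkle-Damgard hash, showing that a certifier who authenticates only the digest of one variant has certified every variant. The toy hash, its sizes, the names `toy_hash` and `certify`, and the HMAC stand-in for a signature are assumptions; this is not the chosen-prefix MD5 technique itself.

```python
import hashlib
import hmac
import itertools

BLOCK = 4  # toy block size in bytes (assumption)
STATE = 2  # toy chaining value of 16 bits, so a collision takes a few hundred tries

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: MD5(state || block) truncated to 16 bits."""
    return hashlib.md5(state + block).digest()[:STATE]

def toy_hash(msg: bytes, iv: bytes = b"\x00\x00") -> bytes:
    """Merkle-Damgard iteration over fixed-size blocks (no padding, toy only)."""
    assert len(msg) % BLOCK == 0
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state

def block_collision(state: bytes):
    """Birthday search for two distinct blocks that map `state` to one next state."""
    seen = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block

def multicollision(t: int, iv: bytes = b"\x00\x00"):
    """Chain t block collisions: 2**t messages, all with the same digest."""
    pairs, state = [], iv
    for _ in range(t):
        a, b, state = block_collision(state)
        pairs.append((a, b))
    return [b"".join(choice) for choice in itertools.product(*pairs)]

def certify(key: bytes, msg: bytes) -> bytes:
    """Stand-in certifier: authenticates only the digest, as hash-then-sign does."""
    return hmac.new(key, toy_hash(msg), hashlib.sha256).digest()

def demo():
    key = b"constructed-demo-key"          # constructed sample key
    variants = multicollision(3)           # 2**3 = 8 distinct messages
    tag = certify(key, variants[0])        # the certifier sees one variant only
    accepted = [hmac.compare_digest(tag, certify(key, v)) for v in variants]
    return variants, accepted
```

Swapping the toy digest for a collision-resistant hash inside `certify` makes the tag for one variant fail on the others, which is the defensive point of retiring MD5 from signing.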
