PlayStation 3 predicts next US president

William Allen Simpson william.allen.simpson at
Sun Dec 2 11:51:24 EST 2007

Weger, B.M.M. de wrote:
>> The parlor trick demonstrates a weakness of the pdf format, not MD5.
> I disagree. We could just as easily have put the collision blocks
> in visible images.

Parlor trick.

> ... We could just as easily have used MS Word
> documents, or any document format in which there is some way
> of putting a few random blocks somewhere nicely.

Parlor trick.

> ... We say so on
> the website. We did show this hiding of collisions for other data
> formats, such as X.509 certificates

More interesting.  Where on your web site?  I've long abhorred the
X.509 format, and was a supporter of a more clean alternative.

> ... and for Win32 executables.

Parlor trick.

So far, all the things you mention require the certifier to be suborned.

> Our real work is chosen-prefix collisions combined with
> multi-collisions. This is crypto, it has not been done before,

Certainly it was done before!  We talked about it more than a decade ago.
We knew that what was "computationally infeasible" would become feasible.

Every protocol I've designed or formally reviewed is protected against the
chosen prefix attack.  (To qualify, where I had final say.  I've reviewed
badly designed protocols, such as IKE/ISAKMP.  And I've been overruled by
committee from time to time....)

What *would* be crypto is the quantification of where MDx currently falls
on the computational spectrum.
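Added example, not part of Simpson's post and not code from the de Weger/Stevens/Lenstra work: a toy model of what a chosen-prefix collision is, and of the difference between a signer that hashes exactly what it is handed and a protocol in which the signer contributes its own unpredictable bytes before anything is hashed. It assumes MD5 truncated to 24 bits as a stand-in for the real hash so that a plain birthday search finds the collision in well under a second; the function names, the two sample "contracts", and the nonces are all constructed for the illustration.

```python
import hashlib
from typing import Optional, Tuple

# Assumption of this example: MD5 truncated to 24 bits stands in for the real
# hash, so a generic birthday search suffices. Real chosen-prefix collisions on
# full MD5 need a dedicated cryptanalytic attack, which is what the thread is
# arguing about; the structure of the attack and the defence is the same.
HASH_BITS = 24


def toy_hash(data: bytes) -> int:
    """MD5 truncated to HASH_BITS, returned as an integer."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest[: HASH_BITS // 8], "big")


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes,
                            tries: int = 1 << 16) -> Optional[Tuple[bytes, bytes]]:
    """Return suffixes (s_a, s_b) with toy_hash(prefix_a + s_a) == toy_hash(prefix_b + s_b).

    This is the chosen-prefix setting: the attacker fixes BOTH meaningful
    prefixes first, then appends "random" blocks to each until the hashes
    meet. Here the blocks are a 4-byte counter; in the document-format
    demonstrations they are bytes hidden in an unused PDF object, image, etc.
    With 2**16 candidates per side and a 24-bit hash the expected number of
    matches is 256, so the search practically always succeeds.
    """
    seen = {}
    for i in range(tries):
        s_a = i.to_bytes(4, "big")
        seen.setdefault(toy_hash(prefix_a + s_a), s_a)   # keep the first suffix per hash
    for j in range(tries):
        s_b = j.to_bytes(4, "big")
        h = toy_hash(prefix_b + s_b)
        if h in seen:
            return seen[h], s_b
    return None


def naive_sign(doc: bytes) -> int:
    """A certifier that hashes exactly what it is handed.

    Whatever the attacker got the certifier to sign (doc_a) is, to this
    scheme, indistinguishable from its colliding twin (doc_b).
    """
    return toy_hash(doc)


def nonce_sign(doc: bytes, nonce: bytes) -> int:
    """A certifier that puts its own fresh, unpredictable bytes first.

    The attacker had to commit to both colliding documents before the nonce
    existed, so a collision of toy_hash(doc_a) == toy_hash(doc_b) says nothing
    about toy_hash(nonce + doc_a) versus toy_hash(nonce + doc_b). The fresh
    bytes must go in front: for a Merkle-Damgard hash such as full MD5, a
    collision of the internal state survives any common suffix.
    """
    return toy_hash(nonce + doc)


def demo() -> Tuple[bool, bool]:
    """Run the attack against both signers.

    Returns (naive_signer_fooled, nonce_signer_fooled). Constructed sample
    documents: the attacker gets the harmless one signed and presents the
    other one later.
    """
    good = b"Contract: pay ALICE 100 units.\n"
    evil = b"Contract: pay MALLORY 100000 units.\n"
    found = chosen_prefix_collision(good, evil)
    assert found is not None, "birthday search failed (astronomically unlikely)"
    s_a, s_b = found
    doc_a, doc_b = good + s_a, evil + s_b

    naive_fooled = naive_sign(doc_a) == naive_sign(doc_b)

    # Constructed nonce; in a real protocol this is the certifier's fresh
    # randomness (or a serial number it chooses unpredictably) per signature.
    nonce = b"\x13\x37\xc0\xff\xee\x00\x42\x99"
    nonce_fooled = nonce_sign(doc_a, nonce) == nonce_sign(doc_b, nonce)
    return naive_fooled, nonce_fooled


if __name__ == "__main__":
    naive_fooled, nonce_fooled = demo()
    print("naive signer fooled:", naive_fooled)
    print("nonce-first signer fooled:", nonce_fooled)
```

Both colliding documents carry the same meaningful prefix the attacker chose for each, plus a few trailing bytes a document viewer would ignore; the naive signer cannot tell them apart, while the nonce-first signer is unaffected even though the underlying hash is the same weak one. Note that a 24-bit toy leaves a 2^-24 chance that a given nonce still collides by accident; with a real digest length that residual probability is negligible.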

The Cryptography Mailing List