PlayStation 3 predicts next US president

William Allen Simpson william.allen.simpson at
Sun Dec 2 18:08:31 EST 2007

Weger, B.M.M. de wrote:
> See
> Our first chosen-prefix collision attack has complexity of about
> 2^50, as described in our EuroCrypt 2007 paper. This has been 
> considerably improved since then. In the full paper that is in
> preparation we'll give details of those improvements.
Much more interesting.  Looks like the death knell of X.509.  Why
didn't you say so earlier?

(It's a long known design flaw in X.509 that it doesn't provide
integrity for all its internal fields.)

Where are MD2, MD4, SHA1, and others on this continuum?

And based on the comments in the page above, the prefix is quite large!
Optimally, shouldn't it be <= the internal chaining variables?  512 bits
for MDx.  So, the attacks need two values for comparison: the complexity
versus the length of the chosen prefix.

Let me know when you get the chosen prefix down to 64 bits, so I can say
"I told you so" to Bellovin again.  I was strongly against adding the
"random" IV field to IPsec....
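A defensive check that follows from the thread (added here as an example; it is not code from the list post or from its authors): a standard-library Python DER walker that reads a certificate's outer signatureAlgorithm OID and flags the RSA signature schemes built on MD2, MD4, MD5 and SHA-1, the hashes the thread asks about. The two sample certificates at the bottom are constructed skeletons, not real certificates.

```python
WEAK_SIG_OIDS = {                                      # OID -> name, hashes with collision attacks
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
KNOWN_SIG_OIDS = {**WEAK_SIG_OIDS, "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                              # base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID of the outer signatureAlgorithm of a certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)                   # tbsCertificate, skipped
    tag, algid, _ = read_tlv(cert, pos)                # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(algid, 0)                   # algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected OID"
    return decode_oid(oid)

def check_cert(cert_der):
    """Return (algorithm name, is_collision_prone) for a DER certificate."""
    oid = signature_algorithm(cert_der)
    return KNOWN_SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS

def _tlv(tag, content):                                # short-form DER encoder
    return bytes([tag, len(content)]) + content

def _skeleton(oid_hex):                                # constructed, minimal cert shape
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))              # tbsCertificate with a dummy serial
    algid = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, tbs + algid + _tlv(0x03, b"\x00" * 5))

MD5_CERT = _skeleton("2a864886f70d010104")             # md5WithRSAEncryption
SHA256_CERT = _skeleton("2a864886f70d01010b")          # sha256WithRSAEncryption
```

On a real certificate, pass the DER bytes straight to check_cert; a PEM file must be base64-decoded between the BEGIN/END lines first.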

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
