PlayStation 3 predicts next US president

Dirk-Willem van Gulik dirkx at
Wed Dec 5 04:55:03 EST 2007

On Dec 3, 2007, at 2:47 PM, William Allen Simpson wrote:

> Dirk-Willem van Gulik wrote:

>> Keep in mind that the notary is still 'careful' -- effectively they  
>> sign the hash -- rather than the document; and state either such  
>> (e.g. in the case of some software/code where you do not hand over  
>> the actual code) or state that _a_ document was presented with said  
>> hash.
> And that makes all the difference.  The digital notary is not certifying
> the original document.  You described the notary generating its own tuples
> (credentials as presented, the hash, a timestamp, and a notarized
> declaration that such was presented).  There is no problem, and the
> described attack does not apply.

Not sure - let's take a similar example - the role of the Chamber of
Commerce in repetitive/renewal public tender/bid processes - who
essentially makes you use an RFC 3161 service to sign any MD5 (Well -
SHA1 is the actual default) for companies; typically a PDF or Word
document of a bid for the purpose of 'locking' in the date of
submission. And on unsealing day, which for tax reasons can be months
later, the govt. entity just checks the MD5s versus the RFC 3161
attest. (The reason for this time-stamping is threefold: a) make it
fair between entities regardless as to how good their postal system
is, b) 'date of postoffice' is a bit buyable in some places of the
world and c) some bid processes require the digital document to be
hand delivered on sealing day to alleviate the confidentiality burden
of the govt. of keeping the bids secure).

An in-house Mallory (at the bidder) may well want to tweak things a  
bit and make several doctored copies with different bid levels; and  
send in the one joint MD5 through the RFC3161 service.

And then depending on the information leaking/gossip of the industry -  
choose later than the others which one to 'really' submit. As its  
competitors, as is common in the industry, tend to get a lot less  
tight lipped once the deadline has passed.

What is new is that Mallory can generate several documents with the  
same MD5 with a few days of 'work'.

That endangers workflows where you assume that a party cannot
intentionally create more than one asset which has the same MD5.
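
The unsealing-day check described in the message above, as an added example that is not part of the original post. It assumes a simplified attest record (a plain dict with hypothetical field names, standing in for a parsed RFC 3161 token) and refuses an MD5 attest before comparing digests, because a matching MD5 no longer shows that only one document was sealed.

```python
import hashlib
import hmac
from typing import Tuple

# Digest algorithms under which one party can prepare several documents
# with the same value. MD5 is the case raised in the post; extending this
# set is a local policy decision.
COLLISION_PRONE = {"md5"}


def seal(document: bytes, algorithm: str, sealed_at: str) -> dict:
    """Build the simplified attest: algorithm, digest and sealing time.

    Hypothetical stand-in for the time-stamping service; a real token is
    signed ASN.1, which is out of scope here.
    """
    digest = hashlib.new(algorithm, document).hexdigest()
    return {"algorithm": algorithm, "digest": digest, "sealed_at": sealed_at}


def unseal(document: bytes, attest: dict) -> Tuple[bool, str]:
    """Decide whether a document presented at unsealing matches the attest."""
    algorithm = attest["algorithm"].lower()
    # Policy check first: under a collision-prone digest, a match would
    # not bind the bidder to a single document.
    if algorithm in COLLISION_PRONE:
        return False, algorithm + " attest does not bind to one document"
    recomputed = hashlib.new(algorithm, document).hexdigest()
    if not hmac.compare_digest(recomputed, attest["digest"].lower()):
        return False, "digest mismatch"
    return True, "document matches sealed digest"


if __name__ == "__main__":
    # Constructed sample bids, not real data.
    bid = b"constructed sample bid: 100000 EUR"
    other = b"constructed sample bid: 90000 EUR"
    attest = seal(bid, "sha256", "2007-12-05T00:00:00Z")
    print(unseal(bid, attest))
    print(unseal(other, attest))
    legacy = {"algorithm": "MD5", "digest": "0" * 32,
              "sealed_at": "2007-12-05T00:00:00Z"}
    print(unseal(bid, legacy))
```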


The Cryptography Mailing List