PlayStation 3 predicts next US president

James A. Donald jamesd at
Mon Dec 10 05:37:42 EST 2007

William Allen Simpson wrote:
 >>  > The notary would never sign a hash generated by
 >>  > somebody else.  Instead, the notary generates its
 >>  > own document (from its own tuples), and signs its
 >>  > own document, documenting that some other document
 >>  > was submitted by some person before some
 >>  > particular time.

James A. Donald:
 > > And how does it identify this "other document"?

William Allen Simpson wrote:
 > Sorry, obviously I incorrectly assumed that we're
 > talking to somebody skilled in the art....
 > Reminding you that several of us have told you that a
 > notary has the document in her possession; and binds
 > the document to a person; and that we have rather a
 > lot of experience in identifying documents (even for
 > simple things like email), such as the PGP digital
 > timestamping service.
 > Assuming,
 >   Dp := any electronic document submitted by some
 >         person, converted to its canonical form
 >   Cp := an electronic certificate irrefutably
 >         identifying the other person submitting
 >         the document
 >   Cn := certificate of the notary
 >   Tn := timestamp of the notary
 >   S() := signature of the notary
 >   S( MD5(Tn || Dp || Cp || Cn) ).

Assuming that the attacker knows or can guess Tn, and
that the canonical form allows images, then the attack
still works.

The attacker can create several documents, D1, D2, D3,
D4, D5, such that MD5(Tn || D1 || Cp || Cn) is equal to
MD5(Tn || D2 || Cp || Cn), which is equal to MD5(Tn ||
D3 || Cp || Cn), etc.

He then gets the notary to sign MD5(Tn || D1 || Cp ||
Cn), and then uses whichever of D1, D2, D3, D4, and D5
is convenient.
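The argument above hinges on two things: the signed hash is Merkle-Damgard (a collision in the chaining state after Tn || D survives any common suffix such as Cp || Cn) and the attacker can predict Tn. This added example, which is not code from the list or from either author, models the notary record S(H(Tn || Dp || Cp || Cn)) with a constructed 32-bit Merkle-Damgard toy hash in place of MD5 so that a collision can be found by a plain birthday search in seconds; the HMAC stand-in for S(), the key, the timestamps, certificates and documents are all constructed. It checks, from the verifier's side, that a signature over D1 validates D2, and that the same colliding pair no longer collides under a Tn the attacker could not predict.

```python
import hashlib, hmac, random, struct

BLOCK, STATE = 4, 4               # toy: 4-byte blocks, 32-bit chaining value
IV = b"\x00" * STATE
NOTARY_KEY = b"notary-demo-key"   # constructed; stands in for the notary's signing key

def absorb(state: bytes, data: bytes) -> bytes:
    """Merkle-Damgard chaining over block-aligned data: state = SHA-256(state || block)[:4]."""
    for i in range(0, len(data), BLOCK):
        state = hashlib.sha256(state + data[i:i + BLOCK]).digest()[:STATE]
    return state

def toy_hash(msg: bytes) -> bytes:
    """Toy MD-style hash standing in for MD5: length-strengthened padding, then chain."""
    padded = msg + b"\x80" + b"\x00" * ((-len(msg) - 5) % BLOCK) + struct.pack(">I", len(msg))
    return absorb(IV, padded)

def notary_digest(tn, dp, cp, cn):
    return toy_hash(tn + dp + cp + cn)        # H(Tn || Dp || Cp || Cn) from the thread

def notary_sign(tn, dp, cp, cn) -> bytes:
    """S() stand-in: HMAC under the notary key over the notary's own record."""
    return hmac.new(NOTARY_KEY, notary_digest(tn, dp, cp, cn), "sha256").digest()

def notary_verify(tn, dp, cp, cn, sig) -> bool:
    return hmac.compare_digest(notary_sign(tn, dp, cp, cn), sig)

def find_colliding_documents(tn: bytes, seed: int = 1):
    """Birthday search (about 2^16 tries on a 32-bit state) for two equal-length documents
    D1 != D2 whose chaining state after Tn || D agrees, given a known Tn. Any common suffix
    (Cp || Cn and the padding) then preserves the collision, the property the thread relies on."""
    rng, seen = random.Random(seed), {}
    start = absorb(IV, tn)                     # requires len(tn) % BLOCK == 0
    while True:
        doc = b"Pay " + rng.getrandbits(64).to_bytes(8, "big")   # constructed 12-byte "document"
        state = absorb(start, doc)
        if state in seen and seen[state] != doc:
            return seen[state], doc
        seen[state] = doc

# Constructed values: a guessable Tn (the thread's premise) and one the attacker did not predict.
TN_GUESSED, TN_OTHER = b"2007-12-10T05:37:42Z", b"2007-12-10T05:37:43Z"   # 20 bytes = 5 blocks
CP, CN = b"CERT:person:alice", b"CERT:notary:bob"

def run_demo() -> dict:
    d1, d2 = find_colliding_documents(TN_GUESSED)
    sig = notary_sign(TN_GUESSED, d1, CP, CN)  # the notary only ever signs its record over D1
    return {
        "documents_differ": d1 != d2,
        "d2_passes_with_d1_signature": notary_verify(TN_GUESSED, d2, CP, CN, sig),
        # Mitigation check: a prefix the attacker could not predict breaks the precomputed pair.
        "collision_survives_other_tn": notary_digest(TN_OTHER, d1, CP, CN) == notary_digest(TN_OTHER, d2, CP, CN),
    }

if __name__ == "__main__":
    print(run_demo())
```

With a 128-bit MD5 state the same search is far out of reach and the real work is the chosen-prefix collision construction; the toy only changes the cost, not the structure that lets one signature cover several documents.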
