[Cryptography] Is this a "relevant" attack against HMAC-MD5?

Natanael natanael.l at gmail.com
Mon May 25 16:52:14 EDT 2015


On 25 May 2015 22:21, "Dan Kaminsky" <dan at doxpara.com> wrote:
>
> http://crypto.stackexchange.com/questions/25584/is-hmac-md5-still-secure-for-commitment-or-other-common-uses
>
> I pretty much never see bit commitment protocols in the field, but
> somebody posted this and I don't know enough to know if it matters.

These are the really serious ones:

http://www.di.ens.fr/~fouque/pub/crypto07b.pdf
http://link.springer.com/chapter/10.1007%2F978-3-540-78967-3_14

Full key recovery (still computationally difficult, but now within
practical range for an entity like NSA).

And using HMAC-MD5 commitment for, say, multiparty protocols with key
derivation or other randomness would allow precomputation to bias the
output. For games it is a total break when used for something like a
coin flip. But as far as I know there are relatively few widely used
protocols that rely on commitment schemes that expect a fully honest
committer (Fawkes signatures, as an example, don't care *which* precomputed
message you publish, just that *only you* knew the committed value in
advance). But for those that do expect an honest committer, where 1
commitment hash = 1 committed message, don't use MD5.
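[Editor's note: added worked example, not part of the post above.] The
"1 commitment hash = 1 committed message" failure is easy to show concretely
with the published MD5 collision pair of Wang et al. (two distinct 128-byte
messages with the same MD5 digest under the standard IV; the bytes below are
that pair, embedded verbatim). The toy coin-flip protocol, the rule that the
committer's coin is the top bit of byte 19 (one of the six bytes where the two
messages differ), and all function names are my own hypothetical choices. The
demonstration targets an unkeyed MD5(m) commitment; against HMAC-MD5 where the
committer knows the key, the committer would instead need a collision computed
from the keyed inner chaining value, which published collision tools can
produce from an arbitrary prefix, but no such tool is run here. A SHA-256
commitment over a fresh random nonce is shown beside it as the binding
replacement.

```python
import hashlib
import secrets

# Constructed for this example: the published MD5 collision pair of Wang et al.
# Two distinct 128-byte messages with the same MD5 digest under the standard IV.
M0 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# --- The broken scheme: commit(m) = MD5(m), open by revealing m. ---

def md5_commit(m):
    return md5_hex(m)


def md5_open(commitment, m):
    return md5_hex(m) == commitment


def committer_bit(m):
    """Hypothetical encoding of the committer's coin: the top bit of byte 19.
    M0 and M1 differ by 0x80 at six byte positions, byte 19 among them, so the
    two colliding messages encode opposite coins."""
    return (m[19] >> 7) & 1


def rigged_coin_flip(verifier_bit, wanted):
    """Coin flip: the committer commits to a bit, the verifier then announces
    a bit, and the outcome is the XOR. A dishonest committer holding a
    collision pair commits once and, after seeing the verifier's bit, opens
    whichever message makes the outcome equal to `wanted`."""
    commitment = md5_commit(M0)  # published before verifier_bit is known
    for m in (M0, M1):           # chosen only after seeing verifier_bit
        if committer_bit(m) ^ verifier_bit == wanted:
            assert md5_open(commitment, m)  # verifier accepts either opening
            return committer_bit(m) ^ verifier_bit, m
    raise AssertionError("unreachable: the pair covers both coin values")


def rigging_always_works():
    """True if the cheating committer forces the outcome for every verifier bit."""
    return all(rigged_coin_flip(v, w)[0] == w for v in (0, 1) for w in (0, 1))


# --- A binding replacement: SHA-256 over a fresh 32-byte nonce and the message. ---

def sha256_commit(m):
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + m).hexdigest(), nonce


def sha256_open(commitment, nonce, m):
    return hashlib.sha256(nonce + m).hexdigest() == commitment


if __name__ == "__main__":
    print("MD5(M0) == MD5(M1):", md5_hex(M0) == md5_hex(M1), md5_hex(M0))
    print("rigged coin flip wins every time:", rigging_always_works())
    c, r = sha256_commit(M0)
    print("SHA-256 commitment to M0 opens as M1:", sha256_open(c, r, M1))
```

The nonce in the SHA-256 version is what gives hiding (the verifier cannot
brute-force a short message from the digest); binding comes from SHA-256's
collision resistance, which is exactly the property MD5 no longer has.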