> -----Original Message-----
> From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 07, 2001 5:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cryptology Questions
> 
> 
> Bernard Dautrevaux <[EMAIL PROTECTED]> writes:
> > It's even worse than that: Alice can agree with Bob to the original
> > contract, and have Bob sign it. THEN she has:
> >    - The contract itself (which can be used to generate the MD5 digest)
> >    - Bob's signed MD5 digest
> > 
> > Then applying the birthday attack she can fiddle with the "better-for-her"
> > contract till it generates the same MD5 digest. The mere fact the MD5 digest
> > is the same makes Bob's signature "match" this contract.
> You misunderstand the birthday attack, which involves creating
> two messages which have the same (previously unknown) digest.
> The birthday attack requires you to create the message pair
> upfront, before the signature occurs.
> 
> The attack you describe: creating a document with a SPECIFIC digest,
> is 2^n hard (where n is the length of the hash). (Assuming, of course,
> that no attack better than brute force is known for the digest
> in question).

Oh, yes; now I understand why this attack is O(N), when I expected such an
attack to be O(2^N), as an attack as I (mis)understood it effectively would be.

Thanks for the clarification,

        Bernard

--------------------------------------------
Bernard Dautrevaux
Microprocess Ingenierie
97 bis, rue de Colombes
92400 COURBEVOIE
FRANCE
Tel:    +33 (0) 1 47 68 80 80
Fax:    +33 (0) 1 47 88 97 85
e-mail: [EMAIL PROTECTED]
                [EMAIL PROTECTED]
-------------------------------------------- 
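Added example (not from this thread, and not OpenSSL code) that makes the two costs Eric contrasts concrete on a toy-sized digest: the leading `bits` bits of MD5 stand in for a full hash, and the counter-generated "contract variant" messages are constructed inputs. The birthday search fixes neither document before hashing and finishes after roughly 2^(bits/2) tries; the search Bernard described, where Bob's signed digest is already fixed, needs roughly 2^bits. Only the generic brute-force bounds are shown; the later structural attacks on MD5 that make real collisions far cheaper are outside this example.

```python
import hashlib
from itertools import count


def truncated_md5(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of MD5(msg) as an int: a toy digest so the
    searches below finish in well under a second."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)


def birthday_collision(bits: int):
    """Birthday attack: hash freshly generated candidate documents until two
    of them share a digest. Neither document is fixed in advance, which is
    why Alice must prepare the pair BEFORE Bob signs anything.
    Expected work ~ 2^(bits/2). Returns (doc_a, doc_b, tries)."""
    seen = {}  # digest -> first document that produced it
    for i in count():
        doc = b"contract variant %d" % i  # constructed candidate document
        d = truncated_md5(doc, bits)
        if d in seen:
            return seen[d], doc, i + 1
        seen[d] = doc


def second_preimage(signed_doc: bytes, bits: int):
    """The attack described in the quoted message: Bob already signed
    `signed_doc`, so the target digest is fixed, and Alice needs a DIFFERENT
    document with exactly that digest. With no attack better than brute
    force, expected work ~ 2^bits. Returns (forged_doc, tries)."""
    target = truncated_md5(signed_doc, bits)
    for i in count():
        doc = b"better-for-her contract %d" % i  # constructed candidate
        if doc != signed_doc and truncated_md5(doc, bits) == target:
            return doc, i + 1


if __name__ == "__main__":
    BITS = 16
    a, b, n_birthday = birthday_collision(BITS)
    forged, n_preimage = second_preimage(b"original contract", BITS)
    print(f"{BITS}-bit digest: collision after {n_birthday} tries "
          f"(~2^{BITS // 2}), second preimage after {n_preimage} tries "
          f"(~2^{BITS})")
```

Raising `BITS` by two roughly doubles the birthday count but quadruples the second-preimage count, which is the gap that separates the two attacks.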
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]