> -----Original Message-----
> From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 07, 2001 5:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cryptology Questions
>
>
> Bernard Dautrevaux <[EMAIL PROTECTED]> writes:
> > It's even worse than that: Alice can agree with Bob to the original
> > contract, and have Bob sign it. THEN she has:
> > - The contract itself (which can be used to generate the MD5 digest)
> > - Bob's signed MD5 digest
> >
> > Then applying the birthday attack she can fiddle with the "better-for-her"
> > contract till it generates the same MD5 digest. The mere fact that the MD5 digest
> > is the same makes Bob's signature "match" this contract.
> You misunderstand the birthday attack, which involves creating
> two messages which have the same (previously unknown) digest.
> The birthday attack requires you to create the message pair
> upfront, before the signature occurs.
>
> The attack you describe: creating a document with a SPECIFIC digest,
> is 2^n hard (where n is the length of the hash). (Assuming, of course,
> that no attack better than brute force is known for the digest
> in question).
Oh, yes; now I understand why this attack is O(N), when I expected such an attack to be O(2^N), as an attack as I (mis)understood it effectively is.

Thanks for the clarification,

Bernard

--------------------------------------------
Bernard Dautrevaux
Microprocess Ingenierie
97 bis, rue de Colombes
92400 COURBEVOIE
FRANCE
Tel: +33 (0) 1 47 68 80 80
Fax: +33 (0) 1 47 88 97 85
e-mail: [EMAIL PROTECTED]
        [EMAIL PROTECTED]
--------------------------------------------

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
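The distinction Eric draws above, as an added illustration that is not part of the thread: a collision search (attacker prepares both contracts before Bob signs) costs about 2^(n/2) trials, while matching a digest that already exists costs about 2^n. The example truncates MD5 to a small number of bits (an assumption made so the search finishes instantly) and counts trials for each search.

```python
import hashlib


def trunc_digest(msg: bytes, bits: int) -> int:
    """Toy hash: the first `bits` bits of MD5(msg), as an integer."""
    h = int.from_bytes(hashlib.md5(msg).digest(), "big")
    return h >> (128 - bits)


def birthday_collision(bits: int, prefix: bytes = b"contract#"):
    """Collision attack (the real 'birthday attack').

    The attacker chooses BOTH documents before any signature exists.
    Every new digest is compared against all earlier ones, so a repeat
    is expected after roughly 2^(bits/2) trials.
    Returns (message_a, message_b, trials).
    """
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        d = trunc_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
        i += 1


def preimage_search(target: int, bits: int, budget: int,
                    prefix: bytes = b"better-for-alice#"):
    """Second-preimage attempt: hit a digest that is already fixed
    (Bob has signed it). No table of earlier digests helps here; each
    trial succeeds with probability 2^-bits, so roughly 2^bits trials
    are expected. Returns (message_or_None, trials).
    """
    for i in range(budget):
        msg = prefix + str(i).encode()
        if trunc_digest(msg, bits) == target:
            return msg, i + 1
    return None, budget


if __name__ == "__main__":
    BITS = 16  # constructed toy size; a real digest would be 128 bits or more
    a, b, n_coll = birthday_collision(BITS)
    print(f"collision after {n_coll} trials (expected ~ 2^{BITS / 2:.0f} = {2 ** (BITS // 2)})")
    signed = trunc_digest(b"original contract Bob signed", BITS)
    m, n_pre = preimage_search(signed, BITS, budget=2 ** (BITS + 4))
    print(f"second preimage after {n_pre} trials (expected ~ 2^{BITS} = {2 ** BITS})")
```

Raising BITS by two roughly doubles the collision cost but quadruples the preimage cost, which is the gap the thread is about.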