## On the possibility of constructing meaningful hash collisions for public keys (2005)

Citations: 25 - 4 self

### BibTeX

@MISC{Lenstra05onthe,

author = {Arjen Lenstra and Benne De Weger},

title = {On the possibility of constructing meaningful hash collisions for public keys},

year = {2005}

}

### Citations

46 | Formal Aspects of Mobile Code Security - Dean - 1999 |

40 | Preimages on n-Bit Hash Functions for Much Less than 2^n Work, EUROCRYPT - Kelsey, Schneier, et al. - 2005 |

38 | Generating ElGamal signatures without knowing the secret key, Eurocrypt 96. Note that the version in the proceedings has an error. A revised version is available at the time of writing from /ElGamal.ps> - Bleichenbacher - 1993 |
Citation Context: ...uction method is not specified, since it may have been concocted to collide, for some exponents, with a ‘standard’ or otherwise prescribed generator. This has been known for a long time, cf. [10] and [1], and, according to [19], this issue came up in the P1363 standards group from time to time. Nevertheless it still seems to escape the attention of many implementors and practitioners. Remark on actua...

32 | On the number of positive integers ≤ x and free of prime factors - Bruijn - 1966 |

27 | How to Break MD5 - Wang, Yu |
Citation Context: ... argument follows the lines of the security argument presented earlier in this section. We do not elaborate. Remark. Given the restrictions of the MD5-collisions as found by the methods from [14] and [15], our method does not allow us to target 1024-bit moduli that collide under MD5, only substantially larger ones. Asymptotically, with growing modulus size but fixed collision size, the prime factors i...

22 | Generating RSA Moduli with a Predetermined Portion - Lenstra - 1998 |
Citation Context: ...times longer than the smallest factor. Unbalanced moduli for instance occur in [13]. Our method combines the ideas mentioned in the introduction and earlier in this section with the construction from [6]. Algorithm to generate actually colliding hard to factor moduli. Let b1 and b2 be two bitstrings of equal bitlength B that collide under a Merkle-Damgård based hash function. Following [14], B could ...

18 | Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199 - Wang, Feng, et al. - 2004 |
Citation Context: ...-bit hash function can be constructed after an effort proportional to 2^(n/2) hash applications, no matter how good the hash function is. From the results presented at the Crypto 2004 rump session (cf. [14]), and since then described in more detail in [15], [16], [17], and [18], it follows that for many well known hash functions the effort required to find random collisions is considerably lower. Indeed...

18 | Colliding X.509 Certificates, Cryptology ePrint Archive - Lenstra, Wang, et al. |

15 | The full cost of cryptanalytic attacks - Wiener - 2004 |

13 | Practical Attacks on Digital Signatures Using MD5 Message Digest - Mikle - 2004 |
Citation Context: ...monly used arguments why such applications are not affected by the lack of random collision resistance. In this note we concentrate on applications in the area of public key cryptography, see [4] and [9] for interesting ideas about the application of hash collisions in other areas. A successful attack on an existing certificate requires second preimage resistance of one message: given a pre-specified...

13 | RSA for paranoids - Shamir - 1995 |
Citation Context: ...as hard to factor as regular RSA moduli but for which, in a typical application, the largest prime factor is about three times longer than the smallest factor. Unbalanced moduli for instance occur in [13]. Our method combines the ideas mentioned in the introduction and earlier in this section with the construction from [6]. Algorithm to generate actually colliding hard to factor moduli. Let b1 and b2 ...

11 | Circuits for integer factorization: a proposal, manuscript, 2001, available at http://cr.yp.to/papers.html - Bernstein |

7 | Unbelievable security - Lenstra |

5 | personal communication - COH, WIENER - 1963 |
Citation Context: ...ecified, since it may have been concocted to collide, for some exponents, with a ‘standard’ or otherwise prescribed generator. This has been known for a long time, cf. [10] and [1], and, according to [19], this issue came up in the P1363 standards group from time to time. Nevertheless it still seems to escape the attention of many implementors and practitioners. Remark on actually colliding powers of ...

4 | The Second-Preimage Attack on - Yu, Wang, et al. - 2005 |
Citation Context: ...n/2 hash applications, no matter how good the hash function is. From the results presented at the Crypto 2004 rump session (cf. [14]), and since then described in more detail in [15], [16], [17], and [18], it follows that for many well known hash functions the effort required to find random collisions is considerably lower. Indeed, in some cases the ease with which collisions can be found is disconcer...

2 | MD5 to be considered harmful someday, preprint - Kaminsky - 2004 |
Citation Context: ... the commonly used arguments why such applications are not affected by the lack of random collision resistance. In this note we concentrate on applications in the area of public key cryptography, see [4] and [9] for interesting ideas about the application of hash collisions in other areas. A successful attack on an existing certificate requires second preimage resistance of one message: given a pre-s...

2 | Contributions to the mailing list “cryptography@metzdowd.com”, December 22, 2004, available at http://diswww.mit.edu/bloom-picayune/crypto/16587 - Kelsey, Laurie |
Citation Context: ...lated to public keys. Also the Diffie-Hellman group size may be related to a random-looking large prime, which is a system parameter that could be hard-coded into a binary executable. As was shown in [5], given any hash collision it is trivial to construct a ‘real’ Diffie-Hellman prime and a ‘fake’ one that hash to the same value. One may ask whether the mathematical requirements that lie behind publ...

2 | An Attack on Hash Function HAVAL-128 - Wang, Feng, et al. |

1 | Alf swindles Ann, Cryptobytes 1(3 - Dobbertin - 1995 |
Citation Context: ... collisions do not suffice because the values to be hashed are meaningful (cf. [3] and [11]). Dobbertin’s cryptanalytic work on MD4 was so strong that meaningful collisions could be found easily, cf. [2]. The recent results of [14] seem not (yet) to have similar strength, so revisiting the concept of meaningfulness is of interest. A certificate, such as an X.509 or PGP certificate, is a highly struct...

1 | Twin RSA, submitted for publication - Lenstra, Weger - 2005 |
Citation Context: ...tes, one for encryption and the other for signature purposes, for the transmission cost of just one certificate plus the few positions where the RSA moduli differ (similar ideas will be worked out in [8]). Indeed, the CA may knowingly participate in this application and verify that Alice knows both factorizations. However, if that is not done and the CA is tricked into signing one of the keys without...

1 | What’s the Worst That Could Happen? presentation at the DIMACS Workshop on Cryptography: Theory Meets Practice, October 14–15, 2004, http://dimacs.rutgers.edu/Workshops/Practice/slides/rescorla.pdf - Rescorla |
Citation Context: ...both for RSA and for discrete logarithm systems. We explicitly restrict ourselves to known and secure private keys as the construction of unknown or non-secure private keys is hardly challenging (cf. [12]). Furthermore, using the appending trick, we show how we can generate actually colliding pairs consisting of proper public RSA keys. Combining this construction with the prepending idea, we show how ...

1 | How to Find Another Kind of Collision for MD4 Efficiently - Wang, Chen, et al. - 2004 |
Citation Context: ...onal to 2^(n/2) hash applications, no matter how good the hash function is. From the results presented at the Crypto 2004 rump session (cf. [14]), and since then described in more detail in [15], [16], [17], and [18], it follows that for many well known hash functions the effort required to find random collisions is considerably lower. Indeed, in some cases the ease with which collisions can be found is...

1 | Alf swindles - Dobbertin - 1995 |

1 | MD5 to be considered harmful someday, preprint, December 2004, http://www.doxpara.com/ md5 someday.pdf - Kaminsky |