
Re: computer-go: Authenticating the identity of a remote go-playing computer program



   From: Mika Kojo <mkojo@xxxxxxxxxxxxxxxxx>

   David Stafford wrote:
   >The 128-bit MD5 signature will match one in 2^128 messages.  That 
   >is a very low probability, for sure, but it doesn't uniquely 
   >represent one and only one message.

   David, recall birthday paradox: in a set of just 23 people there is
   probability > 1/2 that some have the same birthday. That is, in just
   2^64 messages you will observe collision of 128-bit strings with
   probability ~ 1/2.


Yes, this is exactly equivalent to the birthday paradox. The
protection we are looking for in the context of our discussion,
however, is not a birthday paradox issue. The characteristic we would
desire is that it should be incredibly difficult to produce a
"tampered with" version of a SPECIFIC program. So we are still talking
about 2^128, not 2^64.


   On the other hand, I believe that no actual collision for MD5 has ever
   been found or described in the (open) literature.

But they surely exist! I have written software that generates
hundreds or thousands of md5 signatures per day to perform useful
functions, and I think there must be businesses in every city of the world
producing millions or billions of these every day. Surely, some of
these collide! Finding them might take an enormous amount of effort,
however!


   The currently recommended (cryptographic) hash function SHA-1 has a
   160-bit hash digest. Finding a collision thus takes at most 2^80
   messages, but even this is not beyond all suspicion.

   Indeed, NIST has recently issued variants of SHA for 256, 384 and
   512-bit hash digests. These should be resistant to birthday paradox
   based collision attacks for the lifetime of this planet (assuming
   that there is no algorithmic weakness, and no major breakthrough in
   cryptanalysis).

   Scott Dossey <sdossey@xxxxxxxxxxxxxxxxx> writes:
   > First of all, I am using the phrase "MD5 digital signature", because the
   > word "checksum" isn't quite applicable to MD5, even though it is in common
   > parlance.  MD5 is what cryptographers call a one way hash, not a
   > checksum.  

   To me checksum sounds better than MD5 digital signature, as digital
   signatures imply public key cryptography. If the writer remembers to
   mention that the checksum must be collision resistant then I suspect
   there is no harm done.

I typically use the term checksum too, and I don't think it's wrong,
but "digital signature" is clearly more descriptive.

Don

   -- 
   Mika Kojo
   SSH Communications Security Corp
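The 2^64 versus 2^128 distinction in the exchange above, as an added illustration that is not part of the original thread: a birthday search finds some colliding pair after roughly 2^(n/2) hashes, while finding a different message that matches the digest of one specific program takes roughly 2^n attempts. MD5 is truncated to 16 bits so both searches finish in seconds; the message strings and the "gnugo-binary-v1" target are constructed for the demonstration.

```python
import hashlib
import math
from typing import Optional

def truncated_hash(data: bytes, bits: int) -> int:
    # Low `bits` bits of the MD5 digest; shrinking the space makes both searches feasible.
    return int.from_bytes(hashlib.md5(data).digest(), "big") & ((1 << bits) - 1)

def collision_probability(n: int, space: int) -> float:
    # Exact birthday probability that n samples from `space` values are not all distinct.
    p_distinct = 1.0
    for k in range(n):
        p_distinct *= (space - k) / space
    return 1.0 - p_distinct

def expected_birthday_attempts(bits: int) -> float:
    # Expected samples before any two collide: about sqrt(pi/2 * 2^bits), i.e. ~2^(bits/2).
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_any_collision(bits: int) -> tuple:
    # Birthday search: hash distinct constructed messages until ANY two share a digest.
    # Returns (attempts, first_message, second_message).
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1

def find_second_preimage(target: bytes, bits: int, limit: int) -> Optional[tuple]:
    # Targeted search: a different message matching the digest of ONE specific program.
    # Returns (attempts, message) or None if the budget runs out.
    want = truncated_hash(target, bits)
    for i in range(limit):
        msg = b"alt-%d" % i
        if msg != target and truncated_hash(msg, bits) == want:
            return i + 1, msg
    return None

if __name__ == "__main__":
    BITS = 16  # constructed: a toy digest size, not a real deployment parameter
    n, a, b = find_any_collision(BITS)
    print(f"some collision after {n} messages (expected ~{expected_birthday_attempts(BITS):.0f})")
    hit = find_second_preimage(b"gnugo-binary-v1", BITS, 1 << 20)
    print(f"second preimage of a fixed message after {hit[0] if hit else 'no'} attempts (expected ~{2 ** BITS})")
    print(f"23 people, 365 birthdays: P(shared) = {collision_probability(23, 365):.3f}")
```

Raising BITS makes the gap widen: the first search grows like 2^(BITS/2), the second like 2^BITS, which is why a 128-bit digest gives ~2^64 work to find any colliding pair but ~2^128 to forge a match for a chosen program.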