MD5 collisions?

Declan McCullagh declan at
Tue Aug 17 17:33:08 PDT 2004

The last eight messages I see on cypherpunks (sorted by date, threaded)
are forwards of messages from Perry's crypto list.

Perry's list is archived publicly on the web if anyone subscribing to
cypherpunks but not his list is interested in the discussion -- so let
me humbly suggest that it might be possible not to forward each message.

One is enough. Less is more. Let's eliminate redundancy, thus eliminating

-Declan "TCM" McCullagh

On Tue, Aug 17, 2004 at 03:09:58PM -0400, R. A. Hettinga wrote:
> --- begin forwarded text
> Delivered-To: cryptography at
> Date: Tue, 17 Aug 2004 11:10:58 -0400
> From: Thomas Harold <tgh at>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
> Gecko/20040616
> To: cryptography at
> Subject: Re: MD5 collisions?
> Sender: owner-cryptography at
> Eric Rescorla wrote:
> > Check out this ePrint paper, which claims to have collisions in
> > MD5, MD4, HAVAL, and full RIPEMD.
> >
> > The authors claim that the MD5 attack took an hour for the first
> > collision and 15 seconds to 5 minutes for subsequent attacks
> > with the same first 512 bits.
> I'll play the newbie and ask the question... how would this be used in a
> practical attack against MD5 (or the other hashing algorithms)?
> From my limited understanding, MD5 is usually used as a hash to detect
> tampering in a particular bitstream.  In which case, the attacker's goal
> would be to calculate how to change bits in the bitstream without
> changing the MD5 output.  (And hopefully without making the bitstream a
> different size.)  Is this where collisions come into play?
> Alternatively, hash functions can be used to store passwords (salt +
> plain text password => hash function => password file).  But I don't see
> where the attacker could use collisions for that.
> [Moderator's note:
>  You might want to read up on hash functions and their uses --
>  "detecting tampering" in the sense you mean isn't the main use of
>  hash functions these days though they are certainly employed in such
>  applications. Hash functions are a primitive used in all sorts of
>  places as part of MACs, as ways of enabling signature systems, as
>  elements of commitment protocols etc. The use in commitment protocols
>  is totally blown by the current results, btw.
>  For purposes of things like x.509 certificates, as message integrity
>  codes, etc., the current attacks don't provide an immediate way to
>  attack the system, but they make one worried about the health of the
>  algorithms -- probably sufficiently much to motivate quickly
>  abandoning them for ones that are not vulnerable to these attacks.
>  --Perry]
> --- end forwarded text
> -- 
> -----------------
> R. A. Hettinga <mailto: rah at>
> The Internet Bearer Underwriting Corporation <>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
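An added illustration of the moderator's remark that commitment protocols are "totally blown" by collision attacks (example code written for this archive page, not from the thread or the cited paper). It implements a hash-based commit/reveal scheme and shows that once a party can find two openings with the same digest, the commitment stops binding; since no real MD5 collision is reproduced here, the block assumes a deliberately truncated 24-bit MD5 as a stand-in for a broken hash, so a plain birthday search finds the collision offline.

```python
import hashlib
import os

# Added illustration, not code from the thread. commit(v) = H(nonce || v);
# binding rests on collision resistance. A deliberately truncated MD5
# (assumption: 24-bit toy hash) stands in for a broken function so a
# random birthday search finds a collision offline in a few thousand tries.
TRUNC_BYTES = 3

def weak_hash(data: bytes) -> bytes:
    """Toy broken hash: MD5 truncated to 24 bits."""
    return hashlib.md5(data).digest()[:TRUNC_BYTES]

def full_md5(data: bytes) -> bytes:
    """Full 128-bit MD5. Random search cannot collide it; the structured
    attack in the cited paper is what changes that."""
    return hashlib.md5(data).digest()

def commit(value: bytes, nonce: bytes, h=weak_hash) -> bytes:
    return h(nonce + b"|" + value)

def verify_opening(c: bytes, value: bytes, nonce: bytes, h=weak_hash) -> bool:
    return commit(value, nonce, h) == c

def find_equivocating_openings(v0, v1, h=weak_hash, max_tries=2_000_000):
    """Birthday search for nonces n0, n1 with h(n0|v0) == h(n1|v1).
    Holding such a pair, a committer can publish c and later open it as
    either v0 or v1, so the commitment no longer binds. Returns
    (c, n0, n1), or None if the budget runs out."""
    seen0, seen1 = {}, {}
    for _ in range(max_tries):
        n0, n1 = os.urandom(8), os.urandom(8)
        d0, d1 = commit(v0, n0, h), commit(v1, n1, h)
        if d0 in seen1:
            return d0, n0, seen1[d0]
        if d1 in seen0:
            return d1, seen0[d1], n1
        seen0.setdefault(d0, n0)
        seen1.setdefault(d1, n1)
    return None

def coin_flip_demo(bob_guess: bytes = b"heads"):
    """Dishonest committer: publish c, then open to whatever makes Bob lose."""
    c, n_heads, n_tails = find_equivocating_openings(b"heads", b"tails")
    opening = (b"tails", n_tails) if bob_guess == b"heads" else (b"heads", n_heads)
    return verify_opening(c, *opening), opening[0]
```

The same search run against full_md5 with a small budget returns None, which is the gap between a generic birthday bound and the structured attack the paper describes.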
