Bmm Benne de Weger

Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities

We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 250calls to the MD5 compression function, for any two chosen message prefixes Pand P?, suffixes Sand S? can be constructed such that the concatenated values P||Sand P?||S? collide under MD5. Although the practical attack potential of this construction of chosen-prefix collisionsis limited, it is of greater concern than random collisions for MD5. To illustrate the practicality of our method, we constructed two MD5 based X.509 certificates with identical signatures but different public keys anddifferent Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing chosen-prefix collisions. More details than can be included here can be found on www.win.tue.nl/hashclash/ChosenPrefixCollisions/ .

Optimal symmetric Tardos traitor tracing schemes

For the Tardos traitor tracing scheme, we show that by combining the symbol-symmetric accusation function of Škorić etxa0al. with the improved analysis of Blayer and Tassa we get further improvements. Our construction gives codes that are up to four times shorter than Blayer and Tassa’s, and up to two times shorter than the codes from Škorić etxa0al. Asymptotically, we achieve the theoretical optimal codelength for Tardos’ distribution function and the symmetric score function. For large coalitions, our codelengths are asymptotically about 4.93% of Tardos’ original codelengths, which also improves upon results from Nuida etxa0al.

Chosen-prefix collisions for MD5 and applications

We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of 2

Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing

Recently, it was shown that angular locality-sensitive hashing LSH can be used to significantly speed up lattice sieving, leading to a heuristic time complexity for solving the shortest vector problem SVP of

Modeling identity-related properties and their privacy strength

2^{0.337n + on}

Formal Modelling of (De)Pseudonymisation: A Case Study in Health Care Privacy

20.337n+on and space complexity

The Collatz conjecture and De Bruijn graphs

2^{0.208n + on}