Manoj Srivastava wrote:
On Mon, 31 Mar 2003 15:35:15 +0100,
Matthew Wilcox <[EMAIL PROTECTED]> said:
> I believe the method for choosing the hash that allows one to
> identify one's vote is flawed. Since all components of the string
> to be fed to md5sum are chosen by the secretary or known well in
> advance, it would be possible for a malicious secretary to stuff
> the ballot box. If it is possible for the secretary to choose two
> strings which hash to the same value, the secretary can replace one
> of the votes with a vote of their choosing. This is admittedly
> rather hard, but the secretary has an unlimited amount of time to
> work in to achieve this result.
If I could find a means of producing two strings (of the same size) that
hash to the same value in md5sum, I'd be too busy raking in money to
bother stuffing debian ballots.
If you voted, please take the rest of the year trying to come
up with another string that would hash to _your_ md5sum. If you can
come up with something even remotely reproducible, we'll have a major
math paper on our hands, and I'll happily change things around.
Speaking hypothetically, I'd like to point out that the FAQ on the
RSA.com web site about various hash algorithms, including MD5, cites a
1994 paper estimating that a machine built for brute-forcing MD5 hash
collisions could probably be made for US$10M out of 1994 technology and
1994 dollars that would find a hash collision in 24 days on average.
Moore's Law would suggest that such a machine would cost on the order of
US$150K.
Doing some quick orders-of-magnitude calculations, I can't see how they
would do it in that time-frame as "brute force", though.
manoj
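The attack Matthew describes and the cost figures traded above can be made concrete with a small added example. This is not the Debian vote code or anything from the thread: the receipt format "<ballot>:<vote>:<free text>", the ballot id, the vote labels and the free-text field are all constructed stand-ins for whatever string the real scheme fed to md5sum, chosen only to preserve the property at issue, namely that every part of the input is chosen by or known to the secretary. The collision search is the generic birthday attack (it uses no weakness in MD5 itself; the structural MD5 collision attacks published from 2004 on are a separate matter) and is run on a digest truncated to 24 bits so it finishes in well under a second; on the full 128-bit digest the same loop needs about 2^64 hashes, which is the number behind the 24-day and US$10M estimates. The helper functions at the end redo the thread's order-of-magnitude arithmetic.

```python
import hashlib
import math
from typing import Dict, Tuple

# Constructed receipt format; an assumption standing in for the real one.
# Every field is chosen by, or known in advance to, the secretary.


def receipt_string(s: str, digest_bits: int = 128) -> str:
    """MD5 of s, truncated to digest_bits (a multiple of 4) as hex.
    Truncation only exists to make the toy search feasible."""
    return hashlib.md5(s.encode()).hexdigest()[: digest_bits // 4]


def receipt(ballot_id: str, vote: str, note: str, digest_bits: int = 128) -> str:
    return receipt_string(f"{ballot_id}:{vote}:{note}", digest_bits)


def find_vote_collision(
    ballot_id: str,
    vote_a: str,
    vote_b: str,
    digest_bits: int = 24,
    max_tries: int = 1 << 20,
) -> Tuple[str, str, str, int]:
    """Generic birthday search for two receipt strings that carry
    *different* votes but the same (truncated) digest.  Only the free-text
    field is varied, which the scheme lets the secretary choose.  Two tables
    are kept, one per vote, so every hit pairs a vote_a string with a vote_b
    string (a collision between two strings with the same vote is useless
    for ballot stuffing).  Returns (string_a, string_b, digest, tries)."""
    seen: Dict[str, Dict[str, str]] = {vote_a: {}, vote_b: {}}
    for n in range(max_tries):
        vote, other = (vote_a, vote_b) if n % 2 == 0 else (vote_b, vote_a)
        s = f"{ballot_id}:{vote}:note{n}"   # constructed candidate
        d = receipt_string(s, digest_bits)
        if d in seen[other]:
            pair = {vote: s, other: seen[other][d]}
            return pair[vote_a], pair[vote_b], d, n + 1
        seen[vote].setdefault(d, s)
    raise RuntimeError("no collision within max_tries")


def expected_birthday_tries(digest_bits: int) -> float:
    """Mean number of random inputs hashed before the first collision in a
    digest_bits-wide hash: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** digest_bits)


def hash_rate_for_days(digest_bits: int, days: float) -> float:
    """Hashes per second needed to expect a collision within `days`."""
    return expected_birthday_tries(digest_bits) / (days * 86400)


def moore_scaled_cost(cost: float, years: float, doubling_months: float = 18.0) -> float:
    """Price of the same amount of compute `years` later, if price/performance
    halves every doubling_months (the rule of thumb used in the thread)."""
    return cost / 2 ** (years * 12 / doubling_months)


if __name__ == "__main__":
    a, b, d, tries = find_vote_collision("ballot-2003-1", "1", "2", digest_bits=24)
    print(f"{tries} hashes: {a!r} and {b!r} both give {d}")
    print(f"128-bit birthday bound: about {expected_birthday_tries(128):.3g} hashes")
    print(f"needed for 24 days: {hash_rate_for_days(128, 24):.3g} hashes/s")
    print(f"US$10M of 1994 compute in 2003: about US${moore_scaled_cost(10e6, 9):,.0f}")
```

Each voter's own check stays the same whatever the secretary does: recompute the receipt over the string you believe was yours and compare it to the published digest. The search above shows what that check does not cover: two published-looking strings with different votes and the same digest are indistinguishable by the digest alone, which is why a secretary who controls the whole input would need a collision, and why the cost of a collision, not of a second preimage, is the right thing to estimate.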