Re: SHA-1 rumors

2004-08-17 Thread John Black
No, it was on the compression function, but not in any sense reduced. But you had to start with particular values of the chaining variables, and in practice no-one knows how to do that, so MD5 (as a whole) isn't broken by this, at least until tomorrow evening. The rumour here is that MD5, HAVAL,

SHA-1 rumors

2004-08-16 Thread Eric Rescorla
Ed Felten's blog is carrying the rumor that a break in SHA-1 is going to be announced soon: http://www.freedom-to-tinker.com/archives/000661.html I've also done some off-the-cuff analysis of how bad this would be in practice, which you can find here:

Re: SHA-1 rumors

2004-08-16 Thread Matt Curtin
Eric Rescorla writes:
> P.S. AFAIK, although Dobbertin was able to find preimages for reduced MD4, there still isn't a complete break in MD4. Correct?

Dobbertin's work was on reduced MD5. I haven't heard anything about progress on that front for several years.

Re: SHA-1 rumors

2004-08-16 Thread Greg Rose
At 15:50 2004-08-16 -0400, Matt Curtin wrote:
> Eric Rescorla writes:
>> P.S. AFAIK, although Dobbertin was able to find preimages for reduced MD4, there still isn't a complete break in MD4. Correct?
>
> Dobbertin's work was on reduced MD5. I haven't heard anything about progress on

Re: SHA-1 rumors

2004-08-16 Thread Mads Rasmussen
Eric Rescorla wrote:
> P.S. AFAIK, although Dobbertin was able to find preimages for reduced MD4, there still isn't a complete break in MD4. Correct?

Dobbertin published a complete break of MD4 (namely, a breaking algorithm and some collisions found with it) in the Journal of Cryptology.

Mads