Optimal symmetric Tardos traitor tracing schemes
For the Tardos traitor tracing scheme, we show that combining the
symbol-symmetric accusation function of Skoric et al. with the improved
analysis of Blayer and Tassa yields further improvements. Our construction
gives codes that are up to 4 times shorter than Blayer and Tassa's, and up to 2
times shorter than the codes of Skoric et al. Asymptotically, we achieve the
theoretically optimal codelength for Tardos' distribution function and the
symmetric score function. For large coalitions, our codelengths are
asymptotically about 4.93% of Tardos' original codelengths, which also improves
upon results of Nuida et al.
Comment: 16 pages, 1 figure
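The abstract above is about the ingredients of a (symmetric) Tardos code: a bias p_i per column drawn from the arcsine distribution, codewords with bit j,i ~ Bernoulli(p_i), a per-column accusation score that rewards agreement with the pirate output for both symbols, and a threshold on the summed score. The following simulation is an added example by the editor, not code from the paper; it generates a code, lets three random users collude with a majority-vote attack, and accuses with the symmetric score. The threshold (a Gaussian tail bound with a union bound over users), the generous codelength m = 4000, the cutoff delta = 1/(300c), and the reading of the abstract's "4.93%" as pi^2/2 divided by Tardos' original constant 100 are the editor's assumptions and are labelled as such in the code.

```python
"""Symmetric Tardos fingerprinting code: generation, accusation, and a simulated
3-pirate collusion (added example; parameter choices are the editor's, not the paper's)."""
import math
import random


def arcsine_bias(rng, delta):
    """Draw one column bias p from Tardos' distribution: density proportional to
    1/sqrt(p(1-p)) on the cutoff interval [delta, 1-delta] (p = sin^2(r), r uniform)."""
    t = math.asin(math.sqrt(delta))
    return math.sin(rng.uniform(t, math.pi / 2 - t)) ** 2


def generate_code(n_users, m, rng, delta):
    """Biases p[i] and codewords X[j][i] ~ Bernoulli(p[i]), independent per user and column."""
    p = [arcsine_bias(rng, delta) for _ in range(m)]
    X = [[1 if rng.random() < pi else 0 for pi in p] for _ in range(n_users)]
    return p, X


def symmetric_score(x, y, p):
    """Symbol-symmetric (Skoric et al.) per-column score of a user holding bit x when the
    pirate output is y and the column bias is p.  Agreeing with y earns a positive score and
    disagreeing a negative one for both symbols, unlike Tardos' original function, which only
    scores the columns with y = 1."""
    if y == 1:
        return math.sqrt((1 - p) / p) if x == 1 else -math.sqrt(p / (1 - p))
    return math.sqrt(p / (1 - p)) if x == 0 else -math.sqrt((1 - p) / p)


def accuse(X, y, p, threshold):
    """Sum per-column scores for every user; accuse those above the threshold."""
    scores = [sum(symmetric_score(xj, yi, pi) for xj, yi, pi in zip(row, y, p)) for row in X]
    return scores, {j for j, s in enumerate(scores) if s > threshold}


def majority_attack(X, coalition, rng):
    """Pirate strategy: output the coalition's majority bit in each column (ties at random).
    This satisfies the marking assumption: where all pirates hold the same bit, it is output."""
    c = len(coalition)
    y = []
    for i in range(len(X[0])):
        ones = sum(X[j][i] for j in coalition)
        y.append(rng.randint(0, 1) if 2 * ones == c else (1 if 2 * ones > c else 0))
    return y


def respects_marking(X, coalition, y):
    """True iff y equals the coalition's common bit in every undetectable column."""
    for i, yi in enumerate(y):
        bits = {X[j][i] for j in coalition}
        if len(bits) == 1 and yi not in bits:
            return False
    return True


def gaussian_threshold(m, n_users, eps):
    """Editor's heuristic threshold: an innocent's score is a sum of m independent zero-mean,
    unit-variance terms, so P[score > Z] ~ exp(-Z^2 / 2m); a union bound over n users gives
    total false-accusation probability eps at Z = sqrt(2 m ln(n/eps)).  Not the paper's bound."""
    return math.sqrt(2 * m * math.log(n_users / eps))


def tardos_codelength(c, n_users, eps):
    """Tardos' original choice, m = 100 c^2 ln(n/eps)."""
    return math.ceil(100 * c ** 2 * math.log(n_users / eps))


def asymptotic_optimal_codelength(c, n_users, eps):
    """Large-c asymptotic optimum for the arcsine distribution and symmetric score,
    m = (pi^2 / 2) c^2 ln(n/eps); pi^2/2 ~= 4.93 is, in the editor's reading, the constant
    behind the abstract's 'about 4.93%'.  Not valid for small c such as the simulation below."""
    return math.ceil((math.pi ** 2 / 2) * c ** 2 * math.log(n_users / eps))


def simulate(n_users=40, c=3, m=4000, eps=1e-3, seed=1):
    """Generate a code, let c random users collude with the majority attack, and accuse.
    m = 4000 is a generous hand-picked length for this small c (constructed demo parameters)."""
    rng = random.Random(seed)
    delta = 1 / (300 * c)                       # Tardos' cutoff for the bias distribution
    p, X = generate_code(n_users, m, rng, delta)
    coalition = set(rng.sample(range(n_users), c))
    y = majority_attack(X, sorted(coalition), rng)
    assert respects_marking(X, coalition, y)
    scores, accused = accuse(X, y, p, gaussian_threshold(m, n_users, eps))
    return coalition, accused, scores


if __name__ == "__main__":
    coalition, accused, scores = simulate()
    print("coalition:", sorted(coalition))
    print("accused:  ", sorted(accused))
    print("max innocent score: %.1f" % max(s for j, s in enumerate(scores) if j not in coalition))
```

Two properties worth checking by hand on the score function: an innocent user's expected per-column score is zero for either pirot output (p * sqrt((1-p)/p) - (1-p) * sqrt(p/(1-p)) = 0), so innocents' scores are a zero-mean random walk of variance m, while a pirate's bit is correlated with y and drifts upward; the ratio of the two codelength functions for large parameters comes out at about 0.0493.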
Chosen-Prefix Collisions for MD5 and Applications
We present a novel, automated way to find differential paths for MD5.
Its main application is in the construction of \emph{chosen-prefix collisions}.
We have shown how, at an approximate expected cost of
calls to the MD5 compression function, for any two chosen message
prefixes and , suffixes and can be constructed such that
the concatenated values and collide under MD5.
The practical attack potential of this construction
of chosen-prefix collisions is of greater concern
than the MD5 collisions that were published before. This is illustrated by
a pair of MD5-based X.509 certificates, one of which was signed by a
commercial Certification Authority (CA) as a legitimate website certificate,
while the other is a certificate for a rogue CA that is entirely
under our control (cf.\ \url{http://www.win.tue.nl/hashclash/rogue-ca/}).
Other examples, such as MD5-colliding executables, are presented as well.
More details can be found on
\url{http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/}
Dynamic Tardos traitor tracing schemes
We construct binary dynamic traitor tracing schemes, where the number of watermark bits needed to trace and disconnect any coalition of pirates is quadratic in the number of pirates, and logarithmic in the total number of users and the error probability. Our results improve upon results of Tassa, and our schemes have several other advantages, such as being able to generate all codewords in advance, a simple accusation method, and flexibility when the feedback from the pirate network is delayed.
Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate.
We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 2^49 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 2^16 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.
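Both MD5 abstracts above build on a birthdaying phase: after two different chosen prefixes have been processed, suffix blocks are searched on each side until the intermediate hash values come close enough for a differential path to bridge the remaining difference with near-collision blocks. The toy below is an added example by the editor, not the authors' hashclash code: it birthdays two constructed prefixes on a 32-bit truncation of the MD5 digest, which costs about 2^(32/2) = 2^16 hashes per side. Matching all 128 bits this way would cost about 2^64 hashes, far above the roughly 2^49 compression function calls the refined construction needs, which is exactly why the real attack birthdays only into a small difference space and closes it with differential paths rather than searching for a full collision. The prefixes and counter-valued suffixes are constructed inputs.

```python
"""Toy birthday search: for two different chosen prefixes, find suffixes whose MD5 digests
agree on the leading `bits` bits.  Added example illustrating the square-root cost of a
birthdaying phase; it is NOT the paper's chosen-prefix collision construction."""
import hashlib
import struct

# Constructed stand-ins for the two chosen prefixes (think of the to-be-signed parts of a
# legitimate website certificate and of a rogue CA certificate).
PREFIX_A = b"prefix A: legitimate website certificate (constructed)"
PREFIX_B = b"prefix B: rogue CA certificate (constructed)"


def truncated_md5(msg, bits):
    """Leading `bits` bits of MD5(msg) as an integer (bits = 128 gives the full digest)."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)


def birthday_suffixes(prefix_a, prefix_b, bits=32):
    """Return (suffix_a, suffix_b) such that truncated_md5(prefix_a + suffix_a, bits) equals
    truncated_md5(prefix_b + suffix_b, bits).  Each round hashes one 8-byte counter suffix on
    each side and checks it against the other side's table, so a match is expected after
    roughly 2^(bits/2) rounds (the birthday bound), with a table of that size per side."""
    seen_a = {}   # truncated digest -> suffix, for messages starting with prefix_a
    seen_b = {}   # same, for prefix_b
    counter = 0
    while True:
        suffix = struct.pack(">Q", counter)
        ha = truncated_md5(prefix_a + suffix, bits)
        hb = truncated_md5(prefix_b + suffix, bits)
        if ha == hb:                 # same-round match
            return suffix, suffix
        if ha in seen_b:             # A's new value hits an earlier B value
            return suffix, seen_b[ha]
        if hb in seen_a:             # B's new value hits an earlier A value
            return seen_a[hb], suffix
        seen_a[ha] = suffix
        seen_b[hb] = suffix
        counter += 1


def find_partial_collision(prefix_a, prefix_b, bits=32):
    """Full messages P||S and P'||S' whose MD5 digests share their first `bits` bits."""
    sa, sb = birthday_suffixes(prefix_a, prefix_b, bits)
    return prefix_a + sa, prefix_b + sb


if __name__ == "__main__":
    ma, mb = find_partial_collision(PREFIX_A, PREFIX_B, 32)
    print(hashlib.md5(ma).hexdigest())   # first 8 hex digits agree ...
    print(hashlib.md5(mb).hexdigest())   # ... the remaining 24 almost surely do not
```

Note the caveat that separates this toy from the certificate attack: a match on a truncated digest does not survive appending data, whereas a collision of the full MD5 state after P||S and P'||S' persists under any common suffix (the Merkle-Damgard structure), which is what lets the two certificates share everything after the colliding blocks while carrying different signed content in front of them.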