7 research outputs found

    Optimal symmetric Tardos traitor tracing schemes

    For the Tardos traitor tracing scheme, we show that by combining the symbol-symmetric accusation function of Skoric et al. with the improved analysis of Blayer and Tassa we get further improvements. Our construction gives codes that are up to 4 times shorter than Blayer and Tassa's, and up to 2 times shorter than the codes from Skoric et al. Asymptotically, we achieve the theoretical optimal codelength for Tardos' distribution function and the symmetric score function. For large coalitions, our codelengths are asymptotically about 4.93% of Tardos' original codelengths, which also improves upon results from Nuida et al. Comment: 16 pages, 1 figur

    Chosen-Prefix Collisions for MD5 and Applications

    We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of $2^{39}$ calls to the MD5 compression function, for any two chosen message prefixes $P$ and $P'$, suffixes $S$ and $S'$ can be constructed such that the concatenated values $P\|S$ and $P'\|S'$ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates, one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf. http://www.win.tue.nl/hashclash/rogue-ca/). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/

    Algorithms for diophantine equations

    No full text

    Dynamic Tardos traitor tracing schemes

    No full text
    We construct binary dynamic traitor tracing schemes, where the number of watermark bits needed to trace and disconnect any coalition of pirates is quadratic in the number of pirates, and logarithmic in the total number of users and the error probability. Our results improve upon results of Tassa, and our schemes have several other advantages, such as being able to generate all codewords in advance, a simple accusation method, and flexibility when the feedback from the pirate network is delayed.

    Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate.

    No full text
    Abstract. We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about $2^{49}$ MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about $2^{16}$ MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.