Skip to main content
Cryptography

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

8
  • $\begingroup$ With an array of $k$ quantum computers... you could find a single MD5 preimage in about $2^{64}/k$ time; is that true? I've looked for parallel versions of Grover's, and the best I could find is $2^{64}/\sqrt{k}$ time. Do you have a reference for an efficient parallelized version? $\endgroup$ Commented Jul 26, 2017 at 15:08
  • 1
    $\begingroup$ Nope! I misquoted the paper I cited. Fixed now. $\endgroup$ Commented Jul 26, 2017 at 15:12
  • $\begingroup$ Thanks for the reference; I had thought that was the case, now I have proof... $\endgroup$ Commented Jul 26, 2017 at 15:16
  • $\begingroup$ When it comes to breaking a hash algorithm, I wouldn't think that finding the original input is the goal. If, for example, a site is distributing an executable binary and publishes the size and an MD5 hash of the file, the attacker's goal wouldn't be to find the original input, but would rather be to create a malicious file of the same size that produces the same hash that they could trick users into downloading and executing. $\endgroup$ Commented Jul 27, 2017 at 7:00
  • $\begingroup$ @martin: That is certainly one application! The OP's question seemed to be about recovering what the original plaintexts were, so I focused on that goal. What you describe is similar to (a), except instead of learning what the original input was, we don't care and just fill it with garbage to match a target hash, like a Bitcoin block. $\endgroup$ Commented Jul 27, 2017 at 7:11