Return to Answer

You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole point of cryptographic hash algorithms.

The attack you're describing is a preimage attack: For a given hash, you're trying to find an input which results in the same hash. All modern hash algorithms are designed to make such attacks impractical. For example, in the case of SHA-256, the NIST assumes a preimage resistance of 256 bits. In other words, you would have to perform 2^256 operations to carry out this attack. This is absolutely hopeless. Even just finding two arbitrary (but different) messages which have the same SHA-256 hash (so a collision attack) would require 2^128 operations.

So unless there's a mathematical and/or technological breakthrough, the attack doesn't work.

However, some now-obsolete hash algorithms like MD5 are vulnerable to collision attacks, including chosen-prefix collisions which allow the attacker to find collisions for meaningful messages, not just gibberish data: They can set two arbitrary prefixes P and P' and then find suffixes S and S', so that MD5(P + S) and MD5(P' + S') are identical. In principle, this could be used for a different attack against a time stamping authority (TSA): The attacker has a document with the hash D, and they want to get a signed timestamp token for a past date T. If the token has the format document hash + timestamp + additional data, and if the hash algorithm h used by the TSA is vulnerable to chosen-prefix collision, then the attacker could construct two tokens M = D + T + S and M' = D + T' + S' with h(M) = h(M'). T' is some time in the future (chosen by the attacker), and S and S' are the attacker-constructed suffixes. At time T', the attacker obtains the signature for the token hash(D) + T' + S' from the TSA and then uses it as a signature for the different token hash(D) + T + S. This makes it seem like document D already existed at the past date T. The attack has several major limitations, though.

• The attacker has to know about the (chosen-prefix) collision vulnerability of the hash algorithm before the TSA phases out this algorithm
• Since the TSA doesn't have a record of actually having issued the backdated token, the attack becomes obvious if the TSA database and not just the signature is checked.
• For the attack to work, the attacker must be able to cram all necessarily data (including the suffix from the collision attack) into the specific token format used by the TSA.
• The attacker may need to hide the suffix, so that it won't stand out as suspicious unexplained data if the token is actually inspected by an expert witness.

You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole point of cryptographic hash algorithms.

The attack you're describing is a preimage attack: For a given hash, you're trying to find an input which results in the same hash. All modern hash algorithms are designed to make such attacks impractical. For example, in the case of SHA-256, the NIST assumes a preimage resistance of 256 bits. In other words, you would have to perform 2^256 operations to carry out this attack. This is absolutely hopeless. Even just finding two arbitrary (but different) messages which have the same SHA-256 hash (so a collision attack) would require 2^128 operations.

So unless there's a mathematical and/or technological breakthrough, the attack doesn't work.

However, some now-obsolete hash algorithms like MD5 are vulnerable to collision attacks, including chosen-prefix collisions which allow the attacker to find collisions for meaningful messages, not just gibberish data: They can set two arbitrary prefixes P and P' and then find suffixes S and S', so that MD5(P + S) and MD5(P' + S') are identical. In principle, this could be used for a different attack against a time stamping authority (TSA): The attacker has a document with the hash D, and they want to get a signed timestamp token for a past date T. If the token has the format document hash + timestamp + additional data, and if the hash algorithm h used by the TSA is vulnerable to chosen-prefix collision, then the attacker could construct two tokens M = D + T + S and M' = D + T' + S' with h(M) = h(M'). T' is some time in the future (chosen by the attacker), and S and S' are the attacker-constructed suffixes. At time T', the attacker obtains the signature for the token hash(D) + T' + S' from the TSA and then uses it as a signature for the different token hash(D) + T + S. This makes it seem like document D already existed at the past date T. The attack has several major limitations, though.

• The attacker has to know about the (chosen-prefix) collision vulnerability of the hash algorithm before the TSA phases out this algorithm
• Since the TSA doesn't have a record of actually having issued the backdated token, the attack becomes obvious if the TSA database and not just the signature is checked.
• For the attack to work, the attacker must be able to cram all necessarily data (including the suffix from the collision attack) into the specific token format used by the TSA.
• The attacker may need to hide the suffix, so that it won't stand out as suspicious unexplained data if the token is inspected by an expert witness.

You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole point of cryptographic hash algorithms.

The attack you're describing is a preimage attack: For a given hash, you're trying to find an input which results in the same hash. All modern hash algorithms are designed to make such attacks impractical. For example, in the case of SHA-256, the NIST assumes a preimage resistance of 256 bits. In other words, you would have to perform 2^256 operations to carry out this attack. This is absolutely hopeless. Even just finding two arbitrary (but different) messages which have the same SHA-256 hash (so a collision attack) would require 2^128 operations.

So unless there's a mathematical and/or technological breakthrough, the attack doesn't work.

Also note that additional work would be required to hide the “garbage data” used to carry out the attack. Real-world cases like the forged CA certificate created through a chosen-prefix attack on MD5 had clearly visible artifacts which would likely be noticed by an expert witness in court. Hiding those artifacts in an image would essentially require steganography.

You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole point of cryptographic hash algorithms.

The attack you're describing is a preimage attack: For a given hash, you're trying to find an input which results in the same hash. All modern hash algorithms are designed to make such attacks impractical. For example, in the case of SHA-256, the NIST assumes a preimage resistance of 256 bits. In other words, you would have to perform 2^256 operations to carry out this attack. This is absolutely hopeless. Even just finding two arbitrary (but different) messages which have the same SHA-256 hash (so a collision attack) would require 2^128 operations.

So unless there's a mathematical and/or technological breakthrough, the attack doesn't work.

However, some now-obsolete hash algorithms like MD5 are vulnerable to collision attacks, including chosen-prefix collisions which allow the attacker to find collisions for meaningful messages, not just gibberish data: They can set two arbitrary prefixes P and P' and then find suffixes S and S', so that MD5(P + S) and MD5(P' + S') are identical. In principle, this could be used for a different attack against a time stamping authority (TSA): The attacker has a document with the hash D, and they want to get a signed timestamp token for a past date T. If the token has the format document hash + timestamp + additional data, and if the hash algorithm h used by the TSA is vulnerable to chosen-prefix collision, then the attacker could construct two tokens M = D + T + S and M' = D + T' + S' with h(M) = h(M'). T' is some time in the future (chosen by the attacker), and S and S' are the attacker-constructed suffixes. At time T', the attacker obtains the signature for the token hash(D) + T' + S' from the TSA and then uses it as a signature for the different token hash(D) + T + S. This makes it seem like document D already existed at the past date T. The attack has several major limitations, though.

• The attacker has to know about the (chosen-prefix) collision vulnerability of the hash algorithm before the TSA phases out this algorithm
• Since the TSA doesn't have a record of actually having issued the backdated token, the attack becomes obvious if the TSA database and not just the signature is checked.
• For the attack to work, the attacker must be able to cram all necessarily data (including the suffix from the collision attack) into the specific token format used by the TSA.
• The attacker may need to hide the suffix, so that it won't stand out as suspicious unexplained data if the token is actually inspected by an expert witness.

You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole point of cryptographic hash algorithms.

The attack you're describing is a preimage attack: For a given hash, you're trying to find an input which results in the same hash. All modern hash algorithms are designed to make such attacks impractical. For example, in the case of SHA-256, the NIST assumes a preimage resistance of 256 bits. In other words, you would have to perform 2^256 operations to carry out this attack. This is absolutely hopeless. Even just finding two arbitrary (but different) messages which have the same SHA-256 hash (so a collision attack) would require 2^128 operations.

So unless there's a mathematical and/or technological breakthrough, the attack doesn't work. It's also unlikely that an expert witness in court would accept a document with lots of unexplained data.

You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole point of cryptographic hash algorithms.

The attack you're describing is a preimage attack: For a given hash, you're trying to find an input which results in the same hash. All modern hash algorithms are designed to make such attacks impractical. For example, in the case of SHA-256, the NIST assumes a preimage resistance of 256 bits. In other words, you would have to perform 2^256 operations to carry out this attack. This is absolutely hopeless. Even just finding two arbitrary (but different) messages which have the same SHA-256 hash (so a collision attack) would require 2^128 operations.

So unless there's a mathematical and/or technological breakthrough, the attack doesn't work.

Also note that additional work would be required to hide the “garbage data” used to carry out the attack. Real-world cases like the forged CA certificate created through a chosen-prefix attack on MD5 had clearly visible artifacts which would likely be noticed by an expert witness in court. Hiding those artifacts in an image would essentially require steganography.