It is sometimes argued (as in [6]) that finding meaningful hash collisions might prove difficult. We show that at least one of the arguments involved is wrong, by showing that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed in [22]. We present some simple results, investigate what we can and cannot (yet) achieve, and formulate some open problems of independent interest. At this point we are not yet aware of truly interesting practical implications. Nevertheless, our results may be relevant for the practical assessment of the recent hash collision results in [22]. For instance, we show how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys. Thus hash collisions indeed undermine one of the principles underlying Public Key Infrastructures.
Arjen K. Lenstra, Benne de Weger