Subject: Re: FUD about CGD and GBDE
To: David Schultz <das@CSAIL.MIT.EDU>
From: Colin Percival <>
List: tech-security
Date: 03/07/2005 05:06:44
David Schultz wrote:
>     As a
>     rather extreme example, suppose that it was discovered that on
>     random input, an MD5 output only has 70 bits of entropy.  Then
>     it might be relatively easy for an adversary to recover sector
>     keys without knowing the master key.  (Granted, this would
>     constitute a much stronger break in MD5 than is currently known.)

I'm not going to even touch the rest of this thread, but it is clear
that MD5 has at least 100 bits of entropy, simply based on the lack
of collisions resulting from hashing random data.  (If you generate
2^n hashes randomly without finding a collision, then the hash must
have at least ~~ 2n bits of entropy, and organized attempts to crack
MD5 generated at least 2^50 hashes before the algorithmic break was

Colin Percival
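The birthday-bound reasoning in the message (2^n collision-free hashes imply roughly 2n bits of output entropy) can be checked empirically on a scaled-down version of MD5. The following is an added example, not code from the original post or from Colin Percival: it truncates MD5 to a chosen number of bits so that collisions become cheap to find, counts how many hashes of distinct inputs it takes to hit the first collision, and compares that with the birthday expectation sqrt(pi/2 * 2^bits). Counter-derived inputs stand in for the "random data" of the message; the truncation to `bits` bits is an assumption made only to keep the experiment small.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """MD5 of `data`, keeping only the first `bits` bits (1 <= bits <= 128).

    Truncation is an assumption of this experiment: it turns MD5 into a
    toy hash with a 2^bits output space so collisions appear quickly.
    """
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def hashes_until_collision(bits: int, seed: int = 0) -> int:
    """Hash distinct counter-derived inputs until two truncated outputs
    coincide; return the number of hashes computed, including the colliding one."""
    seen = set()
    count = 0
    while True:
        count += 1
        h = truncated_md5(f"{seed}:{count}".encode(), bits)
        if h in seen:
            return count
        seen.add(h)


def birthday_expectation(bits: int) -> float:
    """Expected number of random draws from a space of size N = 2^bits
    before the first repeat, to leading order: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * 2.0 ** bits / 2.0)


def mean_hashes_until_collision(bits: int, trials: int) -> float:
    """Average the collision search over several independent trials
    (each trial uses a different seed so its inputs are distinct)."""
    total = sum(hashes_until_collision(bits, seed) for seed in range(trials))
    return total / trials


def entropy_lower_bound(hashes_without_collision: int) -> float:
    """The estimate from the message: if 2^n hashes were generated without a
    collision, the output has roughly 2n bits of entropy. Returns that 2n."""
    return 2.0 * math.log2(hashes_without_collision)


if __name__ == "__main__":
    for bits in (16, 20, 24):
        observed = mean_hashes_until_collision(bits, trials=10)
        print(f"{bits:2d}-bit truncated MD5: first collision after "
              f"~{observed:.0f} hashes (birthday expectation {birthday_expectation(bits):.0f})")
    # The figure used in the message: 2^50 collision-free hashes -> ~100 bits.
    print(f"2^50 collision-free hashes imply at least "
          f"~{entropy_lower_bound(2 ** 50):.0f} bits of entropy")
```

Running it shows the first collision arriving near 2^(bits/2) hashes for each truncation width, which is exactly the square-root relationship the message relies on: observing 2^50 collision-free outputs is evidence of roughly 100 bits of entropy, not of 128, because the birthday bound only certifies about twice the logarithm of the collision-free sample size.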