Marc Stevens
@realhashbreaker
Father^2. Cryptologist at CWI Amsterdam @cwinl. Likes theoretical and applied cryptanalysis a lot.
Amsterdam, Netherlands
marc-stevens.nl/research
Joined February 2017
  • Pinned
    Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Here is a 72-byte alphanum MD5 collision with 1-byte difference for fun: md5("TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak") = md5("TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak")
  • Marc Stevens
    @realhashbreaker
    Jul 3, 2020
    Replying to @SwiftOnSecurity
    I once used the cluster of 215 PlayStation 3s at EPFL, that was a lot of cheap computing power at the time. And unlike for other CPUs, assembly programming for SPUs was quite magical: exact clock cycle predictions just from code.
  • Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Replying to @realhashbreaker
    One potential use case: to discern websites that store unsalted md5 passwords. x.com/Kuggofficial/s…
  • Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Replying to @realhashbreaker
    This is the first md5 collision with only printable ascii that I know of. I have been asked before if this was possible, but I used to respond it's not practically doable.
  • Marc Stevens
    @realhashbreaker
    Jan 8, 2020
    I'm very proud and thankful to have won one of the RWC2020 Levchin prizes together with Xiaoyun Wang for our work on hash function cryptanalysis!! #realworldcrypto
  • Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Replying to @realhashbreaker
    It's an identical-prefix collision attack where you can pick your own allowed charset (say alphanum, base64, all printable). It also allows forcing some specific bytes (mainly 0-7 and 20-27) to some extent.
  • Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Replying to @real_redp
    Try echo -n, otherwise it appends a newline char that also goes into MD5.
  • Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Replying to @h4knet
    One machine with 40 cores and a lot of RAM in half a day.
  • Marc Stevens
    @realhashbreaker
    Mar 22, 2017
    GitHub now uses our SHA-1 collision detection code to protect repositories against SHA-1 collisions: github.com/blog/2338-sha-… Great!!
    github.blog
    SHA-1 collision detection on GitHub.com
    A few weeks ago, researchers announced SHAttered, the first collision of the SHA-1 hash function. Starting today, all SHA-1 computations on GitHub.com will detect and reject any Git content that…
  • Marc Stevens
    @realhashbreaker
    Mar 19, 2024
    Replying to @SoatokDhole
    The attack has a 1 byte difference of +4 in the 21st byte, but hAcKSMd5=>hEcKSMd5 is indeed no coincidence ;)
  • Marc Stevens
    @realhashbreaker
    Jan 7, 2020
    Seriously, stop using SHA-1! SHA-1 chosen-prefix collisions are now practically demonstrated. Beware of ALL possible collision exploits. E.g. see the amazing list of PoCs by @angealbertini.
    IACR
    @IACR_News
    Jan 7, 2020
    #ePrint SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust: G Leurent, T Peyrin ia.cr/2020/014
  • Marc Stevens
    @realhashbreaker
    Feb 26, 2017
    Commonly overlooked: our single expensive SHA-1 collision can be reused to craft many colliding file pairs by anyone for free.
  • Marc Stevens
    @realhashbreaker
    Jul 27, 2017
    Our SHA-1 collision won the 2017 Pwnie Award for best cryptographic attack!
    Elie Bursztein
    @elie
    Jul 27, 2017
    Shattered, our SHA-1 collision attack, won the #BlackHat best cryptographic attack award. @realhashbreaker
  • Marc Stevens
    @realhashbreaker
    Jul 3, 2020
    Replying to @SwiftOnSecurity
    Here are some more pictures: win.tue.nl/~bdeweger/PS3L…
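
Added example (not part of the posts above and not the author's code): a check of the pinned 72-byte pair that locates the differing byte, shows why a trailing newline changes the digest, and compares how a few password-storage schemes treat the two strings. The salt, the iteration count and the scheme list are constructed assumptions for illustration.

```python
import hashlib

# The two 72-byte strings from the pinned post, copied verbatim.
A = b"TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak"
B = b"TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def byte_diffs(a: bytes, b: bytes):
    """Return (zero-based offset, b[i] - a[i]) for every differing byte."""
    return [(i, y - x) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def newline_changes_digest(data: bytes) -> bool:
    """True if a trailing newline (plain echo) yields a different MD5 than
    the bare string (echo -n)."""
    return md5_hex(data + b"\n") != md5_hex(data)


# Constructed storage schemes for comparison (assumptions, not from the page).
# SALT is a constructed sample value; the iteration count is kept low so the
# demo runs quickly and is not a recommended setting.
SALT = b"constructed-sample-salt"
SCHEMES = {
    "unsalted md5(pw)": lambda pw: md5_hex(pw),
    "md5(salt || pw)": lambda pw: md5_hex(SALT + pw),
    "pbkdf2-hmac-sha256": lambda pw: hashlib.pbkdf2_hmac(
        "sha256", pw, SALT, 1000).hex(),
}


def schemes_accepting_both(a: bytes, b: bytes):
    """Names of schemes whose stored verifier is identical for a and b."""
    return [name for name, h in SCHEMES.items() if h(a) == h(b)]


if __name__ == "__main__":
    print("lengths:", len(A), len(B))
    print("md5 equal:", md5_hex(A) == md5_hex(B))
    print("differing bytes (offset, delta):", byte_diffs(A, B))
    print("newline changes digest:", newline_changes_digest(A))
    print("schemes treating both as one password:", schemes_accepting_both(A, B))
```

A salt placed before the password shifts the colliding bytes to different block offsets, so only the unsalted scheme stores the same verifier for both strings.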