by Darkstryder 1359 days ago
I don’t understand how this is a pre-image attack, as the manifest file only references itself (and not the zip file) and you can fiddle with the manifest file to your liking. To me this is the same theoretical problem as this self-referencing PNG file.
How do you fiddle with the manifest without changing the MD5?
You do want to change the MD5 of the manifest. This is what makes it a collision attack instead of a preimage attack.
Change it to what? A specific pre-determined value? That's a preimage.
This is indeed a preimage attack if the manifest content (besides its own self-referenced hash) is fixed. However this is not the case in practice: to pull off this trick you could just append some random bytes at the end of the manifest, disguised as ASCII art or something like that. The manifest would still be human readable and correct, but this would become a collision attack.

Again, to me this is the exact same problem as this self-referential PNG file, which is a very cool trick but which can be (demonstrably) computed with limited compute resources.

Appending a suffix to try to meet a specific hash value is equivalent to preimage (and is not currently possible).
One last comment though: I didn’t realize you were the author of the post (great work!!). This makes me think you know your stuff, and you know something that I don’t and I need to think of all of that more carefully. So it is very probable you are right and I am wrong. Thanks for the discussion!
Again, the idea is not to find a specific hash value, but any $hash for which the property md5($manifest_content, $hash, $random_bytes) = $hash is true. You don’t need to match a specific hash value.

And you never answered how this manifest is somehow different than the self-referential PNG.

It seems we do not understand each other (unfortunately HN comments are not the best avenue for deep discussions) so this will be my last post on this thread as we both have better things to do than talking past each other.
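
The property discussed in this thread, md5($manifest_content, $hash, $random_bytes) = $hash, can be tried out by generic brute force on a shortened digest. The following is an added example, not code from any commenter or from the linked post; the 16-bit truncation, the manifest layout and all function names are assumptions made so it runs in seconds. It counts trials for a self-referencing digest and for a plain birthday collision, and it measures brute force only, not MD5-specific collision techniques.

```python
import hashlib

BITS = 16  # assumption: digest truncated to 16 bits so brute force finishes quickly
HEXLEN = BITS // 4

def tmd5(data: bytes) -> str:
    """MD5 of data, truncated to BITS bits, as lowercase hex."""
    return hashlib.md5(data).hexdigest()[:HEXLEN]

def build_manifest(content: bytes, claimed: str, filler: int) -> bytes:
    """Constructed layout: content, a self-hash line, then a filler comment."""
    return (content + b"self-md5: " + claimed.encode()
            + b"\n# filler " + str(filler).encode() + b"\n")

def find_self_reference(content: bytes, max_trials: int = 1 << 22):
    """Search for ANY claimed digest such that the manifest hashes to it.
    Both the claimed value and the filler vary; each trial still succeeds
    with probability 2**-BITS, so about 2**BITS trials are expected."""
    space = 1 << BITS
    for trial in range(max_trials):
        claimed = format(trial % space, "0%dx" % HEXLEN)
        manifest = build_manifest(content, claimed, trial // space)
        if tmd5(manifest) == claimed:
            return claimed, manifest, trial + 1
    return None

def find_collision(content: bytes, max_trials: int = 1 << 22):
    """Birthday search: any two manifests with different filler and equal
    truncated digest; about 2**(BITS/2) trials are expected."""
    seen = {}
    for trial in range(max_trials):
        manifest = build_manifest(content, "0" * HEXLEN, trial)
        digest = tmd5(manifest)
        if digest in seen:
            return seen[digest], manifest, trial + 1
        seen[digest] = manifest
    return None

if __name__ == "__main__":
    content = b"name: example.zip\nfiles: 3\n"  # constructed sample content
    claimed, manifest, n_fixed = find_self_reference(content)
    _, _, n_coll = find_collision(content)
    print("self-referencing digest %s after %d trials" % (claimed, n_fixed))
    print("birthday collision after %d trials" % n_coll)
```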