A few questions about md5 collision in production

Question

I'm in a game company, and we use md5 algorithm to do the charge order check.

Here is how we do it:

1. On both the Pay-center server and our game server there is a common "secret-key".

2. Pay-center send an add game coin request to our game server.
   In which there are many conventional parameters and a special parameter named "sign"

3. When we received a request on the game server, we use md5("all the conventional parameters" + "secret key") to produce a result.
   If the result is equal to "sign" parameter, we'll consider this charge order a valid one.

---

My question are:

If someone blindly using a random-generated "pseudo-secret-key" to doing md5 computation with all other parameters to produce a sign.
And by coincidence, he made a valid sign with one of his "pseudo-secret-key".

1. How many times does he need to try to produce a valid sign for each group of "conventional parameters"?

2. How many chances are there the pseudo-secret-key is identical to my original secret-key when it happens to produce a valid sign?

3. If the pseudo-secret-key is different with my original secret-key, is it nearly impossible to use the pseudo-key to produce a valid sign using another different combinations of conventional parameters?

Answer 1

The basic: md5 hash result is uniformly distributed. That's a chance of 1 out of 2^128.

1. You can't tell exactly how many attempts he will need. You may, however, calculate the chances of colition in t attempts : 1 - (1 - 1 / (2 ^ 128)) ^ t. For example, after 2^128 attempts he has a chance of about 1/3.
2. Depends on the range of your key.
3. Again, chances are 1/(2^128).