Those are pretty high probabilities. I presume you intended to type
2^-64 and 2^-80, but in the scenario you describe, the probability of
a pair of random inputs producing the same output, the probabilities are
2^-128 and 2^-160.

You can expect approximately one collision among 2^64 (resp. 2^80)
different inputs, because that many messages generate 2^128 (resp. 2^160)
pairs.

I'll disagree. What we have here is a large pool of outputs, this is the
birthday paradox case, this is where I got my numbers. I'll admit I gave
pessimistic numbers, but if 2^-80 is a pessimistically high probability it's
a good day.

(that is, if those hash functions
indeed exhibit the right properties --- at the very least, it makes
sense to make that assumption to simplify the reasoning)

It is expected that for the uniform distribution requirement for this, so
far I'm not aware of any research indicating that any of the MD5/SHA series
has any significantly low probability paths, and I certainly haven't found
any. With as much as these have been examined I would expect that such
differentials would be high priority.

Joe
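
The birthday arithmetic discussed in this message, as an added example that is not part of the original post: it computes the per-pair and whole-pool collision probabilities for an ideal n-bit hash and checks the square-root bound empirically. The 20-bit truncation of SHA-256, the function names and the trial count are assumptions chosen so the measurement runs in seconds.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an ideal n-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def collision_probability(k: int, bits: int) -> float:
    """P(at least one collision among k random inputs), birthday approximation
    1 - exp(-k(k-1) / 2^(bits+1)); expm1 keeps tiny probabilities accurate."""
    return -math.expm1(-(k * (k - 1)) / 2 ** (bits + 1))

def inputs_until_collision(bits: int, seed: int) -> int:
    """Hash distinct inputs until an output repeats; return how many were hashed."""
    seen = set()
    count = 0
    while True:
        h = truncated_hash(f"{seed}:{count}".encode(), bits)
        count += 1
        if h in seen:
            return count
        seen.add(h)

def mean_inputs_until_collision(bits: int, trials: int) -> float:
    """Average of inputs_until_collision over `trials` independent input streams."""
    return sum(inputs_until_collision(bits, s) for s in range(trials)) / trials

def expected_inputs(bits: int) -> float:
    """Expected inputs before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

if __name__ == "__main__":
    for bits in (128, 160):
        pair = collision_probability(2, bits)
        pool = collision_probability(2 ** (bits // 2), bits)
        print(f"{bits}-bit: one pair 2^{math.log2(pair):.0f}, "
              f"pool of 2^{bits // 2} inputs {pool:.3f}")
    print(f"20-bit truncation: measured {mean_inputs_until_collision(20, 200):.0f}, "
          f"predicted {expected_inputs(20):.0f}")
```

A single pair collides with probability 2^-n, while a pool of 2^(n/2) inputs already has a collision with probability of roughly 0.39, which is where the two sets of numbers in the thread come from.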

