Collisions and inversions for Damgård's whole hash function
Ivan Damgård gave a great theorem about hash functions in
Then he suggested, among other options, choosing a knapsack scheme for f. However, in  and  it was shown that it is possible to find collisions on f, and even to find a preimage for f, with an algebraic algorithm. Nevertheless, it was not shown how to find a collision or a preimage for h. (We call h Damgård's “whole” hash function.) Then, in  it was shown how to find a collision on h with the LLL algorithm.
Here we will show how to find a collision, and also how to find a preimage, for h with an algebraic algorithm. A quick comparison of the two techniques (LLL and algebraic) will be given.
For example, in about $2^{33}$ operations and $2^{24}$ storage it will be possible to find a collision for h. And with about $2^{48}$ operations and $2^{32}$ storage we will be able to find a preimage for h. (This is better than the previously known algorithm for a preimage given in  p. 202, which needs $2^{64}$ in time and $2^{32}$ in memory.) Then we will study how to construct from f two new candidate hash functions $H_1$ and $H_2$ by slightly modifying Damgård's scheme in order to make the search for collisions more difficult, and in order to have a theorem showing why it looks “more difficult”.
Keywords: Hash Function, Compression Factor, General Diagram, Cryptographic Hash Function, Algebraic Algorithm
- 1. P. Camion and J. Patarin, “The Knapsack Hash Function proposed at Crypto'89 can be broken”, Proceedings of Eurocrypt'91, pp. 39–53, Springer Verlag.
- 2. I. Damgård, “A Design Principle for Hash Functions”, Proceedings of Crypto'89, pp. 416–427, Springer Verlag.
- 3. A. Joux and L. Granboulan, “A practical attack against Knapsack based Hash Functions”, Proceedings of Eurocrypt'94.
- 4. J. Patarin, “How to find and avoid collisions for the Knapsack Hash Function”, Proceedings of Eurocrypt'93, pp. 305–317.
- 5. B. Preneel, “Analysis and Design of Cryptographic Hash Functions”, Katholieke Universiteit Leuven.
- 6. C.P. Schnorr, unpublished communication, 1991.