# Collisions and inversions for Damgård's whole hash function

## Abstract

Ivan Damgård gave a great theorem about hash functions in

Then, he suggested, among others, to choose for *f* a knapsack scheme. However, in [1] and [4] it was shown that it is possible to find collisions on *f*, and even to find a preimage for *f* with an algebraic algorithm. Nevertheless, it was not shown how to find collision, or a preimage for *h*. (We call *h* Damgård's “whole” Hash function). Then, in [3] it was shown how to find a collision on *h* with the LLL Algorithm.

Here we will show how to find collision, and also how to find a preimage for *h* with an algebraic algorithm. A quick comparison of the two techniques (LLL and Algebraic) will be given.

For example, in about 2^{33} operations and 2^{24} storage it will be possible to find a collision for *h*. And with about 2^{48} operations and 2^{32} storage we will be able to find a preimage for *h*. (This is better than the previously known algorithm for a preimage given in [5] p. 202 which needs 2^{64} in time and 2^{32} in memory). Then we will study how to construct from *f* two new candidate hash functions *H*1 and *H*2 by slightly modifying Damgård's scheme in order to make the search of collisions more difficult, and in order to have a theorem showing why it looks “more difficult”.

## Keywords

Hash Function Compression Factor General Diagram Cryptographic Hash Function Algebraic Algorithm## Preview

Unable to display preview. Download preview PDF.

## References

- 1.P. Camion and J. Patarin, “
*The Knapsack Hash Function proposed at Crypto'89 can be broken”*, Proceedings of Eurocrypt'91, pp. 39–53, Springer Verlag.Google Scholar - 2.I. Damgård, “
*A Design Principles for Hash Functions”*, Proceedings of Crypto'89, pp. 416–427, Springer Verlag.Google Scholar - 3.A. Joux and L. Granboulan, “
*A practical attack against Knapsack based Hash Functions”*, Proceedings of Eurocrypt'94.Google Scholar - 4.J. Patarin, “
*How to find and avoid collisions for the Knapsack Hash Function”*, Proceedings of Eurocrypt'93, pp. 305–317.Google Scholar - 5.B. Preneel, “
*Analysis and Design of Cryptographic Hash Functions”*, Katolieke Universiteit Leuven.Google Scholar - 6.C.P. Schnorr, unpublished communication, 1991.Google Scholar