ASIACRYPT 1994: Advances in Cryptology — ASIACRYPT'94 pp 305-321

# Collisions and inversions for Damgård's whole hash function

• Jacques Patarin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 917)

## Abstract

Ivan Damgård gave a great theorem about hash functions in

Then, he suggested, among others, to choose for f a knapsack scheme. However, in [1] and [4] it was shown that it is possible to find collisions on f, and even to find a preimage for f with an algebraic algorithm. Nevertheless, it was not shown how to find collision, or a preimage for h. (We call h Damgård's “whole” Hash function). Then, in [3] it was shown how to find a collision on h with the LLL Algorithm.

Here we will show how to find collision, and also how to find a preimage for h with an algebraic algorithm. A quick comparison of the two techniques (LLL and Algebraic) will be given.

For example, in about 233 operations and 224 storage it will be possible to find a collision for h. And with about 248 operations and 232 storage we will be able to find a preimage for h. (This is better than the previously known algorithm for a preimage given in [5] p. 202 which needs 264 in time and 232 in memory). Then we will study how to construct from f two new candidate hash functions H1 and H2 by slightly modifying Damgård's scheme in order to make the search of collisions more difficult, and in order to have a theorem showing why it looks “more difficult”.

## Keywords

Hash Function Compression Factor General Diagram Cryptographic Hash Function Algebraic Algorithm
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

## References

1. 1.
P. Camion and J. Patarin, “The Knapsack Hash Function proposed at Crypto'89 can be broken”, Proceedings of Eurocrypt'91, pp. 39–53, Springer Verlag.Google Scholar
2. 2.
I. Damgård, “A Design Principles for Hash Functions”, Proceedings of Crypto'89, pp. 416–427, Springer Verlag.Google Scholar
3. 3.
A. Joux and L. Granboulan, “A practical attack against Knapsack based Hash Functions”, Proceedings of Eurocrypt'94.Google Scholar
4. 4.
J. Patarin, “How to find and avoid collisions for the Knapsack Hash Function”, Proceedings of Eurocrypt'93, pp. 305–317.Google Scholar
5. 5.
B. Preneel, “Analysis and Design of Cryptographic Hash Functions”, Katolieke Universiteit Leuven.Google Scholar
6. 6.
C.P. Schnorr, unpublished communication, 1991.Google Scholar