FFT Hashing is not Collision-free

The FFT Hashing Function proposed by C.P. Schnorr [1] hashes messages of arbitrary length into a 128-bit hash value. In this paper, we show that this function is not collision-free, and we give an example of two distinct 256-bit messages with the same hash value. Finding a collision (in fact a large family of colliding messages) requires approximately 2^23 partial computations of the hash function, and takes a few hours on a SUN3 workstation, and less than an hour on a SPARC workstation. A similar result, discovered independently, was announced at the Asiacrypt '91 rump session by Daemen, Bosselaers, Govaerts and Vandewalle [2].