Cryptanalysis of a hash function, and the modular subset sum problem

Abstract. Recently, Shpilrain and Sosnovski proposed a hash function based on the composition of affine maps. In this paper, we show that this hash function, with its proposed parameters, is not weak collision resistant (i.e. not second-preimage resistant) for plaintexts of size at least 1.9MB (about 2^24 bits). Our approach is to reduce the preimage problem to a (very) high density instance of the Random Modular Subset Sum Problem, for which we give an algorithm capable of solving instances of the resulting size. Specifically, given plaintexts of about 1.9MB, we were able to produce other plaintexts of the same size with the same hash value in about 13 hours each, on average.
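The abstract's reduction turns a second-preimage search into an instance of the modular subset sum problem, and notes that the resulting instance has very high density. The following Python is an added illustration of that problem, not code from the paper and not the paper's algorithm (whose details the abstract does not give): it defines density as the number of elements divided by the bit length of the modulus, gives a dynamic-programming solver over residues that is only practical for toy moduli, and shows that at high density nearly every residue is reachable, so many subsets (and hence many colliding inputs) exist. The modulus and element values are constructed for the demonstration.

```python
"""Toy modular subset sum instances (added illustration, not the paper's solver)."""
import math
import random


def density(n, modulus):
    """Density of an n-element instance modulo `modulus`: n / log2(modulus).

    Density well above 1 means the 2^n subset sums greatly outnumber the
    `modulus` possible residues, so almost every target has many solutions.
    """
    return n / math.log2(modulus)


def solve_modular_subset_sum(elements, target, modulus):
    """Return sorted indices of a subset of `elements` summing to `target` mod
    `modulus`, or None if no such subset exists.

    Dynamic programming over residues: O(n * modulus) time and memory, so this
    is a reference solver for small moduli only. `reached` maps each residue to
    (previous residue, index of the element added) the first time it was hit;
    residue 0 is reached by the empty subset.
    """
    target %= modulus
    reached = {0: None}
    for i, a in enumerate(elements):
        a %= modulus
        # Snapshot the residues known before element i, so each element is used at most once.
        for r in list(reached):
            s = (r + a) % modulus
            if s not in reached:
                reached[s] = (r, i)
    if target not in reached:
        return None
    chosen = []
    r = target
    while reached[r] is not None:      # walk back to residue 0 (empty subset)
        r, i = reached[r]
        chosen.append(i)
    return sorted(chosen)


def reachable_fraction(elements, modulus):
    """Fraction of residues mod `modulus` that some subset of `elements` sums to."""
    reached = {0}
    for a in elements:
        reached |= {(r + a) % modulus for r in reached}
    return len(reached) / modulus


def random_instance(n, modulus, seed):
    """Constructed random instance: n uniformly random elements mod `modulus`."""
    rng = random.Random(seed)
    return [rng.randrange(modulus) for _ in range(n)]


if __name__ == "__main__":
    # Tiny hand-checkable instance: 5 + 7 = 12 = 2 (mod 10).
    print(solve_modular_subset_sum([3, 5, 7], 2, 10))   # [1, 2]
    # High-density instance: 40 elements modulo 1024 has density 4.0, and
    # essentially every residue is reachable by some subset.
    M, n = 1024, 40
    elems = random_instance(n, M, seed=1)
    print("density:", density(n, M))
    print("reachable fraction:", reachable_fraction(elems, M))
    tgt = 617
    sol = solve_modular_subset_sum(elems, tgt, M)
    print("solution indices:", sol, "check:", sum(elems[i] for i in sol) % M == tgt)
```

The solver's cost grows linearly with the modulus, which is exactly why it says nothing about the paper's parameters (a modulus of cryptographic size); its purpose is only to make the density observation concrete: once n exceeds log2(M) by a comfortable margin, reachable_fraction reports 1.0 and every target, including the hash of a given plaintext, has a second preimage in the subset-sum view.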

[2] V. Lyubashevsky. On Random High Density Subset Sums. Electronic Colloquium on Computational Complexity, 2005.

[3] A. Menezes et al. Handbook of Applied Cryptography. 2018.

[4] M. Grassl et al. Cryptanalysis of the Tillich–Zémor Hash Function. Journal of Cryptology, 2010.

[5] V. Shpilrain et al. Compositions of linear functions and applications to hashing. IACR Cryptology ePrint Archive, 2016.

[6] G. Zémor et al. Hashing with SL_2. CRYPTO, 1994.