Wang et al. recently found several collisions in some hash functions, such as MD4, MD5, Haval-128 and RIPEMD. These findings have significantly changed our views about the security of existing hash functions. Unfortunately, al- though it is easy for us to verify the correctness of the collisions published by Wang et al., the sufficient condi- tions for collisions are not clear. In this paper, we present our methodology for constructing the sufficient conditions of collision tables by using Haval-128 Pass 3 as an ex- ample. We propose a backward analysis method of com- pression functions for constructing the sufficient condition table and the differential characteristic table. We also ex- pose the weaknesses of Haval-128 which may be applied to other hash functions.
Thorncharoensri, P., Xia, T. & Mu, Y. (2007). How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis. International Journal of Network Security, 4 (2), 138-148.