It can be shown that some form of birthday attack will succeed
against any hash scheme involving the use of cipher block
chaining without a secret key, provided that either the resulting
hash code is small enough or that a larger hash code can be
decomposed into independent subcodes.