Making a small change to the data, including changing one bit, should produce a totally different checksum, since that's what it was designed to do in the first place.

—John

Are you saying that given a size and a target CRC checksum other than zero, it's easy to compose a message of length size that produces the target checksum?

Yes.

Also, if you know the CRC of some data, you can calculate the CRC of "data xor something", even if you don't know what the data was!

use String::CRC32;
# given $crc == crc32($data)
$crc2 = $crc ^ crc32($diff) ^ crc32("\0" x length($diff));
# now, $crc2 == crc32($data ^ $pad.$diff)
# where $pad = "\0" x (length($data) - length($diff))
[download]

So, although it's good at finding accidental mutations to data, it's quite easy to contrive a change that produces a given checksum.

It seems to me that for any hash function, if you only have 2**32 different fingerprints, you can find something by brute force.