1

There were several questions here regarding how surjective SHA-1/2 is, i.e. how many values don't have a pre-image from a fixed-size input. I and others answered by modelling the relevant hash function as a random function. The question is: can we venture whether common hash functions are likely to collide more or less often than an ideal random function? Are there other cryptographic hash functions where we know exactly which direction such a weakness lies?

Meir Maor
  • 12,053
  • 1
  • 24
  • 55

1 Answer

3

If we could prove anything one way or another about this, it would be a remarkable result worthy of publication in a cryptography journal, since—except for length extension issues in MD hashes—we usually expect these collision-resistant hash functions to behave like good little random oracles.

Of course, there are other families of functions which are not collision-resistant but from which random choices of function have bounded collision probability, namely universal hashes like Poly1305 and GHASH. We can use these as building blocks for fast authenticators or PRFs. But I don't think you were asking about those.

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230
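To make the "model it as a random function" argument from the question concrete, the following is an added example (not code from either poster): it maps every m-bit input to an m-bit output, once through SHA-256 truncated to m bits and once through a fixed seeded random table as the ideal baseline, and reports how many outputs have no preimage and how many inputs collide. For a uniformly random function on N points the expected fraction of outputs with no preimage is exactly (1 - 1/N)^N, which tends to 1/e. The domain size m = 16 and the way SHA-256 is truncated (keeping the top m bits of the digest of the input encoded as big-endian bytes) are assumptions made for illustration; nothing about the result is a proof, it only shows the two behave indistinguishably on this toy domain, which is what the answer predicts.

```python
"""Truncated SHA-256 versus an ideal random function on a small domain.

Added example. It models the question's setting: N = 2^m inputs mapped
to 2^m outputs. For an ideal random function the expected fraction of
outputs with no preimage is (1 - 1/N)^N -> 1/e ~ 0.3679. The parameters
below (m = 16, top-m-bit truncation, seed 0) are illustrative assumptions.
"""
import hashlib
import math
import random


def truncated_sha256(m_bits: int, x: int) -> int:
    """SHA-256 of the m-bit integer x (as ceil(m/8) big-endian bytes), top m bits kept."""
    n_bytes = (m_bits + 7) // 8
    digest = hashlib.sha256(x.to_bytes(n_bytes, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - m_bits)


def random_function(m_bits: int, seed: int = 0):
    """A fixed, seeded lookup table: one uniformly random function from m bits to m bits."""
    n = 1 << m_bits
    rng = random.Random(seed)
    table = [rng.randrange(n) for _ in range(n)]
    return table.__getitem__


def image_stats(f, m_bits: int) -> dict:
    """Apply f to every m-bit input; report surjectivity and collision counts."""
    n = 1 << m_bits
    hit = bytearray(n)          # hit[y] == 1 once some input has mapped to y
    colliding_inputs = 0        # inputs whose output was already taken
    for x in range(n):
        y = f(x)
        if hit[y]:
            colliding_inputs += 1
        else:
            hit[y] = 1
    distinct = sum(hit)         # iterating a bytearray yields ints 0/1
    return {
        "inputs": n,
        "distinct_outputs": distinct,
        "missing_fraction": (n - distinct) / n,   # outputs with no preimage
        "colliding_inputs": colliding_inputs,
    }


def ideal_missing_fraction(n: int) -> float:
    """Exact expectation for a uniformly random function on n points: (1 - 1/n)^n."""
    return (1 - 1 / n) ** n


def compare(m_bits: int = 16) -> dict:
    """Run both functions over the whole m-bit domain and return the statistics side by side."""
    return {
        "sha256_truncated": image_stats(lambda x: truncated_sha256(m_bits, x), m_bits),
        "random_function": image_stats(random_function(m_bits), m_bits),
        "ideal_missing_fraction": ideal_missing_fraction(1 << m_bits),
        "one_over_e": 1 / math.e,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Both the truncated hash and the random table leave roughly 36.8% of the 65536 outputs without a preimage, and the number of colliding inputs is by construction the number of inputs minus the number of distinct outputs. Raising m quickly makes the exhaustive sweep infeasible, which is exactly why for full-width SHA-256 the question can only be answered by this kind of model rather than by measurement.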