SL2 homomorphic hash functions: worst case to average case reduction and short collision search

We study homomorphic hash functions into SL2(q), the 2 × 2 matrices with determinant 1 over the field with q elements. Modulo a well supported number theoretic hypothesis, which holds in particular for all concrete homomorphisms proposed thus far, we prove that a random homomorphism is at least as secure as any concrete homomorphism. For a family of homomorphisms containing several concrete proposals in the literature, we prove that collisions of length O(log q) can be found in running time O( √ q). For general homomorphisms we offer an algorithm that, heuristically and according to experiments, in running time O( √ q) finds collisions of length O(log q) for q even, and length O(logq/ log log q) for arbitrary q. For any conceivable practical scenario, our algorithms are substantially faster than all earlier algorithms and produce much shorter collisions.