Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions

In a recent note to the NIST hash-forum list, the following observation was presented: narrow-pipe hash functions differ significantly from ideal random functions H : {0, 1} → {0, 1} that map bit strings from a big domain where N = n + m, m ≥ n (n = 256 or n = 512). Namely, for an ideal random function with a big domain space {0, 1} and a finite co-domain space Y = {0, 1}, for every element y ∈ Y , the probability Pr{H−1(y) = ∅} ≈ e−2 m ≈ 0 where H−1(y) ⊆ {0, 1} and H−1(y) = {x | H(x) = y} (in words the probability that elements of Y are “unreachable” is negligible). However, for the narrow-pipe hash functions, for certain values of N (the values that are causing the last padded block that is processed by the compression function of these functions to have no message bits), there exists a huge non-empty subset Y∅ ⊆ Y with a volume |Y∅| ≈ e−1|Y | ≈ 0.36|Y | for which it is true that for every y ∈ Y∅, H−1(y) = ∅. In this paper we extend the same finding to SHA-2 and show consequences of this abberation when narrow-pipe hash functions are employed in HMAC and in two widely used protocols: 1. The pseudorandom function defined in SSL/TLS 1.2 and 2. The Password-based Key Derivation Function No.1, i.e. PBKDF1.