https://eprint.iacr.org/2020/1311 published a distinguisher for FF1 against binary numeral strings, that has a data complexity of $2^{2n((r-1)-\frac{1}{2}) - n}$ and a time complexity of $2^{2n((r-1)-\frac{1}{2})}$. FF1 has 10 rounds, corresponding to $r = 5$, and its minimum binary string length corresponds to $n = 10$; this gives a data complexity of $2^{60}$ and time complexity of $2^{70}$.
While this is clearly not secure for such short inputs, it does not invalidate FF1 as a whole. For example, on the 88-bit inputs used for Zcash diversifiers ( $n = 44$ ), we get a data complexity of $2^{264}$ and time complexity of $2^{308}$, which remains sufficient.
The best fix for this is to raise the $\mathsf{radix}^\mathsf{minlen}$ requirement (once we implement #31) to be greater than what NIST SP 800-38G Rev. 1 requires. For instance, 42-bit binary strings ( $n = 21$ ) are the longest that have a data and time complexity for this distinguisher smaller than $2^{128}$.
https://eprint.iacr.org/2020/1311 published a distinguisher for FF1 against binary numeral strings, that has a data complexity of$2^{2n((r-1)-\frac{1}{2}) - n}$ and a time complexity of $2^{2n((r-1)-\frac{1}{2})}$ . FF1 has 10 rounds, corresponding to $r = 5$ , and its minimum binary string length corresponds to $n = 10$ ; this gives a data complexity of $2^{60}$ and time complexity of $2^{70}$ .
While this is clearly not secure for such short inputs, it does not invalidate FF1 as a whole. For example, on the 88-bit inputs used for Zcash diversifiers ($n = 44$ ), we get a data complexity of $2^{264}$ and time complexity of $2^{308}$ , which remains sufficient.
The best fix for this is to raise the$\mathsf{radix}^\mathsf{minlen}$ requirement (once we implement #31) to be greater than what NIST SP 800-38G Rev. 1 requires. For instance, 42-bit binary strings ( $n = 21$ ) are the longest that have a data and time complexity for this distinguisher smaller than $2^{128}$ .