Can a collision resistant hash return zero?

Recently, I have been reading the original proof of GCM.

It mentioned the properties of "almost universal" and "return zero" for hash function.

I wonder if there is a connection between the two, that is

If a hash function is collision resistant, then it is "unlikely" return zero.

In a more formal way, we have the following:

For $\forall M, M^{'} \in \{0,1\}^{n}, M \ne M^{'}$,

if $\mathrm{Pr}\left[H_{K}(M)\oplus H_{K}(M^{'})=0^{n}\ \middle|\ K\stackrel{\\\$}{\leftarrow} \{0,1\}^{n}\right] \le \epsilon_{1}$ holds, then $\mathrm{Pr}\left[H_{K}(M) =0^{n} \middle|\ K\stackrel{\\\$}{\leftarrow} \{0,1\}^{n}\right] \le \mathrm{Pr}\left[H_{K}(M)\oplus H_{K}(M^{'})=0^{n}\ \middle|\ K\stackrel{\\\$}{\leftarrow} \{0,1\}^{n}\right] \le \epsilon_{1}$ also holds.

Is this statement correct?

• If is, how to prove this?
• If not, what is the relationship between collision resistance and zero hash result?

Thanks in advance!

Is this statement correct?

Actually, in the specific case of GHASH, it is not.

GHASH has the property that $\forall k: H_k(0^n) = 0$; hence that shows that the desired inequality doesn't hold.

What's going on is for GHASH, we always have $H_k(M) \oplus H_k(M') = H_k(M \oplus M')$; we also have $\mathrm{Pr}\left[H_{K}(M) =0^{n} \middle|\ K\stackrel{\\\$}{\leftarrow} \{0,1\}^{n}\right] \le \epsilon$ for $M \ne 0^n$, which is why the original inequality holds.

On a side note, you asked about 'collision resistant hash functions'; it turns out that GHASH is not a collision resistant hash function - instead, it is a "$\Delta$ almost universal hash function"; your first equation (replacing $0^n$ with a free variable) is essentially the definition.

GHASH is not a collision resistant hash function because if you are given Oracle access to GHASH, it is easy to recover $k$, and from there, it is easy to find collisions.