Is this function preimage resistant?

Question

One of the ways of testing strength of PRNG functions is to design tests that distinguish PRNG outputs from random strings: we are given a box which outputs PRNG(u) for some u or a random string. We have to determine if the output comes from PRNG. Assume that a hash function H fails this test.

Does it mean that it is not second preimage resistant?

Answer 1

Assume a 256-bit cryptographic hash function h with all the properties that are expected from such.

Construct the function which, for any input string s, returns the first 255 bits of h(s) followed by the bit 0.

This function is easy to distinguish from random with good probability given enough inputs: it returns only even numbers. But it is still tricky to compute any sort of collision or preimage for it: it is 255-bit strong.

Resistance to collision or preimage is not an all-or-nothing question. There are gradations.