Assume a 256-bit cryptographic hash function h
with all the properties that are expected from such.
Construct the function which, for any input string s
, returns the first 255 bits of h(s)
followed by the bit 0
.
This function is easy to distinguish from random with good probability given enough inputs: it returns only even numbers. But it is still tricky to compute any sort of collision or preimage for it: it is 255-bit strong.
Resistance to collision or preimage is not an all-or-nothing question. There are gradations.