While far from the current state of the art of practical cryptography, I have a very soft spot for "theoretically constructed" cryptographic hash functions.<p>I've encountered SWIFFT (which uses a lattice SVP), and some based on classic number theoretic functions (DLP).<p>Walks on expander graphs for cryptographic hashes are new for me. I'd seen them for applications in randomness extraction, but their application to cryptographic hashing really, really beautifully links well known graph problems (cycle finding and path finding) to collision and pre-image attacks.<p>This isn't exactly what the paper is about (just the introductory material)... but something I felt moved to say. Hopefully someday we find very efficient expander graph constructs, because of how incredibly useful they continue to be in the theory.