Nasour Bagheri, NIST mailing list 2008-11-29
--------------------------------------------

If I have understood the JH hash scheme correctly, the $E_d$ block is a permutation. So we can see this scheme as a variant of a Sponge hash function. Now one can select a message of his choice (but considering the specific padding rule), combine it with the given target, and reverse the hash function. However, he/she has no control over the achieved IV. The same approach can be used for free start collision and second preimage. The complexity of the attacks is one or two JH functions in reverse. The designer has not presented any security against free start attacks.

I am not claiming that the attack is a break of the JH hash function, nor that any security claims made by you are invalidated.
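Added example, not part of the original post or of the JH specification: a toy model of the observation above, assuming the JH-style compression structure in which the message block is XORed into the first half of the chaining value before the permutation and into the second half after it. The Feistel permutation `E`, the 16-byte state and all function names are hypothetical stand-ins for $E_d$, and padding is not modelled.

```python
import hashlib

HALF = 8  # toy half-state in bytes (assumption; JH's real state is far larger)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(rnd, half):
    # Feistel round function; it need not be invertible itself
    return hashlib.sha256(bytes([rnd]) + half).digest()[:HALF]

def E(state, rounds=8):
    """Toy permutation standing in for E_d (hypothetical, not JH's E_d)."""
    l, r = state[:HALF], state[HALF:]
    for rnd in range(rounds):
        l, r = r, _xor(l, _f(rnd, r))
    return l + r

def E_inv(state, rounds=8):
    """Inverse of E: undo the Feistel rounds in reverse order."""
    l, r = state[:HALF], state[HALF:]
    for rnd in reversed(range(rounds)):
        l, r = _xor(r, _f(rnd, l)), l
    return l + r

def compress(h_prev, m):
    """XOR block into first half, permute, XOR block into second half."""
    y = E(_xor(h_prev, m + bytes(HALF)))
    return _xor(y, bytes(HALF) + m)

def invert(h_next, m):
    """Run compress backwards: the one h_prev that maps (h_prev, m) to h_next."""
    y = _xor(h_next, bytes(HALF) + m)
    return _xor(E_inv(y), m + bytes(HALF))

if __name__ == "__main__":
    target = bytes(range(2 * HALF))      # constructed target chaining value
    m1, m2 = b"block-01", b"block-02"    # constructed message blocks
    h1, h2 = invert(target, m1), invert(target, m2)
    # Free-start preimage: cost is one inverse call per chosen block.
    assert compress(h1, m1) == target
    # Free-start collision: two different (chaining value, block) pairs.
    assert compress(h2, m2) == target and (h1, m1) != (h2, m2)
    # The starting values h1, h2 fall out of the inversion; they match a
    # fixed IV only by chance.
    fixed_iv = bytes(2 * HALF)           # constructed stand-in for the real IV
    print(h1.hex(), h2.hex(), h1 == fixed_iv, h2 == fixed_iv)
```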