Questions tagged [2nd-preimage-resistance]

Difficulty of finding another input string that hashes to the same value as a given string

Second preimage resistance is a security property of cryptographic hash functions. A hash function $H$ is said to be second preimage resistant if, given an input string $s$, it is computationally infeasible to find another string $s' \ne s$ such that $H(s') = H(s)$.

Second preimage resistance is a stronger security property than first preimage resistance, but weaker than collision resistance.


73 questions
50
votes
2 answers

Second pre-image resistance vs Collision resistance

From Wikipedia: Second pre-image resistance Given an input $m_1$ it should be difficult to find another input $m_2$ such that $m_1$ ≠ $m_2$ and $\operatorname{hash}(m_1) = \operatorname{hash}(m_2)$. Functions that lack this property are…
ritch
  • 603
  • 1
  • 5
  • 6
23
votes
1 answer

Does collision resistance imply (or not) second-preimage resistance?

I've seen contradictory results. Sometimes hash functions are collision-resistant but not necessarily second-preimage resistant. I've seen this kind of things in papers from Bart Preneel: “Security Properties of Domain Extenders for Cryptographic…
Dingo13
  • 2,917
  • 3
  • 29
  • 46
21
votes
3 answers

Collision or second preimage for the ChaCha core?

Daniel J. Bernstein's ChaCha core is an evolution of the Salsa20 core. Both are functions over the set of 512-bit bitstrings, partitioned as sixteen 32-bit words. Can we exhibit collisions, or second-preimages (which implies the former), for the…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
20
votes
3 answers

Pre-image resistant but not 2nd pre-image resistant?

Are there any cryptographic hash functions for which there is a known pre-image attack, or a known second pre-image attack, but not both? The attack doesn't have to be practical - just anything that beats the security claim of the hash…
Michael
  • 1,509
  • 10
  • 19
19
votes
2 answers

Why is Pearson hash not used as a cryptographic hash?

The original algorithm produces a 1-byte-long hash and is (of course) not suitable for cryptographic use. But according to Wikipedia, it is possible and easy to produce a Pearson hash of any length, simply by incrementing the first byte of the message for…
16
votes
3 answers

Why does second pre-image resistance imply pre-image resistance

I am studying hash functions. I can understand why collision resistance implies second preimage resistance, but I don't get why second preimage resistance should imply first preimage resistance. Could anybody help me with this argument from…
juaninf
  • 2,781
  • 3
  • 21
  • 29
14
votes
1 answer

Is a second preimage attack on MD5 feasible?

What's the practical status of MD5 w.r.t. second-preimage? Integrity of a piece of data is protected by an MD5 hash, itself assumed genuine. The data (and thus the hash) is known to the adversary. The adversary can change the data, and wants to do…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
12
votes
3 answers

SHA3-255, one bit less

I need a SHA3-255 or 511. What if I simply truncate a standard SHA3-256 or 512? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful. What…
12
votes
1 answer

Why doesn't preimage resistance imply the second preimage resistance?

Let the preimage resistance be defined as »given a hash value $h$, it is hard to find any message $m$ such that $\operatorname{hash}(m)=h$«, and let the second preimage resistance be defined as »given a message $m_1$, it is hard to find any message…
11
votes
2 answers

Which MACs can be converted into a secure unkeyed hash function?

It is known that setting the secret key to a fixed, public value does not make MACs like CBC-MAC or GMAC into secure unkeyed cryptographic hash functions that could be used - for instance - for digital signatures. In other words, the resulting hash…
11
votes
1 answer

Is MD5 second-preimage resistant when used only on FIXED length messages?

I fully realize that MD5 should not be used in any new project, but in my particular situation I have severe CPU performance issues, so MD5 is convenient. I have read a lot about MD5 security for this project, and I know it is broken in several…
jcea
  • 343
  • 1
  • 3
  • 10
7
votes
2 answers

Is there a feasible preimage attack for any hash function (no matter how deprecated) today?

Has there ever been a hash function that was actually used in the field, no matter how long ago, for which there is now a feasible preimage attack? All hashes that are nowadays considered 'broken' (such as MD5 and MD4 and older, and to some extent…
7
votes
3 answers

The difference between being not strongly collision resistant, and not weakly collision resistant?

So I understand the two concepts: (Strong) collision resistance: it is infeasible to find a pair $x \neq x'$ such that $h(x) = h(x')$ Weak collision resistance / 2nd-preimage resistance: for all $x \in D$ it is infeasible to find $x' \neq x$ such…
8128
  • 171
  • 1
  • 4
7
votes
1 answer

Has there ever been more than a theoretical difference between preimage resistance and second preimage resistance?

In other words, has there ever been a point in time in which having the content of a message has actually helped break a hash function?
user3201068
  • 721
  • 1
  • 5
  • 18
6
votes
2 answers

Why might SHA-384 throughput be lower than SHA-512 throughput in hashcat and more secure?

I found hashcat benchmark results on the internet: hashcat results: SHA-384 is 17065.4 MH/s, SHA-512 is 17280.3 MH/s. Why does SHA-512 take less time? SHA-512 is longer and I thought it therefore needs more time and computation resources to…