Questions tagged [preimage-resistance]

Difficulty of finding an input string that hashes to a given value

Preimage resistance is a security property of cryptographic hash functions. A hash function $H$ is said to be (first) preimage resistant if, given a hash value $x$, it is computationally infeasible to find a string $s$ such that $H(s) = x$.

Stronger security properties often demanded of hash functions include second preimage resistance and collision resistance, both of which imply first preimage resistance.


178 questions
56
votes
11 answers

How do hashes really ensure uniqueness?

This might seem an impractical and unnecessary conversation, but I feel it's something I need to clarify. Especially, as I just got my first developer job in a blockchain startup. So hashes are said to generate the same thing for any information it…
42
votes
3 answers

What are preimage resistance and collision resistance, and how can the lack thereof be exploited?

What is "preimage resistance", and how can the lack thereof be exploited? How is this different from collision resistance, and are there any known preimage attacks that would be considered feasible?
30
votes
11 answers

Why can't I reverse a hash to a possible input?

I'm going to provide “proof” why a hash function can be reversed, and I hope you can tell me why I'm wrong. So, a hash function can be implemented as a series of logic gates. All logic gates can be implemented using only NOT and OR gates. (I'm fairly…
Shelvacu
23
votes
2 answers

What makes SHA-256 secure?

For example, RSA relies on a mathematically hard problem, factoring, while ECDSA or similar rely on discrete logarithm problem. What makes SHA-256 and similar hash functions, of the same family, secure against pre-image and collision attacks? What's…
rapadura
20
votes
3 answers

Pre-image resistant but not 2nd pre-image resistant?

Are there any cryptographic hash functions for which there is a known pre-image attack, or a known second pre-image attack, but not both? The attack doesn't have to be practical - just anything that beats the security claim of the hash…
Michael
20
votes
2 answers

What is the general justification for the hardness of finding preimages for cryptographic hash functions?

Since most cryptographic hash functions are simple, compact constructions, does this simplicity impose a limit on the complexity and the size of a function that can generate preimages? That is, given a cryptographic hash function, H of some length…
Ethan Heilman
19
votes
2 answers

SHA-256: (Probabilistic?) partial preimage possible?

Currently busying myself with the Bitcoin "mining" algorithm, I am wondering if the process really cannot be simplified. For reference, the algorithm is basically SHA-256d: $$\mathit{success} := \operatorname{SHA256}( \operatorname{SHA256}(…
19
votes
1 answer

Could we break MD5 entirely in the future?

Even as of today MD5 is (sadly) still heavily used in some applications. Even big tools like ApacheMD5. But even today there are more than enough MD5 hashes which are still not cracked. According to Wikipedia, the strongest attack at time of writing…
Richard R. Matthews
18
votes
1 answer

What are the consequences of removing a single byte from a sha256 hash?

I'm working on a system (Ethereum) where it is significantly cheaper to store 32 bytes than 33 bytes. I'd like to create a table where data is stored based on its hash. Sha256 would meet this criteria since it outputs 32 bytes. However, I'd also…
Akhil F
18
votes
1 answer

Did NIST verify “post-quantum” claims in the SHA3 proposal papers?

I have been reading Bernstein’s “Quantum attacks against Blue Midnight Wish, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Shabal, SHAvite-3, SIMD, and Skein” paper from 2010… This document disproves the claims of preimage resistance for Blue Midnight…
16
votes
3 answers

Why does second pre-image resistance imply pre-image resistance

I am studying hash functions. I can understand why collision resistance implies second preimage resistance, but I don't get why second preimage resistance should imply first preimage resistance. Could anybody help me with this argument from…
juaninf
15
votes
3 answers

Does a partial preimage attack imply a preimage attack?

Let's assume we have an $n$-bit hash function and a $b$-bit partial preimage attack that is faster than brute force. Does this imply a faster than brute force preimage attack on the whole hash? It seems that it does, because if you run the $t<2^b$…
otus
13
votes
3 answers

Is SHA-256 irreversible for each input?

There are more inputs to the SHA-256 function than outputs, so it must be a many-to-one function by the Pigeonhole Principle. However, that doesn't automatically imply that it sends more than one input to each of its outputs. For instance, Squaring…
12
votes
5 answers

Hash paradox in an image file that contains hash text?

Is it possible to include a hash digest visibly in an image, such that the hash of the image itself is that same digest? When we draw the text of the hash in the image, we will of course change the hash of the image at the same time, because as we…
12
votes
3 answers

SHA3-255, one bit less

I need a SHA3-255 or 511. What if I simply truncate a standard SHA3-256 or 512? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful. What…