Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance

  • Phillip Rogaway
  • Thomas Shrimpton
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3017)


We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance. We give seven different definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework. Because our results are concrete, we can show two types of implications, conventional and provisional, where the strength of the latter depends on the amount of compression achieved by the hash function. We also distinguish two types of separations, conditional and unconditional. When constructing counterexamples for our separations, we are careful to preserve specified hash-function domains and ranges; this rules out some pathological counterexamples and makes the separations more meaningful in practice. Four of our definitions are standard while three appear to be new; some of our relations and separations have appeared, others have not. Here we give a modern treatment that acts to catalog, in one place and with carefully-considered nomenclature, the most basic security notions for cryptographic hash functions.


collision resistance cryptographic hash functions preimage resistance provable security second-preimage resistance 


  1. 1.
    Anderson, R.: The classification of hash functions. In: IMA Conference in Cryptography and Coding IV, December 1993, pp. 83–94 (1993)Google Scholar
  2. 2.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 232–249. Springer, Heidelberg (1998)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Collision-resistant hashing: Towards making UOWHFs practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)Google Scholar
  4. 4.
    Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the blockcipher- based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 320. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Brown, D., Johnson, D.: Formal security proofs for a signature scheme with partial message recovery. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 126–144. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Damgård, I.: Collision free hash fucntions and public key signature schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)Google Scholar
  7. 7.
    Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  8. 8.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)MATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  10. 10.
    Merkle, R.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  11. 11.
    Mironov, I.: Hash functions: From Merkle-Damgård to Shoup. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 166. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the Twenty-first ACM Symposium on Theory of Computing, pp. 33–43 (1989)Google Scholar
  13. 13.
    Preneel, B.: Cryptographic hash functions. Katholieke Universiteit Leuven, Belgium (1993)Google Scholar
  14. 14.
    Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance (2004), Full version of this paper,
  15. 15.
    Stinson, D.: Some observations on the theory of cryptographic hash functions. Technical Report 2001/020, University of Waterloo (2001)Google Scholar
  16. 16.
    Zheng, Y., Matsumoto, T., Imai, H.: Connections among several versions of oneway hash functions. In: Special Issue on Cryptography and Information Security, Proceedings of IEICE of Japan (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Phillip Rogaway
    • 1
    • 2
  • Thomas Shrimpton
    • 3
  1. 1.Dept. of Computer ScienceUniversity of CaliforniaDavisUSA
  2. 2.Dept. of Computer Science, Fac of ScienceChiang Mai UniversityThailand
  3. 3.Dept. of Electrical and Computer EngineeringUniversity of CaliforniaDavisUSA

Personalised recommendations