The Symbiosis between Collision and Preimage Resistance

  • Elena Andreeva
  • Martijn Stam
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7089)


We revisit the definitions of preimage resistance, focussing on the question of finding a definition that is simple enough to prove security against, yet flexible enough to be of use for most applications. We give an in-depth analysis of existing preimage resistance notions, introduce several new notions, and establish relations and separations between the known and new preimage notions. This establishes a clear separation between domain-oriented and range-oriented preimage resistance notions. For the former an element is chosen from the domain and hashed to form the target digest; for the latter the target digest is chosen directly from the range.
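The two ways of picking the target digest described above can be written as two experiments. The sketch below is an added illustration, not code or a construction from the paper: the toy hash (truncated SHA-256), the 1-byte domain, the 16-bit range and all function names are assumptions chosen so that exhaustive search is feasible.

```python
import hashlib
import random

MSG_BYTES = 1      # assumed toy domain: all 1-byte messages (256 elements)
DIGEST_BYTES = 2   # assumed toy range: all 16-bit strings (65536 elements)

def toy_hash(msg: bytes) -> bytes:
    """SHA-256 truncated to DIGEST_BYTES; a stand-in, not a hash from the paper."""
    return hashlib.sha256(msg).digest()[:DIGEST_BYTES]

DOMAIN = [i.to_bytes(MSG_BYTES, "big") for i in range(256 ** MSG_BYTES)]

# Exhaustive-search adversary: maps every reachable digest to one preimage.
INVERSE = {}
for m in DOMAIN:
    INVERSE.setdefault(toy_hash(m), m)

def domain_target(rng: random.Random) -> bytes:
    """Domain-oriented: pick an element of the domain and hash it."""
    return toy_hash(rng.choice(DOMAIN))

def range_target(rng: random.Random) -> bytes:
    """Range-oriented: pick the target digest directly from the range."""
    return bytes(rng.getrandbits(8) for _ in range(DIGEST_BYTES))

def adversary(target: bytes):
    """Return a preimage in DOMAIN, or None if the target is unreachable."""
    return INVERSE.get(target)

def play(sample_target, trials: int, seed: int) -> int:
    """Run the experiment `trials` times; count targets the adversary inverts."""
    rng = random.Random(seed)  # seeded only to make the demo reproducible
    wins = 0
    for _ in range(trials):
        y = sample_target(rng)
        guess = adversary(y)
        # The experiment, not the adversary, checks the claimed preimage.
        if guess is not None and toy_hash(guess) == y:
            wins += 1
    return wins

if __name__ == "__main__":
    print("reachable digests:", len(INVERSE), "of", 256 ** DIGEST_BYTES)
    print("domain-oriented wins:", play(domain_target, 200, seed=1), "/ 200")
    print("range-oriented wins: ", play(range_target, 200, seed=1), "/ 200")
```

The same adversary inverts every domain-sampled target but almost no range-sampled one, because in this toy setting most points of the range have no preimage at all; the outcome of a preimage experiment depends on how the target is chosen, not only on the hash.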

In particular, we show that Rogaway and Shrimpton’s notion of everywhere preimage resistance on its own is less powerful than previously thought. However, we prove that in conjunction with collision resistance, everywhere preimage resistance implies ‘ordinary’ (domain-based) preimage resistance. We show the implications of our result for iterated hash functions and hash chains, where the latter is related to the Winternitz one-time signature scheme.


Keywords: Hash Function; Compression Function; Cryptographic Hash Function; Hash Chain; Security Notion





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Elena Andreeva (1)
  • Martijn Stam (2)
  1. ESAT/SCD–COSIC, Dept. of Electrical Engineering, Katholieke Universiteit Leuven and IBBT, Belgium
  2. Department of Computer Science, University of Bristol, Bristol, United Kingdom
