The Symbiosis between Collision and Preimage Resistance
We revisit the definitions of preimage resistance, focussing on the question of finding a definition that is simple enough to prove security against, yet flexible enough to be of use for most applications. We give an in-depth analysis of existing preimage resistance notions, introduce several new notions, and establish relations and separations between the known and new preimage notions. This establishes a clear separation between domain-oriented and range-oriented preimage resistance notions. For the former an element is chosen from the domain and hashed to form the target digest; for the latter the target digest is chosen directly from the range.
In particular, we show that Rogaway and Shrimpton’s notion of everywhere preimage resistance on its own is less powerful than previously thought. However, we prove that in conjunction with collision resistance, everywhere preimage resistance implies ‘ordinary’ (domain-based) preimage resistance. We show the implications of our result for iterated hash functions and hash chains, where the latter is related to the Winternitz one-time signature scheme.
KeywordsHash Function Compression Function Cryptographic Hash Function Hash Chain Security Notion
Unable to display preview. Download preview PDF.
- 2.Avoine, G., Junod, P., Oechslin, P.: Characterization and Improvement of Time-Memory Trade-Off Based on Perfect Tables. ACM Trans. Inf. Syst. Secur. 11(4) (2008)Google Scholar
- 6.Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
- 7.Cachin, C.: Unconditional Security in Cryptography. Ph.D. thesis, ETH Zürich (1997)Google Scholar
- 8.Damgård, I.: A Design Principle for Hash Functions. In: Brassard , pp. 416–427Google Scholar
- 13.Merkle, R.C.: A Certified Digital Signature. In: Brassard , pp. 218–238Google Scholar
- 14.Merkle, R.C.: One Way Hash Functions and DES. In: Brassard , pp. 428–446Google Scholar
- 16.Preneel, B.: Analysis and Design of Cryptographic Hash Functions. Ph.D. thesis, Katholieke Universiteit Leuven (1993)Google Scholar
- 17.Rivest, R.L.: The MD6 Hash Function – a Proposal to NIST for SHA-3. Submission to NIST (2008)Google Scholar
- 18.Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B.K., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar