Preimage attack

In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage.

In the context of attack, there are two types of preimage resistance:

preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input that hashes to that output, i.e., given y, it is difficult to find an x such that h(x) = y.^[1]
second-preimage resistance: it is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that h(x) = h(x′).^[1]

These can be compared with a collision resistance, in which it is computationally infeasible to find any two distinct inputs x, x′ that hash to the same output, i.e., such that h(x) = h(x′).^[1]

Collision resistance implies second-preimage resistance,^[1] but does not guarantee preimage resistance.^[1]

Applied preimage attacks

By definition, an ideal hash function is such that the fastest way to compute a first or second preimage is through a brute force attack. For an n-bit hash, this attack has a time complexity 2ⁿ, which is considered too high for a typical output size of n = 128 bits. If such complexity is the best that can be achieved by an adversary, then the hash function is considered preimage-resistant.

Faster preimage attacks can be found by cryptanalysing certain hash functions, and are specific to that function. Some significant preimage attacks have already been discovered, but they are not yet practical. If a practical preimage attack is discovered, it would drastically affect many Internet protocols. In this case, "practical" means that it could be executed by an attacker with a reasonable amount of resources. For example, a preimaging attack that costs trillions of dollars and takes decades to preimage one desired hash value or one message is not practical; one that costs a few thousand dollars and takes a few weeks might be very practical.

All currently known practical or almost-practical attacks on MD5 and SHA-1 are collision attacks.^[2]^[3] In general, a collision attack is easier to mount than a preimage attack, as it is not restricted by any set value (any two values can be used to collide). The time complexity of the collision attack, in contrast, is 2^n/2.

References

IETF RFC 4270: Attacks on Cryptographic Hashes in Internet Protocols

1 2 3 4 5 Rogaway, P.; Shrimpton, T. "Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance" (PDF). Fast Software Encryption (2004). Springer-Verlag. Retrieved 17 November 2012.
↑ Bruce Morton, Clayton Smith (30 January 2014). "Why We Need to Move to SHA-2". CA Security Council.
↑ "MD5 and Perspectives". 1 January 2009.

Cryptographic hash functions & message authentication codes

List Comparison Known attacks

Common functions	MD5 SHA-1 SHA-2 SHA-3 BLAKE2

SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)

Other functions	ECOH FSB GOST HAS-160 HAVAL Kupyna LM hash MD2 MD4 MD5 MD6 MDC-2 N-Hash RIPEMD RadioGatún SWIFFT SipHash Snefru Streebog Tiger VSH WHIRLPOOL

Key derivation functions	bcrypt crypt PBKDF2 scrypt Argon2 Lyra2

MAC functions	DAA CBC-MAC HMAC OMAC/CMAC PMAC VMAC UMAC Poly1305

Authenticated encryption modes	CCM CWC EAX GCM IAPM OCB

Attacks	Collision attack Preimage attack Birthday attack Brute force attack Rainbow table Side-channel attack Length extension attack

Design	Avalanche effect Hash collision Merkle–Damgård construction

Standardization	CRYPTREC NESSIE NIST hash function competition

Utilization	Hash-based cryptography Key stretching Merkle tree Message authentication Proof of work Salt

Cryptography

History of cryptography Cryptanalysis Outline of cryptography

Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography

Category Portal WikiProject

This article is issued from Wikipedia - version of the 12/11/2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.

Preimage attack

Applied preimage attacks

See also

References