[Cryptography] Name for a specific type of preimage resistance

Ron Garret ron at flownet.com
Thu Dec 8 18:05:18 EST 2022


On Dec 8, 2022, at 4:35 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> The lesser-known required property for a hash function alongside collision
> resistance is preimage resistance, and in fact for a lot of hash function use
> in security protocols, in particular their near-universal use in PRFs and KDFs
> and similar, what's essential is preimage resistance rather than collision
> resistance.  However, in this case an attacker needs to perform something far
> stronger than a generic preimage attack in which they determine any valid
> preimage, they need to recover the exact preimage that contains the secret
> value or password or key that's being hashed or MACed or PRFed.
> 
> Is there a name for this special-case preimage attack, find the one preimage
> that contains the secret value, to distinguish it from a generic preimage
> attack, find any preimage?

Your problem description is ambiguous: "they need to recover THE EXACT preimage that CONTAINS THE secret value or password or key" (emphasis added).

For any given secret S there are an unbounded number of documents that CONTAIN it, so “THE EXACT preimage that contains THE secret” is nonsensical.  There is no One True Container of S, and so there is no One True Preimage.

If what you meant was: find SOME pre-image that contains S, that is still ambiguous because you have not specified whether the attacker knows the secret, or has an oracle for the secret.  If the attacker knows the secret then this is a chosen-prefix attack.  If the attacker has an oracle then this becomes an attack on the oracle.  If the attacker has neither then the problem is nonsensical because there is no way the attacker can know if he has succeeded.

rg


