[Cryptography] Name for a specific type of preimage resistance
Stephan Neuhaus
stephan.neuhaus at zhaw.ch
Fri Dec 9 05:13:30 EST 2022
On 12/8/22 13:35, Peter Gutmann wrote:
> The lesser-known required property for a hash function alongside collision
> resistance is preimage resistance, and in fact for a lot of hash function use
> in security protocols, in particular their near-universal use in PRFs and KDFs
> and similar, what's essential is preimage resistance rather than collision
> resistance. However, in this case an attacker needs to perform something far
> stronger than a generic preimage attack in which they determine any valid
> preimage, they need to recover the exact preimage that contains the secret
> value or password or key that's being hashed or MACed or PRFed.
>
> Is there a name for this special-case preimage attack, find the one preimage
> that contains the secret value, to distinguish it from a generic preimage
> attack, find any preimage?
>
> Peter.
I don't know of any name (but I'm not a cryptographer). But why is that
even an issue? Once you keep only hash(x) but not x, wouldn't ANY
preimage do?
Also, I'm confident that pseudo-randomness implies preimage resistance
(that seems to me to be a straightforward implication of the
random-oracle model), but does the reverse also hold?
Fun
Stephan
More information about the cryptography
mailing list