[Cryptography] Name for a specific type of preimage resistance

Viktor Dukhovni cryptography at dukhovni.org
Mon Dec 12 17:45:47 EST 2022


On Mon, Dec 12, 2022 at 05:54:45AM +0000, Peter Gutmann wrote:

> In the absence of any actual name, could I suggest "singular preimage
> resistance"?

The closest extant term is "1st preimage resistance", where all you have
is the digest, rather than "2nd preimage resistance" where you have some
given preimage and the goal is to find another.

However, you're asking for something that's mathematically less well
defined, because mathematically all 1st preimages are alike, but
you're looking for "the one true" preimage, that has low entropy, or
some expected structure, that would make it better than the rest.

So I don't think there's a well-established term for that.  The expected
number of preimages of a "random" function is (if I'm not mistaken)
e/(e-1) ~ 1.5819767068693, so if a digest is close to "ideal", finding
any preimage gives you an ~63% chance of finding "the one true"
preimage, but of course you're concerned with "less than ideal"
digests...

-- 
    Viktor.
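
An empirical check of the two figures quoted above, added here as an illustration and not part of the original message: it measures the mean preimage count per reachable digest and the chance that a uniformly chosen preimage is the original input. The domain size, the seed, and the 16-bit truncation of SHA-256 over 4-byte inputs are assumptions chosen so the whole domain can be enumerated.

```python
import hashlib
import math
import random
from collections import Counter


def preimage_stats(digests):
    """digests[x] is the digest of input x, for every x in the domain.

    Returns (mean preimages per digest that occurs at all,
             probability that a uniformly chosen preimage of digests[x]
             is x itself, averaged over a uniformly chosen x).
    """
    counts = Counter(digests)            # digest -> number of preimages
    n = len(digests)
    mean_preimages = n / len(counts)
    p_true = sum(1.0 / counts[d] for d in digests) / n
    return mean_preimages, p_true


def random_function(n, seed=1):
    """Constructed model of an ideal digest: a uniformly random map on n points."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(n)]


def truncated_sha256(bits=16):
    """SHA-256 cut down to `bits` bits, evaluated on all 2**bits 4-byte inputs."""
    out = []
    for x in range(1 << bits):
        h = hashlib.sha256(x.to_bytes(4, "big")).digest()
        out.append(int.from_bytes(h[:4], "big") >> (32 - bits))
    return out


if __name__ == "__main__":
    print("e/(e-1) = %.4f, 1 - 1/e = %.4f"
          % (math.e / (math.e - 1), 1 - 1 / math.e))
    for name, table in (("random function", random_function(200_000)),
                        ("SHA-256 truncated to 16 bits", truncated_sha256())):
        mean, p = preimage_stats(table)
        print("%-30s mean preimages %.4f, P(true preimage) %.4f"
              % (name, mean, p))
```

The two measured quantities are exact reciprocals of each other, since both reduce to the fraction of digests that are reachable.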

