[Cryptography] Name for a specific type of preimage resistance

Michael Kjörling 9bf3a7ef93bb at ewoof.net
Tue Dec 13 05:32:34 EST 2022


On 12 Dec 2022 05:54 +0000, from pgut001 at cs.auckland.ac.nz (Peter Gutmann):
> The specific problem here is "given hash( secret_value ), can you recover
> secret_value from its hash"?

I would say that in the general case, the answer to that is plain and
simply "no".

Why? Because the size of the input space is effectively unbounded,
whereas the size of the output space is bounded. A hash algorithm
accepts an (essentially) arbitrarily-large input, and produces a
fixed-size output. For any input size larger than the output size,
which is likely to be the normal case for hashing in practice and
would certainly be a design criterion for a real-world hash function,
there _must_ exist more than one input that produces some given output
(though not _necessarily_ the _exact_ output you are working with).

Absent _a priori_ information, you cannot tell after the fact _which_
input was given to the hash function to produce the specific output
hash value seen. You can only tell that _a_ given input (preimage)
produces the same output hash value as observed.

If we can assume that any candidate input value is of no larger size
than the output hash size, it _might_ become possible to treat hash()
as a one-to-one mapping between input and output values. But I don't
think that you have mentioned this constraint, and even in this
restricted scenario it may not be the case generally.

-- 
✍  Michael Kjörling                  🏡 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
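
An added illustration of the counting argument in the message above (not part of the original post): a constructed toy hash, SHA-256 truncated to at most 16 bits, is enumerated exhaustively over all 2-byte inputs. The names `tiny_hash`, `preimage_table`, `candidates` and the sample secret are assumptions made for this example.

```python
import hashlib
from collections import defaultdict
from itertools import product

def tiny_hash(data: bytes, bits: int) -> int:
    """Constructed toy hash: the top `bits` bits (bits <= 16) of SHA-256(data)."""
    top16 = int.from_bytes(hashlib.sha256(data).digest()[:2], "big")
    return top16 >> (16 - bits)

def preimage_table(input_len: int, bits: int) -> dict:
    """Map each reachable output to the list of all input_len-byte inputs producing it."""
    table = defaultdict(list)
    for tup in product(range(256), repeat=input_len):
        data = bytes(tup)
        table[tiny_hash(data, bits)].append(data)
    return table

def candidates(observed: int, table: dict, prior=None) -> list:
    """Inputs consistent with the observed hash, optionally filtered by a priori knowledge."""
    return [m for m in table.get(observed, []) if prior is None or prior(m)]

if __name__ == "__main__":
    secret = b"ok"  # constructed sample secret

    # Case 1: input space (2^16) larger than output space (2^12).
    wide = preimage_table(2, 12)
    observed = tiny_hash(secret, 12)
    everything = candidates(observed, wide)
    print("inputs matching the observed hash:", len(everything))
    print("largest preimage set (pigeonhole says >= 16):",
          max(len(v) for v in wide.values()))

    # A priori information (here: "two lowercase ASCII letters") shrinks the set.
    lowercase = candidates(observed, wide,
                           prior=lambda m: m.isalpha() and m.islower())
    print("matching inputs given the prior:", lowercase)

    # Case 2: inputs no larger than the output (2^16 inputs, 2^16 outputs).
    narrow = preimage_table(2, 16)
    print("distinct outputs reached:", len(narrow), "of 65536")
    print("one-to-one mapping:", len(narrow) == 65536)
```

The hash alone identifies only a set of matching inputs; the prior is what narrows that set, and the equal-size case still leaves some outputs with several preimages and others with none.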


