Why does second pre-image resistance imply pre-image resistance

Question

I am studying hash functions. I can understand why collision resistance implies second preimage resistance, but I don't get why second preimage resistance should imply first preimage resistance.

Could anybody be help me with this argument from Introduction to Modern Cryptography by Katz & Lindell, please?

1. Collision resistance: This is the strongest notion and the one we have considered so far.

2. Second pre-image resistance: Informally speaking, a hash function is second pre-image resistant if given $s$ and $x$ it is infeasible for a probabilistic polynomial-time adversary to find $x' \ne x$ such that $H^s(x') = H^s(s)$.

3. Pre-image resistance: Informally, a hash function is pre-image resistant if given $s$ and $y = H^s(x)$ (but not $x$ itself) for a randomly chosen $x$, it is infeasible for a probabilistic polynomial-time adversary to find a value $x'$ such that $H^s(x') = y$. (Looking ahead to later chapters in the book, this essentially means that $H^s$ is one-way.)

[...] Likewise, any hash function that is second pre-image resistant is also pre-image resistant. This is due to the fact that if it is possible to invert $y$ and find an $x^\prime$ such that $H^s (x^\prime ) = y$ then it is possible to take $x$, compute $y = H^s (x)$ and invert it again obtaining $x^\prime$. Since the domain of $H$ is infinite, it follows that with good probability $x \neq x^\prime$. We conclude that the above three security requirements form a hierarchy with each definition implying the one below it.

Answer 1

Let me try to elaborate on their proof. Suppose you had a hash function $H$ that was second-preimage resistant but not first-preimage resistant. By showing that this leads to a contradiction, we will be showing that with second-preimage resistance, you must have first-preimage resistance. Namely, we will show that the lack of first-preimage resistance is enough to break second-preimage resistance.

When breaking second-preimage resistance, we are given a random $x$ and the goal is to find another $x' \ne x$ such that $H(x') = H(x)$. Suppose we are given a random $x$. Then we can compute $H(x)$ and then use our preimage-finding algorithm (since this hash function isn't first-preimage resistant, remember?) to find an input $x'$ such that $H(x') = H(x)$.

The question becomes whether or not $x' = x$. For a hash function with an infinite domain, there are infinitely many inputs that $H$ maps to the same output. That is, there exist infinitely many second-preimages for any particular $x$; the question is whether or not we can find one.

Intuitively, the preimage-finding algorithm "should" give back an $x' \ne x$. After all, there are infinitely many inputs that map to the same output as $x$, so the probability that we find the exact $x$ we were given "should be" low, right?

So we should have an $x' \ne x$ such that $H(x') = H(x)$. But this is a second preimage! Thus, assuming that $x'$ indeed does not equal $x$, we cannot have a hash function that has second-preimage resistance but not first-preimage resistance. Thus, second-preimage resistance must imply first-preimage resistance. This is not a formal proof: just an intuitive argument.

The crucial assumption in this "proof" is that the domain is infinite. If it were not infinite, then all bets are off. In that case, the output size of the hash function needs to be sufficiently small relative to the input size for this argument to hold. I've written about that idea in great detail on my answer on the question "Pre-image resistant but not 2nd pre-image resistant?", so I refer you to that for more technical details.

Answer 2

Consider this hash: $$H(m) = m$$ Where we define it's domain to be messages of some arbitrary fixed-length.

It is completely second pre-image resistant.

It is not at all first pre-image resistant.

Therefore:

Second pre-image resistance does not imply first pre-image resistance.

Answer 3

I know this post is old, sorry for bump, but I came across an interesting example that might invalidate the accepted answer.

Consider the following hash: H(m) = SHA1(m) | {first 10 bits of m, padded with 0 if len(m) < 10 bits} (clamped concatenation with SHA1).

This function is clearly not first pre-image resistant, as for any m such that len(m) < 10 bits we can find the pre-image easily by taking the last 10 bits (and remove the padding) of H(m).

However, I think that it is actually second pre-image resistant, as we cannot easily find another m' != m such that H(m) = H(m').

Therefore, it would mean that second pre-image resistance does not imply first pre-image resistance ?

I am curious to have an "expert's opinion" on this curious hash.