48

From Wikipedia:

Second pre-image resistance

Given an input $m_1$ it should be difficult to find another input $m_2$ such that $m_1$ ≠ $m_2$ and $\operatorname{hash}(m_1) = \operatorname{hash}(m_2)$. Functions that lack this property are vulnerable to second-preimage attacks.

Collision resistance

It should be difficult to find two different messages $m_1$ and $m_2$ such that $\operatorname{hash}(m_1) = \operatorname{hash}(m_2)$. Such a pair is called a cryptographic hash collision.

Could someone explain the difference between these two please? They very much appear to be identical to me, as in both definitions $m_1 \neq m_2$ and $\operatorname{hash}(m_1) = \operatorname{hash}(m_2)$.

yyyyyyy
  • 12,081
  • 4
  • 47
  • 68
ritch
  • 583
  • 1
  • 4
  • 6
  • Further read: https://stackoverflow.com/questions/28378326/difference-between-preimage-resistance-and-second-preimage-resistance – hola Sep 15 '20 at 23:39

1 Answers1

75

The difference is in the choice of $m_1$.

  • In the first case (second preimage resistance), the attacker is handed a fixed $m_1$ to which he has to find a different $m_2$ with equal hash. In particular, he can't choose $m_1$.
  • In the second case (collision resistance), the attacker can freely choose both messages $m_1$ and $m_2$, with the only requirement that they are different (and hash to the same value).

(From this, it is also obvious that collision resistance implies second preimage resistance: An attacker can just choose an arbitrary $m_1$ and compute a second preimage $m_2$ to obtain a collision.)

yyyyyyy
  • 12,081
  • 4
  • 47
  • 68
  • Then it sounds like collision-resistant hash functions are not necessary for digital signatures to be secure. Without an already known signature, there'd be no hash to forge a signature against. I must be wrong with that. – Melab Jul 26 '23 at 20:15