Quiz Entry - updated: 2026.07.14
What are the three security properties a cryptographic hash function must satisfy?
Preimage resistance, second-preimage resistance, collision resistance — three increasingly strong properties.
| Property | Informal | Formal |
|---|---|---|
| Preimage resistance | Given a hash, can't find any message that produces it | Given h, find m such that H(m) = h — should be infeasible |
| Second preimage resistance | Given a message, can't find a different message with the same hash | Given m₁, find m₂ ≠ m₁ such that H(m₁) = H(m₂) — infeasible |
| Collision resistance | Can't find any two messages with the same hash | Find any pair m₁ ≠ m₂ such that H(m₁) = H(m₂) — infeasible |
Why three? Each guards a different threat:
- Preimage: "An attacker sees the hash of my password; can they recover the password?" (No, if preimage-resistant.)
- Second preimage: "An attacker has my signed contract; can they substitute a different contract that produces the same hash?" (No, if 2nd-preimage-resistant.)
- Collision: "Can an attacker craft two documents — a benign one and an evil one — with the same hash, get me to sign the benign one, then swap?" (No, if collision-resistant.)
Birthday paradox makes collision the easiest to violate — for an n-bit hash, collision attacks need only 2^(n/2) work, vs 2^n for preimage. So SHA-256 has 128-bit collision strength but 256-bit preimage strength.
Concrete state of common hashes (2024):
| Algorithm | Collision attack | Preimage attack |
|---|---|---|
| MD5 | Broken (seconds on a laptop) | 2¹²³ (theoretical) |
| SHA-1 | Broken (Google's SHAttered, 2017) | 2¹⁶⁰ (still strong) |
| SHA-256, SHA-3, BLAKE3 | No practical attack | No practical attack |
Tip: A broken collision resistance is enough to abandon a hash for signatures and certificates — that's why CAs stopped issuing SHA-1 certificates in 2017.