What are the three security properties that a cryptographic hash function must satisfy?
Preimage resistance, second preimage resistance (weak collision resistance), and collision resistance (strong collision resistance).
* The three properties differ by what the attacker is handed: a target hash (preimage), one document (2nd-preimage), or nothing at all (collision). *
1. Preimage resistance (Urbildresistenz): Given a hash value $y \in \{0,1\}^n$, it's infeasible to find any $x$ such that $h(x) = y$.
- This is the defining property of a cryptographic hash function.
2. Second preimage resistance (weak collision resistance): Given $x$ and its hash $h(x)$, it's infeasible to find a different $x' \neq x$ such that $h(x') = h(x)$.
- The attacker knows one document and tries to forge another with the same hash.
3. Collision resistance (strong collision resistance): It's infeasible to find any two values $x \neq x'$ such that $h(x) = h(x')$.
- The attacker has freedom to choose both documents.
Additional required (non-security) properties:
- Deterministic: Same input always produces same output
- Efficient: Computing the hash must be fast
Go deeper:
Collision resistance (Wikipedia) — how the three properties relate and why collision resistance is the hardest to guarantee.
Preimage attack (Wikipedia) — the attack that the (second-)preimage properties defend against.