What is a pre-image attack on a hash function, and how does it threaten digital signatures?
A pre-image attack finds a different message $m'$ with the same hash as a given message $m$ — allowing an attacker to forge a document that passes signature verification.
* Find a forged m' with h(m') = h(m); the old signature still verifies. Effort ~2^n. *
The attack:
Given a signed document $m$ with hash $h(m)$, find a different document $m' \neq m$ such that:
$$h(m') = h(m)$$
Impact on signatures: If Eve finds such an $m'$, she can substitute it for $m$ — the signature remains valid because the hash hasn't changed. Bob would verify the signature successfully on the forged document.
Difficulty: For a hash function with output length $n$ bits, a brute-force pre-image attack requires approximately $2^n$ attempts.
Example: For SHA-256 ($n = 256$), an attacker needs ~$2^{256}$ attempts — computationally infeasible. But for MD5 ($n = 128$), attacks have been demonstrated in practice.
Go deeper:
Preimage attack — first vs. second pre-image resistance.