The Symbiosis between Collision and Preimage Resistance

We revisit the definitions of preimage resistance, focussing on the question of finding a definition that is simple enough to prove security against, yet flexible enough to be of use for most applications. We show that—counter to what was previously thought—Rogaway and Shrimpton’s notion of everywhere preimage resistance on its own does not fit this bill. We thus set out to fix the situation. Our contributions here are twofold. We give an in-depth analysis of existing preimage resistance notions, emphasizing the important difference between domain-oriented and range-oriented preimage resistance. For the former an element is chosen from the domain and hashed to form the target digest; for the latter the target digest is chosen directly from the range. We introduce several new notions, among them somewhere preimage resistance, which is a better measure of insecurity than existing notions. Furthermore, we establish relations and separations between the known and new preimage notions, thus showing a clear and strong separation between the two approaches to select a target digest. Our second and main contribution is the observation that in conjunction with collision resistance, everywhere preimage resistance is the right notion. We show that for an iterated hash function preimage resistance holds with respect to any input distribution of sufficient Rényi2-entropy provided that the hash function is collision resistant and its final part is everywhere preimage resistant. A slightly stronger statement applies for hash chains, implying that collision resistance and everywhere preimage resistance suffice for instance for the security of the Winternitz one-time signature scheme.