Preimage attack

Preimage attacks ( also Engl. Preimage attack) are attacks on a cryptographic hash function with a view to a given hash of an unknown message (First - preimage attack also Engl. First- preimage attack) or for a given message itself ( Second - preimage attack also engl. second- preimage attack) to find another message that produces the same hash.

  • When first - preimage attack, the goal is to find a hash value of a prototype.

Where: hash, the message M does not need to be known Wanted:, such that: =

  • In the second - preimage attack, the goal is to find an item a second prototype, which is hashed to the same value.

Given: message so can be calculated the hash of the message Wanted:, such that: =


The text of the contract ( " I order a coffee for € 100 " ) was signed using a hash. An attacker can then either the hash of the signature alone or additionally know the text of the Treaty. For the hash algorithm used, there is a practical preimage attack, in the first case only a first preimage attack is possible in the second case there are two types of attacks. Thus, the attacker can now produce texts that have the same hash as the Treaty. These texts will be no meaningful message in the normal case. Therefore, the attacker needs to generate long texts until they form a meaningful message and suitable for his attack are ( " I order 200 coffee machines for each € 2,000 ").


If passwords are encoded directly using a hash, and the attacker is known only to the hash, so he can gain another password by a first - preimage attack. Since this second password has the same hash, an attacker can thus gain access.

Does the attacker now Already a password, for example, by a first - preimage attack or foreknowledge, so he can now by this additional information ( and by that of the previously known hashes of the correct passwords) by a second - preimage attack yet provide more valid passwords.

Basically, can not be decided whether passwords that have been identified by attacking hashes are original. Because with all the usual hash functions, each hash virtually unlimited number of possible passwords are facing (non- injectivity ). There are even saved any features except the actual hash, which would allow further verification.


Due to the fact that in a second - preimage attack more information is available than for a First - preimage attack can be when viewing equations, differential paths, etc. of the compression function of the hash function to hold more variables or bind to other variables, so that their number decreases to degrees of freedom and can thus reduce the effort required.

After the knowledge of a suitable message by a second - preimage attack can be easily converted by applying the hash function to the hash required for the first - preimage attack. With the right hash of a first - preimage - attack can, however, no suitable message with less effort than find a second preimage attack. So you get to a certain extent given a first - preimage attack with a second - preimage attack.

Preimage attacks are much more difficult to perform than a collision attack because pre-image attacks are always looking for a special message to another specific message or a hash value, whereas a collision attack investigated any message to any other message. See also: Birthday paradox. For example, a collision attack on SHA -1 needs about 252 attempts, a preimage attack in 2104, not twice, but 252 times as many attempts.