## What would happen if SHA256's pre-image or collision resistance would be broken?

1

I'm experimenting with some self study cryptography and I was curious about the two following scenarios (simple answers and/or in relation to bitcoin)

If SHA256 was found to lack pre-image resistance, would it make solving the puzzle easier?

Alternatively, if the algorithm was found to be not collision resistant - would the puzzle again be easier to solve?

Thanks

## Answers

0

Preimage resistance and collision resistance are not absolute, they are just matters of amount of computation that is necessary to solve certain problems. For example, for an ideal hash function with 256-bit output, an order of 2256 evaluations are needed to find a preimage, and an order of 2128 evaluations are needed to find a collision. Anything less is considered an attack.

For example, if you can find collisions with just 2124 evaluations (and not because you are lucky, but because you use some approach specific to the function), this is an attack, but it is not practical because 2124 is still immensely large.

Moreover, for Bitcoin mining, you need to find only partial preimages, not full preimages. For example, to find a value such that first 50 bits of its hash are zeros, you need 250 hash evaluations, assuming the hash is ideal. And there is a problem: if the hash is not preimage-resistant (so you need, for example, just 2240 evaluations to find a preimage, rather than 2256), this doesn't tell anything about resistance to finding partial preimages (so the above problem may still take 250 evaluations, but may take only 234). And lack of collision resistance doesn't tell anything at all about the difficulty of finding partial preimages. However, Bitcoin depends on collision resistance of SHA256 in other places, so it is still important.

1

Any collision resistant hashing function Hk : {0,1}* → {0,1}k is pre-image resistant regarding the uniform distribution on {0,1}2k.

A ⇒ B ⇔ ¬B ⇒ ¬A: I.e. if a function isn't pre-image resistant it is not collision resistant either.

SHA256 is a function that maps a potentially unlimited set of numbers to a smaller set of numbers.

Hk : {0,1}* → {0,1}k

Collision resistance is a property that loosely says, it is difficult to find two inverse images X ≠ X' that have the same image H(X) = H(X').

More to the point:
A function H is collision resistant, if any algorithm can only find a collision with a negligible probability in probabilistic polynomial time.

I.e. if SHA256 would turn out to not be collision resistant, one could try to pick hashes that would succeed at the current difficulty, use the above predicted inverse function of SHA256 to calculate inverse image candidates, and finally check whether one can satisfy them with the currently available block input.

My gut feeling would be though, that it would be pretty difficult to find inverse images that also satisfy the required structure of the block input, especially getting right the hash of the parent block, and matching an address that one controls for the coinbase transaction.

Unfortunately, I have no idea whether the complexity of that would be greater or smaller than bruteforce mining.

I am currently studying for an exam whose topic includes Collision Resistance, pre-image resistance, and so forth. So, please take in account that I am by no means a cryptography expert before building on my answer. :) – Murch – 2014-09-25T15:10:16.973

I thought that Pre-image resistance and Collision resistance are something akin to mutually exclusive? Its more of a relationship between collision resistance and secondary pre-image resistance right? – mcdoomington – 2014-09-25T15:44:33.377

@mcdoomington: Target Collision Resistance (or Second Pre-Image Resistance) is between the two: For big domains hashed to a smaller image sets it is Collision Resistance ⇒ Second Pre-Image Resistance ⇒ Pre-Image resistance. Also see Does collision resistance imply (or not) second-preimage resistance?

– Murch – 2014-09-25T20:52:21.927