Question
I wanted to learn a bit about the relationship between different properties of cryptographic hash functions, so I looked at the appropriate chapter in the Boneh-Shoup cryptography textbook.
Page 337 gives the implication chain:
$\text{collision resistance} \implies \text{2nd-preimage resistance} \implies \text{preimage resistance (one way)}$
assuming that the input space is a super-polynomial factor larger and than the output space.
The book leaves these as an exercise to the reader. The first implication is straight forward to prove. I am struggling a bit on the second one, and was wondering if anyone knew how to prove it?
Definitions:
Let $H: M \to T$ be a function.
Page 336 gives definitions of the various properties, the essence of which are:
The collision resistance game is that an adversary outputs $(m_1, m_2) \in M^2$, ideally so that $H(m_1) = H(m_2)$ and $m_1 \neq m_2$.
The 2nd-preimage resistance game is that an adversary outputs $m_2 \in M$ when provided $m_1$, a uniform-randomly sampled elem of $M$, ideally so that $H(m_1) = H(m_2)$ and $m_1 \neq m_2$.
The preimage resistance game is that an adversary outputs $m' \in M$ when provided $H(m)$, where $m$ is uniform-randomly sampled from $M$, ideally so that $H(m') = H(m)$.
The advantages are defined how you would expect. The hash function has one of these properties iff there is no non-negligible advantage + efficient adversary against it in the corresponding game.
Book's Hints / What I Have Tried
The hints are as follows:
Let $s = \frac{|M|}{|T|}$ [The compression factor of the hash function].
- Show that at most $\frac{1}{s}$ of the elements of $M$ do not have a second preimage
Let $W$ be the set of elements of $M$ without a second preimage. $H$ restricted to $W$ is injective.
$\frac{|M|}{s} = |T|$, so if $|W| > \frac{|M|}{s}$, then $|W| > |T|$, impling $H$ restricted to $W$ is not injective.
- Use this to then show that $\text{OWAdv}[\mathcal A,H] \leq 2 \cdot \text{SPRAdv}[\mathcal B, H] + \frac{1}{s}$, where $\mathcal B$ is an elementary wrapper around $\mathcal A$.
From $\mathcal A$, we construct the preimage resistance game adversary $\mathcal B$ as follows:
$\mathcal B$ receives $m_0 \in M$ as input. It computes $H(m_0)$, invokes $\mathcal A$ with that as its input, and then outputs $\mathcal A$'s output.
Let $m \overset{R}{\leftarrow} M$. Let $\text{PRWin}$ be the event "$m' \leftarrow A(H(m)) \wedge H(m') = H(m)$". Let $\text{PreImg}$ be the event where $m$ has a second preimage through $H$.
$\text{OWAdv}[\mathcal A,H] = \Pr[\text{PRWin}] = \Pr[\text{PRWin} \wedge \text{PreImg}] + \Pr[\text{PRWin} \wedge \text{PreImg}^c] \leq \Pr[\text{PRWin} \wedge \text{PreImg}] + \frac{1}{s}$
If I am on the right track, working backwards from the desired result, it seems like $\text{PRWin} \wedge \text{PreImg}$ needs to be reframed in terms of how $\mathcal B$ does in the second-preimage resistance game.
I had one idea, but I'm not sure how valid it is. Let $\text{SPRWin[x]}$ be the event "$m' \leftarrow A(H(x)) \wedge H(m') = H(x) \wedge m' \neq x$". Aka, "$\mathcal B$ wins the second preimage resistance game with $x$ as the input".
Now, let $m^*$ be a random variable that is uniformly distributed over $M$, but such that $m^*$ never equals $m$ for any outcome on the outcome space and $H(m^*) = H(m)$ is always true [unless $m$ doesn't have a second preimage, then $m$ can be equal $m^*$].
Now, $(\text{SPRWin}[m^*] \vee \text{SPRWin}[m]) \wedge \text{PreImg}$ = $\text{PRWin} \wedge \text{PreImg}$
So, $\Pr[\text{PRWin} \wedge \text{PreImg}] \leq \Pr[\text{SPRWin}[m^*] \vee \text{SPRWin}[m]] \leq \Pr[\text{SPRWin}[m^*]] +\Pr[\text{SPRWin}[m]] = 2\cdot \text{SPRAdv}[\mathcal B, H]$
My main concern is on the validity of this trick of using $m^*$. I guess I never questioned how exactly the challenger must randomly sample things in these types of games. The book, at least in this section, doesn't go any deeper into formalism other than just stating that the challenger "randomly samples $m \in M$".
