Properties of a cryptographic hash function

We use JavaScript to display the mathematics on this page. Please enable JavaScript in your browser for it to work.

A hash function $h(M)$ takes as input a message $M$ of any length and outputs a message digest or hash value of a fixed length, $n$. For a given message $M$, the output is always the same.

In mathematical notation, we write

$h: \{0,1\}^{*} \rightarrow \{0,1\}^n$, where $\{0,1\}^n$ represents a bitstring of length $n$.

A cryptographic hash function has the following three properties

Preimage resistance: Given $h(M) = x$ it is computationally infeasible to compute $M$.
Second preimage resistance: Given $h(M) = x$ it is computationally infeasible to find a message $M' \ne M$ such that $h(M') = x$.
Collision resistance: It is computationally infeasible to find two messages $M_1$ and $M_2$ such that $h(M_1) = h(M_2)$.

If the message digest length is $n$ bits, the time complexity of a preimage or second preimage attack is $2^n$. But the time complexity of a collision attack is only $2^{n/2}$ (using a birthday attack).

Therefore resistance against a collision attack (strong collision resistance) requires a hash value at least twice as long as that required for preimage resistance (weak collision resistance).

Note that SPHINCS+ is not affected by a collision attack against the hash function.

<< previous: SPHINCS+ A stateless hash-based signature scheme

Contents

next: One-time signature (OTS) scheme >>

Contact us

To comment on this page or to contact us, please send us a message.

This page first published 17 March 2023. Last updated 9 September 2025.