## Where do hash functions get their preimage resistance? [migrated]

I read through this answer and it seemed to make sense to me, but when I try to make a simpler answer to explain it to myself I lose something in the process.

Here is the much simpler hash function I wrote after reading the description of how MD5 works.

1. Take in a single digit integer input as M
2. Define A[0] to be some public constant
3. for int i=1; i<=4; i++:
A[i] = (A[i-1] + M) mod 10
4. return A[4]

This hash function uses the message word in multiple rounds, which is what the answer says leads to preimage resistance. But with some algebra using mod addition we can reduce this "hash function" to just A[i] = (A[0] + i*M) mod 10.

A[1] = (A[0] + M) mod 10 A[2] = (A[1] + M) mod 10    //Substitute A[1] in      = ((A[0] + M) mod 10 + M) mod 10   // Distribute outer mod 10 in      = ((A[0] + M) mod 10 mod 10 + M mod 10) mod 10 // simplify mod 10 mod 10 to mod 10      = ((A[0] + M) mod 10 + M mod 10) mod 10    // Distribute inner mod 10      = ((A[0] mod 10 + M mod 10) mod 10 + M mod 10) mod 10  //factor mod 10 out      = ((A[0] mod 10 + M mod 10) + M) mod 10    // remove redudent paraens      = (A[0] mod 10 + M mod 10 + M) mod 10  // factor mod 10 in      = (A[0] mod 10 mod 10 + M mod 10 mod 10 + M mod 10) mod 10 // simplify mod 10 mod 10 to mod 10      = (A[0] mod 10 + M mod 10 + M mod 10) mod 10   // factor mods 10 out      = (A[0] + M + M) mod 10      = (A[0] + 2M) mod 1 // Repeat with A[3] to find A[3] = (A[0] + 3M) mod 10 and so on 

Because A[i] = (A[0] + i*M) mod 10 is not preimage resistant, I’m confused as to what action in a hash function gives it its preimage resistance. To phrase my question another way, if I wanted to write a super simple hash function, what would I need to include to be preimage resistant?

## Preimage of a constructible set in spectrum of a subring

While working through a proof of this paper, at the beginning of page 42, the author seems to claim the following is true:

Let $$R\subset S$$ be rings, where $$R$$ is a finite type algebra over $$\mathbb F_p$$. Consider the associated map of the prime spectra $$\varphi:\text{Spec}(S)\rightarrow \text{Spec}(R).$$ Suppose that $$K\subset \text{Spec}(R)$$ is a constructible subset such that $$\varphi^{-1}(K)=\varnothing$$. Prove that there exists an $$R\subset R^{‘}\subset S$$, such that $$R’$$ is a finite type $$R-$$algebra and that if $$\psi:\text{Spec}(R’)\rightarrow \text{Spec}(R).$$ is the associated map of spectra, then $$\psi^{-1}(K)=\varnothing$$.

I believe that I have an argument for the case when $$K$$ is a finite subset. One could think of $$S$$ as a direct limit of its finitely generated $$R$$-subalgebras and therefore $$Spec(S)$$ should equal an inverse limit of the spectra of the finitely generated $$R$$-subalgebras. For each prime in $$K$$, choose a finitely generated $$R$$-subalgebra where it does not have a preimage, and the rest is clear. However, I don’t know what to do for the general case.

## preimage of a torsion free subgroup

Let $$\phi: G \to H$$ be a surjective group homomorphism, and ker$$(\phi)$$ is torsion free. Let $$B$$ be a torsion-free subgroup of $$H$$. Show that $$A = \phi^{-1}(H)$$ is torsion free. I’m confused why we need the condition that ker$$\phi$$ is torsion free.

## preimage resistance

I’m struggling to get a clear understanding of second preimage resistance and collision resistance.

Research on the internet yielded the following definitions:

Second pre-image resistance

Given an input m1, it should be difficult to find a different input m2 such that hash(m1) = hash(m2). Functions that lack this property are vulnerable to second-preimage attacks.

Collision resistance

It should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2). Such a pair is called a cryptographic hash collision. This property is sometimes referred to as strong collision resistance. It requires a hash value at least twice as long as that required for pre-image resistance; otherwise collisions may be found by a birthday attack.

As far as I understand, every collision resistant hash function is also second pre-image resistant.

I don’t understand why collision resistance is harder to achieve, given that input m1 of second pre-image resistance could still be theoretically any input in the domain of the hash function.