In cryptography, a **preimage attack** on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage (set of possible inputs).

In the context of attack, there are two types of preimage resistance:

- *preimage resistance*: for essentially all pre-specified outputs, it is computationally infeasible to find any input that hashes to that output; i.e., given `y`, it is difficult to find an `x` such that `h`(`x`) = `y`.^{[1]}
- *second-preimage resistance*: for a specified input, it is computationally infeasible to find another input which produces the same output; i.e., given `x`, it is difficult to find a second input `x`′ ≠ `x` such that `h`(`x`) = `h`(`x`′).^{[1]}

These can be compared with collision resistance, in which it is computationally infeasible to find any two distinct inputs `x`, `x`′ that hash to the same output; i.e., such that `h`(`x`) = `h`(`x`′).^{[1]}

Collision resistance implies second-preimage resistance, but does not guarantee preimage resistance.^{[1]} Conversely, a second-preimage attack implies a collision attack (trivially, since, in addition to `x`′, `x` is already known right from the start).

## Applied preimage attacks

By definition, an ideal hash function is such that the fastest way to compute a first or second preimage is through a brute-force attack. For an `n`-bit hash, this attack has a time complexity $2^{n}$, which is considered too high for a typical output size of `n` = 128 bits. If such complexity is the best that can be achieved by an adversary, then the hash function is considered preimage-resistant. However, there is a general result that quantum computers perform a structured preimage attack in $\sqrt{2^{n}} = 2^{n/2}$, which also implies second preimage^{[2]} and thus a collision attack.

Faster preimage attacks can be found by cryptanalysing certain hash functions, and are specific to that function. Some significant preimage attacks have already been discovered, but they are not yet practical. If a practical preimage attack is discovered, it would drastically affect many Internet protocols. In this case, “practical” means that it could be executed by an attacker with a reasonable amount of resources. For example, a preimaging attack that costs trillions of dollars and takes decades to preimage one desired hash value or one message is not practical; one that costs a few thousand dollars and takes a few weeks might be very practical.

All currently known practical or almost-practical attacks^{[3]}^{[4]}^{[5]} on MD5 and SHA-1 are collision attacks.^{[citation needed]} In general, a collision attack is easier to mount than a preimage attack, as it is not restricted by any set value (any two values can be used to collide). The time complexity of a brute-force collision attack, in contrast to the preimage attack, is only $2^{n/2}$.
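The gap between the two brute-force costs can be measured directly on a deliberately tiny hash. The following is an added example, not part of the original article: the toy hash (SHA-256 truncated to 16 bits), the message formats and all function names are assumptions chosen so both searches finish in seconds.

```python
import hashlib
from itertools import count

N_BITS = 16  # toy output size so both searches finish in seconds (assumption)

def h(msg: bytes, n_bits: int = N_BITS) -> int:
    """Toy n-bit hash: the top n_bits of SHA-256 (constructed for this demo)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)

def preimage_search(target: int, run: int, n_bits: int = N_BITS):
    """Brute-force preimage: hash candidate messages until one equals target."""
    for i in count():
        msg = b"p-%d-%d" % (run, i)
        if h(msg, n_bits) == target:
            return msg, i + 1  # (preimage found, number of hash evaluations)

def collision_search(run: int, n_bits: int = N_BITS):
    """Brute-force collision: remember every digest, stop at the first repeat."""
    seen = {}
    for i in count():
        msg = b"c-%d-%d" % (run, i)
        digest = h(msg, n_bits)
        if digest in seen:
            return seen[digest], msg, i + 1  # two distinct colliding messages
        seen[digest] = msg

def average_costs(runs: int = 10, n_bits: int = N_BITS):
    """Mean hash evaluations per search over several independent runs."""
    pre_total = col_total = 0
    for run in range(runs):
        # Constructed target: only the digest is handed to the search.
        target = h(b"unknown-input-%d" % run, n_bits)
        pre_total += preimage_search(target, run, n_bits)[1]
        col_total += collision_search(run, n_bits)[2]
    return pre_total / runs, col_total / runs

if __name__ == "__main__":
    pre, col = average_costs()
    print(f"n = {N_BITS}: preimage ~{pre:.0f} hashes (2^n = {2**N_BITS}), "
          f"collision ~{col:.0f} hashes (2^(n/2) = {2**(N_BITS // 2)})")
```

The preimage average lands near 2^16 evaluations while the collision average stays within a small multiple of 2^8, which is why output sizes are chosen with the collision bound in mind.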

### Restricted preimage space attacks

The computational infeasibility of a first preimage attack on an ideal hash function assumes that the set of possible hash inputs is too large for a brute-force search. However, if a given hash value is known to have been produced from a set of inputs that is relatively small or is ordered by likelihood in some way, then a brute-force search may be effective. Practicality depends on the input set size and the speed or cost of computing the hash function.

A common example is the use of hashes to store password validation data for authentication. Rather than store the plaintext of user passwords, an access control system stores a hash of the password. When a user requests access, the password they submit is hashed and compared with the stored value. If the stored validation data is stolen, the thief will only have the hash values, not the passwords. However, most users choose passwords in predictable ways, and many passwords are short enough that all possible combinations can be tested if fast hashes are used, even if the hash is rated secure against preimage attacks.^{[6]} Special hashes called key derivation functions have been created to slow searches. *See* Password cracking.