There are three popular kinds of attacks on hash functions:

“Collision” Attacks

In a secret laboratory, I create Document A, which has a hash of “1234”

Document A, which has a hash of “1234” In the same laboratory I also create Document B, which also has a hash of “1234”

Document B, which has a hash of “1234” I show you both A and B, and “1234”, smile, and say: “Aren’t I clever?”

This is what Shattered is, and most past attacks on MD5 too. It’s important in situations where people might give you a document (A) and then lie about it later, saying they actually gave you (B).

“Second Preimage” Attacks

You give me Document A (source material) which has a hash of “1234”

Document A (source material) which a hash of “1234” You challenge me to find a Document B which also hashes to “1234”

to find a Document B which hashes to “1234” I’m probably screwed, unless you used a hash function that is massively, stupidly outdated, or I have several warehouses of computers.

Nobody has done this to SHA yet.

“Preimage” (First-Preimage?) Attacks

You challenge me to find a Document (X?) which hashes to “1234”

to find a Document (X?) which hashes to “1234” You don’t give me any source material.

Document X may need to be fit for some predetermined purpose.

I’m pretty comprehensively screwed, unless you really messed up behind the scenes and I can work out how.

This is generally how Tor Onion Addresses work. Nobody has done this to SHA yet.

Mitigations and the Future?

Tor is already addressing this anyway.

Also, the chances of a document being both a preimage collision and also a functioning RSA key, are very (?) slim.

References

preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input that hashes to that output, i.e., given y, it is difficult to find an x such that h(x) = y.[1]

second-preimage resistance: it is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that h(x) = h(x′).[1]

a hash function H is collision resistant if it is hard to find two inputs that hash to the same output; that is, two inputs a and b such that H(a) = H(b), and a ≠ b.[1]:136

See Also