> Hash-based digital signatures are secure (resistant to forgery) as long as the hash function they are built on has second-pre-image resistance
I am not very experienced with this, but isn't this clearly wrong?
If I have a controllable collision (like SHA1), I can get someone to sign document A, then destroy all evidence of document A's existence and claim they signed document B.
Isn't it essential that a digital signature scheme is immune against such an attack?
I think generally you're signing things you generated, like your own binaries, your code, that sort of thing. The part where collisions matter is if you're signing someone else's documents, like a CA signing TLS certs, or someone in the web of trust signing the keys of someone based on their ID.
Generally people won't sign garbage or random documents, so Document A has to be of a very specific subset of documents a person would sign. Then finding Document B constitutes a second pre-image attack.
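The scenario debated above, as an added example that is not part of the thread: a toy Lamport one-time signature over a deliberately truncated 16-bit digest (so a collision is cheap to find) shows that a signature over document A verifies document B whenever the two digests match, and that signer-chosen randomness folded into the hash (the usual mitigation, as used for randomized certificate serial numbers) defeats a precomputed pair. Digest size, message format and salt length are assumptions of this example.

```python
import hashlib
import os
import secrets

N_BITS = 16  # toy digest width so a collision is cheap; real schemes use >= 256 bits


def digest_bits(msg: bytes, salt: bytes = b"") -> list[int]:
    """Truncated SHA-256 of salt||msg as N_BITS bits (toy, deliberately weak)."""
    d = hashlib.sha256(salt + msg).digest()
    value = int.from_bytes(d[:2], "big")  # keep only 16 bits of the digest
    return [(value >> i) & 1 for i in range(N_BITS)]


def keygen():
    """Lamport one-time key: two random secrets per digest bit, public hashes of them."""
    sk = [[secrets.token_bytes(16), secrets.token_bytes(16)] for _ in range(N_BITS)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def sign(sk, msg: bytes, salt: bytes = b""):
    """Reveal one secret per digest bit; the salt (if any) travels with the signature."""
    bits = digest_bits(msg, salt)
    return salt, [sk[i][b] for i, b in enumerate(bits)]


def verify(pk, sig, msg: bytes) -> bool:
    """Accepts any message whose (salted) digest matches the one that was signed."""
    salt, reveals = sig
    bits = digest_bits(msg, salt)
    return all(hashlib.sha256(r).digest() == pk[i][b]
               for i, (r, b) in enumerate(zip(reveals, bits)))


def find_collision():
    """Birthday search on the toy digest: two distinct constructed messages, same digest."""
    seen = {}
    i = 0
    while True:
        m = b"document-%d" % i  # constructed sample documents
        key = tuple(digest_bits(m))
        if key in seen:
            return seen[key], m
        seen[key] = m
        i += 1


def demo():
    sk, pk = keygen()
    doc_a, doc_b = find_collision()          # attacker prepared both documents
    sig = sign(sk, doc_a)                    # signer only ever saw doc_a
    forged = verify(pk, sig, doc_b)          # True: the signature transfers to doc_b
    sk2, pk2 = keygen()                      # fresh key: Lamport keys are one-time
    salted = sign(sk2, doc_a, salt=os.urandom(16))  # signer-chosen randomness
    still_forged = verify(pk2, salted, doc_b)       # False: pair no longer collides
    return forged, still_forged
```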