Enhanced Target Collision Resistant Hash Functions Revisited

Transcription

1 Enanced Target Collision Resistant Has Functions Revisited Moammad Reza Reyanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Researc, Scool of Computer Science and Software Engineering University of Wollongong, Australia {mrr790, wsusilo, Abstract. Enanced Target Collision Resistance (etcr) property for a as function was put fort by Halevi and rawczyk in Crypto 2006, in conjunction wit te randomized asing mode tat is used to realize suc a as function family. etcr is a strengtened variant of te well-known TCR (or UOWHF) property for a as function family (i.e. a dedicated-key as function). Te contributions of tis paper are twofold. First, we compare te new etcr property wit te well-known collision resistance (CR) property, were bot properties are considered for a dedicated-key as function. We sow tere is a separation between te two notions, tat is in general, etcr property cannot be claimed to be weaker (or stronger) tan CR property for any arbitrary dedicated-key as function. Second, we consider te problem of etcr property preserving domain extension. We study several domain extension metods for tis purpose, including (Plain, Strengtened, and Prefix-free) Merkle-Damgård, Randomized Hasing (considered in dedicated-key as setting), Soup, Enveloped Soup, XOR Linear Has (XLH), and Linear Has (LH) metods. Interestingly, we sow tat te only etcr preserving metod is a nested variant of LH wic as a drawback of aving ig key expansion factor. Terefore, it is interesting to design a new and efficient etcr preserving domain extension in te standard model. ey words: Has Functions, CR, TCR, etcr, Domain Extension 1 Introduction Cryptograpic as functions are widely used in many cryptograpic scemes, most importantly as building blocks for digital signature scemes and message autentication codes (MACs). Teir application in signature scemes following as-and-sign paradigm, like DSA, requires te collision resistance (CR) property. Contini and Yin [5] sowed tat breaking te CR property of a as function can also endanger security of te MAC scemes, wic are based on te as function, suc as HMAC. Despite being a very essential and widelydesirable security property of a as function, CR as been sown to be a very strong and demanding property for as functions from teoretical viewpoint [21, 4, 17] as well as being a practically endangered property by te recent advances in cryptanalysis of widely-used standard as functions like MD5 and SHA-1 [24, 23]. In response to tese observations in regard to te strong CR property for as functions and its implication on te security of many applications, recently several ways out of tis uneasy situation ave been proposed. Te first approac is to avoid relying on te CR property in te design of new applications and instead, just base te security on oter weaker tan CR properties like Target Collision Resistance ( Ask less of a as function and it is less likely to disappoint! [4]). Tis is an attractive and wise metodology in te design of new applications using as functions, but unfortunately it migt be of limited use to secure an already implemented and in-use application, if te required modifications are significant and ence proibitive (and not cost effective) in practice. Te second approac is to design new as functions to replace current endangered as function standards like SHA-1. For acieving tis goal, NIST as started a public competition for selecting a new secure as standard SHA-3 to replace te current SHA-1 standard [15]. It is oped tat new as standard will be able to resist against all known cryptanalysis metods, especially powerful statistical metods like differential cryptanalysis wic ave been successfully used to attack MD5, SHA-1 and oter as functions [24, 23, 22].

2 2 M. R. Reyanitabar, W. Susilo and Y. Mu Anoter metodology as also recently been considered as an intermediate step between te aforementioned two approaces in [10, 9]. Tis approac aims at providing a safety net by fixing te current complete reliance on endangered CR property witout aving to cange te internals of an already implemented as function like SHA-1 and instead, just by using te as function in some black-box modes of operation. Based on tis idea, Randomized Hasing mode was proposed in [10] and announced by NIST as Draft SP [16]. In a nutsell, Randomized Hasing construction, sown in Figure 1, converts a keyless as function H (e.g. SHA-1) to a dedicated-key as function H defined as H (M) = H( (M 1 ) (M L )), were H is an iterated Merkle-Damgård as function based on a compression function. (M 1 M L is te padded message after applying strengtening padding.) M 1 M 2 M L M 1 M 2 M 3 M L+1 IV C 1 C 2 C 3 C L C L+1 Fig. 1. Randomized Hasing construction Altoug te main motivation for te design of a randomized asing mode in [10] was to free reliance on collision resistance assumption on te underlying as function (by making off-line attacks ineffective by using a random key), in parallel to tis aim, a new security property was also introduced and defined for as functions, namely enanced Target Collision Resistance (etcr) property. Having H as te first example of a construction for etcr as functions in and, we also note tat an etcr as function is an interesting and useful new primitive. In [10], te security of te specific example function H in etcr sense is based on some new assumptions (called c-spr and e-spr) about keyless compression function. However, tis example function H, may be treatened as a result of future cryptanalysis results, but te notion of etcr asing will still remain useful independently from tis specific function. By using an etcr as function family {H } in a as-and-sign digital signature sceme, one does not need to sign te key used for te asing. It is only required to sign H (M) and te key is sent in public to te verifier as part of te signed message [10]. Tis is an improvement compared to using a TCR (UOWHF) as function family were one needs to sign H (M) [4]. Our Contributions Our aim in tis paper is to investigate te etcr asing as a new and interesting notion. Following te previous background on te CR notion, te first natural question tat arises is weter etcr is weaker tan CR in general. It is known tat bot CR and etcr imply TCR property (i.e. are stronger notion tan TCR) [14, 19, 10], but te relation between CR and etcr as not been considered yet. As our first contribution in tis paper, we compare te etcr property wit te CR property, were bot properties are considered formally for a dedicated-key as function. We sow tat tere is a separation between etcr and CR notions, tat is in general, etcr property cannot be claimed to be weaker (or stronger) tan CR property for any arbitrary dedicated-key as function. At first glance, tis may seem to be discouraging for te applications of etcr asing, but we empasize tat tis separation result actually sows te incomparability between etcr and CR notions but it does not formally imply tat for any specific construction of a dedicated-key as function (say te Randomized Hasing construction), acieving te

3 etcr Has Functions Revisited 3 etcr property will be arder tan CR. Altoug our separation result does not rule out te possibility of designing specific dedicated-key as functions in wic etcr migt be easier to acieve compared to CR, it empasizes te point tat any suc a construction sould explicitly sow tat tis is indeed te case. As our second contribution, we consider te problem of etcr preserving domain extension. Assuming tat one as been able to design a dedicated-key compression function wic possesses etcr property, te next step will be ow to extend its domain to obtain a full-fledged as function wic also provably possesses etcr property and is capable of asing any variable lengt message. In te case of CR property te seminal works of Merkle [12] and Damgård [7] sow tat Merkle-Damgård (MD) iteration wit strengtening (lengt indicating) padding is a CR preserving domain extender. Analysis and design of (multi-)property preserving domain extenders for as function as been recently attracted new attention in several works considering several different security properties, suc as [4, 3, 2, 1]. We investigate eigt domain extension transforms for tis purpose; namely Plain MD [12, 7], Strengtened MD [12, 7], Prefix-free MD [6, 11], Randomized Hasing [10] (considered in dedicated-key as setting), Soup [20], Enveloped Soup [2], XOR Linear Has (XLH) [4], and a variant of Linear Has (LH) [4] metods. Interestingly, we sow tat te only etcr preserving metod among tese metods is a nested variant of LH (defined based on a variant proposed in [4]) wic as te drawback of aving ig key expansion factor. From tis analysis, design of a new and efficient etcr preserving domain extender remains an interesting open problem for future work. Te overview of constructions and te properties tey preserve are sown in Table 1. Te symbol means tat te notion is provably preserved by te construction; means tat it is not preserved. Underlined entries related to etcr property are te results sown in tis paper. Sceme CR TCR etcr Plain MD [12, 7] [4] Strengtened MD [12, 7] [4] Prefix-free MD [2] [2] Randomized Hasing [1] [1] Soup [20] [20] Enveloped Soup [2] [2] XOR Linear Has (XLH) [1] [4] Nested Linear Has (LH) [4] [4] Table 1. Overview of constructions and te properties tey preserve. 2 Preliminaries 2.1 Notations If A is a probabilistic algoritm ten by y $ A(x 1,, x n ) it is meant tat y is a random variable wic is defined from te experiment of running A wit inputs x 1,, x n and assigning te output to y. To sow tat an algoritm A is run witout any input (i.e. wen te input is an empty string) we use te notation y $ A(). By time complexity of an algoritm we mean te running time, relative to some fixed model of computation (e.g. RAM) plus te size of te description of te algoritm using some fixed encoding metod. If X is a finite set, by x $ X it is meant tat x is cosen from X uniformly at random. Let x y denote te string obtained from concatenating string y to string x. Let 1 m and 0 m, respectively, denote a string of m consecutive 1 and 0 bits, and 1 m 0 n denote te concatenation of 0 n to 1 m. By (x, y) we mean an injective encoding of two strings x and y, from wic one can efficiently recover x and y. For a binary string M, let M 1...n denote te first n bits of M, M denote its lengt in bits and M b M /b denote its lengt in b-bit blocks. For a positive integer m, let m b denotes binary representation of m by a string of lengt

4 4 M. R. Reyanitabar, W. Susilo and Y. Mu exactly b bits. If S is a finite set we denote size of S by S. Te set of all binary strings of lengt n bits (for some positive integer n) is denoted as {0, 1} n, te set of all binary strings wose lengts are variable but upper-bounded by N is denoted by {0, 1} N and te set of all binary strings of arbitrary lengt is denoted by {0, 1}. 2.2 Two Settings for Has Functions In a formal study of cryptograpic as functions and teir security notions, two different but related settings can be considered. Te first setting is te traditional keyless as function setting were a as function refers to a single function H (e.g. H=SHA-1) tat maps variable lengt messages to fixed lengt output as value. In te second setting, by a as function it is meant a family of as functions H : M {0, 1} n, also called a dedicated-key as function [2], wic is indexed by a key space. A key acts as an index to select a specific member function from te family and often te key argument is denoted as a subscript, tat is H (M) = H(, M), for all M M. In a formal treatment of as functions and te study of relationsips between different security properties, one sould clarify te target setting, namely weter keyless or dedicated-key setting is considered. Tis is wort empasizing as some security properties like TCR and etcr are inerently defined and make sense for a dedicated-key as function [19, 10]. Regarding CR property tere is a well-known foundational dilemma, namely CR can only be formally defined for a dedicated-key as function, but it as also been used widely as a security assumption in te case of keyless as functions like SHA-1. We will briefly review tis formalization issue for CR in Subsection 2.3 and for a detailed discussion we refer to [18]. 2.3 Definition of Security Notions: CR, TCR and etcr In tis section, we recall tree security notions directly relevant to our discussions in te rest of te paper; namely, CR, TCR, and etcr, were tese properties are formally defined for a dedicated-key as function. We also recall te well-known definitional dilemma regarding CR assumption for a keyless as function. A dedicated-key as function H : M {0, 1} n is called (t, ɛ)-x secure, were x {CR, TCR, etcr} if te advantage of any adversary, aving time complexity at most t, is less tan ɛ, were te advantage of an adversary A, denoted by Adv x H (A), is defined as te probability tat a specific winning condition is satisfied by A upon finising te game (experiment) defining te property x. Te probability is taken over all randomness used in te defining game as well as tat of te adversary itself. Te advantage functions for an adversary A against te CR, TCR and etcr properties of te as function H are defined as follows, were in te case of TCR and etcr, adversary is denoted by a two-stage algoritm A = (A 1, A 2 ): } Adv CR H { (A) = Pr $ ; (M, M ) $ A() : M M H (M) = H (M ) } Adv T H {(M, CR (A) = Pr State) $ A 1 (); $ ; M $ A2 (, State) : M M H (M) = H (M ) Adv H (M, State) $ A 1 (); (A) = Pr $ ; : (, M) (, M ) H (M) = H (M ) (, M ) $ A 2 (, State); CR for a eyless Has Function. Collision resistance as a security property cannot be formally defined for a keyless as function H : M {0, 1} n. Informally, one would say tat it is infeasible to find two distinct messages M and M suc tat H(M) = H(M ). But it is easy to see tat if M > 2 n (i.e. if te function is compressing) ten tere are many colliding pairs and ence, trivially tere exists an

5 etcr Has Functions Revisited 5 efficient program tat can always output a colliding pair M and M, namely a simple one wit M and M included in its code. Tat is, infeasibility cannot be formalized by an statement like tere exists no efficient adversary wit non-negligible advantage as clearly tere are many suc adversaries as mentioned before. Te point is tat no uman being knows suc a program [18], but te latter concept cannot be formalized matematically. Terefore, in te context of keyless as functions, CR can only be treated as a strong assumption to be used in a constructive security reduction following uman-ignorance framework of [18]. We will call suc a CR assumption about a keyless as function as keyless-cr assumption to distinguis it from formally definable CR notion for a dedicated-key as function. We note tat as a result of recent collision finding attacks, it is sown tat keyless-cr assumption is completely invalid for MD5 [24] and teoretically endangered assumption for SHA-1 [23]. 3 etcr Property vs. CR Property In tis Section, we sow tat tere is a separation between CR and etcr, tat is none of tese two properties can be claimed to be weaker or stronger tan te oter in general in dedicated-key as function setting. We empasize tat we consider relation between CR and etcr as formally defined properties for a dedicated-key as function. In oter words, we follow te comparison metodology in te dedicated-key as function setting as in [19]. Te CR property considered in tis section sould not be mixed wit te strong keyless-cr assumption for a keyless as function. Te separation results are sown in te following subsections. 3.1 CR etcr We want to sow tat te CR property does not imply te etcr property. Tat is, etcr as a security notion for a dedicated-key as function is not weaker tan te CR property. Tis is done by sowing as a counterexample, a dedicated-key as function wic is secure in CR sense but completely insecure in etcr sense. Lemma 1 (CR does not imply etcr). Assume tat tere exists a dedicated-key as function H : {0, 1} k {0, 1} m {0, 1} n wic is (t, ɛ) CR. Select (and fix) an arbitrary message M {0, 1} m and an arbitrary key {0, 1} k (e.g. M = 1 m and = 1 k ). Te dedicated-key as function G : {0, 1} k {0, 1} m {0, 1} n sown in tis lemma is (t, ɛ ) CR, were t = t ct H and ɛ = ɛ + 2 k, but it is completely insecure in etcr sense. T H denotes te time for one computation of H and c is a small constant. M1 n if M = M = (1) G (M) = H (M ) if M M H (M) = M1 n (2) H (M) oterwise (3) Note tat te condition in line (3) of definition of G (implicitly denoted as oterwise ) actually can be explicitly sown as: [if M M H (M) M1 n ]. It is easily seen tat tis condition and te oter two conditions in line (1) and (2) cover te all possibility for and M in defining G (M). Te proof is valid for any arbitrary selection of parameters M {0, 1} m and {0, 1} k, and ence, tis construction actually sows 2 m+k suc counterexample functions, wic are CR but not etcr. Proof. Let s first demonstrate tat G as a dedicated-key as function is not secure in etcr sense. Tis can be easily sown by te following simple adversary A = (A 1, A 2 ) playing etcr game against G. In te first stage of etcr attack, A 1 outputs te target message as M = M. In te second stage of te attack,

6 6 M. R. Reyanitabar, W. Susilo and Y. Mu A 2, after receiving te first randomly selected key (were $ {0, 1} k ), outputs a different message M M and selects te second key as =. It can be seen easily tat te adversary A = (A 1, A 2 ) wins te etcr game, as M M implies tat (M, ) (M, ) and by te construction of G we ave G (M ) = G (M ) = M1 n ; tat is bot of te conditions for winning etcr game are satisfied. Terefore, te as function family G is completely insecure in etcr sense. To complete te proof, we need to sow tat te as function family G inerits te CR property of H. Tis is done by reducing CR security of G to tat of H. Let A be an adversary tat can win CR game against G wit probability ɛ using time complexity t. We construct an adversary B against CR property of H wit success probability of at least ɛ = ɛ 2 k ( ɛ, for large k) and time t = t + ct H as stated in te lemma. Te construction of B and te analysis is provided in Appendix A. 3.2 etcr CR We want to demonstrate tat te etcr property does not imply te CR property. Tat is, te CR property as a security notion for a dedicated-key as function is not a weaker tan te etcr property. Tis is done by sowing as a counterexample, a dedicated-key as function wic is secure in etcr sense but completely insecure in CR sense. Lemma 2 (etcr does not imply CR). Assume tat tere exists a dedicated-key as function H : {0, 1} k {0, 1} m {0, 1} n, were m > k n, wic is (t, ɛ). Te dedicated-key as function G : {0, 1} k {0, 1} m {0, 1} n sown in tis lemma is (t, ɛ ), were t = t c, ɛ = ɛ + 2 k+1, but it is completely insecure in CR sense. (c is a small constant.) { H (0 G (M) = m k ) if M = 1 m k H (M) oterwise Note tat te structural assumption about H : {0, 1} k {0, 1} m {0, 1} n, namely tat we ave m > k n is quite reasonable even for practical scenarios. For instance, in Randomized Hasing wic sould provide a dedicated-key as function wit etcr property, te key lengt k is fixed and equal to te block lengt of te underlying keyless as function (e.g using SHA-1 we ave k = 512, n = 160) wile message lengt m can be very large (just less tan 2 64 ). Proof. We firstly demonstrate tat G as a dedicated-key as function is not secure in CR sense. Tis can be easily sown by te following simple adversary A tat plays CR game against G. On receiving te key, te adversary A outputs two different messages as M = 1 m k and M = 0 m k and wins te CR game as we ave G (1 m k ) = H (0 m k ) = G (0 m k ). It remains to sow tat tat G indeed is an etcr secure as function family. Let A = (A 1, A 2 ) be an adversary wic wins te etcr game against G wit probability ɛ and using time complexity t. We construct an adversary B = (B 1, B 2 ) wic uses A as a subroutine and wins etcr game against H wit success probability of at least ɛ = ɛ 2 k+1 ( ɛ, for large k) and aving time complexity t = t + c were small constant c can be determined from te description of algoritm B. Te description of te algoritm B and te analysis is provided in Appendix B. 3.3 Te Case for Randomized Hasing Randomized Hasing metod as sown in Fig. 1 is a simple metod to obtain a dedicated-key as function H : M {0, 1} n from an iterated (keyless) as function H as H(, M) H ( (M 1 ) (M L ) ), were = {0, 1} b and H itself is constructed by iterating a keyless compression function : {0, 1} n+b

7 etcr Has Functions Revisited 7 {0, 1} n and using a fixed initial caining value IV. Te analysis in [10] reduces te security of H in etcr sense to some assumptions, called c-spr and e-spr, on te keyless compression function wic are weaker tan te keyless-cr assumption on. Here, we are interested in a somewat different question, namely weter (formally definable) Coll for tis specific design of dedicated-key as function H implies tat it is etcr or not. Interestingly, we can gater a strong evidence tat Coll for H implies tat it is also etcr, by te following argument. First, from te construction of H it can be seen tat Coll for H implies keyless-cr for a as function H wic is identical to te H except tat its initial caining value is a random and known value IV = (IV ) instead of te prefixed IV (Note tat is selected at random and is provided to te adversary at te start of Coll game). Tis is easily proved, as any adversary tat can find collisions for H (i.e. breaks it in keyless-cr sense) can be used to construct an adversary tat can break H in Coll sense. Second, from recent cryptanalysis metods wic use differential attacks to find collisions [24, 23], we ave a strong evidence tat finding collisions for H under known IV would not be arder tan finding collisions for H under IV, for a practical as function like MD5 or SHA-1. Tat is, we argue tat if H is keyless-cr ten H is also keyless- CR. Finally, we note tat keyless-cr assumption on H in turn implies tat H is etcr as follows. Consider a successful etcr attack against H were on finising te attack we will ave (, M) (, M ) and H(, M) = H(, M ); were, M = M 1 M L and M = M 1 M L. Referring to te construction of H tis is translated to H ( (M 1 ) (M L ) ) = H ( (M 1 ) (M L ) ) and from (, M) (, M ) we ave tat (M 1 ) (M L ) (M 1 ) (M L ). Hence, we ave found a collision for H and tis contradicts te assumption tat H is keyless-cr. Terefore, for te case of te specific dedicated-key as function H obtained via Randomized Hasing mode, it can be argued tat Coll implies etcr. 4 Domain Extension and etcr Property Preservation In tis section we investigate te etcr preserving capability of eigt domain extension transforms, namely Plain MD [12, 7], Strengtened MD [12, 7], Prefix-free MD [6, 11], Randomized Hasing [10], Soup [20], Enveloped Soup [2], XOR Linear Has (XLH)[4], and Linear Has (LH) [4] metods. Assume tat we ave a compression function : {0, 1} k {0, 1} n+b {0, 1} n tat can only as messages of fixed lengt (n+b) bits. A domain extension transform can use tis compression function (as a black-box) to construct a as function H : M {0, 1} n, were te message space M can be eiter {0, 1} or {0, 1} <2m, for some positive integer m (e.g. m = 64). Te key space is determined by te construction of a domain extender. Clearly log 2 ( ) k, as H involves at least one invocation of. Te difference between log 2 ( ) (i.e. te key lengt of H) and k (i.e. te key lengt of ) is called te key expansion of domain extension transform and is a measure of its efficiency: te less key expansion is, te more efficient te domain extension transform will be. A domain extension transform comprises of two functions: an injective padding function P ad and an iteration function f I. First, te padding function P ad : M D I is applied to an input message M M to convert it to te padded message P ad(m) in a domain D I. Ten, te iteration function f I : D I {0, 1} n uses te compression function as many times as required, and outputs te final as value. Te full-fledged as function H is obtained by combining te two functions. It is known tat te property preserving capability of a domain extension transform depends on bot te padding function and iteration function, for example Plain MD (i.e., plain padding and MD iteration) is not CR preserving domain extender, but Strengtened MD (i.e., strengtening padding and MD iteration) does preserve CR [12, 7, 2]. Hence, precisely speaking, we can ave several domain extenders using te same iteration function but wit different padding function, e.g. Plain MD, Strengtened MD, Prefix-free MD, wic are considered as tree different domain extenders tat ave different capabilities from property preserving viewpoint [2].

8 8 M. R. Reyanitabar, W. Susilo and Y. Mu Te padding functions used in te eigt domain extension transforms tat we consider in tis paper are defined as follows: Plain: pad : {0, 1} L 1 {0, 1}Lb, were pad(m) = M 10 p and p is te minimum number of 0 s required to make te lengt of pad(m) a multiple of block lengt. Strengtening: pad s : {0, 1} <2m L 1 {0, 1}Lb, were pad s (M) = M 10 p M m and p is te minimum number of 0 s required to make te lengt of pad s (M) a multiple of block lengt. Prefix-free: padp F : {0, 1} L 1 {0, 1}Lb, were padp F transforms te input message space {0, 1} to a prefix-free message space, i.e. padp F (M) is not a prefix of padp F (M ) for any two distinct messages M and M. An example of a Prefix-free padding function, wic we consider in tis paper, is as follows. Append 10 p to te message were p is te minimum number of 0 s required to make te lengt of te resulted message a multiple of b 1 bits. Parse te resulted message into blocks of b 1 bits and prepend a 0 to all blocks but te final block were a 1 must be prepended. Strengtened Cain Sift: padcs s : {0, 1} <2m L 1 {0, 1}Lb+b n, were padcs s (M) = M 10 r M m 0 p, and parameters p and r are defined in two ways depending on te block lengt b. If b n+m ten p = 0, oterwise p = b n. Ten r is te minimum number of 0 s required to make te padded message a member of {0, 1} Lb+b n, for some positive integer L. Te iteration functions for MD, Randomized Hasing, Soup, Enveloped Soup, XLH and LH are sown in Fig Merkle-Damgård Does not Preserve etcr MD iteration function as sown in Fig. 2 can be used togeter wit Plain (pad), Strengtening(pad s ), or Prefix-free(padP F ) padding function to construct a domain extension transform, wic is called Plain MD, Strengtened MD, or Prefix-free MD, respectively. In tis section we sow tat none of tese tree domain extension transforms can be used as an etcr preserving domain extender. Teorem 1 (Negative Result). Plain MD, Strengtened MD, and Prefix-free MD do not preserve etcr. Proof. We borrow te construction of te following counterexample from [4] were it was used in te context of TCR property. Assume tat tere is a dedicated-key compression function g : {0, 1} k {0, 1} n+b {0, 1} n wit b > k wic is (t, ɛ)-etcr secure. Set b = k + b were b > 0 by te assumption tat b > k. Consider te following dedicated-key compression function : {0, 1} k {0, 1} (n+k)+b {0, 1} n+k : { g (X Y Z) if Y (, X Y Z) = (X Y Z) = 1 n+k if = Y were {0, 1} k, X {0, 1} n, Y {0, 1} k, Z {0, 1} b (n + k is caining variable lengt and b is block lengt for ). To complete te proof, we first sow in Lemma 3 tat inerits te etcr property from g. Note tat tis cannot be directly inferred from te proof in [4] tat inerits te weaker notion TCR from g. Ten, we sow a simple attack in eac case to sow tat te as function obtained via eiter of Plain, Strengtened, or Prefix-free MD transform by extending domain of is completely insecure in etcr sense. Lemma 3. Te dedicated-key compression function is (t, ɛ )-etcr secure, were ɛ = ɛ + 2 k+1 ɛ and t = t c, for a small constant c. Proof. Let A = (A 1, A 2 ) be an adversary wic wins te etcr game against wit probability ɛ and using time complexity t. We construct an adversary B = (B 1, B 2 ) wic uses A as a subroutine and wins etcr game against g wit success probability of at least ɛ = ɛ 2 k+1 ( ɛ, for large k) and spending

9 etcr Has Functions Revisited 9 MD IV : {0, 1}Lb {0, 1} n, were = {0, 1} k M 1 M 2 M 3 M L Algoritm MDIV (, M): C 0 = IV for i = 1 to L do C i = (C i 1 M i ) return C L RHIV : {0, 1}Lb {0, 1} n, were = {0, 1} k+b Algoritm RH IV (, M): C 0 = IV C 1 = (C 0 ) for i = 2 to L + 1 do C i = (C i 1 (M i 1 )) return C L+1 S IV : {0, 1}Lb {0, 1} n, were = {0, 1} k+tn t = log 2 (L), ν(i) = max {x : 2 x i} IV IV C 1 M 1 C 2 C 3 C L 1 C L M 2 M 1 M 2 M 3 M L M L C L+1 Algoritm S IV ( 0 1 t 1, M): C 0 = IV for i = 1 to L do C i = ((C i 1 ν(i) ) M i ) return C L IV v(l) C L ES IV 1,IV 2 : {0, 1} (L 1)b+b n {0, 1} n, were = {0, 1} k+tn t = log 2 (L 1) + 1, ν(i) = max {x : 2 x i} M 1 M 2 M L 1 M L Algoritm ES IV 1,IV 2 ( 0 1 t 1, M): C 0 = IV 1 ; µ = t 1 for i = 1 to L 1 do C i = ((C i 1 ν(i) ) M i ) return ((IV 2 0 ) (C L 1 µ ) M L ) IV ν(l 1) µ IV 2 0 b n C L XLH IV : {0, 1}Lb {0, 1} n, were = {0, 1} k+ln M 1 M 2 M 3 M L Algoritm XLH IV ( 0 1 L 1, M): C 0 = IV for i = 1 to L do C i = ((C i 1 i 1 ) M i ) return C L IV L 1 C L LH IV : {0, 1}Lb {0, 1} n, were = {0, 1} Lk M 1 M 2 M 3 M L Algoritm LH IV ( 1 2 L, M): C 0 = IV for i = 1 to L do C i = i (C i 1 M i ) return C L IV L C L Fig. 2. Iteration functions used in domain extension transforms: Merkle-Damgård (MD), Randomized Hasing (RH), Soup (S), Enveloped Soup (ES), XLH and LH. Te iteration functions are ordered top-down based on teir efficiency in terms of key expansion, MD iteration does not expand te key lengt of underlying compression function and is te most efficient transform and LH is te least efficient transform.

10 10 M. R. Reyanitabar, W. Susilo and Y. Mu time complexity t = t + c were small constant c can be determined from te description of algoritm B. Algoritm B is as follows: Algoritm B 1 () Algoritm B 2 ( 1, M 1, State) (M 1 = X 1 Y 1 Z 1, State) $ A 1 (); Parse M 1 as M 1 = X 1 Y 1 Z 1 return (M 1, State); if [ 1 = Y 1 1 = 1 k] return Fail ; (M 2 = X 2 Y 2 Z 2, 2 ) $ A 2 ( 1, M 1, State); return (M 2, 2 ); At te first stage of etcr attack, B 1 just merely runs A 1 and returns watever it returns as te first message (i.e. M 1 = X 1 Y 1 Z 1 ) and any possible state information to be passed to te second stage algoritm. At te second stage of te attack, let Bad be te event tat [ 1 = Y 1 1 = 1 k ]. If Bad appens ten algoritm B 2 (and ence B) will fail in etcr attack; oterwise (i.e. if Bad appens) we sow tat B will be successful in etcr attack against g wenever A succeeds in etcr attack against. Assume tat te event Bad appens; tat is, [ 1 Y k ]. We claim tat in tis case if A succeeds ten B also succeeds. Referring to te construction of (counterexample) compression function in tis lemma, it can be seen tat if A succeeds, i.e., wenever (M 1, 1 ) (M 2, 2 ) 1 (M 1 ) = 2 (M 2 ), it must be te case tat g 1 (M 1 ) 1 = g 2 (M 2 ) 2 wic implies tat g 1 (M 1 ) = g 2 (M 2 ) (and also 1 = 2 ). Tat is, (M 1, 1 ) and (M 2, 2 ) are also valid a colliding pair for te etcr attack against g. (Remember tat M 1 = X 1 Y 1 Z 1 and M 2 = X 2 Y 2 Z 2.) Now note tat Pr[Bad] Pr[ 1 = Y 1 ] + Pr[ 1 = 1 k ] = 2 k + 2 k = 2 k+1, as 1 is selected uniformly at random just after te message M 1 is fixed in te etcr game. Terefore, we ave ɛ = Pr[B succeeds] = Pr[A succeeds Bad] Pr[A succeeds] Pr[Bad] ɛ 2 k+1. To complete te proof of Teorem 1, we need to sow tat MD transforms cannot preserve etcr wile extending te domain of tis specific compression function. For tis part, te same attacks tat used in [4, 2] against TCR property also work for our purpose ere as clearly breaking TCR implies breaking its strengtened variant etcr. Te etcr attacks are as follows: Te Case of Plain MD and Strengtened MD: Let s denote Plain MD and Strengtened MD domain extension transforms applied on te counterexample compression function and using an initial value IV, respectively, by pmd IV and smd IV. Note tat MD IV is used to denote te MD iteration function (Fig. 2). Ten te full-fledged as function H : {0, 1} k M {0, 1} n+k will be defined as H(, M) = pmd IV (, M) = MD IV (, pad(m)) and H(, M) = smd IV (, M) = MD IV (, pad s(m)), for Plain and Strengtened MD case, respectively. Te following adversary A = (A 1, A 2 ) can break H in etcr sense for bot Plain MD and Strengtened MD cases. A 1 outputs M 1 = 0 b 0 b and A 2, on receiving te first key, outputs a different message as M 2 = 1 b 0 b togeter wit te same key as te second key. Considering tat te initial value IV = IV 1 IV 2 {0, 1} n+k is fixed before adversary starts te attack game and is cosen at random afterward in te second stage of te game, we ave Pr [ = IV 2 ] = 2 k. If IV 2 wic is te case wit probability 1 2 k ten adversary becomes successful as we ave: MD IV (, 0b 0 b ) = ( (IV 1 IV 2 0 b ) 0 b ) = (g (IV 1 IV 2 0 b ) 0 b ) = 1 n+k MD IV (, 1b 0 b ) = ( (IV 1 IV 2 1 b ) 0 b ) = (g (IV 1 IV 2 1 b ) 0 b ) = 1 n+k

11 etcr Has Functions Revisited 11 { H(, 0 b 0 pmd : b ) = MDIV (, pad(0b 0 b )) = (MDIV (, 0b 0 b ) 10 b 1 ) = (1 n+k 10 b 1 ) H(, 1 b 0 b ) = MDIV (, pad(1b 0 b )) = (MDIV (, 1b 0 b ) 10 b 1 ) = (1 n+k 10 b 1 ) MDIV (, pad s(0 b 0 b )) = (MDIV (, 0b 0 b ) 10 b m 1 2b m ) = (1 n+k 10 b m 1 2b m ) smd : MD IV (, pad s(1 b 0 b )) = (MDIV (, 1b 0 b ) 10 b m 1 2b m ) = (1 n+k 10 b m 1 2b m ) Te Case of Prefix-free MD: Denote Prefix-free MD domain extension transform by premd. Te full-fledged as function H : {0, 1} k M {0, 1} n+k will be defined as H(, M) = premd IV (, M) = MDIV (, padp F (M)). Note tat we ave M = {0, 1} due to te application of padp F function. Te following adversary A = (A 1, A 2 ) wic is used for TCR attack against Prefix-free MD in [2], can also break H in etcr sense, as clearly any TCR attacker against H is an etcr attacker as well. Here, we provide te description of te attack for etcr, for completeness. A 1 outputs M 1 = 0 b 1 0 b 2 and A 2 on receiving te first key outputs a different message as M 2 = 1 b 1 0 b 2 togeter wit te same key as te second key. Considering tat te initial value IV = IV 1 IV 2 {0, 1} n+k is fixed before te adversary starts te attack game and is cosen at random afterward, we ave Pr [ = IV 2 ] = 2 k. If IV 2 wic is te case wit probability 1 2 k ten te adversary becomes successful as we ave: H(, 0 b 1 0 b 2 ) = MD IV (, padp F (0b 1 0 b 2 )) = MD IV (, 0b 10 b 2 1) = ( (IV 1 IV 2 0 b ) 10 b 2 1) = (g (IV 1 IV 2 0 b ) 10 b 2 1) = 1 n+k H(, 1 b 1 0 b 2 ) = MD IV (, padp F (1b 1 0 b 2 )) = MD IV (, 01b 1 10 b 2 1) = ( (IV 1 IV 2 01 b 1 ) 10 b 2 1) = (g (IV 1 IV 2 01 b 1 ) 10 b 2 1) = 1 n+k 4.2 Randomized Hasing Does not Preserve etcr Our aim in tis section is to sow tat Randomized Hasing (RH) construction, if considered as a domain extension for a dedicated-key compression function, does not preserve etcr property. Note tat (tis dedicated-key variant of) RH metod as sown in Fig. 2 expands te key lengt of te underlying compression function by only a constant additive factor of b bits, tat is log 2 ( ) = k + b wic is independent from input message lengt. Tat is, after MD transfrom, RH is te most efficient metod from key expansion point of view. Te latter caracteristic, i.e. a small and message-lengt-independent key expansion could ave been considered a stunning advantage from efficiency viewpoint, if RH ad been able to preserve etcr. Neverteless, unfortunately we sall sow tat randomized asing does not preserve etcr. Following te specification of te original sceme for Randomized Hasing in [10], we assume tat te padding function is te strengtening padding pad s and so we use te same name for domain extension as its iteration function, i.e. RHIV (Fig. 2). Te full-fledged as function H : {0, 1}k M {0, 1} n+k will be defined as H(, M) = RHIV (, pad s (M)). Note tat we ave M = {0, 1} <2m due to te application of pad s function. Teorem 2 (Negative Result). Te Randomized Hasing transform does not preserve etcr.

12 12 M. R. Reyanitabar, W. Susilo and Y. Mu Proof. We need to sow as a counterexample, a dedicated-key compression function wic is etcr but for wic te dedicated-key as function H obtained via Randomized Hasing metod is completely insecure in etcr sense. Te same counterexample used in Teorem 1 can also be used to sow tat Randomized Hasing transform (in dedicated-key as function setting) does not preserve etcr property. As we ave previously sown in Lemma 3 tat te constructed inerits te etcr property of g, it just remains to sow tat RHIV cannot extend te domain of wile preserving its etcr property. Consider an adversary A = (A 1, A 2 ) tat plays te etcr game against te as function H, obtained via Randomized Hasing, as follows. A 1 outputs a one-block long target message M 1 = 0 b (note tat for te counterexample compression function, b is te block lengt and n + k is te caining variable lengt). A 2 on getting te first key for H (in te second stage of etcr attack), outputs te second message as M 2 = 1 b and puts te second key te same as te first key. As M 2 M 1, we just need to sow tat tese two messages collide under te same key, i.e.. Considering tat te initial value IV = IV 1 IV 2 {0, 1} n+k for RHIV is (selected and) fixed before te adversary starts te attack game and is cosen at random latter in te second stage of te game, we ave Pr [ = IV 2 ] = 2 k. If IV 2 (wic is te case wit probability 1 2 k ) ten te adversary A = (A 1, A 2 ) becomes successful as we ave: RHIV (, pad s (0 b )) = RHIV (, 0 b 10 b 1 m b m ) ( = ( (IV 1 IV 2 ) ( 0 b ) ) ) ( 10 b 1 m b m ) ( = ( g (IV 1 IV 2 ) ( 0 b ) ) ) ( 10 b 1 m b m ) = (1 n+k ( 10 b 1 m b m )) RHIV (, pad s (1 b )) = RHIV (, 1 b 10 b 1 m b m ) ( = ( (IV 1 IV 2 ) ( 1 b ) ) ) ( 10 b 1 m b m ) ( = ( g (IV 1 IV 2 ) ( 1 b ) ) ) ( 10 b 1 m b m ) = (1 n+k ( 10 b 1 m b m )) 4.3 Soup, Enveloped Soup and XLH Do not Preserve etcr In previous subsections, we ave sown tat neiter MD nor RH are etcr preserving transforms. Te next tree most efficient candidates from key expansion viewpoint tat we consider are Soup (S), Enveloped Soup (ES) and XLH transforms. In S and ES transforms te key expansion depends logaritmically on te input message lengt. For S iteration log 2 ( ) = k + log 2 (L) n and for ES iteration log 2 ( ) = k+( log 2 (L 1) +1)n, were L is te lengt of te padded message in blocks wic is input to te iteration function. (Note tat Fig. 2 just sows te iteration function of te domain extensions and padding functions are not sown Fig. 2). We assume te same padding functions as proposed in te original scemes, tat is, for Soup [20] and XLH [4] te strengtening padding function (pad s ) is used, and for Enveloped Soup [2] te padding function is te strengtened cain sift padding (padcs s ). So, te full-fledged as function H : {0, 1} k M {0, 1} n+k, obtained via tese tree domain extension metods, will be defined accordingly as follows: S: H( 0 t, M) = S IV ( 0 t 1, pad s (M)) ; were t = log 2 (L) ES : H( 0 t, M) = ES IV ( 0 t 1, padcs s (M)) ; were t = log 2 (L 1) + 1 XLH : H( 0 t, M) = XLHIV ( 0 L 1, pad s (M))

13 etcr Has Functions Revisited 13 In te following teorem we sow tat none of S, ES and XLH transforms can preserve etcr. Tat is, we lose te best TCR preserving transform, i.e. S, as well as te multi-property preserving ES transform wen it comes to etcr preservation. Teorem 3 (Negative Results). S, ES, and XLH transforms do not preserve etcr. Proof. Te proof is quite simple but te results are stronger tan previous counterexample based proofs, as ere te negative results old for any arbitrary compression function (irrespective of ow secure te compression function is), and not only for some specific counterexamples. Tat is tese XOR masking based domain extension transforms are structurally insecure in etcr sense. Intuitively, te inability if tese domain extenders to preserve etcr is due to te fact tat tey use XOR operation to add te key to te internal state (i.e. caining variable), and ence an etcr adversary will be able to cancel internal differences by taking advantage of its ability to select te value of te second key in te second stage of etcr attack. For te formal proof, we provide te following simple attacks. Te Case of Soup: Te following adversary A = (A 1, A 2 ) can break te as function H, obtained via Soup domain extension transfrom (i.e. pad s padding function followed by S IV iteration metod), in te etcr sense. At te first stage of te etcr attack, A 1 outputs a two-block message M = M 1 M 2 as te target message wic after applying pad s will become a tree-block message M 1 M 2 (10 b 1 m 2b m ) to be input to te treeround S IV iteration. In te second stage of etcr game, A 2, after receiving te first key as from te callenger, cooses te second two-block message as M = M 1 M 2 wic after padding becomes M 1 M 2 (10 b 1 m 2b m ). A 2 also puts te second key as 0 1 0, were te value of 1 is computed as 1 = ( ) ( 1 (IV 0 ) M 1 (IV 0 ) M 1). It is easy to see (referring to Fig. 2) tat tis value for cancel te introduced difference in caining variable wic was created due to te different message blocks M 1 and M 1. So, ( 0 1, M) and ( 0 1, M ) constitute a colliding pair for H in etcr sense. (Note tat te key sequence used for iteration function S IV is because padded message pad s (M) as an extra tird block containing te lengt information.) Te Case of Enveloped Soup: For te ES transform te attack strategy is quite similar to S case. Adversary A = (A 1, A 2 ) plays te etcr game as follows. A 1 outputs two different (L 1)-block messages M = M 1 M L 1 and M = M 1 M L 1 wic after applying padcs s padding function will become M 1 M L 1 (10 b 1 m n (L 1)b m ) and M 1 M L 1 (10b 1 m n (L 1)b m ), respectively. Tat is, te inputs to ES iteration function will ave te same last block as M L = M L = 10b 1 m n M m, but teir first (L 1) blocks are different (note tat in ES te lengt of te last block wic is used in te final envelop is b n bits). In te second stage of etcr attack, A 2, on receiving te first key, puts all blocks of te second key te same as te first given key except te last key block µ. A 2 simply adjusts te value of tis last key block to a new key block µ = µ C L 1 C L 1 to cancel te introduced difference in te caining variables C L 1 and C L 1 (related to te computation for M and M, respectively). We stress tat tis adjustment of te value of µ to µ to cancel te difference tat appears in final caining value is possible because µ is only used for te caining variable fed into te envelope as stated in [2]. Te Case of XLH: Te attack is similar to te case of Soup. Consider an adversary A = (A 1, A 2 ) tat can break te as function H, obtained via XLH domain extension transform (i.e. pad s padding function followed by XLHIV iteration metod), in etcr sense. A 1 outputs a two-block message M = M 1 M 2 as te target message wic after applying pad s will become a tree-block message M 1 M 2 (10 b 1 m 2b m ) to be te input to te tree-round XLHIV iteration. In te second stage of etcr game, A 2, on receiving te first key as

14 14 M. R. Reyanitabar, W. Susilo and Y. Mu from te callenger, cooses te second two-block message as M = M 1 M 2 wic after padding becomes M 1 M 2 (10 b 1 m 2b m ). A 2 ten puts te second key as 0 1 2, were te value of 1 is computed as 1 = ( ) ( 1 (IV 0 ) M 1 (IV 0 ) M 1). It is easy to see (referring to Fig. 2) tat tis value for cancel te introduced difference in caining variable wic was created due to te different message blocks M 1 and M 1. Hence, ( 0 1 2, M) and ( 0 1 2, M ) constitute a colliding pair for H in etcr sense. Remark. Te etcr adversaries used in te above proofs take advantage of XOR masking based structure of XLH, S and ES transforms to cancel te effect of all accumulated differences in te internal state tat may ave been introduced by previous different message blocks, by simply adjusting te value of a last free key block. Tis implies tat any class of suc XOR masking based transforms tat allows tis cancellation penomenon to appen will not be suitable for designing an etcr preserving domain extender. It can be seen tat tis is te case for te XTH sceme of [4] as well. 4.4 LH Transform and its Nested Variant Up to know we ave sown tat neiter of MD, RH, S, or XLH transforms can preserve etcr property. Hencefort, we ave lost all efficient metods from key expansion viewpoint and now we ave reaced to te same starting point for TCR preserving scenario as in [4], were it was sown tat te LH metod can be used to preserve TCR only wit respect to equal-lengt-collision finding adversaries and its nested variant can be used to arcive TCR for any variable-lengt-collision finding adversaries. We sould mention tat it was pointed out in [4] and latter sown by an explicit counterexample in [1] tat LH iteration cannot preserve TCR wit respect to variable lengt collisions. After te previous series of negative results about inability of several efficient transforms to preserve etcr, we now consider weter at least (but opefully not te last) tis most non-efficient LH transform or its variants can be used for etcr preserving domain extension or not. Fortunately, we gater a positive answer for tis. Te proof for tis positive result is a straigtforward extension of te metodology used in [4] for te case of TCR, but wit some necessary adaptations required for considering etcr attack scenario were adversary as more power in second stage by getting to coose a different key as well as a different message. Firstly, in Teorem 4 we sow tat if te compression function is etcr secure ten te as function LHIV will be secure against a restricted class of etcr adversaries wic only find equal-lengt colliding pairs. Let s denote tis equal-lengt etcr notion by etcr. Secondly, it is sown in Teorem 5 tat a nested variant of LH can be made etcr secure, i.e. against any arbitrary adversary. Assume tat te input messages ave lengt a multiple of block lengt and te maximum lengt in blocks is some positive integer N, i.e. M Nb were b is te lengt of one block in bits. Tis restriction of message space to a domain wit messages of variable but multiple-block lengt can be easily removed by using any proper injective padding function like plain padding function pad. LHIV iteration function can be used to define a as function as H( 1 N, M) LHIV ( 1 m, M), were m is te lengt of M in blocks. Teorem 4 (Positive Result). Assume tat te compression function : {0, 1} k {0, 1} n+b {0, 1} n is (t, ɛ)-etcr. Ten te as function H : {0, 1} Nk {0, 1} Nb {0, 1} n obtained using LHIV iteration of, will be (t, ɛ )-etcr, were ɛ = Nɛ, t = t Θ(N) ( T + n + b + k ), were T is te time for one computation of te compression function. Proof. Te proof is provided in Appendix C. Te following teorem sows tat te composition of a variable input lengt as function wic is secure only in te equal-lengt etcr sense wit a compression function wic is etcr secure will yield a variable input lengt as function tat is secure in etcr sense.

15 etcr Has Functions Revisited 15 Teorem 5 (From etcr to etcr). Assume tat H 1 : {0, 1} k 1 M {0, 1} n is (t 1, ɛ 1 )-etcr as function and : {0, 1} k 2 {0, 1} n+b {0, 1} n is (t 2, ɛ 2 )-etcr compression function, were b log 2 ( M ), for any M M. Ten te composition function H : {0, 1} k 1+k 2 M {0, 1} n, defined as H(1 2, M) = (2, H 1 (1, M) M b ), will be (t, ɛ)-etcr; were ɛ = ɛ 1 +2ɛ 2, and t = min {t 1 k 2, t 2 k 1 2T H1 2b}. Proof. Te proof is provided in Appendix D. Nested Linear Has: Let H 1 be te equal-lengt etcr as function obtained via LH transform as stated in Teorem 4. From Teorem 5 we can obtain a variant of LH wic is etcr secure. Tis variant wic we call it Nested LH is obtained by te composition of H 1 wit an etcr compression function, tat is, LH nested by tis final application of te compression function in te way stated in Teorem 5 (i.e. final block is just M b ). Teorem 5 and Teorem 4 sow tat tis Nested LH will be etcr if te compression function is etcr. Alternatively, tis Nested LH construction can be seen as obtained using a variant of strengtening padding followed by LH iteration on te compression function. Tis variant of strengtening padding, wic migt be called full-final-block strengtening, acts as follows. On input a message M, append te message by 10 r to make its lengt a multiple of block lengt and ten append anoter full block wic only contains te representation of lengt of M in an exactly b-bit string, i.e. M b. 5 Conclusion Te invention of te Enanced Target Collision Resistance (etcr) property by Halevi and rawczyk [10] as been proven to be very useful to enric te notions of as functions, in particular wit its application to construct te Randomized Hasing mode wic as been announced by NIST as Draft SP Noneteless, te study on te relationsips between etcr wit te existing properties of as functions need to be furter studied. In tis paper, we sowed tat tere is a separation between te new etcr property wit te well-known collision resistance (CR) property, were bot properties are considered for a dedicated-key as function. Furtermore, wen considering te problem of etcr property preserving domain extension, we found tat te only etcr preserving metod is a nested variant of LH wic as a drawback of aving ig key expansion factor. Terefore, it is interesting to design a new etcr preserving domain extension in standard model, wic is efficient. We left tis as an open problem in tis paper. Acknowledgments. We would like to tank te anonymous reviewers of FSE 2009 for teir insigtful comments and suggestions. References [1] Andreeva, E., Neven, G., Preneel, B., Srimpton, T.: Seven-Property-Preserving Iterated Hasing: ROX. In: aoru urosawa (ed.): ASIACRYPT LNCS, vol. 4833, pp Springer (2007) [2] Bellare, M., Ristenpart, T.: Has Functions in te Dedicated-ey Setting: Design Coices and MPP Transforms. In Arge, L., Cacin, C., Jurdzinski, T., Tarlecki, A. (eds.): ICALP 07. LNCS, vol. 4596, pp Springer (2007) [3] Bellare, M., Ristenpart, T.: Multi-Property-Preserving Has Domain Extension and te EMD Transform. In Lai, X., Cen,. (eds.): ASIACRYPT LNCS, vol. 4284, pp Springer (2006) [4] Bellare, M., Rogaway, P.: Collision-Resistant Hasing: Towards Making UOWHFs Practical. In aliski Jr., B.S. (ed.) CRYPTO LNCS, vol. 1294, pp Springer (1997) [5] Contini, S., Yin, Y.L.: Forgery and Partial ey-recovery Attacks on HMAC and NMAC using Has Collisions. In: Lai, X., Cen,. (eds.) ASIACRYPT LNCS, vol. 4284, pp Springer (2006) [6] Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Has Function. In Soup, V. (ed.): CRYPTO LNCS, vol. 3621, pp Springer (2005) [7] Damgård, I.: A Design Principle for Has Functions. In Brassard, G. (ed.): CRYPTO LNCS, vol. 435, pp Springer (1990)