Higher order eTCR hash functions

Computers and Mathematics with Applications 65 (2013) 1396–1402

Contents lists available at SciVerse ScienceDirect

Computers and Mathematics with Applications journal homepage: www.elsevier.com/locate/camwa

Higher order eTCR hash functions Deukjo Hong a , Dong-Chan Kim a , Woo-Hwan Kim a , Jongsung Kim b,∗ a

ETRI, Republic of Korea

b

Division of e-Business, Kyungnam University, Republic of Korea

article

info

Keywords: Higher order eTCR hash functions Merkle–Damgård scheme enhanced target collision resistance

abstract We study higher order eTCR (enhanced target collision resistance) hash functions, where rth-order eTCR is denoted by eTCR(r ). We prove that a few rounds of the MD (Merkle–Damgård) scheme and a few levels of the TR (tree) scheme can be eTCR under the compression function is eTCR(r ) for some positive integer r. Additionally, we prove that the TH (tree hash) scheme also preserves eTCR. © 2012 Elsevier Ltd. All rights reserved.

1. Introduction A cryptographic hash function is a function mapping arbitrary-length messages to fixed-length outputs, usually required for satisfying several security notions such as collision resistance, second-preimage resistance, and preimage resistance. It is one of the primitives widely used in security applications for various environments such as smart grid systems [1] and wireless networks [2–4]. eTCR (enhanced target collision resistance) is a new security notion for cryptographic hash functions, proposed by Halevi and Krawczyk in order to explain the cryptographic property of the RH (randomized hashing) scheme [5]. Roughly, an eTCR adversary tries to do the following for a hash function family H : K × M → C . Firstly, it commits to a target message M ∈ M . Independently of this, a key K is randomly selected from the key space K . Finally, for the given K and the target message M, the adversary outputs a sibling pair of (K ′ , M ′ ) ∈ K × M . If (K , M ) ̸= (K ′ , M ′ ) but HK (M ) = HK ′ (M ′ ), then the adversary succeeds in the attack on H in the sense of eTCR. The definition of eTCR is very similar to that of TCR (target collision resistance) except that a TCR adversary tries to find a sibling message M ′ such that M ̸= M ′ but HK (M ) = HK (M ′ ) instead of a sibling pair of (K ′ , M ′ ). TCR and eTCR hash functions can replace CR (collision resistance) hash functions in many applications; even for digital signatures this is feasible, but it should be noted that a TCR hash function becomes vulnerable to attacks by the signers (who can cheat and choose the key before the target message). We divide the notion of eTCR into ordered notions according to how many times the adversary can ask for hash values for its chosen messages before committing to its target message, which is like the notion of TCR(r ) in [6]. It is denoted by eTCR(r ) when the number of queries available to the adversary is r. Then, our interest starts from the assumption that a compression function H is already designed as an eTCR(r ). We note that MD (Merkle–Damgård) and TR (tree) schemes are the most efficient schemes extending the compression functions in terms of the cost of random keys. We study how many rounds of the MD scheme and how many levels of the TR scheme are applicable to extending the eTCR(r ) compression function for preserving eTCR. This work is very much analogous to that of [6], but we believe that it is worth a public report for the following reasons.

∗

Corresponding author. E-mail addresses: [email protected] (D. Hong), [email protected] (D.-C. Kim), [email protected] (W.-H. Kim), [email protected], [email protected] (J. Kim). 0898-1221/$ – see front matter © 2012 Elsevier Ltd. All rights reserved. doi:10.1016/j.camwa.2012.01.033

D. Hong et al. / Computers and Mathematics with Applications 65 (2013) 1396–1402

1397

• Existing domain extending schemes [7] preserving eTCR require a greater amount of random keys for hashing longer messages.

• Generation of random values is often expensive in many applications, and transmission of random values together with the message and the hash value will be regarded as an additional overload compared with the conventional usage of CR hash functions. • The application of MD and TR schemes clearly reduces the amount of random keys required for extending the compression function. • It is very likely that if someone designs or realizes a ‘good’ eTCR compression function, it has nonzero order. We also show that the TH scheme preserves eTCR. We believe that this proof is a supplement to [7]. 1.1. Related works Reyhanitabar et al. treated eTCR as a new security notion for cryptographic hash functions [7]. They studied the relationships among CR, TCR and eTCR, and showed that MD and RH schemes do not preserve eTCR, that XOR masking based schemes such as XLH, Shoup, Enveloped Shoup, and XTH are insecure in the sense of eTCR, and that the LH scheme preserves eTCR. Mironov investigated a simple conversion of a TCR function to an eTCR function, and showed how to compose a TCR domain extending scheme and a fixed-input-length eTCR function to make an arbitrary-input-length eTCR function [8]. 1.2. Organization This paper is organized as follows. In Section 2, we explain the notation and definitions used throughout this paper. In Section 3, we show that some rounds of the MD scheme and some levels of the TR scheme are eTCR under the assumption that the compression function is eTCR(r ) for a proper positive integer r. In Section 4, we show that the TH scheme preserves eTCR. In Section 5, we conclude our work and discuss the comparison with previous works. 2. Notation and definitions We denote the concatenation of strings x and x′ by x ∥ x′ or xx′ . {0, 1}n is the set of all strings of bit-length n. H : K × M → C is regarded as a family of hash functions induced by elements in K , from M to C , i.e. for each K ∈ K , HK : M → C . K is the key space, M is the message space, and C is the space of hash values. We write x ←ur S for selecting an element x from a set S uniformly at random. For a bit-string x, we denote its bit-length by |x|. Let A be a probabilistic polynomial time algorithm, program or adversary. y ← A(x) means that A outputs y on the input of x, where x is an element of a domain. y ← A(Q ) means A outputs y on the input of a set Q , where Q is a set of elements of a domain. When we want to emphasize the point that A outputs y without any input, we use the notation y ← A(∅), where ∅ is the empty set or null string. We take the RAM (random access machine) model of computation which is also used in [9], and measure the running time of a program with respect to that model. If H : K × D → R is a hash function family, we let TH indicate the worst-case time for computing H (K , x), in the underlying model of computation, when K ∈ K and x ∈ D . We describe the advantages of TCR, TCR(r ), eTCR, and eTCR(r ) which are the success probability of the adversary restricted by the running time t as follows: ′ ′ ′ AdvTCR H (A) = Pr[(M , State) ← A1 (∅); K ←ur K ; M ← A2 (K , M , State) : M ̸= M ∧ HK (M ) = HK (M )] TCR(r )

AdvH

H

(A) = Pr[K ←ur K ; (M , State) ← A1 K (Q ); M ′ ← A2 (K , M , State) : M ̸= M ′ ∧ HK (M ) = HK ′ (M ′ )]

AdveTCR (A) = Pr[(M , State) ← A1 (∅); K ←ur K ; (K ′ , M ′ ) ← A2 (K , M , State) : H (K , M ) ̸= (K ′ , M ′ ) ∧ HK (M ) = HK ′ (M ′ )] eTCR(r )

AdvH

H

(A) = Pr[K ←ur K ; (M , State) ← A1 K (Q ); (K ′ , M ′ ) ← A2 (K , M , State) : (K , M ) ̸= (K ′ , M ′ ) ∧ HK (M ) = HK ′ (M ′ )].

In the above descriptions, ‘State’ is extra information produced in finding a target message. Note that TCR and eTCR are equivalent to TCR(r ) and eTCR(r ) for r = 0, respectively. In TCR and eTCR, the key selection is independent of A1 ’s finding a target message, while in TCR(r ) and eTCR(r ), the former should be followed by the latter and A1 has r accesses to the oracle HK . In the advantages of TCR(r ) and eTCR(r ), Q means a set of (query, answer) pairs for A1 and the oracle of HK . If the advantage of any adversary with running time at most t for a hash function H is upper bounded by ε in the sense of xxx ∈ {TCR, TCR(r ), eTCR, eTCR(r )}, we say that H is (t , ε)-xxx or a (t , ε)-xxx hash function. Note that if H is eTCR(r ), then H is also TCR(r ), and that if H is eTCR(r ), then H is eTCR(r ′ ) for 0 ≤ r ′ ≤ r. Let X be a domain extension scheme. X[H ] means that X uses H as its compression function. The MD scheme has been considered as the most popular method for constructing cryptographic hash functions with variable input length in both theoretical and practical worlds. It is called Merkle–Damgård (MD) construction. The MD scheme is defined as follows. Let H : K × {0, 1}n+m → {0, 1}n where m ≥ n. Let x = x0 ∥x1 ∥ · · · ∥ xr where x0 ∈ {0, 1}n and x1 , . . . , xr ∈ {0, 1}m . Then for

1398

D. Hong et al. / Computers and Mathematics with Applications 65 (2013) 1396–1402

Algorithm 1 MDr [H ]K (x) 1: y0 ← x0 ; 2: for i = 1, . . . , r do 3: yi ← HK (yi−1 ∥ xi ); 4: end for 5: return yr ; a randomly selected K ∈ K and on the input of x, the r-round MD scheme MDr [H ] with the compression function H gives the output MDr [H ]K (x) which is computed according to Algorithm 1 (see Fig. 1). l

l

The TR scheme is defined as follows. Let H : K × {0, 1}dn → {0, 1}n . Let x0 ∈ {0, 1}d n be parsed into x10 ∥x20 ∥ · · · ∥ xd0 where xi0 ∈ {0, 1}n for 1 ≤ i ≤ dl . Then, for a randomly selected K ∈ K and on the input of x0 , the l-level d-ary TR scheme TRl [H ] with the compression function H gives the output TRl [H ]K (x0 ) which is computed according to Algorithm 2 (see Fig. 2). Algorithm 2 TRl [H ]K (x0 ) 1: 2: 3: 4: 5: 6:

for i = 1, . . . , l do for j = 1, . . . , dl−i do j (j−1)d+1 xi ← HK (xi−1 ∥ · · · ∥xjd i−1 ); end for end for return x1l ;

Strictly, when we are given H : K × D → R, we should call it a family of functions, but for simplicity we often just call it a function. 3. MD and TR extensions of eTCR(r ) compression functions In this section, we show that some rounds of the MD scheme and some levels of the TR scheme are eTCR under the assumption that the compression function is eTCR(r ) for a proper positive integer r. Theorem 1. Let H : K × {0, 1}n+m → {0, 1}n be (t ′ , ε ′ )-eTCR (r ). Then, MDr +1 [H ] : K × {0, 1}n+(r +1)m → {0, 1}n is (t , ε)-eTCR, where ε = (r + 1)ε′ and t = t ′ − Θ (r (TH + m + n)). Proof. Let x, x′ ∈ {0, 1}n+(r +1)m be a collision for MDr +1 [H ]K for K ∈ K . We observe that there exists an index j ∈ {1, . . . , r + 1} such that MDj [H ]K (x0 ∥ · · · ∥xj ) = MDj [H ]K (x′0 ∥ · · · ∥x′j ), MDj−1 [H ]K (x0 ∥ · · · ∥xj−1 )∥xj ̸=

MDj−1 [H ]K (x0 ∥ · · · ∥x′j−1 )∥x′j . ′

(1) (2)

We use this fact in the proof. Assume that A = (A1 , A2 ) is an eTCR adversary for MDr +1 [H ] with the running time t that has the advantage ε . Then there exists an eTCR(r ) adversary B = (B1 , B2 ) for H using A as a subroutine. H If K is selected uniformly at random from K and r-time access to the hash oracle HK is given to B1 , B1 K uses A1 to generate its target message (z , StateB ) as follows. 1: for j = 1, . . . , r do 2: if j = 1 then 3: (x, StateA ) ← A1 (∅); 4: Parse x into x0 ∥x1 ∥ · · · ∥ xr such that x0 ∈ {0, 1}n and xi ∈ {0, 1}m−n for 1 ≤ i ≤ r; 5: y0 ← x0 ; 6: Ask y0 ∥ x1 to HK and get y1 = HK (y0 ∥ x1 ); 7: end if 8: if j > 1 then 9: Ask yj−1 ∥ xj to HK and get yj = HK (yj−1 ∥ xj ); 10: end if 11: end for 12: i ←ur {1, . . . , r + 1}; 13: z ← yi−1 ∥ xi ; StateB ← i∥x∥StateA ; 14: return (z , StateB );

D. Hong et al. / Computers and Mathematics with Applications 65 (2013) 1396–1402

1399

Fig. 1. Three-round MD scheme, MD3 [H ].

Fig. 2. Three-level 3-ary TR construction, TR3 [H ].

B1 runs A1 just one time at j = 1 to get (x, StateA ). Once B1 generates the target message (z , StateB )1 in the above way, B2 on the input of (K , z , StateB ) generates the sibling pair (K ′ , z ′ ) using A2 as follows. 1: Parse StateB into i∥x∥StateA ; ′ ′ 2: (K , x ) ← A2 (K , x, StateA ); ′ ′ ′ ′ ′ ′ n m−n 3: Parse x into x0 ∥x1 ∥ · · · ∥ xr such that x0 ∈ {0, 1} and xi ∈ {0, 1} for 1 ≤ i ≤ r; ′ ′ ′ ′ 4: yi−1 ← MDi−1 [H ]K (x0 ∥x1 ∥ · · · ∥ xi−1 ); ′ ′ ′ 5: z ← yi−1 ∥ xi ; ′ ′ 6: return (K , z ); Now we must bound the success probability of B. Note that i was chosen at random, so if A succeeds, then we have i = j with probability 1/(r + 1), where j is the value of Eq. (1). So, ε ′ > ε/(r + 1). The running time of B is that of A plus the overhead. This overhead is Θ (r (TH + m + n)). The choice of t in the theorem statement makes all of this at most t ′ , from which we conclude the result.  In [7], Reyhanitabar et al. gave the example of an eTCR function whose two-round MD extension is not eTCR, which was originally suggested by Bellare and Rogaway in [9]. It is very easy to see that its eTCR order is zero. We can construct a similar example for the TR scheme. Let n = 2k and let F : {0, 1}k × {0, 1}6k → {0, 1}2k be (t , ε)-TCR (or eTCR). H : {0, 1}k × {0, 1}6k → {0, 1}3k is defined as follows: for K ∈ {0, 1}k and x = x1 ∥...∥x6 ∈ {0, 1}6k , HK (x) =

FK (x) ∥ K 13k



if if

K ̸= x3 ∨ K ̸= x6 K = x3 ∧ K = x6 .

It is easily shown that H is (t ′ , ε ′ )-TCR (or eTCR) for a proper (t ′ , ε ′ ), but TR2 [H ] is neither TCR nor eTCR because the following hold. For x = 06k and y = 16k , TR2 [H ]K (x∥x) = HK (FK (x)∥K ∥FK (x)∥K ) = 13k , TR2 [H ]K (y∥y) = HK (FK (y)∥K ∥FK (y)∥K ) = 13k . This means that the eTCR order of H is zero.

1 Indeed, State can include much more information like the source code of B . ‘i∥x∥State ’ means the minimum information for B . B 1 A 2

1400

D. Hong et al. / Computers and Mathematics with Applications 65 (2013) 1396–1402 l

Theorem 2. Let H : K × {0, 1}dn → {0, 1}n be a (t ′ , ε ′ )-eTCR (r ) and r = (dl − d)/(d − 1). Then TRl [H ] : K × {0, 1}d n → {0, 1}n is a (t , ε)-eTCR, where ε = (r + 1)ε′ , and t ′ = t + Θ (dl (TH + n)). l

Proof. Assume that x, y ∈ {0, 1}d n is a collision for TRl [H ]K (·) where K ∈ {0, 1}k . We observe that there exist α ∈ {1, . . . , l} and β ∈ {1, . . . , dl−α } such that xβα = yβα , (β−1)d+1 βd xα−1 ∥ · · · ∥xα−1

(3)

̸=

(β−1)d+1 βd yα−1 ∥ · · · ∥yα−1 .

(4)

We will exploit this below. Assume that A = (A1 , A2 ) is an eTCR adversary for TRl [H ] with the running time t which has the advantage ε . Then there exists an eTCR(r ) adversary B = (B1 , B2 ) for H using A as a subroutine. H If K is selected uniformly at random from K and r-time access to the hash oracle HK is given to B1 , B1 K uses A1 to generate its target message (z , StateB ) as follows. l−u 1: for u = 1, . . . , l − 1, v = 1, . . . , d do 2: if (u, v) = (1, 1) then 3: (x0 , StateA ) ← A1 ; l

Parse x0 into x10 ∥ · · · ∥xd0 such that xi0 ∈ {0, 1}c for all i; 5: Ask x10 ∥ · · · ∥xd0 to HK and get x11 = HK (x10 ∥ · · · ∥xd0 ); 6: end if 7: if (u, v) ̸= (1, 1) then (v−1)d+1 (v−1)d+1 d d v 8: Ask xu−1 ∥ · · · ∥xvu− ∥ · · · ∥xvu− 1 to HK and get xu = HK (xu−1 1 ); 9: end if 10: end for l −i 11: i ←ur {1, . . . , l}; j ←ur {1, . . . , d }; (j−1)d+1 jd 12: z ← xi−1 ∥ · · · ∥xi−1 ; StateB ← i∥j∥x0 ∥ StateA ; 13: return (z , StateB ); Once B1 generates the target message (z , StateB ) in the above way, B2 on the input of (K , z , StateB ) generates the sibling pair (K ′ , z ′ ) using A2 as follows. 1: Parse StateB into i∥j∥x0 ∥ StateA ; ′ 2: (K , y0 ) ← A2 (K , x0 , StateA ); 4:

3: 4:

l

Parse y0 into y0 1 ∥ · · · ∥y0 d such that y0 i ∈ {0, 1}c for all i; for u = 1, . . . , d do (j−1)d+u

((j−1)d+u−1)di−1 +1

((j−1)d+u)di−1

yi−1 ← TRi−1 [H ]K (x0 ∥ · · · ∥x0 ); 6: end for (j−1)d+1 ′ 7: z ← yi−1 ∥ · · · ∥yjd i −1 ; ′ ′ 8: return (K , z ); Now we bound the success probability of B. The number of possibilities for (i, j) is at most d0 +· · ·+ dl−1 = (dl − 1)/(d − 1). Note that i and j were chosen randomly and independently, so if A succeeds, then we have (i, j) = (α, β) with probability (d − 1)/(dl − 1), where (α, β) is the pair in Eq. (3). So, ε ′ > ε(d − 1)/(dl − 1). The running time of B is that of A plus the overhead, which is equal to Θ (dl (TH + n)).  5:

4. The TH scheme preserves eTCR In this section we prove that the TH scheme preserves eTCR. The TH scheme has the same structure as the TR scheme except that the key Ki of the compression function is randomly selected from {0, 1}k for each ith level. l

Theorem 3. Let H : K × {0, 1}dn → {0, 1}n be a (t , ε)-eTCR. Then THl [H ] : K × {0, 1}d n → {0, 1}n is a (t , ε)-eTCR, where ε = (r + 1)ε′ , and t ′ = t + Θ (dl (TH + k + n)). Algorithm 3 THl [H ]K (x0 ) 1: 2: 3: 4: 5: 6:

for i = 1, . . . , l do for j = 1, . . . , dl−i do j (j−1)d+1 xi ← HKi (xi−1 ∥ · · · ∥xjd i−1 ); end for end for return x1l ;

D. Hong et al. / Computers and Mathematics with Applications 65 (2013) 1396–1402

1401

Fig. 3. Three-level 3-ary TH scheme, TH3 [H ].

Proof. The proof is similar to that of Theorem 2. Assume that A = (A1 , A2 ) is an eTCR adversary for TRl [H ] with the running time t which has the advantage ε . Then there exists an eTCR adversary B = (B1 , B2 ) for H using A as a subroutine. H If K is selected uniformly at random from K and r-time access to the hash oracle HK is given to B1 , B1 K uses A1 to generate its target message (z , StateB ) as follows. 1: (x0 , StateA ) ← A1 ; l−i 2: i ←ur {1, . . . , l}; j ←ur {1, . . . , d }; (j−1)d+1 jd 3: z ← xi−1 ∥ · · · ∥xi−1 ; StateB ← i∥j∥x0 ∥ StateA ; 4: return (z , StateB ); Once B1 generates the target message (z , StateB ) in the above way, B2 on the input of (K , z , StateB ) generates the sibling pair (K ′ , z ′ ) using A2 as follows. 1: Parse StateB into i∥j∥x0 ∥ StateA ; ′ 2: (K , y0 ) ← A2 (K , x0 , StateA ); 3: 4:

l

Parse y0 into y0 1 ∥ · · · ∥y0 d such that y0 i ∈ {0, 1}n for all i; for u = 1, . . . , d do (j−1)d+u

((j−1)d+u−1)di−1 +1

((j−1)d+u)di−1

yi−1 ← TRi−1 [H ]K (x0 ∥ · · · ∥x0 ); 6: end for (j−1)d+1 ′ 7: z ← yi−1 ∥ · · · ∥yjd i−1 ; ′ ′ 8: return (K , z ); Now we bound the success probability of B. The number of possibilities for (i, j) is at most d0 +· · ·+dl−1 = (dl − 1)/(d − 1). Note that i and j were chosen randomly and independently, so if A succeeds, then we have (i, j) = (α, β) with probability (d − 1)/(dl − 1), where (α, β) is the pair in Eq. (3). So, ε ′ > ε(d − 1)/(dl − 1). The running time of B is that of A plus the overhead, which is equal to Θ (dl (TH + k + n)) (see Fig. 3).  5:

5. Conclusion and discussion We proposed and studied the notion of eTCR(r ) hash functions. We showed that eTCR(r ) functions can be made with TCR(r ) functions and one-way permutations. Theorems 1 and 2 mean that considering the eTCR order of the compression function allows us to use it efficiently in the length of the random keys because the MD and TR schemes take priority over the LH and TH schemes. Since our results can be applied together with any efficient existing schemes, this is necessary for the optimal usage of an eTCR compression function. For example, assume that we are given an eTCR(r ) compression function H : {0, 1}k × {0, 1}n+m → {0, 1}n . Roughly n ⌉k-bit random key bits. By the way, we use MDs [H ] : {0, 1}k × speaking, using LH[H ] to hash a t-bit message requires ⌈ t − m

{0, 1}n+(r +1)m → {0, 1}n as a eTCR compression function for s ≤ r + 1. Using LH[MDs [H ]] to hash a t-bit message requires approximately ⌈ m(t r−+n1) ⌉k-bit random key bits with the same number of calls of the compression function as for LH[H ].

Mironov’s eTCR domain extension scheme [8] consists of the Shoup scheme SH [10] for compressing arbitrary-inputlength messages and the two-round LH scheme for finalization. Recall that if H is eTCR(r ), then H is also TCR(r ). If we apply an eTCR(r ) compression function H : {0, 1}k × {0, 1}n+m → {0, 1}n , with our results and the results of [6], to Mironov’s scheme, SH[H ] and the two-round LH scheme can be replaced with SH[MDs [H ]] and the two-round MD scheme, so the n required amount of random key bits for hashing a t-bit message can decrease (⌈log2 t − ⌉ + 2)k to (⌈log2 m(t r−+n1) ⌉ + 1)k with m the same number of calls of the compression function as for Mironov’s original scheme.

1402

D. Hong et al. / Computers and Mathematics with Applications 65 (2013) 1396–1402

Acknowledgment This work was supported by Kyungnam University Research Fund, 2011. References [1] A.P.A. Ling, M. Masao, Selection of model in developing information security criteria for smart grid security system, Journal of Convergence 2 (1) (2011) 31–38. [2] C. Huang, R.-H. Cheng, S.-R. Chen, C.-I. Li, Enhancing network availability by tolerance control in multi-sink wireless sensor networks, Journal of Convergence 1 (1) (2010) 15–22. [3] D. Kumar, T.C. Aseri, R.B. Patel, Multi-hop communication routing (MCR) protocol for heterogeneous wireless sensor networks, IJITCC 1 (2) (2011) 130–145. [4] B. Xie, A. Kumar, D. Zhao, R. Reddy, B. He, On secure communication in integrated heterogeneous wireless networks, IJITCC 1 (1) (2010) 4–23. [5] S. Halevi, H. Krawczyk, Strengthening digital signatures via randomized hashing, in: C. Dwork (Ed.), Advances in Cryptology—CRYPTO 2006, in: LNCS, vol. 4117, Springer-Verlag, 2006, pp. 41–59. [6] D. Hong, B. Preneel, S. Lee, Higher order universal one-way hash functions, in: P.J. Lee (Ed.), Advances in Cryptology—ASIACRYPT 2004, in: LNCS, vol. 3329, Springer-Verlag, 2004, pp. 201–213. [7] M.R. Reyhanitabar, W. Susilo, Y. Mu, Enhanced target collision resistant hash functions revisited, in: O. Dunkelman (Ed.), Fast Software Encryption 2009, in: LNCS, vol. 5665, Springer-Verlag, 2009, pp. 327–344. [8] I. Mironov, Domain extension for enhanced target collision-resistant hash functions, in: FSE 2010, Springer-Verlag, 2010. [9] M. Bellare, P. Rogaway Jr., Collision-resistant hashing: towards making UOWHFs practical, in: B.S. Kaliski (Ed.), Advances in Cryptology—CRYPTO’97, in: LNCS, vol. 1294, Springer-Verlag, 1997, pp. 470–484. [10] V. Shoup, A composite theorem for universal one-way hash functions, in: B. Preneel (Ed.), Advances in Cryptology—EUROCRYPT 2000, in: LNCS, vol. 1807, Springer-Verlag, 2000, pp. 445–452.