On the Security of Iterated Hashing based on Forgery-resistant Compression Functions

In this paper we re-examine the security notions suggested for hash functions, with an emphasis on the delicate notion of second preimage resistance. We start by showing that, in the random oracle model, both Merkle-Damg̊ard and Haifa achieve second preimage resistance beyond the birthday bound, and actually up to the level of known generic attacks, hence demonstrating the optimality of Haifa in this respect. We then try to distill a more elementary requirement out of the compression function to get some insight on the properties it should have to guarantee the second preimage resistance of its iteration. We show that if the (keyed) compression function is a secure FIL-MAC then the Merkle-Damg̊ard mode of iteration (or Haifa) still maintains the same level of second preimage resistance. We conclude by showing that this “new” assumption (or security notion) implies the recently introduced Preimage-Awareness while ensuring all other classical security notions for hash functions.