Paper 2009/077

On the Security of Iterated Hashing based on Forgery-resistant Compression Functions

Charles Bouillaguet, Orr Dunkelman, Pierre-Alain Fouque, and Antoine Joux


In this paper we re-examine the security notions suggested for hash functions, with an emphasis on the delicate notion of second preimage resistance. We start by showing that, in the random oracle model, both Merkle-Damgaard and HAIFA achieve second preimage resistance beyond the birthday bound, and actually up to the level of known generic attacks, hence demonstrating the optimality of HAIFA in this respect. We then try to distill a more elementary requirement out of the compression function to get some insight on the properties it should have to guarantee the second preimage resistance of its iteration. We show that if the (keyed) compression function is a secure FIL-MAC then the Merkle-Damgaard mode of iteration (or HAIFA) still maintains the same level of second preimage resistance. We conclude by showing that this ``new'' assumption (or security notion) implies the recently introduced Preimage-Awareness while ensuring all other classical security notions for hash functions.

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
charles bouillaguet @ ens fr
2009-02-16: received
Short URL
Creative Commons Attribution


      author = {Charles Bouillaguet and Orr Dunkelman and Pierre-Alain Fouque and Antoine Joux},
      title = {On the Security of Iterated Hashing based on Forgery-resistant Compression Functions},
      howpublished = {Cryptology ePrint Archive, Paper 2009/077},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.