Ref:
Elena Andreeva, Gregory Neven, Bart Preneel and Thomas Shrimpton. In K. Kurosawa, editor, Advances in Cryptology - ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science,
pages 130-146. Springer-Verlag, 2007.

Abstract:
Nearly all modern hash functions are constructed by iterating a compression function. At FSE'04,
Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance
(Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage
resistance (Pre, aPre, ePre). The main contribution of this paper is in determining, by proof or
counterexample, which of these seven notions is preserved by each of eleven existing iterations. Our
study points out that none of them preserves more than three notions from [RS04]. In particular,
only a single iteration preserves Pre, and none preserves Sec, aSec, or aPre. The latter two notions
are particularly relevant for practice, because they do not rely on the problematic assumption that
practical compression functions be chosen uniformly from a family. In view of this poor state of
affairs, even the mere existence of seven-property-preserving iterations seems uncertain. As a second
contribution, we propose the new Random-Oracle XOR (ROX) iteration that is the first to provably
preserve all seven notions, but that, quite controversially, uses a random oracle in the iteration. The
compression function itself is not modeled as a random oracle though. Rather, ROX uses an auxiliary
small-input random oracle (typically 170 bits) that is called only a logarithmic number of times.