Leaving memory-hardness assumptions aside, some slow hash functions are iterated salted hash-chain versions of regular cryptographic hashes. This is usually defined by a round parameter i.e., in PBKDF2. Is there any cryptography paper that addresses security-bits definition based on the factor of rounds of linear successive invocations (not parallel) for one output computation?
I.e., a concrete example: is breaking a pre-image of sha3(fresh_salt, input_value) easier than sha3(sha3(sha3(sha3(fresh_salt, input_value)))), and if yes does the latter offer 2-bits of extra security because the relative effort required by the attacker is 4 times more? Any research paper that discusses that (relative adversarial effort required between independent or linearly-dependent functions vs. pragmatic bits of offered security)?
- This question is similar to Security implications of slow-by-design hashes on relative security vs. hash size, but I’m mostly interested in a security proof related answer.
