The original HMAC paper based the security proof on the fact that the compression function of the Hash is already a MAC (appropriately keyed).
How does this relate to common assumptions for compressions functions? Is it required to show security of the Hash function? Conversely, can a good hash function have a weak compression function which is not a MAC?
This is of course related to my question about which compressions functions are PRFs.
