Security

1. The nonlinearity comes mostly from S-boxes from 8 bits to 64 bits. This is much better than merely combining additions and XORs (i.e., using the carry bits), and it affects all the output bits, not just neighboring bits.

2. There is a strong avalanche, in that each message bit affects all the three registers after three rounds --- much faster than in any other hash function. The avalanche in 64-bit words (and 64-bit S boxes) is much faster than when shorter words are used.

3. As remarked above, all shortcut attacks on MD*/Snefru target one of the intermediate blocks. Increasing the intermediate value to 192 bits helps thwart these attacks.

4. The key schedule ensures that changing a small number of bits in a message affects many bits during the various passes. Together with the strong avalanche, it helps Tiger to resist attacks similar to Dobbertin's differential attack on MD4 (where changing certain bits in the message affects at most two bits in many rounds, and then these small differences can be made to cancel out in the last pass).

5. The multiplication of the register b in each round also contributes to the resistance to such attacks, since it ensures that bits which were used as inputs to S boxes in the previous rounds are mixed into other S boxes as well, and to the same S boxes with a different input difference. This multiplication also prevents related-key [B94] attacks on the hash function, since the constant differs in each round.

6. The feedforward prevents meet-in-the-middle birthday attacks that find preimages of the hash function (although their complexity would be anyway).