Page 6, Section 3.4.3, added at the end of the paragraph: Hence, a HAIFA hash function can be distinguished after $q$ queries to the compression function with probability at most $O(q^2 / 2^{m_c})$ (or if $m_c = m$ --- with probability at most $O(q^2/2^m)$). Page 18, Section 5.2, added a bullet concerning why Enveloped Merkle-Damgard was not selected as the mode of iteration of SHAvite-3: Enveloped Merkle-Damgard --- While the enveloped Merkle-Dangard mode offers the preservation of the pseudo random properties of the compression function, it does not offer full second preimage resistance for long messages and is not secure against the herding attack. Hence, we decided to avoid the use of this mode. Page 22, Section 6.1.1, the "Algebraic Approaches" bullet: Updated submission (15th January): is still open. New Specification Document (1st February): is still open (see [18,42]). Added at the end of the bullet: We also note that this seems to render cube attacks [27] on the full cipher unuseful. Page 26, Section 7, end of the paragraph just after the second formula, Added at the end of the paragraph: Of course, in this case the key used as salt is to be kept secret. Page 26, Section 7, one paragraph before last: added at the end of the paragraph: In Table 4 we compare the number of compression function calls when using SHA-256, HMAC-SHA-256, SHAvite-3, and Shavite-3-MAC (when they are used to produce a 256-bit digest/tag). Also, we added table 4. Page 31, Section 8.3.3, second paragraph: Updated submission (15th January): four AES round cores need to be used. This increases the circuit size to about 100,500 gates. New Specification Document (1st February): three AES round cores need to be used with some additional memory.^{4} This increases the circuit size to about 81,000 gates. Footnote 4 was added and says: The three cores are used as follows: one in each $F^{4}(\cdot)$, and one for the message expansion. There is a requirement for some additional memory in the message expansion in this approach. Bibliography: Added references: 18. Carlos Cid, Gaeten Leurent, An Analysis of the XSL Algorithm, Advances in Cryptology, proceedings of ASIACRYPT 2005, Lecture Notes in Computer Science~3788, pp.~333--352, Springer-Verlag, 2005. 27. Itai Dinur, Adi Shamir, Cube Attacks on Tweakable Black Box Polynomials, IACR ePrint report 2008/385, 2008. 41. Lars R.~Knudsen, Vincent Rijmen, Known-Key Distinguishers for Some Block Ciphers, Advances in Cryptology, proceedings of ASIACRYPT 2007, Lecture Notes in Computer Science~4833, pp.~315--324, Springer-Verlag, 2007. 42. Chu-Wee Lim, Khoongming Khoo, An Analysis of XSL Applied to BES, proceedings of Fast Software Encryption 2007, Lecture Notes in Computer Science~4593, pp.~242--253, Springer-Verlag, 2007.