In this paper we have put forward a new hash function, called Tiger, which is designed to be both fast and secure. Its core is three rounds, each of which uses eight lookups into 8-to-64-bit S-boxes to provide a strong nonlinear avalanche plus a number of register operations to increase diffusion and make differential attacks harder.
It can be implemented efficiently on 32-bit and 64-bit machines. On the former it is as fast as SHA1, but unlike SHA1, it can use the full power of 64-bit machines, on which it is about 2.5 times faster than SHA1. It can also be implemented on 16-bit machines, on which it should still be faster than SHA1.
It outputs 192-bit hash values. For compatibility with existing applications, we suggest that its output can be truncated to 160 or 128 bits if required. We believe that even these shortened variants are more secure than existing functions of the same output length; however, if the ultra-cautious wish to add extra passes to Tiger, then they are welcome to do so, and we suggest a multiplicative constant of 9 in all the extra passes. We call these variants TigerM, or TigerM/N, where M is the number of passes, and N is the number of bits in the hash value.
As usual when suggesting a new cryptographic primitive, we urge people to study the strength of Tiger; we will appreciate attacks, analysis and any
More information on the current status of Tiger, an updated copy of this paper, and reference implementations, will be available at the authors' home pages at the URLs: