Page 6, Section 3.4.3, added at the end of the paragraph:
Hence, a HAIFA hash function can be distinguished after $q$ queries to
the compression function with probability at most $O(q^2 / 2^{m_c})$ (or
if $m_c = m$ --- with probability at most $O(q^2/2^m)$).
Page 18, Section 5.2, added a bullet concerning why Enveloped Merkle-Damgard
was not selected as the mode of iteration of SHAvite-3:
Enveloped Merkle-Damgard --- While the enveloped Merkle-Damgard
mode offers the preservation of the pseudorandom properties of the
compression function, it does not offer full second preimage resistance
for long messages and is not secure against the herding attack. Hence,
we decided to avoid the use of this mode.
Page 22, Section 6.1.1, the "Algebraic Approaches" bullet:
Updated submission (15th January):
is still open.
New Specification Document (1st February):
is still open (see [18,42]).
Added at the end of the bullet:
We also note that this seems to render cube attacks [27]
on the full cipher ineffective.
Page 26, Section 7, added at the end of the paragraph just after the
second formula:
Of course, in this case the key used as salt is to be kept secret.
Page 26, Section 7, one paragraph before last: added at the end
of the paragraph:
In Table 4
we compare the number of compression function calls when using
SHA-256, HMAC-SHA-256, SHAvite-3, and SHAvite-3-MAC (when they are used
to produce a 256-bit digest/tag).
Also, we added Table 4.
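The comparison above is the kind of count a practitioner would want to reproduce for an arbitrary message length. The following Python is an added example, not part of the specification or of Table 4: it counts compression function calls for a plain iterated hash, for HMAC built on top of it, and for a MAC that passes the key as the HAIFA salt (which, as the Section 7 change notes, adds no extra calls because the salt enters every compression call). The SHA-256 parameters (64-byte block, 9 bytes of mandatory padding, 32-byte digest) are standard; the SHAvite-3-256 block size and padding overhead used here are this example's assumptions, not values taken from the document, and should be checked against the specification before being quoted.

```python
import math

# SHA-256 (standard values): 512-bit block, padding = 0x80 byte + zeros + 64-bit length,
# so a message of L bytes always occupies ceil((L + 9) / 64) blocks.
SHA256_BLOCK = 64
SHA256_PAD_OVERHEAD = 9
SHA256_DIGEST = 32

# SHAvite-3-256 values ASSUMED by this example (512-bit block; 1 bit, zeros,
# 64-bit message length and 16-bit digest length => at least 11 padding bytes).
SHAVITE3_256_BLOCK = 64
SHAVITE3_256_PAD_OVERHEAD = 11


def md_calls(msg_len, block=SHA256_BLOCK, overhead=SHA256_PAD_OVERHEAD):
    """Compression calls of a Merkle-Damgard / HAIFA style hash over msg_len bytes."""
    return math.ceil((msg_len + overhead) / block)


def hmac_calls(msg_len, block=SHA256_BLOCK, overhead=SHA256_PAD_OVERHEAD,
               digest=SHA256_DIGEST):
    """HMAC = H((K ^ opad) || H((K ^ ipad) || M)).

    Inner hash: one full key block followed by the message.
    Outer hash: one full key block followed by the inner digest.
    """
    inner = md_calls(block + msg_len, block, overhead)
    outer = md_calls(block + digest, block, overhead)
    return inner + outer


def salt_keyed_calls(msg_len, block=SHAVITE3_256_BLOCK,
                     overhead=SHAVITE3_256_PAD_OVERHEAD):
    """MAC obtained by feeding the secret key as the HAIFA salt: the key is an
    input of every compression call, so no extra blocks are processed."""
    return md_calls(msg_len, block, overhead)


def compare(msg_len):
    """Calls for a 256-bit digest/tag over a msg_len-byte message (same rows as Table 4)."""
    return {
        "SHA-256": md_calls(msg_len),
        "HMAC-SHA-256": hmac_calls(msg_len),
        "SHAvite-3": salt_keyed_calls(msg_len),        # assumed parameters, see above
        "SHAvite-3-MAC": salt_keyed_calls(msg_len),    # same as unkeyed: salt costs nothing
    }


if __name__ == "__main__":
    for n in (0, 55, 56, 1000):
        print(n, compare(n))
```

For the empty message HMAC-SHA-256 already needs four calls against one for SHA-256, and the gap stays at three calls for long messages (plus an occasional fourth when the extra key block pushes the padding into a new block), whereas a salt-keyed MAC pays nothing over the unkeyed hash.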
Page 31, Section 8.3.3, second paragraph:
Updated submission (15th January):
four AES round cores need to be used. This increases the circuit size to
about 100,500 gates.
New Specification Document (1st February):
three AES round cores need to be used with some additional memory.^{4}
This increases the circuit size to about 81,000 gates.
Footnote 4 was added and says:
The three cores are used as follows: one in each $F^{4}(\cdot)$, and one for
the message expansion. There is a requirement for some additional memory in
the message expansion in this approach.
Bibliography:
Added references:
18. Carlos Cid, Gaëtan Leurent, An Analysis of the XSL Algorithm,
Advances in Cryptology, proceedings of ASIACRYPT 2005,
Lecture Notes in Computer Science 3788, pp. 333--352, Springer-Verlag, 2005.
27. Itai Dinur, Adi Shamir, Cube Attacks on Tweakable Black Box Polynomials,
IACR ePrint report 2008/385, 2008.
41. Lars R. Knudsen, Vincent Rijmen, Known-Key Distinguishers for Some Block Ciphers,
Advances in Cryptology, proceedings of ASIACRYPT 2007,
Lecture Notes in Computer Science 4833, pp. 315--324, Springer-Verlag, 2007.
42. Chu-Wee Lim, Khoongming Khoo, An Analysis of XSL Applied to BES,
proceedings of Fast Software Encryption 2007,
Lecture Notes in Computer Science 4593, pp. 242--253, Springer-Verlag, 2007.