Paper 2007/278

A Framework for Iterative Hash Functions - HAIFA

Eli Biham and Orr Dunkelman


Since the seminal works of Merkle and Damgard on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgard construction. Recently, several flaws in this construction were identified, allowing for pre-image attacks and second pre-image attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgard, and the RMC and ROX modes can be all be instantiated as part of the HAsh Iterative FrAmework (HAIFA).

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Merkle-Damgardrandomized hashingEnveloped Merkle-DamgardRMCROXWide pipeHAIFA
Contact author(s)
orr dunkelman @ esat kuleuven be
2007-08-08: last of 2 revisions
2007-08-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Eli Biham and Orr Dunkelman},
      title = {A Framework for Iterative Hash Functions - HAIFA},
      howpublished = {Cryptology ePrint Archive, Paper 2007/278},
      year = {2007},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.