> HAIFA is a response to MD that (among other things) eliminates length-extension attacks.
Sorry to reply belatedly, but after reading the HAIFA paper I'm a little confused. When the message is a multiple of the block length, doesn't HAIFA still depend on padding for protecting against length extension attacks? At the bottom of page 4 the paper says, "If this value [the number of bits processed so far] is not a multiple of a block, then the resulting digest does not equal the chaining value that is needed to the expansion of the message. If the message is a multiple of a block, then an additional block is hashed (with the padding) with the same number of bits hashed so far." Later they also mention that they use basically the same padding scheme as in MD: "The padding scheme used in HAIFA is very similar to the one used in the Merkle-Damgaard construction, i.e. the message is padded with 1, as many needed 0s, the length of the message encoded in a fixed number of bits, and the digest size."
My impression from my admittedly cursory reading of the paper is that protection against extension attacks wasn't a motivating factor for designing HAIFA. The major motivation, at least going by the paper's internal evidence, seems to be protecting against a kind of pre-image attack based on finding fixed points of the one-way compression function.
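The counter rule quoted from the paper can be traced on a toy construction. This is an added example, not part of the comment above and not code from the HAIFA paper. The SHA-256-based compression function, the 64-byte block, the all-zero IV and every function name are assumptions made for illustration, and the salt and digest-size fields are left out.

```python
import hashlib
import struct

BLOCK = 64        # toy block size in bytes (assumption)
IV = bytes(32)    # toy initial chaining value (assumption)

def compress(h, block, bits):
    """Toy compression function (SHA-256 based). bits=None models plain MD,
    an integer models HAIFA's 'bits hashed so far' input."""
    ctr = b"" if bits is None else struct.pack(">Q", bits)
    return hashlib.sha256(h + block + ctr).digest()

def pad(msg_len):
    """MD-style padding: 0x80, zeros, 64-bit message length in bits."""
    zeros = -(msg_len + 9) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", msg_len * 8)

def absorb(h, data, haifa, start_bits, msg_bits):
    """Chain block-aligned data. The counter counts message bits only, so a
    padding-only block reuses the count of the block before it."""
    for i in range(0, len(data), BLOCK):
        seen = min(start_bits + (i + BLOCK) * 8, msg_bits)
        h = compress(h, data[i:i + BLOCK], seen if haifa else None)
    return h

def toy_hash(msg, haifa):
    return absorb(IV, msg + pad(len(msg)), haifa, 0, len(msg) * 8)

def extension_matches(msg, suffix, haifa):
    """Resume hashing from H(msg) as if it were a chaining value and compare
    with the real hash of msg || pad || suffix."""
    glue = pad(len(msg))
    forged_msg = msg + glue + suffix
    prefix_bits = (len(msg) + len(glue)) * 8
    tail = suffix + pad(len(forged_msg))
    resumed = absorb(toy_hash(msg, haifa), tail, haifa,
                     prefix_bits, len(forged_msg) * 8)
    return resumed == toy_hash(forged_msg, haifa)

if __name__ == "__main__":
    aligned = b"A" * BLOCK   # constructed sample: exactly one block
    for haifa in (False, True):
        print("HAIFA" if haifa else "MD", extension_matches(aligned, b"tail", haifa))
```

In the block-aligned case the padding block is identical in both hashes. The only input that differs is the counter: the digest compressed that block with one block's worth of bits, while the longer message compresses the same block with two.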