Security

HAVAL: From Hero to Zero

In the 1990s, cryptographers were searching for hash functions that could offer flexibility without sacrificing security. HAVAL emerged as an ambitious answer—a hash function that let users choose their own security parameters. For a brief moment, it seemed like the future of hashing. Then came 2004.

This is the story of HAVAL: how it rose to prominence, what made it special, and why you should never use it today.

What is HAVAL?

HAVAL (HAsh of VAriable Length) was designed in 1992 by Yuliang Zheng, Josef Pieprzyk, and Jennifer Seberry at the University of Wollongong, Australia. It was built as an improvement over MD5, offering something no other hash function provided at the time: user-configurable security parameters.

With HAVAL, you could choose:

Number of passes: 3, 4, or 5 passes over the data
Output length: 128, 160, 192, 224, or 256 bits

This gave users 15 different combinations (3 passes × 5 output sizes), allowing them to trade off speed for security based on their specific needs.

The Appeal of Flexibility

In the early 1990s, this flexibility was revolutionary. Consider the landscape:

Hash Function	Output Size	Operations	Year
MD4	128 bits	48 (3 rounds × 16)	1990
MD5	128 bits	64 (4 rounds × 16)	1991
SHA-0	160 bits	80 (4 rounds × 20)	1993
HAVAL	128-256 bits	96-160 (3-5 passes × 32)	1992

While other hash functions locked you into a single configuration, HAVAL offered a menu. Need speed? Use HAVAL-128-3 (128-bit output, 3 passes). Need maximum security? Use HAVAL-256-5 (256-bit output, 5 passes).

The naming convention is straightforward: HAVAL-[bits]-[passes]

Example Hashes

Here's what HAVAL-256-5 (the most secure variant) produces:

HAVAL-256-5("") =
be417bb4dd5cfb76c7126f4f8eeb1553a449039307b1a3cd451dbfdc0fbbe330

HAVAL-256-5("The quick brown fox jumps over the lazy dog") =
b89c551cdfe2e06dbd4cea2be1bc7d557416c58ebb4d07cbc94e49f710c55be4

Notice the 64-character hexadecimal output (256 bits). Even with 5 passes and 256-bit output, this variant is now broken.

How HAVAL Works

HAVAL processes input in 1024-bit (128-byte) blocks—twice the block size of MD5's 512 bits. This larger block size was intended to improve security against certain attacks.

The Algorithm Structure

Padding: The message is padded to a multiple of 1024 bits, with the last 10 bytes encoding the message length and HAVAL parameters (version, passes, output length).
Initialization: Eight 32-bit state variables (A through H) are initialized with fixed constants:
```
A = 0x243F6A88    E = 0xA4093822
B = 0x85A308D3    F = 0x299F31D0
C = 0x13198A2E    G = 0x082EFA98
D = 0x03707344    H = 0xEC4E6C89
```
(These are derived from the fractional part of π)
Processing: Each 1024-bit block goes through 3, 4, or 5 passes. Each pass consists of 32 rounds, making:
- 3 passes = 96 rounds
- 4 passes = 128 rounds
- 5 passes = 160 rounds
Compression: Each pass uses a different Boolean function. Within a pass, all 32 rounds use the same function but mix the state with different message words and constants.
Finalization: The final state is folded down to produce the desired output length (128, 160, 192, 224, or 256 bits).

The Boolean Functions

Each pass uses a different 7-variable Boolean function (f₁ through f₅). These functions were designed by Seberry and Zhang to satisfy specific cryptographic properties:

Balanced: Equal probability of 0 and 1 outputs
Highly nonlinear: Resistant to linear approximation
Linearly inequivalent: No two functions can be transformed into each other via linear operations

For 3-pass HAVAL, only f₁, f₂, f₃ are used. For 4-pass, f₁ through f₄. For 5-pass, all five functions.

The complete function definitions can be found in the original HAVAL paper.

Message Word Ordering

Unlike MD5, which processes message words in a fixed order, HAVAL uses different permutations of the 32 message words for each pass. This was intended to increase diffusion and resist differential cryptanalysis.

The Fall: Wang's Attack (2004)

In 2004, the same year that brought devastating attacks against MD5 and SHA-1, Xiaoyun Wang and her colleagues turned their attention to HAVAL. The results were catastrophic.

Collision Attacks

Wang's team and subsequent researchers found collisions in HAVAL with alarming efficiency:

Variant	Complexity	Source
3-pass HAVAL (all sizes)	2⁷	Wang et al. 2004
4-pass HAVAL (all sizes)	2³⁶	Yu et al. 2006
5-pass HAVAL (all sizes)	2¹²³	Yu et al. 2006

The 3-pass variants were completely broken—collisions could be found in roughly 128 compression function calls. That's not 2¹²⁸. That's about 2⁷. On a modern computer, that takes microseconds.

What This Means in Practice

With only 2⁷ (128) operations needed, finding a HAVAL-128-3 collision is trivial. Wang's paper demonstrated collisions where two 1024-bit message blocks differed in only a handful of bits yet produced identical hashes.

For comparison:

Brute force on 128-bit hash: 2⁶⁴ operations (birthday attack)
Wang's attack on HAVAL-128-3: 2⁷ operations
Difference: The attack is 2⁵⁷ times faster than brute force

Why the Attack Worked

HAVAL's downfall came from the same weakness that plagued MD5: insufficient diffusion in the Boolean functions. The 3-pass variant simply didn't mix the input enough to prevent differential attacks.

The larger 1024-bit block size, which was supposed to improve security, actually made the attack easier by providing more message bits to manipulate.

The 5-Pass Variants: A Brief Reprieve

The 5-pass variants held up longer. HAVAL-256-5 wasn't immediately broken by Wang's 2004 attack. But the writing was on the wall.

Subsequent research completed the cryptanalysis:

2006: Yu et al. publish collision attacks on 4-pass (2³⁶) and 5-pass (2¹²³) variants at FSE 2006

By 2006, all 15 HAVAL variants were cryptographically broken—attacks faster than brute force existed for every configuration.

Performance vs. Security: A False Trade-off

HAVAL's core premise—that users could choose their security level—turned out to be flawed. The 3-pass variants that offered "speed" were completely insecure. The 5-pass variants that offered "security" were slower than SHA-256 while providing less actual security.

HAVAL-256-5 vs. Modern Alternatives:

Hash	Relative Speed	Security Status
HAVAL-256-5	Slow	Broken
SHA-256	Medium	Secure
SHA-3-256	Medium	Secure
BLAKE2b	Fast	Secure

Even if HAVAL were secure, faster and proven alternatives exist. There's no scenario where HAVAL makes sense today.

Legacy and Lessons

HAVAL taught the cryptographic community several important lessons:

1. Flexibility Can Be Dangerous

Offering multiple security levels tempts users to choose the faster, weaker options. When those options are later broken, systems that chose "speed" are compromised.

2. Larger Isn't Always Better

HAVAL's 1024-bit block size was marketed as a security improvement, but it provided more attack surface, not less. SHA-256's 512-bit blocks turned out to be perfectly adequate.

3. Rounds Matter More Than Round Complexity

HAVAL's Boolean functions were complex, but 3 passes weren't enough. SHA-256's simpler operations over 64 rounds provided better diffusion.

4. The Importance of Conservative Design

HAVAL was ambitious. SHA-2, published in 2001, took a conservative approach—and it's still secure over 20 years later.

Where HAVAL Lives Today

HAVAL is mostly forgotten, but you might still encounter it:

Legacy systems: Some 1990s-era software used HAVAL for file integrity checking
Password hashing: A few old systems stored passwords using HAVAL (these should be migrated immediately)
Forensics tools: Some digital forensics software can calculate HAVAL hashes for compatibility with old evidence

If you find HAVAL in a production system, treat it as a critical vulnerability requiring immediate remediation.

The Bottom Line

HAVAL was an innovative design that addressed a real need—flexible security parameters. But cryptographic flexibility proved to be a liability, not an asset. When the weakest variants fell, they took HAVAL's reputation with them.

Today, HAVAL serves as a cautionary tale: in cryptography, simplicity and conservatism beat ambition and flexibility.

Use SHA-256 or SHA-3. Use BLAKE2 if you need speed. Leave HAVAL where it belongs—in the history books.

Quick Reference

Variant	Output	Passes	Operations	Status
HAVAL-128-3	128 bits	3	96	Broken (2⁷ collision)
HAVAL-128-4	128 bits	4	128	Broken (2³⁶ collision)
HAVAL-128-5	128 bits	5	160	Broken (2¹²³ collision)
HAVAL-160-3	160 bits	3	96	Broken (2⁷ collision)
HAVAL-160-4	160 bits	4	128	Broken (2³⁶ collision)
HAVAL-160-5	160 bits	5	160	Broken (2¹²³ collision)
HAVAL-192-3	192 bits	3	96	Broken (2⁷ collision)
HAVAL-192-4	192 bits	4	128	Broken (2³⁶ collision)
HAVAL-192-5	192 bits	5	160	Broken (2¹²³ collision)
HAVAL-224-3	224 bits	3	96	Broken (2⁷ collision)
HAVAL-224-4	224 bits	4	128	Broken (2³⁶ collision)
HAVAL-224-5	224 bits	5	160	Broken (2¹²³ collision)
HAVAL-256-3	256 bits	3	96	Broken (2⁷ collision)
HAVAL-256-4	256 bits	4	128	Broken (2³⁶ collision)
HAVAL-256-5	256 bits	5	160	Broken (2¹²³ collision)

Timeline

Year	Event
1992	HAVAL published by Zheng, Pieprzyk, and Seberry
1992-2003	HAVAL used in various applications
2004	Wang et al. publish collision attacks on 3-pass variants (2⁷)
2006	Yu et al. break 4-pass (2³⁶) and 5-pass (2¹²³) variants—all HAVAL variants now broken
Today	HAVAL deprecated—do not use

References

Zheng, Y., Pieprzyk, J., & Seberry, J. (1992). "HAVAL—A One-Way Hashing Algorithm with Variable Length of Output." AUSCRYPT '92, LNCS 718, pp. 83-104.
Wang, X., Feng, D., Lai, X., & Yu, H. (2004). "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD." Rump Session, CRYPTO 2004.
Yu, H., Wang, X., Yun, A., & Park, S. (2006). "Cryptanalysis of the Full HAVAL with 4 and 5 Passes." FSE 2006.
HAVAL on Wikipedia