Danilo Gligoroski, NIST mailing list 2008-12-12
-----------------------------------------------
Cheetah hash function is not resistant against length-extension attack.
The mechanism in Cheetah to protect against length-extension attack is the
permutation of the chaining value before the last invocation of the
compression function. However, the initial chaining value of Cheetah is a
zero vector of 256 or 512 bits. That means that every hashing of short
messages that have length less than 959 bits will suffer from the trivial
length-extension attack because the permutation of the initial zero vector
is known to the attacker.
Best regards,
Danilo Gligoroski