The WHIRLPOOL Hash Function

M51 (Whirlpool) Galaxy in Canes Venatici. Image courtesy of William McLaughlin.

Welcome!

WHIRLPOOL is a hash function designed by Vincent Rijmen and Paulo S. L. M. Barreto that operates on messages less than 2²⁵⁶ bits in length, and produces a message digest of 512 bits.

Historically, WHIRLPOOL had three versions. The first version, WHIRLPOOL-0, was submitted to the NESSIE project. Its "tweaked" successor, WHIRLPOOL-T, was selected for the NESSIE portfolio of cryptographic primitives. A flaw in its diffusion layer reported by Shirai and Shibutani ("On the diffusion matrix employed in the Whirlpool hashing function," NESSIE public report, 2003) was fixed afterwards, and the final version (called simply WHIRLPOOL for short) was adopted by the International Organization for Standardization (ISO) in the ISO/IEC 10118-3:2004 standard.



---

The function

WHIRLPOOL uses Merkle-Damgård strengthening and the Miyaguchi-Preneel hashing scheme with a dedicated 512-bit block cipher called W. This consists of the following. The bit string to be hashed is padded with a &lquo;'1'-bit, then with a sequence of '0'-bits, and finally with the original length (in the form of a 256-bit integer value), so that the length after padding is a multiple of 512 bits. The resulting message string is divided into a sequence of 512-bit blocks m₁, m₂, ... m_t which is then used to generate a sequence of intermediate hash values H₀, H₁, H₂, ... H_t. By definition, H₀ is a string of 512 '0'-bits. To compute H_i, W encrypts m_i using H_i-1 as key, and XORs the resulting ciphertext with both H_i-1 and m_i. Finally, the WHIRLPOOL message digest is H_t.

Miyaguchi-Preneel compression function:


---

The internal W block cipher

The W  block cipher used by WHIRLPOOL is very similar to the AES algorithm, RIJNDAEL, the main differences being sketched in the following table:

The W  S-box, which in the original submission is generated entirely at random (i.e. lacks any internal structure), by a recursive structure: the new 8×8 substitution box is composed of smaller 4×4 "mini-boxes" (the exponential E-box, its inverse, and the pseudo-randomly generated R-box).

The recursive structure of the "tweaked" S-box:

---

The documentation

The documentation package contains:


• the specification (DVI, PDF, PS),
• reference implementations (C, Java), and
• test vectors (NESSIE, ISO) for the standardized version of WHIRLPOOL.

The reference implementations are in the public domain. But before you go and use it, please read the accompanying disclaimer:


THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



---

The security statement

Assume we take as hash result the value of any n-bit substring of the full WHIRLPOOL output. The design of WHIRLPOOL sets the following security goals:

The expected workload of generating a collision is of the order of 2n/2 executions of WHIRLPOOL. Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of 2n executions of WHIRLPOOL. Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2n executions of WHIRLPOOL. It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks).

These claims result from the considerable safety margin taken with respect to all known attacks. We do however realise that it is impossible to make non-speculative statements on things unknown.

In spite of any analysis, doubts might remain regarding the presence of trapdoors deliberately introduced in the algorithm. That is why the NESSIE effort asked for the designers' declaration on the contrary. Therefore we, the designers of WHIRLPOOL, do hereby declare that there are no hidden weaknesses inserted by us in the WHIRLPOOL primitive.



---

The availability

WHIRLPOOL is not (and will never be) patented. It may be used free of charge for any purpose. The reference implementations are in the public domain.



---

The name

The WHIRLPOOL hashing function is named after the Whirlpool galaxy in Canes Venatici (M51, or NGC 5194), the first one recognized to have spiral structure by William Parsons, third Earl of Rosse, in April 1845 (cf. M. Hoskin, "The Cambridge Illustrated History of Astronomy," Cambridge University Press, 1997).


Another nice, true-colour photograph of the Whirlpool Galaxy, taken by Peter Bunclark (IoA).
Image courtesy of the Isaac Newton Group of Telescopes, La Palma.


---

Links

The Hash Function Lounge

Paulo's page

Vincent's page




---

Visits since 2001.05.06:

Last update: 2006.10.28
Copyright © 2001, 2005 by Paulo S. L. M. Barreto.  All rights reserved.