World Library  
Flag as Inappropriate
Email this Article

Whirlpool (cryptography)

Article Id: WHEBN0000567567
Reproduction Date:

Title: Whirlpool (cryptography)  
Author: World Heritage Encyclopedia
Language: English
Subject: Rebound attack, Fast Syndrome Based Hash, Hash function security summary, Comparison of cryptographic hash functions, SHA-1
Collection: Cryptographic Hash Functions
Publisher: World Heritage Encyclopedia

Whirlpool (cryptography)

Designers Vincent Rijmen, Paulo S. L. M. Barreto
First published 2000
Derived from Square, AES
Certification NESSIE
Digest sizes 512 bits
Structure Miyaguchi-Preneel
Rounds 10
Best public cryptanalysis
In 2009, a rebound attack was announced that presents full collisions against 4.5 rounds of Whirlpool in 2120 operations, semi-free-start collisions against 5.5 rounds in 2120 time and semi-free-start near-collisions against 7.5 rounds in 2128 time.[1]

In International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard.


  • Design features 1
    • Version changes 1.1
  • Internal structure 2
    • SubBytes 2.1
    • ShiftColumns 2.2
    • MixRows 2.3
    • AddRoundKey 2.4
  • Whirlpool hashes 3
  • Implementations 4
  • See also 5
  • References 6
  • External links 7

Design features

The Whirlpool Galaxy (M51), which inspired the name of the algorithm.[2]

Whirlpool is a hash designed after the Square block cipher. Whirlpool is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES). It takes a message of any length less than 2256 bits and returns a 512-bit message digest.[3]

The authors have declared that "WHIRLPOOL is not (and will never be) patented. It may be used free of charge for any purpose."[2]

Version changes

The original Whirlpool will be called Whirlpool-0, the first revision of Whirlpool will be called Whirlpool-T and the latest version will be called Whirlpool in the following test vectors.

  • In the first revision in 2001, the s-box was changed from a randomly generated one with good cryptographic properties to one which has better cryptographic properties and is easier to implement in hardware.
  • In the second revision (2003), a flaw in the diffusion matrix was found that lowered the estimated security of the algorithm below its potential.[4] Changing the 8x8 rotating matrix constants from (1, 1, 3, 1, 5, 8, 9, 5) to (1, 1, 4, 1, 8, 5, 2, 9) solved this issue.

Internal structure

The Whirlpool hash function is a Merkle–Damgård construction based on an AES-like block cipher W in Miyaguchi-Preneel mode.[2] The block cipher W consists of an 8×8 state matrix S of bytes, for a total of 512 bits. The encryption process consists of updating the state with four round functions over 10 rounds. The four round functions are SubBytes (SB), ShiftColumns (SC), MixRows (MR) and AddRoundKey (AK). During each round the new state is computed as S=AK \circ MR \circ SC \circ SB(S) .


The SubBytes operation applies a non-linear permutation (the S-box) to each byte of the state independently. The 8-bit S-box is composed of 3 smaller 4-bit S-boxes.


The ShiftColumns operation cyclically shifts each byte in each column of the state. Column j has its bytes shifted downwards by j positions.


The MixRows operation is a right-multiplication of each row by an 8×8 matrix over \mathbb{F}_{2^8}. The matrix is chosen such that the branch number (an important property when looking at resistance to differential cryptanalysis) is 9, which is maximal.


The AddRoundKey operation uses bitwise xor to add a key calculated by the key schedule to the current state. The key schedule is identical to the encryption itself, except the AddRoundKey function is replaced by an AddRoundConstant function that adds a predetermined constant in each round.

Whirlpool hashes

The Whirlpool algorithm has undergone two revisions since its original 2000 specification.

People incorporating Whirlpool will most likely use the most recent revision of Whirlpool; while there are no known security weaknesses in earlier versions of Whirlpool, the most recent revision has better hardware implementation efficiency characteristics, and is also likely to be more secure. As mentioned earlier, it is also the version adopted in the ISO/IEC 10118-3 international standard.

The 512-bit (64-byte) Whirlpool hashes (also termed message digests) are typically represented as 128-digit hexadecimal numbers. The following demonstrates a 43-byte ASCII input and the corresponding Whirlpool hashes:

 Whirlpool-0("The quick brown fox jumps over the lazy dog") =

 Whirlpool-T("The quick brown fox jumps over the lazy dog") =

 Whirlpool("The quick brown fox jumps over the lazy dog") =

Even a small change in the message will (with an extremely high probability of 1-10^{-154}) result in a different hash, which will usually look completely different just like two unrelated random numbers do. The following demonstrates the result of changing the previous input by a single letter (a single bit, even, in ASCII-compatible encodings), replacing d with e:

 Whirlpool-0("The quick brown fox jumps over the lazy eog") =

 Whirlpool-T("The quick brown fox jumps over the lazy eog") =
 Whirlpool("The quick brown fox jumps over the lazy eog") =

The hash of a zero-length string is:

 Whirlpool-0("") =

 Whirlpool-T("") =

 Whirlpool("") =


The authors provide reference implementations of the WHIRLPOOL algorithm, including a version written in C and a version written in Java.[2] These reference implementations have been released into the public domain.[2]

Two of the first widely used mainstream cryptographic programs that started using Whirlpool were FreeOTFE, followed by TrueCrypt in 2005.

See also


  1. ^
  2. ^ a b c d e
  3. ^
  4. ^

External links

  • Whirlpool homepage Includes detailed algorithm information, C and Java implementations, the paper, etc.
  • A Java implementation of all three revisions of Whirlpool
  • An open source Go implementation of the latest revision of Whirlpool
  • A Matlab Implementation of the Whirlpool Hashing Function
  • CHK Freeware Checksum Utility with GUI and WHIRLPOOL support
  • RHash, an open source command-line tool, which can calculate and verify Whirlpool hash.
  • Perl Whirlpool module at CPAN
  • Ruby Whirlpool library
  • Ironclad: a Common Lisp cryptography package containing a Whirlpool implementation
  • The ISO/IEC 10118-3 standard
  • Test vectors for the Whirlpool hash from the NESSIE project
  • Managed C# implementation
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from World eBook Library are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.