Whirlpool (hash function)

<h2 id="design-features">Design features</h2>

<p>Whirlpool is a hash designed after the <a href="/facts/Square_(cipher)/mQRozt3V">Square</a> <a href="/facts/Block_cipher/MJywAyfQ">block cipher</a>, and is considered to be in that family of block cipher functions. 
</p><p>Whirlpool is a <a href="/facts/One-way_compression_function/Rog6N1KR">Miyaguchi-Preneel</a> construction based on a substantially modified <a href="/facts/Advanced_Encryption_Standard/HdXGBY2Q">Advanced Encryption Standard</a> (AES). 
</p><p>Whirlpool takes a message of any length less than 2256 bits and returns a 512-bit <a href="/facts/Message_digest/cuxkgbST">message digest</a>.<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a>
</p><p>The authors have declared that
</p>
"WHIRLPOOL is not (and will never be) <a href="/facts/Patent/LjT2bG3A">patented</a>. It may be used free of charge for any purpose."<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a>
<h3>Version changes</h3>
<p>The original Whirlpool will be called <i>Whirlpool-0</i>, the first revision of Whirlpool will be called <i>Whirlpool-T</i> and the latest version will be called <i>Whirlpool</i> in the following test vectors.
</p>
<ul><li>In the first revision in 2001, the <a href="/facts/S-box/9xKgnLCF">S-box</a> was changed from a randomly generated one with good cryptographic properties to one which has better cryptographic properties and is easier to implement in hardware.</li>
<li>In the second revision (2003), a flaw in the <a href="/facts/MDS_matrix/YySPhFPh">diffusion matrix</a> was found that lowered the estimated security of the algorithm below its potential.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> Changing the 8x8 rotating matrix constants from (1, 1, 3, 1, 5, 8, 9, 5) to (1, 1, 4, 1, 8, 5, 2, 9) solved this issue.</li></ul>
<h2 id="internal-structure">Internal structure</h2>
<p>The Whirlpool hash function is a <a href="/facts/Merkle%25E2%2580%2593Damg%25C3%25A5rd_construction/nEuAJBAs">Merkle–Damgård construction</a> based on an <a href="/facts/Advanced_Encryption_Standard/HdXGBY2Q">AES</a>-like <a href="/facts/Block_cipher/MJywAyfQ">block cipher</a> W in <a href="/facts/One-way_compression_function/Rog6N1KR">Miyaguchi–Preneel</a> mode.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> 
</p><p>The <a href="/facts/Block_cipher/MJywAyfQ">block cipher</a> W consists of an 8×8 state matrix 
  
    
      
        S
      
    
    {\displaystyle S}
  
 of bytes, for a total of 512 bits.
</p><p>The encryption process consists of updating the state with four round functions over 10 rounds. The four round functions are SubBytes (SB), ShiftColumns (SC), MixRows (MR) and AddRoundKey (AK). During each round the new state is computed as

S
        =
        A
        K
        ∘
        M
        R
        ∘
        S
        C
        ∘
        S
        B
        (
        S
        )
      
    
    {\displaystyle S=AK\circ MR\circ SC\circ SB(S)}
  
.
</p>
<h3>SubBytes</h3>
<p>The SubBytes operation applies a non-linear permutation (the S-box) to each byte of the state independently. The 8-bit S-box is composed of 3 smaller 4-bit S-boxes.
</p>
<h3>ShiftColumns</h3>
<p>The ShiftColumns operation cyclically shifts each byte in each column of the state. Column <i>j</i> has its bytes shifted downwards by <i>j</i> positions.
</p>
<h3>MixRows</h3>
<p>The MixRows operation is a right-multiplication of each row by an 8×8 matrix over 
  
    
      
        G
        F
        (
        
          
            2
            
              8
            
          
        
        )
      
    
    {\displaystyle GF({2^{8}})}
  
. The matrix is chosen such that the <a href="/facts/Branch_number/nnj0C13Q">branch number</a> (an important property when looking at resistance to <a href="/facts/Differential_cryptanalysis/84yp0SDC">differential cryptanalysis</a>) is 9, which is maximal.
</p>
<h3>AddRoundKey</h3>
<p>The AddRoundKey operation uses bitwise <a href="/facts/Exclusive_or/FHyr7hGQ">xor</a> to add a key calculated by the key schedule to the current state. The key schedule is identical to the encryption itself, except the AddRoundKey function is replaced by an AddRoundConstant function that adds a predetermined constant in each round.
</p>
<h2 id="whirlpool-hashes">Whirlpool hashes</h2>
<p>The Whirlpool algorithm has undergone two revisions since its original 2000 specification.
</p><p>People incorporating Whirlpool will most likely use the most recent revision of Whirlpool; while there are no known security weaknesses in earlier versions of Whirlpool, the most recent revision has better hardware implementation efficiency characteristics, and is also likely to be more secure. As mentioned earlier, it is also the version adopted in the ISO/IEC 10118-3 <a href="/facts/International_standard/9R3SMtfH">international standard</a>.
</p><p>The 512-bit (64-byte) Whirlpool hashes (also termed <i>message digests</i>) are typically represented as 128-digit <a href="/facts/Hexadecimal/02ohQW22">hexadecimal</a> numbers.
The following demonstrates a 43-byte <a href="/facts/ASCII/vGUI33Qu">ASCII</a> input (not including quotes) and the corresponding Whirlpool hashes:
</p>
<table><tbody><tr><th>Version</th><th>Input String</th><th>Computed Hash</th></tr><tr><td>Whirlpool-0</td><td><i>"</i><a href="/facts/The_quick_brown_fox_jumps_over_the_lazy_dog/LqNhzP4z">The quick brown fox jumps over the lazy dog</a><i>"</i></td><td> 4F8F5CB531E3D49A61CF417CD133792CCFA501FD8DA53EE368FED20E5FE0248C 3A0B64F98A6533CEE1DA614C3A8DDEC791FF05FEE6D971D57C1348320F4EB42D</td></tr><tr><td>Whirlpool-T</td><td><i>"</i>The quick brown fox jumps over the lazy dog<i>"</i></td><td> 3CCF8252D8BBB258460D9AA999C06EE38E67CB546CFFCF48E91F700F6FC7C183 AC8CC3D3096DD30A35B01F4620A1E3A20D79CD5168544D9E1B7CDF49970E87F1</td></tr><tr><td>Whirlpool</td><td><i>"</i>The quick brown fox jumps over the lazy dog<i>"</i></td><td> B97DE512E91E3828B40D2B0FDCE9CEB3C4A71F9BEA8D88E75C4FA854DF36725F D2B52EB6544EDCACD6F8BEDDFEA403CB55AE31F03AD62A5EF54E42EE82C3FB35</td></tr></tbody></table>
<h2 id="implementations">Implementations</h2>
<p>The authors provide <a href="/facts/Reference_implementation/k9B97xel">reference implementations</a> of the Whirlpool algorithm, including a version written in <a href="/facts/C_(programming_language)/Ky2No763">C</a> and a version written in <a href="/facts/Java_(programming_language)/9ScgFyAL">Java</a>.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> These reference implementations have been released into the public domain.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a>
</p><p>Research on the security analysis of the Whirlpool function however, has revealed that on average, the introduction of 8 random faults is sufficient to compromise the 512-bit Whirlpool hash message being processed and the secret key of HMAC-Whirlpool within the context of Cloud of Things (CoTs). This emphasizes the need for increased security measures in its implementation.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a>
</p>
<h2 id="adoption">Adoption</h2>
<p>Two of the first widely used mainstream cryptographic programs that started using Whirlpool were <a href="/facts/FreeOTFE/QM6pwR3n">FreeOTFE</a>, followed by <a href="/facts/TrueCrypt/vK1yL9Io">TrueCrypt</a> in 2005.
</p><p><a href="/facts/VeraCrypt/F6h1wIrH">VeraCrypt</a> (a fork of <a href="/facts/TrueCrypt/vK1yL9Io">TrueCrypt</a>) included Whirlpool (the final version) as one of its supported hash algorithms.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a>
</p>
<h2 id="see-also">See also</h2>
<ul><li><a href="/facts/Digital_timestamping/eRjuYGTM">Digital timestamping</a></li></ul>

<h2 id="external-links">External links</h2>
<ul><li><a href="https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html">The WHIRLPOOL Hash Function</a> at the <a href="/facts/Wayback_Machine/nmQ3a6JC">Wayback Machine</a> (archived 2017-11-29)</li>
<li><a href="https://sourceforge.net/projects/jacksum/">Jacksum</a> on <a href="/facts/SourceForge/lxYAgUAX">SourceForge</a>, a Java implementation of all three revisions of Whirlpool</li>
<li><a href="https://github.com/jzelinskie/whirlpool">whirlpool</a> on <a href="/facts/GitHub/n1hNCsc3">GitHub</a> – An open source <a href="/facts/Go_(programming_language)/oWlsmAFJ">Go</a> implementation of the latest revision of Whirlpool</li>
<li><a href="https://web.archive.org/web/20120219054743/http://www.karljapetre.com/whirlpool/">A Matlab Implementation of the Whirlpool Hashing Function</a></li>
<li><a href="http://rhash.sourceforge.net/">RHash</a>, an <a href="/facts/Open_source/7X9rCdz4">open source</a> command-line tool, which can calculate and verify Whirlpool hash.</li>
<li><a href="https://metacpan.org/pod/Digest::Whirlpool">Perl Whirlpool</a> module at <a href="/facts/CPAN/MB7Iv662">CPAN</a></li>
<li><a href="https://rubygems.org/gems/digest-whirlpool">Digest module</a> implementing the Whirlpool hashing algorithm in <a href="/facts/Ruby_(programming_language)/BeYSaPSR">Ruby</a></li>
<li><a href="http://method-combination.net/lisp/ironclad/">Ironclad</a> a <a href="/facts/Common_Lisp/mq1pRbSF">Common Lisp</a> cryptography package containing a Whirlpool implementation</li>
<li><a href="https://www.iso.org/standard/39876.html">The ISO/IEC 10118-3:2004 standard</a></li>
<li><a href="https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/whirlpool/index.html">Test vectors for the Whirlpool hash</a> from the <a href="/facts/NESSIE/IXgAcAhx">NESSIE</a> project</li>
<li><a href="http://csharptest.net/browse/src/Library/Crypto/WhirlpoolManaged.cs">Managed C# implementation</a></li>
<li><a href="https://pypi.org/project/Whirlpool/">Python Whirlpool module</a></li></ul>

<h2 id="references">References</h2>

<ol>
<li id="fn:1"><p>Barreto, Paulo S. L. M. & Rijmen, Vincent (2003-05-24). "The WHIRLPOOL Hashing Function". Archived from the original (ZIP) on 2017-10-26. Retrieved 2018-08-09. {{cite journal}}: Cite journal requires |journal= (help) <a href="https://web.archive.org/web/20171026140501/http://www.larc.usp.br/%7Epbarreto/whirlpool.zip" target="_blank">https://web.archive.org/web/20171026140501/http://www.larc.usp.br/%7Epbarreto/whirlpool.zip</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li>
<li id="fn:2"><p>Paulo S. L. M. Barreto (2008-11-25). "The WHIRLPOOL Hash Function". Archived from the original on 2017-11-29. Retrieved 2018-08-09. <a href="https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html" target="_blank">https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li>
<li id="fn:3"><p>Kyoji, Shibutani & Shirai, Taizo (2003-03-11). "On the diffusion matrix employed in the Whirlpool hashing function" (PDF). Retrieved 2018-08-09. {{cite journal}}: Cite journal requires |journal= (help) <a href="https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/whirlpool-20030311.pdf" target="_blank">https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/whirlpool-20030311.pdf</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li>
<li id="fn:4"><p>Paulo S. L. M. Barreto (2008-11-25). "The WHIRLPOOL Hash Function". Archived from the original on 2017-11-29. Retrieved 2018-08-09. <a href="https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html" target="_blank">https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li>
<li id="fn:5"><p>Paulo S. L. M. Barreto (2008-11-25). "The WHIRLPOOL Hash Function". Archived from the original on 2017-11-29. Retrieved 2018-08-09. <a href="https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html" target="_blank">https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li>
<li id="fn:6"><p>Paulo S. L. M. Barreto (2008-11-25). "The WHIRLPOOL Hash Function". Archived from the original on 2017-11-29. Retrieved 2018-08-09. <a href="https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html" target="_blank">https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li>
<li id="fn:7"><p>Li, W., Gao, Z., Gu, D., Ge, C., Liao, L., Zhou, Z., Liu, Y., & Liu, Z. (2017). Security Analysis of the Whirlpool Hash Function in the Cloud of Things. KSII Transactions on Internet and Information Systems, 11(1), 536–551. https://doi.org/10.3837/tiis.2017.01.028 <a href="https://doi.org/10.3837/tiis.2017.01.028" target="_blank">https://doi.org/10.3837/tiis.2017.01.028</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li>
<li id="fn:8"><p>"Whirlpool". VeraCrypt Documentation. IDRIX. Retrieved 2018-08-09. <a href="https://www.veracrypt.fr/en/Whirlpool.html" target="_blank">https://www.veracrypt.fr/en/Whirlpool.html</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li>
</ol>

Whirlpool (hash function) open-in-new

Whirlpool (hash function)