Whirlpool (hash function)

Last updated
Whirlpool
General
Designers Vincent Rijmen, Paulo S. L. M. Barreto
First published2000, 2001, 2003
Derived from Square, AES
Certification NESSIE
Detail
Digest sizes 512 bits
Security claimsLarge hashsum size
Structure Miyaguchi-Preneel
Rounds 10
Best public cryptanalysis
In 2009, a rebound attack was announced that presents full collisions against 4.5 rounds of Whirlpool in 2120 operations, semi-free-start collisions against 5.5 rounds in 2120 time and semi-free-start near-collisions against 7.5 rounds in 2128 time. [1]

In computer science and cryptography, Whirlpool (sometimes styled WHIRLPOOL) is a cryptographic hash function. It was designed by Vincent Rijmen (co-creator of the Advanced Encryption Standard) and Paulo S. L. M. Barreto, who first described it in 2000.

Contents

The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard.

Design features

The Whirlpool Galaxy (M51), which inspired the name of the algorithm. Messier51 sRGB.jpg
The Whirlpool Galaxy (M51), which inspired the name of the algorithm.

Whirlpool is a hash designed after the Square block cipher, and is considered to be in that family of block cipher functions.

Whirlpool is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES).

Whirlpool takes a message of any length less than 2256 bits and returns a 512-bit message digest. [3]

The authors have declared that

"WHIRLPOOL is not (and will never be) patented. It may be used free of charge for any purpose." [2]

Version changes

The original Whirlpool will be called Whirlpool-0, the first revision of Whirlpool will be called Whirlpool-T and the latest version will be called Whirlpool in the following test vectors.

Internal structure

The Whirlpool hash function is a Merkle–Damgård construction based on an AES-like block cipher W in Miyaguchi–Preneel mode. [2]

The block cipher W consists of an 8×8 state matrix of bytes, for a total of 512 bits.

The encryption process consists of updating the state with four round functions over 10 rounds. The four round functions are SubBytes (SB), ShiftColumns (SC), MixRows (MR) and AddRoundKey (AK). During each round the new state is computed as .

SubBytes

The SubBytes operation applies a non-linear permutation (the S-box) to each byte of the state independently. The 8-bit S-box is composed of 3 smaller 4-bit S-boxes.

ShiftColumns

The ShiftColumns operation cyclically shifts each byte in each column of the state. Column j has its bytes shifted downwards by j positions.

MixRows

The MixRows operation is a right-multiplication of each row by an 8×8 matrix over . The matrix is chosen such that the branch number (an important property when looking at resistance to differential cryptanalysis) is 9, which is maximal.

AddRoundKey

The AddRoundKey operation uses bitwise xor to add a key calculated by the key schedule to the current state. The key schedule is identical to the encryption itself, except the AddRoundKey function is replaced by an AddRoundConstant function that adds a predetermined constant in each round.

Whirlpool hashes

The Whirlpool algorithm has undergone two revisions since its original 2000 specification.

People incorporating Whirlpool will most likely use the most recent revision of Whirlpool; while there are no known security weaknesses in earlier versions of Whirlpool, the most recent revision has better hardware implementation efficiency characteristics, and is also likely to be more secure. As mentioned earlier, it is also the version adopted in the ISO/IEC 10118-3 international standard.

The 512-bit (64-byte) Whirlpool hashes (also termed message digests) are typically represented as 128-digit hexadecimal numbers.
The following demonstrates a 43-byte ASCII input (not including quotes) and the corresponding Whirlpool hashes:

VersionInput StringComputed Hash
Whirlpool-0" The quick brown fox jumps over the lazy dog "
 4F8F5CB531E3D49A61CF417CD133792CCFA501FD8DA53EE368FED20E5FE0248C  3A0B64F98A6533CEE1DA614C3A8DDEC791FF05FEE6D971D57C1348320F4EB42D
Whirlpool-T"The quick brown fox jumps over the lazy dog"
 3CCF8252D8BBB258460D9AA999C06EE38E67CB546CFFCF48E91F700F6FC7C183  AC8CC3D3096DD30A35B01F4620A1E3A20D79CD5168544D9E1B7CDF49970E87F1
Whirlpool"The quick brown fox jumps over the lazy dog"
 B97DE512E91E3828B40D2B0FDCE9CEB3C4A71F9BEA8D88E75C4FA854DF36725F  D2B52EB6544EDCACD6F8BEDDFEA403CB55AE31F03AD62A5EF54E42EE82C3FB35

Even a small change in the message will (with an extremely high probability of ) result in a different hash, which will usually look completely different just like two unrelated random numbers do. The following demonstrates the result of changing the previous input by a single letter (a single bit, even, in ASCII-compatible encodings), replacing d with e:

VersionInput StringComputed Hash
Whirlpool-0"The quick brown fox jumps over the lazy eog"
 228FBF76B2A93469D4B25929836A12B7D7F2A0803E43DABA0C7FC38BC11C8F2A  9416BBCF8AB8392EB2AB7BCB565A64AC50C26179164B26084A253CAF2E012676
Whirlpool-T"The quick brown fox jumps over the lazy eog"
 C8C15D2A0E0DE6E6885E8A7D9B8A9139746DA299AD50158F5FA9EECDDEF744F9  1B8B83C617080D77CB4247B1E964C2959C507AB2DB0F1F3BF3E3B299CA00CAE3
Whirlpool"The quick brown fox jumps over the lazy eog"
 C27BA124205F72E6847F3E19834F925CC666D0974167AF915BB462420ED40CC5  0900D85A1F923219D832357750492D5C143011A76988344C2635E69D06F2D38C

The hash of a zero-length string is:

VersionInput StringComputed Hash
Whirlpool-0""
 B3E1AB6EAF640A34F784593F2074416ACCD3B8E62C620175FCA0997B1BA23473  39AA0D79E754C308209EA36811DFA40C1C32F1A2B9004725D987D3635165D3C8
Whirlpool-T""
 470F0409ABAA446E49667D4EBE12A14387CEDBD10DD17B8243CAD550A089DC0F  EEA7AA40F6C2AAAB71C6EBD076E43C7CFCA0AD32567897DCB5969861049A0F5A
Whirlpool""
 19FA61D75522A4669B44E39C1D2E1726C530232130D407F89AFEE0964997F7A7  3E83BE698B288FEBCF88E3E03C4F0757EA8964E59B63D93708B138CC42A66EB3

Implementations

The authors provide reference implementations of the Whirlpool algorithm, including a version written in C and a version written in Java. [2] These reference implementations have been released into the public domain. [2]

Research on the security analysis of the Whirlpool function however, has revealed that on average, the introduction of 8 random faults is sufficient to compromise the 512-bit Whirlpool hash message being processed and the secret key of HMAC-Whirlpool within the context of Cloud of Things (CoTs). This emphasizes the need for increased security measures in its implementation. [5] .

Adoption

Two of the first widely used mainstream cryptographic programs that started using Whirlpool were FreeOTFE, followed by TrueCrypt in 2005.[ citation needed ]

VeraCrypt (a fork of TrueCrypt) included Whirlpool (the final version) as one of its supported hash algorithms. [6]

See also

Related Research Articles

<span class="mw-page-title-main">Advanced Encryption Standard</span> Standard for the encryption of electronic data

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

<span class="mw-page-title-main">Triple DES</span> Block cipher

In cryptography, Triple DES, officially the Triple Data Encryption Algorithm, is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, led to NIST deprecating DES and 3DES for new applications in 2017, and for all applications by the end of 2023. It has been replaced with the more secure, more robust AES.

<span class="mw-page-title-main">Symmetric-key algorithm</span> Algorithm

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

Articles related to cryptography include:

<span class="mw-page-title-main">Cryptographic hash function</span> Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

In cryptography, Tiger is a cryptographic hash function designed by Ross Anderson and Eli Biham in 1995 for efficiency on 64-bit platforms. The size of a Tiger hash value is 192 bits. Truncated versions can be used for compatibility with protocols assuming a particular hash size. Unlike the SHA-2 family, no distinguishing initialization values are defined; they are simply prefixes of the full Tiger/192 hash value.

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

CRYPTREC is the Cryptography Research and Evaluation Committees set up by the Japanese Government to evaluate and recommend cryptographic techniques for government and industrial use. It is comparable in many respects to the European Union's NESSIE project and to the Advanced Encryption Standard process run by National Institute of Standards and Technology in the U.S.

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, to confirm that the message came from the stated sender and has not been changed. The MAC value allows verifiers to detect any changes to the message content.

In cryptography, padding is any of a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message to obscure the fact that many messages end in predictable ways, e.g. sincerely yours.

Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group.

In cryptography, MDC-2 is a cryptographic hash function. MDC-2 is a hash function based on a block cipher with a proof of security in the ideal-cipher model. The length of the output hash depends on the underlying block cipher used.

<span class="mw-page-title-main">One-way compression function</span> Cryptographic primitive

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

The following tables compare general and technical information for a number of cryptographic hash functions. See the individual functions' articles for further information. This article is not all-inclusive or necessarily up-to-date. An overview of hash function security/cryptanalysis can be found at hash function security summary.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

The following outline is provided as an overview of and topical guide to cryptography:

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.

References

  1. Florian Mendel1, Christian Rechberger, Martin Schläffer, Søren S. Thomsen (2009-02-24). The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl (PDF). Fast Software Encryption: 16th International Workshop.{{cite conference}}: CS1 maint: multiple names: authors list (link) CS1 maint: numeric names: authors list (link)
  2. 1 2 3 4 5 Paulo S. L. M. Barreto (2008-11-25). "The WHIRLPOOL Hash Function". Archived from the original on 2017-11-29. Retrieved 2018-08-09.
  3. Barreto, Paulo S. L. M. & Rijmen, Vincent (2003-05-24). "The WHIRLPOOL Hashing Function". Archived from the original (ZIP) on 2017-10-26. Retrieved 2018-08-09.{{cite journal}}: Cite journal requires |journal= (help)
  4. Kyoji, Shibutani & Shirai, Taizo (2003-03-11). "On the diffusion matrix employed in the Whirlpool hashing function" (PDF). Retrieved 2018-08-09.{{cite journal}}: Cite journal requires |journal= (help)
  5. Li, W., Gao, Z., Gu, D., Ge, C., Liao, L., Zhou, Z., Liu, Y., & Liu, Z. (2017). Security Analysis of the Whirlpool Hash Function in the Cloud of Things. KSII Transactions on Internet and Information Systems, 11(1), 536–551. https://doi.org/10.3837/tiis.2017.01.028
  6. "Whirlpool". VeraCrypt Documentation. IDRIX. Retrieved 2018-08-09.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.