Powered by
Share this page on
Article provided by Wikipedia

This article is about the hash function. For other uses, see "Whirlpool (disambiguation).
Designers "Vincent Rijmen, "Paulo S. L. M. Barreto
First published 2000, 2001, 2003
Derived from "Square, "AES
Certification "NESSIE
"Digest sizes 512 bits
Security claims Large hashsum size
Structure "Miyaguchi-Preneel
Rounds 10
Best public "cryptanalysis
In 2009, a "rebound attack was announced that presents full collisions against 4.5 rounds of Whirlpool in 2120 operations, semi-free-start collisions against 5.5 rounds in 2120 time and semi-free-start near-collisions against 7.5 rounds in 2128 time.[1]

In "computer science and "cryptography, Whirlpool (sometimes styled WHIRLPOOL) is a "cryptographic hash function. It was designed by "Vincent Rijmen (co-creator of the "Advanced Encryption Standard) and "Paulo S. L. M. Barreto, who first described it in 2000.

The hash has been recommended by the "NESSIE project. It has also been adopted by the "International Organization for Standardization (ISO) and the "International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 "international standard.


Design features[edit]

The "Whirlpool Galaxy (M51), which inspired the name of the algorithm.[2]

Whirlpool is a hash designed after the "Square "block cipher, and is considered to be in that family of block cipher functions.

Whirlpool is a "Miyaguchi-Preneel construction based on a substantially modified "Advanced Encryption Standard (AES).

Whirlpool takes a message of any length less than 2256 bits and returns a 512-bit "message digest.[3]

The authors have declared that

"WHIRLPOOL is not (and will never be) patented. It may be used free of charge for any purpose."[2]

Version changes[edit]

The original Whirlpool will be called Whirlpool-0, the first revision of Whirlpool will be called Whirlpool-T and the latest version will be called Whirlpool in the following test vectors.

Internal structure[edit]

The Whirlpool hash function is a "Merkle–Damgård construction based on an "AES-like "block cipher W in "Miyaguchi-Preneel mode.[2]

The "block cipher W consists of an 8×8 state matrix of bytes, for a total of 512 bits.

The encryption process consists of updating the state with four round functions over 10 rounds. The four round functions are SubBytes (SB), ShiftColumns (SC), MixRows (MR) and AddRoundKey (AK). During each round the new state is computed as .


The SubBytes operation applies a non-linear permutation (the S-box) to each byte of the state independently. The 8-bit S-box is composed of 3 smaller 4-bit S-boxes.


The ShiftColumns operation cyclically shifts each byte in each column of the state. Column j has its bytes shifted downwards by j positions.


The MixRows operation is a right-multiplication of each row by an 8×8 matrix over . The matrix is chosen such that the branch number (an important property when looking at resistance to "differential cryptanalysis) is 9, which is maximal.


The AddRoundKey operation uses bitwise "xor to add a key calculated by the key schedule to the current state. The key schedule is identical to the encryption itself, except the AddRoundKey function is replaced by an AddRoundConstant function that adds a predetermined constant in each round.

Whirlpool hashes[edit]

The Whirlpool algorithm has undergone two revisions since its original 2000 specification.

People incorporating Whirlpool will most likely use the most recent revision of Whirlpool; while there are no known security weaknesses in earlier versions of Whirlpool, the most recent revision has better hardware implementation efficiency characteristics, and is also likely to be more secure. As mentioned earlier, it is also the version adopted in the ISO/IEC 10118-3 "international standard.

The 512-bit (64-byte) Whirlpool hashes (also termed message digests) are typically represented as 128-digit "hexadecimal numbers.
The following demonstrates a 43-byte "ASCII input (not including quotes) and the corresponding Whirlpool hashes:

Version Input String Computed Hash
Whirlpool-0 ""The quick brown fox jumps over the lazy dog"
Whirlpool-T "The quick brown fox jumps over the lazy dog"
Whirlpool "The quick brown fox jumps over the lazy dog"

Even a small change in the message will (with an extremely high probability of ) result in a different hash, which will "usually look completely different just like two unrelated random numbers do. The following demonstrates the result of changing the previous input by a single letter (a single bit, even, in ASCII-compatible encodings), replacing d with e:

Version Input String Computed Hash
Whirlpool-0 "The quick brown fox jumps over the lazy eog"
Whirlpool-T "The quick brown fox jumps over the lazy eog"
Whirlpool "The quick brown fox jumps over the lazy eog"

The hash of a zero-length string is:

Version Input String Computed Hash
Whirlpool-0 ""
Whirlpool-T ""
Whirlpool ""


The authors provide "reference implementations of the WHIRLPOOL algorithm, including a version written in "C and a version written in "Java.[2] These reference implementations have been released into the public domain.[2]

Two of the first widely used mainstream cryptographic programs that started using Whirlpool were "FreeOTFE, followed by "TrueCrypt in 2005.

The algorithm is also commonly used by many companies to hash simple data.["citation needed]

See also[edit]


  1. ^ Florian Mendel1, Christian Rechberger, Martin Schläffer, Søren S. Thomsen (2009-02-24). The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl (PDF). Fast Software Encryption: 16th International Workshop. 
  2. ^ a b c d e Paulo S. L. M. Barreto (2008-11-25). "The WHIRLPOOL Hash Function". Retrieved 2017-03-03. 
  3. ^ Barreto, Paulo S.L.M. & Rijmen, Vincent (2003-05-24). "The WHIRLPOOL Hashing Function" (ZIP). Retrieved 2017-03-03. 
  4. ^ Kyoji, Shibutani & Shirai, Taizo (2003-03-11). "On the diffusion matrix employed in the Whirlpool hashing function" (PDF). Retrieved 2017-03-03. 

External links[edit]

) )