Incomputer science andcryptography,Whirlpool (sometimes styledWHIRLPOOL) is acryptographic hash function. It was designed byVincent Rijmen (co-creator of theAdvanced Encryption Standard) andPaulo S. L. M. Barreto, who first described it in 2000. It is named after theWhirlpool galaxy inCanes Venatici (M51, orNGC 5194), the first one recognized to have a spiral structure byWilliam Parsons, third Earl of Rosse, in April 1845^[1].

The hash has been recommended by theNESSIE project. It has also been adopted by theInternational Organization for Standardization (ISO) and theInternational Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3international standard.

Whirlpool is a hash designed after theSquareblock cipher, and is considered to be in that family of block cipher functions.

Whirlpool is aMiyaguchi–Preneel construction based on a substantially modifiedAdvanced Encryption Standard (AES).

Whirlpool takes a message of any length less than 2²⁵⁶ bits and returns a 512-bitmessage digest.^[3]

The authors have declared that

"WHIRLPOOL is not (and will never be)patented. It may be used free of charge for any purpose."^[2]

The original Whirlpool will be calledWhirlpool-0, the first revision of Whirlpool will be calledWhirlpool-T and the latest version will be calledWhirlpool in the following test vectors.

• In the first revision in 2001, theS-box was changed from a randomly generated one with good cryptographic properties to one which has better cryptographic properties and is easier to implement in hardware.
• In the second revision (2003), a flaw in thediffusion matrix was found that lowered the estimated security of the algorithm below its potential.^[4] Changing the 8x8 rotating matrix constants from (1, 1, 3, 1, 5, 8, 9, 5) to (1, 1, 4, 1, 8, 5, 2, 9) solved this issue.

The Whirlpool hash function is aMerkle–Damgård construction based on anAES-likeblock cipher W inMiyaguchi–Preneel mode.^[2]

Theblock cipher${\displaystyle W}$ consists of an 8×8 state matrix${\displaystyle S}$ of bytes, for a total of 512 bits.

The encryption process consists of updating the state with four round functions over 10 rounds. The four round functions are SubBytes (SB or${\displaystyle \gamma }$), ShiftColumns (SC or${\displaystyle \pi }$), MixRows (MR or${\displaystyle \theta }$) and AddRoundKey (AK or${\displaystyle \sigma [k]}$). During each round the new state is computed as${\displaystyle S:=\left(AK\circ MR\circ SC\circ SB\right)(S)}$.

TheSubBytes operation applies a non-linear permutation (the S-box) to each byte of the state independently. The 8-bit S-box is composed of 3 smaller 4-bit S-boxes.

TheShiftColumns operation cyclically shifts each byte in each column of the state. Columnj has its bytes shifted downwards byj positions.

TheMixBytesInRows operation is a right-multiplication of each row by an 8×8matrix over${\displaystyle GF(2^8)}$. The matrix is chosen such that thebranch number (an important property when looking at resistance todifferential cryptanalysis) is 9, which is maximal.

TheAddRoundKey operation uses bitwisexor to add a key calculated by the key schedule to the current state. The key schedule is identical to the encryption itself, except the AddRoundKey function is replaced by anAddRoundConstant function that adds a predetermined constant in each round.

Here is the detailed explanation of the Whirlpoolalgorithm as described in the official release paper^[1].

First, let's define thenotation used:

• Every number used is an 8-bit (1byte) integer.
• ${\displaystyle \{0,1{\}}^n}$ is an-bitbinary string.
• ${\displaystyle {\mathcal{M}}_{n\times m}}$ is ann-by-mmatrix ofbytes.
• ${\displaystyle f:A\to B}$ is a function thatmaps elements fromset A toset B.
• ${\displaystyle a\oplus b}$ is the bitwiseXOR of${\displaystyle a}$ and${\displaystyle b}$.
  If${\displaystyle a}$ and${\displaystyle b}$ arematrices, theXOR is applied element-wise (${\displaystyle a\oplus b=c\iff c_{i,j}=a_{i,j}\oplus b_{i,j}}$).
• ${\displaystyle f\circ g}$ is the composition function of${\displaystyle f}$ and${\displaystyle g}$ such that${\displaystyle \left(f\circ g\right)\left(x\right)=g\left(f\left(x\right)\right)}$;
• ${\displaystyle \underset{k=m}{\stackrel{n}{◯}}{\alpha }_k,\mathrm{\forall }\left(m;n;k\right)\in {\mathbb{Z}}^3,m\le k\le n}$ is the ascending repetition of${\displaystyle {\alpha }_m\circ {\alpha }_{m+1}\circ \dots \circ {\alpha }_{n-1}\circ {\alpha }_n}$;
• ${\displaystyle \underset{m}{\stackrel{k=n}{◯}}{\alpha }_k,\mathrm{\forall }\left(m;n;k\right)\in {\mathbb{Z}}^3,m\le k\le n}$ is the descending repetition of${\displaystyle {\alpha }_n\circ {\alpha }_{n-1}\circ \dots \circ {\alpha }_{m+1}\circ {\alpha }_m}$.

The message${\displaystyle M}$ that is to be hashed is firstpadded to ensure its length is a multiple of the block size (512 bits). This is done using the standardpadding scheme defined in theISO/IEC 10118-1 standard (the same used formd5,sha-2, and others):

1. Append a '1' bit;
2. Append as many '0' bits as needed for the length to reach a multiple of 256 (${\displaystyle 512-256}$);
3. Append the original length of the message in bits using 256-bitbig-endian format.

Then, the padded message is divided into${\displaystyle t}$ 512-bit blocks${\displaystyle m_i}$,${\displaystyle 1\le i\le t}$.

Whirlpool iterates theMiyaguchi-Preneel hashing scheme over these blocks^{[sections 3.11 and 3.12][1]}:

Where:

• ${\displaystyle \mu :\{0,1{\}}^{512}\to {\mathcal{M}}_{8\times 8}}$ is thestring tomatrix conversion function;
• ${\displaystyle {\mu }^{-1}:{\mathcal{M}}_{8\times 8}\to \{0,1{\}}^{512}}$ is thematrix tostring conversion function;
• ${\displaystyle IV}$ is theinitialization vector, astring of 512 0-bits;
• ${\displaystyle W}$ is the Whirlpool cipher function.

The internal block cipher function${\displaystyle W\left[{\mathcal{M}}_{8\times 8}\right]:{\mathcal{M}}_{8\times 8}\to {\mathcal{M}}_{8\times 8}}$^{[section 3.9][1]} operates on and returns an 8x8matrix:

${\displaystyle \begin{array}{r}W\left[K\right]=\left(\underset{1}{\stackrel{r=R}{◯}}\rho \left[K_r\right]\right)\circ \sigma \left[K_0\right]\end{array}}$

Where:

• ${\displaystyle R}$ is the number of rounds (the standard Whirlpool uses${\displaystyle R=10}$);
• ${\displaystyle K_n}$ is thenth key of the${\displaystyle K}$ key schedule;
• ${\displaystyle \rho }$ is the round function.

The key schedule expands the key${\displaystyle K\in {\mathcal{M}}_{8\times 8}}$ into asequence of keys${\displaystyle K_r\in {\mathcal{M}}_{8\times 8},0\le r\le R}$^{[section 3.8][1]}:

Where:

• ${\displaystyle c^r\in {\mathcal{M}}_{8\times 8}}$ is therth round constantmatrix.
  

The round constant for therth round,${\displaystyle r>0}$, is amatrix${\displaystyle c^r\in {\mathcal{M}}_{8\times 8}}$, defined as:

Where:

• ${\displaystyle S\in {\mathcal{M}}_{16\times 16}}$ is the S-box.

The round function${\displaystyle \rho \left[{\mathcal{M}}_{8\times 8}\right]:{\mathcal{M}}_{8\times 8}\to {\mathcal{M}}_{8\times 8}}$^{[section 3.7][1]} is defined as:

Where:

• ${\displaystyle \gamma }$ is the non-linear layer;
• ${\displaystyle \pi }$ is the cyclicalpermutation;
• ${\displaystyle \theta }$ is the diffusion layer;
• ${\displaystyle \sigma }$ is the key addition.

The function${\displaystyle \gamma :{\mathcal{M}}_{8\times 8}\to {\mathcal{M}}_{8\times 8}}$ consists of the parallel application of a non-linearsubstitution${\displaystyle \psi :x_{\text{(Byte)}}\to S{\left[x\right]}_{\text{(Byte)}}}$ to eachbytes of the argument independently^{[section 3.2][1]}:

Thepermutation${\displaystyle \pi :{\mathcal{M}}_{8\times 8}\to {\mathcal{M}}_{8\times 8}}$ cyclically shifts each column of its argument independently, so that column${\displaystyle j}$ is shifted downwards by${\displaystyle j}$ positions^{[section 3.3][1]}:

The linear diffusion layer${\displaystyle \theta :{\mathcal{M}}_{8\times 8}\to {\mathcal{M}}_{8\times 8}}$ is a linearmapping based on thecircular matrix${\displaystyle C=\text{cir}\left({01}_{(16)},{01}_{(16)},{04}_{(16)},{01}_{(16)},{08}_{(16)},{05}_{(16)},{02}_{(16)},{09}_{(16)}\right)}$^{[section 3.4][1]}:

Acirculant matrix${\displaystyle C\in {\mathcal{M}}_{n\times n}}$ is defined as a matrix where each row is a cyclic shift of the previous row^{[section 2.2][1]}. Formally, acirculant matrix can be represented as:

For example,circulant matrix${\displaystyle C=\text{cir}\left({01}_{(16)},{01}_{(16)},{04}_{(16)},{01}_{(16)},{08}_{(16)},{05}_{(16)},{02}_{(16)},{09}_{(16)}\right)}$ is thematrix:

The affine key addition${\displaystyle \sigma \left[{\mathcal{M}}_{8\times 8}\right]:{\mathcal{M}}_{8\times 8}\to {\mathcal{M}}_{8\times 8}}$ consists of the bitwiseXOR of a keymatrix${\displaystyle k\in {\mathcal{K}}_{8\times 8}}$:

${\displaystyle \begin{array}{r}\sigma \left[k\right]\left(a\right)=a\oplus k\end{array}}$

The S-Box${\displaystyle S\in {\mathcal{M}}_{16\times 16}}$ is typically represented as alookup table, where each inputbyte is mapped to a corresponding outputbyte. It can be computed using optimal diffusion mapping generation techniques^{[section 2.4][1]} but here is amatrix representation of it:

The Whirlpool algorithm has undergone two revisions since its original 2000 specification.

People incorporating Whirlpool will most likely use the most recent revision of Whirlpool; while there are no known security weaknesses in earlier versions of Whirlpool, the most recent revision has better hardware implementation efficiency characteristics, and is also likely to be more secure. As mentioned earlier, it is also the version adopted in the ISO/IEC 10118-3international standard.

The 512-bit (64-byte) Whirlpool hashes (also termedmessage digests) are typically represented as 128-digithexadecimal numbers.
The following demonstrates a 43-byteASCII input (not including quotes) and the corresponding Whirlpool hashes:

 4F8F5CB531E3D49A61CF417CD133792CCFA501FD8DA53EE368FED20E5FE0248C 3A0B64F98A6533CEE1DA614C3A8DDEC791FF05FEE6D971D57C1348320F4EB42D

 3CCF8252D8BBB258460D9AA999C06EE38E67CB546CFFCF48E91F700F6FC7C183 AC8CC3D3096DD30A35B01F4620A1E3A20D79CD5168544D9E1B7CDF49970E87F1

 B97DE512E91E3828B40D2B0FDCE9CEB3C4A71F9BEA8D88E75C4FA854DF36725F D2B52EB6544EDCACD6F8BEDDFEA403CB55AE31F03AD62A5EF54E42EE82C3FB35

The authors providereference implementations of the Whirlpool algorithm, including a version written inC and a version written inJava.^[2] These reference implementations have been released into the public domain.^[2]

Research on the security analysis of the Whirlpool function however, has revealed that on average, the introduction of 8 random faults is sufficient to compromise the 512-bit Whirlpool hash message being processed and the secret key of HMAC-Whirlpool within the context of Cloud of Things (CoTs). This emphasizes the need for increased security measures in its implementation.^[5]

Here is an implementation example of the standard Whirlpoolalgorithm:

S :=  0x18, 0x23, 0xc6, 0xe8, 0x87, 0xb8, 0x01, 0x4f, 0x36, 0xa6, 0xd2, 0xf5, 0x79, 0x6f, 0x91, 0x52, \      0x60, 0xbc, 0x9b, 0x8e, 0xa3, 0x0c, 0x7b, 0x35, 0x1d, 0xe0, 0xd7, 0xc2, 0x2e, 0x4b, 0xfe, 0x57, \      0x15, 0x77, 0x37, 0xe5, 0x9f, 0xf0, 0x4a, 0xda, 0x58, 0xc9, 0x29, 0x0a, 0xb1, 0xa0, 0x6b, 0x85, \      0xbd, 0x5d, 0x10, 0xf4, 0xcb, 0x3e, 0x05, 0x67, 0xe4, 0x27, 0x41, 0x8b, 0xa7, 0x7d, 0x95, 0xd8, \      0xfb, 0xee, 0x7c, 0x66, 0xdd, 0x17, 0x47, 0x9e, 0xca, 0x2d, 0xbf, 0x07, 0xad, 0x5a, 0x83, 0x33, \      0x63, 0x02, 0xaa, 0x71, 0xc8, 0x19, 0x49, 0xd9, 0xf2, 0xe3, 0x5b, 0x88, 0x9a, 0x26, 0x32, 0xb0, \      0xe9, 0x0f, 0xd5, 0x80, 0xbe, 0xcd, 0x34, 0x48, 0xff, 0x7a, 0x90, 0x5f, 0x20, 0x68, 0x1a, 0xae, \      0xb4, 0x54, 0x93, 0x22, 0x64, 0xf1, 0x73, 0x12, 0x40, 0x08, 0xc3, 0xec, 0xdb, 0xa1, 0x8d, 0x3d, \      0x97, 0x00, 0xcf, 0x2b, 0x76, 0x82, 0xd6, 0x1b, 0xb5, 0xaf, 0x6a, 0x50, 0x45, 0xf3, 0x30, 0xef, \      0x3f, 0x55, 0xa2, 0xea, 0x65, 0xba, 0x2f, 0xc0, 0xde, 0x1c, 0xfd, 0x4d, 0x92, 0x75, 0x06, 0x8a, \      0xb2, 0xe6, 0x0e, 0x1f, 0x62, 0xd4, 0xa8, 0x96, 0xf9, 0xc5, 0x25, 0x59, 0x84, 0x72, 0x39, 0x4c, \      0x5e, 0x78, 0x38, 0x8c, 0xd1, 0xa5, 0xe2, 0x61, 0xb3, 0x21, 0x9c, 0x1e, 0x43, 0xc7, 0xfc, 0x04, \      0x51, 0x99, 0x6d, 0x0d, 0xfa, 0xdf, 0x7e, 0x24, 0x3b, 0xab, 0xce, 0x11, 0x8f, 0x4e, 0xb7, 0xeb, \      0x3c, 0x81, 0x94, 0xf7, 0xb9, 0x13, 0x2c, 0xd3, 0xe7, 0x6e, 0xc4, 0x03, 0x56, 0x44, 0x7f, 0xa9, \      0x2a, 0xbb, 0xc1, 0x53, 0xdc, 0x0b, 0x9d, 0x6c, 0x31, 0x74, 0xf6, 0x46, 0xac, 0x89, 0x14, 0xe1, \      0x16, 0x3a, 0x69, 0x09, 0x70, 0xb6, 0xd0, 0xed, 0xcc, 0x42, 0x98, 0xa4, 0x28, 0x5c, 0xf8, 0x86C :=  0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09, \      0x09, 0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, \      0x02, 0x09, 0x01, 0x01, 0x04, 0x01, 0x08, 0x05, \      0x05, 0x02, 0x09, 0x01, 0x01, 0x04, 0x01, 0x08, \      0x08, 0x05, 0x02, 0x09, 0x01, 0x01, 0x04, 0x01, \      0x01, 0x08, 0x05, 0x02, 0x09, 0x01, 0x01, 0x04, \      0x04, 0x01, 0x08, 0x05, 0x02, 0x09, 0x01, 0x01, \      0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09, 0x01# Matrix built from initialization vectorIM := 0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0, \      0, 0, 0, 0, 0, 0, 0, 0R :=  10func getConstantRoundMatrix(r)    cr := IM    for j from 0 to 7        cr[j] := S[8 * (r - 1) + j]    endfor    return crendfuncfunc whirlpoolRound(matrix, key)    # Apply the non-linear transformation γ    for i from 0 to 7        for j from 0 to 7            matrix[i * 8 + j] = S[matrix[i * 8 + j]]        endfor    endfor    # Apply cyclical permutation π    tmp := matrix    for i from 0 to 7        for j from 0 to 7            # '+ 8' to prevent negative indices            matrix[i * 8 + j] = tmp[((i - j + 8) % 8) * 8 + j]        endfor    endfor    matrix := tmp    # Apply linear diffusion θ    matrix := dotProduct(matrix, C)    # Apply key addition σ[key]    matrix := matrix xor key    return matrixendfuncfunc whirlpool(M)    m, t := pad(M)  # Returns (paddedMessageDividedInChunks, amountOfChunks)    H := IM    for i from 0 to t        W := m[t]        Kr := H        W := W xor H        for r from 1 to R            cr := getConstantRoundMatrix(r)            Kr := whirlpoolRound(Kr, cr)            W := whirlpoolRound(W, Kr)        endfor        H := H xor W        H := H xor m[t]    endfor    return matrixToHexString(H)endfunc

For the linear-diffusion${\displaystyle \theta }$, amatrix multiplication is required.Galois Field arithmetic can be used to write thismultiplication algorithm:

func dotProduct(A, B)    tmp: Matrix    for i from 0 to 7        for j from 0 to 7            tmp[i * 8 + j] := 0            for k from 0 to 7                # Galois Field (2^8) multiplication                a := A[i * 8 + k];                b := B[k * 8 + j];                product := 0;                while b > 0                    if b & 1 == 1                        product := product xor a                    endif                    if a & 0x80 != 0                        a := (a << 1) xor 0x11d  # x^8 + x^4 + x^3 + x^2 + 1                    else                        a := a << 1                    endif                    b := b >> 1                endwhile                tmp[i * 8 + j] := tmp[i * 8 + j] xor product            endfor        endfor    endfor    return tmpendfunc

Here is an implementation of the 512-bit (64-bits size,big-endian)padding:

func pad(M)    original_length := len(M)  # In bytes    # 512 bits (total length) - 256 bits (size length) - 1 bit (padding bit)    #  64 bytes               -  32 bytes              - 1 byte = 31 bytes    padding := (31 - original_length) % 64    padding := (padding + 64) % 64  # Avoid negative padding    total_length := original_length + 1 + padding + 32  # In bytes    padded: Byte[total_length]    # Copy original message    for i from 0 to original_length - 1        padded[i] := M[i]    endfor    padded[original_length] := 0x80  # Append the '1' bit, then 7 '0' bits    for i from original_length + 1 to original_length + padding        padded[i] := 0x00  # Append 8 '0' bits    endfor    for i from 0 to 31        padded[total_length - 32 + i] := (original_length * 8) >> (8 * (31 - i)) & 0xff    endfor    chunk_amount := total_length / 64    divided := Byte[chunk_amount][64]    for i from 0 to chunk_amount - 1        for j from 0 to 63            divided[i][j] := padded[i * 64 + j]        endfor    endfor    return divided, chunk_amountendfunc

And here is an example of amatrix-to-string conversion:

func matrixToHexString(matrix)    HEX := "0123456789abcdef"    result: Byte[128]    for i from 0 to 63        byte := matrix[i]        result[i * 2] := HEX[byte >> 4]        result[i * 2 + 1] := HEX[byte & 0xf]    endfor    return resultendfunc

Two of the first widely used mainstream cryptographic programs that started using Whirlpool wereFreeOTFE, followed byTrueCrypt in 2005.^{[citation needed]}

VeraCrypt (a fork ofTrueCrypt) included Whirlpool (the final version) as one of its supported hash algorithms.^[6]

• Digital timestamping

• The WHIRLPOOL Hash Function at theWayback Machine (archived 2017-11-29)
• Jacksum onSourceForge, a Java implementation of all three revisions of Whirlpool
• whirlpool onGitHub – An open sourceGo implementation of the latest revision of Whirlpool
• A Matlab Implementation of the Whirlpool Hashing Function
• RHash, anopen source command-line tool, which can calculate and verify Whirlpool hash.
• Perl Whirlpool module atCPAN
• Digest module implementing the Whirlpool hashing algorithm inRuby
• Ironclad aCommon Lisp cryptography package containing a Whirlpool implementation
• The ISO/IEC 10118-3:2004 standard
• Test vectors for the Whirlpool hash from theNESSIE project
• Managed C# implementation
• Python Whirlpool module

• Cryptographic hash functions

• CS1 maint: multiple names: authors list
• CS1 maint: numeric names: authors list
• CS1 errors: missing periodical
• Articles with short description
• Short description matches Wikidata
• All articles with unsourced statements
• Articles with unsourced statements from February 2018
• Webarchive template wayback links