Designs, Codes and Cryptography, Volume 56, Issue 2–3, pp 141–162

Whirlwind: a new cryptographic hash function

  • Paulo Barreto
  • Ventzislav Nikov
  • Svetla Nikova
  • Vincent Rijmen
  • Elmar Tischhauser
Open Access


A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6.


Cryptographic hash functions; Whirlpool; Normal bases over finite fields; Dyadic matrices; Rebound attacks

Mathematics Subject Classification (2000)

94A60 12E30 



We would like to thank the referees for their comments which improved the paper. This work was sponsored by the Research Fund K. U. Leuven, by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy) and by the European Commission through the ICT Programme under Contract ICT-2007-216676 (ECRYPT II). Elmar Tischhauser is a research assistant of the F.W.O., Fund for Scientific Research—Flanders.

Open Access

This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.



Copyright information

© The Author(s) 2010

Authors and Affiliations

  • Paulo Barreto (1)
  • Ventzislav Nikov (2)
  • Svetla Nikova (3, 4)
  • Vincent Rijmen (4, 5)
  • Elmar Tischhauser (4)

  1. Departamento de Engenharia de Computação e Sistemas Digitais (PCS), Escola Politécnica, Universidade de São Paulo, São Paulo, Brazil
  2. NXP Semiconductors, Leuven, Belgium
  3. EEMCS-DIES, University of Twente, Enschede, The Netherlands
  4. Department of ESAT/SCD-COSIC and IBBT, Katholieke Universiteit Leuven, Louvain, Belgium
  5. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria
