A first report on Whirlpool , NUSH , SC 2000 , Noekeon

Whirlpool is a hash function that operates on messages less than 2256 bits in length, and produces a message digest of 512 bits. Whirlpool uses the Miyaguchi-Preneel scheme with a 512 bit block cipher, and it is claimed to be collision resistant and one-way. The bit string to be hashed is always padded, and its length after padding is a multiple of 512. The message string is then divided into a sequence of 512-bit words, m1,m2, . . . , mt. This sequence is then used to generate a new sequence of 512-bit words, H1,H2, . . . , Ht in the following way. mi is encrypted with Hi−1 as key, and the resulting ciphertext is XORed with mi and Hi−1 to produce Hi. H0 is a string of 512 0-bits, and the final word Ht is the output of the algorithm. The block cipher, W, that forms the basis of Whirlpool is very similar to the AES selection Rijndael. The main difference between W and Rijndael is that Rijndael supports blocklengths of 128, 192 and 256 bits, while W only works on 512-bit blocks. The plaintext block in W is regarded as an 8x8 array of bytes, called a state and each byte is viewed as an element in GF(28). The polynomial that defines this field is different from the one used in Rijndael. W consists of 10 rounds, preceded by an XOR of the first round key. As in Rijndael, each round starts with each byte of the state passing through an S-box. After this, each column of the state is rotated downwards a number of positions. This is followed by a multiplication with a fixed 8x8 matrix over GF(28) with maximal branch number, the state being the left factor. Finally, the round ends with a key addition.