The WHIRLPOOL Hashing Function
Paulo S.L.M. Barreto¹ * and Vincent Rijmen² **
¹ Scopus Tecnologia S. A.
Av. Mutinga, 4105 - Pirituba
BR–05110–000 São Paulo (SP), Brazil
pbarreto@scopus.com.br
² Cryptomathic NV,
Lei 8A,
B–3000 Leuven, Belgium
vincent.rijmen@cryptomathic.com
Abstract. We present Whirlpool, a 512-bit hash function operating
on messages less than $2^{256}$ bits in length. The function structure is designed according to the Wide Trail strategy and permits a wide variety
of implementation tradeoffs.
(Revised on May 24, 2003)
1 Introduction
In this document we describe Whirlpool, a one-way, collision resistant 512-bit
hashing function operating on messages less than $2^{256}$ bits in length.
Whirlpool consists of the iterated application of a compression function,
based on an underlying dedicated 512-bit block cipher that uses a 512-bit key.
The round function and the key schedule are designed according to the Wide
Trail strategy [2]. Whirlpool implementations on 8-bit and 64-bit processors
benefit especially from the function structure, which nevertheless is not oriented
toward any particular platform.
As originally submitted for the NESSIE project [17], Whirlpool employed
a randomly generated substitution box (S-box) whose lack of internal structure
tended to make efficient hardware implementation a challenging and tricky process. The present document describes an S-box that is much more amenable
to hardware implementation, while not adversely affecting any of the software
implementation techniques suggested herein. No effective algebraic attack based
on the recursive structure of the new S-box has been reported.
* Co-sponsored by the Laboratório de Arquitetura e Redes de Computadores (LARC),
Departamento de Engenharia de Computação e Sistemas Digitais, Escola Politécnica
da Universidade de São Paulo, Brazil.
** Co-sponsored by the Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A–8010 Graz, Austria.
Recently, Shirai and Shibutani [22] discovered a flaw in the Whirlpool
diffusion matrix that made its branch number suboptimal. Although this flaw per
se does not seem to introduce an effective vulnerability, the present document
replaces that matrix by one that, besides displaying optimal branch number
and thus keeping our security analysis unchanged, also leads to more efficient
implementation in 8-bit platforms and hardware.
This document is organised as follows. The mathematical preliminaries and
notation employed are described in section 2. A mathematical description of the
Whirlpool primitive is given in section 3. A statement of the claimed security
properties and expected security level is made in section 4. An analysis of the
primitive with respect to standard cryptanalytic attacks is provided in section 5
(a statement that there are no hidden weaknesses inserted by the designers is
explicitly made in section 5.5). Section 6 contains the design rationale explaining
design choices. Implementation guidelines to avoid implementation weaknesses
are given in section 7. Estimates of the computational efficiency in software are
provided in section 8. The overall strengths and advantages of the primitive are
listed in section 9.
2 Mathematical preliminaries and notation
We now summarise the mathematical background and notation that will be used
throughout this paper.
2.1 Finite fields
We will represent the field $GF(2^4)$ as $GF(2)[x]/p_4(x)$ where $p_4(x) = x^4 + x + 1$,
and the field $GF(2^8)$ as $GF(2)[x]/p_8(x)$ where $p_8(x) = x^8 + x^4 + x^3 + x^2 + 1$.
Polynomials $p_4(x)$ and $p_8(x)$ are the first primitive polynomials of degrees 4 and
8 listed in [14], and were chosen so that $g(x) = x$ is a generator of $GF(2^4) \setminus \{0\}$
and $GF(2^8) \setminus \{0\}$, respectively.
A polynomial $u = \sum_{i=0}^{m-1} u_i \cdot x^i \in GF(2)[x]$, where $u_i \in GF(2)$ for all $i = 0, \dots, m-1$, will be denoted by the numerical value $\sum_{i=0}^{m-1} u_i \cdot 2^i$, and written
in hexadecimal notation. For instance, we write $13_x$ to denote $p_4(x)$.
2.2 Matrix classes
$M_{m \times n}[GF(2^8)]$ denotes the set of $m \times n$ matrices over $GF(2^8)$.
$cir(a_0, a_1, \dots, a_{m-1})$ stands for the $m \times m$ circulant matrix whose first row
consists of elements $a_0, a_1, \dots, a_{m-1}$, i.e.
$$cir(a_0, a_1, \dots, a_{m-1}) \equiv \begin{pmatrix} a_0 & a_1 & \dots & a_{m-1} \\ a_{m-1} & a_0 & \dots & a_{m-2} \\ \vdots & \vdots & \ddots & \vdots \\ a_1 & a_2 & \dots & a_0 \end{pmatrix},$$
or simply $cir(a_0, a_1, \dots, a_{m-1}) = c \Leftrightarrow c_{ij} = a_{(j-i) \bmod m}$, $0 \leqslant i, j \leqslant m-1$.
2.3 MDS codes
The Hamming distance between two vectors $u$ and $v$ from the $n$-dimensional
vector space $GF(2^p)^n$ is the number of coordinates where $u$ and $v$ differ.
The Hamming weight $w_h(a)$ of an element $a \in GF(2^p)^n$ is the Hamming
distance between $a$ and the null vector of $GF(2^p)^n$, i.e. the number of non-zero
components of $a$.
A linear $[n, k, d]$ code over $GF(2^p)$ is a $k$-dimensional subspace of the vector space $(GF(2^p))^n$, where the Hamming distance between any two distinct
subspace vectors is at least $d$ (and $d$ is the largest number with this property).
A generator matrix $G$ for a linear $[n, k, d]$ code $C$ is a $k \times n$ matrix whose
rows form a basis for $C$. A generator matrix is in echelon or standard form if it
has the form $G = [I_{k \times k}\ A_{k \times (n-k)}]$, where $I_{k \times k}$ is the identity matrix of order $k$.
We write simply $G = [I\ A]$ omitting the indices wherever the matrix dimensions
are irrelevant for the discussion, or clear from the context.
Linear $[n, k, d]$ codes obey the Singleton bound: $d \leqslant n - k + 1$. A code that
meets the bound, i.e. $d = n - k + 1$, is called a maximal distance separable (MDS)
code. A linear $[n, k, d]$ code $C$ with generator matrix $G = [I_{k \times k}\ A_{k \times (n-k)}]$ is MDS
if, and only if, every square submatrix formed from rows and columns of $A$ is
non-singular (cf. [15, chapter 11, §4, theorem 8]).
2.4 Cryptographic properties
A product of $m$ distinct Boolean variables is called an $m$-th order product of
the variables. Every Boolean function $f: GF(2)^n \to GF(2)$ can be written as a
sum over $GF(2)$ of distinct $m$-order products of its arguments, $0 \leqslant m \leqslant n$; this
is called the algebraic normal form of $f$.
The non-linear order of $f$, denoted $\nu(f)$, is the maximum order of the terms
appearing in its algebraic normal form. A linear Boolean function is a Boolean
function of non-linear order 1, i.e. its algebraic normal form only involves isolated
arguments. Given $\alpha \in GF(2)^n$, we denote by $l_\alpha: GF(2)^n \to GF(2)$ the linear
Boolean function consisting of the sum of the argument bits selected by the bits
of $\alpha$:
$$l_\alpha(x) \equiv \bigoplus_{i=0}^{n-1} \alpha_i \cdot x_i.$$
A mapping $S: GF(2^n) \to GF(2^n)$, $x \mapsto S[x]$, is called a substitution box,
or S-box for short. An S-box can also be viewed as a mapping $S: GF(2)^n \to GF(2)^n$ and therefore described in terms of its component Boolean functions
$s_i: GF(2)^n \to GF(2)$, $0 \leqslant i \leqslant n-1$, i.e. $S[x] = (s_0(x), \dots, s_{n-1}(x))$.
The non-linear order of an S-box $S$, denoted $\nu_S$, is the minimum non-linear
order over all linear combinations of the components of $S$:
$$\nu_S \equiv \min_{\alpha \in GF(2)^n} \{\nu(l_\alpha \circ S)\}.$$
The $\delta$-parameter of an S-box $S$ is defined as
$$\delta_S \equiv 2^{-n} \cdot \max_{a \neq 0,\ b} \#\{c \in GF(2^n) \mid S[c \oplus a] \oplus S[c] = b\}.$$
The value $2^n \cdot \delta$ is called the differential uniformity of $S$.
The correlation $c(f, g)$ between two Boolean functions $f$ and $g$ is defined as:
$$c(f, g) \equiv 2^{1-n} \cdot \#\{x \mid f(x) = g(x)\} - 1.$$
The extreme value (i.e. either the minimum or the maximum, whichever is
larger in absolute value) of the correlation between linear functions of input bits
and linear functions of output bits of $S$ is called the bias of $S$.
The $\lambda$-parameter of an S-box $S$ is defined as the absolute value of the bias:
$$\lambda_S \equiv \max_{(i, j) \neq (0, 0)} |c(l_i, l_j \circ S)|.$$
The branch number $B$ of a linear mapping $\theta: GF(2^p)^k \to GF(2^p)^m$ is defined
as
$$B(\theta) \equiv \min_{a \neq 0} \{w_h(a) + w_h(\theta(a))\}.$$
Given a $[k+m, k, d]$ linear code over $GF(2^p)$ with generator matrix $G = [I_{k \times k}\ M_{k \times m}]$, the linear mapping $\theta: GF(2^p)^k \to GF(2^p)^m$ defined by $\theta(a) = a \cdot M$
has branch number $B(\theta) = d$; if the code is MDS, such a mapping is called an
optimal diffusion mapping [20].
2.5 Miscellaneous notation
Given a sequence of functions $f_m, f_{m+1}, \dots, f_{n-1}, f_n$, $m \leqslant n$, we use the notation
$\bigcirc_{r=m}^{n} f_r \equiv f_m \circ f_{m+1} \circ \dots \circ f_{n-1} \circ f_n$, and $\bigcirc_{r=n}^{m} f_r \equiv f_n \circ f_{n-1} \circ \dots \circ f_{m+1} \circ f_m$;
if $m > n$, both expressions stand for the identity mapping.
3 Description of the WHIRLPOOL primitive
The Whirlpool primitive is a Merkle hashing function (cf. [16, algorithm 9.25])
based on a dedicated block cipher, W, which operates on a 512-bit hash state
using a chained key state, both derived from the input data. In the following
we will individually define the component mappings and constants that build
up Whirlpool, then specify the complete hashing function in terms of these
components.
3.1 Input and output
The hash state is internally viewed as a matrix in $M_{8 \times 8}[GF(2^8)]$. Therefore, 512-bit data blocks (externally represented as byte arrays by sequentially grouping
the bits in 8-bit chunks) must be mapped to and from this matrix format. This
is done by function $\mu: GF(2^8)^{64} \to M_{8 \times 8}[GF(2^8)]$ and its inverse:
$$\mu(a) = b \Leftrightarrow b_{ij} = a_{8i+j},\quad 0 \leqslant i, j \leqslant 7.$$
3.2 The non-linear layer γ
Function $\gamma: M_{8 \times 8}[GF(2^8)] \to M_{8 \times 8}[GF(2^8)]$ consists of the parallel application
of a non-linear substitution box $S: GF(2^8) \to GF(2^8)$, $x \mapsto S[x]$ to all bytes of
the argument individually:
$$\gamma(a) = b \Leftrightarrow b_{ij} = S[a_{ij}],\quad 0 \leqslant i, j \leqslant 7.$$
The substitution box is discussed in detail in section 6.2.
3.3 The cyclical permutation π
The permutation $\pi: M_{8 \times 8}[GF(2^8)] \to M_{8 \times 8}[GF(2^8)]$ cyclically shifts each
column of its argument independently, so that column $j$ is shifted downwards
by $j$ positions:
$$\pi(a) = b \Leftrightarrow b_{ij} = a_{(i-j) \bmod 8,\ j},\quad 0 \leqslant i, j \leqslant 7.$$
The purpose of $\pi$ is to disperse the bytes of each row among all rows.
3.4 The linear diffusion layer θ
The diffusion layer $\theta: M_{8 \times 8}[GF(2^8)] \to M_{8 \times 8}[GF(2^8)]$ is a linear mapping
based on the $[16, 8, 9]$ MDS code with generator matrix $G_C = [I\ C]$ where $C = cir(01_x, 01_x, 04_x, 01_x, 08_x, 05_x, 02_x, 09_x)$, i.e.
$$C = \begin{pmatrix}
01_x & 01_x & 04_x & 01_x & 08_x & 05_x & 02_x & 09_x \\
09_x & 01_x & 01_x & 04_x & 01_x & 08_x & 05_x & 02_x \\
02_x & 09_x & 01_x & 01_x & 04_x & 01_x & 08_x & 05_x \\
05_x & 02_x & 09_x & 01_x & 01_x & 04_x & 01_x & 08_x \\
08_x & 05_x & 02_x & 09_x & 01_x & 01_x & 04_x & 01_x \\
01_x & 08_x & 05_x & 02_x & 09_x & 01_x & 01_x & 04_x \\
04_x & 01_x & 08_x & 05_x & 02_x & 09_x & 01_x & 01_x \\
01_x & 04_x & 01_x & 08_x & 05_x & 02_x & 09_x & 01_x
\end{pmatrix},$$
so that $\theta(a) = b \Leftrightarrow b = a \cdot C$. The effect of $\theta$ is to mix the bytes in each state
row.
3.5 The key addition σ[k]
The affine key addition $\sigma[k]: M_{8 \times 8}[GF(2^8)] \to M_{8 \times 8}[GF(2^8)]$ consists of the
bitwise addition (exor) of a key matrix $k \in M_{8 \times 8}[GF(2^8)]$:
$$\sigma[k](a) = b \Leftrightarrow b_{ij} = a_{ij} \oplus k_{ij},\quad 0 \leqslant i, j \leqslant 7.$$
This mapping is also used to introduce round constants in the key schedule.
3.6 The round constants cr
The round constant for the $r$-th round, $r > 0$, is a matrix $c^r \in M_{8 \times 8}[GF(2^8)]$,
defined as:
$$c^r_{0j} \equiv S[8(r-1) + j],\quad 0 \leqslant j \leqslant 7,$$
$$c^r_{ij} \equiv 0,\quad 1 \leqslant i \leqslant 7,\ 0 \leqslant j \leqslant 7.$$
3.7 The round function ρ[k]
The $r$-th round function is the composite mapping $\rho[k]: M_{8 \times 8}[GF(2^8)] \to M_{8 \times 8}[GF(2^8)]$, parametrised by the key matrix $k \in M_{8 \times 8}[GF(2^8)]$ and given
by:
$$\rho[k] \equiv \sigma[k] \circ \theta \circ \pi \circ \gamma.$$
3.8 The key schedule
The key schedule expands the 512-bit cipher key $K \in M_{8 \times 8}[GF(2^8)]$ onto a
sequence of round keys $K^0, \dots, K^R$:
$$K^0 = K,$$
$$K^r = \rho[c^r](K^{r-1}),\quad r > 0.$$
3.9 The internal block cipher W
The dedicated 512-bit block cipher $W[K]: M_{8 \times 8}[GF(2^8)] \to M_{8 \times 8}[GF(2^8)]$,
parametrised by the 512-bit cipher key $K$, is defined as
$$W[K] = \bigcirc_{r=R}^{1} \rho[K^r] \circ \sigma[K^0],$$
where the round keys $K^0, \dots, K^R$ are derived from $K$ by the key schedule. The
default number of rounds is $R = 10$.
3.10 Padding and MD-strengthening
Before being subjected to the hashing operation, a message $M$ of bit length
$L < 2^{256}$ is padded with a 1-bit, then with as few 0-bits as necessary to obtain
a bit string whose length is an odd multiple of 256, and finally with the 256-bit
right-justified binary representation of $L$, resulting in the padded message $m$,
partitioned in $t$ blocks $m_1, \dots, m_t$. These blocks are viewed as byte arrays by
sequentially grouping the bits in 8-bit chunks.
3.11 The compression function
Whirlpool iterates the Miyaguchi-Preneel hashing scheme [16, algorithm 9.43]
over the $t$ padded message blocks $m_i$, $1 \leqslant i \leqslant t$, using the dedicated 512-bit
block cipher $W$:
$$\eta_i = \mu(m_i),$$
$$H_0 = \mu(IV),$$
$$H_i = W[H_{i-1}](\eta_i) \oplus H_{i-1} \oplus \eta_i,\quad 1 \leqslant i \leqslant t,$$
where $IV$ (the initialisation vector) is a string of 512 0-bits.
3.12 Message digest computation
The Whirlpool message digest for message $M$ is defined as the output
$H_t$ of the compression function, mapped back to a bit string:
$$\mathrm{Whirlpool}(M) \equiv \mu^{-1}(H_t).$$
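The component mappings of sections 3.1 to 3.12 can be transcribed almost line by line into code. The following Python is an added example, not the designers' reference implementation nor any code from the paper: it builds the S-box from the $E$ and $R$ mini-boxes of section 6.2 ($E$ from the exponential $B_x^u$, $R$ copied from table 2), evaluates $\theta$ as a literal matrix product rather than with the lookup tables of section 7, and hashes a byte string with the padding of section 3.10. The constant and function names (P8, SBOX, ROUNDS, whirlpool, ...) are this example's own.

```python
# Added example (not the designers' reference code): a direct transcription of
# sections 3.1-3.12 of the Whirlpool paper into Python.  Standard library only.

P4 = 0x13    # p4(x) = x^4 + x + 1, defines GF(2^4) (section 2.1)
P8 = 0x11D   # p8(x) = x^8 + x^4 + x^3 + x^2 + 1, defines GF(2^8)

def gf_mul(a, b, poly, nbits):
    """Multiply a and b in GF(2^nbits) = GF(2)[x]/poly (schoolbook shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> nbits:
            a ^= poly
    return r

# Section 6.2: E(u) = B_x^u for u != F_x and E(F_x) = 0; R is the searched mini-box (table 2).
E = [0] * 16
_p = 1
for _u in range(15):
    E[_u] = _p
    _p = gf_mul(_p, 0xB, P4, 4)
E_INV = [E.index(y) for y in range(16)]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]

def sbox_entry(x):
    """S(u, v) = (E(E(u)+r), E^-1(E^-1(v)+r)), r = R(E(u)+E^-1(v)); u is the high nibble."""
    u, v = x >> 4, x & 0xF
    r = R[E[u] ^ E_INV[v]]
    return (E[E[u] ^ r] << 4) | E_INV[E_INV[v] ^ r]

SBOX = [sbox_entry(x) for x in range(256)]

# Section 3.4: C = cir(01,01,04,01,08,05,02,09), so C[k][j] = c_((j-k) mod 8).
C_ROW = [0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09]
C = [[C_ROW[(j - k) % 8] for j in range(8)] for k in range(8)]
ROUNDS = 10   # R = 10 (section 3.9)

def mu(block):            # section 3.1: 64 bytes -> 8x8 matrix, b_ij = a_(8i+j)
    return [list(block[8 * i:8 * i + 8]) for i in range(8)]

def mu_inv(m):            # inverse of mu: matrix -> 64 bytes, row-major
    return bytes(x for row in m for x in row)

def gamma(a):             # section 3.2: S-box applied to every byte
    return [[SBOX[x] for x in row] for row in a]

def pi(a):                # section 3.3: column j is shifted down by j positions
    return [[a[(i - j) % 8][j] for j in range(8)] for i in range(8)]

def theta(a):             # section 3.4: b = a . C, computed row by row over GF(2^8)
    b = [[0] * 8 for _ in range(8)]
    for i in range(8):
        for j in range(8):
            acc = 0
            for k in range(8):
                acc ^= gf_mul(a[i][k], C[k][j], P8, 8)
            b[i][j] = acc
    return b

def sigma(k, a):          # section 3.5: exor of a key matrix
    return [[a[i][j] ^ k[i][j] for j in range(8)] for i in range(8)]

def rho(k, a):            # section 3.7: rho[k] = sigma[k] o theta o pi o gamma
    return sigma(k, theta(pi(gamma(a))))

def round_constant(r):    # section 3.6: row 0 holds S[8(r-1)+j], the other rows are 0
    c = [[0] * 8 for _ in range(8)]
    c[0] = [SBOX[8 * (r - 1) + j] for j in range(8)]
    return c

def W(K, x):              # sections 3.8-3.9: key schedule interleaved with the rounds
    k = K                               # K^0 = K
    state = sigma(k, x)                 # sigma[K^0] is applied first
    for r in range(1, ROUNDS + 1):
        k = rho(round_constant(r), k)   # K^r = rho[c^r](K^(r-1))
        state = rho(k, state)           # rho[K^r]
    return state

def pad(msg):             # section 3.10: 1-bit, 0-bits up to an odd multiple of 256 bits, 256-bit length
    bit_len = 8 * len(msg)
    out = msg + b"\x80"
    out += b"\x00" * ((32 - len(out)) % 64)
    return out + bit_len.to_bytes(32, "big")

def whirlpool(msg):       # sections 3.11-3.12: Miyaguchi-Preneel over the padded blocks
    H = [[0] * 8 for _ in range(8)]     # H_0 = mu(IV), IV = 512 zero bits
    padded = pad(msg)
    for off in range(0, len(padded), 64):
        eta = mu(padded[off:off + 64])
        enc = W(H, eta)
        H = [[enc[i][j] ^ H[i][j] ^ eta[i][j] for j in range(8)] for i in range(8)]
    return mu_inv(H)

if __name__ == "__main__":
    print(whirlpool(b"").hex())
```

Running the file prints the digest of the empty message. A transcription like this should be compared with a published test vector before it is trusted, and the explicit matrix form of $\theta$ is chosen for readability, not speed; the table-driven forms are the subject of section 7.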
4 Security goals
In this section, we present the goals we have set for the security of Whirlpool.
A cryptanalytic attack will be considered successful by the designers if it demonstrates that a security goal described herein does not hold.
4.1 Expected strength
Assume we take as hash result the value of any $n$-bit substring of the full
Whirlpool output. Then:
– The expected workload of generating a collision is of the order of $2^{n/2}$ executions of Whirlpool.
– Given an $n$-bit value, the expected workload of finding a message that hashes
to that value is of the order of $2^n$ executions of Whirlpool.
– Given a message and its $n$-bit hash result, the expected workload of finding a
second message that hashes to the same value is of the order of $2^n$ executions
of Whirlpool.
Moreover, it is infeasible to detect systematic correlations between any linear
combination of input bits and any linear combination of bits of the hash result.
It is also infeasible to predict what bits of the hash result will change value when
certain input bits are flipped, i.e. Whirlpool is resistant against differential
attacks.
These claims result from the considerable safety margin taken with respect
to all known attacks. We do however realise that it is impossible to make non-speculative statements on things unknown.
5 Analysis
In contrast to the extension of public research on block cipher cryptanalysis,
hashing function constructions based on block ciphers have received surprisingly
scarce attention. We summarise here the available research results applicable to
Whirlpool components.
5.1 Security of the compression function
The Miyaguchi-Preneel scheme is one of the few still unbroken methods to construct a hashing function from an underlying block cipher [18]. Its security properties are discussed in [16, section 9.4.1]; in particular, it is “provably secure”
if certain ideal properties hold for the underlying block cipher. Recent research
results by Black, Rogaway and Shrimpton [1] further analyse the security properties of the Miyaguchi-Preneel and other schemes from a black-box perspective,
quantitatively corroborating the choice made for Whirlpool.
5.2 Differential cryptanalysis
The application of differential cryptanalysis techniques to hash functions based
on block ciphers has been studied in [19, 21]. Although there are some important
differences between differential attacks on block ciphers and differential attacks
on hash functions, basically the same techniques and reasonings apply. Both
attacks require that a differential characteristic with a sufficiently large probability
is found.
The branch number of the $\theta$ transform is $B = 9$. Due to the Square pattern
propagation theorem (cf. [20, proposition 7.9]), for any two different input values
of $W$, it holds that the number of S-boxes with a different input value in four
consecutive rounds is at least $B^2 = 81$. As a consequence, no differential characteristic over four rounds of $W$ has probability larger than $\delta^{B^2} = (2^{-5})^{81} = 2^{-405}$.
This makes a classical differential attack very unlikely to succeed for the full hash
function.
5.3 Attacks against the internal block cipher W
For completeness, we list the best attacks known against the internal block cipher
$W$ with reduced number of rounds. We point out, however, that these attacks
are not directly applicable to Whirlpool.
The best key recovery attack known against $W$ reduced to 7 rounds is an
extension of the attack by Gilbert and Minier [7]. The attack requirements are
$2^{64}$ guesses for one column of the first round key $\times$ $2^{32}$ c-sets $\times$ 16 values to be
encrypted per entry $\times$ 2 tables $\times$ $2^{144}$ entries/table. This sums up to $2^{245}$ steps.
It is possible to mount an attack against 7 rounds of $W$ using ideas described
in [6], but the complexity is extremely high: $2^{512}$ S-box lookups, $2^{128}$ bits of
storage and $O(2^{512})$ plaintexts. This is essentially the complexity of finding a
preimage or second preimage by brute force (and certainly much larger than the
complexity of finding a collision by means of the birthday paradox).
No attack is known against more rounds of $W$ faster than exhaustive search.
5.4 Encryption-decryption cascade
Since Whirlpool does not use the decryption form of the internal cipher W,
encryption-decryption cascades as described in [16, pp. 39] would imply the
existence of semi-weak keys, such that encryption with one key corresponds to
decryption with another key. We don’t believe that semi-weak keys exist for
Whirlpool.
5.5 Designers’ statement on the absence of hidden weaknesses
In spite of any analysis, doubts might remain regarding the presence of trapdoors
deliberately introduced in the algorithm. That is why the NESSIE project asks
for the designers’ declaration on the contrary.
Therefore we, the designers of Whirlpool, do hereby declare that there are
no hidden weaknesses inserted by us in the Whirlpool primitive.
6 Design rationale
6.1 Hashing mode
Why Miyaguchi-Preneel instead of, say, Matyas-Meyer-Oseas (MMO)? Notice
that the key schedule resembles encryption of the cipher key under a pseudo-key
defined by the round constants, so that the core of the hashing process could
be formally viewed as two interacting encryption lines. Consider the encryption
$W[H_{i-1}](\eta_i)$. We could write the last round key as $K^R = W'[c](H_{i-1})$; this
quantity is exored onto the cipher state as the last encryption step. Now take
a look at the MMO recursion: $H_i = W[H_{i-1}](\eta_i) \oplus \eta_i$. Formally applying this
construction to the “key encryption line” we get $K'^R = W'[c](H_{i-1}) \oplus H_{i-1}$.
Using this value as the effective last round key formally creates two interacting
MMO lines (as compared to the interacting encryption lines), and results in the
Miyaguchi-Preneel scheme, which therefore shows up as the natural choice for
the compression function.
6.2 Choice of the substitution box
The originally submitted form of Whirlpool used a pseudo-randomly generated S-box, chosen to satisfy the following conditions:
– The $\delta$-parameter must not exceed $8 \times 2^{-8}$.
– The $\lambda$-parameter must not exceed $16 \times 2^{-6}$.
– The non-linear order $\nu$ must be maximum, namely, 7.
The bounds on $\delta$ and $\lambda$ correspond to twice the minimum achievable values for
these quantities. An additional condition, that the S-box has no fixed point, was
imposed in an attempt to speed up the search. This condition was inspired by
the empirical study reported in [26, section 2.3], where the strong correlation
found between the cryptographic properties and the number of fixed points of a
substitution box suggests minimising the number of such points. The polynomial
and rational representations of $S$ over $GF(2^8)$ are checked as well, to avoid any
obvious algebraic weakness (which could lead e.g. to interpolation attacks [10]).
However, the extreme lack of structure in such an S-box hinders efficient hardware implementation. Moreover, a flaw that went unnoticed in the random search
program caused the value of $\lambda$ for the original S-box to be incorrectly reported
as $15 \times 2^{-6}$ instead of the actual value $16 \times 2^{-6}$ (corresponding to a negative
bias)¹. Therefore, we now describe an alternative S-box that, besides strictly
satisfying the design conditions, is amenable to much more efficient implementation in hardware, while not affecting the software implementation techniques
presented here in any reasonable way.
The new S-box is illustrated in figure 1. This structure has its origin in a simple three-layer construction consisting of two non-linear layers (each containing
two $4 \times 4$ S-boxes) separated by a symmetric linear transform $M: GF(2^4)^2 \to GF(2^4)^2$. The most general form such a transform can assume is given by the
matrix
$$M = \begin{pmatrix} a + 1 & a \\ a & a + 1 \end{pmatrix},\quad a \in GF(2^4),$$
which reduces to the structure in figure 1 by setting $R(u) \equiv a \cdot u$ (the actual $R$ is
pseudo-randomly generated as described below). Thus, writing $S$ as a mapping
$S: GF(2^4)^2 \to GF(2^4)^2$, $S(u, v) = (u', v')$, we have
$$u' = E(E(u) \oplus r),\quad v' = E^{-1}(E^{-1}(v) \oplus r),$$
where $r \equiv R(E(u) \oplus E^{-1}(v))$.
The $E$ table (as well as its inverse $E^{-1}$) is not generated at random; rather, it
is derived from a simple exponential mapping with optimal $\delta$, $\lambda$, and $\nu$, namely:
$$E: GF(2^4) \to GF(2^4): E(u) = \begin{cases} B_x^{\,u} & \text{if } u \neq F_x, \\ 0_x & \text{otherwise,} \end{cases}$$
where the occurrence of $u = u_3 x^3 + u_2 x^2 + u_1 x + u_0$ as an exponent in $B_x^{\,u}$ is
taken to be its numerical value $\sum_{i=0}^{3} u_i \cdot 2^i$. The basis $B_x$ was chosen so that $E$
has neither fixed points (i.e. values $u$ such that $E(u) = u$) nor points $u$ such that
$E(E(u)) = u$. Notice that $E^{-1}$ satisfies the same properties.
The $R$ table is a pseudo-randomly generated permutation with optimal $\delta$, $\lambda$,
and $\nu$, chosen so that the S-box built from $E$, $E^{-1}$ and $R$ satisfies the design
criteria listed at the beginning of this section.
Table 1 lists the $E$ permutation, and table 2 shows the $R$ permutation found
by the searching algorithm.
¹ We thank the NESSIE evaluation team for pointing out this discrepancy [5].
[Figure 1: diagram of the S-box structure, a layer of $E$ and $E^{-1}$ mini-boxes, the $R$ mini-box, and a second layer of $E$ and $E^{-1}$ mini-boxes; the image itself is not reproduced here.]
Fig. 1. Structure of the Whirlpool S-box. $E$ corresponds to the mapping $E: GF(2^4) \to GF(2^4): E(u) = B_x^{\,u}$ if $u \neq F_x$, and $E(F_x) = 0$. $R$ is pseudo-randomly
generated in a verifiable way. Both have optimal values of $\delta$, $\lambda$, and $\nu$.
The random search we carried out was able to find an S-box with $\lambda = 14 \times 2^{-6}$,
slightly better than the design bound. A description of the searching algorithm
and a listing of the resulting S-box are given in the appendix.
Table 1. The $E$ mini-box
u      0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx
E[u]   1x Bx 9x Cx Dx 6x Fx 3x Ex 8x 7x 4x Ax 2x 5x 0x
Table 2. The $R$ mini-box
u      0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx
R[u]   7x Cx Bx Dx Ex 4x 9x Fx 6x 3x 8x Ax 2x 5x 1x 0x
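Because tables 1 and 2 are given in full, the design conditions listed at the head of this section can be re-checked by exhaustive enumeration of the definitions in section 2.4. The following Python is an added example, not part of the paper: it recomputes the differential uniformity $2^n \delta_S$, the largest Walsh coefficient (which is $2^n \lambda_S$) and the non-linear order $\nu_S$ for $E$, for $R$, and for the 8-bit S-box assembled from them by the three-layer construction described above. The function names are this example's own; the Walsh-Hadamard and Moebius transforms are the standard fast algorithms, used here only to keep the enumeration quick.

```python
# Added example (not from the paper): the delta-, lambda- and nu-parameters of
# section 2.4, computed by exhaustive enumeration for the mini-boxes of tables 1
#and 2 and for the 8-bit S-box built from them as in section 6.2.

E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]  # table 1
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]  # table 2
E_INV = [E.index(y) for y in range(16)]

def whirlpool_sbox():
    """Three-layer construction of section 6.2: u' = E(E(u)+r), v' = E^-1(E^-1(v)+r)."""
    box = []
    for x in range(256):
        u, v = x >> 4, x & 0xF              # u is the high nibble, v the low nibble
        r = R[E[u] ^ E_INV[v]]
        box.append((E[E[u] ^ r] << 4) | E_INV[E_INV[v] ^ r])
    return box

def differential_uniformity(S):
    """2^n * delta_S: the largest count #{c : S[c+a] + S[c] = b} over a != 0 and all b."""
    size, best = len(S), 0
    for a in range(1, size):
        counts = [0] * size
        for c in range(size):
            counts[S[c ^ a] ^ S[c]] += 1
        best = max(best, max(counts))
    return best

def parity(x):
    return bin(x).count("1") & 1

def walsh_spectrum_max(S):
    """max over (i, j) != (0, 0) of |sum_x (-1)^(l_i(x) + l_j(S[x]))|, i.e. 2^n * lambda_S."""
    size, best = len(S), 0
    for j in range(1, size):                 # output mask j; j = 0 gives the constant function
        w = [1 - 2 * parity(j & S[x]) for x in range(size)]
        h = 1                                 # fast Walsh-Hadamard transform: all input masks i at once
        while h < size:
            for k in range(0, size, 2 * h):
                for m in range(k, k + h):
                    w[m], w[m + h] = w[m] + w[m + h], w[m] - w[m + h]
            h *= 2
        best = max(best, max(abs(t) for t in w))
    return best

def algebraic_degree(f):
    """Degree of a Boolean function given as a truth table, via the Moebius transform (ANF)."""
    anf, size, h = list(f), len(f), 1
    while h < size:
        for k in range(0, size, 2 * h):
            for m in range(k, k + h):
                anf[m + h] ^= anf[m]
        h *= 2
    return max((bin(m).count("1") for m in range(size) if anf[m]), default=0)

def nonlinear_order(S):
    """nu_S: the minimum degree over all non-trivial linear combinations of the components."""
    size = len(S)
    return min(algebraic_degree([parity(j & S[x]) for x in range(size)]) for j in range(1, size))

def design_parameters(S):
    """(2^n delta_S, 2^n lambda_S, nu_S) for an S-box given as a lookup table of size 2^n."""
    return differential_uniformity(S), walsh_spectrum_max(S), nonlinear_order(S)

if __name__ == "__main__":
    for name, box in (("E", E), ("R", R), ("S", whirlpool_sbox())):
        du, wmax, nu = design_parameters(box)
        n = len(box).bit_length() - 1
        print(f"{name}: delta = {du}/2^{n}, lambda = {wmax}/2^{n}, nu = {nu}")
```

For the 8-bit S-box the $\lambda$ figure is printed as $w/2^8$; in the units used in this section that is $(w/4) \times 2^{-6}$, so the design bound $16 \times 2^{-6}$ corresponds to a largest Walsh coefficient of 64.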
6.3 Choice of the diffusion layer
The adopted circulant matrix $C$ has as many 1-elements as possible (namely,
3 per row) for an $8 \times 8$ circulant MDS matrix; furthermore, any element has
Hamming weight at most 2, and polynomial degree at most 3. These constraints
are especially advantageous for smart cards and dedicated hardware, and from
all matrices satisfying these criteria the actual selection leads to a particularly
efficient implementation on those platforms (see section 7.3).
6.4 The last round
One difference between the Whirlpool structure and the structure of
Square [3] and Rijndael [4] is the fact that, in the former, the operation
$\theta$ is present in all rounds, while in the latter it is not present in the first or in the
last round. Firstly, we will explain why one application of the operation $\theta$ can
be left out without changing the security level of the cipher. Subsequently, we
list some motivations to leave out one application of the operation $\theta$, followed
by the motivation why it was actually kept in for Whirlpool.
Why it is possible to leave $\theta$ out: Consider a Square-like cipher with two
rounds, and an extra key addition:
$$E = \sigma[K_2] \circ \tau \circ \gamma \circ \theta \circ \sigma[K_1] \circ \tau \circ \gamma \circ \theta \circ \sigma[K_0]. \qquad (1)$$
As explained in [3], the operations $\theta$ and $\sigma[K]$ can be exchanged, provided that
the key $K$ is replaced by an equivalent key $K' = \theta(K)$. Consequently, we can
write (1) as:
$$E = \sigma[K_2] \circ \tau \circ \gamma \circ \theta \circ \sigma[K_1] \circ \tau \circ \gamma \circ \sigma[\theta(K_0)] \circ \theta. \qquad (2)$$
In (2), it is obvious that the first application of $\theta$ does not contribute to the
security of the cipher, because it can always be undone by an attacker, without
knowing the key. Therefore, we can leave it out of the definition of our cipher
(1). The new definition becomes:
$$E' = \sigma[K_2] \circ \tau \circ \gamma \circ \theta \circ \sigma[K_1] \circ \tau \circ \gamma \circ \sigma[K_0]. \qquad (3)$$
Observe that in this analysis we did not make any assumption about the
attack that an attacker is trying to mount. We proved generally that the security
of $E$ and $E'$ are equivalent.
Motivation to leave $\theta$ out: One motivation to leave out one application of
$\theta$, is that it does not contribute to the cipher’s security. Furthermore, implementations on small processors that execute all transformations explicitly will
probably experience increased performance. Thirdly, (3) has the advantage that
encryption and decryption are more similar to one another² than for (1).
² However, in Whirlpool the internal cipher $W$ operates only in encryption mode,
hence the third motivation to keep $\theta$ is not important here.
Motivation to leave $\theta$ in: The best motivation to keep all rounds identical to
one another, is the performance on processors with a medium-sized fast cache
memory. If not all rounds are identical, then the number of tables that have to
be stored in memory increases. For fast implementations of Square, it turns
out that the tables for the complete rounds can be stored in the cache, but there
is no place left for the tables of the incomplete round. The net result is that the
round without $\theta$ takes longer to execute.
7 Implementation
Whirlpool can be implemented very efficiently. On different platforms, different optimisations and tradeoffs are possible. We make here a few suggestions.
7.1 64-bit processors
We suggest a lookup-table approach to implement $\rho$. Let $C_k$ be the $k$-th row of
the circulant matrix $C$; using eight tables $T_k[x] \equiv S[x] \cdot C_k$, $0 \leqslant k \leqslant 7$, i.e.:
$T_0[x] = S[x] \cdot [01_x\ 01_x\ 04_x\ 01_x\ 08_x\ 05_x\ 02_x\ 09_x]$,
$T_1[x] = S[x] \cdot [09_x\ 01_x\ 01_x\ 04_x\ 01_x\ 08_x\ 05_x\ 02_x]$,
$T_2[x] = S[x] \cdot [02_x\ 09_x\ 01_x\ 01_x\ 04_x\ 01_x\ 08_x\ 05_x]$,
$T_3[x] = S[x] \cdot [05_x\ 02_x\ 09_x\ 01_x\ 01_x\ 04_x\ 01_x\ 08_x]$,
$T_4[x] = S[x] \cdot [08_x\ 05_x\ 02_x\ 09_x\ 01_x\ 01_x\ 04_x\ 01_x]$,
$T_5[x] = S[x] \cdot [01_x\ 08_x\ 05_x\ 02_x\ 09_x\ 01_x\ 01_x\ 04_x]$,
$T_6[x] = S[x] \cdot [04_x\ 01_x\ 08_x\ 05_x\ 02_x\ 09_x\ 01_x\ 01_x]$,
$T_7[x] = S[x] \cdot [01_x\ 04_x\ 01_x\ 08_x\ 05_x\ 02_x\ 09_x\ 01_x]$,
then a row $b_i$ of $b = (\theta \circ \pi \circ \gamma)(a)$ can be calculated with eight table lookups and
seven exor operations as:
$$b_i = \bigoplus_{k=0}^{7} T_k[a_{(i-k) \bmod 8,\ k}];$$
the key addition then completes the evaluation of $\rho$ with a single additional
exor. The $T$-tables require $2^8 \times 8$ bytes of storage each. An implementation
can use the fact that the corresponding entries of different $T$-tables are cyclical
permutations of one another and save some memory at the expense of introducing
extra permutations at runtime. Usually this decreases the performance of the
implementation.
7.2 32-bit processors
Any circulant matrix $C$ of order $2m$ shows the following structure:
$$C = \begin{pmatrix} U & V \\ V & U \end{pmatrix},$$
where $U$ and $V$ are matrices of order $m$. A 32-bit implementation may take
advantage of this structure by representing elements $c \in GF(2^8)^8$ as pairs $c = \hat{c}_0 \hat{c}_1$ of elements $\hat{c}_i \in GF(2^8)^4$:
$$b = \theta(a) \Leftrightarrow \hat{b}_0 = \hat{a}_0 U \oplus \hat{a}_1 V,\quad \hat{b}_1 = \hat{a}_0 V \oplus \hat{a}_1 U,$$
with twice the complexity derived for 64-bit processors regarding the number of
table lookups and exors, but using smaller tables (each occupying $2^8 \times 4$ bytes).
7.3 8-bit processors
On an 8-bit processor with a limited amount of RAM, e.g. a typical smart
card processor, the previous approach is not feasible. On these processors the
substitution is performed byte by byte, combined with the $\sigma[k]$ transformation.
For $\theta$, it is necessary to implement the matrix multiplication. The following piece
of pseudo-code calculates one row of $b = \theta(a)$, using a table $X$ that implements
multiplication by the polynomial $g(x) = x$ in $GF(2^8)$ (i.e. $X[u] \equiv x \cdot u$) and five
auxiliary variables $t_0$ to $t_4$, at the cost of 46 exors and 24 table lookups:
    t0 ← a_{i1} ⊕ a_{i3} ⊕ a_{i5} ⊕ a_{i7};
    t1 ← a_{i3} ⊕ a_{i6};
    t2 ← a_{i5} ⊕ a_{i0};
    t3 ← a_{i7} ⊕ a_{i2};
    t4 ← a_{i1} ⊕ a_{i4};
    b_{i0} ← a_{i0} ⊕ t0 ⊕ X[a_{i2} ⊕ X[t1 ⊕ X[t4]]];
    b_{i2} ← a_{i2} ⊕ t0 ⊕ X[a_{i4} ⊕ X[t2 ⊕ X[t1]]];
    b_{i4} ← a_{i4} ⊕ t0 ⊕ X[a_{i6} ⊕ X[t3 ⊕ X[t2]]];
    b_{i6} ← a_{i6} ⊕ t0 ⊕ X[a_{i0} ⊕ X[t4 ⊕ X[t3]]];
    t0 ← a_{i0} ⊕ a_{i2} ⊕ a_{i4} ⊕ a_{i6};
    t1 ← a_{i4} ⊕ a_{i7};
    t2 ← a_{i6} ⊕ a_{i1};
    t3 ← a_{i0} ⊕ a_{i3};
    t4 ← a_{i2} ⊕ a_{i5};
    b_{i1} ← a_{i1} ⊕ t0 ⊕ X[a_{i3} ⊕ X[t1 ⊕ X[t4]]];
    b_{i3} ← a_{i3} ⊕ t0 ⊕ X[a_{i5} ⊕ X[t2 ⊕ X[t1]]];
    b_{i5} ← a_{i5} ⊕ t0 ⊕ X[a_{i7} ⊕ X[t3 ⊕ X[t2]]];
    b_{i7} ← a_{i7} ⊕ t0 ⊕ X[a_{i1} ⊕ X[t4 ⊕ X[t3]]];
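The pseudo-code above can be checked mechanically against a plain row-times-$C$ product. The following Python is an added example rather than code from the paper: the table $X$ is built once from $p_8(x)$, the pseudo-code is transcribed as written, and a small counting wrapper confirms the 24 table lookups per row. Since every entry of $C$ is a sum of powers of $x$ of degree at most 3 (section 6.3), the reference product also needs nothing beyond $X$ and exor. The sample rows are constructed here, and the helper names are this example's own.

```python
# Added example (not from the paper): the 8-bit theta-row routine of section 7.3
# transcribed into Python and checked against a direct row . C product.

P8 = 0x11D   # p8(x) = x^8 + x^4 + x^3 + x^2 + 1

# X[u] = x * u in GF(2^8).  The conditional reduction happens only here, while the
# table is built, so the per-byte routine below is a fixed sequence of lookups and exors.
X_TABLE = [((u << 1) ^ P8) if u & 0x80 else (u << 1) for u in range(256)]

class CountingTable:
    """Wraps a lookup table and counts how often it is consulted."""
    def __init__(self, table):
        self.table, self.lookups = table, 0
    def __getitem__(self, u):
        self.lookups += 1
        return self.table[u]

def theta_row_8bit(a, X):
    """One row of b = theta(a) exactly as the pseudo-code of section 7.3 (46 exors, 24 lookups)."""
    a0, a1, a2, a3, a4, a5, a6, a7 = a
    b = [0] * 8
    t0 = a1 ^ a3 ^ a5 ^ a7
    t1 = a3 ^ a6
    t2 = a5 ^ a0
    t3 = a7 ^ a2
    t4 = a1 ^ a4
    b[0] = a0 ^ t0 ^ X[a2 ^ X[t1 ^ X[t4]]]
    b[2] = a2 ^ t0 ^ X[a4 ^ X[t2 ^ X[t1]]]
    b[4] = a4 ^ t0 ^ X[a6 ^ X[t3 ^ X[t2]]]
    b[6] = a6 ^ t0 ^ X[a0 ^ X[t4 ^ X[t3]]]
    t0 = a0 ^ a2 ^ a4 ^ a6
    t1 = a4 ^ a7
    t2 = a6 ^ a1
    t3 = a0 ^ a3
    t4 = a2 ^ a5
    b[1] = a1 ^ t0 ^ X[a3 ^ X[t1 ^ X[t4]]]
    b[3] = a3 ^ t0 ^ X[a5 ^ X[t2 ^ X[t1]]]
    b[5] = a5 ^ t0 ^ X[a7 ^ X[t3 ^ X[t2]]]
    b[7] = a7 ^ t0 ^ X[a1 ^ X[t4 ^ X[t3]]]
    return b

C_ROW = [0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09]   # first row of C (section 3.4)

def mul_const(u, c):
    """u * c in GF(2^8) for a constant c of degree <= 3, as an exor of repeated doublings."""
    acc, power = 0, u
    for bit in range(4):
        if (c >> bit) & 1:
            acc ^= power
        power = X_TABLE[power]
    return acc

def theta_row_reference(a):
    """b_j = sum over k of a_k * C[k][j], with C[k][j] = c_((j-k) mod 8)."""
    b = []
    for j in range(8):
        acc = 0
        for k in range(8):
            acc ^= mul_const(a[k], C_ROW[(j - k) % 8])
        b.append(acc)
    return b

def check_all_rows(rows):
    """Return (every row agrees with the reference, X lookups per row)."""
    X = CountingTable(X_TABLE)
    ok = all(theta_row_8bit(row, X) == theta_row_reference(row) for row in rows)
    return ok, X.lookups // len(rows)

# Constructed sample rows: the zero row, high-bit unit vectors (exercise the reduction),
# and a fixed quadratic byte pattern.
SAMPLE_ROWS = (
    [[0] * 8]
    + [[0x80 if k == j else 0 for k in range(8)] for j in range(8)]
    + [[(37 * i * i + 11 * i + 5) & 0xFF for i in range(n, n + 8)] for n in range(0, 64, 8)]
)

if __name__ == "__main__":
    agree, lookups = check_all_rows(SAMPLE_ROWS)
    print("8-bit routine matches the matrix product:", agree, "- X lookups per row:", lookups)
```

The point made in section 7.4 is visible here: the only data-dependent branch is in the construction of $X$, which is done once, so the per-row computation takes the same sequence of operations whatever the byte values are.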
7.4 Techniques to avoid software implementation weaknesses
Hash functions do not use secret keys. In principle, they are not vulnerable to
the key recovery techniques described by Kocher et al. [12, 13]. However, hash
functions are sometimes used as building blocks for other cryptographic primitives, such as MACs, that use secret keys. In that case, the necessary attention
should be given to the implementation of the round transformation as well as
the key scheduling of the primitive.
A first example is the timing attack [12] that can be applicable if the execution time of the primitive depends on the value of the key and the plaintext. This
is typically caused by the presence of conditional execution paths. For instance,
multiplication by a constant value over a finite field is sometimes implemented
as a multiplication followed by a reduction, the latter being implemented as a
conditional exor. This vulnerability is avoided by implementing the multiplication by a constant by means of table lookups, as proposed in sections 7.1, 7.2,
and 7.3.
A second class of attacks are the attacks based on the careful observation of
the power consumption pattern of an encryption device [13]. Protection against
this type of attack can only be achieved by combined measures at the hardware
and software level. We leave the final word on this issue to the specialists, but
we hope that the simple structure and the limited number of operations in
Whirlpool will make it easier to create an implementation that resists this
type of attacks.
7.5 Hardware implementation
We have currently no precise figures on the available performance and required
area or gate count of Whirlpool in ASIC or FPGA, nor do we have a description in VHDL. However, we expect that the results on Rijndael [9, 23] will
carry over to some extent³.
8 Efficiency estimates
Using the reference C implementation on a 1 GHz Pentium III platform, we
observe that Whirlpool operates at about 73 cycles per hashed byte. The
compression function runs at about 56 cycles per hashed byte.
Many factors explain the observed performance. First, a 32-bit processor was
used to test a native 64-bit implementation; better results are expected by merely
running the speed measurement on an Alpha or Itanium processor. Second, it
seems that the pipe parallelism capabilities of the Pentium were not fully used;
this may reflect a non-optimising implementation of 64-bit arithmetic support
by the C compiler, and might be overcome by an assembler implementation.
Third, the tables employed in the reference implementation are quite large, and
the built-in processor cache might not be enough to hold them, the data being
hashed, and the hashing code at once, thus degrading processing speed.
³ In particular, the S-box structure can be implemented in about 1/5 the number of
gates used by the implementation of the Rijndael S-box reported in [24], which
takes about 500–600 gates [25].
9 Advantages
Whirlpool is much more scalable than most modern hashing functions. Even
though it is not specifically oriented toward any platform, it is rather efficient on
many of them, its structure favouring extensively parallel execution of the component mappings. At the same time, it does not require excessive storage space
(either for code or for tables), and can therefore be efficiently implemented in
quite constrained environments like smart cards, although it can benefit from
larger cache memory available on modern processors to achieve higher performance. It does not use expensive or unusual instructions that must be built in
the processor. The mathematical simplicity of the primitive resulting from the
design strategy tends to make analysis easier. And finally, it has a very long hash
length; this not only provides increased protection against birthday attacks, but
also offers a larger internal state for entropy containment, as is needed for certain
classes of pseudo-random number generators [11].
10 Acknowledgements
We are grateful to Raïf Naffah, for carefully reading and suggesting improvements for the implementation guidelines provided in this paper, and for implementing several versions of Whirlpool in Java.
We are deeply indebted to Brian Gladman for providing software and hardware facilities to search for efficient mini-box implementations in terms of
Boolean functions.
We thank Paris Kitsos for pointing out an error in the diagram displayed in
figure 1.
Finally, we would also like to thank the NESSIE project organisers and evaluation team for making this work possible.
References
1. J. Black, P. Rogaway, and T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, Advances in Cryptology – Crypto'2002, Lecture Notes in Computer Science, vol. 2442, Springer-Verlag, 2002, pp. 320–335.
2. J. Daemen, Cipher and hash function design strategies based on linear and differential cryptanalysis, Ph.D. thesis, Katholieke Universiteit Leuven, March 1995.
3. J. Daemen, L.R. Knudsen, and V. Rijmen, The block cipher Square, Fast Software Encryption – FSE'97, Lecture Notes in Computer Science, vol. 1267, Springer-Verlag, 1997, pp. 149–165.
4. J. Daemen and V. Rijmen, The design of Rijndael, Springer-Verlag, Berlin, 2002. Also described in NIST FIPS 197.
5. NESSIE evaluation team, private communication, 2001.
6. N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting, Improved cryptanalysis of Rijndael, Fast Software Encryption – FSE'2000, Lecture Notes in Computer Science, vol. 1978, Springer-Verlag, 2000, pp. 213–230.
7. H. Gilbert and M. Minier, A collision attack on 7 rounds of Rijndael, Third Advanced Encryption Standard Candidate Conference, NIST, 2000, pp. 230–241.
8. M. Hoskin, The Cambridge illustrated history of astronomy, Cambridge University Press, London, 1997.
9. T. Ichikawa, T. Kasuya, and M. Matsui, Hardware evaluation of the AES finalists, Third Advanced Encryption Standard Candidate Conference, NIST, 2000, pp. 279–285.
10. T. Jakobsen and L.R. Knudsen, The interpolation attack on block ciphers, Fast Software Encryption – FSE'97, Lecture Notes in Computer Science, vol. 1267, Springer-Verlag, 1997, pp. 28–40.
11. J. Kelsey, B. Schneier, D. Wagner, and C. Hall, Cryptanalytic attacks on pseudo-random number generators, Fast Software Encryption – FSE'98, Lecture Notes in Computer Science, vol. 1372, Springer-Verlag, 1998, pp. 168–188.
12. P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, Advances in Cryptology – Crypto'96, Lecture Notes in Computer Science, vol. 1109, Springer-Verlag, 1996, pp. 104–113.
13. P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, Advances in Cryptology – Crypto'99, Lecture Notes in Computer Science, vol. 1666, Springer-Verlag, 1999, pp. 388–397.
14. R. Lidl and H. Niederreiter, Introduction to finite fields and their applications, Cambridge University Press, London, 1986.
15. F.J. MacWilliams and N.J.A. Sloane, The theory of error-correcting codes, North-Holland Mathematical Library, vol. 16, North-Holland, London, 1977.
16. A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of applied cryptography, CRC Press, 1997.
17. NESSIE, New European Schemes for Signatures, Integrity, and Encryption, http://cryptonessie.org, 2000.
18. B. Preneel, Analysis and design of cryptographic hash functions, Ph.D. thesis, Katholieke Universiteit Leuven, January 1993.
19. B. Preneel, Differential cryptanalysis of hash functions based on block ciphers, Computer and Communications Security, ACM, 1993, pp. 183–188.
20. V. Rijmen, Cryptanalysis and design of iterated block ciphers, Ph.D. thesis, Katholieke Universiteit Leuven, October 1997.
21. V. Rijmen and B. Preneel, Improved characteristics for differential cryptanalysis of hash functions based on block ciphers, Fast Software Encryption – FSE'95, Lecture Notes in Computer Science, vol. 1008, Springer-Verlag, 1995, pp. 242–248.
22. T. Shirai and K. Shibutani, On the diffusion matrix employed in the Whirlpool hashing function, NESSIE public report, 2003.
23. B. Weeks, M. Bean, T. Rozylowicz, and C. Ficke, Hardware performance simulations of round 2 AES algorithms, Third Advanced Encryption Standard Candidate Conference, NIST, 2000, pp. 286–304.
24. D. Whiting, AES implementations in 0.25µm ASIC, NIST AES electronic discussion forum posting, 2000.
25. D. Whiting, private communication, 2001.
26. A.M. Youssef, S.E. Tavares, and H.M. Heys, A new class of substitution-permutation networks, Selected Areas in Cryptography – SAC'96, Workshop record, 1996, pp. 132–147.
A Generation of the WHIRLPOOL S-box
The only part of the S-box structure left unspecified in figure 1 is the R permutation, which is generated pseudo-randomly in a verifiable way.
The searching algorithm starts with a simple permutation without fixed points (namely, the negation mapping u ↦ ū = u ⊕ Fx), and derives from it a sequence of 4 × 4 substitution boxes ("mini-boxes") with the optimal values δ = 1/4, λ = 1/2, and ν = 3. Each such mini-box is combined with E and E⁻¹ according to the diagram shown in figure 1; finally, the resulting 8 × 8 S-box, if free of fixed points, is tested for the design criteria regarding δ, λ, and ν.
Given a mini-box at any point during the search, a new one is derived from it by choosing a pair of distinct values that are not the image of one another and swapping them, keeping the result free of fixed points; this is repeated until the running mini-box has optimal values of δ, λ, and ν.
The pseudo-random number generator is implemented with Rijndael [4] in counter mode, with a fixed key consisting of 256 zero bits and an initial counter value consisting of 128 zero bits.
The following pseudo-code fragment illustrates the computation of the chain of mini-boxes and the resulting S-box:
// initialize R to the negation permutation
// (R is a 4-bit mini-box, so it has 16 entries):
for (u ← 0; u < 16; u++) {
    R[u] ← ū;
}
// look for S-box conforming to the design criteria:
do {
    // generate a random permutation free of fixed points:
    do {
        do {
            // randomly select x and y such that
            // x ≠ y, R[x] ≠ y, and R[y] ≠ x:
            z ← RandomByte(); x ← z ≫ 4; y ← z & 0Fx;
        } while (x = y ∨ R[x] = y ∨ R[y] = x);
        // swap entries:
        u ← R[x]; R[x] ← R[y]; R[y] ← u;
    } while (δ(R) > 1/4 ∨ λ(R) > 1/2 ∨ ν(R) < 3);
    // build S-box from the mini-boxes (see figure 1):
    for (u ← 0; u < 256; u++) {
        x ← E[u ≫ 4]; y ← E⁻¹[u & 0Fx];
        r ← R[x ⊕ y]; x ← x ⊕ r; y ← y ⊕ r;
        S[u] ← (E[x] ≪ 4) | E⁻¹[y];
    }
    // test design criteria:
} while (#FixedPoints(S) > 0 ∨ δ(S) > 2⁻⁵ ∨ λ(S) > 2⁻² ∨ ν(S) < 7);
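As an added example (not the paper's own code), the following Python performs the S-box construction step of the pseudo-code above from the three mini-boxes and evaluates the δ and λ criteria that the search loops test; the E and R mini-box tables are assumed from the design (this page references but does not print them), and ν, the algebraic degree, is not computed.

```python
# Added example (not the paper's code): build the Whirlpool S-box from its three
# 4-bit mini-boxes the way the appendix A pseudo-code does, then evaluate the
# delta/lambda design criteria that the search loop tests. E and R are assumed
# from the design (referenced, not printed, on this page); TABLE3 is the page's
# table 3, used to check the result.

E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]
E_INV = [E.index(v) for v in range(16)]   # E^-1, the inverse permutation of E

TABLE3 = bytes.fromhex(          # 16 rows of table 3, input u = 16*row + column
    "18 23 C6 E8 87 B8 01 4F 36 A6 D2 F5 79 6F 91 52"
    "60 BC 9B 8E A3 0C 7B 35 1D E0 D7 C2 2E 4B FE 57"
    "15 77 37 E5 9F F0 4A DA 58 C9 29 0A B1 A0 6B 85"
    "BD 5D 10 F4 CB 3E 05 67 E4 27 41 8B A7 7D 95 D8"
    "FB EE 7C 66 DD 17 47 9E CA 2D BF 07 AD 5A 83 33"
    "63 02 AA 71 C8 19 49 D9 F2 E3 5B 88 9A 26 32 B0"
    "E9 0F D5 80 BE CD 34 48 FF 7A 90 5F 20 68 1A AE"
    "B4 54 93 22 64 F1 73 12 40 08 C3 EC DB A1 8D 3D"
    "97 00 CF 2B 76 82 D6 1B B5 AF 6A 50 45 F3 30 EF"
    "3F 55 A2 EA 65 BA 2F C0 DE 1C FD 4D 92 75 06 8A"
    "B2 E6 0E 1F 62 D4 A8 96 F9 C5 25 59 84 72 39 4C"
    "5E 78 38 8C D1 A5 E2 61 B3 21 9C 1E 43 C7 FC 04"
    "51 99 6D 0D FA DF 7E 24 3B AB CE 11 8F 4E B7 EB"
    "3C 81 94 F7 B9 13 2C D3 E7 6E C4 03 56 44 7F A9"
    "2A BB C1 53 DC 0B 9D 6C 31 74 F6 46 AC 89 14 E1"
    "16 3A 69 09 70 B6 D0 ED CC 42 98 A4 28 5C F8 86"
)

def build_sbox(e=E, e_inv=E_INV, r=R):
    """S[u] for every byte u, following figure 1 / the appendix A loop."""
    s = []
    for u in range(256):
        x, y = e[u >> 4], e_inv[u & 0x0F]   # outer E / E^-1 layer
        t = r[x ^ y]                        # middle R layer
        x, y = x ^ t, y ^ t
        s.append((e[x] << 4) | e_inv[y])    # inner E / E^-1 layer
    return s

def fixed_points(box):
    return [u for u, v in enumerate(box) if u == v]

def delta(box):
    """Differential uniformity: max over a != 0, b of #{x : box[x^a]^box[x] = b} / 2^n."""
    n, worst = len(box), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[box[x ^ a] ^ box[x]] += 1
        worst = max(worst, max(counts))
    return worst / n

PARITY = [bin(v).count("1") & 1 for v in range(256)]   # parity of a dot product

def lam(box):
    """Largest input/output correlation |sum_x (-1)^(a.x ^ b.box[x])| / 2^n over
    b != 0, computed with a Walsh-Hadamard transform of each component b.box."""
    n, worst = len(box), 0
    for b in range(1, n):
        w = [1 - 2 * PARITY[b & box[x]] for x in range(n)]   # (-1)^(b.box[x])
        h = 1
        while h < n:
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        worst = max(worst, max(abs(v) for v in w))   # w[a] is the sum above
    return worst / n

def sbox_meets_criteria(box):
    """Rejection test of the outer loop (nu, the algebraic degree, is not computed here)."""
    return not fixed_points(box) and delta(box) <= 2 ** -5 and lam(box) <= 2 ** -2

def minibox_is_optimal(box):
    """Inner-loop test: delta = 1/4 and lambda = 1/2 are the best a 4-bit bijection reaches."""
    return delta(box) <= 0.25 and lam(box) <= 0.5

def check():
    s = build_sbox()
    return {"matches_table3": s == list(TABLE3),
            "bijective": sorted(s) == list(range(256)),
            "sbox_ok": sbox_meets_criteria(s),
            "R_ok": minibox_is_optimal(R),
            "E_ok": minibox_is_optimal(E) and minibox_is_optimal(E_INV)}

if __name__ == "__main__":
    print(check())
```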
B Hardware implementation
Restricting the allowed logical gates to AND, OR, NOT, and XOR, the E mini-box and its inverse can be implemented with 18 logical gates each, while the R mini-box needs 17 logical gates. Therefore, the complete S-box can be implemented with 101 gates.
The pseudo-code fragments shown in figure 2 illustrate this (u = u3·x³ + u2·x² + u1·x + u0 ∈ GF(2⁴) denotes the mini-box input, z = z3·x³ + z2·x² + z1·x + z0 ∈ GF(2⁴) denotes its output, and the tk denote intermediate values). We point out, however, that the search for efficient Boolean expressions for the mini-boxes has not been thorough, and it is likely that better expressions exist.
z = E[u]            z = E⁻¹[u]          z = R[u]
t0 ← u0 u2          t0 ← ¬u0            t0 ← ¬u0
t0 ← t0 u1          t1 ← u0 u1          t1 ← u2 u3
t2 ← ¬u0            t1 ← t1 u3          t2 ← u0 t1
t1 ← u3 t2          t2 ← u2 t1          t2 ← t2 u1
t2 ← t0 t1          z3 ← t0 t2          t3 ← u3 t0
z0 ← u0 t2          t2 ← u0 u2          z2 ← t2 t3
t2 ← u2 t0          t3 ← u0 u3          t2 ← ¬u2
t1 ← t1 t2          t3 ← t3 t2          t2 ← t2 t3
t2 ← u3 z0          t3 ← t3 u1          t3 ← u1 t2
z1 ← t2 t1          z0 ← t0 t3          z3 ← t1 t3
t2 ← u2 t1          t2 ← t2 u1          t3 ← t3 t0
t1 ← t1 u3          t3 ← u2 t0          t0 ← u0 z3
t0 ← t0 t2          t4 ← z3 t2          t1 ← ¬u1
t1 ← t1 t0          t1 ← t1 t4          t1 ← t1 u3
z2 ← t2 t1          t2 ← t2 t1          z0 ← t0 t1
t1 ← z1 z2          z2 ← t3 t1          t3 ← t3 z0
t1 ← t1 z0          t0 ← t0 u3          z1 ← t2 t3
z3 ← t0 t1          z1 ← t0 t2
Fig. 2. Boolean expressions for E, E⁻¹, and R (one gate per line; in this copy the two-input gate symbol between the operands of each line, AND, OR or XOR, did not survive, so only the target and the operands are shown)
For completeness, table 3 lists the resulting 8 × 8 Whirlpool S-box.
C The name
Whirlpool is named after the Whirlpool galaxy in Canes Venatici (M51, or
NGC 5194), the first one recognised to have spiral structure by William Parsons,
third Earl of Rosse, in April 1845 [8].
Table 3. The Whirlpool S-box (all entries hexadecimal; the row label gives the high nibble of the input u, the column label its low nibble)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00    18 23 C6 E8 87 B8 01 4F 36 A6 D2 F5 79 6F 91 52
10    60 BC 9B 8E A3 0C 7B 35 1D E0 D7 C2 2E 4B FE 57
20    15 77 37 E5 9F F0 4A DA 58 C9 29 0A B1 A0 6B 85
30    BD 5D 10 F4 CB 3E 05 67 E4 27 41 8B A7 7D 95 D8
40    FB EE 7C 66 DD 17 47 9E CA 2D BF 07 AD 5A 83 33
50    63 02 AA 71 C8 19 49 D9 F2 E3 5B 88 9A 26 32 B0
60    E9 0F D5 80 BE CD 34 48 FF 7A 90 5F 20 68 1A AE
70    B4 54 93 22 64 F1 73 12 40 08 C3 EC DB A1 8D 3D
80    97 00 CF 2B 76 82 D6 1B B5 AF 6A 50 45 F3 30 EF
90    3F 55 A2 EA 65 BA 2F C0 DE 1C FD 4D 92 75 06 8A
A0    B2 E6 0E 1F 62 D4 A8 96 F9 C5 25 59 84 72 39 4C
B0    5E 78 38 8C D1 A5 E2 61 B3 21 9C 1E 43 C7 FC 04
C0    51 99 6D 0D FA DF 7E 24 3B AB CE 11 8F 4E B7 EB
D0    3C 81 94 F7 B9 13 2C D3 E7 6E C4 03 56 44 7F A9
E0    2A BB C1 53 DC 0B 9D 6C 31 74 F6 46 AC 89 14 E1
F0    16 3A 69 09 70 B6 D0 ED CC 42 98 A4 28 5C F8 86