
APPENDIX N
WHIRLPOOL
William Stallings
Copyright 2010

Contents

N.1 WHIRLPOOL HASH STRUCTURE
    Background
    Whirlpool Logic
N.2 BLOCK CIPHER W
    Overall Structure
    The Nonlinear Layer SB
    The Permutation Layer SC
    The Diffusion Layer MR
    The Add Key Layer AK
    Key Expansion for the Block Cipher W
REFERENCES

Supplement to Cryptography and Network Security, Fifth Edition, William Stallings, Prentice Hall 2010, ISBN-10: 0136097049, http://williamstallings.com/Crypto/Crypto5e.html

In this appendix, we examine the hash function Whirlpool [BARR03], one of whose designers is also co-inventor of Rijndael, adopted as the Advanced Encryption Standard (AES).

Whirlpool is one of only two hash functions endorsed by NESSIE (New European Schemes for Signatures, Integrity, and Encryption).[1] The NESSIE project is a European Union-sponsored effort to put forward a portfolio of strong cryptographic primitives of various types. Whirlpool is based on the use of a block cipher for the compression function. There has traditionally been little interest in the use of block-cipher-based hash functions because of the demonstrated security vulnerabilities of the structure. The following are potential drawbacks:

1. Block ciphers do not possess the properties of randomizing functions. For example, they are invertible. This lack of randomness may lead to weaknesses that can be exploited.

2. Block ciphers typically exhibit other regularities or weaknesses. For example, [MIYA90] demonstrates how to compromise many hash schemes based on properties of the underlying block cipher.

3. Typically, block-cipher-based hash functions are significantly slower than hash functions based on a compression function specifically designed for the hash function.

4. A principal measure of the strength of a hash function is the length of the hash code in bits. For block-cipher-based hash codes, proposed designs have a hash code length equal to either the cipher block length or twice the cipher block length. Traditionally, cipher block length has been limited to 64 bits (e.g., DES, triple DES), resulting in a hash code of questionable strength.

However, since the adoption of AES, there has been renewed interest in developing a secure hash function based on a strong block cipher and exhibiting good performance. Whirlpool is a block-cipher-based hash function intended to provide security and performance comparable to, if not better than, that found in non-block-cipher-based hash functions, such as SHA. Whirlpool has the following features:

[1] The other endorsed scheme consists of three variants of SHA: SHA-256, SHA-384, and SHA-512.

1. The hash code length is 512 bits, equaling the longest hash code available with SHA.

2. The overall structure of the hash function is one that has been shown to be resistant to the usual attacks on block-cipher-based hash codes.

3. The underlying block cipher is based on AES and is designed to provide for implementation in both software and hardware that is both compact and exhibits good performance.

The design of Whirlpool sets the following security goals. Assume we take as hash result the value of any n-bit substring of the full Whirlpool output.

• The expected workload of generating a collision is of the order of 2^(n/2) executions of Whirlpool.

• Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of 2^n executions of Whirlpool.

• Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2^n executions of Whirlpool.

• It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks).

The designers assert their confidence that these goals have been met with a considerable safety margin. However, the goals are not susceptible to a formal proof.

We begin with a discussion of the structure of the overall hash function, and then examine the block cipher used as the basic building block.

N.1 WHIRLPOOL HASH STRUCTURE

Background

The general iterated hash structure proposed by Merkle (Figure 11.7) is used in virtually all secure hash functions. However, as was pointed out, there are difficulties in designing a truly secure iterated hash function when the compression function is a block cipher.

Preneel [PREN93a, PREN93b] performed a systematic analysis of block-cipher-based hash functions, using the model depicted in Figure N.1. In this model, the hash code length equals the cipher block length. Additional security problems are introduced and the analysis is more difficult if the hash code length exceeds the cipher block length. Preneel devised 64 possible permutations of the basic model, based on which input served as the encryption key, which served as plaintext, and what input, if any, was combined with the ciphertext to produce the intermediate hash code. Based on his analysis, he concluded that only schemes in which the plaintext was fed forward and combined with the ciphertext were secure. Such an arrangement makes the compression function
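The Preneel model above (hash code length equal to the cipher block length, with or without the plaintext fed forward), as an added Python example that is not part of Stallings' appendix or of the Whirlpool specification. A constructed 64-bit toy Feistel cipher stands in for a real block cipher such as Whirlpool's W (which is 512-bit); the all-zero IV, the padding rule, and the round constants are my own assumptions. The example shows the iterated structure of Figure 11.7 over four compression-function variants, and makes drawback 1 concrete: with no feed-forward, h = E_h'(m), the message block is recovered from the chaining values by a single decryption, whereas the feed-forward variants (Matyas-Meyer-Oseas, Davies-Meyer, and Miyaguchi-Preneel, the last being the one Whirlpool itself adopts) cannot be unwound that way.

```python
"""Block-cipher-based iterated hash in the Preneel model (|hash| = |block|).

Added illustration. The cipher below is a constructed TOY 64-bit Feistel network
used only as a stand-in for a real block cipher; it is not secure.
"""
import struct

BLOCK_BYTES = 8            # toy block/hash length in bytes (real Whirlpool: 64)
ROUNDS = 16
MASK32 = 0xFFFFFFFF


def _round_function(half: int, subkey: int) -> int:
    """Toy nonlinear round function on a 32-bit half block (constructed)."""
    x = (half + subkey) & MASK32
    x ^= ((x << 7) | (x >> 25)) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return x ^ (x >> 16)


def _subkeys(key: bytes) -> list:
    """Constructed key schedule: derive ROUNDS 32-bit subkeys from an 8-byte key."""
    k0, k1 = struct.unpack(">II", key)
    return [(k0 + (i + 1) * k1 + i * 0x9E3779B9) & MASK32 for i in range(ROUNDS)]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """E_key(block): 16-round Feistel permutation of one 8-byte block."""
    left, right = struct.unpack(">II", block)
    for sk in _subkeys(key):
        left, right = right, left ^ _round_function(right, sk)
    return struct.pack(">II", right, left)   # undo the final swap


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """D_key(block): the inverse permutation (block ciphers are invertible)."""
    right, left = struct.unpack(">II", block)
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _round_function(left, sk), left
    return struct.pack(">II", left, right)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Compression functions f(h_prev, m) -> h, all with |h| = block length.

def plain_compress(h_prev: bytes, m: bytes) -> bytes:
    """No feed-forward: h = E_{h_prev}(m). Insecure: inverted by one decryption."""
    return toy_encrypt(h_prev, m)


def matyas_meyer_oseas(h_prev: bytes, m: bytes) -> bytes:
    """h = E_{h_prev}(m) XOR m  (plaintext fed forward)."""
    return _xor(toy_encrypt(h_prev, m), m)


def davies_meyer(h_prev: bytes, m: bytes) -> bytes:
    """h = E_{m}(h_prev) XOR h_prev  (chaining value is the plaintext, fed forward)."""
    return _xor(toy_encrypt(m, h_prev), h_prev)


def miyaguchi_preneel(h_prev: bytes, m: bytes) -> bytes:
    """h = E_{h_prev}(m) XOR m XOR h_prev  (the variant Whirlpool uses with W)."""
    return _xor(_xor(toy_encrypt(h_prev, m), m), h_prev)


def _pad(message: bytes) -> list:
    """Merkle-Damgard strengthening (assumed rule): 0x80, zeros, 64-bit bit length."""
    bit_len = 8 * len(message)
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded)) % BLOCK_BYTES)
    padded += struct.pack(">Q", bit_len)
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]


def iterated_hash(message: bytes, compress=miyaguchi_preneel) -> bytes:
    """Merkle iterated structure (Figure 11.7) over the chosen compression function."""
    h = bytes(BLOCK_BYTES)                 # constructed IV: the all-zero block
    for block in _pad(message):
        h = compress(h, block)
    return h


def invert_plain_compression(h_prev: bytes, h_next: bytes) -> bytes:
    """Drawback 1 made concrete: for plain_compress the block m with
    f(h_prev, m) == h_next is simply D_{h_prev}(h_next)."""
    return toy_decrypt(h_prev, h_next)


if __name__ == "__main__":
    msg = b"constructed sample message"
    print("Miyaguchi-Preneel :", iterated_hash(msg).hex())
    print("Matyas-Meyer-Oseas:", iterated_hash(msg, matyas_meyer_oseas).hex())
    print("Davies-Meyer      :", iterated_hash(msg, davies_meyer).hex())
    h0, m0 = bytes(BLOCK_BYTES), b"block001"
    assert invert_plain_compression(h0, plain_compress(h0, m0)) == m0
    print("plain E_h(m) compression inverted by decryption: block recovered")
```

For the feed-forward variants the equation h = E_k(m) XOR m is not solved by decrypting h: D_k(h) is a preimage only if it happens to be the all-zero block, which is exactly why Preneel's analysis singles out the fed-forward schemes. The toy cipher is there only so the construction runs stand-alone; swapping in a real 512-bit cipher W under `miyaguchi_preneel` gives Whirlpool's compression step.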

