Whirlpool was designed by Vincent Rijmen (co-creator of the Advanced Encryption Standard) and Paulo S. L. M. Barreto, who described it in 2000. It has been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 10118-3 international standard. This algorithm is free to use and there are no patent limits.

The purpose of this function is to take for input a message of size less or equal than and to return a digest message of size 512 bits (the « hash ») using a function like the one used in AES (symmetric encryption algorithm).

How does it work?

Whirlpool transform a message of variable size into a hash of fixed size, to do that Whirlpool use a technique of “padding”. In our case, Whirlpool uses a Merkle-Damgard construction which is also used in MD5 and SHA-2. After that, the padded data are used in entry of the block cipher W in Miyaguchi–Preneel mode.

The block cipher W consists of an 8×8 state matrix S of bytes, for a total of 512 bits. The encryption process consists of updating the state with four round functions over 10 rounds. The four round functions are:

  1. SubBytes, an operation that applies a non-linear permutation to each byte of the state independently.

  2. ShiftColumns which is an operation that cyclically shifts each byte in each column (column j has its bytes shifted downwards by j positions).

  3. MixRows which is a right-multiplication of each row by an 8x8 matrix.

  4. AddRoundKey which is an operation that uses bitwise xor to add a key calculated by the key schedule to the current state. The key scheduling is the same as the encryption itself except that the AddRoundKey is replaced by AddRoundConstant with a predetermined constant in each round.

Possible threats


Whirlpool creates a 512bits digest which make it hard to find a collision. Furthermore, the Miyaguchi-Preneel construction is one of the only cipher blocks functions that remain “unbroken”. The best-known attack is a Birthday Attack which required operations this is way too much with the current technology.

Calculation of a cost attack

The time required to generate 1 000 000 hashes is in average 0.3 sec. We would need / (1 000 000*0.3) seconds so approximately 3,85E71 seconds that is to say 1,22E64 years.