Re: What is next in line

From: Henrick Hellström (
Date: 03/16/05

Date: Wed, 16 Mar 2005 14:13:18 GMT

Kim Hyldgaard wrote:

> That was also the recommendation from NESSIE,
> however it was stated that it had not been properly
> analysed yet.

Almost, but not quite. This is what the final report says about both
Whirlpool and the SHA-2 hashes:

NESSIE portfolio. The collision-resistant hash functions included in the
NESSIE portfolio are Whirlpool, SHA-256, SHA-384 and SHA-512.

– The NESSIE project selects Whirlpool as a collision-resistant hash
function, with an output length of 512 bits. The design of Whirlpool is
based on an underlying 512-bit block cipher that is used in
Miyaguchi-Preneel mode. This block cipher has a structure similar to
Rijndael. The best known attack on Whirlpool finds non-random properties
when the compression function is reduced to six rounds or less (out of
ten); this gives a good security margin. The performance of Whirlpool is
acceptable, though on most platforms it is slightly slower than SHA-512.

– The NESSIE project selects SHA-256, SHA-384 and SHA-512 as
collision-resistant hash functions, with an output length of 256, 384 or
512 bits. These primitives have recently been added to the NIST standard
for hash functions. In contrast to the AES process this was not an open
standardisation process and the design strategy was not made public.
These primitives are rather new designs that have some similarities to
SHA-1 but there are important differences in the structure. They were
not submitted to NESSIE and owing to a lack of resources only limited
evaluation has been performed. Current results indicate no security
problems and these primitives seem to have a large security margin
against known attacks. The performance of these primitives is
acceptable, SHA-512 and SHA-384 being slightly faster than Whirlpool on
most platforms. SHA-256 is about twice as fast on most platforms.

No security weaknesses were found for these primitives. However,
Whirlpool, SHA-256, SHA-384 and SHA-512 are newly designed primitives
which have undergone only limited evaluation by the cryptographic
community so far.
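The Miyaguchi-Preneel mode mentioned in the quoted NESSIE text is easy to see in code. The following is an added illustration, not part of the post or of the NESSIE report, and it does not use Whirlpool's actual 512-bit cipher: the block cipher is a constructed 128-bit Feistel stand-in built from SHA-256 so that the script runs offline, and the names `toy_block_encrypt`, `mp_hash` and `recover_block` are this example's own. It shows the compression step H_i = E_{H_{i-1}}(m_i) XOR H_{i-1} XOR m_i with Merkle-Damgard padding, and also why the feed-forward XOR is there: a block cipher alone is invertible, so feeding the chaining value in as the key without the XOR lets anyone with H_{i-1} and H_i recover the message block.

```python
"""Miyaguchi-Preneel hashing over a block cipher (added example).

The cipher below is a constructed stand-in, not Whirlpool's cipher, and
carries no security claim; it exists only to make the construction runnable.
"""
import hashlib

BLOCK_BYTES = 16   # toy 128-bit block; Whirlpool uses 512-bit blocks and keys
HALF = BLOCK_BYTES // 2


def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    # Hypothetical Feistel round function: SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Constructed balanced Feistel cipher: key and block are BLOCK_BYTES long."""
    assert len(key) == BLOCK_BYTES and len(block) == BLOCK_BYTES
    left, right = block[:HALF], block[HALF:]
    for rnd in range(rounds):
        f = _round_function(key, right, rnd)
        left, right = right, xor_bytes(left, f)
    return left + right


def toy_block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Inverse of toy_block_encrypt; exists to show the cipher is invertible."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(rounds)):
        f = _round_function(key, left, rnd)
        left, right = xor_bytes(right, f), left
    return left + right


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def miyaguchi_preneel_compress(encrypt, h_prev: bytes, m_block: bytes) -> bytes:
    """One Miyaguchi-Preneel step: H_i = E_{H_{i-1}}(m_i) XOR H_{i-1} XOR m_i."""
    return xor_bytes(xor_bytes(encrypt(h_prev, m_block), h_prev), m_block)


def md_pad(message: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit big-endian bit length."""
    padded = message + b"\x80"
    while (len(padded) + 8) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + (len(message) * 8).to_bytes(8, "big")


def mp_hash(message: bytes, encrypt=toy_block_encrypt, iv: bytes = bytes(BLOCK_BYTES)) -> bytes:
    """Hash a message by chaining the compression function over padded blocks."""
    padded = md_pad(message)
    h = iv
    for off in range(0, len(padded), BLOCK_BYTES):
        h = miyaguchi_preneel_compress(encrypt, h, padded[off:off + BLOCK_BYTES])
    return h


def naive_compress(h_prev: bytes, m_block: bytes) -> bytes:
    """Chaining value as key, no feed-forward: H_i = E_{H_{i-1}}(m_i). Do not use."""
    return toy_block_encrypt(h_prev, m_block)


def recover_block(h_prev: bytes, h_out: bytes) -> bytes:
    """With naive_compress, the block is just a decryption away: the step is invertible."""
    return toy_block_decrypt(h_prev, h_out)


if __name__ == "__main__":
    print(mp_hash(b"The quick brown fox").hex())
```

The feed-forward is what turns a keyed permutation into a one-way compression function: `recover_block` inverts `naive_compress` exactly, but there is no corresponding inverse for `miyaguchi_preneel_compress`, because the output mixes in both the key (`h_prev`) and the plaintext (`m_block`) after encryption.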