Second Preimage Analysis of Whirlwind

Whirlwind is a keyless AES-like hash function that adopts the Sponge model. According to its designers, the function is designed to resist most of the recent cryptanalytic attacks. In this paper, we evaluate the second preimage resistance of the Whirlwind hash function. More precisely, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of 2(385) and memory complexity of 2(128). We also employ a guess and determine approach to extend the attack to 6 rounds with time and memory complexities of 2(496) and 2(112), respectively. Finally, by adopting another meet in the middle attack, we are able to generate n-block message second preimages of the 5 and 6-round reduced hash function with time complexity of 2(449) and 2(505) and memory complexity of 2(128) and 2(112), respectively.