Cryptology ePrint Archive: Report 2014/501

Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob

Markku-Juhani O. Saarinen and Billy Bob Brumley

Abstract: WhirlBob is an Authenticated Encryption with Associated Data (AEAD) algorithm derived from the first round CAESAR candidate StriBob and the Whirlpool hash algorithm. As with StriBob, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or $\rho$ keying half of Whirlpool in a flexible domain-separated BLNK Sponge mode and increases the number of rounds from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The Whirlpool and WhirlBob $8 \times 8$ - bit S-Box is constructed from $4 \times 4$ - bit ``MiniBoxes''. We report on a fast constant-time SIMD implementation technique that keeps full miniboxes in registers and accesses them via SIMD shuffles. This is an efficient countermeasure against AES-style cache timing side-channel attacks and we have implemented it on Intel SSSE3 and ARM NEON targets. Another main advantage of WhirlBob over StriBob (and most other AEADs) is its greatly reduced implementation footprint on resource-constrained platforms. On many low-end microcontrollers the total software footprint of $\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. We also report an FPGA implementation of WhirlBob. The implementation requires 4,946 logic units for a single round of WhirlBob, which compares favorably to 7,972 required for Keccak/Keyak on the same platform.The relatively small hardware gate count is also reflected as efficient bitsliced straight-line implementations, especially on pure 64-bit platforms. We finally present some discussion and analysis on the relationships between WhirlBob, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.

Category / Keywords: Secret-Key Cryptiography / Authenticated Encryption, Sponge designs, Timing Attacks, Whirlpool, Streebog, StriBob, CAESAR Project

Date: received 25 Jun 2014, last revised 15 Sep 2014

Contact author: mjos at iki fi

Available format(s): PDF | BibTeX Citation

Note: Submitted for publication.

Version: 20140915:100159 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]