Cryptology ePrint Archive: Report 2014/501

Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob

Markku-Juhani O. Saarinen and Billy Bob Brumley

Abstract: WhirlBob is an Authenticated Encryption with Associated Data (AEAD) algorithm derived from the first round CAESAR candidate StriBob and the Whirlpool hash algorithm. As with StriBob, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or $\rho$ component of Whirlpool in flexibly domain-separated BLNK Sponge mode. The number of rounds is increased from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The $8 \times 8$-bit S-Box used by Whirlpool and WhirlBob is constructed from $4 \times 4$-bit "MiniBoxes". We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WhirlBob implementations that keep full miniboxes in registers and access them via SIMD shuffles. This is an efficient countermeasure against AES-style cache timing side-channel attacks. Another main advantage of WhirlBob over StriBob (and most other AEADs) is its greatly reduced implementation footprint on lightweight platforms. On many lower-end microcontrollers the total software footprint of $\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. We also report an FPGA implementation that requires 4,946 logic units for a single round of WhirlBob, which compares favorably to 7,972 required for Keccak / Keyak on the same target platform. The relatively small S-Box gate count also enables efficient 64-bit bitsliced straight-line implementations. We finally present some discussion and analysis on the relationships between WhirlBob, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.

Category / Keywords: Secret-Key Cryptography / Authenticated Encryption, Sponge designs, Timing Attacks, Whirlpool, Streebog, StriBob, CAESAR Project

Date: received 25 Jun 2014, last revised 9 Jan 2015

Contact author: mjos at iki fi


Note: Accepted to INSCRYPT '14 but does not appear in proceedings. Submitted to Journal publication.

Version: 20150109:115156
