Cryptology ePrint Archive: Report 2014/501
Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob
Markku-Juhani O. Saarinen
Abstract: WhirlBob is a new Authenticated Encryption with Associated Data (AEAD)
algorithm derived from the first-round CAESAR candidate StriBob
and the Whirlpool hash algorithm. The main advantage of WhirlBob over
StriBob is its greatly reduced implementation footprint on
resource-constrained platforms. Remarkably, the entire C reference
implementation of WhirlBob 1.0 $\pi$ fits onto a single page of the Appendix.
On most low-end microcontrollers the total software footprint of
$\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. The greatly
reduced hardware gate count is also reflected as efficient bitsliced
straight-line implementations, especially on 64-bit platforms. Bitslicing
works as an efficient countermeasure against AES-style cache timing
side-channel attacks. The new design utilizes only the LPS or $\rho$
keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK
and increases the number of rounds in the $\pi$ permutation from 10 to 12 as a
countermeasure against Rebound Distinguishing attacks.
As with StriBob, the reduced-size Sponge design has a strong provable
security link with the original hash algorithm. We finally present some
discussion and analysis on differences between Whirlpool, the Russian
GOST Streebog hash, and the recently proposed draft Russian
Encryption Standard Kuznyechik.
Category / Keywords: secret-key cryptography / Authenticated Encryption, Sponge designs, Whirlpool, Streebog, StriBob, CAESAR, NESSIE, GOST R 34.11-2012
Date: received 25 Jun 2014, last revised 23 Jul 2014
Contact author: mjos at iki fi
Note: Will talk about this at DIAC '14, 23-24 August 2014, Santa Barbara, USA. Also submitted to a conference with proceedings.
Version: 20140723:164110