## Cryptology ePrint Archive: Report 2014/501

Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob

Markku-Juhani O. Saarinen

Abstract: WhirlBob is an Authenticated Encryption with Associated Data (AEAD) algorithm derived from the first-round CAESAR candidate StriBob and the Whirlpool hash algorithm. As with StriBob, the reduced-size Sponge design has a strong provable security link with a standard hash algorithm. The main advantage of WhirlBob over StriBob is its greatly reduced implementation footprint on resource-constrained platforms. Remarkably, the entire C reference implementation of the WhirlBob 1.0 $\pi$ permutation fits onto a single page of the Appendix. The new design uses only the LPS or $\rho$ keying line of Whirlpool in a flexible domain-separated Sponge mode, BLNK, and increases the number of rounds in the $\pi$ permutation from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. On most low-end microcontrollers the total software footprint of $\pi$ + BLNK = WhirlBob AEAD is less than half a kilobyte. We also report an FPGA implementation of WhirlBob. The implementation requires 4,946 logic units for a single round of WhirlBob, which compares favorably to the 7,972 required for Keccak/Keyak on the same platform. The reduced hardware gate count is also reflected in efficient bitsliced straight-line implementations, especially on 64-bit platforms. Bitslicing works as an efficient countermeasure against AES-style cache-timing side-channel attacks, since the S-box is evaluated with Boolean operations rather than data-dependent table lookups. Our constant-time bitsliced implementations run at around 35% of the speed of 64-bit table-lookup implementations. We finally present some discussion and analysis of the differences between Whirlpool, the Russian GOST Streebog hash, and the recently proposed draft Russian encryption standard Kuznyechik.
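The abstract describes a domain-separated Sponge AEAD mode wrapping a single permutation. The following Python is an added illustration of that structure (key, nonce and associated data absorbed under distinct domain labels, plaintext encrypted by duplexing, tag squeezed last). It is not the paper's code and not the BLNK mode itself: the permutation is a SHA-512 stand-in rather than WhirlBob's $\pi$, and the rate (32 bytes), domain-separation byte values, 10* padding rule and 16-byte tag are all assumptions chosen for the example.

```python
import hashlib
import hmac
from typing import Iterator, Optional

STATE_BYTES = 64   # 512-bit state, the width of Whirlpool's block
RATE = 32          # bytes of state exposed per permutation call (assumed, not the paper's value)
TAG_BYTES = 16     # tag length (assumed)

# Domain-separation labels XORed into the last capacity byte before each
# permutation call. Values are assumptions for this example, not BLNK's.
DOM_KEY, DOM_NONCE, DOM_AD, DOM_MSG, DOM_TAG = 0x01, 0x02, 0x04, 0x08, 0x10


def pi_stand_in(state: bytes) -> bytes:
    # Placeholder for the WhirlBob pi permutation: SHA-512 gives a fixed-width
    # 64-byte pseudorandom mapping so the mode logic can run. It is NOT the
    # real permutation and carries none of WhirlBob's security argument.
    assert len(state) == STATE_BYTES
    return hashlib.sha512(state).digest()


def _pieces(data: bytes) -> Iterator[bytes]:
    # Split into RATE-byte pieces. The final piece is always shorter than RATE
    # (possibly empty) so the 10* padding is unambiguous for every length.
    full = len(data) // RATE
    for i in range(full):
        yield data[i * RATE:(i + 1) * RATE]
    yield data[full * RATE:]


def _pad(piece: bytes) -> bytes:
    # Assumed 10* padding: append 0x01 then zeros up to the rate.
    assert len(piece) < RATE
    return piece + b"\x01" + b"\x00" * (RATE - 1 - len(piece))


def _block(piece: bytes) -> bytes:
    return piece if len(piece) == RATE else _pad(piece)


def _absorb(state: bytes, block: bytes, domain: int) -> bytes:
    # XOR the block into the rate, the domain label into the capacity, permute.
    s = bytearray(state)
    for i, b in enumerate(block):
        s[i] ^= b
    s[-1] ^= domain
    return pi_stand_in(bytes(s))


def _init(key: bytes, nonce: bytes, ad: bytes) -> bytes:
    # Key, nonce and associated data each get their own domain label, so a
    # byte string absorbed as AD can never be confused with one absorbed as key.
    state = bytes(STATE_BYTES)
    for label, data in ((DOM_KEY, key), (DOM_NONCE, nonce), (DOM_AD, ad)):
        for piece in _pieces(data):
            state = _absorb(state, _block(piece), label)
    return state


def encrypt(key: bytes, nonce: bytes, ad: bytes, plaintext: bytes) -> bytes:
    state = _init(key, nonce, ad)
    out = bytearray()
    for piece in _pieces(plaintext):
        # Duplex step: the current rate is the keystream for this piece, and
        # the plaintext is absorbed so the state depends on everything so far.
        out += bytes(p ^ k for p, k in zip(piece, state))
        state = _absorb(state, _block(piece), DOM_MSG)
    tag = _absorb(state, b"", DOM_TAG)[:TAG_BYTES]
    return bytes(out) + tag


def decrypt(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes) -> Optional[bytes]:
    if len(ciphertext) < TAG_BYTES:
        return None
    body, tag = ciphertext[:-TAG_BYTES], ciphertext[-TAG_BYTES:]
    state = _init(key, nonce, ad)
    out = bytearray()
    for piece in _pieces(body):
        pt = bytes(c ^ k for c, k in zip(piece, state))
        out += pt
        state = _absorb(state, _block(pt), DOM_MSG)
    expected = _absorb(state, b"", DOM_TAG)[:TAG_BYTES]
    if not hmac.compare_digest(expected, tag):
        return None  # never release plaintext on a tag mismatch
    return bytes(out)


if __name__ == "__main__":
    k, n = b"k" * 16, b"n" * 12          # constructed sample key and nonce
    ct = encrypt(k, n, b"hdr", b"hello sponge world")
    assert decrypt(k, n, b"hdr", ct) == b"hello sponge world"
    assert decrypt(k, n, b"hdx", ct) is None
    print("round trip ok, AD mismatch rejected")
```

The decryption path computes the tag over the full message before comparing it in constant time and returns nothing on failure; an implementation that streamed plaintext out before the check would hand an attacker a decryption oracle regardless of how good the permutation is.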

Category / Keywords: Authenticated Encryption, Sponge designs, Whirlpool, Streebog, StriBob, CAESAR

Date: received 25 Jun 2014, last revised 28 Aug 2014

Contact author: mjos at iki fi

Available format(s): PDF | BibTeX Citation

Note: Will talk about this at DIAC '14, 23-24 August 2014, Santa Barbara, USA. Also submitted to a conference with proceedings.
