Cryptology ePrint Archive: Report 2014/501
Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob
Markku-Juhani O. Saarinen
Abstract: WhirlBob is an Authenticated Encryption with Associated Data (AEAD)
algorithm derived from the first round CAESAR candidate StriBob
and the Whirlpool hash algorithm.
As with StriBob, the reduced-size Sponge design has a strong provable
security link with a standard hash algorithm.
The main advantage of WhirlBob over
StriBob is its greatly reduced implementation footprint on
resource-constrained platforms. Remarkably, the entire C reference
implementation of WhirlBob 1.0 $\pi$ fits onto a single page of the
Appendix. The new design utilizes only the LPS or $\rho$
keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK
and increases the number of rounds of the $\pi$ permutation from 10 to 12 as a
countermeasure against Rebound Distinguishing attacks.
On most low-end microcontrollers the total software footprint of
$\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. We also report
an FPGA implementation of WhirlBob. The implementation requires 4,946 logic
units for a single round of WhirlBob, which
compares favorably to 7,972 required for Keccak/Keyak on the same platform.
The reduced hardware gate count is also reflected as efficient bitsliced
straight-line implementations, especially on 64-bit platforms. Bitslicing
works as an efficient countermeasure against AES-style cache timing
side-channel attacks. Our constant-time bitsliced implementations run at
around 35% of the speed of 64-bit table-lookup implementations.
We finally present some
discussion and analysis on differences between Whirlpool, the Russian
GOST Streebog hash, and the recently proposed draft Russian
Encryption Standard Kuznyechik.
Category / Keywords: Authenticated Encryption, Sponge designs, Whirlpool, Streebog, StriBob, CAESAR
Date: received 25 Jun 2014, last revised 28 Aug 2014
Contact author: mjos at iki fi
Note: Will talk about this at DIAC '14, 23-24 August 2014, Santa Barbara, USA. Also submitted to a conference with proceedings.
Version: 20140829:022931