Cryptology ePrint Archive: Report 2014/501

Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob

Markku-Juhani O. Saarinen

Abstract: WhirlBob is a new Authenticated Encryption with Associated Data (AEAD) algorithm derived from the first round CAESAR candidate StriBob and the Whirlpool hash algorithm. The main advantage of WhirlBob over StriBob is its greatly reduced implementation footprint on resource-constrained platforms. Remarkably, the entire C reference implementation of WhirlBob 1.0 $\pi$ fits onto a single page of the Appendix. On most low-end microcontrollers the total software footprint of $\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. The greatly reduced hardware gate count is also reflected as efficient bitsliced straight-line implementations, especially on 64-bit platforms. Bitslicing works as an efficient countermeasure against AES-style cache timing side-channel attacks. The new design utilizes only the LPS or $\rho$ keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK and adds the number of rounds in $\pi$ permutation from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. As with StriBob, the reduced-size Sponge design has a strong provable security link with the original hash algorithm. We finally present some discussion and analysis on differences between Whirlpool, the Russian GOST Streebog hash, and the recently proposed draft Russian Encryption Standard Kuznyechik.

Category / Keywords: secret-key cryptography / Authenticated Encryption, Sponge designs, Whirlpool, Streebog, StriBob, CAESAR, NESSIE, GOST R 34.11-2012

Date: received 25 Jun 2014, last revised 23 Jul 2014

Contact author: mjos at iki fi

Available format(s): PDF | BibTeX Citation

Note: Will talk about this at DIAC '14, 23-24 August 2014, Santa Barbara, USA. Also submitted to a conference with proceedings.

Version: 20140723:164110 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]