Cryptology ePrint Archive: Report 2014/501
WHIRLBOB, the Whirlpool based Variant of STRIBOB: Lighter, Faster, and Constant Time
Markku--Juhani O. Saarinen and Billy Bob Brumley
Abstract: WHIRLBOB, also known as STRIBOBr2, is an AEAD (Authenticated Encryption
with Associated Data) algorithm derived from STRIBOBr1 and the
Whirlpool hash algorithm. WHIRLBOB/STRIBOBr2 is a second round candidate
in the CAESAR competition. As with STRIBOBr1, the reduced-size Sponge
design has a strong provable security link with a standardized hash
The new design utilizes only the LPS or $\rho$ component of Whirlpool in
flexibly domain-separated BLNK Sponge mode. The number of rounds is
increased from 10 to 12 as a countermeasure against Rebound
Distinguishing attacks. The $8 \times 8$ - bit S-Box used by Whirlpool and
WHIRLBOB is constructed from $4 \times 4$ - bit ``MiniBoxes''.
We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WHIRLBOB
implementations that keep full miniboxes in registers and access them via
SIMD shuffles. This is an efficient countermeasure against AES-style cache
timing side-channel attacks. Another main advantage of WHIRLBOB over
STRIBOBr1 (and most other AEADs) is its greatly reduced implementation
footprint on lightweight platforms. On many lower-end microcontrollers the
total software footprint of $\pi$+BLNK = WHIRLBOB AEAD is less than half a
kilobyte. We also report an FPGA implementation that requires 4,946 logic
units for a single round of WHIRLBOB, which compares favorably to 7,972
required for Keccak / Keyak on the same target platform. The relatively
small S-Box gate count also enables efficient 64-bit bitsliced
We finally present some discussion and
analysis on the relationships between WHIRLBOB, Whirlpool, the Russian GOST
Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.
Category / Keywords: WHIRLBOB, STRIBOBr1, Authenticated Encryption, Sponge Designs, Timing Attacks, Whirlpool, Streebog, CAESAR Competition.
Original Publication (with minor differences): NORDSEC '15, Stockholm, Sweden, October 19-21, 2015.
Date: received 25 Jun 2014, last revised 27 Aug 2015
Contact author: mjos at iki fi
Available format(s): PDF | BibTeX Citation
Note: Major revision of original.
Version: 20150827:131340 (All versions of this report)
Short URL: ia.cr/2014/501
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]