You are looking at a specific version 20140829:022931 of this paper.

Paper 2014/501

Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob

Markku-Juhani O. Saarinen

Abstract

WhirlBob is an Authenticated Encryption with Associated Data (AEAD) algorithm derived from the first-round CAESAR candidate StriBob and the Whirlpool hash algorithm. As with StriBob, the reduced-size Sponge design has a strong provable security link with a standard hash algorithm. The main advantage of WhirlBob over StriBob is its greatly reduced implementation footprint on resource-constrained platforms. Remarkably, the entire C reference implementation of WhirlBob 1.0 $\pi$ fits onto a single page of the Appendix. The new design utilizes only the LPS or $\rho$ keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK and increases the number of rounds in the $\pi$ permutation from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. On most low-end microcontrollers the total software footprint of $\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. We also report an FPGA implementation of WhirlBob. The implementation requires 4,946 logic units for a single round of WhirlBob, which compares favorably to the 7,972 required for Keccak/Keyak on the same platform. The reduced hardware gate count is also reflected in efficient bitsliced straight-line implementations, especially on 64-bit platforms. Bitslicing works as an efficient countermeasure against AES-style cache timing side-channel attacks. Our constant-time bitsliced implementations run at around 35% of the speed of 64-bit table-lookup implementations. Finally, we present some discussion and analysis of the differences between Whirlpool, the Russian GOST Streebog hash, and the recently proposed draft Russian Encryption Standard Kuznyechik.

Note: Will talk about this at DIAC '14, 23-24 August 2014, Santa Barbara, USA. Also submitted to a conference with proceedings.

Metadata
Available format(s)
PDF
Publication info
Preprint. MINOR revision.
Keywords
Authenticated Encryption, Sponge designs, Whirlpool, Streebog, StriBob, CAESAR
Contact author(s)
mjos @ iki fi
History
2015-08-27: last of 44 revisions
2014-06-26: received
Short URL
https://ia.cr/2014/501
License
Creative Commons Attribution
CC BY