Paper 2014/501

WHIRLBOB, the Whirlpool based Variant of STRIBOB: Lighter, Faster, and Constant Time

Markku--Juhani O. Saarinen and Billy Bob Brumley


WHIRLBOB, also known as STRIBOBr2, is an AEAD (Authenticated Encryption with Associated Data) algorithm derived from STRIBOBr1 and the Whirlpool hash algorithm. WHIRLBOB/STRIBOBr2 is a second round candidate in the CAESAR competition. As with STRIBOBr1, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or $\rho$ component of Whirlpool in flexibly domain-separated BLNK Sponge mode. The number of rounds is increased from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The $8 \times 8$ - bit S-Box used by Whirlpool and WHIRLBOB is constructed from $4 \times 4$ - bit ``MiniBoxes''. We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WHIRLBOB implementations that keep full miniboxes in registers and access them via SIMD shuffles. This is an efficient countermeasure against AES-style cache timing side-channel attacks. Another main advantage of WHIRLBOB over STRIBOBr1 (and most other AEADs) is its greatly reduced implementation footprint on lightweight platforms. On many lower-end microcontrollers the total software footprint of $\pi$+BLNK = WHIRLBOB AEAD is less than half a kilobyte. We also report an FPGA implementation that requires 4,946 logic units for a single round of WHIRLBOB, which compares favorably to 7,972 required for Keccak / Keyak on the same target platform. The relatively small S-Box gate count also enables efficient 64-bit bitsliced straight-line implementations. We finally present some discussion and analysis on the relationships between WHIRLBOB, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.

Note: Major revision of original.

Available format(s)
Publication info
Published elsewhere. MINOR revision.NORDSEC '15, Stockholm, Sweden, October 19-21, 2015.
WHIRLBOBSTRIBOBr1Authenticated EncryptionSponge DesignsTiming AttacksWhirlpoolStreebogCAESAR Competition.
Contact author(s)
mjos @ iki fi
2015-08-27: last of 44 revisions
2014-06-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {Markku--Juhani O.  Saarinen and Billy Bob Brumley},
      title = {WHIRLBOB, the Whirlpool based Variant of STRIBOB: Lighter, Faster, and Constant Time},
      howpublished = {Cryptology ePrint Archive, Paper 2014/501},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.