Abstract
WHIRLBOB, also known as STRIBOBr2, is an AEAD (Authenticated Encryption with Associated Data) algorithm derived from STRIBOBr1 and the Whirlpool hash algorithm. WHIRLBOB/STRIBOBr2 is a second-round candidate in the CAESAR competition. As with STRIBOBr1, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or ρ component of Whirlpool in a flexibly domain-separated BLNK Sponge mode. The number of rounds is increased from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The 8×8-bit S-Box used by Whirlpool and WHIRLBOB is constructed from 4×4-bit “MiniBoxes”. We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WHIRLBOB implementations that keep full MiniBoxes in registers and access them via SIMD shuffles; this is an efficient countermeasure against AES-style cache-timing side-channel attacks. Another main advantage of WHIRLBOB over STRIBOBr1 (and most other AEADs) is its greatly reduced implementation footprint on lightweight platforms: on many lower-end microcontrollers the total software footprint of π+BLNK = WHIRLBOB AEAD is less than half a kilobyte. We also report an FPGA implementation that requires 4,946 logic units for a single round of WHIRLBOB, which compares favorably to the 7,972 required for Keccak/Keyak on the same target platform. The relatively small S-Box gate count also enables efficient 64-bit bitsliced straight-line implementations. We finally present some discussion and analysis of the relationships between WHIRLBOB, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.
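The register-resident MiniBox technique described in the abstract, as an added example that is not the authors' implementation: Whirlpool's 8×8-bit S-Box is composed from three 4×4-bit mini-boxes E, E⁻¹ and R (the tables and their composition follow the public Whirlpool specification by Barreto and Rijmen, not anything specific to this page). Each mini-box is a 16-byte table; when compiled with `-mssse3` it is held in a register and indexed with `_mm_shuffle_epi8`, so no memory access depends on the data being substituted. On other targets the same lookups are done with a portable constant-time masked select. The function names (`sbox_reference`, `ct_minibox`, `sbox16`, `check_all`) are mine; `sbox_reference` is the ordinary table-indexed form, kept only to cross-check the constant-time paths.

```c
#include <stdint.h>
#include <stdio.h>

/* Whirlpool's 4x4-bit mini-boxes (public specification). E_INV is E's inverse. */
static const uint8_t MINI_E[16]  = {0x1,0xB,0x9,0xC,0xD,0x6,0xF,0x3,0xE,0x8,0x7,0x4,0xA,0x2,0x5,0x0};
static const uint8_t MINI_EI[16] = {0xF,0x0,0xD,0x7,0xB,0xE,0x5,0xA,0x9,0x2,0xC,0x1,0x3,0x4,0x8,0x6};
static const uint8_t MINI_R[16]  = {0x7,0xC,0xB,0xD,0xE,0x4,0x9,0xF,0x6,0x3,0x8,0xA,0x2,0x5,0x1,0x0};

/* Reference: S(x) built from the mini-boxes with plain (data-indexed) table loads.
   Used only for cross-checking; this is the access pattern that leaks through caches. */
static uint8_t sbox_reference(uint8_t x) {
    uint8_t u = MINI_E[x >> 4], v = MINI_EI[x & 0xF];
    uint8_t r = MINI_R[u ^ v];
    return (uint8_t)((MINI_E[u ^ r] << 4) | MINI_EI[v ^ r]);
}

/* Portable constant-time 4-bit lookup: every entry is read, the wanted one is
   selected with an arithmetic mask, so neither branch nor address depends on x. */
static uint8_t ct_minibox(const uint8_t box[16], uint8_t x) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < 16; i++) {
        uint32_t eq = (((uint32_t)x ^ i) - 1u) >> 31;   /* 1 iff i == x */
        uint8_t mask = (uint8_t)(0u - eq);              /* 0xFF iff i == x */
        out |= (uint8_t)(box[i] & mask);
    }
    return out;
}

/* Constant-time scalar S-box built from the masked mini-box lookups. */
static uint8_t sbox_ct(uint8_t x) {
    uint8_t u = ct_minibox(MINI_E, x >> 4), v = ct_minibox(MINI_EI, x & 0xF);
    uint8_t r = ct_minibox(MINI_R, u ^ v);
    return (uint8_t)((ct_minibox(MINI_E, u ^ r) << 4) | ct_minibox(MINI_EI, v ^ r));
}

#if defined(__SSSE3__)
#include <tmmintrin.h>
/* 16 S-box evaluations at once. The three mini-box tables live in registers and
   each lookup is one byte shuffle, so no memory is addressed with data. */
static void sbox16(const uint8_t in[16], uint8_t out[16]) {
    const __m128i e   = _mm_loadu_si128((const __m128i *)MINI_E);
    const __m128i ei  = _mm_loadu_si128((const __m128i *)MINI_EI);
    const __m128i r   = _mm_loadu_si128((const __m128i *)MINI_R);
    const __m128i lo4 = _mm_set1_epi8(0x0F);
    __m128i x  = _mm_loadu_si128((const __m128i *)in);
    __m128i hi = _mm_and_si128(_mm_srli_epi16(x, 4), lo4);  /* high nibbles */
    __m128i lo = _mm_and_si128(x, lo4);                      /* low nibbles  */
    __m128i u  = _mm_shuffle_epi8(e, hi);
    __m128i v  = _mm_shuffle_epi8(ei, lo);
    __m128i rr = _mm_shuffle_epi8(r, _mm_xor_si128(u, v));
    __m128i oh = _mm_shuffle_epi8(e, _mm_xor_si128(u, rr));
    __m128i ol = _mm_shuffle_epi8(ei, _mm_xor_si128(v, rr));
    /* nibbles are < 16, so the shift stays inside each byte of the 16-bit lane */
    _mm_storeu_si128((__m128i *)out, _mm_or_si128(_mm_slli_epi16(oh, 4), ol));
}
#else
/* Fallback with the same interface, using the portable constant-time path. */
static void sbox16(const uint8_t in[16], uint8_t out[16]) {
    for (int i = 0; i < 16; i++) out[i] = sbox_ct(in[i]);
}
#endif

/* Returns 1 if both constant-time paths agree with the reference on all 256 inputs. */
static int check_all(void) {
    uint8_t in[16], out[16];
    for (int base = 0; base < 256; base += 16) {
        for (int i = 0; i < 16; i++) in[i] = (uint8_t)(base + i);
        sbox16(in, out);
        for (int i = 0; i < 16; i++) {
            uint8_t ref = sbox_reference(in[i]);
            if (out[i] != ref || sbox_ct(in[i]) != ref) return 0;
        }
    }
    return 1;
}

int main(void) {
    printf("S(00)=%02X S(01)=%02X S(FF)=%02X consistent=%d\n",
           sbox_reference(0x00), sbox_reference(0x01), sbox_reference(0xFF), check_all());
    return 0;
}
```

Compile with `-mssse3` (or on an x86-64 toolchain that already enables it) to exercise the shuffle path; without it the masked-select fallback is used. In both cases the address stream seen by the cache is independent of the byte being substituted, which is the property the abstract's SSSE3/NEON implementations rely on.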
© 2015 Springer International Publishing Switzerland
Cite this paper
Saarinen, M.-J.O., Brumley, B.B. (2015). WHIRLBOB, the Whirlpool Based Variant of STRIBOB. In: Buchegger, S., Dam, M. (eds) Secure IT Systems. NordSec 2015. Lecture Notes in Computer Science, vol 9417. Springer, Cham. https://doi.org/10.1007/978-3-319-26502-5_8
DOI: https://doi.org/10.1007/978-3-319-26502-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26501-8
Online ISBN: 978-3-319-26502-5