WHIRLBOB, the Whirlpool Based Variant of STRIBOB

Lighter, Faster, and Constant Time

  • Conference paper
Secure IT Systems (NordSec 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9417)

Abstract

WHIRLBOB, also known as STRIBOBr2, is an AEAD (Authenticated Encryption with Associated Data) algorithm derived from STRIBOBr1 and the Whirlpool hash algorithm. WHIRLBOB/STRIBOBr2 is a second round candidate in the CAESAR competition. As with STRIBOBr1, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or ρ component of Whirlpool in flexibly domain-separated BLNK Sponge mode. The number of rounds is increased from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The 8×8-bit S-Box used by Whirlpool and WHIRLBOB is constructed from 4×4-bit “MiniBoxes”. We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WHIRLBOB implementations that keep full miniboxes in registers and access them via SIMD shuffles. This is an efficient countermeasure against AES-style cache timing side-channel attacks. Another main advantage of WHIRLBOB over STRIBOBr1 (and most other AEADs) is its greatly reduced implementation footprint on lightweight platforms. On many lower-end microcontrollers the total software footprint of π+BLNK = WHIRLBOB AEAD is less than half a kilobyte. We also report an FPGA implementation that requires 4,946 logic units for a single round of WHIRLBOB, which compares favorably to 7,972 required for Keccak / Keyak on the same target platform. The relatively small S-Box gate count also enables efficient 64-bit bitsliced straight-line implementations. We finally present some discussion and analysis on the relationships between WHIRLBOB, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.
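The minibox construction and the register-resident lookup the abstract describes, as an added illustration that is not the paper's or the CAESAR submission's code: the 4×4-bit miniboxes E and R are the published Whirlpool ones, E^-1 is derived from E, and packing each minibox into a 64-bit word indexed by a shift is my stand-in for the SSSE3/NEON shuffle register (it assumes the target's shifter is constant-time).

```c
#include <stdint.h>
/* The two published Whirlpool 4x4-bit miniboxes E and R; E^-1 is derived below. */
static const uint8_t MB_E[16] = { 0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3,
                                  0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0 };
static const uint8_t MB_R[16] = { 0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF,
                                  0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0 };
static uint64_t E_P, EI_P, R_P; /* packed E, E^-1 and R, built on first use */

/* A 16-entry nibble table is exactly 64 bits, so a whole minibox fits in one
 * register (entry i at bits 4i..4i+3); this packed word stands in for the SIMD
 * shuffle register of the paper's SSSE3/NEON code (added illustration only). */
static uint64_t pack_minibox(const uint8_t t[16])
{
    uint64_t p = 0;
    for (int i = 0; i < 16; i++) p |= (uint64_t)(t[i] & 0xF) << (4 * i);
    return p;
}

/* Nibble lookup with no data-dependent memory access: only a shift and a mask,
 * so no cache line depends on the secret (assumes a constant-time shifter). */
static inline uint8_t mb_lookup(uint64_t packed, uint8_t nib)
{
    return (uint8_t)((packed >> (4 * (nib & 0xF))) & 0xF);
}
static void sbox_tables_init(void)
{
    uint8_t inv[16];
    if (E_P) return;
    for (int i = 0; i < 16; i++) inv[MB_E[i]] = (uint8_t)i; /* invert E */
    E_P = pack_minibox(MB_E); EI_P = pack_minibox(inv); R_P = pack_minibox(MB_R);
}

/* The 8x8-bit Whirlpool/WHIRLBOB S-box from its three minibox layers: E on the
 * high nibble, E^-1 on the low, R on their XOR fed back, then E and E^-1 again. */
uint8_t whirlbob_sbox(uint8_t x)
{
    sbox_tables_init();
    uint8_t hi = mb_lookup(E_P, x >> 4), lo = mb_lookup(EI_P, x & 0xF);
    uint8_t r = mb_lookup(R_P, hi ^ lo);
    hi = mb_lookup(E_P, hi ^ r);
    lo = mb_lookup(EI_P, lo ^ r);
    return (uint8_t)((hi << 4) | lo);
}

/* Sanity check: the construction must be a permutation of all 256 byte values. */
int whirlbob_sbox_is_permutation(void)
{
    uint8_t seen[256] = { 0 };
    for (int x = 0; x < 256; x++) seen[whirlbob_sbox((uint8_t)x)] = 1;
    for (int y = 0; y < 256; y++) if (!seen[y]) return 0;
    return 1;
}
```

The first entries of the published Whirlpool S-box (0x18, 0x23, 0xC6, 0xE8, ...) fall out of the three layers, which is the check to run before trusting a shuffle-based port.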



© 2015 Springer International Publishing Switzerland

Cite this paper

Saarinen, MJ.O., Brumley, B.B. (2015). WHIRLBOB, the Whirlpool Based Variant of STRIBOB. In: Buchegger, S., Dam, M. (eds) Secure IT Systems. NordSec 2015. Lecture Notes in Computer Science, vol 9417. Springer, Cham. https://doi.org/10.1007/978-3-319-26502-5_8

  • DOI: https://doi.org/10.1007/978-3-319-26502-5_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26501-8

  • Online ISBN: 978-3-319-26502-5