WhirlBob is an Authenticated Encryption with Associated Data (AEAD)
algorithm derived from the first-round CAESAR candidate StriBob and the
Whirlpool hash algorithm. As with StriBob, the reduced-size Sponge design
has a strong provable security link with a standardized hash algorithm.
The new design utilizes only the LPS or $\rho$ component of Whirlpool in
flexibly domain-separated BLNK Sponge mode. The number of rounds is
increased from 10 to 12 as a countermeasure against Rebound
Distinguishing attacks. The $8 \times 8$-bit S-Box used by Whirlpool and
WhirlBob is constructed from $4 \times 4$-bit ``MiniBoxes''. We report
on fast constant-time Intel SSSE3 and ARM NEON SIMD WhirlBob
implementations that keep full miniboxes in registers and access them via
SIMD shuffles. This is an efficient countermeasure against AES-style cache
timing side-channel attacks. Another main advantage of WhirlBob over
StriBob (and most other AEADs) is its greatly reduced implementation
footprint on lightweight platforms. On many lower-end microcontrollers the
total software footprint of $\pi$+BLNK = WhirlBob AEAD is less than half a
kilobyte. We also report an FPGA implementation that requires 4,946 logic
units for a single round of WhirlBob, which compares favorably to 7,972
required for Keccak / Keyak on the same target platform. The relatively
small S-Box gate count also enables efficient 64-bit bitsliced
straight-line implementations. We finally present some discussion and
analysis on the relationships between WhirlBob, Whirlpool, the Russian GOST
Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.
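
The minibox construction of the S-Box mentioned above, as an added C example that is not code from the paper: it builds the $8 \times 8$-bit S-Box from the three $4 \times 4$-bit Whirlpool miniboxes (values from the Whirlpool specification), each held in one 64-bit register. The function names are hypothetical, and a scalar masked scan stands in for the SIMD shuffle so that no secret-dependent memory index is ever formed.

```c
#include <stdint.h>
#include <stdio.h>

/* Whirlpool miniboxes, one nibble per entry: entry k sits in bits 4k..4k+3. */
static const uint64_t MB_E    = 0x052A478E3F6DC9B1ULL;  /* E      */
static const uint64_t MB_EINV = 0x68431C29A5EB7D0FULL;  /* E^-1   */
static const uint64_t MB_R    = 0x0152A836F94EDBC7ULL;  /* R      */

/* Constant-time 4-bit lookup: touch all 16 entries, keep the one where k == i.
 * Scalar stand-in for a byte shuffle (pshufb / vtbl) on a register-held table. */
static uint8_t mb_lookup(uint64_t box, uint8_t i)
{
    uint8_t r = 0;
    for (unsigned k = 0; k < 16; k++) {
        /* mask is 0x0F when k == i, 0x00 otherwise; no branch on i */
        uint8_t mask = (uint8_t)(((uint32_t)(k ^ i) - 1u) >> 8) & 0x0F;
        r |= (uint8_t)(box >> (4 * k)) & mask;
    }
    return r;
}

/* 8x8-bit S-Box assembled from the miniboxes (hypothetical name). */
uint8_t wb_sbox(uint8_t x)
{
    uint8_t u = mb_lookup(MB_E,    (uint8_t)(x >> 4));   /* high nibble via E    */
    uint8_t l = mb_lookup(MB_EINV, (uint8_t)(x & 0x0F)); /* low nibble via E^-1  */
    uint8_t r = mb_lookup(MB_R,    (uint8_t)(u ^ l));    /* mixing via R         */
    uint8_t hi = mb_lookup(MB_E,    (uint8_t)(u ^ r));
    uint8_t lo = mb_lookup(MB_EINV, (uint8_t)(l ^ r));
    return (uint8_t)((hi << 4) | lo);
}

/* Number of distinct outputs over all 256 inputs; 256 means a permutation. */
int wb_sbox_distinct(void)
{
    uint8_t seen[256] = {0};
    int n = 0;
    for (int x = 0; x < 256; x++) {
        uint8_t y = wb_sbox((uint8_t)x);
        n += !seen[y];
        seen[y] = 1;
    }
    return n;
}

int main(void)
{
    for (int x = 0; x < 8; x++)
        printf("S[%02X] = %02X\n", x, wb_sbox((uint8_t)x));
    return wb_sbox_distinct() == 256 ? 0 : 1;
}
```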