WHIRLBOB, the Whirlpool Based Variant of STRIBOB

Lighter, Faster, and Constant Time
  • Markku-Juhani O. Saarinen
  • Billy Bob Brumley
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9417)


WHIRLBOB, also known as STRIBOBr2, is an AEAD (Authenticated Encryption with Associated Data) algorithm derived from STRIBOBr1 and the Whirlpool hash algorithm. WHIRLBOB/STRIBOBr2 is a second-round candidate in the CAESAR competition. As with STRIBOBr1, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or ρ component of Whirlpool in flexibly domain-separated BLNK Sponge mode. The number of rounds is increased from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The 8 × 8-bit S-Box used by Whirlpool and WHIRLBOB is constructed from 4 × 4-bit “MiniBoxes”. We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WHIRLBOB implementations that keep full miniboxes in registers and access them via SIMD shuffles. This is an efficient countermeasure against AES-style cache timing side-channel attacks. Another main advantage of WHIRLBOB over STRIBOBr1 (and most other AEADs) is its greatly reduced implementation footprint on lightweight platforms. On many lower-end microcontrollers the total software footprint of π+BLNK = WHIRLBOB AEAD is less than half a kilobyte. We also report an FPGA implementation that requires 4,946 logic units for a single round of WHIRLBOB, which compares favorably to 7,972 required for Keccak / Keyak on the same target platform. The relatively small S-Box gate count also enables efficient 64-bit bitsliced straight-line implementations. We finally present some discussion and analysis on the relationships between WHIRLBOB, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.
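The minibox construction mentioned in the abstract, as an added example that is not code from the paper or its authors: the 8 × 8-bit Whirlpool S-Box is evaluated from the 4 × 4-bit miniboxes E, E⁻¹ and R of the Whirlpool specification, with no secret-indexed memory access. A portable masked scan over all 16 entries stands in for the SIMD shuffle (an assumption of this sketch), and the names `ct_lookup16`, `whirl_sbox` and `sbox_is_permutation` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Whirlpool 4x4-bit miniboxes (Whirlpool specification); MB_EI is the inverse of MB_E. */
static const uint8_t MB_E[16]  = {0x1,0xB,0x9,0xC,0xD,0x6,0xF,0x3,0xE,0x8,0x7,0x4,0xA,0x2,0x5,0x0};
static const uint8_t MB_EI[16] = {0xF,0x0,0xD,0x7,0xB,0xE,0x5,0xA,0x9,0x2,0xC,0x1,0x3,0x4,0x8,0x6};
static const uint8_t MB_R[16]  = {0x7,0xC,0xB,0xD,0xE,0x4,0x9,0xF,0x6,0x3,0x8,0xA,0x2,0x5,0x1,0x0};

/* 16-entry lookup that reads every entry and selects by mask, so neither the
   addresses touched nor the control flow depend on the (secret) index. */
static uint8_t ct_lookup16(const uint8_t t[16], uint8_t idx)
{
    uint8_t r = 0;
    for (unsigned i = 0; i < 16; i++) {
        /* 0xFF when i == idx, 0x00 otherwise, computed without a branch */
        uint8_t mask = (uint8_t)(((i ^ (idx & 0xFu)) - 1u) >> 8);
        r |= t[i] & mask;
    }
    return r;
}

/* 8x8-bit S-Box: high nibble through E, low nibble through E^-1, their XOR
   through R, R's output XORed into both halves, then E and E^-1 again. */
uint8_t whirl_sbox(uint8_t x)
{
    uint8_t u = ct_lookup16(MB_E,  (uint8_t)(x >> 4));
    uint8_t l = ct_lookup16(MB_EI, (uint8_t)(x & 0xF));
    uint8_t r = ct_lookup16(MB_R,  (uint8_t)(u ^ l));
    u = ct_lookup16(MB_E,  (uint8_t)(u ^ r));
    l = ct_lookup16(MB_EI, (uint8_t)(l ^ r));
    return (uint8_t)((u << 4) | l);
}

/* Returns 1 when the 256 outputs are all distinct, i.e. the S-Box is a permutation. */
int sbox_is_permutation(void)
{
    uint8_t seen[256] = {0};
    for (int x = 0; x < 256; x++) {
        uint8_t y = whirl_sbox((uint8_t)x);
        if (seen[y]) return 0;
        seen[y] = 1;
    }
    return 1;
}

int main(void)
{
    printf("S[00..03] = %02x %02x %02x %02x\n", whirl_sbox(0), whirl_sbox(1), whirl_sbox(2), whirl_sbox(3));
    printf("permutation = %d\n", sbox_is_permutation());
    return 0;
}
```

A 256-entry table indexed by a secret byte spans several cache lines, which is what AES-style cache-timing attacks observe; the three 16-byte miniboxes each fit in one SIMD register, where a byte shuffle performs the lookup that the masked scan emulates here.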


Keywords: WHIRLBOB, STRIBOBr1, Authenticated encryption, Sponge designs, Timing attacks, Whirlpool, Streebog, CAESAR competition





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Markku-Juhani O. Saarinen (1)
  • Billy Bob Brumley (2)

  1. Centre for Secure Information Technologies (CSIT), ECIT, Queen’s University Belfast, Belfast, UK
  2. Tampere University of Technology, Tampere, Finland
