Secure and Fast Implementations of Two Involution Ciphers

Anubis and Khazad are closely related involution block ciphers. Building on two recent AES software results, this work presents a number of constant-time software implementations of Anubis and Khazad for processors with a byte-vector shuffle instruction, such as those that support SSSE3. For Anubis, the first is serial in the sense that it employs only one cipher instance and is compatible with all standard block cipher modes. Efficiency is largely due to the S-box construction that is simple to realize using a byte shuffler. The equivalent for Khazad runs two parallel instances in counter mode. The second for each cipher is a parallel bit-slice implementation in counter mode

STRIBOB / WHIRLBOB Security Analysis Addendum

This memo collects references to published cryptanalytic results which are directly relevant to the security evaluation of CAESAR first round algorithm STRIBOB and its second round tweaked variant, WHIRLBOB. During the first year after initial publication of STRIBOB and WHIRLBOB, no cryptanalytic breaks or other serious issues have emerged. The main difference in the security between the two variants is that WHIRLBOB allows easier creation of constant-time software implementations resistant to cache timing attacks