KangarooTwelve: Fast Hashing Based on \({\textsc {Keccak}\text {-}p}{}\)

  • Guido Bertoni
  • Joan Daemen
  • Michaël Peeters
  • Gilles Van AsscheEmail author
  • Ronny Van Keer
  • Benoît Viguier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)


We present KangarooTwelve, a fast and secure arbitrary output-length hash function aiming at a higher speed than the FIPS 202’s SHA-3 and SHAKE functions. While sharing many features with SHAKE128, like the cryptographic primitive, the sponge construction, the eXtendable Output Function (XOF) and the 128-bit security strength, KangarooTwelve offers two major improvements over its standard counterpart. First it has a built-in parallel mode that efficiently exploits multi-core or SIMD instruction parallelism for long messages, without impacting the performance for short messages. Second, relying on the cryptanalysis results on Keccak over the past ten years, we tuned its permutation to require twice less computation effort while still offering a comfortable safety margin. By combining these two changes KangarooTwelve consumes less than 0.55 cycles/byte for long messages on the latest Intel\(^{\circledR }\)’s SkylakeX architectures. The generic security of KangarooTwelve is guaranteed by the use of Sakura encoding for the tree hashing and of the sponge construction for the compression function.


Symmetric cryptography Hash function Tree hashing Keccak Software performance 



Our implementation for the serial processing is based on the AVX2\(^\mathrm{TM}\) code written by Andy Polyakov for OpenSSL. We would also like to thank the anonymous reviewers for their constructive comments.


  1. 1.
    ARM corporation: ARM architecture reference manual ARMv8, for ARMv8-A architecture profile, document ARM DDI 0487C.a (ID121917).
  2. 2.
    Aumasson, J.-P., Henzen, L., Meier, W., Phan, R. C.-W., SHA-3 proposal BLAKE. Submission to NIST (2008)Google Scholar
  3. 3.
    Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi (2009).
  4. 4.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013). Scholar
  5. 5.
    Bernstein, D.J., Lange, T., (eds.) eBACS: ECRYPT benchmarking of cryptographic systems.
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak specifications. NIST SHA-3 Submission, October 2008Google Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions, January 2011.
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sakura: a flexible coding for tree hashing. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 217–234. Springer, Cham (2014). Scholar
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sufficient conditions for sound tree and sequential hashing modes. Int. J. Inf. Secur. 13, 335–353 (2014). Scholar
  11. 11.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: KangarooTwelve: fast hashing based on Keccak-p. Cryptology ePrint Archive, Report 2016/770 (2016).
  12. 12.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak code package, June 2016.
  13. 13.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak third-party cryptanalysis (2017).
  14. 14.
    Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011). Scholar
  15. 15.
    Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). Scholar
  16. 16.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). Scholar
  18. 18.
    Dobraunig, C., Eichlseder, M., Mendel, F.: Analysis of SHA-512/224 and SHA-512/256. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 612–630. Springer, Heidelberg (2015). Scholar
  19. 19.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The skein hash function family. Submission to NIST (Round 2) (2009)Google Scholar
  20. 20.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate. Submission to NIST (Round 3) (2011)Google Scholar
  21. 21.
    Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). Scholar
  22. 22.
    Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017). Scholar
  23. 23.
    Li, J., Isobe, T., Shibutani, K.: Converting meet-in-the-middle preimage attack into pseudo collision attack: application to SHA-2. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 264–286. Springer, Heidelberg (2012). Scholar
  24. 24.
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). Scholar
  25. 25.
    Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013). Scholar
  26. 26.
    Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. Eurocrypt (2018, to appear)Google Scholar
  27. 27.
    Neves, S.: BLAKE2 AVX2 implementations.
  28. 28.
    NIST: Federal information processing standard 180–1, secure hash standard, April 1995Google Scholar
  29. 29.
    NIST: Federal information processing standard 180–2, secure hash standard, August 2002Google Scholar
  30. 30.
    NIST: Federal information processing standard 202, SHA-3 standard: Permutation-based hash and extendable-output functions, August 2015.
  31. 31.
    NIST: NIST special publication 800–185, SHA-3 derived functions: cSHAKE, KMAC, TupleHash and ParallelHash, December 2016.
  32. 32.
    OpenSSL community: OpenSSL - cryptography and SSL/TLS toolkit.
  33. 33.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011). Scholar
  34. 34.
    Rivest, R.: The MD5 message-digest algorithm. Internet Request for Comments, RFC 1321, April 1992Google Scholar
  35. 35.
    Saha, D., Kuila, S., Chowdhury, D.R.: Symsum: symmetric-sum distinguishers against round reduced SHA3. IACR Trans. Symmetric Cryptol. 2017(1), 240–258 (2017)Google Scholar
  36. 36.
    Song, L., Liao, G., Guo, J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017). Scholar
  37. 37.
    Song, L., Liao, G., Guo, J.: Solution to the 6-round collision challenge (2017).
  38. 38.
    Viguier, B.: KangarooTwelve. Internet Research Task Force draft, March 2018.
  39. 39.
    Wu, H.: The hash function JH. Submission to NIST (Round 3) (2011)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Guido Bertoni
    • 3
  • Joan Daemen
    • 1
    • 2
  • Michaël Peeters
    • 1
  • Gilles Van Assche
    • 1
    Email author
  • Ronny Van Keer
    • 1
  • Benoît Viguier
    • 2
  1. 1.STMicroelectronicsDiegemBelgium
  2. 2.Radboud UniversityNijmegenThe Netherlands
  3. 3.Security PatternBresciaItaly

Personalised recommendations