Advertisement

KangarooTwelve: Fast Hashing Based on \({\textsc {Keccak}\text {-}p}{}\)

  • Guido Bertoni
  • Joan Daemen
  • Michaël Peeters
  • Gilles Van AsscheEmail author
  • Ronny Van Keer
  • Benoît Viguier
Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)

Abstract

We present KangarooTwelve, a fast and secure arbitrary output-length hash function aiming at a higher speed than the FIPS 202’s SHA-3 and SHAKE functions. While sharing many features with SHAKE128, like the cryptographic primitive, the sponge construction, the eXtendable Output Function (XOF) and the 128-bit security strength, KangarooTwelve offers two major improvements over its standard counterpart. First it has a built-in parallel mode that efficiently exploits multi-core or SIMD instruction parallelism for long messages, without impacting the performance for short messages. Second, relying on the cryptanalysis results on Keccak over the past ten years, we tuned its permutation to require twice less computation effort while still offering a comfortable safety margin. By combining these two changes KangarooTwelve consumes less than 0.55 cycles/byte for long messages on the latest Intel\(^{\circledR }\)’s SkylakeX architectures. The generic security of KangarooTwelve is guaranteed by the use of Sakura encoding for the tree hashing and of the sponge construction for the compression function.

Keywords

Symmetric cryptography Hash function Tree hashing Keccak Software performance 
This is a preview of subscription content, log in to check access.

Notes

Acknowledgements

Our implementation for the serial processing is based on the AVX2\(^\mathrm{TM}\) code written by Andy Polyakov for OpenSSL. We would also like to thank the anonymous reviewers for their constructive comments.

References

  1. 1.
    ARM corporation: ARM architecture reference manual ARMv8, for ARMv8-A architecture profile, document ARM DDI 0487C.a (ID121917). http://www.arm.com/
  2. 2.
    Aumasson, J.-P., Henzen, L., Meier, W., Phan, R. C.-W., SHA-3 proposal BLAKE. Submission to NIST (2008)Google Scholar
  3. 3.
    Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi (2009). http://131002.net/data/papers/AM09.pdf
  4. 4.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38980-1_8CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J., Lange, T., (eds.) eBACS: ECRYPT benchmarking of cryptographic systems. http://bench.cr.yp.to
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak specifications. NIST SHA-3 Submission, October 2008Google Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_11CrossRefGoogle Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions, January 2011. https://keccak.team/files/SpongeFunctions.pdf
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sakura: a flexible coding for tree hashing. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 217–234. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-07536-5_14CrossRefGoogle Scholar
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sufficient conditions for sound tree and sequential hashing modes. Int. J. Inf. Secur. 13, 335–353 (2014).  https://doi.org/10.1007/s10207-013-0220-yCrossRefGoogle Scholar
  11. 11.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: KangarooTwelve: fast hashing based on Keccak-p. Cryptology ePrint Archive, Report 2016/770 (2016). http://eprint.iacr.org/2016/770
  12. 12.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak code package, June 2016. https://github.com/gvanas/KeccakCodePackage
  13. 13.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak third-party cryptanalysis (2017). https://keccak.team/third_party.html
  14. 14.
    Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-21702-9_15CrossRefGoogle Scholar
  15. 15.
    Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43933-3_12CrossRefGoogle Scholar
  16. 16.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_28CrossRefGoogle Scholar
  18. 18.
    Dobraunig, C., Eichlseder, M., Mendel, F.: Analysis of SHA-512/224 and SHA-512/256. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 612–630. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48800-3_25CrossRefGoogle Scholar
  19. 19.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The skein hash function family. Submission to NIST (Round 2) (2009)Google Scholar
  20. 20.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate. Submission to NIST (Round 3) (2011)Google Scholar
  21. 21.
    Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_9CrossRefGoogle Scholar
  22. 22.
    Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_9CrossRefGoogle Scholar
  23. 23.
    Li, J., Isobe, T., Shibutani, K.: Converting meet-in-the-middle preimage attack into pseudo collision attack: application to SHA-2. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 264–286. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34047-5_16CrossRefGoogle Scholar
  24. 24.
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-24638-1_2CrossRefGoogle Scholar
  25. 25.
    Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38348-9_16CrossRefGoogle Scholar
  26. 26.
    Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. Eurocrypt (2018, to appear)Google Scholar
  27. 27.
    Neves, S.: BLAKE2 AVX2 implementations. https://github.com/sneves/blake2-avx2
  28. 28.
    NIST: Federal information processing standard 180–1, secure hash standard, April 1995Google Scholar
  29. 29.
    NIST: Federal information processing standard 180–2, secure hash standard, August 2002Google Scholar
  30. 30.
    NIST: Federal information processing standard 202, SHA-3 standard: Permutation-based hash and extendable-output functions, August 2015. http://dx.doi.org/10.6028/NIST.FIPS.202
  31. 31.
    NIST: NIST special publication 800–185, SHA-3 derived functions: cSHAKE, KMAC, TupleHash and ParallelHash, December 2016. https://doi.org/10.6028/NIST.SP.800-185
  32. 32.
    OpenSSL community: OpenSSL - cryptography and SSL/TLS toolkit. https://github.com/openssl/openssl
  33. 33.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-20465-4_27CrossRefGoogle Scholar
  34. 34.
    Rivest, R.: The MD5 message-digest algorithm. Internet Request for Comments, RFC 1321, April 1992Google Scholar
  35. 35.
    Saha, D., Kuila, S., Chowdhury, D.R.: Symsum: symmetric-sum distinguishers against round reduced SHA3. IACR Trans. Symmetric Cryptol. 2017(1), 240–258 (2017)Google Scholar
  36. 36.
    Song, L., Liao, G., Guo, J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63715-0_15CrossRefGoogle Scholar
  37. 37.
    Song, L., Liao, G., Guo, J.: Solution to the 6-round collision challenge (2017). https://keccak.team/crunchy_contest.html
  38. 38.
    Viguier, B.: KangarooTwelve. Internet Research Task Force draft, March 2018. https://datatracker.ietf.org/doc/draft-viguier-kangarootwelve/
  39. 39.
    Wu, H.: The hash function JH. Submission to NIST (Round 3) (2011)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Guido Bertoni
    • 3
  • Joan Daemen
    • 1
    • 2
  • Michaël Peeters
    • 1
  • Gilles Van Assche
    • 1
    Email author
  • Ronny Van Keer
    • 1
  • Benoît Viguier
    • 2
  1. 1.STMicroelectronicsDiegemBelgium
  2. 2.Radboud UniversityNijmegenThe Netherlands
  3. 3.Security PatternBresciaItaly

Personalised recommendations

Cite paper

Buy options