KangarooTwelve: Fast Hashing Based on Keccak-p
Abstract
We present KangarooTwelve, a fast and secure arbitrary-output-length hash function that aims at a higher speed than the SHA-3 and SHAKE functions of FIPS 202. While it shares many features with SHAKE128, namely the cryptographic primitive, the sponge construction, the eXtendable Output Function (XOF) interface and the 128-bit security strength, KangarooTwelve offers two major improvements over its standardized counterpart. First, it has a built-in parallel mode that efficiently exploits multi-core or SIMD instruction parallelism for long messages, without affecting the performance for short messages. Second, relying on the cryptanalysis results on Keccak over the past ten years, we tuned its permutation to require half the computational effort while still offering a comfortable safety margin. By combining these two changes, KangarooTwelve consumes less than 0.55 cycles/byte for long messages on Intel's latest SkylakeX architectures. The generic security of KangarooTwelve is guaranteed by the use of Sakura encoding for the tree hashing and of the sponge construction for the compression function.
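The abstract describes the construction only at a high level. The following pure-Python implementation is an added illustration written for this page; it is not the authors' reference code or the Keccak Code Package. It takes the concrete parameters from the public KangarooTwelve specification rather than from the text above (assumed here: Keccak-p[1600] reduced to its last 12 rounds, a 168-byte rate giving a 256-bit capacity, 8192-byte leaves, and the Sakura domain-separation bytes 0x07 for a single node, 0x0B for a leaf and 0x06 for the final node). It shows where the two improvements live: the reduced-round permutation, and the tree mode whose leaves are independent sponge calls that can be computed in parallel. The length encoding and the distinct suffix bytes are what make the tree encoding unambiguous, so a leaf digest can never be confused with message bytes.

```python
"""Toy KangarooTwelve (KT128): added example, not the authors' reference code.

Parameters (assumed from the public specification, not from the abstract):
Keccak-p[1600, 12], rate 168 bytes (capacity 256 bits), 8192-byte leaves,
suffix bytes 0x07 (single node), 0x0B (leaf), 0x06 (final node).
"""

MASK64 = (1 << 64) - 1
RATE = 168          # bytes absorbed/squeezed per permutation call
LEAF = 8192         # bytes per tree leaf

# Round constants of Keccak-f[1600]; Keccak-p[1600, 12] applies the last 12.
ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets for rho, indexed ROT[x][y].
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def keccak_p1600_12(state):
    """Apply Keccak-p[1600, n_r=12] to a 200-byte state (little-endian lanes)."""
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    for rc in ROUND_CONSTANTS[12:]:
        # theta: column parities mixed into every lane
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho (lane rotations) and pi (lane permutation)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, row-wise
        lanes = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]
        # iota: round constant
        lanes[0] ^= rc
    return b"".join(lane.to_bytes(8, "little") for lane in lanes)


def _sponge(data, suffix, out_len):
    """Sponge over Keccak-p[1600,12]: absorb data || suffix with pad10*1, squeeze out_len bytes."""
    state = bytearray(200)
    n_full = len(data) // RATE
    for i in range(n_full):
        block = data[i * RATE:(i + 1) * RATE]
        for j in range(RATE):
            state[j] ^= block[j]
        state = bytearray(keccak_p1600_12(state))
    rest = data[n_full * RATE:]
    for j, byte in enumerate(rest):
        state[j] ^= byte
    state[len(rest)] ^= suffix      # domain-separation byte doubles as the first pad bit
    state[RATE - 1] ^= 0x80         # final pad bit
    state = bytearray(keccak_p1600_12(state))
    out = bytearray()
    while True:
        out += state[:RATE]
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = bytearray(keccak_p1600_12(state))


def length_encode(x):
    """Minimal big-endian encoding of x followed by one byte giving its length."""
    s = b""
    while x > 0:
        s = bytes([x & 0xFF]) + s
        x >>= 8
    return s + bytes([len(s)])


def kangaroo_twelve(message, customization=b"", out_len=32):
    """KangarooTwelve(M, C, L): single sponge call for short inputs, Sakura tree otherwise."""
    s = message + customization + length_encode(len(customization))
    if len(s) <= LEAF:
        return _sponge(s, 0x07, out_len)
    n_leaves = (len(s) + LEAF - 1) // LEAF
    # Final node: first leaf inline, then a 64-bit marker, then one 32-byte chaining
    # value per remaining leaf (each leaf is an independent sponge call, hence parallel).
    final = bytearray(s[:LEAF]) + b"\x03" + bytes(7)
    for i in range(1, n_leaves):
        final += _sponge(s[i * LEAF:(i + 1) * LEAF], 0x0B, 32)
    final += length_encode(n_leaves - 1) + b"\xff\xff"
    return _sponge(bytes(final), 0x06, out_len)


if __name__ == "__main__":
    # Constructed inputs: the empty message and a 3-leaf message in the spec's ptn() style.
    print(kangaroo_twelve(b"").hex())
    long_msg = bytes(i % 251 for i in range(3 * LEAF + 5))
    print(kangaroo_twelve(long_msg, b"demo").hex())
```

The empty-input digest matches the published KangarooTwelve test vector, which is the quickest sanity check when porting the code; messages longer than 8192 bytes exercise the tree path, where each leaf's sponge call depends only on its own chunk and can be scheduled across cores or SIMD lanes exactly as the abstract describes.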
Keywords
Symmetric cryptography, Hash function, Tree hashing, Keccak, Software performance
Acknowledgements
Our implementation for the serial processing is based on the AVX2 code written by Andy Polyakov for OpenSSL. We would also like to thank the anonymous reviewers for their constructive comments.