KangarooTwelve: fast hashing based on Keccak-p

KangarooTwelve is a family of fast and secure extendable-output functions (XOFs), the generalization of hash functions to arbitrary output lengths, with two instances: KT128 and KT256. Derived from Keccak, these functions aim at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, they can exploit a high degree of parallelism, whether using multiple cores or the single-instruction multiple-data (SIMD) instruction set of modern processors. Some examples:

  • On current Intel architectures with AVX2, KT128 tops at 1.4 cycles/byte for long messages on a single core, and at 0.51 cycles/byte with AVX-512.
  • On the latest Apple 14 and M1 processors, KT128 can take advantage of the ARMv8-A's SHA-3 dedicated instructions to deliver 0.75 cycles/byte for long messages on a single core. This is 1.7 times (resp. 3 times) faster than SHA-256 (resp. SHA-512), also using hardware acceleration.

On low-end platforms, as well as for short messages, KT128 is roughly twice as fast as the fastest FIPS 202 instance, SHAKE128, and KT256 is roughly twice as fast as SHAKE256.

Technical details

Synopsis: The KangarooTwelve extendable-output function
Designed by: Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche, Ronny Van Keer and Benoît Viguier
Implements: An extendable-output function (XOF), i.e., the generalization of a cryptographic hash function with arbitrary output length, with the native support of domain separation via a customization string
Construction: A tree hash mode with kangaroo hopping on top of TurboSHAKE
Primitive: The Keccak-p[1600, 12] permutation
Instances: KT128 and KT256, depending on the desired security strength level
Status: Relies on the same cryptanalysis track record as Keccak/SHA-3; safe if there are no attacks on Keccak/SHA-3 reduced to 12 rounds

Resources: