KangarooTwelve: fast hashing based on Keccak-p

KangarooTwelve is a fast and secure extendable-output function (XOF), the generalization of hash functions to arbitrary output lengths. Derived from Keccak, it aims at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, it can exploit a high degree of parallelism, whether using multiple cores or the single-instruction multiple-data (SIMD) instruction set of modern processors. Some examples:

  • On current Intel architectures with AVX2, KangarooTwelve tops at 1.4 cycles/byte for long messages on a single core, and at 0.51 cycles/byte with AVX-512.
  • On the latest Apple 14 and M1 processors, KangarooTwelve can take advantage of the ARMv8-A's SHA-3 dedicated instructions to deliver 0.75 cycles/byte for long messages on a single core. This is 1.7 times (resp. 3 times) faster than SHA-256 (resp. SHA-512), also using hardware acceleration.

On low-end platforms, as well as for short messages, it is roughly twice faster than the fastest FIPS 202 instance SHAKE128.

Technical details

SynopsisThe KangarooTwelve extendable-output function
Designed byGuido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche, Ronny Van Keer and Benoît Viguier
ImplementsA extendable-output function (XOF), i.e., the generalization of a cryptographic hash function with arbitrary output length, with the native support of domain separation via a customization string
ConstructionA tree hash mode with kangaroo hopping on top of TurboSHAKE128
PrimitiveThe Keccak-p[1600, 12] permutation
Parameterized byNo parameter
InstancesJust KangarooTwelve. One size fits all!
StatusRelies on the same cryptanalysis track record as Keccak/SHA-3; safe if there are no attacks on Keccak/SHA-3 reduced to 12 rounds

Resources: